VPS INSTALLATION
A. Components to be installed
- Install Nginx and ngx_pagespeed with an optimized configuration
- Install and optimize MariaDB
- Install and optimize php-fpm
- phpMyAdmin
- VSFTPD
- Xcache
- CSF
- Bonus: basic nginx security
B. Preparation steps
I. Add the required repos
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/6/i386/RPMS/atomic-release-1.0-19.el6.art.noarch.rpm
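- Create the public_html directory (domain-cua-ban is a placeholder for your domain)
mkdir -p /home/domain-cua-ban/public_html
mkdir /home/domain-cua-ban/logs
# 777 makes the log directory world-writable; since the chown below gives it to nginx, 750 is sufficient
chmod 777 /home/domain-cua-ban/logs
chown -R nginx:nginx /home/domain-cua-ban
- Go to the conf.d directory and create a file with any name ending in .conf; for example, I created the file quylevhb.conf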
server {
    server_name www.domain-cua-ban;
    # no space between the host and $1, otherwise nginx rejects the directive
    rewrite ^(.*) http://domain-cua-ban-khong-co-www$1 permanent;
}
server {
    listen 80;
    access_log off;
    # "error_log off" does not disable logging; it writes to a file named "off"
    error_log /dev/null crit;
    # error_log /home/domain-cua-ban/error.log;
    root /home/domain-cua-ban/public_html;
    index index.php index.html index.htm;
    server_name domain-cua-ban-khong-co-www;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    include /etc/nginx/ngx_pagespeed.conf; # enable ngx_pagespeed
    location ~ \.php$ {
        root /home/domain-cua-ban/public_html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
II. Install MariaDB
1. Add repo
3. Set the password and secure MySQL
Run:
service mysql start
chkconfig mysql on
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): [Press Enter]
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password: [Enter the password you want]
Re-enter new password: [Re-enter the password]
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
4. Optimize MariaDB
Restart mysql
service mysql restart
III. Install php-fpm
1. Installation
yum -y --enablerepo=remi install php-common php-fpm php-gd php-mysql php-pdo php-xml php-mbstring php-mcrypt php-pecl-apc php-curl php-soap
Note: this command installs PHP 5.4. To install PHP 5.6 instead, run:
BLOG HACKING & SECURITY: QUYLEVHB.BLOGSPOT.COM
yum --enablerepo=remi,remi-php56 -y install php php-common php-fpm php-mysql php-gd php-xml php-mbstring php-mcrypt php-pdo php-soap
- Start php-fpm
service php-fpm start
chkconfig --levels 235 php-fpm on
2. Configuration
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
user = nginx
group = nginx
pm = ondemand
pm.max_children = 2
; default: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 20
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 500
pm.status_path = /php_status
request_terminate_timeout = 100s
pm.process_idle_timeout = 10s;
request_slowlog_timeout = 4s
slowlog = /home/domain-cua-ban/logs/php-fpm-slow.log
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /home/domain-cua-ban/logs/php-fpm-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
IV. Install phpMyAdmin
1. Installation
yum --enablerepo=remi -y install phpMyAdmin
2. Configuration
Open the vhost file (/etc/nginx/conf.d/abc.conf)
abc.conf: the name of your vhost file
Append the following rule to the end of the file
server {
    listen 1109;   # listen port
    server_name localhost;
    location / {
        root /usr/share/phpMyAdmin;   # document root
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Where:
- 1109: the port used to reach phpMyAdmin. You can choose any port you like. Note that the port must be free and not used by any other service, to avoid conflicts.
You can see the list of ports here:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
4. Open the port
Open /etc/sysconfig/iptables and add the following rule
-A INPUT -m state --state NEW -p tcp --dport 1109 -j ACCEPT
- Restart iptables
service iptables restart
- Restart nginx
service nginx restart
- Access it at
http://domain.com:1109
or
http://ip-server:2313
V. Install vsftpd
1. Installation
yum -y install vsftpd
2. Configuration
Open /etc/vsftpd/vsftpd.conf
- Find
anonymous_enable=YES
change to
anonymous_enable=NO
- Find
#ascii_upload_enable=YES
#ascii_download_enable=YES
change to
ascii_upload_enable=YES
ascii_download_enable=YES
- Find
#ls_recurse_enable=YES
change to
ls_recurse_enable=YES
- Find
#chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
change to
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
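With chroot_local_user=YES and chroot_list_enable=YES together, vsftpd treats chroot_list_file as the list of users who are NOT jailed. The following is an added example (not part of the original guide) that reads the effective settings from a config file and states who ends up chrooted; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.

# Print YES or NO for a boolean KEY in a vsftpd.conf-style FILE, or DEFAULT.
# Assumption: when a key is repeated, the last uncommented line wins.
vsftpd_bool() {   # usage: vsftpd_bool FILE KEY DEFAULT
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r' | tr 'a-z' 'A-Z')
    case "${v:-$3}" in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# Describe which local users are placed in a chroot() jail.
chroot_mode() {   # usage: chroot_mode FILE
    case "$(vsftpd_bool "$1" chroot_local_user NO)/$(vsftpd_bool "$1" chroot_list_enable NO)" in
        YES/YES) echo "all local users jailed EXCEPT those in chroot_list_file" ;;
        YES/NO)  echo "all local users jailed" ;;
        NO/YES)  echo "only users in chroot_list_file jailed" ;;
        *)       echo "no local user jailed" ;;
    esac
}

# Constructed sample: the settings from this section, plus one commented
# default to show that "#" lines are ignored.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#anonymous_enable=YES
anonymous_enable=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
EOF
    echo "$f"
}

conf=$(sample_conf)
echo "anonymous login: $(vsftpd_bool "$conf" anonymous_enable YES)"
echo "chroot: $(chroot_mode "$conf")"
rm -f "$conf"
```

On a real server, call chroot_mode /etc/vsftpd/vsftpd.conf and keep /etc/vsftpd/chroot_list empty unless a user really needs to leave the home directory.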
VI. Install Xcache
VII. Install csf
1. Install the required libraries
yum -y install perl-libwww-perl
2. Install csf
cd /tmp
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
3. Test csf
perl /usr/local/csf/bin/csftest.pl
If the output looks like the screenshot, it is OK
4. Open /etc/csf/csf.conf
Change: TESTING = "1"
To: TESTING = "0"
5. Run the following commands to start csf
chkconfig --level 235 csf on
service csf restart
VIII. Basic security for nginx
1. Chmod
- Chmod the directories home, domain-cua-ban, public_html, etc/nginx, etc/nginx/conf.d and etc/php-fpm.d to 711
- Chmod all files in /etc/nginx, /etc/php-fpm.d, /etc/phpMyAdmin and /etc/nginx/conf.d to 600
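An added check for the permission scheme above (not part of the original guide): two POSIX shell functions that report directories whose mode is not 711 and files whose mode is not 600. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.

# Each argument must be a directory whose mode is exactly 711.
check_dirs() {
    rc=0
    for d in "$@"; do
        # -prune keeps find from descending; -perm 711 is an exact match
        if [ -z "$(find "$d" -prune -type d -perm 711 2>/dev/null)" ]; then
            echo "DIR not 711: $d"
            rc=1
        fi
    done
    return "$rc"
}

# Every regular file below each argument must have mode exactly 600.
check_files() {
    rc=0
    for r in "$@"; do
        [ -d "$r" ] || { echo "MISSING: $r"; rc=1; continue; }
        loose=$(find "$r" -type f ! -perm 600 2>/dev/null) || true
        if [ -n "$loose" ]; then
            echo "$loose" | sed 's/^/FILE not 600: /'
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree standing in for /etc/nginx (demo only).
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/nginx/conf.d"
    : > "$t/nginx/nginx.conf"
    : > "$t/nginx/conf.d/quylevhb.conf"
    chmod 711 "$t/nginx" "$t/nginx/conf.d"
    chmod 600 "$t/nginx/nginx.conf"
    chmod 644 "$t/nginx/conf.d/quylevhb.conf"   # deliberately too open
    echo "$t"
}

sample=$(make_sample)
check_dirs "$sample/nginx" "$sample/nginx/conf.d" && echo "directories OK"
check_files "$sample/nginx" || echo "fix with: chmod 600 <file>"
rm -rf "$sample"
```

On the server, pass the real paths, for example check_dirs /etc/nginx /etc/nginx/conf.d /etc/php-fpm.d and check_files /etc/nginx /etc/php-fpm.d /etc/phpMyAdmin.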
location /admincp {
    auth_basic "Private";
    auth_basic_user_file /etc/nginx/conf/.htpasswd;
}
Replace /admincp with the path of your admincp directory
Create the .htpasswd file in the /etc/nginx directory. To create it, use the following command