软件源代码包存放位置:/usr/local/src
源码包编译安装位置(prefix):/usr/local/software_name
脚本以及维护程序存放位置:/usr/local/sbin
MySQL 数据库位置:/var/lib/MySQL(可按情况设置)
Apache 网站根目录:/home/www/wwwroot(可按情况设置)
Apache 虚拟主机日志根目录:/home/www/logs(可按情况设置)
Apache 运行账户:www:www
# more /var/log/messages(检查有无系统级错误信息) # dmesg(检查硬件设备是否有错误信息) # ifconfig(检查网卡设置是否正确) # ping www.163.com(检查网络是否正常)
# ntsysv 以下仅列出需要启动的服务,未列出的服务一律推荐关闭: atd crond irqbalance microcode_ctl network sendmail sshd syslog
# init 6
# vi /root/.bashrc在 alias mv='mv -i' 下面添加一行:alias vi='vim' 保存退出。
# echo 'syntax on' > /root/.vimrc
# yum install ntp vim-enhanced gcc gcc-c++ gcc-g77 flex bison autoconf automake bzip2-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel kerne
# crontab -e加入一行:
*/30 * * * * ntpdate 210.72.145.44
需要下载的文件
gd-2.0.34.tar.gz libxml2-2.6.30.tar.bz2 libmcrypt-2.5.8.tar.bz2 cronolog-1.7.0-beta.tar.gz openssl-0.9.8e.tar.gz (可选) openssh-4.7p1.tar.gz (可选)
7.1 GD2
# cd /usr/local/src # tar xzvf gd-2.0.34.tar.gz # cd gd-2.0.34 # ./configure --prefix=/usr/local/gd2 # make # make install
7.2 LibXML2
# cd /usr/local/src # tar xjvf libxml2-2.6.30.tar.bz2 # cd libxml2-2.6.30 # ./configure --prefix=/usr/local/libxml2 # make # make install
7.3 LibMcrypt
# cd /usr/local/src # tar xjvf libmcrypt-2.5.8.tar.bz2 # cd libmcrypt-2.5.8 # ./configure --prefix=/usr/local/libmcrypt # make # make install
7.4 Apache日志截断程序
# cd /usr/local/src # tar xzvf cronolog-1.7.0-beta.tar.gz # cd cronolog-1.7.0-beta # ./configure --prefix=/usr/local/cronolog # make # make install
# cd /usr/local/src # tar xzvf openssl-0.9.8e.tar.gz # cd openssl-0.9.8e # ./config --prefix=/usr/local/openssl # make # make test # make install # cd .. # tar xzvf openssh-4.7p1.tar.gz # cd openssh-4.7p1 # ./configure \ "--prefix=/usr" \ "--with-pam" \ "--with-zlib" \ "--sysconfdir=/etc/ssh" \ "--with-ssl-dir=/usr/local/openssl" \ "--with-md5-passwords" # make # make install
以下(1)至(4)为服务器端设置,在 /etc/ssh/sshd_config 中修改:
# vi /etc/ssh/sshd_config
(1)禁用 SSH V1 协议 找到:
#Protocol 2,1改为:
Protocol 2(2)禁止root直接登录,此处先建立一个普通系统用户:
# useradd username # passwd username找到:
#PermitRootLogin yes改为:
PermitRootLogin no(3)禁用服务器端GSSAPI,找到以下两行,并将它们注释:
GSSAPIAuthentication yes GSSAPICleanupCredentials yes(4)禁用 DNS 名称解析,找到:
#UseDNS yes改为:
UseDNS no(5)禁用客户端 GSSAPI
# vi /etc/ssh/ssh_config找到:
GSSAPIAuthentication yes将这行注释掉。
# service sshd restart # ssh -V
确认 OpenSSH 以及 OpenSSL 版本正确。
# cd /usr/local/src下载文件mysql,apache,php,请到下面网址下载相应软件
http://www.apache.org/ (推荐版本:2.2.21) http://www.php.net/ (推荐版本:5.2.17) http://www.mysql.com/
注意:Apache 2.2.x 与 PHP 5.2.x 均已停止官方安全更新,新部署请选用仍在维护的版本,并相应调整下文的文件名与编译参数。
# tar xzvf MySQL-5.0.45-linux-i686-glibc23.tar.gz # mv MySQL-5.0.45-linux-i686-glibc23 /usr/local/ # ln -s /usr/local/MySQL-5.0.45-linux-i686-glibc23 /usr/local/MySQL # useradd MySQL # chown -R MySQL:root /usr/local/MySQL/ # cd /usr/local/MySQL # ./scripts/mysql_install_db --user=MySQL # cp ./support-files/mysql.server /etc/rc.d/init.d/MySQLd # chown root:root /etc/rc.d/init.d/MySQLd # chmod 755 /etc/rc.d/init.d/MySQLd # chkconfig --add MySQLd # chkconfig --level 35 MySQLd on # cp ./support-files/my-huge.cnf /etc/my.cnf # mv /usr/local/MySQL/data /var/lib/MySQL # chown -R MySQL:MySQL /var/lib/MySQL/ # vi /etc/my.cnf
# cd /usr/local/src # tar xjvf httpd-2.2.21.tar.bz2 # cd httpd-2.2.21 # ./configure \ "--prefix=/usr/local/apache2" \ "--with-included-apr" \ "--enable-so" \ "--enable-deflate=shared" \ "--enable-expires=shared" \ "--enable-rewrite=shared" \ "--enable-static-support" \ "--disable-userdir" # make # make install # echo '/usr/local/apache2/bin/apachectl start ' >> /etc/rc.local
# cd /usr/local/src # tar xjvf php-5.2.17.tar.bz2 # cd php-5.2.17 # ./configure \ "--prefix=/usr/local/php" \ "--with-apxs2=/usr/local/apache2/bin/apxs" \ "--with-config-file-path=/usr/local/php/etc" \ "--with-mysql=/usr/local/MySQL" \ "--with-libxml-dir=/usr/local/libxml2" \ "--with-gd=/usr/local/gd2" \ "--with-jpeg-dir" \ "--with-png-dir" \ "--with-bz2" \ "--with-freetype-dir" \ "--with-iconv-dir" \ "--with-zlib-dir" \ "--with-openssl=/usr/local/openssl" \ "--with-mcrypt=/usr/local/libmcrypt" \ "--enable-soap" \ "--enable-gd-native-ttf" \ "--enable-ftp" \ "--enable-mbstring" \ "--enable-exif" \ "--disable-ipv6" \ "--disable-cgi" \ "--disable-cli" # make # make install # mkdir /usr/local/php/etc # cp php.ini-dist /usr/local/php/etc/php.ini
# vi /usr/local/apache2/conf/httpd.conf找到:
AddType application/x-gzip .gz .tgz在该行下面添加
AddType application/x-httpd-php .php找到:
DirectoryIndex index.html将该行改为
DirectoryIndex index.html index.htm index.php找到:
#Include conf/extra/httpd-mpm.conf #Include conf/extra/httpd-info.conf #Include conf/extra/httpd-vhosts.conf #Include conf/extra/httpd-default.conf去掉前面的“#”号,取消注释。注意:以上 4 个扩展配置文件中的设置请按照相关原则进行合理配置!修改完成后保存退出。
# /usr/local/apache2/bin/apachectl restart
在网站根目录放置 phpinfo.php 脚本,检查phpinfo中的各项信息是否正确。检查完成后请删除该脚本,避免对外暴露服务器的路径、模块与配置信息。
确认 PHP 能够正常工作后,在 php.ini 中进行设置提升 PHP 安全性。
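# vi /etc/php.ini
(注意:前文编译时以 --with-config-file-path 指定了 /usr/local/php/etc,并将 php.ini 复制到了 /usr/local/php/etc/php.ini;请确认所编辑的是 PHP 实际加载的配置文件,否则以下安全设置不会生效。)
找到: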
disable_functions =设置为:
phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server