331
技術社區[雲棲]
架設某大型網站服務器全部詳細過程(鬱悶少年)
鬱悶少年架設某大型網站服務器之全部過程
*版權所有
所有:鬱悶少年&&二娃家園
網站:https://www.mingfor.com
發布:mingfu
聯係:msn:linux@mingfor.com
日期:2006-04-04
首發:2006-04-04 00:00:00
修改:2006-04-04
歡迎轉載,
本程序為 GPL 授權,任何人皆可傳播本文檔.
但請勿直接用於商業用途,否則將追究其相關責任.
*網站服務器
主要任務:
根據開發設計需求架設大型的網站服務器
主要軟件:
apache+jboss+oracle
簡稱:LAJO
apache+php+mysql
簡稱:LAMP
proftpd+mysql
簡稱:LPM
ssh+expect
iptables
bind
mail
具體要求:
海量用戶訪問
海量用戶存儲
(國內外互通)
南北互通.
需求分析:
1.保證高要求高質量高性能,需要選擇係*nix操作平台(這裏選擇as4.3);
2.保證高訪問量高數據處理,需要選數商業數據庫(這裏選擇oracle9.2.0.4);
3.解決南北互通(包括國內外互通),需要架設基於bind-view功能的智能DNS服務器.
4.使用流行的B/S,C/S程序架構,需要選擇了JBOSS服務器.
5.更好地處理靜態頁麵效果,需要選擇了Apache服務器.
6.根據程序注冊用戶與上傳要求,需要架設ftp服務器.
7.時時自動化係統監控,需要架設LAPM服務器.(這裏使用軟件cacti).
8.公司與客戶交流,需要架設郵件服務器.(這裏使用postfix+extmail).
9.自動化文件數據處理與安全設置,需expect+ssh+iptables結合shell腳本.
10.海量,需要集群負載均衡與配備存儲設備.
具體流程:
1.硬件采購.
這裏略.
2.操作係統安裝
安裝redhat as 4.3
係統空間劃分(略)
安裝開發環境,DNS,LAMP環境所需軟件包.
並確認以下包已安裝:
compat-db
compat-gcc
compat-gcc-32
compat-oracle-rhel4
compat-libcwait
compat-libgcc
compat-libstdc++-296
compat-libstdc++-33
gcc
gcc-c++
gnome-libs
gnome-libs-devel
libaio-devel
libaio
make
openmotif21
xorg-x11-deprecated-libs-devel
xorg-x11-deprecated-libs
sysstat disk4
openmotif21 disk3
libaio disk3
libaio-devel disk3
freetype-devel disk3
fontconfig-devel disk3
xorg-x11-devel- disk3
xorg-x11-deprecated-libs-devel- disk3
glib-devel disk4
ORBit-devel disk4
gtk+-devel disk4
alsa-lib-devel disk3
audiofile-devel disk3
esound-devel- disk3
libjpeg-devel- disk3
libtiff-devel- disk3
libungif-devel- disk3
imlib-devel disk4
gnome-libs-devel disk4
expect disk4
注意:我遇到的一個問題:全新的dell服務器1.5T,raid5,重沒有安裝過任何係統,硬盤也沒有分區,直接用as4.3安裝盤安裝提示:內存錯誤,藍屏,而安裝失敗。用了好幾種linux係統盤(包括windows安裝盤)都如此,(手裏沒有硬盤格式分區工具,沒有測試是否可以硬盤分區。)官方發行版說不支持超過2G內存,於是安裝係統時先卸下2G內存,待安裝完畢在請求支持超過2G內存的內核安裝後就可以支持4G內存了,倘如日後全新安裝係統不使用hugemem而使用默認的smp內核也能識別4G內存,更不會出現藍屏問題。關於之中奧妙,還沒有仔細研究過。。。。
#rpm –ivh kernel-elhugemem….rpm
修改啟動文件grub.conf確保新安裝的內核為優先啟動.
#cat /etc/grub.conf
////////////////////////////////////////////////////////////////////
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/sda8
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.9-22.ELhugemem)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.ELhugemem ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.ELhugemem.img
title Red Hat Enterprise Linux AS (2.6.9-22.ELsmp)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.ELsmp ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.6.9-22.EL)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.EL ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.EL.img
////////////////////////////////////////////////////////////////////////////////////////////////
如果hiddenmenu
下麵的內容順序不對,請修改default=x(x對應ELhugemem項)
重啟並加載另外2G內存.
這樣讓係統支持4G內存的正常運行.
2)係統安裝完畢請 作連接: #ln –s /tmp /temp
3.配置DNS
由於要南北互通,開源得隻有使用view的ACL訪問控製列表文件來實現多線路的自動導向.
(當然也有其他的商業解決辦法,比如智能路由與交換機的設置來實現,我們這裏使用開源的而且容易實現與調整的解決軟件bind)
關於view的ACL獲得辦法有很多途徑,這裏不一一商討.
具體架設參考如下
默認安裝的bind為9係列的,已經支持view,配置分為三步驟分別如下所示.
(1)修改named.conf
(2)創建與配置hosts
(3)域名解析
#vi /etc/named.conf
////////////////////////文件內容開始///////////////////
//
// named.conf for Red Hat caching-nameserver
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";
//modify by mingfu 060404
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.21.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.56.0.0/14;
218.60.0.0/15;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
};
view "view_cnc" {
match-clients { CNC; };
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/cnc.def";
};
view "view_any" {
match-clients { any; };
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/telecom.def";
};
////////////////////////文件內容結束///////////////////
#mkdir /var/named/master
#mkdir /var/named/master/cnc
#mkdir /var/named/master/telecom
#touch /var/named/master/cnc.def
#touch /var/named/master/telecom.def
說明:關於如何進行域名解析配置:
@Zone區文件配置:
Master/Cnc.def 網通
Master/Telecom.def 電信
*.def文件裏麵為解析域名的zone配置區設置部分.
@Hosts 區文件配置
Master/Cnc 網通
Master/Telecom 電信
下麵以解析www.xxxx.com為例
#vi /var/named/master/cnc.def
////////////////////////文件內容開始///////////////////
zone "xxxx.com" {
type master;
file "master/cnc/xxxx.com";
};
////////////////////////文件內容結束///////////////////
#vi /var/named/master/telecom.def
////////////////////////文件內容開始///////////////////
zone "xxxx.com" {
type master;
file "master/telecom/xxxx.com";
};
////////////////////////文件內容結束///////////////////
#vi /var/named/master/cnc/xxxx.com
////////////////////////文件內容開始///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(
2005121013 ;Serial
3600 ; Refresh ( seconds )
900 ; Retry ( seconds )
68400 ; Expire ( seconds )
15 );Minimum TTL for Zone ( seconds )
;
@ IN NS ns.xxxx.com.
@ IN MX xxxx.com.
;;ip for cnc
@ IN A x.x.x.x(網通IP)
www IN A x.x.x.x(網通IP)
////////////////////////文件內容結束///////////////////
#vi /var/named/master/telecom/xxxx.com
////////////////////////文件內容開始///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(
2005121013 ;Serial
3600 ; Refresh ( seconds )
900 ; Retry ( seconds )
68400 ; Expire ( seconds )
15 );Minimum TTL for Zone ( seconds )
;
@ IN NS ns.xxxx.com.
@ IN MX xxxx.com.
;;ip for telecom
@ IN A x.x.x.x(電信IP)
www IN A x.x.x.x(電信IP)
////////////////////////文件內容結束///////////////////
客服端測試:
nslookup --type=a xxxx.com x.x.x.x(網通任意一個DNS服務器IP)
nslookup --type=a xxxx.com x.x.x.x(電信任意一個DNS服務器IP)
看到的為配置文件中對應ip則解析配置正常.
注意:
上麵的xxxxx.com需要修改DNS解析服務器為
ns.xxxxx.com
對應IP為:網通IP.
備注:
1).在這裏做了網通與非網通的訪問控製,用於實現南北互通,如要國內外互通,需要在列出一個相應的訪問控製列表ACL就可以實現了.
2).關於使用tar包編譯安裝請參看:
https://www.mingfor.com/forum/showthread.php?tid=94
4.配置LAJO
軟件:
Apache2.0.58
JBOSS.4.0.3SP1
Oracle9.2.0.4
Mod-jk1.12
配置:
1)apache+mod-jk
#tar zxvf httpd-2.0.58.tar.gz
#cd httpd-2.0.58
#./configure --enable-MODULE=shared --enable-so --with-mpm=worker
#make&&make install
#tar zxvf jakarta-tomcat-connectors-1.2.14.1-src.tar.gz
#cd /home/software/jakarta-tomcat-connectors-1.2.14.1-src/jk/native
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
#make
# cp ./apache-2.0/mod_jk.so /usr/local/apache2/modules
httpd.conf的修改
該文件的路徑位於$APACHE-HOME/conf
上述編譯過程中我們選用的worker模式,因此我們將修改worker模塊的配置
<IfModule worker.c>
StartServers 4 #最初建立進程的數量
ServerLimit 24 #進程建立的最大數量,硬限製
ThreadLimit 128 #每一進程能創建線程的最大數量,硬限製,該參數建議#和ThreadsPerChild一致,如果ThreadLimit > ThreadsPerChild的話,會造成不##必要的內存消耗。
MaxClients 3072 #同時可以得到處理的客戶端的最大數量
MinSpareThreads 100 #所有進程中空閑線程的總數最小數值
MaxSpareThreads 200 #所有進程中空閑線程的總數最大數值
ThreadsPerChild 128 #每個子進程可以建立的固定數量的線程
MaxRequestsPerChild 0 #用於控製服務器建立和結束進程的頻率,為0表示沒有#限製,但在solaris OS下該值可能會出錯,可以設置為1000或2000。根據係統#的並發負載吧。
</IfModule>
同時修改與新增httpd.conf如下內容:
Include conf/mod_jk2.conf
User xxxx
Group 5dxc
DocumentRoot "/site"
<Directory "/site">
NameVirtualHost IP:80
<VirtualHost IP:80>
ServerAdmin foway@163.com
DocumentRoot /site
ServerName IP
ErrorLog logs/ip-error_log
CustomLog logs/ip-access_log common
</VirtualHost>
<VirtualHost IP:82>
ServerAdmin foway@163.com
DocumentRoot /var/www/html
ServerName admin.xxxx.com
ErrorLog logs/ip-error_log
CustomLog logs/ip-access_log common
</VirtualHost>
#vi $APACHE-HOME/conf/mod_jk2.conf
////////////////////////文件內容開始///////////////////
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers2.properties
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
JkMount /* loadbalancer
#apache will serve the static picture.
#以下命令意味著所有的圖片與htm,css,js頁麵將由APACHE解析其它交由jboss處理
JkUnMount /*.jpg loadbalancer
JkUnMount /*.gif loadbalancer
JkUnMount /*.swf loadbalancer
JkUnMount /*.bmp loadbalancer
JkUnMount /*.png loadbalancer
JkUnMount /*.js loadbalancer
JkUnMount /*.css loadbalancer
JkUnMount /*.htm loadbalancer
////////////////////////文件內容結束///////////////////
#vi $APACHE-HOME/conf/ uriworkermap.properties
////////////////////////文件內容開始///////////////////
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
////////////////////////文件內容結束///////////////////
#vi $APACHE-HOME/conf/uriworkermap.properties
////////////////////////文件內容開始///////////////////
worker.list=loadbalancer,status
worker.node1.port=8009
worker.node1.host=192.168.0.192(請填寫服務器的IP)
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
////////////////////////文件內容結束///////////////////
注意:如果需要負載:修改
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
為:
worker.node2.port=8009
worker.node2.host=IP(進行負載的IP地址)
worker.node2.type=ajp13
worder.node2.lbfactor=1
worker.node2.cachesize=10
備注:如果要進行更多的負載….
修改:
worker.noden.port=8009
worker.noden.host=IP(進行負載的IP地址)
worker.noden.type=ajp13
worder.noden.lbfactor=1
worker.noden.cachesize=10
worker.loadbalancer.balance_workers=node1,node2,noden
2)jboss
jboss安裝.
Jboss4.0.3sp1 解壓到/site/jboss目錄下….
…./ deploy/jbossweb-tomcat55.sar/server.xml中,找8080,修改為8088
Jdk環境變量設定:
Jdk安裝:
#chmod 755 jdk-1_5_0_06-linux-i586.bin
#./jdk-1_5_0_06-linux-i586.bin
Java參數設置:
#ln –s /usr/local/jdk1.5.0_06 /usr/local/jdk
如果你下載的是rpm包請如下操作
#./jdk-1_5_0_06-linux-i586.rpm.bin
#rpm jdk-1_5_0_06-linux-i586.rpm
# ln –s /usr/ jdk1.5.0_06 /usr/local/jdk
#vi /etc/profile.d/java.sh
////////////////////////文件內容///////////////////
JAVA_HOME=/usr/local/jdk
PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin
export JAVA_HOME PATH
////////////////////////文件內容///////////////////
3) apache+jboos服務啟動問題
apache+jboss整合配置已完畢.下麵是啟動這些服務了.
..用戶與權限分配
groupadd –g 5500 xxxx
adduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g xxxx xxxx
修改/etc/passwd文件中的xxxx用戶中的”/bin/false”為”/bin/bash”,以便於以後jboss使用.當然你也可以這樣做:
adduser -u 5500 -s /bin/bash -d /bin/null -c "proftpd user" -g xxxx xxxx
chown xxxx /site/* –R
chgrp xxxx /site/* -R
chmod 755 /site/* -R
..服務啟動
添加如下內容到/etc/rc.local
/usr/local/apache2/bin/apachectl start
/etc/init.d/jboss start
#vi /etc/init.d/jboss
////////////////////////文件內容開始///////////////////
#/etc/init.d/jboss
/etc/rc.d/init.d/functions
JBOSS_HOME=/site/jboss
export JBOSS_HOME
JAVA_HOME=/usr/local/jdk
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export CLASSPATH
prog="jboss"
start()
{
#Input the jbos Service log into jboss.log
echo "Jboss4.0.3SP1 Service Starting........" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
date "+%Y-%m-%d %A %T :Jboss Service start" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
su - xxxx -c $JBOSS_HOME/bin/run.sh & >>/var/log/xxxx/jboss.log
touch /var/log/xxxx/jboss.log
}
#Function stop,Stop the Jboss Service auto
#when the Linux Halt
stop()
{
#Input the jboss Service log into jboss.log
echo "jboss Service Stopping........" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
date "+%Y-%m-%d %A %T :jboss Service Stop">>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
su - xxxx -c “$JBOSS_HOME/bin/shutdown.sh –S”>>/var/log/xxxx/jboss.log
}
case $1 in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
;;
status)
status $prog
;;
*)
echo "Please Input start|stop|restart|reload|status"
return 1
esac
////////////////////////文件內容結束///////////////////
注意:
請賦予jboos的執行權限:chmod 755 /etc/init.d/jboss
請注意xxxx用戶是沒有設置密碼的,確保使用xxxx用戶是無法登錄的,隻有root可以切換到該用戶環境中去的:#su – xxxx…..
4)oracle安裝與啟動
創建相關安裝目錄和環境變量
1,創建user/group;
#groupadd dba
#groupadd oinstall
#useradd oracle -g oinstall -G dba
#passwd oracle
2,建立oracle安裝文件夾;
# mkdir -p /opt/ora9/product/9.2.0.4
# mkdir /var/opt/oracle
# chmod oracle.dba /var/opt/oracle
# chown -R oracle.dba /opt/ora9
3,配置環境變量;
以root用戶登錄,設置root用戶的環境打開.bash_profile文件,將如下內容加入:
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb //此處為你的sid
使用Oracle用戶登陸:
#su – oracle
$vi .bash_profile
以下是配置文件的內容
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb
export ORACLE_TERM=xterm
export LD_ASSUME_KERNEL=2.4.19
export THREADS_FLAG=native
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export NLS_LANG=”American_america.utf8”
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
export PATH
unset USERNAME
4,設置係統參數;
#su – root切換到root用戶
a) 修改#vi /etc/sysctl.conf, 以下是配置文件的內容:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
修改後運行
#sysctl –p
命令使得內核改變立即生效;
注:
一般情況下可以設置最大共享內存為物理內存的一半,如果物理內存是 2G,則可以設置最大共享內存為 1073741824,如上;如物理內存是 1G,則可以設置最大共享內存為 512 * 1024 * 1024 = 536870912;以此類推。
建議永久地增加 shmmax 設置。
sem 4個參數依次為SEMMSL(每個用戶擁有信號量最大數);SEMMNS(係統信號量最大數);SEMOPM(每次semopm係統調用操作數);SEMMNI(係統辛苦量集數最大數).Shmmax 最大共享內存,官方文檔建議是內存的1/2,Shmmni 最小共享內存 4096KB.Shmall 所有內存大小 。
b) 設置oracle對文件的要求:
編輯文件:#vi /etc/security/limits.conf 加入以下語句:
oracle soft nofile 65536
oracle hard nofile 65536
oracle soft nproc 16384
oracle hard nproc 16384
也可以寫成:
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
c) gcc降級
#mv /usr/bin/gcc /usr/bin/gcc34
#ln –s /usr/bin/gcc32 /usr/bin/gcc
#mv /usr/bin/g++ /usr/bin/g++34
#ln –s /usr/bin/g++32 /usr/bin/g++
5,安裝oracle補丁
# cd /opt
#ls compat*.rpm
compat-libcwait-2.0-2.i386.rpm compat-oracle-rhel4-1.0-5.i386.rpm
# rpm -Uvh compat*.rpm
Preparing... ########################################### [100%]
1:compat-libcwait-2.0-2.i386.rpm ##################################### [ 50%]
2:compat-oracle-rhel4-1.0-5.i386.rpm#################################### [100%]
開始安裝Oracle9i
1,解壓下載的安裝文件:
#zcat ship_9204_linux_disk1.cpio.gz | cpio –idmv&&zcat ship_9204_linux_disk2.cpio.gz | cpio –idmv&& zcat ship_9204_linux_disk3.cpio.gz | cpio –idmv
解包和解壓過程中,自動創建了3個包含安裝文件的目錄:
Disk1
Disk2
Disk3
.以oracle用戶登錄係統,進行Oracle的安裝(注意請不要在root登錄中切換到oracle,是以oracle登錄到係統(圖形界麵)):
$ cd Disk1
$ ./runInstaller過一會兒就會出現Oracle的安裝界麵
- Welcome Screen: Click Next
- Inventory Location: Click Next
- Unix Group Name: Use "oinstall" and click Next
When asked to run /tmp/orainstRoot.sh, run it before you click Continue
- At the end of the installation, exit runInstaller.
2.一步一個腳印安裝下去就行了!
3,安裝完後打補丁:
切換到oracle:#su – oracle 首先安裝 opatch.
$cd /opt
$unzip p2617419_210_GENERIC.zip
Archive: p2617419_210_GENERIC.zip
creating: OPatch/
creating: OPatch/docs/
inflating: Opatch/docs/FAQ
......
inflating: README.txt
$export PATH=$PATH:/opt/OPatch:/sbin
(修改PATH時要要包括解壓縮出來的Opatch 和 sbin目錄)
$unzip p3238244_9204_LINUX.zip
$export ORACLE_BASE=/opt/ora9
$export ORACLE_HOME=/opt/ora9/product/9.2.0.4
$ cd 3238244
$opatch apply
出現success的提示就全部安裝成功.
補丁打完後,還要relinked一個.mk文件
$cd $ORACLE_HOME/network/lib
$make -f ins_oemagent.mk install
之後就可以啟動Agent服務了.
4, 最後執行 $dbca 建oracle數據庫
注意:在SID處指定為oradb (與 ORACLE_SID=oradb)中的值一致.
點擊OK,然後退出即可,正常登陸並啟動數據庫的操作。
$ lsnrctl start
$ sqlplus /nolog
SQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL>connect / as sysdba
Connected.
SQL> shutdown immediate 關閉數據庫
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>startup; 啟動數據庫
ORACLE instance started.
Total System Global Area 236000356 bytes
Fixed Size 451684 bytes
Variable Size 201326592 bytes
Database Buffers 33554432 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
5, oracle服務啟動
以root身份進入,編寫以下腳本:
vi /etc/init.d/oracle
////////////內容//////////////////
#!/bin/bash
#start and stop the oracle instance
# chkconfig –level 5 --add ora9i
#chkconfig: 345 91 19
# description: starts the oracle listener and instance
export ORACLE_HOME="/opt/ora9/product/9.2.0.4"
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATH
export ORACLE_OWNER="oracle"
export ORACLE_SID=oradb
if [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]
then
echo "oracle startup:cannot start"
exit 1
fi
case "$1" in
start)
#startup the listener and instance
echo -n "oracle startup: "
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstart
touch /var/lock/subsys/oracle
echo "finished"
;;
stop)
# stop listener, apache and database
echo -n "oracle shutdown:"
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshut
rm -f /var/lock/subsys/oracle
echo "finished"
;;
reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: ora9i [start|stop|reload|restart]"
exit 1
esac
exit 0
////////////內容//////////////////
給予執行權限,以root身份運行/etc/rc.d/init.d/oracle start |stop 來管理oracle的啟動和停止了。如果要將這個腳本加入到係統中使其可開機運行(不過官方是不建議開機自動運行的,我本人也不建議這樣做,你確實需要可以這麼做),那麼要運行以下命令:chkconfig --level 35 --add oracle
或者以root用戶執行如下命令:
#chmod a+x /etc/rc.d/init.d /oracle
#cd /etc/rc.d/rc5.d
#ln -s /etc/rc.d/init.d/oracle S99ora9i
#cd /etc/rc.d/rc0.d
#ln -s /etc/rc.d/init.d/oracle K99ora9i
也可如下自啟動oracle9i!
在/etc/rc.d/rc.local中加入如下:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
注意:如果啟動不理想,請編寫shell scripts:
方法:以我個人習慣為例;;;;;;;;;;
#mkdir /usr/local/syscmf
#vi /usr/local/syscmf/oracle.sh
////////////////////////文件內容開始///////////////////
#!/bin/sh
#modify by mingfu 060404
#oracle run scripts
#run user for oracle
lsnrctl start
expect /usr/local/syscmf/oracle.exp
////////////////////////文件內容結束///////////////////
#vi /usr/local/syscmf/oracle.exp
////////////////////////文件內容開始///////////////////
#!/usr/local/bin/expect
#modify by mingfu 060404
#oracle run scripts
set timeout 120
spawn sqlplus //nolog
expect "SQL/>"
send "conn // as sysdba/r"
expect "SQL/>"
send "startup/r"
expect "SQL/>"
send "exit/r"
exit
////////////////////////文件內容結束///////////////////
#chown oracle /usr/local/syscmf/*
#chgrp oracle /usr/local/syscmf./*
#chmod 755 /usr/local/syscmf/*
在/etc/rc.local中新增如下內容:
su – oracle /usr/local/syscmf/oracle.sh
刪除原來的:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
6, 關於數據庫刪除重新安裝的問題:
把ORACLE安裝目錄刪除及/etc/ora*.*刪除就行了
#rm –f /etc/ora*.*
7,關於在LINUX中運行管理軟件$oemapp
#su – oracle
$oemapp console
8, 中文顯示不正常解決辦法
Oracle目前缺省安裝的字符集是WE8MSWIN1252,不是中文字符集,並且不能通過直接運行 alter database character set ZHS16GBK ; 來修改,因為ZHS16GBK不是缺省字符集的超集。過去流傳很廣的直接修改sys用戶下的PROPS$表的方法,也會給字符集的變更留下很多潛在的問題.
linux下進行如下的操作來修改字符集:
sqlplus /nolog
sql>conn / as sysdba
sql>shutdown immediate
sql>startup mount
sql>alter system enable restricted session ;
sql>alter system set JOB_QUEUE_PROCESSES=0;
sql>alter system set AQ_TM_PROCESSES=0;
sql>alter database open ;
sql>alter database character set internal_use ZHS16GBK ;
sql>shutdown immediate
sql>startup
這樣字符集的修改就完成了(如果你在安裝時選擇了中文字符集,這裏就不用修改了)
LAJO服務環境配置完畢.
5.配置LAMP
係統自帶安裝http+php+mysql軟件包,進行配置如下:
Apache配置
修改/etc/httpd/conf/httpd.conf內容如下:
Listen 82
ServerName 127.0.0.1:82
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
注意:係統已經有兩個httpd服務進程.
用戶分別是:xxxx apache
請確保
/usr/local/apache2/bin/apachectl start
/etc/init.d/httpd start
此兩個服務自啟動.
Mysql設置
Mysql>create ftpdb;
Mysql>grant all privileges on ftpdb.* to ftpuser@localhost identified by “xxxx”;
Mysql>grant all privileges on *.* to root@’%’ identified by “xxxx”;
Mysql>flush privileges;
Mysql>exit
請確保
/etc/init.d/mysqld start
此服務自啟動.
LAMP服務環境配置完畢.
7.配置FTP
配合工程實施與建立ftp帳號相關聯,方便維護與管理,我這裏選擇了Proftpd與數據庫結合的方式來實現的.
創建Ftpdb結構:
Mysql>use ftpdb;
Mysql> CREATE TABLE `ftpgroup` (
`groupname` varchar(16) NOT NULL default '',
`gid` smallint(6) NOT NULL default '5500',
`members` varchar(16) NOT NULL default '',
KEY `groupname` (`groupname`)
) ;
Mysql> CREATE TABLE `ftpquotalimits` (
`name` varchar(30) default NULL,
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`per_session` enum('false','true') NOT NULL default 'false',
`limit_type` enum('soft','hard') NOT NULL default 'soft',
`bytes_in_avail` float NOT NULL default '0',
`bytes_out_avail` float NOT NULL default '0',
`bytes_xfer_avail` float NOT NULL default '0',
`files_in_avail` int(10) unsigned NOT NULL default '0',
`files_out_avail` int(10) unsigned NOT NULL default '0',
`files_xfer_avail` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpquotatallies` (
`name` varchar(30) NOT NULL default '',
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`bytes_in_used` float NOT NULL default '0',
`bytes_out_used` float NOT NULL default '0',
`bytes_xfer_used` float NOT NULL default '0',
`files_in_used` int(10) unsigned NOT NULL default '0',
`files_out_used` int(10) unsigned NOT NULL default '0',
`files_xfer_used` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpuser` (
`id` int(10) unsigned NOT NULL auto_increment,
`userid` varchar(32) NOT NULL default '',
`passwd` varchar(32) NOT NULL default '',
`uid` smallint(6) NOT NULL default '5500',
`gid` smallint(6) NOT NULL default '5500',
`homedir` varchar(255) NOT NULL default '',
`shell` varchar(16) NOT NULL default '/sbin/nologin',
`count` int(11) NOT NULL default '0',
`accessed` datetime NOT NULL default '0000-00-00 00:00:00',
`modified` datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (`id`)
) ;
Mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");
Mysql>INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");
Mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");
Mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");
配置proftp:
#tar xzvf proftpd-1.3.0rc5.tar.gz
#cd proftpd-1.3.0rc5
#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
#make&&make install
#mv /etc/local/proftpd/etc/proftpd.conf /etc/local/proftpd/etc/proftpd.confbak
#vi /etc/local/proftpd/etc/proftpd.conf
////////////////////////文件內容///////////////////
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#ServerName "ProFTPD Default Installation"
ServerName "Mingfu's ftp"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 100
MaxLoginAttempts 3
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
DefaultRoot ~
#put the proftpd log files in /var/log/ftp.syslog
#SystemLog /var/log/ftp.syslog
SystemLog /var/log/xxxx/ftp.syslog
#TransferLog log files
TransferLog /var/log/xxxx/ftp.transferlog
MaxHostsPerUser 1 "Sorry, you may not connect more than one time 1."
MaxClientsPerUser 13 "Only one such user at a time 2."
MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3."
#setup the Restart
AllowRetrieveRestart on
RootLogin off
RequireValidShell off
TimeoutStalled 600
MaxClients 2000
AllowForeignAddress on
AllowStoreRestart on
ServerIdent off
DefaultRoot ~ xxxx
#Slow logins
UseReverseDNS off
IdentLookups off
#IdentLookups and tcpwrappers ***
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutIdle 600
SQLAuthTypes Backend Plaintext
SQLAuthenticate users* groups*
# databasename@host database_user user_password
#SQLConnectInfo ftpdb@localhost proftpd password
SQLConnectInfo ftpdb@localhost ftpuser xxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits kb
QuotaShowQuotas on
QuotaLog "/var/log/quota"
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}'AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used+ %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
////////////////////////文件內容///////////////////
在/etc/rc.local文件中新增
/usr/local/proftpd/sbin/proftpd &
LPM配置完畢.
注意:以後添加ftp帳號隻需操作ftpuser表添加相應字段.用戶磁盤限額操作ftpquotalimits表添加相應字段.
Mysql管理win工具推薦:mysql-front
其中遠程連接帳號:
User:root
Host:IP
Pswd:xxxx
(與grant all privileges on *.* to root@’%’ identified by “xxxx”;
中設置的密碼一致) .
架設也可參考如下連接:
https://www.mingfor.com/forum/showthread.php?tid=28
8.配置MAIL
配合jboss工程程序實施與建立MAIL帳號相關聯,方便維護與管理,我這裏選擇了郵件服務器與數據庫結合的方式來實現的.
具體架設參考郵件發送程序,然後來配置郵件服務器,郵件係統的用戶帳號不準創建真實的係統帳號,所有的帳號均建在mysql數據庫中.
具體架設過程略。
架設可參考如下連接:
https://www.mingfor.com/forum/showthread.php?tid=19
https://www.extmail.org
9.安全策略
下麵是一個簡易有效的防火牆設置,隻要沒有固定IP來入侵,服務器均可正常訪問.
因此服務器上線後需要提取服務器通信狀態信息.這裏服務器已進配置好LAMP環境,因此係統監控請安裝CACTI(https://www.cacti.net)軟件來監控.
關於它的安裝方法比較簡單,這裏不一一說明了.
還要時時將#netstat –na|grep SYN的結果中連續15個相同的偽連接給DJOP出係統通信間道.
當有這樣的入侵連接時….
#iptables –A …………..djop(注意請不要將這個寫入到iptables文件中)
下麵是iptables文件的所有內容:
#cat /etc/sysconfig/iptables
////////////////////文件內容////////////////////
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT
#sync flood
-N synfoold
-A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
-A synfoold -p tcp -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold
-N ping
-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A ping -p icmp -j REJECT
-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP
#all ports
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
#MAIL
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
////////////////////文件內容////////////////////
在/etc/rc.local中新增如下內容:
////////////////////文件內容////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
////////////////////文件內容////////////////////
其中8192=1024*4*2.更多詳情請查閱/proc相關文獻介紹
關於獲取netstat –na|grep SYN_RECV 與TIME_WAIT的腳本:這裏我無法寫下來。隻是原理和主要的代碼告訴大家:
使用 netstat 來統計重複的連線 IP,將這些來自同一 IP 的連線統計一下,
如果超過一個設定值(您自己選擇的!),那麽該 IP 就會被iptables 機製擋掉了!
利用shell script 結合iptables來完成(其中用到的linux命令主要有:netstat awk cut sort)。。。
*版權所有
所有:鬱悶少年&&二娃家園
網站:https://www.mingfor.com
發布:mingfu
聯係:msn:linux@mingfor.com
日期:2006-04-04
首發:2006-04-04 00:00:00
修改:2006-04-04
歡迎轉載,
本程序為 GPL 授權,任何人皆可傳播本文檔.
但請勿直接用於商業用途,否則將追究其相關責任.
*網站服務器
主要任務:
根據開發設計需求架設大型的網站服務器
主要軟件:
apache+jboss+oracle
簡稱:LAJO
apache+php+mysql
簡稱:LAMP
proftpd+mysql
簡稱:LPM
ssh+expect
iptables
bind
具體要求:
海量用戶訪問
海量用戶存儲
(國內外互通)
南北互通.
需求分析:
1.保證高要求高質量高性能,需要選擇係*nix操作平台(這裏選擇as4.3);
2.保證高訪問量高數據處理,需要選數商業數據庫(這裏選擇oracle9.2.0.4);
3.解決南北互通(包括國內外互通),需要架設基於bind-view功能的智能DNS服務器.
4.使用流行的B/S,C/S程序架構,需要選擇了JBOSS服務器.
5.更好地處理靜態頁麵效果,需要選擇了Apache服務器.
6.根據程序注冊用戶與上傳要求,需要架設ftp服務器.
7.時時自動化係統監控,需要架設LAPM服務器.(這裏使用軟件cacti).
8.公司與客戶交流,需要架設郵件服務器.(這裏使用postfix+extmail).
9.自動化文件數據處理與安全設置,需expect+ssh+iptables結合shell腳本.
10.海量,需要集群負載均衡與配備存儲設備.
具體流程:
1.硬件采購.
這裏略.
2.操作係統安裝
安裝redhat as 4.3
係統空間劃分(略)
安裝開發環境,DNS,LAMP環境所需軟件包.
並確認以下包已安裝:
compat-db
compat-gcc
compat-gcc-32
compat-oracle-rhel4
compat-libcwait
compat-libgcc
compat-libstdc++-296
compat-libstdc++-33
gcc
gcc-c++
gnome-libs
gnome-libs-devel
libaio-devel
libaio
make
openmotif21
xorg-x11-deprecated-libs-devel
xorg-x11-deprecated-libs
sysstat disk4
openmotif21 disk3
libaio disk3
libaio-devel disk3
freetype-devel disk3
fontconfig-devel disk3
xorg-x11-devel- disk3
xorg-x11-deprecated-libs-devel- disk3
glib-devel disk4
ORBit-devel disk4
gtk+-devel disk4
alsa-lib-devel disk3
audiofile-devel disk3
esound-devel- disk3
libjpeg-devel- disk3
libtiff-devel- disk3
libungif-devel- disk3
imlib-devel disk4
gnome-libs-devel disk4
expect disk4
注意:我遇到的一個問題:全新的dell服務器1.5T,raid5,重沒有安裝過任何係統,硬盤也沒有分區,直接用as4.3安裝盤安裝提示:內存錯誤,藍屏,而安裝失敗。用了好幾種linux係統盤(包括windows安裝盤)都如此,(手裏沒有硬盤格式分區工具,沒有測試是否可以硬盤分區。)官方發行版說不支持超過2G內存,於是安裝係統時先卸下2G內存,待安裝完畢在請求支持超過2G內存的內核安裝後就可以支持4G內存了,倘如日後全新安裝係統不使用hugemem而使用默認的smp內核也能識別4G內存,更不會出現藍屏問題。關於之中奧妙,還沒有仔細研究過。。。。
#rpm –ivh kernel-elhugemem….rpm
修改啟動文件grub.conf確保新安裝的內核為優先啟動.
#cat /etc/grub.conf
////////////////////////////////////////////////////////////////////
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/sda8
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.9-22.ELhugemem)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.ELhugemem ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.ELhugemem.img
title Red Hat Enterprise Linux AS (2.6.9-22.ELsmp)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.ELsmp ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.6.9-22.EL)
root (hd0,1)
kernel /vmlinuz-2.6.9-22.EL ro root=LABEL=/ rhgb quiet
initrd /initrd-2.6.9-22.EL.img
////////////////////////////////////////////////////////////////////////////////////////////////
如果hiddenmenu
下麵的內容順序不對,請修改default=x(x對應ELhugemem項)
重啟並加載另外2G內存.
這樣讓係統支持4G內存的正常運行.
2)係統安裝完畢請 作連接: #ln –s /tmp /temp
3.配置DNS
由於要南北互通,開源得隻有使用view的ACL訪問控製列表文件來實現多線路的自動導向.
(當然也有其他的商業解決辦法,比如智能路由與交換機的設置來實現,我們這裏使用開源的而且容易實現與調整的解決軟件bind)
關於view的ACL獲得辦法有很多途徑,這裏不一一商討.
具體架設參考如下
默認安裝的bind為9係列的,已經支持view,配置分為三步驟分別如下所示.
(1)修改named.conf
(2)創建與配置hosts
(3)域名解析
#vi /etc/named.conf
////////////////////////文件內容開始///////////////////
//
// named.conf for Red Hat caching-nameserver
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";
//modify by mingfu 060404
acl "CNC" {
58.16.0.0/16;
58.17.0.0/17;
58.17.128.0/17;
58.18.0.0/16;
58.19.0.0/16;
58.20.0.0/16;
58.21.0.0/16;
58.22.0.0/15;
58.240.0.0/15;
58.242.0.0/15;
58.244.0.0/15;
58.246.0.0/15;
58.248.0.0/13;
60.0.0.0/13;
60.8.0.0/15;
60.10.0.0/16;
60.11.0.0/16;
60.12.0.0/16;
60.13.0.0/18;
60.13.128.0/17;
60.14.0.0/15;
60.16.0.0/13;
60.24.0.0/14;
60.30.0.0/16;
60.31.0.0/16;
60.208.0.0/13;
60.216.0.0/15;
60.218.0.0/15;
60.220.0.0/14;
61.48.0.0/13;
61.133.0.0/17;
61.134.96.0/19;
61.134.128.0/17;
61.135.0.0/16;
61.137.128.0/17;
61.138.0.0/17;
61.138.128.0/18;
61.139.128.0/18;
61.148.0.0/15;
61.156.0.0/16;
61.159.0.0/18;
61.161.0.0/18;
61.161.128.0/17;
61.162.0.0/16;
61.163.0.0/16;
61.167.0.0/16;
61.168.0.0/16;
61.176.0.0/16;
61.179.0.0/16;
61.181.0.0/16;
61.182.0.0/16;
61.189.0.0/17;
125.32.0.0/16;
125.40.0.0/13;
202.96.0.0/18;
202.96.64.0/21;
202.96.72.0/21;
202.97.128.0/18;
202.97.224.0/21;
202.97.240.0/20;
202.98.0.0/21;
202.98.8.0/21;
202.99.64.0/19;
202.99.96.0/21;
202.99.128.0/19;
202.99.160.0/21;
202.99.168.0/21;
202.99.176.0/20;
202.99.208.0/20;
202.99.224.0/21;
202.99.232.0/21;
202.99.240.0/20;
202.102.128.0/21;
202.102.224.0/21;
202.102.232.0/21;
202.106.0.0/16;
202.107.0.0/17;
202.108.0.0/16;
202.110.0.0/17;
202.111.128.0/18;
203.93.8.0/24;
203.93.192.0/18;
210.13.128.0/17;
210.14.160.0/19;
210.14.192.0/19;
210.15.32.0/19;
210.15.96.0/19;
210.15.128.0/18;
210.21.0.0/16;
210.52.128.0/17;
210.53.0.0/17;
210.53.128.0/17;
210.74.96.0/19;
210.74.128.0/19;
210.82.0.0/15;
218.8.0.0/14;
218.12.0.0/16;
218.21.128.0/17;
218.24.0.0/14;
218.56.0.0/14;
218.60.0.0/15;
218.67.128.0/17;
218.68.0.0/15;
218.104.0.0/14;
219.154.0.0/15;
219.156.0.0/15;
219.158.0.0/17;
219.158.128.0/17;
219.159.0.0/18;
220.252.0.0/16;
221.0.0.0/15;
221.2.0.0/16;
221.3.0.0/17;
221.3.128.0/17;
221.4.0.0/16;
221.5.0.0/17;
221.5.128.0/17;
221.6.0.0/16;
221.7.0.0/19;
221.7.32.0/19;
221.7.64.0/19;
221.7.96.0/19;
221.8.0.0/15;
221.10.0.0/16;
221.11.0.0/17;
221.11.128.0/18;
221.11.192.0/19;
221.12.0.0/17;
221.12.128.0/18;
221.13.0.0/18;
221.13.64.0/19;
221.13.96.0/19;
221.13.128.0/17;
221.14.0.0/15;
221.192.0.0/15;
221.194.0.0/16;
221.195.0.0/16;
221.196.0.0/15;
221.198.0.0/16;
221.199.0.0/19;
221.199.32.0/20;
221.199.128.0/18;
221.199.192.0/20;
221.200.0.0/14;
221.204.0.0/15;
221.206.0.0/16;
221.207.0.0/18;
221.207.64.0/18;
221.207.128.0/17;
221.208.0.0/14;
221.212.0.0/16;
221.213.0.0/16;
221.216.0.0/13;
222.128.0.0/14;
222.132.0.0/14;
222.136.0.0/13;
222.160.0.0/15;
222.162.0.0/16;
222.163.0.0/19;
222.163.32.0/19;
222.163.64.0/18;
222.163.128.0/17;
};
view "view_cnc" {
match-clients { CNC; };
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/cnc.def";
};
view "view_any" {
match-clients { any; };
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
};
include "master/telecom.def";
};
////////////////////////文件內容結束///////////////////
#mkdir /var/named/master
#mkdir /var/named/master/cnc
#mkdir /var/named/master/telecom
#touch /var/named/master/cnc.def
#touch /var/named/master/telecom.def
說明:關於如何進行域名解析配置:
@Zone區文件配置:
Master/Cnc.def 網通
Master/Telecom.def 電信
*.def文件裏麵為解析域名的zone配置區設置部分.
@Hosts 區文件配置
Master/Cnc 網通
Master/Telecom 電信
下麵以解析www.xxxx.com為例
#vi /var/named/master/cnc.def
////////////////////////文件內容開始///////////////////
zone "xxxx.com" {
type master;
file "master/cnc/xxxx.com";
};
////////////////////////文件內容結束///////////////////
#vi /var/named/master/telecom.def
////////////////////////文件內容開始///////////////////
zone "xxxx.com" {
type master;
file "master/telecom/xxxx.com";
};
////////////////////////文件內容結束///////////////////
#vi /var/named/master/cnc/xxxx.com
////////////////////////文件內容開始///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(
2005121013 ;Serial
3600 ; Refresh ( seconds )
900 ; Retry ( seconds )
68400 ; Expire ( seconds )
15 );Minimum TTL for Zone ( seconds )
;
@ IN NS ns.xxxx.com.
@ IN MX xxxx.com.
;;ip for cnc
@ IN A x.x.x.x(網通IP)
www IN A x.x.x.x(網通IP)
////////////////////////文件內容結束///////////////////
#vi /var/named/master/telecom/xxxx.com
////////////////////////文件內容開始///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(
2005121013 ;Serial
3600 ; Refresh ( seconds )
900 ; Retry ( seconds )
68400 ; Expire ( seconds )
15 );Minimum TTL for Zone ( seconds )
;
@ IN NS ns.xxxx.com.
@ IN MX xxxx.com.
;;ip for telecom
@ IN A x.x.x.x(電信IP)
www IN A x.x.x.x(電信IP)
////////////////////////文件內容結束///////////////////
客服端測試:
nslookup --type=a xxxx.com x.x.x.x(網通任意一個DNS服務器IP)
nslookup --type=a xxxx.com x.x.x.x(電信任意一個DNS服務器IP)
看到的為配置文件中對應ip則解析配置正常.
注意:
上麵的xxxxx.com需要修改DNS解析服務器為
ns.xxxxx.com
對應IP為:網通IP.
備注:
1).在這裏做了網通與非網通的訪問控製,用於實現南北互通,如要國內外互通,需要在列出一個相應的訪問控製列表ACL就可以實現了.
2).關於使用tar包編譯安裝請參看:
https://www.mingfor.com/forum/showthread.php?tid=94
4.配置LAJO
軟件:
Apache2.0.58
JBOSS.4.0.3SP1
Oracle9.2.0.4
Mod-jk1.12
配置:
1)apache+mod-jk
#tar zxvf httpd-2.0.58.tar.gz
#cd httpd-2.0.58
#./configure --enable-MODULE=shared --enable-so --with-mpm=worker
#make&&make install
#tar zxvf jakarta-tomcat-connectors-1.2.14.1-src.tar.gz
#cd /home/software/jakarta-tomcat-connectors-1.2.14.1-src/jk/native
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
#make
# cp ./apache-2.0/mod_jk.so /usr/local/apache2/modules
httpd.conf的修改
該文件的路徑位於$APACHE-HOME/conf
上述編譯過程中我們選用的worker模式,因此我們將修改worker模塊的配置
<IfModule worker.c>
StartServers 4 #最初建立進程的數量
ServerLimit 24 #進程建立的最大數量,硬限製
ThreadLimit 128 #每一進程能創建線程的最大數量,硬限製,該參數建議#和ThreadsPerChild一致,如果ThreadLimit > ThreadsPerChild的話,會造成不##必要的內存消耗。
MaxClients 3072 #同時可以得到處理的客戶端的最大數量
MinSpareThreads 100 #所有進程中空閑線程的總數最小數值
MaxSpareThreads 200 #所有進程中空閑線程的總數最大數值
ThreadsPerChild 128 #每個子進程可以建立的固定數量的線程
MaxRequestsPerChild 0 #用於控製服務器建立和結束進程的頻率,為0表示沒有#限製,但在solaris OS下該值可能會出錯,可以設置為1000或2000。根據係統#的並發負載吧。
</IfModule>
同時修改與新增httpd.conf如下內容:
Include conf/mod_jk2.conf
User xxxx
Group 5dxc
DocumentRoot "/site"
<Directory "/site">
NameVirtualHost IP:80
<VirtualHost IP:80>
ServerAdmin foway@163.com
DocumentRoot /site
ServerName IP
ErrorLog logs/ip-error_log
CustomLog logs/ip-access_log common
</VirtualHost>
<VirtualHost IP:82>
ServerAdmin foway@163.com
DocumentRoot /var/www/html
ServerName admin.xxxx.com
ErrorLog logs/ip-error_log
CustomLog logs/ip-access_log common
</VirtualHost>
#vi $APACHE-HOME/conf/mod_jk2.conf
////////////////////////文件內容開始///////////////////
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers2.properties
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
JkMount /* loadbalancer
#apache will serve the static picture.
#以下命令意味著所有的圖片與htm,css,js頁麵將由APACHE解析其它交由jboss處理
JkUnMount /*.jpg loadbalancer
JkUnMount /*.gif loadbalancer
JkUnMount /*.swf loadbalancer
JkUnMount /*.bmp loadbalancer
JkUnMount /*.png loadbalancer
JkUnMount /*.js loadbalancer
JkUnMount /*.css loadbalancer
JkUnMount /*.htm loadbalancer
////////////////////////文件內容結束///////////////////
#vi $APACHE-HOME/conf/ uriworkermap.properties
////////////////////////文件內容開始///////////////////
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
////////////////////////文件內容結束///////////////////
#vi $APACHE-HOME/conf/uriworkermap.properties
////////////////////////文件內容開始///////////////////
worker.list=loadbalancer,status
worker.node1.port=8009
worker.node1.host=192.168.0.192(請填寫服務器的IP)
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
////////////////////////文件內容結束///////////////////
注意:如果需要負載:修改
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node1.cachesize=10
為:
worker.node2.port=8009
worker.node2.host=IP(進行負載的IP地址)
worker.node2.type=ajp13
worder.node2.lbfactor=1
worker.node2.cachesize=10
備注:如果要進行更多的負載….
修改:
worker.noden.port=8009
worker.noden.host=IP(進行負載的IP地址)
worker.noden.type=ajp13
worder.noden.lbfactor=1
worker.noden.cachesize=10
worker.loadbalancer.balance_workers=node1,node2,noden
2)jboss
jboss安裝.
Jboss4.0.3sp1 解壓到/site/jboss目錄下….
…./ deploy/jbossweb-tomcat55.sar/server.xml中,找8080,修改為8088
Jdk環境變量設定:
Jdk安裝:
#chmod 755 jdk-1_5_0_06-linux-i586.bin
#./jdk-1_5_0_06-linux-i586.bin
Java參數設置:
#ln –s /usr/local/jdk1.5.0_06 /usr/local/jdk
如果你下載的是rpm包請如下操作
#./jdk-1_5_0_06-linux-i586.rpm.bin
#rpm jdk-1_5_0_06-linux-i586.rpm
# ln –s /usr/ jdk1.5.0_06 /usr/local/jdk
#vi /etc/profile.d/java.sh
////////////////////////文件內容///////////////////
JAVA_HOME=/usr/local/jdk
PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin
export JAVA_HOME PATH
////////////////////////文件內容///////////////////
3) apache+jboos服務啟動問題
apache+jboss整合配置已完畢.下麵是啟動這些服務了.
..用戶與權限分配
groupadd –g 5500 xxxx
adduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g xxxx xxxx
修改/etc/passwd文件中的xxxx用戶中的”/bin/false”為”/bin/bash”,以便於以後jboss使用.當然你也可以這樣做:
adduser -u 5500 -s /bin/bash -d /bin/null -c "proftpd user" -g xxxx xxxx
chown xxxx /site/* –R
chgrp xxxx /site/* -R
chmod 755 /site/* -R
..服務啟動
添加如下內容到/etc/rc.local
/usr/local/apache2/bin/apachectl start
/etc/init.d/jboss start
#vi /etc/init.d/jboss
////////////////////////文件內容開始///////////////////
#/etc/init.d/jboss
/etc/rc.d/init.d/functions
JBOSS_HOME=/site/jboss
export JBOSS_HOME
JAVA_HOME=/usr/local/jdk
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export CLASSPATH
prog="jboss"
start()
{
#Input the jbos Service log into jboss.log
echo "Jboss4.0.3SP1 Service Starting........" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
date "+%Y-%m-%d %A %T :Jboss Service start" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
su - xxxx -c $JBOSS_HOME/bin/run.sh & >>/var/log/xxxx/jboss.log
touch /var/log/xxxx/jboss.log
}
#Function stop,Stop the Jboss Service auto
#when the Linux Halt
stop()
{
#Input the jboss Service log into jboss.log
echo "jboss Service Stopping........" >>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
date "+%Y-%m-%d %A %T :jboss Service Stop">>/var/log/xxxx/jboss.log
echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
su - xxxx -c “$JBOSS_HOME/bin/shutdown.sh –S”>>/var/log/xxxx/jboss.log
}
case $1 in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
;;
status)
status $prog
;;
*)
echo "Please Input start|stop|restart|reload|status"
return 1
esac
////////////////////////文件內容結束///////////////////
注意:
請賦予jboos的執行權限:chmod 755 /etc/init.d/jboss
請注意xxxx用戶是沒有設置密碼的,確保使用xxxx用戶是無法登錄的,隻有root可以切換到該用戶環境中去的:#su – xxxx…..
4)oracle安裝與啟動
創建相關安裝目錄和環境變量
1,創建user/group;
#groupadd dba
#groupadd oinstall
#useradd oracle -g oinstall -G dba
#passwd oracle
2,建立oracle安裝文件夾;
# mkdir -p /opt/ora9/product/9.2.0.4
# mkdir /var/opt/oracle
# chmod oracle.dba /var/opt/oracle
# chown -R oracle.dba /opt/ora9
3,配置環境變量;
以root用戶登錄,設置root用戶的環境打開.bash_profile文件,將如下內容加入:
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb //此處為你的sid
使用Oracle用戶登陸:
#su – oracle
$vi .bash_profile
以下是配置文件的內容
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb
export ORACLE_TERM=xterm
export LD_ASSUME_KERNEL=2.4.19
export THREADS_FLAG=native
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export NLS_LANG=”American_america.utf8”
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
export PATH
unset USERNAME
4,設置係統參數;
#su – root切換到root用戶
a) 修改#vi /etc/sysctl.conf, 以下是配置文件的內容:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
修改後運行
#sysctl –p
命令使得內核改變立即生效;
注:
一般情況下可以設置最大共享內存為物理內存的一半,如果物理內存是 2G,則可以設置最大共享內存為 1073741824,如上;如物理內存是 1G,則可以設置最大共享內存為 512 * 1024 * 1024 = 536870912;以此類推。
建議永久地增加 shmmax 設置。
sem 4個參數依次為SEMMSL(每個用戶擁有信號量最大數);SEMMNS(係統信號量最大數);SEMOPM(每次semopm係統調用操作數);SEMMNI(係統辛苦量集數最大數).Shmmax 最大共享內存,官方文檔建議是內存的1/2,Shmmni 最小共享內存 4096KB.Shmall 所有內存大小 。
b) 設置oracle對文件的要求:
編輯文件:#vi /etc/security/limits.conf 加入以下語句:
oracle soft nofile 65536
oracle hard nofile 65536
oracle soft nproc 16384
oracle hard nproc 16384
也可以寫成:
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
c) gcc降級
#mv /usr/bin/gcc /usr/bin/gcc34
#ln –s /usr/bin/gcc32 /usr/bin/gcc
#mv /usr/bin/g++ /usr/bin/g++34
#ln –s /usr/bin/g++32 /usr/bin/g++
5,安裝oracle補丁
# cd /opt
#ls compat*.rpm
compat-libcwait-2.0-2.i386.rpm compat-oracle-rhel4-1.0-5.i386.rpm
# rpm -Uvh compat*.rpm
Preparing... ########################################### [100%]
1:compat-libcwait-2.0-2.i386.rpm ##################################### [ 50%]
2:compat-oracle-rhel4-1.0-5.i386.rpm#################################### [100%]
開始安裝Oracle9i
1,解壓下載的安裝文件:
#zcat ship_9204_linux_disk1.cpio.gz | cpio –idmv&&zcat ship_9204_linux_disk2.cpio.gz | cpio –idmv&& zcat ship_9204_linux_disk3.cpio.gz | cpio –idmv
解包和解壓過程中,自動創建了3個包含安裝文件的目錄:
Disk1
Disk2
Disk3
.以oracle用戶登錄係統,進行Oracle的安裝(注意請不要在root登錄中切換到oracle,是以oracle登錄到係統(圖形界麵)):
$ cd Disk1
$ ./runInstaller過一會兒就會出現Oracle的安裝界麵
- Welcome Screen: Click Next
- Inventory Location: Click Next
- Unix Group Name: Use "oinstall" and click Next
When asked to run /tmp/orainstRoot.sh, run it before you click Continue
- At the end of the installation, exit runInstaller.
2.一步一個腳印安裝下去就行了!
3,安裝完後打補丁:
切換到oracle:#su – oracle 首先安裝 opatch.
$cd /opt
$unzip p2617419_210_GENERIC.zip
Archive: p2617419_210_GENERIC.zip
creating: OPatch/
creating: OPatch/docs/
inflating: Opatch/docs/FAQ
......
inflating: README.txt
$export PATH=$PATH:/opt/OPatch:/sbin
(修改PATH時要要包括解壓縮出來的Opatch 和 sbin目錄)
$unzip p3238244_9204_LINUX.zip
$export ORACLE_BASE=/opt/ora9
$export ORACLE_HOME=/opt/ora9/product/9.2.0.4
$ cd 3238244
$opatch apply
出現success的提示就全部安裝成功.
補丁打完後,還要relinked一個.mk文件
$cd $ORACLE_HOME/network/lib
$make -f ins_oemagent.mk install
之後就可以啟動Agent服務了.
4, 最後執行 $dbca 建oracle數據庫
注意:在SID處指定為oradb (與 ORACLE_SID=oradb)中的值一致.
點擊OK,然後退出即可,正常登陸並啟動數據庫的操作。
$ lsnrctl start
$ sqlplus /nolog
SQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL>connect / as sysdba
Connected.
SQL> shutdown immediate 關閉數據庫
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>startup; 啟動數據庫
ORACLE instance started.
Total System Global Area 236000356 bytes
Fixed Size 451684 bytes
Variable Size 201326592 bytes
Database Buffers 33554432 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
5, oracle服務啟動
以root身份進入,編寫以下腳本:
vi /etc/init.d/oracle
////////////內容//////////////////
#!/bin/bash
#start and stop the oracle instance
# chkconfig –level 5 --add ora9i
#chkconfig: 345 91 19
# description: starts the oracle listener and instance
export ORACLE_HOME="/opt/ora9/product/9.2.0.4"
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATH
export ORACLE_OWNER="oracle"
export ORACLE_SID=oradb
if [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]
then
echo "oracle startup:cannot start"
exit 1
fi
case "$1" in
start)
#startup the listener and instance
echo -n "oracle startup: "
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstart
touch /var/lock/subsys/oracle
echo "finished"
;;
stop)
# stop listener, apache and database
echo -n "oracle shutdown:"
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshut
rm -f /var/lock/subsys/oracle
echo "finished"
;;
reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: ora9i [start|stop|reload|restart]"
exit 1
esac
exit 0
////////////內容//////////////////
給予執行權限,以root身份運行/etc/rc.d/init.d/oracle start |stop 來管理oracle的啟動和停止了。如果要將這個腳本加入到係統中使其可開機運行(不過官方是不建議開機自動運行的,我本人也不建議這樣做,你確實需要可以這麼做),那麼要運行以下命令:chkconfig --level 35 --add oracle
或者以root用戶執行如下命令:
#chmod a+x /etc/rc.d/init.d /oracle
#cd /etc/rc.d/rc5.d
#ln -s /etc/rc.d/init.d/oracle S99ora9i
#cd /etc/rc.d/rc0.d
#ln -s /etc/rc.d/init.d/oracle K99ora9i
也可如下自啟動oracle9i!
在/etc/rc.d/rc.local中加入如下:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
注意:如果啟動不理想,請編寫shell scripts:
方法:以我個人習慣為例;;;;;;;;;;
#mkdir /usr/local/syscmf
#vi /usr/local/syscmf/oracle.sh
////////////////////////文件內容開始///////////////////
#!/bin/sh
#modify by mingfu 060404
#oracle run scripts
#run user for oracle
lsnrctl start
expect /usr/local/syscmf/oracle.exp
////////////////////////文件內容結束///////////////////
#vi /usr/local/syscmf/oracle.exp
////////////////////////文件內容開始///////////////////
#!/usr/local/bin/expect
#modify by mingfu 060404
#oracle run scripts
set timeout 120
spawn sqlplus //nolog
expect "SQL/>"
send "conn // as sysdba/r"
expect "SQL/>"
send "startup/r"
expect "SQL/>"
send "exit/r"
exit
////////////////////////文件內容結束///////////////////
#chown oracle /usr/local/syscmf/*
#chgrp oracle /usr/local/syscmf./*
#chmod 755 /usr/local/syscmf/*
在/etc/rc.local中新增如下內容:
su – oracle /usr/local/syscmf/oracle.sh
刪除原來的:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
6, 關於數據庫刪除重新安裝的問題:
把ORACLE安裝目錄刪除及/etc/ora*.*刪除就行了
#rm –f /etc/ora*.*
7,關於在LINUX中運行管理軟件$oemapp
#su – oracle
$oemapp console
8, 中文顯示不正常解決辦法
Oracle目前缺省安裝的字符集是WE8MSWIN1252,不是中文字符集,並且不能通過直接運行 alter database character set ZHS16GBK ; 來修改,因為ZHS16GBK不是缺省字符集的超集。過去流傳很廣的直接修改sys用戶下的PROPS$表的方法,也會給字符集的變更留下很多潛在的問題.
linux下進行如下的操作來修改字符集:
sqlplus /nolog
sql>conn / as sysdba
sql>shutdown immediate
sql>startup mount
sql>alter system enable restricted session ;
sql>alter system set JOB_QUEUE_PROCESSES=0;
sql>alter system set AQ_TM_PROCESSES=0;
sql>alter database open ;
sql>alter database character set internal_use ZHS16GBK ;
sql>shutdown immediate
sql>startup
這樣字符集的修改就完成了(如果你在安裝時選擇了中文字符集,這裏就不用修改了)
LAJO服務環境配置完畢.
5.配置LAMP
係統自帶安裝http+php+mysql軟件包,進行配置如下:
Apache配置
修改/etc/httpd/conf/httpd.conf內容如下:
Listen 82
ServerName 127.0.0.1:82
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
注意:係統已經有兩個httpd服務進程.
用戶分別是:xxxx apache
請確保
/usr/local/apache2/bin/apachectl start
/etc/init.d/httpd start
此兩個服務自啟動.
Mysql設置
Mysql>create ftpdb;
Mysql>grant all privileges on ftpdb.* to ftpuser@localhost identified by “xxxx”;
Mysql>grant all privileges on *.* to root@’%’ identified by “xxxx”;
Mysql>flush privileges;
Mysql>exit
請確保
/etc/init.d/mysqld start
此服務自啟動.
LAMP服務環境配置完畢.
7.配置FTP
配合工程實施與建立ftp帳號相關聯,方便維護與管理,我這裏選擇了Proftpd與數據庫結合的方式來實現的.
創建Ftpdb結構:
Mysql>use ftpdb;
Mysql> CREATE TABLE `ftpgroup` (
`groupname` varchar(16) NOT NULL default '',
`gid` smallint(6) NOT NULL default '5500',
`members` varchar(16) NOT NULL default '',
KEY `groupname` (`groupname`)
) ;
Mysql> CREATE TABLE `ftpquotalimits` (
`name` varchar(30) default NULL,
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`per_session` enum('false','true') NOT NULL default 'false',
`limit_type` enum('soft','hard') NOT NULL default 'soft',
`bytes_in_avail` float NOT NULL default '0',
`bytes_out_avail` float NOT NULL default '0',
`bytes_xfer_avail` float NOT NULL default '0',
`files_in_avail` int(10) unsigned NOT NULL default '0',
`files_out_avail` int(10) unsigned NOT NULL default '0',
`files_xfer_avail` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpquotatallies` (
`name` varchar(30) NOT NULL default '',
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`bytes_in_used` float NOT NULL default '0',
`bytes_out_used` float NOT NULL default '0',
`bytes_xfer_used` float NOT NULL default '0',
`files_in_used` int(10) unsigned NOT NULL default '0',
`files_out_used` int(10) unsigned NOT NULL default '0',
`files_xfer_used` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpuser` (
`id` int(10) unsigned NOT NULL auto_increment,
`userid` varchar(32) NOT NULL default '',
`passwd` varchar(32) NOT NULL default '',
`uid` smallint(6) NOT NULL default '5500',
`gid` smallint(6) NOT NULL default '5500',
`homedir` varchar(255) NOT NULL default '',
`shell` varchar(16) NOT NULL default '/sbin/nologin',
`count` int(11) NOT NULL default '0',
`accessed` datetime NOT NULL default '0000-00-00 00:00:00',
`modified` datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (`id`)
) ;
Mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");
Mysql>INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");
Mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");
Mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");
配置proftp:
#tar xzvf proftpd-1.3.0rc5.tar.gz
#cd proftpd-1.3.0rc5
#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
#make&&make install
#mv /etc/local/proftpd/etc/proftpd.conf /etc/local/proftpd/etc/proftpd.confbak
#vi /etc/local/proftpd/etc/proftpd.conf
////////////////////////文件內容///////////////////
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#ServerName "ProFTPD Default Installation"
ServerName "Mingfu's ftp"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 100
MaxLoginAttempts 3
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
DefaultRoot ~
#put the proftpd log files in /var/log/ftp.syslog
#SystemLog /var/log/ftp.syslog
SystemLog /var/log/xxxx/ftp.syslog
#TransferLog log files
TransferLog /var/log/xxxx/ftp.transferlog
MaxHostsPerUser 1 "Sorry, you may not connect more than one time 1."
MaxClientsPerUser 13 "Only one such user at a time 2."
MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3."
#setup the Restart
AllowRetrieveRestart on
RootLogin off
RequireValidShell off
TimeoutStalled 600
MaxClients 2000
AllowForeignAddress on
AllowStoreRestart on
ServerIdent off
DefaultRoot ~ xxxx
#Slow logins
UseReverseDNS off
IdentLookups off
#IdentLookups and tcpwrappers ***
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutIdle 600
SQLAuthTypes Backend Plaintext
SQLAuthenticate users* groups*
# databasename@host database_user user_password
#SQLConnectInfo ftpdb@localhost proftpd password
SQLConnectInfo ftpdb@localhost ftpuser xxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits kb
QuotaShowQuotas on
QuotaLog "/var/log/quota"
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}'AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used+ %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
////////////////////////文件內容///////////////////
在/etc/rc.local文件中新增
/usr/local/proftpd/sbin/proftpd &
LPM配置完畢.
注意:以後添加ftp帳號隻需操作ftpuser表添加相應字段.用戶磁盤限額操作ftpquotalimits表添加相應字段.
Mysql管理win工具推薦:mysql-front
其中遠程連接帳號:
User:root
Host:IP
Pswd:xxxx
(與grant all privileges on *.* to root@’%’ identified by “xxxx”;
中設置的密碼一致) .
架設也可參考如下連接:
https://www.mingfor.com/forum/showthread.php?tid=28
8.配置MAIL
配合jboss工程程序實施與建立MAIL帳號相關聯,方便維護與管理,我這裏選擇了郵件服務器與數據庫結合的方式來實現的.
具體架設參考郵件發送程序,然後來配置郵件服務器,郵件係統的用戶帳號不準創建真實的係統帳號,所有的帳號均建在mysql數據庫中.
具體架設過程略。
架設可參考如下連接:
https://www.mingfor.com/forum/showthread.php?tid=19
https://www.extmail.org
9.安全策略
下麵是一個簡易有效的防火牆設置,隻要沒有固定IP來入侵,服務器均可正常訪問.
因此服務器上線後需要提取服務器通信狀態信息.這裏服務器已進配置好LAMP環境,因此係統監控請安裝CACTI(https://www.cacti.net)軟件來監控.
關於它的安裝方法比較簡單,這裏不一一說明了.
還要時時將#netstat –na|grep SYN的結果中連續15個相同的偽連接給DJOP出係統通信間道.
當有這樣的入侵連接時….
#iptables –A …………..djop(注意請不要將這個寫入到iptables文件中)
下麵是iptables文件的所有內容:
#cat /etc/sysconfig/iptables
////////////////////文件內容////////////////////
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT
#sync flood
-N synfoold
-A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
-A synfoold -p tcp -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold
-N ping
-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A ping -p icmp -j REJECT
-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP
#all ports
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
////////////////////文件內容////////////////////
在/etc/rc.local中新增如下內容:
////////////////////文件內容////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
////////////////////文件內容////////////////////
其中8192=1024*4*2.更多詳情請查閱/proc相關文獻介紹
關於獲取netstat –na|grep SYN_RECV 與TIME_WAIT的腳本:這裏我無法寫下來。隻是原理和主要的代碼告訴大家:
使用 netstat 來統計重複的連線 IP,將這些來自同一 IP 的連線統計一下,
如果超過一個設定值(您自己選擇的!),那麽該 IP 就會被iptables 機製擋掉了!
利用shell script 結合iptables來完成(其中用到的linux命令主要有:netstat awk cut sort)。。。
shell腳本中部分主要代碼:
///////////////////////////////////////
basedir="/usr/local/syscmf"
#=== Part A, about the TIME WAIT signle ===#
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstata
sleep 14s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstatb
sleep 14s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstatc
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | /
awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.now
denyip_netstat=`cat $basedir/netstat-wait.now`
///////////////////////////////////////
basedir="/usr/local/syscmf"
#=== Part A, about the TIME WAIT signle ===#
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstata
sleep 14s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstatb
sleep 14s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstatc
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | /
awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.now
denyip_netstat=`cat $basedir/netstat-wait.now`
#=== Part B, about the SYN RECV signle ===#
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
sleep 12s
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
sleep 12s
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | /
awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.now
denyip_netstat=`cat $basedir/netstat-syn.now`
///////////////////////////////////////
關於防止別人來猜測ssh用戶登錄的密碼,修改默認的ssh端口22為922(與防火牆中規則指定的922相一致.) 修改方法如下:
#vi /etc/ssh/sshd_config
修改:
#Port 22
為:
Port 922
注意:修改後的ssh連接方法:ssh user@ip –p 922
如果你不想指定-p參數,請修改
/etc/ssh/ssh_config的
#Port 22
為:
Port 922
建議將提供服務的服務器中的ssh服務端與客服端的ssh通信端口都修改……
10.測試上線
所有的配置完畢,重啟服務器.測試好準備上線.
注意:以下服務不能重複多次啟動,必須服務在停止的情況下才能啟動,否則會出現啟動錯誤.
#su - oracle usr/local/syscmf/oracle.sh
#/etc/rc.d/init.d/jboss start
關於這兩個服務的啟動用戶與權限:
1.Oracle:
用戶:oracle(可以進行係統登錄)
切忌有關oracle的操作請在oracle用戶環境中進行操作.你實在要在root用戶中操作,請不要忘了#su – oracle –c “lsncrctl start”……..
a.Oracle服務停止:
$sqlplus /nolog
SQL>conn / as sysdba
SQL>shutdown immediate
SQL> exit
$lsnrctl stop
b.Oracle服務啟動:
$lsnrctl start
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup
c.Oracle服務強製啟動:
在oracle服務已進啟動的情況下也可啟動oracle服務.
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup force
如果你要利用我寫的expect自動輸入腳本來啟動,你需要修改,在裏麵加入條件判斷結構.
2.Jboss:
用戶:xxxx (不可以進行係統登錄)
切忌有關jboss的操作請在jboss用戶環境中進行操作.你實在要在root用戶中操作,請不要忘了
#su – xxxx /site/jboss/bin/run.sh
或者
#/etc/init.d/jboss start
a.xxxx用戶環境下:
無法登錄如何使用呢?
遠程文本界麵啟動法:
以root登錄係統:切換root可以登錄到xxxx用戶環境來進入xxxx.
#su – xxxx
Jboos 啟動
$/site/jboss/bin/run.sh
Jboss停止
$/site/jboss/bin/shutdown.sh –S
遠程圖形界麵法:
關於開啟遠程圖形界麵登錄的問題:
隻允許oracle用戶可以遠程圖形界麵登錄,為了便於操作oracle.
下麵是開啟改功能的過程:
#su – oracle
$vncserver
Password:********
Password:********
$exit
$ps –ef|grep vnc
將看到的vnc進程kill -9.
$vi .vnc/xstartup
修改:
twm &
為
gnome-session &
$vncserver
注意:隻允許開啟一個vnc服務進程…..對應的端口為5801
在已進有vncserver啟動的情況下不要在次啟動vncserver服務.否則它將在增加一個vnc服務進程…….
https://ip:5801
輸入密碼即可遠程圖形登錄係統了.
由於是oracle登錄到係統的….要啟動jboss.需要如下操作:
$su –
Password:********
#su – xxxx
Jboos 啟動
$/site/jboss/bin/run.sh
Jboss停止
$/site/jboss/bin/shutdown.sh –S
b.root用戶環境下:
Jboos 啟動
#su – xxxx /site/jboss/bin/run.sh
或者
#service jboss start
或者
#/etc/init.d/jboss start
Jboss停止
#su – xxxx /site/jboss/bin/shutdown.sh –S
或者
#service jboss stop
或者
#/etc/init.d/jboss stop
關於(係統,軟件)日誌分析,根據自己的使用習慣搭建…..
關於係統用戶創建問題,由於係統裏麵創建的xxxx用戶指定了-u=5500.所以在以後創建的係統帳戶id=550X, 這樣會存在安全隱患,所以在創建用戶時請指定id=50x(x=5開始.):例如創建user:
#groupadd –g 505 user
#adduser –u 505 –g user user
注意所有的係統帳號id請不要超過5500.
如有任何不明白請聯係:
鬱悶少年&&二娃家園
https://www.mingfor.com
msn:linux@mingfor.com
QQ:1017785809
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
sleep 12s
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
sleep 12s
netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| /
awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | /
awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.now
denyip_netstat=`cat $basedir/netstat-syn.now`
///////////////////////////////////////
關於防止別人來猜測ssh用戶登錄的密碼,修改默認的ssh端口22為922(與防火牆中規則指定的922相一致.) 修改方法如下:
#vi /etc/ssh/sshd_config
修改:
#Port 22
為:
Port 922
注意:修改後的ssh連接方法:ssh user@ip –p 922
如果你不想指定-p參數,請修改
/etc/ssh/ssh_config的
#Port 22
為:
Port 922
建議將提供服務的服務器中的ssh服務端與客服端的ssh通信端口都修改……
10.測試上線
所有的配置完畢,重啟服務器.測試好準備上線.
注意:以下服務不能重複多次啟動,必須服務在停止的情況下才能啟動,否則會出現啟動錯誤.
#su - oracle usr/local/syscmf/oracle.sh
#/etc/rc.d/init.d/jboss start
關於這兩個服務的啟動用戶與權限:
1.Oracle:
用戶:oracle(可以進行係統登錄)
切忌有關oracle的操作請在oracle用戶環境中進行操作.你實在要在root用戶中操作,請不要忘了#su – oracle –c “lsncrctl start”……..
a.Oracle服務停止:
$sqlplus /nolog
SQL>conn / as sysdba
SQL>shutdown immediate
SQL> exit
$lsnrctl stop
b.Oracle服務啟動:
$lsnrctl start
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup
c.Oracle服務強製啟動:
在oracle服務已進啟動的情況下也可啟動oracle服務.
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup force
如果你要利用我寫的expect自動輸入腳本來啟動,你需要修改,在裏麵加入條件判斷結構.
2.Jboss:
用戶:xxxx (不可以進行係統登錄)
切忌有關jboss的操作請在jboss用戶環境中進行操作.你實在要在root用戶中操作,請不要忘了
#su – xxxx /site/jboss/bin/run.sh
或者
#/etc/init.d/jboss start
a.xxxx用戶環境下:
無法登錄如何使用呢?
遠程文本界麵啟動法:
以root登錄係統:切換root可以登錄到xxxx用戶環境來進入xxxx.
#su – xxxx
Jboos 啟動
$/site/jboss/bin/run.sh
Jboss停止
$/site/jboss/bin/shutdown.sh –S
遠程圖形界麵法:
關於開啟遠程圖形界麵登錄的問題:
隻允許oracle用戶可以遠程圖形界麵登錄,為了便於操作oracle.
下麵是開啟改功能的過程:
#su – oracle
$vncserver
Password:********
Password:********
$exit
$ps –ef|grep vnc
將看到的vnc進程kill -9.
$vi .vnc/xstartup
修改:
twm &
為
gnome-session &
$vncserver
注意:隻允許開啟一個vnc服務進程…..對應的端口為5801
在已進有vncserver啟動的情況下不要在次啟動vncserver服務.否則它將在增加一個vnc服務進程…….
https://ip:5801
輸入密碼即可遠程圖形登錄係統了.
由於是oracle登錄到係統的….要啟動jboss.需要如下操作:
$su –
Password:********
#su – xxxx
Jboos 啟動
$/site/jboss/bin/run.sh
Jboss停止
$/site/jboss/bin/shutdown.sh –S
b.root用戶環境下:
Jboos 啟動
#su – xxxx /site/jboss/bin/run.sh
或者
#service jboss start
或者
#/etc/init.d/jboss start
Jboss停止
#su – xxxx /site/jboss/bin/shutdown.sh –S
或者
#service jboss stop
或者
#/etc/init.d/jboss stop
關於(係統,軟件)日誌分析,根據自己的使用習慣搭建…..
關於係統用戶創建問題,由於係統裏麵創建的xxxx用戶指定了-u=5500.所以在以後創建的係統帳戶id=550X, 這樣會存在安全隱患,所以在創建用戶時請指定id=50x(x=5開始.):例如創建user:
#groupadd –g 505 user
#adduser –u 505 –g user user
注意所有的係統帳號id請不要超過5500.
如有任何不明白請聯係:
鬱悶少年&&二娃家園
https://www.mingfor.com
msn:linux@mingfor.com
QQ:1017785809
最後更新:2017-04-03 05:38:56