2014 Июль | Записки системного администратора

Архивы за месяц Июль, 2014

Установка и настройка Rkhunter на Centos/Debian

Июль 28th, 2014

Evgeniy Kamenev

Установка и настройка Rkhunter на Centos Установка через менеджер пакетов yum 1. Установка через менеджер пакетов yum

# yum  install  rkhunter

1	# yum install rkhunter

Просмотр части файлов, которые создаются при установке rkhunter

# rpm -ql rkhunter-1.4.2-3.el6.noarch | grep "etc\|log"

1	# rpm -ql rkhunter-1.4.2-3.el6.noarch \| grep "etc\\|log"

/etc/cron.daily/rkhunter
/etc/logrotate.d/rkhunter
/etc/rkhunter.conf
/etc/sysconfig/rkhunter
/var/log/rkhunter

/etc/cron.daily/rkhunter

/etc/logrotate.d/rkhunter

/etc/rkhunter.conf

/etc/sysconfig/rkhunter

/var/log/rkhunter

2.Изменяем адрес ,на который будет приходит уведомление в случае появления Warning при проверке

# nano /etc/sysconfig/rkhunter

1	# nano /etc/sysconfig/rkhunter

MAILTO=your@email
DIAG_SCAN=no

1 2	MAILTO=your@email DIAG_SCAN=no

3.Настраиваем конфигурационный файл rkhunter.conf

# cp /etc/rkhunter.conf /etc/rkhunter.conf~

1	# cp /etc/rkhunter.conf /etc/rkhunter.conf~

# nano /etc/rkhunter.conf

1	# nano /etc/rkhunter.conf

MAIL-ON-WARNING=your@email
LOGFILE=/var/log/rkhunter/rkhunter.log
APPEND_LOG=1
ALLOW_SSH_PROT_V1=0
ALLOW_SSH_ROOT_USER=unset
SSH_CONFIG_DIR=/etc/ssh
ENABLE_TESTS=ALL
DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"
PKGMGR=RPM
SUSPSCAN_DIRS=/tmp /var/tmp
SUSPSCAN_MAXSIZE=10240000
SUSPSCAN_THRESH=200

MAIL-ON-WARNING=your@email

LOGFILE=/var/log/rkhunter/rkhunter.log

APPEND_LOG=1

ALLOW_SSH_PROT_V1=0

ALLOW_SSH_ROOT_USER=unset

SSH_CONFIG_DIR=/etc/ssh

ENABLE_TESTS=ALL

DISABLE_TESTS="suspscan deleted_files packet_cap_apps apps"

PKGMGR=RPM

SUSPSCAN_DIRS=/tmp /var/tmp

SUSPSCAN_MAXSIZE=10240000

SUSPSCAN_THRESH=200

[…]

Опубликовано в рубрике Centos, Debian/Ubuntu, Security, Security, Security Tools, System

Метки: rkhunter, security

Комментарии отключены

Оптимизация Nginx+PHP-FPM

Июль 12th, 2014

Evgeniy Kamenev

Оптимизация Nginx 1.Выставляем кол-во процессов Nginx равное кол-ву процессоров в системе.

# cat /proc/cpuinfo | grep processor | wc –l

1	# cat /proc/cpuinfo \| grep processor \| wc –l

# nano /etc/nginx/nginx.conf

1	# nano /etc/nginx/nginx.conf

[...]
worker_processes 1;
worker_priority -3;
[...]

[...]

worker_processes 1;

worker_priority -3;

[...]

Максимальное количество соединений одного рабочего процесса. Следует выбирать значения от 1024 до 4096. Метод выбора соединений . Для Linux – epoll, для FreeBSD — kqueue. Ngix будет принимать максимально возможное количество соединений.

events {
worker_connections 1024;
use epoll;
multi_accept on;
}

events {

worker_connections 1024;

use epoll;

multi_accept on;

}

2. Включаем sendfile, tcp_nopush, tcp_nodelay, отключаем показ версии […]

Опубликовано в рубрике Debian/Ubuntu, Nginx, PHP, PHP, PHP, Web

Метки: APC, Nginx, PHP-FPM

Комментарии отключены

Установка и настройка Nginx+PHP-FPM на Debian

Июль 12th, 2014

Evgeniy Kamenev

Загружаем и устанавливаем ключ, которым подписаны пакеты и репозитарий nginx

# wget http://nginx.org/keys/nginx_signing.key

1	# wget http://nginx.org/keys/nginx_signing.key

# apt-key add nginx_signing.key

1	# apt-key add nginx_signing.key

Добавляем в

/etc/apt/sources.list

1	/etc/apt/sources.list

Для Debian-Wheezy

deb http://nginx.org/packages/debian/  wheezy  nginx
deb-src http://nginx.org/packages/debian/  wheezy  nginx

1 2	deb http://nginx.org/packages/debian/ wheezy nginx deb-src http://nginx.org/packages/debian/ wheezy nginx

Для Debian-Squeeze

deb http://nginx.org/packages/debian/  squeeze  nginx
deb-src http://nginx.org/packages/debian/  sqeeze  nginx

1 2	deb http://nginx.org/packages/debian/ squeeze nginx deb-src http://nginx.org/packages/debian/ sqeeze nginx

# apt-get update

1	# apt-get update

1.Установка и настройка Nginx

# apt-get install nginx

1	# apt-get install nginx

# sysv-rc-conf  --level 2345 nginx on

1	# sysv-rc-conf --level 2345 nginx on

# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf~

1	# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf~

# nano /etc/nginx/nginx.conf

1	# nano /etc/nginx/nginx.conf

user nginx;
worker_processes 1; #число равно количеству процессов на сервере
#cat /proc/cpuinfo | grep processor | wc -l
worker_priority -5;

error_log /var/log/nginx/error.log warn;
pid       /var/run/nginx.pid;

events {
worker_connections 1024;
use epoll;
multi_accept on;
}

http {
include       /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

#access_log /var/log/nginx/access.log main;
access_log off;

#restricting on numbers of connection from one ip-adress
limit_conn_zone $binary_remote_addr zone=connections:10m;
limit_conn_log_level notice;
#limit_conn   connections  15;

#restricting numbers of connection per second from one ip-adress
limit_req_zone $binary_remote_addr zone=requests:10m rate=5r/s;
limit_req_log_level warn;
#limit_req zone=requests burst=10;

sendfile       on;
tcp_nopush     on;
tcp_nodelay     on;
server_tokens   off;
keepalive_timeout 65;
types_hash_max_size 2048;

gzip on;
gzip_static     on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_proxied     any;
gzip_vary       on;
gzip_types     text/plain text/xml application/xml application/x-javascript text/javascript text/css text/json;
gzip_disable   "msie6";

open_file_cache max=5000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_connect_timeout 90;
fastcgi_send_timeout 90;
fastcgi_read_timeout 90;

client_max_body_size 128m;
client_body_buffer_size 16K;

index index.php index.html;
include /etc/nginx/conf.d/*.conf;
}

user nginx;

worker_processes 1; #число равно количеству процессов на сервере

#cat /proc/cpuinfo | grep processor | wc -l

worker_priority -5;

error_log /var/log/nginx/error.log warn;

pid /var/run/nginx.pid;

events {

worker_connections 1024;

use epoll;

multi_accept on;

}

http {

include /etc/nginx/mime.types;

default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for"';

#access_log /var/log/nginx/access.log main;

access_log off;

#restricting on numbers of connection from one ip-adress

limit_conn_zone $binary_remote_addr zone=connections:10m;

limit_conn_log_level notice;

#limit_conn connections 15;

#restricting numbers of connection per second from one ip-adress

limit_req_zone $binary_remote_addr zone=requests:10m rate=5r/s;

limit_req_log_level warn;

#limit_req zone=requests burst=10;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

server_tokens off;

keepalive_timeout 65;

types_hash_max_size 2048;

gzip on;

gzip_static on;

gzip_comp_level 5;

gzip_min_length 1024;

gzip_proxied any;

gzip_vary on;

gzip_types text/plain text/xml application/xml application/x-javascript text/javascript text/css text/json;

gzip_disable "msie6";

open_file_cache max=5000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

fastcgi_buffer_size 128k;

fastcgi_buffers 256 16k;

fastcgi_busy_buffers_size 256k;

fastcgi_temp_file_write_size 256k;

fastcgi_connect_timeout 90;

fastcgi_send_timeout 90;

fastcgi_read_timeout 90;

client_max_body_size 128m;

client_body_buffer_size 16K;

index index.php index.html;

include /etc/nginx/conf.d/*.conf;

}

# nano /etc/nginx/conf.d/default.conf

1	# nano /etc/nginx/conf.d/default.conf

server {
listen       192.168.1.72:80 default_server;
server_name localhost;
root           /usr/share/nginx/html;

location / {
#root   /usr/share/nginx/html;
try_files $uri $uri/ /index.php?$args;
}

error_page   500 502 503 504 /50x.html;
location = /50x.html {
root   /usr/share/nginx/html;
}

location ~ \.php$ {
#root           /usr/share/nginx/html;
try_files $uri =404;
fastcgi_split_path_info ^(.+?\.php)(/.*)?$;
fastcgi_pass   unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include       fastcgi_params;
}

location ~ /\.ht {
deny all;
}

location /nginx_status {
stub_status on;
access_log   off;
allow 127.0.0.1;
allow 192.168.1.0/24;
deny all;
  }

location = /favicon.ico {
log_not_found off;
access_log off;
allow all;
  }

location = /robots.txt {
access_log off;
log_not_found off;
  }
}

server {

listen 192.168.1.72:80 default_server;

server_name localhost;

root /usr/share/nginx/html;

location / {

#root /usr/share/nginx/html;

try_files $uri $uri/ /index.php?$args;

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

root /usr/share/nginx/html;

}

location ~ \.php$ {

#root /usr/share/nginx/html;

try_files $uri =404;

fastcgi_split_path_info ^(.+?\.php)(/.*)?$;

fastcgi_pass unix:/var/run/php5-fpm.sock;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

}

location ~ /\.ht {

deny all;

}

location /nginx_status {

stub_status on;

access_log off;

allow 127.0.0.1;

allow 192.168.1.0/24;

deny all;

}

location = /favicon.ico {

log_not_found off;

access_log off;

allow all;

}

location = /robots.txt {

access_log off;

log_not_found off;

}

Настройка конфигурационных файлов виртуальных хостов Nginx(содержание в конце статьи)

# nano /etc/nginx/conf.d/joomla.uk.conf

1	# nano /etc/nginx/conf.d/joomla.uk.conf

# nano /etc/nginx/conf.d/wordpress.uk.conf

1	# nano /etc/nginx/conf.d/wordpress.uk.conf

# nano /etc/nginx/conf.d/kamaok.uk.conf

1	# nano /etc/nginx/conf.d/kamaok.uk.conf

# nginx –t

1	# nginx –t

# /etc/init.d/nginx restart

1	# /etc/init.d/nginx restart

# tail -f /var/log/nginx/error.log

1	# tail -f /var/log/nginx/error.log

Установка и настройка […]

Опубликовано в рубрике Debian/Ubuntu, PHP, Web

Метки: Debian/Ubuntu, Nginx, PHP-FPM

Комментарии отключены

Настройка fail2ban для защиты Postfix на Centos

Июль 8th, 2014

Evgeniy Kamenev

# yum install fail2ban

1	# yum install fail2ban

# chkconfig --level 235 fail2ban on

1	# chkconfig --level 235 fail2ban on

# nano /etc/fail2ban/fail2ban.conf

1	# nano /etc/fail2ban/fail2ban.conf

[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid

[Definition]

loglevel = 3

logtarget = /var/log/fail2ban.log

socket = /var/run/fail2ban/fail2ban.sock

pidfile = /var/run/fail2ban/fail2ban.pid

 # nano /etc/fail2ban/jail.conf

1	# nano /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1/8  77.120.XXX.YYY/32
bantime = 3600
findtime = 600
maxretry = 5
backend = auto
usedns = warn

ignoreip = 127.0.0.1/8 77.120.XXX.YYY/32

bantime = 3600

findtime = 600

maxretry = 5

backend = auto

usedns = warn

# Для блокировки подбора логина/пароля при использовании SASL-аутентификации

[postfix25-iptables]
enabled = true
filter = postfix-sasl
action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]
sendmail[name=Postfix-smtp, dest=your@email, sender=fail2ban@myserver.com]
logpath = /var/log/maillog
bantime = 86400
maxretry = 3
findtime = 3600

[postfix25-iptables]

enabled = true

filter = postfix-sasl

action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]

sendmail[name=Postfix-smtp, dest=your@email, sender=fail2ban@myserver.com]

logpath = /var/log/maillog

bantime = 86400

maxretry = 3

findtime = 3600

И для блокировки пересылки через Ваш почтовый сервер и др.

[postfix-iptables]
enabled = true
filter = postfix
action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]
sendmail[name=Postfix-smtp, dest=your@email, sender=fail2ban@myserver.com]
logpath = /var/log/maillog
bantime = 86400
maxretry = 3
findtime = 3600

[postfix-iptables]

enabled = true

filter = postfix

action = iptables[name=Postfix-smtp, port=smtp, protocol=tcp]

sendmail[name=Postfix-smtp, dest=your@email, sender=fail2ban@myserver.com]

logpath = /var/log/maillog

bantime = 86400

maxretry = 3

findtime = 3600

# nano /etc/fail2ban/filter.d/postfix-sasl.conf

1	# nano /etc/fail2ban/filter.d/postfix-sasl.conf

# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex =

# Fail2Ban filter for postfix authentication failures

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

ignoreregex =

проверка срабатывания правил

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf

1	# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf

# nano /etc/fail2ban/filter.d/postfix.conf

1	# nano /etc/fail2ban/filter.d/postfix.conf

# Fail2Ban configuration file
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550
reject: RCPT from (.*)\[<HOST>\]: 450
reject: RCPT from (.*)\[<HOST>\]: 554
ignoreregex =

# Fail2Ban configuration file

[Definition]

failregex = reject: RCPT from (.*)\[<HOST>\]: 550

reject: RCPT from (.*)\[<HOST>\]: 450

reject: RCPT from (.*)\[<HOST>\]: 554

ignoreregex =

проверка срабатывания правил

# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

1	# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

Опубликовано в рубрике Centos, Mail

Метки: fail2ban, postfix

Комментарии отключены

Архивы за месяц Июль, 2014

Установка и настройка Rkhunter на Centos/Debian

Оптимизация Nginx+PHP-FPM

Установка и настройка Nginx+PHP-FPM на Debian

Настройка fail2ban для защиты Postfix на Centos

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель