Using Apache's mod_headers and mod_setenvif to strip cookies from static files

Static images normally have no use for cookies, so stripping the Set-Cookie header from static file responses is a good way to speed up a site. With Apache this is done with two modules, mod_headers and mod_setenvif.

First load both modules in httpd.conf, then add the following (SetEnvIf only tests request attributes, never the response MIME type, so image files are matched by their request path):
# mark requests for image files
SetEnvIf Request_URI "\.(gif|jpe?g|png|ico)$" unset-cookie
# and drop any Set-Cookie header from those responses
Header unset Set-Cookie env=unset-cookie

With this in place Apache no longer sends a Set-Cookie header when it serves an image, which saves a little bandwidth and makes the site a bit faster.

Fixing WordPress breaking Apache's mod_status

Today I signed up for a Linode account. I had long known that Linode's Longview is powerful, so I wanted to try it out. After installing it, Longview detected that I was running Apache but showed no details, because my Apache status page was not configured.
So I configured it following the official tutorial, but no matter how I tried to reach it, it would not work. After several attempts and some searching I found that WordPress was the culprit.
WordPress has pretty permalinks (URL rewriting) enabled, so every request, including /server-status, is rewritten to index.php, which yields a 404. The fix is to add this line to WordPress's rewrite rules, ahead of the rewrite to index.php:
RewriteRule ^(server-info|server-status) - [L]
Now when Apache sees a request for server-info or server-status it stops rewriting, so the request is no longer sent to index.php and no longer 404s. Keep the <Location /server-status> block restricted to trusted addresses: the page shows details of the requests in flight.

PS: There was one more small problem during setup: installing perl-DBD-MySQL failed because a dependency could not be found. I solved it with yum --enablerepo=remi install perl-DBD-MySQL.

Linux mount: "already mounted or busy"

Today, while troubleshooting a server, I ran into a strange problem: every attempt to mount a disk failed with:
Mount: /dev/xxx already mounted or /mnt busy
Oddly, neither
df -h
nor
lsof -n
showed anything related: the disk appeared neither mounted nor in use by any process writing to the directory, yet the mount kept failing.
A search turned up a fix:
First run
dmsetup ls
to see whether any Device Mapper entries exist. If the output looks like:
[root@]# dmsetup ls
ddf1_44656c6c202020201028001510281f033832b7a2f6678dab (253, 0)
ddf1_44656c6c202020201028001510281f033832b7a2f6678dab1 (253, 1)
then run
dmsetup remove xxxxxx
twice to delete both mapper entries, and check again:
[root@]# dmsetup ls
No devices found
The disk now mounts without trouble. (Names beginning with ddf1_ mean dmraid has claimed the disk because of leftover DDF fake-RAID metadata, so make sure the disk really is not part of a RAID set before removing the mappings.)

Mounting a Windows shared folder or disk partition on Linux

I had not used Samba for a long time. When I needed to mount a Windows share on Fedora 9 I reached for smbmount, but running it said there was no such command, even though Samba was installed. A quick search showed that smbmount no longer exists from Fedora 9 onwards; CIFS (Common Internet File System) is used instead, which means that on these systems you simply mount with the cifs type to mount a Windows share directly.

Usage:

First create a shared folder named linux on your XP machine

#mount -t cifs -o username=fish,password=fish //192.168.1.10/linux /mnt/linux

That is all it takes; very convenient. Note that a password given on the command line shows up in the shell history and in ps output; mount.cifs also accepts credentials=/path/to/file, where the file (readable only by root) holds username= and password= lines.

To mount a disk partition, share drive D the same way, but make sure the share name uses only English (ASCII) characters

#mount -t cifs -o username=fish,password=fish //192.168.1.10/ld /mnt/d

That works too

To unmount what you mounted:

#umount /mnt/linux

#umount /mnt/d

and you are done

Note:

CIFS is a general-purpose Microsoft protocol; Network Neighborhood on Windows uses CIFS to access other computers.

PSSH, a tool for running commands on many servers in parallel

For one server you ssh in; for several servers you open several windows with several ssh sessions; but what about a great many servers?

One of our Oracle Grid Engine clusters has about 60 Ubuntu servers as execution nodes. They all run identical OS and software configuration (managed by Puppet once in service), and sometimes we need to perform the same operation on all of them. That is exactly where a parallel ssh tool like PSSH fits.

Of course, if Python does not scare you, Fabric can also run tasks across servers.

Download and install pssh:

$ git clone http://code.google.com/p/parallel-ssh/
$ cd parallel-ssh/
$ sudo python setup.py install

Running commands in parallel

First create a server list file containing the hostnames (or IP addresses) of the servers to operate on, then run uptime on all of them: -l sets the login user, -A prompts for the password, -h names the server list file:

$ vi grids
grid01
grid02
grid03
grid04
grid05

$ pssh -i -l root -A -h grids 'uptime'
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 05:42:09 [SUCCESS] grid01
11:42:09 up 620 days, 20:30, 0 users, load average: 6.09, 6.14, 6.13
[2] 05:42:09 [SUCCESS] grid03
11:42:09 up 620 days, 20:29, 0 users, load average: 9.01, 9.04, 9.05
[3] 05:42:09 [SUCCESS] grid05
11:42:09 up 620 days, 20:10, 0 users, load average: 8.46, 8.18, 8.10
[4] 05:42:09 [SUCCESS] grid04
11:42:09 up 620 days, 20:25, 0 users, load average: 6.00, 6.01, 6.05
[5] 05:42:10 [SUCCESS] grid02
11:42:10 up 606 days, 2:07, 0 users, load average: 6.03, 6.02, 6.01

Uploading in parallel

Upload the local file linux-3.14.3.tar.xz to the /tmp directory on every server:

$ pscp -l root -A -h grids linux-3.14.3.tar.xz /tmp/
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 05:56:16 [SUCCESS] grid01
[2] 05:56:16 [SUCCESS] grid03
[3] 05:57:04 [SUCCESS] grid05
[4] 05:57:04 [SUCCESS] grid04
[5] 05:57:05 [SUCCESS] grid02

Downloading in parallel

Download a file from every server to the local machine. Name clashes are not a concern, because pssh creates directories grid01, grid02, …, grid05 for the downloaded files:

$ pslurp -l root -h grids -A /tmp/linux-3.14.3.tar.xz .
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 06:06:01 [SUCCESS] grid01
[2] 06:06:01 [SUCCESS] grid03
[3] 06:06:06 [SUCCESS] grid04
[4] 06:06:06 [SUCCESS] grid02
[5] 06:06:06 [SUCCESS] grid05

$ ls
grid01 grid02 grid03 grid04 grid05 grids linux-3.14.3.tar.xz parallel-ssh

Syncing in parallel

Sometimes we need to keep data (in a directory) on the development machine identical to the data on the servers:

$ prsync -l root -h grids -A -r develop/ /tmp/production/
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 06:12:52 [SUCCESS] grid05
[2] 06:12:52 [SUCCESS] grid01
[3] 06:12:52 [SUCCESS] grid04
[4] 06:12:52 [SUCCESS] grid02
[5] 06:12:52 [SUCCESS] grid03

Changing PHP configuration settings dynamically

We usually change PHP settings in php.ini, but a change there affects every program that uses PHP. What if I want a change to take effect only for one domain?

Using ini_set()
The first thing that comes to mind is calling ini_set() in the script, but that can only change settings whose changeable mode is PHP_INI_USER or PHP_INI_ALL. See the PHP documentation on configuration directive modes for the scope of each setting.

Using php_value
Suppose every request to a URL under wanke.etao.com should automatically load a header.php file, but scripts run from the shell should not load it. This needs the auto_prepend_file setting, whose mode is PHP_INI_PERDIR, so it cannot be set with ini_set(). It can be set with php_value instead.

With Apache + PHP, add the following directive to the Apache configuration:

php_value auto_prepend_file /home/www/wanke.etao.com/header.php

With nginx + PHP, add:

fastcgi_param PHP_VALUE "auto_prepend_file=/home/www/wanke.etao.com/header.php";

Note that if PHP_VALUE is given several times in nginx, the last one overrides the earlier ones. To set several settings, put them in one directive separated by newlines, e.g.:

fastcgi_param PHP_VALUE "auto_prepend_file=/home/www/wanke.etao.com/header.php \n auto_append_file=/home/www/wanke.etao.com/external/footer.php";

PHP documentation on configuration settings:

List of php.ini directives
How to change configuration settings
.user.ini files

Installing PHP 5.4 on CentOS/RHEL 6.2 with YUM

This applies to installing PHP 5.4 on every CentOS 6 and Red Hat Enterprise Linux 6 release; my test environment was 32-bit CentOS 6.

Source: PHP 5.4 on CentOS/RHEL 6.2 via Yum http://www.webtatic.com/packages/php54/

PHP 5.4 was released on 8 May 2012; starting with 5.4.0 PHP gained new features such as:

  • Traits
  • A built-in simple web server
  • Short array syntax
  • Array dereferencing of function return values
  • Magic methods and safe mode finally removed
You can see the changelog here.
We use the Webtatic EL6 YUM repository to install PHP 5.4. First install the Webtatic EL6 repo:
rpm -Uvh http://repo.webtatic.com/yum/el6/latest.rpm
Install PHP 5.4:
yum install php54w

If the installation fails, remove the old PHP first with yum remove php php-* and try again.

Included PHP extension packages:
Package Provides
php54w mod_php
php54w-bcmath
php54w-cli php-cgi, php-pcntl, php-readline
php54w-common php-api, php-bz2, php-calendar, php-ctype, php-curl, php-date, php-exif, php-fileinfo, php-ftp, php-gettext, php-gmp, php-hash, php-iconv, php-json, php-libxml, php-openssl, php-pcre, php-pecl-Fileinfo, php-pecl-phar, php-pecl-zip, php-reflection, php-session, php-shmop, php-simplexml, php-sockets, php-spl, php-tokenizer, php-zend-abi, php-zip, php-zlib
php54w-dba
php54w-devel
php54w-embedded php-embedded-devel
php54w-enchant
php54w-fpm
php54w-gd
php54w-imap
php54w-interbase php_database, php-firebird
php54w-intl
php54w-ldap
php54w-mbstring
php54w-mcrypt
php54w-mssql
php54w-mysql php-mysqli, php_database
php54w-odbc php-pdo_odbc, php_database
php54w-pdo
php54w-pgsql php-pdo_pgsql, php_database
php54w-process php-posix, php-sysvmsg, php-sysvsem, php-sysvshm
php54w-pspell
php54w-recode
php54w-snmp
php54w-soap
php54w-tidy
php54w-xml php-dom, php-domxml, php-wddx, php-xsl
php54w-xmlrpc
php54w-zts
Webtatic only offers this many extensions for PHP 5.3, so PHP 5.4 gets the same set. Other extensions such as opcode caches are not available yet, but Webtatic will try to publish them as soon as possible.
Notes
In the latest version E_ALL in error_reporting now includes E_STRICT, so more warnings and errors are reported. error_reporting is off by default, but when upgrading from an older PHP release php.ini may not be updated, and error_reporting may still be on.
On installing or upgrading to PHP 5.4 on CentOS 5
CentOS 5 is an old release that is used less and less, and porting PHP 5.4 to it would take a lot of work, so it will probably not happen.

Linux host security check

Check the distribution version; some versions carry known vulnerabilities:
/etc/debian_version
/etc/redhat-release
/etc/fedora-release
lsb_release -a  # Ubuntu
Kernel version:
uname -a
Uptime; a long uptime means the kernel has not been upgraded for that long:
uptime  # check last kernel upgrade
Time zone:
cat /etc/timezone
Time service:
ps aux | grep ntp
Time service peer status:
ntpq -p -n
Installed packages; vulnerable versions may turn up here:
dpkg -l

Find setuid executables:
find / -perm -u+s 2>/dev/null
Where logins are logged:
/etc/rsyslog.conf

Network interfaces:
ip addr
Check whether DNS has been changed:
cat /etc/resolv.conf
Check the hosts file:
cat /etc/hosts

TODO: export shell
Check permissions on sensitive files:
/etc/shadow
/etc/shadow.backup
/etc/mysql/my.cnf
backup copies of files

Check programs that run with root privileges (setuid root):
find / -perm -4000 -ls

Check users:
cat /etc/passwd
Check whether any account has uid and gid 0:0; if so, it is root once logged in.
Confirm that accounts that should not log in have /bin/false or /bin/nologin as their shell.

Check the shadow file:
cat /etc/shadow
Password hashes that are plain DES (no $ prefix) or start with $1$ (MD5) are weak and should be changed.
Aside:
While checking a shadow file I came across this line:

root:$6$BPoThzPl$2FDtPs0iYJfIBWVG1Z1BxuzSD7ZYTN.wdjkqyo7R0NlqgRiY9s0qsyQT1PhN.qfLYwYZglpzK72e4sU5Khr1B.:15664:0:99999:7:::

Its user name and password are root:toor
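As an added example (not part of the original checklist), the following script runs the passwd and shadow checks described above against constructed sample files; the account names and hash strings are made up for the demo, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original checklist): runs the passwd/shadow checks
# described above against constructed sample files:
#   - accounts other than root with uid 0 or gid 0
#   - system accounts (uid 1-999) that still have a real login shell
#   - password hashes using DES (no "$" prefix) or MD5 ("$1$")
# The account names and hash strings below are made up for this demo.
DEMO_DIR=$(mktemp -d)
DEMO_PASSWD="$DEMO_DIR/passwd"
DEMO_SHADOW="$DEMO_DIR/shadow"

cat > "$DEMO_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
ftp:x:111:65534::/srv/ftp:/bin/bash
toor:x:0:0:hidden root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

cat > "$DEMO_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedsha512hash:15664:0:99999:7:::
toor:$1$constsalt$constructedmd5hash:15664:0:99999:7:::
ftp:AbCdEfGhIjKlM:15664:0:99999:7:::
alice:$6$constructedsalt$anotherconstructedhash:15664:0:99999:7:::
daemon:*:15664:0:99999:7:::
EOF

# uid_zero_accounts PASSWD: every account other than root whose uid or gid is 0
uid_zero_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# system_accounts_with_shell PASSWD: uid 1-999 accounts whose shell is neither
# /bin/false nor a nologin binary; such accounts should not be able to log in
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(\/bin\/false|nologin)$/ { print $1 ":" $7 }' "$1"
}

# weak_hashes SHADOW: accounts whose hash is DES ("user:des") or MD5 ("user:md5");
# locked (*, !...) and empty password fields are skipped
weak_hashes() {
    awk -F: '{
        h = $2
        if (h == "" || h ~ /^[*!]/) next
        if (h ~ /^\$1\$/) print $1 ":md5"
        else if (h !~ /^\$/) print $1 ":des"
    }' "$1"
}

echo "uid/gid 0 accounts besides root:"; uid_zero_accounts "$DEMO_PASSWD"
echo "system accounts with a login shell:"; system_accounts_with_shell "$DEMO_PASSWD"
echo "DES/MD5 password hashes:"; weak_hashes "$DEMO_SHADOW"
```

Point the three functions at the real /etc/passwd and /etc/shadow (as root) to run the same checks on a live host.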

Check the permissions on chown and chmod; ordinary users should not be able to run these two commands.

Check the sudo configuration:
egrep -v '^#|^$' /etc/sudoers

Open ports and the processes behind them:
# lsof -i TCP -n -P
# lsof -i UDP -n -P

Disable root login over ssh:
echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
Force ssh protocol version 2:
echo 'Protocol 2' >> /etc/ssh/sshd_config
(sshd uses the first value it finds for each keyword, so if sshd_config already sets PermitRootLogin or Protocol, edit that line instead of appending; then reload sshd.)

If MySQL does not need to be reachable remotely, bind it to 127.0.0.1:
cat /etc/mysql/my.cnf
[mysqld]
bind-address = 127.0.0.1

Log in to MySQL:

mysql -u root  # is there a host with no root password?

MySQL version:

select @@version;

MySQL users and password hashes:

select Host, User, Password from mysql.user;

Compute the MySQL hash of a password:

select password('admin');

Users with the FILE privilege (can write files on the server):

SELECT user, file_priv FROM mysql.user WHERE file_priv='Y';

Check which user Apache runs as:
ps aux | grep apache
It can also be found in the Apache configuration:

# cat /etc/apache2/envvars
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

Confirm the file permissions under the web root:

# ls -lR /var/www/
/var/www/wordpress/:
total 125
-rwxrwxrwx 1 www-data www-data 395 Jul 11 07:02 index.php
-rwxrwxrwx 1 www-data www-data 19929 Jul 11 07:02 license.txt

In this example the permissions should be changed to -rwxr--r--

Stop Apache from reporting its version in HTTP headers; on Debian the setting lives here (printf is used because a plain echo does not interpret \n, and Apache directives take no trailing semicolon):

# printf 'ServerTokens Prod\nServerSignature Off\n' >> /etc/apache2/conf.d/security

Disable directory listing (remove Indexes from the Options line):
cat /etc/apache2/sites-enabled/000-default

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
deny from all

PHP settings:
display_errors Off
error_reporting E_ALL
log_errors On
safe_mode On (removed in PHP 5.4, see the PHP 5.4 notes above)
Disable the functions eval, exec, passthru, shell_exec, system, proc_open, popen.
allow_url_ Off.

9 Awesome SSH Tricks

Sorry for the lame title. I was thinking the other day, about how awesome SSH is, and how it’s probably one of the most crucial pieces of technology that I use every single day. Here’s a list of 10 things that I think are particularly awesome and perhaps a bit off the beaten path.

Update: (2011-09-19) There are some user-submitted ssh-tricks on the wiki now! Please feel free to add your favorites. Also the hacker news thread might be helpful for some.

SSH Config

I used SSH regularly for years before I learned about the config file, which you can create at ~/.ssh/config to tell ssh how you want it to behave.

Consider the following configuration example:

  Host example.com *.example.net
     User root
  Host dev.example.net dev.example.net 
     User shared
     Port 220 
  Host test.example.com 
     User root
     UserKnownHostsFile /dev/null
     StrictHostKeyChecking no
  Host t
     HostName test.example.org
  Host *
     Compression yes
     CompressionLevel 7
     Cipher blowfish
     ServerAliveInterval 600
     ControlMaster auto
     ControlPath /tmp/ssh-%r@%h:%p

I’ll cover some of the settings in the “Host *” block, which apply to all outgoing ssh connections, in other items in this post, but basically you can use this to create shortcuts with the ssh command, to control what username is used to connect to a given host, what port number, if you need to connect to an ssh daemon running on a non-standard port. See “man ssh_config” for more information.

Control Master/Control Path

This is probably the coolest thing that I know about in SSH. Set the “ControlMaster” and “ControlPath” as above in the ssh configuration. Anytime you try to connect to a host that matches that configuration a “master session” is created. Then, subsequent connections to the same host will reuse the same master connection rather than attempt to renegotiate and create a separate connection. The result is greater speed and less overhead.

This can cause problems if you want to do port forwarding, as this must be configured on the original connection, otherwise it won’t work.

SSH Keys

While ControlMaster/ControlPath is the coolest thing you can do with SSH, key-based authentication is probably my favorite. Basically, rather than force users to authenticate with passwords, you can use a secure cryptographic method to gain (and grant) access to a system. Deposit a public key on servers far and wide, while keeping a “private” key secure on your local machine. And it just works.

You can generate multiple keys, to make it more difficult for an intruder to gain access to multiple machines by breaching a specific key, or machine. You can specify specific keys and key files to be used when connecting to specific hosts in the ssh config file (see above). Keys can also be (optionally) encrypted locally with a pass-code, for additional security. Once I understood how secure the system is (or can be), I found myself thinking “I wish you could use this for more than just SSH.”

SSH Agent

Most people start using SSH keys because they’re easier and it means that you don’t have to enter a password every time that you want to connect to a host. But the truth is that in most cases you don’t want to have unencrypted private keys that have meaningful access to systems, because once someone has access to a copy of the private key they have full access to the system. That’s not good.

But the truth is that typing in passwords is a pain, so there’s a solution: the ssh-agent. Basically one authenticates to the ssh-agent locally, which decrypts the key and does some magic, so that whenever the key is needed for connecting to a host you don’t have to enter your password. ssh-agent manages the local encryption on your key for the current session.

SSH Reagent

I’m not sure where I found this amazing little function but it’s great. Typically, ssh-agents are attached to the current session, like the window manager, so that when the window manager dies, the ssh-agent loses the decrypted bits from your ssh key. That’s nice, but it also means that if you have some processes that exist outside of your window manager’s session (e.g. Screen sessions) they lose the ssh-agent and get trapped without access to an ssh-agent, so you end up having to restart would-be-persistent processes, or you have to run a large number of ssh-agents, which is not ideal.

Enter “ssh-reagent.” Stick this in your shell configuration (e.g. ~/.bashrc or ~/.zshrc) and run ssh-reagent whenever you have an agent session running and a terminal that can’t see it.

  ssh-reagent () {
          # Try every agent socket left behind by earlier sessions until one answers.
          for agent in /tmp/ssh-*/agent.*; do
                 [ -S "$agent" ] || continue   # skip the unexpanded glob when no sockets exist
                 export SSH_AUTH_SOCK=$agent
                 # silence both stdout and stderr while probing the agent
                 if ssh-add -l > /dev/null 2>&1; then
                         echo Found working SSH Agent:
                         ssh-add -l
                         return
                 fi
         done
         echo Cannot find ssh agent - maybe you should reconnect and forward it?
  }

It’s magic.

SSHFS and SFTP

Typically we think of ssh as a way to run a command or get a prompt on a remote machine. But SSH can do a lot more than that, and the OpenSSH package, probably the most popular implementation of SSH these days, has a lot of features that go beyond just “shell” access. Here are two cool ones:

SSHFS creates a mountable file system using FUSE of the files located on a remote system over SSH. It’s not always very fast, but it’s simple and works great for quick operations on local systems, where the speed issue is much less relevant.

SFTP replaces FTP (which is plagued by security problems) with a similar tool for transferring files between two systems that’s secure (because it works over SSH) and is just as easy to use. In fact most recent OpenSSH daemons provide SFTP access by default.

There’s more, like a full VPN solution in recent versions, secure remote file copy, port forwarding, and the list could go on.

SSH Tunnels

SSH includes the ability to connect a port on your local system to a port on a remote system, so that to applications on your local system the local port looks like a normal local port, but when accessed the service running on the remote machine responds. All traffic is really sent over ssh.

I set up an SSH tunnel for my local system to the outgoing mail server on my server. I tell my mail client to send mail to localhost server (without mail server authentication!), and it magically goes to my personal mail relay encrypted over ssh. The applications of this are nearly endless.

Keep Alive Packets

The problem: unless you’re doing something with SSH it doesn’t send any packets, and as a result the connections can be pretty resilient to network disturbances. That’s not a problem, but it does mean that unless you’re actively using an SSH session, it can go silent causing your local area network’s NAT to eat a connection that it thinks has died, but hasn’t. The solution is to set the “ServerAliveInterval [seconds]” configuration in the SSH configuration so that your ssh client sends a “dummy packet” on a regular interval so that the router thinks that the connection is active even if it’s particularly quiet. It’s good stuff.

/dev/null .known_hosts

A lot of what I do in my day job involves deploying new systems, testing something out and then destroying that installation and starting over in the same virtual machine. So my “test rigs” have a few IP addresses, I can’t readily deploy keys on these hosts, and every time I redeploy SSH’s host-key checking tells me that a different system is responding for the host, which in most cases is the symptom of some sort of security error, and in most cases knowing this is a good thing, but in some cases it can be very annoying.

These configuration values tell your SSH session to save keys to /dev/null (i.e. drop them on the floor) and to not ask you to verify an unknown host:

 UserKnownHostsFile /dev/null
 StrictHostKeyChecking no

This probably saves me a little annoyance and minute or two every day or more, but it’s totally worth it. Don’t set these values for hosts that you actually care about.
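As an added example (not from the original post), here is the gentler alternative for the same test-rig situation: keep those hosts' keys in a dedicated known_hosts file and delete only the stale entry when a rig is redeployed, rather than switching host-key checking off. The forget_host_key helper and the sample file are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post). Rather than pointing UserKnownHostsFile
# at /dev/null and turning StrictHostKeyChecking off, keep the test rigs' keys in a
# dedicated file and delete only the stale entry when a rig is redeployed. A matching
# ~/.ssh/config (constructed) would be:
#   Host *.example.net
#       UserKnownHostsFile ~/.ssh/known_hosts.testrigs
#       HashKnownHosts no
# forget_host_key is a hypothetical helper for plain (unhashed) entries; hashed
# "|1|..." entries are left alone (ssh-keygen -R handles those).

# forget_host_key FILE HOST: drop every entry whose host list (field 1, a
# comma-separated set such as "rig1.example.net,192.0.2.11") names HOST exactly.
forget_host_key() {
    tmp=$(mktemp)
    awk -v host="$2" '
        /^[|#]/ || NF == 0 { print; next }      # keep hashed entries, comments, blanks
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
            if (keep) print
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# key_entries FILE: number of key lines (non-comment, non-blank) in FILE
key_entries() {
    grep -c '^[^#]' "$1"
}

# Constructed sample standing in for ~/.ssh/known_hosts.testrigs; the keys are fake.
DEMO_KNOWN_HOSTS=$(mktemp)
cat > "$DEMO_KNOWN_HOSTS" <<'EOF'
rig1.example.net,192.0.2.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne
rig2.example.net,192.0.2.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo
|1|constructedhashedsalt=|constructedhashedname= ssh-rsa AAAAB3NzaC1yc2EConstructedKeyThree
EOF

# rig1 was redeployed and now presents a new key: forget only its old entry.
forget_host_key "$DEMO_KNOWN_HOSTS" rig1.example.net
echo "entries left: $(key_entries "$DEMO_KNOWN_HOSTS")"
cat "$DEMO_KNOWN_HOSTS"
```

The next connection to rig1 then prompts once for the new key, while every other host in the file keeps full host-key checking.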


I’m sure there are other awesome things you can do with ssh, and I’d love to hear more. Onward and Upward!