4. Finally run $dbca to create the Oracle database.
Note: enter oradb for the SID (it must match the value in ORACLE_SID=oradb).
Click OK and exit. Then log in normally and start the database:
$ lsnrctl start
$ sqlplus /nolog
SQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL>connect / as sysdba
Connected.
SQL> shutdown immediate          (shut down the database)
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup                     (start the database)
ORACLE instance started.
Total System Global Area 236000356 bytes
Fixed Size 451684 bytes
Variable Size 201326592 bytes
Database Buffers 33554432 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
5. Starting the Oracle service
As root, write the following script:
vi /etc/init.d/oracle
//////////// contents ////////////
#!/bin/bash
#start and stop the oracle instance
# chkconfig --level 35 --add oracle
#chkconfig: 345 91 19
# description: starts the oracle listener and instance
export ORACLE_HOME="/opt/ora9/product/9.2.0.4"
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATH
export ORACLE_OWNER="oracle"
export ORACLE_SID=oradb
if [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]
then
echo "oracle startup:cannot start"
exit 1
fi
case "$1" in
start)
#startup the listener and instance
echo -n "oracle startup: "
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstart
touch /var/lock/subsys/oracle
echo "finished"
;;
stop)
# stop listener, apache and database
echo -n "oracle shutdown:"
su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"
su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshut
rm -f /var/lock/subsys/oracle
echo "finished"
;;
reload|restart)
$0 stop
$0 start
;;
*)
echo "Usage: oracle [start|stop|reload|restart]"
exit 1
esac
exit 0
//////////// contents ////////////
Give it execute permission; then, as root, /etc/rc.d/init.d/oracle start|stop manages starting and stopping Oracle. To register the script so that it runs at boot (Oracle does not recommend starting the database automatically at boot, and neither do I, but if you really need it you can), run: chkconfig --level 35 --add oracle
Or, as root, run the following:
#chmod a+x /etc/rc.d/init.d/oracle
#cd /etc/rc.d/rc5.d
#ln -s /etc/rc.d/init.d/oracle S99ora9i
#cd /etc/rc.d/rc0.d
#ln -s /etc/rc.d/init.d/oracle K99ora9i
Oracle 9i can also be auto-started like this:
Add the following to /etc/rc.d/rc.local:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart"
(Use the ORACLE_HOME actually installed on the machine; the init script above uses /opt/ora9/product/9.2.0.4. In 9.2, dbstart takes no argument and only starts the instances whose /etc/oratab line ends in :Y, so check that line first if nothing comes up.)
Note: if this does not start cleanly, write shell scripts instead.
Method, following my own habit:
#mkdir /usr/local/syscmf
#vi /usr/local/syscmf/oracle.sh
//////////////////////// file contents start ///////////////////
#!/bin/sh
#modify by mingfu 060404
#oracle run script
#run as the oracle user (invoked through su - oracle, so the login environment provides ORACLE_HOME and PATH)
lsnrctl start
expect /usr/local/syscmf/oracle.exp
//////////////////////// file contents end ///////////////////
#vi /usr/local/syscmf/oracle.exp
//////////////////////// file contents start ///////////////////
#!/usr/local/bin/expect
#modify by mingfu 060404
#oracle run script: drive sqlplus through "startup" non-interactively
set timeout 120
spawn sqlplus /nolog
expect "SQL>"
send "conn / as sysdba\r"
expect "SQL>"
send "startup\r"
expect "SQL>"
send "exit\r"
expect eof
//////////////////////// file contents end ///////////////////
#chown oracle /usr/local/syscmf/*
#chgrp oracle /usr/local/syscmf/*
#chmod 755 /usr/local/syscmf/*
Add the following to /etc/rc.local:
su - oracle -c /usr/local/syscmf/oracle.sh
and delete the earlier lines:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart"
6. Deleting the database and reinstalling:
Delete the Oracle installation directory and the /etc/ora*.* files.
#rm -f /etc/ora*.*
7. Running the management console $oemapp on Linux
#su - oracle
$oemapp console
8. Fixing broken Chinese character display
The character set Oracle installs by default here is WE8MSWIN1252, which is not a Chinese character set, and it cannot be changed simply by running alter database character set ZHS16GBK ; because ZHS16GBK is not a superset of the current character set. The widely circulated method of editing the PROPS$ table under sys directly also leaves many latent problems after the change.
On Linux, change the character set as follows:
sqlplus /nolog
sql>conn / as sysdba
sql>shutdown immediate
sql>startup mount
sql>alter system enable restricted session ;
sql>alter system set JOB_QUEUE_PROCESSES=0;
sql>alter system set AQ_TM_PROCESSES=0;
sql>alter database open ;
sql>alter database character set internal_use ZHS16GBK ;
sql>shutdown immediate
sql>startup
This completes the character set change (if you chose a Chinese character set at install time, this step is not needed). Note that INTERNAL_USE is an undocumented clause that skips Oracle's superset check and converts no existing data; it is only safe on a database that is still empty, so take a full backup first.
LAJO service environment configuration complete.
5. Configuring LAMP
The system's bundled httpd + php + mysql packages are installed; configure them as follows:
Apache configuration
Edit /etc/httpd/conf/httpd.conf as follows:
Listen 82
ServerName 127.0.0.1:82
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Note: the system now has two httpd service processes,
running as users xxxx and apache respectively.
Make sure that
/usr/local/apache2/bin/apachectl start
/etc/init.d/httpd start
both start automatically at boot.
MySQL setup
Mysql>create database ftpdb;
Mysql>grant all privileges on ftpdb.* to ftpuser@localhost identified by "xxxx";
Mysql>grant all privileges on *.* to root@'%' identified by "xxxx";
Mysql>flush privileges;
Mysql>exit
Note that the second grant gives root full privileges from any host, and the firewall below accepts port 3306 from any source. If remote administration is really needed, grant root@'<admin IP>' rather than root@'%', and add -s <admin IP> to the 3306 firewall rule.
Make sure that
/etc/init.d/mysqld start
starts automatically at boot.
LAMP service environment configuration complete.
7. Configuring FTP
To tie FTP accounts to project deployment and make maintenance and management easier, I chose ProFTPD backed by a database.
Create the ftpdb schema:
Mysql>use ftpdb;
Mysql> CREATE TABLE `ftpgroup` (
`groupname` varchar(16) NOT NULL default '',
`gid` smallint(6) NOT NULL default '5500',
`members` varchar(16) NOT NULL default '',
KEY `groupname` (`groupname`)
) ;
Mysql> CREATE TABLE `ftpquotalimits` (
`name` varchar(30) default NULL,
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`per_session` enum('false','true') NOT NULL default 'false',
`limit_type` enum('soft','hard') NOT NULL default 'soft',
`bytes_in_avail` float NOT NULL default '0',
`bytes_out_avail` float NOT NULL default '0',
`bytes_xfer_avail` float NOT NULL default '0',
`files_in_avail` int(10) unsigned NOT NULL default '0',
`files_out_avail` int(10) unsigned NOT NULL default '0',
`files_xfer_avail` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpquotatallies` (
`name` varchar(30) NOT NULL default '',
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`bytes_in_used` float NOT NULL default '0',
`bytes_out_used` float NOT NULL default '0',
`bytes_xfer_used` float NOT NULL default '0',
`files_in_used` int(10) unsigned NOT NULL default '0',
`files_out_used` int(10) unsigned NOT NULL default '0',
`files_xfer_used` int(10) unsigned NOT NULL default '0'
) ;
Mysql> CREATE TABLE `ftpuser` (
`id` int(10) unsigned NOT NULL auto_increment,
`userid` varchar(32) NOT NULL default '',
`passwd` varchar(32) NOT NULL default '',
`uid` smallint(6) NOT NULL default '5500',
`gid` smallint(6) NOT NULL default '5500',
`homedir` varchar(255) NOT NULL default '',
`shell` varchar(16) NOT NULL default '/sbin/nologin',
`count` int(11) NOT NULL default '0',
`accessed` datetime NOT NULL default '0000-00-00 00:00:00',
`modified` datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (`id`)
) ;
Mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");
Mysql>INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");
Mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");
Mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");
Configure ProFTPD:
#tar xzvf proftpd-1.3.0rc5.tar.gz
#cd proftpd-1.3.0rc5
#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
#make && make install
#mv /usr/local/proftpd/etc/proftpd.conf /usr/local/proftpd/etc/proftpd.conf.bak
#vi /usr/local/proftpd/etc/proftpd.conf
//////////////////////// file contents ///////////////////
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#ServerName "ProFTPD Default Installation"
ServerName "Mingfu's ftp"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 100
MaxLoginAttempts 3
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
DefaultRoot ~
#put the proftpd log files in /var/log/ftp.syslog
#SystemLog /var/log/ftp.syslog
SystemLog /var/log/xxxx/ftp.syslog
#TransferLog log files
TransferLog /var/log/xxxx/ftp.transferlog
MaxHostsPerUser 1 "Sorry, you may not connect from more than one host at a time."
MaxClientsPerUser 13 "Too many sessions for this user."
MaxClientsPerHost 20 "Too many connections from your host."
#setup the Restart
AllowRetrieveRestart on
RootLogin off
RequireValidShell off
TimeoutStalled 600
MaxClients 2000
AllowForeignAddress on
AllowStoreRestart on
ServerIdent off
DefaultRoot ~ xxxx
#Slow logins
UseReverseDNS off
IdentLookups off
#IdentLookups and tcpwrappers ***
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutIdle 600
SQLAuthTypes Backend Plaintext
SQLAuthenticate users* groups*
# databasename@host database_user user_password
#SQLConnectInfo ftpdb@localhost proftpd password
SQLConnectInfo ftpdb@localhost ftpuser xxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits kb
QuotaShowQuotas on
QuotaLog "/var/log/quota"
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used+ %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
//////////////////////// file contents ///////////////////
Add to /etc/rc.local:
/usr/local/proftpd/sbin/proftpd &
FTP configuration complete.
Note: adding an FTP account later only requires inserting a row into the ftpuser table; a user's disk quota is a row in ftpquotalimits. Two things to be aware of: SQLAuthTypes lists Plaintext and the sample row stores the password "test" literally, so ftpuser.passwd holds cleartext passwords; store PASSWORD('...') hashes instead and keep only Backend in SQLAuthTypes, so that reading the table does not hand out the credentials. And the firewall below opens 32800-34000 for passive data connections, but proftpd.conf has no PassivePorts directive, so add PassivePorts 32800 34000 or passive transfers will pick ports the firewall blocks.
Recommended Windows MySQL admin tool: mysql-front
Remote connection account:
User:root
Host:IP
Pswd:xxxx
(the same password set in grant all privileges on *.* to root@'%' identified by "xxxx";)
Setup can also follow this link:
http://www.mingfor.com/forum/showthread.php?tid=28
8. Configuring MAIL
To tie mail accounts to the JBoss project deployment and make maintenance and management easier, I chose a mail server backed by a database.
Refer to the mail-sending program for the setup, then configure the mail server. Mail system users must not be real system accounts; all accounts live in the MySQL database.
The detailed setup is omitted.
Setup can follow these links:
http://www.mingfor.com/forum/showthread.php?tid=19
http://www.extmail.org
9. Security policy
Below is a simple, effective firewall setup; unless someone attacks from a fixed IP, the server stays normally reachable.
Once the server is live you therefore need to collect its connection-state information. The LAMP environment is already configured, so install Cacti (http://www.cacti.net) for system monitoring.
Its installation is straightforward and is not covered here.
You also need to keep watching the output of #netstat -na|grep SYN and DROP, at the firewall, any source that shows 15 or more identical half-open connections in a row.
When such an intrusion connection appears:
#iptables -A ............ DROP (note: do not write this into the iptables file)
Before using the rule set below, be aware of what it actually does:
-m limit keeps one global bucket, not one per source, so the SYN flood chain lets through about one new TCP connection per second in total (burst 5) and rejects the rest; a single busy client is enough to lock everyone else out. The port 80 limit rule is only a fast path in front of that chain, and port 80 is accepted again further down, so it limits nothing on its own. Per-source limiting needs -m hashlimit or -m recent.
--dport 5801: has no upper bound, so the "VNC" rule opens every TCP port from 5801 to 65535; give it an explicit end, for example 5801:5810 for displays :1 to :10.
The REJECT rule near the end matches everything arriving on eth0, so the two rules after it are never reached.
3306 and 1521 are accepted from any source; if the database clients are known, add -s <client IP> to those rules. The distribution defaults at the top also accept UDP 631 (CUPS) and UDP 177 (XDMCP) from anywhere; remove them on a server that does not offer those services.
The SYN,FIN rule appears twice; one copy is enough.
Here is the full content of the iptables file:
#cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos: fast path for port 80 ahead of the SYN flood chain (port 80 is accepted again below, so this alone limits nothing)
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT
#SYN flood: -m limit is one global bucket, not per source
-N synflood
-A synflood -p tcp --syn -m limit --limit 1/s -j RETURN
-A synflood -p tcp -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synflood
-N ping
-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A ping -p icmp -j REJECT
-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP
#all ports
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
#MAIL
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
////////////////////文件内容////////////////////
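The problems called out above are easy to miss by eye in a long rule file. What follows is an added example, not part of the original page: a small lint script that reads an iptables-save file such as /etc/sysconfig/iptables and reports port ranges with no upper bound (as in --dport 5801:) and rules appended to a chain after a rule that already matches every packet on that interface. The function name audit_iptables is my own; the script assumes one rule per line in iptables-save syntax and skips -I lines, which are inserted at the head of the chain and stay reachable.

```shell
#!/bin/sh
# Added example (my code, not from the page): lint an iptables-save file.
# Reports (1) --dport/--sport N: with no upper bound and (2) -A rules that
# follow an unconditional DROP/REJECT/ACCEPT in the same chain (same interface
# or no interface), which can never be hit.
audit_iptables() {
    awk '
    /^-A / {
        chain = $2; iface = ""; target = ""; uncond = 1
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" || $i == "-o") { iface = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else if ($i == "--reject-with") { i++ }
            else { uncond = 0 }          # any other token is a match condition
        }
        # A blanket rule earlier in the chain (no interface, or this interface) shadows this one.
        if ((chain, "") in dead)
            printf "unreachable: line %d is after an unconditional rule at line %d in chain %s\n", NR, dead[chain, ""], chain
        else if (iface != "" && (chain, iface) in dead)
            printf "unreachable: line %d is after an unconditional rule at line %d in chain %s\n", NR, dead[chain, iface], chain
        # "--dport 5801:" matches 5801 through 65535; an intended range has digits after the colon.
        if (match($0, /--[ds]port [0-9]+:( |$)/)) {
            s = substr($0, RSTART, RLENGTH); sub(/ $/, "", s)
            printf "open-ended range: line %d: %s\n", NR, s
        }
        # Remember the first blanket terminal rule per chain and interface.
        if (uncond && (target == "DROP" || target == "REJECT" || target == "ACCEPT") && !((chain, iface) in dead))
            dead[chain, iface] = NR
    }
    ' "$@"
}

# Usage: ./audit.sh /etc/sysconfig/iptables   (no argument: only defines the function)
if [ $# -gt 0 ]; then
    audit_iptables "$@"
fi
```

Run against the file above it reports the 5801: rule and the two rules after the icmp-host-prohibited REJECT; fix those, then load the file with iptables-restore and compare with iptables -L -n --line-numbers.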
Add the following to /etc/rc.local:
//////////////////// file contents ////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
//////////////////// file contents ////////////////////
Here 8192 = 1024*4*2; see the /proc documentation for details. With icmp_echo_ignore_all set, the kernel drops every echo request before the ping chain in the firewall gets to rate-limit it, so that chain never fires and monitoring tools cannot ping the host; tcp_syn_retries only affects connections this host initiates, not incoming floods.
On the script that processes netstat -na|grep SYN_RECV and TIME_WAIT: I cannot write it all down here, only the idea and the main code:
Use netstat to count repeated connections per client IP, tallying the connections that come from the same IP;
once a count exceeds a threshold (you choose it), that IP gets blocked by iptables.
This is done with a shell script combined with iptables (the Linux commands used are mainly netstat, awk, cut, sort).
The main parts of the shell script:
///////////////////////////////////////
basedir="/usr/local/syscmf"
#=== Part A, about the TIME_WAIT state ===#
netstat -an|grep ':80 '|grep TIME_WAIT| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstata
sleep 14s
netstat -an|grep ':80 '|grep TIME_WAIT| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstatb
sleep 14s
netstat -an|grep ':80 '|grep TIME_WAIT| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstatc
# an IP is only a candidate if it was over the threshold in all three samples
cat $basedir/netstata $basedir/netstatb $basedir/netstatc | sort | uniq -c | awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.now
denyip_wait=`cat $basedir/netstat-wait.now`
#=== Part B, about the SYN_RECV state ===#
netstat -an|grep ':80 '|grep SYN_RECV| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
sleep 12s
netstat -an|grep ':80 '|grep SYN_RECV| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
sleep 12s
netstat -an|grep ':80 '|grep SYN_RECV| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.now
denyip_syn=`cat $basedir/netstat-syn.now`
///////////////////////////////////////
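The fragment above leaves out the sampling loop and the iptables call. Here is an added, complete version (my code, not the author's): it counts per-source connections to one local port in one state, keeps only the sources that exceed the threshold in every sample, and inserts a DROP for each into RH-Firewall-1-INPUT. The function names, the SNAPSHOT_CMD variable (which replaces "netstat -an" so the logic can be exercised on a saved capture) and the DRY_RUN switch are assumptions not found in the original.

```shell
#!/bin/sh
# Added example, not the original author's script. Assumes Linux "netstat -an"
# output (local address in column 4, foreign address in column 5, state in
# column 6) and the RH-Firewall-1-INPUT chain from the iptables file above.
# SNAPSHOT_CMD replaces "netstat -an"; DRY_RUN=1 prints the rule instead of applying it.

# Print each source IP with at least THRESHOLD connections to local port PORT
# in state STATE (e.g. SYN_RECV or TIME_WAIT). Reads netstat output on stdin.
over_threshold() {
    awk -v port="$1" -v state="$2" -v th="$3" '
        $1 == "tcp" && $6 == state && $4 ~ (":" port "$") {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= th) print ip }
    ' | sort
}

# Given one file of candidate IPs per sample, print the IPs present in every sample.
# Requiring all samples filters out a client that is merely busy for a moment.
persistent_ips() {
    cat "$@" | sort | uniq -c | awk -v n="$#" '$1 == n { print $2 }'
}

# Take SAMPLES snapshots INTERVAL seconds apart and block the IPs seen every time.
# Prints the iptables command for each IP blocked.
block_persistent() {
    port=$1; state=$2; threshold=$3; samples=$4; interval=$5
    tmp=$(mktemp -d) || return 1
    i=0
    while [ "$i" -lt "$samples" ]; do
        ${SNAPSHOT_CMD:-netstat -an} | over_threshold "$port" "$state" "$threshold" > "$tmp/s$i"
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    for ip in $(persistent_ips "$tmp"/s*); do
        # -I puts the block ahead of the ACCEPT rules; it is deliberately not
        # written to /etc/sysconfig/iptables, as the text above advises.
        cmd="iptables -I RH-Firewall-1-INPUT -s $ip -p tcp --dport $port -j DROP"
        echo "$cmd"
        [ "${DRY_RUN:-0}" = 1 ] || $cmd
    done
    rm -rf "$tmp"
}

# Real use (as root): ./flood-block.sh run  -> 3 samples, 12 or more connections per IP.
# With no argument only the functions are defined.
if [ "${1:-}" = run ]; then
    block_persistent 80 SYN_RECV 12 3 12
    block_persistent 80 TIME_WAIT 12 3 14
fi
```

Run it from cron rather than a tight loop, and pair it with a periodic iptables -D of old entries, otherwise a proxy or NAT gateway that once tripped the threshold stays blocked forever.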
To stop people guessing SSH login passwords, change the default SSH port 22 to 922 (matching the 922 rule in the firewall). Method:
#vi /etc/ssh/sshd_config
change:
#Port 22
to:
Port 922
Note: after the change, connect with ssh user@ip -p 922
If you do not want to pass -p every time, change in /etc/ssh/ssh_config
#Port 22
to:
Port 922
(A global client Port applies to every host you ssh to; a Host block for this server only is narrower.)
I recommend changing the SSH port on both the server side and the client side of any machine that provides services. Moving the port only reduces scanner noise in the logs; a guessed password still works on 922, so also set PasswordAuthentication no and PermitRootLogin no in sshd_config and log in with keys.
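As an added example (my code, not the page's), the edit above done from a script so it is idempotent, with the result checked by sshd -t before sshd is restarted: a rejected config would otherwise leave you locked out of a remote box. The function names set_sshd_option, get_sshd_option and change_ssh_port, and the /etc/init.d/sshd restart command, are assumptions; the page only shows the manual edit.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes sshd_config uses the
# "Key value" lines shown above and that sshd is managed by /etc/init.d/sshd.

# Set KEY to VALUE in FILE: replaces the first active or commented-out line for
# that key (e.g. "#Port 22"), drops later duplicates so sshd cannot read an older
# value first, and appends the line if the key is absent. File mode is preserved.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "[ \t]") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective value of KEY in FILE, as sshd reads it: first non-comment match wins.
get_sshd_option() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Change the listening port, validate, and only then restart. Keep the current
# session open and confirm "ssh -p PORT" works before closing it.
change_ssh_port() {
    set_sshd_option /etc/ssh/sshd_config Port "$1"
    if sshd -t; then
        /etc/init.d/sshd restart
    else
        echo "sshd_config rejected by sshd -t; not restarting" >&2
        return 1
    fi
}

# Usage (as root): ./sshport.sh 922   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    change_ssh_port "$1"
fi
```

The same set_sshd_option call sets PasswordAuthentication no and PermitRootLogin no; run sshd -t after each batch of edits, not after each line.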
10. Testing and going live
With all configuration done, reboot the server, test, and prepare to go live.
Note: the following services must not be started more than once; they may only be started while stopped, otherwise startup errors occur.
#su - oracle -c /usr/local/syscmf/oracle.sh
#/etc/rc.d/init.d/jboss start
On the users and permissions for starting these two services:
1.Oracle:
User: oracle (may log in to the system)
Always perform Oracle operations in the oracle user's environment. If you really must do it as root, do not forget #su - oracle -c "lsnrctl start" ...
a.Stopping the Oracle service:
$sqlplus /nolog
SQL>conn / as sysdba
SQL>shutdown immediate
SQL> exit
$lsnrctl stop
b.Starting the Oracle service:
$lsnrctl start
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup
c.Forced start of the Oracle service:
This also starts Oracle when the instance is already running (startup force aborts the running instance first, the same as shutdown abort followed by startup, so do not use it as the normal way to start).
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup force
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
//////////////////// file contents ////////////////////
Add the following to /etc/rc.local:
//////////////////// file contents ////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog
//////////////////// file contents ////////////////////
Here 8192 = 1024*4*2. For more details, consult the documentation on /proc.
About the script that collects the netstat -na|grep SYN_RECV and TIME_WAIT results: I cannot write it out in full here, only the principle and the main code:
Use netstat to count repeated connections per IP, tally the connections coming from the same IP,
and if the count exceeds a threshold (your own choice!), that IP is blocked by the iptables mechanism.
This is done with a shell script combined with iptables (the main Linux commands used are netstat, awk, cut and sort)...
Part of the main code of the shell script:
///////////////////////////////////////
#!/bin/bash
# Collect source IPs that repeatedly hold many TIME_WAIT / SYN_RECV connections to port 80.
basedir="/usr/local/syscmf"
#=== Part A, about the TIME_WAIT signal ===#
# Take three samples 14 seconds apart; in each, keep the source IPs with 12 or more TIME_WAIT connections to port 80.
# ':80 ' matches only the local port 80 column, not every line that happens to contain "80".
netstat -an|grep ':80 '|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstata
sleep 14s
netstat -an|grep ':80 '|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstatb
sleep 14s
netstat -an|grep ':80 '|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstatc
# Only an IP that appears in all three samples counts as an offender.
cat $basedir/netstata $basedir/netstatb $basedir/netstatc | sort | uniq -c | awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.now
denyip_wait=`cat $basedir/netstat-wait.now`
#=== Part B, about the SYN_RECV signal ===#
# Same procedure, three samples 12 seconds apart, for half-open (SYN_RECV) connections.
netstat -an|grep ':80 '|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat1
sleep 12s
netstat -an|grep ':80 '|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat2
sleep 12s
netstat -an|grep ':80 '|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| awk '{if ($1 >= 12) print $2}' > $basedir/netstat3
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.now
denyip_syn=`cat $basedir/netstat-syn.now`
# The IPs collected in $denyip_wait and $denyip_syn are what the blocking step hands to iptables.
///////////////////////////////////////
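The following is an added example, not the post's own script, that shows the same detection logic (the SYN watch mentioned under the security policy and the TIME_WAIT/SYN_RECV script above) in a form that can be tested offline: it parses saved "netstat -an" output instead of calling netstat, counts connections per source IP to local port 80 in a chosen state, keeps only IPs over the threshold in all three samples, and prints (rather than executes) the iptables rule that would block each one. The netstat lines, the threshold of 3 and the chain name used in the printed rule are assumptions made for this example; on a live system, replace the SAMPLE* variables with "$(netstat -an)" and use the post's threshold of 12.

```bash
#!/bin/bash
# Added example (not the original post's code): offline version of the netstat-based
# blocker. Constructed "netstat -an" output is embedded below; it is not a real capture.
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State

SAMPLE1='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:5100       TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.9:6000        TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.9:6001        TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.9:6002        TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:6003        ESTABLISHED'

SAMPLE2='tcp        0      0 10.0.0.5:80             192.0.2.10:40004        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40005        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40006        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:5101       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:5102       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:5103       TIME_WAIT'

SAMPLE3='tcp        0      0 10.0.0.5:80             192.0.2.10:40007        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40008        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40009        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40010        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:5104       TIME_WAIT'

# suspicious_ips DUMP THRESHOLD STATE
# Prints, sorted, every source IP with at least THRESHOLD connections in state STATE
# (TIME_WAIT or SYN_RECV) whose local side is port 80. The local-port test is anchored
# on the field, so port 8080 or an address that merely contains "80" does not match.
# IPv4 only: the IP is the text before the ':' of the foreign address.
suspicious_ips() {
    local dump="$1" threshold="$2" state="$3"
    printf '%s\n' "$dump" \
        | awk -v st="$state" -v th="$threshold" '
            $1 == "tcp" && $4 ~ /:80$/ && $6 == st {
                split($5, a, ":"); count[a[1]]++
            }
            END { for (ip in count) if (count[ip] >= th) print ip }' \
        | sort
}

# persistent_ips LIST1 LIST2 LIST3
# Prints the IPs present in all three sample results. A one-off burst does not qualify,
# which keeps ordinary busy clients out of the block list.
persistent_ips() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$3" | sort | uniq -c | awk '$1 == 3 && $2 != "" {print $2}'
}

# block_rule_for IP
# Prints the iptables command that would block IP at the head of the post's input chain
# (chain name assumed from the firewall file above). Printed, not executed, so an
# operator can review the list before applying it.
block_rule_for() {
    printf 'iptables -I RH-Firewall-1-INPUT -s %s -j DROP\n' "$1"
}

# Demonstration on the constructed samples: 192.0.2.10 is over the threshold in all three,
# 198.51.100.7 only in the second, so a rule is printed for 192.0.2.10 alone.
THRESHOLD=3
a=$(suspicious_ips "$SAMPLE1" "$THRESHOLD" TIME_WAIT)
b=$(suspicious_ips "$SAMPLE2" "$THRESHOLD" TIME_WAIT)
c=$(suspicious_ips "$SAMPLE3" "$THRESHOLD" TIME_WAIT)
for ip in $(persistent_ips "$a" "$b" "$c"); do
    block_rule_for "$ip"
done
```

The three-sample requirement is what separates this from a plain rate limit: an IP has to stay over the threshold for the whole sampling window before it is proposed for blocking, and the rule is printed for review rather than applied, which matches the post's advice not to bake such ad hoc rules into the iptables file.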
To make it harder for others to guess an ssh login password, change the default ssh port 22 to 922 (matching the 922 specified in the firewall rules). The change is made as follows:
#vi /etc/ssh/sshd_config
Change:
#Port 22
to:
Port 922
Note: after the change, connect with: ssh user@ip -p 922
If you do not want to pass the -p parameter, change in
/etc/ssh/ssh_config
#Port 22
to:
Port 922
It is recommended to change the ssh port on both the server side and the client side of the servers that provide services......
10. Testing and going live
With all configuration complete, reboot the server, test it, and prepare to go live.
Note: the following services must not be started more than once; they can only be started while stopped, otherwise startup errors occur.
#su - oracle /usr/local/syscmf/oracle.sh
#/etc/rc.d/init.d/jboss start
About the startup user and permissions of these two services:
1. Oracle:
User: oracle (can log in to the system)
Remember: all Oracle operations should be carried out in the oracle user's environment. If you really must operate as root, do not forget #su - oracle -c "lsnrctl start"........
a. Stopping the Oracle service:
$sqlplus /nolog
SQL>conn / as sysdba
SQL>shutdown immediate
SQL> exit
$lsnrctl stop
b. Starting the Oracle service:
$lsnrctl start
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup
c. Force-starting the Oracle service:
This starts the Oracle service even when it is already running.
$sqlplus /nolog
SQL>conn / as sysdba
SQL> startup force
If you want to start it with the expect auto-input script I wrote, you need to modify it and add a conditional structure inside.
This article is reprinted from starger's 51CTO blog, original link: http://blog.51cto.com/starger/18573 ; please contact the original author if you wish to repost it.