Mysql设置 Mysql>create database ftpdb; Mysql>grant all privileges on ftpdb.* to ftpuser@localhost identified by "xxxx"; Mysql>grant all privileges on *.* to root@'%' identified by "xxxx"; Mysql>flush privileges; Mysql>exit 注意: root@'%' 允许任意主机以 root 身份远程登录并拥有所有库的全部权限, 而后文的 iptables 又对 eth0 放行了 3306, 建议把 '%' 限定为需要远程管理的来源 IP. 请确保 /etc/init.d/mysqld start 此服务自启动. LAMP服务环境配置完毕. 7.配置FTP 配合工程实施与建立ftp帐号相关联,方便维护与管理,我这里选择了Proftpd与数据库结合的方式来实现的. 创建Ftpdb结构: Mysql>use ftpdb; Mysql> CREATE TABLE `ftpgroup` ( `groupname` varchar(16) NOT NULL default '', `gid` smallint(6) NOT NULL default '5500', `members` varchar(16) NOT NULL default '', KEY `groupname` (`groupname`) ) ; Mysql> CREATE TABLE `ftpquotalimits` ( `name` varchar(30) default NULL, `quota_type` enum('user','group','class','all') NOT NULL default 'user', `per_session` enum('false','true') NOT NULL default 'false', `limit_type` enum('soft','hard') NOT NULL default 'soft', `bytes_in_avail` float NOT NULL default '0', `bytes_out_avail` float NOT NULL default '0', `bytes_xfer_avail` float NOT NULL default '0', `files_in_avail` int(10) unsigned NOT NULL default '0', `files_out_avail` int(10) unsigned NOT NULL default '0', `files_xfer_avail` int(10) unsigned NOT NULL default '0' ) ; Mysql> CREATE TABLE `ftpquotatallies` ( `name` varchar(30) NOT NULL default '', `quota_type` enum('user','group','class','all') NOT NULL default 'user', `bytes_in_used` float NOT NULL default '0', `bytes_out_used` float NOT NULL default '0', `bytes_xfer_used` float NOT NULL default '0', `files_in_used` int(10) unsigned NOT NULL default '0', `files_out_used` int(10) unsigned NOT NULL default '0', `files_xfer_used` int(10) unsigned NOT NULL default '0' ) ; Mysql> CREATE TABLE `ftpuser` ( `id` int(10) unsigned NOT NULL auto_increment, `userid` varchar(32) NOT NULL default '', `passwd` varchar(32) NOT NULL default '', `uid` smallint(6) NOT NULL default '5500', `gid` smallint(6) NOT NULL default '5500', `homedir` varchar(255) NOT NULL default '', `shell` varchar(16) NOT NULL default '/sbin/nologin', `count` int(11) NOT NULL default '0', `accessed` datetime NOT NULL 
default '0000-00-00 00:00:00', `modified` datetime NOT NULL default '0000-00-00 00:00:00', PRIMARY KEY (`id`) ) ; Mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx"); Mysql>INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0"); Mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0"); Mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00"); 配置proftp: #tar xzvf proftpd-1.3.0rc5.tar.gz #cd proftpd-1.3.0rc5 #./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql #make&&make install #mv /etc/local/proftpd/etc/proftpd.conf /etc/local/proftpd/etc/proftpd.confbak #vi /etc/local/proftpd/etc/proftpd.conf ////////////////////////文件内容/////////////////// # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. #ServerName "ProFTPD Default Installation" ServerName "Mingfu's ftp" ServerType standalone DefaultServer on # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 # To prevent DoS attacks, set the maximum number of child processes # to 30. 
If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd). MaxInstances 100 MaxLoginAttempts 3 # Set the user and group under which the server will run. User nobody Group nobody # To cause every FTP user to be "jailed" (chrooted) into their home # directory, uncomment this line. #DefaultRoot ~ DefaultRoot ~ #put the proftpd log files in /var/log/ftp.syslog #SystemLog /var/log/ftp.syslog SystemLog /var/log/xxxx/ftp.syslog #TransferLog log files TransferLog /var/log/xxxx/ftp.transferlog MaxHostsPerUser 1 "Sorry, you may not connect more than one time 1." MaxClientsPerUser 13 "Only one such user at a time 2." MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3." #setup the Restart AllowRetrieveRestart on RootLogin off RequireValidShell off TimeoutStalled 600 MaxClients 2000 AllowForeignAddress on AllowStoreRestart on ServerIdent off DefaultRoot ~ xxxx #Slow logins UseReverseDNS off IdentLookups off #IdentLookups and tcpwrappers *** # Normally, we want files to be overwriteable. 
AllowOverwrite on TimeoutIdle 600 SQLAuthTypes Backend Plaintext SQLAuthenticate users* groups* # databasename@host database_user user_password #SQLConnectInfo ftpdb@localhost proftpd password SQLConnectInfo ftpdb@localhost ftpuser xxxx SQLUserInfo ftpuser userid passwd uid gid homedir shell SQLGroupInfo ftpgroup groupname gid members SQLHomedirOnDemand on # Update count every time user logs in SQLLog PASS updatecount SQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser # Update modified everytime user uploads or deletes a file SQLLog STOR,DELE modified SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser QuotaEngine on QuotaDirectoryTally on QuotaDisplayUnits kb QuotaShowQuotas on QuotaLog "/var/log/quota" SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}'AND quota_type = '%{1}'" SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'" SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used+ %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies QuotaLimitTable sql:/get-quota-limit QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally ////////////////////////文件内容/////////////////// 在/etc/rc.local文件中新增 /usr/local/proftpd/sbin/proftpd & LPM配置完毕. 注意:以后添加ftp帐号只需操作ftpuser表添加相应字段(上文 SQLAuthTypes 含 Plaintext, 且示例行的 passwd 为明文 "test", 即口令以明文存放并按明文比对, 任何能读 ftpdb 的人都能直接取得口令; 生产环境建议只保留 Backend 方式并存入哈希值).用户磁盘限额操作ftpquotalimits表添加相应字段. 
Mysql管理win工具推荐:mysql-front 其中远程连接帐号: User:root Host:IP Pswd:xxxx (与grant all privileges on *.* to root@'%' identified by "xxxx"; 中设置的密码一致) . 架设也可参考如下连接: http://www.mingfor.com/forum/showthread.php?tid=28 8.配置MAIL 配合jboss工程程序实施与建立MAIL帐号相关联,方便维护与管理,我这里选择了邮件服务器与数据库结合的方式来实现的. 具体架设参考邮件发送程序,然后来配置邮件服务器,邮件系统的用户帐号不准创建真实的系统帐号,所有的帐号均建在mysql数据库中. 具体架设过程略。 架设可参考如下连接: http://www.mingfor.com/forum/showthread.php?tid=19 http://www.extmail.org 9.安全策略 下面是一个简易有效的防火墙设置,只要没有固定IP来入侵,服务器均可正常访问. 因此服务器上线后需要提取服务器通信状态信息.这里服务器已经配置好LAMP环境,因此系统监控请安装CACTI(http://www.cacti.net)软件来监控. 关于它的安装方法比较简单,这里不一一说明了. 还要时时将 #netstat -na|grep SYN 的结果中连续15个相同的伪连接给 DROP 出系统通信通道. 当有这样的入侵连接时…. #iptables -A …………..DROP (注意请不要将这个写入到iptables文件中) 下面是iptables文件的所有内容: #cat /etc/sysconfig/iptables ////////////////////文件内容//////////////////// # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT #modify by mingfu 060404 #Please do not modify the content below #ACK FIN SYN -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #port scan # NMAP FIN/URG/PSH -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # Xmas Tree -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP # Another Xmas Tree -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Null Scan(possibly) -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP # SYN/RST -A 
RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN/FIN -- Scan(possibly) -A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #!--syn -A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP #Dos -A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT #sync flood -N synfoold -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN -A synfoold -p tcp -j REJECT --reject-with tcp-reset -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold -N ping -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN -A ping -p icmp -j REJECT -I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping #-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP #-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT #-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP #-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP #all ports -A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #FTP -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT #SSH -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT #WEB -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT -A 
RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT #DNS -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT #DATABASE -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT #VNC -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT #ICMP -A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited -A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP COMMIT ////////////////////文件内容//////////////////// 注意: 上面 #ICMP 处那条不带任何匹配条件的 REJECT 规则排在其后的 RELATED,ESTABLISHED ACCEPT 与 NEW,INVALID DROP 之前, 按首次匹配原则后两条永远不会命中; #VNC 的 --dport 5801: 实际放行的是 5801 到 65535 的全部端口; #DATABASE 放行的 3306/1521/8009 对 eth0 上所有来源开放, 应限定为管理来源 IP. 在/etc/rc.local中新增如下内容: ////////////////////文件内容//////////////////// echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 >/proc/sys/net/ipv4/tcp_syncookies echo "1" > /proc/sys/net/ipv4/tcp_syn_retries echo "1" > /proc/sys/net/ipv4/tcp_synack_retries echo 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog ////////////////////文件内容//////////////////// 其中8192=1024*4*2.更多详情请查阅/proc相关文献介绍 关于获取netstat -na|grep SYN_RECV 与TIME_WAIT的脚本:这里我无法写下来。只是原理和主要的代码告诉大家: 使用 netstat 来统计重复的连线 IP,将这些来自同一 IP 的连线统计一下, 如果超过一个设定值(您自己选择的!),那麽该 IP 就会被iptables 机制挡掉了! 
利用shell script 结合iptables来完成(其中用到的linux命令主要有:netstat awk cut sort)。。。 shell脚本中部分主要代码(注意: Part A 写入的是 netstata/netstatb/netstatc, 随后 cat 的却是 netstat1/2/3; 两段都把结果赋给同一个 denyip_netstat, Part A 的结果会被 Part B 覆盖; grep 80 也会匹配任何含有 "80" 的端口或地址, 使用前需自行修正): /////////////////////////////////////// basedir="/usr/local/syscmf" #=== Part A, about the TIME WAIT signle ===# netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstata sleep 14s netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstatb sleep 14s netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstatc cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | \ awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.now denyip_netstat=`cat $basedir/netstat-wait.now` #=== Part B, about the SYN RECV signle ===# netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstat1 sleep 12s netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstat2 sleep 12s netstat -an|grep 80|grep SYN| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \ awk '{if ($1 >= 12) print $2}' > $basedir/netstat3 cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | \ awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.now denyip_netstat=`cat $basedir/netstat-syn.now` /////////////////////////////////////// (责任编辑:admin) |