/*********************系统盘规划*********************************/
/dev/vda 8G
/dev/vdb 500G
/dev/vda 系统盘 挂载在 /
/dev/vdb 分四个逻辑盘
/dev/vdb1 400G 用作项目应用 挂载 /var/www
/dev/vdb2 60G 用作日志记录 挂载 /var/log
/dev/vdb3 20G 分系统使用的软件其余的工具 例如 一些测试网速的软件就存放安装到这里 挂载 /opt
/dev/vdb4 20G /home 数据交换
/**********sshd key 登录*******************************************/
必须将 key 备份到本地 登录要用。
/************sshd 登录编码格式 vim设置 时区设置 关闭selinux*************/
vim /etc/sysconfig/i18n
vim ~/.vimrc
vim /etc/profile
###设置vi, vim的默认的tab、行号显示参数
##设置正确的时区
/*******************************************防火墙***************/
vim /etc/sysconfig/iptables
service iptables start
/*********************禁止root 创建普通用户******************************/
useradd wyj2507
passwd wyj2507 (密码 www.xiubt.com)
visudo (99行)
/*********************禁止root 创建普通用户********************/
/*******************************************修改HOSTS*******************/
vi /etc/hosts
127.0.0.1 localhost VM_41_93_centos
#使用DNS域名服务器来解析名字
order bind hosts
#一台主机是否存在多个IP
multi on
#如果用逆向解析找出与指定的地址匹配的主机名,对返回的地址进行解析以确认它确实与您查询的地址相配.为了防止“骗取”IP地址
nospoof on
service network restart
/*****************精简开机自启动服务*************************************/
7个运行级别 0 系统停机模式 1 单用户 2 多用户模式 3 完整多用户
4 系统未使用 5 图形化模式 6 重启模式
init 0 1 2 3 4 5 6 设置运行级别
新系统只保留crond,network,syslog(rsyslog),sshd自启动服务 后期加
查看运行级别 runlevel
查看开启的服务 chkconfig --list
#关闭全部服务
#或者
#开启需要的服务
#或者需要使用防火墙的话可以开启iptables和ip6tables
/******************清理登陆的时候显示的系统及内核版本等***********************/
#查看登陆信息
cat /etc/redhat-release
cat /etc/issue
#清理登陆信息
echo >/etc/redhat-release
echo >/etc/issue
#关闭重启ctl-alt-delete组合键
vi /etc/init/control-alt-delete.conf
#注释掉
#exec /sbin/shutdown -r now "Control-Alt-Deletepressed"
#chattr类似chmod修改文件/目录属性 级别高于chmod
#chattr命令不能保护/、/dev、/tmp、/var目录。lsattr命令是显示chattr命令设置的文件属性。
#锁定关键文件系统
#删除不必要的系统用户和群组
#删除不必要的群组
/******************************************清理登陆的时候显示的系统及内核版本等********************************/
/*****************************内核参数优化*************************/
vi /etc/sysctl.conf 增加以下配置
echo "modprobe nf_conntrack" >> /etc/rc.local
echo "modprobe bridge" >> /etc/rc.local
配置生效
# modprobe nf_conntrack
# sysctl -p
修改iptables启动脚本,在start()函数里面加上
# vi /etc/init.d/iptables
/sbin/sysctl -p
service iptables restart
iptables -v -n -L
#查看当前的会话
cat /proc/net/nf_conntrack | wc -l
LNMP
/*******************************************依赖包*************/
wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
## 启用SSL模块 启用nginx状态模块 启用realip模块(将用户IP转发给后端服务器)
或者
./configure --with-zlib=/opt/zlib-1.2.8 --with-ssl=/usr/local/ssl && make && make install
--with-openssl=/usr/local/ssl --with-libs=/usr/local/ssl
ldd $(which curl)
ln -s /usr/local/ssl/lib/libcrypto.so /usr/local/lib/libcrypto.so.1.0.0
cd /opt/php-5.6.12/ext/curl
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config --with-curl=/opt/curl-7.44.0
make && make install
编译oci php扩展
rpm -ivh oracle-instantclient12.1-basic-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-sqlplus-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-devel-12.1.0.1.0-1.x86_64.rpm
配置库路径 libsqlplus.so
vim /etc/ld.so.conf
/usr/lib/oracle/12.1/client64/lib/
ldconfig
/*******************************************Mysql********************************/
mysql
wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/MySQL-5.5/mysql-5.5.44.tar.gz
groupadd mysql
useradd -r -g mysql mysql
##此处本来只应该装客户端
[client]
socket = /var/run/mysqld/mysqld.sock
groupadd mysql
useradd -r -g mysql mysql
cd /usr/local/mysql
chown -R mysql . # 更改所有文件的所有者为mysql
chgrp -R mysql . # 更改所有文件的所属组为mysql
2. mysql 初始化安装 执行以下命令 //以mysql的身份执行scripts/mysql_install_db脚本
/usr/local/mysql/scripts/mysql_install_db --basedir=/usr/local/mysql \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--user=mysql \
--datadir=/usr/local/mysql/data
chown -R root . # 再将所有文件的所有者改为root
chown -R mysql data # 其中要将data目录及其子文件的所有者改为mysql
chown -R mysql /usr/local/mysql/data
chgrp -R mysql /usr/local/mysql/data
cp /etc/my.cnf /etc/my.cnf_bak
cp /usr/local/mysql/etc/my.cnf /etc/my.cnf
mkdir /var/run/mysqld
chmod -R 777 /var/run/mysqld
mkdir /usr/local/mysql/run
chmod -R 777 /usr/local/mysql/run
/usr/local/mysql/bin/mysqld \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--basedir=/usr/local/mysql \
--datadir=/usr/local/mysql/data \
--plugin-dir=/usr/local/mysql/lib/plugin \
--user=mysql \
--log-error=/usr/local/mysql/log/mysql_error.log \
--pid-file=/usr/local/mysql/run/mysql.pid \
--socket=/var/run/mysqld/mysqld.sock \
--port=3306 &
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
客户端
yum install mysql
update user set password=passworD("wyj_2015") where user='root';
update user set host='%' where user='root';
flush privileges;
/*******************************************php*********************************/
http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
##最小权限
#session
/*********************************************启动命令***************************/
pkill php-fpm
/usr/local/php/sbin/php-fpm -c /usr/local/php/etc/php.ini -y /usr/local/php/etc/php-fpm.conf
chown -R nobody:nobody /usr/local/php/sess
chown nobody:nobody /dev/shm/sess/weijiaoyun
chmod u+wr -R /usr/local/php/sess/weijiaoyun
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid` #平滑重启 推荐
kill -USR1 `cat /usr/local/php/var/run/php-fpm.pid` #平滑重启日志 推荐
pkill nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
chown -R nobody:nobody /dev/shm
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid` #平滑重启 推荐
kill -USR1 `cat /usr/local/nginx/logs/nginx.pid` #平滑重启日志 推荐
pkill mysqld
/usr/local/mysql/bin/mysqld \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--basedir=/usr/local/mysql \
--datadir=/usr/local/mysql/data \
--plugin-dir=/usr/local/mysql/lib/plugin \
--user=mysql \
--log-error=/usr/local/mysql/log/mysql_error.log \
--pid-file=/usr/local/mysql/run/mysql.pid \
--socket=/var/run/mysqld/mysqld.sock \
--port=3306 &
不保存历史
sed -i 's/HISTSIZE\=3000/HISTSIZE\=4/g' /etc/profile
source /etc/profile
传输命令
scp -i /root/wjyRsa -P 54321 -r /var/www/testscp 119.29.38.43:/var/www/
scp -i /root/devRsa -P 54321 -r /opt/curl-7.44.0 119.29.11.29:/opt/curl-7.44.0
/********************************系统工具**************************************/
yum -y install vim
yum install fonts-chinese.noarch
添加库文件路径
vim /etc/ld.so.conf
ldconfig
#滞后
--with-oci8 \
apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
tcpdump -i lo -w /var/www/logs/php-fpm2
/usr/sbin/tcpdump -i eth0 -w /var/www/logs/tcpdump7
yum -y install sysstat
sar -n EDEV 2 10
sar -n SOCK 2 10
sar -r 6 #mem
sar -u 6 #cpu
top -p pid
P:按%CPU使用率排行
T:按TIME+排行
M:按%MEM排行
Linux查看网络端口对应的程序
lsof -i :80
netstat -a |grep LISTEN |grep -v unix
ps -aux | sort -k4nr
ps -aux | grep -E "sap|USER"
#inode
df -i
#inode 大小
dumpe2fs -h /dev/vdb2 | grep "Inode size"
查看 进程的详细内存
pmap -q <php-fpm 的 pid>
/**********************配置文件备份*******************************/
/usr/local/mysql/etc/my.cnf
cat /usr/local/php/etc/php.ini
[PHP]
cat /usr/local/php/etc/php-fpm.conf | grep -v '^;' | grep -v '^$'| less
cat /usr/local/nginx/conf/vhost/dev.xcoach.cn.conf | grep -v '^#' | grep -v '^$'| less
/*************************************定时程序***************************/
/*************************************************定时程序***********************************************************/
/***************************************其他************************/
保证每天多少PV的并发连接数的计算公式是:
并发连接数= PV / 统计时间(一天是86400) * 页面衍生连接次数 * http响应时间 * 因数(5) / web服务器数量
保证4千万PV的并发连接数:
(40000000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 6台Web服务器 = 19290连接数
10PV的并发连接数:
(100000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 1台Web服务器 = 289连接数
ab.exe -n2000 -kc2000
svn
svn delete svn://119.29.11.29/weijiaoyun/Public -m "delete Public"
svn import -m 'reimport' /var/www/html/Public svn://119.29.11.29/weijiaoyun/Public
vim ignore.txt
Application/User/Conf/config.php
Application/Common/Conf/config.php
Runtime
Uploads
svn propset svn:ignore -F ignore.txt .
svn proplist
svn propget svn:ignore
nginx无法打印日志 tail -f 报没有磁盘空间 增大max_user_watches 参考 http://www.51know.info/system_security/inotify.html
echo '17000' > /proc/sys/fs/inotify/max_user_watches
批量替换 参考 http://php.net/manual/zh/language.exceptions.php (jim at anderos dot com)
grep 'throw new Exception' /var/www/ceshi/ -rl | xargs sed -i 's/throw new Exception/throw new \\Exception/g'
sed -i 's/throw new Exception/throw new \\Exception/g' `grep 'throw new Exception' /var/www/ceshi/ -rl`
错误日志分析
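# Ban the client addresses that nginx logged together with a known-bad
# referrer: each new address gets an INPUT DROP rule, and the ruleset is then
# persisted to /etc/sysconfig/iptables. Must run as root on the nginx host.
error_log="/usr/local/nginx/logs/weijiaoyun_error.log"
iptables_conf="/etc/sysconfig/iptables"
# Matched as a fixed string (case-insensitive), so '.' and '/' are literal.
bad_referrer='referrer: "http://123.249.24.233/POST_ip_port.phpAccep'

#######################################
# Accept only a plain dotted-quad IPv4 literal. Anything else pulled from the
# log (garbage, a hostname, or text shaped like extra iptables arguments) is
# rejected instead of reaching the iptables command line.
# Arguments: $1 - candidate string
# Returns:   0 if $1 is an IPv4 address, 1 otherwise
#######################################
valid_ipv4() {
  local candidate=$1 octet
  [[ "$candidate" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not parsed as (invalid) octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# True when an explicit "-s <ip>" rule for the address is already in the saved
# ruleset. iptables-save writes single hosts as <ip>/32; hand-written rules may
# omit the mask, so both forms are accepted. Dots are escaped so the address is
# not treated as a regex wildcard, and a longer address sharing the prefix
# (10.1.2.3 vs 10.1.2.30) does not count as a match.
# Arguments: $1 - IPv4 address, $2 - path of the saved ruleset
# Returns:   0 if present, 1 if absent or the file is unreadable
#######################################
already_banned() {
  local ip_re=${1//./\\.}
  grep -qE -- "-s ${ip_re}(/32)?([[:space:]]|$)" "$2" 2>/dev/null
}

if [[ ! -r "$error_log" ]]; then
  printf 'warn: cannot read %s, no addresses to ban\n' "$error_log" >&2
else
  # nginx prints the peer as "client: A.B.C.D, server: ..."; keep that field
  # only, de-duplicated so one noisy client yields a single rule.
  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    if ! valid_ipv4 "$ip"; then
      printf 'warn: ignoring non-IPv4 value from log: %s\n' "$ip" >&2
      continue
    fi
    if ! already_banned "$ip" "$iptables_conf"; then
      # One rule inserted at the top of INPUT is enough; the old version also
      # appended a second, redundant copy with -A.
      /sbin/iptables -I INPUT -s "$ip" -j DROP \
        && /sbin/iptables-save > "$iptables_conf"
    fi
  done < <(grep -iF -- "$bad_referrer" "$error_log" \
    | sed 's/\(.*\)\(client: \)\(.*\)\(, server:.*\)/\3/' \
    | sort -u)
fi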
PHP-FPM master进程可以理解以下信号
INT, TERM 立刻终止 QUIT 平滑终止 USR1 重新打开日志文件 USR2平滑重载所有worker进程并重新载入配置和二进制模块
php-fpm 关闭:kill -INT `cat /usr/local/php/var/run/php-fpm.pid`
php-fpm 重启:kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`
/**********************************************************其他******************************************************/
/****************服务优化 只开启必要的服务,提高安全性和性能********************/
###以下服务是必须的必须开启 其他可以尝试关闭
安装完Linux之后,以下服务是必须的必须开启,没列出的服务可关闭
acpid #高级控制电源管理接口
crond #定时执行任务
haldaemon #必须开启,否则可能导致控制台键盘鼠标无法使用
hidd #同上
irqbalance #支持多cpu中断,必须开启
kudzu #检测硬件变化时自动进行配置
lvm2-monitor #用于监测LVM状态
messagebus #Linux系统进程间通讯的关键服务
mdmonitor #监测软RAID健康状态 即使没有使用软RAID, 也强烈建议启用此服务
mdmpd #同上,即使没有多路径存储设备,也强烈建议启用之
network #网络支持
readahead_early #预先加载特定的应用程序到内存中以提供性能
readahead_later #同上
smartd #硬盘故障自动检测
sshd
syslog
klogd #如果服务列表中存在,则必须开启
提示:配置服务可使用ntsysv工具,比较方便
其它强烈建议开启的服务 iptables
/**********************************服务优化 只开启必要的服务,提高安全性和性能*************************************/
/*************************************日志************************************/
/var/log/message 系统启动后的信息和错误日志,是Red Hat Linux中最常用的日志之一
/var/log/secure 与安全相关的日志信息
/var/log/maillog 与邮件相关的日志信息
/var/log/cron 与定时任务相关的日志信息
/var/log/spooler 与UUCP和news设备相关的日志信息
/var/log/boot.log 守护进程启动和停止相关的日志消息
dmesg | grep IDE # 查看启动时IDE设备检测状况
route -n # 查看路由表
/**************************************参考***********************/
生产服务器环境最小化安装后 Centos 6.5优化配置备忘 http://zhangxugg-163-com.iteye.com/blog/1843724
Centos 6.5优化配置 http://www.lvtao.net/server/centos-server-setup.html
inotify: http://www.51know.info/system_security/inotify.html
Linux(Centos )的网络内核参数优化来提高服务器并发处理能力 http://blog.csdn.net/shaobingj126/article/details/8549494
日志 :http://www.centoscn.com/CentosSecurity/CentosSafe/2014/0304/2490.html
linux下使用tc模拟网络延迟和丢包 http://blog.csdn.net/duanbeibei/article/details/41250029
/*****************************参考***********************************/
/dev/vda 8G
/dev/vdb 500G
/dev/vda 系统盘 挂载在 /
/dev/vdb 分四个逻辑盘
/dev/vdb1 400G 用作项目应用 挂载 /var/www
/dev/vdb2 60G 用作日志记录 挂载 /var/log
/dev/vdb3 20G 分系统使用的软件其余的工具 例如 一些测试网速的软件就存放安装到这里 挂载 /opt
/dev/vdb4 20G /home 数据交换
- ulimit -SHn 65535
- echo "* soft nofile 65535" >> /etc/security/limits.conf
- echo "* hard nofile 65535" >> /etc/security/limits.conf
/**********sshd key 登录*******************************************/
- yum -y install sshd
- echo "ClientAliveInterval 60" >> /etc/ssh/sshd_config
- echo "ClientAliveCountMax 60" >> /etc/ssh/sshd_config
- echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
- echo export TMOUT=1000000 >> /root/.bash_profile
- source /root/.bash_profile
- service sshd restart
- /usr/bin/ssh-keygen -t rsa XXXXXXX
- mv XXXXXXX.pub /root/.ssh/authorized_keys
必须将 key 备份到本地 登录要用。
/************sshd 登录编码格式 vim设置 时区设置 关闭selinux*************/
- yum install fonts-chinese
- locale -a | grep -E 'zh|en_US'
vim /etc/sysconfig/i18n
- LANG="zh_CN.gb18030"
- LANGUAGE="zh_CN.gb18030:zh_CN.gb2312:zh_CN.gbk:zh_CN.utf8:zh_CN"
- SUPPORTED="zh_CN.utf8:zh_CN:zh:en_US.utf8:en_US:en"
- SYSFONT="lat0-sun16"
- LANG="zh_CN.gb18030"
- LANG="en_US.utf8"
- source /etc/sysconfig/i18n
vim ~/.vimrc
- set termencoding=gbk
- set encoding=utf-8
- set fileencodings=ucs-bom,utf-8,cp936
- set fileencoding=utf-8
vim /etc/profile
- export LANG=zh_CN.utf8
- export LC_ALL=zh_CN.gb18030
###设置vi, vim的默认的tab、行号显示参数
- echo "set tabstop=4" >> /etc/virc
- echo "set tabstop=4" >> /etc/vimrc
- echo "set number" >> /etc/virc
- echo "set number" >> /etc/vimrc
- echo "alias vi=vim" >> ~/.bashrc
- source ~/.bashrc
##设置正确的时区
- cp /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
- printf 'ZONE="Asia/Chongqing"\nUTC=false\nARC=false' > /etc/sysconfig/clock
- ###更新系统时间 每天凌晨6点更新系统时间
- ntpdate pool.ntp.org
- 0 6 * * * /sbin/ntpdate pool.ntp.org 2>&1 | /bin/logger
- 设置/etc/sysconfig/selinux文件中
- SELINUX=disabled
/*******************************************防火墙***************/
vim /etc/sysconfig/iptables
- # Firewall configuration written by system-config-firewall
- # Manual customization of this file is not recommended.
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- #-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- #-A INPUT -p icmp -j ACCEPT
- #-A INPUT -i lo -j ACCEPT
- #-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
- #-A INPUT -j REJECT --reject-with icmp-host-prohibited
- #-A FORWARD -j REJECT --reject-with icmp-host-prohibited
- -N whitelist
- -A whitelist -s 36.36.68.0/24 -j ACCEPT
- -A whitelist -s 223.73.59.0/24 -j ACCEPT
- -A whitelist -s 119.130.86.0/24 -j ACCEPT
- -A whitelist -s 36.36.68.65 -j ACCEPT
- -A whitelist -s 223.73.59.101 -j ACCEPT
- -A whitelist -s 119.130.86.201 -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -m state --state INVALID,NEW -j LOG
- -A INPUT -s 180.0.0.0/8 -j DROP
- -A INPUT -p tcp -m tcp --sport 54321 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 110 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 995 -j ACCEPT
- -A INPUT -p tcp -m tcp --sport 68 -j ACCEPT
- #iptables -A INPUT -p tcp -m tcp --sport 995 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 200 -j ACCEPT
- COMMIT
service iptables start
/*********************禁止root 创建普通用户******************************/
useradd wyj2507
passwd wyj2507 (密码 www.xiubt.com)
visudo (99行)
- wyj2507 ALL=(ALL) ALL
/*********************禁止root 创建普通用户********************/
/*******************************************修改HOSTS*******************/
vi /etc/hosts
127.0.0.1 localhost VM_41_93_centos
#使用DNS域名服务器来解析名字
order bind hosts
#一台主机是否存在多个IP
multi on
#如果用逆向解析找出与指定的地址匹配的主机名,对返回的地址进行解析以确认它确实与您查询的地址相配.为了防止“骗取”IP地址
nospoof on
service network restart
/*****************精简开机自启动服务*************************************/
7个运行级别 0 系统停机模式 1 单用户 2 多用户模式 3 完整多用户
4 系统未使用 5 图形化模式 6 重启模式
init 0 1 2 3 4 5 6 设置运行级别
新系统只保留crond,network,syslog(rsyslog),sshd自启动服务 后期加
查看运行级别 runlevel
查看开启的服务 chkconfig --list
#关闭全部服务
- for sun in `chkconfig --list|grep 3:启用 | awk '{print $1}'`;
- do
- chkconfig --level 3 $sun off
- done
#或者
- for sun in `chkconfig --list|grep 3:启用|awk '{print $1}'`;
- do
- chkconfig --level 3 $sun off
- done
#开启需要的服务
- for sun in crond rsyslog sshd network
- do
- chkconfig --level 3 $sun on
- done
#或者需要使用防火墙的话可以开启iptables和ip6tables
- for sun in crond rsyslog sshd network iptables ip6tables
- do
- chkconfig --level 3 $sun on
- done
/******************清理登陆的时候显示的系统及内核版本等***********************/
#查看登陆信息
cat /etc/redhat-release
cat /etc/issue
#清理登陆信息
echo >/etc/redhat-release
echo >/etc/issue
#关闭重启ctl-alt-delete组合键
vi /etc/init/control-alt-delete.conf
#注释掉
#exec /sbin/shutdown -r now "Control-Alt-Deletepressed"
#chattr类似chmod修改文件/目录属性 级别高于chmod
#chattr命令不能保护/、/dev、/tmp、/var目录。lsattr命令是显示chattr命令设置的文件属性。
#锁定关键文件系统
- chattr +i /etc/passwd
- chattr +i /etc/inittab
- chattr +i /etc/group
- chattr +i /etc/shadow
- chattr +i /etc/gshadow
#删除不必要的系统用户和群组
- userdel adm
- userdel lp
- userdel sync
- userdel shutdown
- userdel halt
- userdel news
- userdel uucp
- userdel operator
- userdel games
- userdel gopher
- userdel ftp
#删除不必要的群组
- groupdel adm
- groupdel lp
- groupdel news
- groupdel uucp
- groupdel games
- groupdel dip
- groupdel pppusers
/******************************************清理登陆的时候显示的系统及内核版本等********************************/
/*****************************内核参数优化*************************/
vi /etc/sysctl.conf 增加以下配置
- net.ipv4.tcp_max_syn_backlog = 65536
- net.core.netdev_max_backlog = 32768
- net.core.somaxconn = 32768
- net.core.wmem_default = 8388608
- net.core.rmem_default = 8388608
- net.core.rmem_max = 16777216
- net.core.wmem_max = 16777216
- net.ipv4.tcp_timestamps = 0
- net.ipv4.tcp_synack_retries = 2
- net.ipv4.tcp_syn_retries = 2
- net.ipv4.tcp_mem = 94500000 915000000 927000000
- net.ipv4.tcp_max_orphans = 3276800
- net.ipv4.ip_local_port_range = 1024 65535
- net.nf_conntrack_max = 25000000 # 如果使用默认参数,容易出现网络丢包 最大会话数
- net.netfilter.nf_conntrack_max = 25000000 # 如果使用默认参数,容易出现网络丢包 最大会话数
- net.netfilter.nf_conntrack_tcp_timeout_established = 180 #会话连接超时变量 自动清除30分钟的无效链接
- net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
- net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
- #TIME_WAIT 要过段时间释放 Linux 65535个端口
- #1 SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击
- #2 允许将TIME-WAIT sockets重新用于新的TCP连接
- #3 开启TCP连接中TIME-WAIT sockets的快速回收
- #4 系統默认的 TIMEOUT 时间
- net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_tw_reuse = 1
- net.ipv4.tcp_tw_recycle = 1
- net.ipv4.tcp_fin_timeout = 30
echo "modprobe nf_conntrack" >> /etc/rc.local
echo "modprobe bridge" >> /etc/rc.local
配置生效
# modprobe nf_conntrack
# sysctl -p
修改iptables启动脚本,在start()函数里面加上
# vi /etc/init.d/iptables
/sbin/sysctl -p
service iptables restart
iptables -v -n -L
#查看当前的会话
cat /proc/net/nf_conntrack | wc -l
LNMP
/*******************************************依赖包*************/
- yum install -y autoconf curl curl-devel cmake
- yum install -y sendmail graphviz
- yum install -y gcc gcc-c++
- yum -y install python
- yum -y install python-dev
- yum install libicu-devel
- yum install ncurses-libs
- yum install ncurses-devel
- yum -y install libxslt
- yum install libxslt-devel
- yum -y install curl-devel
- yum -y install e2fsprogs-devel krb5-devel libidn-devel openssl-devel
- wget http://download.savannah.gnu.org/releases/freetype/freetype-2.4.4.tar.gz
- tar zxvf freetype-2.4.4.tar.gz
- ./configure
- make && make install
- wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.bz2
- tar -jxvf pcre-8.37.tar.bz2
- cd pcre-8.37
- ./configure
- make && make install
- wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz
- tar -zxf openssl-1.0.1g.tar.gz
- ./config -fPIC enable-shared
- make && make test && make install
- wget http://zlib.net/zlib-1.2.8.tar.gz
- tar -zxf zlib-1.2.8.tar.gz
- ./configure
- make && make install
wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar -zxvf nginx-1.8.0.tar.gz
cd nginx-1.8.0
## 启用SSL模块 启用nginx状态模块 启用realip模块(将用户IP转发给后端服务器)
- ./configure --prefix=/usr/local/nginx \
- --user=nobody \
- --conf-path=/usr/local/nginx/conf/nginx.conf \
- --with-http_ssl_module \
- --with-http_flv_module \
- --with-http_stub_status_module \
- --with-http_gzip_static_module \
- #启用realip模块(将用户IP转发给后端服务器)
- --with-http_realip_module \
- --with-pcre=/opt/pcre-8.37 \
- --with-openssl=/opt/openssl-1.0.1g \
- --with-zlib=/opt/zlib-1.2.8
- wget http://xmlsoft.org/sources/old/libxml2-2.7.0.tar.gz
- wget ftp://ftp.xmlsoft.org/libxml2/libxml2-2.9.2.tar.gz
- tar zxvf libxml2-2.9.2.tar.gz
- ./configure
- make && make install
- libjpeg
- wget ftp://ftp.pl.freebsd.org/vol/rzm1/GraphicsMagick/delegates/libjpeg-6b.tar.gz
- tar zxvf libjpeg-6b.tar.gz
- ./configure && make && make install
- libpng
- wget http://download.sourceforge.net/libpng/libpng-1.6.18.tar.gz
- tar zxvf libpng-1.6.18.tar.gz
- ./configure
- sed -i 's/LDFLAGS\=/LDFLAGS\=-L\/usr\/local\/lib/g' Makefile
- sed -i 's/CPPFLAGS\=/CPPFLAGS\=-L\/usr\/local\/include/g' Makefile
- make && make install
- wget ftp://mcrypt.hellug.gr/pub/crypto/mcrypt/attic/libmcrypt/libmcrypt-2.5.7.tar.gz
- tar zxvf libmcrypt-2.5.7.tar.gz
- ./configure
- make && make install
- wget http://curl.haxx.se/download/curl-7.44.0.tar.gz
- wget http://www.execve.net/curl/curl-7.44.0.tar.gz
- tar zxvf curl-7.44.0.tar.gz
- cd /opt/curl-7.44.0
- ./configure --with-ssl=/opt/openssl-1.0.1g --with-zlib=/opt/zlib-1.2.8 && make && make install
或者
./configure --with-zlib=/opt/zlib-1.2.8 --with-ssl=/usr/local/ssl && make && make install
--with-openssl=/usr/local/ssl --with-libs=/usr/local/ssl
ldd $(which curl)
ln -s /usr/local/ssl/lib/libcrypto.so /usr/local/lib/libcrypto.so.1.0.0
cd /opt/php-5.6.12/ext/curl
/usr/local/php/bin/phpize
./configure --with-php-config=/usr/local/php/bin/php-config --with-curl=/opt/curl-7.44.0
make && make install
编译oci php扩展
rpm -ivh oracle-instantclient12.1-basic-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-sqlplus-12.1.0.1.0-1.x86_64.rpm
rpm -ivh oracle-instantclient12.1-devel-12.1.0.1.0-1.x86_64.rpm
配置库路径 libsqlplus.so
vim /etc/ld.so.conf
/usr/lib/oracle/12.1/client64/lib/
ldconfig
- export ORACLE_HOME=/usr/lib/oracle/12.1/client64
- export ORACLE_BASE=/usr/lib/oracle/12.1
- export PATH=$ORACLE_HOME/bin:$PATH
- export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
- export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
- export TNS_ADMIN=$ORACLE_HOME/network/admin
- source /etc/profile
- cd /opt/php-5.6.12/ext/oci8
- /usr/local/php/bin/phpize
- ./configure --with-php-config=/usr/local/php/bin/php-config
- make && make install
- cd /usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/
/*******************************************Mysql********************************/
mysql
wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/MySQL-5.5/mysql-5.5.44.tar.gz
groupadd mysql
useradd -r -g mysql mysql
##此处本来只应该装客户端
- cd /usr/local/Downloads
- tar -zxvf mysql-5.5.44.tar.gz
- cd mysql-5.5.44
- cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
- -DMYSQL_DATADIR=/usr/local/mysql/data \
- -DMYSQL_TCP_PORT=3306 \
- -DMYSQL_UNIX_ADDR=/var/run/mysqld/mysqld.sock \
- -DMYSQL_USER=mysql \
- -DDEFAULT_CHARSET=utf8 \
- -DWITH_EXTRA_CHARSETS:STRING=utf8,gbk \
- -DWITH_MYISAM_STORAGE_ENGINE=1 \
- -DWITH_MEMORY_STORAGE_ENGINE=1 \
- -DDEFAULT_COLLATION=utf8_general_ci \
- -DEXTRA_CHARSETS=all \
- -DWITH_READLINE=1 \
- -DWITH_EMBEDDED_SERVER=1 \
- -DENABLED_LOCAL_INFILE=1 \
- -DWITH_INNOBASE_STORAGE_ENGINE=1
- make && make install
- mkdir /usr/local/mysql/etc/
- cp support-files/my-large.cnf /usr/local/mysql/etc/my.cnf
- vim /usr/local/mysql/etc/my.cnf
- [mysqld]
- basedir = /usr/local/mysql
- datadir = /usr/local/mysql/data
- port = 3306
- socket = /var/run/mysqld/mysqld.sock
- character_set_server = utf8
- slow_query_log = 1
- log-error = /usr/local/mysql/log/mysql_error.log
- pid-file = /usr/local/mysql/run/mysql.pid
- default-storage-engine=MyISAM
- user = mysql
- open_files_limit = 65535
- max_connections = 5000
- max_connect_errors = 6000 #出错锁定host
- back_log = 600 #连接队列的最大值
- skip-name-resolve #关闭反向域名解析
- innodb_file_per_table = 0 #innodb表不共享一个文件
- interactive_timeout = 120
- wait_timeout = 120 #连接过期秒数
- thread_cache_size = 32 #连接词空闲线程数
- tmp_table_size = 56M
- max_heap_table_size = 56M
- long_query_time = 3
- log-bin = /var/www/log/binlog
- binlog_cache_size = 4M
- binlog_format = MIXED
- max_binlog_cache_size = 8M
- max_binlog_size = 1G
[client]
socket = /var/run/mysqld/mysqld.sock
groupadd mysql
useradd -r -g mysql mysql
cd /usr/local/mysql
chown -R mysql . # 更改所有文件的所有者为mysql
chgrp -R mysql . # 更改所有文件的所属组为mysql
2. mysql 初始化安装 执行以下命令 //以mysql的身份执行scripts/mysql_install_db脚本
/usr/local/mysql/scripts/mysql_install_db --basedir=/usr/local/mysql \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--user=mysql \
--datadir=/usr/local/mysql/data
chown -R root . # 再将所有文件的所有者改为root
chown -R mysql data # 其中要将data目录及其子文件的所有者改为mysql
chown -R mysql /usr/local/mysql/data
chgrp -R mysql /usr/local/mysql/data
cp /etc/my.cnf /etc/my.cnf_bak
cp /usr/local/mysql/etc/my.cnf /etc/my.cnf
mkdir /var/run/mysqld
chmod -R 777 /var/run/mysqld
mkdir /usr/local/mysql/run
chmod -R 777 /usr/local/mysql/run
/usr/local/mysql/bin/mysqld \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--basedir=/usr/local/mysql \
--datadir=/usr/local/mysql/data \
--plugin-dir=/usr/local/mysql/lib/plugin \
--user=mysql \
--log-error=/usr/local/mysql/log/mysql_error.log \
--pid-file=/usr/local/mysql/run/mysql.pid \
--socket=/var/run/mysqld/mysqld.sock \
--port=3306 &
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
客户端
yum install mysql
update user set password=passworD("wyj_2015") where user='root';
update user set host='%' where user='root';
flush privileges;
/*******************************************php*********************************/
- wget http://cn2.php.net/distributions/php-5.6.12.tar.gz
- opcash http://php.net/manual/zh/opcache.installation.php
- tar zxvf php-5.6.12.tar.gz
- ./configure --prefix=/usr/local/php \
- --with-config-file-path=/usr/local/php/conf \
- --with-fpm-user=nobody \
- --with-fpm-group=nogroup \
- --enable-fpm \
- --enable-bcmath \
- --with-curl \
- --with-mcrypt \
- --with-freetype-dir \
- --enable-mbstring \
- --with-pdo-mysql=mysqlnd \
- --with-mysqli=mysqlnd \
- --with-mysql=/usr/local/mysql \
- --with-openssl \
- --with-imap-ssl \
- --with-freetype-dir \
- --with-gd \
- --with-jpeg-dir=/usr/lib/ \
- --with-png-dir=/usr/lib/ \
- --enable-exif \
- --enable-zip \
- --with-zlib \
- --with-xsl \
- --with-gettext \
- --enable-intl \
- --with-xmlrpc \
- --enable-xml \
- --enable-ftp \
- --with-pear \
- --enable-sockets \
- --enable-gd-native-ttf \
- --enable-sysvsem \
- --enable-sysvshm \
- --enable-shmop \
- --with-mhash \
- --enable-inline-optimization \
- --with-curlwrappers \
- --enable-mbregex \
- --enable-opcache \
- make && make install
http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
##最小权限
- ROOT="/var/www/html"
- chown -R nobody:nobody $ROOT
- chmod a-wxr -R $ROOT
- chmod u+xr -R $ROOT
- chmod u+rw -R $ROOT/serverConfig
- chmod u+rwx -R $ROOT/Runtime
- chmod u+rxw -R $ROOT/Uploads
- chmod u+rw -R $ROOT/crontab
- chmod u+wrx -R $ROOT/Public
- chmod u+rw -R $ROOT/serverConfig
- chown -R ftp:ftp $ROOT/ftp
- chmod u+rw -R $ROOT/ftp
#session
- mkdir -p /usr/local/php/sess/weijiaoyun
- chown nobody:nobody /usr/local/php/sess/weijiaoyun
- chmod a-wrx -R /usr/local/php/sess/weijiaoyun
- chmod u+wr -R /usr/local/php/sess/weijiaoyun
/*********************************************启动命令***************************/
pkill php-fpm
/usr/local/php/sbin/php-fpm -c /usr/local/php/etc/php.ini -y /usr/local/php/etc/php-fpm.conf
chown -R nobody:nobody /usr/local/php/sess
chown nobody:nobody /dev/shm/sess/weijiaoyun
chmod u+wr -R /usr/local/php/sess/weijiaoyun
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid` #平滑重启 推荐
kill -USR1 `cat /usr/local/php/var/run/php-fpm.pid` #平滑重启日志 推荐
pkill nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
chown -R nobody:nobody /dev/shm
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid` #平滑重启 推荐
kill -USR1 `cat /usr/local/nginx/logs/nginx.pid` #平滑重启日志 推荐
pkill mysqld
/usr/local/mysql/bin/mysqld \
--defaults-file=/usr/local/mysql/etc/my.cnf \
--basedir=/usr/local/mysql \
--datadir=/usr/local/mysql/data \
--plugin-dir=/usr/local/mysql/lib/plugin \
--user=mysql \
--log-error=/usr/local/mysql/log/mysql_error.log \
--pid-file=/usr/local/mysql/run/mysql.pid \
--socket=/var/run/mysqld/mysqld.sock \
--port=3306 &
不保存历史
sed -i 's/HISTSIZE\=3000/HISTSIZE\=4/g' /etc/profile
source /etc/profile
传输命令
scp -i /root/wjyRsa -P 54321 -r /var/www/testscp 119.29.38.43:/var/www/
scp -i /root/devRsa -P 54321 -r /opt/curl-7.44.0 119.29.11.29:/opt/curl-7.44.0
/********************************系统工具**************************************/
yum -y install vim
yum install fonts-chinese.noarch
添加库文件路径
vim /etc/ld.so.conf
ldconfig
#滞后
--with-oci8 \
apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
tcpdump -i lo -w /var/www/logs/php-fpm2
/usr/sbin/tcpdump -i eth0 -w /var/www/logs/tcpdump7
yum -y install sysstat
sar -n EDEV 2 10
sar -n SOCK 2 10
sar -r 6 #mem
sar -u 6 #cpu
top -p pid
P:按%CPU使用率排行
T:按TIME+排行
M:按%MEM排行
Linux查看网络端口对应的程序
lsof -i :80
netstat -a |grep LISTEN |grep -v unix
ps -aux | sort -k4nr
ps -aux | grep -E "sap|USER"
#inode
df -i
#inode 大小
dumpe2fs -h /dev/vdb2 | grep "Inode size"
查看 进程的详细内存
pmap -q php-fpm的pid
/**********************配置文件备份*******************************/
/usr/local/mysql/etc/my.cnf
- [client]
- port = 3306
- socket = /var/run/mysqld/mysqld.sock
- [mysqld]
- port = 3306
- socket = /var/run/mysqld/mysqld.sock
- skip-external-locking
- key_buffer_size = 256M
- max_allowed_packet = 1M
- table_open_cache = 256
- sort_buffer_size = 1M
- read_buffer_size = 1M
- read_rnd_buffer_size = 4M
- myisam_sort_buffer_size = 64M
- thread_cache_size = 8
- query_cache_size= 16M
- query_cache_limit = 2M
- query_cache_min_res_unit = 2k
- basedir = /usr/local/mysql
- datadir = /usr/local/mysql/data
- port = 3306
- socket = /var/run/mysqld/mysqld.sock
- character_set_server = utf8
- slow_query_log = 1
- log-error = /usr/local/mysql/log/mysql_error.log
- pid-file = /usr/local/mysql/run/mysql.pid
- default-storage-engine=MyISAM
- user = mysql
- thread_concurrency = 2
- open_files_limit = 65535
- max_connections = 5000
- max_connect_errors = 6000
- back_log = 600
- skip-name-resolve
- innodb_file_per_table = 0
- interactive_timeout = 120
- wait_timeout = 120
- log-bin = /var/www/log/binlog
- binlog_cache_size = 4M
- binlog_format = MIXED
- max_binlog_cache_size = 8M
- max_binlog_size = 1G
cat /usr/local/php/etc/php.ini
[PHP]
- engine = On
- short_open_tag = Off
- asp_tags = Off
- precision = 14
- output_buffering = 4096
- zlib.output_compression = Off
- implicit_flush = Off
- unserialize_callback_func =
- serialize_precision = 17
- open_basedir = "/tmp/:/var/www/html:/var/www/task/cli/:/var/www/tasks/test_data/";
- disable_functions =
- disable_classes =
- zend.enable_gc = On
- expose_php = On
- max_execution_time = 30
- max_input_time = 60
- memory_limit = 256M
- error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
- display_errors = Off
- display_startup_errors = Off
- log_errors = On
- log_errors_max_len = 1024
- ignore_repeated_errors = Off
- ignore_repeated_source = Off
- report_memleaks = On
- track_errors = Off
- html_errors = On
- variables_order = "GPCS"
- request_order = "GP"
- register_argc_argv = Off
- auto_globals_jit = On
- post_max_size = 100M
- auto_prepend_file =
- auto_append_file =
- default_mimetype = "text/html"
- doc_root =
- user_dir =
- enable_dl = Off
- cgi.fix_pathinfo=1
- file_uploads = On
- upload_max_filesize = 100M
- max_file_uploads = 20
- upload_tmp_dir=/tmp
- allow_url_fopen = On
- allow_url_include = Off
- default_socket_timeout = 60
- [Phar]
- [mail function]
- SMTP = localhost
- smtp_port = 25
- mail.add_x_header = On
- [opcache]
- zend_extension = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/opcache.so"
- opcache.memory_consumption=128
- opcache.interned_strings_buffer=8
- opcache.max_accelerated_files=4000
- opcache.revalidate_freq=60
- opcache.fast_shutdown=1
- opcache.enable_cli=1
- [Session]
- session.save_handler = files
- session.save_path = "1;/usr/local/php/sess/weijiaoyun"
- session.use_cookies = 1
- session.use_only_cookies = 1
- session.name = PHPSESSID
- session.auto_start = 0
- session.cookie_lifetime = 0
- session.cookie_path = /
- [curl]
- extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/curl.so"
cat /usr/local/php/etc/php-fpm.conf | grep -v '^;' | grep -v '^$'| less
- [global]
- error_log = /var/log/php/php-fpm.log
- log_level = notice
- rlimit_files = 65535
- rlimit_core = 0
- pid = run/php-fpm.pid
- [www]
- user = nobody
- group = nobody
- listen = 127.0.0.1:9000
- listen.allowed_clients = 127.0.0.1
- pm = static
- pm.max_children = 50
- pm.start_servers = 40
- pm.min_spare_servers = 5
- pm.max_spare_servers = 10
- pm.max_requests = 1000
- pm.status_path = /status
- request_terminate_timeout = 30
- rlimit_files = 655360
- rlimit_core = 0
- security.limit_extensions = .php .html
- php_admin_value['date.timezone'] = 'Asia/Shanghai'
cat /usr/local/nginx/conf/nginx.conf | grep -v '^#' | grep -v '^$'| less
- user nobody nobody;
- worker_processes 2;
- worker_rlimit_nofile 65353;
- events {
- worker_connections 65353;
- use epoll;
- }
- http {
- include mime.types;
- default_type application/octet-stream;
- sendfile on;
- keepalive_timeout 65;
- fastcgi_connect_timeout 300;
- fastcgi_send_timeout 300;
- fastcgi_read_timeout 300;
- fastcgi_buffer_size 128k;
- fastcgi_buffers 4 128k;
- fastcgi_busy_buffers_size 256k;
- fastcgi_temp_file_write_size 256k;
- gzip on;
- gzip_min_length 1k;
- gzip_buffers 4 32k;
- gzip_http_version 1.1;
- gzip_comp_level 2;
- gzip_types text/plain application/x-javascript text/css application/xml;
- gzip_vary on;
- gzip_disable "MSIE [1-6].";
- server_names_hash_bucket_size 128;
- client_max_body_size 100m;
- client_header_buffer_size 256k;
- large_client_header_buffers 4 256k;
- include vhost/*.conf;
- }
cat /usr/local/nginx/conf/vhost/dev.xcoach.cn.conf | grep -v '^#' | grep -v '^$'| less
- server {
- listen 80;
- server_name 119.29.11.29;
- root /var/www/html;
- index index.php index.html;
- large_client_header_buffers 4 16k;
- client_max_body_size 300m;
- client_body_buffer_size 128k;
- proxy_connect_timeout 600;
- proxy_read_timeout 600;
- proxy_send_timeout 600;
- proxy_buffer_size 64k;
- proxy_buffers 4 32k;
- proxy_busy_buffers_size 64k;
- proxy_temp_file_write_size 64k;
- location / {
- index index.htm index.html index.php;
- if (!-e $request_filename) {
- rewrite ^/(.*)$ /index.php/$1 last;
- break;
- }
- }
- location ~ \.php$ {
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- fastcgi_read_timeout 150;
- include /usr/local/nginx/conf/fastcgi_params;
- set $path_info "";
- set $real_script_name $fastcgi_script_name;
- if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
- set $real_script_name $1;
- set $path_info $2;
- }
- fastcgi_param SCRIPT_FILENAME /var/www/html/$real_script_name;
- fastcgi_param SCRIPT_NAME $real_script_name;
- fastcgi_param PATH_INFO $path_info;
- }
- location /ngstatus {
- stub_status on;
- access_log off;
- }
- location /status {
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- include fastcgi.conf;
- }
- location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
- expires 30d;
- }
- location ~ .*\.(js|css)?$ {
- expires 12h;
- }
- location ~* \.(htaccess|inc|conf)$ {
- deny all;
- }
- location ~ /(sql|Data|Uploads|ftp)/.*\.(php|php5)?$ {
- deny all;
- }
- #location ^~ /Runtime {
- # deny all;
- #}
- access_log logs/dev.xcoach.cn.access.log;
- error_log logs/dev.xcoach.cn.error.log;
- }
/*************************************定时程序***************************/
- * * * * * /bin/sh /var/www/tasks/defend_ddos/defend_ddos.sh &
- */10 * * * * /var/www/tasks/ftp/ftp_get.sh "school" "username" "password" "/var/www/html/ftp/userdata" "/userdata/*.data" &
- */10 * * * * /usr/local/php/bin/php -q /var/www/tasks/cli/cliApiBandRelation.php &
- #59 * * * * /var/www/tasks/data_docking/doching.sh 121.41.74.208 youanbao PPla@0155 yabsz 3306 &
- */1 * * * * /usr/local//qcloud/stargate/admin/start.sh > /dev/null 2>&1 &
- 0 0 * * * bash /var/www/task/nglog_bak/nglog_bak.sh &
/*************************************************定时程序***********************************************************/
/***************************************其他************************/
保证每天多少PV的并发连接数的计算公式是:
并发连接数= PV / 统计时间(一天是86400) * 页面衍生连接次数 * http响应时间 * 因数(5) / web服务器数量
保证4千万PV的并发连接数:
(40000000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 6台Web服务器 = 19290连接数
10万PV的并发连接数:
(100000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 1台Web服务器 = 289连接数
ab.exe -n2000 -kc2000
svn
svn delete svn://119.29.11.29/weijiaoyun/Public -m "delete Public"
svn import -m 'reimport' /var/www/html/Public svn://119.29.11.29/weijiaoyun/Public
vim ignore.txt
Application/User/Conf/config.php
Application/Common/Conf/config.php
Runtime
Uploads
svn propset svn:ignore -F ignore.txt .
svn proplist
svn propget svn:ignore
nginx无法打印日志 tail -f 没有磁盘空间 增大max_user_watches 参考 http://www.51know.info/system_security/inotify.html
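# Raise the inotify watch limit at runtime (the symptom above: tail -f / nginx logging
# fail with "no space" once the watches are exhausted). The original line redirected
# into a file literally named "cat" in the current directory and never touched /proc;
# the value has to go into the /proc file itself. This is not persisted across reboot.
echo 17000 > /proc/sys/fs/inotify/max_user_watches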
批量替换 参考 http://php.net/manual/zh/language.exceptions.php (jim at anderos dot com)
grep 'throw new Exception' /var/www/ceshi/ -rl | xargs sed -i 's/throw new Exception/throw new \\Exception/g'
sed -i 's/throw new Exception/throw new \\Exception/g' `grep 'throw new Exception' /var/www/ceshi/ -rl`
错误日志分析
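#######################################
# Block every client address that appears in the nginx error log with the
# abusive referrer below, and persist the rules.
# Reads:    $error_log (nginx error log), $iptables_rules (saved rule set)
# Writes:   live iptables INPUT chain; $iptables_rules when a rule was added
# Needs privileges to run iptables and to write the rules file.
#######################################
error_log="/usr/local/nginx/logs/weijiaoyun_error.log"
iptables_rules="/etc/sysconfig/iptables"
# Same pattern as before, kept as an ERE so the escaped slashes still match literally.
referrer_pattern='referrer: "http:\/\/123.249.24.233\/POST_ip_port.phpAccep'
# Only a dotted-quad literal is ever handed to iptables; anything else is skipped.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

[[ -r "$error_log" ]] || { printf 'cannot read %s\n' "$error_log" >&2; exit 1; }

# Extract the "client: A.B.C.D" field from each matching line; dedupe so an IP that
# appears many times is handled once.
mapfile -t deny_ips < <(
  grep -iE -- "$referrer_pattern" "$error_log" \
    | sed 's/\(.*\)\(client: \)\(.*\)\(, server:.*\)/\3/g' \
    | LC_ALL=C sort -u
)

changed=0
for ip in "${deny_ips[@]}"; do
  if [[ ! "$ip" =~ $ipv4_re ]]; then
    printf 'skipping unexpected client value: %s\n' "$ip" >&2
    continue
  fi
  # -F -w: literal, whole-word match, so the dots are not regex wildcards and
  # 1.2.3.4 does not count as already present because 1.2.3.45 is.
  if grep -qFw -- "$ip" "$iptables_rules" 2>/dev/null; then
    continue
  fi
  # Insert at the head of INPUT so the DROP precedes any later ACCEPT. The
  # original both appended (-A) and inserted (-I) the rule, leaving duplicates.
  /sbin/iptables -I INPUT -s "$ip" -j DROP && changed=1
done

# Persist once, and only if something was actually added.
if (( changed )); then
  /sbin/iptables-save > "$iptables_rules"
fi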
PHP-FPM master进程可以理解以下信号
INT, TERM 立刻终止 QUIT 平滑终止 USR1 重新打开日志文件 USR2平滑重载所有worker进程并重新载入配置和二进制模块
php-fpm 关闭:kill -INT `cat /usr/local/php/var/run/php-fpm.pid`
php-fpm 重启:kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`
/**********************************************************其他******************************************************/
/****************服务优化 只开启必要的服务,提高安全性和性能********************/
###以下服务是必须开启的 其他可以尝试关闭
安装完Linux之后,以下服务是必须开启的,没列出的服务可关闭
acpid #高级控制电源管理接口
crond #定时执行任务
haldaemon #必须开启,否则可能导致控制台键盘鼠标无法使用
hidd #同上
irqbalance #支持多cpu中断,必须开启
kudzu #检测硬件变化时自动进行配置
lvm2-monitor #用于监测LVM状态
messagebus #Linux系统进程间通讯的关键服务
mdmonitor #监测软RAID健康状态 即使没有使用软RAID, 也强烈建议启用此服务
mdmpd #同上,即使没有多路径存储设备,也强烈建议启用之
network #网络支持
readahead_early #预先加载特定的应用程序到内存中以提高性能
readahead_later #同上
smartd #硬盘故障自动检测
sshd
syslog
klogd #如果服务列表中存在,则必须开启
提示:配置服务可使用ntsysv工具,比较方便
其它强烈建议开启的服务 iptables
/**********************************服务优化 只开启必要的服务,提高安全性和性能*************************************/
/*************************************日志************************************/
/var/log/messages 系统启动后的信息和错误日志,是Red Hat Linux中最常用的日志之一
/var/log/secure 与安全相关的日志信息
/var/log/maillog 与邮件相关的日志信息
/var/log/cron 与定时任务相关的日志信息
/var/log/spooler 与UUCP和news设备相关的日志信息
/var/log/boot.log 守护进程启动和停止相关的日志消息
dmesg | grep IDE # 查看启动时IDE设备检测状况
route -n # 查看路由表
/**************************************参考***********************/
生产服务器环境最小化安装后 Centos 6.5优化配置备忘 http://zhangxugg-163-com.iteye.com/blog/1843724
Centos 6.5优化配置 http://www.lvtao.net/server/centos-server-setup.html
inotify: http://www.51know.info/system_security/inotify.html
Linux(Centos )的网络内核参数优化来提高服务器并发处理能力 http://blog.csdn.net/shaobingj126/article/details/8549494
日志 :http://www.centoscn.com/CentosSecurity/CentosSafe/2014/0304/2490.html
linux下使用tc模拟网络延迟和丢包 http://blog.csdn.net/duanbeibei/article/details/41250029
/*****************************参考***********************************/