(1) Install MySQL with yum
// install with yum (the server package is named mysql-server)
yum -y install mysql mysql-server
// add the mysql service to the service list
chkconfig --add mysqld
// start the service
service mysqld start
// secure the initial MySQL installation (sets the root password, removes anonymous users and the test database)
/usr/bin/mysql_secure_installation
(2) Install Apache
yum -y install httpd
service httpd start
Add iptables rules allowing access to the ports {21: ftp, 80: http}.
iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
(3) Install PHP
yum -y install php php-mssql php-mysql
(4) Install Zend to substantially improve the execution speed of PHP applications
wget http://downloads.zend.com/optimizer/3.0.1/ZendOptimizer-3.0.1-linux-glibc21-i386.tar.gz
tar zxvf ZendOptimizer-3.0.1-linux-glibc21-i386.tar.gz
./install.sh
Problems that may occur
Failed loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.1.x/ZendOptimizer.so: /usr/local/Zend/lib/Optimizer-3.3.0/php-5.1.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied
Searching online, the cause was said to be SELinux, and the server did indeed have SELinux enabled. Changing the SELinux configuration file to set it to disabled would work, but I did not want to reboot the server, so there is the following workaround:
Run the command: setenforce 0
This turns SELinux off without a reboot. Still, disabling SELinux to get Zend Optimizer working is not a perfect solution; I am still looking into it.
Appendix: SELinux reference material:
SELinux introduction
SELinux provides a flexible mandatory access control (MAC) system at the Linux kernel level, built on top of the discretionary access control (DAC) system.
DAC means that the system's security access controls are managed at the discretion of the root system administrator rather than being enforced by the system.
When MAC is active, an application or thread running under some user's UID or SUID is still subject to access control restrictions on other objects, such as files, sockets, or other threads.
Running the SELinux MAC kernel protects the system from malicious programs, and keeps bugs in the system itself from having fatal consequences (the damage is confined to a limited scope).
SELinux defines access and transition permissions for every user, program, process, and file, and then manages the interactions among all of these objects.
The strictness of the permissions SELinux sets on objects can be chosen at installation time as needed, or SELinux can be disabled entirely.
In most cases SELinux is completely transparent to users: ordinary users do not notice it at all, and only system administrators need to think about the user environments and policies. Policies can be deployed loosely or applied with strict restrictions as required; SELinux provides very specific control policies that cover the whole Linux system.
For example, when a subject such as an application wants to access a file object, the kernel's control code checks the access vector cache (AVC) for the permissions of the subject and object. If no permission definition is found there, it goes on to consult the security contexts and the file permissions and then decides whether to grant or deny access. An "avc: denied" message in /var/log/messages indicates that access was denied.
Subjects and objects obtain their security contexts from the installed policy, and that policy also supplies the information from which the system generates its security lists.
Besides enforcing mode, SELinux can run in permissive mode: the AVC is still checked and denials are logged, but SELinux does not enforce the policy.
The SELinux-related tools are introduced below.
/usr/bin/setenforce    changes SELinux's running mode immediately
setenforce 1    puts SELinux in enforcing mode
setenforce 0    puts SELinux in permissive mode
To disable SELinux completely, set SELINUX=disabled in /etc/sysconfig/selinux, or add selinux=0 to the kernel line in /etc/grub.conf
/usr/sbin/sestatus -v
Shows the system's SELinux status
Sample output, for reference:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Policy version: 18
It is best to reboot the system afterwards.
(5) Configure Apache
Next, to make the server more secure and better match our actual requirements, make some necessary changes to the default settings. In particular, the less information the server gives away about itself, the better its security.
[root@sample ~]# vi /etc/httpd/conf/httpd.conf ← edit Apache's configuration file
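The text above says that an "avc: denied" line in /var/log/messages is how a denial shows up. The following added example (not part of the original post) reduces such lines to the three fields a defender needs, the process, the permission and the object class, so a handful of denials can be read before deciding whether to relabel one file or to loosen the policy. The log lines are constructed for the demo; the first one has the shape of the execmod denial that produces the "cannot restore segment prot after reloc" error seen earlier.

```shell
#!/bin/sh
# Added example (not from the original post): summarize SELinux AVC denials
# from syslog-style lines. The sample lines below are constructed for the
# demo; on a real host read /var/log/messages as the text says.

avc_sample() {
  cat <<'EOF'
Jan 10 12:00:01 sample kernel: audit(1168432801.123:45): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/local/Zend/lib/ZendOptimizer.so" dev=sda1 ino=12345 scontext=root:system_r:httpd_t tcontext=root:object_r:lib_t tclass=file
Jan 10 12:00:02 sample kernel: audit(1168432802.456:46): avc:  granted  { read } for  pid=2345 comm="httpd" path="/var/www/html/index.php" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
Jan 10 12:00:03 sample kernel: audit(1168432803.789:47): avc:  denied  { name_connect } for  pid=2346 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Jan 10 12:00:04 sample sshd[999]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
EOF
}

# avc_denials: stdin -> one "comm permission tclass" line per denied AVC entry.
# Granted entries and lines that are not AVC messages are dropped.
avc_denials() {
  grep 'avc: *denied' |
  sed -n 's/.*denied *{ *\([^ }]*\) *} .*comm="\([^"]*\)".*tclass=\([a-z_]*\).*/\2 \1 \3/p'
}

# avc_denial_summary: stdin -> "count comm permission tclass", one line per
# distinct denial, most frequent first.
avc_denial_summary() {
  avc_denials | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Stand-alone run against the constructed sample.
avc_sample | avc_denial_summary
```

On a real host, `avc_denial_summary < /var/log/messages` gives the same summary. An `httpd execmod file` entry on a shared library is the denial behind the Zend error above; the narrow fix is to relabel only that library (`chcon -t textrel_shlib_t` on the .so) rather than running `setenforce 0`, which drops every other protection the policy provides at the same time.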
#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS ← find this line and change "OS" to "Prod" (do not reveal the server's operating system name on error pages)
↓
ServerTokens Prod ← becomes this
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On ← find this line and change "On" to "Off"
↓
ServerSignature Off ← do not show the Apache version on error pages
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost ← set the administrator mailbox to the one you actually use
↓
ServerAdmin yourname@yourserver.com ← change the default according to your situation
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName new.host.name:80 ← change the host name
↓
ServerName www.centospub.com:80 ← change according to your situation; keep the default port 80
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks ← find this line, remove "Indexes", and add "Includes" and "ExecCGI"
↓
Options Includes ExecCGI FollowSymLinks ← allow the server to execute CGI and SSI
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi ← find this line, remove the leading "#", and append ".pl"
↓
AddHandler cgi-script .cgi .pl ← allow CGI scripts with the .pl extension to run
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None ← find this line and change "None" to "All"
↓
AllowOverride All ← becomes this; .htaccess files are now honoured
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ← find this line
↓
LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ← change to this (adding "!414" logs the request line only when the status is not 414, so over-long request URIs are not written to the log)
#
# Specify a default charset for all pages sent out. This is
# always a good idea and opens the door for future internationalisation
# of your web site, should you ever want it. Specifying it as
# a default does little harm; as the standard dictates that a page
# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
# are merely stating the obvious. There are also some security
# reasons in browsers, related to javascript and URL parsing
# which encourage you to always set a default char set.
#
AddDefaultCharset UTF-8 ← find this line and add "#" at the start
↓
#AddDefaultCharset UTF-8 ← do not use UTF-8 as the default page encoding
AddDefaultCharset GB2312 ← and add this line right after it (set GB2312 as the default encoding)
<Directory "/var/www/icons"> ← find this block and change the options inside it
Options Indexes MultiViews ← find this line and remove "Indexes"
↓
Options MultiViews ← becomes this (do not show a directory tree in the browser)
AllowOverride None
Order allow,deny
Allow from all
</Directory>
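The edits in this section are easy to lose on the next package upgrade or hand-edit, so a defender wants a quick check that the disclosure-related settings are still in place. The following added example (not part of the original post) audits an httpd.conf for the three information-leak points the section changes: ServerTokens, ServerSignature and any Options line that still enables Indexes. The two configuration fragments are constructed for the demo, one with the stock defaults and one with the values the text arrives at; point the check at /etc/httpd/conf/httpd.conf on a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf for the
# information-disclosure settings this section changes. The config fragments
# are constructed for the demo.

# Constructed "before" fragment: the stock CentOS defaults.
httpd_conf_default() {
  cat <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b" common
EOF
}

# Constructed "after" fragment: the values the text arrives at.
httpd_conf_hardened() {
  cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options Includes ExecCGI FollowSymLinks
    AllowOverride All
</Directory>
LogFormat "%h %l %u %t \"%!414r\" %>s %b" common
EOF
}

# directive_value NAME: stdin -> value of the last active (uncommented)
# occurrence of a directive, or nothing if it is not set.
directive_value() {
  sed -n 's/^[[:space:]]*'"$1"'[[:space:]]\{1,\}\(.*\)$/\1/p' | tail -n 1
}

# check_httpd_conf: stdin -> one line per finding; prints nothing when the
# config matches the hardened settings described in the text.
check_httpd_conf() {
  conf=$(cat)
  v=$(printf '%s\n' "$conf" | directive_value ServerTokens)
  [ "$v" = "Prod" ] || echo "ServerTokens is '${v:-unset}', want Prod (hides OS and module versions)"
  v=$(printf '%s\n' "$conf" | directive_value ServerSignature)
  [ "$v" = "Off" ] || echo "ServerSignature is '${v:-unset}', want Off (hides version on error pages)"
  # Any active Options line that lists Indexes exposes directory listings.
  if printf '%s\n' "$conf" | grep -qE '^[[:space:]]*Options[[:space:]]+(.*[[:space:]]+)?Indexes([[:space:]]|$)'; then
    echo "Options enables Indexes somewhere (directory listing)"
  fi
}

# finding_count: stdin -> number of findings, for scripting a pass/fail.
finding_count() {
  check_httpd_conf | wc -l | tr -d ' '
}

# Stand-alone run against both constructed fragments.
echo "default config:";  httpd_conf_default  | check_httpd_conf
echo "hardened config:"; httpd_conf_hardened | check_httpd_conf
```

On a live host run `check_httpd_conf < /etc/httpd/conf/httpd.conf`. The check covers only what the server reveals about itself; the other changes in this section (Includes, ExecCGI, AllowOverride All) widen what content authors can make the server do, so they are a functionality trade-off rather than hardening and are deliberately not flagged here.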