Web server: main task
Build a large-scale web server according to the development and design requirements.

Main software:
  apache + jboss + Oracle, abbreviated LAJO
  apache + PHP + mysql, abbreviated LAMP
  proFTPd + mysql, abbreviated LPM
  ssh + expect
  iptables
  bind
  mail

Specific requirements: a very large number of users accessing the site, very large user storage (domestic and international interconnection), and north-south interconnection (between the China Netcom and China Telecom networks).

Requirements analysis:
1. To guarantee the demanded quality and performance, a *nix platform is required (here RHEL AS 4.3 is chosen);
2. To sustain high traffic and heavy data processing, a commercial database is required (here Oracle 9.2.0.4);
3. To solve north-south interconnection (including domestic/international), an intelligent DNS server based on the bind view feature must be set up;
4. For the popular B/S and C/S application architecture, the JBOSS server is chosen;
5. To serve static pages better, the Apache server is chosen;
6. For the application's user registration and upload requirements, an ftp server is needed;
7. For continuous automated system monitoring, a LAMP server is needed (here the cacti software is used);
8. For communication between the company and its customers, a mail server is needed (here postfix + extmail);
9. For automated file and data processing and security settings, expect + ssh + iptables combined with shell scripts;
10. For the mass scale, cluster load balancing and storage equipment are needed.

Procedure:
1. Hardware procurement. Omitted here.
2. Operating system installation. Install the Red Hat AS 4.3 system; disk partitioning (omitted).
Install the development environment and the packages needed for the DNS and LAMP environments, and confirm that the following packages are installed:
  compat-db
  compat-gcc
  compat-gcc-32
  compat-oracle-rhel4
  compat-libcwait
  compat-libgcc
  compat-libstdc++-296
  compat-libstdc++-33
  gcc
  gcc-c++
  gnome-libs
  gnome-libs-devel
  libaio-devel
  libaio
  make
  openmotif21
  xorg-x11-deprecated-libs-devel
  xorg-x11-deprecated-libs
  sysstat (disk4)
  openmotif21 (disk3)
  libaio (disk3)
  libaio-devel (disk3)
  freetype-devel (disk3)
  fontconfig-devel (disk3)
  xorg-x11-devel (disk3)
  xorg-x11-deprecated-libs-devel (disk3)
  glib-devel (disk4)
  ORBit-devel (disk4)
  gtk+-devel (disk4)
  alsa-lib-devel (disk3)
  audiofile-devel (disk3)
  esound-devel (disk3)
  libjpeg-devel (disk3)
  libtiff-devel (disk3)
  libungif-devel (disk3)
  imlib-devel (disk4)
  gnome-libs-devel (disk4)
  expect (disk4)

Note: a problem I ran into: a brand-new Dell server, 1.5T, RAID5, on which no system had ever been installed and whose disks had not been partitioned. Installing directly from the AS 4.3 installation disc gave a memory error, a blue screen, and the installation failed. Several Linux system discs (including a Windows installation disc) all behaved the same. (I had no disk partitioning tool at hand, so I did not test whether partitioning the disk would help.) The official release says it does not support more than 2G of memory, so I removed 2G of memory before installing the system; after the installation, once the kernel that supports more than 2G of memory was installed, it supported 4G. If a fresh install later uses the default smp kernel instead of hugemem, it also recognises 4G of memory, and the blue screen problem does not appear at all. I have not studied the reason behind this in detail....

#rpm -ivh kernel-elhugemem….rpm

Edit the boot file grub.conf to make sure the newly installed kernel is booted first.
#cat /etc/grub.conf
//////////////////////// file content begins ///////////////////
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,1)
# kernel /vmlinuz-version ro root=/dev/sda8
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,1)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux AS (2.6.9-22.ELhugemem)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.ELhugemem ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.ELhugemem.img
title Red Hat Enterprise Linux AS (2.6.9-22.ELsmp)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.ELsmp ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.ELsmp.img
title Red Hat Enterprise Linux AS-up (2.6.9-22.EL)
        root (hd0,1)
        kernel /vmlinuz-2.6.9-22.EL ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.9-22.EL.img
//////////////////////// file content ends ///////////////////
If the order of the entries below hiddenmenu is different, change default=x (x being the index of the ELhugemem entry). Reboot and install the other 2G of memory; the system then runs normally with 4G of memory.
2) After the system installation, create the link: #ln -s /tmp /temp
3. Configure DNS
Because of the north-south interconnection requirement, the only open-source way is to use view with an ACL (access control list) file, so that clients are automatically directed per carrier line. (There are commercial solutions as well, such as intelligent routers and switch configuration; here we use bind, which is open source and easy to deploy and adjust.) There are many ways to obtain the ACL for the view; they are not discussed one by one here. The setup is as follows.

The bind installed by default is the 9 series, which already supports view. The configuration has three steps:
(1) modify named.conf
(2) create and configure the host (zone) files
(3) domain name resolution

#vi /etc/named.conf
//////////////////////// file content begins ///////////////////
// named.conf for Red Hat caching-nameserver
//
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";
//modify by mingfu 060404
acl "CNC" {
        58.16.0.0/16; 58.17.0.0/17; 58.17.128.0/17; 58.18.0.0/16; 58.19.0.0/16; 58.20.0.0/16;
        58.21.0.0/16; 58.22.0.0/15; 58.240.0.0/15; 58.242.0.0/15; 58.244.0.0/15; 58.246.0.0/15;
        58.248.0.0/13; 60.0.0.0/13; 60.8.0.0/15; 60.10.0.0/16; 60.11.0.0/16; 60.12.0.0/16;
        60.13.0.0/18; 60.13.128.0/17; 60.14.0.0/15; 60.16.0.0/13; 60.24.0.0/14; 60.30.0.0/16;
        60.31.0.0/16; 60.208.0.0/13; 60.216.0.0/15; 60.218.0.0/15; 60.220.0.0/14; 61.48.0.0/13;
        61.133.0.0/17; 61.134.96.0/19; 61.134.128.0/17; 61.135.0.0/16; 61.137.128.0/17; 61.138.0.0/17;
        61.138.128.0/18; 61.139.128.0/18; 61.148.0.0/15; 61.156.0.0/16; 61.159.0.0/18; 61.161.0.0/18;
        61.161.128.0/17; 61.162.0.0/16; 61.163.0.0/16; 61.167.0.0/16; 61.168.0.0/16; 61.176.0.0/16;
        61.179.0.0/16; 61.181.0.0/16; 61.182.0.0/16; 61.189.0.0/17; 125.32.0.0/16; 125.40.0.0/13;
        202.96.0.0/18; 202.96.64.0/21; 202.96.72.0/21; 202.97.128.0/18; 202.97.224.0/21; 202.97.240.0/20;
        202.98.0.0/21; 202.98.8.0/21; 202.99.64.0/19; 202.99.96.0/21; 202.99.128.0/19; 202.99.160.0/21;
        202.99.168.0/21; 202.99.176.0/20; 202.99.208.0/20; 202.99.224.0/21; 202.99.232.0/21; 202.99.240.0/20;
        202.102.128.0/21; 202.102.224.0/21; 202.102.232.0/21; 202.106.0.0/16; 202.107.0.0/17; 202.108.0.0/16;
        202.110.0.0/17; 202.111.128.0/18; 203.93.8.0/24; 203.93.192.0/18; 210.13.128.0/17; 210.14.160.0/19;
        210.14.192.0/19; 210.15.32.0/19; 210.15.96.0/19; 210.15.128.0/18; 210.21.0.0/16; 210.52.128.0/17;
        210.53.0.0/17; 210.53.128.0/17; 210.74.96.0/19; 210.74.128.0/19; 210.82.0.0/15; 218.8.0.0/14;
        218.12.0.0/16; 218.21.128.0/17; 218.24.0.0/14; 218.56.0.0/14; 218.60.0.0/15; 218.67.128.0/17;
        218.68.0.0/15; 218.104.0.0/14; 219.154.0.0/15; 219.156.0.0/15; 219.158.0.0/17; 219.158.128.0/17;
        219.159.0.0/18; 220.252.0.0/16; 221.0.0.0/15; 221.2.0.0/16; 221.3.0.0/17; 221.3.128.0/17;
        221.4.0.0/16; 221.5.0.0/17; 221.5.128.0/17; 221.6.0.0/16; 221.7.0.0/19; 221.7.32.0/19;
        221.7.64.0/19; 221.7.96.0/19; 221.8.0.0/15; 221.10.0.0/16; 221.11.0.0/17; 221.11.128.0/18;
        221.11.192.0/19; 221.12.0.0/17; 221.12.128.0/18; 221.13.0.0/18; 221.13.64.0/19; 221.13.96.0/19;
        221.13.128.0/17; 221.14.0.0/15; 221.192.0.0/15; 221.194.0.0/16; 221.195.0.0/16; 221.196.0.0/15;
        221.198.0.0/16; 221.199.0.0/19; 221.199.32.0/20; 221.199.128.0/18; 221.199.192.0/20; 221.200.0.0/14;
        221.204.0.0/15; 221.206.0.0/16; 221.207.0.0/18; 221.207.64.0/18; 221.207.128.0/17; 221.208.0.0/14;
        221.212.0.0/16; 221.213.0.0/16; 221.216.0.0/13; 222.128.0.0/14; 222.132.0.0/14; 222.136.0.0/13;
        222.160.0.0/15; 222.162.0.0/16; 222.163.0.0/19; 222.163.32.0/19; 222.163.64.0/18; 222.163.128.0/17;
};
view "view_cnc" {
        match-clients { CNC; };
        zone "." {
                type hint;
                file "named.ca";
        };
        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };
        include "master/cnc.def";
};
view "view_any" {
        match-clients { any; };
        zone "." {
                type hint;
                file "named.ca";
        };
        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "localhost.rev";
        };
        include "master/telecom.def";
};
//////////////////////// file content ends ///////////////////

#mkdir /var/named/master
#mkdir /var/named/master/cnc
#mkdir /var/named/master/telecom
#touch /var/named/master/cnc.def
#touch /var/named/master/telecom.def

Explanation of how domain name resolution is configured:
@ Zone definition files:
  master/cnc.def      Netcom (CNC)
  master/telecom.def  Telecom
The *.def files hold the zone statements for the domain names to be resolved.
@ Host (zone data) files:
  master/cnc      Netcom (CNC)
  master/telecom  Telecom

Below, resolving www.xxxx.com is used as the example.

#vi /var/named/master/cnc.def
//////////////////////// file content begins ///////////////////
zone "xxxx.com" {
        type master;
        file "master/cnc/xxxx.com";
};
//////////////////////// file content ends ///////////////////

#vi /var/named/master/telecom.def
//////////////////////// file content begins ///////////////////
zone "xxxx.com" {
        type master;
        file "master/telecom/xxxx.com";
};
//////////////////////// file content ends ///////////////////

#vi /var/named/master/cnc/xxxx.com
//////////////////////// file content begins ///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@       IN      SOA     ns.xxxx.com. root.ns.xxxx.com. (
                        2005121013      ; Serial
                        3600            ; Refresh ( seconds )
                        900             ; Retry ( seconds )
                        68400           ; Expire ( seconds )
                        15 )            ; Minimum TTL for Zone ( seconds )
;
@       IN      NS      ns.xxxx.com.
@       IN      MX      10 xxxx.com.    ; MX needs a preference value before the host
;
;ip for cnc
@       IN      A       x.x.x.x         ; Netcom IP
www     IN      A       x.x.x.x         ; Netcom IP
//////////////////////// file content ends ///////////////////

#vi /var/named/master/telecom/xxxx.com
//////////////////////// file content begins ///////////////////
$TTL 3600
$ORIGIN xxxx.com.
@       IN      SOA     ns.xxxx.com. root.ns.xxxx.com. (
                        2005121013      ; Serial
                        3600            ; Refresh ( seconds )
                        900             ; Retry ( seconds )
                        68400           ; Expire ( seconds )
                        15 )            ; Minimum TTL for Zone ( seconds )
;
@       IN      NS      ns.xxxx.com.
@       IN      MX      10 xxxx.com.    ; MX needs a preference value before the host
;
;ip for telecom
@       IN      A       x.x.x.x         ; Telecom IP
www     IN      A       x.x.x.x         ; Telecom IP
//////////////////////// file content ends ///////////////////

Client-side test:
nslookup -type=a xxxx.com x.x.x.x    (any Netcom DNS server IP)
nslookup -type=a xxxx.com x.x.x.x    (any Telecom DNS server IP)
If the IPs returned are the ones in the corresponding configuration files, the resolution is configured correctly.
Note: for xxxx.com above, the domain's DNS server must be changed to ns.xxxx.com, whose IP is the Netcom IP.
Remarks:
1) Here the access control separates Netcom from non-Netcom clients to achieve north-south interconnection; for domestic/international interconnection, list one more corresponding ACL and it is done.
2) For compiling and installing from the tar package see: http://www.mingfor.com/forum/showthread.php?tid=94
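The split-horizon logic above (a client whose source address falls in acl "CNC" gets view_cnc, everyone else falls through to view_any) is easy to get wrong when editing a long ACL. The following is an added example, not part of the original article and not bind's own code: a POSIX sh function that reproduces match-clients for a given client IP, so that an answer can be predicted before querying the server. CNC_ACL is a constructed excerpt of the acl "CNC" from the named.conf above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): decide which bind view a client
# IP would match, the way match-clients does: first view whose ACL matches
# wins, and "any" catches the rest.
# CNC_ACL is a constructed excerpt of the acl "CNC" shown in named.conf.
CNC_ACL="58.16.0.0/16 60.13.0.0/18 61.134.96.0/19 202.96.0.0/18 221.216.0.0/13"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit status 0 when IP lies inside the prefix
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # build the netmask from the prefix length; 4294967295 is 0xFFFFFFFF
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# view_for_client IP -> prints view_cnc or view_any, mirroring the two views
view_for_client() {
    for cidr in $CNC_ACL; do
        if in_cidr "$1" "$cidr"; then
            echo view_cnc
            return 0
        fi
    done
    echo view_any
}

# usage: ./views.sh 60.13.63.255   (prints view_cnc)
if [ -n "$1" ]; then view_for_client "$1"; fi
```

Replace CNC_ACL with the full list from named.conf to check real client addresses; an address that prints view_any despite belonging to Netcom means a prefix is missing from the ACL, which is the usual cause of "wrong carrier" answers.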
4. Configure LAJO
Software: Apache 2.0.58, JBOSS 4.0.3SP1, Oracle 9.2.0.4, Mod-jk 1.12

Configuration:
1) apache + mod-jk
#tar zxvf httpd-2.0.58.tar.gz
#cd httpd-2.0.58
#./configure --enable-MODULE=shared --enable-so --with-mpm=worker
#make && make install
#tar zxvf jakarta-tomcat-connectors-1.2.14.1-src.tar.gz
#cd /home/software/jakarta-tomcat-connectors-1.2.14.1-src/jk/native
#./configure --with-apxs=/usr/local/apache2/bin/apxs
#make
#cp ./apache-2.0/mod_jk.so /usr/local/apache2/modules

Modifying httpd.conf (the file lives in $APACHE-HOME/conf). We chose worker mode when compiling, so the worker module configuration is changed (httpd.conf does not allow comments after a directive on the same line, so each comment sits on its own line):
<IfModule worker.c>
# number of processes created initially
StartServers 4
# maximum number of processes, hard limit
ServerLimit 24
# maximum number of threads each process may create, hard limit; it is
# recommended to keep this equal to ThreadsPerChild, because
# ThreadLimit > ThreadsPerChild wastes memory
ThreadLimit 128
# maximum number of clients served at the same time
MaxClients 3072
# minimum total number of idle threads across all processes
MinSpareThreads 100
# maximum total number of idle threads across all processes
MaxSpareThreads 200
# fixed number of threads each child process creates
ThreadsPerChild 128
# controls how often the server creates and ends processes; 0 means no limit,
# but on Solaris this value may cause errors, so 1000 or 2000 can be used,
# depending on the system's concurrent load
MaxRequestsPerChild 0
</IfModule>

Also modify or add the following in httpd.conf:
Include conf/mod_jk2.conf
User xxxx
Group 5dxc
DocumentRoot "/site"
<Directory "/site">
NameVirtualHost IP:80
<VirtualHost IP:80>
    ServerAdmin [email protected]
    DocumentRoot /site
    ServerName IP
    ErrorLog logs/ip-error_log
    CustomLog logs/ip-access_log common
</VirtualHost>
<VirtualHost IP:82>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName admin.xxxx.com
    ErrorLog logs/ip-error_log
    CustomLog logs/ip-access_log common
</VirtualHost>

#vi $APACHE-HOME/conf/mod_jk2.conf
//////////////////////// file content begins ///////////////////
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers2.properties
JkLogFile logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
JkMount /* loadbalancer
#apache will serve the static picture.
# the lines below mean that all images and htm, css, js pages are served by
# APACHE; everything else is handed to jboss
JkUnMount /*.jpg loadbalancer
JkUnMount /*.gif loadbalancer
JkUnMount /*.swf loadbalancer
JkUnMount /*.bmp loadbalancer
JkUnMount /*.png loadbalancer
JkUnMount /*.js loadbalancer
JkUnMount /*.css loadbalancer
JkUnMount /*.htm loadbalancer
//////////////////////// file content ends ///////////////////

#vi $APACHE-HOME/conf/uriworkermap.properties
//////////////////////// file content begins ///////////////////
/jmx-console=loadbalancer
/jmx-console/*=loadbalancer
/web-console=loadbalancer
/web-console/*=loadbalancer
//////////////////////// file content ends ///////////////////

#vi $APACHE-HOME/conf/workers2.properties
//////////////////////// file content begins ///////////////////
worker.list=loadbalancer,status
worker.node1.port=8009
worker.node1.host=192.168.0.192    (fill in the server's IP)
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
//////////////////////// file content ends ///////////////////

Note: if load balancing is needed, change
worker.node2.port=8009
worker.node1.host=localhost
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
to:
worker.node2.port=8009
worker.node2.host=IP    (the IP address of the load-balanced node)
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
Remark: for still more load-balanced nodes…. add:
worker.noden.port=8009
worker.noden.host=IP    (the IP address of the load-balanced node)
worker.noden.type=ajp13
worker.noden.lbfactor=1
worker.noden.cachesize=10
worker.loadbalancer.balance_workers=node1,node2,noden

2) jboss
jboss installation: unpack Jboss4.0.3sp1 into the /site/jboss directory…. In …/deploy/jbossweb-tomcat55.sar/server.xml, find 8080 and change it to 8088.
JDK environment variables.
JDK installation:
#chmod 755 jdk-1_5_0_06-linux-i586.bin
#./jdk-1_5_0_06-linux-i586.bin
Java parameters:
#ln -s /usr/local/jdk1.5.0_06 /usr/local/jdk
If you downloaded the rpm package, proceed as follows:
#./jdk-1_5_0_06-linux-i586.rpm.bin
#rpm -ivh jdk-1_5_0_06-linux-i586.rpm
#ln -s /usr/java/jdk1.5.0_06 /usr/local/jdk
#vi /etc/profile.d/java.sh
//////////////////////// file content ///////////////////
JAVA_HOME=/usr/local/jdk
PATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/bin
export JAVA_HOME PATH
//////////////////////// file content ///////////////////

3) Starting the apache + jboss services
The apache + jboss integration is configured; now these services have to be started...
Users and permissions:
groupadd -g 5500 xxxx
adduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g xxxx xxxx
Change "/bin/false" to "/bin/bash" for the xxxx user in /etc/passwd so that jboss can use the account later. You can also do it directly:
adduser -u 5500 -s /bin/bash -d /bin/null -c "proftpd user" -g xxxx xxxx
chown -R xxxx /site/*
chgrp -R xxxx /site/*
chmod -R 755 /site/*
..
Service startup: add the following to /etc/rc.local:
/usr/local/apache2/bin/apachectl start
/etc/init.d/jboss start

#vi /etc/init.d/jboss
//////////////////////// file content begins ///////////////////
#!/bin/sh
#/etc/init.d/jboss
. /etc/rc.d/init.d/functions
JBOSS_HOME=/site/jboss
export JBOSS_HOME
JAVA_HOME=/usr/local/jdk
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export CLASSPATH
prog="jboss"
start(){
    # write the jboss service log into jboss.log
    touch /var/log/xxxx/jboss.log
    echo "Jboss4.0.3SP1 Service Starting........" >>/var/log/xxxx/jboss.log
    echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
    date "+%Y-%m-%d %A %T :Jboss Service start" >>/var/log/xxxx/jboss.log
    echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
    # run.sh blocks, so it is backgrounded; the redirection must come before &
    su - xxxx -c "$JBOSS_HOME/bin/run.sh" >>/var/log/xxxx/jboss.log 2>&1 &
}
# Function stop: stops the jboss service automatically
# when Linux halts
stop(){
    # write the jboss service log into jboss.log
    echo "jboss Service Stopping........" >>/var/log/xxxx/jboss.log
    echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
    date "+%Y-%m-%d %A %T :jboss Service Stop" >>/var/log/xxxx/jboss.log
    echo "-----------------------------------------------" >>/var/log/xxxx/jboss.log
    su - xxxx -c "$JBOSS_HOME/bin/shutdown.sh -S" >>/var/log/xxxx/jboss.log
}
case $1 in
start)
    start
    ;;
stop)
    stop
    ;;
restart|reload)
    stop
    start
    ;;
status)
    status $prog
    ;;
*)
    echo "Please Input start|stop|restart|reload|status"
    exit 1
esac
//////////////////////// file content ends ///////////////////
Note: give the jboss script execute permission: chmod 755 /etc/init.d/jboss
Note that the xxxx user has no password set; make sure that the xxxx user cannot log in and that only root can switch into that user's environment:
#su - xxxx
…..
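The workers file above is edited by copying the node1 block and renaming it, and the note on load balancing describes exactly the edit that goes wrong: node2 ends up listed in balance_workers with only its port defined, and a misspelt key such as "worder." is silently ignored by mod_jk. The following is an added example, not part of the original article and not mod_jk's own tooling: a POSIX sh/awk lint for workers.properties that reports a missing host, port or type for every balanced worker, duplicate keys, and keys that do not start with "worker.". The two embedded files are constructed: the first mirrors the single-server file above with the typo, the second is a corrected two-node version (192.168.0.193 is a made-up address).

```shell
#!/bin/sh
# Added example (not from the original page): lint a mod_jk workers.properties.
# lint_workers FILE  -> prints one problem per line; exit 1 if any were found.
lint_workers() {
    awk -F= '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        {
            key = $1; val = $2
            sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
            # mod_jk only reads keys under "worker."; anything else is ignored
            if (key !~ /^worker\./) { print "bad key prefix: " key; bad = 1; next }
            if (key in seen) { print "duplicate key: " key; bad = 1 }
            seen[key] = val
        }
        END {
            # every member of the lb worker needs host, port and type
            n = split(seen["worker.loadbalancer.balance_workers"], members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]
                if (!(("worker." m ".host") in seen)) { print "missing worker." m ".host"; bad = 1 }
                if (!(("worker." m ".port") in seen)) { print "missing worker." m ".port"; bad = 1 }
                if (!(("worker." m ".type") in seen)) { print "missing worker." m ".type"; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Constructed sample: the single-server file from the page, including the typo.
sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
worker.list=loadbalancer,status
worker.node1.port=8009
worker.node1.host=192.168.0.192
worker.node1.type=ajp13
worder.node1.lbfactor=1
worker.node2.port=8009
worker.node1.host=localhost
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
EOF
    echo "$f"
}

# Constructed sample: the corrected two-node file (192.168.0.193 is made up).
fixed_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
worker.list=loadbalancer,status
worker.node1.port=8009
worker.node1.host=192.168.0.192
worker.node1.type=ajp13
worker.node1.lbfactor=1
worker.node1.cachesize=10
worker.node2.port=8009
worker.node2.host=192.168.0.193
worker.node2.type=ajp13
worker.node2.lbfactor=1
worker.node2.cachesize=10
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=1
worker.status.type=status
EOF
    echo "$f"
}

# usage: ./lintworkers.sh /usr/local/apache2/conf/workers2.properties
if [ -n "$1" ]; then lint_workers "$1"; fi
```

Run it against the file named by JkWorkersFile before restarting apache; on the sample it reports the bad prefix, the duplicate worker.node1.host, and the missing worker.node2.host and worker.node2.type, while the corrected file produces no output.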
4) Oracle installation and startup
Create the installation directories and environment variables.
1. Create the user and groups:
#groupadd dba
#groupadd oinstall
#useradd oracle -g oinstall -G dba
#passwd oracle
2. Create the oracle installation folders:
#mkdir -p /opt/ora9/product/9.2.0.4
#mkdir /var/opt/oracle
#chown oracle.dba /var/opt/oracle
#chown -R oracle.dba /opt/ora9
3. Configure the environment variables. Log in as root, open root's .bash_profile and add the following:
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb    // this is your sid
Then log in as the Oracle user:
#su - oracle
$vi .bash_profile
The content of the file:
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export ORACLE_BASE=/opt/ora9
export ORACLE_HOME=/opt/ora9/product/9.2.0.4
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin
export ORACLE_OWNER=oracle
export ORACLE_SID=oradb
export ORACLE_TERM=xterm
export LD_ASSUME_KERNEL=2.4.19
export THREADS_FLAG=native
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export NLS_LANG="American_america.utf8"
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
export PATH
unset USERNAME
4. Set the system parameters. #su - root to switch to the root user.
a) Edit #vi /etc/sysctl.conf; the content of the file:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
After editing, run #sysctl -p so that the kernel changes take effect immediately.
Note: in general the maximum shared memory can be set to half of the physical memory: with 2G of physical memory set it to 1073741824; with 1G, 512 * 1024 * 1024 = 536870912 (as in the file above); and so on. It is recommended to make the shmmax setting permanent. The four sem values are, in order: SEMMSL (maximum number of semaphores per user); SEMMNS (maximum number of semaphores in the system); SEMOPM (number of operations per semop system call); SEMMNI (maximum number of semaphore sets in the system). Shmmax is the maximum shared memory, which the official documentation suggests setting to 1/2 of memory; Shmmni the minimum shared memory, 4096KB; Shmall the total memory size.
b) Set oracle's file requirements: edit #vi /etc/security/limits.conf and add:
oracle soft nofile 65536
oracle hard nofile 65536
oracle soft nproc 16384
oracle hard nproc 16384
This can also be written as:
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
c) gcc downgrade:
#mv /usr/bin/gcc /usr/bin/gcc34
#ln -s /usr/bin/gcc32 /usr/bin/gcc
#mv /usr/bin/g++ /usr/bin/g++34
#ln -s /usr/bin/g++32 /usr/bin/g++
5. Install the oracle patches:
#cd /opt
#ls compat*.rpm
compat-libcwait-2.0-2.i386.rpm compat-oracle-rhel4-1.0-5.i386.rpm
#rpm -Uvh compat*.rpm
Preparing...                ########################################### [100%]
   1:compat-libcwait-2.0-2.i386.rpm        ##################################### [ 50%]
   2:compat-oracle-rhel4-1.0-5.i386.rpm    #################################### [100%]

Installing Oracle9i
1. Unpack the downloaded installation files:
#zcat ship_9204_linux_disk1.cpio.gz | cpio -idmv && zcat ship_9204_linux_disk2.cpio.gz | cpio -idmv && zcat ship_9204_linux_disk3.cpio.gz | cpio -idmv
Unpacking automatically creates three directories holding the installation files: Disk1, Disk2, Disk3.
Log in to the system as the oracle user and install Oracle (note: do not su to oracle from a root login; log in to the system, i.e. the graphical desktop, as oracle):
$cd Disk1
$./runInstaller
After a moment the Oracle installer appears:
- Welcome Screen: Click Next
- Inventory Location: Click Next
- Unix Group Name: Use "oinstall" and click Next
  When asked to run /tmp/orainstRoot.sh, run it before you click Continue
- At the end of the installation, exit runInstaller.
2. Just step through the installation one screen at a time!
3. After the installation, apply the patch. Switch to oracle: #su - oracle. First install opatch:
$cd /opt
$unzip p2617419_210_GENERIC.zip
Archive: p2617419_210_GENERIC.zip
creating: OPatch/
creating: OPatch/docs/
inflating: OPatch/docs/FAQ
......
inflating: README.txt
$export PATH=$PATH:/opt/OPatch:/sbin    (when changing PATH, include the unzipped OPatch directory and the sbin directory)
$unzip p3238244_9204_LINUX.zip
$export ORACLE_BASE=/opt/ora9
$export ORACLE_HOME=/opt/ora9/product/9.2.0.4
$cd 3238244
$opatch apply
A "success" message means everything was installed. After patching, one .mk file still has to be relinked:
$cd $ORACLE_HOME/network/lib
$make -f ins_oemagent.mk install
After that the Agent service can be started.
4. Finally run $dbca to create the oracle database. Note: at the SID prompt enter oradb (the same value as in ORACLE_SID=oradb). Click OK and exit; then log in normally and start the database:
$lsnrctl start
$sqlplus /nolog
SQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL>connect / as sysdba
Connected.
SQL> shutdown immediate        (shut down the database)
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL>startup;                   (start the database)
ORACLE instance started.
Total System Global Area 236000356 bytes
Fixed Size 451684 bytes
Variable Size 201326592 bytes
Database Buffers 33554432 bytes
Redo Buffers 667648 bytes
Database mounted.
Database opened.
5. Oracle service startup. As root, write the following script:
vi /etc/init.d/oracle
//////////// content //////////////////
#!/bin/bash
#start and stop the oracle instance
# chkconfig -level 5 --add ora9i
#chkconfig: 345 91 19
# description: starts the oracle listener and instance
export ORACLE_HOME="/opt/ora9/product/9.2.0.4"
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATH
export ORACLE_OWNER="oracle"
export ORACLE_SID=oradb
if [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]
then
    echo "oracle startup:cannot start"
    exit 1
fi
case "$1" in
start)
    #startup the listener and instance
    echo -n "oracle startup: "
    su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"
    su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstart
    touch /var/lock/subsys/oracle
    echo "finished"
    ;;
stop)
    # stop listener, apache and database
    echo -n "oracle shutdown:"
    su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"
    su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshut
    rm -f /var/lock/subsys/oracle
    echo "finished"
    ;;
reload|restart)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: ora9i [start|stop|reload|restart]"
    exit 1
esac
exit 0
//////////// content //////////////////
Give it execute permission; as root, /etc/rc.d/init.d/oracle start|stop now manages starting and stopping oracle. If you want to add the script to the system so that it runs at boot (officially this is not recommended, and I do not recommend it either; do it if you really need to), run the following command: chkconfig --level 35 --add oracle
Or, as root, run:
#chmod a+x /etc/rc.d/init.d/oracle
#cd /etc/rc.d/rc5.d
#ln -s /etc/rc.d/init.d/oracle S99ora9i
#cd /etc/rc.d/rc0.d
#ln -s /etc/rc.d/init.d/oracle K99ora9i
Oracle9i can also be auto-started as follows! Add to /etc/rc.d/rc.local:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
Note: if the startup is not satisfactory, write shell scripts. Method, taking my personal habit as the example:
#mkdir /usr/local/syscmf
#vi /usr/local/syscmf/oracle.sh
//////////////////////// file content begins ///////////////////
#!/bin/sh
#modify by mingfu 060404
#oracle run scripts
#run user for oracle
lsnrctl start
expect /usr/local/syscmf/oracle.exp
//////////////////////// file content ends ///////////////////
#vi /usr/local/syscmf/oracle.exp
//////////////////////// file content begins ///////////////////
#!/usr/local/bin/expect
#modify by mingfu 060404
#oracle run scripts
set timeout 120
spawn sqlplus \/nolog
expect "SQL\>"
send "conn \/ as sysdba\r"
expect "SQL\>"
send "startup\r"
expect "SQL\>"
send "exit\r"
exit
//////////////////////// file content ends ///////////////////
#chown oracle /usr/local/syscmf/*
#chgrp oracle /usr/local/syscmf/*
#chmod 755 /usr/local/syscmf/*
Add the following to /etc/rc.local:
su - oracle -c /usr/local/syscmf/oracle.sh
and delete the earlier lines:
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"
su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"
6. Removing the database and reinstalling: delete the ORACLE installation directory and /etc/ora*.*, and that's it:
#rm -f /etc/ora*.*
7. Running the management software $oemapp on LINUX:
#su - oracle
$oemapp console
8. Fixing incorrect Chinese display
The character set Oracle currently installs by default is WE8MSWIN1252, not a Chinese character set, and it cannot be changed by directly running alter database character set ZHS16GBK; because ZHS16GBK is not a superset of the default character set. The once widely circulated method of editing the PROPS$ table under the sys user directly also leaves many potential problems behind after the character set change. On linux, change the character set with the following operations:
sqlplus /nolog
sql>conn / as sysdba
sql>shutdown immediate
sql>startup mount
sql>alter system enable restricted session;
sql>alter system set JOB_QUEUE_PROCESSES=0;
sql>alter system set AQ_TM_PROCESSES=0;
sql>alter database open;
sql>alter database character set internal_use ZHS16GBK;
sql>shutdown immediate
sql>startup
That completes the character set change (if you chose a Chinese character set during installation, there is nothing to change here).
The LAJO service environment is configured.

5. Configure LAMP
Install the http+php+mysql packages shipped with the system and configure as follows:
Apache configuration: modify /etc/httpd/conf/httpd.conf as follows:
Listen 82
ServerName 127.0.0.1:82
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Note: the system now has two httpd service processes, running as the users xxxx and apache respectively. Make sure that both
/usr/local/apache2/bin/apachectl start
/etc/init.d/httpd start
are started automatically at boot.
Mysql setup:
mysql> create database ftpdb;
mysql> grant all privileges on ftpdb.* to ftpuser@localhost identified by "xxxx";
mysql> grant all privileges on *.* to root@'%' identified by "xxxx";
mysql> flush privileges;
mysql> exit
Make sure that /etc/init.d/mysqld start runs automatically at boot.
The LAMP service environment is configured.

7. Configure FTP
To tie in with project deployment and ftp account creation, and to make maintenance and management easier, I chose Proftpd combined with a database.
Create the ftpdb structure:
mysql> use ftpdb;
mysql> CREATE TABLE `ftpgroup` (
  `groupname` varchar(16) NOT NULL default '',
  `gid` smallint(6) NOT NULL default '5500',
  `members` varchar(16) NOT NULL default '',
  KEY `groupname` (`groupname`)
);
mysql> CREATE TABLE `ftpquotalimits` (
  `name` varchar(30) default NULL,
  `quota_type` enum('user','group','class','all') NOT NULL default 'user',
  `per_session` enum('false','true') NOT NULL default 'false',
  `limit_type` enum('soft','hard') NOT NULL default 'soft',
  `bytes_in_avail` float NOT NULL default '0',
  `bytes_out_avail` float NOT NULL default '0',
  `bytes_xfer_avail` float NOT NULL default '0',
  `files_in_avail` int(10) unsigned NOT NULL default '0',
  `files_out_avail` int(10) unsigned NOT NULL default '0',
  `files_xfer_avail` int(10) unsigned NOT NULL default '0'
);
mysql> CREATE TABLE `ftpquotatallies` (
  `name` varchar(30) NOT NULL default '',
  `quota_type` enum('user','group','class','all') NOT NULL default 'user',
  `bytes_in_used` float NOT NULL default '0',
  `bytes_out_used` float NOT NULL default '0',
  `bytes_xfer_used` float NOT NULL default '0',
  `files_in_used` int(10) unsigned NOT NULL default '0',
  `files_out_used` int(10) unsigned NOT NULL default '0',
  `files_xfer_used` int(10) unsigned NOT NULL default '0'
);
mysql> CREATE TABLE `ftpuser` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `userid` varchar(32) NOT NULL default '',
  `passwd` varchar(32) NOT NULL default '',
  `uid` smallint(6) NOT NULL default '5500',
  `gid` smallint(6) NOT NULL default '5500',
  `homedir` varchar(255) NOT NULL default '',
  `shell` varchar(16) NOT NULL default '/sbin/nologin',
  `count` int(11) NOT NULL default '0',
  `accessed` datetime NOT NULL default '0000-00-00 00:00:00',
  `modified` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
);
mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");
mysql> INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");
mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");
mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");

Configure proftpd:
#tar xzvf proftpd-1.3.0rc5.tar.gz
#cd proftpd-1.3.0rc5
#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
#make && make install
#mv /usr/local/proftpd/etc/proftpd.conf /usr/local/proftpd/etc/proftpd.confbak
#vi /usr/local/proftpd/etc/proftpd.conf
//////////////////////// file content ///////////////////
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
#ServerName "ProFTPD Default Installation"
ServerName "Mingfu's ftp"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 100
MaxLoginAttempts 3
# Set the user and group under which the server will run.
User nobody
Group nobody
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
DefaultRoot ~
#put the proftpd log files in /var/log/ftp.syslog
#SystemLog /var/log/ftp.syslog
SystemLog /var/log/xxxx/ftp.syslog
#TransferLog log files
TransferLog /var/log/xxxx/ftp.transferlog
MaxHostsPerUser 1 "Sorry, you may not connect more than one time 1."
MaxClientsPerUser 13 "Only one such user at a time 2."
MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3."
#setup the Restart
AllowRetrieveRestart on
RootLogin off
RequireValidShell off
TimeoutStalled 600
MaxClients 2000
AllowForeignAddress on
AllowStoreRestart on
ServerIdent off
DefaultRoot ~ xxxx
#Slow logins
UseReverseDNS off
IdentLookups off
#IdentLookups and tcpwrappers ***
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutIdle 600
SQLAuthTypes Backend Plaintext
SQLAuthenticate users* groups*
# databasename@host database_user user_password
#SQLConnectInfo ftpdb@localhost proftpd password
SQLConnectInfo ftpdb@localhost ftpuser xxxx
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser
# Update modified everytime user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits kb
QuotaShowQuotas on
QuotaLog "/var/log/quota"
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
//////////////////////// file content ///////////////////
Add to the /etc/rc.local file:
/usr/local/proftpd/sbin/proftpd &
LPM is configured.
Note: to add ftp accounts later, just add the corresponding rows to the ftpuser table; for user disk quotas, add the corresponding rows to the ftpquotalimits table. Because SQLAuthTypes lists Backend before Plaintext, the passwd column may also hold a value produced by MySQL's PASSWORD() function instead of the clear-text password used in the sample INSERT above.
Recommended Windows MySQL administration tool: mysql-front. Remote connection account: User: root, Host: IP, Pswd: xxxx (the same password set in grant all privileges on *.* to root@'%' identified by "xxxx";).
The setup can also follow this link: http://www.mingfor.com/forum/showthread.php?tid=28
8. Configure MAIL
To tie in with the jboss application and with MAIL account creation, and to make maintenance and management easier, I chose a mail server combined with a database. For the setup, refer to the mail-sending program and then configure the mail server to match it; mail system users must not be created as real system accounts: all accounts are kept in the mysql database. The detailed setup is omitted. It can follow these links:
http://www.mingfor.com/forum/showthread.php?tid=19
http://www.extmail.org

9. Security policy
Below is a simple and effective firewall setup; as long as no intrusion comes from a fixed IP, the server stays accessible as normal. After going live, the server's connection state information therefore has to be collected. The LAMP environment is already configured on this server, so install the CACTI software (http://www.cacti.net) for system monitoring; its installation is fairly simple and is not described here. In addition, keep taking the output of
#netstat -na | grep SYN
and DROP any source that shows 15 consecutive identical forged (half-open) connections out of the system's communication channel. When such an intrusion connection appears….
#iptables -A ………….. DROP    (note: do not write this into the iptables file)

Below is the full content of the iptables file:
#cat /etc/sysconfig/iptables
//////////////////// file content ////////////////////
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT
#modify by mingfu 060404
#Please do not modify the content below
#ACK FIN SYN
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#port scan
# NMAP FIN/URG/PSH
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#!--syn
-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Dos
-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT
#sync flood
-N synfoold
-A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
-A synfoold -p tcp -j REJECT --reject-with tcp-reset
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold
-N ping
-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
-A ping -p icmp -j REJECT
-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP
#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP
#all ports
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT
#MAIL
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT
#WEB
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT
#DNS
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#DATABASE
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
#VNC
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT
#ICMP
-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROP
COMMIT
//////////////////// file content ////////////////////
(Rules are evaluated in order, so the two rules after the icmp-host-prohibited REJECT on eth0 are never reached; the ESTABLISHED,RELATED traffic is already accepted by the "#all ports" rule above them.)

Add the following to /etc/rc.local:
//////////////////// file content ////////////////////
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_synack_retries
echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
//////////////////// file content ////////////////////
Here 8192 = 1024*4*2. For more details consult the documentation on /proc.

About the script that collects netstat -na | grep SYN_RECV and TIME_WAIT: I cannot write it all down here; only the principle and the main code: use netstat to count the repeated connecting IPs, tally the connections coming from the same IP, and if the count exceeds a value you set (your own choice!), that IP is blocked by the iptables mechanism! This is done with a shell script combined with iptables (the linux commands used are mainly netstat, awk, cut, sort). . .
Part of the main code of the shell script:
///////////////////////////////////////
basedir="/usr/local/syscmf"
#=== Part A, about the TIME WAIT signle ===#
netstat -an | grep 80 | grep TIME | awk '{print $5}' | cut -d':' -f1 | sort | uniq -c | \
awk '{if ($1 >= 12) print $2}' > $basedir/netstata
sleep 14s
netstat -an | grep 80 | grep TIME | aw'{print $5}' | cut -d':' -f1 | sort | uniq -c | \
awk '{if ($1 >= 12) print $2}' > $basedir/netstatb
sleep 14s
netstat -an | grep 80 | grep TIME | awk '{print $5}' | cut -d':' -f1 | sort | uniq -c | \
awk '{if ($1 >= 12) print $2}'
> $basedir/netstatccat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 sort uniq -c \awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.nowdenyip_netstat=`cat $basedir/netstat-wait.now`#=== Part B, about the SYN RECV signle ===#netstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat1sleep 12snetstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat2sleep 12snetstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat3cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 sort uniq -c \awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.nowdenyip_netstat=`cat $basedir/netstat-syn.now`///////////////////////////////////////關於防止別人來猜測ssh用戶登錄的密碼,修改默認的ssh端口22為922(與防火牆中規則指定的922相一致.) 修改方法如下:#vi /etc/ssh/sshd_config修改:#Port 22為:Port 922注意:修改後的ssh連接方法:ssh user@ip –p 922如果你不想指定-p參數,請修改/etc/ssh/ssh_config的#Port 22為:Port 922建議將提供服務的服務器中的ssh服務端與客服端的ssh通信端口都修改……10.測試上線所有的配置完畢,重啟服務器.測試好准備上線.注意:以下服務不能重復多次啟動,必須服務在停止的情況下才能啟動,否則會出現啟動錯誤.#su - oracle usr/local/syscmf/oracle.sh#/etc/rc.d/init.d/jboss start關於這兩個服務的啟動用戶與權限:1.Oracle:用戶:oracle(可以進行系統登錄)切忌有關oracle的操作請在oracle用戶環境中進行操作.你實在要在root用戶中操作,請不要忘了#su – oracle –c “lsncrctl start”……..a.Oracle服務停止:$sqlplus /nologSQL>conn / as sysdbaSQL>shutdown immediateSQL> exit$lsnrctl stopb.Oracle服務啟動:$lsnrctl start$sqlplus /nologSQL>conn / as sysdbaSQL> startupc.Oracle服務強制啟動:在oracle服務已進啟動的情況下也可啟動oracle服務.$sqlplus /nologSQL>conn / as sysdbaSQL> startup force如果你要利用我寫的expect自動輸入腳本來啟動,你需要修改,在裡面加入條件判斷結構.
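The netstat script above stops at producing the two IP lists and leaves out the blocking step. The following is an added example, not the page's script: it applies the same idea (count connections per remote IP on local port 80, keep only IPs over the threshold in every one of several samples) to constructed `netstat -an` output so it can run offline, then prints the iptables rules that would block the offenders instead of executing them. The sample data, the low thresholds and the function names are my assumptions; in production `netstat_snapshot` would simply run `netstat -an` and the thresholds would go back to the page's 12 connections in 3 samples.

```shell
#!/bin/sh
# Added example (not the original page's code): detect clients holding an
# abnormal number of TIME_WAIT / SYN_RECV connections to local port 80 and
# emit the iptables rules that would block them.

# Constructed `netstat -an` output (not a real capture). In production this
# function body would be just: netstat -an
netstat_snapshot() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.10:40004        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      TIME_WAIT
tcp        0      0 10.0.0.5:8080           203.0.113.9:61000       TIME_WAIT
tcp        0      0 10.0.0.5:8080           203.0.113.9:61001       TIME_WAIT
tcp        0      0 10.0.0.5:8080           203.0.113.9:61002       TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:61003       ESTABLISHED
EOF
}

# offenders PORT STATE THRESHOLD
# Prints (sorted) every remote IP with >= THRESHOLD connections to local PORT
# in the given STATE. Matching field 4 against ":PORT$" avoids the loose
# 'grep 80' of the original, which also hits 8080 (see 203.0.113.9 above).
offenders() {
    netstat_snapshot | awk -v port="$1" -v st="$2" -v th="$3" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 == st {
            split($5, a, ":"); count[a[1]]++
        }
        END { for (ip in count) if (count[ip] >= th) print ip }' | sort
}

# repeated_offenders PORT STATE THRESHOLD ROUNDS INTERVAL
# Takes ROUNDS samples INTERVAL seconds apart and keeps only the IPs that
# exceed the threshold in every round, so one burst from a busy page load
# is not enough to get a client blocked.
repeated_offenders() {
    rounds=$4; interval=$5; i=0; all=""
    while [ "$i" -lt "$rounds" ]; do
        all="$all
$(offenders "$1" "$2" "$3")"
        i=$((i + 1))
        if [ "$i" -lt "$rounds" ]; then sleep "$interval"; fi
    done
    printf '%s\n' "$all" | sed '/^$/d' | sort | uniq -c | awk -v r="$rounds" '$1 == r { print $2 }'
}

# deny_list: union of the TIME_WAIT and SYN_RECV offenders. Thresholds are
# deliberately low for the small sample; the page's script uses 12.
deny_list() {
    { repeated_offenders 80 TIME_WAIT 3 3 0
      repeated_offenders 80 SYN_RECV 1 3 0; } | sort -u
}

# block_rules IP...  prints the rules rather than running iptables, so the
# script is safe to try anywhere; pipe into sh on the firewall host to apply.
block_rules() {
    for ip in "$@"; do
        printf 'iptables -I RH-Firewall-1-INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

block_rules $(deny_list)
```

Only 192.0.2.10 ends up on the deny list: it holds three TIME_WAIT and one SYN_RECV connection to port 80 in every sample, whereas 203.0.113.9 is counted against port 8080 and 198.51.100.7 stays under the threshold.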
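The sshd_config edit in the SSH section above is a one-line change, but done by hand it is easy to leave a second `Port` line behind or to forget to check the result. This added example (not from the page) sets a directive idempotently in an sshd_config file: it replaces the stock commented `#Port 22`, replaces an existing uncommented value, drops duplicates, and appends the directive if the file has none. It goes slightly beyond the page's case by taking the directive name as a parameter, so the same function also sets `PermitRootLogin no`. It assumes the file has no `Match` blocks (the OpenSSH shipped with RHEL 4 predates them) and operates on a path you pass in, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not the page's procedure): idempotent sshd_config edits.

# set_sshd_directive FILE KEY VALUE
# Replaces any existing KEY line (commented out or active) with "KEY VALUE",
# removes further duplicates, and appends the line if KEY is absent.
# Assumes no Match blocks, otherwise an appended line would land inside one.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[[:space:]]*#?[[:space:]]*" key "[[:space:]]") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# effective_directive FILE KEY DEFAULT
# Prints the value sshd would use: the first active (uncommented) KEY line,
# or DEFAULT when the file only has the commented default or no line at all.
effective_directive() {
    awk -v key="$2" -v def="$3" '
        $0 ~ ("^[[:space:]]*" key "[[:space:]]") { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Demo on a throwaway copy with the stock commented default.
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'Protocol 2' '#Port 22' 'PermitRootLogin yes' > "$cfg"
    set_sshd_directive "$cfg" Port 922
    set_sshd_directive "$cfg" PermitRootLogin no
    effective_directive "$cfg" Port 22            # 922
    effective_directive "$cfg" PermitRootLogin yes # no
    rm -f "$cfg"
}
demo

# On the real server (as root), the same functions fit into the page's steps:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   set_sshd_directive /etc/ssh/sshd_config Port 922
#   set_sshd_directive /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t && service sshd restart      # syntax check before restarting
# then test `ssh -p 922 user@ip` from a second session before closing this one.
```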
2. JBoss: user: xxxx (cannot log in to the system). Always perform JBoss operations in the jboss user's environment. If you really must do it as root, don't forget to run it as that user: # su - xxxx /site/jboss/bin/run.sh, or # /etc/init.d/jboss start.
a. In the xxxx user environment. If the account cannot log in, how do you use it?
Remote text-mode method: log in as root; root can switch into the xxxx user environment:
# su - xxxx
Start JBoss:
$ /site/jboss/bin/run.sh
Stop JBoss:
$ /site/jboss/bin/shutdown.sh -S
Remote graphical method: on enabling remote graphical login, only the oracle user is allowed to log in graphically, to make operating Oracle easier. The steps to enable it:
# su - oracle
$ vncserver
Password: ********
Password: ********
$ exit
$ ps -ef | grep vnc
kill -9 the vnc processes you see (the first vncserver run only served to set the password; `vncserver -kill :1` is the cleaner way to stop it).
$ vi .vnc/xstartup
change
twm &
to
gnome-session &
$ vncserver
Note: only one vnc server process is allowed; the corresponding port is 5801. Do not run vncserver again while one is already running, otherwise it adds another vnc server process (and another display and port). Open http://ip:5801 and enter the password to log in to the system graphically. Bear in mind that the VNC password is limited to eight characters and the session is not encrypted; on a production server, tunnel it over SSH (ssh -p 922 -L 5901:localhost:5901 oracle@ip, then connect the viewer to localhost:5901) and close the VNC ports in the firewall instead of exposing them.
Since it is oracle who is logged in, starting JBoss requires:
$ su -
Password: ********
# su - xxxx
Start JBoss:
$ /site/jboss/bin/run.sh
Stop JBoss:
$ /site/jboss/bin/shutdown.sh -S
b. In the root environment:
Start JBoss:
# su - xxxx /site/jboss/bin/run.sh
or
# service jboss start
or
# /etc/init.d/jboss start
Stop JBoss:
# su - xxxx /site/jboss/bin/shutdown.sh -S
or
# service jboss stop
or
# /etc/init.d/jboss stop
On (system and software) log analysis: set it up according to your own habits...
On creating system users: because the xxxx user created on this system was given -u 5500, accounts created afterwards get ids 550X, which is a security risk, so when creating users specify an id of 50x (x starting from 5). For example, to create the user "user":
# groupadd -g 505 user
# adduser -u 505 -g user user
Note: no system account id should exceed 5500.
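Step 10 warns that neither Oracle nor JBoss may be started twice, and the Oracle section says an automated start script needs a conditional check first. The following is an added example, not the page's oracle.sh, expect script or init script: a small start guard that inspects the process table and refuses to launch a second instance. The decision logic is separated from the live `ps -ef` call so it can be checked against constructed listings. The process patterns (`ora_pmon_` for the Oracle instance, the run.sh path for JBoss) and the sample `ps` lines are my assumptions; the start commands in the comments are the page's own.

```shell
#!/bin/sh
# Added example (not the page's code): start a service only if it is not
# already running, for the "never start twice" rule in step 10.

# Constructed `ps -ef` excerpts (not real captures) for the offline checks.
PS_ORACLE_UP='UID        PID  PPID  C STIME TTY          TIME CMD
oracle    2231     1  0 09:00 ?        00:00:01 ora_pmon_orcl
oracle    2240     1  0 09:00 ?        00:00:00 /u01/app/oracle/product/9.2.0/bin/tnslsnr LISTENER -inherit'
PS_IDLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:58 ?        00:00:02 init [3]'

# should_start PATTERN PS_LISTING
# Prints "skip" when a process line contains PATTERN (fixed string, so paths
# with dots match literally), otherwise "start".
should_start() {
    if printf '%s\n' "$2" | grep -qF -- "$1"; then
        echo skip
    else
        echo start
    fi
}

# start_once NAME PATTERN COMMAND...
# Consults the live process table; returns 2 without running COMMAND when an
# instance is already up, so a cron job or a second admin cannot double-start.
start_once() {
    name=$1; pattern=$2; shift 2
    if [ "$(should_start "$pattern" "$(ps -ef)")" = skip ]; then
        echo "$name is already running; not starting a second instance" >&2
        return 2
    fi
    echo "starting $name"
    "$@"
}

# How step 10 would use it from a root shell (commands are the page's own):
#   start_once oracle 'ora_pmon_'            su - oracle /usr/local/syscmf/oracle.sh
#   start_once jboss  '/site/jboss/bin/run.sh' /etc/rc.d/init.d/jboss start
# A second invocation prints the warning and exits 2 instead of failing
# half-way through a duplicate startup.

# Offline demonstration of the decision on the constructed listings.
should_start ora_pmon_ "$PS_ORACLE_UP"              # skip
should_start ora_pmon_ "$PS_IDLE"                   # start
should_start /site/jboss/bin/run.sh "$PS_ORACLE_UP" # start
```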