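# Take the stock 'ubuntu' account out of the sudo group, give root a
# password so it is still reachable with su, then edit sudoers.
# NOTE: removing a group membership only affects new logins; the current
# shell keeps the groups it started with, which is why 'sudo su' below
# usually still works right after the deluser call.
sudo deluser ubuntu sudo
sudo su
passwd root
# Never edit /etc/sudoers with a plain editor. visudo locks the file and
# refuses to save a syntactically invalid one; a typo saved with vi makes
# sudo refuse to run at all, locking every admin out of privilege escalation.
visudo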
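# Before (as found; the original note wrote the command list as "ALL,ALL",
# which is just ALL twice):
%admin ALL=(ALL) ALL
ubuntu ALL=(ALL:ALL) ALL
# After: the sudo group grants nothing any more, only the 'ubuntu' user does,
# and that user is deleted a few steps further down.
#%sudo ALL=(ALL:ALL) ALL
ubuntu ALL=(ALL:ALL) ALL,!/bin/su
# CAVEAT: "!/bin/su" is not a security boundary. sudoers(5) itself documents
# that subtracting commands from ALL with '!' is trivially bypassed (copy
# /bin/su to another path, or run 'sudo bash' and then su). Read it as a
# reminder for interactive use only; the real control is deleting the account.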
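# Create the replacement admin account. adduser already prompts for a
# password, so the separate passwd call is only needed to change it again.
adduser xxx
passwd xxx
exit
# Log out and log back in as xxx before touching the ubuntu account;
# userdel refuses to remove a user that still owns running processes.
# login as xxx
# -r also removes the home directory and mail spool. Without it, files owned
# by the now-unused UID stay behind and are inherited by the next account
# that happens to get the same UID.
userdel -r ubuntu
# Escalate with the root password set earlier. xxx is deliberately not in the
# sudo group, so root's password is now the only path to root: keep it strong,
# and keep root login over SSH disabled (PermitRootLogin no, below).
su root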
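# Base system: timezone, package refresh, full upgrade, reboot so an updated
# kernel/libc is actually the one running.
timedatectl set-timezone Asia/Shanghai
date
# Chain the two so a failed index refresh does not upgrade from stale lists.
apt-get update && apt-get upgrade
# net-tools (ifconfig/netstat) is optional; ip/ss are already installed.
apt-get install net-tools
reboot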
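# Disable root login over SSH completely. The default 'prohibit-password'
# only blocks password login for root; key-based root login is still allowed.
# In /etc/ssh/sshd_config change
#   #PermitRootLogin prohibit-password
# to
#   PermitRootLogin no
vi /etc/ssh/sshd_config
# If the file contains 'Include /etc/ssh/sshd_config.d/*.conf', a drop-in
# there wins (sshd keeps the first value it sees for an option), so check the
# effective setting instead of trusting the edit.
sshd -T | grep -i permitrootlogin
# Syntax-check first: a broken config leaves no sshd to log back in to.
sshd -t && systemctl restart sshd
# Password authentication is still enabled at this point; these notes do not
# deploy keys, so the fail2ban section below is what limits brute force until
# PasswordAuthentication can be turned off.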
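# Accounts with an empty password field in /etc/shadow: such accounts can log
# in without a password wherever PAM/sshd permit it. Output must be empty.
awk -F: '($2 == "") { print $1 }' /etc/shadow
# Accounts other than root whose UID is 0: any UID-0 account has full
# superuser rights. The original check also printed root itself; excluding
# it makes "no output" the expected result.
awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd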
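# fail2ban: ban source addresses after repeated failed SSH logins.
apt-get install fail2ban
# Local overrides live in jail.local; jail.conf is replaced on package
# upgrades. (A jail.local holding only the overridden keys is easier to keep
# in sync than a full copy, but the steps below edit the copied file.)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# In jail.local, under [sshd], add:
#   [sshd]
#   enabled=true
vi /etc/fail2ban/jail.local
# Validate the configuration, and only then enable and start the service.
fail2ban-client -t && systemctl enable --now fail2ban
fail2ban-client status sshd
systemctl status fail2ban
# Unban an address that was blocked by mistake:
fail2ban-client set sshd unbanip you.wantto.unban.ip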
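# Host firewall: deny all inbound traffic except web and SSH.
ufw status
ufw default allow outgoing
ufw default deny incoming
ufw allow 80/tcp
ufw allow 443/tcp
# Both SSH ports are opened on purpose: 22 is the port in use now, 10022 the
# one configured further down. Keep 22 open until a login on 10022 has been
# verified, then close it with:  ufw delete allow 22/tcp
# 'ufw limit 10022/tcp' instead of 'allow' additionally rate-limits new
# connections at the firewall, independent of fail2ban.
ufw allow 22/tcp
ufw allow 10022/tcp
ufw enable
ufw status verbose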
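# Move SSH to port 10022 and point fail2ban at the new port.
# In /etc/fail2ban/jail.local, in the second [sshd] section, change
#   port = ssh
# to
#   enabled = true
#   port = 10022
vi /etc/fail2ban/jail.local
# In /etc/ssh/sshd_config change
#   #Port 22
# to
#   Port 10022
vi /etc/ssh/sshd_config
# Validate both configs before restarting, and keep the current SSH session
# open until a fresh login on 10022 has succeeded.
fail2ban-client -t && systemctl restart fail2ban
sshd -t && systemctl restart sshd
# From a second terminal, log in on the new port (replace user and HOST):
ssh -p 10022 user@HOST
# Only after that works, close the old port:  ufw delete allow 22/tcp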
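# Install nginx from the official nginx.org repository
# (https://nginx.org/en/linux_packages.html#Ubuntu).
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
# -f makes curl fail on an HTTP error instead of piping an HTML error page
# into gpg, which would silently produce a useless keyring file.
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Verify the key before trusting it with package installs: print its
# fingerprint and compare it with the one published on the nginx page above.
gpg --dry-run --quiet --no-keyring --import --import-options import-show \
  /usr/share/keyrings/nginx-archive-keyring.gpg
# signed-by pins this source to that key only; apt verifies the signed
# Release file, so plain http here only exposes which packages are fetched,
# not their integrity.
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \
  | sudo tee /etc/apt/sources.list.d/nginx.list
# Prefer nginx.org packages over Ubuntu's own nginx package.
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n' \
  | sudo tee /etc/apt/preferences.d/99nginx
sudo apt update
sudo apt install nginx
sudo systemctl enable --now nginx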
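# PHP 8.1 with FPM and the extensions this stack uses.
apt install php8.1 php8.1-fpm php8.1-common
apt install php8.1-dev php8.1-bcmath php8.1-gd
# Quote the pattern: apt interprets it itself, whereas an unquoted '*' is
# expanded by the shell against files in the current directory first.
apt install 'libjpeg8-*'
apt install php8.1-curl php8.1-intl php8.1-ldap php8.1-mbstring php8.1-mysqlnd php8.1-odbc php8.1-pdo php8.1-memcache php8.1-memcached php8.1-opcache php8.1-redis php8.1-soap php8.1-xml php8.1-xmlrpc php8.1-zip php8.1-mongodb
# Expose the service under the version-independent name 'php-fpm'. Local
# units belong in /etc/systemd/system, not in the package-managed /lib tree.
# The copy does not follow later changes to php8.1-fpm.service, so re-copy it
# after major PHP package upgrades.
cp /lib/systemd/system/php8.1-fpm.service /etc/systemd/system/php-fpm.service
systemctl daemon-reload
# Both units start the same daemon with the same pid file and socket, so only
# one of them may be enabled.
systemctl disable --now php8.1-fpm
systemctl enable --now php-fpm
systemctl status php-fpm
systemctl restart nginx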
; /etc/php/8.1/fpm/php.ini -- hardening and request limits for the FPM pool.

; Never derive the script from PATH_INFO: with fix_pathinfo=1 a request for
; /uploads/x.jpg/y.php can execute x.jpg as PHP. The nginx config below also
; guards this with try_files; keep both.
cgi.fix_pathinfo=0
; Session cookie is not readable from JavaScript.
session.cookie_httponly = 1
; Upload limits: post_max_size must be >= upload_max_filesize, and nginx's
; client_max_body_size must allow at least as much.
upload_max_filesize = 8M
post_max_size = 8M
max_execution_time=60
; /etc/php/8.1/fpm/pool.d/www.conf -- run the pool as 'nobody' and give the
; FastCGI socket to the same account so the nginx workers can connect.
user = nobody
group = nobody
; ...
listen.owner = nobody
listen.group = nobody
; NOTE(review): nginx workers and PHP share one account here, so a PHP
; compromise has exactly the file access nginx has and vice versa. A dedicated
; pool user with listen.owner/listen.group set to the nginx user keeps the two
; apart; 'nobody' may also be shared with other daemons on some systems.
# /etc/nginx/nginx.conf
# Worker processes run as the same unprivileged account as the PHP pool.
user nobody;

# Inside the http { } block add:
    # Reject request bodies above 8M (matches post_max_size in php.ini).
    client_max_body_size 8M;
    # Buffer at least as large as the maximum body, so uploads are never
    # written to a temporary file first.
    client_body_buffer_size 10M;
    keepalive_timeout 65;
; Maximum upload size -- the same two keys already set in php.ini above;
; keep both places in sync and nginx's client_max_body_size >= these values.
; /etc/php/8.1/fpm/php.ini
upload_max_filesize = 8M
post_max_size = 8M
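# /etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.php index.html index.htm;

    # Deny dotfiles first: regex locations are tried in order, so this must
    # precede the .php location or /.hidden/x.php would still reach PHP.
    # This also blocks /.well-known/ (ACME HTTP validation, for example); add
    # an explicit 'location ^~ /.well-known/' if that is needed.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    location ~ \.php$ {
        # Only hand scripts that exist on disk to PHP; together with
        # cgi.fix_pathinfo=0 this stops /x.jpg/y.php style execution.
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}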
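# Ubuntu ships a 'nobody' user whose primary group is 'nogroup'; create the
# group the pool config refers to, skipping it if it already exists.
getent group nobody >/dev/null || groupadd nobody
systemctl restart php-fpm
systemctl restart nginx
# Smoke-test PHP through nginx. phpinfo() discloses paths, versions and
# loaded extensions, so do not leave it reachable from the outside: fetch it
# from the box itself and delete it in the same step instead of browsing to it.
printf '<?php phpinfo(); ?>\n' > /usr/share/nginx/html/info.php
curl -s http://127.0.0.1/info.php | grep -o 'PHP Version [0-9.]*' | head -n 1
rm -f /usr/share/nginx/html/info.php
# (Once disable_functions below is applied, phpinfo is disabled and this test
# prints nothing; use '<?php echo PHP_VERSION;' instead.)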
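# /etc/nginx/nginx.conf -- inside the http { } block add:

    # Hide the nginx version in the Server: header and on error pages.
    server_tokens off;
    # proxy_hide_header only affects proxy_pass responses. PHP here is reached
    # over FastCGI, so the directive that actually strips X-Powered-By is
    # fastcgi_hide_header (expose_php = Off in php.ini stops it at the source
    # as well). The proxy variant is kept for any future proxied backends.
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;
    # Clickjacking: only allow this site to frame itself.
    # CAVEAT: add_header is not inherited into a server/location that sets its
    # own add_header (the Cache-Control header on the image location below
    # does); repeat this line there, or the header silently disappears.
    add_header X-Frame-Options SAMEORIGIN;
# save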
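# Check the configuration for errors before applying it; chaining the two
# means a broken config is never loaded.
nginx -t && systemctl reload nginx
# or, if a reload is not enough:
sudo systemctl restart nginx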
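; /etc/php/8.1/fpm/php.ini
; Use the canonical zone name; 'PRC' is only a legacy alias, and this matches
; the system timezone set earlier with timedatectl.
date.timezone = Asia/Shanghai
; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off
; Never render errors to clients (they leak paths and code); log them instead.
display_errors = Off
display_startup_errors = Off
log_errors = On
opcache.enable=1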
; /etc/php/8.1/fpm/pool.d/www.conf
; Forward the workers' stdout/stderr into the FPM error log so PHP errors show
; up in /var/log/php8.1-fpm.log.
catch_workers_output = yes
# Restart php-fpm so the php.ini / www.conf changes above take effect.
systemctl restart php-fpm.service
# Errors are written to /var/log/php8.1-fpm.log
# /etc/nginx/nginx.conf -- inside the http { } block add:
    gzip on;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_min_length 1k;
    gzip_comp_level 6;
    gzip_buffers 32 4k;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    # NOTE(review): if TLS is added later, compressing dynamic responses
    # (application/json, etc.) that mix a secret with attacker-influenced
    # input enables BREACH-style attacks; limiting gzip_types to static
    # assets avoids that.
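# /etc/nginx/conf.d/default.conf -- add:
# The dot before the extension must be escaped: the original pattern
# '^.+.(jpg|jpeg|gif|png)$' matched any URI merely ending in the letters
# jpg/png/..., whatever the real extension separator was.
location ~* \.(jpg|jpeg|gif|png)$ {
    expires 30d;
    # add_header here replaces, rather than extends, the add_header set in the
    # http block (X-Frame-Options); repeat those headers here if they matter
    # for image responses.
    add_header Cache-Control private;
}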
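# Redis as a local cache. The Ubuntu package should bind to loopback only
# with protected-mode on; confirm it below, because a redis reachable from
# the network without authentication hands out everything stored in it.
apt install redis
# In /etc/redis/redis.conf set:  maxmemory 100MB
vi /etc/redis/redis.conf
systemctl enable --now redis
# Must list only 127.0.0.1 / ::1 on port 6379.
ss -ltnp | grep 6379
redis-cli ping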
chown -R root:root /usr/share/nginx/html/
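# Refuse requests that arrive by bare IP or with a Host header no server block
# claims (someone pointing their DNS name at this address): a catch-all
# default server that answers 403.
# If /etc/nginx/nginx.conf already has a server with
#   listen [::]:80 default_server;
# add 'return 403;' to it. Otherwise put this at the TOP of
# /etc/nginx/conf.d/default.conf:
server {
    # default_server on BOTH address families. The original marked only the
    # IPv6 socket; for IPv4 the default was then whichever 'listen 80' server
    # nginx happened to read first, which changes silently when conf.d files
    # are added or reordered.
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 403;
}
# Every real site must then carry its own server_name; a request whose Host
# matches none of them lands here.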
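# Force the www host: redirect bare site.com to www.site.com.
# /etc/nginx/conf.d/default.conf
# FORCE WWW
server {
    listen 80;
    server_name site.com;
    # $request_uri keeps the full original path and query string. The original
    # 'rewrite ^/(.*)$ http://www.site.com$1 permanent;' dropped the leading
    # slash and sent /page to http://www.site.compage.
    return 301 http://www.site.com$request_uri;
}
# A 'server_name www.site.com;' block must exist as well; it is not part of
# these notes. If TLS is added later, redirect to https:// instead.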
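# Confine PHP scripts to the site's own directory (plus /tmp) so one
# compromised site cannot read the rest of the server (IMPORTANT).
# In /etc/nginx/conf.d/default.conf, inside the .php location, add:
# open_basedir values are prefixes, not directory names. '$document_root'
# alone (/usr/share/nginx/html) would also admit /usr/share/nginx/html-old
# and similar, so terminate it with a slash.
fastcgi_param PHP_VALUE "open_basedir=$document_root/:/tmp/";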
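; or: the same restriction from php.ini, appended at the end of
; /etc/php/8.1/fpm/php.ini. A [HOST=...] section applies per host name as
; PHP sees it from the FastCGI environment (SERVER_NAME) -- verify that nginx
; passes 'testdomain.com' for this site, otherwise the section never matches
; and no restriction is applied.
[HOST=testdomain.com]
open_basedir=/usr/share/nginx/html/:/tmp/
; open_basedir entries are prefixes, not directory names: end every path with
; a slash, otherwise /usr/share/nginx/html also permits /usr/share/nginx/html2.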
systemctl restart nginx
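; Disable dangerous PHP built-ins (/etc/php/8.1/fpm/php.ini).
; This is defence in depth, not a sandbox: disable_functions can be bypassed
; through any remaining function that spawns a process (mail() combined with
; putenv() to set LD_PRELOAD is the well-known route, and both are still
; enabled with this list), so open_basedir and the unprivileged pool user
; are the controls that actually matter.
; Two entries from the original list are not PHP functions and have been
; dropped because they have no effect: 'popepassthru' (a typo; passthru is
; already listed) and 'max_execution_time' (an ini setting, not a function).
; Several entries (getcwd, chdir, chmod, set_time_limit, escapeshellarg) are
; used by common frameworks; expect breakage and trim to what the site needs.
disable_functions = pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo,exec,passthru,chroot,shell_exec,system,chgrp,chown,dl,show_source,highlight_file,str_rot13,pfsockopen,syslog,readlink,symlink,stream_socket_server,leak,escapeshellcmd,escapeshellarg,getcwd,ini_alter,popen,pclose,proc_open,proc_close,proc_get_status,chmod,set_time_limit
; Optional additions, left commented because they break most applications:
;,rename,mkdir,copy,delete,rmdir,chdir,dir,putenv,gzinflate
;,file,fopen,fwrite,unlink,file_get_contents,fputs,opendir,readdir,scandir
;,ini_set,ini_restore,assert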
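; Remote URL handling (/etc/php/8.1/fpm/php.ini). Comments in php.ini start
; with ';' -- '#' comment lines are no longer recognised by PHP 7+ and can
; break parsing of the file, so do not paste the original '#' lines.
; allow_url_fopen lets fopen()/file_get_contents()/include take URLs. Turning
; it off removes an easy remote-read / SSRF primitive (and a performance
; trap); use curl for legitimate remote fetches. NOTE: this is On by default.
allow_url_fopen = Off
; allow_url_include permits include/require of remote URLs -- remote file
; inclusion whenever an include path is attacker-influenced. Keep it Off.
allow_url_include = Off
; Do not let scripts load extensions at runtime with dl().
enable_dl = Off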
systemctl restart php-fpm
# MySQL server and client; enable at boot and start now, then edit the
# server config.
apt install mysql-server mysql-client
systemctl enable --now mysql
vi /etc/mysql/mysql.conf.d/mysqld.cnf
; /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
character-set-server = utf8mb4
default-time_zone = '+8:00'
; NOTE(review): mysql_native_password is the legacy SHA-1-based plugin; the
; 8.0 default is caching_sha2_password. Keep this only for clients that
; cannot speak the newer plugin -- it is deprecated in recent 8.0 releases.
default-authentication-plugin=mysql_native_password
; A [client] section in this file only takes effect if the file is pulled in
; by my.cnf (the stock Ubuntu layout does so via !includedir).
[client]
default-character-set=utf8mb4
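systemctl restart mysql
# Interactive hardening: password policy, removal of anonymous users, no
# remote root login, drop of the test database. Answer yes to all of them.
mysql_secure_installation
# Log in as root. On a fresh Ubuntu install the MySQL root account typically
# authenticates via auth_socket, so when run as the system root user an empty
# password (just press Enter at the prompt) is accepted.
mysql -uroot -p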
-- Create an admin/application account. Replace the placeholder passwords
-- with strong, unique ones; 'password' must never survive into production.
-- This user has no privileges yet (USAGE only) until a GRANT is issued.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'password';
-- Giving root a password (in place of auth_socket) means anyone who can reach
-- the local socket and knows it gets root; only keep this if a client really
-- needs password-based root access.
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'youpassword';
ALTER USER 'yourusername'@'localhost' IDENTIFIED WITH mysql_native_password BY 'youpassword';
-- CREATE USER / ALTER USER already update the grant tables; FLUSH PRIVILEGES
-- is only required after editing mysql.user by hand, but it is harmless.
FLUSH PRIVILEGES;
# If the nginx error log fills with "an upstream response is buffered to a
# temporary file", FastCGI responses do not fit the default buffers. Add to
# the http { } block of /etc/nginx/nginx.conf (memory cost: up to 6 x 512k
# per active connection):
    fastcgi_buffer_size 512k;
    fastcgi_buffers 6 512k;
    fastcgi_busy_buffers_size 512k;
    fastcgi_temp_file_write_size 512k;
https://www.isvee.com/archives/4253
Nginx + php-fpm 性能优化
MySQL 5.7/8.0 优化
CentOS 7.0 添加 SWAP
https://www.isvee.com/archives/3345