stanleyyylau / linux-project

Phase 2 major assignment

刘满霆 (Liu Manting) operation record #7

Open stanleyyylau opened 7 years ago

stanleyyylau commented 7 years ago

Machines: 175, 176. Operations: key-based login, disable remote root login, configure sudo and a simple audit system

Key-based login

Create the aminglinux user; the password is the group 7 internal shared password

useradd aminglinux && passwd aminglinux

Add the generated private key

mkdir /home/aminglinux/.ssh && vi /home/aminglinux/.ssh/authorized_keys

Adjust the related permissions

chmod 700 /home/aminglinux/.ssh  && chmod 600 /home/aminglinux/.ssh/authorized_keys
chown -R aminglinux. /home/aminglinux

Disable remote root login

vi /etc/ssh/sshd_config, find the two lines PasswordAuthentication and PermitRootLogin, uncomment them and change them respectively to

PasswordAuthentication no
PermitRootLogin no

Save the file and restart sshd

systemctl restart sshd

Configure sudo

visudo
# add the following below "Allow root to run any commands anywhere"
aminglinux ALL=(ALL) ALL  
# save and exit

Configure simple auditing

Open /etc/profile and paste the following content at the very bottom

# number of history entries kept in memory
HISTSIZE=1000
# timestamp every history entry (also appears in the "history 1" output used below)
HISTTIMEFORMAT="%Y/%m/%d %T ";export HISTTIMEFORMAT
# file that receives one record per executed command
export HISTORY_FILE=/var/log/audit.log
# run before every prompt: append the last command with the effective user, the login user from "who -u am i", the client IP, PID and login time
export PROMPT_COMMAND='{ thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logMonth=${whoStr[2]};logDay=${whoStr[3]};logTime=${whoStr[4]};pid=${whoStr[6]};ip=${whoStr[7]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logMonth $logDay $logTime] --- $lastCommand ;lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'

Save and run source /etc/profile

Finally, so that other users are recorded as well, the other users need to be given write permission

chmod 646 /var/log/audit.log
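
A check for the sshd changes made above, added here as an example and not part of the original record. sshd applies the first uncommented occurrence of a keyword, so a `PermitRootLogin no` appended at the end of the file does nothing if a `PermitRootLogin yes` sits above it; the function below reproduces that first-match rule over the global section (it stops at the first `Match` block and assumes the `Key value` form). The two sample files are constructed, not copied from machine 175 or 176.

```bash
#!/bin/sh
# Added example (not from the original issue): verify that an sshd_config file
# really has PasswordAuthentication no and PermitRootLogin no in effect.
# sshd honours the FIRST uncommented occurrence of a keyword, so a hardened
# line appended at the end of the file is ignored if a permissive line sits
# above it. Keywords are case-insensitive; the "Key value" form is assumed.

# sshd_effective KEYWORD FILE: print the effective global value of KEYWORD,
# or "unset" if it is never set before the first Match block.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# check_sshd_hardening FILE: report both settings; return 0 only if both are "no".
check_sshd_hardening() {
    rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_effective "$key" "$1")
        if [ "$val" = "no" ]; then
            echo "OK   $key $val"
        else
            echo "FAIL $key is '$val' (expected no)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for /etc/ssh/sshd_config.
hardened=$(mktemp); weak=$(mktemp)
trap 'rm -f "$hardened" "$weak"' EXIT
cat > "$hardened" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
# The same two lines appended after permissive ones: they have no effect.
cat > "$weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF

echo "== hardened sample"; check_sshd_hardening "$hardened"
echo "== weak sample";     check_sshd_hardening "$weak" || echo "(not hardened)"
```

On the machine itself, `sshd -T` prints the fully resolved configuration, so `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin'` is the authoritative check after `systemctl restart sshd`; the script above is for reviewing a config file offline.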
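
The PROMPT_COMMAND above writes one line per command in the form `DATE TIME user(realUser)@(ip)[PID:n][LOGIN:Mon d hh:mm] --- command`, where `user` is the current account and `realUser` is the login name reported by `who -u am i`, so a shell entered with `sudo -i` is recorded as `root(aminglinux)`. The reader below, added here as an example and not part of the original record, parses that layout and lists the records executed with elevated privilege. Two details it accounts for: `who -u am i` wraps the address in parentheses, and because HISTTIMEFORMAT is set, `history 1` prefixes the command with a second timestamp. The log lines are constructed. Since the steps above make /var/log/audit.log world-writable (chmod 646), any local user can alter these records, so treat them as a convenience trail rather than tamper-evident evidence.

```bash
#!/bin/sh
# Added example (not from the original issue): read the records written by the
# PROMPT_COMMAND in /etc/profile and pull out the privileged ones.
# Record layout produced by that echo:
#   DATE TIME user(realUser)@(ip)[PID:n][LOGIN:Mon d hh:mm] --- command
# Because HISTTIMEFORMAT is set, `history 1` also prefixes the command with its
# own timestamp; that prefix is stripped before the command is reported.

# audit_privileged FILE: print "date time real->user ip command" for each record
# where the effective user differs from the login user or the command is sudo/su.
audit_privileged() {
    awk '
        {
            idx = index($0, " --- ")
            if (idx == 0) next                       # not an audit record
            head = substr($0, 1, idx - 1)
            cmd  = substr($0, idx + 5)
            sub(/^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9:]+ /, "", cmd)
            split(head, h, " ")                      # h[3] = user(real)@(ip)[PID:..][LOGIN:..
            user = h[3]; sub(/\(.*/, "", user)
            real = h[3]; sub(/^[^(]*\(/, "", real); sub(/\).*/, "", real)
            ip   = h[3]; sub(/^[^@]*@\(?/, "", ip); sub(/\)?\[.*/, "", ip)
            if (user != real || cmd ~ /^(sudo|su)( |$)/)
                printf "%s %s %s->%s %s %s\n", h[1], h[2], real, user, ip, cmd
        }
    ' "$1"
}

# audit_count_privileged FILE: number of such records.
audit_count_privileged() {
    audit_privileged "$1" | awk 'END { print NR }'
}

# Constructed sample log (not taken from the real machines).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
2017/09/01 10:12:33 aminglinux(aminglinux)@(192.168.14.1)[PID:2345][LOGIN:Sep 1 10:05] --- 2017/09/01 10:12:31 ls /home
2017/09/01 10:13:02 aminglinux(aminglinux)@(192.168.14.1)[PID:2345][LOGIN:Sep 1 10:05] --- 2017/09/01 10:13:00 sudo visudo
2017/09/01 10:20:45 root(aminglinux)@(192.168.14.1)[PID:2345][LOGIN:Sep 1 10:05] --- 2017/09/01 10:20:44 cat /etc/shadow
2017/09/01 10:21:10 root(aminglinux)@(192.168.14.1)[PID:2345][LOGIN:Sep 1 10:05] --- 2017/09/01 10:21:09 chmod 646 /var/log/audit.log
EOF

audit_privileged "$sample"
```

Run it against the real file with `audit_privileged /var/log/audit.log`; the `real->user` column is the useful one, because it ties every root command back to the login account that ran it.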

stanleyyylau commented 7 years ago

Machine: 175. Operations: install the NFS client tools and test the NFS server configured by a teammate

sudo yum install -y nfs-utils

View the exported resources

showmount -e 192.168.14.182

The output is as follows

Export list for 192.168.14.182:
/share 192.168.0.0/20

Mount the resource

sudo mount -t nfs -o nfsvers=3 192.168.14.182:/share/ /mnt/
df -h

Shows that the mount succeeded

Test

sudo mkdir /mnt/share /mnt/backup
ls

stanleyyylau commented 7 years ago

Machine: 175. Operations: install the PHP environment and the Java environment

One-click install of the LNMP environment

cd /usr/local/src/
sudo yum install screen
sudo yum install -y wget
screen -S lnmp
sudo wget -c http://soft.vpser.net/lnmp/lnmp1.4.tar.gz && sudo tar zxf lnmp1.4.tar.gz && cd lnmp1.4 && sudo ./install.sh lnmp

Install with the defaults; PHP 5.2 is installed

Install the Java environment

JDK

Official download page: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html. Download JDK 8 and put it in the /usr/local/src/ directory

tar zxvf jdk-8u144-linux-x64.tar.gz
mv jdk1.8.0_144 /usr/local/jdk1.8
vi /etc/profile    // append at the end

JAVA_HOME=/usr/local/jdk1.8/
JAVA_BIN=/usr/local/jdk1.8/bin
JRE_HOME=/usr/local/jdk1.8/jre
PATH=$PATH:/usr/local/jdk1.8/bin:/usr/local/jdk1.8/jre/bin
CLASSPATH=/usr/local/jdk1.8/jre/lib:/usr/local/jdk1.8/lib:/usr/local/jdk1.8/jre/lib/charsets.jar 

source /etc/profile
java -version

Grant permissions, otherwise tomcat cannot be run

sudo chown aminglinux:aminglinux src/
sudo chown -R aminglinux:aminglinux /usr/local/tomcat
cd /usr/local/src
sudo wget http://mirrors.shuosc.org/apache/tomcat/tomcat-8/v8.5.20/bin/apache-tomcat-8.5.20.tar.gz
sudo tar zxvf apache-tomcat-8.5.20.tar.gz
sudo mv apache-tomcat-8.5.20 /usr/local/tomcat

sudo chown aminglinux:aminglinux /usr/local/tomcat/bin/startup.sh

Fix the permission problem, otherwise a 404 appears
sudo chown -R aminglinux:aminglinux /data

/usr/local/tomcat/bin/startup.sh
ps aux|grep tomcat    # tomcat was started, but it shows up as a java process
netstat -lntp |grep java

Install zrlog

sudo vi /usr/local/tomcat/conf/server.xml to add a virtual host: edit server.xml and add the following content below </Host>

<Host name="www.team7blog.com" appBase=""
    unpackWARs= "true" autoDeploy="true"
    xmlValidation="false" xmlNamespaceAware="false">
    <Context path="" docBase="/data/wwwroot/123.cn/" debug="0" reloadable="true" crossContext="true"/>
</Host>

zrlog

wget http://dl.zrlog.com/release/zrlog-1.7.1-baaecb9-release.war
mv zrlog-1.7.1-baaecb9-release.war /usr/local/tomcat/webapps/
mv /usr/local/tomcat/webapps/zrlog-1.7.1-baaecb9-release /usr/local/tomcat/webapps/zrlog
mv /usr/local/tomcat/webapps/zrlog/* /data/wwwroot/123.cn/

Enable a reverse proxy so that port 80 can reach tomcat's port 8080

server
    {
        listen 80;
        #listen [::]:80;
        server_name www.team7blog.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/www.team7blog.com;

        include none.conf;
        #error_page   404   /404.html;

          location / {
               proxy_pass http://192.168.14.175:8080/;
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection 'upgrade';
               proxy_set_header Host $host;
               proxy_cache_bypass $http_upgrade;
             }

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        access_log off;
    }

Visit the web interface to complete the installation

Install DedeCMS

sudo chown aminglinux:aminglinux DedeCMS-V5.7-UTF8-SP2-Full
sudo cp -r DedeCMS-V5.7-UTF8-SP2-Full/uploads/* .
rm -rf DedeCMS-V5.7-UTF8-SP2-Full
sudo find /home/wwwroot/www.team7dedecms.com -type d -exec chmod 775 {} \;
sudo find /home/wwwroot/www.team7dedecms.com -type f -exec chmod 644 {} \;
sudo chown -R www:www www.team7dedecms.com/

Visit the web interface to complete the installation

Mount NFS on 175

First mount the shared disk

sudo mount -t nfs -o nfsvers=3 192.168.14.177:/share/ /mnt/share

Then mount the backup disk

sudo mount -t nfs -o nfsvers=3 192.168.14.182:/share/ /mnt/backup

Create separate directories for the shared files of dedecms and zrlog. The static file directories that need to be shared are as follows

dedecms

uploads images

mkdir /mnt/share/dedecms/uploads
mkdir /mnt/share/dedecms/images

sudo cp -r ./images/ /mnt/share/dedecms/images/
sudo cp -r ./uploads/ /mnt/share/dedecms/uploads/

Delete the original folders inside dedecms and start creating the symlinks

sudo ln -s /mnt/share/dedecms/uploads /home/wwwroot/www.team7dedecms.com/uploads
sudo ln -s /mnt/share/dedecms/images /home/wwwroot/www.team7dedecms.com/images

Change the owner back to nginx

sudo chown -R www:www images
sudo chown -R www:www uploads

Set up the NFS server on 175

sudo yum install nfs-utils
sudo yum install rpcbind

Turn off the firewall

sudo systemctl stop firewalld.service
sudo setenforce 0

Edit the configuration file to prepare the share

sudo vi /etc/exports

/home/wwwroot 192.168.0.0/20(rw,sync,no_root_squash)

Start the services

sudo systemctl start rpcbind.service
sudo systemctl enable rpcbind.service
sudo systemctl start nfs.service
sudo systemctl enable nfs.service

Test

showmount -e 192.168.14.175
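
A review helper for the /etc/exports written above, added here as an example and not part of the original record. The export `/home/wwwroot 192.168.0.0/20(rw,sync,no_root_squash)` lets root on any of the 4096 addresses in that /20 write to the web root as root, so the check below reports, per client entry, the access mode, the root-squash setting, CIDR prefixes shorter than /24, a bare `*`, and the classic `host (options)` mistake where a space before the parentheses turns into a second entry that exports to every host with those options. The sample exports file is constructed, reusing the share layout from this issue.

```bash
#!/bin/sh
# Added example (not from the original issue): summarise /etc/exports entries
# and point out the ones that deserve a second look.

# exports_audit FILE: one line per client entry:
#   PATH CLIENT ACCESS SQUASH NOTES
# ACCESS is rw/ro (exports default to ro), SQUASH is root_squash (default),
# no_root_squash or all_squash, NOTES lists findings or "-".
exports_audit() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; opts = ""
                if (match(spec, /\(.*\)$/)) {         # split "client(opts)"
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                    spec = substr(spec, 1, RSTART - 1)
                }
                access = (opts ~ /(^|,)rw(,|$)/) ? "rw" : "ro"
                if (opts ~ /(^|,)all_squash(,|$)/)          squash = "all_squash"
                else if (opts ~ /(^|,)no_root_squash(,|$)/) squash = "no_root_squash"
                else                                         squash = "root_squash"
                notes = ""
                if (spec == "") {                     # "host (opts)": opts apply to everyone
                    spec = "*"; notes = notes " any_client(space_before_parens)"
                } else if (spec == "*") {
                    notes = notes " any_client"
                } else if (spec ~ /\/[0-9]+$/) {      # CIDR client: flag short prefixes
                    bits = spec; sub(/.*\//, "", bits)
                    if (bits + 0 < 24) notes = notes " wide_range(/" bits ")"
                }
                if (notes == "") notes = " -"
                printf "%s %s %s %s%s\n", path, spec, access, squash, notes
            }
        }
    ' "$1"
}

# exports_count_no_root_squash FILE: number of entries that keep client root as root.
exports_count_no_root_squash() {
    exports_audit "$1" | awk '$4 == "no_root_squash" { n++ } END { print n + 0 }'
}

# Constructed sample exports file following the share layout in this issue.
exports_sample=$(mktemp)
trap 'rm -f "$exports_sample"' EXIT
cat > "$exports_sample" <<'EOF'
# web root shared between the two web servers
/home/wwwroot 192.168.0.0/20(rw,sync,no_root_squash)
/share 192.168.14.176(rw,sync) 192.168.14.175(ro)
/backup 192.168.14.182 (rw,sync)
/pub *(ro,all_squash)
EOF

exports_audit "$exports_sample"
```

Run it on the server with `exports_audit /etc/exports` after editing and before `exportfs -ra`; `exportfs -v` then shows the options the kernel actually applied, which is the final word.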

stanleyyylau commented 7 years ago

Machine: 176. Operations: install the PHP environment and the Java environment, mount web1's website program files

Environment installation is the same as above

Mount the remote NFS server

Only the shared disk needs to be mounted; all backup data is sent from web1 to the backup server

First mount the static NFS, then mount web1

sudo mount -t nfs -o nfsvers=3 192.168.14.182:/share/ /mnt/backup
sudo mkdir /mnt/web1

Delete the original /home/wwwroot/www.team7dedecms.com folder and create a symlink

sudo ln -s /mnt/web1/www.team7dedecms.com /home/wwwroot/www.team7dedecms.com
sudo chown -R www:www www.team7dedecms.com/

Modify the hosts file, then visit www.team7dedecms.com; the test succeeded

Configure the Java program

Mount directly

sudo mount -t nfs -o nfsvers=3 192.168.14.175:/data/wwwroot/123.cn /mnt/web1_123.cn

sudo ln -s /mnt/web1_123.cn /data/wwwroot/123.cn

stanleyyylau commented 7 years ago

Machines: 173, 174. Operation: configure nginx load balancing

Operations

Check the nginx configuration path

/etc/init.d/nginx -v

sudo cp /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
sudo vi /usr/local/nginx/conf/nginx.conf

Change the bottom of the file to this

upstream backend
    {
       server 192.168.14.175:80;
       server 192.168.14.176:80;
    }
    server
    {
        listen 80;
        server_name www.team7dedecms.com www.team7blog.com;

        location / {
            proxy_pass http://backend/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
     }

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx reload
curl -x192.168.14.17 www.team7blog.com -I

stanleyyylau commented 7 years ago

Machine: 175. Operation: install Discuz