yaiRy, 03-02-10, 17:39
Web server maintenance: secrets, tricks and useful scripts

Anyone who knows me and my past in the field of web server maintenance knows that I was among the pioneers who gave good value for the service and its development.

Until 2007 I ran the FXP forum; somewhere along the way I hosted this forum system and maintained quite a few servers and hosting companies that exist to this day.

Anyway, I found a folder where I had saved some of the scripts and settings that back then were worth gold; today, with how the market has changed, I have no real need for them. As of now I have no real plans to return to the market, and I have no problem sharing them with you.

Using these settings and scripts requires basic knowledge of server maintenance; they were last tested on a server in 2008, so you may need to do some tweaking to adapt what I am posting to today's servers.

Everything ran under CentOS (kill me, I no longer remember which version).

At your own risk.

First of all, it is important to update all the software on the server; this is made simpler with the following script:
http://www.web4host.net/forum/viewtopic.php?f=2&t=1
Also:
http://www.directadmin.com/forum/showthread.php?t=14500

Follow the guide; the settings it gives there are good, but I recommend the following settings:

httpd.conf main config
Code:
RLimitMEM 194692778
RLimitCPU 70

Timeout 10
KeepAlive Off
MaxKeepAliveRequests 20
KeepAliveTimeout 5
MinSpareServers 7
MaxSpareServers 13
StartServers 7
MaxClients 50
MaxRequestsPerChild 20
script for determining RLimitMEM (perl)
Code:
#!/usr/bin/perl
# Estimates a value for Apache's RLimitMEM from /proc/meminfo (and from
# cPanel's /usr/local/bin/muse when it exists). This is under the Artistic license.
use strict;
use warnings;

BEGIN {
    push(@INC, "/scripts");
}

print "This should help you a lot preventing serverloads go boom :D~ enjoy :D~ david..\n";
print "Calculating Memory Limit blablabla.... .....\n";

my $size = 0;    # accumulated in kB
open(my $meminfo, "<", "/proc/meminfo") or die "cannot open /proc/meminfo: $!";
while (<$meminfo>) {
    tr/A-Z/a-z/;
    # lines look like "memtotal:  2057804 kb"
    if (/^(\S+):\s*(\S+)\s(\S+)$/ && $3 eq "kb") {
        if ($1 eq "swaptotal") {    # a third of swap
            print "..$2..";
            $size += int($2 / 3);
            print "$size";
        }
        if ($1 eq "memtotal") {     # half of physical RAM
            print "..$2..";
            $size += int($2 / 2);
            print "$size";
        }
    }
}
close($meminfo);

if (-e "/usr/local/bin/muse") {
    foreach (split(/\n/, `/usr/local/bin/muse`)) {
        if (/^(total|inactive):[\t\s]*(\d+)/i) { $size += int($2 / 1024 / 2); }
    }
}

$size = int($size / 2);      # halve the sum
$size = int($size * 1024);   # kB -> bytes
print "..$size..\n";

$size = int($size / 3);      # a third of that is the per-process limit
print "..$size..<save this number yair\n";
mod_security config httpd.conf
Code:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature off

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Prevent OS specific keywords
SecFilter /etc/passwd

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"


# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "lynx " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "scp " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "ftp " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "cvs " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "rcp " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "curl " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "telnet " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "ssh " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "echo " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links -dump " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links -dump-charset " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links -dump-width " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links http:// " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links ftp:// " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "links -source " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "mkdir " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "cd /tmp " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "cd /var/tmp " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "/../../ " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "&highlight=%2527%252E " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "arta\.zip " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "HCL_path=http " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "clamav-partial " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "vi\.recover " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "netenberg " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "psybnc " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "fantastico_de_luxe " "redirect:http://abuse.novel.co.il/"
#Block BCC/PHP Spam
SecFilterSelective THE_REQUEST|POST_PAYLOAD "bcc|Bcc|BCc|BCC|bCc|bCC|bcC|BcC" chain 
SecFilterSelective THE_REQUEST|POST_PAYLOAD "com|org|net"  "redirect:http://abuse.novel.co.il/"
# WEB-PHP phpbb quick-reply.php arbitrary command attempt 
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain 
SecFilter "phpbb_root_path=" "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective HTTP_USER_AGENT "Wget"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "wget"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective "POST_PAYLOAD" "wget" "redirect:http://abuse.novel.co.il/"
SecFilterSelective "POST_PAYLOAD" "su root" "redirect:http://abuse.novel.co.il/"
SecFilterSelective "POST_PAYLOAD" "mkdir" "redirect:http://abuse.novel.co.il/"
SecFilterSelective "POST_PAYLOAD" "rm -rf" "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "/phpmyadmin.+cfg\\[" "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "wget"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "ftp"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "cvs"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "telnet"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "ssh"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "cd /var/tmp"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "cd /tmp"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "v=1&DIR"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "/../../ "  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "&highlight=%2527%252E"  "redirect:http://abuse.novel.co.il/"
SecFilterSelective HTTP_USER_AGENT "changedir=%2Ftmp%2F.php"  "redirect:http://abuse.novel.co.il/"

</IfModule>
Change abuse.novel.co.il to your abuse address.
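To see what the rule set above actually matches before deploying it, here is a small evaluator for the mod_security 1.x SecFilterSelective syntax (with "chain" and "!" negation) run against constructed requests. This is an added example, not part of the original post or of mod_security; the rule lines are copied from the block above, the requests are made up, and it assumes a missing variable behaves like an empty string. Note that the trailing-space patterns on THE_REQUEST also hit a harmless page whose path ends in the keyword, because THE_REQUEST includes the " HTTP/1.1" suffix.

```python
"""Evaluate mod_security 1.x SecFilterSelective chains against request dicts."""
import re
import shlex

# Rule lines copied from the httpd.conf block above (abuse URL as given there).
RULES_TEXT = r'''
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective THE_REQUEST "ssh " "redirect:http://abuse.novel.co.il/"
SecFilterSelective THE_REQUEST "/../../ " "redirect:http://abuse.novel.co.il/"
'''

def parse_rules(text):
    """List of chains; each chain is a list of (variables, negate, regex)."""
    chains, current = [], []
    for line in text.splitlines():
        parts = shlex.split(line.strip())
        if not parts or parts[0] != "SecFilterSelective":
            continue
        variables = parts[1].split("|")        # e.g. THE_REQUEST|POST_PAYLOAD
        negate = parts[2].startswith("!")
        regex = re.compile(parts[2][1:] if negate else parts[2])
        current.append((variables, negate, regex))
        if "chain" not in parts[3:]:           # 'chain' joins the next rule
            chains.append(current)
            current = []
    return chains

def matched_chains(request, chains):
    """Indexes of chains whose every rule matches `request` (variable -> value).
    Assumption: an absent variable is an empty string, which is what the
    'require Content-Length' chain above relies on."""
    hits = []
    for idx, chain in enumerate(chains):
        for variables, negate, regex in chain:
            found = any(regex.search(request.get(v, "")) for v in variables)
            if found == negate:     # positive rule with no match, or negated rule with a match
                break
        else:
            hits.append(idx)
    return hits

CHAINS = parse_rules(RULES_TEXT)

# Constructed requests: a benign docs page whose path ends in "ssh", and a
# POST that carries no Content-Length header.
BENIGN_DOC = {"REQUEST_METHOD": "GET", "THE_REQUEST": "GET /docs/ssh HTTP/1.1",
              "COOKIE_PHPSESSID": "3f2a9c"}
POST_NO_LEN = {"REQUEST_METHOD": "POST", "THE_REQUEST": "POST /form HTTP/1.1"}
```

BENIGN_DOC trips the "ssh " redirect rule (chain index 3) and POST_NO_LEN trips the Content-Length chain (index 0).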

Boosting network connections (bash script: save it as "script.sh", chmod +x it and run it as root, since it writes to /proc/sys)
Code:
#!/bin/bash

# Create backup
if [ ! -e ./speed_backup.sh ] ; then
echo -n "Creating backup (`pwd`/speed_backup.sh)... "
echo "#!/bin/bash" > ./speed_backup.sh
echo "" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/ipv4/tcp_sack`\" > /proc/sys/net/ipv4/tcp_sack" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/ipv4/tcp_timestamps`\" > /proc/sys/net/ipv4/tcp_timestamps" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/ipv4/tcp_mem`\" > /proc/sys/net/ipv4/tcp_mem" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/ipv4/tcp_rmem`\" > /proc/sys/net/ipv4/tcp_rmem" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/ipv4/tcp_wmem`\" > /proc/sys/net/ipv4/tcp_wmem" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/core/optmem_max`\" > /proc/sys/net/core/optmem_max" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/core/rmem_default`\" > /proc/sys/net/core/rmem_default" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/core/rmem_max`\" > /proc/sys/net/core/rmem_max" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/core/wmem_default`\" > /proc/sys/net/core/wmem_default" >> ./speed_backup.sh
echo "echo \"`cat /proc/sys/net/core/wmem_max`\" > /proc/sys/net/core/wmem_max" >> ./speed_backup.sh
chmod 744 ./speed_backup.sh
echo -e "\tdone!"
else
echo "Backup found (`pwd`/speed_backup.sh). Skipping creation of one."
fi

# Boost buffer settings
echo -n "Boosting... "
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "3129344 3137536 3145728" > /proc/sys/net/ipv4/tcp_mem
echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_rmem
echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_wmem
echo "163840" > /proc/sys/net/core/optmem_max
echo "1048560" > /proc/sys/net/core/rmem_default
echo "2097136" > /proc/sys/net/core/rmem_max
echo "1048560" > /proc/sys/net/core/wmem_default
echo "2097136" > /proc/sys/net/core/wmem_max
echo -e "\tdone!"
Dos.pl antiddos perl script (needs apf to work)
Code:
#!/usr/bin/perl
####################
# controls number of connections to the server from single ip
# blocks ip if there are > $MAX connections
# - damir ( proton.bolchat.org  )
###################
use strict;
use warnings;

# delay (in secs)
my $INTERVAL = 120;
# max number of connections allowed from one ip
my $MAX = 550;
# safe list, i used hash, i think its faster than to call up regex
my %WL = (
    '127.0.0.1' => 1,
);
# port to monitor, 80 for webserver (apache).
my $PORT = 80;

# don't touch anything below this line heh

my %BLOCKED;    # ip -> epoch time it was blocked (entries never expire; unblock by hand)
open(STDERR, ">", "dos_log") or die "cannot open dos_log: $!";
print STDERR "program starting " . `date`;
select STDERR;
$| = 1;

# detach from the terminal and run in the background
if (fork) { exit(0); }
$SIG{ALRM} = 'IGNORE';

while (1) {
    sleep($INTERVAL);
    check_load();
}

sub check_load {
    my $cdate = localtime(time);
    my $time  = time;
    my %u;    # remote ip -> number of connections to $PORT

    foreach (split(/\n/, `netstat -an | grep tcp`)) {
        # e.g. "tcp  0  0 192.0.2.10:80  198.51.100.7:51234  ESTABLISHED"
        if (/^tcp\s+0\s+0\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):$PORT\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(.*)$/) {
            $u{$2}++;
        }
    }

    foreach my $i (keys %u) {
        if ($u{$i} > $MAX && !$BLOCKED{$i}) {
            if ($WL{$i}) {
                print STDERR "IP on whitelist flooding: $i ( $u{$i} connections ) load: " . `uptime`;
            } else {
                system("/etc/apf/apf -d $i");
                $BLOCKED{$i} = $time;
                print STDERR "$cdate blocked: $i ( $u{$i} connections ) current load: " . `uptime`;
            }
        }
    }
}
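The same per-IP connection counting as in Dos.pl, as an added example (not the original script, and in Python rather than Perl), with two things a practitioner would want on top: it counts connections even when Recv-Q/Send-Q are non-zero, which Dos.pl's "0 0" regex skips although queued bytes are typical during a flood, and it expires old blocks instead of keeping them forever. The netstat lines are constructed sample data; `select_blocks` only decides, it does not call apf.

```python
"""Per-IP connection counting over `netstat -an` output with whitelist and block expiry."""
import re
from collections import Counter

# Unlike Dos.pl's regex, this one accepts non-zero Recv-Q/Send-Q values.
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+(\S+)")

def count_connections(netstat_output, port=80, states=("ESTABLISHED", "SYN_RECV")):
    """Counter of remote IPv4 -> number of connections to local `port` in `states`."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == port and m.group(4) in states:
            counts[m.group(3)] += 1
    return counts

def select_blocks(counts, max_conn, whitelist, blocked, now, block_ttl):
    """Return (to_block, to_unblock): IPs over `max_conn` that are neither
    whitelisted nor already blocked, and blocked IPs older than `block_ttl` seconds."""
    to_block = sorted(ip for ip, n in counts.items()
                      if n > max_conn and ip not in whitelist and ip not in blocked)
    to_unblock = sorted(ip for ip, t in blocked.items() if now - t >= block_ttl)
    return to_block, to_unblock

# Constructed sample: 10.0.0.5 holds 3 connections to :80 (two with queued bytes),
# 10.0.0.9 holds 1 (plus a TIME_WAIT), 10.0.0.7 is on :22, localhost holds 3.
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:80     10.0.0.5:40001    ESTABLISHED
tcp        0   1024 192.0.2.10:80     10.0.0.5:40002    ESTABLISHED
tcp      512      0 192.0.2.10:80     10.0.0.5:40003    SYN_RECV
tcp        0      0 192.0.2.10:80     10.0.0.9:5000     ESTABLISHED
tcp        0      0 192.0.2.10:80     10.0.0.9:5001     TIME_WAIT
tcp        0      0 192.0.2.10:22     10.0.0.7:6000     ESTABLISHED
tcp        0      0 127.0.0.1:80      127.0.0.1:7000    ESTABLISHED
tcp        0      0 127.0.0.1:80      127.0.0.1:7001    ESTABLISHED
tcp        0      0 127.0.0.1:80      127.0.0.1:7002    ESTABLISHED
"""

if __name__ == "__main__":
    counts = count_connections(SAMPLE_NETSTAT)
    # threshold of 2 here only so the sample trips it; Dos.pl uses 550
    print(select_blocks(counts, 2, {"127.0.0.1"}, {}, now=1000, block_ttl=600))
```

In a real loop, `to_block` would go to `apf -d` as in Dos.pl and `to_unblock` to `apf -u`, with the block dictionary updated after each call.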
perl script to kill and restart the apache process when the server load goes over 20, and send out an e-mail
Code:
#!/usr/bin/perl
# Reads the 1-minute load average from uptime; above 20 it hard-kills every
# httpd, restarts Apache via the init script and mails a notice through exim.
my $uptime = `uptime`;
exit unless $uptime =~ /:\s+(\d+\.?(\d+)?)/;   # first ": N.NN" in uptime output is the 1-min load
exit unless $1 > 20;
system('killall -9 httpd;killall -9 httpd;killall -9 httpd;'
     . '/sbin/service httpd stop;/sbin/service httpd start;'
     . 'echo -e "Subject: Load is above 20 apache restarted!\n\n:(\n.\n" | /usr/sbin/exim your@mail.here');
Run it from crontab every 10 minutes.
Change the e-mail address!


disable functions via php.ini
Code:
; The whole value must stay on one line: php.ini does not continue a value across lines.
; shell_exec is the function name (there is no PHP function called "shell").
; readfile, escapeshellarg, escapeshellcmd and curl_exec are used by many ordinary
; PHP applications, so test before rolling this out.
disable_functions = shell_exec, phpinfo, readfile, system, proc_terminate, proc_nice, pclose, popen, passthru, pcntl_fork, pcntl_exec, posix_kill, pcntl_signal, exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, parse_ini_file, show_source, curl_exec
There is more, but we'll save it for next time. Good luck.
Last edited by yaiRy; 03-02-10 at 17:44..