网站服务器主要任务:根据开发设计需求架设大型的网站服务器主要软件:apache+jboss+Oracle简称:LAJOapache+PHP+mysql简称:LAMPproFTPd+mysql简称:LPMssh+eXPectiptablesbindmail具体要求:海量用户访问海量用户存储(国内外互通)南北互通.需求分析:1.保证高要求高质量高性能,需要选择系*nix操作平台(这里选择as4.3);2.保证高访问量高数据处理,需要选数商业数据库(这里选择oracle9.2.0.4);3.解决南北互通(包括国内外互通),需要架设基于bind-view功能的智能DNS服务器.4.使用流行的B/S,C/S程序架构,需要选择了JBOSS服务器.5.更好地处理静态页面效果,需要选择了Apache服务器.6.根据程序注册用户与上传要求,需要架设ftp服务器.7.时时自动化系统监控,需要架设LAPM服务器.(这里使用软件cacti).8.公司与客户交流,需要架设邮件服务器.(这里使用postfix+extmail).9.自动化文件数据处理与安全设置,需expect+ssh+iptables结合shell脚本.10.海量,需要集群负载均衡与配备存储设备.具体流程:1.硬件采购.这里略.2.操作系统安装安装redhat as 4.3系统空间划分(略)
安装开发环境,DNS,LAMP环境所需软件包.并确认以下包已安装:compat-db compat-gcccompat-gcc-32compat-oracle-rhel4compat-libcwaitcompat-libgcccompat-libstdc++-296compat-libstdc++-33gccgcc-c++gnome-libsgnome-libs-devellibaio-devellibaiomakeopenmotif21xorg-x11-deprecated-libs-develxorg-x11-deprecated-libssysstat disk4openmotif21 disk3libaio disk3libaio-devel disk3freetype-devel disk3fontconfig-devel disk3xorg-x11-devel- disk3xorg-x11-deprecated-libs-devel- disk3glib-devel disk4ORBit-devel disk4gtk+-devel disk4alsa-lib-devel disk3audiofile-devel disk3esound-devel- disk3libjpeg-devel- disk3liBTiff-devel- disk3libungif-devel- disk3imlib-devel disk4gnome-libs-devel disk4expect disk4注意:我遇到的一个问题:全新的dell服务器1.5T,raid5,重没有安装过任何系统,硬盘也没有分区,直接用as4.3安装盘安装提示:内存错误,蓝屏,而安装失败。用了好几种Linux系统盘(包括windows安装盘)都如此,(手里没有硬盘格式分区工具,没有测试是否可以硬盘分区。)官方发行版说不支持超过2G内存,于是安装系统时先卸下2G内存,待安装完毕在请求支持超过2G内存的内核安装后就可以支持4G内存了,倘如日后全新安装系统不使用hugemem而使用默认的smp内核也能识别4G内存,更不会出现蓝屏问题。关于之中奥妙,还没有仔细研究过。。。。#rpm –ivh kernel-elhugemem….rpm修改启动文件grub.conf确保新安装的内核为优先启动.#cat /etc/grub.conf////////////////////////////////////////////////////////////////////# grub.conf generated by anaconda## Note that you do not have to rerun grub after making changes to this file# NOTICE: You have a /boot partition. This means that# all kernel and initrd paths are relative to /boot/, eg.# root (hd0,1)# kernel /vmlinuz-version ro root=/dev/sda8# initrd /initrd-version.img#boot=/dev/sdadefault=0timeout=5splashimage=(hd0,1)/grub/splash.xpm.gzhiddenmenutitle Red Hat Enterprise Linux AS (2.6.9-22.ELhugemem)root (hd0,1)kernel /vmlinuz-2.6.9-22.ELhugemem ro root=LABEL=/ rhgb quietinitrd /initrd-2.6.9-22.ELhugemem.imgtitle Red Hat Enterprise Linux AS (2.6.9-22.ELsmp)root (hd0,1)kernel /vmlinuz-2.6.9-22.ELsmp ro root=LABEL=/ rhgb quietinitrd /initrd-2.6.9-22.ELsmp.imgtitle Red Hat Enterprise Linux AS-up (2.6.9-22.EL)root (hd0,1)kernel /vmlinuz-2.6.9-22.EL ro root=LABEL=/ rhgb quietinitrd /initrd-2.6.9-22.EL.img////////////////////////////////////////////////////////////////////////////////////////////////如果hiddenmenu下面的内容顺序不对,请修改default=x(x对应ELhugemem项)重启并加载另外2G内存.这样让系统支持4G内存的正常运行.2)系统安装完毕请 作连接: #ln –s /tmp /temp
[1] [2] [3] [4] [5] [6] [7] [8] 下一页
3.配置DNS由于要南北互通,开源得只有使用view的ACL访问控制列表文件来实现多线路的自动导向.(当然也有其他的商业解决办法,比如智能路由与交换机的设置来实现,我们这里使用开源的而且容易实现与调整的解决软件bind)关于view的ACL获得办法有很多途径,这里不一一商讨.具体架设参考如下默认安装的bind为9系列的,已经支持view,配置分为三步骤分别如下所示.(1)修改named.conf(2)创建与配置hosts(3)域名解析#vi /etc/named.conf////////////////////////文件内容开始/////////////////////// named.conf for Red Hat caching-nameserver//options {Directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";/** If there is a firewall between you and nameservers you want* to talk to, you might need to uncomment the query-source* directive below. Previous versions of BIND always asked* questions using port 53, but BIND 8.1 uses an unprivileged* port by default.*/// query-source address * port 53;};//// a caching only nameserver config//controls {inet 127.0.0.1 allow { localhost; } keys { rndckey; };};include "/etc/rndc.key";//modify by mingfu 060404acl "CNC" {58.16.0.0/16;58.17.0.0/17;58.17.128.0/17;58.18.0.0/16;58.19.0.0/16;58.20.0.0/16;58.21.0.0/16;58.22.0.0/15;58.240.0.0/15;58.242.0.0/15;58.244.0.0/15;58.246.0.0/15;58.248.0.0/13;60.0.0.0/13;60.8.0.0/15;60.10.0.0/16;60.11.0.0/16;60.12.0.0/16;60.13.0.0/18;60.13.128.0/17;60.14.0.0/15;60.16.0.0/13;60.24.0.0/14;60.30.0.0/16;60.31.0.0/16;60.208.0.0/13;60.216.0.0/15;60.218.0.0/15;60.220.0.0/14;61.48.0.0/13;61.133.0.0/17;61.134.96.0/19;61.134.128.0/17;61.135.0.0/16;61.137.128.0/17;61.138.0.0/17;61.138.128.0/18;61.139.128.0/18;61.148.0.0/15;61.156.0.0/16;61.159.0.0/18;61.161.0.0/18;61.161.128.0/17;61.162.0.0/16;61.163.0.0/16;61.167.0.0/16;61.168.0.0/16;61.176.0.0/16;61.179.0.0/16;61.181.0.0/16;61.182.0.0/16;61.189.0.0/17;125.32.0.0/16;125.40.0.0/13;202.96.0.0/18;202.96.64.0/21;202.96.72.0/21;202.97.128.0/18;202.97.224.0/21;202.97.240.0/20;202.98.0.0/21;202.98.8.0/21;202.99.64.0/19;202.99.96.0/21;202.99.128.0/19;202.99.160.0/21;202.99.168.0/21;202.99.176.0/20;202.99.208.0/20;202.99.224.0/21;202.99.232.0/21;202.99.240.0/20;202.102.128.0/21;202.102.224.0/21;202.102.232.0/21;202.106.0.0/16;202.107.0.0/17;202.108.0.0/16;202.110.0.0/17;202.111.128.0/18;203.93.8.0/24;203.93.192.0/18;210.13.128.0/17;210.14.160.0/19;210.14.192.0/19;210.15.32.0/19;210.15.96.0/19;210.15.128.0/18;210.21.0.0/16;210.52.128.0/17;210.53.0.0/17;210.53.128.0/17;210.74.96.0/19;210.74.128.0/19;210.82.0.0/15;218.8.0.0/14;218.12.0.0/16;218.21.128.0/17;218.24.0.0/14;218.56.0.0/14;218.60.0.0/15;218.67.128.0/17;218.68.0.0/15;218.104.0.0/14;219.154.0.0/15;219.156.0.0/15;219.158.0.0/17;219.158.128.0/17;219.159.0.0/18;220.252.0.0/16;221.0.0.0/15;221.2.0.0/16;221.3.0.0/17;221.3.128.0/17;221.4.0.0/16;221.5.0.0/17;221.5.128.0/17;221.6.0.0/16;221.7.0.0/19;221.7.32.0/19;221.7.64.0/19;221.7.96.0/19;221.8.0.0/15;221.10.0.0/16;221.11.0.0/17;221.11.128.0/18;221.11.192.0/19;221.12.0.0/17;221.12.128.0/18;221.13.0.0/18;221.13.64.0/19;221.13.96.0/19;221.13.128.0/17;221.14.0.0/15;221.192.0.0/15;221.194.0.0/16;221.195.0.0/16;221.196.0.0/15;221.198.0.0/16;221.199.0.0/19;221.199.32.0/20;221.199.128.0/18;221.199.192.0/20;221.200.0.0/14;221.204.0.0/15;221.206.0.0/16;221.207.0.0/18;221.207.64.0/18;221.207.128.0/17;221.208.0.0/14;221.212.0.0/16;221.213.0.0/16;221.216.0.0/13;222.128.0.0/14;222.132.0.0/14;222.136.0.0/13;222.160.0.0/15;222.162.0.0/16;222.163.0.0/19;222.163.32.0/19;222.163.64.0/18;222.163.128.0/17;};view "view_cnc" {match-clients { CNC; };zone "." {type hint;file "named.ca";};zone "0.0.127.IN-ADDR.ARPA" {type master;file "localhost.rev";};include "master/cnc.def";};view "view_any" {match-clients { any; };zone "." {type hint;file "named.ca";};zone "0.0.127.IN-ADDR.ARPA" {type master;file "localhost.rev";};include "master/telecom.def";};////////////////////////文件内容结束///////////////////#mkdir /var/named/master#mkdir /var/named/master/cnc#mkdir /var/named/master/telecom#toUCh /var/named/master/cnc.def#touch /var/named/master/telecom.def说明:关于如何进行域名解析配置:@Zone区文件配置:Master/Cnc.def 网通Master/Telecom.def 电信*.def文件里面为解析域名的zone配置区设置部分.@Hosts 区文件配置Master/Cnc 网通Master/Telecom 电信下面以解析www.xxxx.com为例#vi /var/named/master/cnc.def////////////////////////文件内容开始///////////////////zone "xxxx.com" {type master;file "master/cnc/xxxx.com";};////////////////////////文件内容结束///////////////////#vi /var/named/master/telecom.def////////////////////////文件内容开始///////////////////zone "xxxx.com" {type master;file "master/telecom/xxxx.com";};////////////////////////文件内容结束///////////////////#vi /var/named/master/cnc/xxxx.com////////////////////////文件内容开始///////////////////$TTL 3600$ORIGIN xxxx.com.@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(2005121013 ;Serial3600 ; Refresh ( seconds )900 ; Retry ( seconds )68400 ; Expire ( seconds )15 );Minimum TTL for Zone ( seconds );@ IN NS ns.xxxx.com.@ IN MX xxxx.com.;;ip for cnc@ IN A x.x.x.x(网通IP)www IN A x.x.x.x(网通IP)////////////////////////文件内容结束///////////////////#vi /var/named/master/telecom/xxxx.com////////////////////////文件内容开始///////////////////$TTL 3600$ORIGIN xxxx.com.@ IN SOA ns.xxxx.com. root.ns.xxxx.com.(2005121013 ;Serial3600 ; Refresh ( seconds )900 ; Retry ( seconds )68400 ; Expire ( seconds )15 );Minimum TTL for Zone ( seconds );@ IN NS ns.xxxx.com.@ IN MX xxxx.com.;;ip for telecom@ IN A x.x.x.x(电信IP)www IN A x.x.x.x(电信IP)////////////////////////文件内容结束///////////////////客服端测试:nslookup --type=a xxxx.com x.x.x.x(网通任意一个DNS服务器IP)nslookup --type=a xxxx.com x.x.x.x(电信任意一个DNS服务器IP)看到的为配置文件中对应ip则解析配置正常.注意:上面的xxxxx.com需要修改DNS解析服务器为ns.xxxxx.com对应IP为:网通IP.备注:1).在这里做了网通与非网通的访问控制,用于实现南北互通,如要国内外互通,需要在列出一个相应的访问控制列表ACL就可以实现了.2).关于使用tar包编译安装请参看:http://www.mingfor.com/forum/showthread.php?tid=94
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
4.配置LAJO软件:Apache2.0.58JBOSS.4.0.3SP1Oracle9.2.0.4Mod-jk1.12配置:1)apache+mod-jk#tar zxvf httpd-2.0.58.tar.gz#cd httpd-2.0.58#./configure --enable-MODULE=shared --enable-so --with-mpm=worker#make&&make install#tar zxvf jakarta-tomcat-connectors-1.2.14.1-src.tar.gz#cd /home/software/jakarta-tomcat-connectors-1.2.14.1-src/jk/native# ./configure --with-apxs=/usr/local/apache2/bin/apxs#make# cp ./apache-2.0/mod_jk.so /usr/local/apache2/moduleshttpd.conf的修改该文件的路径位于$APACHE-HOME/conf上述编译过程中我们选用的worker模式,因此我们将修改worker模块的配置<IfModule worker.c>StartServers 4 #最初建立进程的数量ServerLimit 24 #进程建立的最大数量,硬限制ThreadLimit 128 #每一进程能创建线程的最大数量,硬限制,该参数建议#和ThreadsPerChild一致,如果ThreadLimit > ThreadsPerChild的话,会造成不##必要的内存消耗。MaxClients 3072 #同时可以得到处理的客户端的最大数量MinSpareThreads 100 #所有进程中空闲线程的总数最小数值MaxSpareThreads 200 #所有进程中空闲线程的总数最大数值ThreadsPerChild 128 #每个子进程可以建立的固定数量的线程MaxRequestsPerChild 0 #用于控制服务器建立和结束进程的频率,为0表示没有#限制,但在solaris OS下该值可能会出错,可以设置为1000或2000。根据系统#的并发负载吧。</IfModule>同时修改与新增httpd.conf如下内容:Include conf/mod_jk2.confUser xxxxGroup 5dxcDocumentRoot "/site"<Directory "/site">NameVirtualHost IP:80<VirtualHost IP:80>ServerAdmin [email protected] /siteServerName IPErrorLog logs/ip-error_logCustomLog logs/ip-Access_log common</VirtualHost><VirtualHost IP:82>ServerAdmin [email protected] /var/www/HtmlServerName admin.xxxx.comErrorLog logs/ip-error_logCustomLog logs/ip-access_log common</VirtualHost>#vi $APACHE-HOME/conf/mod_jk2.conf////////////////////////文件内容开始///////////////////LoadModule jk_module modules/mod_jk.soJkWorkersFile conf/workers2.propertiesJkLogFile logs/mod_jk.log# Set the jk log level [debug/error/info]JkLogLevel info# Select the log formatJkLogStampFormat "[%a %b %d %H:%M:%S %Y] "# JkOptions indicate to send SSL KEY SIZE,JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories# JkRequestLogFormat set the request formatJkRequestLogFormat "%w %V %T"JkMount /* loadbalancer#apache will serve the static picture.#以下命令意味着所有的图片与htm,Css,js页面将由APACHE解析其它交由jboss处理JkUnMount /*.jpg loadbalancerJkUnMount /*.gif loadbalancerJkUnMount /*.swf loadbalancerJkUnMount /*.bmp loadbalancerJkUnMount /*.png loadbalancerJkUnMount /*.js loadbalancerJkUnMount /*.css loadbalancerJkUnMount /*.htm loadbalancer////////////////////////文件内容结束///////////////////#vi $APACHE-HOME/conf/ uriworkermap.properties////////////////////////文件内容开始////////////////////jmx-console=loadbalancer/jmx-console/*=loadbalancer/web-console=loadbalancer/web-console/*=loadbalancer////////////////////////文件内容结束///////////////////#vi $APACHE-HOME/conf/uriworkermap.properties////////////////////////文件内容开始///////////////////worker.list=loadbalancer,statusworker.node1.port=8009worker.node1.host=192.168.0.192(请填写服务器的IP)worker.node1.type=ajp13Worder.node1.lbfactor=1worker.node1.cachesize=10worker.node2.port=8009worker.node1.host=localhostworker.node1.type=ajp13worder.node1.lbfactor=1worker.node1.cachesize=10worker.loadbalancer.type=lbworker.loadbalancer.balance_workers=node1,node2worker.loadbalancer.sticky_session=1worker.status.type=status////////////////////////文件内容结束///////////////////注意:如果需要负载:修改worker.node2.port=8009worker.node1.host=localhostworker.node1.type=ajp13worder.node1.lbfactor=1worker.node1.cachesize=10为:worker.node2.port=8009worker.node2.host=IP(进行负载的IP地址)worker.node2.type=ajp13worder.node2.lbfactor=1worker.node2.cachesize=10备注:如果要进行更多的负载….修改:worker.noden.port=8009worker.noden.host=IP(进行负载的IP地址)worker.noden.type=ajp13worder.noden.lbfactor=1worker.noden.cachesize=10worker.loadbalancer.balance_workers=node1,node2,noden2)jbossjboss安装.Jboss4.0.3sp1 解压到/site/jboss目录下….…./ deploy/jbossweb-tomcat55.sar/server.XML中,找8080,修改为8088Jdk环境变量设定:Jdk安装:#chmod 755 jdk-1_5_0_06-linux-i586.bin#./jdk-1_5_0_06-linux-i586.binJava参数设置:#ln –s /usr/local/jdk1.5.0_06 /usr/local/jdk如果你下载的是rpm包请如下操作#./jdk-1_5_0_06-linux-i586.rpm.bin#rpm jdk-1_5_0_06-linux-i586.rpm# ln –s /usr/ jdk1.5.0_06 /usr/local/jdk#vi /etc/profile.d/java.sh////////////////////////文件内容///////////////////JAVA_HOME=/usr/local/jdkPATH=$PATH:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$CATALINA_HOME/binexport JAVA_HOME PATH////////////////////////文件内容///////////////////3) apache+jboos服务启动问题apache+jboss整合配置已完毕.下面是启动这些服务了...用户与权限分配groupadd –g 5500 xxxxadduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g xxxx xxxx修改/etc/passwd文件中的xxxx用户中的”/bin/false”为”/bin/bash”,以便于以后jboss使用.当然你也可以这样做:adduser -u 5500 -s /bin/bash -d /bin/null -c "proftpd user" -g xxxx xxxxchown xxxx /site/* –Rchgrp xxxx /site/* -Rchmod 755 /site/* -R..服务启动添加如下内容到/etc/rc.local/usr/local/apache2/bin/apachectl start/etc/init.d/jboss start#vi /etc/init.d/jboss////////////////////////文件内容开始///////////////////#/etc/init.d/jboss/etc/rc.d/init.d/functionsJBOSS_HOME=/site/jbossexport JBOSS_HOMEJAVA_HOME=/usr/local/jdkexport JAVA_HOMEPATH=$PATH:$JAVA_HOME/binexport PATHCLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jarexport CLASSPATHprog="jboss"start(){#Input the jbos Service log into jboss.logecho "Jboss4.0.3SP1 Service Starting........" >>/var/log/xxxx/jboss.logecho "-----------------------------------------------" >>/var/log/xxxx/jboss.logdate "+%Y-%m-%d %A %T :Jboss Service start" >>/var/log/xxxx/jboss.logecho "-----------------------------------------------" >>/var/log/xxxx/jboss.logsu - xxxx -c $JBOSS_HOME/bin/run.sh & >>/var/log/xxxx/jboss.logtouch /var/log/xxxx/jboss.log}#Function stop,Stop the Jboss Service auto#when the Linux Haltstop(){#Input the jboss Service log into jboss.logecho "jboss Service Stopping........" >>/var/log/xxxx/jboss.logecho "-----------------------------------------------" >>/var/log/xxxx/jboss.logdate "+%Y-%m-%d %A %T :jboss Service Stop">>/var/log/xxxx/jboss.logecho "-----------------------------------------------" >>/var/log/xxxx/jboss.logsu - xxxx -c “$JBOSS_HOME/bin/shutdown.sh –S”>>/var/log/xxxx/jboss.log}case $1 instart)start;;stop)stop;;restartreload)stopstart;;status)status $prog;;*)echo "Please Input startstoprestartreloadstatus"return 1esac////////////////////////文件内容结束///////////////////注意:请赋予jboos的执行权限:chmod 755 /etc/init.d/jboss请注意xxxx用户是没有设置密码的,确保使用xxxx用户是无法登录的,只有root可以切换到该用户环境中去的:#su – xxxx…..
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
4)oracle安装与启动创建相关安装目录和环境变量 1,创建user/group; #groupadd dba #groupadd oinstall #useradd oracle -g oinstall -G dba #passwd oracle 2,建立oracle安装文件夹; # mkdir -p /opt/ora9/product/9.2.0.4 # mkdir /var/opt/oracle # chmod oracle.dba /var/opt/oracle # chown -R oracle.dba /opt/ora9 3,配置环境变量;以root用户登录,设置root用户的环境打开.bash_profile文件,将如下内容加入:export ORACLE_BASE=/opt/ora9export ORACLE_HOME=/opt/ora9/product/9.2.0.4export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/binexport ORACLE_OWNER=oracleexport ORACLE_SID=oradb //此处为你的sid 使用Oracle用户登陆: #su – oracle $vi .bash_profile 以下是配置文件的内容 # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then. ~/.bashrc fi # User specific environment and startup programs PATH=$PATH:$HOME/bin export ORACLE_BASE=/opt/ora9 export ORACLE_HOME=/opt/ora9/product/9.2.0.4 export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin export ORACLE_OWNER=oracle export ORACLE_SID=oradb export ORACLE_TERM=xterm export LD_ASSUME_KERNEL=2.4.19 export THREADS_FLAG=native export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib export NLS_LANG=”American_america.utf8” export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data export PATH unset USERNAME 4,设置系统参数;#su – root切换到root用户a) 修改#vi /etc/sysctl.conf, 以下是配置文件的内容:# Kernel sysctl configuration file for Red Hat Linux## For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and# sysctl.conf(5) for more details.# Controls IP packet forwardingnet.ipv4.ip_forward = 0# Controls source route verificationnet.ipv4.conf.default.rp_filter = 1# Controls the System Request debugging functionality of the kernelkernel.sysrq = 0# Controls whether core dumps will append the PID to the core filename.# Useful for debugging multi-threaded applications.kernel.core_uses_pid = 1kernel.shmmax = 536870912kernel.shmmni = 4096kernel.shmall = 2097152kernel.sem = 250 32000 100 128fs.file-max = 65536net.ipv4.ip_local_port_range = 1024 65000修改后运行#sysctl –p命令使得内核改变立即生效;注:一般情况下可以设置最大共享内存为物理内存的一半,如果物理内存是 2G,则可以设置最大共享内存为 1073741824,如上;如物理内存是 1G,则可以设置最大共享内存为 512 * 1024 * 1024 = 536870912;以此类推。建议永久地增加 shmmax 设置。sem 4 个参数依次为SEMMSL(每个用户拥有信号量最大数);SEMMNS(系统信号量最大数);SEMOPM(每次semopm系统调用操作数); SEMMNI(系统辛苦量集数最大数).Shmmax 最大共享内存,官方文档建议是内存的1/2,Shmmni 最小共享内存 4096KB.Shmall 所有内存大小 。b) 设置oracle对文件的要求:编辑文件:#vi /etc/security/limits.conf 加入以下语句:oracle soft nofile 65536oracle hard nofile 65536oracle soft nproc 16384oracle hard nproc 16384也可以写成:* soft nofile 65536* hard nofile 65536* soft nproc 16384* hard nproc 16384c) gcc降级#mv /usr/bin/gcc /usr/bin/gcc34#ln –s /usr/bin/gcc32 /usr/bin/gcc#mv /usr/bin/g++ /usr/bin/g++34#ln –s /usr/bin/g++32 /usr/bin/g++5,安装oracle补丁# cd /opt#ls compat*.rpmcompat-libcwait-2.0-2.i386.rpm compat-oracle-rhel4-1.0-5.i386.rpm# rpm -Uvh compat*.rpmPreparing... ########################################### [100%]1:compat-libcwait-2.0-2.i386.rpm ##################################### [ 50%]2:compat-oracle-rhel4-1.0-5.i386.rpm#################################### [100%]开始安装Oracle9i1,解压下载的安装文件:#zcat ship_9204_linux_disk1.cpio.gz cpio –idmv&&zcat ship_9204_linux_disk2.cpio.gz cpio –idmv&& zcat ship_9204_linux_disk3.cpio.gz cpio –idmv解包和解压过程中,自动创建了3个包含安装文件的目录:Disk1Disk2Disk3.以oracle用户登录系统,进行Oracle的安装(注意请不要在root登录中切换到oracle,是以oracle登录到系统(图形界面)):$ cd Disk1$ ./runInstaller过一会儿就会出现Oracle的安装界面- Welcome Screen: Click Next- Inventory Location: Click Next- Unix Group Name: Use "oinstall" and click NextWhen asked to run /tmp/orainstRoot.sh, run it before you click Continue- At the end of the installation, exit runInstaller.2.一步一个脚印安装下去就行了!3,安装完后打补丁:切换到oracle:#su – oracle 首先安装 opatch.$cd /opt$unzip p2617419_210_GENERIC.zipArchive: p2617419_210_GENERIC.zipcreating: OPatch/creating: OPatch/docs/inflating: Opatch/docs/FAQ......inflating: README.txt$export PATH=$PATH:/opt/OPatch:/sbin(修改PATH时要要包括解压缩出来的Opatch 和 sbin目录)$unzip p3238244_9204_LINUX.zip$export ORACLE_BASE=/opt/ora9$export ORACLE_HOME=/opt/ora9/product/9.2.0.4$ cd 3238244$opatch apply出现success的提示就全部安装成功.补丁打完后,还要relinked一个.mk文件$cd $ORACLE_HOME/network/lib$make -f ins_oemagent.mk install之后就可以启动Agent服务了.
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
4, 最后执行 $dbca 建oracle数据库注意:在SID处指定为oradb (与 ORACLE_SID=oradb)中的值一致.点击OK,然后退出即可,正常登陆并启动数据库的操作。$ lsnrctl start$ sqlplus /nologSQL*Plus: Release 9.2.0.4.0 - Production on Sat Mar 12 22:58:53 2005Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.SQL>connect / as sysdbaConnected.SQL> shutdown immediate 关闭数据库Database closed.Database dismounted.ORACLE instance shut down.SQL>startup; 启动数据库ORACLE instance started.Total System Global Area 236000356 bytesFixed Size 451684 bytesVariable Size 201326592 bytesDatabase Buffers 33554432 bytesRedo Buffers 667648 bytesDatabase mounted.Database opened.5, oracle服务启动以root身份进入,编写以下脚本:vi /etc/init.d/oracle////////////内容//////////////////#!/bin/bash#start and stop the oracle instance# chkconfig –level 5 --add ora9i#chkconfig: 345 91 19# description: starts the oracle listener and instanceexport ORACLE_HOME="/opt/ora9/product/9.2.0.4"export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/Apache/Apache/bin:$PATHexport ORACLE_OWNER="oracle"export ORACLE_SID=oradbif [ ! -f $ORACLE_HOME/bin/dbstart -o ! -d $ORACLE_HOME ]thenecho "oracle startup:cannot start"exit 1ficase "$1" instart)#startup the listener and instanceecho -n "oracle startup: "su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl start"su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbstarttouch /var/lock/subsys/oracleecho "finished";;stop)# stop listener, apache and databaseecho -n "oracle shutdown:"su - $ORACLE_OWNER -c "$ORACLE_HOME/bin/lsnrctl stop"su - $ORACLE_OWNER -c $ORACLE_HOME/bin/dbshutrm -f /var/lock/subsys/oracleecho "finished";;reloadrestart)$0 stop$0 start;;*)echo "Usage: ora9i [startstopreloadrestart]"exit 1esacexit 0////////////内容//////////////////给予执行权限,以root身份运行/etc/rc.d/init.d/oracle start stop 来管理oracle的启动和停止了。如果要将这个脚本加入到系统中使其可开机运行(不过官方是不建议开机自动运行的,我本人也不建议这样做,你确实需要可以这么做),那么要运行以下命令: chkconfig --level 35 --add oracle或者以root用户执行如下命令:#chmod a+x /etc/rc.d/init.d /oracle#cd /etc/rc.d/rc5.d#ln -s /etc/rc.d/init.d/oracle S99ora9i#cd /etc/rc.d/rc0.d#ln -s /etc/rc.d/init.d/oracle K99ora9i也可如下自启动oracle9i!在/etc/rc.d/rc.local中加入如下:su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"注意:如果启动不理想,请编写shell scripts:方法:以我个人习惯为例;;;;;;;;;;#mkdir /usr/local/syscmf#vi /usr/local/syscmf/oracle.sh////////////////////////文件内容开始///////////////////#!/bin/sh#modify by mingfu 060404#oracle run scripts#run user for oraclelsnrctl startexpect /usr/local/syscmf/oracle.exp////////////////////////文件内容结束///////////////////#vi /usr/local/syscmf/oracle.exp////////////////////////文件内容开始///////////////////#!/usr/local/bin/expect#modify by mingfu 060404#oracle run scriptsset timeout 120spawn sqlplus \/nologexpect "SQL\>"send "conn \/ as sysdba\r"expect "SQL\>"send "startup\r"expect "SQL\>"send "exit\r"exit////////////////////////文件内容结束///////////////////#chown oracle /usr/local/syscmf/*#chgrp oracle /usr/local/syscmf./*#chmod 755 /usr/local/syscmf/*在/etc/rc.local中新增如下内容:su – oracle /usr/local/syscmf/oracle.sh删除原来的:su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/lsnrctl start"su - oracle -c "/opt/ora9/oracle/product/9.2.0.4/bin/dbstart start"6, 关于数据库删除重新安装的问题:把ORACLE安装目录删除及/etc/ora*.*删除就行了#rm –f /etc/ora*.*
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
7,关于在LINUX中运行管理软件$oemapp#su – oracle$oemapp console8, 中文显示不正常解决办法Oracle 目前缺省安装的字符集是WE8MSWIN1252,不是中文字符集,并且不能通过直接运行 alter database character set ZHS16GBK ; 来修改,因为ZHS16GBK不是缺省字符集的超集。过去流传很广的直接修改sys用户下的PROPS$表的方法,也会给字符集的变更留下很多潜在的问题.linux下进行如下的操作来修改字符集:sqlplus /nologsql>conn / as sysdbasql>shutdown immediatesql>startup mountsql>alter system enable restricted session ;sql>alter system set JOB_QUEUE_PROCESSES=0;sql>alter system set AQ_TM_PROCESSES=0;sql>alter database open ;sql>alter database character set internal_use ZHS16GBK ;sql>shutdown immediatesql>startup这样字符集的修改就完成了(如果你在安装时选择了中文字符集,这里就不用修改了)LAJO服务环境配置完毕.5.配置LAMP系统自带安装http+php+mysql软件包,进行配置如下:Apache配置修改/etc/httpd/conf/httpd.conf内容如下:Listen 82ServerName 127.0.0.1:82DocumentRoot "/var/www/html"<Directory "/var/www/html">注意:系统已经有两个httpd服务进程.用户分别是:xxxx apache请确保/usr/local/apache2/bin/apachectl start/etc/init.d/httpd start此两个服务自启动.Mysql设置Mysql>create ftpdb;Mysql>grant all privileges on ftpdb.* to ftpuser@localhost identified by “xxxx”;Mysql>grant all privileges on *.* to root@’%’ identified by “xxxx”;Mysql>flush privileges;Mysql>exit请确保/etc/init.d/mysqld start此服务自启动.LAMP服务环境配置完毕.7.配置FTP配合工程实施与建立ftp帐号相关联,方便维护与管理,我这里选择了Proftpd与数据库结合的方式来实现的.创建Ftpdb结构:Mysql>use ftpdb;Mysql> CREATE TABLE `ftpgroup` (`groupname` varchar(16) NOT NULL default '',`gid` smallint(6) NOT NULL default '5500',`members` varchar(16) NOT NULL default '',KEY `groupname` (`groupname`)) ;Mysql> CREATE TABLE `ftpquotalimits` (`name` varchar(30) default NULL,`quota_type` enum('user','group','class','all') NOT NULL default 'user',`per_session` enum('false','true') NOT NULL default 'false',`limit_type` enum('soft','hard') NOT NULL default 'soft',`bytes_in_avail` float NOT NULL default '0',`bytes_out_avail` float NOT NULL default '0',`bytes_xfer_avail` float NOT NULL default '0',`files_in_avail` int(10) unsigned NOT NULL default '0',`files_out_avail` int(10) unsigned NOT NULL default '0',`files_xfer_avail` int(10) unsigned NOT NULL default '0') ;Mysql> CREATE TABLE `ftpquotatallies` (`name` varchar(30) NOT NULL default '',`quota_type` enum('user','group','class','all') NOT NULL default 'user',`bytes_in_used` float NOT NULL default '0',`bytes_out_used` float NOT NULL default '0',`bytes_xfer_used` float NOT NULL default '0',`files_in_used` int(10) unsigned NOT NULL default '0',`files_out_used` int(10) unsigned NOT NULL default '0',`files_xfer_used` int(10) unsigned NOT NULL default '0') ;Mysql> CREATE TABLE `ftpuser` (`id` int(10) unsigned NOT NULL auto_increment,`userid` varchar(32) NOT NULL default '',`passwd` varchar(32) NOT NULL default '',`uid` smallint(6) NOT NULL default '5500',`gid` smallint(6) NOT NULL default '5500',`homedir` varchar(255) NOT NULL default '',`shell` varchar(16) NOT NULL default '/sbin/nologin',`count` int(11) NOT NULL default '0',`accessed` datetime NOT NULL default '0000-00-00 00:00:00',`modified` datetime NOT NULL default '0000-00-00 00:00:00',PRIMARY KEY (`id`)) ;Mysql> INSERT INTO `ftpgroup` (`groupname`, `gid`, `members`) VALUES("5dxc", "5500", "xxxx");Mysql>INSERT INTO `ftpquotalimits` (`name`, `quota_type`, `per_session`, `limit_type`, `bytes_in_avail`, `bytes_out_avail`, `bytes_xfer_avail`, `files_in_avail`, `files_out_avail`, `files_xfer_avail`) VALUES("test", "user", "false", "soft", "1.024e+06", "0", "0", "0", "0", "0");Mysql> INSERT INTO `ftpquotatallies` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES("test", "user", "809781", "0", "809781", "0", "0", "0");Mysql> INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES("1", "test", "test", "5500", "5500", "/site", "/sbin/nologin", "0", "0000-00-00 00:00:00", "0000-00-00 00:00:00");配置proftp:#tar xzvf proftpd-1.3.0rc5.tar.gz#cd proftpd-1.3.0rc5#./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql:mod_ratio --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql#make&&make install#mv /etc/local/proftpd/etc/proftpd.conf /etc/local/proftpd/etc/proftpd.confbak#vi /etc/local/proftpd/etc/proftpd.conf////////////////////////文件内容///////////////////# This is a basic ProFTPD configuration file (rename it to# 'proftpd.conf' for actual use. It establishes a single server# and a single anonymous login. It assumes that you have a user/group# "nobody" and "ftp" for normal operation and anon.#ServerName "ProFTPD Default Installation"ServerName "Mingfu's ftp"ServerType standaloneDefaultServer on# Port 21 is the standard FTP port.Port 21# Umask 022 is a good standard umask to prevent new dirs and files# from being group and world writable.Umask 022# To prevent DoS attacks, set the maximum number of child processes# to 30. If you need to allow more than 30 concurrent connections# at once, simply increase this value. Note that this ONLY works# in standalone mode, in inetd mode you should use an inetd server# that allows you to limit maximum number of processes per service# (such as xinetd).MaxInstances 100MaxLoginAttempts 3# Set the user and group under which the server will run.User nobodyGroup nobody# To cause every FTP user to be "jailed" (chrooted) into their home# directory, uncomment this line.#DefaultRoot ~DefaultRoot ~#put the proftpd log files in /var/log/ftp.syslog#SystemLog /var/log/ftp.syslogSystemLog /var/log/xxxx/ftp.syslog#TransferLog log filesTransferLog /var/log/xxxx/ftp.transferlogMaxHostsPerUser 1 "Sorry, you may not connect more than one time 1."MaxClientsPerUser 13 "Only one such user at a time 2."MaxClientsPerHost 20 "Sorry, you may not connect more than one time 3."#setup the RestartAllowRetrieveRestart onRootLogin offRequireValidShell offTimeoutStalled 600MaxClients 2000AllowForeignAddress onAllowStoreRestart onServerIdent offDefaultRoot ~ xxxx#Slow loginsUseReverseDNS offIdentLookups off#IdentLookups and tcpwrappers ***# Normally, we want files to be overwriteable.AllowOverwrite onTimeoutIdle 600SQLAuthTypes Backend PlaintextSQLAuthenticate users* groups*# databasename@host database_user user_password#SQLConnectInfo ftpdb@localhost proftpd passwordSQLConnectInfo ftpdb@localhost ftpuser xxxxSQLUserInfo ftpuser userid passwd uid gid homedir shellSQLGroupInfo ftpgroup groupname gid membersSQLHomedirOnDemand on# Update count every time user logs inSQLLog PASS updatecountSQLNamedQuery updatecount UPDATE "count=count+1,accessed=now() WHERE userid='%u'" ftpuser# Update modified everytime user uploads or deletes a fileSQLLog STOR,DELE modifiedSQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuserQuotaEngine onQuotaDirectoryTally onQuotaDisplayUnits kbQuotaShowQuotas onQuotaLog "/var/log/quota"SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}'AND quota_type = '%{1}'"SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used+ %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatalliesSQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatalliesQuotaLimitTable sql:/get-quota-limitQuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally////////////////////////文件内容///////////////////在/etc/rc.local文件中新增/usr/local/proftpd/sbin/proftpd &LPM配置完毕.注意:以后添加ftp帐号只需操作ftpuser表添加相应字段.用户磁盘限额操作ftpquotalimits表添加相应字段.Mysql管理win工具推荐:mysql-front其中远程连接帐号:User:rootHost:IPPswd:xxxx(与grant all privileges on *.* to root@’%’ identified by “xxxx”;中设置的密码一致) .架设也可参考如下连接:http://www.mingfor.com/forum/showthread.php?tid=28
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
8.配置MAIL配合jboss工程程序实施与建立MAIL帐号相关联,方便维护与管理,我这里选择了邮件服务器与数据库结合的方式来实现的.具体架设参考邮件发送程序,然后来配置邮件服务器,邮件系统的用户帐号不准创建真实的系统帐号,所有的帐号均建在mysql数据库中.具体架设过程略。架设可参考如下连接:http://www.mingfor.com/forum/showthread.php?tid=19http://www.extmail.org9.安全策略下面是一个简易有效的防火墙设置,只要没有固定IP来入侵,服务器均可正常访问.因此服务器上线后需要提取服务器通信状态信息.这里服务器已进配置好LAMP环境,因此系统监控请安装CACTI(http://www.cacti.net)软件来监控.关于它的安装方法比较简单,这里不一一说明了.还要时时将#netstat –nagrep SYN的结果中连续15个相同的伪连接给DJOP出系统通信间道.当有这样的入侵连接时….#iptables –A …………..djop(注意请不要将这个写入到iptables文件中)下面是iptables文件的所有内容:#cat /etc/sysconfig/iptables////////////////////文件内容////////////////////# Firewall configuration written by system-config-securitylevel# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:RH-Firewall-1-INPUT - [0:0]-A INPUT -j RH-Firewall-1-INPUT-A FORWARD -j RH-Firewall-1-INPUT-A RH-Firewall-1-INPUT -i lo -j ACCEPT-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT-A RH-Firewall-1-INPUT -p 50 -j ACCEPT-A RH-Firewall-1-INPUT -p 51 -j ACCEPT-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -s 0/0 -d 0/0 --dport 177 -j ACCEPT#modify by mingfu 060404#Please do not modify the content below#ACK FIN SYN-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP#port scan# NMAP FIN/URG/PSH-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP# Xmas Tree-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP# Another Xmas Tree-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP# Null Scan(possibly)-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP# SYN/RST-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP# SYN/FIN -- Scan(possibly)-A RH-Firewall-1-INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP#!--syn-A RH-Firewall-1-INPUT -p tcp ! --syn -m state --state NEW -j DROP#Dos-A RH-Firewall-1-INPUT -p tcp --dport 80 -m limit --limit 10/second --limit-burst 300 -j ACCEPT#sync flood-N synfoold-A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN-A synfoold -p tcp -j REJECT --reject-with tcp-reset-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -j synfoold-N ping-A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN-A ping -p icmp -j REJECT-I RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s 0/0 -j ACCEPT#-A RH-Firewall-1-INPUT -p icmp --icmp-type 0 -s localip -j DROP#-A RH-Firewall-1-INPUT -p icmp --icmp-type 8 -s localip -j DROP#all ports-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT#FTP-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 32800:34000 -j ACCEPT#MAIL-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT#SSH-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 922 -j ACCEPT#WEB-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 82 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 4443 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 7777 -j ACCEPT#DNS-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT#DATABASE-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT#VNC-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 5801: -j ACCEPT#ICMP-A RH-Firewall-1-INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited-A RH-Firewall-1-INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW,INVALID -j DROPCOMMIT////////////////////文件内容////////////////////在/etc/rc.local中新增如下内容:////////////////////文件内容////////////////////echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_allecho 1 >/proc/sys/net/ipv4/tcp_syncookiesecho "1" > /proc/sys/net/ipv4/tcp_syn_retriesecho "1" > /proc/sys/net/ipv4/tcp_synack_retriesecho 8192 >/proc/sys/net/ipv4/tcp_max_syn_backlog////////////////////文件内容////////////////////其中8192=1024*4*2.更多详情请查阅/proc相关文献介绍关于获取netstat –nagrep SYN_RECV 与TIME_WAIT的脚本:这里我无法写下来。只是原理和主要的代码告诉大家:使用 netstat 来统计重复的连线 IP,将这些来自同一 IP 的连线统计一下,如果超过一个设定值(您自己选择的!),那麽该 IP 就会被iptables 机制挡掉了!利用shell script 结合iptables来完成(其中用到的linux命令主要有:netstat awk cut sort)。。。shell脚本中部分主要代码:///////////////////////////////////////basedir="/usr/local/syscmf"#=== Part A, about the TIME WAIT signle ===#netstat -angrep 80grep TIME awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstatasleep 14snetstat -angrep 80grep TIME awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstatbsleep 14snetstat -angrep 80grep TIME awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstatccat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 sort uniq -c \awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-wait.nowdenyip_netstat=`cat $basedir/netstat-wait.now`#=== Part B, about the SYN RECV signle ===#netstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat1sleep 12snetstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat2sleep 12snetstat -angrep 80grep SYN awk '{print $5}' cut -d':' -f1 sort uniq -c \awk '{if ($1 >= 12) print $2}' > $basedir/netstat3cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 sort uniq -c \awk '{ if ( $1 == 3 ) print $2 }' > $basedir/netstat-syn.nowdenyip_netstat=`cat $basedir/netstat-syn.now`///////////////////////////////////////关于防止别人来猜测ssh用户登录的密码,修改默认的ssh端口22为922(与防火墙中规则指定的922相一致.) 修改方法如下:#vi /etc/ssh/sshd_config修改:#Port 22为:Port 922注意:修改后的ssh连接方法:ssh user@ip –p 922如果你不想指定-p参数,请修改/etc/ssh/ssh_config的#Port 22为:Port 922建议将提供服务的服务器中的ssh服务端与客服端的ssh通信端口都修改……10.测试上线所有的配置完毕,重启服务器.测试好准备上线.注意:以下服务不能重复多次启动,必须服务在停止的情况下才能启动,否则会出现启动错误.#su - oracle usr/local/syscmf/oracle.sh#/etc/rc.d/init.d/jboss start关于这两个服务的启动用户与权限:1.Oracle:用户:oracle(可以进行系统登录)切忌有关oracle的操作请在oracle用户环境中进行操作.你实在要在root用户中操作,请不要忘了#su – oracle –c “lsncrctl start”……..a.Oracle服务停止:$sqlplus /nologSQL>conn / as sysdbaSQL>shutdown immediateSQL> exit$lsnrctl stopb.Oracle服务启动:$lsnrctl start$sqlplus /nologSQL>conn / as sysdbaSQL> startupc.Oracle服务强制启动:在oracle服务已进启动的情况下也可启动oracle服务.$sqlplus /nologSQL>conn / as sysdbaSQL> startup force如果你要利用我写的expect自动输入脚本来启动,你需要修改,在里面加入条件判断结构.
上一页 [1] [2] [3] [4] [5] [6] [7] [8] 下一页
2.Jboss:用户:xxxx (不可以进行系统登录)切忌有关jboss的操作请在jboss用户环境中进行操作.你实在要在root用户中操作,请不要忘了#su – xxxx /site/jboss/bin/run.sh或者#/etc/init.d/jboss starta.xxxx用户环境下:无法登录如何使用呢?远程文本界面启动法:以root登录系统:切换root可以登录到xxxx用户环境来进入xxxx.#su – xxxxJboos 启动$/site/jboss/bin/run.shJboss停止$/site/jboss/bin/shutdown.sh –S远程图形界面法:关于开启远程图形界面登录的问题:只允许oracle用户可以远程图形界面登录,为了便于操作oracle.下面是开启改功能的过程:#su – oracle$vncserverPassword:********Password:********$exit$ps –efgrep vnc将看到的vnc进程kill -9.$vi .vnc/xstartup修改:twm &为gnome-session &$vncserver注意:只允许开启一个vnc服务进程…..对应的端口为5801在已进有vncserver启动的情况下不要在次启动vncserver服务.否则它将在增加一个vnc服务进程…….http://ip:5801输入密码即可远程图形登录系统了.由于是oracle登录到系统的….要启动jboss.需要如下操作:$su –Password:********#su – xxxxJboos 启动$/site/jboss/bin/run.shJboss停止$/site/jboss/bin/shutdown.sh –Sb.root用户环境下:Jboos 启动#su – xxxx /site/jboss/bin/run.sh或者#service jboss start或者#/etc/init.d/jboss startJboss停止#su – xxxx /site/jboss/bin/shutdown.sh –S或者#service jboss stop或者#/etc/init.d/jboss stop关于(系统,软件)日志分析,根据自己的使用习惯搭建…..关于系统用户创建问题,由于系统里面创建的xxxx用户指定了-u=5500.所以在以后创建的系统帐户id=550X, 这样会存在安全隐患,所以在创建用户时请指定id=50x(x=5开始.):例如创建user:#groupadd –g 505 user#adduser –u 505 –g user user注意所有的系统帐号id请不要超过5500.
(出处:http://www.sheup.com)