Monthly archive: May 2016

Installing TigerVNC on CentOS 6

To install the KDE desktop environment on CentOS 6, run:

yum groupinstall "X Window System" "KDE Desktop" Desktop

This installs the three package groups in one go. Note that the group names KDE Desktop and X Window System contain spaces, so they must be quoted.

To install the GNOME desktop environment instead, run:

yum groupinstall "X Window System" "Desktop Platform" Desktop

This also installs three package groups. X Window System is required in either case, GNOME or KDE.

Removing the GNOME desktop environment:

yum groupremove "GNOME Desktop Environment"

Removing the KDE desktop environment:

yum groupremove "KDE (K Desktop Environment)"

Those two group names are the CentOS 5 ones. On CentOS 6 the groups are called Desktop and KDE Desktop, the same names used in the install commands above; check with yum grouplist before removing.

To start the desktop by hand, switching from the text console to the graphical session:

run

startx

To start the graphical desktop at boot, edit /etc/inittab: in the line

id:3:initdefault:

change the 3 to 5 and reboot.

If Chinese language support is needed:

yum groupinstall "Chinese Support"
vi /etc/sysconfig/i18n        # edit
export LC_ALL=zh_CN.UTF-8     # change or add this line (the file normally sets LANG="zh_CN.UTF-8"; LC_ALL overrides every locale category)

Once the desktop is installed, add graphical administration tools and the like as needed:

yum -y groupinstall "Graphical Administration Tools"
yum -y groupinstall "Internet Browser"
yum -y groupinstall "General Purpose Desktop"
yum -y groupinstall "Office Suite and Productivity"
yum -y groupinstall "Graphics Creation Tools"

When ~/.vnc/xstartup is first created (it is generated the first time vncserver is run for that user), the window manager it names is twm, a tiny window manager present on nearly every X Window System installation. The modified version looks like this:

vi ~/.vnc/xstartup
# comment out the "twm &" line, then add at the bottom:
gnome-session &   # vncserver already exports DISPLAY for the display being started; hard-coding DISPLAY=:1 here would be wrong for :2, :3, ...

Starting TigerVNC at boot:

a. Add the following line to /etc/rc.d/rc.local (or, the standard way on CentOS 6, run chkconfig vncserver on):

/etc/init.d/vncserver start

b. Edit /etc/sysconfig/vncservers:

VNCSERVERS="1:root"
VNCSERVERARGS[1]="-geometry 1024x768"  # arguments for display :1

Two caveats. Run the desktop as an unprivileged user rather than root: the VNC password is the only thing between the network and that session, and with the default VncAuth security type only the first 8 characters of it count and the session traffic is not encrypted. Unless the server is on a trusted network, add -localhost to VNCSERVERARGS so Xvnc only accepts connections from the machine itself, then reach it through an SSH tunnel (ssh -L 5901:localhost:5901 user@host, and point the viewer at localhost:5901).

Add a firewall rule to /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 5900:6000 -j ACCEPT

This opens the whole 5900-6000 range. Display :N only needs TCP 5900+N, so for the single display above --dport 5901 is enough, and with -localhost no rule is needed at all.

Several users can be listed like this (each display also needs its own VNCSERVERARGS[n] entry, and each user must have set a password with vncpasswd first):

VNCSERVERS="1:user 2:user2 3:user3"
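As an added example (not from the original post), the following shell functions work out from a VNCSERVERS value which TCP ports TigerVNC will actually listen on, emit firewall rules for only those ports instead of the 5900:6000 range, flag displays configured to run as root, and check whether a VNCSERVERARGS value keeps the display on loopback. It assumes the default port layout (display :N on 5900+N, no -rfbport override).

```shell
#!/bin/sh
# Added example, not from the original post: derive the ports a VNCSERVERS
# line needs, emit per-display firewall rules, and flag risky settings.

# Xvnc serves display :N on TCP port 5900+N. Assumption: the default port
# layout, i.e. no -rfbport override in VNCSERVERARGS.
vnc_display_port() {
    echo $((5900 + $1))
}

# Expand "1:user 2:user2 3:user3" into one "display user port" line each.
vnc_displays() {
    for entry in $1; do
        disp=${entry%%:*}
        user=${entry#*:}
        echo "$disp $user $(vnc_display_port "$disp")"
    done
}

# Rules in iptables-save syntax (the format of /etc/sysconfig/iptables),
# one per configured display, instead of opening 5900:6000.
vnc_iptables_rules() {
    vnc_displays "$1" | while read -r disp user port; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
}

# Display numbers that would run a desktop as root.
vnc_root_displays() {
    vnc_displays "$1" | awk '$2 == "root" { print $1 }'
}

# True when a VNCSERVERARGS[n] value restricts Xvnc to loopback, i.e. the
# display is only reachable through an SSH tunnel.
vnc_args_localhost_only() {
    case " $1 " in
        *" -localhost "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the two VNCSERVERS values from the post.
vnc_iptables_rules "1:user 2:user2 3:user3"
vnc_root_displays "1:root"
```

Feed the script the value from /etc/sysconfig/vncservers and paste the printed rules into /etc/sysconfig/iptables; if vnc_root_displays prints anything, move that display to an unprivileged user.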

Changing the swappiness parameter

Temporary change:

# sysctl vm.swappiness=10

vm.swappiness = 10

# cat /proc/sys/vm/swappiness

10

The change takes effect immediately, but after a reboot the value goes back to the default of 60.

Permanent change:

Add the following line to /etc/sysctl.conf and load it with sysctl -p (or wait for the next boot):

vm.swappiness=10

Configuring the exif extension for PHP on a Linux server

First locate the PHP source tree on the server, for example /root/lnmp1.3-full/php-5.2.10/ (the tree the lnmp installer built PHP from).

Change into its ext/ directory:

cd /root/lnmp1.3-full/php-5.2.10/ext/

We want the exif module, so:

cd exif/

then run

/usr/local/php/bin/phpize

which prints something like (the API numbers are those of a PHP 5.2 build and differ for other versions):
Configuring for:
PHP Api Version: 20041225
Zend Module Api No: 20060613
Zend Extension Api No: 220060519

Then run:

./configure --with-php-config=/usr/local/php/bin/php-config
make && make install

When it finishes it prints:
Build complete.
Don't forget to run 'make test'.
Installing shared extensions: /usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/

which means the build succeeded. Now edit
/usr/local/php/etc/php.ini

search for extension = and after the last such line add

extension = "exif.so"

This relies on extension_dir in php.ini pointing at the directory reported by make install above; if it points elsewhere, give the full path to exif.so. Save, restart with /root/lnmp restart, and confirm with /usr/local/php/bin/php -m | grep -i exif.

Another way to prevent cross-directory access under lnmp

lnmp places a .user.ini file in each web directory to prevent cross-directory access (it sets open_basedir for that site). The file is marked immutable, so to edit or delete it first run

chattr -i /site-directory/.user.ini

If you would rather not use that file, add the following inside each server block in nginx instead:

fastcgi_param  PHP_VALUE  "open_basedir=$document_root:/home/wwwroot/web:/tmp/:/proc/:/dev/urandom";

Always keep "$document_root:" at the front: it is what makes each vhost's own root readable, and without it any site whose root is not under one of the listed paths stops working. The PHP manual documents open_basedir entries as prefixes rather than directory names and recommends a trailing slash to limit an entry to exactly that directory, so write /home/wwwroot/web/ rather than /home/wwwroot/web.

A few problems solved while configuring ownCloud under nginx

The official documentation says Apache suits ownCloud better; an nginx configuration is provided, but it is very brief. Below is a summary of what had to be sorted out during configuration.

Virtual host configuration:

upstream php-handler {
#server 127.0.0.1:9000;
server unix:/tmp/php-cgi.sock;
}

server {
listen 80;
server_name mycloud.nancybox.com;
# enforce https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name mycloud.nancybox.com;

ssl_certificate /etc/ssl/ssl.crt;
ssl_certificate_key /etc/ssl/ssl.key;

# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /home/wwwroot/icloud/;

# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is built with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

index index.php;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;

# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}

location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}

location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}

location / {

rewrite ^/remote/(.*) /remote.php last;

rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

try_files $uri $uri/ =404;
}
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
# nginx inherits add_header from the server level only when a location has no
# add_header of its own, so this block must repeat the security headers.
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
}

# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
}
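The reason the css/js block above repeats the security headers is an nginx rule that is easy to forget: add_header lines are inherited from the server level only when the location block defines no add_header of its own, so a location that merely adds Cache-Control silently drops Strict-Transport-Security and the rest. As an added example (not part of the original post or of ownCloud's documentation), this shell function scans a config in the layout used on this page (one directive per line, the opening brace on the location line, no nested blocks inside a location, all of which the parser assumes) and reports every location block that sets add_header without re-stating Strict-Transport-Security. The sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from ownCloud: find location
# blocks whose own add_header lines drop the inherited security headers.

# Constructed config in the page's layout: one directive per line, opening
# brace on the location line, no nested blocks inside a location.
SAMPLE_NGINX_CONF='server {
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    add_header X-Frame-Options "SAMEORIGIN";
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
        access_log off;
    }
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
        add_header Cache-Control "public, max-age=86400";
        access_log off;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}'

# Read a config on stdin; print one line per location block that has its own
# add_header lines but does not re-state Strict-Transport-Security.
lint_add_header_inheritance() {
    awk '
        /^[ \t]*location[ \t]/ {
            loc = $0
            sub(/^[ \t]*location[ \t]+/, "", loc)
            sub(/[ \t]*[{][ \t]*$/, "", loc)
            inloc = 1; has_hdr = 0; has_hsts = 0
            next
        }
        inloc && /^[ \t]*add_header[ \t]/ {
            has_hdr = 1
            if ($2 == "Strict-Transport-Security") has_hsts = 1
        }
        inloc && /^[ \t]*[}]/ {
            if (has_hdr && !has_hsts)
                print "location " loc " drops the inherited security headers"
            inloc = 0
        }
    '
}

printf '%s\n' "$SAMPLE_NGINX_CONF" | lint_add_header_inheritance
```

Run it as lint_add_header_inheritance < /usr/local/nginx/conf/vhost/mycloud.conf (or wherever the server block lives); a clean config prints nothing. The check keys on Strict-Transport-Security only because that is the header whose silent loss matters most; extend the comparison if the other headers must be present too.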

php-fpm.conf configuration. Two notes on it: listen.allowed_clients only applies to a TCP listen address and is ignored for the unix socket used here, and listen.mode = 0666 makes that socket writable by every local user, so any local account can submit FastCGI requests to the pool; when the nginx workers run as the same www user as the pool, 0660 is enough.

[global]
pid = /usr/local/php/var/run/php-fpm.pid
error_log = /usr/local/php/var/log/php-fpm.log
log_level = notice

[www]
listen = /tmp/php-cgi.sock
listen.backlog = -1
listen.allowed_clients = 127.0.0.1
listen.owner = www
listen.group = www
listen.mode = 0666
user = www
group = www
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 6
request_terminate_timeout = 100
request_slowlog_timeout = 0
slowlog = var/log/slow.log
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Cross-directory protection in php.ini

open_basedir=/home/wwwroot:/tmp/:/proc/:/dev/urandom

The PHP manual documents open_basedir entries as prefixes, not directory names, and recommends a trailing slash to limit an entry to exactly that directory, so /home/wwwroot/ is the safer spelling of the first entry. /dev/urandom is a file and stays as written.
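Both forms of open_basedir on this page (the per-server PHP_VALUE in nginx above, and this php.ini line) are easy to get subtly wrong, so here is an added example (not from the original post) of a check over them. It enforces two rules: in nginx the list must start with $document_root, and every directory entry should end with a slash, since per the PHP manual an entry without one is a prefix that, for instance, would also cover a sibling such as /home/wwwroot-old. /dev/urandom is a file and is exempt. The input lines are constructed for the demo: the page's nginx line, a weaker variant, and the page's php.ini line with the trailing slash added.

```shell
#!/bin/sh
# Added example, not from the original post: check open_basedir lists as set
# by an nginx fastcgi_param PHP_VALUE line or a php.ini line.

# Constructed input: the page's nginx line, a weaker variant, and the page's
# php.ini line with the trailing slash added.
SAMPLE_BASEDIR_LINES='fastcgi_param  PHP_VALUE  "open_basedir=$document_root:/tmp/:/proc/:/dev/urandom";
fastcgi_param  PHP_VALUE  "open_basedir=/home/wwwroot:/tmp/";
open_basedir=/home/wwwroot/:/tmp/:/proc/:/dev/urandom'

# Read lines on stdin; print "<kind> line <n>: ok" or the list of problems.
# nginx lists must start with $document_root (each vhost's own root);
# directory entries must end with "/" (PHP manual: entries are prefixes);
# /dev/urandom is a file and is exempt from the slash rule.
check_open_basedir() {
    awk '
        function report(kind, list,    n, parts, i, p, problems, msg) {
            n = split(list, parts, ":")
            problems = ""
            if (kind == "nginx" && parts[1] != "$document_root")
                problems = problems " document_root-not-first"
            for (i = 1; i <= n; i++) {
                p = parts[i]
                if (p == "$document_root" || p == "/dev/urandom") continue
                if (p !~ /\/$/) problems = problems " no-trailing-slash:" p
            }
            msg = (problems == "") ? " ok" : problems
            print kind " line " NR ":" msg
        }
        /fastcgi_param[ \t]+PHP_VALUE[ \t]+"open_basedir=/ {
            list = $0
            sub(/.*"open_basedir=/, "", list)
            sub(/".*/, "", list)
            report("nginx", list)
        }
        /^[ \t]*open_basedir[ \t]*=/ {
            list = $0
            sub(/^[ \t]*open_basedir[ \t]*=[ \t]*/, "", list)
            sub(/[ \t]*$/, "", list)
            report("php.ini", list)
        }
    '
}

printf '%s\n' "$SAMPLE_BASEDIR_LINES" | check_open_basedir
```

Run it over the vhost files and php.ini together, e.g. cat /usr/local/nginx/conf/vhost/*.conf /usr/local/php/etc/php.ini | check_open_basedir; line numbers refer to the concatenated input.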

CentOS 6 iptables error (Iptables error – Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED])

Error message:

Iptables error – Setting chains to policy ACCEPT: security raw nat mangle filter [FAILED]

Fix:

vi /etc/init.d/iptables

Around line 143, find the block below and add the lines marked with +:

echo -n $”${IPTABLES}: Setting chains to policy $policy: “
ret=0
for i in $tables; do
echo -n “$i “
case “$i” in
+ security)
+ $IPTABLES -t filter -P INPUT $policy \
+ && $IPTABLES -t filter -P OUTPUT $policy \
+ && $IPTABLES -t filter -P FORWARD $policy \
+ || let ret+=1
+ ;;
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
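Review bot: the new security) case at the top of the hunk applies the policy with -t filter, so it sets the filter table's chain policies a second time and never touches the security table, which is the table the loop is iterating at that point; its INPUT, OUTPUT and FORWARD chains are what should be reached. Change the three calls to `$IPTABLES -t security -P INPUT $policy`, `$IPTABLES -t security -P OUTPUT $policy` and `$IPTABLES -t security -P FORWARD $policy`, mirroring the raw) case that follows. If the host's iptables binary does not know the security table, those calls fail and `let ret+=1` reports it, which is the honest outcome; the -t filter version only hides the [FAILED] message.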

A tool against account/password brute-forcing: Fail2Ban

The following applies to CentOS and needs iptables to work.

1. Download and unpack Fail2Ban (0.8.4 is an old release fetched over plain HTTP here; on CentOS 6 the EPEL package, yum install fail2ban, is the easier and more current route)

wget http://soft.kwx.gd/security/fail2ban-0.8.4.tar.bz2
tar -xjvf fail2ban-0.8.4.tar.bz2
cd fail2ban-0.8.4

2. Install Fail2Ban

python setup.py install
cd files
cp ./redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
service fail2ban start

3. Edit the configuration file

vi /etc/fail2ban/jail.conf

Enable the ssh-iptables jail (enabled = true) and point its logpath at /var/log/secure, where CentOS logs sshd; maxretry, findtime and bantime set how many failures within what window trigger a ban and for how long. Overrides are better kept in /etc/fail2ban/jail.local so an upgrade does not overwrite them.

4. Save and restart Fail2Ban

service fail2ban restart
chkconfig fail2ban on

5. Check that Fail2Ban is running

fail2ban-client status
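To make the maxretry threshold concrete, here is an added example (not from the original post and not Fail2Ban's own code) of the counting behind the ssh jail, run over a few constructed /var/log/secure lines: it tallies failed logins per source address and prints the addresses at or above the threshold, together with the DROP rule a ban amounts to. The first pattern is the sshd failure line Fail2Ban's sshd filter matches; the rhost= line is the PAM form covered by its pam-generic filter. Fail2Ban additionally applies the findtime window and lifts the ban after bantime, which this example leaves out.

```shell
#!/bin/sh
# Added example, not from the original post or from Fail2Ban: count sshd
# login failures per source address and print the offenders above maxretry.

# Constructed sample log lines (not from a real host).
SAMPLE_SECURE_LOG='May  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  3 10:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May  3 10:01:11 host sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
May  3 10:01:14 host sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
May  3 10:02:30 host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51301 ssh2
May  3 10:02:31 host sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51302 ssh2'

# Read log lines on stdin; print "<failures> <ip>" for every source with at
# least $1 failures, most failures first.
ssh_offenders() {
    awk -v max="$1" '
        / sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        / sshd\[[0-9]+\]: pam_unix\(sshd:auth\): authentication failure;/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); fails[$i]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# The ban as one DROP rule per offender (simplified: Fail2Ban keeps its rules
# in a dedicated chain and removes them again after bantime).
ssh_ban_rules() {
    ssh_offenders "$1" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demo with maxretry = 3, the value the sshd jail uses by default.
printf '%s\n' "$SAMPLE_SECURE_LOG" | ssh_ban_rules 3
```

On a live host, ssh_offenders 5 < /var/log/secure shows what the jail would ban with maxretry = 5, which is a quick way to sanity-check a threshold before enabling it.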

Dropbox Uploader examples

To list everything in the root folder, run:

./dropbox_uploader.sh list

To list everything in a particular folder, run:

./dropbox_uploader.sh list Documents/manuals

To upload a local file to a remote Dropbox folder, use:

./dropbox_uploader.sh upload snort.pdf Documents/manuals

To download a remote file from Dropbox to the local machine, use:

./dropbox_uploader.sh download Documents/manuals/mysql.pdf ./mysql.pdf

To download an entire remote folder into a local folder, run:

./dropbox_uploader.sh download Documents/manuals ./manuals

To create a new remote folder on Dropbox, use:

./dropbox_uploader.sh mkdir Documents/whitepapers

To delete a remote folder on Dropbox completely (including everything in it), run:

./dropbox_uploader.sh delete Documents/manuals