centos7minimal安装之后,tab键不能补全了。。。
上网搜了下,原来是要安装一个插件bash-completion
我就直接安装了
yum install bash-completion
安装ok了
然后再退出终端,,在登陆一下就ok了~~~~
参考网址:http://blog.csdn.net/zokie/article/details/8730542
http://www.51ou.com/browse/centos/61405.html
centos6.6执行yum安装的话,找不到这个软件
去这里下载http://www.caliban.org/files/redhat/RPMS/noarch/bash-completion-20060301-1.noarch.rpm
sudo rpm -ivf bash-completion-20060301-1.noarch.rpm
重新登陆下就好了
nginx
自带的yum源的nginx版本比较低,到nginx官网下载版本对应的源http://nginx.org/en/linux_packages.html#stable
然后安装
rpm -ivf nginx-release-centos-6-0.el6.ngx.noarch.rpm
再安装nginx
yum install nginx
安装成功,启动nginx
service nginx start
mysql
去mysql的官网下载源,http://dev.mysql.com/downloads/repo/yum/
这个页面有安装步骤,http://dev.mysql.com/doc/mysql-yum-repo-quick-guide/en/
安装下载的源
rpm -ivf mysql-community-release-el6-5.noarch.rpm
安装mysql
yum install mysql-community-server
启动mysql
service mysqld start
会报错,启动不成功
初始化 MySQL 数据库: 2015-06-08T13:15:59.011125Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2015-06-08T13:15:59.013681Z 0 [ERROR] Can't change data directory owner to mysql
2015-06-08T13:15:59.013693Z 0 [ERROR] Aborting
关闭下selinux
setenforce 0
再启动下,然后进行运行mysql的命令进行一些初始化工作(具体设置内容可以看centos7安装LANP)
运行这个命令需要的密码可以用这个命令看到
grep 'temporary password' /var/log/mysqld.log
mysql_secure_installation
php
安装php的源,比较新
yum install epel-release
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
安装php(这里安装了一些php的扩展,有些不知道是干嘛的~~~可以根据需求去掉,但是php-fpm和php-mysqlnd最好别去掉,一个是之后和nginx整合需要用到的,一个连接mysql的)
yum install --enablerepo=remi --enablerepo=remi-php56 php php-fpm php-opcache php-devel php-mbstring php-mcrypt php-mysqlnd php-phpunit-PHPUnit php-pecl-xdebug php-pecl-xhprof
php和nginx
先启动php-fpm
service php-fpm start
修改nginx配置文件(配置在这里点击我)
然后就ok了
php和mysql
先打开selinux的一个选项
setsebool -P httpd_can_network_connect=1
再测试下,应该就ok了~~~~
设置下服务在开机的时候自启动
chkconfig --level 235 php-fpm on
chkconfig --level 235 mysqld on
chkconfig --level 235 nginx on
这样设置之后因为防火墙的关系,只有本机可以访问,查看防火墙的设定防火墙设定
nginx
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
yum install nginx
systemctl start nginx
yum install links
links 127.0.0.1
links 192.168.208.6
firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-services
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --reload
安装安装成功,可以测试,出现nginx欢迎页面就ok
mysql
rpm -ivf mysql-community-release-el7-5.noarch.rpm
yum search yum-utils
yum install yum-utils
yum-config-manager --disable mysql56-community
yum-config-manager --enable mysql57-community-dmr
yum search mysql-server
yum repolist | grep 'mysql'
yum repolist enabled | grep 'mysql'
yum search mysql-community-server
yum install mysql-community-server
[root@localhost log]# systemctl start mysqld.service
[root@localhost log]# grep 'temporary password' /var/log/mysqld.log
2015-06-08T01:44:44.713032Z 1 [Warning] A temporary password is generated for root@localhost: ln3hb?;Jkk6w
[root@localhost log]# mysql_secure_installation
Securing the MySQL server deployment.
Enter password for root user: 这里填grep 'temporary password' /var/log/mysqld.log命令显示出的密码
The existing password for the user account has expired. Please set a new password.
重新设置密码
New password:
Re-enter new password:
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
密码强度插件
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 2
Using existing root password.
Estimated strength of the password: 100
Change the root password? (Press y|Y for Yes, any other key for No) : n
... skipping.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
删除anonymous用户,
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
是都禁止root远程连接
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : n
... skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
删除test数据库
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
重新载入权限表
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!
php
yum install epel-release
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum install --enablerepo=remi --enablerepo=remi-php56 php php-fpm php-opcache php-devel php-mbstring php-mcrypt php-mysqlnd php-phpunit-PHPUnit php-pecl-xdebug php-pecl-xhprof
整合nginx和php
修改vi /etc/php.ini
cgi.fix_pathinfo=0
修改nginx配置文件
vim /etc/nginx/conf.d/default.conf
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
root /usr/share/nginx/html;
location / {
#root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
#root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
location ~ \.php$ {
# root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
[root@localhost log]# systemctl start php-fpm.service
[root@localhost log]# systemctl restart nginx.service
ok
php和mysql
新建一个文件连接mysql试试
<?php
$con = mysql_connect("192.168.208.6:3306","root","testTEST!@#123");
if($con){
echo "ok";
}else{
echo mysql_error();
}
?>
但是连接报错
Permission denied
于是用远程连接mysql试试看
进入mysql
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'IDENTIFIED BY 'testTEST!@#123' WITH GRANT OPTION;
FLUSH PRIVILEGES;
然后再本机上面用远程连接时ok的,于是试着关掉selinux,
setenforce 0
就ok了
于是再开启selinux,查看http相关的selinux选项
[root@localhost html]# getsebool -a|grep -i httpd | grep net
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
修改selinux的选项
[root@localhost html]# setsebool -P httpd_can_network_connect=1
再就ok了~~~
转载http://www.haiyun.me/archives/iptables-recent.html
未完待续
记录下
recent这个模块很有趣,善加利用可充分保证您服务器安全。
设定常用参数:
--name #设定列表名称,默认DEFAULT。
--rsource #源地址,此为默认。
--rdest #目的地址
--seconds #指定时间内
--hitcount #命中次数
--set #将地址添加进列表,并更新信息,包含地址加入的时间戳。
--rcheck #检查地址是否在列表,以第一个匹配开始计算时间。
--update #和rcheck类似,以最后一个匹配计算时间。
--remove #在列表里删除相应地址,后跟列表名称及地址。
示例:
1.限制80端口60秒内每个IP只能发起10个新连接,超过记录日记及丢失数据包,可防CC及非伪造IP的syn flood
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix 'DDOS:' --log-ip-options
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --rcheck --seconds 60 --hitcount 10 -j DROP
iptables -A INPUT -p tcp --dport 80 --syn -m recent --name webpool --set -j ACCEPT
备忘:每个IP目标端口为80的新连接会记录在案,可在/proc/net/xt_recent/目录内查看,rcheck检查此IP是否在案及请求次数,如果超过规则就丢弃数据包,否则进入下条规则并更新列表信息。
2.发送特定指定执行相应操作,按上例如果自己IP被阻止了,可设置解锁哦。
iptables -A INPUT -p tcp --dport 5000 --syn -j LOG --log-prefix "WEBOPEN: "
#记录日志,前缀WEBOPEN:
iptables -A INPUT -p tcp --dport 5000 --syn -m recent --remove --name webpool --rsource -j REJECT --reject-with tcp-reset
#符合规则即删除webpool列表内的本IP记录
3.芝麻开门,默认封闭SSH端口,为您的SSH服务器设置开门暗语。
iptables -A INPUT -p tcp --dport 50001 --syn -j LOG --log-prefix "SSHOPEN: "
#记录日志,前缀SSHOPEN:
iptables -A INPUT -p tcp --dport 50001 --syn -m recent --set --name sshopen --rsource -j REJECT --reject-with tcp-reset
#目标端口tcp50001的新数据设定列表为sshopen返回TCP重置,并记录源地址。
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
#开启SSH端口,15秒内允许记录的源地址登录SSH。
nc host 50001 #开门钥匙
telnet host 50001
nmap -sS host 50001
指定端口容易被破解密钥,可以使用ping指定数据包大小为开门钥匙。
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -j LOG --log-prefix "SSHOPEN: "
#记录日志,前缀SSHOPEN:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
#指定数据包78字节,包含IP头部20字节,ICMP头部8字节。
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
ping -s 50 host #Linux下解锁
ping -l 50 host #Windows下解锁
在安装完LAMP之后,因为没有开启防火墙,www的请求会被防火墙档掉,所以来配置下防火墙
这里是配置的防火墙的sheel,摘自鸟哥的linux私房菜
我注释掉了一些
#!/bin/bash
# 请先输入您的相关参数,不要输入错误了!
EXTIF='eth0' # 这个是可以连上 Public IP 的网络接口
INIF='' # 内部 LAN 的连接接口;若无则写成 INIF=""
INNET='' # 若无内部网域接口,请填写成 INNET=""
export EXTIF INIF INNET
# 第一部份,针对本机的防火墙设定!##########################################
# 1. 先设定好核心的网络功能:
#阻挡ddos攻击
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#>>ping broadcast 地址时才取消 ping 的回应
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#rp_filter丢弃不合理的封包,log_martians记录不合法的ip
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}
do
echo "1" > $i;
done
#>>关闭掉的功能
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}
do
echo "0" > $i;
done
# 2. 清除规则、设定默认政策及开放 lo 与相关的设定值
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
#清除filter table规则
iptables -F
iptables -X
iptables -Z
#设置filter表的链的默认的规则
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#设置信任装置
iptables -A INPUT -i lo -j ACCEPT
# ESTABLISHED:已经联机成功的联机状态;RELATED :这个最常用!表示这个封包是与我们主机发送出去的封包有关
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. 启动额外的防火墙 script 模块
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
sh /usr/local/virus/httpd-err/iptables.http
fi
#记录到指定端口的连接
iptables -A INPUT -p tcp --dport 22306 -i $EXTIF -m state --state NEW -m recent --set --name sshcount
#检测如果在30秒内的连接数达到3次则拒绝连接
iptables -A INPUT -p tcp --dport 22306 -i $EXTIF -m state --state NEW -m recent --update --seconds 30 --hitcount 4 --name sshcount -j DROP
#记录日志,前缀SSHOPEN:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
#指定数据包78字节,包含IP头部20字节,ICMP头部8字节。
iptables -A INPUT -p tcp --dport 22306 --syn -m recent --rcheck --seconds 15000 --name sshopen --rsource -j ACCEPT
# 5. 允许某些服务的进入,请依照你自己的环境开启
# iptables -A INPUT -p TCP -i $EXTIF --dport 21 --sport 1024:65534 -j ACCEPT # FTP
#iptables -A INPUT -p TCP -i $EXTIF --dport 22306 --sport 1024:65534 -j ACCEPT # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
iptables -A INPUT -p TCP -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS
# 第二部份,针对后端主机的防火墙设定!###############################
# 1. 先加载一些有用的模块
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
testmod=`lsmod | grep "^${mod} " | awk '{print $1}'`
if [ "$testmod" == "" ]; then
modprobe $mod
fi
done
# 2. 清除 NAT table 的规则吧!,没有用到,就先注释了
#iptables -F -t nat
#iptables -X -t nat
#iptables -Z -t nat
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -P OUTPUT ACCEPT
# 3. 若有内部接口的存在 (双网卡) 开放成为路由器,且为 IP 分享器!
if [ "$INIF" != "" ]; then
iptables -A INPUT -i $INIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
if [ "$INNET" != "" ]; then
for innet in $INNET
do
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
done
fi
fi
# 如果你的 MSN 一直无法联机,或者是某些网站 OK 某些网站不 OK,
# 可能是 MTU 的问题,那你可以将底下这一行给他取消批注来启动 MTU 限制范围
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
# --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# 4. NAT 服务器后端的 LAN 内对外之服务器设定
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
# -j DNAT --to-destination 192.168.1.210:80 # WWW
# 5. 特殊的功能,包括 Windows 远程桌面所产生的规则,假设桌面主机为 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 \
# -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 \
# -j DNAT --to-destination 192.168.100.20
# 6. 最终将这些功能储存下来吧!
/etc/init.d/iptables save
另外,我是从windows下上传这个文件到linux上去执行的,各种报错,开始以为是真的语法有错误,后来才知道是文件格式的问题,用dos2unix转换一下就好了...