Linux Technical Discussion Forum: Implementation Plan
Author: Mr.Li
Reviewer: Mr.Li
Date: 2018-06-10
1. Project requirements
[Project name]
Build a small-to-medium forum website platform
[Project description]
Design a small-to-medium enterprise website platform architecture that can handle the company's daily traffic of 30,000-50,000 page views. The project must cover security, backup, monitoring, and shell-script automation.
[Project assessment]
1. Draw the site architecture topology with Visio;
2. Build an LNMP stack;
3. Deploy an application on the web stack (for example a Discuz forum);
4. The overall plan must cover load handling, security, tuning, monitoring, and backup.
Project name: XXXXX
2. Network topology design
Equipment list:
Hostname | Host IP       | Role                       | Notes
ZABBIX   | 192.168.1.226 | Monitors server health     |
LNMP     | 192.168.1.227 | Discuz forum server        |
data     | 192.168.1.229 | Backup data storage server |
3. Prepare the LNMP packages
3.1 Set up the installation environment and upload the packages
Confirm that the network yum repos (CentOS base, MySQL, EPEL) are present:
[root@lnmp ~]# ls /etc/yum.repos.d/
CentOS7-Base-163.repo epel-testing.repo mysql-community.repo
epel.repo local-base.repo mysql-community-source.repo
Upload the LNMP software packages:
nginx-1.10
mysql-5.6
pcre-8.42
php-7.0
Download locations:
https://sourceforge.net/projects/pcre/
http://nginx.org/en/download.html
https://dev.mysql.com/downloads/mysql/5.6.html#downloads
Install the rz upload tool:
[root@lnmp ~]# yum -y install lrzsz
[root@lnmp ~]# rz
[root@lnmp ~]# ls
mysql-5.6.35.tar.gz nginx-1.10.3.tar.gz pcre-8.42.zip php-7.0.18.tar.gz
4. Install Nginx
4.1 Unpack pcre
[root@lnmp ~]# unzip pcre-8.42.zip -d /usr/local/src/
4.2 Install the build dependencies
[root@lnmp ~]# yum -y install gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre*
4.3 Create the nginx service user
[root@lnmp ~]# useradd -M -s /sbin/nologin nginx
4.4 Unpack Nginx
[root@lnmp ~]# tar xf nginx-1.10.3.tar.gz -C ./
[root@lnmp ~]# cd nginx-1.10.3
4.5 Configure the nginx install path
[root@lnmp nginx-1.10.3]# ./configure --prefix=/usr/local/nginx --with-http_dav_module --with-http_stub_status_module --with-http_addition_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.42 --user=nginx --group=nginx
4.6 Compile and install
[root@lnmp nginx-1.10.3]# make -j 4 && make install
Check whether the build failed; a non-zero exit status means an error:
[root@lnmp nginx-1.10.3]# echo $?
4.7 Edit the configuration file
[root@lnmp nginx-1.10.3]# vim /usr/local/nginx/conf/nginx.conf
4.8 Create the start-up files
Create a symlink so nginx can be started by name:
[root@lnmp nginx-1.10.3]# ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/
Write the init script:
[root@lnmp nginx-1.10.3]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 99 2
# description: Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
    $PROG
    ;;
stop)
    # SIGQUIT asks the nginx master process to shut down gracefully
    kill -3 $(cat $PIDF)
    ;;
restart)
    # ignore a failed stop (nginx not running) and start anyway
    $0 stop &> /dev/null
    $0 start
    ;;
reload)
    # SIGHUP makes nginx re-read its configuration without dropping connections
    kill -1 $(cat $PIDF)
    ;;
*)
    echo "Usage: $0 { start | stop | restart | reload }"
    exit 1
esac
exit 0
Make it executable:
[root@lnmp nginx-1.10.3]# chmod +x !$
chmod +x /etc/init.d/nginx
Add it to start at boot:
[root@lnmp nginx-1.10.3]# chkconfig --add nginx
[root@lnmp nginx-1.10.3]# chkconfig nginx on
4.9 Start nginx
[root@lnmp nginx-1.10.3]# nginx
4.10 Verify in a web browser
[root@lnmp ~]# nginx -t    # checks the configuration file for errors
[root@lnmp ~]# nginx -V    # shows the version and the build/install paths
5. Install MySQL 5.6
5.1 Environment preparation
Note: a separate 50 GB disk is added (it would be larger in a real environment) to hold the MySQL installation and its data.
[root@lnmp ~]# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb
5.1.1 Create a partition
[root@lnmp ~]# fdisk /dev/sdb
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xa53676b9.
Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1):    # press Enter for the default, or type 1
First sector (2048-104857599, default 2048):    # press Enter for the default
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-104857599, default 104857599):    # press Enter to give the whole disk to this partition
Using default value 104857599
Partition 1 of type Linux and of size 50 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
5.1.2 Create the mount point
[root@lnmp ~]# mkdir /mysql-data
5.1.3 Format the partition
[root@lnmp ~]# mkfs.xfs /dev/sdb1
5.1.4 Look up the UUID of the new partition
[root@lnmp ~]# sudo blkid /dev/sdb1
5.1.5 Add it to fstab so it is mounted at boot
[root@lnmp ~]# vim /etc/fstab
5.1.6 Mount everything listed in fstab
[root@lnmp ~]# mount -a
5.1.7 Check the current mounts
[root@lnmp ~]# df -Th
/dev/sdb1 xfs 50G 33M 50G 1% /mysql-data
5.2 Remove the distribution's bundled MySQL/MariaDB
[root@lnmp ~]# rpm -qa | grep mariadb
[root@lnmp ~]# rpm -qa | grep mysql
5.3 Install the MySQL build dependencies
[root@lnmp ~]# yum -y install gcc gcc-c++ autoconf automake zlib* libxml* ncurses-devel libtool-ltdl-devel* make cmake
5.3.1 Create the system service user
[root@lnmp ~]# useradd -M -s /sbin/nologin -r mysql
5.4 Unpack MySQL 5.6 and enter the source directory
[root@lnmp ~]# tar -xf mysql-5.6.35.tar.gz
[root@lnmp ~]# cd mysql-5.6.35
5.5 Configure the MySQL install path and character set
[root@lnmp mysql-5.6.35]# cmake \
-DCMAKE_INSTALL_PREFIX=/mysql-data/mysql \
-DMYSQL_UNIX_ADDR=/tmp/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_EXTRA_CHARSETS=all \
-DWITH_MYISAM_STORAGE_ENGINE=1 \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_MEMORY_STORAGE_ENGINE=1 \
-DWITH_READLINE=1 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_DATADIR=/mysql-data/mysql/data \
-DMYSQL_USER=mysql
Check whether the configure step failed:
[root@lnmp mysql-5.6.35]# echo $?    # non-zero means an error
5.6 Compile and install
[root@lnmp mysql-5.6.35]# make -j 4 && make install
[root@lnmp mysql-5.6.35]# echo $?    # non-zero means an error
Check whether the build failed (make -j 4 compiles with 4 parallel jobs; the default is 1).
5.7 Set ownership of the MySQL directory
[root@lnmp /]# chown -R mysql:mysql /mysql-data/
5.8 Set up the MySQL configuration
Copy the default configuration file:
[root@lnmp /]# cp /mysql-data/mysql/support-files/my-default.cnf /etc/my.cnf
Copy the default init script:
[root@lnmp /]# cp /mysql-data/mysql/support-files/mysql.server /etc/init.d/mysqld
Edit the init script:
[root@lnmp /]# vim /etc/init.d/mysqld
Make it executable:
[root@lnmp /]# chmod +x /etc/init.d/mysqld
Add it to start at boot:
[root@lnmp /]# chkconfig --add mysqld
[root@lnmp /]# chkconfig mysqld on
Initialize MySQL:
[root@lnmp /]# /mysql-data/mysql/scripts/mysql_install_db --user=mysql --basedir=/mysql-data/mysql --datadir=/mysql-data/mysql/data
Run the MySQL secure-installation wizard:
[root@lnmp ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):    # the initial password is empty
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] y    # set the root password
New password:    # enter the new password, 123456
Re-enter new password:    # confirm the new password, 123456
Password updated successfully!
Reloading privilege tables..
 ... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y    # disallow anonymous logins
 ... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y    # disallow remote root login
 ... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y    # drop the test database
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y    # reload the privilege tables
 ... Success!
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
Cleaning up...
5.9 Start the database
[root@lnmp /]# /etc/init.d/mysqld start
Symlink the MySQL binaries so the system can call them directly:
[root@lnmp /]# ln -s /mysql-data/mysql/bin/* /usr/sbin/
6. Install PHP
With Nginx we use php-fpm to execute PHP pages. PHP-FPM is in effect a patch to the PHP source that integrates FastCGI process management into the PHP package; it has to be patched into your PHP source, and PHP compiled and installed, before it can be used.
6.1 Unpack PHP
[root@lnmp ~]# tar xf php-5.6.36.tar.gz
[root@lnmp ~]# cd php-5.6.36
6.2 Configure the install and config-file paths
[root@lnmp php-5.6.36]# ./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/ --enable-fpm --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-gettext --disable-fileinfo --enable-maintainer-zts
Note: configure may stop with missing-library errors like the ones in the original screenshots (not reproduced here).
Fix: yum -y install curl-devel
Fix: yum -y install libjpeg-devel
Several more dependencies are omitted here. Ignore the php 7.0 screenshots above; the installation uses PHP 5.6.36. Install the dependencies in one go:
yum -y install php-mcrypt libmcrypt libmcrypt-devel php-pear libxml2 libxml2-devel curl curl-devel libjpeg libjpeg-devel libpng libpng-devel freetype-devel
6.3 Compile and install
[root@lnmp php-5.6.36]# make -j 4 && make install
6.4 Set up the php-fpm configuration file
Get into the habit of backing up before editing:
[root@lnmp php-5.6.36]# cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf.default.bak
Rename it, dropping the trailing .default:
[root@lnmp php-5.6.36]# mv /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
Set the run user and group:
[root@lnmp php-5.6.36]# vim /usr/local/php/etc/php-fpm.conf
6.5 Install the php.ini configuration file
[root@lnmp php-5.6.36]# cp php.ini-production /usr/local/php/php.ini
6.6 Install the php-fpm init script
[root@lnmp php-5.6.36]# cd /root/php-5.6.36/sapi/fpm/
[root@lnmp fpm]# cp init.d.php-fpm /etc/init.d/php-fpm
6.7 Make it executable
[root@lnmp fpm]# chmod +x /etc/init.d/php-fpm
6.8 Add it to the boot services
[root@lnmp fpm]# chkconfig --add php-fpm
Enable it at boot:
[root@lnmp fpm]# chkconfig php-fpm on
6.9 Start php-fpm
[root@lnmp fpm]# /etc/init.d/php-fpm start
Starting php-fpm  done
6.10 Test a PHP page
Create a PHP test page:
[root@lnmp fpm]# vim /usr/local/nginx/html/index.php
<?php
phpinfo();
?>
Restart nginx:
[root@lnmp fpm]# /etc/init.d/nginx restart
Open the page in a browser to test it.
7. Install the Discuz forum
Download: http://www.comsenz.com/downloads/install/discuz
Upload it to the server:
[root@lnmp ~]# rz
[root@lnmp ~]# ls
Discuz_7.2_FULL_SC_UTF8.zip  mysql-5.6.35.tar.gz  nginx-1.10.3.tar.gz  php-7.0.18  mysql-5.6.35  nginx-1.10.3  pcre-8.42.zip  php-7.0.18.tar.gz
7.1 Create a directory for Discuz
[root@lnmp ~]# mkdir discuz
Unpack into that directory:
[root@lnmp ~]# unzip -d ./discuz/ Discuz_7.2_FULL_SC_UTF8.zip
Move the install files under the web root:
[root@lnmp ~]# mv /root/discuz/upload/ /usr/local/nginx/html/bbs
7.2 Give Nginx access
[root@lnmp ~]# chown -R nginx:nginx /usr/local/nginx/html/bbs/
7.3 Create the Discuz database
[root@lnmp mysql]# mysql -uroot -p123456
mysql> create database Discuz;
mysql> grant all on Discuz.* to discuz@'%' identified by '123456';
mysql> flush privileges;
Test the login:
[root@lnmp mysql]# mysql -udiscuz -p123456
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.35 Source distribution
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
7.4 Install Discuz through the web installer
Edit the php.ini configuration file:
[root@lnmp ~]# vim /usr/local/php/php.ini
Restart the PHP service:
[root@lnmp ~]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
Return to the web page and continue the installation.
7.5 Troubleshooting: the MySQL module is not detected
Locate the phpize script:
[root@lnmp ~]# find / -name phpize
/root/php-5.6.36/scripts/phpize
/usr/local/php/bin/phpize
Change into the mysql extension directory of the PHP source tree:
[root@lnmp php]# cd /root/php-5.6.36/ext/mysql
Copy the phpize script into the current directory:
[root@lnmp mysql]# cp /usr/local/php/bin/phpize ./
Run it:
[root@lnmp mysql]# ./phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
Point it at the installed PHP and at the MySQL installation:
[root@lnmp mysql]# ./configure --with-php-config=/usr/local/php/bin/php-config --with-mysql=/mysql-data/mysql/
[root@lnmp mysql]# make && make install
Edit the configuration file and append a line at the end:
[root@lnmp mysql]# vim /usr/local/php/php.ini
[root@lnmp mysql]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
8. Set up Zabbix monitoring
Download: https://www.zabbix.com/download
8.1 Fetch and install the Zabbix repository package:
[root@zabbix ~]# wget http://repo.zabbix.com/zabbix/3.2/rhel/7/x86_64/zabbix-release-3.2-1.el7.noarch.rpm
[root@zabbix ~]# rpm -ivh http://repo.zabbix.com/zabbix/3.2/rhel/7/x86_64/zabbix-release-3.2-1.el7.noarch.rpm
8.2 Install the database
[root@zabbix ~]# yum -y install mariadb-devel mariadb-server
[root@zabbix zabbix]# mysql -uroot -p
Enter password:    # the password is empty on a fresh install
8.3 Create the database and grant a user
mysql> create database zabbix;
mysql> grant all privileges on zabbix.* to zabbix@'%' identified by '123456';
mysql> flush privileges;
8.4 Install the Zabbix packages
[root@zabbix ~]# yum install zabbix-get zabbix-sender zabbix-server-mysql zabbix-web zabbix-agent php-mysql
Check which rpm packages were installed:
[root@zabbix ~]# rpm -qa | grep zabbix
List the files of the server package:
[root@zabbix ~]# rpm -ql zabbix-server-mysql-3.2.11-1.el7.x86_64
Change into the directory holding the Zabbix database schema:
[root@zabbix ~]# cd /usr/share/doc/zabbix-server-mysql-3.2.11
8.5 Decompress the schema and import it into the database
[root@zabbix zabbix-server-mysql-3.2.11]# gzip -d create.sql.gz
[root@zabbix zabbix-server-mysql-3.2.11]# mysql -uroot -p zabbix < create.sql
Enter password:    # 123456
8.6 Set the database connection parameters in the server configuration
[root@zabbix ~]# vim /etc/zabbix/zabbix_server.conf
Set the time zone in the web front-end's Apache configuration:
[root@zabbix ~]# vim /etc/httpd/conf.d/zabbix.conf
8.7 Start the services and enable them at boot
[root@zabbix ~]# systemctl start httpd
[root@zabbix ~]# systemctl start mariadb
[root@zabbix ~]# systemctl start zabbix-server
[root@zabbix ~]# systemctl start zabbix-agent
[root@zabbix ~]# systemctl enable httpd
[root@zabbix ~]# systemctl enable mariadb
[root@zabbix ~]# systemctl enable zabbix-agent
[root@zabbix ~]# systemctl enable zabbix-server
8.8 Complete the Zabbix installation in the web front-end
Replace the graph font with one that has Chinese glyphs:
[root@zabbix ~]# cd /usr/share/zabbix/fonts
[root@zabbix fonts]# rz
Delete or rename the original font file:
[root@zabbix fonts]# mv graphfont.ttf graphfont.ttf.bak
Rename the uploaded font:
[root@zabbix fonts]# mv msyhbd.ttf graphfont.ttf
9. Monitor hosts
9.1 Install the Zabbix agent
[root@lnmp ~]# yum -y install zabbix-agent zabbix-get
Edit the agent configuration file:
[root@lnmp /]# vim /etc/zabbix/zabbix_agentd.conf
Switch to the Zabbix server and test connectivity:
[root@zabbix ~]# /usr/bin/zabbix_get -s 192.168.1.227 -p 10050 -k system.uname
Linux lnmp.com 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
9.2 Add the monitored host
Choose a monitoring template.
9.3 Add nginx monitoring
Create a directory for scripts on the nginx server:
[root@lnmp ~]# mkdir -p /usr/local/zabbix-agent/scripts
Create a new script file:
[root@lnmp ~]# vim /usr/local/zabbix-agent/scripts/nginx-check.sh
#!/bin/bash
##################################
# Zabbix monitoring script
#
# nginx:
#  - anything available via nginx stub-status module
#
##################################
# Contact:
#   vincent.viallet@gmail.com

# Zabbix requested parameter
ZBX_REQ_DATA="$1"
ZBX_REQ_DATA_URL="$2"

# Nginx defaults
NGINX_STATUS_DEFAULT_URL="http://127.0.0.1/nginx_status"
WGET_BIN="/usr/bin/wget"

#
# Error handling:
#  - need to be displayable in Zabbix (avoid NOT_SUPPORTED)
#  - items need to be of type "float" (allow negative + float)
#
ERROR_NO_ACCESS_FILE="-0.9900"
ERROR_NO_ACCESS="-0.9901"
ERROR_WRONG_PARAM="-0.9902"
ERROR_DATA="-0.9903" # either can not connect / bad host / bad port

# Handle host and port if non-default
if [ ! -z "$ZBX_REQ_DATA_URL" ]; then
  URL="$ZBX_REQ_DATA_URL"
else
  URL="$NGINX_STATUS_DEFAULT_URL"
fi

# save the nginx stats in a variable for future parsing
NGINX_STATS=$($WGET_BIN -q "$URL" -O - 2> /dev/null)

# error during retrieve
if [ $? -ne 0 -o -z "$NGINX_STATS" ]; then
  echo $ERROR_DATA
  exit 1
fi

#
# Extract data from nginx stats
# stub_status output: line 1 is "Active connections: N", the numbers-only line
# " accepted handled requests" starts with a space (hence fields 2-4), and the
# last line is "Reading: R Writing: W Waiting: Q"
#
case $ZBX_REQ_DATA in
  active_connections)   echo "$NGINX_STATS" | head -1 | cut -f3 -d' ';;
  accepted_connections) echo "$NGINX_STATS" | grep -Ev '[a-zA-Z]' | cut -f2 -d' ';;
  handled_connections)  echo "$NGINX_STATS" | grep -Ev '[a-zA-Z]' | cut -f3 -d' ';;
  handled_requests)     echo "$NGINX_STATS" | grep -Ev '[a-zA-Z]' | cut -f4 -d' ';;
  reading)              echo "$NGINX_STATS" | tail -1 | cut -f2 -d' ';;
  writing)              echo "$NGINX_STATS" | tail -1 | cut -f4 -d' ';;
  waiting)              echo "$NGINX_STATS" | tail -1 | cut -f6 -d' ';;
  *) echo $ERROR_WRONG_PARAM; exit 1;;
esac

exit 0
Make it executable:
[root@lnmp ~]# chmod +x /usr/local/zabbix-agent/scripts/nginx-check.sh
Create a new agent configuration file for the nginx parameters:
[root@lnmp ~]# vim /etc/zabbix/zabbix_agentd.d/nginx-params.conf
Insert the following:
UserParameter=nginx[*],/usr/local/zabbix-agent/scripts/nginx-check.sh "$1"
Restart nginx and the Zabbix agent:
[root@lnmp ~]# systemctl restart nginx
[root@lnmp ~]# systemctl restart zabbix-agent
Back on the Zabbix server, test:
[root@zabbix ~]# zabbix_get -s 192.168.1.227 -p 10050 -k "nginx[reading]"
0
9.4 Import the nginx template in the web front-end
Template download:
https://pan.baidu.com/s/1qRdMB_1W6MUJ94VJ5rsNhg  (extraction code: xrmu)
9.5 Monitor MySQL
Grant a MySQL account:
[root@lnmp ~]# mysql -uroot -p123456
mysql> grant all on *.* to zabbix@'%' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Create a MySQL login configuration file:
[root@lnmp ~]# vim /etc/zabbix/.my.cnf
#Zabbix Agent
[mysql]
host=localhost
user=zabbix
password=123456
socket=/tmp/mysql.sock
[mysqladmin]
host=localhost
user=zabbix
password=123456
socket=/tmp/mysql.sock
Change the path the MySQL user parameters read their configuration from:
[root@lnmp ~]# vim /etc/zabbix/zabbix_agentd.conf
Replace the HOME path in the shipped user-parameter file:
[root@lnmp ~]# sed -i 's@HOME=/var/lib/zabbix@HOME=/etc/zabbix@g' /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf
[root@lnmp ~]# systemctl restart zabbix-agent
Add the MySQL template to the host.
9.6 Set up e-mail alerts
[root@zabbix ~]# yum -y install mailx sendmail
[root@zabbix ~]# cp /etc/mail.rc /etc/mail.rc.bak
[root@zabbix ~]# vim /etc/mail.rc
set from=lzq690813425@163.com
set smtp=smtp.163.com
set smtp-auth-user=lzq690813425@163.com
set smtp-auth-password=nizhuangB520
set smtp-auth=login
[root@zabbix ~]# echo "zabbix test mail" | mailx -s "zabbix" 690813425@qq.com
[root@zabbix ~]# vim /usr/lib/zabbix/alertscripts/sendmail.sh
#!/bin/bash
# Zabbix alert script: $1 = recipient, $2 = subject, $3 = message body
# strip the carriage returns that the Zabbix front-end leaves in the text
messages=$(echo "$3" | tr -d '\r')
subject=$(echo "$2" | tr -d '\r')
echo "${messages}" | mailx -s "${subject}" "$1" >> /tmp/sendmail.log 2>&1
[root@zabbix ~]# chmod +x /usr/lib/zabbix/alertscripts/sendmail.sh
[root@zabbix ~]# chown zabbix:zabbix /usr/lib/zabbix/alertscripts/sendmail.sh
[root@zabbix ~]# /usr/lib/zabbix/alertscripts/sendmail.sh 690813425@qq.com "好好学习" "努力就有收获"
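Both /etc/zabbix/.my.cnf (9.5) and /etc/mail.rc (9.6) hold passwords in clear text, so they should be readable only by the account that needs them. The check below is an added example, not part of the original plan; it assumes GNU coreutils stat (as shipped with CentOS 7) and takes the expected owner as a parameter.

```bash
#!/bin/bash
# Added example (not from the original plan): verify that a credential file such as
# /etc/zabbix/.my.cnf or /etc/mail.rc is owned by the expected account and has no
# group/other permission bits, so the embedded password is not readable by other users.
# Assumes GNU coreutils stat, as shipped with CentOS 7.

# check_secret_file PATH OWNER
#   returns 0 and prints "OK ..." when PATH is owned by OWNER and its octal mode ends
#   in 00 (owner-only access); returns 1 and prints the reason otherwise.
check_secret_file() {
  local path="$1" owner="$2" mode file_owner
  if [ ! -f "$path" ]; then
    echo "MISSING $path"
    return 1
  fi
  mode=$(stat -c '%a' "$path")         # octal mode, e.g. 600 or 644
  file_owner=$(stat -c '%U' "$path")   # owning user name
  if [ "$file_owner" != "$owner" ]; then
    echo "BAD $path: owned by $file_owner, expected $owner"
    return 1
  fi
  case "$mode" in
    *00) echo "OK $path: mode $mode, owner $owner" ;;
    *)   echo "BAD $path: mode $mode lets group/other read the password"
         return 1 ;;
  esac
}

# The two credential files this plan creates. The Zabbix agent and the alert script
# run as the zabbix user, so that account is passed as the expected owner.
for f in /etc/zabbix/.my.cnf /etc/mail.rc; do
  check_secret_file "$f" zabbix || true   # report, but keep checking the next file
done
```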
10. Host security
10.1 Use fail2ban to block SSH brute-force attempts
Install the iptables service:
[root@lnmp ~]# yum -y install iptables-services
Allow the service ports:
[root@lnmp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@lnmp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@lnmp ~]# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
10.2 Download fail2ban
10.3 Upload it to the server, unpack and install
[root@lnmp ~]# tar -xf fail2ban-0.8.14.tar.gz
[root@lnmp ~]# cd fail2ban-0.8.14
Check the Python version; 2.5 or newer is fine:
[root@lnmp fail2ban-0.8.14]# python -V
Python 2.7.5
[root@lnmp fail2ban-0.8.14]# python setup.py install
Copy the init script:
[root@lnmp fail2ban-0.8.14]# cp files/redhat-initd /etc/rc.d/init.d/fail2ban
Add it to the boot services:
[root@lnmp fail2ban-0.8.14]# chkconfig --add fail2ban
Check the chkconfig header it was registered with:
[root@lnmp fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:#chkconfig: - 92 08
Edit the configuration file:
[root@lnmp fail2ban-0.8.14]# vim /etc/fail2ban/jail.conf
# whether this jail is active (true/false); change it to true
enabled  = true
# name of the filter, matching filter.d/sshd.conf
filter   = sshd
# action parameters, matching action.d/iptables.conf;
# the second action e-mails a whois report on every ban
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
# the system login log to scan; this must be the sshd log (the default is logpath = /var/log/sshd.log)
logpath  = /var/log/secure
# 3 failed password attempts within 5 minutes ban the client IP for 1 hour:
# bantime: ban the IP for 1 hour; findtime: count failures within a 5-minute window;
# maxretry: 3 failed password attempts
bantime  = 3600
findtime = 300
maxretry = 3
Start it:
[root@lnmp fail2ban-0.8.14]# systemctl start fail2ban
[root@lnmp fail2ban-0.8.14]# chkconfig fail2ban on
[root@lnmp fail2ban-0.8.14]# > /var/log/secure
Testing
1. If you made a mistake and want to clear the records and start over, just truncate the log with > /var/log/secure:
[root@lnmp fail2ban-0.8.14]# systemctl restart fail2ban
2. If iptables is later flushed or restarted, fail2ban must be restarted as well.
3. If the default SSH port 22 is changed to 2018, reconfigure fail2ban to monitor sshd on the new port.
The configuration files need to be edited:
[root@lnmp fail2ban]# vim jail.conf
# change the port in the iptables action; the default is ssh.
Change port=ssh to port=2018
[root@lnmp fail2ban]# vim /etc/fail2ban/action.d/iptables.conf
# change the default port in the action file: change port=ssh to port=2018
Then restart the service.
4. To have fail2ban send alert e-mails, make sure the system's mail service can actually send mail.
Send a test message to a mailbox to check:
echo "test mail" | mail -s test lzq690813425@163.com
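To make the three jail parameters above concrete, here is an added example (not part of the original plan and not fail2ban's own code) that replays the sshd filter's logic over constructed log lines in the /var/log/secure format: an IP that reaches maxretry (3) failed passwords inside findtime (300 s) is reported, and the rule that the configured iptables[name=SSH] action would insert is printed rather than executed. Timestamps are treated as same-day times; fail2ban itself parses full dates.

```bash
#!/bin/bash
# Added example, not from the original plan or from fail2ban: replays the sshd jail's
# logic (maxretry=3 failures within findtime=300 s) over constructed /var/log/secure
# lines and shows which client IPs the jail would ban. Nothing here touches iptables.

FINDTIME=300   # seconds, as in jail.conf
MAXRETRY=3     # failures, as in jail.conf

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# 198.51.100.7 fails three times but 20 minutes apart; 203.0.113.5 fails three times
# within 150 seconds; the last line is a successful key login and must be ignored.
SAMPLE_LOG='Jun 10 19:00:00 lnmp sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun 10 19:20:00 lnmp sshd[2002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jun 10 19:40:00 lnmp sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jun 10 19:40:01 lnmp sshd[2101]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jun 10 19:41:10 lnmp sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jun 10 19:42:30 lnmp sshd[2103]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jun 10 19:43:00 lnmp sshd[2104]: Accepted publickey for rsync from 192.168.1.229 port 50000 ssh2'

# ban_candidates LOGTEXT
#   prints each IP (once) that reaches MAXRETRY failed passwords inside a FINDTIME window.
ban_candidates() {
  printf '%s\n' "$1" | awk -v win="$FINDTIME" -v max="$MAXRETRY" '
    / sshd\[[0-9]+\]: Failed password for / {
      # HH:MM:SS -> seconds since midnight (same-day sample; fail2ban parses full dates)
      split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; stamp[ip, n[ip]] = ts
      # count the failures of this IP that fall inside the window ending now
      c = 0
      for (k = 1; k <= n[ip]; k++) if (ts - stamp[ip, k] < win) c++
      if (c >= max && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# ban_actions LOGTEXT
#   prints the rule that the iptables[name=SSH] action (actionban in
#   action.d/iptables.conf, fail2ban 0.8) would insert for each ban; printed, not run.
ban_actions() {
  ban_candidates "$1" | while read -r ip; do
    printf 'iptables -I fail2ban-SSH 1 -s %s -j DROP\n' "$ip"
  done
}

echo "IPs the jail would ban:"
ban_candidates "$SAMPLE_LOG"
echo "Equivalent iptables action:"
ban_actions "$SAMPLE_LOG"
```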
11. Scheduled data backup
Use rsync to back up the nginx and MySQL data on a schedule. The rsync service depends on xinetd (it is managed by the super-server), so the rsync server must be installed on the target (storage) machine.
Before installing, check the current rsync version on both systems and keep them the same where possible.
Backup storage side:
[root@data ~]# rpm -qa | grep rsync
rsync-3.1.2-4.el7.x86_64
Source data side:
[root@lnmp ~]# rpm -qa | grep rsync
rsync-3.1.2-4.el7.x86_64
Install the xinetd service on the backup side:
[root@data ~]# yum -y install xinetd
[root@data ~]# rsync --daemon
[root@data ~]# netstat -antup | grep 873
tcp   0  0 0.0.0.0:873   0.0.0.0:*   LISTEN   1763/rsync
tcp6  0  0 :::873        :::*        LISTEN   1763/rsync
11.1 rsync options
-a, --archive    archive mode, equivalent to -rlptgoD: recurse and preserve permissions, ownership, times and other attributes
-z, --compress   compress file data during the transfer
-v, --verbose    verbose output
--delete         delete files on the destination that no longer exist on the source
11.2 Create the rsync user and set its password
[root@data ~]# useradd rsync ; echo rsync:abcd123 | chpasswd
[root@lnmp ~]# useradd rsync ; echo rsync:abcd123 | chpasswd
11.3 Grant access with ACLs
Source data side:
[root@lnmp ~]# setfacl -R -m user:rsync:rwx /mysql-data/mysql/data/
[root@lnmp ~]# setfacl -R -m user:rsync:rwx /usr/local/nginx/html/
Check the ACL:
[root@lnmp ~]# getfacl /usr/local/nginx/html/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/nginx/html/
# owner: root
# group: root
user::rwx
user:rsync:rwx
group::r-x
mask::rwx
other::r-x
11.4 Backup storage side:
Create the storage directories:
[root@data /]# mkdir /backup
[root@data /]# mkdir /backup/nginx-web
[root@data /]# mkdir /backup/mysql-data
Set the owner and group:
[root@data ~]# chown -R rsync:rsync /backup/
[root@data ~]# ll /backup/
total 8
drwxr-xr-x 2 rsync rsync 4096 Jun 10 10:14 mysql-data
drwxr-xr-x 2 rsync rsync 4096 Jun 10 10:14 nginx-web
11.5 Test that rsync works
[root@lnmp ~]# rsync -avz --delete /usr/local/nginx/html/ rsync@192.168.1.229:/backup/nginx-web/
Go back to the backup side and check that the data arrived:
[root@data ~]# ll /backup/nginx-web/
total 16
drwxrwxrwx 18 rsync rsync 4096 Jan  6  2010 bbs
-rw-rwxr--  1 rsync rsync  203 Jun  6 10:38 index.php
drwxrwxr-x  2 rsync rsync 4096 Jan  6  2010 readme
drwxrwxr-x  2 rsync rsync 4096 Jan  6  2010 utilities
11.6 Scheduled backup with a script
11.6.1 Switch to the rsync user
[root@lnmp ~]# su - rsync
Last login: Sun Jun 10 19:41:48 CST 2018 on pts/0
11.6.2 Write the backup script
[rsync@lnmp ~]$ vim backup.sh
Script contents:
#!/bin/bash
remotedir=/backup/nginx-web     # directory on the backup storage host
basedir=/usr/local/nginx/html   # source data directory (no trailing slash, so html/ itself is created under remotedir)
host=192.168.1.229              # backup storage host IP
id=rsync                        # run the backup as the rsync user
rsync -av -e ssh "$basedir" "${id}@${host}:${remotedir}"
Nginx-web data backup script:
Mysql-data data backup script:
11.6.3 Make them executable
[rsync@lnmp ~]$ chmod +x mysql-backup.sh
[rsync@lnmp ~]$ chmod +x nginx-backup.sh
11.6.4 Set up SSH key login for the rsync user
[rsync@lnmp ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rsync/.ssh/id_rsa):
# prompts for the key file path; press Enter for the default
Enter passphrase (empty for no passphrase):
Next it asks for a passphrase. This passphrase protects the generated private key file (/root/.ssh/id_dsa); press Enter if you do not want one.
Enter same passphrase again:
Your identification has been saved in /home/rsync/.ssh/id_rsa.
Your public key has been saved in /home/rsync/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/n5ts4S8cg9jaqDy7ImInOmvSxQ9narCaHOLgsSEdu0 rsync@lnmp
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . . |
|.. o.o |
|.o..o. |
|+.... S |
|+o. E .. .. |
|=* . ... *.. |
|B.*.oo.. .ooo=+ |
|+O=o.+= o++.ooo |
+----[SHA256]-----+
[rsync@lnmp ~]$ cd .ssh/
[rsync@lnmp .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
11.6.5 Upload the public key to the backup server
[rsync@lnmp .ssh]$ ssh-copy-id -i ~/.ssh/id_rsa.pub rsync@192.168.1.229
11.6.6 Test the key-based login
[rsync@lnmp .ssh]$ ssh rsync@192.168.1.229
Last login: Sun Jun 10 11:38:13 2018 from 192.168.1.227
[rsync@data ~]$ exit
11.6.7 Schedule the backup scripts with cron
[rsync@lnmp ~]$ crontab -e
0 4 * * * /home/rsync/mysql-backup.sh &> /dev/null
0 5 * * * /home/rsync/nginx-backup.sh &> /dev/null
Change the LNMP server's time, then check on the backup side whether the backup succeeded. Done.