APT404 - Do No Evil

On the road, always on the road!

centOS7_x64 + Httpd 2.4.27 + Mysql 5.7.18 + Php 7.1.9



1. First, deploy Apache

0x01 I won't go into the CentOS 7 installation in detail: as before it is a minimal install, selecting only the necessary system libraries and common tools. Remember to disable SELinux and the system firewall first. The packages used for this deployment are as follows:

apr-1.6.2.tar.gz
apr-util-1.6.0.tar.gz
cronolog-1.6.2.tar.gz
httpd-2.4.27.tar.gz
libiconv-1.14.tar.gz
mysql-5.7.18-linux-glibc2.5-x86_64.tar.gz
php-7.1.9.tar.gz

The architecture to be built is roughly as follows:

centOS7_x64 + httpd 2.4.27 + mysql 5.7.18 + php 7.1.9

0x02 Compile and install httpd 2.4.27. As before, install the various dependency libraries first. The steps are:

# yum install zlib zlib-devel pcre pcre-devel openssl openssl-devel libtool libtool-ltdl-devel -y
# tar xf apr-1.6.2.tar.gz
# cd apr-1.6.2 && ./configure --prefix=/usr/local/apr && make && make install
# yum install expat-devel -y
# tar xf apr-util-1.6.0.tar.gz && cd apr-util-1.6.0
# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr/ && make && make install
# useradd web -s /sbin/nologin -M
# tar xf httpd-2.4.27.tar.gz
# cd httpd-2.4.27

# ./configure --prefix=/usr/local/httpd-2.4.27 \
--enable-deflate \
--enable-expires \
--enable-headers \
--enable-ssl \
--with-pcre \
--enable-cgi \
--enable-modules=most \
--enable-so \
--with-mpm=worker \
--enable-rewrite \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util \
--libdir=/usr/lib64

# make && make install
# ll /usr/local/
# ln -s /usr/local/httpd-2.4.27/ /usr/local/httpd
# mkdir /var/html/{bwapp,wp,discuz,drupal,joomla,phpcms,phpbb,dvwa} -p
# cd /usr/local/httpd/conf/
# cp httpd.conf httpd.conf.bak && egrep -v "^$|#" httpd.conf > httpd.min.conf
# cat httpd.min.conf > httpd.conf

0x03 Edit the main Apache configuration file

# vi httpd.conf

ServerRoot "/usr/local/httpd-2.4.27"
ServerName localhost:80
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfModule !mpm_prefork_module>
</IfModule>
<IfModule mpm_prefork_module>
</IfModule>
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
<IfModule unixd_module>
User web
Group web
</IfModule>
ServerAdmin sec@secheight.com
<Directory />
AllowOverride none
Allow from all
</Directory>
DocumentRoot "/usr/local/httpd-2.4.27/htdocs"
<Directory "/usr/local/httpd-2.4.27/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/httpd-2.4.27/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/httpd-2.4.27/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-default.conf
<Directory "/var/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

0x04 Configure the various extra features

Add a virtual host

# vi /usr/local/httpd/conf/extra/httpd-vhosts.conf

<VirtualHost *:80>
ServerAdmin bwapp@bwapp.com
DocumentRoot "/var/html/bwapp"
ServerName bwapp.com
ServerAlias www.bwapp.com
ErrorLog "logs/bwapp.com-error_log"
CustomLog "logs/bwapp.com-access_log" common
</VirtualHost>

0x05 Rotate the access log automatically

# tar xf cronolog-1.6.2.tar.gz
# cd cronolog-1.6.2
# ./configure && make && make install

<VirtualHost *:80>
ServerAdmin bwapp@bwapp.com
DocumentRoot "/var/html/bwapp"
ServerName bwapp.com
ServerAlias www.bwapp.com
ErrorLog "logs/bwapp.com-error_log"
CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/bwapp.com-access_%Y%m%d.log" combined
</VirtualHost>

0x06 Simple Apache tuning

Adjust Apache's default concurrency

# vi /usr/local/httpd/conf/extra/httpd-mpm.conf
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>

Hide sensitive Apache version information at the configuration-file level

# vi /usr/local/httpd/conf/extra/httpd-default.conf

Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
ServerSignature Off
HostnameLookups Off
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl start
# echo "/usr/local/httpd/bin/apachectl start" >> /etc/rc.local
# systemctl stop firewalld
# systemctl disable firewalld

2. Deploy MySQL [to save time, this deployment uses the binary package]

0x01 Preparation before installing

# yum -y install gcc glibc libaio libstdc++

0x02 Write the main MySQL configuration file, my.cnf

# cp /etc/my.cnf /etc/my.cnf.bak
# > /etc/my.cnf
# vi /etc/my.cnf

[mysqld]
user=mysql
port = 3306
server_id = 1
socket=/tmp/mysql.sock
basedir =/usr/local/mysql
datadir =/usr/local/mysql/data
pid-file=/usr/local/mysql/data/mysqld.pid
log-error=/usr/local/mysql/log/mysql-error.log

0x03 Install and initialize MySQL

# tar xf mysql-5.7.18-linux-glibc2.5-x86_64.tar.gz
# mv mysql-5.7.18-linux-glibc2.5-x86_64 /usr/local/
# cd /usr/local/
# ln -s mysql-5.7.18-linux-glibc2.5-x86_64/ mysql
# echo 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/profile
# source /etc/profile
# groupadd mysql
# useradd -r -g mysql -s /bin/false mysql
# cd mysql
# mkdir log
# chown -R mysql:mysql . && ll
# mysqld --defaults-file=/etc/my.cnf --initialize --user=mysql --explicit_defaults_for_timestamp
# cat /usr/local/mysql/log/mysql-error.log
root@localhost: (aAEs.S5csf:

# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
# /etc/init.d/mysqld start
# /etc/init.d/mysqld stop
# echo "/etc/init.d/mysqld start" >> /etc/rc.local
# echo 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/profile
# source /etc/profile
# mysqld_safe --skip-grant-tables &
# mysql -uroot -p
mysql> use mysql;
mysql> update user set authentication_string=password("admin") where user="root" and Host = 'localhost';
mysql> flush privileges;
mysql> exit
# pkill mysqld
# /etc/init.d/mysqld start
# mysql -uroot -p
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'mysql';
mysql> use mysql;
mysql> select Host,User from user;
mysql> grant all on *.* to 'root'@'%' identified by 'admin' with grant option;
mysql> flush privileges;
mysql> exit

3. Deploy PHP

0x01 As before, install the required dependency libraries first; they are split over several lines here so they are easier to copy.

# yum install -y zlib zlib-devel libxml2-devel libxslt-devel
# yum install -y libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel
# yum install -y gd gd-devel curl curl-devel bison-devel
# yum install -y libedit-devel readline-devel sqlite-devel libzip
# yum install -y epel-release
# yum install -y libmcrypt libmcrypt-devel mcrypt mhash mhash-devel openssl openssl-devel
# yum install -y bzip2-devel jemalloc jemalloc-devel

# ln -s /usr/lib64/libjpeg.so /usr/lib/libjpeg.so
# ln -s /usr/lib64/libpng.so /usr/lib/libpng.so
# tar xf libiconv-1.14.tar.gz
# cd libiconv-1.14/srclib/
# sed -i -e '/gets is a security/d' ./stdio.in.h
# cd ..
# ./configure --prefix=/usr/local/libiconv && make && make install

0x02 Compile and install PHP 7.1.9. Note that PHP 7 has dropped mysql_connect.

# tar xf php-7.1.9.tar.gz
# cd php-7.1.9
# ./configure \
--prefix=/usr/local/php-7.1.9 \
--exec-prefix=/usr/local/php-7.1.9 \
--bindir=/usr/local/php-7.1.9/bin \
--sbindir=/usr/local/php-7.1.9/sbin \
--includedir=/usr/local/php-7.1.9/include \
--libdir=/usr/local/php-7.1.9/lib/php \
--mandir=/usr/local/php-7.1.9/php/man \
--with-config-file-path=/usr/local/php-7.1.9/etc \
--with-iconv-dir=/usr/local/libiconv \
--with-apxs2=/usr/local/httpd/bin/apxs \
--with-mcrypt \
--with-mhash \
--with-openssl \
--with-mysqli=shared,mysqlnd \
--with-pdo-mysql=shared,mysqlnd \
--with-gd \
--with-zlib \
--enable-zip \
--enable-inline-optimization \
--disable-debug \
--disable-rpath \
--enable-shared \
--enable-xml \
--enable-bcmath \
--enable-shmop \
--enable-sysvsem \
--enable-mbregex \
--enable-mbstring \
--enable-ftp \
--enable-gd-native-ttf \
--enable-pcntl \
--enable-sockets \
--with-xmlrpc \
--enable-soap \
--without-pear \
--with-gettext \
--enable-session \
--with-curl \
--with-jpeg-dir \
--enable-short-tags \
--enable-static \
--with-png-dir \
--with-freetype-dir \
--with-fpm-user=web \
--with-fpm-group=web \
--enable-opcache \
--enable-fpm \
--without-gdbm \
--with-xsl \
--disable-fileinfo

# make && make install
# ll /usr/local/php-7.1.9/
# ln -s /usr/local/php-7.1.9/ /usr/local/php
# cp php.ini-production /usr/local/php/etc/php.ini

0x03 Install the various PHP extensions

# cd ext/mysqli/
# /usr/local/php/bin/phpize
# ./configure --prefix=/usr/local/mysqli \
--with-php-config=/usr/local/php/bin/php-config \
--with-mysqli=/usr/local/mysql/bin/mysql_config

# make && make install

# vi /usr/local/php/etc/php.ini
extension_dir = "/usr/local/php-7.1.9/lib/php/extensions/no-debug-non-zts-20160303/"
extension=mysqli.so
extension=opcache.so
extension=pdo_mysql.so
# vi /usr/local/httpd/conf/httpd.conf
LoadModule php7_module modules/libphp7.so
<Directory />
AllowOverride none
# Require all denied
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# mod_mime applies AddType to any extension in a filename (so name.php.jpg is handled as PHP too); a FilesMatch/SetHandler mapping is stricter
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
</IfModule>
# /usr/local/httpd/bin/apachectl -t
# /usr/local/httpd/bin/apachectl graceful
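As an added example (not part of the original post), the script below audits an httpd.conf for the settings the sections above touched: ServerTokens/ServerSignature, the access grant on <Directory />, Options Indexes, the AddType mapping for PHP, and the .ht* deny. The config it checks is a constructed excerpt mirroring this post's httpd.conf, and the function names are my own.

```shell
# audit_httpd_conf FILE: print one line per finding; always exits 0 so the
# caller can count lines. Added example, not code from the original post.
audit_httpd_conf() {
  conf="$1"
  # ServerTokens Prod / ServerSignature Off keep the version string out of headers and error pages.
  grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" ||
    echo "ServerTokens is not Prod: the Server header discloses the httpd version"
  grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf" ||
    echo "ServerSignature is not Off: error pages disclose the httpd version"
  # A <Directory /> block that grants access opens every path an Alias or ScriptAlias can reach.
  sed -n '/<Directory \/>/,/<\/Directory>/p' "$conf" |
    grep -Eiq 'Allow[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+granted' &&
    echo "<Directory /> grants access: deny there and grant per DocumentRoot instead"
  # Options Indexes lists directory contents wherever no index file exists.
  grep -Eiq '^[[:space:]]*Options([[:space:]]+[-+]?[[:alnum:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' "$conf" &&
    echo "Options Indexes enabled: directory listing exposes file names"
  # mod_mime applies AddType to any extension in the name, so upload.php.jpg is handled as PHP.
  grep -Eiq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php([[:space:]]|$)' "$conf" &&
    echo "AddType maps PHP by extension: prefer FilesMatch on .php with SetHandler"
  # .htaccess / .htpasswd must stay unreadable over HTTP.
  grep -Eiq '^[[:space:]]*<Files[[:space:]]+"?\.ht\*"?>' "$conf" ||
    echo ".ht* files are not denied"
}

# Constructed excerpt mirroring the post's httpd.conf (sample data, not a real server's file).
write_sample_conf() {
  cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory />
Allow from all
</Directory>
<Directory "/var/html">
Options Indexes FollowSymLinks
Require all granted
</Directory>
<Files ".ht*">
Require all denied
</Files>
AddType application/x-httpd-php .php .phtml
EOF
}

# Number of findings for the sample; 3 expected (<Directory />, Indexes, AddType).
count_sample_findings() {
  f=$(mktemp) && write_sample_conf "$f"
  n=$(audit_httpd_conf "$f" | wc -l | tr -d ' ')
  rm -f "$f"; echo "$n"
}
```

Run it against the live file with audit_httpd_conf /usr/local/httpd/conf/httpd.conf after apachectl -t passes; a config that splits settings across the conf/extra includes must be checked file by file.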

4. Install various open-source applications to fully test that the environment works

Install the bWAPP vulnerable practice application
Install the DVWA vulnerable practice application
Install Discuz X3.2
Install Drupal 7.56
Install WordPress 4.8.1
Install Joomla 3.6.5
...



End
Write scripts, write scripts, write scripts; important things get said three times. Or, more brutally, once everything is configured, package it straight into an rpm, so that on a completely identical system the whole thing can later be done with yum alone; otherwise it gets maddening. Also, this environment is only for my own study, so essentially no hardening has been done. Do not use it directly as a reference for a real production environment; if you do, you bear all the consequences.