Migrating from CentOS LAMP to Ubuntu LEMP. This took forever to get working, but it is finally written up!!!! Tired.
1. Install packages and security settings
2. Configuration and testing
3. Back up & restore data
4. Add Let's Encrypt
1. Install packages and security settings
Change the IP address
#vi /etc/network/interfaces
#ip addr flush ens160 && systemctl restart networking
Switch to root
#sudo -i
#apt-get install iptables-persistent htop iotop fail2ban nginx nginx-extras php7.0 php7.0-fpm php7.0-mcrypt php7.0-mbstring mariadb-server mariadb-client php7.0-mysql php-gd
Update the system
#apt-get update
#apt-get upgrade
Reboot
#reboot
Set up automatic updates
#vi /etc/cron.weekly/autoupdt
#!/bin/bash
# cron's run-parts only runs this file if it is executable and its name
# contains only letters, digits, "-" and "_" (no dot)
apt-get update
apt-get upgrade -y
apt-get autoclean
Change the SSH port
#vi /etc/ssh/sshd_config
Port 2223
Configure iptables
#vi /root/iptables.sh
#!/bin/bash
# Flush the old INPUT rules first so re-running the script does not add duplicates
iptables -F INPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Loopback must be accepted, otherwise local services (e.g. MariaDB on 127.0.0.1) break
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ens160 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ens160 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i ens160 -p tcp --dport 2223 -j ACCEPT   # SSH on the port set above
iptables -A INPUT -i ens160 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ens160 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i ens160 -p udp -s 210.242.7.159 --dport 161 -j ACCEPT   # SNMP, only from the monitoring host
#chmod 700 /root/iptables.sh;/root/iptables.sh;iptables-save > /etc/iptables/rules.v4
Configure fail2ban
#vi /etc/fail2ban/jail.local
[sshd]
enabled = true
filter = sshd
maxretry = 5
findtime = 60
port = 2223
bantime = -1
banaction = iptables-multiport
#systemctl restart fail2ban
Allow key-pair login only (generate the key as the login user, here fred; the public key goes into that user's authorized_keys)
#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fred/.ssh/id_rsa):
Created directory '/home/fred/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fred/.ssh/id_rsa.
Your public key has been saved in /home/fred/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jHJP7PV20w541DeQ6S0aoNd4HBUfP1leErXu3l0fxsg fred@Blog
The key's randomart image is:
+---[RSA 2048]----+
| o+++|
| . +oB|
| . . + =o|
| +. = o +..|
| . o.So.= o.+o|
| o +....+o=.o|
| o .+E==o|
| . oo+*|
| .=|
+----[SHA256]-----+
#cd .ssh/ ; cat id_rsa.pub >> authorized_keys ; chmod 600 authorized_keys
#vi /etc/ssh/sshd_config
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
#systemctl restart sshd
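The SSH port chosen above has to agree in three files: sshd_config, /root/iptables.sh and jail.local. If they drift apart you either lock yourself out or fail2ban bans nothing. The check below is an added example, not part of the original post; the function takes the real file paths as arguments, and it is run here against constructed copies of the three files.

```shell
#!/bin/sh
# Added example: check that the SSH port agrees across the three files edited
# above: sshd_config, the iptables script and fail2ban's jail.local.
# Usage: ssh_port_consistency SSHD_CONFIG IPTABLES_SH JAIL_LOCAL
# Returns 0 when consistent, 1 when the firewall does not open the port,
# 2 when fail2ban watches a different port.
ssh_port_consistency() {
  local sshd_cfg="$1" ipt="$2" jail="$3" p_sshd p_ipt p_jail
  # sshd uses the FIRST uncommented Port directive; the default is 22
  p_sshd=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$sshd_cfg" | head -n1 | awk '{print $2}')
  : "${p_sshd:=22}"
  # every --dport the firewall script accepts, one per line
  p_ipt=$(grep -Eo -- '--dport[[:space:]]+[0-9]+' "$ipt" | awk '{print $2}')
  # "port =" inside the [sshd] section of jail.local; fail2ban defaults to "ssh" (22)
  p_jail=$(awk '/^\[sshd\]/{s=1;next} /^\[/{s=0} s && /^[ \t]*port[ \t]*=/{sub(/.*=[ \t]*/,""); print; exit}' "$jail")
  : "${p_jail:=ssh}"
  if [ "$p_jail" = ssh ]; then p_jail=22; fi
  echo "sshd=$p_sshd iptables=[$(echo $p_ipt)] fail2ban=$p_jail"
  printf '%s\n' $p_ipt | grep -qx "$p_sshd" || { echo "FAIL: firewall does not accept tcp/$p_sshd"; return 1; }
  [ "$p_jail" = "$p_sshd" ] || { echo "FAIL: fail2ban watches port $p_jail, sshd listens on $p_sshd"; return 2; }
  echo "OK: all three agree on port $p_sshd"
}

# Constructed sample files mirroring the settings above (not the real /etc files)
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 2223' 'PasswordAuthentication no' > "$SAMPLE_DIR/sshd_config"
printf '%s\n' 'iptables -A INPUT -i ens160 -p tcp --dport 2223 -j ACCEPT' \
              'iptables -A INPUT -i ens160 -p tcp --dport 80 -j ACCEPT' > "$SAMPLE_DIR/iptables.sh"
printf '%s\n' '[sshd]' 'enabled = true' 'port = 2223' > "$SAMPLE_DIR/jail.local"
# A jail that was never moved off the default port, to show the failure case
printf '%s\n' '[sshd]' 'enabled = true' > "$SAMPLE_DIR/jail_default.local"

ssh_port_consistency "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/iptables.sh" "$SAMPLE_DIR/jail.local"
ssh_port_consistency "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/iptables.sh" "$SAMPLE_DIR/jail_default.local" || true
```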
2. Configuration and testing
Initialize MariaDB
#mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
Configure HTTP/2
Create a self-signed certificate (create the /etc/nginx/ssl directory first; openssl will not create it)
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Strengthen the key exchange
#openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
#vi /etc/nginx/sites-available/default
...omitted...
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {
    # Redirect HTTP to HTTPS
    listen 80;
    listen [::]:80;
    server_name blog.imprezagt1031.idv.tw;
    return 301 https://$server_name$request_uri;
}

server {
    # Enable HTTPS & HTTP/2
    add_header X-Frame-Options "SAMEORIGIN";        # clickjacking
    add_header X-XSS-Protection "1; mode=block";    # XSS
    # No colon after the header name: "Referrer-Policy:" would define a header called "Referrer-Policy:"
    add_header Referrer-Policy "no-referrer";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "policy-definition";   # placeholder: put your real CSP here
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/blog;   # DocumentRoot
    index index.php index.html index.htm index.nginx-debian.html;
    server_name blog.imprezagt1031.idv.tw;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?$args;   # WordPress permalinks
    }

    location ~ \.php$ {   # PHP settings
        include snippets/fastcgi-php.conf;
        #
        # With php7.0-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        #
        # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Certificate settings
    ssl_certificate /etc/nginx/ssl/nginx.crt;       # certificate (replaced later)
    ssl_certificate_key /etc/nginx/ssl/nginx.key;   # private key (replaced later)
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;         # stronger key exchange
}
Hide the Nginx version in the Server header
#vi /etc/nginx/nginx.conf
server_tokens off;
more_set_headers 'Server: Fred';   # needs the headers-more module (nginx-extras, installed above)
Hide the PHP version header (with php7.0-fpm the file actually read is /etc/php/7.0/fpm/php.ini)
# vi /etc/php/7.0/fpm/php.ini
expose_php = Off
Limit upload size
# vi /etc/nginx/nginx.conf
client_max_body_size 64m;   # example value: the largest request body nginx accepts
# vi /etc/php/7.0/fpm/php.ini
post_max_size = 64M         ; example value; must be >= upload_max_filesize
upload_max_filesize = 64M   ; example value
Remove insecure cipher suites (this list still allows TLSv1, TLSv1.1 and 3DES for old clients; drop them if you do not need them)
#vi /etc/nginx/nginx.conf
...omitted...
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
##
Adjust the SSL session cache
#vi /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
Enable HSTS
#vi /etc/nginx/nginx.conf
add_header Strict-Transport-Security "max-age=15768000" always;
Enable compression
#vi /etc/nginx/nginx.conf
. . .
##
# `gzip` Settings
#
#
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
. . .
Check that the configuration is valid
#nginx -t
Restart the service
#systemctl restart nginx
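Once `nginx -t` passes, it is worth confirming that the hardening directives from this section actually made it into the running configuration (`nginx -T` prints the full merged config). The audit below is an added example, not from the original post: it reads a config dump on stdin and reports which of the directives set above are missing, plus the legacy TLS versions the ssl_protocols line still allows. A constructed sample config with two deliberate mistakes is embedded so it runs offline.

```shell
#!/bin/sh
# Added example: audit an nginx config dump for the hardening directives this
# guide sets. Real use: nginx -T 2>/dev/null | audit_nginx_conf

# One grep -E pattern per line; each must match somewhere in the config.
# The Referrer-Policy pattern needs whitespace right after the header name, so
# the "add_header Referrer-Policy: ..." typo (stray colon) shows up as missing.
REQUIRED_DIRECTIVES='^[[:space:]]*server_tokens[[:space:]]+off;
^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;
^[[:space:]]*add_header[[:space:]]+X-Frame-Options[[:space:]]
^[[:space:]]*add_header[[:space:]]+X-Content-Type-Options[[:space:]]
^[[:space:]]*add_header[[:space:]]+Referrer-Policy[[:space:]]
^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]'

# audit_nginx_conf: config on stdin; prints one line per finding and returns
# the number of findings (0 = everything this guide sets is present).
audit_nginx_conf() {
  local conf pat n=0
  conf=$(cat)
  while IFS= read -r pat; do
    if ! printf '%s\n' "$conf" | grep -Eq "$pat"; then
      echo "missing: $pat"
      n=$((n + 1))
    fi
  done <<EOF
$REQUIRED_DIRECTIVES
EOF
  # Warn when ssl_protocols still lists TLS 1.0 or 1.1 (deprecated by RFC 8996).
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:]]|;)'; then
    echo "warning: ssl_protocols still enables TLSv1/TLSv1.1"
    n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample (not a real server's config): X-Content-Type-Options is
# absent and Referrer-Policy has the colon typo, so two "missing" lines plus
# the TLS warning are expected (return value 3).
SAMPLE_CONF='server_tokens off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy: no-referrer;
add_header Strict-Transport-Security "max-age=15768000" always;'

printf '%s\n' "$SAMPLE_CONF" | audit_nginx_conf || echo "findings: $?"
```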
3. Back up & restore data
Back up the website files & SQL tables on the old host
#tar -jcv -f wordpress.tar.bz2 /var/www/wordpress
#mysqldump -u root -p --databases wp > /root/blog.sql
Restore data
Restore the website files & SQL tables on the new host (tar stored the paths without the leading /, so the archive unpacks into ./var/www/wordpress; move its contents into /var/www/blog, the document root configured above)
#tar -jxvf wordpress.tar.bz2
Fix ownership
#chown -R www-data:www-data /var/www/blog
Create the same database
#mysql -u root -p
Create the database with the old name:
MariaDB [(none)]> create database wp;
MariaDB [(none)]> grant all privileges on wp.* to wpuser@localhost identified by 'yourpassword';
Check the user:
MariaDB [(none)]> select host, user, password from mysql.user;
MariaDB [(none)]> quit
Restore the DB
#mysql -u root -p wp < blog.sql
#mysql -u root -p
Check that the data was restored:
MariaDB [(none)]> show databases;
MariaDB [(none)]> use wp;
MariaDB [wp]> show tables;
4. Add Let's Encrypt
certbot is not in Ubuntu's default source list, so add it with add-apt-repository
#add-apt-repository ppa:certbot/certbot
#apt-get update
Install certbot
#apt-get install certbot
With the webroot plugin, certbot creates a /.well-known directory under the document root and writes a challenge file there, so that directory must be reachable from outside
#vi /etc/nginx/sites-available/default
location ~ /.well-known { #Webroot Plugin
allow all;
}
Restart the service
#systemctl restart nginx
Issue the certificate
#certbot certonly --webroot --webroot-path=/var/www/blog -d blog.imprezagt1031.idv.tw
Once issued, the files can be inspected here
#ll /etc/letsencrypt/live/blog.imprezagt1031.idv.tw/
To switch to the new certificate, change the ssl_certificate and ssl_certificate_key paths in the nginx config from the earlier section; then set up automatic renewal
#vi /etc/crontab
# Auto-renew certbot (lines in /etc/crontab need the user field before the command)
0 1 * * * root /usr/bin/certbot renew && systemctl force-reload nginx
Close comments (from the database)
# mysql -u root -p
use yourdatabase;
show tables;
UPDATE wp_posts SET comment_status = 'closed';