Website Migration Notes

Migrating from CentOS LAMP to Ubuntu LEMP. This took me ages to get working and written up!!!! Exhausting.

1. Install packages and security settings
2. Configuration and testing
3. Back up & restore data
4. Add Let's Encrypt configuration

1. Install packages and security settings
Change the IP address

#vi /etc/network/interfaces
#ip addr flush ens160 && systemctl restart networking

Switch to root

#sudo -i
#apt-get install iptables-persistent htop iotop fail2ban nginx nginx-extras php7.0 php7.0-fpm php7.0-mcrypt php7.0-mbstring mariadb-server mariadb-client php7.0-mysql php-gd

Update the system

#apt-get update
#apt-get upgrade

Reboot

#reboot

Set up automatic updates (the script must be executable, e.g. mode 755, otherwise run-parts in cron.weekly silently skips it)

#vi /etc/cron.weekly/autoupdt
#!/bin/bash
apt-get update
apt-get upgrade -y
apt-get autoclean

Change the SSH port

#vi /etc/ssh/sshd_config
Port 2223

Configure iptables

#vi /root/iptables.sh
#!/bin/bash
# start from an empty INPUT chain so re-running the script does not duplicate rules
iptables -F INPUT
# default deny inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# loopback must be allowed or local services (e.g. MariaDB on 127.0.0.1) break
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ens160 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ens160 -p icmp --icmp-type 8 -j ACCEPT   # ping
iptables -A INPUT -i ens160 -p tcp --dport 2223 -j ACCEPT     # SSH on the port changed above
iptables -A INPUT -i ens160 -p tcp --dport 80 -j ACCEPT       # HTTP
iptables -A INPUT -i ens160 -p tcp --dport 443 -j ACCEPT      # HTTPS
iptables -A INPUT -i ens160 -p udp -s 210.242.7.159 --dport 161 -j ACCEPT   # SNMP, from the monitoring host only
#chmod 700 /root/iptables.sh;/root/iptables.sh;iptables-save > /etc/iptables/rules.v4

Configure fail2ban

#vi /etc/fail2ban/jail.local
[sshd]
enabled = true
filter = sshd
maxretry = 5
findtime = 60
port = 2223
bantime = -1
banaction = iptables-multiport
#systemctl restart fail2ban

Allow key-pair login only. The key pair is generated on the server here, so copy the private key /home/fred/.ssh/id_rsa to the client you log in from, and confirm a key login works before setting PasswordAuthentication no, or you will lock yourself out.

#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fred/.ssh/id_rsa): 
Created directory '/home/fred/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/fred/.ssh/id_rsa.
Your public key has been saved in /home/fred/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jHJP7PV20w541DeQ6S0aoNd4HBUfP1leErXu3l0fxsg fred@Blog
#cd .ssh/ ; cat id_rsa.pub >> authorized_keys ; chmod 600 authorized_keys
#vi /etc/ssh/sshd_config
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
#systemctl restart sshd

2. Configuration and testing

Initialize MariaDB

#mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
 SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Configure HTTP/2

Create a self-signed certificate (the /etc/nginx/ssl directory does not exist by default; create it first with mkdir -p)

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Strengthen the key exchange with custom Diffie-Hellman parameters

#openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
#vi /etc/nginx/sites-available/default
...omitted...
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {  # redirect HTTP to HTTPS
    listen 80;
    listen [::]:80;
    server_name blog.imprezagt1031.idv.tw;
    return 301 https://$server_name$request_uri;
}

server {  # enable HTTPS & HTTP/2
    add_header X-Frame-Options "SAMEORIGIN";        # clickjacking
    add_header X-XSS-Protection "1; mode=block";    # reflected-XSS filter in older browsers
    add_header Referrer-Policy "no-referrer";       # header name without a trailing colon
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "policy-definition";   # placeholder: replace with a real policy
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/blog;  # DocumentRoot

    index index.php index.html index.htm index.nginx-debian.html;

    server_name blog.imprezagt1031.idv.tw;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?$args;  # WordPress permalinks
    }

    location ~ \.php$ {  # PHP settings
        include snippets/fastcgi-php.conf;

        # # With php7.0-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # certificate settings
    ssl_certificate /etc/nginx/ssl/nginx.crt;       # certificate (replaced by Let's Encrypt later)
    ssl_certificate_key /etc/nginx/ssl/nginx.key;   # private key (replaced later)
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;         # stronger key exchange
}

Hide the nginx version in the Server header (more_set_headers comes from the nginx-extras package installed above)

#vi /etc/nginx/nginx.conf
server_tokens off;
more_set_headers 'Server: Fred';

Hide the PHP version header (on Ubuntu the php-fpm ini lives under /etc/php/7.0/fpm/, and php7.0-fpm must be restarted for the change to take effect)

# vi /etc/php/7.0/fpm/php.ini
expose_php = Off

Control the upload size limits. The three values must agree: nginx rejects any request body larger than client_max_body_size (HTTP 413) before PHP sees it, and post_max_size must be at least upload_max_filesize.

# vi /etc/nginx/nginx.conf
client_max_body_size
# vi /etc/php/7.0/fpm/php.ini
post_max_size
upload_max_filesize

Remove insecure protocols and cipher suites. Note that the list below still allows TLS 1.0/1.1 and the 3DES suites (EECDH+3DES, RSA+3DES, affected by SWEET32); drop them unless old clients genuinely need them.

#vi /etc/nginx/nginx.conf
...omitted...
# SSL Settings
 ##

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 ssl_prefer_server_ciphers on;
 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

 ##

Adjust the SSL session cache

#vi /etc/nginx/nginx.conf
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;

Enable HSTS. Beware of nginx's add_header inheritance: a level inherits add_header lines from the level above only if it defines none of its own, and the server block above already defines several, so this line must also go inside that server block or the header will never be sent.

#vi /etc/nginx/nginx.conf
add_header Strict-Transport-Security "max-age=15768000" always;

Enable compression. Compressing dynamic HTML over TLS exposes responses to BREACH-style compression side channels, so if that is a concern limit gzip_types to static assets.

#vi /etc/nginx/nginx.conf
. . .
##
# `gzip` Settings
#
#
gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
. . .

Check the configuration syntax

#nginx -t

Restart the service

#systemctl restart nginx
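To confirm what the hardened server block actually sends, here is an added check script (not from the original post). check_headers works on any saved "curl -sI" output, so it runs offline against the constructed sample below; fetch_headers assumes curl is installed for checking the live site.

```shell
#!/bin/bash
# Added example (not from the original post): check that a response carries
# the hardening headers configured above and does not leak the nginx version.
# check_headers works on any saved "curl -sI" output, so it runs offline;
# fetch_headers (needs curl) captures that output from the live site.

# Header names the server block above adds, plus Strict-Transport-Security:
# add_header lines in http{} are ignored once a server{} defines its own,
# so HSTS has to be checked for explicitly.
REQUIRED_HEADERS="x-frame-options x-xss-protection referrer-policy
x-content-type-options content-security-policy strict-transport-security"

# check_headers <file-with-raw-response-headers>
# Prints each problem found; returns the number of problems (0 = all good).
check_headers() {
  local file="$1" missing=0 h names
  # strip CR line endings, keep only "Name: value" lines, lower-case the names
  names=$(tr -d '\r' < "$file" | awk -F: 'NF > 1 { print tolower($1) }')
  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$names" | grep -qx "$h"; then
      echo "missing: $h"
      missing=$((missing + 1))
    fi
  done
  # server_tokens off / more_set_headers should have removed "nginx/x.y.z"
  if tr -d '\r' < "$file" | grep -qi '^server:.*nginx/'; then
    echo "Server header still leaks the nginx version"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# fetch_headers <url> <outfile>: save the response headers of the live host
fetch_headers() { curl -sSI --max-time 10 "$1" > "$2"; }

# Constructed sample: what the server block sends while the HSTS line still
# sits only in nginx.conf's http{} context (so it is not emitted).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
HTTP/2 200
server: Fred
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-content-type-options: nosniff
content-security-policy: policy-definition
EOF

if check_headers "$SAMPLE"; then echo "all hardening headers present"; fi
```

Against a live host, run fetch_headers https://blog.imprezagt1031.idv.tw/ /tmp/hdr then check_headers /tmp/hdr.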

3. Back up & restore data
Back up the site files & SQL tables on the old host

#tar -jcv -f wordpress.tar.bz2 /var/www/wordpress
#mysqldump -u root -p --databases wp > /root/blog.sql

Restore the site files & SQL tables on the new host. The archive was created from the absolute path /var/www/wordpress, so tar extracts it as var/www/wordpress under the current directory; move that content into /var/www/blog, the root used in the nginx config above.

#tar -jxvf wordpress.tar.bz2

Fix ownership

#chown -R www-data:www-data /var/www/blog

Create the same database (DB_NAME, DB_USER and DB_PASSWORD in wp-config.php must match what is created here)

#mysql -u root -p
Create the database with the old name
MariaDB [(none)]> create database wp;
MariaDB [(none)]> grant all privileges on wp.* to wpuser@localhost  identified by 'yourpassword' ;
Check the users
MariaDB [(none)]> select host, user, password from mysql.user;
MariaDB [(none)]> quit

Restore the DB

#mysql -u root -p wp < blog.sql
#mysql -u root -p
Check that the data was restored
MariaDB [(none)]> show databases;
MariaDB [(none)]> use wp;
MariaDB [wp]> show tables;
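The backup and restore steps above move the archive between hosts with no integrity check. Here is an added example (not from the original post) that writes a SHA-256 manifest next to the archive and refuses to extract when it does not match. It assumes tar, gzip and sha256sum are available; gzip replaces the post's bzip2 so it runs where bzip2 is absent, and the sample web root is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): the backup step above, wrapped
# so the archive travels with a SHA-256 manifest that is verified on the new
# host before anything is extracted. Assumes tar, gzip and sha256sum
# (coreutils); gzip is used instead of the post's bzip2 so it runs anywhere.
# mysqldump is only called when a database name is given.

# make_backup <site-dir> <out-dir> [db-name]
# Writes <out-dir>/site.tar.gz, optionally <out-dir>/db.sql, and SHA256SUMS.
make_backup() {
  local site="$1" out="$2" db="$3"
  mkdir -p "$out" || return 1
  # -C <parent> <name>: store relative paths, so the restore lands wherever
  # you extract (e.g. inside /var/www), not back into the old absolute path.
  tar -czf "$out/site.tar.gz" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  if [ -n "$db" ]; then
    mysqldump -u root -p --databases "$db" > "$out/db.sql" || return 1
  fi
  ( cd "$out" && sha256sum site.tar.gz ${db:+db.sql} > SHA256SUMS )
}

# verify_backup <out-dir>: 0 only if every file still matches its checksum
verify_backup() {
  ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# restore_site <out-dir> <target-parent>: verify first, then extract under
# <target-parent> (e.g. /var/www); the chown step from the post follows.
restore_site() {
  verify_backup "$1" || { echo "checksum mismatch, refusing to restore" >&2; return 1; }
  tar -xzf "$1/site.tar.gz" -C "$2"
}

# Constructed sample: a throwaway "web root" with two files, no database
DEMO=$(mktemp -d)
mkdir -p "$DEMO/blog/wp-content/uploads"
echo '<?php // constructed sample index' > "$DEMO/blog/index.php"
echo 'constructed upload' > "$DEMO/blog/wp-content/uploads/a.txt"
make_backup "$DEMO/blog" "$DEMO/out"
mkdir -p "$DEMO/new" && restore_site "$DEMO/out" "$DEMO/new"
```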

4. Add Let's Encrypt configuration
certbot is not in Ubuntu's default source list, so add its repository with add-apt-repository

#add-apt-repository ppa:certbot/certbot
#apt-get update

Install certbot

#apt-get install certbot

With the webroot plugin, certbot creates a /.well-known directory under the document root and writes a challenge file there; that path must be reachable by the Let's Encrypt validation servers over HTTP

#vi /etc/nginx/sites-available/default
    location ~ /\.well-known {  # webroot plugin: ACME challenge files
        allow all;
    }

Restart the service

#systemctl restart nginx

Issue the certificate

#certbot certonly --webroot --webroot-path=/var/www/blog -d blog.imprezagt1031.idv.tw

After issuance the files can be found at this path

#ll /etc/letsencrypt/live/blog.imprezagt1031.idv.tw/

To switch to the new certificate, point the ssl_certificate and ssl_certificate_key lines shown earlier at fullchain.pem and privkey.pem in that directory, then schedule automatic renewal. Lines in /etc/crontab carry a user field between the schedule and the command, so the job must name root or the first word of the command is taken as the user and the job never runs.

#vi /etc/crontab
# auto-renew the Let's Encrypt certificate
0 1 * * * root /usr/bin/certbot renew && systemctl force-reload nginx

Close comments (via the database)

# mysql -u root -p
use yourdatabase;
show tables;
UPDATE wp_posts SET comment_status = 'closed';