# 防火墙
firewalld.sh
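#!/bin/sh
# Persistently open HTTP/HTTPS in firewalld's public zone and drop ICMP,
# including the echo-reply / destination-unreachable / time-exceeded
# messages that traceroute depends on, then activate the rule set.
#
# All firewall-cmd calls are --permanent and only take effect at the final
# --reload; abort on the first failure so a partial rule set is never
# activated.
set -e

systemctl start firewalld

# Web traffic.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent

# Drop every inbound ICMP packet in the zone.
# NOTE(review): this also drops echo-request (ping) and, together with
# the type-3 rules below, "fragmentation needed" messages; dropping
# destination-unreachable can break Path MTU Discovery for clients
# behind smaller MTUs. Confirm this is acceptable for the hosted services.
firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop'
#firewall-cmd --permanent --add-rich-rule='rule icmp-type name="echo-reply" drop'
#firewall-cmd --permanent --add-rich-rule='rule icmp-type name="time-exceeded" drop'
#firewall-cmd --permanent --add-rich-rule='rule icmp-type name="destination-unreachable" drop'

# Direct iptables rules at priority 0 for the ICMP types traceroute uses:
# 0 = echo-reply, 3 = destination-unreachable, 11 = time-exceeded.
# NOTE(review): the rich rule above already covers inbound ICMP, so the
# INPUT entries are presumably redundant; the OUTPUT direction is what the
# direct rules add, since zone rich rules address inbound traffic.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 0 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 3 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p ICMP --icmp-type 0 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p ICMP --icmp-type 3 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP

# Activate the permanent configuration.
firewall-cmd --reload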
# 升级openssl
upgrade_openssl.sh
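#!/bin/sh
# Build OpenSSL 1.1.1s from source into /usr/local/openssl and point the
# system `openssl` binary and headers at the new build.
#
# Optional: export OPENSSL_SHA256 with the release's published SHA-256
# digest before running; the tarball is then verified after download.
# Obtain the digest from the OpenSSL project's own checksum publication,
# not from this script.
#
# NOTE(review): the 1.1.1 series is end-of-life upstream; prefer a
# currently supported release for new installs.
#
# Aborts on the first failing step so a half-built tree is never linked
# into /usr/bin.
set -e

version=1.1.1s
tarball="openssl-${version}.tar.gz"
prefix=/usr/local/openssl

cd /usr/local/src || exit 1
# 1. Download the source tarball (fixed output name, so a re-run
#    overwrites instead of creating openssl-....tar.gz.1).
wget -O "${tarball}" "https://www.openssl.org/source/${tarball}"
# Verify the download when a reference digest was supplied.
if [ -n "${OPENSSL_SHA256:-}" ]; then
  echo "${OPENSSL_SHA256}  ${tarball}" | sha256sum -c - || exit 1
fi
# 2. Unpack.
tar zxvf "${tarball}"
# 3. Enter the source tree.
cd "openssl-${version}" || exit 1
# 4. Configure: shared libraries, zlib compression support.
./config --prefix="${prefix}" shared zlib
# 5. Build and install.
make && make install
# 6. Keep the distribution's binary and headers so they can be restored.
if [ -e /usr/bin/openssl ]; then
  mv /usr/bin/openssl /usr/bin/openssl.bak
fi
if [ -e /usr/include/openssl ]; then
  mv /usr/include/openssl /usr/include/openssl.bak
fi
# 7. Switch to the new build.
ln -s "${prefix}/bin/openssl" /usr/bin/openssl
ln -s "${prefix}/include/openssl" /usr/include/openssl
# 8. Register the new library directory with the dynamic linker
#    (only once: do not append a duplicate entry on re-runs).
grep -qxF "${prefix}/lib" /etc/ld.so.conf || echo "${prefix}/lib" >> /etc/ld.so.conf
# 9. Rebuild the linker cache.
ldconfig -v
# 10. Confirm the new binary runs and report its version (was "–a" with
#     an en dash, which openssl rejects as an unknown option).
openssl version
openssl version -a
# The new binary ran above, so the backups are removed. Under set -e this
# point is never reached when any earlier step failed.
# NOTE(review): the original note said to delete these only after manual
# testing; keep them if anything else on the host links the
# distribution's OpenSSL.
rm -rf /usr/bin/openssl.bak
rm -rf /usr/include/openssl.bak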
# 升级nginx(lnmp)
upgrade_nginx.sh
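#!/bin/sh
# Patch lnmp's upgrade_nginx.sh so the nginx it builds does not reveal its
# software name and version: the Server header and the default error-page
# footer read "TencentWAF" and the version string is blanked.
#
# The sed commands are inserted at fixed lines 51-55 of the lnmp script,
# so this depends on the exact lnmp 1.8 layout of that file. The script
# refuses to patch twice (the marker "TencentWAF" is already present) and
# keeps a pristine copy of the target next to it.
#
# NOTE(review): banner masking is obscurity only; nginx can still be
# fingerprinted by behaviour, so keep it patched regardless.
set -e

version=1.22.1
path=/usr/local/src/lnmp1.8/include/upgrade_nginx.sh

if [ ! -f "${path}" ]; then
  echo "Error: ${path} not found" >&2
  exit 1
fi
if grep -q "TencentWAF" "${path}"; then
  echo "${path} already patched, nothing to do" >&2
  exit 0
fi
# One-time backup of the unmodified lnmp script.
[ -f "${path}.orig" ] || cp -p -- "${path}" "${path}.orig"

# Insertion order matters: each "Ni" inserts before the current line N,
# which pushes the previous insertion's successor down by one, so the
# five lines end up at 51..55 in this order.
sed -i "51ised -i 's/Server: nginx/Server: TencentWAF/' src/http/ngx_http_header_filter_module.c" "${path}"
sed -i "52ised -i 's/${version}//' src/core/nginx.h" "${path}"
sed -i "53ised -i 's/\"nginx\\\//\"/' src/core/nginx.h" "${path}"
sed -i "54ised -i 's/\"NGINX\"/\"TencentWAF\"/' src/core/nginx.h" "${path}"
sed -i "55ised -i 's/>nginx</>TencentWAF</' src/http/ngx_http_special_response.c" "${path}"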
# nginx日志切割
cut_nginx_logs.sh
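#!/usr/bin/env bash
#function:cut nginx log files for lnmp v0.5 and v0.6
#author: https://lnmp.org
#
# Moves yesterday's nginx logs into <log_files_path>/YYYY/MM with a date
# suffix, prunes files older than save_days, then reloads nginx so it
# reopens the log files under their original names. Intended to run from
# cron once a day, shortly after midnight.
set -u

#set the path to nginx log files
log_files_path="/home/wwwlogs/"
# Compute "yesterday" once so every name uses the same day even if the
# script happens to run across midnight.
yesterday=$(date -d "yesterday" +"%Y%m%d")
log_files_dir=${log_files_path}${yesterday:0:4}/${yesterday:4:2}
#set nginx log files you want to cut
log_files_name=(access vpser licess)
#set the path to nginx.
nginx_sbin="/usr/local/nginx/sbin/nginx"
#Set how long you want to save
save_days=30
############################################
#Please do not modify the following script #
############################################
mkdir -p -- "${log_files_dir}" || exit 1
#cut nginx log files
for name in "${log_files_name[@]}"; do
  src="${log_files_path}${name}.log"
  # A configured log that does not exist yet is not an error.
  [[ -f "${src}" ]] || continue
  mv -- "${src}" "${log_files_dir}/${name}_${yesterday}.log"
done
#delete nginx log files older than save_days
# Only regular files below the log root. The previous `rm -rf` on every
# aged entry also removed year/month directories whose mtime was old,
# taking any newer logs inside them along.
find "${log_files_path}" -mindepth 1 -type f -mtime +"${save_days}" -exec rm -f -- {} +
# Reload starts fresh workers, which open the log files afresh.
"${nginx_sbin}" -s reload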
# 检测502
check502.sh
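#!/usr/bin/env bash
# author: licess
# website: https://lnmp.org
#
# Probe CheckURL and restart php-fpm when it answers 502 Bad Gateway
# (nginx up, PHP backend down). Meant to run from cron. Every other
# status, including 000 for a timeout or connection failure, is left
# alone on purpose: that is not a php-fpm symptom.
CheckURL="http://www.xxx.com"
# Total time and connect time are capped at 10 s so a hung backend cannot
# stall the cron job; only the numeric status is captured.
STATUS_CODE=$(curl -o /dev/null -m 10 --connect-timeout 10 -s -w '%{http_code}' "$CheckURL")
#echo "$CheckURL Status Code:\t$STATUS_CODE"
if [[ "$STATUS_CODE" == "502" ]]; then
  /etc/init.d/php-fpm restart
fi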
# denyhosts
防止sshd暴力破解
denyhosts.sh
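#!/usr/bin/env bash
# Install DenyHosts 3.1 from the lnmp mirror and register it as a service.
# DenyHosts tails the sshd auth log (SECURE_LOG) and lists hosts with
# repeated failed logins in /etc/hosts.deny.
#
# Must run as root from inside the lnmp tools directory: it sources
# ../lnmp.conf and ../include/main.sh, which provide Get_Dist_Name,
# Get_Dist_Version, Press_Start, Download_Files, Tar_Cd, StartUp and the
# PM / DISTRO / CentOS_Version / Download_Mirror variables.
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin

# Check if user is root
if [[ "$(id -u)" != "0" ]]; then
  echo "Error: You must be root to run this script, please use root to install lnmp"
  exit 1
fi

. ../lnmp.conf
. ../include/main.sh

Get_Dist_Name
Get_Dist_Version
Press_Start

# Runtime dependencies: DenyHosts 3.1 is Python 2 code and needs the
# ipaddr module; rsyslog writes the auth log it tails.
if [[ "${PM}" == "yum" ]]; then
  yum install python rsyslog python-ipaddr -y
  if [[ "${DISTRO}" == "CentOS" ]] && echo "${CentOS_Version}" | grep -Eqi "^8"; then
    # CentOS 8 ships no unversioned `python`; point it at python2.
    dnf install python2 -y
    alternatives --set python /usr/bin/python2
    pip2 install ipaddr
  fi
  service rsyslog restart
  # Empties the auth log so DenyHosts starts from a clean slate.
  # NOTE(review): this discards the host's existing login history; ship
  # or archive the log first if it is needed for audit.
  cat /dev/null > /var/log/secure
elif [[ "${PM}" == "apt" ]]; then
  apt-get update
  apt-get install python rsyslog python-ipaddr -y
  /etc/init.d/rsyslog restart
  # Same log reset as above, Debian/Ubuntu location.
  cat /dev/null > /var/log/auth.log
fi

echo "Downloading..."
cd ../src || exit 1
Download_Files "${Download_Mirror}/security/denyhosts/denyhosts-3.1.tar.gz" denyhosts-3.1.tar.gz
Tar_Cd denyhosts-3.1.tar.gz denyhosts-3.1
echo "Installing..."
# Stop here on a failed install rather than configuring files that were
# never written.
python setup.py install || exit 1
echo "Copy files..."
# \cp bypasses any interactive `cp -i` alias.
\cp denyhosts.conf /etc

# Per-distribution paths: setup.py installs the daemon-control script in
# /usr/bin on RPM systems and /usr/local/bin on Debian/Ubuntu. Point
# SECURE_LOG at the distribution's auth log and expose the daemon as an
# init script.
if [[ "${PM}" == "yum" ]]; then
  sed -i 's@^SECURE_LOG = /var/log/auth.log@#SECURE_LOG = /var/log/auth.log@g' /etc/denyhosts.conf
  sed -i 's@^#SECURE_LOG = /var/log/secure@SECURE_LOG = /var/log/secure@g' /etc/denyhosts.conf
  \cp /usr/bin/daemon-control-dist /usr/bin/daemon-control
  chown root /usr/bin/daemon-control
  chmod 700 /usr/bin/daemon-control
  \cp /usr/bin/daemon-control /etc/init.d/denyhosts
  ln -sf /usr/bin/denyhosts.py /usr/sbin/denyhosts
elif [[ "${PM}" == "apt" ]]; then
  \cp /usr/local/bin/daemon-control-dist /usr/local/bin/daemon-control
  chown root /usr/local/bin/daemon-control
  chmod 700 /usr/local/bin/daemon-control
  \cp /usr/local/bin/daemon-control /etc/init.d/denyhosts
  ln -sf /usr/local/bin/denyhosts.py /usr/sbin/denyhosts
  # LSB header so update-rc.d / insserv can order the service; inserted
  # after line 9 of the init script. The \$ keeps the LSB variables
  # literal in the generated file.
  cat >lsb.ini<<EOF
### BEGIN INIT INFO
# Provides: denyhosts
# Required-Start: \$syslog \$local_fs \$time
# Required-Stop: \$syslog \$local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start denyhosts and watch .
### END INIT INFO
EOF
  sed -i '9 r lsb.ini' /etc/init.d/denyhosts
  rm -f lsb.ini
fi

# Configuration: 1-day purge of denied hosts, purge after 3 offences,
# root locked out after 3 failures; the iptables and e-mail hooks are
# commented out (blocking is done through hosts.deny only).
sed -i 's#/run/denyhosts.pid#/var/run/denyhosts.pid#g' /etc/init.d/denyhosts
sed -i 's#^PURGE_DENY =.*#PURGE_DENY =1d#g' /etc/denyhosts.conf
sed -i 's@^#PURGE_THRESHOLD = 0@PURGE_THRESHOLD = 3@g' /etc/denyhosts.conf
sed -i '/^IPTABLES/s/^/#/' /etc/denyhosts.conf
sed -i '/^ADMIN_EMAIL/s/^/#/' /etc/denyhosts.conf
sed -i 's#^DENY_THRESHOLD_ROOT =.*#DENY_THRESHOLD_ROOT = 3#g' /etc/denyhosts.conf
# The init script expects /var/lock/subsys, which not every distribution
# creates; add a line after "STATE_LOCK_EXISTS = -2" that creates it.
sed -i '/STATE_LOCK_EXISTS\ \=\ \-2/aif not os.path.exists("/var/lock/subsys"): os.makedirs("/var/lock/subsys")' /etc/init.d/denyhosts

cd .. || exit 1
rm -rf denyhosts-3.1
StartUp denyhosts
echo "Start DenyHosts..."
/etc/init.d/denyhosts start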
# denyhosts_removeip
denyhosts_removeip.sh
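#!/usr/bin/env bash
# Author:licess
# Website:https://www.vpser.net & https://lnmp.org
#
# Remove one address from every DenyHosts block list and restart the
# daemon. Usage: denyhosts_removeip.sh IP
HOST=$1
if [ -z "${HOST}" ]; then
  echo "Usage:$0 IP"
  exit 1
fi
# The argument becomes part of a sed expression run with -i against
# /etc/hosts.deny, so only IPv4/IPv6 characters are accepted; anything
# else (a "/", a sed command, shell metacharacters) is rejected.
if [[ ! "${HOST}" =~ ^[0-9A-Fa-f.:]+$ ]]; then
  echo "Error: '${HOST}' is not an IP address" >&2
  exit 1
fi
# Make "." literal and require a non-address character on both sides, so
# removing 10.0.0.1 no longer also removes 10.0.0.10 or 110.0.0.1 (the
# previous unanchored /${HOST}/d matched as a substring, with "." as a
# wildcard). ":" counts as a boundary because the denyhosts data files
# separate fields with it.
escaped=${HOST//./[.]}
pattern="(^|[^0-9A-Za-z.])${escaped}([^0-9A-Za-z.]|$)"

echo "Remove IP:${HOST} from denyhosts..."
/etc/init.d/denyhosts stop
files=(
  /etc/hosts.deny
  /var/lib/denyhosts/hosts
  /var/lib/denyhosts/hosts-restricted
  /var/lib/denyhosts/hosts-root
  /var/lib/denyhosts/hosts-valid
  /var/lib/denyhosts/users-hosts
)
for f in "${files[@]}"; do
  # A list that does not exist yet simply has nothing to remove.
  [[ -f "${f}" ]] || continue
  sed -i -E "/${pattern}/d" -- "${f}"
done
#iptables -D INPUT -s ${HOST} -p tcp -m tcp --dport 22 -j DROP
echo " done"
/etc/init.d/denyhosts start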
# 备份
backup.sh
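#!/usr/bin/env bash
#Function: Backup website and mysql database
#Author: licess
#Website: https://lnmp.org
#IMPORTANT!!!Please Setting the following Values!
#
# The MySQL and FTP passwords may also be supplied through the environment
# (same variable names) so that this file does not have to hold them; the
# literal values below apply only when the variable is unset.
Backup_Home="/home/backup/"
MySQL_Dump="/usr/local/mysql/bin/mysqldump"
######~Set Directory you want to backup~######
Backup_Dir=("/home/wwwroot/vpser.net" "/home/wwwroot/lnmp.org")
######~Set MySQL Database you want to backup~######
Backup_Database=("lnmp" "vpser")
######~Set MySQL UserName and password~######
MYSQL_UserName=${MYSQL_UserName-root}
MYSQL_PassWord=${MYSQL_PassWord-yourrootpassword}
######~Enable Ftp Backup~######
Enable_FTP=0
# 0: enable; 1: disable
######~Set FTP Information~######
FTP_Host='1.2.3.4'
FTP_Username='vpser.net'
FTP_Password=${FTP_Password-yourftppassword}
FTP_Dir="backup"
#Values Setting END!
# File-name patterns for today's and three-day-old backups. The "*" is a
# shell glob, expanded where the pattern is used (rm / lftp), not here.
today=$(date +"%Y%m%d")
old_day=$(date -d -3day +"%Y%m%d")
TodayWWWBackup=www-*-${today}.tar.gz
TodayDBBackup=db-*-${today}.sql
OldWWWBackup=www-*-${old_day}.tar.gz
OldDBBackup=db-*-${old_day}.sql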
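#######################################
# Archive one directory into Backup_Home as www-<name>-<YYYYMMDD>.tar.gz.
# Globals:   Backup_Home (read)
# Arguments: $1 - absolute path of the directory to back up
# Returns:   tar's exit status
#######################################
Backup_Dir() {
  local Backup_Path=${1%/}            # tolerate a trailing slash
  local Dir_Name=${Backup_Path##*/}   # last path component
  # Parent directory by parameter expansion. The previous sed-based strip
  # removed every occurrence of the name anywhere in the path (and treated
  # "." as a regex wildcard), so e.g. /home/lnmp.org/lnmp.org broke.
  local Pre_Dir=${Backup_Path%/*}
  Pre_Dir=${Pre_Dir:-/}
  tar zcf "${Backup_Home}www-${Dir_Name}-$(date +"%Y%m%d").tar.gz" -C "${Pre_Dir}" "${Dir_Name}"
}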
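#######################################
# Dump one MySQL database into Backup_Home as db-<name>-<YYYYMMDD>.sql.
# Globals:   MySQL_Dump, MYSQL_UserName, MYSQL_PassWord, Backup_Home (read)
# Arguments: $1 - database name
# Returns:   mysqldump's exit status
#######################################
Backup_Sql() {
  # The password is handed over in the environment (MYSQL_PWD is honoured
  # by the MySQL client tools) instead of as -p<password>, which was
  # visible to every user on the host through `ps`.
  MYSQL_PWD="${MYSQL_PassWord}" "${MySQL_Dump}" -u"${MYSQL_UserName}" "$1" > "${Backup_Home}db-$1-$(date +"%Y%m%d").sql"
}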
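if [ ! -f "${MySQL_Dump}" ]; then
  echo "mysqldump command not found.please check your setting."
  exit 1
fi

if [ ! -d "${Backup_Home}" ]; then
  mkdir -p -- "${Backup_Home}"
fi

# Local backups are taken even when the upload tool is missing; only the
# FTP step is skipped then (previously the script went on to call lftp
# anyway and printed "complete." after it failed).
ftp_ready=0
if [ "${Enable_FTP}" = 0 ]; then
  if type lftp >/dev/null 2>&1; then
    ftp_ready=1
  else
    echo >&2 "lftp command not found. Install: centos:yum install lftp,debian/ubuntu:apt-get install lftp."
  fi
fi

echo "Backup website files..."
for dd in "${Backup_Dir[@]}"; do
  Backup_Dir "${dd}"
done

echo "Backup Databases..."
for db in "${Backup_Database[@]}"; do
  Backup_Sql "${db}"
done

echo "Delete old backup files..."
# The patterns contain a "*" and must stay unquoted so the shell globs.
# shellcheck disable=SC2086
rm -f -- ${Backup_Home}${OldWWWBackup}
# shellcheck disable=SC2086
rm -f -- ${Backup_Home}${OldDBBackup}

if [ "${Enable_FTP}" = 0 ] && [ "${ftp_ready}" = 1 ]; then
  echo "Uploading backup files to ftp..."
  cd "${Backup_Home}" || exit 1
  # Host and credentials go to lftp on stdin through "open" rather than on
  # the command line, so they do not appear in `ps` output. Plain FTP still
  # transmits them unencrypted; if the server supports TLS, add
  # "set ftp:ssl-force true" before the open line.
  lftp << EOF
open -u ${FTP_Username},${FTP_Password} ${FTP_Host}
cd ${FTP_Dir}
mrm ${OldWWWBackup}
mrm ${OldDBBackup}
mput ${TodayWWWBackup}
mput ${TodayDBBackup}
bye
EOF
  echo "complete."
fi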
# 计划任务自动删除文件
crontab_auto_delete_logs.txt
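#!/bin/sh
# Cron job: remove *.txt files under /www/wwwroot that have not been
# modified for more than 30 days.
# Limited to regular files and plain rm: the previous `rm -rf` on every
# match would also have deleted a *directory* whose name ends in .txt,
# together with everything inside it.
find /www/wwwroot -type f -name "*.txt" -mtime +30 -exec rm -f -- {} +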
# TCP连接情况
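# All sockets (listening and connected), numeric addresses.
netstat -an
# Number of TCP sockets whose local port is 80. The previous
# `grep -i "80" | wc -l` also counted 8080, addresses such as 180.x.x.x,
# and anything else with "80" somewhere on the line.
netstat -nat | awk '$4 ~ /:80$/' | wc -l
# Number of running httpd processes. `ps -ef | grep httpd | wc -l`
# counted the grep process itself, so it was always one too many.
pgrep -fc httpd
# Connected TCP sockets (state ESTABLISHED).
netstat -na | grep -c ESTABLISHED
# Number of TCP connections per state.
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'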
TCP连接状态详解
- LISTEN: 侦听来自远方的TCP端口的连接请求
- SYN-SENT: 在发送连接请求后等待匹配的连接请求
- SYN-RECEIVED: 在收到和发送一个连接请求后等待对方对连接请求的确认
- ESTABLISHED: 代表一个打开的连接
- FIN-WAIT-1: 等待远程TCP连接中断请求,或先前的连接中断请求的确认
- FIN-WAIT-2: 从远程TCP等待连接中断请求
- CLOSE-WAIT: 等待从本地用户发来的连接中断请求
- CLOSING: 等待远程TCP对连接中断的确认
- LAST-ACK: 等待原来的发向远程TCP的连接中断请求的确认
- TIME-WAIT: 等待足够的时间以确保远程TCP接收到连接中断请求的确认
- CLOSED: 没有任何连接状态