A few recommendations when setting up a CentOS host

Install fail2ban

sudo yum install epel-release
sudo yum install fail2ban

Edit the configuration. Put local overrides in /etc/fail2ban/jail.local rather than editing jail.conf, which package updates overwrite. Note that action_mwl bans and also e-mails the ban with whois output and the matching log lines, so it needs a working local MTA and a destemail setting (use the plain action_ if you don't want mail), and firewallcmd-ipset needs firewalld running plus the ipset package.

sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
filter  = sshd
port    = 22
action = %(action_mwl)s
logpath = /var/log/secure
banaction = firewallcmd-ipset

Start the service, enable it at boot, and check the jail status

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
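To see what the sshd jail is actually counting, here is an added example (not from the original post) that reproduces the core of fail2ban's sshd filter over constructed /var/log/secure lines: it extracts the source IP from "Failed password" records and reports sources that reach a threshold, the role maxretry (default 5) plays in the jail. The log lines and the 203.0.113.x / 198.51.100.x addresses are made up; the example ignores findtime, so it counts over the whole input rather than a sliding window.

```shell
#!/bin/sh
# Added example: count SSH password failures per source IP, as the
# fail2ban sshd jail does before banning. Sample log is constructed.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:11 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  3 10:01:13 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar  3 10:01:15 host sshd[2103]: Failed password for root from 203.0.113.5 port 4431 ssh2
Mar  3 10:01:16 host sshd[2105]: Invalid user oracle from 203.0.113.5 port 4440
Mar  3 10:01:18 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 4440 ssh2
Mar  3 10:02:01 host sshd[2110]: Accepted publickey for eric from 198.51.100.7 port 51022 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
Mar  3 10:02:30 host sshd[2112]: Failed password for eric from 198.51.100.7 port 51030 ssh2
EOF
)

# Read log lines on stdin; print "count ip" for every source that produced
# a "Failed password" record, most failures first. "Invalid user" lines
# without a password attempt and successful logins are not counted.
failed_per_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the IPs whose failure count reaches the threshold (fail2ban's maxretry).
ban_candidates() {
    threshold="${1:-5}"
    failed_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage: with maxretry=3 only 203.0.113.5 (4 failures) qualifies.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

To test the real filter against the real log instead, run fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf, which prints how many lines matched and which ones were ignored.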

Install a newer Apache from the CodeIT repository. This adds a third-party yum repository whose packages will run as your web server, so before installing check that the downloaded .repo file has gpgcheck=1 and a gpgkey entry, and that you trust the source.

cd /etc/yum.repos.d && sudo wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo
sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd

Switch Apache to the event MPM. On CentOS 7 the MPM is selected by which LoadModule line is uncommented in /etc/httpd/conf.modules.d/00-mpm.conf: comment out mpm_prefork_module, uncomment mpm_event_module, restart httpd and confirm with httpd -V. mod_php only runs under prefork, so with event serve PHP through php-fpm if you need it.


Create a sudo user. Do this before disabling root SSH login below, or you will lock yourself out. On CentOS 7 members of wheel get sudo through the %wheel line in /etc/sudoers, which is enabled by default.

adduser eric
passwd eric

usermod -aG wheel eric
# test: switch to the new user and confirm sudo works
su - eric
sudo ls -la /root

Disable remote root login

Edit

sudo nano /etc/ssh/sshd_config
# whether root may log in over SSH
PermitRootLogin no
# restart the SSH service (CentOS)
sudo systemctl restart sshd

禁止使用密碼登入(需使用auth key登入)

sudo nano /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
# restart the SSH service (CentOS)
sudo systemctl restart sshd
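sshd has two parsing rules that make hand edits like the ones above easy to get wrong: the first occurrence of a keyword wins (a later PermitRootLogin yes is silently ignored, and an earlier one silently overrides your edit), and anything after a Match block is conditional. The following added example (not from the original post) reads an sshd_config, reports the effective global value of a keyword under those rules, and audits the three settings discussed here. The config fragment it checks is constructed; the function names are my own.

```shell
#!/bin/sh
# Added example: audit sshd_config the way sshd reads it.

# Print the effective global value of a keyword: comments stripped, keywords
# case-insensitive, "Key value" or "Key=value" accepted, FIRST occurrence
# wins, and the scan stops at the first Match block. Prints nothing if unset.
sshd_effective() {
    file="$1"
    keyl=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$keyl" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n == 0 || f[1] == ""        { next }
        tolower(f[1]) == "match"    { exit }        # global section ends here
        tolower(f[1]) == k          { print f[2]; exit }  # first occurrence wins
    ' "$file"
}

# Check the settings this post hardens. An unset keyword is reported as a
# finding rather than guessed, because the compiled-in default differs
# between distributions. Returns non-zero if any finding was printed.
audit_sshd_config() {
    file="$1"; rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no ChallengeResponseAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$file" "$key")
        if [ -z "$got" ]; then
            echo "FINDING: $key is not set (compiled-in default applies); set it to $want"; rc=1
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FINDING: $key is '$got' (want $want)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sshd_config: the post's two edits, a stale duplicate sshd
# ignores, and a Match block that must not be read as a global setting.
make_sample_config() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
# Comments and blank lines are ignored
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes        # duplicate: ignored, first occurrence wins
Match User deploy
    PasswordAuthentication yes
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone usage: one finding (ChallengeResponseAuthentication is unset).
cfg=$(make_sample_config)
audit_sshd_config "$cfg" || true
rm -f "$cfg"
```

Run it against /etc/ssh/sshd_config before the restart, and also run sudo sshd -t, which validates the syntax so a typo cannot leave you with a daemon that refuses to start.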

Logging in with PuTTY using a key pair (Windows)

1. Generate a key pair

Download and run PuTTY Key Generator

https://www.puttygen.com/

(move the mouse over the blank area while it gathers randomness)

2. Save both the public key and the private key

You can set a key passphrase. Without one PuTTY will not ask for anything when it loads the private key at login; setting one is recommended, because it is what protects the private key file if it is copied.

3. Put the public key on the server
Paste the line beginning with ssh-rsa into ~/.ssh/authorized_keys on the server (create the file if it doesn't exist). Use the text shown in PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box: the .pub file PuTTYgen saves is in a different (RFC 4716, "---- BEGIN SSH2 PUBLIC KEY ----") format that sshd does not read.

mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys

If login still fails, the new files may carry the wrong SELinux labels (check /var/log/audit/audit.log); relabel the home directories:

restorecon -R -v /home

4. Load the private key (.ppk) in PuTTY under Connection > SSH > Auth and connect
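Steps 3 and 4 are the part people get wrong: a wrong permission, a group-writable home directory (StrictModes then rejects the key) or a key pasted in the wrong format all produce the same "Server refused our key" message. The following added example (not from the original post) performs the server-side step as a function: it rejects non-OpenSSH key lines, creates ~/.ssh and authorized_keys with the required modes, appends the key only if the same key blob is not already present, and relabels for SELinux when restorecon exists. The home directory is a parameter so it can be exercised against a temporary directory; the key blobs used in the usage are made up and will not authenticate anything. Run it as the target user, or chown the results afterwards if you run it as root for someone else.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key into authorized_keys
# idempotently, with the permissions sshd's StrictModes requires.

# Usage: install_authorized_key <home_dir> "<ssh-rsa|ssh-ed25519|ecdsa-sha2-... AAAA... [comment]>"
install_authorized_key() {
    home_dir="$1"; pubkey="$2"

    # Accept a single OpenSSH public-key line only. The "---- BEGIN SSH2
    # PUBLIC KEY ----" block PuTTYgen saves as .pub is not understood by sshd.
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line: $pubkey" >&2; return 2 ;;
    esac

    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    # StrictModes also rejects keys when the home directory is writable by others.
    chmod go-w "$home_dir"

    # Append only if the same key (type + blob, comment ignored) is not present.
    blob=$(printf '%s' "$pubkey" | awk '{print $1, $2}')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' \
            "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >>"$home_dir/.ssh/authorized_keys"
    fi

    # The post's SELinux step, applied only where the tool exists.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home_dir/.ssh" >/dev/null 2>&1 || true
    fi
}

# Number of key lines currently installed for a home directory.
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Symbolic mode of a path (e.g. drwx------); the 10-column cut drops the
# "." or "+" that ls appends on SELinux/ACL systems.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone usage against a scratch directory with made-up key blobs.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForTheExample0000000000 eric@laptop"
install_authorized_key "$demo_home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMadeUpBlobForTheExample0000000000 eric@desktop"
echo "keys installed: $(count_authorized_keys "$demo_home")   # 1: same blob, different comment"
rm -rf "$demo_home"
```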

Install Tomcat


Compile mod_jk yourself


Connect Apache to Tomcat. workers.properties defines the AJP worker Apache forwards to. Note that worker.stat1 below is defined but not added to worker.list, so it is unused unless you list it and JkMount a path for it. Keep the Tomcat AJP connector bound to localhost, as here; since Tomcat 8.5.51 / 9.0.31 the connector also refuses connections without a shared secret (worker.app1Worker.secret in this file matching secret="..." on the connector) unless you set secretRequired="false".

sudo nano /etc/httpd/conf/workers.properties
workers.apache_log=/var/log/httpd
worker.list=app1Worker
worker.stat1.type=status

worker.app1Worker.type=ajp13
#put your app host here
worker.app1Worker.host=localhost
worker.app1Worker.port=8009
sudo nano /etc/httpd/conf.d/mod_jk.conf
LoadModule jk_module "/etc/httpd/modules/mod_jk.so"

JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk shared memory
JkShmFile     /var/run/httpd/mod_jk.shm
# Where to put jk logs
JkLogFile     /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel    info
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
#JkRequestLogFormat "%w %V %T"
#JkEnvVar SSL_CLIENT_V_START worker1

Virtual host setup. JkMount sends everything to Tomcat; the JkUnMount excludes /.well-known/ so that paths such as ACME (Let's Encrypt) challenges are served by Apache instead.

sudo nano /etc/httpd/conf.d/app1.conf
<VirtualHost *:80>
       ServerName cloud.yslifes.com
       JkMount /* app1Worker
       JkUnMount /.well-known/* app1Worker
</VirtualHost>
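mod_jk does not complain loudly when a worker is unreachable or when Tomcat rejects AJP for lack of a secret; you find out from 503s and mod_jk.log. The following added example (not from the original post) lints a workers.properties before you load it: it reports workers in worker.list without a type, defined workers missing from the list (the post's stat1 is one), ajp13 workers that point at a non-loopback host, and ajp13 workers with no secret. The properties file it checks is a constructed copy of the one above; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check a mod_jk workers.properties.
# Prints one FINDING per line; returns non-zero when anything was found.
check_workers() {
    file="$1"
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }                    # comments, blank lines
        {
            key = $1; val = $2
            gsub(/[ \t]+/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "worker.list" {                            # workers Apache may reference
            n = split(val, l, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) listed[l[i]] = 1
            next
        }
        key ~ /^worker\.[^.]+\.[^.]+$/ {                  # worker.<name>.<property>
            split(key, p, ".")
            prop[p[2], p[3]] = val; defined[p[2]] = 1
        }
        END {
            for (w in listed) {
                if (!((w, "type") in prop)) {
                    print "FINDING: " w " is in worker.list but has no type"; bad = 1; continue
                }
                if (prop[w, "type"] == "ajp13") {
                    if (!((w, "host") in prop) || !((w, "port") in prop)) {
                        print "FINDING: " w " lacks host or port"; bad = 1
                    }
                    h = prop[w, "host"]
                    if (h != "localhost" && h != "127.0.0.1" && h != "::1") {
                        print "FINDING: " w " connects to non-loopback AJP host " h " (AJP is unauthenticated beyond the secret)"; bad = 1
                    }
                    if (!((w, "secret") in prop)) {
                        print "FINDING: " w " has no worker." w ".secret (Tomcat 8.5.51+/9.0.31+ reject AJP without one unless secretRequired=\"false\")"; bad = 1
                    }
                }
            }
            for (w in defined) if (!(w in listed)) {
                print "FINDING: " w " is defined but not in worker.list (unreachable)"; bad = 1
            }
            exit bad
        }
    ' "$file"
}

# Constructed copy of the post's workers.properties.
make_sample_workers() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
workers.apache_log=/var/log/httpd
worker.list=app1Worker
worker.stat1.type=status

worker.app1Worker.type=ajp13
#put your app host here
worker.app1Worker.host=localhost
worker.app1Worker.port=8009
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone usage: two findings (stat1 unlisted, app1Worker has no secret).
f=$(make_sample_workers)
check_workers "$f" || true
rm -f "$f"
```

The corresponding Tomcat side is the AJP Connector in server.xml with address="127.0.0.1" and secret="..." set to the same value as worker.app1Worker.secret.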

Install Brotli web compression
