הוסטס - פורום אחסון האתרים הגדול בישראל - תחזוק שרת Web סודות, טריקים וסקריפטים שימושיים

מי שמכיר אותי ואת העבר שלי בתחום תחזוק שרתי ה-WEB יודע שהייתי בין החלוצים שנתנו תמורה טובה לשירות ולפיתוחו..

עד 2007 החזקתי את פורום FXP, איפשהו בדרך אחסנתי את מערכת הפורומים הזאת ותחזקתי לא מעט שרתים וחברות הוסטינג שקיימות עד היום.

בכל מקרה, מצאתי תקייה ששמרתי חלק מהסקריפטים וההגדרות שבזמנו היו שוות זהב והיום איך שהשוק השתנה כרגע אין לי ממש צורך בהם. נכון לעכשיו אין לי ממש תוכניות לחזור לשוק ואין לי בעיה לשתף אותכם.

השימוש בהגדרות הנ"ל ובסקריפטים דורש ידע בסיסי בתחזוק שרתים ונוסה לאחרונה על שרת ב-2008 ככה שיכול להיות שצריך לעשות קצת טוויקים בשביל להתאים את הדברים שאני אפרסם לשרתים של היום.

הכל עבד תחת מערכת הפעלה CentOS (תהרגו אותי אני כבר לא זוכר איזה גירסה)

על אחריותכם.

דבר ראשון חשוב לעדכן את כל התוכנות על השרת זה נעשה פשוט יותר בעזרת הסקריפט הבא:
http://www.web4host.net/forum/viewtopic.php?f=2&t=1
כ"כ
http://www.directadmin.com/forum/showthread.php?t=14500

תעקבו אחרי המדריך וההגדרות שהוא נותן שם הם טובות, אבל אני ממליץ על ההגדרות הבאות:

httpd.conf main config

קוד:

RLimitMEM 194692778

RLimitCPU 70



Timeout 10

KeepAlive Off

MaxKeepAliveRequests 20

KeepAliveTimeout 5

MinSpareServers 7

MaxSpareServers 13

StartServers 7

MaxClients 50

MaxRequestsPerChild 20

script for determining RLimitMEM (perl)

קוד:

#!/usr/bin/perl



BEGIN {

               push(@INC,"/scripts");

}





#this is under the artistic lics

print "This should help you alot prevanting serverloads go boom :D~ enjoy :D~ david..";

print "Calculating Memory Limit blablabla.... .....";        

$size = 0;

open(MEMINFO,"/proc/meminfo");

while(<MEMINFO>) {

        tr/[A-Z]/[a-z]/;

        if (/^(\S+):\s*(\S+)\s(\S+)$/) {

                if ($3 eq "kb") {

                        if ($1 eq "swaptotal") { print "..$2..";

                                $size += int($2 / 3);

                                print "$size";

                         }

                        if ($1 eq "memtotal") { print "..$2.."; 

                                $size += int($2 / 2);

                                print "$size";

                        }

                }

        }

}

if (-e "/usr/local/bin/muse") {

      foreach (split(/\n/,`/usr/local/bin/muse`)) {

         if(/^(total|inactive):[\t|\s]*(\d+)/i) { $size += int($2 / 1024 / 2); }

      }

}



$size = int($size / 2);

$size = int($size * 1024);

print "..$size..\n";



$size = int($size / 3);

print "..$size..<save this number yair\n";



close(MEMINFO);

mod_security config httpd.conf

קוד:

<IfModule mod_security.c>

# Turn the filtering engine On or Off

SecFilterEngine On



# Change Server: string

SecServerSignature off



# This setting should be set to On only if the Web site is

# using the Unicode encoding. Otherwise it may interfere with

# the normal Web site operation.

SecFilterCheckUnicodeEncoding Off



# The audit engine works independently and

# can be turned On of Off on the per-server or

# on the per-directory basis. "On" will log everything,

# "DynamicOrRelevant" will log dynamic requests or violations,

# and "RelevantOnly" will only log policy violations

SecAuditEngine RelevantOnly

    # Make sure that URL encoding is valid

    SecFilterCheckURLEncoding On



    SecFilterDebugLog logs/modsec_debug_log

    SecFilterDebugLevel 0



# The name of the audit log file

SecAuditLog logs/audit_log



# Should mod_security inspect POST payloads

SecFilterScanPOST On



# Action to take by default

SecFilterDefaultAction "deny,log,status:403"



## ## ## ## ## ## ## ## ## ##

## ## ## ## ## ## ## ## ## ##



# Require HTTP_USER_AGENT and HTTP_HOST in all requests

# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"



# Require Content-Length to be provided with

# every POST request

SecFilterSelective REQUEST_METHOD "^POST$" chain

SecFilterSelective HTTP_Content-Length "^$"

    # Prevent OS specific keywords

    SecFilter /etc/password



# Don't accept transfer encodings we know we don't handle

# (and you don't need it anyway)

SecFilterSelective HTTP_Transfer-Encoding "!^$"



# Protecting from XSS attacks through the PHP session cookie

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"

SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"



SecFilter "viewtopic\.php\?" chain

SecFilter "chr\(([0-9]{1,3})\)" "deny,log"





# Block various methods of downloading files to a server

SecFilterSelective THE_REQUEST "wget " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "lynx " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "scp " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "ftp " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "cvs " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "rcp " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "curl " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "telnet " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "ssh " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "echo " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links -dump " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links -dump-charset " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links -dump-width " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links http:// " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links ftp:// " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "links -source " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "mkdir " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "cd /tmp " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "cd /var/tmp " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "/config.php?v=1&DIR " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "/../../ " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "&highlight=%2527%252E " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "arta\.zip " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "cmd=cd\x20/var " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "HCL_path=http " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "clamav-partial " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "vi\.recover " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "netenberg " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "psybnc " "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "fantastico_de_luxe " "redirect:http://abuse.novel.co.il/"

#Block BCC/PHP Spam

SecFilterSelective THE_REQUEST|POST_PAYLOAD "bcc|Bcc|BCc|BCC|bCc|bCC|bcC|BcC" chain 

SecFilterSelective THE_REQUEST|POST_PAYLOAD "com|org|net"  "redirect:http://abuse.novel.co.il/"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt 

SecFilterSelective THE_REQUEST "/quick-reply\.php" chain 

SecFilter "phpbb_root_path=" "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

SecFilterSelective HTTP_USER_AGENT "Wget"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "wget"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective "POST_PAYLOAD" "wget" "redirect:http://abuse.novel.co.il/"

SecFilterSelective "POST_PAYLOAD" "su root" "redirect:http://abuse.novel.co.il/"

SecFilterSelective "POST_PAYLOAD" "mkdir" "redirect:http://abuse.novel.co.il/"

SecFilterSelective "POST_PAYLOAD" "rm -rf" "redirect:http://abuse.novel.co.il/"

SecFilterSelective THE_REQUEST "/phpmyadmin.+cfg\\[" "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "wget"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "ftp"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "cvs"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "telnet"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "ssh"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "cd /var/tmp"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "cd /tmp"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "v=1&DIR"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "/../../ "  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "&highlight=%2527%252E"  "redirect:http://abuse.novel.co.il/"

SecFilterSelective HTTP_USER_AGENT "changedir=%2Ftmp%2F.php"  "redirect:http://abuse.novel.co.il/"



</IfModule>

change abuse.novel.co.il to your abuse adress

Boosting up network connections (bash script - make "script.sh" chmod it and run)

קוד:

#!/bin/bash



# Create backup

if [ ! -e ./speed_backup.sh ] ; then

echo -n "Creating backup (`pwd`/speed_backup.sh)... "

echo "#!/bin/bash" > ./speed_backup.sh

echo "" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/ipv4/tcp_sack`\" > /proc/sys/net/ipv4/tcp_sack" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/ipv4/tcp_timestamps`\" > /proc/sys/net/ipv4/tcp_timestamps" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/ipv4/tcp_mem`\" > /proc/sys/net/ipv4/tcp_mem" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/ipv4/tcp_rmem`\" > /proc/sys/net/ipv4/tcp_rmem" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/ipv4/tcp_wmem`\" > /proc/sys/net/ipv4/tcp_wmem" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/core/optmem_max`\" > /proc/sys/net/core/optmem_max" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/core/rmem_default`\" > /proc/sys/net/core/rmem_default" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/core/rmem_max`\" > /proc/sys/net/core/rmem_max" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/core/wmem_default`\" > /proc/sys/net/core/wmem_default" >> ./speed_backup.sh

echo "echo \"`cat /proc/sys/net/core/wmem_max`\" > /proc/sys/net/core/wmem_max" >> ./speed_backup.sh

chmod 744 ./speed_backup.sh

echo -e "\tdone!"

else

echo "Backup found (`pwd`/speed_backup.sh). Skipping creation of one."

fi



# Boost buffer settings

echo -n "Boosting... "

echo "0" > /proc/sys/net/ipv4/tcp_sack

echo "0" > /proc/sys/net/ipv4/tcp_timestamps

echo "3129344 3137536 3145728" > /proc/sys/net/ipv4/tcp_mem

echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_rmem

echo "65536 1398080 2796160" > /proc/sys/net/ipv4/tcp_wmem

echo "163840" > /proc/sys/net/core/optmem_max

echo "1048560" > /proc/sys/net/core/rmem_default

echo "2097136" > /proc/sys/net/core/rmem_max

echo "1048560" > /proc/sys/net/core/wmem_default

echo "2097136" > /proc/sys/net/core/wmem_max

echo -e "\tdone!"

Dos.pl antiddos perl script (needs apf to work)

קוד:

#!/usr/bin/perl

####################

# controls number of connections to the server from single ip

# blocks ip if there are > $allowed connections

# - damir ( proton.bolchat.org  )

###################



# delay (in secs)

$INTERVAL = 120;

# max number of connections allowed from one ip

$MAX = 550;

# safe list, i used hash, i think its faster than to call up regex



%WL = (

'127.0.0.1' => 1,

);

# port to monitor, 80 for webserver (apache).

$PORT = 80;



# don't touch anything below this line heh



open(STDERR, ">dos_log"); print STDERR "program starting " . `date`; select STDERR;

$| = 1;



if (fork) { exit(0); }

$SIG{ALRM} = 'IGNORE';



while (1) {

        sleep($INTERVAL);

        &check_load();

}



sub check_load {

        $cdate = localtime(time);

        $time = (time);

        if(%BLOCKED) {

        }



        undef(%u);

                foreach(split(/\n/, `netstat -an| grep tcp`))

                {

                        if($_ =~  /^tcp\s+0\s+0\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}):$PORT\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}):(.*)$/){

                                $u{$2}++;

                        }

                }

                

                foreach $i (keys %u){

                        if($u{$i} > $MAX && !$BLOCKED{$i})

                        {

                                if($WL{$i}) {

                                        print STDERR "IP on whitelist flooding: $i ( $u{$i} connectons ) load: " . `uptime`;

                                } else  {

                                        system("/etc/apf/apf -d $i");

                                        $BLOCKED{$i} = $time;

                                        print STDERR "$cdate blocked: $i ( $u{$i} connectons ) current load: " . `uptime`;

                                }

                        }

                }

}

perl script to kill and restart apache process when server load runs over 20 + sends out e-mail

קוד:

#!/usr/bin/perl

(`uptime` =~ /:\s+(\d+.?(\d+)?)/)?(($1>20)?system('killall -9 httpd;killall -9 httpd;killall -9 httpd;/sbin/service httpd stop;/sbin/service httpd start;echo -e "Subject: Load is above 20 apache restarted!\n\n:(\n.\n" | /usr/sbin/exim your@mail.here'):exit):exit;

crontab it every 10 minutes.
change email!

disable functions via php.ini

קוד:

disable_functions = shell, phpinfo, readfile, system, proc_terminate, proc_nice, pclose, popen, passthru, 

pcntl_fork, pcntl_exec, posix_kill, pcntl_signal, exec, escapeshellarg, escapeshellcmd, 

proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec

יש עוד אבל נשמור את זה לפעם הבאה, בהצלחה