使用dd命令创建一个swap分区

[root@localhost Desktop]#dd if=/dev/zero of=/home/swap bs=1024 count=1048576

#count的计算公式： count=SIZE*1024 (size以MB为单位）
这样就建立一个/home/swap的分区文件，大小为1G，接着需要格式化新建的SWAP分区：

[root@localhost Desktop]# mkswap /home/swap

再用swapon命令把这个文件分区变成swap分区

[root@localhost Desktop]#swapon /home/swap
#关闭SWAP分区命令为：[root@localhost Desktop]#swapoff /home/swap

再用free -m查看一下，可以看出swap扩大了。

为了能够让swap自动挂载，要修改/etc/fstab文件

vi /etc/fstab
在文件末尾加上
/home/swap swap swap default 0 0

这样就算重启系统，swap分区就不用手动挂载了。

参考：http://blog.chinaunix.net/uid-26881541-id-3347389.html

源代码安装

yum remove curl curl-devel
 
wget http://curl.haxx.se/download/curl-7.24.0.tar.bz2
tar xfj curl-7.24.0.tar.bz2
cd curl-7.24.0
./configure --prefix=/usr
make
make install
#check version
curl -V
./configure --with-curl=/usr --with-curlwrappers

参考：http://gadelkareem.com/2012/02/27/upgrade-curl-7-24-on-centos-6-2/

1、获取Squid源代码

wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.9.tar.gz

2、编译及安装

tar -zxvf squid-3.1.9.tar.gz
cd squid-3.1.9
./configure --prefix=/usr/local/squid --enable-arp-acl --enable-linux-netfilter --enable-pthreads --enable-err-language="Simplify_Chinese" --enable-default-err-language="Simplify_Chinese" --enable-auth="basic" --enable-baisc-auth-helpers="NCSA" --enable-underscore
make
make install

3、编译生成Squid认证程序ncsa_auth

cd helpers/basic_auth/NCSA/
make
cp ncsa_auth /usr/sbin/
cd ../../../

4、使用htpasswd来生成用户名/密码对应的文件

htpasswd -c /usr/local/squid/password <用户名>

5、修改Squid配置文件

cd /usr/local/squid/
mv -f etc/squid.conf etc/squid.conf.bak
vi etc/squid.conf
 
# 插入如下内容
 
 
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT
  
auth_param basic program /usr/sbin/ncsa_auth /usr/local/squid/password
acl normal proxy_auth REQUIRED
http_access allow normal
  
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
  
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
  
# And finally deny all other access to this proxy
http_access deny all
  
# Squid normally listens to port 3128
http_port 3128
  
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
  
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir null /tmp
  
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache
  
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

6、启动Squid

./sbin/squid

转载：http://www.oschina.net/code/snippet_4873_1535

安装教程

cd /usr/local/src
wget http://techsware.in/downloads/harden.sh
chmod 755 harden.sh
./harden.sh 

1：什么是KalluscPHarden？
答：KalluscPHarden是一个shell脚本，基于cPanel服务器安全加固、检查。

2：会为cPanel做什么？
答：改变调整设置，密码修改强度，后台进程检查，编译器的访问安全，Shell Bomb Fork保护等设置....

3：有什么额外的应用程序将安装到服务器？
答：CSF，CMM，CMQ，CMC，Maldet，Rkhunter，Linux Socket 监控，Linux的环境安全等

4：服务器会有哪些地方被调整/加固？
答：Apache，cPanel，FTP，SSH，MySQL，CSF，PHP等

5: What additional hardening steps it does ?
Ans : TMP hardening, Logrotate hardening, Daily Rkhunter scanning, rDNS Check, Disable unwanted processes, SYN FLOOD Kernel Tweak, etc

6: How to recover the old configuration, before running this tool?
Ans : All configurations will be backup as conf_file.beforetweak before making changes to it. So you can compare the configurations in you want to check anything.

7: Any more tweaks it do ?
Ans : Check change log for recent changes to the script

8：这个脚本多少钱？
答：它是完全免费的。

9：想知道更多？
Ans : Please feel free to reach me at kallu[at]techsware.in

官方主页：http://techsware.in/kcpharden.html

SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like

SYNFLOOD_RATE = "5/s"
SYNFLOOD_BURST = "3"

i.e. if 5 connections are received from an IP/sec for 3 times, block it. Make sure don't keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections.

摘自：http://www.webhostingtalk.com/showthread.php?t=892958

Hello,
update script not part from directadmin.com
**** USE IT YOUR OWN RISKS ****

*****
*****
*****

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 2006,2007 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Update script made by Wael Isa
H188, R4008, Arad 240, Kingdom of Bahrain
http://www.web4host.net
Version: 1.8.1
Release Date: 1 / 9 / 2006

*****
*****
*****

If you find update script useful, please consider to make a donation to support this freeware.
Please keep in mind that donations are welcome, but in no way required to use and distribute update.script.
You can support update.script by paypal – CLICK HERE

update.script Version: 1.8.1
update script tested in this OS 32bit and 64bit.

• RedHat Linux
• RedHat Fedora
• RedHat Enterprise
• CentOS
• Debian

• OpenSSL (You need to build ssh, apache, php, etc after upgrade)
• Exim
• OpenSSH
• ProFTP
• ProFTP with mod_clamav
• phpMyAdmin
• F-PROT Anti-Virus
• AVG
• ClamAV
• MODclamAV
• MRTG
• SquirrelMail
• SquirrelMail full language pack
• SpamAssassin
• MODsecurity 2.x (Apache 2.x Only)
• ImageMagick
• GraphicsMagick
• eAccelerator
• FFMPEG-php
• PHP Clamav
• Webmin control panel (You need to open one port 10000 in your firewall)
• MailScanner
• Suhosin
• NoBody Check

安装

mkdir /usr/local/updatescript
cd /usr/local/updatescript
wget http://tools.web4host.net/update.script
chmod 755 update.script
Run this to read how to use.

运行以下命令查看如何使用

./update.script

查看更多：http://www.web4host.net/update-script/

ELS stands for Easy Linux Security. ELS was created by Richard Gannon, Martynas Bendorius and Wael Isa. ELS takes many of the tasks performed by our Administrators and puts it into an easy to use program for anyone to use. It is released under the GNU/GPL so it is free to use.

This program is always being improved with new features and bugfixes, so be sure to keep it up to date. If you found a bug or would like an improvement, please let us know! If you really like this program, donations are welcome!

支持的操作系统 :

* Red Hat Linux
* Red Hat Enterprise Linux
* Fedora Core
* CentOS
* Debian

ELS 有哪些功能:

* Install RKHunter
* Install RKHunter Cronjob which emails a user-set email address nightly
* Install/update APF
* Install/update BFD
* Install CHKROOTKIT
* Install CHKROOTKIT Cronjob which emails a user-set email address nightly
* Disable Telnet
* Force SSH Protocol 2
* Secure /tmp
* Secure /var/tmp
* Secure /dev/shm
* 安装/升级 Zend Optimizer
* 安装/升级 eAccelerator
* MySQL 4.1 and 5.0 Configuration Optimization
* Upgrade MySQL to 5.0
* Tweak WHM Settings for security and stability
* Configure RNDC if not already done (cPanel only)
* Change SSH port (also configure APF as necessary)
* Add wheel user and disable direct root login over SSH
* 优化 MySQL tables
* 安装/升级 Libsafe
* 安装/升级 ImageMagick (from latest source)
* Uninstall LAuS
* Harden sysctl.conf
* Install Chirpy’s Free Exim Dictionary Attack ACL (cPanel only)
* 更多!

安装 ELS, 以ROOT身份运行以下命令:

wget -O installer.sh http://els.web4host.net/installer.sh
chmod +x installer.sh
sh installer.sh

官方网站：http://www.web4host.net/easy-linux-security/

MySQL错误提示如下：

ERROR! MySQL server PID file could not be found!
Starting MySQL.. ERROR! The server quit without updating PID file (/var/lib/mysql/server.pcpartsadvice.com.pid)

解决办法：

# rm /var/lib/mysql/mysql.sock
# service mysqld restart

netstat 工具来检测SYN攻击

# netstat -n -p -t
tcp0 0 10.11.11.11:23124.173.152.8:25882 SYN_RECV-
tcp0 0 10.11.11.11:23236.15.133.204:2577 SYN_RECV-
tcp0 0 10.11.11.11:23127.160.6.129:51748 SYN_RECV-

LINUX系统中看到的，很多连接处于SYN_RECV状态（在WINDOWS系统中是SYN_RECEIVED状态）， 源IP地址都是随机的，表明这是一种带有IP欺骗的SYN攻击。

# netstat -n -p -t | grep SYN_RECV | grep :80 | wc -l
324

查看在LINUX环境下某个端囗的未连接队列的条目数，显示TCP端囗22的未连接数有324个，虽然还远达不到系统极限，但应该引起管理员的注意。

[root@pub wxjsr]# netstat -na | grep SYN_RECV
tcp 0 0 58.193.192.20:80 221.0.108.162:32383 SYN_RECV
tcp 0 0 58.193.192.20:80 125.85.118.231:2601 SYN_RECV
tcp 0 0 58.193.192.20:80 222.242.171.215:2696 SYN_RECV
tcp 0 0 58.193.192.20:80 116.52.10.51:2629 SYN_RECV
tcp 0 0 58.193.192.20:80 218.171.175.157:1117
[root@pub wxjsr]# netstat -na | grep SYN_RECV |wc
11 66 979

查看系统SYN相关的配置

Linux内核提供了若干SYN相关的配置，用命令： sysctl -a | grep syn

[root@metc apache2]# /sbin/sysctl -a | grep syn
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
fs.quota.syncs = 18

防范SYN攻击设置

#缩短SYN- Timeout时间：

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT

#每秒 最多3个 syn 封包 进入 表达为 ：

iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn-flood -j REJECT

#设置syncookies：

sysctl -w net.ipv4.tcp_syncookies=1
/sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=3000
/sbin/sysctl -w net.ipv4.tcp_synack_retries=1
/sbin/sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
/sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # 禁用icmp源路由选项
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # 忽略icmp ping广播包，应开启
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_all=1 # 忽略所有icmp ping数据，覆盖上一项

转载：http://www.tuicool.com/articles/m6nE3q

cat>>/home/cc.sh< #!/bin/sh
status=`netstat -na|awk '$5 ~ /[0-9]+:[0-9]+/ {print $5}' |awk -F ":" -- '{print $1}' |sort -n|uniq -c |sort -n|tail -n 1`
NUM=`echo $status|awk '{print $1}'`
IP=`echo $status|awk '{print $2}'`
result=`echo "$NUM > 150" | bc`
if [ $result = 1 ]
then
echo IP\:$IP is over $NUM, BAN IT!
echo $(date +"%y-%m-%d") `uptime`
/sbin/iptables -I INPUT -s $IP -j DROP
fi
EOF
ln -sf /usr/bin/apt-get /usr/bin/yum
yum install -y bc

执行/home/cc.sh即可！ 也可以将执行脚本加入到Cron执行！

转载：http://www.jb4.net/archives/74.html