01.Linux Core

  • SWAP 512MB
  • Private IP
   

Basic




Locale



# cat /etc/default/locale 
LC_ALL="en_US.UTF-8"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"


See locale-gen: 
locale-gen --purge en_US.UTF-8
and 
echo -e 'LANG="en_US.UTF-8"\nLANGUAGE="en_US:en"\n' > /etc/default/locale

export LANGUAGE=en_US.UTF-8
export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
locale-gen en_US.UTF-8
dpkg-reconfigure locales

/etc/default/locale
#  File generated by update-locale
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8


# export LC_ALL=en_US.UTF-8
# dpkg-reconfigure locales



Timezone


Ubuntu default: UTC
  • /usr/share/zoneinfo/* 時區檔
# ln -sf /usr/share/zoneinfo/Asia/Taipei /etc/localtime

# tzselect 
or
# dpkg-reconfigure tzdata


vi /etc/profile.d/TZ.sh
TZ='Asia/Taipei'
export TZ



Debian - Testing


/etc/apt/source.list
deb http://ftp.us.debian.org/debian/ testing main contrib non-free
deb-src http://ftp.us.debian.org/debian/ testing main contrib non-free

deb http://security.debian.org/ testing/updates main contrib non-free
deb-src http://security.debian.org/ testing/updates main contrib non-free 

deb http://ftp.us.debian.org/debian/ testing-proposed-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ testing-proposed-updates main contrib non-free

# aptitude update
# aptitude full-upgrade



Webmin


http://www.webmin.com/download.html

/srv/webmin/
# wget webmin.tar
# ./setup.sh
  • Changed SSH Port
  • Webmin + PG(PostgreSQL) perl module
  • Webmin SSL +
    • /etc/webmin/stop ; /etc/webmin/start
commands: /etc/webmin

/etc/rc.local
/etc/webmin/start


Users



# adduser wisdomfish



增加預設套件來源


# aptitude install nginx postgresql mercurial
  • mysql-server
# /etc/init.d/nginx start
  • apache2-utils (ab)
  • siege


sysctl
# cat /proc/sys/fs/file-max 
76455
root@li408-72:~# sysctl -a | grep file
fs.file-nr = 384 0 76455
fs.file-max = 76455
fs.xfs.filestream_centisecs = 3000

/etc/sysctl.conf or /etc/sysctl.d/local.conf
# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1

# by Kuo, ChaoYi
fs.file-max = 2390251

# net.core.somaxconn = 128 -> 262144
net.core.somaxconn = 10240
# net.core.netdev_max_backlog = 1000 -> 262144
net.core.netdev_max_backlog = 10240

# net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_fin_timeout = 1
# net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_time = 30

# net.ipv4.tcp_max_orphans = 65536 -> 262144
net.ipv4.tcp_max_tw_buckets = 6000  
# net.ipv4.tcp_max_syn_backlog = 512 -> 262144
net.ipv4.tcp_max_syn_backlog = 10240

# net.ipv4.ip_local_port_range = 32768  61000
net.ipv4.ip_local_port_range = 1024    65000

# net.ipv4.tcp_syncookies = 1
# net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_synack_retries = 1
# net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_syn_retries = 1

# net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_recycle = 1
# net.ipv4.tcp_tw_reuse = 0



HG
~/.hgrc
[ui]
username = Kuo, ChaoYi <Kuo.ChaoYi@gmail.com>
verbose = True

/etc/mercurial/hgrc
[extensions]
color =


/etc/postgresql/9.0/main/postgresql.conf
listen_addresses = '*'          # what IP address(es) to listen on;

/etc/postgresql/9.0/main/pg_hba.conf
host    all             all             x.x.x.x/0                 md5

example
#
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 connections from any address (mask 0.0.0.0 matches every host, not only local ones):
host all all 0.0.0.0 0.0.0.0 md5
# IPv4 loopback connections (127.0.0.1/32); the IPv6 loopback rule (::1/128) is below:
host    all             all             127.0.0.1/32            md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     postgres                                peer
#host    replication     postgres        127.0.0.1/32            md5
#host    replication     postgres        ::1/128                 md5
host    all             all             ::1/128                 md5

# /etc/init.d/postgresql restart



JDK



cd /opt
# wget https://raw.github.com/flexiondotorg/oab-java6/master/oab-java6.sh -O oab-java6.sh
# aptitude install sun-java6-bin sun-java6-demo sun-java6-fonts sun-java6-javadb sun-java6-jdk sun-java6-jre sun-java6-plugin sun-java6-source
# aptitude install sun-java6-jre sun-java6-plugin

#aptitude install sun-java6-bin sun-java6-demo sun-java6-fonts sun-java6-javadb sun-java6-jdk sun-java6-jre sun-java6-plugin sun-java6-source

Download Oracle JDK, set JAVA_HOME and bin.



Security

Linux Firewall


Webmin can set one up for you, to be stored in the save file /etc/sysconfig/iptables

清空 Rules 用
#!/bin/sh
# Reset every netfilter table to an empty, all-ACCEPT state.
# For the nat, mangle, filter and raw tables this flushes all rules,
# deletes user-defined chains and sets each built-in chain's policy to
# ACCEPT. NOTE: once this has run the host accepts all traffic until a
# ruleset (e.g. /etc/iptables.up.rules) is loaded again. Must run as root.

# reset_table TABLE CHAIN...
# Flush TABLE, delete its custom chains, then set the policy of every
# listed built-in CHAIN to ACCEPT.
reset_table() {
  table=$1
  shift
  iptables -t "$table" -F
  iptables -t "$table" -X
  for chain in "$@"; do
    iptables -t "$table" -P "$chain" ACCEPT
  done
}

reset_table nat PREROUTING POSTROUTING OUTPUT
reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
# "filter" is iptables' default table; named explicitly for symmetry
reset_table filter FORWARD INPUT OUTPUT
reset_table raw PREROUTING OUTPUT

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080


Rules file /etc/iptables.up.rules
# Generated by iptables-save v1.4.10 on Thu Dec  8 01:58:21 2011
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport ???? -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport ???? -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport ???? -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG  --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Dec  8 01:58:21 2011


/etc/sysctl.conf

  • /etc/sysctl.d/10-network-security.conf
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

# by Kuo
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.ip_local_port_range = 1024 65000


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
 net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router -- note this conflicts with net.ipv4.ip_forward = 1 set in the earlier sysctl section)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
#


執行以下指令使設定生效:
/sbin/sysctl -p

# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1






舊筆記 for Ubuntu




Hg



安裝參考 > Mercurial - hg [內部連結]

# sudo apt-get install python-all-dev
# sudo apt-get install python-setuptools
# sudo easy_install -U mercurial

# hg --version

# apt-get install mercurial
# hg --version



/etc/.hgignore
webmin/system-status/
alternatives/
webmin/package-updates/
X11/
defoma/
.java/
gtk-2.0/



SSHd



change the listening port (Port directive) in
/etc/ssh/sshd_config

PermitRootLogin no

ssh-keygen -t rsa -b 1024
(1024-bit RSA keys are now considered too weak; prefer at least 2048 bits, or an ed25519 key.)







Software Package Updates







Packages




PostgreSQL



Ubuntu 11.10 add PostgreSQL 9.1

/etc/apt/source.list.d/org.wisdomfish.list
# PostgreSQL 9.x
deb http://ppa.launchpad.net/pitti/postgresql/ubuntu maverick main
deb-src http://ppa.launchpad.net/pitti/postgresql/ubuntu maverick main

# ORACLE-JAVA
deb http://archive.canonical.com/ubuntu maverick partner
* enabled /etc/apt/source.list all '#'


Bugs,


/etc/sysctl.d/30-postgresql-shm.conf
# Shared memory settings for PostgreSQL

# Note that if another program uses shared memory as well, you will have to
# coordinate the size settings between the two.

# Maximum size of shared memory segment in bytes
kernel.shmmax = 33554432

# Maximum total size of shared memory in pages (normally 4096 bytes)
kernel.shmall = 2097152

# /etc/init.d/postgresql restart






JDK 7


Ubuntu 11.10
# apt-get install java7-jdk
# update-alternatives --config java

http://www.oracle.com/technetwork/java/javase/downloads/java-se-jdk-7-download-432154.html
/usr/lib64/jvm/

sudo update-alternatives --config java
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.7.0/jre/bin/java 3
Ref: http://www.shinephp.com/install-jdk-7-on-ubuntu/

JAVA_HOME=/home/kuochaoyi/jdk7
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
export PATH

CATALINA_HOME=/opt/javaEE/tomcat7
export CATALINA_HOME
CATALINA_OPTS="-server -Xmx400m"
export CATALINA_OPTS


# apt-get update
# apt-get install sun-java6-jdk sun-java6-plugin
# apt-get install postgresql-9.0




Nginx



http://wiki.nginx.org/Install#Ubuntu_PPA

echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu $(lsb_release -cs) main" >> /etc/apt/sources.list.d/nginx.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C300EE8C
apt-get update && apt-get install nginx

deb http://ppa.launchpad.net/nginx/stable/ubuntu oneiric main

http://nginxlibrary.com/ubuntu-latest-nginx/


Bug:
root@li388-54:/etc/init.d# ./nginx start
Starting nginx: nginx: [emerg] unknown "https" variable
nginx: configuration file /etc/nginx/nginx.conf test failed
root@li388-54:/etc/init.d# vi /etc/nginx/fastcgi_params
# fastcgi_param HTTPS                   $server_https;
http://www.webhostingtalk.com/showthread.php?t=1099802







Tomcat 7



Play! Framework



/srv
# ln -s /opt/play-1.x /opt/play-1 

# vi /etc/profile.d/wsidomfish.sh
PLAY_HOME=/KuoSDK/play-1
PATH=$PATH:$PLAY_HOME
export PLAY_HOME
export PATH



LAPM



三分鐘快速安裝nginx+php5-fpm,以Ubuntu 11.04為例, http://blog.lyhdev.com/2011/05/nginxphp5-fpmubuntu-1104.html

Creating config file /etc/php5/fpm/php.ini with new version
root@li176-97:~# /etc/init.d/nginx start
Starting nginx: nginx.
root@li176-97:~# /etc/init.d/php5-fpm start
 * Starting PHP5 FPM...
   ...done.


Security

vi php5/fpm/pool.d/www.conf -> listen = 127.0.0.1:30000

nginx/sites-available/default
        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:30000;
                fastcgi_index index.php;
                include fastcgi_params;
        }

#/etc/init.d/php5-fpm reload
#/etc/init.d/nginx reload


PHP-FPM
/etc# vi /etc/nginx/fastcgi_params
fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;




Dist upgrade



# apt-get install update-manager-core
# do-release-upgrade
// rebooted
# lsb_release -a

or
# vi /etc/update-manager/release-upgrades
Prompt=normal

# do-release-upgrade -d


GPG keys



Reading package lists... Done
W: GPG error: http://extras.ubuntu.com oneiric Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 16126D3A3E5C1192
W: GPG error: http://ppa.launchpad.net maverick Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 99B656EA8683D8A2

# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 16126D3A3E5C1192



Subpages (3): Nginx 1 sysctl Tomcat
Comments