Shell process monitoring script

The sh file

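#!/bin/bash
# Command line to keep running, e.g. "php /path/code.php"
CommandName=$1
# Count running instances, excluding the grep itself and this script
ExistingProcessNumber=$(ps -ef | grep -w "$CommandName" | grep -v -E "grep|$0" | wc -l)
# Minimum number of instances that should be running
DesiredProcessNumber=$2

# Start the missing instances in the background
for (( i=ExistingProcessNumber; i<DesiredProcessNumber; i++ ))
do
    $CommandName 2>&1 &
done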

Usage

./monitor_process.sh "php /path/code.php" 5

This ensures that at least 5 "php /path/code.php" processes are running.

Sending a header with an empty value using Curl in PHP

The integration partner required an empty Authorization header to be sent; however, testing showed that

curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: '));

does not work. curl automatically filters out empty headers. After searching Google for a long time, I found a hack:

curl_setopt($ch, CURLOPT_HTTPHEADER, array("Authorization: \r\nAccept: */*"));

Appending another header after the empty header makes it work.

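Upgrading OpenSSH on CentOS 7

A security scan reported that the server's OpenSSH version was lower than 7.7 and had security vulnerabilities, so it needed to be upgraded, and the tinkering began.

1. Install dependencies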

yum install -y pam pam-devel zlib zlib-devel gcc make

2. Back up the configuration file

cp /etc/ssh/sshd_config /root/sshd_config.bak

3. Remove the old versions of openssl and openssh. [Note] After openssl is removed, sudo reports errors, so log in as root first.

rpm -e --nodeps `rpm -qa|grep openss` 

4. Download the new versions of openssl and openssh
Download a 1.0.X version of openssl
Download the latest version of openssh

5. Install openssl

unzip openssl_XXXX.zip
cd openssl_XXXX
./config --prefix=/usr --shared && make && make install
ln -s /usr/lib64/libcrypto.so.1.0.0  /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0  /usr/lib64/libssl.so.10
chmod -R 644 /usr/ssl

6. Upgrade openssh

cp -R /etc/ssh/ /root/ssh-bak
tar -zxvf openssh_XXX.tar.gz
cd openssh_XXX
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
cp /root/sshd_config.bak /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig sshd on
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

7. Write the following into /etc/pam.d/sshd

auth required pam_sepermit.so 
auth include password-auth 
account required pam_nologin.so 
account include password-auth 
password include password-auth 
# pam_selinux.so close should be the first session rule 
session required pam_selinux.so close 
session required pam_loginuid.so 
# pam_selinux.so open should only be followed by sessions to be executed in the user context 
session required pam_selinux.so open env_params 
session optional pam_keyinit.so force revoke 
session include password-auth

8. Restart the sshd service

systemctl restart sshd
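
A pre-restart check for steps 6 to 8, added here as an example and not part of the original post: it confirms that the new binary reports at least 7.7, that the private host keys have no group or other access, and that sshd's test mode accepts the restored configuration. The function names and the `--run` argument are assumptions; the paths follow the `--prefix=/usr --sysconfdir=/etc/ssh` options used above.

```bash
#!/bin/bash
# Added example (not from the original post): checks to run before step 8.
MIN_MAJOR=7; MIN_MINOR=7   # threshold taken from the scan finding above

# version_ok BANNER: 0 if "OpenSSH_X.Y..." is >= 7.7, 1 if older, 2 if unparsable
version_ok() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 2
    [ "$1" -gt "$MIN_MAJOR" ] && return 0
    [ "$1" -eq "$MIN_MAJOR" ] && [ "$2" -ge "$MIN_MINOR" ]
}

# keys_ok DIR: 0 only if a private host key exists and none is group/other accessible
keys_ok() {
    found=0
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] || continue          # unmatched glob or not a regular file
        found=1
        mode=$(stat -c %a "$k") || return 2
        case "$mode" in
            ?00) ;;                      # 600 or 400: owner only
            *) echo "bad mode $mode on $k" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# preflight: version, key permissions, then sshd's own test mode (no restart)
preflight() {
    banner=$(ssh -V 2>&1)
    version_ok "$banner" || { echo "too old or unknown: $banner" >&2; return 1; }
    keys_ok /etc/ssh || { echo "host key check failed" >&2; return 1; }
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config
}

# "--run" is a hypothetical switch so that sourcing the file only defines functions
if [ "${1:-}" = "--run" ]; then
    preflight && echo "preflight passed: safe to restart sshd"
fi
```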

Configuring permissions under SELinux

Make a directory readable

chcon -Rt httpd_sys_content_t /PATH_TO_DIR

Make a directory readable and writable

chcon -Rt public_content_rw_t /PATH_TO_DIR
setsebool -P allow_httpd_anon_write=1

Check the directory's status

ll -Z

Open a port for use by http

yum install -y policycoreutils-python
semanage port -a -t http_port_t -p tcp 8080

If an error reports that the port is already defined, then

semanage port -m -t http_port_t -p tcp 8080

Allow the httpd process to access remote MySQL and Redis

sudo setsebool -P httpd_can_network_connect_db on
sudo setsebool -P httpd_can_network_connect on

Installing Nginx on CentOS 7

Install dependencies

yum install -y pcre pcre-devel zlib zlib-devel openssl openssl-devel

Download the source and install

wget https://nginx.org/download/nginx-1.15.8.tar.gz
tar -xzvf nginx-1.15.8.tar.gz
cd nginx-1.15.8
./configure --user=www --group=www
make && make install

Modify the Nginx configuration

mkdir /usr/local/nginx/conf/servers
vim /usr/local/nginx/conf/nginx.conf

Add the following at the end of the http block

include servers/*.conf;

Configure the environment variable

echo "export PATH=\$PATH:/usr/local/nginx/sbin" >> /etc/profile
source /etc/profile

Start at boot

echo "/usr/local/nginx/sbin/nginx" >> /etc/rc.local
chmod +x /etc/rc.local

Start and stop Nginx

nginx 
nginx -s stop
nginx -s quit
nginx -s reload