Web server
An article from Tifauve|NET.
Serving
Lighttpd
Install via apt-get
- http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-lighttpd-et-php-sur-debian-4-0-etch
- Configuration (todo): https://calomel.org/lighttpd.html
Adding a new site
Create the log directory
Edit logrotate (sudo vim /etc/logrotate.d/lighttpd)
Add the site to logwatch (sudo vim /etc/logwatch/conf/override.conf)
Add a new awstats configuration
Edit the awstats crontab
Add the site to jawstats
Redmine
- http://www.redmine.org/wiki/redmine/Guide
- http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-the-redmine-project-management-application-on-debian-4-0-etch
- http://blog.josefsson.org/2008/10/17/redmine-on-debian-lenny-using-lighttpd/
/!\ Remember to add openssl: sudo apt-get install libopenssl-ruby1.8
My configuration for Rails with lighttpd 1.4
#Virtual host
server.modules += ( "mod_fastcgi", "mod_rewrite" )
# Exact match on the vhost name: an unanchored "=~" pattern also matches
# any Host header that merely contains the name, and its dots match any character.
$HTTP["host"] == "labs.zeneffy.fr" { # vhost name
    server.errorlog = "/var/log/lighttpd/zeneffy/labs/error.log"
    accesslog.filename = "/var/log/lighttpd/zeneffy/labs/access.log"
    server.document-root = "/var/www/zeneffy/labs/public"
    index-file.names = ( "dispatch.fcgi" )
    # Every request for a missing path is handed to Rails
    server.error-handler-404 = "/dispatch.fcgi"
    url.rewrite-once = (
        "^/(.*\..+(?!html))$" => "$0",
        "^/(.*)\.(.*)" => "$0",
    )
    fastcgi.server = (
        ".fcgi" => (
            "labs.tifauve.net" => (
                "bin-path" => "/var/www/zeneffy/labs/public/dispatch.fcgi",
                # /tmp is world-writable; a directory owned by the lighttpd user is a safer place for this socket
                "socket" => "/tmp/redmine.socket",
                "min-procs" => 1,
                "max-procs" => 2,
                "idle-timeout" => 20,
                "check-local" => "disable",
                "bin-environment" => ( "RAILS_ENV" => "production", "RAILS_ROOT" => "/var/www/zeneffy/labs" )
            )
        )
    )
}
For later, with lighttpd 1.5: http://www.hiddentao.com/archives/2008/12/06/redmine-svn-mysql-5-lighttpd-15/
Serving the 9Box
lighttpd can serve the 9Box media center instead of the Apache that ships with it. The configuration is below:
$SERVER["socket"] == "192.168.1.21:26180" {
    server.document-root = "/var/www/mediacenter/httpd/"
    server.errorlog = "/var/log/lighttpd/mp9lhd.log"
    accesslog.filename = "/var/log/lighttpd/mp9Access.log"
    #server.pid-file = "/var/run/mp9lhd.pid"
    #server.port = 26180
    mimetype.assign = (
        ".html" => "text/html",
        ".txt" => "text/plain",
        ".jpg" => "image/jpeg",
        ".png" => "image/png",
    )
    index-file.names = ( "index.php", "index.html" )
    # alias.url needs mod_alias, which must be loaded in the global server.modules list
    #server.modules +=("mod_alias")
    alias.url = ( "/__mp9ctl_share_1/" => "/var/mediaData/" )
}
Monitoring
Cacti on Ubuntu
Install via apt-get
- CACTI http://doc.ubuntu-fr.org/cacti
- SNMP snmp http://doc.ubuntu-fr.org/tutoriel/configurer_snmp_pour_utiliser_cacti_depuis_une_machine_distante
Useful scripts
New graph in Cacti
Script in /usr/share/cacti/site/scripts
1==
Data Input Methods->Add
Name: Remaining Voltage
Input Type: Script/Command
Input String: python /usr/share/cacti/site/scripts/battery.py
Output Fields
Field [Output]: voltage
Friendly Name: Remaining Voltage
2==
Data template->Add
Data Source
Name Template: Remaining Voltage
Data Source Name: |host_description| - Remaining Voltage
Data Input Method: Remaining Voltage
Internal Data Source Name: voltage
3==
Graph Templates->Add
Template
Name: Check remaining Voltage
Graph Template
Title: |host_description| - Check remaining Power
Vertical Label: mWh
Create->Graph Template Items->Add.
Graph Template Items
Data Source: Remaining Voltage (voltage)
Color: FF0000
Graph Item Type: AREA
Value: mWh
Text Format: voltage
Monit
Install via apt-get
Configuration file
Awstats
Piwik
Securing
UFW
Installed automatically
sudo ufw enable|disable
sudo ufw logging on|off
sudo ufw allow|deny port/tcp (or port/udp)
iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
- iptables: http://spamcleaner.org/fr/misc/w00tw00t.html
- UFW: http://www.ubuntugeek.com/ufw-uncomplicated-firewall-for-ubuntu-hardy.html
sudo ufw status
État : actif
Vers Action Depuis
---- ------ ------
22/tcp ALLOW Anywhere
22/udp ALLOW Anywhere
80/tcp ALLOW Anywhere
161/udp ALLOW Anywhere
67/udp ALLOW 68/udp
For DHCP:
sudo ufw allow from any port 68 to any port 67 proto udp
Rootkits
- To install: http://samiux.wordpress.com/2009/06/13/howto-make-sure-no-rootkit-on-your-ubuntu-9-04-server/
#!/bin/sh
# healthcheck: daily checks to secure the server
# The scanners need root, so the report goes to a mktemp file: a fixed name in
# /tmp could be pre-created or symlinked by another local user.
LOG=$(mktemp /tmp/healthcheck.XXXXXX) || exit 1
trap 'rm -f "$LOG"' EXIT
{
    echo "**** Healthcheck ****"
    echo "*********************"
    echo "1. chkrootkit =============="
    chkrootkit -q
    echo "============================"
    echo " "
    echo "2. rkhunter ================"
    rkhunter --cronjob --rwo
    echo "============================"
    echo " "
    echo "3. unhide =================="
    unhide proc -q
    unhide sys -q
    unhide brute -q
    unhide-tcp -q
    echo "============================"
} > "$LOG"
# sendEmail reads the message body from stdin
sendEmail -s smtp.cegetel.net -t julien@raigneau.net -q -u "[admin@shrek]Healthcheck" -f admin@tifauve.net < "$LOG"
http://didier.misson.net/blog/2007/11/13/securisation-d-un-serveur-linux-detection-des-rootkit-avec-rootkit-hunter/
sudo rkhunter --versioncheck
sudo rkhunter --update