0x00 实验目的

根据文章”PHP绕过open_basedir列目录的研究”通过测试不同的配置验证本文的绕过basedir的方法是否有效,从而安全配置php open_basedir的目的.
文中后面几个方法都是windwos下采用枚举的方式列出目录,linux下需要做暴力猜解的方式才可以,所以[……]

安装Xdebug

wget http://xdebug.org/files/xdebug-2.2.7.tgz
tar zxvf xdebug-2.2.7.tgz
cd xdebug-2.2.7
phpize
./configure --enable-xdebug --with-php-config=/usr/local/php/bin/php-config
make
make install

wget http://xdebug.org/files/xdebug-2.2.7.tgz

tar zxvf xdebug-2.2.7.tgz

cd xdebug-2.2.7

phpize

./configure --enable-xdebug --with-php-config=/usr/local/php/bin/php-config

make

make install

配置

[……]

继续阅读

Centos6.x已有LNMP环境下编译安装Zabbix2.2

2014-07-06 by wwek·3条评论

#安装依赖库
yum -y install mysql-devel libcurl-devel net-snmp-devel Percona-Server-devel-55
#因为我的mysql使用的是percona55 所以这里需要装 Percona-Server-devel-55

#给zabbix在mysql中创建库和用户
create database zabbix character set utf8;
grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix';


#创建zabbix运行的独立用户
groupadd zabbix
useradd zabbix -g zabbix -s /sbin/nologin

#下载编译安装zabbix
wget -O zabbix.tar.gz -c "http://sourceforge.net/projects/zabbix/files/ZABBIX%20Latest%20Stable/2.2.4/zabbix-2.2.4.tar.gz/download"

tar zxvf zabbix.tar.gz
cd zabbix-2.2.4/

./configure --prefix=/usr/local/zabbix --enable-server --enable-agent \
--with-mysql --with-net-snmp --with-libcurl
make install

##编译错误解决
#checking for mysql_config... /usr/bin/mysql_config
#checking for main in -lmysqlclient... no
#configure: error: Not found mysqlclient library
ln -s /usr/lib64/mysql/libmysqlclient.so.16.0.0 /usr/lib64/mysql/libmysqlclient.so
ln -s /usr/lib64/mysql/libmysqlclient_r.so.16.0.0 /usr/lib64/mysql/libmysqlclient_r.so
ln -s /usr/lib64/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so
ln -s /usr/lib64/libmysqlclient_r.so.16.0.0 /usr/lib64/libmysqlclient_r.so

#导入zabbix的数据库
mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/schema.sql
mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/images.sql
mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/data.sql

#修改配置文件
cp misc/init.d/fedora/core/zabbix_server /etc/init.d/
cp misc/init.d/fedora/core/zabbix_agentd /etc/init.d/
cp -R frontends/php /data/wwwroot/zabbix  #复制web文件到网站目录，替换成你自己的
sed -i 's/^DBUser=.*$/DBUser=zabbix/g' /usr/local/zabbix/etc/zabbix_server.conf
sed -i 's/^.*DBPassword=.*$/DBPassword=zabbix/g' /usr/local/zabbix/etc/zabbix_server.conf
sed -i 's/BASEDIR=\/usr\/local/BASEDIR=\/usr\/local\/zabbix/g' /etc/init.d/zabbix_server
sed -i 's/BASEDIR=\/usr\/local/BASEDIR=\/usr\/local\/zabbix/g' /etc/init.d/zabbix_agentd

#增加服务端口<br>
cat >>/etc/services <<EOF
zabbix-agent 10050/tcp #Zabbix Agent
zabbix-agent 10050/udp #Zabbix Agent
zabbix-trapper 10051/tcp #Zabbix Trapper
zabbix-trapper 10051/udp #Zabbix Trapper
EOF

#启动服务
/etc/init.d/zabbix_server start
/etc/init.d/zabbix_agentd start
chkconfig zabbix_server on   #开机启动启动服务
#chkconfig zabbix_agentd on  #被控端
#echo "/etc/init.d/zabbix_server start" >> /etc/rc.local
#echo "/etc/init.d/zabbix_agentd start" >> /etc/rc.local

#安装依赖库

yum -y install mysql-devel libcurl-devel net-snmp-devel Percona-Server-devel-55

#因为我的mysql使用的是percona55 所以这里需要装 Percona-Server-devel-55

#给zabbix在mysql中创建库和用户

create database zabbix character set utf8;

grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix';

#创建zabbix运行的独立用户

groupadd zabbix

useradd zabbix -g zabbix -s /sbin/nologin

#下载编译安装zabbix

wget -O zabbix.tar.gz -c "http://sourceforge.net/projects/zabbix/files/ZABBIX%20Latest%20Stable/2.2.4/zabbix-2.2.4.tar.gz/download"

tar zxvf zabbix.tar.gz

cd zabbix-2.2.4/

./configure --prefix=/usr/local/zabbix --enable-server --enable-agent \

--with-mysql --with-net-snmp --with-libcurl

make install

##编译错误解决

#checking for mysql_config... /usr/bin/mysql_config

#checking for main in -lmysqlclient... no

#configure: error: Not found mysqlclient library

ln -s /usr/lib64/mysql/libmysqlclient.so.16.0.0 /usr/lib64/mysql/libmysqlclient.so

ln -s /usr/lib64/mysql/libmysqlclient_r.so.16.0.0 /usr/lib64/mysql/libmysqlclient_r.so

ln -s /usr/lib64/libmysqlclient.so.16.0.0 /usr/lib64/libmysqlclient.so

ln -s /usr/lib64/libmysqlclient_r.so.16.0.0 /usr/lib64/libmysqlclient_r.so

#导入zabbix的数据库

mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/schema.sql

mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/images.sql

mysql -uzabbix -pzabbix -hlocalhost zabbix < database/mysql/data.sql

#修改配置文件

cp misc/init.d/fedora/core/zabbix_server /etc/init.d/

cp misc/init.d/fedora/core/zabbix_agentd /etc/init.d/

cp -R frontends/php /data/wwwroot/zabbix #复制web文件到网站目录，替换成你自己的

sed -i 's/^DBUser=.*$/DBUser=zabbix/g' /usr/local/zabbix/etc/zabbix_server.conf

sed -i 's/^.*DBPassword=.*$/DBPassword=zabbix/g' /usr/local/zabbix/etc/zabbix_server.conf

sed -i 's/BASEDIR=\/usr\/local/BASEDIR=\/usr\/local\/zabbix/g' /etc/init.d/zabbix_server

sed -i 's/BASEDIR=\/usr\/local/BASEDIR=\/usr\/local\/zabbix/g' /etc/init.d/zabbix_agentd

#增加服务端口<br>

cat >>/etc/services <<EOF

zabbix-agent 10050/tcp #Zabbix Agent

zabbix-agent 10050/udp #Zabbix Agent

zabbix-trapper 10051/tcp #Zabbix Trapper

zabbix-trapper 10051/udp #Zabbix Trapper

EOF

#启动服务

/etc/init.d/zabbix_server start

/etc/init.d/zabbix_agentd start

chkconfig zabbix_server on #开机启动启动服务

#chkconfig zabbix_agentd on #被控端

#echo "/etc/init.d/zabbix_server start" >> /etc/rc.local

#echo "/etc/init.d/zabbix_agentd start" >> /etc/rc.local

问题处理

zabbix_server 不能监听端口tcp 10051 ？

打开日志 cat /tmp/zabbix_server.log

1635:20140706:015834.413 [Z3001][……]

继续阅读

Centos6.x Python环境搭建相关

2014-06-24 by wwek·0评论

使用pyenv管理安装Python多版本共存

安装pyenv

安装依赖库

yum -y install readline readline-devel readline-static openssl openssl-devel openssl-static sqlite-devel bzip2-devel bzip2-libs automake gcc git

1	yum -y install readline readline-devel readline-static openssl openssl-devel openssl-static sqlite-devel bzip2-devel bzip2-libs automake gcc git

git克隆安装pyenv

git clone git://github.com/yyuu/pyenv.git ~/.pyenv
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
exec $SHELL -l

git clone git://github.com/yyuu/pyenv.git ~/.pyenv

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc

echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc

echo 'eval "$(pyenv init -)"' >> ~/.bashrc

exec $SHELL -l

安装Python

查看可安装的版本

[crayon-[……]

继续阅读

Centos6.x下yum update升级更新openssl rpm二进制包

2014-06-06 by wwek·2条评论

2014年6月5日OpenSSL.org官方发布OpenSSL存在诸多漏洞。这些漏洞可能导致中间人攻击，拒绝服务，任意代码执行，会话注入数据等威胁，严重影响到网站的安全。

官网详细信息看这里 http://www.openssl.org/news/secadv_20140605.txt[……]

继续阅读

Centos 编译安装 haproxy

2013-04-29 by wwek·3条评论

wget -c http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.23.tar.gz

haproxy_install.sh

#!/bin/bash 
#install haproxy  
#20111207 by dongnan 

#variables 
dir=/usr/local 
ha_dir=${dir}/haproxy 
ha_cfg=${ha_dir}/haproxy.cfg 
kernel=`uname -r | grep '2.6'` 
pcre=$(rpm -qa | grep 'pcre' | wc -l) 
echo "$dir, $ha_dir, $ha_cfg, $kernel, $pcre" 

#check 
if [ ! "$kernel" -o "$pcre" -lt "2" ];then 
    echo -e "the script need linux 2.6 kernel and pcre pcre-devel \nyou can usage 'yum install pcre pcre-devel' or 'rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm'" 
    exit 1 
fi 

#function 

install_ha_cfg (){ 
#configure haproxy.cfg 
#default configure file for test,but need your change the frontend server and backend server ip address, 
#good luck! 

echo ' 
global 
    log 127.0.0.1   local0 
    maxconn 4096              #最大连接数 
    chroot /usr/local/haproxy #安装目录 
    uid 99                    #用户haproxy 
    gid 99                    #组haproxy 
    daemon                    #守护进程运行 
    nbproc 1                  #进程数量 
    pidfile /usr/local/haproxy/logs/haproxy.pid #haproxy pid 

defaults 
   log     global 
   mode    http               #7层 http;4层tcp  
   option  httplog            #http 日志格式 
   option  httpclose          #主动关闭http通道 
   option  redispatch         #serverId对应的服务器挂掉后,强制定向到其他健康的服务器 

   option  dontlognull 
   maxconn 2000               #最大连接数 
   contimeout      5000       #连接超时(毫秒) 
   clitimeout      50000      #客户端超时(毫秒) 
   srvtimeout      50000      #服务器超时(毫秒) 

frontend haproxy_test         #定义前端服务器(haproxy) 
        bind 10.0.1.251:80    #监听地址 
        default_backend server_pool  #指定后端服务器群 
        #errorfile 502 /usr/local/haproxy/html/maintain.html 
        #errorfile 503 /usr/local/haproxy/html/maintain.html 
        #errorfile 504 /usr/local/haproxy/html/maintain.html 

backend server_pool           #定义后端服务器群(web server/apache/nginx/iis..) 
        mode http 
        option  forwardfor    #后端服务器(apache/nginx/iis/*),从Http Header中获得客户端IP 
        #balance roundrobin    #负载均衡的方式,轮询方式 
        balance leastconn     #负载均衡的方式,最小连接 
        cookie SERVERID       #插入serverid到cookie中,serverid后面可以定义 
        option  httpchk HEAD /check.html #用来做健康检查html文档 
        server server1 10.0.1.252:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3 
        server server2 10.0.1.253:80 cookie server2 check inter 2000 rise 3 fall 3 maxconn 120 weight 3 
        server server3 10.0.1.254:80 cookie server3 check maxconn 90 rise 2 fall 3 weight 3 
#服务器定义: 
#cookie server1表示serverid为server1; 
#check inter 2000 是检测心跳频率(check 默认 ); 
#rise 3 表示 3次正确认为服务器可用; 
#fall 3 表示 3次失败认为服务器不可用; 
#weight 表示权重。 

listen admin_stat                   #status 
    bind *:8080                     #监听端口 
    mode http                       #http的7层模式 
    stats refresh 30s               #统计页面自动刷新时间 
    stats uri /haproxy-stats        #统计页面URL 
    stats realm Haproxy\ Statistics #统计页面密码框上提示文本 
    stats auth admin:admin          #统计页面用户名和密码设置 
    stats hide-version              #隐藏统计页面上HAProxy的版本信息 
    stats admin if TRUE             #手工启用/禁用,后端服务器 
' > "$ha_cfg" && sed -i '1 d' "$ha_cfg" 
} 

#install 
if [ ! -e "$ha_dir" ];then 
   tar zxf haproxy*.tar.gz 
   cd haproxy*/ 
   make TARGET=linux26 USE_STATIC_PCRE=1 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy && mkdir /usr/local/haproxy/{html,logs} 
   cd ../ 
# 
   if [ ! -e "$ha_dir" ];then 
       echo "error! can't install haproxy  please check ! Will now out of the script !" 
       exit 1 
   else 
       ! grep 'haproxy' /etc/syslog.conf && echo 'local1.*            /var/log/haproxy.log' >> /etc/syslog.conf 
       sed -ir 's/SYSLOGD_OPTIONS="-m 0"/SYSLOGD_OPTIONS="-r -m 0"/g' /etc/sysconfig/syslog && /etc/init.d/syslog restart 
       install_ha_cfg 
       rm -rf haproxy*/ 
   fi 
else 
   echo "haproxy is already exists!" 
fi

100

101

102

103

104

#!/bin/bash

#install haproxy

#20111207 by dongnan

#variables

dir=/usr/local

ha_dir=${dir}/haproxy

ha_cfg=${ha_dir}/haproxy.cfg

kernel=`uname -r | grep '2.6'`

pcre=$(rpm -qa | grep 'pcre' | wc -l)

echo "$dir, $ha_dir, $ha_cfg, $kernel, $pcre"

#check

if [ ! "$kernel" -o "$pcre" -lt "2" ];then

echo -e "the script need linux 2.6 kernel and pcre pcre-devel \nyou can usage 'yum install pcre pcre-devel' or 'rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm'"

exit 1

#function

install_ha_cfg (){

#configure haproxy.cfg

#default configure file for test,but need your change the frontend server and backend server ip address,

#good luck!

echo '

global

log 127.0.0.1 local0

maxconn 4096 #最大连接数

chroot /usr/local/haproxy #安装目录

uid 99 #用户haproxy

gid 99 #组haproxy

daemon #守护进程运行

nbproc 1 #进程数量

pidfile /usr/local/haproxy/logs/haproxy.pid #haproxy pid

defaults

log global

mode http #7层 http;4层tcp

option httplog #http 日志格式

option httpclose #主动关闭http通道

option redispatch #serverId对应的服务器挂掉后,强制定向到其他健康的服务器

option dontlognull

maxconn 2000 #最大连接数

contimeout 5000 #连接超时(毫秒)

clitimeout 50000 #客户端超时(毫秒)

srvtimeout 50000 #服务器超时(毫秒)

frontend haproxy_test #定义前端服务器(haproxy)

bind 10.0.1.251:80 #监听地址

default_backend server_pool #指定后端服务器群

#errorfile 502 /usr/local/haproxy/html/maintain.html

#errorfile 503 /usr/local/haproxy/html/maintain.html

#errorfile 504 /usr/local/haproxy/html/maintain.html

backend server_pool #定义后端服务器群(web server/apache/nginx/iis..)

mode http

option forwardfor #后端服务器(apache/nginx/iis/*),从Http Header中获得客户端IP

#balance roundrobin #负载均衡的方式,轮询方式

balance leastconn #负载均衡的方式,最小连接

cookie SERVERID #插入serverid到cookie中,serverid后面可以定义

option httpchk HEAD /check.html #用来做健康检查html文档

server server1 10.0.1.252:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3

server server2 10.0.1.253:80 cookie server2 check inter 2000 rise 3 fall 3 maxconn 120 weight 3

server server3 10.0.1.254:80 cookie server3 check maxconn 90 rise 2 fall 3 weight 3

#服务器定义:

#cookie server1表示serverid为server1;

#check inter 2000 是检测心跳频率(check 默认 );

#rise 3 表示 3次正确认为服务器可用;

#fall 3 表示 3次失败认为服务器不可用;

#weight 表示权重。

listen admin_stat #status

bind *:8080 #监听端口

mode http #http的7层模式

stats refresh 30s #统计页面自动刷新时间

stats uri /haproxy-stats #统计页面URL

stats realm Haproxy\ Statistics #统计页面密码框上提示文本

stats auth admin:admin #统计页面用户名和密码设置

stats hide-version #隐藏统计页面上HAProxy的版本信息

stats admin if TRUE #手工启用/禁用,后端服务器

' > "$ha_cfg" && sed -i '1 d' "$ha_cfg"

}

#install

if [ ! -e "$ha_dir" ];then

tar zxf haproxy*.tar.gz

cd haproxy*/

make TARGET=linux26 USE_STATIC_PCRE=1 PREFIX=/usr/local/haproxy && make install PREFIX=/usr/local/haproxy && mkdir /usr/local/haproxy/{html,logs}

cd ../

if [ ! -e "$ha_dir" ];then

echo "error! can't install haproxy please check ! Will now out of the script !"

exit 1

else

! grep 'haproxy' /etc/syslog.conf && echo 'local1.* /var/log/haproxy.log' >> /etc/syslog.conf

sed -ir 's/SYSLOGD_OPTIONS="-m 0"/SYSLOGD_OPTIONS="-r -m 0"/g' /etc/sysconfig/syslog && /etc/init.d/syslog restart

install_ha_cfg

rm -rf haproxy*/

else

echo "haproxy is already exists!"

haproxy.sh
[crayon-[……]

继续阅读

流水理鱼

流水理鱼（wwek）的博客

标签：centos

推荐的nginx+php(fpm-php fastcgi)open_basedir安全设置

0x00 实验目的

Centos Linux 上给PHP安装Xdebug调试笔记

安装Xdebug

配置

Centos6.x已有LNMP环境下编译安装Zabbix2.2

zabbix_server 不能监听端口tcp 10051 ？

Centos6.x Python环境搭建相关

使用pyenv管理安装Python多版本共存

安装pyenv

安装Python

查看可安装的版本

Centos6.x下yum update升级更新openssl rpm二进制包

Centos 编译安装 haproxy