
Personal Homepage Site Security

2014-01-18 16:25
-------------------------------------------

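I. Preface
II. Environment
III. Basic Configuration
1. Set up the LAMP environment
2. Install WordPress
3. Install phpMyAdmin
IV. Security Configuration
1. Authentication
2. Source-based access control
3. Encrypted access (https)
V. Testing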
-------------------------------------------

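I. Preface
LAMP stands for Linux + Apache + MySQL + PHP, a set of open-source software commonly used to build dynamic websites and servers. Each component is an independent program, but because they are so often used together they have become increasingly compatible and now form a powerful web application platform. With the growth of the open-source movement, the open-source LAMP stack stands alongside the commercial J2EE and .Net platforms as one of three main options, and projects built on it have low software costs, which has drawn attention across the IT industry. In terms of website traffic, more than 70% of visits are served by LAMP, making it the most powerful website solution.
WordPress is a blogging platform written in PHP. Users can set up their own site on any server that supports PHP and a MySQL database, and WordPress can also be used as a content management system (CMS). WordPress is a free, open-source project released under the GNU General Public License. It is regarded as the official successor to b2/cafelog, the blogging platform developed by Michel Valdrighi. The name "WordPress" was suggested by Christine Selleck, a friend of lead developer Matt Mullenweg.
phpMyAdmin is a PHP-based MySQL administration tool that runs on the web host and lets administrators manage MySQL databases through a web interface. That interface is a simpler way to enter complex SQL, and it is especially convenient for importing and exporting large amounts of data. A further advantage is that phpMyAdmin runs on the web server like any other PHP program, but the HTML pages it produces can be used from anywhere, so MySQL databases can be managed remotely: databases and tables can be created, modified and deleted with ease. phpMyAdmin can also generate commonly used PHP code, which helps get the SQL syntax right when writing web pages.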
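II. Environment
System: Red Hat 6.5, 32-bit
IP: 192.168.2.200/24
Packages:
wordpress-3.9-zh_CN.zip                 main WordPress package
phpMyAdmin-4.1.5-all-languages.zip      main phpMyAdmin package
III. Basic Configuration
1. Set up the LAMP environment
# service iptables stop    // disable the firewall and SELinux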
# setenforce 0
# yum install httpd mysql mysql-server php php-mysql php-gd php-xml
# service httpd start
# service mysqld start
# chkconfig httpd on       // start at boot
# chkconfig --list |grep httpd
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
# chkconfig mysqld on
# chkconfig --list |grep mysql
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# mysqladmin -u root -p password '123'  // set the password for the MySQL root user
Enter password:                         // just press Enter here
# mysql -u root -p
Enter password:
mysql> create database wordpress;       // create the wordpress database, in preparation for installing WordPress below
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
| wordpress          |
+--------------------+
mysql> \q
Bye

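2. Install WordPress

# unzip wordpress-3.9-zh_CN.zip    // unpack the archive
# mv wordpress /var/www/html/

On the client, add the following IP address and domain name to the hosts file C:\Windows\System32\drivers\etc\hosts:
192.168.2.10 www.yinuo.com
Then visit http://www.yinuo.com/wordpress/ in the client browser.

(1) Click "Create configuration file".

(2) Click "Start now".

(3) Enter the user name and password, then click Submit.

(4) As prompted, create the wp-config.php file by hand, paste the displayed text into it, and then run the installation.

# cd /var/www/html/wordpress/
# vim wp-config.php

(5) If the database connection fails, check lines 17-26 of wp-config.php carefully; they must not contain any mistakes (as shown in the figure below).

(6) Fill in the site information and install WordPress.

(7) The installation has succeeded; you can now log in.

(8) Test the login.

(9) Switch to a custom theme, for example fengying.zip.

# unzip fengying.zip
# mv fengying /var/www/html/wordpress/wp-content/themes/


3. Install phpMyAdmin

# unzip phpMyAdmin-4.1.5-all-languages.zip
# mv phpMyAdmin-4.1.5-all-languages /var/www/html/phpmyadmin
# rpm -qa php           // check the PHP version
php-5.3.3-26.el6.i686          // download the php-mbstring package matching this PHP version from http://rpm.pbone.net/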






# rpm -ivh php-mbstring-5.3.3-26.el6.i686.rpm
# rpm -qa |grep php
php-5.3.3-26.el6.i686
php-mbstring-5.3.3-26.el6.i686
Note again: the php and php-mbstring versions must match.
# service httpd restart
Stopping httpd:                              [  OK  ]
Starting httpd:                              [  OK  ]
Visit http://www.yinuo.com/phpmyadmin

Enter the database account and password.

Manage the database (a graphical MySQL administration tool).




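IV. Security Configuration
1. Authentication
# vim /etc/httpd/conf/httpd.conf
338     AllowOverride all        // let .htaccess directives apply, so access requires authentication
# cd /var/www/html/wordpress/
# vim .htaccess                  // create the authentication directive file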
authuserfile   /var/www/html/.htpasswd
authname       "nuo"
authtype       basic
require        valid-user
# cd ..
# htpasswd -c .htpasswd admin    // create the password file with user admin; for safety, the password file is not kept in the same directory as the .htaccess file
New password:
Re-type new password:
Adding password for user admin
# cat .htpasswd
admin:OEWyxf6WFthog
# ll -a
drwxr-xr-x. 3 root root 4096 May 14 14:21 .
drwxr-xr-x. 6 root root 4096 Mar 30 15:01 ..
-rw-r--r--. 1 root root   20 May 14 14:21 .htpasswd
drwxr-xr-x. 5 root root 4096 May 14 14:20 wordpress
# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
In the client browser, visit http://www.yinuo.com/wordpress/

An account and password are now required to reach the personal homepage.
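
The following audit script is an added example, not part of the original post. It checks a password file for what the transcript above shows: a 13-character traditional crypt() hash (which uses only the first 8 characters of the password), a location under the web root, and mode 644. The function names and the second sample entry are constructed for illustration.

```shell
# Added example (not from the original post): audit an htpasswd file.
# Map a stored hash to the scheme that produced it.
htpasswd_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*) echo bcrypt ;;
        '$apr1$'*)       echo apr1-md5 ;;
        '{SHA}'*)        echo sha1-unsalted ;;
        *) if [ "${#1}" -eq 13 ]; then echo des-crypt
           else echo plaintext-or-unknown; fi ;;
    esac
}

# audit_htpasswd FILE DOCROOT: print one finding per line.
audit_htpasswd() {
    file=$1; docroot=$2
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    root=$(cd "$docroot" && pwd -P) || return 2
    # Under DocumentRoot only Apache's stock "deny .ht*" rule hides the file.
    case "$dir/" in
        "$root"/*) echo "LOCATION: $file is inside DocumentRoot" ;;
    esac
    # Character 8 of the ls mode string is the "other" read bit.
    if [ "$(ls -ld "$file" | cut -c8)" = r ]; then
        echo "MODE: $file is world-readable"
    fi
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(htpasswd_scheme "$hash")
        case "$scheme" in
            bcrypt|apr1-md5) ;;
            *) echo "WEAK: $user uses $scheme" ;;
        esac
    done < "$file"
    return 0
}

# Demo on a throw-away tree that mirrors the layout in this post.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/html"
    # First entry is the one shown in the post; the second is constructed.
    printf '%s\n' 'admin:OEWyxf6WFthog' \
        'editor:$2y$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCT' \
        > "$tmp/html/.htpasswd"
    chmod 644 "$tmp/html/.htpasswd"
    audit_htpasswd "$tmp/html/.htpasswd" "$tmp/html"
    rm -rf "$tmp"
}
demo_audit
```

Creating the file outside the web root (for example under /etc/httpd/) and, where the installed htpasswd supports it, with `htpasswd -B` for bcrypt clears the LOCATION and WEAK findings.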




2. Source-based access control
# vim /etc/httpd/conf/httpd.conf
343     Order allow,deny
344     Allow from all
345     deny from X.X.X.X


X.X.X.X is the IP address to be denied access.
3. Encrypted access (https)

# cd /etc/pki
# ll
drwxr-xr-x. 6 root root 4096 Mar 30 14:59 CA
drwxr-xr-x. 4 root root 4096 Mar 30 14:57 ca-trust
drwxr-xr-x. 2 root root 4096 Mar 30 15:41 entitlement
drwxr-xr-x. 2 root root 4096 Mar 30 14:57 java
drwxr-xr-x. 2 root root 4096 Mar 30 14:58 nssdb
drwxr-xr-x. 2 root root 4096 Mar 30 15:15 product
drwxr-xr-x. 2 root root 4096 Mar 30 14:55 rpm-gpg
drwx------. 2 root root 4096 Aug 15  2013 rsyslog
drwxr-xr-x. 5 root root 4096 Mar 30 14:59 tls
# vim tls/openssl.cnf






# cd /etc/pki/CA/
# touch index.txt
# touch serial
# echo 00 >serial
# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.................++++++
.........................................++++++
e is 65537 (0x10001)
# ll private/cakey.pem
-rw-r--r--. 1 root root 887 May 14 14:38 private/cakey.pem
# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.org
Email Address []:
# mkdir -pv /etc/httpd/certs
# cd /etc/httpd/certs/
# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
.......++++++
....++++++
e is 65537 (0x10001)
# ll
-rw-r--r--. 1 root root 887 May 14 14:42 httpd.key
# chmod 600 httpd.key
# ll
-rw-------. 1 root root 887 May 14 14:42 httpd.key
# vim /etc/pki/tls/openssl.cnf   // in vim's last-line (command) mode: 85,87 s/match/optional






# openssl req -new -key httpd.key -out httpd.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ll
-rw-r--r--. 1 root root 651 May 14 14:46 httpd.crq
-rw-------. 1 root root 887 May 14 14:42 httpd.key
# openssl ca -in httpd.crq -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 14 21:46:54 2014 GMT
Not After : May 14 21:46:54 2015 GMT
Subject:
countryName               = CN
stateOrProvinceName       = ZhengZhou
organizationName          = abc
organizationalUnitName    = tec
commonName                = www.abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0A:8A:11:6A:C4:86:4B:66:DC:C3:10:B5:D4:CE:C2:AB:E8:8A:8B:DE
X509v3 Authority Key Identifier:
keyid:79:AB:D7:17:BC:30:27:1F:59:08:6F:01:70:A2:33:53:55:99:27:E1
Certificate is to be certified until May 14 21:46:54 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# cd /etc/pki/CA/
# cat index.txt
V 150514214654Z 00 unknown /C=CN/ST=ZhengZhou/O=abc/OU=tec/CN=www.abc.com
# yum install mod_ssl
# vim /etc/httpd/conf.d/ssl.conf
105 SSLCertificateFile /etc/httpd/certs/httpd.cert
112 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
121 SSLCertificateChainFile /etc/pki/CA/cacert.pem
# service httpd configtest       // syntax check
Syntax OK
# vim /etc/httpd/conf/httpd.conf
136 #Listen 80                   // stop listening on port 80 so the site can only be reached over https
# service httpd restart
Stopping httpd:                       [  OK  ]
Starting httpd:                       [  OK  ]
# netstat -tupln |grep httpd
tcp        0      0 :::443     :::*       LISTEN      25167/httpd
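
The certificate above was requested with Common Name www.abc.com, while the site is browsed as www.yinuo.com. The script below is an added example, not part of the original post: it reads the CA database index.txt and reports whether the CA has issued a valid, unexpired certificate for a given host name. The function names and the fixed "current time" are constructed, and only the subject CN is compared (no wildcards or subjectAltName).

```shell
# Added example (not from the original post): query OpenSSL's CA database.
# index.txt columns are tab-separated:
#   status(V/R/E)  expiry(YYMMDDHHMMSSZ)  revocation  serial  file  subject

# issued_cert_status INDEX HOST NOW
# Prints a verdict for HOST; returns 0 only if a valid, unexpired
# certificate whose subject CN equals HOST is recorded.
issued_cert_status() {
    awk -F '\t' -v host="$2" -v now="$3" '
        {
            cn = $6
            sub(/^.*\/CN=/, "", cn)   # keep what follows /CN=
            sub(/\/.*$/, "", cn)      # drop any later RDNs
            if (cn != host) { others = others " " cn; next }
            if ($1 != "V")  { print "NOT-VALID serial " $4 " status " $1; next }
            if ($2 < now)   { print "EXPIRED serial " $4 " at " $2; next }
            print "OK serial " $4 " valid until " $2
            ok = 1
        }
        END {
            if (!ok && others != "")
                print "NO-MATCH for " host "; CA issued for:" others
            exit(ok ? 0 : 1)
        }' "$1"
}

# Write the single entry shown by "cat index.txt" in this post, with its
# tabs restored, to a temporary file and print the file's path.
sample_index() {
    f=$(mktemp) || return 1
    printf 'V\t150514214654Z\t\t00\tunknown\t%s\n' \
        '/C=CN/ST=ZhengZhou/O=abc/OU=tec/CN=www.abc.com' > "$f"
    echo "$f"
}

idx=$(sample_index)
now=140601000000Z   # constructed "current time"; live: date -u +%y%m%d%H%M%SZ
issued_cert_status "$idx" www.abc.com   "$now" || true
issued_cert_status "$idx" www.yinuo.com "$now" || true
rm -f "$idx"
```

A NO-MATCH result for the name clients actually use means browsers will report a host name mismatch even after the CA certificate is installed.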
V. Testing
In the client browser, visit https://www.yinuo.com/wordpress/

View the certificate and install it.

The home page is displayed.