5.3 Using the PF firewall
If a user maliciously opens many connections in a short time, block that IP for a period of time.
# vi /etc/pf.conf
Add the following rules. Each IP may hold at most 3 simultaneous connections; once it exceeds 3, the address is put into the table and blocked for a while. (An address stays in the table until it is expired or flushed, so if the block is meant to be temporary the table needs periodic cleanup.)
table <abusive_hosts> persist
block in quick on $ext_if inet proto tcp from <abusive_hosts> to $web port 80
pass in quick on $ext_if proto tcp from any to $web port 80 flags S/SA \
keep state (max-src-conn 100, max-src-conn-rate 3/1, max-src-states 3 \
overload <abusive_hosts> flush)
Apache 2.x, without any source changes, can be configured for more than 20,000 concurrent user connections, which is generally more than enough. Apache 1.x in the same situation allows at most 256 users, and 256 is obviously too small most of the time, so the source has to be modified to raise the value to what we need. The change is simple: find httpd.h in the source tree, then:
# vi httpd.h
=========+===========+===========+============
#define HARD_SERVER_LIMIT 256 // change 256 to the value you need
=========+===========+===========+============
5.4 MySQL performance and security
If your MySQL service does not need to talk to other hosts and is only used on the local machine, this setting is well worth making:
# vi /etc/my.cnf
[mysqld]
bind-address = 127.0.0.1 # add this setting
Below are several common MySQL settings for improving performance; note that these values are tuned for a machine with 2 GB of RAM.
# vi /etc/my.cnf
===========+===========+===========+============
[mysqld]
skip-innodb
skip-bdb
skip-name-resolve
skip-locking
#log-bin
set-variable = key_buffer=512M
set-variable = max_allowed_packet=4M
set-variable = table_cache=1024
set-variable = thread_cache=64
set-variable = join_buffer_size=32M
set-variable = sort_buffer=32M
set-variable = record_buffer=32M
set-variable = max_connections=512
set-variable = wait_timeout=120
set-variable = interactive_timeout=120
set-variable = max_connect_errors=30000
set-variable = long_query_time=1
set-variable = max_heap_table_size=256M
set-variable = tmp_table_size=128M
set-variable = thread_concurrency=8
set-variable = myisam_sort_buffer_size=128M
===========+===========+===========+============
Another way to improve database performance is to run several MySQL instances on a single machine (each listening on a different port); this approach places higher demands on the server hardware.
5.5 PHP performance and security
If the security settings below prevent some of your PHP programs from running, relax them as appropriate:
# vi php.ini
===========+===========+===========+============
file_uploads=Off
register_globals = Off
safe_mode = On
display_errors = Off
disable_functions = passthru, exec, system, phpinfo, popen, chroot, scandir, chgrp, chown, escapeshellcmd, escapeshellarg, shell_exec, proc_open, proc_get_status
===========+===========+===========+============
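As an added example (not part of the original guide), a small Python checker that parses a php.ini and reports which of the settings above are not applied. The sample php.ini text is constructed, and EXPECTED_FLAGS and EXPECTED_DISABLED simply encode the list above.

```python
# Boolean settings the page sets, with the value expected for each.
EXPECTED_FLAGS = {"file_uploads": False, "register_globals": False,
                  "safe_mode": True, "display_errors": False}
# Functions the page lists in disable_functions.
EXPECTED_DISABLED = {
    "passthru", "exec", "system", "phpinfo", "popen", "chroot", "scandir",
    "chgrp", "chown", "escapeshellcmd", "escapeshellarg", "shell_exec",
    "proc_open", "proc_get_status"}

def parse_php_ini(text):
    """Return {key: value}; ';' starts a comment, [section] headers are skipped,
    there is no backslash line continuation, and a later duplicate key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or no assignment
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def ini_bool(value):
    """PHP's ini parser treats on/true/yes/1 as true and anything else as false."""
    return value.strip().lower() in ("on", "true", "yes", "1")

def audit_php_ini(text):
    """Return a list of findings; empty means every listed setting is applied."""
    settings = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        have = settings.get(key)
        if have is None or ini_bool(have) != want:
            findings.append(f"{key} should be {'On' if want else 'Off'} (found {have!r})")
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",") if f.strip()}
    for fn in sorted(EXPECTED_DISABLED - disabled):
        findings.append(f"{fn} missing from disable_functions")
    return findings

# Constructed sample: display_errors left On and proc_open missing from the list.
SAMPLE_INI = """[PHP]
file_uploads = Off
register_globals = Off
safe_mode = On
display_errors = On ; left over from a development box
disable_functions = passthru, exec, system, phpinfo, popen, chroot, scandir, chgrp, chown, escapeshellcmd, escapeshellarg, shell_exec, proc_get_status
"""
if __name__ == "__main__":
    print("\n".join(audit_php_ini(SAMPLE_INI)) or "php.ini matches the hardening list")
```

Run it against the real file with audit_php_ini(open("/usr/local/etc/php.ini").read()) after editing, so a typo in the list is caught before the web server is restarted.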