Archive for December, 2013

How to migrate from cPanel to DirectAdmin (server side)

The tool used here is da.cpanel.import.

First, on the cPanel server, download the tool and extract it into any directory you like:

wget http://www.pusathosting.com/file/da.cpanel.import.9.4.tar.gz
tar xzvf da.cpanel.import.9.4.tar.gz

Next, create an import directory and an export directory:

mkdir import export

Now copy the users' cPanel backup files into the import directory.

Next, edit the defaults.conf file. Two things need changing, the IP address and the nameservers:

ip=XXX.XXX.XXX.XXX (the IP address of your DirectAdmin server)
ns1=ns1.paulhost.com (NS1)
ns2=ns2.paulhost.com (NS2)

Then run perl da.cpanel.import.pl and follow the prompts.

Have you read, understood and applied the above? (y/n)  → answer y

[If you are running this tool on the cPanel server]: After this tool is finished, should successfully created DirectAdmin tarballs be transferred to your DirectAdmin reseller user_backups directory?(y/n)  → answer y

Next, confirm the IP of the DirectAdmin server and the path the backups should be transferred to.

Then wait for it to finish (you will be asked for the root password of the DirectAdmin server part way through).

When it is done, go to the DA panel > Admin Backup and run the restore.


Using iptables to stop php-ddos from sending outbound UDP

php-ddos has been rampant lately, especially through the pile of holes in DedeCMS (织梦), you know the ones. With iptables we can stop php-ddos from sending packets out at the source.

First, allow the ports that need outbound UDP (such as DNS):

iptables -I OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -I OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT

"53" is the UDP port DNS needs, and "8.8.8.8" is the DNS server IP, which depends on your server's configuration. If you do not know which DNS IP your server currently uses, run the following over SSH to find out:

awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf

Block all other outbound UDP from the host:

iptables -A OUTPUT -p udp -j DROP
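As an added example (not from the original post), the following shell function builds the rule set above from whatever nameservers the host actually has in resolv.conf, so the DNS allow rules do not go stale, and lets further UDP ports such as 123 for NTP be allowed before the final DROP. The resolv.conf path is a parameter and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build the outbound UDP rule set
# from the nameservers the host really uses, so the DNS allow rules never go
# stale, and allow extra UDP ports (123 for NTP, say) before the final DROP.
# Commands are printed, not run; pipe the output to sh to apply them.
# The resolv.conf path is a parameter so a constructed file can stand in.

# udp_egress_rules RESOLV_CONF [EXTRA_PORT ...]
udp_egress_rules() {
  resolv=$1
  shift
  # -I inserts at the head of OUTPUT, so every ACCEPT lands ahead of the DROP
  # even on a host that already has rules in that chain.
  awk '/^nameserver[ \t]/ { print $2 }' "$resolv" | while read -r ns; do
    echo "iptables -I OUTPUT -p udp --dport 53 -d $ns -j ACCEPT"
  done
  for port in "$@"; do
    echo "iptables -I OUTPUT -p udp --dport $port -j ACCEPT"
  done
  # Anything else leaving over UDP is dropped: a compromised PHP script that
  # tries to flood some remote host over UDP gets nothing out of the box.
  echo "iptables -A OUTPUT -p udp -j DROP"
}

# Constructed sample resolv.conf; on a real host pass /etc/resolv.conf.
sample=$(mktemp)
printf 'search example.test\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$sample"
udp_egress_rules "$sample" 123
rm -f "$sample"
```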


Varnish HTTP accelerator and cPanel

cd /usr/local/src
wget http://stderr.net/apache/rpaf/downlo…paf-0.6.tar.gz
tar -xzf mod_rpaf-0.6.tar.gz
cd mod_rpaf-*
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

2. Once installed, we need to load the module into the Apache configuration. Since cPanel already has an Include Editor for Apache, we will use that. Log in to WHM > Service Configuration > Apache Configuration > Include Editor > Pre Main Include > All Versions and paste the following:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFproxy_ips 127.0.0.1 123.124.125.88 # replace the value with your server IP
RPAFsethostname On
RPAFheader X-Real-IP


Installing OpenVZ on CentOS

My first contact with OpenVZ was while shopping for a VPS: OpenVZ VPSes are quite a bit cheaper than Xen ones. Reading up on it, OpenVZ turns out to be operating-system-level virtualization, a completely different layer from Xen, KVM, Hyper-V and the like. OpenVZ provides only a virtual environment (VE), which OpenVZ itself calls a container, whereas Xen, KVM and the rest provide virtual machines running on a hypervisor. OpenVZ is a good fit for cheap low-end VPSes, while Xen and the other virtualization products are generally used in enterprise application centres, cloud platforms and so on.

Installing OpenVZ

Environment: CentOS 5.6 x86_64 installed on a Dell PC.

The official site (http://wiki.openvz.org/) provides a yum repository for installing on CentOS, so we adjust the yum sources. For security reasons, the OpenVZ kernel patches for CentOS 5 require a kernel version of at least 2.6.18-308.8.2.el5; the supported kernel versions are listed at http://wiki.openvz.org/Download/kernel

# cd /etc/yum.repos.d
# wget http://download.openvz.org/openvz.repo
# uname -r
2.6.18-238.9.1.el5
# yum install kernel.x86_64   # upgrade the kernel to 2.6.18-308
# uname -r
2.6.18-308.8.2.el5

# cat openvz.repo   # edit the OpenVZ repo file and make sure the defaults below select the 6.2 version

[openvz-utils]
name=OpenVZ utilities
#baseurl=http://download.openvz.org/current/
mirrorlist=http://download.openvz.org/mirrors-current
enabled=1
gpgcheck=1
gpgkey=http://download.openvz.org/RPM-GPG-Key-OpenVZ
[openvz-kernel-rhel5]
name=OpenVZ RHEL5-based kernel
#baseurl=http://download.openvz.org/kernel/branches/rhel5-2.6.18/current/
mirrorlist=http://download.openvz.org/kernel/mirrors-rhel5-2.6.18
enabled=1
gpgcheck=1
gpgkey=http://download.openvz.org/RPM-GPG-Key-OpenVZ
# yum install ovzkernel -y          # install the OpenVZ kernel
# yum install vzctl vzquota         # install the two everyday OpenVZ tools

Since our VEs need to reach the outside network, we turn on packet forwarding here first; more on this later.

# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Check the default boot kernel set in grub.conf:

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title OpenVZ (2.6.18-308.8.2.el5.028stab101.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.8.2.el5.028stab101.1 ro root=LABEL=/ selinux=0   # SELinux has already been disabled automatically
        initrd /initrd-2.6.18-308.8.2.el5.028stab101.1.img
# init 6   # reboot into the OpenVZ kernel

Make sure the vz service starts on boot:

# service vz status
OpenVZ is running...
# chkconfig --list vz
vz                 0:off    1:off    2:on    3:on    4:on    5:on    6:off

Installing and managing VEs

OpenVZ uses vzctl to manage VEs; let us look at its commands in detail.

# vzctl
vzctl version 3.3
Copyright (C) 2000-2012, Parallels, Inc.
This program may be distributed under the terms of the GNU GPL License.
Usage: vzctl [options] <command> <ctid> [parameters]
vzctl create <ctid> [--ostemplate <name>] [--config <name>]
   [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]
   [--diskspace <kbytes>] [--private <path>] [--root <path>]   # create a VE
vzctl start <ctid> [--force] [--wait]   # start a VE
vzctl destroy | mount | umount | stop | restart | status <ctid>   # stop a VE (also destroy, mount, umount, restart, status)
vzctl convert <ctid> [--layout ploop[:mode]] [--diskspace <kbytes>]
vzctl quotaon | quotaoff | quotainit <ctid>   # set quota
vzctl console <ctid> [ttyno]   # attach to the VE console
vzctl enter <ctid> [--exec <command> [arg ...]]   # enter the VE
vzctl exec | exec2 <ctid> <command> [arg ...]   # run a command inside the VE without entering it
vzctl runscript <ctid> <script>   # run a script inside the VE
vzctl chkpnt <ctid> [--dumpfile <name>]   # save the VE's state to a file
vzctl restore <ctid> [--dumpfile <name>]   # restore the VE's state from a dump file
vzctl set <ctid> [--save] [--force] [--setmode restart|ignore]
   [--ram <bytes>[KMG]] [--swap <bytes>[KMG]]   # set RAM
   [--ipadd <addr>] [--ipdel <addr>|all] [--hostname <name>]   # add and remove IPs
   [--nameserver <addr>] [--searchdomain <name>]   # set nameserver and search domain
   [--onboot yes|no] [--bootorder <N>]   # start on boot
   [--userpasswd <user>:<passwd>]   # change a VE user's password
   [--cpuunits <N>] [--cpulimit <N>] [--cpus <N>] [--cpumask <cpus>]
   [--diskspace <soft>[:<hard>]] [--diskinodes <soft>[:<hard>]]
   [--quotatime <N>] [--quotaugidlimit <N>]
   [--noatime yes|no] [--capability <name>:on|off ...]
   [--devices b|c:major:minor|all:r|w|rw]
   [--devnodes device:r|w|rw|none]
   [--netif_add <ifname[,mac,host_ifname,host_mac,bridge]]>]   # add a bridged device
   [--netif_del <ifname>]   # remove a bridged device
   [--applyconfig <name>] [--applyconfig_map <name>]
   [--features <name:on|off>] [--name <vename>] [--ioprio <N>]
   [--pci_add [<domain>:]<bus>:<slot>.<func>] [--pci_del <d:b:s.f>]
   [--iptables <name>] [--disabled <yes|no>]   # VE firewall settings
   [UBC parameters]

To install a guest, the method OpenVZ officially recommends is to download one of its optimized OS template tarballs and install from that. OpenVZ keeps the OS templates in /vz/template/cache/. The templates can be downloaded from http://wiki.openvz.org/Download/template/precreated . I downloaded the CentOS 5 x86_64 template for this test.

# ll /vz/template/cache/
total 188092
-rw-r--r-- 1 root root 192411846 Jul 19 02:08 centos-5-x86_64.tar.gz
# vzctl create 2 --ostemplate centos-5-x86_64 --hostname centos01
Creating container private area (centos-5-x86_64)
Performing postcreate actions
CT configuration saved to /etc/vz/conf/2.conf   # the config file is saved as /etc/vz/conf/2.conf
Container private area was created

This creates a VE with ID 2 from the centos-5-x86_64 OS template, with hostname centos01. Once it is created, the default configuration needs changing before the VE is started.

Set the VE to start on boot, and set its IP, DNS, memory and disk size:

# vzctl set 2 --onboot yes
WARNING: Settings were not saved to config (use --save flag)   # writing to the config file needs --save
# vzctl set 2 --onboot yes --save
CT configuration saved to /etc/vz/conf/2.conf
# vzctl set 2 --ipadd 10.20.100.146 --save   # not usable yet
CT configuration saved to /etc/vz/conf/2.conf
# vzctl set 2 --nameserver 10.20.1.6 --save
CT configuration saved to /etc/vz/conf/2.conf
# vzctl set 2 --ram 345 --save
Error: kernel does not support vswap, unable to use --ram/--swap parameters
Error parsing options   # this kernel does not support it
# vzctl set 2 --diskspace 3G:3G --save
CT configuration saved to /etc/vz/conf/2.conf
# vzctl start 2   # start the VE with ID 2
Starting container ...
Container is mounted
Adding IP address(es): 192.168.221.2
Setting CPU units: 1000
Container start in progress...

Listing VEs with vzlist:

# vzlist 2
      CTID      NPROC STATUS    IP_ADDR         HOSTNAME
         2         12 running   192.168.221.2   centos01

Entering, leaving, restarting, starting, stopping and powering off a VE:

# vzctl enter 2
# exit   # leaves the container shell and returns to the host node
# vzctl restart 2
# vzctl start 2
# vzctl stop 2
# vzctl destroy 2   # removes the container entirely, private area included; not a mere power-off

Running commands and scripts without logging into the VE:

# vzctl exec 2 ifconfig   # view the VE's interfaces without logging in
# vzctl runscript 2 scriptname   # the script lives on the host node

Calculating a VE's resource usage:

# vzcalc -v 2

Changing a VE's root password:

# vzctl exec 2 passwd   # enter the new password twice
# vzctl set 2 --userpasswd root:123456   # set the password to 123456 directly

VE networking

With IPs added directly, there are two ways to give a VE access to the outside network. One is to turn on packet forwarding on the host node (calling it the host node makes the two easy to tell apart) and give the VE an IP in the same subnet as the host; this is how VPSes with dedicated IPs work: the VE has its own public IP and the user can log in to their VPS to manage it. The other is to use routing with the firewall doing SNAT (source address translation) and give the VE a private IP; the VE can then reach the outside, but the outside cannot reach the VE on the internal network directly.

Method 1: public IP

Enable packet forwarding:

# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Apply it:

# /sbin/sysctl -p
net.ipv4.ip_forward = 1

Configure or change the VE's IP; it is in the same subnet as the host node (a VPS would use a public IP here).

# ifconfig   # the host node's IP
eth0      Link encap:Ethernet  HWaddr 00:0C:29:FD:E4:AA 
          inet addr:10.20.100.141  Bcast:10.20.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35535 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8399 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3534995 (3.3 MiB)  TX bytes:934525 (912.6 KiB)
          Interrupt:59 Base address:0x2000
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:784 (784.0 b)  TX bytes:784 (784.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:283 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:37807 (36.9 KiB)  TX bytes:23312 (22.7 KiB)
# vzctl set 2 --ipadd 10.20.100.146 --save   # set or change the VE's IP

Test the VE's network:

# vzctl exec 2 ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:224 errors:0 dropped:0 overruns:0 frame:0
          TX packets:292 errors:0 dropped:53 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18572 (18.1 KiB)  TX bytes:23106 (22.5 KiB)
venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.20.100.146  P-t-P:10.20.100.146  Bcast:10.20.100.146  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
# vzctl exec 2 ping www.baidu.com
PING www.a.shifen.com (220.181.111.147) 56(84) bytes of data.
64 bytes from 220.181.111.147: icmp_seq=1 ttl=54 time=35.2 ms
64 bytes from 220.181.111.147: icmp_seq=2 ttl=54 time=34.9 ms

Method 2: private IP with SNAT

Enable packet forwarding:

# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1

Apply it:

# /sbin/sysctl -p
net.ipv4.ip_forward = 1

Change the VE's IP to a private address:

# vzctl set 2 --ipdel 10.20.100.146 --save   # remove the earlier 10.20.100.x address
# vzctl set 2 --ipadd 10.20.102.146 --save   # set the new IP, in a different subnet from the host node

Enable SNAT:

# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

or

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.20.100.141
# iptables -t nat -L   # list the NAT rules
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
SNAT       all  --  anywhere             anywhere            to:10.20.100.141
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Check the VE's network:

# vzctl exec 2 ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:330 errors:0 dropped:0 overruns:0 frame:0
          TX packets:407 errors:0 dropped:53 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26810 (26.1 KiB)  TX bytes:33397 (32.6 KiB)
venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.20.102.146  P-t-P:10.20.102.146  Bcast:10.20.102.146  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Test the VE's network:

# vzctl exec 2 ping www.baidu.com
PING www.a.shifen.com (220.181.111.147) 56(84) bytes of data.
64 bytes from 220.181.111.147: icmp_seq=1 ttl=54 time=35.0 ms
64 bytes from 220.181.111.147: icmp_seq=2 ttl=54 time=34.9 ms
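As an added example (not part of the original post), this shell function turns the two methods above into a dry-run command plan for one container, checks that the chosen IP fits the method, and scopes the SNAT rule to the container's own address instead of rewriting every packet that leaves eth0. The container ID and addresses are the ones used above; the /24 check is a simplifying assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): print the commands needed to
# give one container network access in either of the two modes above.
# Nothing is executed; review the output, then pipe it to sh on the node.
# Assumes the host subnet is a /24, as in the addresses used in the post.

# same_slash24 A B: succeed when two IPv4 addresses share their first three octets
same_slash24() {
  [ "${1%.*}" = "${2%.*}" ]
}

# ve_net_plan MODE CTID VE_IP HOST_IP HOST_IF
#   public  - VE takes an address in the host's subnet; forwarding alone suffices
#   private - VE takes an address outside it and leaves via SNAT on HOST_IF
ve_net_plan() {
  mode=$1 ctid=$2 ve_ip=$3 host_ip=$4 host_if=$5
  case $mode in
    public)
      same_slash24 "$ve_ip" "$host_ip" || {
        echo "public mode: $ve_ip is not in the host subnet of $host_ip" >&2
        return 1
      } ;;
    private)
      if same_slash24 "$ve_ip" "$host_ip"; then
        echo "private mode: $ve_ip must be outside the host subnet of $host_ip" >&2
        return 1
      fi ;;
    *)
      echo "mode must be public or private" >&2
      return 2 ;;
  esac
  # Both modes need forwarding; -w applies it now, the sysctl.conf edit persists it.
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "vzctl set $ctid --ipadd $ve_ip --save"
  if [ "$mode" = private ]; then
    # Match only this container's source address: a bare '-o eth0 -j SNAT' would
    # also rewrite traffic from every other container and from the node itself.
    echo "iptables -t nat -A POSTROUTING -s $ve_ip -o $host_if -j SNAT --to-source $host_ip"
  fi
}

# Demonstration using the addresses from the second method above.
ve_net_plan private 2 10.20.102.146 10.20.100.141 eth0
```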
