

Centralized Linux log management with syslog-ng + Splunk

syslog-ng can be thought of as an enterprise-grade replacement for the classic syslog daemon. The open-source edition we use is the direct descendant of the syslog-ng project started more than ten years ago. syslog-ng runs in both "server" and "agent" roles and supports plain UDP, reliable TCP and TLS-encrypted transport, which lets you build flexible, reliable log servers in mixed, complex environments.

Other features of the open-source edition:

1. SSL/TLS transport
2. Writing logs to a database: MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL and SQLite are supported
3. The standard syslog protocols
4. filter, parse and rewrite rules
5. More supported platforms
6. Higher throughput

syslog-ng is tuned for large volumes: on ordinary hardware, correctly configured, it processes 75,000 messages per second in real time, more than 24 GB of raw logs per hour.

Preface
Standard Linux ships a syslog daemon whose rules have the form

<facility>.<priority>    <action>

The system predefines 12+8 facilities (mail, news, auth and so on, plus local0-local7) and eight priorities (from emerg down to debug), and those are the only knobs you get; the notes explain them in detail.

syslog-ng is different and far more powerful: you declare sources and destinations and, when needed, a filter between them. A log path looks like:

log { source(...); filter(...); destination(...); };

Each of these parts is described below; everything you want has to be declared in syslog-ng.conf.

I. Installing syslog-ng
With yum:

yum install syslog-ng

From source
http://www.balabit.com/downloads/files?path=/libol

wget http://www.balabit.com/downloads/files?path=/libol/0.3/libol-0.3.18.tar.gz
wget http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.3.7/source/eventlog_0.2.12.tar.gz
wget http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.3.7/source/syslog-ng_3.3.7.tar.gz

1. Install eventlog

tar -zxvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12
./configure --prefix=/usr/local/eventlog
make && make install

2. Install libol
(wget saves the archive under the name from the query string; rename it first)

mv files\?path\=%2Flibol%2F0.3%2Flibol-0.3.18.tar.gz libol-0.3.18.tar.gz
tar -zxvf libol-0.3.18.tar.gz
cd libol-0.3.18
./configure --prefix=/usr/local/libol
make && make install

3. Install syslog-ng

yum install pcre pcre-devel
# let configure find the eventlog library
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/

tar -zxvf syslog-ng_3.3.7.tar.gz
cd syslog-ng-3.3.7
./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
make && make install

II. Configuring syslog-ng

1. Open the receiving port in iptables, here only for the internal network. Plain UDP syslog carries no authentication and its source address is trivially spoofed, so restricting the source network at the firewall is the minimum; beyond a trusted LAN use tcp() or TLS.

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 514 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 514 -j ACCEPT

2. Global configuration
The global configuration lives in /etc/syslog-ng/syslog-ng.conf.
In newer versions sync has become flush_lines and long_hostnames has become chain_hostnames; the old keywords still work but produce warnings:
Your configuration file uses an obsoleted keyword, please update your configuration; keyword='sync', change='flush_lines'
Your configuration file uses an obsoleted keyword, please update your configuration; keyword='long_hostnames', change='chain_hostnames'

Receive remote logs and store them per year/month, per host and per day, one file each. Example:

options {
    keep_hostname(off);      # $HOST is the sender's address (or its reverse-DNS name), not the name claimed inside the message
    chain_hostnames(off);
    flush_lines(1);
    log_fifo_size(1024);
    create_dirs(yes);        # create missing directories
    owner("root");           # owner of created files
    group("root");           # group of created files
    perm(0600);              # permissions of created files
    dir_perm(0700);          # permissions of created directories
};
source s_local {
    system();                # on Linux this already opens /dev/log and /proc/kmsg
    # unix-stream("/dev/log");  # listing them again duplicates messages
    # file("/proc/kmsg");
    internal();
};
source s_all {
    udp(ip(0.0.0.0) port(514)); # remote logs arriving on 514/udp, on every interface
};
destination d_local_file {
    file("/var/syslog/$YEAR.$MONTH/$HOST/log-$DAY.log" owner("root") group("root") perm(0600) dir_perm(0700) create_dirs(yes));
};
destination d_net_file {
    file("/var/syslog/$YEAR.$MONTH/$HOST/log-$DAY.log" owner("root") group("root") perm(0600) dir_perm(0700) create_dirs(yes));
};

log {
    source(s_local);
    destination(d_local_file);
};
log {
    source(s_all);
    destination(d_net_file);
};

Global options (options)
chain_hostnames: whether to record the full chain of relay hostnames a message passed through instead of just the last one (the old name was long_hostnames).
flush_lines: how many messages to buffer before writing them to the destination; 0 writes each message as soon as it arrives. The obsolete name for the same option is sync.
use_dns: whether to use DNS; yes, no or persist_only. With persist_only only /etc/hosts is consulted to resolve names and no DNS server is involved. On a collector reachable from untrusted networks use no: a lookup that hangs stalls the whole collector.
stats_freq: interval in seconds between two STATS messages (statistics about dropped messages); 0 disables them.
normalize_hostnames: convert hostnames to lowercase.
keep_hostname: when messages are forwarded through a relay, keep the hostname written in the message so it arrives at the central server as-is instead of being replaced by the relay's address (resolved via DNS or /etc/hosts). With keep_hostname(on) the sender decides what $HOST contains.
Sources (source)
internal: messages generated by syslog-ng itself
unix-stream: open the given SOCK_STREAM unix socket and read messages from it
unix-dgram: open the given SOCK_DGRAM unix socket and read messages from it
file: read messages from the given file
pipe, fifo: read messages from the given named pipe or FIFO
tcp: receive messages on the given TCP port
udp: receive messages on the given UDP port
program: read messages from a program's output
syslog: receive messages in the IETF syslog protocol from the network

Destinations (destination)
file(): file is one of the most important destination drivers; it writes messages to files.
logstore(): stores messages in a binary format that can be encrypted and compressed
pipe(): sends messages to a named pipe such as /dev/xconsole
program(): forks a process, runs the given program with the given arguments and feeds the messages to its standard input
sql(): stores messages in a MySQL, Oracle, MSSQL or other database
syslog(): forwards messages to a remote log server
unix-stream() and unix-dgram(): send messages to a SOCK_STREAM or SOCK_DGRAM UNIX socket
udp() and tcp(): send messages to another host on the local network or the Internet over TCP or UDP
usertty(): sends messages to the terminal of a logged-in user

3. Starting
Check the syntax first; syslog-ng exits non-zero and names the offending line if the file does not parse:

/usr/local/syslog-ng/sbin/syslog-ng -s

then start it:

/usr/local/syslog-ng/sbin/syslog-ng

Stopping
pkill syslog-ng

4. Testing
On the other Linux nodes, configure syslog.conf or rsyslog.conf to forward everything:
vi /etc/syslog.conf   or   vi /etc/rsyslog.conf

*.* @<syslog-ng server ip>

(a single @ forwards over UDP; with rsyslog, @@ forwards over TCP)

/etc/init.d/syslog restart

Test with logger:

logger -p local3.info hello

The message then appears on the syslog-ng server.

III. Splunk

Splunk looks stronger than LogZilla (php-syslog-ng).
Splunk is a top-tier log analysis tool: if you spend your days on grep, awk, sed, sort, uniq, tail and head, you need Splunk. It understands the common log formats (apache, squid, system logs, mail.log and so on), indexes everything first, then lets you run cross-source queries with a rich search language and presents the results visually. Logs can reach the Splunk server as files, in real time over the network, or through distributed collection; many collection methods are supported.

The product comes in a free edition and an enterprise edition. The enterprise license costs upwards of 30,000 dollars; the free edition is already quite capable.

The download is an enterprise trial that can be converted to the free license. The differences between the free and paid editions:
The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

Multiple user accounts and role-based access controls
Distributed search
Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
Deployment management (including for clients)
Alerting/monitoring

Without user accounts or roles, the free edition has a single login and whoever can reach the web port sees every indexed log; that is why the iptables rule below opens port 8000 to one address only.

1. Installing Splunk
Register an account at http://www.splunk.com (made-up details may be rejected) and download the Splunk tarball.
The current release is splunk-5.0.1.
Unpack the tarball and move it to /usr/local/splunk.

2. Open iptables
Splunk listens on port 8000 by default; open it only for the addresses that need access:

iptables -A INPUT -p tcp -m tcp -s 192.168.0.39 --dport 8000 -j ACCEPT

3. Start

/usr/local/splunk/bin/splunk start

The first run asks a few setup questions; answer "y" to accept.

4. Set up the data inputs
Open http://localhost:8000; the first login asks you to change the password.
Then click "Add data", choose local files, and also add a TCP input to receive what syslog-ng forwards.

5. Update the syslog-ng configuration
Filter the different kinds of logs into separate files and forward them to Splunk.

options {
    use_dns(no);             # no reverse lookups: a lookup that hangs blocks the collector
    use_fqdn(no);
    chain_hostnames(off);
    keep_hostname(off);      # $HOST is the sending address, not whatever the message claims
    flush_lines(0);
    stats_freq(43200);
    create_dirs(yes);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# system() already opens /dev/log and /proc/kmsg on Linux; listing them again
# duplicates kernel messages.
source s_sys { system(); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_rsync { file("/var/log/rsync"); };
destination d_mlal { usertty("*"); };

# level(info) on its own matches only the info level; the range form matches
# info and everything more severe, which is what the classic "*.info" rule meant.
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
    (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_filter9 { facility(daemon); };
filter f_filter10 { facility(local6); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

# Remote logging: bind to the internal address only, not 0.0.0.0
source s_remote {
    udp(ip(192.168.0.39) port(514));
};

destination r_mesg { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_auth { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_mail { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/maillog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spol { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_boot { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/boot.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_daemon { file("/var/log/syslog-ng/$YEAR.$MONTH/$HOST/daemon" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_local6 { file("/var/log/syslog-ng/$YEAR.$MONTH/network/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
#destination d_separatedbyhosts {
#    file("/var/log/syslog-ng/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
#};

#log { source(s_remote); destination(d_separatedbyhosts); };
log { source(s_remote); filter(f_filter2); destination(r_mesg); };
log { source(s_remote); filter(f_filter3); destination(r_auth); };
log { source(s_remote); filter(f_filter4); destination(r_mail); };
log { source(s_remote); filter(f_filter6); destination(r_spol); };
log { source(s_remote); filter(f_filter7); destination(r_boot); };
log { source(s_remote); filter(f_filter8); destination(r_cron); };
log { source(s_remote); filter(f_filter9); destination(r_daemon); };
log { source(s_remote); filter(f_filter10); destination(r_local6); };

# Splunk's TCP input listens on 1999. Only what arrives from the network
# (s_remote) is forwarded; add a second log statement for s_sys if the
# collector's own logs should reach Splunk too. localport() pins the source
# port and is optional.
destination d_tcp { tcp("localhost" port(1999) localport(999)); };
log { source(s_remote); destination(d_tcp); };
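The facility/priority scheme from the preface and the filter semantics used in the configuration above are easy to get wrong, so here is an added example (my code, not part of the original post nor of syslog-ng) that decodes the syslog <PRI> field and routes constructed datagrams the way the s_remote log statements above do. It follows syslog-ng's level() rules: level(info) matches only info, level(info..emerg) matches info and every more severe level. The sample datagrams, the sender addresses and the fixed timestamp are made up; the filter-to-file mapping is the one in the configuration.

```python
# Added example, not code from the original post or from syslog-ng: decode the
# syslog <PRI> into facility/level and route constructed datagrams through the
# s_remote filters above. Datagrams and sender addresses are made up.
import re
from datetime import datetime

# Numeric codes from RFC 3164: facility = PRI // 8, level = PRI % 8.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: n for n, name in enumerate(LEVELS)}

RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
SAMPLE_TIME = datetime(2012, 10, 11, 13, 8, 0)   # fixed so $YEAR.$MONTH expands predictably


def decode_pri(pri):
    """Split a <PRI> value into (facility name, level name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], LEVELS[pri & 7]


def parse_line(line, sender_ip, received_at):
    """Parse one RFC 3164 datagram as the udp() source hands it to the filters.

    With keep_hostname(off) and use_dns(no), $HOST is the sender's address, so the
    hostname claimed inside the datagram never reaches the file path."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not RFC 3164: %r" % line)
    fac, lvl = decode_pri(int(m.group(1)))
    return {"facility": fac, "level": lvl, "level_num": LEVEL_NUM[lvl],
            "claimed_host": m.group(3), "HOST": sender_ip,
            "msg": m.group(4), "received": received_at}


def facility(name):
    return lambda m: m["facility"] == name


def level(spec):
    """syslog-ng level(): 'info' is exactly info; 'info..emerg' is the inclusive range."""
    names = spec.split("..") if ".." in spec else [spec, spec]
    lo, hi = sorted(LEVEL_NUM[n] for n in names)      # emerg=0 is the most severe
    return lambda m: lo <= m["level_num"] <= hi


# The filters used by the s_remote log statements above.
FILTERS = {
    "f_filter2": lambda m: level("info..emerg")(m) and not (
        facility("mail")(m) or facility("authpriv")(m) or facility("cron")(m)),
    "f_filter3": facility("authpriv"),
    "f_filter4": facility("mail"),
    "f_filter6": lambda m: facility("uucp")(m) or (facility("news")(m) and level("crit..emerg")(m)),
    "f_filter7": facility("local7"),
    "f_filter8": facility("cron"),
    "f_filter9": facility("daemon"),
    "f_filter10": facility("local6"),
}

BASE = "/var/log/syslog-ng/$YEAR.$MONTH/$HOST/"
REMOTE_LOG_PATHS = [            # log statements for s_remote, in configuration order
    ("f_filter2", BASE + "messages"), ("f_filter3", BASE + "secure"),
    ("f_filter4", BASE + "maillog"), ("f_filter6", BASE + "spooler"),
    ("f_filter7", BASE + "boot.log"), ("f_filter8", BASE + "cron"),
    ("f_filter9", BASE + "daemon"),
    ("f_filter10", "/var/log/syslog-ng/$YEAR.$MONTH/network/messages"),
]


def expand(template, m):
    t = m["received"]
    return (template.replace("$YEAR", "%04d" % t.year).replace("$MONTH", "%02d" % t.month)
            .replace("$DAY", "%02d" % t.day).replace("$HOST", m["HOST"]))


def route(line, sender_ip, received_at=None):
    """Return every file the datagram is written to. syslog-ng evaluates all log
    statements (none above carries flags(final)), so one message can land in several."""
    m = parse_line(line, sender_ip, received_at or datetime.now())
    return [expand(path, m) for name, path in REMOTE_LOG_PATHS if FILTERS[name](m)]


# Constructed sample datagrams, not captured from a real host.
SAMPLES = [
    ("192.168.0.10", "<86>Oct 11 13:08:01 web1 sshd[1234]: Accepted publickey for root from 10.0.0.5"),  # authpriv.info
    ("192.168.0.10", "<30>Oct 11 13:08:02 web1 ntpd[55]: synchronized to 10.0.0.1"),                   # daemon.info
    ("192.168.0.10", "<12>Oct 11 13:08:03 web1 su: pam_unix(su:auth): authentication failure"),         # user.warning
    ("192.168.0.10", "<15>Oct 11 13:08:04 web1 app: verbose trace"),                                    # user.debug
    ("192.168.0.20", "<182>Oct 11 13:08:05 ../../etc snmpd: link down"),                                # local6.info, forged host
]

if __name__ == "__main__":
    for ip, line in SAMPLES:
        print(line)
        for path in route(line, ip, SAMPLE_TIME):
            print("   ->", path)
```

Two things stand out when you run it: the daemon.info line lands in both messages and daemon because every log statement is evaluated, and the user.warning line reaches messages only because the filter uses the info..emerg range; with a bare level(info) it would be dropped. The datagram whose claimed hostname is "../../etc" is filed under its sender address, which is the reason keep_hostname(off) matters when $HOST is part of a file path.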

6. Start at boot
echo '/usr/local/syslog-ng/sbin/syslog-ng' >> /etc/rc.local
echo '/usr/local/splunk/bin/splunk start' >> /etc/rc.local


Posted in Tech, Logs.


Apache Tomcat FORM authentication security bypass vulnerability

Published: 2012-12-04 (GMT+0800)
Affected versions:

Apache Group Tomcat 7.0.0 - 7.0.29
Apache Group Tomcat 6.0.0 - 6.0.35
Description:

BUGTRAQ ID: 56812
CVE(CAN) ID: CVE-2012-3546

Apache Tomcat is a popular open-source JSP application server.

Tomcat before 7.0.30 and 6.0.36 has a flaw in its FORM authentication implementation. When FORM authentication is used and another component (for example Single-Sign-On) calls request.setUserPrincipal() before FormAuthenticator#authenticate() runs, an attacker can bypass FORM authentication by appending "/j_security_check" to the end of the URL.
<* Reference http://seclists.org/fulldisclosure/2012/Dec/73
*>
Recommendation:

Vendor patches:

Apache Group
------------
The vendor has released an upgrade that fixes this issue; download 7.0.30 or 6.0.36 or later from the vendor's site. To see which version an installation actually runs, execute java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo from the Tomcat directory.

Reference links:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

Posted in Tomcat, Security advisories.


Quick Postfix setup

On CentOS 6.0 postfix and sasl are already installed by default.
1. vi /etc/postfix/main.cf

myhostname=mail.c1gstudio.com
mydomain=c1gstudio.com
myorigin=$mydomain
inet_interfaces=all
mydestination=$myhostname,localhost,$mydomain
mynetworks=192.168.100.0/24,127.0.0.0/8

#################CYRUS-SASL###################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner = $myhostname ESMTP,Warning: Version not Available!
smtpd_reject_unlisted_recipient = no

noanonymous only rules out anonymous logins; the PLAIN and LOGIN mechanisms that remain send the password base64-encoded, which anyone on the path can decode (the perl one-liners below do exactly that in reverse). Offer them only on the trusted network or behind TLS.

2. vim /etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

3. iptables

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

service iptables save

4. Start at boot

chkconfig postfix on
chkconfig saslauthd on

5. Add an SMTP authentication user
===================
Authenticating against /etc/shadow via saslauthd
[root@dev ~]# groupadd mailuser
[root@dev ~]# adduser -g mailuser -s /sbin/nologin service
[root@dev ~]# passwd service
Changing password for user service.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@dev ~]#

Check that the credentials pass authentication
[root@dev ~]# testsaslauthd -u service -p 123456
0: OK "Success."

Generate the base64 strings for the test below
[root@dev ~]# perl -MMIME::Base64 -e 'print encode_base64("service");'
c2VydmljZQ==
[root@dev ~]# perl -MMIME::Base64 -e 'print encode_base64("123456");'
MTIzNDU2

6. Test
[root@dev ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our devmail.c1gstudio.com ESMTP,Warning: Version not Available!
ehlo localhost
250-devmail.c1gstudio.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
c2VydmljZQ==
334 UGFzc3dvcmQ6
MTIzNDU2
235 2.0.0 Authentication successful
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:hello 13:08
this is a test
.
250 2.0.0 Ok: queued as 0BABAD607EB
quit
221 2.0.0 Bye
Connection closed by foreign host.
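The AUTH LOGIN exchange above, replayed with both sides' messages as an added example (my code, not part of the original post and not Postfix). It also shows the AUTH PLAIN framing that mech_list: plain login enables, and what a passive observer recovers from the capture, which is the reason for the TLS caveat under main.cf. The Authenticator class, its reply texts and the credential table are assumptions for the demo; real Postfix hands the check to saslauthd. CAPTURED_SESSION is the telnet session above, retyped.

```python
# Added example, not code from the original post or from Postfix: the AUTH LOGIN
# and AUTH PLAIN exchanges replayed in Python. Authenticator and its reply texts
# are demo assumptions modelled on the session above.
import base64


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def plain_initial(user, password, authzid=""):
    """Client side of AUTH PLAIN: one base64 blob of authzid NUL authcid NUL password."""
    return b64("%s\0%s\0%s" % (authzid, user, password))


class Authenticator:
    """Server side, mirroring the 334 / 235 / 535 replies seen in the session."""
    OK = "235 2.0.0 Authentication successful"
    FAIL = "535 5.7.8 Error: authentication failed"

    def __init__(self, users):
        self.users = users      # constructed demo credentials, never a real /etc/shadow

    def check(self, user, password):
        return self.users.get(user) == password

    def auth_login(self, user_b64, password_b64):
        """AUTH LOGIN: two 334 challenges whose payloads are base64("Username:") and
        base64("Password:"); the client answers each in base64. Returns (ok, transcript)."""
        transcript = [("S", "334 " + b64("Username:")), ("C", user_b64),
                      ("S", "334 " + b64("Password:")), ("C", password_b64)]
        try:
            ok = self.check(unb64(user_b64), unb64(password_b64))
        except (ValueError, UnicodeDecodeError):   # not base64 or not text: treat as failure
            ok = False
        transcript.append(("S", self.OK if ok else self.FAIL))
        return ok, transcript

    def auth_plain(self, initial_b64):
        """AUTH PLAIN with an initial response; an authzid other than the user is refused."""
        parts = base64.b64decode(initial_b64).split(b"\0")
        if len(parts) != 3:
            return False, [("C", "AUTH PLAIN " + initial_b64), ("S", "501 5.5.2 malformed response")]
        authzid, user, password = (p.decode() for p in parts)
        ok = self.check(user, password) and authzid in ("", user)
        return ok, [("C", "AUTH PLAIN " + initial_b64), ("S", self.OK if ok else self.FAIL)]


def recover_login_credentials(lines):
    """What a passive observer gets from an unencrypted AUTH LOGIN: the lines after
    the Username:/Password: challenges decode straight back to the credentials."""
    user = password = None
    for i, line in enumerate(lines):
        if line == "334 " + b64("Username:"):
            user = unb64(lines[i + 1])
        elif line == "334 " + b64("Password:"):
            password = unb64(lines[i + 1])
    return user, password


# The telnet session above, retyped (not generated by this code).
CAPTURED_SESSION = ["auth login", "334 VXNlcm5hbWU6", "c2VydmljZQ==",
                    "334 UGFzc3dvcmQ6", "MTIzNDU2", "235 2.0.0 Authentication successful"]

if __name__ == "__main__":
    server = Authenticator({"service": "123456"})
    ok, transcript = server.auth_login("c2VydmljZQ==", "MTIzNDU2")
    for side, msg in transcript:
        print(side, msg)
    print("login ok:", ok)
    print("plain ok:", server.auth_plain(plain_initial("service", "123456"))[0])
    print("recovered from capture:", recover_login_credentials(CAPTURED_SESSION))
```

VXNlcm5hbWU6 and UGFzc3dvcmQ6 are nothing more than "Username:" and "Password:" in base64, and the client's answers decode just as easily, which is what recover_login_credentials demonstrates on the captured session.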


Posted in Mail/Postfix.



Apache Tomcat DIGEST authentication, multiple vulnerabilities (CVE-2012-3439)

Published: 2012-11-05 (GMT+0800)
Affected versions:

Apache Group Tomcat 7.x
Apache Group Tomcat 6.x
Apache Group Tomcat 5.x
Description:

BUGTRAQ ID: 56403
CVE ID: CVE-2012-3439

Apache Tomcat is a popular open-source JSP application server.

Apache Tomcat 7.0.0-7.0.27, 6.0.0-6.0.35 and 5.5.0-5.5.35 contain multiple vulnerabilities; successful exploitation lets an attacker bypass security restrictions and perform unauthorized actions (the exact version range for each issue is given below).
<* Reference http://secunia.com/advisories/51138/
http://tomcat.apache.org/security-6.html
*>

Description
A weakness and a vulnerability have been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

1) An error within the “parseHeaders()” function (InternalNioInputBuffer.java) when parsing request headers does not properly verify the permitted size and can be exploited to trigger an OutOfMemoryError exception via specially crafted headers.

This vulnerability is reported in versions 6.0.0-6.0.35 and 7.0.0-7.0.27.

2) An error within DIGEST authentication mechanism does not properly check server nonces.

This weakness is reported in versions 5.5.0-5.5.35, 6.0.0-6.0.35, and 7.0.0-7.0.29.

Solution
Update to version 5.5.36, 6.0.36, or 7.0.30.
Tomcat download: http://tomcat.apache.org/download-60.cgi

For the upgrade procedure see http://blog.c1gstudio.com/archives/1434

Posted in Tomcat, Security advisories.


Configuring rsync as a password-less sync service

The usual way is to let rsync ride on an ssh key trust relationship, but that tends to give the remote user far more access than the sync needs.
Running rsync as a daemon (service) instead keeps the exposure small.

I. Installing rsync
Most systems ship rsync already.
a. yum install rsync

b. http://rsync.samba.org/
install from rpm or source

II. Configuring rsync
rsync uses three configuration files: rsyncd.conf (main configuration), rsyncd.secrets (password file) and rsyncd.motd (server banner).

1. Server configuration file (/etc/rsyncd.conf). It does not exist by default; create it.
Note: the names in auth users are rsync-only accounts defined in the secrets file; they do not have to exist as system users. Separate several with commas, e.g. auth users = www,root. The daemon protocol authenticates with a challenge-response, but the data itself travels in cleartext over TCP 873, so keep it inside the private LAN as the hosts allow line below does.
Define a module called discuz:
vi /etc/rsyncd.conf

pid file = /var/run/rsyncd.pid
port = 873
address = 192.168.0.24          # bind to the internal address only
#uid = nobody
#gid = nobody
uid = www                       # unprivileged account the transfers run as
gid = website

use chroot = yes                # confine each module to its path
read only = no                  # clients may push; auth users below makes this safe

#limit access to private LANs
hosts allow = 192.168.0.0/255.255.255.0
hosts deny = *

max connections = 5
motd file = /etc/rsyncd.motd

#This will give you a separate log file
#log file = /var/log/rsync.log

#This will log every file transferred - up to 85,000+ per user, per sync
#transfer logging = yes

log format = %t %a %m %f %b
syslog facility = local3
timeout = 300

[discuz]
path = /opt/htdocs/bbs
list = no                       # hide the module from "rsync host::" listings
ignore errors
auth users = www
secrets file = /etc/rsyncd.secrets
comment = This is bbs data
#exclude =

2. The password file
The format of rsyncd.secrets is simple:
username:password
In this example rsyncd.secrets looks like the following; the documentation warns that some systems do not support long passwords, so test what works for you.
vi /etc/rsyncd.secrets

www:c1gstudiopass

chown root:root /etc/rsyncd.secrets  # owner
chmod 600 /etc/rsyncd.secrets        # permissions

Notes: 1. rsyncd.secrets must be owned by root with mode 600 or the backup fails: rsync refuses a secrets file that other users can read. For safety the file must be readable by its owner only.
2. Mind the password: never put a system user's password here. If the system user www has password 000000, give the rsync www a different one such as c1gstudiopass. This is the same idea as samba's separate user authentication.

3. The rsyncd.motd file
It holds the server banner shown to users when they connect, like the "c1gstudio.com ftp ..." greeting of an ftp server, so they know who provides it. The global section does not require it; comment the motd file line out or delete it if you do not want one. Mine reads:
vi /etc/rsyncd.motd

++++++++++++++++++++++++++++++++++++++++++++++
rsync services! staff use only
++++++++++++++++++++++++++++++++++++++++++++++

III. Running
A. Via xinetd
omitted

B. With --daemon, which runs rsync in server mode

/usr/bin/rsync --daemon --config=/etc/rsyncd.conf  # --config gives the location of rsyncd.conf; it can be omitted when the file is in /etc

Add it to /etc/rc.local so it starts at boot:

echo '/usr/bin/rsync --daemon --config=/etc/rsy ncd.conf' >> /etc/rc.local

Firewall
Allow the 192.168.0.0 class C network:

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 873 -j ACCEPT

Allow a single IP, 192.168.0.21:

iptables -A INPUT -s 192.168.0.21 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT

/etc/init.d/iptables save

IV. Testing
192.168.0.24 is the rsync daemon side, receiving data
192.168.0.21 is the source side, pushing data

List modules from the push side (with list = no the discuz module stays hidden, so an empty listing is expected; an error means the connection itself failed):
rsync --list-only www@192.168.0.24::
rsync: failed to connect to 192.168.0.24: Connection timed out (110)
Check the firewall and the user permissions in rsyncd.conf.

Push the local /opt/htdocs/bbs/data/cache into the data directory of the remote discuz module:

rsync -av /opt/htdocs/bbs/data/cache www@192.168.0.24::discuz/data/

Create a password file so no password prompt is needed; the password must match the server side:

echo 'c1gstudiopass' > /etc/rsyncd.passwd
chown root:root /etc/rsyncd.passwd
chmod 600 /etc/rsyncd.passwd

Do one full sync with the password file:

rsync -av --delete --password-file=/etc/rsyncd.passwd /opt/htdocs/bbs/ www@192.168.0.24::discuz

Run that with --dry-run (-n) first: with read only = no and --delete, a mistake on the push side deletes files on the server.

Finally, wrap this in a script driven by inotify and crontab to sync automatically.
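The settings this post relies on (auth users plus a secrets file, hosts allow, use chroot, a dedicated uid, a bound address) are easy to lose when the file is edited later, so here is an added example (my code, not part of the original post and not part of rsync) that parses an rsyncd.conf and reports the weak spots. POST_CONF is the configuration from this post; WEAK_CONF is a constructed counter-example. The defaults follow the rsyncd.conf man page (use chroot, read only and strict modes default to yes, uid to nobody); the finding texts are mine.

```python
# Added example, not code from the original post or from rsync: an audit of an
# rsyncd.conf for the settings this post leans on. The parser and the checks are
# mine; POST_CONF is the configuration above, WEAK_CONF a constructed counter-example.
import configparser
import os
import stat


def parse_rsyncd(text):
    """rsyncd.conf is INI-like with global keys before the first [module]; prepend a
    synthetic [global] section so configparser accepts it. '%' in log format needs
    interpolation off, and bare keys such as 'ignore errors' need allow_no_value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    sections = {s: {k: (v or "").strip() for k, v in cp[s].items()} for s in cp.sections()}
    return sections.pop("global"), sections


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def audit(text):
    """Return [(module, key, finding)]; an empty list means nothing to complain about."""
    g, modules = parse_rsyncd(text)
    findings = []
    if not g.get("address"):
        findings.append(("global", "address", "daemon binds every interface; set address to the internal IP"))
    for name, mod in modules.items():
        def setting(key, default=None):
            return mod.get(key, g.get(key, default))   # a module setting overrides the global one
        users = setting("auth users", "")
        secrets = setting("secrets file", "")
        if not users:
            findings.append((name, "auth users", "anyone who can reach port 873 may use this module"))
        elif not secrets:
            findings.append((name, "secrets file", "auth users set but no secrets file; authentication cannot work"))
        if not setting("hosts allow"):
            findings.append((name, "hosts allow", "no source restriction; add hosts allow plus hosts deny = *"))
        if not is_yes(setting("use chroot", "yes")):
            findings.append((name, "use chroot", "chroot disabled; the module path is no longer a hard boundary"))
        if not is_yes(setting("read only", "yes")) and not users:
            findings.append((name, "read only", "writable module without authentication"))
        if setting("uid", "nobody") in ("root", "0"):
            findings.append((name, "uid", "transfers run as root; use a dedicated unprivileged uid"))
        if secrets and os.path.exists(secrets):      # only checkable on the server itself
            mode = stat.S_IMODE(os.stat(secrets).st_mode)
            if mode & 0o077 and is_yes(setting("strict modes", "yes")):
                findings.append((name, "secrets file", "%s is mode %o; rsync refuses it unless strict modes = no" % (secrets, mode)))
    return findings


# The configuration from this post.
POST_CONF = """\
pid file = /var/run/rsyncd.pid
port = 873
address = 192.168.0.24
uid = www
gid = website

use chroot = yes
read only = no

#limit access to private LANs
hosts allow=192.168.0.0/255.255.255.0
hosts deny=*

max connections = 5
motd file = /etc/rsyncd.motd
log format = %t %a %m %f %b
syslog facility = local3
timeout = 300

[discuz]
path = /opt/htdocs/bbs
list=no
ignore errors
auth users = www
secrets file = /etc/rsyncd.secrets
comment = This is bbs data
"""

# Constructed counter-example: a writable, unauthenticated, root-run module open to the world.
WEAK_CONF = """\
port = 873
uid = root
gid = root
use chroot = no
read only = no

[backup]
path = /data/backup
comment = everyone can push here
"""

if __name__ == "__main__":
    for label, conf in (("post", POST_CONF), ("weak", WEAK_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

Run it on the server after every change to rsyncd.conf; the secrets file permission check only fires where the file exists, which is the same condition under which rsync itself refuses a world-readable secrets file.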


Posted in Backup.


Upgrading svn 1.5.4 to svn 1.7.7 on Windows, short notes

The original svn ran on XP behind Apache and had previously been upgraded from 1.4.3 to 1.5.4.
The client was
TortoiseSVN-1.4.3.8645-win32-svn-1.4.3.msi

1. Get the new svn
http://subversion.apache.org
Subversion 1.7.7 + Apache Server (Windows 32-bit)
http://tortoisesvn.net/
TortoiseSVN-1.7.10.23359-win32-svn-1.7.7.msi

2. Back up the old svn
backup.bat

@echo off
rem Subversion install directory (no quotes: the path is concatenated below)
set SVN_HOME=D:\Subversion
rem parent directory of all repositories
set SVN_ROOT=D:\svnroot
rem backup directory
set BACKUP_SVN_ROOT=D:\svnrootbak
set BACKUP_DIRECTORY=%BACKUP_SVN_ROOT%\%date:~0,10%
if exist %BACKUP_DIRECTORY% goto checkBack
echo creating backup directory %BACKUP_DIRECTORY%>>%SVN_ROOT%\backup.log
mkdir %BACKUP_DIRECTORY%
rem every directory that contains conf\svnserve.conf is a repository: back it up under its own name
for /r %SVN_ROOT% %%I in (.) do @if exist "%%I\conf\svnserve.conf" %SVN_ROOT%\simplebackup.bat "%%~fI" %%~nI
goto end
:checkBack
echo backup directory %BACKUP_DIRECTORY% already exists, please empty it.
goto end
:end

simplebackup.bat

@echo backing up repository %1 ...
@%SVN_HOME%\bin\svnadmin hotcopy %1 %BACKUP_DIRECTORY%\%2
@echo repository %1 backed up to %2

svnadmin hotcopy makes a hot backup whose layout is identical to the original; dump is far too slow.
Copy both scripts into the repository parent directory and run backup.bat.
Mind the svnadmin path: with a wrong one the copy reports "format 4 found" and has no format file, and such a copy cannot be upgraded.
Pack the result and transfer it to the new machine.

3. The new svn server
Unpack, keeping the same directory layout as before.
Install the svn service.
At the command prompt upgrade every repository (this is svnadmin; the svn client's upgrade command is for working copies):

[path]\svnadmin upgrade <repository path>

Clients running update then report
Not authorized to open root of edit operation

Adding "* = r" to the server's access file works around it, but then everyone gets check-out rights:

[/]
* = r

Adding the proper authentication to Apache's httpd.conf fixes the permission problem:

# user authentication ....
Order allow,deny
deny from all

4. Client upgrade
On the client, close unrelated programs, install TortoiseSVN and reboot.
Right-clicking the old working copy no longer offers Update, only "SVN Upgrade working copy"; after the upgrade the usual operations work again.
The change I like most in Subversion 1.7 is that the .svn directory now exists only at the root of the working copy.

===================
2012-11-30 update: added the httpd.conf authentication settings

Posted in Subversion.



nginx "location" restricted resource serving vulnerability

Published: 2012-10-15 (GMT+0800)
Affected versions:

Nginx 1.2.x
Description:

CVE ID: CVE-2011-4963

nginx is a very widely used high-performance web server.

nginx allows remote attackers to bypass intended access restrictions or access restricted files via a "." or certain "$index_allocation" sequences in the request.
<* Reference http://secunia.com/advisories/50912/
*>
Recommendation:

Vendor patches:

Nginx
-----
The vendor has released an upgrade that fixes this issue; download it from the vendor's site:

http://nginx.net/


Posted in Security advisories.


phpMyAdmin 3.5.x HTML injection vulnerability (CVE-2012-5339)

PMASA-2012-6

Announcement-ID: PMASA-2012-6

Date: 2012-10-12

Summary

Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages.

Description

When creating/modifying a trigger, event or procedure with a crafted name, it is possible to trigger an XSS. The Trigger, Procedure and Event pages do not escape their HTML output correctly; a crafted name in any of them triggers cross-site scripting, which can expose sensitive information or hijack the user's session.
Severity

We consider these vulnerabilities to be non critical.

Mitigation factor

These XSS can only be triggered when a crafted value is entered by the user.

Affected Versions

Versions 3.5.x are affected.

Solution

Upgrade to phpMyAdmin 3.5.3 or newer or apply the patches listed below.

References

Thanks to Maxim Rupp for reporting an issue when creating an event.

Assigned CVE ids: CVE-2012-5339

CWE ids: CWE-661 CWE-79

http://sebug.net/vuldb/ssvid-60440
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php

Posted in Security advisories.


Fixing MySQL replication error 1062

Percona-Server-5.5.22-rel25.2
One of the replicas failed while replicating discuzx; Slave_SQL_Running was No.

show slave status\G

Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.0.99
Master_User: xxx
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000059
Read_Master_Log_Pos: 63986019
Relay_Log_File: C1g-relay-bin.000417
Relay_Log_Pos: 48985722
Relay_Master_Log_File: mysql-bin.000059
Slave_IO_Running: Yes
Slave_SQL_Running: No
Replicate_Do_DB: discuzx
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table: discuzx.pre_common_admincp_session,discuzx.pre_common_session
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 1062
Last_Error: Error 'Duplicate entry '1503760-25' for key 'PRIMARY'' on query. Default database: 'discuzx'. Query: 'INSERT INTO pre_forum_post SET `fid`='456' , `tid`='1553760' , `first`='0' , `author`='xxx' , `authorid`='4018205' , `subject`='' , `dateline`='1349931502' , `message`='xxx' , `useip`='61.165.2.2' , `invisible`='0' , `anonymous`='0' , `usesig`='1' , `htmlon`='0' , `bbcodeoff`=0 , `smileyoff`='-1' , `parseurloff`=0 , `attachment`='0' , `status`='0' , `pid`='12202748''
Skip_Counter: 0
Exec_Master_Log_Pos: 48985576
Relay_Log_Space: 64152580
Until_Condition: None
Until_Log_File:

First I repaired pre_forum_post and deleted the row with primary key 1503760-25, then start slave;
More tables kept failing in the same way:

Last_Error: Error 'Duplicate entry '3064092' for key 'PRIMARY'' on query. Default database: 'discuzx'. Query: 'INSERT INTO pre_common_member_action_log SET `uid`='4818285' , `action`='1' , `dateline`='1349931502''
Last_Error: Error 'Duplicate entry '2327049' for key 'PRIMARY'' on query. Default database: 'discuzx'. Query: 'INSERT INTO pre_home_notification SET `uid`='4047895' , `type`='post' , `new`='1' , `authorid`='4818285' , `author`='xxx' , `note`='xxx' , `dateline`='1349931502' , `from_id`='12002748' , `from_idtype`='quote' , `from_num`='1''
Last_Error: Error 'Duplicate entry '3409334' for key 'PRIMARY'' on query. Default database: 'discuzx'. Query: 'INSERT INTO pre_common_credit_rule_log SET `uid`='4082252' , `rid`='5' , `fid`='0' , `total`='1' , `cyclenum`='1' , `dateline`='1349931503' , `extcredits2`='-2''

sql_slave_skip_counter did not help:

stop slave;
set global sql_slave_skip_counter = 1;
start slave;

Repair the tables in bulk:
online: mysqlcheck -A -o -r -p
or offline with myisamchk

Ignore all 1062 errors in my.cnf:

slave-skip-errors = 1062

This makes the replica silently drop every conflicting INSERT, so the affected rows differ from the master from then on; it is a stopgap to get replication moving, not a repair. Rebuilding the replica from a fresh snapshot of the master is the clean fix.

Restart mysql:

/opt/mysql/bin/mysql.server restart

After the restart the relay log could not be read:

Last_Errno: 1594
Last_Error: Relay log read failure: Could not parse relay log event entry. The possible reasons are: the master's binary log is corrupted (you can check this by running 'mysqlbinlog' on the binary log), the slave's relay log is corrupted (you can check this by running 'mysqlbinlog' on the relay log), a network problem, or a bug in the master's or slave's MySQL code. If you want to check the master's binary log or slave's relay log, you will be able to know their names by issuing 'SHOW SLAVE STATUS' on this slave.

show slave status\G


Connect_Retry: 60
Master_Log_File: mysql-bin.000059
Read_Master_Log_Pos: 89775799
Relay_Log_File: C1g-relay-bin.000417
Relay_Log_Pos: 49139383
Relay_Master_Log_File: mysql-bin.000059
Slave_IO_Running: Yes
Slave_SQL_Running: No
Replicate_Do_DB: discuzx
Replicate_Ig

Skip_Counter: 1
Exec_Master_Log_Pos: 49139237
Relay_Log_Space: 89942788
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed:

Note these two values and reposition the replica on them:

Relay_Master_Log_File: mysql-bin.000059
Exec_Master_Log_Pos: 49139237


stop slave;
change master to Master_Log_File='mysql-bin.000059', Master_Log_Pos=49139237;
start slave;

show slave status\G

Slave_IO_Running Yes
Slave_SQL_Running Yes

Checked the positions on the other replicas and on the master afterwards; everything matched, repair successful.


Posted in Mysql.



dedecms (织梦) < 5.7 multiple SQL injection vulnerabilities

Affected versions:

dedecms < 5.7
Description:

BUGTRAQ ID: 51211
CVE ID: CVE-2011-5200

DedeCms is a free PHP content management system.

DedeCMS 5.6 has multiple SQL injection vulnerabilities through the id parameter passed to list.php, members.php and book.php; a remote attacker can exploit them to take control of the application, read or modify its data, or exploit further weaknesses in the underlying database.
<* Reference http://www.exploit-db.com/exploits/18292/
*>
Recommendation:

Vendor patches:

dedecms
-------
The vendor has not yet released a patch or upgrade; users of this software should watch the vendor's site for a new version:

http://www.dedecms.com/products/dedecms/


Posted in Security advisories.