Skip to content

linux centos5.8 安装memcached

1.安装libevent yum install libevent.x86_64 libevent-devel.x86_64 没有libevent编译memcached为出错

checking for libevent directory… configure: error: libevent is required. You can get it from http://www.monkey.org/~provos/libevent/ If it’s already installed, specify its path using –with-libevent=/dir/

2.安装memcached

wget http://memcached.googlecode.com/files/memcached-1.4.15.tar.gz tar zxvf memcached-1.4.15.tar.gz cd memcached-1.4.15 ./configure –prefix=/opt/memcached-1.4.15 make make install ln -s /opt/memcached-1.4.15 /opt/memcached

3.配置文件 vi /opt/memcached/my.conf

PORT=”11200″ IP=”192.168.0.40″ USER=”root” MAXCONN=”1524″ CACHESIZE=”3000″ OPTIONS=”” #memcached

4.启动/关闭脚本 vi /etc/init.d/memcached

#!/bin/bash # # Save me to /etc/init.d/memcached # And add me to system start # chmod +x memcached # chkconfig –add memcached # chkconfig –level 35 memcached on # # Written by lei # # chkconfig: – 80 12 # description: Distributed memory caching daemon # # processname: memcached # config: /usr/local/memcached/my.conf source /etc/rc.d/init.d/functions ### Default variables PORT=”11211″ IP=”192.168.0.40″ USER=”root” MAXCONN=”1524″ CACHESIZE=”64″ OPTIONS=”” SYSCONFIG=”/opt/memcached/my.conf” ### Read configuration [ -r “$SYSCONFIG” ] && source “$SYSCONFIG” RETVAL=0 prog=”/opt/memcached/bin/memcached” desc=”Distributed memory caching” start() { echo -n $”Starting $desc ($prog): ” daemon $prog -d -p $PORT -l $IP -u $USER -c $MAXCONN -m $CACHESIZE $OPTIONS RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/memcached return $RETVAL } stop() { echo -n $”Shutting down $desc ($prog): ” killproc $prog RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/memcached return $RETVAL } restart() { stop start } reload() { echo -n $”Reloading $desc ($prog): ” killproc $prog -HUP RETVAL=$? echo return $RETVAL } case “$1″ in start) start ;; stop) stop ;; restart) restart ;; condrestart) [ -e /var/lock/subsys/$prog ] && restart RETVAL=$? ;; reload) reload ;; status) status $prog RETVAL=$? ;; *) echo $”Usage: $0 {start|stop|restart|condrestart|status}” RETVAL=1 esac exit $RETVAL

5.添加iptables 充许192.168.0.0/24访问

iptables -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp –dport 11200 -j ACCEPT

6.启动 /etc/init.d/memcached start

7.web 管理界面 http://www.junopen.com/memadmin/

Posted in Memcached/redis.

Tagged with .

rev="post-1607" No comments

By C1G 2013/04/18

linux centos5.8 安装redis

Redis 是一个高性能的key-value数据库。 redis的出现,很大程度补偿了memcached这类key/value存储的不足,在部 分场合可以对关系数据库起到很好的补充作用。它提供了Python,Ruby,Erlang,PHP客户端,使用很方便。 一.安装tcl 否则在redis make test时出报错

You need tcl 8.5 or newer in order to run the Redis test make[1]: *** [test] Error 1 wget http://downloads.sourceforge.net/tcl/tcl8.6.0-src.tar.gz tar zxvf tcl8.6.0-src.tar.gz cd tcl8.6.0-src cd unix && ./configure –prefix=/usr \ –mandir=/usr/share/man \ $([ $(uname -m) = x86_64 ] && echo –enable-64bit) make && sed -e “s@^\(TCL_SRC_DIR=’\).*@\1/usr/include’@” \ -e “/TCL_B/s@=’\(-L\)\?.*unix@=’\1/usr/lib@” \ -i tclConfig.sh make test Tests ended at Tue Apr 16 12:02:27 CST 2013 all.tcl: Total 116 Passed 116 Skipped 0 Failed 0 make install && make install-private-headers && ln -v -sf tclsh8.6 /usr/bin/tclsh && chmod -v 755 /usr/lib/libtcl8.6.so

二.redis 1.安装redis

wget http://redis.googlecode.com/files/redis-2.6.12.tar.gz tar xzf redis-2.6.12.tar.gz cd redis-2.6.12 make make test

以下错误可以忽略 https://github.com/antirez/redis/issues/1034

[exception]: Executing test client: assertion:Server started even if RDB was unreadable!. assertion:Server started even if RDB was unreadable! while executing “error “assertion:$msg”” (procedure “fail” line 2) invoked from within “fail “Server started even if RDB was unreadable!”” (“uplevel” body line 2) invoked from within “uplevel 1 $elsescript” (procedure “wait_for_condition” line 7) invoked from within “wait_for_condition 50 100 { [string match {*Fatal error loading*} [exec tail -n1

make命令执行完成后,会在当前目录下生成4个可执行文件,分别是redis-server、redis-cli、redis-benchmark、redis-stat,它们的作用如下: redis-server:Redis服务器的daemon启动程序 redis-cli:Redis命令行操作工具。当然,你也可以用telnet根据其纯文本协议来操作 redis-benchmark:Redis性能测试工具,测试Redis在你的系统及你的配置下的读写性能 redis-stat:Redis状态检测工具,可以检测Redis当前状态参数及延迟状况

2.建立Redis目录

mkdir -p /opt/redis/bin mkdir -p /opt/redis/etc mkdir -p /opt/redis/var cp redis.conf /opt/redis/etc/ cd src cp redis-server redis-cli redis-benchmark redis-check-aof redis-check-dump /opt/redis/bin/ useradd redis chown -R redis.redis /opt/redis

建立Redis目录,只是为了将Redis相关的资源更好的统一管理。你也可以使用 make install 安装在系统默认目录

3.复制启动文件

cp ../utils/redis_init_script /etc/init.d/redis

4.启动redis

cd /opt/redis/bin ./redis-server /opt/redis/etc/redis.conf _._ _.-“__ ”-._ _.-“ `. `_. ”-._ Redis 2.6.12 (00000000/0) 64 bit .-“ .-“`. “`\/ _.,_ ”-._ ( ‘ , .-` | `, ) Running in stand alone mode |`-._`-…-` __…-.“-._|’` _.-‘| Port: 6379 | `-._ `._ / _.-‘ | PID: 24454 `-._ `-._ `-./ _.-‘ _.-‘ |`-._`-._ `-.__.-‘ _.-‘_.-‘| | `-._`-._ _.-‘_.-‘ | http://redis.io `-._ `-._`-.__.-‘_.-‘ _.-‘ |`-._`-._ `-.__.-‘ _.-‘_.-‘| | `-._`-._ _.-‘_.-‘ | `-._ `-._`-.__.-‘_.-‘ _.-‘ `-._ `-.__.-‘ _.-‘ `-._ _.-‘ `-.__.-‘ [24454] 12 Apr 10:34:19.519 # Server started, Redis version 2.6.12 [24454] 12 Apr 10:34:19.519 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add ‘vm.overcommit_memory = 1’ to /etc/sysctl.conf and then reboot or run the command ‘sysctl vm.overcommit_memory=1’ for this to take effect. [24454] 12 Apr 10:34:19.519 * The server is now ready to accept connections on port 6379

成功安装Redis后,直接执行redis-server即可运行Redis,此时它是按照默认配置来运行的(默认配置不是后台运行)。如果我们希望Redis按我们的要求运行,则需要修改配置文件,

5.设置itpables,充许192.168.0内网网段访问

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp –dport 6379 -j ACCEPT /etc/init.d/iptables save

6.配置redis vi /opt/redis/etc/redis.conf

daemonize yes #是否作为守护进程运行 默认0 pidfile /var/run/redis.pid # 指定一个pid,默认为/var/run/redis.pid port 6379 #Redis默认监听端口 bind 192.168.0.41 #绑定主机IP,默认值为127.0.0.1 timeout 300 #客户端闲置多少秒后,断开连接,默认为300(秒) tcp-keepalive 0 # tcp保持连接 loglevel notice #日志记录等级,有4个可选值,debug,verbose(默认值),notice,warning logfile /opt/redis/var/redis.log #指定日志输出的文件名,默认值为stdout,也可设为/dev/null屏蔽日志 databases 16 #可用数据库数,默认值为16 save 900 1 #保存数据到disk的策略 #当有一条Keys数据被改变是,900秒刷新到disk一次 save 300 10 #当有10条Keys数据被改变时,300秒刷新到disk一次 save 60 10000 #当有1w条keys数据被改变时,60秒刷新到disk一次 #当dump .rdb数据库的时候是否压缩数据对象 rdbcompression yes #本地数据库文件名,默认值为dump.rdb dbfilename dump.rdb #本地数据库存放路径,默认值为 ./ dir /opt/redis/var/ #内存限制 maxmemory 2G #刷新策略 maxmemory-policy allkeys-lru
  1. 调整系统内核参数 如果内存情况比较紧张的话,需要设定内核参数:
echo 1 > /proc/sys/vm/overcommit_memory

这里说一下这个配置的含义:/proc/sys/vm/overcommit_memory 该文件指定了内核针对内存分配的策略,其值可以是0、1、2。 0,表示内核将检查是否有足够的可用内存供应用进程使用;如果有足够的可用内存,内存申请允许;否则,内存申请失败,并把错误返回给应用进程。 1,表示内核允许分配所有的物理内存,而不管当前的内存状态如何。 2,表示内核允许分配超过所有物理内存和交换空间总和的内存 Redis在dump数据的时候,会fork出一个子进程,理论上child进程所占用的内存和parent是一样的,比如parent占用的内存为8G,这个时候也要同样分配8G的内存给child, 如果内存无法负担,往往会造成redis服务器的down机或者IO负载过高,效率下降。所以这里比较优化的内存分配策略应该设置为 1(表示内核允许分配所有的物理内存,而不管当前的内存状态如何)

vi /etc/sysctl.conf

vm.overcommit_memory = 1

然后应用生效:

sysctl –p

8.修改redis服务脚本 vi /etc/init.d/redis

REDISPORT=6379 EXEC=/opt/redis/bin/redis-server CLIEXEC=/opt/redis/bin/redis-cli PIDFILE=/var/run/redis.pid CONF=”/opt/redis/etc/redis.conf”

如果监听非本机IP地址时还需修改下脚本,不然关不掉

#增加监听地址变量 REDIHOST=192.168.0.41 #增加-h $REDIHOST echo “Stopping …” $CLIEXEC -h $REDIHOST -p $REDISPORT shutdown

9.测试

/etc/init.d/redis start

Starting Redis server…

/opt/redis/bin/redis-cli -h 192.168.0.41

redis 127.0.0.1:6379> ping PONG redis 127.0.0.1:6379> set mykey c1gstduio OK redis 127.0.0.1:6379> get mykey “c1gstduio” redis 127.0.0.1:6379> exit

benchmark /opt/redis/bin/redis-benchmark -h 192.168.0.41

====== PING_INLINE ====== 10000 requests completed in 0.17 seconds 50 parallel clients 3 bytes payload keep alive: 1 99.51%

  1. 关闭服务 /opt/redis/bin/redis-cli shutdown 如果端口变化可以指定端口: /opt/redis/bin/redis-cli -h 192.168.0.41 -p 6379 shutdown

  2. 保存/备份 数据备份可以通过定期备份该文件实现。 因为redis是异步写入磁盘的,如果要让内存中的数据马上写入硬盘可以执行如下命令: redis-cli save 或者 redis-cli -p 6379 save(指定端口) 注意,以上部署操作需要具备一定的权限,比如复制和设定内核参数等。 执行redis-benchmark命令时也会将内存数据写入硬盘。

/opt/redis/bin/redis-cli save OK

查看结果 ll -h var/

total 48K -rw-r–r– 1 root root 40K Apr 12 11:49 dump.rdb -rw-r–r– 1 root root 5.3K Apr 12 11:49 redis.log

12.开机运行 vi /etc/rc.local

/etc/init.d/redis start

三.php扩展

redis扩展非常多,光php就有好几个,这里选用phpredis,Predis需要PHP >= 5.3 Predis ? ★ Repository JoL1hAHN Mature and supported phpredis ? ★ Repository yowgi This is a client written in C as a PHP module. Rediska ? Repository Homepage shumkov RedisServer Repository OZ Standalone and full-featured class for Redis in PHP Redisent ? Repository justinpoliey
Credis Repository colinmollenhour Lightweight, standalone, unit-tested fork of Redisent which wraps phpredis for best performance if available.

1.安装php扩展phpredis

wget https://nodeload.github.com/nicolasff/phpredis/zip/master –no-check-certificate cd phpredis-master unzip master cd phpredis-master/ /opt/php/bin/phpize ./configure –with-php-config=/opt/php/bin/php-config make make install

接下来在php.ini中添加extension=redis.so vi /opt/php/etc/php.ini

extension_dir = “/opt/php/lib/php/extensions/no-debug-non-zts-20060613/” extension=redis.so

vi test.php

phpinfo(); $redis = new Redis(); $redis->connect(“127.0.0.1”,6379); $redis->set(“test”,”Hello World”); echo $redis->get(“test”); ?>

redis Redis Support enabled Redis Version 2.2.2

四.基于php的web管理工具

phpRedisAdmin https://github.com/ErikDubbelboer/phpRedisAdmin 演示:http://dubbelboer.com/phpRedisAdmin/?overview 这个用的人很多,但是我装完无法显示

readmin http://readmin.org/ 演示:http://demo.readmin.org/ 需要装在根目录

phpredmin https://github.com/sasanrose/phpredmin#readme 可以显示,有漂良的图表 使用伪rewrite,/index.php/welcome/stats

wget https://nodeload.github.com/sasanrose/phpredmin/zip/master unzip phpredmin-master.zip

ln -s phpredmin/public predmin

编辑nginx,支持rewrite nginx.conf

location ~* ^/predmin/index.php/ { rewrite ^/predmin/index.php/(.*) /predmin/index.php?$1 break; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fcgi.conf; }

crontab -e

* * * * * root cd /var/www/phpredmin/public && php index.php cron/index

配置redis vi phpreadmin/config

‘redis’ => Array( ‘host’ => ‘192.168.0.30’, ‘port’ => ‘6379’, ‘password’ => Null, ‘database’ => 0

访问admin.xxx.com/predmin/就可以显示界面

五.实际使用感觉 redis装完后做discuzx2.5的cache 带宽消耗惊人,大概是memcached的十倍左右 内存占用也多了四分之一左右 discuz连接redis偶尔会超时和出错 最后还是切回了memcached

参考: http://redis.io/topics/quickstart http://hi.baidu.com/mucunzhishu/item/ead872ba3cec36db84dd798c http://www.linuxfromscratch.org/blfs/view/svn/general/tcl.html

Posted in Memcached/redis.

Tagged with .

rev="post-1604" 4 comments

By C1G 2013/04/17

centos5.8 LINUX 安装openvpn

1.下载

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz wget https://nodeload.github.com/OpenVPN/openvpn/zip/release/2.3 wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz

2.安装LZO

tar -xvzf lzo-2.06.tar.gz cd lzo-2.06 ./configure –prefix=/usr/local/lzo-2.06 make && make install

3.安装openvpn

tar zxvf openvpn-2.3.0.tar.gz cd openvpn-2.3.0 ./configure –prefix=/usr/local/openvpn-2.3.0 –with-lzo-headers=/usr/local/lzo/include/lzo-2.06 –with-lzo-lib=/usr/local/lzo-2.06/lib –with-ssl-headers=/usr/include/openssl/ –with-ssl-lib=/usr/lib/openssl/

如果有错误 openvpn error: lzo enabled but missing 可以尝试下面

ldconfig CFLAGS=”-I/usr/local/include” LDFLAGS=”-L/usr/local/lib” ./configure –prefix=/usr/local/openvpn-2.3.0 make && make install

安装后提示

(1) make device node: mknod /dev/net/tun c 10 200 (2a) add to /etc/modules.conf: alias char-major-10-200 tun (2b) load driver: modprobe tun (3) enable routing: echo 1 > /proc/sys/net/ipv4/ip_forward

4.创建tun

mknod /dev/net/tun c 10 200

5.复制服务端样例配置文件

mkdir /etc/openvpn cp sample/sample-config-files/server.conf /etc/openvpn/

6.下载easy-rsa

wget https://nodeload.github.com/OpenVPN/easy-rsa/zip/master unzip master cd easy-rsa-master cp -R easy-rsa/ /etc/openvpn/

7.创建证书 cd /etc/openvpn/easy-rsa/2.0/ 这下面的文件做简单介绍: vars 脚本,是用来创建环境变量,设置所需要的变量的脚本 clean-all 脚本,是创建生成CA证书及密钥 文件所需要的文件和目录 build-ca 脚本,生成CA证书(交互) build-dh 脚本,生成Diffie-Hellman文件(交互) build-key-server 脚本,生成服务器端密钥(交互) build-key 脚本,生成客户端密钥(交互) pkitool 脚本,直接使用vars的环境变量设置直接生成证书(非交互)

a.初始化keys文件

. ./vars (注意有两个点,两个点之间有空格) ./clean-all ./build-ca (一路按回车就可以)

b.生成Diffie-Hellman文件

./build-dh

c.生成VPN server ca证书

./build-key-server server

然后把刚生成的CA证书和密钥copy到/etc/openvpn/下

cd keys cp ca.crt ca.key server.crt server.key dh2048.pem /etc/openvpn/

d.生成客户端CA证书及密钥

./build-key client

打包客户端证书 供客户端使用

tar zcvf userkeys.tar.gz ca.crt ca.key client.crt client.key client.csr

8.编辑配置文件 vi /etc/openvpn/openvpn.conf

port 8099 proto udp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key # This file should be kept secret dh /etc/openvpn/dh2048.pem server 172.16.1.0 255.255.255.0 ifconfig-pool-persist ipp.txt push “dhcp-option DNS 8.8.8.8” client-to-client duplicate-cn keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status /var/log/openvpn-status.log log /var/log/openvpn.log log-append /var/log/openvpn.log verb 3

9.启动和查看openvpn

ln -s /usr/local/openvpn-2.3.0 /usr/local/openvpn /usr/local/openvpn/sbin/openvpn –daemon –config /etc/openvpn/openvpn.conf netstat -tunlp

10.开启iptables

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.2.0/24 -j SNAT –to-source 100.100.100.100 iptables -A INPUT -p udp -m state –state NEW -m udp –dport 8099 -j ACCEPT iptables -A INPUT -p tcp -m state –state NEW -m tcp –dport 8099 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j SNAT –to-source 100.100.100.100

100.100.100.100为vpn服务器外网卡eth0的IP地址,这是保证客户端能翻墙上网。也可以这样设置

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.2.0/24 -j MASQUERADE

这应该是一种比较通用方法,适合ADSL拨号的动态公网地址

11. 客户端安装和配置 我的客户端是windowsXP系统的。从openvpn官网下载最新的客户端,然后安装,过程一直下一步就OK了。 完成之后我们需要把VPN-server服务器上的/etc/openvpn/keys/ 目录下的ca.crt、client.crt、client.key三个文件复制到“C:\Program Files\openvpn\config\keys”文件夹内。 然后连接

http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.0-I004-i686.exe

ps:openvpn需安装客户端,多用户也不能同时连接.

参考: http://lxsym.blog.51cto.com/1364623/772075 http://blog.jiechic.com/archives/budgetvm-install-openvpn-vpn-vps-server http://www.itdhz.com/post-287.html http://www.kdolphin.com/1120 http://blog.creke.net/748.html http://luxiaok.blog.51cto.com/2177896/1078375 http://docs.linuxtone.org/ebooks/VPN/openvpn%E9%9B%86%E5%90%88.pdf

Posted in VPN.

Tagged with , .

rev="post-1601" No comments

By C1G 2013/04/10

centos5.8 LINUX 安装L2TP/IPSec VPN

第二层隧道协议L2TP(Layer 2 Tunneling Protocol)是一种工业标准的Internet隧道协议,它使用UDP的1701端口进行通信。L2TP本身并没有任何加密,但是我们可以使用IPSec对L2TP包进行加密。L2TP VPN比PPTP VPN搭建复杂一些。 IPSec 使用预共享密钥(PSK)进行加密和验证,L2TP 负责封包,PPP 负责具体的用户验证 一、部署IPSEC 、安装 openswan 1、安装关联包

yum install make gcc gmp-devel bison flex

2、编译安装 使用Openswan来实现IPSec

wget http://ftp.openswan.org/openswan/openswan-2.6.38.tar.gz tar zxvf openswan-2.6.38.tar.gz cd openswan-2.6.38 make programs install

3、配置ipsec vi /etc/ipsec.conf

config setup nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 oe=off protostack=netkey conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport left=YOUR.SERVER.IP leftprotoport=17/1701 right=%any rightprotoport=17/%any

YOUR.SERVER.IP为vpn服务器的公网ip 注意前面有tab缩进,否则可能出现下面错误

failed to start openswan IKE daemon – the following error occured: can not load config ‘/etc/ipsec.conf’: /etc/ipsec.conf:58: syntax error, unexpected KEYWORD, expecting $end [rightsubnet]

4、 设置 Shared Key

vi /etc/ipsec.secrets

YOUR.SERVER.IP %any: PSK “YourSharedSecret”

YOUR.SERVER.IP为vpn服务器的公网ip YourSharedSecret为共享密钥

5、 修改包转发设置

for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done echo 1 >/proc/sys/net/core/xfrm_larval_drop echo 1 >/proc/sys/net/ipv4/ip_forward sed -i ‘/net.ipv4.ip_forward / {s/0/1/g} ‘ /etc/sysctl.conf sed -i ‘/net.ipv4.conf.default.rp_filter / {s/1/0/g} ‘ /etc/sysctl.conf touch /var/lock/subsys/local

6、 重启 IPSec ,测试

/etc/init.d/ipsec restart

ipsec_setup: Stopping Openswan IPsec… ipsec_setup: stop ordered, but IPsec appears to be already stopped! ipsec_setup: doing cleanup anyway… ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.18-308.el5..

ipsec verify 没有报[FAILED]就可以了。

Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [OK] [OK] [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK] Checking for ‘ip’ command [OK] Checking /bin/sh is not /bin/dash [OK] Checking for ‘iptables’ command [OK] Opportunistic Encryption Support [DISABLED]

错误1: SAref kernel support [N/A] /etc/xl2tpd/xl2tpd.conf这个文件里

[global] ipsec saref = no

Linux Openswan U2.6.38/K2.6.18-308.el5 (netkey) 以netkey方式运行不支持局域网多个nat客户; 开启SAref kernel support后以klips方式运行支持

错误2: Two or more interfaces found, checking IP forwarding 修改ip_forward,只要 cat /proc/sys/net/ipv4/ip_forward 返回结果是1就没事 echo 1 >/proc/sys/net/ipv4/ip_forward

错误3: Please enable /proc/sys/net/core/xfrm_larval_drop echo 1 > /proc/sys/net/core/xfrm_larval_drop

二、安装 L2TP 1、关联包

yum install libpcap-devel ppp

2.编译安装

wget http://jaist.dl.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz tar -zxvf rp-l2tp-0.4.tar.gz cd rp-l2tp-0.4 ./configure make cp handlers/l2tp-control /usr/local/sbin/ mkdir /var/run/xl2tpd/ ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control wget http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.3.0.tar.gz tar -zxvf xl2tpd-1.3.0.tar.gz cd xl2tpd-1.3.0 make make install

安装显示

install -d -m 0755 /usr/local/sbin install -m 0755 xl2tpd /usr/local/sbin/xl2tpd install -d -m 0755 /usr/local/share/man/man5 install -d -m 0755 /usr/local/share/man/man8 install -m 0644 doc/xl2tpd.8 /usr/local/share/man/man8/ install -m 0644 doc/xl2tpd.conf.5 doc/l2tp-secrets.5 \ /usr/local/share/man/man5/ # pfc install -d -m 0755 /usr/local/bin install -m 0755 pfc /usr/local/bin/pfc install -d -m 0755 /usr/local/share/man/man1 install -m 0644 contrib/pfc.1 /usr/local/share/man/man1/ # control exec install -d -m 0755 /usr/local/sbin install -m 0755 xl2tpd-control /usr/local/sbin/xl2tpd-control

3、配置

mkdir /etc/xl2tpd vi /etc/xl2tpd/xl2tpd.conf [global] ipsec saref = yes [lns default] ip range = 192.168.81.2-192.168.81.254 local ip = 192.168.81.1 //你的内网口 refuse chap = yes refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes

4、修改 ppp 配置

vi /etc/ppp/options.xl2tpd

require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 asyncmap 0 auth crtscts lock hide-password modem debug name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4

5、添加用户名/密码

vi /etc/ppp/chap-secrets

# user server password ip vpnuser l2tpd userpass *

8、启动 xl2tpd

iptables -t nat -A POSTROUTING -s 192.168.81.0/24 -o eth0 -j MASQUERADE iptables -A INPUT -p udp -m state –state NEW -m udp –dport 1701 -j ACCEPT iptables -A INPUT -p udp -m state –state NEW -m udp –dport 500 -j ACCEPT iptables -A INPUT -p udp -m state –state NEW -m udp –dport 4500 -j ACCEPT iptables -I FORWARD -s 192.168.81.0/24 -j ACCEPT iptables -I FORWARD -d 192.168.81.0/24 -j ACCEPT

/usr/local/sbin/xl2tpd

错误

Feb 20 15:20:38 localc1g ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 250: 7859 Aborted (core dumped) /usr/local/libexec/ipsec/pluto –nofork –secretsfile /etc/ipsec.secrets –ipsecdir /etc/ipsec.d –use-netkey –uniqueids –nat_traversal –virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 Feb 20 15:20:38 localc1g ipsec__plutorun: !pluto failure!: exited with error status 134 (signal 6) Feb 20 15:20:38 localc1g ipsec__plutorun: restarting IPsec after pause… Feb 20 16:58:47 localc1g pppd[13553]: The remote system is required to authenticate itself Feb 20 16:58:47 localc1g pppd[13553]: but I couldn’t find any suitable secret (password) for it to use to do so.

检查chap-secrets文件server是否正确

Feb 21 11:30:52 localc1g pluto[16897]: “L2TP-PSK-NAT”[11] 122.221.55.121 #11: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet Feb 21 11:30:52 localc1g pluto[16897]: | payload malformed after IV

检查客户端PSK是否正确

9、开机运行 放入/etc/rc.local中

touch /var/lock/subsys/local for each in /proc/sys/net/ipv4/conf/* do echo 0 > $each/accept_redirects echo 0 > $each/send_redirects done echo 1 >/proc/sys/net/core/xfrm_larval_drop echo 1 >/proc/sys/net/ipv4/ip_forward /etc/init.d/ipsec restart /usr/local/sbin/xl2tpd

参考: http://www.myvm.net/archives/554 http://amumy.blog.163.com/blog/static/17312970201210282323568/ http://www.vpsyou.com/2010/08/10/centos-install-l2tpipsec-and-simple-troubleshooting.html http://www.esojourn.org/blog/post/setup-l2tp-vpn-server-with-ipsec-in-centos6.php https://www.dls-yan.com/2012/10/04/783.html http://blog.csdn.net/rosetta/article/details/7794826

http://book.51cto.com/art/201204/331170.htm http://blog.csdn.net/cumtmimi/article/details/1814073

1、“IPSEC服务”服务不在运行状态

请依次执行下列操作:

计算机管理->服务和应用程序->服务,找到IPSEC Services ,双击打开,设启动方式为自动。

重新开机再设置策略

2、IPSEC Services 如何打开

补充:如果点打开时出现提示 在 本地计算机 无发启动 IPSEC Services 服务 错误1747:未知的验证服务 现在就是自动的 只是前面的装备 没有启动 网络客户端装上后 还是一样不能启动

修复方法: Code: 开始>运行 输入:CMD 在窗口中输入:netsh winsock reset

3、修改注册表 缺省的Windows XP L2TP 传输策略不允许L2TP 传输不使用IPSec 加密。可以通过修改 Windows XP 注册表来禁用缺省的行为: 手工修改: 1) 进入Windows XP 的“开始” “运行”里面输入“Regedt32”,打开“注册表编辑 器”,定位“HKEY_Local_Machine / System / CurrentControl Set / Services / RasMan / Parameters ”主键。 2) 为该主键添加以下键值: 键值:ProhibitIpSec 数据类型:reg_dword 值:1

Posted in VPN.

Tagged with , , .

rev="post-1597" 1 comment

By C1G 2013/02/22

编译安装ntp

升级ssh时连带升级OpenSSL 后ntp无法启动,yum升级ntp无果,决定重新编译个.

#ntpd –version

ntpd – NTP daemon program – Ver. 4.2.4p8

#tail /var/log/messages

ntpd: OpenSSL version mismatch. Built against 10000003, you have 1000103f

删除原ntp

yum remove ntp

编译ntp

wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.6p5.tar.gz tar zxvf ntp-4.2.6p5.tar.gz cd ntp-4.2.6p5 ./configure –prefix=/usr/local/ntp-4.2.6p5 –enable-all-clocks –enable-parse-clocks make && make install

创建软链接 ln -s /usr/local/ntp-4.2.6p5 /usr/local/ntp

编辑配置文件 vi /etc/ntp.conf

driftfile /var/lib/ntp/drift restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery restrict 127.0.0.1 restrict -6 ::1 server 0.centos.pool.ntp.org server 1.centos.pool.ntp.org server 2.centos.pool.ntp.org includefile /etc/ntp/crypto/pw keys /etc/ntp/keys

运行ntp

/usr/local/ntp/bin/ntpd -c /etc/ntp.conf

检查同步情况

watch /usr/local/bin/ntpq -p

开机运行

echo ‘/usr/local/ntp/bin/ntpd -c /etc/ntp.conf’ >> /etc/rc.local

参考: http://vbird.dic.ksu.edu.tw/linux_server/0440ntp/0440ntp-centos4.php

Posted in LINUX.

Tagged with , .

rev="post-1593" 1 comment

By C1G 2013/01/11

linux日志集中管理查看syslog-ng+splunk

syslog-ng ,可以简单的看成取代 syslog 的的日志服务器,企业级的.目前我们使用的 syslog-ng 开源版本是启动于十年之前的 syslog-ng 项目的“直系后代”.syslog-ng可运行与“server”和“agent”模式,分别支持 UDP、可靠的TCP和加密的TLS协议.syslog 可以用来在混合复杂的环境里建立灵活的、可靠的日志服务器.

syslog-ng开源版本的特性还有:

  1. 支持SSL/TSL协议
  2. 支持将日志写入数据库中,支持的数据库有MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, and SQLite.
  3. 支持标准的syslog协议
  4. 支持filter、parse以及rewrite
  5. 支持更多的平台
  6. 更高的负载能力

syslog-ng 对性能进行了优化,可以处理巨大的数据量.一般的硬件,在正确的配置下,可以实时地处理75000个消息每秒钟,超过24GB的RAW日志每小时.

前言 在标准的 Linux 中有一个 syslog .通常设置格式为

..

默认系统预先定义了12+8个(mail、news、auth等)facility,八个不同的优先级(alert到debug).通常我们也只能根据这些来做一些操作.备注中有详细的解释.

在 syslog-ng 中.就不一样,非常强大,只需要定义来源,和目标位置,有可能需要定义一个过滤. 示例为:

{Source;filter;destination;}

其中的每一个字段的会在下面进行详细的说明,这也必须在 syslog_ng.conf 文件中定义你想要的.

一.安装 syslog-ng 直接用 yum

yum install syslog-ng

源码安装 http://www.balabit.com/downloads/files?path=/libol

wget http://www.balabit.com/downloads/files?path=/libol/0.3/libol-0.3.18.tar.gz wget http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.3.7/source/eventlog_0.2.12.tar.gz wget http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.3.7/source/syslog-ng_3.3.7.tar.gz

1.安装eventlog

tar -zxvf eventlog_0.2.12.tar.gz cd eventlog-0.2.12 ./configure –prefix=/usr/local/eventlog make && make install

2.安装libol

mv files\?path\=%2Flibol%2F0.3%2Flibol-0.3.18.tar.gz libol-0.3.18.tar.gz tar -zxvf libol-0.3.18.tar.gz cd libol-0.3.18 ./configure –prefix=/usr/local/libol make && make install

3.安装syslog-ng

yum install pcre # 设置环境变量 export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/ tar -zxvf syslog-ng_3.3.7.tar.gz cd syslog-ng-3.3.7 ./configure –prefix=/usr/local/syslog-ng –with-libol=/usr/local/libol/ make && make install

二.配置syslog-ng

1.打开iptables接收端口,这里只开放给内网

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/16 –dport 514 -j ACCEPT iptables -A INPUT -p udp -m udp -s 192.168.0.0/16 –dport 514 -j ACCEPT

2.配置全局配置 全局配置的是在 /etc/syslog-ng/syslog-ng.conf 中. 新板本中sync变成flush_lines,long_hostnames变成 chain_hostnames. Your configuration file uses an obsoleted keyword, please update your configuration; keyword=’sync’, change=’flush_lines’ Your configuration file uses an obsoleted keyword, please update your configuration; keyword=’long_hostnames’, change=’chain_hostnames’

接收远程日志并按年月日和主机地址集中的一个文件中,示例:

options { keep_hostname(off); chain_hostnames(off); flush_lines(1); log_fifo_size(1024); create_dirs(yes); # if a dir does not exist create it owner(root); # owner of created files group(root); # group of created files perm(0600); # permissions of created files dir_perm(0700); # permissions of created dirs }; source s_local { system(); unix-stream(“/dev/log”); # local system logs file(“/proc/kmsg”); # local kernel logs internal(); }; source s_all { udp(ip(0.0.0.0) port(514)); # remote logs # arriving at 514/udp }; destination d_local_file { file(“/var/syslog/$YEAR.$MONTH/$HOST/log-$DAY.log” owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; destination d_net_file { file(“/var/syslog/$YEAR.$MONTH/$HOST/log-$DAY.log” owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; log { source(s_local); destination(d_local_file); }; log { source(s_all); destination(d_net_file); };

全局选项(option) chain_hostnames 是否使用长主机名记录,也就是使用完全符合标准的域名. flush_lines 设置一次向目的地发送几行消息.如果设成0,一收到消息就发送 sync_freq 在写入文件之前,可以缓冲的日志消息行数 use_dns 是否使用 DNS ,选项包括:yes、no和persist_only.选项设成了‘persist_only’, 因而会检查 /etc/hosts 文件,以解析主机名,这时并不依赖DNS 服务器. stats_freq 两个状态消息(关于丢失日志消息的统计消息)消息之间间隔的时间(以秒为单位).0表示禁用发送STATS消息. normalize_hostnames 是否对主机名转换成小写. keep_hostname 如果要进行转发或透过外部服务器传送,该选项就会保留主机名,那样主机最终到达中央服务器后, 主机名会一并到达,而不是依赖DNS(或/etc/hosts)

来源(source) internal syslog-ng 内部产生的消息 unix-stream 打开指定的SOCK_STREAM模式的unix套接字,接收日志消息 unix-dgram 打开指定的SOCK_DGRAM模式的unix套接字,接收日志消息 file 打开指定的文件读取日志信息 pipe,fifo 打开指定的管道或者FIFO设备,读取日志信息 tcp 在指定的TCP端口接收日志消息 udp 在指定的UDP端口接收日志消息 program 来自程序 syslog 来自网络上syslog格式的信息

目的地(destination) file() file 是 syslog-ng 最重要的日志消息目的驱动器之一.使用它,你可以把日志消息定向到一些文件中. logstore() 存储成二进制格式可以加密压缩 pipe() 通过pipe()日志消息目的驱动器把日志消息发送到/dev/xconsole之类的命名管道. program() 驱动器fork出一个进程,使用给定的参数执行一个特定的程序,然后把日志消息送到这个进程的标准输入设备. sql() 存储到mysql,oracel,mssql等数据库中 syslog() 转发到远程日志服务器上 unix-stream()和unix0dgram() 通过这两个日志消息目的驱动器把日志消息发送到一个SOCK_STREAM或者SOCK_DGRAM模式的UNIX套接字. udp()和tcp() 使用TCP或者UDP协议把日志消息送到本地网络上或者internet上的另外的主机. usertty() 使用这个日志消息目的驱动器把日志消息送到一个登录用户使用的终端.

3.启动 /usr/local/syslog-ng/sbin/syslog-ng

关闭 pkill syslog-ng

4.调试 在其它的节点的 Linux 上在 syslog.conf 或rsyslog.conf 中配置 vi /etc/syslog.conf 或vi /etc/rsyslog.conf

*.* @syslog-ng 服务器 ip /etc/init.d/syslog restart

用 logger 来进行测试

logger -p local3.info hello

这样在syslog-ng 的服务器上就能见到 message 的信息了

三 splunk

splunk看着比LogZilla(php-syslog-ng)强. Splunk 是一款顶级的日志分析软件,如果你经常用 grep、awk、sed、sort、uniq、tail、head 来分析日志,那么你需要 Splunk。能处理常规的日志格式,比如 apache、squid、系统日志、mail.log 这些。对所有日志先进行 index,然后可以交叉查询,支持复杂的查询语句。然后通过直观的方式表现出来。日志可以通过文件方式传倒 Splunk 服务器,也可以通过网络实时传输过去。或者是分布式的日志收集。总之支持多种日志收集方法。

这个软件分为免费版本和专业版本。专业版本的价格是 3 万多刀。免费版本的功能也足够强大了。

下载后为企业试用版,可以转为免费版,免费版和收费版的差异 The Free license includes 500 MB/day of indexing volume, is free (as in beer), and has no expiration date.

The following features that are available with the Enterprise license are disabled in Splunk Free:

Multiple user accounts and role-based access controls
Distributed search
Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to non-Splunk instances)
Deployment management (including for clients)
Alerting/monitoring

1.安装aplunkhttp://www.splunk.com 注册个用户,乱填的可能不通过 下载 splunk tarball 当前最新为splunk-5.0.1 解压 splunk tarball 并将其移动到 /usr/local/splunk

2.打开iptables splunk默认运行在8000端口,打开iptables设置充许访问的ip

iptables -A INPUT -p tcp -m tcp -s 192.168.0.39 –dport 8000-j ACCEPT

3.启动

/usr/local/splunk/bin/splunk start

第一次运行会进行一些设置,按”y”同意

4.设置日志分析目录 进入http://localhost:8000 第一次需要重设密码 然后点击添加数据,选择本地文件,还有tcp端口接收syslog-ng转发

5.修改syslog-ng配置 过滤不同日志存入不同文件,并转发至splunk

options { use_dns (no); use_fqdn(no); chain_hostnames(off); keep_hostname(off); flush_lines(0); stats_freq(43200); create_dirs(yes); }; source s_internal { internal(); }; destination d_syslognglog { file(“/var/log/syslog-ng.log”); }; log { source(s_internal); destination(d_syslognglog); }; source s_sys { system();file(“/proc/kmsg”); unix-stream(“/dev/log”);}; destination d_cons { file(“/dev/console”); }; destination d_mesg { file(“/var/log/messages”); }; destination d_auth { file(“/var/log/secure”); }; destination d_mail { file(“/var/log/maillog”); }; destination d_spol { file(“/var/log/spooler”); }; destination d_boot { file(“/var/log/boot.log”); }; destination d_cron { file(“/var/log/cron”); }; destination d_rsync { file(“/var/log/rsync”); }; destination d_mlal { usertty(“*”); }; filter f_filter1 { facility(kern); }; filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_filter3 { facility(authpriv); }; filter f_filter4 { facility(mail); }; filter f_filter5 { level(emerg); }; filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); }; filter f_filter7 { facility(local7); }; filter f_filter8 { facility(cron); }; filter f_filter9 { facility(daemon); }; filter f_filter10 { facility(local6); }; #log { source(s_sys); filter(f_filter1); destination(d_cons); }; log { source(s_sys); filter(f_filter2); destination(d_mesg); }; log { source(s_sys); filter(f_filter3); destination(d_auth); }; log { source(s_sys); filter(f_filter4); destination(d_mail); }; log { source(s_sys); filter(f_filter5); destination(d_mlal); }; log { source(s_sys); filter(f_filter6); destination(d_spol); }; log { source(s_sys); filter(f_filter7); destination(d_boot); }; log { source(s_sys); filter(f_filter8); destination(d_cron); }; # Remote logging source s_remote { udp(ip(192.168.0.39) port(514)); }; destination r_mesg { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_auth { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/secure” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_mail { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/maillog” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_spol { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/spooler” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_boot { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/boot.log” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_cron { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/cron” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_daemon { file(“/var/log/syslog-ng/$YEAR.$MONTH/$HOST/daemon” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; destination r_local6 { file(“/var/log/syslog-ng/$YEAR.$MONTH/network/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); }; #destination d_separatedbyhosts { # file(“/var/log/syslog-ng/$HOST/messages” owner(“root”) group(“root”) perm(0640) dir_perm(0750) create_dirs(yes)); #}; #log { source(s_remote); destination(d_separatedbyhosts); }; log { source(s_remote); filter(f_filter2); destination(r_mesg); }; log { source(s_remote); filter(f_filter3); destination(r_auth); }; log { source(s_remote); filter(f_filter4); destination(r_mail); }; log { source(s_remote); filter(f_filter6); destination(r_spol); }; log { source(s_remote); filter(f_filter7); destination(r_boot); }; log { source(s_remote); filter(f_filter8); destination(r_cron); }; log { source(s_remote); filter(f_filter9); destination(r_daemon); }; log { source(s_remote); filter(f_filter10); destination(r_local6); }; #splunk use 1999 port destination d_tcp { tcp(“localhost” port(1999) localport(999)); }; log { source(s_remote); destination(d_tcp); };

6.加入自运行 echo ‘/usr/local/syslog-ng/sbin/syslog-ng’ >> /etc/rc.local echo ‘/usr/local/splunk/bin/splunk start’ >> /etc/rc.local

参考: http://www.php-oa.com/2012/01/13/linux-syslog-ng.html http://blog.163.com/dingding_jacky/blog/static/1669127872011113011048416/ http://andyxu.blog.51cto.com/2050315/888583 http://bbs.linuxtone.org/thread-2082-1-3.html http://www.phpwebgo.com/2012/05/14/318.html http://www.balabit.com/sites/default/files/documents/syslog-ng-v3.0-guide-admin-en.html/bk01-toc.html http://docs.splunk.com/Documentation/Splunk http://www.syslog.org/syslog-ng

Posted in 技术, 日志.

Tagged with , .

rev="post-1587" No comments

By C1G 2012/12/31

Apache Tomcat FORM身份验证安全绕过漏洞

发布时间: 2012-12-04 (GMT+0800) 漏洞版本:

Apache Group Tomcat 7.0.0 – 7.0.29 Apache Group Tomcat 6.0.0 – 6.0.35 漏洞描述:

BUGTRAQ ID: 56812 CVE(CAN) ID: CVE-2012-3546

Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。

Tomcat v7.0.30、6.0.36之前版本在FORM身份验证的实现上存在安全漏洞。在使用FORM验证时,若其他组件(如Single-Sign-On)在调用FormAuthenticator#authenticate()之前调用了request.setUserPrincipal(),则攻击者可以通过在URL结尾添加”/j_security_check”以绕过FORM验证 < 参考 http://seclists.org/fulldisclosure/2012/Dec/73 > 安全建议:

厂商补丁:

Apache Group

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载7.0.30和6.0.36或更高版本。

参考链接: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html

Posted in Tomcat, 安全通告.

Tagged with , .

rev="post-1582" No comments

By C1G 2012/12/10

快速配置postfix

在centos6.0上系统默认已安装了postfix和sasl 1.vi /etc/postfix/main.cf

myhostname=mail.c1gstudio.com mydomain=c1gstudio.com myorigin=$mydomain inet_interfaces=all mydestintion=$myhostname,localhost,$mydomain,localhost mynetworks=192.168.100.0/24,127.0.0.0/8 #################CYRUS-SASL################### broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_security_options = noanonymous smtpd_sasl_application_name = smtpd smtpd_banner = $myhostname ESMTP,Warning: Version not Available! smtpd_reject_unlisted_recipient = no

2.vim /etc/sasl2/smtpd.conf

pwcheck_method: saslauthd mech_list: plain login

3.iptables

iptables -A INPUT -p tcp –dport 25 -j ACCEPT service iptables save

4.自动运行

chkconfig postfix on chkconfig saslauthd on

6.添加smtp认证用户

使用shadow认证 [root@dev ~]# groupadd mailuser [root@dev ~]# adduser -g mailuser -s /sbin/nologin service [root@dev ~]# passwd service Changing password for user service. New UNIX password: BAD PASSWORD: it is too simplistic/systematic Retype new UNIX password: passwd: all authentication tokens updated successfully. [root@dev ~]#

检查是否可以通过认证 [root@dev ~]# testsaslauthd -u service -p 123456 0: OK “Success.”

生成base64备用 [root@dev ~]#

perl -MMIME::Base64 -e ‘print encode_base64(“service”);’

c2VydmljZQ== [root@dev ~]#

perl -MMIME::Base64 -e ‘print encode_base64(“123456”);’

MTIzNDU2

7.测试 [root@dev ~]# telnet localhost 25

REtOWTk5OXh4eA== Trying 127.0.0.1… Connected to localhost.localdomain (127.0.0.1). Escape character is ‘^]’. 220 Welcome to our devmail.c1gstudio.com ESMTP,Warning: Version not Available! ehlo localhost 250-devmail.c1gstudio.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN auth login 334 VXNlcm5hbWU6 c2VydmljZQ== 334 UGFzc3dvcmQ6 MTIzNDU2 235 2.0.0 Authentication successful mail from:[email protected] 250 2.1.0 Ok rcpt to:[email protected] 250 2.1.5 Ok data 354 End data with . subject:hello 13:08 this is a test . 250 2.0.0 Ok: queued as 0BABAD607EB quit 221 2.0.0 Bye Connection closed by foreign host.

参考: https://blog.c1gstudio.com/archives/137 http://www.cnblogs.com/paipaita/archive/2012/11/20/centos_postfix.html

Posted in Mail/Postfix.

Tagged with .

rev="post-1577" No comments

By C1G 2012/11/26

Apache Tomcat DIGEST身份验证多个安全漏洞(CVE-2012-3439)

发布时间: 2012-11-05 (GMT+0800) 漏洞版本:

Apache Group Tomcat 7.x Apache Group Tomcat 6.x Apache Group Tomcat 5.x 漏洞描述:

BUGTRAQ ID: 56403 CVE ID: CVE-2012-3439

Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。

Apache Tomcat 7.0.0-7.0.27、6.0.0-6.0.35、5.5.0-5.5.35存在多个安全漏洞,成功利用后可允许攻击者绕过安全限制并执行非法操作。 < 参考 http://secunia.com/advisories/51138/ http://tomcat.apache.org/security-6.html >

Description A weakness and a vulnerability have been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

1) An error within the “parseHeaders()” function (InternalNioInputBuffer.java) when parsing request headers does not properly verify the permitted size and can be exploited to trigger an OutOfMemoryError exception via specially crafted headers.

This vulnerability is reported in versions 6.0.0-6.0.35 and 7.0.0-7.0.27.

2) An error within DIGEST authentication mechanism does not properly check server nonces.

This weakness is reported in versions 5.5.0-5.5.35, 6.0.0-6.0.35, and 7.0.0-7.0.29.

Solution Update to version 5.5.36, 6.0.36, or 7.0.30. tomcat下载地址:http://tomcat.apache.org/download-60.cgi

tomcat升级参见 https://blog.c1gstudio.com/archives/1434

Posted in Tomcat, 安全通告.

Tagged with , .

rev="post-1571" 1 comment

By C1G 2012/11/08

rsync 配置免登录同步服务

平时可以利用ssh客户端密钥建立信任关系来使rsync同步,但可能存在用户权限过大的问题. 这里以daemon或服务的方式运行可以提高安全性.

一.rsync的安装 rsync现在系统一般都自带 a.yum install rsync

b.http://rsync.samba.org/ 使用rpm或源码等方式安装

二.配置rsync rsync的主要有以下三个配置文件rsyncd.conf(主配置文件)、rsyncd.secrets(密码文件)、rsyncd.motd(rysnc服务器信息)

1.服务器配置文件(/etc/rsyncd.conf),该文件默认不存在,请创建它。 注:关于auth users是必须在服务器上存在的真实的系统用户,如果你想用多个用户以,号隔开,比如auth users = www,root 定义一个discuz的模块 vi /etc/rsyncd.conf

pid file = /var/run/rsyncd.pid port = 873 address = 192.168.0.24 #uid = nobody #gid = nobody uid = www gid = website use chroot = yes read only = no #limit access to private LANs hosts allow=192.168.0.0/255.255.255.0 hosts deny=* max connections = 5 motd file = /etc/rsyncd.motd #This will give you a separate log file #log file = /var/log/rsync.log #This will log every file transferred – up to 85,000+ per user, per sync #transfer logging = yes log format = %t %a %m %f %b syslog facility = local3 timeout = 300 [discuz] path = /opt/htdocs/bbs list=no ignore errors auth users = www secrets file = /etc/rsyncd.secrets comment = This is bbs data #exclude =

2.设定密码文件 密码文件格式很简单,rsyncd.secrets的内容格式为: 用户名:密码 我们在例子中rsyncd.secrets的内容如下类似的;在文档中说,有些系统不支持长密码,自己尝试着设置一下吧。 vi /etc/rsyncd.secrets

www:c1gstudiopass

chown root:root /etc/rsyncd.secrets  #修改属主 chmod 600 /etc/rsyncd.secrets #修改权限

注:1、将rsyncd.secrets这个密码文件的文件属性设为root拥有, 且权限要设为600, 否则无法备份成功! 出于安全目的,文件的属性必需是只有属主可读。 2、这里的密码值得注意,为了安全你不能把系统用户的密码写在这里。比如你的系统用户www密码是000000,为了安全你可以让rsync中的www为c1gstudiopass。这和samba的用户认证的密码原理是差不多的。

3.设定rsyncd.motd 文件; 它是定义rysnc服务器信息的,也就是用户登录信息。比如让用户知道这个服务器是谁提供的等;类似ftp服务器登录时,我们所看到的 c1gstudio.com ftp ……。 当然这在全局定义变量时,并不是必须的,你可以用#号注掉,或删除;我在这里写了一个 rsyncd.motd的内容为: vi /etc/rsyncd.motd

++++++++++++++++++++++++++++++++++++++++++++++ rsync services! staff use only ++++++++++++++++++++++++++++++++++++++++++++++

三.运行 A. xinetd方式 省略

B. –daemon参数方式,是让rsync以服务器模式运行

/usr/bin/rsync –daemon –config=/etc/rsyncd.conf  #–config用于指定rsyncd.conf的位置,如果在/etc下可以不写

添加到/etc/rc.local,启动后自动运行

echo ‘/usr/bin/rsync –daemon –config=/etc/rsyncd.conf’ >> /etc/rc.local

防火墙 授权192.168.0.0 C类

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp –dport 873 -j ACCEPT

授权单个IP192.168.0.21

iptables -A INPUT -s 192.168.0.21 -p tcp -m state –state NEW -m tcp –dport 873 -j ACCEPT

/etc/init.d/iptables save

四,调试 192.168.0.24为rsynce daemon端,接收数据 192.168.0.21为源数据推送端,发送数据

推送端调试列表 rsync –list-only [email protected]:: rsync: failed to connect to 192.168.0.24: Connection timed out (110) 检查防火墙,rsyncd里用户权限 传送本地/opt/htdocs/bbs/data/cache 到远端discuz模块下的data目录

rsync -av /opt/htdocs/bbs/data/cache [email protected]::discuz:/data/

创建密码文件方便免登录,密码和服务器端保持一致

echo ‘c1gstudiopass’ > /etc/rsyncd.passwd chown root:root /etc/rsyncd.passwd chmod 600 /etc/rsyncd.passwd

以密码文件全部同步一次

rsync -av –delete –password-file=/etc/rsyncd.passwd /opt/htdocs/bbs/ [email protected]::discuz

最后再以脚本方式配合inotify和crontab就可以实现自动同步

参考:http://www.cnblogs.com/itech/archive/2009/08/10/1542945.html

Posted in 备份.

Tagged with , , .

rev="post-1569" 1 comment

By C1G 2012/11/01