

Connection closed by remote server

#ssh -p 6022 [email protected]

Connection closed by 192.168.0.18

Pinging the host again also shows no problem
#ping 192.168.0.18

PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
64 bytes from 192.168.0.18: icmp_seq=1 ttl=64 time=1.09 ms
64 bytes from 192.168.0.18: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.0.18: icmp_seq=3 ttl=64 time=0.138 ms

--- 192.168.0.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.138/0.481/1.090/0.431 ms

The web service is reachable as well, so let's look at the SSH connection in verbose mode
#ssh -vv -p 6022 192.168.0.18

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.18 [192.168.0.18] port 6022.
debug1: Connection established.
debug1: identity file /home/c1g/.ssh/identity type -1
debug1: identity file /home/c1g/.ssh/id_rsa type -1
debug1: identity file /home/c1g/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 532/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.0.18' is known and matches the RSA host key.
debug1: Found key in /home/c1g/.ssh/known_hosts:4
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/c1g/.ssh/identity ((nil))
debug2: key: /home/c1g/.ssh/id_rsa ((nil))
debug2: key: /home/c1g/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/c1g/.ssh/identity
debug1: Trying private key: /home/c1g/.ssh/id_rsa
debug1: Trying private key: /home/c1g/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
Connection closed by 192.168.0.18

The connection drops right after the password is entered. After rebooting the machine, login works again.

Checking /var/log/messages and /var/log/cron
shows no entries at all since 3 AM; my guess is that a disk error made the filesystem unwritable, which in turn made login impossible.
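The two symptoms above (a session that dies right after password authentication, and a syslog that went quiet hours earlier) are what a filesystem that fell back to read-only looks like from the outside. The script below, an added example that is not part of the original post, checks for both on a host: it scans /proc/mounts for mounts whose option list carries the exact token "ro", and measures how long syslog has been silent. The /proc/mounts text, the log lines and the "current time" are constructed samples; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample of /proc/mounts: the root filesystem has been
# remounted read-only (the "ro" option) after a disk error.
SAMPLE_MOUNTS = """\
/dev/mapper/VolGroup00-LogVol00 / ext3 ro,data=ordered 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

# Constructed /var/log/messages excerpt: the last entry is the 03:00 cron
# run, after which nothing more could be written.
SAMPLE_MESSAGES = """\
Jul 22 02:55:10 touareg sshd[4120]: Accepted password for c1g from 192.168.0.16 port 50122 ssh2
Jul 22 03:00:01 touareg crond[4201]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed "current time" for the check: 09:30 on the same morning.
SAMPLE_NOW = datetime(2010, 7, 22, 9, 30, 0)

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def readonly_mounts(proc_mounts_text):
    """Mount points whose option list contains the exact token 'ro'.

    The option field is split on commas so that e.g. 'errors=remount-ro'
    is not mistaken for a read-only mount."""
    found = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        if "ro" in options:
            found.append(mountpoint)
    return found


def last_syslog_time(log_text, year):
    """Timestamp of the last well-formed syslog line, or None.

    Classic syslog lines carry no year, so the caller supplies it."""
    last = None
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if m:
            mon, day, hh, mm, ss = m.groups()
            last = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}",
                                     "%Y %b %d %H:%M:%S")
    return last


def log_silence_seconds(log_text, now):
    """Seconds between the last log entry and `now` (None if nothing parsed)."""
    last = last_syslog_time(log_text, now.year)
    return None if last is None else (now - last).total_seconds()


def diagnose(proc_mounts_text, log_text, now, max_silence=3600):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ro = readonly_mounts(proc_mounts_text)
    if ro:
        findings.append("read-only mounts: " + ", ".join(ro))
    silence = log_silence_seconds(log_text, now)
    if silence is not None and silence > max_silence:
        findings.append("syslog silent for %.0f seconds" % silence)
    return findings


if __name__ == "__main__":
    # On a live host read /proc/mounts and the tail of /var/log/messages
    # instead of the constructed samples, and pass datetime.now().
    for finding in diagnose(SAMPLE_MOUNTS, SAMPLE_MESSAGES, SAMPLE_NOW):
        print(finding)
```

Run from cron on the monitoring side with a threshold matching the host's normal logging rate; a host that reports a read-only root before anyone tries to log in saves the reboot-and-guess cycle described above.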



Installing RRDtool 1.4.4

About RRDtool

RRDtool is free software developed by Tobias Oetiker. It stores data in RRD (Round Robin Database) format; round robin is a technique for handling a fixed amount of data together with a pointer to the current element. RRDtool is mainly used to track how a monitored value changes over time and to draw trend graphs of those changes.


cacti-0.8.7g, released on 07/09/10, already supports rrdtool 1.4.x
I chose rrdtool-1.4.4.tar.gz, the latest release as of 05-Jul-2010
The system is CentOS 5.2 with yum installed

Install the supporting packages
yum install libxml2-devel libpng-devel pkg-config glib pixman pango pango-devel freetype freetype-devel fontconfig cairo cairo-devel libart_lgpl libart_lgpl-devel

Install rrdtool

wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.4.tar.gz
tar zxvf rrdtool-1.4.4.tar.gz
cd rrdtool-1.4.4
./configure --prefix=/usr/local/rrdtool-1.4.4 --disable-tcl --disable-python


ordering CD from http://tobi.oetiker.ch/wish …. just kidding ;-)

----------------------------------------------------------------
Config is DONE!

With MMAP IO: yes
Build rrd_getopt: no
Static programs: no
Perl Modules: perl_piped perl_shared
Perl Binary: /usr/bin/perl
Perl Version: 5.8.8
Perl Options: PREFIX=/usr/local/rrdtool-1.4.4 LIB=/usr/local/rrdtool-1.4.4/lib/perl/5.8.8
Ruby Modules:
Ruby Binary: no
Ruby Options: sitedir=/usr/local/rrdtool-1.4.4/lib/ruby
Build Lua Bindings: no
Build Tcl Bindings: no
Build Python Bindings: no
Build rrdcgi: yes
Build librrd MT: yes
Use gettext: yes
With libDBI: no

Libraries: -lxml2 -lcairo -lcairo -lcairo -lm -lcairo -lpng12 -lglib-2.0 -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0

Type 'make' to compile the software and use 'make install' to
install everything to: /usr/local/rrdtool-1.4.4.

If you see the following message, a supporting package is probably missing

configure: error: Please fix the library issues listed above and try again.


make
make install

ln -s /usr/local/rrdtool-1.4.4 /usr/local/rrdtool
/usr/local/rrdtool/bin/rrdtool -v


RRDtool 1.4.4 Copyright 1997-2010 by Tobias Oetiker
Compiled Jul 22 2010 11:18:48

Usage: rrdtool [options] command command_options
Valid commands: create, update, updatev, graph, graphv, dump, restore,
last, lastupdate, first, info, fetch, tune,
resize, xport, flushcached

RRDtool is distributed under the Terms of the GNU General
Public License Version 2. (www.gnu.org/copyleft/gpl.html)

For more information read the RRD manpages

Reference:
Installing rrdtool 1.3.7
http://blog.c1gstudio.com/archives/459



Monitoring a remote host with cacti

Environment
Monitoring machine A, with cacti installed, IP 192.168.0.16
Monitored machine B, with snmp installed, IP 192.168.0.17
System: CentOS 4/5

Install snmp on monitored machine B
See the net-snmp installation reference

Change B's snmp configuration to allow external access
The packaged snmp config file is /etc/snmp/snmpd.conf;
for an snmp compiled from source it is /usr/local/etc/snmp/snmpd.conf;
vi /etc/snmp/snmpd.conf

com2sec local localhost privatepass #local access configured in the installation guide
com2sec mynetwork 192.168.0.16 privatepass #new external access entry: 192.168.0.16 is the monitoring machine's IP, privatepass is the community string and may differ from the one used for local

group MyROGroup v1 local
group MyROGroup v2c local
group MyROGroupnet v1 mynetwork #new
group MyROGroupnet v2c mynetwork #new

view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
view all included .1 80 #new

access MyROGroup "" any noauth exact mib2 none none
access MyROGroupnet "" any noauth exact all none none #new

#The following are the monitored items; to monitor disk space, load, etc., remove the comment marks
#A source-compiled install already has them uncommented; a packaged install needs them uncommented by hand

# Make sure mountd is running
proc mountd #remove the leading "#"

# Make sure there are no more than 4 ntalkds running, but 0 is ok too.
proc ntalkd 4

# Make sure at least one sendmail, but less than or equal to 10 are running.
proc sendmail 10 1

# Check the / partition and make sure it contains at least 10 megs.

disk / 10000

# Check for loads:
load 12 14 14

Restart the snmpd service
#/etc/init.d/snmpd restart

#killall -9 snmpd
#/usr/local/sbin/snmpd

iptables rules
If machine B runs iptables with an INPUT default policy of DROP,
insert as the first rule one that allows 192.168.0.16 (the monitoring machine) to reach snmpd's default port 161 over UDP

/sbin/iptables -I INPUT -p udp -m udp -s 192.168.0.16 --dport 161 -j ACCEPT

Save the rules so they are not lost when the service restarts

/etc/init.d/iptables save

Test snmp
On machine A, first look at the system information
#snmpwalk -v 2c -c privatepass 192.168.0.17 system

SNMPv2-MIB::sysDescr.0 = STRING: Linux touareg 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (59664) 0:09:56.64
SNMPv2-MIB::sysContact.0 = STRING: Root (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: touareg
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (7) 0:00:00.07
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (6) 0:00:00.06
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (7) 0:00:00.07
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (7) 0:00:00.07
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (7) 0:00:00.07

No problems; now look at the disk information
#snmpwalk -v 2c -c privatepass 192.168.0.17 .1.3.6.1.4.1.2021.9

UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/VolGroup00-LogVol01
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 10000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 44628400
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 22383404
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 19941408
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 47
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 1
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:


If you see the following message, check whether the comment in front of "disk / 10000" in machine A's snmpd.conf has been removed.

UCD-SNMP-MIB::dskTable = No Such Object available on this agent at this OID

".1.3.6.1.4.1.2021.9" is the disk subtree
".1.3.6.1.4.1.2021.10" is load; see the comments in snmpd.conf
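The com2sec/group/view/access lines above are net-snmp's VACM chain, and a mistake at any link either grants nothing (the snmpwalk returns a timeout) or grants far more than intended (a community string usable from any address, or a full-tree view for a remote source). The checker below, an added example that is not part of the original post, parses that chain, resolves each community string to the source address and read view it actually gets, and flags the risky combinations; it also checks that the disk and load lines are present, since without them the UCD-SNMP-MIB tables answer "No Such Object" as shown above. The config text is the post's own snmpd.conf embedded as a string; the function names are my own.

```python
# The post's snmpd.conf, embedded as a string (comments stripped).
SAMPLE_CONF = """\
com2sec local localhost privatepass
com2sec mynetwork 192.168.0.16 privatepass
group MyROGroup v1 local
group MyROGroup v2c local
group MyROGroupnet v1 mynetwork
group MyROGroupnet v2c mynetwork
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
view all included .1 80
access MyROGroup "" any noauth exact mib2 none none
access MyROGroupnet "" any noauth exact all none none
proc mountd
disk / 10000
load 12 14 14
"""

LOCAL_SOURCES = ("localhost", "127.0.0.1")


def parse_snmpd_conf(text):
    """Collect the VACM directives plus the proc/disk/load monitor lines."""
    conf = {"com2sec": {}, "group": [], "view": {}, "access": {}, "monitors": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        f = line.split()
        kw = f[0]
        if kw == "com2sec" and len(f) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            conf["com2sec"][f[1]] = {"source": f[2], "community": f[3]}
        elif kw == "group" and len(f) >= 4:
            # group GROUP {v1|v2c|usm} SECNAME
            conf["group"].append({"group": f[1], "model": f[2], "secname": f[3]})
        elif kw == "view" and len(f) >= 4:
            # view VNAME {included|excluded} OID [MASK]
            conf["view"].setdefault(f[1], []).append({"type": f[2], "oid": f[3]})
        elif kw == "access" and len(f) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            conf["access"][f[1]] = {"read": f[6], "write": f[7]}
        elif kw in ("proc", "disk", "load"):
            conf["monitors"].append(kw)
    return conf


def effective_access(conf):
    """One row per (community, source, version): the views actually granted."""
    rows = []
    for g in conf["group"]:
        sec = conf["com2sec"].get(g["secname"])
        acc = conf["access"].get(g["group"])
        if sec is None or acc is None:
            continue   # group references something undefined: grants nothing
        rows.append({"community": sec["community"], "source": sec["source"],
                     "version": g["model"], "read_view": acc["read"],
                     "write_view": acc["write"]})
    return rows


def audit(conf):
    """Findings: unrestricted sources, whole-tree views for remote sources,
    any write view, and missing disk/load lines (which make the UCD-SNMP-MIB
    disk/load tables answer 'No Such Object')."""
    findings = []

    def add(msg):
        if msg not in findings:   # v1 and v2c rows would repeat the same finding
            findings.append(msg)

    for r in effective_access(conf):
        views = conf["view"].get(r["read_view"], [])
        subtrees = [v["oid"] for v in views if v["type"] == "included"]
        who = f"community {r['community']!r} from {r['source']}"
        if r["source"] == "default":
            add(f"{who}: accepted from any source address")
        if r["source"] not in LOCAL_SOURCES and ".1" in subtrees:
            add(f"{who}: read view {r['read_view']!r} exposes the whole tree (.1)")
        if r["write_view"] != "none":
            add(f"{who}: write view {r['write_view']!r} granted")
    for needed in ("disk", "load"):
        if needed not in conf["monitors"]:
            add(f"no '{needed}' line: UCD-SNMP-MIB {needed} table will report No Such Object")
    return findings


if __name__ == "__main__":
    conf = parse_snmpd_conf(SAMPLE_CONF)
    for row in effective_access(conf):
        print(row)
    for finding in audit(conf):
        print("WARN", finding)
```

On the post's configuration the only finding is that privatepass from 192.168.0.16 reads the whole tree through the "all" view; whether that is acceptable depends on what else lives under .1 on the host, and a view limited to mib-2 plus .1.3.6.1.4.1.2021 would give cacti everything it graphs here with less exposure.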

Add the monitored device in cacti on the monitoring machine
Console -> Devices -> add
Fill in the settings page

Description:touareg
Hostname:192.168.0.17
Host Template:ucd/net SNMP Host

Downed Device Detection:Ping and SNMP

SNMP Version: the predefined setting

After saving, debug information appears at the top left of the page

touareg (192.168.0.17)
SNMP Information
System:Linux touareg 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009
x86_64
Uptime: 38790 (0 days, 0 hours, 6 minutes)
Hostname: touareg
Location: Unknown (edit /etc/snmp/snmpd.conf)
Contact: Root root@localhost (configure /etc/snmp/snmp.local.conf)


1) ucd/net - CPU Usage Not Being Graphed (CPU load: system, user, nice)
2) ucd/net - Load Average Not Being Graphed (system load average: 1, 5 and 15 minutes)
3) ucd/net - Memory Usage Not Being Graphed (memory usage: free, buffers, cache)

1) SNMP - Interface Statistics (network interface traffic: in, out)
2) ucd/net - Get Monitored Partitions (root partition: free, used)

Not Being Graphed means no graph has been created yet; after a graph is created it changes to Is Being Graphed
We can add some more detailed monitoring:
Host MIB - Processes: number of processes
Host MIB - Logged in Users: logged-in users

SNMP - Get Mounted Partitions: more partition sizes, Memory Buffer, Real Memory, Swap Space
SNMP - Get Processor Information: load per CPU

Add graphs for the monitored target
New Graphs on the left
Select touareg under host
Tick the items on the right and click create; that completes the graph creation, which is very convenient.

Add to Graph Trees
After the graphs are created they appear in Graph Management, but clicking "graphs" in the top navigation shows nothing; they must be added to a graph tree.
Console -> Graph Trees -> (Edit) -> Graph Tree Items

Tree Item Type:host
Host:touareg

Once created, it is visible under graphs

Reference: http://docs.cacti.net/manual:087:2_basics.0_principles_of_operation#principles_of_operation



Running PHP on an Android phone

PHP is no longer limited to websites: the PHP for Android (PFA) project says it will publish a programming model, tools and documentation so that PHP applications can run on Android. The project's main sponsor is the open-source company IronTec. PFA builds on the Scripting Layer for Android (SL4A), also known as the Android Scripting Environment (ASE); see their website for the technical details.

1. Download and install ASE
Scan the QR code below; you can install a barcode scanner (BarcodeScanner) on your phone for this

Or download and install it with the browser
http://phpforandroid.net/files/ASEr26unofficial.apk

2. Install PhpForAndroid.apk

Or download and install it with the browser
http://phpforandroid.net/files/PhpForAndroid_r1.apk

3. Run
After installing PhpForAndroid_r1.apk, start ASE and you will see 5 PHP demos
hello_world.php

<?php
// The opening lines, stripped by the page's HTML, are restored here:
// Android.php is the SL4A binding shipped with PhpForAndroid.
require_once("Android.php");
$droid = new Android();
$name = $droid->getInput("Hi!", "What is your name?");
$droid->makeToast('Hello, ' . $name['result']);

list_items.php

<?php
require_once("Android.php");   // SL4A binding from PhpForAndroid (restored opening lines)
$droid = new Android();
$droid->dialogCreateAlert();
$droid->dialogSetItems(range(0, 9));
$droid->dialogShow();

phpinfo.php

testnow.php

vibrate.php

<?php
require_once("Android.php");   // SL4A binding from PhpForAndroid (restored opening lines)
$droid = new Android();
$droid->vibrate();

Tap phpinfo.php to run it;
the program prints PHP's configuration; the PHP version in use is 5.3.3RC2

$ export TEMP="/sdcard/ase/extras/php/tmp"
$ export AP_PORT="37356"
$ export PHPHOME="/data/data/com.irontec.phpforandroid/php"
$ export PHPPATH="/sdcard/ase/extras/php"
$ /data/data/com.irontec.phpforandroid/php/bin/php -c $PHPPATH /sdcard/ase/scripts/phpinfo.php
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:402
FIX ME! implement getprotobyname() bionic/libc/bionic/stubs.c:402
phpinfo()
PHP Version => 5.3.3RC2
System => Linux localhost 2.6.29.6-xdan #20 PREEMPT Sat Mar 27 03:36:57 EDT 2010 armv6l
Build Date => Jul 4 2010 19:40:10
Configure Command => './configure' '--disable-all' '--target=arm-linux' '--enable-cli' '--enable-json' '--enable-sockets'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /sdcard/ase/extras/php/php.ini
Scan this dir for additional .ini files => (none)
Additional .ini files parsed => (none)
PHP API => 20090626
PHP Extension => 20090626
Zend Extension => 220090626
Zend Extension Build => API220090626,NTS
PHP Extension Build => API20090626,NTS
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => disabled
IPv6 Support => disabled
Registered PHP Streams => php, file, data, http, ftp
Registered Stream Socket Transports => tcp, udp, unix, udg
Registered Stream Filters => string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk
This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
_______________________________________________________________________
Configuration
Core
PHP Version => 5.3.3RC2
Directive => Local Value => Master Value
allow_call_time_pass_reference => On => On
allow_url_fopen => On => On
allow_url_include => On => On
always_populate_raw_post_data => Off => Off
arg_separator.input => & => &
arg_separator.output => & => &
asp_tags => Off => Off
auto_append_file => no value => no value
auto_globals_jit => On => On
auto_prepend_file => no value => no value
browscap => no value => no value
default_charset => no value => no value
default_mimetype => text/html => text/html
define_syslog_variables => Off => Off
disable_classes => no value => no value
disable_functions => no value => no value
display_errors => STDOUT => STDOUT
display_startup_errors => On => On
doc_root => no value => no value
docref_ext => no value => no value
docref_root => no value => no value
enable_dl => Off => Off
error_append_string => no value => no value
error_log => no value => no value
error_prepend_string => no value => no value
error_reporting => 22527 => 22527
exit_on_timeout => Off => Off
expose_php => On => On
extension_dir => /usr/local/lib/php/extensions/no-debug-non-zts-20090626 => /usr/local/lib/php/extensions/no-debug-non-zts-20090626
file_uploads => On => On
highlight.bg => #FFFFFF => #FFFFFF
highlight.comment => #FF8000 => #FF8000
highlight.default => #0000BB => #0000BB
highlight.html => #000000 => #000000
highlight.keyword => #007700 => #007700
highlight.string => #DD0000 => #DD0000
html_errors => Off => Off
ignore_repeated_errors => Off => Off
ignore_repeated_source => Off => Off
ignore_user_abort => Off => Off
implicit_flush => On => On
include_path => .:/sdcard/ase/extras/php => .:/sdcard/ase/extras/php
log_errors => Off => Off
log_errors_max_len => 1024 => 1024
magic_quotes_gpc => Off => Off
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off
mail.add_x_header => Off => Off
mail.force_extra_parameters => no value => no value
mail.log => no value => no value
max_execution_time => 0 => 0
max_file_uploads => 20 => 20
max_input_nesting_level => 64 => 64
max_input_time => -1 => -1
memory_limit => 128M => 128M
open_basedir => no value => no value
output_buffering => 0 => 0
output_handler => no value => no value
post_max_size => 8M => 8M
precision => 14 => 14
realpath_cache_size => 16K => 16K
realpath_cache_ttl => 120 => 120
register_argc_argv => On => On
register_globals => Off => Off
register_long_arrays => Off => Off
report_memleaks => On => On
report_zend_debug => Off => Off
request_order => GP => GP
safe_mode => Off => Off
safe_mode_exec_dir => no value => no value
safe_mode_gid => Off => Off
safe_mode_include_dir => no value => no value
sendmail_from => no value => no value
sendmail_path => /usr/sbin/sendmail -t -i => /usr/sbin/sendmail -t -i
serialize_precision => 100 => 100
short_open_tag => On => On
SMTP => localhost => localhost
smtp_port => 25 => 25
sql.safe_mode => Off => Off
track_errors => Off => Off
unserialize_callback_func => no value => no value
upload_max_filesize => 2M => 2M
upload_tmp_dir => no value => no value
user_dir => no value => no value
user_ini.cache_ttl => 300 => 300
user_ini.filename => .user.ini => .user.ini
variables_order => GPCS => GPCS
xmlrpc_error_number => 0 => 0
xmlrpc_errors => Off => Off
y2k_compliance => On => On
zend.enable_gc => On => On
date
date/time support => enabled
"Olson" Timezone Database Version => 2010.9
Timezone Database => internal
Warning: phpinfo(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/Chicago' for 'CST/-CST/no DST' instead in /sdcard/ase/scripts/phpinfo.php on line 4
Default timezone => America/Chicago
Directive => Local Value => Master Value
date.default_latitude => 31.7667 => 31.7667
date.default_longitude => 35.2333 => 35.2333
date.sunrise_zenith => 90.583333 => 90.583333
date.sunset_zenith => 90.583333 => 90.583333
date.timezone => no value => no value
ereg
Regex Library => Bundled library enabled
json
json support => enabled
json version => 1.2.1
pcre
PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 8.02 2010-03-19
Directive => Local Value => Master Value
pcre.backtrack_limit => 100000 => 100000
pcre.recursion_limit => 100000 => 100000
Reflection
Reflection => enabled
Version => $Revision: 300393 $
sockets
Sockets Support => enabled
SPL
SPL support => enabled
Interfaces => Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes => AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException
standard
Dynamic Library Support => enabled
Path to sendmail => /usr/sbin/sendmail -t -i
Directive => Local Value => Master Value
assert.active => 1 => 1
assert.bail => 0 => 0
assert.callback => no value => no value
assert.quiet_eval => 0 => 0
assert.warning => 1 => 1
auto_detect_line_endings => 0 => 0
default_socket_timeout => 60 => 60
safe_mode_allowed_env_vars => PHP_ => PHP_
safe_mode_protected_env_vars => LD_LIBRARY_PATH => LD_LIBRARY_PATH
url_rewriter.tags => a=href,area=href,frame=src,form=,fieldset= => a=href,area=href,frame=src,form=,fieldset=
user_agent => no value => no value
Additional Modules
Module Name
Environment
Variable => Value
ANDROID_ROOT => /system
PHPPATH => /sdcard/ase/extras/php
LD_LIBRARY_PATH => /system/lib
PATH => /usr/bin:/usr/sbin:/bin:/sbin:/system/sbin:/system/bin:/system/xbin:/system/xbin/bb:/data/local/bin
AP_PORT => 37356
ANDROID_SOCKET_zygote => 11
TEMP => /sdcard/ase/extras/php/tmp
BOOTCLASSPATH => /system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar
ANDROID_BOOTLOGO => 1
ANDROID_ASSETS => /system/app
EXTERNAL_STORAGE => /sdcard
ANDROID_DATA => /data
TERMINFO => /system/etc/terminfo
ANDROID_PROPERTY_WORKSPACE => 10,32768
PHPHOME => /data/data/com.irontec.phpforandroid/php
PHP Variables
Variable => Value
_SERVER["ANDROID_ROOT"] => /system
_SERVER["PHPPATH"] => /sdcard/ase/extras/php
_SERVER["LD_LIBRARY_PATH"] => /system/lib
_SERVER["PATH"] => /usr/bin:/usr/sbin:/bin:/sbin:/system/sbin:/system/bin:/system/xbin:/system/xbin/bb:/data/local/bin
_SERVER["AP_PORT"] => 37356
_SERVER["ANDROID_SOCKET_zygote"] => 11
_SERVER["TEMP"] => /sdcard/ase/extras/php/tmp
_SERVER["BOOTCLASSPATH"] => /system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar
_SERVER["ANDROID_BOOTLOGO"] => 1
_SERVER["ANDROID_ASSETS"] => /system/app
_SERVER["EXTERNAL_STORAGE"] => /sdcard
_SERVER["ANDROID_DATA"] => /data
_SERVER["TERMINFO"] => /system/etc/terminfo
_SERVER["ANDROID_PROPERTY_WORKSPACE"] => 10,32768
_SERVER["PHPHOME"] => /data/data/com.irontec.phpforandroid/php
_SERVER["PHP_SELF"] => /sdcard/ase/scripts/phpinfo.php
_SERVER["SCRIPT_NAME"] => /sdcard/ase/scripts/phpinfo.php
_SERVER["SCRIPT_FILENAME"] => /sdcard/ase/scripts/phpinfo.php
_SERVER["PATH_TRANSLATED"] => /sdcard/ase/scripts/phpinfo.php
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME"] => 1279269078
_SERVER["argv"] => Array
(
[0] => /sdcard/ase/scripts/phpinfo.php
)
_SERVER["argc"] => 1
PHP License
This program is free software; you can redistribute it and/or modify
it under the terms of the PHP License as published by the PHP Group
and included in the distribution in the file: LICENSE
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact [email protected].

When the run finishes you are left in the console view; pressing the menu key brings up Exit & Edit, which opens edit mode;
edit mode has an API Browser for looking up calls, and Save & Run lets you test the program.
It runs fine on my G1 with 1.6 firmware.
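The phpinfo() dump above is a long one, and the lines worth a second look are the "Directive => Local Value => Master Value" rows: this build has allow_url_include and allow_url_fopen switched on and expose_php and display_errors enabled, which is fine for demos on a phone but is exactly what a reviewer checks before a PHP runtime is pointed at untrusted input. The script below, an added example that is not part of the PFA project, parses those rows out of the CLI dump format and compares them with a small review policy; the excerpt is copied from the output above, and the policy table and function names are my own.

```python
# Excerpt of the CLI phpinfo() dump above, embedded as a string.
SAMPLE_PHPINFO = """\
Configuration
Core
PHP Version => 5.3.3RC2
Directive => Local Value => Master Value
allow_url_fopen => On => On
allow_url_include => On => On
display_errors => STDOUT => STDOUT
enable_dl => Off => Off
expose_php => On => On
open_basedir => no value => no value
register_globals => Off => Off
safe_mode => Off => Off
"""

# Directive -> (expected value, why it matters).  Values are compared as the
# literal strings phpinfo() prints ('On', 'Off', 'no value', 'STDOUT', ...).
REVIEW_POLICY = {
    "allow_url_include": ("Off", "include/require can pull code from a URL"),
    "allow_url_fopen": ("Off", "file functions can fetch remote URLs"),
    "display_errors": ("Off", "error output reveals paths and internals"),
    "enable_dl": ("Off", "scripts can load arbitrary extensions at runtime"),
    "expose_php": ("Off", "the PHP version is advertised to clients"),
    "register_globals": ("Off", "request parameters become global variables"),
}


def parse_directives(text):
    """Map directive -> (local value, master value) from the 'a => b => c' rows.

    Two-field rows ('PHP Version => 5.3.3RC2') and the column header are skipped."""
    directives = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" => ")]
        if len(parts) != 3 or parts[0] == "Directive":
            continue
        directives[parts[0]] = (parts[1], parts[2])
    return directives


def flag_risky(directives, policy=REVIEW_POLICY):
    """Return (directive, local value, reason) for every policy directive
    whose local value differs from the expected one."""
    flagged = []
    for name, (local, _master) in directives.items():
        if name in policy and local != policy[name][0]:
            flagged.append((name, local, policy[name][1]))
    return flagged


if __name__ == "__main__":
    # Feed it the real thing with: php -c $PHPPATH phpinfo.php | python3 this_script.py
    for name, value, reason in flag_risky(parse_directives(SAMPLE_PHPINFO)):
        print(f"{name} = {value}: {reason}")
```

The same parser works on the output of `php -i` on any host, which is usually the quickest way to see what a freshly compiled PHP actually defaults to before a php.ini has been written for it.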

Installation tutorial
http://www.phpforandroid.net/screencast



Google JavaScript Style Guide

Google JavaScript Style Guide
There are also the C++ Style Guide, Objective-C Style Guide, and Python Style Guide

http://code.google.com/p/google-styleguide/



Installing the npc plugin in cacti to integrate nagios

Cacti is a PHP application that collects data with the snmpget command and draws graphs with RRDTool. Its interface is clean and intuitive, so you can produce attractive graphs without understanding RRDTool's many parameters. It also provides strong data management and user management: graphs are browsed in a tree view, user permissions can be divided finely, and LDAP authentication is supported. Cacti's main functions are scheduled data collection, graph rendering and display, tree-structured host and graph management, RRDTool information management, user and permission management, and template import/export.


1. Components of Cacti

Cacti consists of 4 parts:

Cacti web pages (PHP): the user-facing platform where all settings are made;

SNMP collection tools: on Unix the "snmpget" and "snmpwalk" programs from the Net-SNMP package, on Windows PHP's SNMP functions;

RRDTool graphing engine: stores the performance data and draws the graphs;

MySQL database: stores the information RRDTool needs for graphing, such as templates, rra and host information. Note that MySQL does not hold the performance data itself; that lives in RRDTool's own rrd files. With Cacti a campus network can be monitored in real time, so you always know what is going on.
2. Menu overview

The Console menu includes New Graphs, Graph Management, Graph Trees, Data Sources (manages rrd files), Devices, Data Queries and Data Input Methods (data collection methods), Graph Templates, Host Templates, Data Templates, Import Templates, Export Templates, Settings (Cacti's main configuration menu), System Utilities (shows Cacti cache and log information), User Management, Logout User, and so on.

The Graphs menu offers settings plus three ways of viewing graphs: tree view, list view and preview view.

Online demos:
http://status.pulpfree.org/cacti/graph_view.php?action=tree&tree_id=3&leaf_id=28&select_first=true
http://www.querx.com/cacti/graph_view.php?action=tree&tree_id=1&leaf_id=9
http://www.kende.com/cacti/graph_view.php?action=tree&tree_id=1&leaf_id=7&select_first=true
More demos:
http://www.cacti.net/sites_that_use_cacti.php

Latest version:
The latest stable version is 0.8.7g, released 07/09/10.
http://www.cacti.net/download_cacti.php
Version 0.8.7g has compatibility problems with some plugins such as npc and thold; after installing it, the navigation menu at the top did not render properly for me.
The cacti version must match the plugin architecture version; 0.8.7e with cacti-plugin-0.8.7f-PA works, but the top navigation displays incorrectly.
Here I use 0.8.7e with cacti-plugin-0.8.7e-PA

Dependencies:
A LAMP environment is needed before installing (see the installation reference)
net-snmp installation reference
RRDTool installation reference
PHP extensions installation reference:
php_json
pdo_mysql
sockets
nagios installation reference
ndoutils installation reference

Download cacti:
cd /opt/htdocs/www
wget http://www.cacti.net/downloads/cacti-0.8.7e.tar.gz
wget http://mirror.cactiusers.org/downloads/plugins/cacti-plugin-0.8.7e-PA-v2.6.zip
wget http://www.constructaegis.com/downloads/npc-2.0.4.tar.gz

The constructaegis.com domain has expired
You can use svn checkout instead
http://svn2.assembla.com/svn/npc/trunk

Install cacti:
My nginx runs as user www, group website
The install path is /opt/htdocs/www

tar zxvf cacti-0.8.7e.tar.gz
mv cacti-0.8.7e cacti
chown -R www:website cacti
chmod -R 0775 cacti

Set up the cacti database:
Create the cacti database and a cacti user with privileges on it; phpmyadmin can also be used for this.
Import cacti.sql into the cacti database

mysql -u root -p
mysql>create database cacti;
mysql>use cacti;
mysql>source /opt/htdocs/www/cacti/cacti.sql
mysql>grant all privileges on cacti.* to cacti@localhost identified by 'cactipass';
#adds a database account cacti with password cactipass for accessing the cacti database
mysql>flush privileges; #reload the privilege tables

Configure cacti's database settings
#cd cacti
#vi include/config.php

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cacti";

Configure cacti to poll automatically:
#crontab -e

*/5 * * * * /opt/php/bin/php /opt/htdocs/www/cacti/poller.php > /dev/null 2>&1

Spine is more efficient and can optionally be installed instead

Configure cacti:
Visiting cacti's web address brings up the installer
http://nagios.c1gstudio.com/cacti/

1. Choose "New Install"

2. Configure the paths (use the actual install paths on your system)
/usr/local/rrdtool/bin/rrdtool
/opt/php/bin/php
/usr/local/bin/snmpwalk
/usr/local/bin/snmpget
/usr/local/bin/snmpbulkwalk
/usr/local/bin/snmpgetnext

3. Default username and password
admin/admin
then enter a new password

4. Enter the cacti console
Set the matching versions and the community string
settings->General
RRDTool Utility Version = RRDTool1.3.X
SNMP Version = 2
SNMP Community = your community string (privatepass)
save

5. View the graphs
Click graphs; after 5 minutes you should see 4 graphs.
memory usage
load average
logged in users
processes

6. Create disk monitoring
On the front page click Create graphs, then in the Data Query section tick the partitions to monitor and save.

That completes the cacti installation; next come the plugins.
Before installing any plugin, the "plugin architecture" must be installed first

Install the plugin architecture:
1. Unpack

cd /opt/htdocs/www
unzip cacti-plugin-0.8.7e-PA-v2.6.zip
chown -R www:website cacti-plugin-arch/
chmod -R 0775 cacti-plugin-arch

2. Import the database structure

mysql -u cacti -p cacti
3. Overwrite the files
Method 1: overwrite

cp -rf cacti-plugin-arch/files-0.8.7e/* /opt/htdocs/www/cacti

Method 2: apply the patch

cp cacti-plugin-arch/cacti-plugin-0.8.7e-PA-v2.6.diff /opt/htdocs/www/cacti/
cd /opt/htdocs/www/cacti/
patch -p1 -N
I used method 1

4. Configure the plugin's database settings
#cd /opt/htdocs/www/cacti/
#vi include/global.php
#the plugin database settings must be configured again here

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cactiuser";
$database_password = "cacti";

5. Configure the plugins

#my cacti lives in the cacti directory under the domain, so this also needs changing
$config['url_path'] = '/cacti/';

#add the variable for the npc plugin installed below
$plugins[] = 'npc';

Note: starting with 0.8.7g these two variables moved to includes/config.php; if you follow older tutorials you won't find them
See the Change Log
http://forums.cacti.net/viewtopic.php?t=38492

Install the NPC plugin:
1. Unpack it and move it into the plugins directory

cd /opt/htdocs/www
unzip npc.zip
chown -R www:website npc
chmod -R 0775 npc
mv npc cacti/plugins/

2. Enable cacti's plugin functions:
Log in to cacti as admin; under console, User Management, edit the admin user's permissions
and tick Plugin Management, NPC and NPC Global Commands.
Then go to Plugin Management
and install and enable NPC.
In Settings->npc
tick Remote Commands
Nagios Command File Path=/usr/local/nagios/var/rw/nagios.cmd
Nagios URL=your address (http://nagios.c1gstudio.com/nagios/)

3. Configure ndoutils
See the ndoutils installation reference above

If everything is in order, clicking npc in the navigation menu shows the data.
If nothing shows up, possible causes are:

  1. the cacti and npc versions are incompatible
  2. the cacti and plugin architecture versions do not match
  3. npc was not installed correctly (wrong database structure)
  4. ndoutils is not configured correctly (no data in the database)
  5. php-json, pdo_mysql or sockets is not installed (check with php -m)

Keep an eye on the cacti/log/cacti.log file

==============================
2010-07-23
Installing spine
#wget http://www.cacti.net/downloads/spine/cacti-spine-0.8.7e.tar.gz
#tar zxvf cacti-spine-0.8.7e.tar.gz
#cd cacti-spine-0.8.7e
#./configure
#make
#make install
#vi /usr/local/spine/etc/spine.conf

DB_Host localhost
DB_Database cacti
DB_User cactiuser
DB_Pass cacti
DB_Port 3306

#mv /usr/local/spine/etc/spine.conf /etc/
#/usr/local/spine/bin/spine

SPINE: Using spine config file [/etc/spine.conf]
SPINE: Version 0.8.7e starting
SPINE: Time: 7.3153 s, Threads: 1, Hosts: 11

Configure spine
(1) Log in: console -> Configuration -> Settings -> poller: change Poller Type to spine
(2) Log in: console -> Configuration -> Settings -> paths: set Spine Poller File Path to /usr/local/spine/bin/spine

#tail /opt/htdocs/www/cacti/log/cacti.log
07/23/2010 03:20:02 PM - POLLER: Poller[0] ERROR: The path: /usr/local/spine/bin/spine is invalid. Can not continue #if your php has an open_basedir restriction, add the /usr/local/spine/bin/ directory to it
07/23/2010 03:25:04 PM - SYSTEM STATS: Time:3.2262 Method:spine Processes:1 Threads:1 Hosts:11 HostsPerProcess:11 DataSources:190 RRDsProcessed:147 #much faster than the php poller
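cacti.log is the one place where a silent poller shows itself, so it is worth parsing rather than eyeballing: the POLLER error line above (spine hidden behind open_basedir) and the SYSTEM STATS summary are the two line types that matter for a health check. The parser below, an added example that is not part of cacti, extracts both, turns the STATS fields into numbers, and reports the poller as unhealthy on any ERROR line or when the last run took longer than the cron interval that launches it. The sample lines are the two from the post; the function names are my own.

```python
import re

# The two cacti.log lines from the post, as the sample input.
SAMPLE_LOG = """\
07/23/2010 03:20:02 PM - POLLER: Poller[0] ERROR: The path: /usr/local/spine/bin/spine is invalid. Can not continue
07/23/2010 03:25:04 PM - SYSTEM STATS: Time:3.2262 Method:spine Processes:1 Threads:1 Hosts:11 HostsPerProcess:11 DataSources:190 RRDsProcessed:147
"""

# "<date> <time> AM|PM - <SOURCE>: <message>"; the source is the upper-case
# tag before the first ": " (POLLER, SYSTEM STATS, ...).
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) - ([A-Z][A-Z ]*?): (.*)$")
STAT_RE = re.compile(r"(\w+):([\w.]+)")


def _number(value):
    """Turn '3.2262' / '11' into float / int; leave other tokens as strings."""
    try:
        return int(value)
    except ValueError:
        try:
            return float(value)
        except ValueError:
            return value


def parse_cacti_log(text):
    """One dict per recognised line; SYSTEM STATS lines also get a 'stats' map."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, source, message = m.groups()
        event = {"time": when, "source": source, "message": message,
                 "error": "ERROR" in message}
        if source == "SYSTEM STATS":
            event["stats"] = {k: _number(v) for k, v in STAT_RE.findall(message)}
        events.append(event)
    return events


def poller_health(events, interval_seconds=300):
    """(ok, reasons): not ok on any ERROR line, when no run has completed,
    or when the last run took longer than the cron interval (5 min above)."""
    reasons = []
    for e in events:
        if e["error"]:
            reasons.append(f"{e['time']} {e['source']}: {e['message']}")
    stats = [e["stats"] for e in events if "stats" in e]
    if not stats:
        reasons.append("no SYSTEM STATS line: the poller has not completed a run")
    elif stats[-1].get("Time", 0) > interval_seconds:
        reasons.append(f"last run took {stats[-1]['Time']} s, longer than the "
                       f"{interval_seconds} s interval")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Real use: parse_cacti_log(open("/opt/htdocs/www/cacti/log/cacti.log").read())
    ok, reasons = poller_health(parse_cacti_log(SAMPLE_LOG))
    print("OK" if ok else "NOT OK")
    for r in reasons:
        print(" -", r)
```

A run time that creeps towards the cron interval is the early warning that polls will start overlapping; that is also the point where switching from the php poller to spine, as the SYSTEM STATS line above shows, pays off.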

References:
http://liuyu.blog.51cto.com/183345/259995
http://www.cacti.net/downloads/docs/html/install_unix.html



Extending LVM disk space online

1. Check the current space
#df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
97G 1.9G 91G 3% /
/dev/mapper/VolGroup00-LogVol01
194G 140G 44G 77% /home
/dev/mapper/VolGroup00-LogVol04
97G 17G 75G 19% /var
/dev/mapper/VolGroup00-LogVol03
97G 52G 41G 56% /opt
/dev/mapper/VolGroup00-LogVol02
9.7G 158M 9.1G 2% /tmp
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 1010M 4.0K 1010M 1% /dev/shm

/home: add 200G
/opt: add 100G

fdisk shows the disk is 1T and entirely allocated to LVM
#fdisk -l

Disk /dev/sda: 1000.2 GB, 1000203804160 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 535 4192965 82 Linux swap / Solaris
/dev/sda3 536 121601 972462645 8e Linux LVM

vgdisplay shows the volume group still has about 400G free
#vgdisplay

--- Volume group ---
VG Name VolGroup00
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 6
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 5
Open LV 5
Max PV 0
Cur PV 1
Act PV 1
VG Size 927.41 GB
PE Size 32.00 MB
Total PE 29677
Alloc PE / Size 16320 / 510.00 GB
Free PE / Size 13357 / 417.41 GB
VG UUID 4Wzdqp-f3RH-1lEP-YfXN-01Vp-3K5c-EmtcBE

2. Extend the logical volume
(the wrong way)
#lvextend -L +100G /dev/mapper/VolGroup00-LogVol03

Volume group “mapper” not found
Volume group mapper doesn’t exist

The device name is wrong here (also note the "+": without it -L sets the absolute size instead of adding to it). The correct form is
#lvextend -L +100G /dev/VolGroup00/LogVol03

Extending logical volume LogVol03 to 200.00 GB
Logical volume LogVol03 successfully resized
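Both mistakes this step can make (the wrong device path, and asking for more than the volume group has free) can be caught before lvextend runs. The following is an added example, not part of the original post: mapper_to_lv turns a /dev/mapper name into the /dev/VG/LV path this LVM version accepts, handling the "--" escaping device-mapper uses for hyphens inside a VG or LV name, and vg_can_extend reads vgdisplay output and confirms the group has enough free extents for the requested size. The vgdisplay text embedded below is a constructed sample taken from the output shown earlier in this post.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks before lvextend.

# mapper_to_lv /dev/mapper/VG-LV  ->  /dev/VG/LV
# Device-mapper joins VG and LV with a single "-" and escapes a "-" inside
# either name as "--", so "vg--data-lv--home" is VG "vg-data", LV "lv-home".
mapper_to_lv() {
    name=${1#/dev/mapper/}
    printf '%s\n' "$name" | awk '{
        s = $0
        gsub(/--/, "#", s)            # "#" is not a legal character in an LVM name
        n = split(s, part, "-")
        if (n != 2) exit 1            # not a VG-LV pair (e.g. /dev/mapper/control)
        gsub(/#/, "-", part[1]); gsub(/#/, "-", part[2])
        printf "/dev/%s/%s\n", part[1], part[2]
    }'
}

# vg_can_extend "VGDISPLAY_TEXT" SIZE_GB
# Returns 0 when the volume group has at least SIZE_GB of free extents,
# 1 when it does not, 2 when the text could not be parsed.
vg_can_extend() {
    printf '%s\n' "$1" | awk -v want_gb="$2" '
        /^ *PE Size/          { pe_mb = $3 }
        /^ *Free +PE \/ Size/ { free_pe = $5 }
        END {
            if (pe_mb == "" || free_pe == "") exit 2
            need = int(want_gb * 1024 / pe_mb + 0.999)   # round up to whole extents
            if (need <= free_pe) exit 0
            exit 1
        }'
}

# Constructed sample, copied from the vgdisplay output shown in this post.
SAMPLE_VGDISPLAY='  --- Volume group ---
  VG Name               VolGroup00
  VG Size               927.41 GB
  PE Size               32.00 MB
  Total PE              29677
  Alloc PE / Size       16320 / 510.00 GB
  Free  PE / Size       13357 / 417.41 GB'

# Example run: the command the post got wrong, checked before it is executed.
lv=$(mapper_to_lv /dev/mapper/VolGroup00-LogVol03) || echo "not a VG-LV name" >&2
if vg_can_extend "$SAMPLE_VGDISPLAY" 100; then
    echo "ok: lvextend -L +100G $lv"
else
    echo "refusing: not enough free extents for +100G" >&2
fi
```

On a live host replace the sample with `"$(vgdisplay VolGroup00)"`; the rounding up to whole extents matters because lvextend allocates in PE-sized units (32 MB here), so a request that fits in gigabytes can still fail by a few extents.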

3. lvextend only changed the size of the logical volume; the filesystem inside it still has to be grown.
This can be done with umount + resize2fs, or online with ext2online.
umount usually fails with "device is busy" on a live system, so ext2online is used here. (On CentOS/RHEL 5 the stock resize2fs can also grow a mounted ext3 filesystem in place, so the separate ext2resize package is only needed on older releases.)

Download ext2online
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/e/project/ex/ext2resize/ext2resize/ext2resize-1.1.19/

1. Download the i386 rpm
#wget http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/e/project/ex/ext2resize/ext2resize/ext2resize-1.1.19/ext2resize-1.1.19-1.i386.rpm

2. Create the sct user
#useradd sct
#rpm -ivh ext2resize-1.1.19-1.i386.rpm
-----------------
After installation three commands are available:
ext2online ext2prepare ext2resize
-----------------
Note: the package needs an sct user to exist for installation (you do not have to run it as sct).

3. Run it
#ext2online /dev/VolGroup00/LogVol03
ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

4. Final check
#df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
97G 1.9G 91G 3% /
/dev/mapper/VolGroup00-LogVol01
194G 140G 44G 77% /home
/dev/mapper/VolGroup00-LogVol04
97G 17G 75G 19% /var
/dev/mapper/VolGroup00-LogVol03
194G 52G 133G 28% /opt
/dev/mapper/VolGroup00-LogVol02
9.7G 158M 9.1G 2% /tmp
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 1010M 0 1010M 0% /dev/shm

/opt has grown to 200G. Repeat the same steps for /home.

Posted in Linux maintenance and tuning, Tech.



Linux basic security configuration script

Based on the Linux basic security configuration manual, this script applies
the basic Linux security settings one at a time.

#vi autosafe.sh

#!/bin/bash
#########################################################################
#
# File: autosafe.sh
# Description: applies the settings from the Linux basic security
#              configuration manual, one setting per invocation
# Language: GNU Bourne-Again SHell
# Version: 1.1
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"
V_PASSMINLEN=8
V_HISTSIZE=30
V_TMOUT=300
V_GROUPNAME=suadmin
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd"
# virtual consoles to disable in /etc/inittab (tty1 and tty2 are kept)
V_TTY="3456"
V_SUID=(
'/usr/bin/chage'
'/usr/bin/gpasswd'
'/usr/bin/wall'
'/usr/bin/chfn'
'/usr/bin/chsh'
'/usr/bin/newgrp'
'/usr/bin/write'
'/usr/sbin/usernetctl'
'/bin/traceroute'
'/bin/mount'
'/bin/umount'
'/sbin/netreport'
)
version=1.0

# we need root to run
if test "`id -u`" -ne 0
then
    echo "You need to start as root!"
    exit 1
fi

case $1 in
"deluser")
    echo "delete user ..."
    for i in $V_DELUSER ;do
        echo "deleting $i";
        userdel $i ;
    done
    ;;

"delgroup")
    echo "delete group ..."
    # groupdel refuses to remove a group that is still a user's primary group
    for i in $V_DELGROUP ;do
        echo "deleting $i";
        groupdel $i;
    done
    ;;

"password")
    echo "change password limit ..."
    echo "/etc/login.defs"
    echo "PASS_MIN_LEN $V_PASSMINLEN"
    # replace the whole value rather than the digit 5, so it still works on a
    # line that has already been changed once
    sed -i "s/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN $V_PASSMINLEN/" /etc/login.defs
    ;;

"history")
    echo "change history limit ..."
    echo "/etc/profile"
    echo "HISTSIZE $V_HISTSIZE"
    sed -i "s/^HISTSIZE=.*/HISTSIZE=$V_HISTSIZE/" /etc/profile
    ;;

"logintimeout")
    echo "change login timeout ..."
    echo "/etc/profile"
    echo "TMOUT=$V_TMOUT"
    # do not append a second TMOUT line when the script is run twice
    if grep -q "^TMOUT=" /etc/profile
    then
        echo 'warning:existed'
    else
        sed -i "/^HISTSIZE/a\TMOUT=$V_TMOUT" /etc/profile
    fi
    ;;

"bashhistory")
    echo "denied bashhistory ..."
    echo "/etc/skel/.bash_logout"
    echo 'rm -f $HOME/.bash_history'
    # /etc/skel is copied by useradd, so this only affects accounts created from now on
    if egrep "bash_history" /etc/skel/.bash_logout > /dev/null
    then
        echo 'warning:existed'
    else
        echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
    fi
    ;;

"addgroup")
    echo "groupadd $V_GROUPNAME ..."
    groupadd $V_GROUPNAME
    ;;

"sugroup")
    echo "permit $V_GROUPNAME use su ..."
    echo "/etc/pam.d/su"
    echo "auth sufficient /lib/security/pam_rootok.so debug"
    echo "auth required /lib/security/pam_wheel.so group=$V_GROUPNAME"
    # the lines are appended to the end of the stack; "required" still makes
    # the group check mandatory for everyone except root (pam_rootok).
    # Add your own account to $V_GROUPNAME before running this or you lose su.
    if egrep "auth sufficient /lib/security/pam_rootok.so debug" /etc/pam.d/su > /dev/null
    then
        echo 'warning:existed'
    else
        echo 'auth sufficient /lib/security/pam_rootok.so debug' >> /etc/pam.d/su
        echo "auth required /lib/security/pam_wheel.so group=${V_GROUPNAME}" >> /etc/pam.d/su
    fi
    ;;

"denyrootssh")
    echo "denied root login ..."
    echo "/etc/ssh/sshd_config"
    echo "PermitRootLogin no"
    # matches the line whether it is still commented out or already set to yes
    sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
    echo "run 'service sshd restart' to apply"
    ;;

"stopservice")
    echo "stop services ..."
    for i in $V_SERVICE ;do
        service $i stop;
    done
    ;;

"closeservice")
    echo "close services autostart ..."
    for i in $V_SERVICE ;do
        chkconfig $i off;
    done
    ;;

"tty")
    echo "close tty ..."
    echo "/etc/inittab"
    echo "#3:2345:respawn:/sbin/mingetty tty3"
    echo "#4:2345:respawn:/sbin/mingetty tty4"
    echo "#5:2345:respawn:/sbin/mingetty tty5"
    echo "#6:2345:respawn:/sbin/mingetty tty6"
    # double quotes so that $V_TTY is expanded inside the bracket expression
    sed -i "/^[$V_TTY]:2345:respawn/s/^/#/" /etc/inittab
    /sbin/init q
    ;;

"ctrlaltdel")
    echo "close ctrl+alt+del ..."
    echo "/etc/inittab"
    echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
    sed -i '/^ca::/s/^/#/' /etc/inittab
    /sbin/init q
    ;;

"lockfile")
    echo "lock user&services ..."
    echo "chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
    chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
    ;;

"unlockfile")
    echo "unlock user&services ..."
    echo "chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
    chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
    ;;

"chmodinit")
    echo "init script only for root ..."
    echo "chmod -R 700 /etc/init.d/*"
    echo "chmod 600 /etc/grub.conf"
    echo "chattr +i /etc/grub.conf"
    chmod -R 700 /etc/init.d/*
    chmod 600 /etc/grub.conf
    chattr +i /etc/grub.conf
    ;;

"chmodcommand")
    echo "remove SUID ..."
    echo "/usr/bin/chage /usr/bin/gpasswd ..."
    for i in "${V_SUID[@]}";
    do
        if [ -e "$i" ]
        then
            chmod a-s "$i"
        else
            echo "warning:$i not found, skipped"
        fi
    done
    ;;

"version")
    echo "Version: Autosafe for Linux $version"
    ;;

*)
    echo "Usage: $0 <command>"
    echo ""
    echo " deluser delete user"
    echo " delgroup delete group"
    echo " password change password limit"
    echo " history change history limit"
    echo " logintimeout change login timeout"
    echo " bashhistory denied bashhistory"
    echo " addgroup groupadd $V_GROUPNAME"
    echo " sugroup permit $V_GROUPNAME use su"
    echo " denyrootssh denied root login"
    echo " stopservice stop services "
    echo " closeservice close services"
    echo " tty close tty"
    echo " ctrlaltdel close ctrl+alt+del "
    echo " lockfile lock user&services"
    echo " unlockfile unlock user&services"
    echo " chmodinit init script only for root"
    echo " chmodcommand remove SUID"
    echo " version show version"
    echo ""
    ;;
esac

Make it executable

chmod u+x ./autosafe.sh

Run the script, one setting per invocation

./autosafe.sh deluser
./autosafe.sh delgroup
.....

Download the script
autosafe.sh

See also
Linux basic security configuration manual
iptables default security rule script

Posted in shell, Security, Tech.



iptables default security rule script

The default script only opens ports 80, 3306 and 22, the usual set for a web server. Note that 3306 is accepted from any source here; on a real host restrict it with -s to the application network, or drop the rule if MySQL only serves local clients.

#vi default_firewall.sh

#!/bin/bash
#########################################################################
#
# File: default_firewall.sh
# Description: default INPUT-drop ruleset for a web server
# Language: GNU Bourne-Again SHell
# Version: 1.0
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

IPTABLES=/sbin/iptables

# default policies first, so that the flush below never leaves an accept-all table
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT   # set to DROP unless this host routes for others
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

# flush the existing rules, delete user chains, zero the counters
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -t nat -Z

## allow packets coming from the machine itself
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow outgoing traffic
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# block spoofing: loopback addresses must never arrive on a real interface
# ("-i ! lo" is the negation syntax of the older iptables shipped with CentOS 5;
#  1.4 and later write it as "! -i lo")
$IPTABLES -A INPUT -s 127.0.0.0/8 -i ! lo -j DROP

# replies to connections this host opened, and ICMP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT

# stop bad packets
#$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# stop syn flood (1 new connection per second is far too low for a busy web server;
# raise the limit before enabling this)
#$IPTABLES -N SYNFLOOD
#$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
#$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# stop ping flood attack
#$IPTABLES -N PING
#$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
#$IPTABLES -A PING -p icmp -j REJECT
#$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################

# tcp ports

# smtp
#$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# pop3
#$IPTABLES -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# imap
#$IPTABLES -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# ldap
#$IPTABLES -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
# https
#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# smtp over SSL
#$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# line printer spooler
#$IPTABLES -A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
# cups
#$IPTABLES -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# mysql (open to every source here; add "-s <app subnet>", or remove the rule
# if MySQL only serves local clients)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# tomcat
#$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# squid
#$IPTABLES -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
# nrpe
#$IPTABLES -A INPUT -p tcp -m tcp --dport 15666 -j ACCEPT

## restrict some tcp things ##

# ssh
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
# samba (netbios)
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
# ntop
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 3000 -j ACCEPT
# Hylafax
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 4558:4559 -j ACCEPT
# webmin
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 10000 -j ACCEPT

# udp ports
# DNS
#$IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# DHCP
#$IPTABLES -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
# NTP
#$IPTABLES -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# SNMP
#$IPTABLES -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT

## restrict some udp things ##

# Samba (Netbios)
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT

# finally - drop the rest (already covered by the INPUT DROP policy above)

#$IPTABLES -A INPUT -p tcp --syn -j DROP

Make it executable

chmod u+x ./default_firewall.sh

Run the script (from the console, or with a second ssh session kept open, in case the new rules cut you off)

./default_firewall.sh

Check the rules

#/sbin/iptables -nL

Save the rules so they survive a reboot

#/sbin/iptables-save > /etc/sysconfig/iptables

Restart iptables

#/etc/init.d/iptables restart
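Before saving the ruleset it is worth checking what it actually exposes: the script above accepts 3306 from any source, which a web server rarely needs. The following is an added example, not part of the original script: it reads iptables-save output, lists every INPUT ACCEPT rule that names a destination port but carries no -s source restriction, and fails if one of those ports is on a list that should never be reachable from the whole internet. The ruleset text embedded below is a constructed sample of what iptables-save prints after default_firewall.sh has run, and the list of private ports is an assumption for the example.

```sh
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump
# for ports accepted from any source.

# world_open_ports: read iptables-save text on stdin and print "proto port"
# for each INPUT ACCEPT rule that has --dport but no -s restriction.
world_open_ports() {
    awk '/^-A INPUT / && / -j ACCEPT$/ {
        proto = "any"; port = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "-s")      src   = $(i + 1)
        }
        if (port != "" && src == "") print proto, port
    }'
}

# Ports that should only be reachable from trusted networks.
# Assumed list for this example; adjust it to the host's role.
PRIVATE_PORTS="3306 10000 137:139 3000 6022"

# check_ruleset "IPTABLES_SAVE_TEXT": prints the private ports that are open
# to the world and returns 1 if there are any, 0 otherwise.
check_ruleset() {
    bad=0
    for entry in $(printf '%s\n' "$1" | world_open_ports | awk '{ print $2 }'); do
        for p in $PRIVATE_PORTS; do
            if [ "$entry" = "$p" ]; then
                echo "world-reachable private port: $entry"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed sample: iptables-save output after running default_firewall.sh
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 10000 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# On a live host: iptables-save | world_open_ports
check_ruleset "$SAMPLE_RULES" || echo "fix: add -s <trusted net> to those rules" >&2
```

The check deliberately reads the saved form rather than the script, so it also catches rules added by hand after the script ran; run it against `iptables-save` before writing /etc/sysconfig/iptables.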

Download the script:
default_firewall.sh

Posted in shell, Security, Tech.



Linux basic security configuration manual

Installation notes

On a server, do not install components you do not need: when choosing package groups, skip the server packages and the desktop, but include the development tools and development libraries.
The commands below apply to Red Hat/CentOS 4 and 5.

1. Remove the special accounts the system does not need

Disable every default account that the OS creates but that you do not use. Do this check right after the first installation: Linux ships with a number of accounts you probably do not need, and every account you keep is one more thing that can be attacked, so remove the ones you do not use.
======================================================================
#To delete a user from your system:
[root@c1gstudio]# userdel username

#Batch deletion
#This removes the accounts "adm lp sync shutdown halt mail news uucp operator games gopher ftp"
#If you run an ftp or similar service, keep the matching account.

for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp ;do userdel $i ;done

======================================================================

2. Remove the special groups the system does not need

[root@c1gstudio]# groupdel groupname

#Batch deletion

for i in adm lp mail news uucp games dip pppusers popusers slipusers ;do groupdel $i ;done

======================================================================

3. Password settings

The default minimum password length after installation is 5 characters, which is not enough; set it to 8. The minimum length is set in login.defs: #vi /etc/login.defs
Note that on RHEL/CentOS passwd goes through PAM and does not honour PASS_MIN_LEN; the length passwd actually enforces comes from the minlen option of pam_cracklib in /etc/pam.d/system-auth, so set that as well.


PASS_MAX_DAYS 99999 ##maximum password age (default)
PASS_MIN_DAYS 0 ##minimum password age
PASS_MIN_LEN 5 ##minimum password length; change 5 to 8
PASS_WARN_AGE 7 ##days of warning before a password expires

Then change the root password
#passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
======================================================================

4. Log idle sessions out automatically

root is the most privileged account on a Linux system. If an administrator walks away without logging out of a root session, that is a serious exposure, so have the system log idle sessions out by itself. The shell's TMOUT variable does this; it is measured in seconds. Edit /etc/profile (vi /etc/profile) and add the following line after "HISTSIZE=":

  TMOUT=300

300 seconds is 5 minutes: a logged-in user who does nothing for 5 minutes is logged out. A user can unset TMOUT in their own shell unless it is also marked readonly, so treat this as protection against forgotten sessions rather than as a hard control.
======================================================================

5. Limit the size of the shell command history

By default bash keeps up to 500 commands (the default varies between systems) in $HOME/.bash_history, and every user's home directory has such a file. Limiting its size is strongly recommended.
Edit /etc/profile and change the setting to HISTFILESIZE=30 or HISTSIZE=30
#vi /etc/profile

HISTSIZE=30

======================================================================

6. Delete the command history on logout

Edit /etc/skel/.bash_logout and add the line:

rm -f $HOME/.bash_history

With this, every user created from now on deletes their command history when they log out (useradd copies /etc/skel; existing users are not affected).
To apply it to a single existing user such as root, add the same line to that user's own $HOME/.bash_logout.
Bear in mind that shell history is often the first evidence available after an incident; if you discard it on every logout, make sure the commands you would need for an investigation are recorded somewhere else first.

======================================================================

7. Add the groups and user accounts you need

[root@c1gstudio]# groupadd groupname
For example, to add a website group: groupadd website
Then run vigr to review the groups you have added

Add the user accounts you need:
[root@c1gstudio]# useradd username -g website //add the user to the website group (an ordinary administrator of the web server, not a root administrator)
Then run vipw to review the users you have added

Set the user's password (at least 8 characters mixing letters and digits; keep it in a password manager or another protected record so it is not lost)
[root@c1gstudio]# passwd username
======================================================================

8. Restrict who can su to root

If you want only the members of one group to be able to su to root, edit /etc/pam.d/su and add the following lines:

#vi /etc/pam.d/su

auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website

This means only members of the website group can su to root (pam_rootok lets root itself su without a password, as before). Add your own account to the group before making the change, or you lock yourself out of su.
======================================================================

9. Disallow root login over ssh

Change the sshd configuration so that root cannot log in over ssh directly; this removes the one account every attacker knows exists from the brute-force target list.

#vi /etc/ssh/sshd_config

PermitRootLogin yes

Remove the leading # from this line and change it to:

PermitRootLogin no
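The one-off sed substitutions used for steps 3, 5 and 9 (and in the autosafe.sh script earlier on this page) match one specific old value, so they silently do nothing when the line is already uncommented, has been changed once before, or is missing. The function below is an added example, not part of the original manual or script: it sets KEY to VALUE in a config file whether the line is present, commented out, duplicated or absent, and writes through the original file so the owner and mode of /etc/ssh/sshd_config and friends are preserved. The file contents used in the usage notes and test are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original page): idempotent "KEY VALUE" edits
# for files such as /etc/login.defs, /etc/profile and /etc/ssh/sshd_config.

# set_kv FILE KEY VALUE [SEP]
#   Replaces the first line whose key is KEY (commented out or not) with
#   "KEY<SEP>VALUE", drops any further lines with the same key, and appends
#   the setting if no such line exists. SEP defaults to a space; pass "="
#   for shell-style files. Returns non-zero if FILE cannot be written, for
#   example while it is immutable after chattr +i (step 16).
set_kv() {
    file=$1; key=$2; value=$3; sep=${4:- }
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # ignore a leading comment marker
            split(line, f, /[ \t=]+/)            # f[1] is the key on this line
            if (f[1] == key) {
                if (!done) { print key sep value; done = 1 }
                next                              # drop duplicates
            }
            print
        }
        END { if (!done) print key sep value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a real host:
#   set_kv /etc/login.defs PASS_MIN_LEN 8           # step 3
#   set_kv /etc/profile HISTSIZE 30 =               # step 5
#   set_kv /etc/profile TMOUT 300 =                 # step 4
#   set_kv /etc/ssh/sshd_config PermitRootLogin no  # step 9, then: service sshd restart
```

A comment line that merely starts with the key ("#PASS_MIN_LEN is the minimum ...") would also be replaced, which is the price of recognising "#PermitRootLogin yes" as the setting to rewrite; run `sshd -t` after editing sshd_config and restart sshd only once it reports no errors.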

10. Change the sshd listening port

sshd listens on port 22 by default; moving it to 6022 keeps it out of routine scans.
Caution: getting the port change wrong can lock you out of the server. Listen on both 22 and 6022 first, confirm 6022 works, and only then remove 22.
Restarting sshd does not drop your current connection, so open a second client to test the service.

#vi /etc/ssh/sshd_config
#add both Port lines for now

Port 22 #remove this line once 6022 is confirmed working
Port 6022 #the new port

#restart sshd

service sshd restart

Check that sshd is listening on the right ports

netstat -lnp|grep ssh

#open port 6022 in iptables

vi /etc/sysconfig/iptables


#if you use the Red Hat default ruleset, add
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
#or
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
#(the OUTPUT rule is only needed if your OUTPUT policy is DROP; ssh is TCP, not UDP)
iptables -A OUTPUT -p tcp --sport 6022 -j ACCEPT

Restart the iptables service

service iptables restart

#test that both ports accept connections, then remove Port 22

See also:
How to change the SSH default port 22 on Linux
======================================================================

11. Turn off services the system does not use

cd /etc/init.d #the directory of the init scripts
There are two ways to disable a service found here:
1. Rename its init script (for example to *.old) so the start script is not found at boot. 2. Use chkconfig to turn the service off in the relevant runlevels.
Note: whichever method you use, first check that the service you are about to disable is not one this particular server needs, so that you do not break something in use.

Use chkconfig to turn off unused services (note the two dashes before level)
To see how many processes are running before you change the startup scripts, type:
ps aux | wc -l

After changing the startup scripts, reboot and run the same command again to see how many fewer there are. The fewer services running, the better the security. To see what is listening on the network, run:
netstat -na --ip

Batch method
First stop the services

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ;do service $i stop;done

Then disable them at boot

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ;do chkconfig $i off;done

Below is the manual method with explanations; it is not needed once the batch commands have been run
chkconfig --level 345 apmd off ##only needed on laptops
chkconfig --level 345 netfs off ## nfs client
chkconfig --level 345 yppasswdd off ## NIS server, many vulnerabilities
chkconfig --level 345 ypserv off ## NIS server, many vulnerabilities
chkconfig --level 345 dhcpd off ## dhcp server
chkconfig --level 345 portmap off ##required for rpc (port 111) services
chkconfig --level 345 lpd off ##printing
chkconfig --level 345 nfs off ## NFS server, many vulnerabilities
chkconfig --level 345 sendmail off ##mail, many vulnerabilities
chkconfig --level 345 snmpd off ## SNMP, remote users can obtain a lot of system information from it
chkconfig --level 345 rstatd off ##avoid running the r services, remote users can obtain a lot of information from them
chkconfig --level 345 atd off ##a scheduler similar to cron
Note: the 3 and 5 in the chkconfig commands above are runlevels:
0: halt (do not switch to this level)
1: single-user mode, text console
2: multi-user mode, text console, without NFS
3: multi-user mode, text console, with NFS
4: unused or custom on most distributions
5: multi-user mode with the X Window System on most distributions
6: reboot

Without --level, plain on and off apply to runlevels 2, 3, 4 and 5

chkconfig cups off #printing
chkconfig bluetooth off # bluetooth
chkconfig hidd off # bluetooth input devices
chkconfig ip6tables off # ipv6 firewall
chkconfig ipsec off # vpn
chkconfig auditd off #user-space audit daemon (keep it if you want a login and syscall audit trail for incident response)
chkconfig autofs off #automounter for CD, floppy and removable disks

chkconfig avahi-daemon off #Zero Configuration Networking, of little use on a server, disable
chkconfig avahi-dnsconfd off #Zero Configuration Networking, as above, disable
chkconfig cpuspeed off #dynamic CPU frequency scaling, disable on servers
chkconfig isdn off #isdn
chkconfig kudzu off #hardware detection at boot
chkconfig nfslock off #NFS file locking, part of file sharing support, can be turned off if unused
chkconfig nscd off #name service cache for passwd and group lookups, needed with NIS
chkconfig pcscd off #smart card support, turn off if you have none
chkconfig yum-updatesd off #yum update checks

chkconfig acpid off
chkconfig autofs off
chkconfig firstboot off
chkconfig mcstrans off #selinux
chkconfig microcode_ctl off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig setroubleshoot off
chkconfig xfs off #X font server
chkconfig xinetd off
chkconfig messagebus off
chkconfig gpm off #console mouse
chkconfig restorecond off #selinux
chkconfig haldaemon off
chkconfig sysstat off
chkconfig readahead_early off
chkconfig anacron off

Services to keep

crond , irqbalance , microcode_ctl ,network , sshd ,syslog
(microcode_ctl appears both in the list above and here; it only loads CPU microcode at boot, so decide which list it belongs in before running the batch command)

Some of these services are already running, so reboot once the settings are done

chkconfig
/*
Syntax: chkconfig [--add][--del][--list][service] or chkconfig [--level <levels>][service][on/off/reset]

Description: a Red Hat program released under the GPL that queries and sets which system services run in each runlevel, including the various resident daemons.

Options:
 --add  put the named service under chkconfig management and add the matching entries to the system startup configuration.
 --del  remove the named service from chkconfig management and delete its entries from the system startup configuration.
 --level<levels>  specify the runlevels in which the service is turned on or off
*/

======================================================================

12. Stop the system answering ping requests from outside or inside

If nobody can ping your machine and get a reply, the host is a little harder to find; it is not a real protection, since every open port still answers. Add the line below to /etc/rc.d/rc.local so it runs at every boot.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#this step is optional; it also hides the host from your own monitoring
======================================================================

13. Edit /etc/host.conf

/etc/host.conf controls how the resolver looks up addresses. Edit it (vi /etc/host.conf) and add the following lines:
  # Look names up in /etc/hosts first, then fall back to DNS.
  order hosts,bind
  # We have machines with multiple IP addresses.
  multi on
  # Check for IP address spoofing.
  nospoof on

The first setting looks a name up in /etc/hosts first and only then queries DNS (the order is exactly what the line says: hosts before bind). The second lets a host in /etc/hosts have several IP addresses (for example several network cards). The third tells the resolver to reject an answer whose reverse and forward lookups do not agree, which is what hostname spoofing against this machine looks like.
======================================================================

14. Limit which consoles root can log in from

/etc/securetty lists the TTY devices root may log in from; put a "#" in front of any TTY you do not want root to use.

Separately, /etc/inittab decides how many virtual consoles exist at all:
  # Run gettys in standard runlevels
  1:2345:respawn:/sbin/mingetty tty1
  2:2345:respawn:/sbin/mingetty tty2
  #3:2345:respawn:/sbin/mingetty tty3
  #4:2345:respawn:/sbin/mingetty tty4
  #5:2345:respawn:/sbin/mingetty tty5
  #6:2345:respawn:/sbin/mingetty tty6

By default six consoles are available (Alt+F1, Alt+F2, ...). Commenting out 3 to 6 leaves only two, which is a sensible minimum to keep. Then make init re-read the file for the change to take effect.
======================================================================

15. Disable the Control-Alt-Delete reboot

In /etc/inittab comment out the following line (with #):
  ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
  #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For the change to take effect, run:
# /sbin/init q
======================================================================

16. Make the following files immutable with chattr

[root@c1gstudio]# chattr +i /etc/passwd
[root@c1gstudio]# chattr +i /etc/shadow
[root@c1gstudio]# chattr +i /etc/group
[root@c1gstudio]# chattr +i /etc/gshadow
[Note: chattr changes file attributes; i is the immutable bit, meaning the file or directory cannot be modified, deleted or renamed, even by root, until the bit is cleared. Check with lsattr /etc/passwd; clear with chattr -i /etc/group. While the bit is set, useradd, passwd and similar tools fail, so clear it before any account change and set it again afterwards.]
Additional notes: the command changes the attributes of files or directories on ext2 family filesystems; the attributes include the following 8 modes:
 a: append only.
 A: do not update the last access time.
 c: store compressed.
 d: exclude from dump backups.
 i: immutable.
 s: secure deletion.
 S: synchronous updates.
 u: undeletable (recoverable after accidental deletion).

Options:
 -R recurse into the given directory and all files and subdirectories below it.
 -v<version> set the file or directory version.
 -V verbose.
 +<attribute> set the attribute.
 -<attribute> clear the attribute.
 =<attribute> set exactly these attributes.

======================================================================

17. Lock the system service port list

Purpose: prevent services being added to or removed from the list without authorisation

chattr +i /etc/services
[Check with lsattr /etc/services; clear with chattr -i /etc/services]

======================================================================

18. Adjust system file permissions

Filesystem security on Linux rests on file permissions. Every file or directory carries three sets of permissions, for the owner, the group and everyone else (read, write, execute, plus SUID and SGID). Executables with SUID or SGID set run with the privileges of their owner rather than of the caller, so a flaw in one of them that an attacker finds becomes a privilege escalation.

(1) Restrict the init scripts:
chmod -R 700 /etc/init.d/* (recursive; owner rwx, group and others nothing)

(2) Remove SUID/SGID from system binaries ordinary users do not need:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /sbin/netreport
On CentOS 5 traceroute is installed as /bin/traceroute; use whichever path exists. After this only root can change shells and GECOS fields, manage group passwords or mount filesystems, which is usually what you want on a server, but check before doing it on a host with interactive users.

(3) Protect the boot loader configuration
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
[Check with lsattr /etc/grub.conf; clear with chattr -i /etc/grub.conf]
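Clearing the setuid bit on the binaries in (2) only helps if nothing acquires it later: dropping a new setuid copy of a shell somewhere on the filesystem is a classic way of keeping root after a compromise. The following is an added example, not part of the original manual: suid_list records every setuid/setgid regular file under a directory as a sorted baseline, and suid_new reports entries that have appeared since. The directory and files in the test are constructed; the baseline path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the original manual): baseline and re-check
# setuid/setgid files so that a newly added one stands out.

# suid_list DIR: sorted "mode owner group path" lines for every regular file
# under DIR with the setuid or setgid bit, staying on one filesystem (-xdev).
# Paths containing spaces would be truncated by $NF; system binaries do not have them.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' | sort
}

# suid_new BASELINE DIR: print entries present now but absent from BASELINE
# (a file written earlier with suid_list). Returns 1 if any were found.
suid_new() {
    new=$(suid_list "$2" | comm -13 "$1" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Usage on a real host (baseline right after hardening, re-check from cron):
#   suid_list / > /var/lib/suid.baseline
#   suid_new /var/lib/suid.baseline / || logger -t suidcheck "new setuid file found"
```

The mode and owner are part of each line on purpose: a binary that was setuid root in the baseline and is now setuid to another user, or vice versa, shows up as a new entry rather than disappearing into an unchanged path list.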

======================================================================

19. Add DNS servers

#vi /etc/resolv.conf

nameserver 8.8.8.8 #google dns
nameserver 8.8.4.4

======================================================================

20. Change the hostname

#stop services such as mysql and postfix first; they pick the hostname up when they start
1.hostname servername

2.vi /etc/sysconfig/network
service network restart

3.vi /etc/hosts

======================================================================

21. SELinux

Leaving SELinux enabled adds protection, but some software installs run into puzzling problems with it.
To turn it off:
#vi /etc/selinux/config
set SELINUX=disabled (SELINUX=permissive keeps logging denials without enforcing them, which is a better way to track those problems down than disabling it outright)

======================================================================

22. Disable IPv6


echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf

#vi /etc/sysconfig/network

NETWORKING_IPV6=no

Restart the services

service ip6tables stop
service network restart

Disable it at boot

chkconfig --level 235 ip6tables off

======================================================================

23. Set up iptables

iptables default security rule script

======================================================================

Reboot

Most of the settings above can be applied with the script
Linux security quick-setup script

Reboot the system once the settings are done

Other settings

Adjusting the system time zone and time on Linux

Make /etc/localtime a symlink to the matching file under /usr/share/zoneinfo. For Shanghai time, for example:
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
If the hardware clock keeps UTC, set UTC=TRUE in /etc/sysconfig/clock.
Setting the time: use date -s. The Linux format is "MMDDhhmmYYYY". You can set just the time with date -s 22:30:20; to set date and time together the format is "MMDDhhmmYYYY.ss", so 2007-03-18 11:01:56 is written as date -s 031811012007.56
Write the current system time back to the hardware clock: hwclock --systohc, or hwclock --systohc --utc if the hardware clock keeps UTC.

Adjusting the system time zone and time on Linux (alternative, step by step)

1) Find the time zone file, e.g. /usr/share/zoneinfo/Asia/Shanghai

and copy it over the current /etc/localtime.
Step: cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
answer yes to overwrite
2) Edit /etc/sysconfig/clock so that it reads:

ZONE="Asia/Shanghai"
UTC=false
ARC=false

3)
To set the date to 30 August 2005:
#date -s 08/30/2005

To set the time to 18:40:00:
#date -s 18:40:00

4)
Sync the BIOS clock, i.e. force the system time into CMOS:
#clock -w

======================================================================

Add the NetEase (163) yum mirror

#cd /etc/yum.repos.d/
#mv CentOS-Base.repo CentOS-Base.repo.bak
#wget http://mirrors.163.com/.help/CentOS-Base-163.repo

======================================================================

Install ntpd

#yum install ntp
#chkconfig --levels 235 ntpd on
#ntpdate ntp.api.bz #set the clock by hand first
#service ntpd start

======================================================================

Set the language

English locale with Chinese support
#vi /etc/sysconfig/i18n

LANG="en_US.UTF-8"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh"
SYSFONT="latarcyrheb-sun16"

======================================================================

tmpwatch scheduled cleanup

Assume the server uses custom PHP session and upload directories under /tmp

#vi /etc/cron.daily/tmpwatch
insert the following before "240 /tmp" so that the cleaner skips those directories
-x /tmp/session -x /tmp/upload

#mkdir /tmp/session
#mkdir /tmp/upload
#chown nobody:nobody /tmp/upload
#chmod 0770 /tmp/upload
======================================================================

Install fail2ban

Use fail2ban to block ssh brute-force attempts
======================================================================

Install Tripwire

Install Tripwire to check file integrity
======================================================================

Install jailkit

Use jailkit to build a chrooted sftp environment

Posted in Security, Tech.
