

Adding disk space to an LVM volume online

1. Check current usage
#df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
97G 1.9G 91G 3% /
/dev/mapper/VolGroup00-LogVol01
194G 140G 44G 77% /home
/dev/mapper/VolGroup00-LogVol04
97G 17G 75G 19% /var
/dev/mapper/VolGroup00-LogVol03
97G 52G 41G 56% /opt
/dev/mapper/VolGroup00-LogVol02
9.7G 158M 9.1G 2% /tmp
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 1010M 4.0K 1010M 1% /dev/shm

/home needs another 200G
/opt needs another 100G

fdisk shows the disk is 1 TB and is entirely allocated to LVM
#fdisk -l

Disk /dev/sda: 1000.2 GB, 1000203804160 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 104391 83 Linux
/dev/sda2 14 535 4192965 82 Linux swap / Solaris
/dev/sda3 536 121601 972462645 8e Linux LVM

vgdisplay shows the volume group still has about 417G free
#vgdisplay

--- Volume group ---
VG Name VolGroup00
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 6
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 5
Open LV 5
Max PV 0
Cur PV 1
Act PV 1
VG Size 927.41 GB
PE Size 32.00 MB
Total PE 29677
Alloc PE / Size 16320 / 510.00 GB
Free PE / Size 13357 / 417.41 GB
VG UUID 4Wzdqp-f3RH-1lEP-YfXN-01Vp-3K5c-EmtcBE

2. Extending the volume
(the wrong way)
#lvextend -L +100G /dev/mapper/VolGroup00-LogVol03

Volume group "mapper" not found
Volume group mapper doesn't exist

The device name is wrong: lvextend takes the /dev/<vg>/<lv> path, not the /dev/mapper/<vg>-<lv> name that df prints. Also note the "+" in front of the size: "-L +100G" adds 100G, whereas "-L 100G" means "make the volume exactly 100G". The correct command is
#lvextend -L +100G /dev/VolGroup00/LogVol03

Extending logical volume LogVol03 to 200.00 GB
Logical volume LogVol03 successfully resized

3. lvextend only grew the logical volume; the file system inside it still has to be resized.
Either unmount and run resize2fs, or grow it while mounted with ext2online.
umount on a volume like /opt usually fails with "device is busy", so ext2online is used here.
(On kernel 2.6 with e2fsprogs 1.39 or later, resize2fs itself can grow a mounted ext3/ext4 file system, so the separate ext2online tool is only needed on older systems.)

Download ext2online
http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/e/project/ex/ext2resize/ext2resize/ext2resize-1.1.19/

1. Download the i386 rpm
#wget http://www.mirrorservice.org/sites/download.sourceforge.net/pub/sourceforge/e/project/ex/ext2resize/ext2resize/ext2resize-1.1.19/ext2resize-1.1.19-1.i386.rpm

2. Create the sct user
#useradd sct
#rpm -ivh ext2resize-1.1.19-1.i386.rpm
-----------------
After installation three commands are available:
ext2online ext2prepare ext2resize
-----------------
Note: the package will not install unless an sct user exists (you do not have to run the install as sct).
The rpm arrives over plain http from a mirror; run rpm -K on it and look at the result before installing it as root.

3. Run it
#ext2online /dev/VolGroup00/LogVol03
ext2online v1.1.18 - 2001/03/18 for EXT2FS 0.5b

4. Final check
#df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
97G 1.9G 91G 3% /
/dev/mapper/VolGroup00-LogVol01
194G 140G 44G 77% /home
/dev/mapper/VolGroup00-LogVol04
97G 17G 75G 19% /var
/dev/mapper/VolGroup00-LogVol03
194G 52G 133G 28% /opt
/dev/mapper/VolGroup00-LogVol02
9.7G 158M 9.1G 2% /tmp
/dev/sda1 99M 12M 82M 13% /boot
tmpfs 1010M 0 1010M 0% /dev/shm

/opt has grown to 200G. Do the same for /home.
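The naming mistake above is easy to repeat, because df only ever shows the /dev/mapper form. The following is an added example, not part of the original post: it converts the mapper name into the path lvextend wants (handling the doubled dashes that mapper names use for a literal "-" in a VG or LV name), refuses a size without the leading "+", and prints the online-grow commands for review. The device names used in the usage lines are the ones from this post; nothing here runs lvextend itself.

```shell
#!/bin/sh
# Added example (not from the original post): derive the /dev/<vg>/<lv> path
# from the /dev/mapper/<vg>-<lv> name that df prints, and print the commands
# that grow the LV and its mounted ext3/ext4 file system.
# In mapper names a literal '-' inside a VG or LV name is written '--', so
# "vg--data-lv--home" is VG "vg-data", LV "lv-home".

# /dev/mapper/VolGroup00-LogVol03 -> /dev/VolGroup00/LogVol03
mapper_to_lv() {
    case $1 in
        /dev/mapper/*) ;;
        *) echo "mapper_to_lv: expected a /dev/mapper/ name, got '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$1" | awk '
    {
        sub(/^\/dev\/mapper\//, "")
        gsub(/--/, "\t")                 # hide escaped dashes (a tab cannot occur in a name)
        n = index($0, "-")               # the remaining single dash separates VG from LV
        if (n == 0) { print "not a <vg>-<lv> mapper name: " $0 > "/dev/stderr"; exit 1 }
        vg = substr($0, 1, n - 1); lv = substr($0, n + 1)
        gsub(/\t/, "-", vg); gsub(/\t/, "-", lv)
        print "/dev/" vg "/" lv
    }'
}

# Print the two commands that grow an LV and the file system in it while mounted.
# The size must start with '+': "-L 100G" would mean "make it exactly 100G".
# (Newer lvextend accepts -r/--resizefs and runs resize2fs itself; the two-step
# form below works everywhere resize2fs supports online growth.)
plan_extend() {
    dev=$1; size=$2
    case $size in
        +[0-9]*) ;;
        *) echo "size must look like +100G (got '$size'); without '+' lvextend sets an absolute size" >&2
           return 1 ;;
    esac
    lv=$(mapper_to_lv "$dev") || return 1
    printf 'lvextend -L %s %s\n' "$size" "$lv"
    printf 'resize2fs %s\n' "$lv"
}

# usage: plan_extend /dev/mapper/VolGroup00-LogVol03 +100G
#        (review the output, then run it as root and check with df -h)
```

Pipe the printed commands into a root shell only after reading them; the point of printing first is that a wrong "+" or a wrong device is caught before anything is resized.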

Posted in linux maintenance and tuning, Tech.



Linux basic security configuration script

Based on the Linux basic security configuration manual, this script applies a number of basic Linux security settings, one action per invocation.

#vi autosafe.sh

#!/bin/bash
#########################################################################
#
# File: autosafe.sh
# Description: applies the settings from the Linux basic security configuration manual
# Language: GNU Bourne-Again SHell
# Version: 1.1
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"
V_PASSMINLEN=8
V_HISTSIZE=30
V_TMOUT=300
V_GROUPNAME=suadmin
# note: this list also stops auditd (the audit trail) and microcode_ctl; take them out if you want to keep those
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd"
# consoles to comment out in /etc/inittab; used as a character class, so digits only
V_TTY="3456"
V_SUID=(
'/usr/bin/chage'
'/usr/bin/gpasswd'
'/usr/bin/wall'
'/usr/bin/chfn'
'/usr/bin/chsh'
'/usr/bin/newgrp'
'/usr/bin/write'
'/usr/sbin/usernetctl'
'/bin/traceroute'
'/bin/mount'
'/bin/umount'
'/sbin/netreport'
)
version=1.0

# we need root to run
if test "`id -u`" -ne 0
then
echo "You need to start as root!"
exit 1
fi

case $1 in
"deluser")
echo "delete user ..."
for i in $V_DELUSER ;do
echo "deleting $i";
userdel $i ;
done
;;

"delgroup")
echo "delete group ..."
for i in $V_DELGROUP ;do
echo "deleting $i";
groupdel $i;
done
;;

"password")
echo "change password limit ..."
echo "/etc/login.defs"
echo "PASS_MIN_LEN $V_PASSMINLEN"
# replace the whole value, not just the first '5' that happens to be on the line
sed -i "s/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN $V_PASSMINLEN/" /etc/login.defs
;;

"history")
echo "change history limit ..."
echo "/etc/profile"
echo "HISTSIZE $V_HISTSIZE"
sed -i "s/^HISTSIZE=.*/HISTSIZE=$V_HISTSIZE/" /etc/profile
;;

"logintimeout")
echo "change login timeout ..."
echo "/etc/profile"
echo "TMOUT=$V_TMOUT"
if grep -q "^TMOUT=" /etc/profile
then
echo 'warning:existed'
else
# readonly so a user cannot simply unset TMOUT in their own shell
sed -i "/^HISTSIZE/a\TMOUT=$V_TMOUT; readonly TMOUT; export TMOUT" /etc/profile
fi
;;

"bashhistory")
echo "denied bashhistory ..."
echo "/etc/skel/.bash_logout"
echo 'rm -f $HOME/.bash_history'
if egrep "bash_history" /etc/skel/.bash_logout > /dev/null
then
echo 'warning:existed'
else
echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
fi

;;
"addgroup")
echo "groupadd $V_GROUPNAME ..."
groupadd $V_GROUPNAME
;;

"sugroup")
echo "permit $V_GROUPNAME use su ..."
echo "/etc/pam.d/su"
echo "auth sufficient pam_rootok.so"
echo "auth required pam_wheel.so use_uid group=$V_GROUPNAME"
if egrep "pam_wheel.so.*group=$V_GROUPNAME" /etc/pam.d/su > /dev/null
then
echo 'warning:existed'
else
# insert at the top of the auth stack (after the #%PAM-1.0 header line): appended
# below "auth include system-auth", pam_wheel would never run once pam_unix succeeded
sed -i "1a auth required pam_wheel.so use_uid group=$V_GROUPNAME" /etc/pam.d/su
sed -i "1a auth sufficient pam_rootok.so" /etc/pam.d/su
fi
;;

"denyrootssh")
echo "denied root login ..."
echo "/etc/ssh/sshd_config"
echo "PermitRootLogin no"
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# sshd uses the first match; make sure no other active PermitRootLogin line is left
grep -n '^PermitRootLogin' /etc/ssh/sshd_config
;;

"stopservice")
echo "stop services ..."
for i in $V_SERVICE ;do
service $i stop;
done
;;

"closeservice")
echo "close services autostart ..."
for i in $V_SERVICE ;do
chkconfig $i off;
done
;;

"tty")
echo "close tty ..."
echo "/etc/inittab"
echo "#3:2345:respawn:/sbin/mingetty tty3"
echo "#4:2345:respawn:/sbin/mingetty tty4"
echo "#5:2345:respawn:/sbin/mingetty tty5"
echo "#6:2345:respawn:/sbin/mingetty tty6"
# double quotes so $V_TTY expands; single quotes would leave the pattern literal
sed -i "/^[$V_TTY]:2345/s/^/#/" /etc/inittab
;;

"ctrlaltdel")
echo "close ctrl+alt+del ..."
echo "/etc/inittab"
echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
sed -i '/^ca::/s/^/#/' /etc/inittab
;;

"lockfile")
echo "lock user&services ..."
echo "chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
;;

"unlockfile")
echo "unlock user&services ..."
echo "chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
;;

"chmodinit")
echo "init script only for root ..."
echo "chmod -R 700 /etc/init.d/*"
echo "chmod 600 /etc/grub.conf"
echo "chattr +i /etc/grub.conf"
chmod -R 700 /etc/init.d/*
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
;;

"chmodcommand")
echo "remove SUID ..."
echo "/usr/bin/chage /usr/bin/gpasswd ..."
for i in "${V_SUID[@]}";
do
[ -e "$i" ] && chmod a-s "$i"
done
;;

"version")
echo "Version: Autosafe for Linux $version"
;;

*)
echo "Usage: $0 <action>"
echo ""
echo " deluser delete user"
echo " delgroup delete group"
echo " password change password limit"
echo " history change history limit"
echo " logintimeout change login timeout"
echo " bashhistory denied bashhistory"
echo " addgroup groupadd $V_GROUPNAME"
echo " sugroup permit $V_GROUPNAME use su"
echo " denyrootssh denied root login"
echo " stopservice stop services "
echo " closeservice close services"
echo " tty close tty"
echo " ctrlaltdel close ctrl+alt+del "
echo " lockfile lock user&services"
echo " unlockfile unlock user&services"
echo " chmodinit init script only for root"
echo " chmodcommand remove SUID"
echo " version "
echo ""

;;
esac

Set permissions

chmod u+x ./autosafe.sh

Run the script

./autosafe.sh deluser
./autosafe.sh delgroup
.....

Download the script:
autosafe.sh

Other references
Linux basic security configuration manual
iptables default security rules script
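A one-line sed edits a file; it does not prove the setting took effect. The following is an added example, not part of the script above: a post-hardening audit that reads the same three files the script touches and reports the effective value. It checks the three things the edits most often get wrong: sshd honours the first PermitRootLogin it finds, so a "no" placed below an earlier active "yes" changes nothing; TMOUT only holds if it is readonly; and PASS_MIN_LEN has to be the whole value, not just one digit replaced. Pass "/" as the root to audit the live host, or a copied /etc tree. The fixture built by make_fixture is constructed for the demonstration and is not a real host's configuration.

```shell
#!/bin/sh
# Added example, not part of autosafe.sh: audit the effective value of the
# settings the script changes, under a root directory (/ on the live host, or a
# copied tree for offline review). Match blocks in sshd_config are not modelled;
# if the file has "Match" stanzas, review those by hand.

# First active value of an sshd_config keyword (case-insensitive, comments skipped).
effective_sshd_opt() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# One OK/FAIL line per check on stdout; the return value is the number of failures.
audit_hardening() {
    root=$1
    fail=0

    v=$(effective_sshd_opt "$root/etc/ssh/sshd_config" PermitRootLogin)
    case ${v:-yes} in             # absent keyword means the OpenSSH default, yes
        no|without-password) echo "OK   PermitRootLogin=$v" ;;
        *) echo "FAIL PermitRootLogin is effectively '${v:-yes}' (sshd uses the first match)"
           fail=$((fail + 1)) ;;
    esac

    minlen=$(awk '$1 == "PASS_MIN_LEN" { print $2; exit }' "$root/etc/login.defs")
    if [ "${minlen:-0}" -ge 8 ] 2>/dev/null; then
        echo "OK   PASS_MIN_LEN=$minlen"
    else
        echo "FAIL PASS_MIN_LEN=${minlen:-unset} (want 8 or more)"; fail=$((fail + 1))
    fi

    prof=$root/etc/profile
    tmout=$(sed -n 's/^TMOUT=\([0-9]*\).*/\1/p' "$prof" | sed -n 1p)
    if [ -n "$tmout" ] && [ "$tmout" -gt 0 ] && [ "$tmout" -le 600 ]; then
        echo "OK   TMOUT=$tmout"
    else
        echo "FAIL TMOUT=${tmout:-unset} (want 1..600 seconds)"; fail=$((fail + 1))
    fi
    if grep -Eq '(^|;)[[:space:]]*readonly[[:space:]]+TMOUT' "$prof"; then
        echo "OK   TMOUT is readonly"
    else
        echo "FAIL TMOUT can be unset by the user (add: readonly TMOUT)"; fail=$((fail + 1))
    fi
    return $fail
}

# Constructed fixture tree so the audit can be tried without touching /etc.
# "$2" = bad reproduces the usual mistakes; anything else is the fixed state.
make_fixture() {
    root=$1
    mkdir -p "$root/etc/ssh"
    if [ "$2" = bad ]; then
        printf 'PermitRootLogin yes\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$root/etc/ssh/sshd_config"
        printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n' > "$root/etc/login.defs"
        printf 'HISTSIZE=30\nTMOUT=300\n' > "$root/etc/profile"
    else
        printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$root/etc/ssh/sshd_config"
        printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t8\n' > "$root/etc/login.defs"
        printf 'HISTSIZE=30\nTMOUT=300; readonly TMOUT; export TMOUT\n' > "$root/etc/profile"
    fi
}

# usage on the live host:  audit_hardening /        (exit status = number of failures)
```

Run it after every "./autosafe.sh ..." action and again after package updates, since an updated openssh-server or shadow-utils package can ship a fresh config file.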

Posted in shell, security, Tech.



iptables default security rules script

By default the script only opens ports 80, 3306 and 22, as for a typical web server. Note that 3306 is open to everyone here; unless the database really must be reachable from the Internet, restrict that rule with -s to the hosts that need it.

#vi default_firewall.sh

#!/bin/bash
#########################################################################
#
# File: default_firewall.sh
# Description: default INPUT-drop ruleset for a plain web server
# Language: GNU Bourne-Again SHell
# Version: 1.0
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

IPTABLES=/sbin/iptables

# set the default policies, then flush the old rules
# (between the policy change and the ESTABLISHED rule further down, existing
# connections, your ssh session included, are dropped; run this from the console
# or load the rules with iptables-restore, which applies them in one step)
$IPTABLES -P INPUT DROP
# this host does not route; change to DROP if ip_forward is ever enabled
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -t nat -Z

## allow packets coming from the machine itself
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow outgoing traffic
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# block spoofing: loopback addresses must not arrive on a real interface
# ("-i ! lo" is the old spelling; current iptables wants the "!" before the option)
$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT

# stop bad packets
#$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
#$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# stop syn flood
#$IPTABLES -N SYNFLOOD
#$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
#$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
#$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# stop ping flood attack
#$IPTABLES -N PING
#$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
#$IPTABLES -A PING -p icmp -j REJECT
#$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################

# tcp ports

# smtp
#$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# pop3
#$IPTABLES -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# imap
#$IPTABLES -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# ldap
#$IPTABLES -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
# https
#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# smtp over SSL
#$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# line printer spooler
#$IPTABLES -A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
# cups
#$IPTABLES -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# mysql (open to everyone; add -s <application host> unless the database must be reachable from the Internet)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
# tomcat
#$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
# squid
#$IPTABLES -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
# nrpe
#$IPTABLES -A INPUT -p tcp -m tcp --dport 15666 -j ACCEPT

## restrict some tcp things ##

# ssh
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp -m tcp --dport 6022 -j ACCEPT
# samba (netbios)
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
# ntop
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 3000 -j ACCEPT
# Hylafax
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 4558:4559 -j ACCEPT
# webmin
#$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 10000 -j ACCEPT

# udp ports
# DNS
#$IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# DHCP
#$IPTABLES -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
# NTP
#$IPTABLES -A INPUT -p udp -m udp --dport 123 -j ACCEPT
# SNMP
#$IPTABLES -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT

## restrict some udp things ##

# Samba (Netbios)
#$IPTABLES -A INPUT -p udp -m udp -s 192.168.0.0/16 --dport 137:139 -j ACCEPT
#$IPTABLES -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT

# finally - drop the rest (already covered by the INPUT DROP policy above)

#$IPTABLES -A INPUT -p tcp --syn -j DROP

Set permissions

chmod u+x ./default_firewall.sh

Run the script

./default_firewall.sh

List the rules

#/sbin/iptables -nL

Save the rules

#/sbin/iptables-save > /etc/sysconfig/iptables

Restart iptables

#/etc/init.d/iptables restart
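The script above sets "-P INPUT DROP" first and only later appends the RELATED,ESTABLISHED rule, so for a moment the host drops everything, including the ssh session the script is run from. Writing the same policy as an iptables-restore file avoids that, because the kernel swaps the whole table in one step, and the file format is exactly what /etc/sysconfig/iptables holds on Red Hat. The following is an added example and not the page's script: a generator that takes the public ports, the admin network and the admin-only ports as arguments, validates the port numbers, and emits the ruleset. The port and network values shown in the usage line are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not default_firewall.sh: the same INPUT-drop policy as an
# iptables-restore file, so the rules load atomically instead of one -A at a time.
# Ports and networks are arguments; the ones in the usage line are constructed.

# Only digits in 1..65535, so a typo cannot become an unintended rule.
validate_ports() {
    for p in $1; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# gen_ruleset "<public tcp ports>" "<admin network>" "<admin-only tcp ports>"
# Writes the ruleset to stdout in iptables-save format.
gen_ruleset() {
    public=$1; admin_net=$2; admin=$3
    validate_ports "$public" && validate_ports "$admin" || {
        echo "gen_ruleset: bad port list" >&2; return 1; }
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'          # the host does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP'
    # existing connections are accepted before any port rule, so the order in
    # which the file is read never matters for an open ssh session
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT'
    for p in $public; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $admin; do
        printf '%s\n' "-A INPUT -s $admin_net -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # log what the policy is about to drop, rate limited so a scan cannot fill the disk
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# usage (constructed values):
#   gen_ruleset "80 443" 192.168.0.0/16 "22 3306" > /etc/sysconfig/iptables
#   service iptables restart        # loads the file with iptables-restore
```

The admin network argument is where ssh and mysql belong; putting 3306 behind it is the fix for the world-open mysql rule in the script. Keep a console session open the first time the file is loaded, as with any firewall change.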

Download the script:
default_firewall.sh

Posted in shell, security, Tech.



Linux basic security configuration manual

Installation notes

On a server, do not install components you do not need: when choosing package groups, skip the server bundles and the desktop, but do install the development tools and development libraries.
The commands below apply to Red Hat / CentOS 4 and 5.

1. Remove special system user accounts

Disable every default account that the operating system creates but that you do not need. Do this check when the system is first installed. Linux ships with a variety of accounts you may not need; if you do not need an account, remove it. The more accounts there are, the more ways in an attacker has.
======================================================================
# To delete a user from your system:
[root@c1gstudio]# userdel username

# Batch deletion
# This removes the accounts adm lp sync shutdown halt mail news uucp operator games gopher ftp
# If you run an ftp server or similar, keep the ftp account.
# Back up /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow first; some packages expect these accounts and groups to exist (the local mail spool is owned by the mail group, for example).

for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp ;do userdel $i ;done

======================================================================

2. Remove special system groups

[root@c1gstudio]# groupdel groupname

# Batch deletion

for i in adm lp mail news uucp games dip pppusers popusers slipusers ;do groupdel $i ;done

======================================================================

3. Password settings

The default minimum password length after installation is 5 characters, which is not enough; set it to 8. Edit login.defs: #vi /etc/login.defs

PASS_MAX_DAYS 99999 ##maximum password age (default)
PASS_MIN_DAYS 0 ##minimum password age
PASS_MIN_LEN 5 ##minimum password length; change 5 to 8
PASS_WARN_AGE 7 ##days of warning before a password expires

On PAM-based systems such as Red Hat/CentOS, passwd enforces length through pam_cracklib (the minlen option in /etc/pam.d/system-auth), so set that as well; PASS_MIN_LEN on its own only affects tools that bypass PAM.

Then change the root password
#passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
======================================================================

4. Automatic logout timeout

On Linux the root account has the highest privileges. If an administrator walks away without logging out of root, that is a serious risk, so the system should log the session out by itself. The TMOUT variable does this; it is measured in seconds. Edit /etc/profile (vi /etc/profile) and add the following line after "HISTSIZE=":

  TMOUT=300

300 means 300 seconds, i.e. 5 minutes: a logged-in user who does nothing for 5 minutes is logged out. Follow it with "readonly TMOUT; export TMOUT", otherwise any user can simply unset TMOUT in their own shell.
======================================================================

5. Limit the size of the shell command history

By default bash keeps up to 500 commands in $HOME/.bash_history (the default varies between distributions; Red Hat sets HISTSIZE=1000 in /etc/profile). Every user's home directory has such a file, and limiting its size is strongly recommended.
Edit /etc/profile and change the setting to HISTFILESIZE=30 or HISTSIZE=30:
#vi /etc/profile

HISTSIZE=30

======================================================================

6. Delete the command history on logout

Edit /etc/skel/.bash_logout and add the line:

rm -f $HOME/.bash_history

Every user created from then on has their history deleted on logout (existing users keep the .bash_logout they already have, which has to be edited separately).
To do this only for a particular user, such as root, add the same line to that user's $HOME/.bash_logout instead.
Bear in mind that a deleted history is lost to you as well: if the account is compromised, the attacker's commands go with it. On a server, shipping the history to a central log is often the better trade-off.

======================================================================

7. Add the groups and user accounts you need

[root@c1gstudio]# groupadd
For example, to add the website group: groupadd website
Then use vigr to check that the group was added.

Add the user accounts you need:
[root@c1gstudio]# useradd -g website username //adds the user to the website group (an ordinary web server administrator, not root)
Then use vipw to check that the user was added.

Set the user's password (at least 8 characters mixing letters and digits; keep it in a password manager rather than a plain file so it is not forgotten):
[root@c1gstudio]# passwd username
======================================================================

8. Restrict who may su to root

If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following lines:

#vi /etc/pam.d/su

auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website

This means only members of the website group can su to root. Put both lines at the top of the auth stack, above "auth include system-auth": PAM evaluates modules in order, and if pam_wheel came after a successful "sufficient" pam_unix entry it would never be consulted. Adding use_uid to the pam_wheel line makes it check the real user's groups rather than the login name.
======================================================================

9. Disallow root login over ssh

Change the sshd configuration so that ssh does not allow direct root logins; this reduces the chance of a successful brute-force attack on the system.

#vi /etc/ssh/sshd_config

#PermitRootLogin yes

Remove the # in front of this line and change it to:

PermitRootLogin no

sshd uses the first value it finds, so make sure no earlier, uncommented PermitRootLogin line remains (grep -n PermitRootLogin /etc/ssh/sshd_config), then reload with service sshd reload.

10. Change the sshd port

ssh listens on port 22 by default; moving it to 6022 avoids the routine scans. This cuts log noise and casual probing, nothing more; it does not replace key-based authentication or fail2ban.
Note: a mistake here can lock you out next time. Open both 22 and 6022 first, and only close 22 after testing.
Restarting sshd does not drop your current session, so open a second client to test the service.

#vi /etc/ssh/sshd_config
#add or change

#Port 22 #disable port 22
Port 6022 #add port 6022

#restart sshd

service sshd restart

Check that sshd is listening on the right port

netstat -lnp|grep ssh

#open port 6022 in iptables

vi /etc/sysconfig/iptables


#with the Red Hat default ruleset, add
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
#or
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
(ssh is TCP only; no udp rule for port 6022 is needed, and OUTPUT is accepted anyway.)

If SELinux is enforcing and sshd refuses to bind the new port, label it for sshd: semanage port -a -t ssh_port_t -p tcp 6022

Restart the iptables service

service iptables restart

#test that both ports accept connections, then remove port 22

See also:
Changing the default SSH port 22 on Linux
======================================================================

11. Disable services the system does not use

cd /etc/init.d #the init script directory
There are two ways to disable a service found here:
1. rename the script to *.old or similar, so the boot process no longer finds it; 2. use chkconfig to turn the service off for the relevant runlevels.
Note: with either method, first check that the service you are about to disable is not one this server specifically needs, so that nothing in use is shut down.

Use chkconfig to disable unused services (note the two dashes before level).
To see how many processes are running before you touch the startup scripts:
ps aux | wc -l

After changing the startup scripts, reboot and run the command again to see how many have gone. The fewer services run, the smaller the attack surface. The following shows what is still listening:
netstat -na --ip

Batch mode
Stop the services first

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ;do service $i stop;done

Disable them at boot

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ;do chkconfig $i off;done

Two entries in this list deserve a second look before you run it: auditd is the kernel audit daemon, so stopping it removes the audit trail an incident responder would want, and microcode_ctl also appears in the "services to keep" list further down.

Below is the manual form with explanations; after the batch commands there is no need to run these again.
chkconfig --level 345 apmd off ##only laptops need this
chkconfig --level 345 netfs off ## nfs client
chkconfig --level 345 yppasswdd off ## NIS server, many vulnerabilities
chkconfig --level 345 ypserv off ## NIS server, many vulnerabilities
chkconfig --level 345 dhcpd off ## dhcp server
chkconfig --level 345 portmap off ##required for rpc services (port 111)
chkconfig --level 345 lpd off ##print service
chkconfig --level 345 nfs off ## NFS server, very many vulnerabilities
chkconfig --level 345 sendmail off ##mail service, very many vulnerabilities
chkconfig --level 345 snmpd off ## SNMP; remote users can learn a lot about the system from it
chkconfig --level 345 rstatd off ##avoid running the r services, remote users can learn a lot from them
chkconfig --level 345 atd off ##a scheduler similar to cron
Note: the 3 and 5 in the chkconfig commands above are runlevels, which mean:
0: halt (never switch to this level)
1: single-user text mode
2: multi-user text mode without NFS
3: multi-user text mode with NFS
4: unused on Red Hat; some distributions use it for the X Window System
5: used by some distributions for the X Window System
6: reboot

Without --level, a bare on/off applies to runlevels 2, 3, 4 and 5 by default.

chkconfig cups off #printing
chkconfig bluetooth off # bluetooth
chkconfig hidd off # bluetooth input devices
chkconfig ip6tables off # ipv6 firewall
chkconfig ipsec off # vpn
chkconfig auditd off #kernel audit daemon (keep it if you want an audit trail)
chkconfig autofs off #automounter for CDs, floppies and disks

chkconfig avahi-daemon off #Zero Configuration Networking; generally useless on a server, disable
chkconfig avahi-dnsconfd off #Zero Configuration Networking, as above, disable
chkconfig cpuspeed off #dynamic CPU frequency scaling; disable on a server
chkconfig isdn off #isdn
chkconfig kudzu off #hardware detection service
chkconfig nfslock off #NFS file locking; file-sharing support, disable if not needed
chkconfig nscd off #password and group lookup cache, needed with NIS
chkconfig pcscd off #smart card support, disable if you have none
chkconfig yum-updatesd off #yum update daemon

chkconfig acpid off
chkconfig autofs off
chkconfig firstboot off
chkconfig mcstrans off #selinux
chkconfig microcode_ctl off #CPU microcode updates (listed below as a service to keep)
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig setroubleshoot off
chkconfig xfs off #X font server
chkconfig xinetd off
chkconfig messagebus off
chkconfig gpm off #console mouse
chkconfig restorecond off #selinux
chkconfig haldaemon off
chkconfig sysstat off
chkconfig readahead_early off
chkconfig anacron off

Services to keep

crond , irqbalance , microcode_ctl ,network , sshd ,syslog

Some of these services are already running, so reboot after changing the settings.

chkconfig
/*
Syntax: chkconfig [--add][--del][--list][service] or chkconfig [--level <runlevels>][service][on/off/reset]

Notes: a program developed by Red Hat under the GPL; it queries which system services the operating system runs in each runlevel, including the various daemons.

Parameters:
 --add  add the given service so that chkconfig manages it, and create the corresponding entries in the startup scripts.
 --del  remove the given service from chkconfig management and delete its startup entries.
 --level <runlevels>  the runlevels in which the service is to be switched on or off
*/
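The long deny-list above has to be kept in step with whatever the next install adds; the short "services to keep" list is the safer thing to reason from. The following is an added example, not from the manual: it reads "chkconfig --list" output and prints a chkconfig command for every service still enabled in runlevel 3 or 5 that is not on the keep list (iptables added, since the page sets it up later). The keep list is the manual's; the sample chkconfig output in sample_chkconfig is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the manual: the "services to keep" list turned into
# an allow-list check. Feed it `chkconfig --list` and it prints the chkconfig
# command for every service still enabled in runlevel 3 or 5 that is not on
# the list, so nothing is stopped by accident and nothing is missed.
KEEP="crond irqbalance microcode_ctl network sshd syslog iptables"

# stdin: lines like "sendmail  0:off 1:off 2:on 3:on 4:on 5:on 6:off".
# The xinetd sub-service block ("name: on") at the end is skipped; review it separately.
unwanted_services() {
    awk -v keep=" $KEEP " '
    /^xinetd based services:/ { inx = 1 }
    inx || NF < 8 { next }
    {
        on = 0
        for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
        if (on && index(keep, " " $1 " ") == 0) print "chkconfig " $1 " off"
    }'
}

# Constructed sample of chkconfig --list output for trying the check offline.
sample_chkconfig() {
    cat <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
        telnet: on
EOF
}

# usage on a real host:  chkconfig --list | unwanted_services
# (review the output, then pipe it into sh as root)
```

Run it again after installing packages: a new package that registers a service turns up in the output by itself, which a fixed list of names to stop never does.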

======================================================================

12. Stop the system responding to ping requests from inside or outside

If no one can ping your machine and get a reply, your site is a little harder to map. Add the following line to /etc/rc.d/rc.local so that it runs at every boot:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#This one is optional: it does not hide the host from TCP scans, and it breaks ping-based monitoring.
======================================================================

12. Edit "/etc/host.conf"

  "/etc/host.conf" tells the resolver how to look up addresses. Edit "/etc/host.conf" (vi /etc/host.conf) and add these lines:
  # Look names up in /etc/hosts first, then fall back to DNS.
  order hosts,bind
  # We have machines with multiple IP addresses.
  multi on
  # Check for IP address spoofing.
  nospoof on

The first setting resolves names from the hosts file first and only then through DNS, so a local entry cannot be overridden by a forged DNS reply. The second allows a host in "/etc/hosts" to have several IP addresses (for example a machine with several network cards). The third asks the resolver to check for spoofing attempts against this host. On glibc systems the lookup order that actually applies comes from the hosts: line in /etc/nsswitch.conf, so check that file too.
======================================================================

13. Disallow root login from the consoles

  "/etc/securetty" defines which TTY devices root may log in from. To forbid root logins on a TTY, edit "/etc/securetty" and put a "#" in front of that device, or delete the line.

  /etc/inittab contains the following section:
  # Run gettys in standard runlevels
  1:2345:respawn:/sbin/mingetty tty1
  2:2345:respawn:/sbin/mingetty tty2
  #3:2345:respawn:/sbin/mingetty tty3
  #4:2345:respawn:/sbin/mingetty tty4
  #5:2345:respawn:/sbin/mingetty tty5
  #6:2345:respawn:/sbin/mingetty tty6

  By default six consoles are available (Alt+F1, Alt+F2, ...). Putting a "#" in front of lines 3, 4, 5 and 6 leaves only two consoles, which is a sensible number to keep. Note the difference: securetty only blocks root on a console, while commenting a getty out in inittab removes the console for everyone. Then re-read inittab with "init q" for the change to take effect.
======================================================================

15. Disable the Control-Alt-Delete reboot

  In "/etc/inittab", comment out the following line (with #):
  ca::ctrlaltdel:/sbin/shutdown -t3 -r now
  so that it reads:
  #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

  For the change to take effect, run:
# /sbin/init q
======================================================================

16. Make the following files immutable with chattr

[root@c1gstudio]# chattr +i /etc/passwd
[root@c1gstudio]# chattr +i /etc/shadow
[root@c1gstudio]# chattr +i /etc/group
[root@c1gstudio]# chattr +i /etc/gshadow
[Note: chattr changes file attributes; the i attribute means the file or directory may not be modified (immutable). Check with lsattr /etc/passwd; revert with chattr -i /etc/group. While the flag is set, useradd, passwd and similar tools fail, so remove it before managing accounts. Root can remove it too: it stops accidents and careless scripts, not an attacker who already has root.]
Notes: this command changes the attributes of files or directories on an ext2/ext3 file system. The attributes are:
 a: append only.
 A: do not update the access time.
 c: store compressed.
 d: exclude from dump backups.
 i: immutable, may not be modified.
 s: secure deletion (the blocks are zeroed on delete).
 S: synchronous updates.
 u: undeletable (the contents are kept for recovery).

Parameters:
 -R recurse, processing all files and subdirectories under the given directory.
 -v<version> set the file or directory version.
 -V show what the command does.
 +<attribute> set the attribute on the file or directory.
 -<attribute> clear the attribute.
 =<attribute> set exactly these attributes.

======================================================================

17. Lock the system service port list

Purpose: prevent services being removed from or added to the list without authorization

chattr +i /etc/services
[Check with lsattr /etc/services; revert with chattr -i /etc/services]

======================================================================

17. File permission changes

File system security on Linux is mostly a matter of file permissions. Every file or directory has three sets of permissions, for its owner, its group and everyone else (read, write, execute, plus the SUID and SGID bits). SUID and SGID executables deserve particular attention: while such a program runs, the process has the privileges of the file's owner, and if an attacker finds and exploits a flaw in it the whole system is at risk.

(1) Restrict the init scripts:
chmod -R 700 /etc/init.d/* (recursive; owner has rwx, group and others nothing)

(2) Remove the SUID and SGID bits from some system programs:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /sbin/netreport
Removing the bits also removes the function for ordinary users (chsh, chfn, gpasswd, newgrp and user-mountable fstab entries stop working for them), and package updates put the bits back, so repeat this after every yum update. The script version of this list uses /bin/traceroute; use whichever path exists on your system.

(3) Protect the boot loader configuration
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
[Check with lsattr /etc/grub.conf; revert with chattr -i /etc/grub.conf]
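A fixed list of paths to strip only covers the binaries someone thought of, and an update or an intruder can add a new set-uid file without touching any of them. The following is an added example, not from the manual: it treats the set-uid/set-gid bits as an allow-list, reports every set-uid file under a root that is not on the list, and can clear the bits on the rest with the same chmod a-s the manual uses. The fixture tree built by make_fixture is constructed for the demonstration; on a real host, point it at / and keep the allow-list under version control.

```shell
#!/bin/sh
# Added example, not part of the manual: find set-uid/set-gid files under a
# directory and report (or clear) the ones that are not on an allow-list.
# Paths are reported relative to the root, so one allow-list serves for / and
# for a mounted image or copied tree. The fixture in make_fixture is constructed.

# All set-uid/set-gid regular files under $1 (one file system, symlinks not followed).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Paths from list_suid "$1" that are not in the allow-list file "$2"
# (one absolute path per line, e.g. /bin/su).
unexpected_suid() {
    root=$1; allow=$2
    list_suid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}; rel=/${rel#/}
        grep -qxF -- "$rel" "$allow" || printf '%s\n' "$rel"
    done
}

# Clear the bits on everything unexpected_suid reports (chmod a-s, as in the manual).
strip_unexpected_suid() {
    root=$1; allow=$2
    unexpected_suid "$root" "$allow" | while IFS= read -r rel; do
        chmod a-s "$root$rel" && printf 'cleared: %s\n' "$rel"
    done
}

# Constructed fixture: a tiny root with three set-uid files, two of them expected.
make_fixture() {
    d=$1
    mkdir -p "$d/bin" "$d/usr/bin"
    for f in bin/su bin/mount usr/bin/chfn usr/bin/plain; do : > "$d/$f"; done
    chmod 4755 "$d/bin/su" "$d/bin/mount" "$d/usr/bin/chfn"
    chmod 0755 "$d/usr/bin/plain"
    printf '/bin/su\n/bin/mount\n' > "$d/allow.txt"
}

# usage on a real host (allow-list kept in version control):
#   unexpected_suid / /root/suid-allow.txt          # report only
#   strip_unexpected_suid / /root/suid-allow.txt    # report and clear
```

Run the report form from cron: a new path in its output after a yum update is exactly the case the manual warns about, and a new path with no update behind it is worth an incident-response look rather than a quiet chmod.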

======================================================================

18. Add DNS servers

#vi /etc/resolv.conf

nameserver 8.8.8.8 #google dns
nameserver 8.8.4.4

======================================================================

19. Change the hostname

#note: stop services such as mysql and postfix first
1.hostname servername

2.vi /etc/sysconfig/network
service network restart

3.vi /etc/hosts

======================================================================

20. SELinux

Enabling SELinux improves security, but you may run into odd problems when installing software.
To turn it off:
#vi /etc/selinux/config
set SELINUX=disabled
Prefer SELINUX=permissive while troubleshooting: it logs what would have been blocked without blocking it, and unlike disabled it keeps the files labelled, so turning enforcement back on later does not need a full relabel (touch /.autorelabel and reboot).

======================================================================

21. Disable IPv6


echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf

#vi /etc/sysconfig/network

NETWORKING_IPV6=no

Restart the services

service ip6tables stop
service network restart

Disable at boot

chkconfig --level 235 ip6tables off

======================================================================

22. Set up iptables

iptables default security rules script

======================================================================

Reboot

Most of the settings above can be applied with the script
Linux security configuration script

Reboot the system when done

Other settings

Adjusting the time zone and time on Linux

Symlink the matching zone file from /usr/share/zoneinfo to /etc/localtime; for Shanghai time, for example: ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
To keep the hardware clock in UTC, set UTC=TRUE in /etc/sysconfig/clock.
Setting the time: use date -s. Linux's format is "MMDDhhmmYYYY"; you can also set only the time, date -s 22:30:20. To set date and time together the format is "MMDDhhmmYYYY.ss", so 2007-03-18 11:01:56 is written as date -s 031811012007.56
Write the current time to the hardware clock: hwclock --systohc, or hwclock --systohc --utc if the hardware clock keeps UTC.

Adjusting the time zone and time on Linux (alternative)

1) Find the matching zone file /usr/share/zoneinfo/Asia/Shanghai

and replace the current /etc/localtime with it:
cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
confirm the overwrite
2) Edit /etc/sysconfig/clock to:

ZONE="Asia/Shanghai"
UTC=false
ARC=false

3)
To set the date to 30 August 2005:
#date -s 08/30/2005

To set the time to 18:40:00:
#date -s 18:40:00

4)
Write the system time to the BIOS/CMOS clock:
#clock -w

======================================================================

Add the NetEase (163) yum mirror

#cd /etc/yum.repos.d/
#mv CentOS-Base.repo CentOS-Base.repo.bak
#wget http://mirrors.163.com/.help/CentOS-Base-163.repo
Check that the downloaded file still has gpgcheck=1 and the CentOS gpgkey line, so that packages from the mirror remain signature-checked.

======================================================================

Install ntpd

#yum install ntp
#chkconfig --levels 235 ntpd on
#ntpdate ntp.api.bz #step the clock once by hand first
#service ntpd start

======================================================================

Language settings

English system language with Chinese support
#vi /etc/sysconfig/i18n

LANG="en_US.UTF-8"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh"
SYSFONT="latarcyrheb-sun16"

======================================================================

tmpwatch scheduled cleanup

Assuming the server uses its own php session and upload directories

#vi /etc/cron.daily/tmpwatch
On the line containing "240 /tmp", insert in front of it
-x /tmp/session -x /tmp/upload

#mkdir /tmp/session
#mkdir /tmp/upload
#chown nobody:nobody /tmp/upload
#chmod 0770 /tmp/upload
======================================================================

Install fail2ban

Use fail2ban to block ssh brute-force attempts
======================================================================

Install Tripwire

Install Tripwire to check file integrity
======================================================================

Install jailkit

Create a chrooted sftp environment with jailkit

Posted in security, Tech.



Norton offers a free DNS service

Norton, known for its antivirus software, has launched a free DNS resolution service.

To use Norton DNS Public, set your computer's DNS servers to:

    198.153.192.1
    198.153.194.1

A ping from my Shanghai Telecom connection is a little slower than to Google's 8.8.8.8.

C:\Documents and Settings\User>ping 198.153.192.1

Pinging 198.153.192.1 with 32 bytes of data:

Reply from 198.153.192.1: bytes=32 time=134ms TTL=48
Reply from 198.153.192.1: bytes=32 time=134ms TTL=48
Reply from 198.153.192.1: bytes=32 time=133ms TTL=48
Reply from 198.153.192.1: bytes=32 time=134ms TTL=48

Ping statistics for 198.153.192.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 133ms, Maximum = 134ms, Average = 133ms

Setup guide
http://www.nortondns.com/windows.html

========================
Google's free DNS

    8.8.8.8
    8.8.4.4

========================
OpenDNS's free DNS

    208.67.222.222
    208.67.220.220

========================
Other short DNS addresses

    4.3.2.1
    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

Posted in other, website building.



GoDaddy domain registration coupon code for 6.89 dollars

GoDaddy coupon code: cjc689upr

Discount: this GoDaddy code registers domains at $6.78 per year for multiple years; it can only be used for domain registration, and Alipay is accepted.

This GoDaddy coupon expires: 2010.06.30

Posted in other, website building.



Shell anti-scraping script

Introduction
The script is written in bash and is only a simple defence that makes scraping harder.
It relies on a characteristic of scrapers: they request at a high rate and fetch only the key files (html, php ...) without the supporting files (css, js, jpg ...). IPs matching that pattern are picked out and put into iptables.

Sample log lines from a scraper

122.70.137.104 - - [10/Jun/2010:13:11:05 +0800] "GET /chongqingjob/list_1.html HTTP/1.0" 200 24013 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.93341)" -
122.70.137.104 - - [10/Jun/2010:13:11:05 +0800] "GET /chongqingjob/list_2.html HTTP/1.0" 200 22803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.97314)" -
122.70.137.104 - - [10/Jun/2010:13:11:05 +0800] "GET /chongqingjob/list_3.html HTTP/1.0" 200 22397 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.99305)" -
122.70.137.104 - - [10/Jun/2010:13:11:05 +0800] "GET /yunnanjob/list_1.html HTTP/1.0" 200 23545 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.2415)" -
122.70.137.104 - - [10/Jun/2010:13:11:05 +0800] "GET /yunnanjob/list_2.html HTTP/1.0" 200 22274 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.96797)" -
122.70.137.104 - - [10/Jun/2010:13:11:06 +0800] "GET /yunnanjob/list_3.html HTTP/1.0" 200 22222 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.33279)" -
122.70.137.104 - - [10/Jun/2010:13:11:06 +0800] "GET /guizhoujob/list_1.html HTTP/1.0" 200 23911 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.34389)" -
122.70.137.104 - - [10/Jun/2010:13:11:06 +0800] "GET /guizhoujob/list_2.html HTTP/1.0" 200 22928 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.4951)" -
122.70.137.104 - - [10/Jun/2010:13:11:06 +0800] "GET /guizhoujob/list_3.html HTTP/1.0" 200 22232 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 2.0.18697)" -

Default script behaviour
1. Runs every 3 minutes
2. Checks whether it is time to clear the scraper IPs out of iptables
3. Takes the access log for the last 3 minutes, excluding Baidu and other spiders
4. Takes the top three IPs with more than 60 requests
5. Checks whether each one is a trusted IP
6. Checks whether it requested favicon.ico at least 2 times
7. Puts the scraper IPs into iptables

Parameters

#location of the script's own log
V_DEBUGLOG=./kickleech.log
#apache or nginx access log
V_LOG=/opt/nginx/logs/blog.c1gstudio.com.log
#temporary file for the access log extract
V_TMPFILE=/opt/nginx/logs/kickleechtmp.log
#temporary file for the IP list
V_IPTMPFILE=./kickleechip.log
#how many minutes of access log to examine
V_TIMELIMIT=3
#request rate; only IPs above this value are examined
V_THRESHOLD=60
#how many IPs to put into iptables (in descending order of request count)
V_MAXIP=3
#trusted IP addresses
V_SAFEIP="192.168.0.15 222.147.111.3 222.236.154.162"
#verification string: an IP that requests ${V_CODE} fewer than ${V_REQUESTNUM} times within ${V_TIMELIMIT} minutes is considered a scraper
V_CODE='favicon.ico'
#whether to insert into iptables (the rules are not saved; a reload or restart clears the recorded IPs), 1=insert, 0=log only
V_IPTABLES=1
#web port used in the iptables rule
V_HTTPPORT=80
#when to clear the scraper entries: at minute 3, 12, ... of the hour the scraper IPs are removed, after which they can scrape again
#must be coordinated with the crontab schedule; only the scraper-related IPs are flushed
V_IPTABLESFLUSHTIME="3 12 21 33 42 51"
V_REQUESTNUM=2

About V_CODE
V_CODE='favicon.ico'
This can be any css file, image or similar.
Here it is favicon.ico, the bookmark icon, which browsers request from the site root by themselves; make sure the file exists.
Do not set an expires time on it, or cached visits will not appear in the log.
nginx configuration:

location ~ (favicon\.ico) {
#log_not_found off;
expires -1;
break;
}

With this, a visit with a cached copy still produces a 304 request in the log

222.236.154.162 - - [10/Jun/2010:10:50:37 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)" -
222.236.154.162 - - [10/Jun/2010:10:52:13 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 ( .NET CLR 3.5.30729)" -

kickleech.log format

=====Thu Jun 10 13:12:01 CST 2010========
Flush iptables #scraper IPs cleared from iptables
148 122.70.137.104 #request count and IP
Bad guy 122.70.137.104 #judged to be a scraper
iptables 122.70.137.104 #inserted into iptables
=====Thu Jun 10 13:15:01 CST 2010========
None IP #no IP exceeded the request threshold
=====Thu Jun 10 13:18:01 CST 2010========
165 222.236.154.162
155 125.69.85.71
Safe ip 222.236.154.162 #trusted IP
That's ok 125.69.85.71 #judged not to be a scraper
=====Thu Jun 10 13:18:03 CST 2010========
235 202.102.111.124
That's ok 202.102.111.124 #judged not to be a scraper
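The post describes the rule but the script itself is only available as a download. The following is an added example, not the kickleech.sh from the zip: the same heuristic written out so it can be tried offline. It counts requests per IP over the lines it is given, drops spider user agents before counting, takes the V_MAXIP busiest IPs above V_THRESHOLD, and labels each one safe (on V_SAFEIP), ok (fetched V_CODE at least V_REQUESTNUM times) or bad. The parameter names are the page's; the IPs, paths and user agents produced by sample_log are constructed traffic, not real log data. Only the "bad" verdicts turn into iptables commands, and those are printed rather than run.

```shell
#!/bin/sh
# Added example, not the kickleech.sh download: the scraper rule described on the
# page, run over constructed access-log lines. Parameter names follow the page.
V_THRESHOLD=60          # only IPs with more requests than this are examined
V_MAXIP=3               # how many of the busiest IPs to examine
V_SAFEIP="192.168.0.15 222.147.111.3 222.236.154.162"
V_CODE='favicon.ico'    # a browser fetches this by itself; a scraper does not
V_REQUESTNUM=2          # fewer than this many V_CODE requests => scraper
V_HTTPPORT=80

# stdin: combined-format log lines for the window being examined.
# stdout: "<count> <ip> <verdict>" for the top V_MAXIP IPs over the threshold,
# or "None IP" when nothing is over it. verdict is safe, ok or bad.
classify() {
    awk -v thr="$V_THRESHOLD" -v maxip="$V_MAXIP" -v safe=" $V_SAFEIP " \
        -v code="$V_CODE" -v reqnum="$V_REQUESTNUM" '
    # spiders are excluded before counting, as the page does for Baidu
    /Baiduspider|Googlebot|Yahoo! Slurp|bingbot/ { next }
    {
        ip = $1
        split($0, q, "\"")            # q[2] is the request line: GET /path HTTP/1.x
        split(q[2], r, " ")           # r[2] is the path
        total[ip]++
        if (index(r[2], code) > 0) fav[ip]++
    }
    END {
        n = 0
        for (ip in total) if (total[ip] > thr) { n++; cnt[n] = total[ip]; who[n] = ip }
        if (n == 0) { print "None IP"; exit }
        # sort descending by count (n is small, an exchange sort is enough)
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (cnt[j] > cnt[i]) {
                    t = cnt[i]; cnt[i] = cnt[j]; cnt[j] = t
                    u = who[i]; who[i] = who[j]; who[j] = u
                }
        for (i = 1; i <= n && i <= maxip; i++) {
            v = "ok"
            if (index(safe, " " who[i] " ") > 0) v = "safe"
            else if (fav[who[i]] + 0 < reqnum) v = "bad"
            print cnt[i], who[i], v
        }
    }'
}

# "bad" verdicts as iptables commands; printed, not run (review, then pipe into sh as root).
ban_commands() {
    classify | awk -v port="$V_HTTPPORT" \
        '$3 == "bad" { print "iptables -I INPUT -s " $2 " -p tcp --dport " port " -j DROP" }'
}

# ---- constructed sample traffic ---------------------------------------------
logline() {
    printf '%s - - [10/Jun/2010:13:11:05 +0800] "GET %s HTTP/1.1" 200 1234 "-" "%s"\n' "$1" "$2" "$3"
}
sample_log() {
    i=0; while [ $i -lt 70 ]; do      # scraper: 70 list pages, never the favicon
        logline 122.70.137.104 "/chongqingjob/list_$i.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
        i=$((i + 1)); done
    i=0; while [ $i -lt 63 ]; do      # real browser: 63 pages plus the favicon twice
        logline 125.69.85.71 "/job/view_$i.html" "Mozilla/5.0 (Windows; Firefox/3.5.9)"
        i=$((i + 1)); done
    logline 125.69.85.71 /favicon.ico "Mozilla/5.0 (Windows; Firefox/3.5.9)"
    logline 125.69.85.71 /favicon.ico "Mozilla/5.0 (Windows; Firefox/3.5.9)"
    i=0; while [ $i -lt 61 ]; do      # trusted IP: busy, no favicon, but on V_SAFEIP
        logline 222.236.154.162 "/post_$i.html" "Mozilla/5.0"
        i=$((i + 1)); done
    i=0; while [ $i -lt 200 ]; do     # spider: excluded by user agent
        logline 220.181.7.1 "/page_$i.html" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
        i=$((i + 1)); done
}

# usage:  sample_log | classify        # or:  tail -n 5000 access.log | ban_commands
```

The user-agent exclusion is the weak point of the rule: it is the client's own claim, so a scraper that sends a Baiduspider string walks straight past it. Verifying claimed spiders by reverse DNS of the source address is the usual fix, and the favicon test is there to catch the rest.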

Installation
Download the script and upload it to /opt/shell

chmod 0755 /opt/shell/kickleech.sh

As root, run

crontab -e

and add the scheduled job

*/3 * * * * cd /opt/shell && /bin/sh ./kickleech.sh > /dev/null 2>&1

Download the script
kickleech.zip

Posted in shell, Tech.



Latest GoDaddy 0.99 dollar domain coupon code

GoDaddy domain coupon code: INDY2010

This GoDaddy code can be used to register and transfer .com, .net, .mobi, .biz, .us, .org, .ca, .co.uk and .in domains
As usual, this GoDaddy code only works with credit card payment

It also seems to throw in a free .info domain.

I just bought a .com domain; with the $0.18 fee the total came to $1.17

Source:
http://godaddy.mrooo.com/godaddy-new-0-99-coupon-domain.html


2010-6-22
This coupon code has expired

Posted in other, website building.



Linux's Out-of-Memory (OOM) Killer

This one hit us too.

top – 10:53:30 up 111 days, 16:49, 1 user, load average: 2.68, 2.98, 3.39
Tasks: 131 total, 1 running, 130 sleeping, 0 stopped, 0 zombie
Cpu(s): 20.6%us, 8.9%sy, 0.0%ni, 69.7%id, 0.3%wa, 0.0%hi, 0.4%si, 0.0%st
Mem: 8168412k total, 7844888k used, 323524k free, 106604k buffers
Swap: 2097144k total, 88664k used, 2008480k free, 6534044k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13596 mysql 15 0 2325m 1.0g 4060 S 283.3 13.0 574:16.15 mysqld
1 root 15 0 10348 88 56 S 0.0 0.0 12:35.68 init
2 root RT -5 0 0 0 S 0.0 0.0 0:02.39 migration/0

#cat /var/log/messages |grep 'May 26 03'
May 26 03:29:35 touareg kernel: Node 1 Normal per-cpu: empty
May 26 03:29:35 touareg kernel: Node 1 HighMem per-cpu: empty
May 26 03:29:36 touareg kernel: Free pages: 12980kB (0kB HighMem)
May 26 03:29:36 touareg kernel: Active:612100 inactive:1406689 dirty:0 writeback:0 unstable:0 free:3245 slab:6346 mapped-file:1004 mapped-anon:2018482 pagetables:6473
May 26 03:29:37 touareg kernel: Node 0 DMA free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:29:38 touareg kernel: lowmem_reserve[]: 0 1242 6040 6040
May 26 03:29:38 touareg kernel: Node 0 DMA32 free:1876kB min:1768kB low:2208kB high:2652kB active:1092684kB inactive:196800kB present:1272420kB pages_scanned:3346160 all_unreclaimable? yes
May 26 03:29:39 touareg kernel: lowmem_reserve[]: 0 0 4797 4797
May 26 03:29:39 touareg kernel: Node 0 Normal free:6548kB min:6836kB low:8544kB high:10252kB active:514812kB inactive:4318496kB present:4912640kB pages_scanned:17304011 all_unreclaimable? yes
May 26 03:29:40 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:29:41 touareg kernel: Node 0 HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:29:42 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:29:43 touareg kernel: Node 1 DMA free:1736kB min:12kB low:12kB high:16kB active:0kB inactive:0kB present:10696kB pages_scanned:0 all_unreclaimable? yes
May 26 03:29:43 touareg kernel: lowmem_reserve[]: 0 2004 2004 2004
May 26 03:29:43 touareg kernel: Node 1 DMA32 free:2820kB min:2856kB low:3568kB high:4284kB active:845864kB inactive:1106756kB present:2052320kB pages_scanned:4059828 all_unreclaimable? yes
May 26 03:29:44 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:29:45 touareg kernel: Node 1 Normal free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:29:45 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:29:46 touareg kernel: Node 1 HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:29:46 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:29:47 touareg kernel: Node 0 DMA: empty
May 26 03:29:47 touareg kernel: Node 0 DMA32: 31*4kB 7*8kB 4*16kB 1*32kB 1*64kB 0*128kB 0*256kB 1*512kB 1*1024kB 0*2048kB 0*4096kB = 1876kB
May 26 03:29:47 touareg kernel: Node 0 Normal: 115*4kB 3*8kB 11*16kB 8*32kB 4*64kB 2*128kB 2*256kB 1*512kB 0*1024kB 0*2048kB 1*4096kB = 6548kB
May 26 03:29:48 touareg kernel: Node 0 HighMem: empty
May 26 03:29:48 touareg kernel: Node 1 DMA: 2*4kB 2*8kB 1*16kB 5*32kB 4*64kB 0*128kB 1*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 1736kB
May 26 03:29:48 touareg kernel: Node 1 DMA32: 63*4kB 7*8kB 17*16kB 2*32kB 2*64kB 6*128kB 1*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 2820kB
May 26 03:29:49 touareg kernel: Node 1 Normal: empty
May 26 03:29:49 touareg kernel: Node 1 HighMem: empty
May 26 03:29:50 touareg kernel: 1339 pagecache pages
May 26 03:29:50 touareg kernel: Swap cache: add 1051209, delete 1051023, find 5464906/5502739, race 0+41
May 26 03:29:50 touareg kernel: Free swap = 0kB
May 26 03:29:51 touareg kernel: Total swap = 2097144kB
May 26 03:29:51 touareg kernel: Free swap: 0kB
May 26 03:29:51 touareg kernel: 2293760 pages of RAM
May 26 03:29:52 touareg kernel: 251657 reserved pages
May 26 03:29:52 touareg kernel: 6005 pages shared
May 26 03:29:53 touareg kernel: 263 pages swap cached
May 26 03:29:54 touareg kernel: Out of memory: Killed process 13285 (mysqld).
May 26 03:29:54 touareg kernel: sshd invoked oom-killer: gfp_mask=0x200d2, order=0, oomkilladj=0
May 26 03:29:55 touareg kernel:
May 26 03:29:55 touareg kernel: Call Trace:
May 26 03:29:56 touareg kernel: [] out_of_memory+0x8e/0x2f5
May 26 03:29:57 touareg kernel: [] __alloc_pages+0x245/0x2ce
May 26 03:29:57 touareg kernel: [] read_swap_cache_async+0x45/0xd8
May 26 03:29:57 touareg kernel: [] wake_bit_function+0x0/0x23
May 26 03:29:58 touareg kernel: [] swapin_readahead+0x60/0xd3
May 26 03:29:58 touareg kernel: [] __handle_mm_fault+0x9bc/0xe5c
May 26 03:29:59 touareg kernel: [] do_page_fault+0x4cb/0x830
May 26 03:29:59 touareg kernel: [] skb_dequeue+0x48/0x50
May 26 03:30:00 touareg kernel: [] unix_release_sock+0x19e/0x1fa
May 26 03:30:00 touareg kernel: [] dput+0x2c/0x114
May 26 03:30:00 touareg kernel: [] error_exit+0x0/0x84
May 26 03:30:01 touareg kernel:
May 26 03:30:01 touareg kernel: Mem-info:
May 26 03:30:01 touareg kernel: Node 0 DMA per-cpu: empty
May 26 03:30:02 touareg kernel: Node 0 DMA32 per-cpu:
May 26 03:30:03 touareg kernel: cpu 0 hot: high 186, batch 31 used:89
May 26 03:30:03 touareg kernel: cpu 0 cold: high 62, batch 15 used:57
May 26 03:30:03 touareg kernel: cpu 1 hot: high 186, batch 31 used:0
May 26 03:30:04 touareg kernel: cpu 1 cold: high 62, batch 15 used:0
May 26 03:30:04 touareg kernel: cpu 2 hot: high 186, batch 31 used:180
May 26 03:30:04 touareg kernel: cpu 2 cold: high 62, batch 15 used:61
May 26 03:30:05 touareg kernel: cpu 3 hot: high 186, batch 31 used:0
May 26 03:30:05 touareg kernel: cpu 3 cold: high 62, batch 15 used:29
May 26 03:30:05 touareg kernel: cpu 4 hot: high 186, batch 31 used:155
May 26 03:30:05 touareg kernel: cpu 4 cold: high 62, batch 15 used:48
May 26 03:30:05 touareg kernel: cpu 5 hot: high 186, batch 31 used:0
May 26 03:30:05 touareg kernel: cpu 5 cold: high 62, batch 15 used:14
May 26 03:30:06 touareg kernel: cpu 6 hot: high 186, batch 31 used:98
May 26 03:30:06 touareg kernel: cpu 6 cold: high 62, batch 15 used:54
May 26 03:30:06 touareg kernel: cpu 7 hot: high 186, batch 31 used:0
May 26 03:30:06 touareg kernel: cpu 7 cold: high 62, batch 15 used:2
May 26 03:30:06 touareg kernel: Node 0 Normal per-cpu:
May 26 03:30:06 touareg kernel: cpu 0 hot: high 186, batch 31 used:3
May 26 03:30:07 touareg kernel: cpu 0 cold: high 62, batch 15 used:56
May 26 03:30:07 touareg kernel: cpu 1 hot: high 186, batch 31 used:0
May 26 03:30:07 touareg kernel: cpu 1 cold: high 62, batch 15 used:0
May 26 03:30:07 touareg kernel: cpu 2 hot: high 186, batch 31 used:15
May 26 03:30:07 touareg kernel: cpu 2 cold: high 62, batch 15 used:48
May 26 03:30:07 touareg kernel: cpu 3 hot: high 186, batch 31 used:0
May 26 03:30:08 touareg kernel: cpu 3 cold: high 62, batch 15 used:0
May 26 03:30:08 touareg kernel: cpu 4 hot: high 186, batch 31 used:103
May 26 03:30:08 touareg kernel: cpu 4 cold: high 62, batch 15 used:51
May 26 03:30:08 touareg kernel: cpu 5 hot: high 186, batch 31 used:0
May 26 03:30:08 touareg kernel: cpu 5 cold: high 62, batch 15 used:0
May 26 03:30:08 touareg kernel: cpu 6 hot: high 186, batch 31 used:113
May 26 03:30:09 touareg kernel: cpu 6 cold: high 62, batch 15 used:60
May 26 03:30:09 touareg kernel: cpu 7 hot: high 186, batch 31 used:0
May 26 03:30:09 touareg kernel: cpu 7 cold: high 62, batch 15 used:0
May 26 03:30:09 touareg kernel: Node 0 HighMem per-cpu: empty
May 26 03:30:09 touareg kernel: Node 1 DMA per-cpu:
May 26 03:30:09 touareg kernel: cpu 0 hot: high 0, batch 1 used:0
May 26 03:30:09 touareg kernel: cpu 0 cold: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 1 hot: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 1 cold: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 2 hot: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 2 cold: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 3 hot: high 0, batch 1 used:0
May 26 03:30:10 touareg kernel: cpu 3 cold: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 4 hot: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 4 cold: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 5 hot: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 5 cold: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 6 hot: high 0, batch 1 used:0
May 26 03:30:11 touareg kernel: cpu 6 cold: high 0, batch 1 used:0
May 26 03:30:12 touareg kernel: cpu 7 hot: high 0, batch 1 used:0
May 26 03:30:12 touareg kernel: cpu 7 cold: high 0, batch 1 used:0
May 26 03:30:12 touareg kernel: Node 1 DMA32 per-cpu:
May 26 03:30:12 touareg kernel: cpu 0 hot: high 186, batch 31 used:0
May 26 03:30:12 touareg kernel: cpu 0 cold: high 62, batch 15 used:0
May 26 03:30:12 touareg kernel: cpu 1 hot: high 186, batch 31 used:27
May 26 03:30:12 touareg kernel: cpu 1 cold: high 62, batch 15 used:37
May 26 03:30:12 touareg kernel: cpu 2 hot: high 186, batch 31 used:0
May 26 03:30:13 touareg kernel: cpu 2 cold: high 62, batch 15 used:0
May 26 03:30:13 touareg kernel: cpu 3 hot: high 186, batch 31 used:13
May 26 03:30:13 touareg kernel: cpu 3 cold: high 62, batch 15 used:15
May 26 03:30:13 touareg kernel: cpu 4 hot: high 186, batch 31 used:0
May 26 03:30:13 touareg kernel: cpu 4 cold: high 62, batch 15 used:0
May 26 03:30:13 touareg kernel: cpu 5 hot: high 186, batch 31 used:176
May 26 03:30:13 touareg kernel: cpu 5 cold: high 62, batch 15 used:38
May 26 03:30:14 touareg kernel: cpu 6 hot: high 186, batch 31 used:0
May 26 03:30:14 touareg kernel: cpu 6 cold: high 62, batch 15 used:0
May 26 03:30:14 touareg kernel: cpu 7 hot: high 186, batch 31 used:10
May 26 03:30:14 touareg kernel: cpu 7 cold: high 62, batch 15 used:58
May 26 03:30:14 touareg kernel: Node 1 Normal per-cpu: empty
May 26 03:30:14 touareg kernel: Node 1 HighMem per-cpu: empty
May 26 03:30:15 touareg kernel: Free pages: 12348kB (0kB HighMem)
May 26 03:30:15 touareg kernel: Active:1054383 inactive:964358 dirty:0 writeback:0 unstable:0 free:3087 slab:6302 mapped-file:1005 mapped-anon:2018488 pagetables:6477
May 26 03:30:15 touareg kernel: Node 0 DMA free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:30:15 touareg kernel: lowmem_reserve[]: 0 1242 6040 6040
May 26 03:30:15 touareg kernel: Node 0 DMA32 free:1720kB min:1768kB low:2208kB high:2652kB active:699680kB inactive:588284kB present:1272420kB pages_scanned:2814597 all_unreclaimable? yes
May 26 03:30:15 touareg kernel: lowmem_reserve[]: 0 0 4797 4797
May 26 03:30:15 touareg kernel: Node 0 Normal free:6116kB min:6836kB low:8544kB high:10252kB active:2214940kB inactive:2618664kB present:4912640kB pages_scanned:16399035 all_unreclaimable? yes
May 26 03:30:16 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:30:16 touareg kernel: Node 0 HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:30:16 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:30:16 touareg kernel: Node 1 DMA free:1736kB min:12kB low:12kB high:16kB active:0kB inactive:0kB present:10696kB pages_scanned:0 all_unreclaimable? yes
May 26 03:30:16 touareg kernel: lowmem_reserve[]: 0 2004 2004 2004
May 26 03:30:16 touareg kernel: Node 1 DMA32 free:2776kB min:2856kB low:3568kB high:4284kB active:1303380kB inactive:650400kB present:2052320kB pages_scanned:4508965 all_unreclaimable? yes
May 26 03:30:16 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:30:17 touareg kernel: Node 1 Normal free:0kB min:0kB low:0kB high:0kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:30:17 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:30:17 touareg kernel: Node 1 HighMem free:0kB min:128kB low:128kB high:128kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclaimable? no
May 26 03:30:17 touareg kernel: lowmem_reserve[]: 0 0 0 0
May 26 03:30:17 touareg kernel: Node 0 DMA: empty
May 26 03:30:17 touareg kernel: Node 0 DMA32: 0*4kB 5*8kB 3*16kB 1*32kB 1*64kB 0*128kB 0*256kB 1*512kB 1*1024kB 0*2048kB 0*4096kB = 1720kB
May 26 03:30:17 touareg kernel: Node 0 Normal: 497*4kB 44*8kB 40*16kB 20*32kB 9*64kB 1*128kB 1*256kB 1*512kB 1*1024kB 0*2048kB 0*4096kB = 6116kB
May 26 03:30:18 touareg kernel: Node 0 HighMem: empty
May 26 03:30:18 touareg kernel: Node 1 DMA: 2*4kB 2*8kB 1*16kB 5*32kB 4*64kB 0*128kB 1*256kB 0*512kB 1*1024kB 0*2048kB 0*4096kB = 1736kB
May 26 03:30:18 touareg kernel: Node 1 DMA32: 184*4kB 33*8kB 17*16kB 7*32kB 4*64kB 6*128kB 1*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 2776kB
May 26 03:30:18 touareg kernel: Node 1 Normal: empty
May 26 03:30:18 touareg kernel: Node 1 HighMem: empty
May 26 03:30:18 touareg kernel: 1379 pagecache pages
May 26 03:30:18 touareg kernel: Swap cache: add 1053289, delete 1053103, find 5465453/5503467, race 0+41
May 26 03:30:18 touareg kernel: Free swap = 0kB
May 26 03:30:19 touareg kernel: Total swap = 2097144kB
May 26 03:30:19 touareg kernel: Free swap: 0kB
May 26 03:30:19 touareg kernel: 2293760 pages of RAM
May 26 03:30:19 touareg kernel: 251657 reserved pages
May 26 03:30:19 touareg kernel: 5999 pages shared
May 26 03:30:19 touareg kernel: 263 pages swap cached
May 26 03:30:19 touareg kernel: Out of memory: Killed process 13328 (mysqld).
May 26 03:30:19 touareg kernel: mysqld: page allocation failure. order:0, mode:0x201d2

First, add 2G of swap.

#dd if=/dev/zero of=/opt/swapfile bs=1M count=2048
#mkswap /opt/swapfile
#swapon /opt/swapfile
#swapon -s

Filename Type Size Used Priority
/dev/mapper/VolGroup00-LogVol00 partition 2097144 87352 -1
/opt/swapfile file 2097144 0 -2

Add the entry to fstab, otherwise it will be gone after a reboot.
#vi /etc/fstab

/opt/swapfile swap swap defaults 0 0
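The kernel log above shows mysqld killed twice within 25 seconds with free swap at 0kB, and the post's fix is the dd/mkswap/swapon/fstab sequence. As an added example that is not part of the original post, the shell functions below pull such OOM events out of syslog-style lines so they can be counted per program, and wrap the swap-file steps with the checks a practitioner wants before running them on a live box. Function names (oom_kills, oom_kill_counts, add_swapfile, sample_messages) are hypothetical; the sample lines are constructed from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): detect OOM-killer events in
# kernel log lines and create a swap file safely. Names are hypothetical.

# oom_kills   (kernel/syslog lines on stdin)
#   Prints "<timestamp> <pid> <comm>" for each "Out of memory: Kill... process"
#   line ("Killed" on this kernel, "Kill" on newer ones).
oom_kills() {
    sed -n 's/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]*\) .*Out of memory: Kill[a-z]* process \([0-9][0-9]*\) (\([^)]*\)).*$/\1 \2 \3/p'
}

# oom_kill_counts   (kernel/syslog lines on stdin)
#   Prints "<count> <comm>", most-killed first, so a repeat victim stands out.
oom_kill_counts() {
    oom_kills | awk '{ c[$NF]++ } END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# add_swapfile PATH SIZE_MB
#   The dd/mkswap/swapon/fstab sequence from the post, plus the checks it
#   was missing: root only, never clobber an existing file, and mode 0600
#   (a swap file holds page contents; swapon warns when it is readable by others).
add_swapfile() {
    path="$1"
    size_mb="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "add_swapfile: must run as root" >&2
        return 1
    fi
    if [ -e "$path" ]; then
        echo "add_swapfile: $path already exists" >&2
        return 1
    fi
    dd if=/dev/zero of="$path" bs=1M count="$size_mb" || return 1
    chmod 600 "$path"
    mkswap "$path" || return 1
    swapon "$path" || return 1
    # persist across reboots unless an entry is already present
    grep -q "^$path[[:space:]]" /etc/fstab || printf '%s swap swap defaults 0 0\n' "$path" >> /etc/fstab
    swapon -s
}

# Constructed sample lines in the syslog format of the post (two kills).
sample_messages() {
    cat <<'EOF'
May 26 03:29:53 touareg kernel: 263 pages swap cached
May 26 03:29:54 touareg kernel: Out of memory: Killed process 13285 (mysqld).
May 26 03:29:54 touareg kernel: sshd invoked oom-killer: gfp_mask=0x200d2, order=0, oomkilladj=0
May 26 03:30:19 touareg kernel: Out of memory: Killed process 13328 (mysqld).
May 26 03:30:19 touareg kernel: mysqld: page allocation failure. order:0, mode:0x201d2
EOF
}

# Demo on the constructed lines; on a real host use: oom_kills < /var/log/messages
sample_messages | oom_kills
sample_messages | oom_kill_counts
```

Adding swap buys time; a process that keeps getting picked (mysqld here, the largest resident process in the top output above) is still the thing to size correctly.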

References
http://www.dbanotes.net/database/linux_outofmemory_oom_killer.html
http://jk.scanmon.com/1228.html
http://www.itjaj.com/thread-3029-1-1.html

Posted in linux maintenance & tuning, Technology.


Passed the RHCE

The results of your RHCE Certification Exam are reported below. The
RHCE Certification Exam allows candidates to qualify for the
Red Hat Certified Engineer (RHCE) and Red Hat Certified Technician
(RHCT) certificates. Please note that the RHCE designation is
understood to both include and supersede the RHCT designation.

RHCE requirements: score of 70 or higher on RHCT components (100 points)
score of 70 or higher on RHCE components (100 points)

RHCT requirement: score of 70 or higher on RHCT components (100 points)

RHCT components score: 92.6
RHCE components score: 100.0

RHCE Certification: PASS

Congratulations — you are now certified as a Red Hat Certified
Engineer! Your RHCE Certificate number is 80501000xxxxxxx.
The attached file is your personal print-ready certificate.

You are entitled to print this document and use it to demonstrate
that you are an RHCE, provided you remain an RHCE in good standing.
You may not modify or change the document’s contents in any way, nor
may you appropriate any elements of this document for use in other
electronic documents or printed materials. You may only print the
document in its entirety. Any other use of the document must be
approved by Red Hat, Inc.

Posted in RHCE&RHCA, Technology.