

yum: removing the X Window System

List the installed packages

yum list installed

Remove the X Window System

yum groupremove "X Window System"

The removal touches fewer packages than the installation did: groupinstall handles the packages the group depends on, while groupremove handles the packages that depend on the group.

Posted in Linux maintenance and tuning, Tech.


nginx reverse proxy for several domains (virtual hosts)

To reverse-proxy several domains on the same IP with nginx, pass the original Host header on to the backend:

proxy_set_header Host $host;

Example nginx.conf:

upstream mysvr {
    server 127.0.0.1:8080;
}
server
{
    listen 80;
    server_name servera.c1gstudio.com;
    index index.html index.htm index.php;
    root /opt/htdocs/www;

    location / {
        proxy_pass http://mysvr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server
{
    listen 80;
    server_name serverb.c1gstudio.com;
    index index.html index.htm index.php;
    root /opt/htdocs/www;

    location / {
        proxy_pass http://mysvr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Posted in Nginx, Tech.


Installing PHP extensions with phpize without recompiling PHP

When PHP is already built and running and you don't want to stop it for a full rebuild, this method adds extensions. It also works for libraries you wrote yourself; see HonestQiao's notes:
http://chinaunix.net/jh/27/547568.html

It needs the build environment PHP was originally compiled in (its source tree).
Example: adding the mhash and pcntl extensions that phpmsnclass needs.

1. Download the libraries
cd /home/c1g/src/

wget http://blog.s135.com/soft/linux/nginx_php/mcrypt/libmcrypt-2.5.8.tar.gz
wget http://blog.s135.com/soft/linux/nginx_php/mhash/mhash-0.9.9.9.tar.gz
wget http://blog.s135.com/soft/linux/nginx_php/mcrypt/mcrypt-2.6.8.tar.gz

2. Build and install the libraries

tar zxvf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8/
./configure
make
make install
/sbin/ldconfig
cd libltdl/
./configure --enable-ltdl-install
make
make install
cd ../../

tar zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9/
./configure
make
make install
cd ../

ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la
ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so
ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4
ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8
ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a
ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la
ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so
ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2
ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1

tar zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8/
/sbin/ldconfig
./configure
make
make install
cd ../

3. Build and install the mhash extension
Change into the original PHP source tree:

cd /home/c1g/src/php-5.2.6/ext/mhash
/opt/php/bin/phpize
# phpize prints the following and generates the build files:
# Configuring for:
# PHP Api Version: 20041225
# Zend Module Api No: 20060613
# Zend Extension Api No: 220060519
./configure --with-php-config=/opt/php/bin/php-config
make
make install

The generated mhash.so is placed in the following directory:
Installing shared extensions: /opt/php/lib/php/extensions/no-debug-non-zts-20060613/

4. Install pcntl

cd ../pcntl
/opt/php/bin/phpize
./configure --with-php-config=/opt/php/bin/php-config
make
make install

The generated pcntl.so is placed in the following directory:
Installing shared extensions: /opt/php/lib/php/extensions/no-debug-non-zts-20060613/

5. Edit php.ini: set the extension directory and the extensions to load

extension_dir = "/opt/php/lib/php/extensions/no-debug-non-zts-20060613/"

extension="mhash.so"
extension="pcntl.so"

6. Reload PHP

7. Check that the extensions are active
/opt/php/bin/php -m

[PHP Modules]
bcmath
ctype
curl
date
dom
filter
gd
hash
iconv
json
libxml
mbstring
mcrypt
memcache
mhash
mysql
mysqli
pcntl
pcre
PDO
pdo_sqlite
posix
Reflection
session
shmop
SimpleXML
SPL
SQLite
standard
sysvsem
tokenizer
XCache
xml
xmlreader
xmlwriter
zlib

[Zend Modules]
XCache

References:
http://blog.s135.com/nginx_php_v5/
http://blog.csdn.net/sdomain/archive/2009/09/04/4520425.aspx

Posted in PHP, Tech.


Filtering snmpd log output

/var/log/messages fills up with snmpd entries, which get in the way of reading the normal messages.
#tail /var/log/messages

Jan 19 10:01:07 touran snmpd[4033]: Received SNMP packet(s) from UDP: [127.0.0.1]:5392
Jan 19 10:01:07 touran snmpd[4033]: Connection from UDP: [127.0.0.1]:5392
Jan 19 10:01:07 touran last message repeated 10 times
Jan 19 10:04:09 touran snmpd[4033]: Connection from UDP: [127.0.0.1]:5396
Jan 19 10:04:09 touran snmpd[4033]: Received SNMP packet(s) from UDP: [127.0.0.1]:5396
Jan 19 10:04:09 touran snmpd[4033]: Connection from UDP: [127.0.0.1]:5396
Jan 19 10:06:07 touran last message repeated 11 times
Jan 19 10:06:07 touran last message repeated 11 times

We can change snmpd's log level to cut down on this noise.
My system here is CentOS.
#vi /etc/init.d/snmpd

OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"

Change this line to:

OPTIONS="-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid -a"

-LS 0-4 d sends only priorities 0 (LOG_EMERG) through 4 (LOG_WARNING) to syslog under the daemon facility, so the informational connection and packet lines no longer reach /var/log/messages while errors still do.

Restart snmpd
#/etc/init.d/snmpd restart

For the detailed meaning of the options, see man snmpd and man snmpcmd.
man snmpcmd defines the log levels as:
0 or ! for LOG_EMERG,
1 or a for LOG_ALERT,
2 or c for LOG_CRIT,
3 or e for LOG_ERR,
4 or w for LOG_WARNING,
5 or n for LOG_NOTICE,
6 or i for LOG_INFO, and
7 or d for LOG_DEBUG.

Reference: http://www.diybl.com/course/6_system/linux/Linuxjs/2008930/146976.html

Posted in Linux maintenance and tuning, Tech, Logs.


Using fail2ban to block SSH brute-force attacks

fail2ban can be set up so that after a host fails the password n times it is blocked in the firewall for n minutes;
the event is written to a log, and it can e-mail you.
When the time is up the iptables rules are restored; very clean.

http://sourceforge.net/projects/fail2ban/files/
http://www.fail2ban.org/

The latest version at the moment is 0.8.4.

Download and install
wget "http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=ncu"
#tar xvfj fail2ban-0.8.4.tar.bz2
#cd fail2ban-0.8.4
#python setup.py install
#cp ./files/redhat-initd /etc/init.d/fail2ban   # ./files also holds init scripts for other systems, e.g. gentoo, suse
#chkconfig --add fail2ban   # start at boot
#chkconfig --list |grep fail2ban   # check that the service has been registered

Edit the configuration files

/etc/fail2ban/fail2ban.conf
defines the log level, log path and socket file; I keep the defaults.
#vi /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1   # IP ranges to ignore; separate two or more entries with spaces
bantime = 600   # how long (seconds) an IP stays blocked; -1 means permanently
findtime = 600   # window (seconds) within which maxretry failures trigger a ban
maxretry = 3   # number of attempts allowed

[ssh-iptables]
# protection against sshd brute force
enabled = true   # enable
filter = sshd
action = iptables[name=SSH, port=6022, protocol=tcp]   # my sshd port is 6022
# sendmail-whois[name=SSH, [email protected], [email protected]]   # no e-mail
logpath = /var/log/secure   # path of the ssh failure log
maxretry = 3   # retry count

#service fail2ban start
Note: if you restart iptables, remember to restart fail2ban as well (fail2ban-client reload), otherwise it stops working: fail2ban's filter chain is inserted into iptables after iptables has started.

Test
#tail -f /var/log/secure /var/log/fail2ban.log

==> /var/log/secure <==
Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:28 localhost last message repeated 2 times
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2

==> /var/log/fail2ban.log <==
2010-01-13 17:02:36,849 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.1.8

==> /var/log/fail2ban.log <==
2010-01-13 17:12:36,852 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.1.8

#fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/secure
|  |- Currently failed: 0
|  `- Total failed: 4
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 1
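The ban decision the jail above makes (findtime, maxretry, ignoreip) replayed over sshd "Failed password" lines with plain awk, as an added example that is not part of the original post and not fail2ban's own code. The log lines are constructed, modelled on the /var/log/secure excerpt above; the script lets you check what a given findtime/maxretry pair would have banned in a saved log before you enable the jail, and shows that the syslog "last message repeated" lines, which carry no host, are never counted.

```shell
#!/bin/sh
# Added example (not from the original post, not fail2ban code): the sliding-window
# ban decision of a jail with findtime/maxretry/ignoreip, replayed with POSIX awk.

# Constructed sample, modelled on the /var/log/secure excerpt in the post.
# 192.168.1.8 fails three times inside 33 seconds; 10.0.0.5 fails three times
# spread over 30 minutes. "last message repeated" lines name no host, so
# neither this script nor fail2ban's sshd filter counts them.
SAMPLE_SECURE='Jan 13 17:02:02 localhost sshd[24207]: Failed password for c1g from 192.168.1.8 port 10270 ssh2
Jan 13 17:02:12 localhost last message repeated 2 times
Jan 13 17:02:19 localhost sshd[24287]: Failed password for c1g from 192.168.1.8 port 10398 ssh2
Jan 13 17:02:35 localhost sshd[24322]: Failed password for c1g from 192.168.1.8 port 10447 ssh2
Jan 13 17:40:00 localhost sshd[24400]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Jan 13 17:41:00 localhost sshd[24401]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Jan 13 18:10:00 localhost sshd[24402]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2'

# ban_candidates FINDTIME MAXRETRY IGNOREIP  < secure-log
# Prints each source IP once, at the moment it reaches MAXRETRY failures
# inside a sliding FINDTIME-second window, i.e. when a real jail would ban it.
# Assumption: all lines fall on one day, so HH:MM:SS alone is a usable
# timestamp (fine for a replay; a full parser would also read the date).
ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" -v ignoreip="$3" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || ip == ignoreip || banned[ip]) next
            n[ip]++
            ts[ip, n[ip]] = now
            # slide the window: forget attempts older than findtime seconds
            while (first[ip] < n[ip] && now - ts[ip, first[ip] + 1] > findtime) first[ip]++
            if (n[ip] - first[ip] >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# Stand-alone run with the jail settings from the post (findtime 600,
# maxretry 3, ignoreip 127.0.0.1): only 192.168.1.8 is banned, because
# the three failures from 10.0.0.5 never fall inside one 600-second window.
printf '%s\n' "$SAMPLE_SECURE" | ban_candidates 600 3 127.0.0.1
```

Raising findtime to 3600 in the last line also bans 10.0.0.5, which is the knob to turn when slow, spread-out guessing is the pattern you see in /var/log/secure.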

Log configuration
Write a logrotate configuration and copy it to /etc/logrotate.d/fail2ban so the log file is rotated regularly:

/var/log/fail2ban.log {
    missingok
    notifempty
    size 30k
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client reload 2> /dev/null || true
    endscript
}

References
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options
http://allblue.mllm.org/node/186
http://www.lsanotes.cn/fail2ban

Posted in Linux maintenance and tuning, Security, Tech.


Apache access log sorting exercise

Notes from an exercise.
Suppose the logs of several web servers have been merged and need to be re-sorted by date.

Sample:

127.0.0.1 - - [01/Dec/2005:14:00:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:01:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:05:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:04:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:15:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
207.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
227.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
217.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2004:14:12:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Feb/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Jan/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Jan/2004:14:22:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32

First idea:
I didn't know that sort can sort on fields,
so I rewrote the timestamp into a fixed pattern, used awk to copy it to the front of the line, sorted,
then stripped the sort key and restored the original form.
Drawbacks:
cannot sort by year or month, slow, and the code is silly.

cat http.log |sed -e 's#\[#:#' -e 's#/#:#' -e 's#/#:#' -e 's# +800]#:#'|awk -F: '{print $2$5$6$7"|"$0}'|sort -n|cut -d'|' -f2|sed -e 's/:/[/' -e 's#:#/#' -e 's#:#/#' -e 's/: "/ +0800] "/'

Simplest method:
split on spaces and sort on the fourth column.
Drawback:
the month in the log is an English name, so the order may be wrong across month boundaries, but it is very fast.

cat http.log |sort -t" " -k4

Improved version:
a multi-key sort on year, month, day and time.
Drawback:
working out the character positions is fiddly and it is not fast either, but it sorts dates correctly.

export LC_ALL=POSIX
cat http.log |sort -t' ' -f -i -k 4.9,4.12n -k 4.5,4.7M -k 4.2,4.3n -k 4.14

# Field 4 is [DD/Mon/YYYY:HH:MM:SS: characters 9-12 are the year (numeric), 5-7 the month name (-M), 2-3 the day (numeric), 14 onward the time.
# Without LC_ALL set, sorting by month and then by day may come out in the wrong order.
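A decorate-sort-undecorate variant of the first approach above that also orders by year and month, added here as an example (not part of the original post). awk builds a fixed-width YYYYMMDDHHMMSS key from field 4, sort orders on that key, and cut removes it again, so it avoids both the year/month limitation of the first approach and the character-position arithmetic of the improved one. The sample lines are a constructed subset of the log above; only POSIX awk, sort and cut are used.

```shell
#!/bin/sh
# Added example, not from the original post: key-based sort of Apache logs that
# handles year and month, using only POSIX awk/sort/cut.

# Constructed sample: a subset of the log lines in the post, in scrambled order.
SAMPLE_LOG='127.0.0.1 - - [01/Dec/2005:14:00:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:15:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
207.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2004:14:12:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Feb/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Jan/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Jan/2004:14:22:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32'

# sort_apache_log < access.log
# Prepends a YYYYMMDDHHMMSS key to every line, sorts on it, strips it again.
sort_apache_log() {
    awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        {
            # field 4 is "[DD/Mon/YYYY:HH:MM:SS"; drop "[" and split on / and :
            ts = substr($4, 2)
            gsub(/[\/:]/, " ", ts)
            split(ts, p, " ")
            # key|original line; the key is fixed width, so byte order equals time order
            printf "%s%s%s%s%s%s|%s\n", p[3], mon[p[2]], p[1], p[4], p[5], p[6], $0
        }' | LC_ALL=C sort -t '|' -k 1,1 | cut -d '|' -f 2-
}

# Stand-alone run: prints the sample in chronological order, Jan 2004 first.
printf '%s\n' "$SAMPLE_LOG" | sort_apache_log
```

LC_ALL=C is set only for the sort, which is the one step whose result depends on the locale; the key is all digits so a byte comparison is exact. cut -f 2- keeps every field after the first, so lines that themselves contain a | (user-agent strings in combined logs) come back intact.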

Output

127.0.0.1 - - [01/Jan/2004:14:22:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2004:14:12:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Jan/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Feb/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:00:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:01:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
207.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
217.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
227.0.0.1 - - [01/Dec/2005:14:02:54 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:04:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:14:05:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32
127.0.0.1 - - [01/Dec/2005:15:02:55 +800] "GET /test/testregx.php HTTP/1.1" 200 32

References
http://www.gnu.org/software/coreutils/faq/#Sort-does-not-sort-in-normal-order_0021
http://www.softpanorama.org/Tools/sort.shtml
http://www.phpman.info/index.php/info/sort
http://www.technow.com.hk/bash-shell-use-sort
http://www.chedong.com/tech/rotate_merge_log.html

Posted in shell, Tech.


[Repost] Encrypting content with RSA in PHP and JavaScript

Author: virushuo, posted 2009-12-27 18:12, last updated 2009-12-27 21:12
Copyright notice: may be freely reposted; when reposting, please give the original source and author information as a hyperlink, together with this notice.


http://code.google.com/p/phpjsrsa/

This is a library for encrypting text, mainly to prevent eavesdropping over the HTTP protocol. In general, using HTTPS avoids eavesdropping effectively, but a few situations have to be considered.

(1) The host offers both HTTPS and HTTP. Some users come in over HTTPS and are protected, but others come in over HTTP and can be eavesdropped on, unless HTTP is switched off and everything moves to HTTPS.
(2) The host has no HTTPS support at all.

In many cases we need to keep a host safe, and the best way is to hide it in the digital forest: that is, nobody can make sense of what this host outputs, because it consists only of meaningless code and numbers. Browsing this host triggers no keyword scan. The host does not even use HTTPS, which makes it all the more low-profile.

In other words, if a site turns all of its content into combinations of letters and digits and does not use HTTPS, it is one leaf in the digital forest and attracts no attention at all.

Our goal should be to go unnoticed in transit, not absolute, unbreakable security.

So the library's workflow is:
1 PHP RSA-encrypts the "content" -> the encrypted result is written into the page.
2 The user opens the page; in the HTML code the "content" appears as encrypted numbers. The private key can be written directly into the page code, or entered by the user once and kept in a cookie. Using a cookie lowers the risk of the key leaking and is more effective.
3 JavaScript in the user's browser decrypts the numbers back into content.
4 JavaScript writes the content back into the page through the DOM, and the user can read it.

Decrypting in JavaScript spreads the computational load over the clients. To eavesdrop on every page, the eavesdropper must 1 obtain the key and 2 decrypt the content with it.

With the key known, if the computational load per client page is 1 and there are n pages, the eavesdropper's load after obtaining the key is 1*n.

For efficiency, small primes are used as RSA's p and q; in theory an eavesdropper can recover the key by factoring, at a computational cost of k, where k is far greater than 1.

If every site uses a different key, with m sites in total, the eavesdropper's load is m*k+1*n, and that load is concentrated.

Whereas with a two-way reversible cipher, once the algorithm is known the eavesdropper's cost is tiny. Changing the algorithm to raise the difficulty cannot be made general and makes normal browsing hard for users. With RSA the algorithm is standard, the cost to users is low and the cost to eavesdroppers is high.

In the project code I have already achieved this goal, but there are still efficiency problems.

Current problems:

1 On PHP hosts without the bcmath or gnumath functions, PHP-side encryption is very slow, tens of times slower than with bcmath. Fortunately most hosts do have bcmath, so this problem is not serious.
2 JavaScript bigint arithmetic is slow, mainly powmod, which is the most frequent operation in RSA decryption.

I hope interested people will join the project. Once the efficiency problems are solved it still needs to be ported to a series of common applications, such as dabr or twitese.

The primes needed can be found at http://www.prime-numbers.org.

I put a demo at http://blog.devep.net/rsatest/test.php; look at the HTML source, there is no Chinese text in it.

update: switched to the big-number library at http://www-cs-students.stanford.edu/~tjw/jsbn/, which improves performance a lot.

Posted in JavaScript/DOM/XML, PHP, Tech.


Finding all external links in Discuz forum posts

Things are tense lately, so I have to audit the posts on the bbs that contain external links. The SQL is below.


SELECT pid, fid, tid, author, authorid, FROM_UNIXTIME( dateline ) AS time, subject, message
FROM `cdb_posts`
WHERE `message` REGEXP 'http://'
  AND REPLACE(`message`, 'http://bbs.domain.com', '') REGEXP 'http://';
-- The original condition was REGEXP '.*http://[^bbs.domain.com].*'. In a regular
-- expression [^...] is a character class, not a negated string, so that pattern
-- only skipped links whose host starts with one of b s . d o m a i n c and did
-- not exclude the domain; stripping our own links first and then looking for any
-- remaining http:// does.

The second condition excludes our own domain, leaving posts with at least one link elsewhere.
On 5,000,000 posts it runs in about 0.1 seconds, which is acceptable.
After running the search in phpMyAdmin, open the options below the pager and tick "Full texts" to see the whole post; combined with the admin panel's ban-user and delete-post functions you can clean out the spam.

PS: if it runs slowly, add a limit on pid or export the matches into a temporary table first.

Posted in Discuz/Uchome/Ucenter, Other.


Checking whether the cable is connected to the NIC with mii-tool and ethtool on Linux

Running mii-tool shows whether a cable is connected to the NIC.
#mii-tool

eth0: negotiated 100baseTx-FD, link ok

Sometimes the driver does not support it and you get this error:
#mii-tool

SIOCGMIIPHY on 'eth0' failed: Operation not supported
no MII interfaces found

In that case use ethtool:
#ethtool eth0

Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: pumbg
        Wake-on: g
        Current message level: 0x00000033 (51)
        Link detected: yes

Link detected: yes means the link is up; no means it is down.

Posted in Linux commands, Tech.


FreeBSD 7.2 kernel tuning for higher load

uname -a
FreeBSD web_1 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 07:18:07 UTC 2009 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

nginx 0.7.63 as a reverse proxy

worker_processes 16;
worker_rlimit_nofile 51200;
events {
    use kqueue;
    worker_connections 51200;
}

#tail /var/log/messages

Nov 25 21:47:11 web_1 kernel: kern.maxfiles limit exceeded by uid 88, please see tuning(7).
Nov 25 21:47:12 web_1 kernel: kern.maxfiles limit exceeded by uid 80, please see tuning(7).
Nov 25 21:47:44 web_1 last message repeated 27 times
Nov 25 21:48:16 web_1 last message repeated 17 times
Nov 26 09:04:01 web_1 kernel: Limiting open port RST response from 341 to 200 packets/sec

Check the current kernel parameters
#sysctl -a

kern.maxfiles: 12328
kern.maxfilesperproc: 11095
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1
kern.ipc.somaxconn:128
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.udp.maxdgram: 9216
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536
kern.ipc.nmbclusters: 25600
vfs.vmiodirenable: 1
net.inet.tcp.msl: 30000
net.inet.tcp.finwait2_timeout: 60000
net.inet.tcp.fast_finwait2_recycle: 0

Tune the kernel; these take effect immediately

#sysctl -w kern.maxfiles=65536
#sysctl -w kern.maxfilesperproc=65536
#sysctl -w net.inet.icmp.icmplim=500
#sysctl -w net.inet.icmp.icmplim_output=0
#sysctl -w kern.ipc.somaxconn=4096
#sysctl -w net.inet.tcp.blackhole=2
#sysctl -w net.inet.udp.blackhole=1
#sysctl -w net.inet.udp.maxdgram=65536
#sysctl -w net.inet.tcp.sendspace=65536
#sysctl -w net.inet.tcp.recvspace=65536
#sysctl -w kern.ipc.nmbclusters=32768
#sysctl -w net.inet.tcp.msl=2500
#sysctl -w net.inet.tcp.finwait2_timeout=600
#sysctl -w net.inet.tcp.fast_finwait2_recycle=1

The following three parameters greatly reduce the number of connections waiting in FIN_WAIT_2 within a few minutes:
net.inet.tcp.msl
net.inet.tcp.finwait2_timeout
net.inet.tcp.fast_finwait2_recycle

Save the parameters
#vi /etc/sysctl.conf

kern.maxfiles=65536
kern.maxfilesperproc=65536
net.inet.icmp.icmplim=500
net.inet.icmp.icmplim_output=0
kern.ipc.somaxconn=4096
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=65536
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
kern.ipc.nmbclusters=32768
net.inet.tcp.msl=2500
net.inet.tcp.finwait2_timeout=600
net.inet.tcp.fast_finwait2_recycle=1

#vi /boot/loader.conf

kern.ipc.nmbclusters="102400"
kern.ipc.nmbufs="409600"

These two parameters need a reboot to take effect.
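A dry run for the procedure above, added here as an example (not part of the original post): it compares the values `sysctl -a` reports with the target list that goes into /etc/sysctl.conf and prints only the sysctl -w commands that would change something, flagging keys the running kernel does not have. The two inputs are text, so the same function reviews a box before applying or audits it afterwards from a saved `sysctl -a` dump; the sample values are the ones quoted above, embedded as constructed input. Only POSIX awk and sed are used.

```shell
#!/bin/sh
# Added example, not from the original post: diff the current sysctl values
# against the target list and emit only the sysctl -w commands that matter.

# Constructed input: the `sysctl -a` lines and the /etc/sysctl.conf targets
# quoted in the post (note the unspaced "kern.ipc.somaxconn:128" form, which
# is handled the same as "key: value").
CURRENT='kern.maxfiles: 12328
kern.maxfilesperproc: 11095
net.inet.icmp.icmplim: 200
net.inet.icmp.icmplim_output: 1
kern.ipc.somaxconn:128
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.udp.maxdgram: 9216
net.inet.tcp.sendspace: 32768
net.inet.tcp.recvspace: 65536
kern.ipc.nmbclusters: 25600
vfs.vmiodirenable: 1
net.inet.tcp.msl: 30000
net.inet.tcp.finwait2_timeout: 60000
net.inet.tcp.fast_finwait2_recycle: 0'

DESIRED='kern.maxfiles=65536
kern.maxfilesperproc=65536
net.inet.icmp.icmplim=500
net.inet.icmp.icmplim_output=0
kern.ipc.somaxconn=4096
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.udp.maxdgram=65536
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
kern.ipc.nmbclusters=32768
net.inet.tcp.msl=2500
net.inet.tcp.finwait2_timeout=600
net.inet.tcp.fast_finwait2_recycle=1'

# sysctl_plan "CURRENT_TEXT" "DESIRED_TEXT"
# CURRENT_TEXT is `sysctl -a` output (key: value), DESIRED_TEXT is one key=value
# per line. Prints a sysctl -w line for every key whose value differs, in the
# order of the desired list, and a comment for keys the kernel does not report.
sysctl_plan() {
    {
        printf '%s\n' "$2" | sed 's/^/want /'
        printf '%s\n' "$1" | sed 's/^/have /'
    } | awk '
        NF < 2 { next }
        $1 == "want" {
            eq = index($2, "=")
            k = substr($2, 1, eq - 1); want[k] = substr($2, eq + 1); order[++n] = k
            next
        }
        $1 == "have" {
            line = $2
            for (i = 3; i <= NF; i++) line = line " " $i
            sub(/:[ \t]*/, "=", line)          # "k: v" and "k:v" both become k=v
            eq = index(line, "=")
            have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) { print "# " k ": not present on this kernel, skipped"; continue }
                if (have[k] != want[k]) printf "sysctl -w %s=%s   # was %s\n", k, want[k], have[k]
            }
        }'
}

# Stand-alone run: 13 commands; net.inet.tcp.recvspace is already 65536 and is left out.
sysctl_plan "$CURRENT" "$DESIRED"
```

On the FreeBSD box itself, `sysctl_plan "$(sysctl -a)" "$(cat /etc/sysctl.conf)"` gives the list to review before running it; an empty result after applying means the saved file and the running kernel agree.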

Check the TCP connection states
#netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a,S[a]}'

FIN_WAIT_1 1610
FIN_WAIT_2 19
SYN_SENT 54
LAST_ACK 286
CLOSING 7
CLOSE_WAIT 2
SYN_RCVD 55
TIME_WAIT 213
ESTABLISHED 10928

#netstat -m

2284/25241/27525 mbufs in use (current/cache/total)
664/14398/15062/32768 mbuf clusters in use (current/cache/total/max)
664/14312 mbuf+clusters out of packet secondary zone in use (current/cache)
998/8109/9107/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
5891K/67542K/73433K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/0/0 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
160 requests for I/O initiated by sendfile
0 calls to protocol drain routines

References
http://wiki.freebsdchina.org/doc/s/sysctl/tuning
http://blog.csdn.net/hjue/archive/2005/12/16/553703.aspx

Posted in *bsd.