

Detecting and fixing the Linux glibc GHOST vulnerability

GHOST is a serious security flaw in the Linux glibc library: it lets an attacker take control of the operating system remotely without knowing anything about the target system. Its CVE identifier is CVE-2015-0235.

What is glibc

glibc is the libc (the C runtime library) released by GNU. It is the lowest-level API on a Linux system; almost every other runtime library depends on it. Besides wrapping the system services provided by the Linux kernel, glibc itself implements many other essential services, and it covers nearly every UNIX standard in common use.

What the vulnerability is

Researchers at the code-auditing company Qualys found a buffer overflow in the __nss_hostname_digits_dots() function of the glibc library. The bug can be triggered locally or remotely through the gethostbyname*() functions. Applications mainly use gethostbyname*() to issue DNS requests; the functions resolve a host name into an IP address.

Impact

The flaw allows remote code execution; an attacker who exploits it can gain full control of the system.

Proof of concept

In our testing we wrote a PoC: after sending a specially crafted e-mail to the server, we obtained a shell on the remote Linux server, bypassing all the protections currently present on 32-bit and 64-bit systems (such as ASLR, PIE and NX).

What can we do?

Patch the operating system promptly. We (Qualys) have worked closely with the Linux distributors, and patches will be released in a timely fashion.

Why is it called GHOST?

Because it is triggered through the GetHOST functions.

Which versions and operating systems are affected?

The first affected version is glibc-2.2 of the GNU C Library, released on 10 November 2000. We identified several ways of mitigating the vulnerability, and we found that it had already been fixed on 21 May 2013 (between the glibc-2.17 and glibc-2.18 releases). Unfortunately it was not classified as a security issue at the time, so many stable and long-term releases remained exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 5, 6 and 7, CentOS 5, 6 and 7, Ubuntu 12.04 and others.

Fix

Upgrade the glibc library:

RHEL/CentOS : sudo yum update glibc

Ubuntu : sudo apt-get update ; sudo apt-get install libc6

Running processes keep the old library mapped until they are restarted, so restart the affected services (or reboot) after the upgrade.

Testing for the vulnerability:

wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
Compile:
gcc -o GHOST GHOST.c

Run:
./GHOST

If the output is:
[root@localhost home]# ./GHOST
not vulnerable

the vulnerability has been fixed; if it prints only "vulnerable", the vulnerability is still present.

Testing with a script

wget -O GHOST-test.sh http://www.cyberciti.biz/files/scripts/GHOST-test.sh.txt
bash GHOST-test.sh
[root@localhost ~]# bash GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.

Reference: http://blog.chinaunix.net/uid-509190-id-4807958.html
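The version-based test above relies on distribution-specific revision numbers. As an added example (not part of the original post or of GHOST-test.sh), the following POSIX shell functions classify a glibc version against the upstream window the post gives (introduced in 2.2, fixed between 2.17 and 2.18); the "in-window" result deliberately means "possibly affected", because vendors backported the fix, so the compiled GHOST.c test remains the authoritative check. The ldd line formats shown in the comments are assumed typical, not taken from the post.

```sh
#!/bin/sh
# Added example (not from the original post): classify a glibc version
# against the GHOST (CVE-2015-0235) window the post describes, i.e.
# introduced in glibc 2.2 and fixed upstream between 2.17 and 2.18.

# Extract the version from the first line of `ldd --version`, for example
# "ldd (GNU libc) 2.12" or "ldd (Ubuntu EGLIBC 2.15-0ubuntu10) 2.15"
# (assumed formats): the version is the last whitespace-separated field.
glibc_version_from_ldd_line() {
    echo "${1##* }"
}

# $1 = glibc version such as "2.12" or "2.12.2". Prints one of:
#   pre-2.2         older than the first affected release
#   in-window       2.2 <= version < 2.18: the upstream code is affected,
#                   but vendors backported the fix, so check the package
#                   changelog or run the compiled GHOST.c test
#   fixed-upstream  2.18 or newer
#   unparsable      not a major.minor version string
ghost_window() {
    case "$1" in *.*) ;; *) echo unparsable; return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) echo unparsable; return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unparsable; return 2 ;; esac
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; }; then
        echo pre-2.2
    elif [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then
        echo in-window
    else
        echo fixed-upstream
    fi
}

# Classify the glibc of the host this runs on.
ghost_check_host() {
    line=$(ldd --version 2>/dev/null | head -n 1)
    ver=$(glibc_version_from_ldd_line "$line")
    echo "glibc $ver: $(ghost_window "$ver")"
}

ghost_check_host
```

Run it on a host to get a first triage answer; an "in-window" host is where the ./GHOST binary from the post should be run next.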

Posted in Security advisories.


Analysing nginx logs with GoAccess

GoAccess is a real-time log analysis tool.
The statistics it can currently show are:

overview, bandwidth usage and so on
top visitors
dynamic web requests
static web requests (images, stylesheets, scripts and so on)
referring domains
404 errors
operating systems
browsers and search engines
hosts, DNS and IP addresses
HTTP response codes
referring sites
keyboard layout
custom display
support for very large logs (analysis is fast)

It depends on the following libraries:

glib2
GeoIP
ncurses

Installing GoAccess

yum install glib2 glib2-devel GeoIP-devel ncurses-devel

wget http://sourceforge.net/projects/goaccess/files/0.5/goaccess-0.5.tar.gz/download
tar zxvf goaccess-0.5.tar.gz
cd goaccess-0.5
./configure --enable-geoip --enable-utf8
make && make install

The basic syntax of GoAccess is:

goaccess [ -b ][ -s ][ -e IP_ADDRESS][ -a ] <-f log_file >
Options:

-f  log file name
-b  enable bandwidth statistics; not recommended if you want faster analysis
-s  enable HTTP response code statistics
-a  enable user-agent statistics
-e  enable statistics for the given IP address; disabled by default
Usage examples:

The simplest and most common invocation is just goaccess with the log file, without any of the options that slow it down:

goaccess -f access.log

Analysing a compressed log
zcat access.log.1.gz | goaccess

Common error:
Your terminal does not support color

vi ~/.bashrc

Add a line at the end:

export TERM="xterm-256color"

Save, then run source ~/.bashrc to apply it.

Reference:
http://www.linuxde.net/2013/03/12943.html

Posted in Logs.


Adding a NIC link-speed monitoring plugin, check_ethspeed.sh, to Nagios

After a server has been in service for a long time, the network cable may age or develop a loose connection, so the NIC no longer reaches its rated speed.
Add a Nagios plugin that periodically checks the NIC link speed.

See also: viewing and changing the NIC link speed on Linux

cd /opt/nagios/libexec
vi check_ethspeed.sh

#!/bin/bash
#########################################################################
#
# File: check_ethspeed.sh
# Description: Nagios check plugin to check eth speed in *nix.
# Language: GNU Bourne-Again SHell
# Version: 1.0.1
# Date: 2015-1-23
# Author: C1g
# Blog: http://blog.C1gStudio.com
# Note: Allow nagios to run ethtool commands
# visudo
# #Defaults requiretty
# nagios ALL=NOPASSWD:/sbin/ethtool
#
#########################################################################

# PATH must be assigned in upper case; assigning "path" and exporting PATH leaves PATH unchanged
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# defaults: warn when the link is at or below 100 Mb/s, critical at or below 10 Mb/s
warn_num=100
critical_num=10
eth=eth0

usage(){
    echo -e "Usage: $0 -i|--interface interface -w|--warning warning threshold -c|--critical critical threshold"
    echo -e "Example:"
    echo -e "$0 -i eth0 -w 100 -c 10"
}

select_arg(){
    if [ $# -eq 0 ];then
        return 1
    fi
    until [ $# -eq 0 ];do
        case $1 in
        -i|--interface)
            [ $# -lt 2 ] && return 1
            # the interface must exist; sysfs is more reliable than grepping
            # /var/log/dmesg, which may be rotated or unreadable by the nagios user
            if [ ! -d "/sys/class/net/$2" ];then
                return 1
            fi
            eth=$2
            shift 2
            ;;
        -w|--warning)
            [ $# -lt 2 ] && return 1
            if ! echo "$2" |grep -E -q "^[1-9][0-9]*$";then
                return 1
            fi
            warn_num=$2
            shift 2
            ;;
        -c|--critical)
            [ $# -lt 2 ] && return 1
            if ! echo "$2" |grep -E -q "^[1-9][0-9]*$";then
                return 1
            fi
            critical_num=$2
            shift 2
            ;;
        *)
            return 1
            ;;
        esac
    done
    return 0
}

select_arg "$@"
[ $? -ne 0 ] && usage && exit $STATE_UNKNOWN

#echo "warn :$warn_num"
#echo "critical :$critical_num"

# speed is "lower is worse", so the critical threshold must not exceed the warning one
if [ "$critical_num" -gt "$warn_num" ];then
    usage
    exit $STATE_UNKNOWN
fi

#ethtool $eth| grep Speed | grep -o '[0-9]\+'
#kernel >=2.6.33
#cat /sys/class/net/$eth/speed
# ethtool prints "Speed: 1000Mb/s", or "Speed: Unknown!" when the link is down
total=$(sudo /sbin/ethtool "$eth" |grep Speed:|awk '{print $2}' |awk -F 'Mb' '{print $1}')
if [ -z "$total" ] || [ "$total" = "Unknown!" ];then
    echo "UNKNOWN STATE $eth maybe not working!"
    exit $STATE_UNKNOWN
elif [ "$total" -gt "$warn_num" ];then
    echo "$eth OK - Speed: $total Mb/s |$eth=$total;$warn_num;$critical_num;0"
    exit $STATE_OK
elif [ "$total" -le "$warn_num" -a "$total" -gt "$critical_num" ];then
    echo "$eth WARNING - Speed: $total Mb/s |$eth=$total;$warn_num;$critical_num;0"
    exit $STATE_WARNING
elif [ "$total" -le "$critical_num" ];then
    echo "$eth CRITICAL - Speed: $total Mb/s |$eth=$total;$warn_num;$critical_num;0"
    exit $STATE_CRITICAL
else
    echo "UNKNOWN STATE"
    exit $STATE_UNKNOWN
fi
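The plugin above needs a sudo rule so that the nagios user can run ethtool. As an added example (not the post's plugin), the following script takes the same decision from /sys/class/net/<iface>/speed, which the post's comment notes is available on kernels 2.6.33 and later; reading it needs no privileges at all, so the sudoers change becomes unnecessary. The sysfs root is a parameter so the logic can be exercised against a constructed directory tree; the script name check_ethspeed_sysfs.sh in the comment is assumed.

```bash
#!/bin/bash
# Added example (not the plugin from the post): the NIC speed check read
# from sysfs instead of `sudo ethtool`, so the nagios user needs no sudo
# rule. /sys/class/net/<iface>/speed exists on kernels >= 2.6.33; it reads
# -1 or fails with EINVAL when the link is down, and both cases map to the
# "Unknown" state the post's plugin reports for "Speed: Unknown!".

STATE_OK=0 STATE_WARNING=1 STATE_CRITICAL=2 STATE_UNKNOWN=3

# $1 = sysfs root (normally /sys), $2 = interface. Prints the link speed in
# Mb/s, or "Unknown" when the interface is missing or the link is down.
read_sysfs_speed() {
    local f="$1/class/net/$2/speed" s
    [ -e "$f" ] || { echo Unknown; return; }
    s=$(cat "$f" 2>/dev/null || true)
    case "$s" in ''|-1|*[!0-9]*) echo Unknown ;; *) echo "$s" ;; esac
}

# $1 = interface, $2 = speed from read_sysfs_speed, $3 = warning threshold,
# $4 = critical threshold (a lower speed is worse, as in the post's plugin).
# Prints the Nagios plugin line with perfdata and returns the state code.
speed_state() {
    local eth=$1 total=$2 warn=$3 crit=$4
    local perf="|$eth=$total;$warn;$crit;0"
    if [ "$crit" -gt "$warn" ]; then
        echo "UNKNOWN - critical threshold must not exceed warning threshold"
        return $STATE_UNKNOWN
    fi
    if [ "$total" = Unknown ]; then
        echo "UNKNOWN STATE $eth maybe not working!"
        return $STATE_UNKNOWN
    elif [ "$total" -gt "$warn" ]; then
        echo "$eth OK - Speed: $total Mb/s $perf"
        return $STATE_OK
    elif [ "$total" -gt "$crit" ]; then
        echo "$eth WARNING - Speed: $total Mb/s $perf"
        return $STATE_WARNING
    else
        echo "$eth CRITICAL - Speed: $total Mb/s $perf"
        return $STATE_CRITICAL
    fi
}

# Plugin entry point for real use (e.g. check_ethspeed_sysfs.sh eth0 100 10,
# an assumed file name): the NRPE command would call this and exit with its code.
check_ethspeed_sysfs() {
    speed_state "$1" "$(read_sysfs_speed /sys "$1")" "${2:-100}" "${3:-10}"
}

# Demonstration against a constructed sysfs tree (not a real host).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/class/net/eth0" "$demo_root/class/net/eth1"
printf '%s\n' 1000 > "$demo_root/class/net/eth0/speed"
printf '%s\n' -1 > "$demo_root/class/net/eth1/speed"     # link down
speed_state eth0 "$(read_sysfs_speed "$demo_root" eth0)" 100 10 || true
speed_state eth1 "$(read_sysfs_speed "$demo_root" eth1)" 100 10 || true
rm -rf "$demo_root"
```

The output format keeps the post's perfdata layout (label=value;warn;crit;min) so the srv-pnp template graphs it unchanged.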

Download check_ethspeed.sh

chown nagios:nagios check_ethspeed.sh
chmod 775 check_ethspeed.sh

Running ethtool requires root privileges
visudo

Defaults requiretty

Comment out that line

Allow the nagios user to run ethtool without a password (only that one binary, not a blanket sudo rule)

nagios ALL=NOPASSWD:/sbin/ethtool

Add the check command to NRPE on the client
echo 'command[check_ethspeed2]=/opt/nagios/libexec/check_ethspeed.sh -i eth2 -w 100 -c 10' >> /opt/nagios/etc/nrpe.cfg

Restart NRPE
kill `cat /var/run/nrpe.pid`
/opt/nagios/bin/nrpe -c /opt/nagios/etc/nrpe.cfg -d

Add the service on the monitoring server
vi c1gstudio.cfg

define service{
use local-service,srv-pnp ; Name of service template to use
host_name c1gstudio
service_description check_ethspeed eth2
check_command check_ethspeed!eth2!100!10
notifications_enabled 0
}

Reload Nagios
/etc/init.d/nagios reload

See also: http://blog.c1gstudio.com/archives/1748

Posted in Nagios.


Adding a plugin to Nagios that monitors the current number of PHP processes, graphed with PNP

About the script
By default the script monitors php-fpm running on this host over TCP on the PHP port.
Example php-fpm.conf setting:

127.0.0.1:9000

For any other address, change 127.0.0.1:9000 in the script accordingly.

The $total processes value in the output is the number of PHP requests currently executing or waiting; 0 is ideal and lower is better.

vi check_phpprocs.sh

#!/bin/bash
#########################################################################
#
# File: check_phpprocs.sh
# Description: Nagios check plugin to check php process in *nix.
# Language: GNU Bourne-Again SHell
# Version: 1.0.0
# Date: 2015-1-16
# Author: C1g
# Blog: http://blog.C1gStudio.com
#########################################################################

# PATH must be assigned in upper case; assigning "path" and exporting PATH leaves PATH unchanged
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# defaults: warn at 100 connections, critical at 200
warn_num=100
critical_num=200

usage(){
    echo -e "Usage: $0 -w|--warning warning threshold -c|--critical critical threshold"
}

select_arg(){
    if [ $# -eq 0 ];then
        return 1
    fi
    until [ $# -eq 0 ];do
        case $1 in
        -w|--warning)
            [ $# -lt 2 ] && return 1
            if ! echo "$2" |grep -E -q "^[1-9][0-9]*$";then
                return 1
            fi
            warn_num=$2
            shift 2
            ;;
        -c|--critical)
            [ $# -lt 2 ] && return 1
            if ! echo "$2" |grep -E -q "^[1-9][0-9]*$";then
                return 1
            fi
            critical_num=$2
            shift 2
            ;;
        *)
            return 1
            ;;
        esac
    done
    return 0
}

select_arg "$@"
[ $? -ne 0 ] && usage && exit $STATE_UNKNOWN

#echo "warn :$warn_num"
#echo "critical :$critical_num"

# process count is "higher is worse", so critical must not be below warning
if [ "$critical_num" -lt "$warn_num" ];then
    usage
    exit $STATE_UNKNOWN
fi

# every TCP connection to php-fpm on 127.0.0.1:9000; change the address if php-fpm listens elsewhere
total=$(netstat -n | grep -c 127.0.0.1:9000)
if [ "$total" -lt "$warn_num" ];then
    echo "PHP OK - $total processes |PHP=$total;$warn_num;$critical_num;0"
    exit $STATE_OK
elif [ "$total" -ge "$warn_num" -a "$total" -lt "$critical_num" ];then
    echo "PHP WARNING - $total processes |PHP=$total;$warn_num;$critical_num;0"
    exit $STATE_WARNING
elif [ "$total" -ge "$critical_num" ];then
    echo "PHP CRITICAL - $total processes |PHP=$total;$warn_num;$critical_num;0"
    exit $STATE_CRITICAL
else
    echo "UNKNOWN STATE"
    exit $STATE_UNKNOWN
fi
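The plugin's count is every netstat line that mentions 127.0.0.1:9000. On loopback each connection appears twice (once per end) and finished connections linger in TIME_WAIT, so that number is higher than the number of workers actually serving requests. As an added example (not the post's plugin), the following script counts only rows whose local address is the php-fpm listener and whose state matches, and compares that with the grep-style count on a constructed netstat -n sample; the sample lines are made up, not captured from a real host.

```bash
#!/bin/bash
# Added example (not the plugin from the post): count php-fpm connections
# from `netstat -n` style output, keeping only the rows whose *local*
# address is the php-fpm listener and whose state matches.

# Constructed sample of `netstat -n` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9000          127.0.0.1:51234         ESTABLISHED
tcp        0      0 127.0.0.1:51234         127.0.0.1:9000          ESTABLISHED
tcp        0      0 127.0.0.1:9000          127.0.0.1:51235         TIME_WAIT
tcp        0      0 127.0.0.1:9001          127.0.0.1:51236         ESTABLISHED'

# $1 = listener endpoint (e.g. 127.0.0.1:9000), $2 = connection state.
# Reads netstat -n output on stdin and prints the number of matching rows.
count_conns() {
    awk -v ep="$1" -v st="$2" '$1 ~ /^tcp/ && $4 == ep && $6 == st { n++ } END { print n + 0 }'
}

# What the post's pipeline counts: every row that mentions the endpoint,
# including the client end of each loopback connection and TIME_WAIT rows.
count_any_mention() {
    grep -c -- "$1"
}

# $1 = endpoint, $2 = warning, $3 = critical; netstat output on stdin.
# Prints the Nagios plugin line with perfdata and returns the state code
# (a higher count is worse, as in the post's check_phpprocs.sh).
php_fpm_state() {
    local total
    total=$(count_conns "$1" ESTABLISHED)
    local perf="|PHP=$total;$2;$3;0"
    if [ "$total" -ge "$3" ]; then
        echo "PHP CRITICAL - $total processes $perf"; return 2
    elif [ "$total" -ge "$2" ]; then
        echo "PHP WARNING - $total processes $perf"; return 1
    fi
    echo "PHP OK - $total processes $perf"; return 0
}

# Demonstration on the constructed sample.
# Live use: netstat -n | php_fpm_state 127.0.0.1:9000 100 200
echo "rows mentioning the endpoint: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_any_mention 127.0.0.1:9000)"
echo "established to the listener: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_conns 127.0.0.1:9000 ESTABLISHED)"
echo "lingering in TIME_WAIT:      $(printf '%s\n' "$SAMPLE_NETSTAT" | count_conns 127.0.0.1:9000 TIME_WAIT)"
```

On the sample the grep-style count is 3 while only one connection is actually established to the listener; the thresholds in nrpe.cfg should be chosen with whichever count the plugin really reports in mind.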

Add execute permission; the client's NRPE path is /opt/nagios/
chown nagios:nagios check_phpprocs.sh
chmod 755 check_phpprocs.sh
mv ./check_phpprocs.sh /opt/nagios/libexec/

Edit the client's nrpe.cfg and add the check command; here the warning threshold is 100 and the critical threshold is 200
vi /opt/nagios/etc/nrpe.cfg

command[check_phpprocs]=/opt/nagios/libexec/check_phpprocs.sh -w 100 -c 200

Restart NRPE on the client

kill `cat /var/run/nrpe.pid`
/opt/nagios/bin/nrpe -c /opt/nagios/etc/nrpe.cfg -d

Edit the host file c1gstudio.cfg on the monitoring server and add the service
vi /usr/local/nagios/etc/objects/c1gstudio.cfg

define service{
use local-service,srv-pnp ; Name of service template to use
host_name c1gstudio
service_description PHP Processes
check_command check_nrpe!check_phpprocs
notifications_enabled 1
}
pnp4nagios is already set up; srv-pnp is the prepared template, so graphs work right away
templates.cfg

define service {
name srv-pnp
register 0
action_url /pnp/index.php?host=$HOSTNAME$&srv=$SERVICEDESC$
process_perf_data 1
}

See: http://blog.c1gstudio.com/archives/552

Reload Nagios
/etc/init.d/nagios reload

Check the status

Download check_phpprocs.zip check_phpprocs

Reference: http://blog.csdn.net/xluren/article/details/17724043

Posted in Nagios.


Creating hyperlinks with JavaScript that hide the referrer

The most direct way is window.open; it works in IE before version 9 but not in Firefox

function openwin2(strurl){
window.open(strurl, "newwin", "height=650,width=778,scrollbars=10,resizable=yes");
}

Improved version, which throws an error in IE6

function open_new_window(full_link){
window.open('javascript:window.name;', '

and the jQuery version

external link

Note: change the Google address in noreferrer.js to Baidu's.
http://www.baidu.com/link?url?q

References:
http://zhongfox.github.io/blog/javascript/2013/08/16/remove-referer-using-js/
https://github.com/knu/noreferrer

Posted in JavaScript/DOM/XML.


Stopping mass private messages (PM) on a Discuz! X3.2 forum

At first I thought it was a bug in the software, but after reading source\include\spacecp\spacecp_pm.php I found that there are switches controlling it.

Admin panel -> Site features -> Other ->

Site-wide default: accept private messages only from friends:
Yes No
Choosing "Yes" makes each user's private message settings default to accepting messages only from friends

Choose "Yes"

Users -> User groups -> (select the first few starting groups) -> Basic settings -> Allow sending private messages:
May send private messages to anyone:
Yes No
If "No" is chosen, a user cannot send a private message to anyone who only accepts messages from friends

Choose "No"

This can be combined with the maximum number of private messages per 24 hours and with a credit cost for sending private messages.

Posted in Discuz/Uchome/Ucenter.


Load balancing and health monitoring for a group of MySQL slaves with HAProxy

1. Install haproxy

On the haproxy machine
http://haproxy.1wt.eu
(not reachable from China without a proxy)

tar zxvf haproxy-1.4.25.tar.gz
cd haproxy-1.4.25
make TARGET=linux26
make install
mkdir -p /usr/local/haproxy/
chown nobody:nobody /usr/local/haproxy/
mkdir /etc/haproxy/
cp examples/haproxy.cfg /etc/haproxy/

cp examples/haproxy.init /etc/init.d/haproxy
chown root:root /etc/init.d/haproxy
chmod 700 /etc/init.d/haproxy

Change the haproxy init script

/usr/sbin/$BASENAME
to
/usr/local/sbin/$BASENAME

sed -i -r 's|/usr/sbin|/usr/local/sbin|' /etc/init.d/haproxy

Edit the configuration file
vi /etc/haproxy/haproxy.cfg

global
#log 127.0.0.1 local0
log 127.0.0.1 local3 info
#log loghost local0 info
maxconn 4096
chroot /usr/local/haproxy
uid nobody
gid nobody
daemon
debug
#quiet

defaults
log global
mode tcp
#option httplog
option dontlognull
retries 3
option redispatch
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000

frontend mysql
bind 192.168.0.107:3306
maxconn 3000
default_backend mysql_slave

backend mysql_slave
#cookie SERVERID rewrite
mode tcp
balance roundrobin
#balance source
#balance leastconn
contimeout 10s
timeout check 2s
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
server mysql_192_168_0_104_3306 192.168.0.104:3306 weight 1 check port 9300 inter 5s rise 2 fall 3
server mysql_192_168_0_104_3307 192.168.0.104:3307 weight 1 check port 9301 inter 5s rise 2 fall 3
#server mysql_192_168_0_106_3306 192.168.0.106:3306 weight 1 check port 9300 inter 5s rise 2 fall 3

listen admin_status
mode http
bind 192.168.0.107:8000
option httplog
log global
stats enable
stats refresh 30s
stats hide-version
stats realm Haproxy\ Statistics
stats uri /admin-status
stats auth admin:123456
stats admin if TRUE

Open the stats port in iptables

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 8000 -j ACCEPT

Enable haproxy at boot and start it

chkconfig --add haproxy
chkconfig haproxy on
service haproxy start

On the monitored machine

This host runs two MySQL instances, so there are two scripts; a single instance needs only one script and one service port.
Edit the MySQL check script for port 3306
vi /opt/shell/mysqlchk_status_3306.sh

#!/bin/bash
#
# /usr/local/bin/mysqlchk_status.sh
#
# This script checks if a mysql server is healthy running on localhost. It will
# return:
#
# "HTTP/1.x 200 OK\r" (if mysql is running smoothly)
#
# - OR -
#
# "HTTP/1.x 503 Internal Server Error\r" (else)
#

MYSQL_HOST="localhost"
MYSQL_PORT="3306"
MYSQL_USERNAME="mysqlcheck"
# must match the password given to CREATE USER; -p<password> on the command line
# is visible in "ps" output, an option file (--defaults-extra-file) is the safer choice
MYSQL_PASSWORD="paSSword"
MYSQL_PATH="/opt/mysql/bin/"

#
# We perform a simple query that should return a few results
# The temporary files have fixed names: if the script was ever run as another user
# (root, while testing) the xinetd user cannot overwrite them and the check breaks.
#${MYSQL_PATH}mysql -h${MYSQL_HOST} -P${MYSQL_PORT} -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show slave status\G;" >/tmp/rep${MYSQL_PORT}.txt
${MYSQL_PATH}mysql -h${MYSQL_HOST} -P${MYSQL_PORT} -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show full processlist;" >/tmp/processlist${MYSQL_PORT}.txt
${MYSQL_PATH}mysql -h${MYSQL_HOST} -P${MYSQL_PORT} -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show slave status\G;" >/tmp/rep${MYSQL_PORT}.txt
# the trailing colon keeps "Slave_SQL_Running_State:" (newer servers) from matching too
iostat=$(grep "Slave_IO_Running:" /tmp/rep${MYSQL_PORT}.txt |awk '{print $2}')
sqlstat=$(grep "Slave_SQL_Running:" /tmp/rep${MYSQL_PORT}.txt |awk '{print $2}')
result=$(cat /tmp/processlist${MYSQL_PORT}.txt|wc -l)
# Debug output must stay commented out: under xinetd stdout is the socket, and
# anything printed before the status line makes haproxy's httpchk fail.
#echo iostat:$iostat and sqlstat:$sqlstat
# if slave_IO_Running and Slave_sql_Running ok,then return 200 code
if [ "$result" -gt "3" ] && [ "$iostat" = "Yes" ] && [ "$sqlstat" = "Yes" ];
then
    # mysql is fine, return http 200
    /bin/echo -e "HTTP/1.1 200 OK\r\n"
else
    # mysql is down, return http 503
    /bin/echo -e "HTTP/1.1 503 Service Unavailable\r\n"
fi

vi /opt/shell/mysqlchk_status_3307.sh

#!/bin/bash
#
# /usr/local/bin/mysqlchk_status.sh
#
# This script checks if a mysql server is healthy running on localhost. It will
# return:
#
# "HTTP/1.x 200 OK\r" (if mysql is running smoothly)
#
# - OR -
#
# "HTTP/1.x 503 Internal Server Error\r" (else)
#

MYSQL_HOST="localhost"
MYSQL_PORT="3307"
MYSQL_USERNAME="mysqlcheck"
# must match the password given to CREATE USER; -p<password> on the command line
# is visible in "ps" output, an option file (--defaults-extra-file) is the safer choice
MYSQL_PASSWORD="paSSword"
MYSQL_PATH="/opt/mysql/bin/"

#
# We perform a simple query that should return a few results
# This instance is reached through its unix socket instead of TCP.
#${MYSQL_PATH}mysql -h${MYSQL_HOST} -P${MYSQL_PORT} -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show slave status\G;" >/tmp/rep${MYSQL_PORT}.txt
${MYSQL_PATH}mysql -S/data/mysql/mysql.sock -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show full processlist;" >/tmp/processlist${MYSQL_PORT}.txt
${MYSQL_PATH}mysql -S/data/mysql/mysql.sock -u${MYSQL_USERNAME} -p${MYSQL_PASSWORD} -e "show slave status\G;" >/tmp/rep${MYSQL_PORT}.txt
# the trailing colon keeps "Slave_SQL_Running_State:" (newer servers) from matching too
iostat=$(grep "Slave_IO_Running:" /tmp/rep${MYSQL_PORT}.txt |awk '{print $2}')
sqlstat=$(grep "Slave_SQL_Running:" /tmp/rep${MYSQL_PORT}.txt |awk '{print $2}')
result=$(cat /tmp/processlist${MYSQL_PORT}.txt|wc -l)
# Debug output must stay commented out: under xinetd stdout is the socket, and
# anything printed before the status line makes haproxy's httpchk fail.
#echo iostat:$iostat and sqlstat:$sqlstat
#echo $result
# if slave_IO_Running and Slave_sql_Running ok,then return 200 code
if [ "$result" -gt "3" ] && [ "$iostat" = "Yes" ] && [ "$sqlstat" = "Yes" ];
then
    # mysql is fine, return http 200
    /bin/echo -e "HTTP/1.1 200 OK\r\n"
else
    # mysql is down, return http 503
    /bin/echo -e "HTTP/1.1 503 Service Unavailable\r\n"
fi

chmod 775 /opt/shell/mysqlchk_status_3306.sh
chmod 775 /opt/shell/mysqlchk_status_3307.sh

Create a separate account on the MySQL slave with only the PROCESS and REPLICATION CLIENT privileges (the password must be the same one the scripts use).

CREATE USER 'mysqlcheck'@'localhost' IDENTIFIED BY 'PaSSword';

GRANT PROCESS , REPLICATION CLIENT ON * . * TO 'mysqlcheck'@'localhost' IDENTIFIED BY 'PaSSword' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

flush privileges;

Test the script
./mysqlchk_status_3306.sh
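The check scripts above decide health from the Slave_IO_Running and Slave_SQL_Running fields and answer with an HTTP status line that haproxy's httpchk reads. As an added example (not the post's mysqlchk_status script), the following takes the same decision from "show slave status\G" text passed in as a string, so it can be tested without a MySQL server, and adds a replication-lag limit on Seconds_Behind_Master that the post's script does not check. The sample outputs are constructed, and the /etc/mysqlchk.cnf option file named in the usage comment is an assumed path.

```bash
#!/bin/bash
# Added example (not the post's mysqlchk_status script): the same health
# decision taken from already-captured "show slave status\G" text, with an
# added Seconds_Behind_Master limit. The function prints exactly what an
# xinetd-launched check should write to the socket: the status line first,
# nothing before it.

# Constructed "show slave status\G" outputs (not captured from a real host).
SAMPLE_SLAVE_OK='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 3'
SAMPLE_SLAVE_LAGGING='             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 900'
SAMPLE_SLAVE_BROKEN='             Slave_IO_Running: No
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: NULL'

# $1 = field name, $2 = \G output. Prints the field value ("" if absent).
# Anchoring on "name:" keeps Slave_SQL_Running_State from matching Slave_SQL_Running.
slave_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# $1 = \G output, $2 = maximum acceptable Seconds_Behind_Master.
# Prints "HTTP/1.1 200 OK" or "HTTP/1.1 503 Service Unavailable" with CRLF
# line endings and an empty body; returns 0 when healthy, 1 otherwise.
slave_health_response() {
    local io sql lag
    io=$(slave_field Slave_IO_Running "$1")
    sql=$(slave_field Slave_SQL_Running "$1")
    lag=$(slave_field Seconds_Behind_Master "$1")
    if [ "$io" = Yes ] && [ "$sql" = Yes ] && [ -n "$lag" ] && [ "$lag" != NULL ] && [ "$lag" -le "$2" ]; then
        printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n'
        return 0
    fi
    printf 'HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n'
    return 1
}

# Status line only, for reading the result by eye and for assertions.
slave_health_status() {
    slave_health_response "$1" "$2" | head -n 1 | tr -d '\r'
}

# Live use under xinetd; the credentials belong in an option file rather than
# on the command line, where `ps` shows them (/etc/mysqlchk.cnf is an assumed path):
#   out=$(mysql --defaults-extra-file=/etc/mysqlchk.cnf -e 'show slave status\G')
#   slave_health_response "$out" 30

echo "healthy slave:  $(slave_health_status "$SAMPLE_SLAVE_OK" 30)"
echo "lagging slave:  $(slave_health_status "$SAMPLE_SLAVE_LAGGING" 30)"
echo "broken slave:   $(slave_health_status "$SAMPLE_SLAVE_BROKEN" 30)"
```

Treating a NULL Seconds_Behind_Master as unhealthy matters because a slave whose SQL thread has stopped reports NULL rather than a number; with the lag check, haproxy also stops routing reads to a slave that is far behind even though both threads are still running.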

Add the service
Bind to the internal IP, run on port 9300 and expose it only to the 192.168.0 network
yum install -y xinetd
vim /etc/xinetd.d/mysql_status

service mysqlchk_status3306
{
flags = REUSE
socket_type = stream
bind = 192.168.0.104
port = 9300
wait = no
user = nobody
server = /opt/shell/mysqlchk_status_3306.sh
log_type = FILE /dev/null
log_on_failure += USERID
disable = no
only_from = 192.168.0.0/24
}
service mysqlchk_status3307
{
flags = REUSE
socket_type = stream
bind = 192.168.0.104
port = 9301
wait = no
user = nobody
server = /opt/shell/mysqlchk_status_3307.sh
log_type = FILE /dev/null
log_on_failure += USERID
disable = no
only_from = 192.168.0.0/24
}

The bind and only_from addresses must allow haproxy to connect; with DRBD (floating IP) use 0.0.0.0
user must have execute permission on the server script
The port must be declared in /etc/services

chattr -i /etc/services
vi /etc/services

mysqlchk_status3306 9300/tcp #haproxy mysql check
mysqlchk_status3307 9301/tcp #haproxy mysql check

The mysqlchk_status3306 name in services must match the service name in xinetd.d

Open iptables

iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 9300 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 9301 -j ACCEPT

/etc/init.d/iptables save

Enable at boot and start the service
chkconfig xinetd --level 345 on
/etc/init.d/xinetd start

Check that it is listening
netstat -lntp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9300 0.0.0.0:* LISTEN 4863/xinetd
tcp 0 0 0.0.0.0:9301 0.0.0.0:* LISTEN 4863/xinetd

If it is not listed, check the bind address and the service port

Test from the monitoring machine
telnet 192.168.0.104 9300

Trying 192.168.0.104...
Connected to 192.168.0.104 (192.168.0.104).
Escape character is '^]'.
/opt/shell/mysqlchk_status_3306.sh: line 24: /tmp/processlist3306.txt: Permission denied
/opt/shell/mysqlchk_status_3306.sh: line 25: /tmp/rep3306.txt: Permission denied
HTTP/1.1 200 OK

Connection closed by foreign host.

The errors appear because the script had previously been run as root; delete the temporary files on the monitored machine

rm -f /tmp/processlist3306.txt /tmp/processlist3307.txt
rm -f /tmp/rep3306.txt /tmp/rep3307.txt

If there is no output at all, check the execute permission on mysqlchk_status_3306.sh

After startup, /var/log/messages fills up with entries like these

Oct 23 14:37:00 lova xinetd[11057]: START: mysqlchk_status3306 pid=11464 from=192.168.0.22
Oct 23 14:37:00 lova xinetd[11057]: EXIT: mysqlchk_status3306 status=0 pid=11464 duration=0(sec)
Oct 23 14:37:05 lova xinetd[11057]: START: mysqlchk_status3306 pid=11494 from=192.168.0.22
Oct 23 14:37:05 lova xinetd[11057]: EXIT: mysqlchk_status3306 status=0 pid=11494 duration=0(sec)

Send the check service's log to the bit bucket with log_type in its xinetd definition
log_type = FILE /dev/null

Viewing the stats page

Requesting localhost directly gives 503
http://localhost/
503 Service Unavailable

No server is available to handle this request.

Add admin-status
http://localhost/admin-status

For real use, the application's MySQL user on the slaves must be granted access from the haproxy host's address

haproxy commands
/etc/init.d/haproxy
Usage: haproxy {start|stop|restart|reload|condrestart|status|check}


Tune TIME_WAIT to avoid running out of ports
vi /etc/sysctl.conf

net.ipv4.ip_local_port_range = 1025 65000

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_max_tw_buckets = 35000

sysctl -p

Note that net.ipv4.tcp_tw_recycle breaks connections from clients behind NAT and was removed in Linux 4.12; tcp_tw_reuse is the safer of the two.

Putting the haproxy stats page behind an nginx reverse proxy

# omitted

listen admin_status
mode http
bind 192.168.0.107:8000
option httplog
log global
stats enable
stats refresh 30s
stats hide-version
stats realm Haproxy\ Statistics
#stats uri /admin-status
stats uri /haproxy/
#stats auth admin:123456
#stats admin if TRUE

nginx.conf

# omitted
location ~* ^/haproxy/
{
proxy_pass http://192.168.0.107:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
# omitted

With stats auth commented out, anyone who can reach nginx's /haproxy/ location sees the stats page, so restrict that location in nginx (allow/deny by address or auth_basic).

References:
http://linux.die.net/man/5/xinetd.conf
http://adslroot.blogspot.com/2013/12/haproxy-mysql.html

Posted in haproxy/Atlas, Technology.


Viewing and changing the NIC link speed on Linux

The other machines in the same rack run in gigabit mode, but a few were at 100 Mb, and after adjusting the speed they dropped back to 100 Mb on their own.
In the end I had the data centre replace the network cable, which fixed it immediately, and the database's process queue went down too.

Check the NIC: it supports gigabit but is running at 100 Mb.
ethtool eth2

Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full

Set it to gigabit
ethtool -s eth2 speed 1000 duplex full

tail /var/log/messages

Oct 23 10:17:22 C1g kernel: e1000e: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Oct 23 10:17:23 C1g kernel: e1000e: eth2 NIC Link is Down
Oct 23 10:17:33 C1g kernel: e1000e: eth2 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
Oct 23 10:17:33 C1g kernel: 0000:03:00.1: eth2: 10/100 speed: disabling TSO

It drops back to 100 Mb again

ethtool notes
ethtool ethX //show the basic settings of ethX
ethtool -h //show ethtool's command help
ethtool -i ethX //show driver information for ethX
ethtool -d ethX //dump register information for ethX
ethtool -r ethX //restart auto-negotiation on ethX
ethtool -S ethX //show ethX send/receive packet statistics
ethtool -s ethX [speed 10|100|1000]\ //set the link speed to 10/100/1000 Mb
[duplex half|full]\ //set half/full duplex
[autoneg on|off]\ //enable or disable auto-negotiation

Posted in linux 维护优化.

Tagged with , , .


Blocking Microsoft's search crawlers

Block Microsoft's crawlers: they crawl far too aggressively and bring no traffic...
Also lower the crawl rate to a 60-second interval.
Edit robots.txt in the web root

User-agent: Bingbot
Disallow: /
User-agent: Adidxbot
Disallow: /
User-agent: MSNBot
Disallow: /
User-agent: BingPreview
Disallow: /
User-agent: *
Disallow:
Crawl-delay: 60
Disallow: /api/
Disallow: /data/

robots.txt is advisory only: crawlers that ignore it are unaffected, and the /api/ and /data/ paths listed there are readable by anyone, so any real access restriction belongs in the web server configuration.

References:
http://www.bing.com/webmaster/help/which-crawlers-does-bing-use-8c184ec0
http://tool.chinaz.com/robots/

Posted in SEO, Web development.


Notes on using multi-column indexes in MySQL

MySQL can create an index over several columns. One index can include up to 15 columns.
CREATE TABLE test (
id INT NOT NULL,
cola CHAR(30) NOT NULL,
colb CHAR(30) NOT NULL,
PRIMARY KEY (id),
INDEX name (cola ,colb )
);

select * from tables where colb='2014';
select * from tables where cola='c1g' or colb='2014';

SELECT * from tbltables where keycola LIKE '%c1g%';

select * from tables order by cola asc,colb desc;
select * from tables order by cola desc,colb asc;
None of the above can use the index.

select * from tables where cola='c1g';
select * from tables where cola='c1g' and colb='2014';
select * from tables where cola='c1g' and colb>'2000' and colb<'2015';
select * from tables where cola='c1g' and (colb='2000' and colb='2015');
SELECT * from tbltables where keycola LIKE 'c1g%';
select * from tables order by cola asc,colb asc;
select * from tables order by cola desc,colb desc;
All of the above can use the index. The sort direction of the columns used for ORDER BY must be the same.

Posted in Mysql.