

MySQL: connecting to a local instance on a non-default port

While dumping a local MySQL database today I hit an odd problem: with several instances started through mysqld_multi, the -P port option has no effect when connecting to localhost.
mysqldump behaves the same way as mysql.

The usual way of connecting works fine:
mysql -hlocalhost -uroot -p

Connecting to another local port always ends up on 3306, yet from another machine, using the IP address, the connection works.
mysql -hlocalhost -P3308 -uroot -p

For now I worked around it by connecting over the socket, exporting only the table structure.
mysqldump -S/tmp/mysql_3308.sock -uroot -p -d mydb > mydb_createdb.sql
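Added here as an example, not part of the original post: the behaviour described above is the MySQL client's documented treatment of the host name "localhost", which on Unix means "use the Unix socket file" and silently ignores -P. The helper below (my own shell, assumed to run where the mysql client is installed) builds the connection options so that a local non-default port is reached over TCP, and the commented-out usage lines show how to confirm which instance actually answered before dumping it.

```bash
#!/bin/sh
# mysql_conn_args HOST PORT [SOCKET]
# Prints the client options that reach the intended instance:
#   - a socket path wins when given (the workaround used in the post)
#   - "localhost" is rewritten to 127.0.0.1 with --protocol=TCP, because the
#     MySQL client treats "localhost" as "use the Unix socket" and ignores -P
#   - any other host is used as-is together with the port
mysql_conn_args() {
  host=$1; port=$2; sock=$3
  case $port in
    ''|*[!0-9]*) echo "mysql_conn_args: bad port '$port'" >&2; return 1 ;;
  esac
  if [ -n "$sock" ]; then
    printf '%s\n' "--protocol=SOCKET -S$sock"
  elif [ "$host" = localhost ]; then
    printf '%s\n' "--protocol=TCP -h127.0.0.1 -P$port"
  else
    printf '%s\n' "-h$host -P$port"
  fi
}

# Usage on a host (not run here): check which instance answered, then dump it.
#   mysql $(mysql_conn_args localhost 3308) -uroot -p -e 'SELECT @@port, @@socket'
#   mysqldump $(mysql_conn_args localhost 3308) -uroot -p -d mydb > mydb_createdb.sql
```

SELECT @@port is the cheap check: if it prints 3306 while you asked for 3308, the client took the socket route and you are about to dump the wrong instance.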

Posted in Mysql.



OpenSSH SFTP remote overflow vulnerability

An OpenSSH SFTP remote overflow vulnerability was disclosed recently. If the OpenSSH server has no "ChrootDirectory" configured, an ordinary user can reach every resource on the file system, including /proc. On Linux kernels >= 2.6.x, /proc/self/maps reveals the memory layout of your process and /proc/self/mem allows arbitrary reads and writes in the current process context; combining the two makes a remote overflow possible.

The affected versions are <= OpenSSH 6.6. 安恒信息 advises users of this software to upgrade to the latest version, OpenSSH 6.7, as soon as possible. OpenSSH 6.7 includes a risk-reduction measure: sftp-server uses prctl() to block direct access to /proc/self/{mem,maps}. Grsecurity/PaX makes /proc/pid/mem non-writable outright, so if Grsecurity/PaX is deployed in your production environment you need not worry about this issue. OpenSSH 6.7 download: ftp://ftp.openbsd.com/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz

Reference:

http://seclists.org/fulldisclosure/2014/Oct/35

Note: you first need an account that is allowed to log in before any of this can be done.
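Added example (my own shell, not from the advisory): a quick audit of the two conditions the advisory names. It parses the OpenSSH version out of a banner string, checks whether the release is older than 6.7 (the version the advisory says makes sftp-server block /proc/self/{mem,maps} via prctl()), and looks for an active ChrootDirectory directive in sshd_config text. The banner and configuration samples are constructed.

```bash
#!/bin/sh
# openssh_version_lt_67 BANNER
# Returns 0 when BANNER (e.g. output of "ssh -V" or "sshd -V") names an OpenSSH
# release older than 6.7, 1 when it is 6.7 or newer, 2 when no version parses.
openssh_version_lt_67() {
  ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  set -- $ver
  [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -lt 7 ]; }
}

# sshd_config_has_chroot CONFIG_TEXT
# Returns 0 when an active (uncommented) ChrootDirectory directive exists,
# globally or inside a Match block. It only proves that some chroot is
# configured; check that the Match conditions really cover every SFTP account.
sshd_config_has_chroot() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+[^[:space:]]'
}

# sshd_sftp_proc_audit BANNER CONFIG_TEXT
# Prints a one-line verdict; exit 0 = mitigated, 1 = action required.
sshd_sftp_proc_audit() {
  rc=0; openssh_version_lt_67 "$1" || rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "unknown: no OpenSSH version found in '$1'"; return 1
  elif [ "$rc" -ne 0 ]; then
    echo "ok: OpenSSH 6.7 or newer, sftp-server blocks /proc/self/{mem,maps}"; return 0
  fi
  if sshd_config_has_chroot "$2"; then
    echo "ok: ChrootDirectory configured (verify it covers every sftp user)"; return 0
  fi
  echo "action: upgrade to OpenSSH 6.7 or add ChrootDirectory for sftp users"; return 1
}

# Constructed sample inputs (not taken from a real host)
SAMPLE_BANNER='OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_CONFIG_OPEN='Subsystem sftp /usr/libexec/openssh/sftp-server
#ChrootDirectory /srv/sftp/%u'
SAMPLE_CONFIG_CHROOT='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp'
```

On a real host feed it `"$(sshd -V 2>&1)"` and `"$(cat /etc/ssh/sshd_config)"`; a "unknown" verdict is deliberately treated as action required rather than as safe.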

Posted in Security Advisories.


Bash security flaw disclosed, worse than Heartbleed, with test and remedy

The vulnerability was disclosed on 2014-09-25; the threat it poses to computer users may be greater than the "Heartbleed" flaw found in April this year.
Tod Beardsley, engineering manager at security firm Rapid7, warned that the Bash flaw is rated severity "10", meaning the greatest threat to users' machines, and that its exploitation complexity is rated "low", meaning attackers can use it with relative ease.

Test method: run the command below

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

If the text above appears, you need to patch.

I tried CentOS 5.4, 5.5, 6.0 and others; all were affected
GNU bash, version 3.2.25(1)-release-(x86_64-redhat-linux-gnu)
GNU bash, version 4.1.2(1)-release-(x86_64-unknown-linux-gnu)

Remedy

yum -y update bash

Test again after the upgrade

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If it shows the above, it is fixed

Reference:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
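Added example (mine, not from the post): the post's test wrapped as a check that can be run across several bash binaries on a host. It takes only the literal marker line on stdout as the verdict, and distinguishes "binary not found" from "patched", so a missing interpreter is never reported as safe.

```bash
#!/bin/sh
# shellshock_verdict OUTPUT
# Classifies the stdout of the test command from the post: exit 1 when the
# "vulnerable" marker line was printed (code after the function body ran on
# import), exit 0 otherwise.
shellshock_verdict() {
  if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
    return 1
  fi
  return 0
}

# bash_shellshock_check [BASH...]
# Runs the post's test against each given bash binary (default: bash on PATH)
# and prints one line per binary. Exit 0 only if every binary is patched,
# 1 if any is vulnerable, 2 if a binary could not be run at all.
bash_shellshock_check() {
  [ $# -gt 0 ] || set -- bash
  status=0
  for b in "$@"; do
    if ! command -v "$b" >/dev/null 2>&1; then
      echo "$b: not found"; status=2; continue
    fi
    out=$(env x='() { :;}; echo vulnerable' "$b" -c 'echo this is a test' 2>/dev/null)
    if shellshock_verdict "$out"; then
      echo "$b: patched ($("$b" --version 2>/dev/null | head -n 1))"
    else
      echo "$b: VULNERABLE, run: yum -y update bash"; status=1
    fi
  done
  return $status
}

# Usage (not run here): check every bash you know of, not just the default one
#   bash_shellshock_check /bin/bash /usr/local/bin/bash
```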

Posted in Security Advisories.



CentOS: fixing the boot order of multiple NICs

After a PCI NIC is added to the system, the interface order may differ after every reboot, which breaks the accuracy of Nagios monitoring.

CentOS 6

On CentOS 6, the per-NIC naming configuration is in /etc/udev/rules.d/70-persistent-net.rules
cat /etc/udev/rules.d/70-persistent-net.rules

# PCI device 0x14e4:0x163b (bnx2) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2b:cb:xx:xx:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x14e4:0x163b (bnx2) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2b:cb:xx:xx:03", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

# USB device 0x9710:0x7830 (usb) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:60:6e:xx:xx:f6", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x14e4:0x165a (tg3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:10:18:xx:xx:51", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"

# PCI device 0x8086:0x10c9 (igb)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1b:21:xx:xx:a1", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

# PCI device 0x8086:0x10c9 (igb)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1b:21:xx:xx:a0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth5"

Delete the (usb) and (tg3) entries and renumber the bnx2 and igb names; the result is as follows

# PCI device 0x14e4:0x163b (bnx2) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2b:cb:xx:xx:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x14e4:0x163b (bnx2) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="78:2b:cb:xx:xx:03", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x8086:0x10c9 (igb)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1b:21:xx:xx:a1", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

# PCI device 0x8086:0x10c9 (igb)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1b:21:xx:xx:a0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"

Configure the interface files
Also edit the /etc/sysconfig/network-scripts/ifcfg-eth* files so that the device names and MAC addresses match the udev rules.
Watch the IP addresses and gateway as well.

Reboot the server
reboot

CentOS 5.8

In dmesg the Intel PCI NIC comes up before the onboard NICs

e1000e: Intel(R) PRO/1000 Network Driver - 1.4.4-k
e1000e: Copyright(c) 1999 - 2011 Intel Corporation.
e1000e 0000:03:00.0: Disabling ASPM L1
GSI 25 sharing vector 0x52 and IRQ 25
ACPI: PCI Interrupt 0000:03:00.0[A] -> GSI 38 (level, low) -> IRQ 82
PCI: Setting latency timer of device 0000:03:00.0 to 64
EDAC MC: Ver: 2.0.1 Feb 21 2012
e1000e 0000:03:00.0: eth0: (PCI Express:2.5GT/s:Width x4) 00:15:17:2d:52:c4
e1000e 0000:03:00.0: eth0: Intel(R) PRO/1000 Network Connection
e1000e 0000:03:00.0: eth0: MAC: 0, PHY: 4, PBA No: D28207-005
e1000e 0000:03:00.1: Disabling ASPM L1
GSI 26 sharing vector 0x62 and IRQ 26
ACPI: PCI Interrupt 0000:03:00.1[B] -> GSI 45 (level, low) -> IRQ 98
PCI: Setting latency timer of device 0000:03:00.1 to 64
sd 0:0:0:0: Attached scsi generic sg0 type 0
sd 0:0:1:0: Attached scsi generic sg1 type 0
scsi 3:0:0:0: Attached scsi generic sg2 type 5
e1000e 0000:03:00.1: eth1: (PCI Express:2.5GT/s:Width x4) 00:15:17:2d:52:c5
e1000e 0000:03:00.1: eth1: Intel(R) PRO/1000 Network Connection
e1000e 0000:03:00.1: eth1: MAC: 0, PHY: 4, PBA No: D28207-005
bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.1.11 (July 20, 2011)
GSI 27 sharing vector 0x72 and IRQ 27
ACPI: PCI Interrupt 0000:01:00.0[A] -> GSI 36 (level, low) -> IRQ 114
PCI: Setting latency timer of device 0000:01:00.0 to 64
eth2: Broadcom NetXtreme II BCM5716 1000Base-T (C0) PCI Express found at mem da000000, IRQ 114, node addr 0024e86cd577
GSI 28 sharing vector 0x7A and IRQ 28
ACPI: PCI Interrupt 0000:01:00.1[B] -> GSI 48 (level, low) -> IRQ 122
PCI: Setting latency timer of device 0000:01:00.1 to 64
eth3: Broadcom NetXtreme II BCM5716 1000Base-T (C0) PCI Express found at mem dc000000, IRQ 122, node addr 0024e86cd578
sr0: scsi3-mmc drive: 24x/24x cd/rw xa/form2 cdda tray

cat /etc/udev/rules.d/60-net.rules

ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device"
SUBSYSTEM=="net", RUN+="/etc/sysconfig/network-scripts/net.hotplug"

Check the driver and bus-info of each interface
ethtool -i eth0
driver: bnx2
version: 2.1.11
firmware-version: bc 4.6.4 NCSI 1.0.6
bus-info: 0000:01:00.0
ethtool -i eth1
driver: bnx2
version: 2.1.11
firmware-version: bc 4.6.4 NCSI 1.0.6
bus-info: 0000:01:00.1
ethtool -i eth2
driver: e1000e
version: 1.4.4-k
firmware-version: 5.11-2
bus-info: 0000:03:00.0
ethtool -i eth3
driver: e1000e
version: 1.4.4-k
firmware-version: 5.11-2
bus-info: 0000:03:00.1

Edit the order
DRIVER refers to the "driver:" line, e.g. e1000e
ID refers to the "bus-info:" line, the PCI ID

vi /etc/udev/rules.d/60-net.rules

DRIVER=="bnx2",ID=="0000:01:00.0",NAME="eth0"
DRIVER=="bnx2",ID=="0000:01:00.1",NAME="eth1"
DRIVER=="e1000e",ID=="0000:03:00.0",NAME="eth2"
DRIVER=="e1000e",ID=="0000:03:00.1",NAME="eth3"

Reboot
reboot


input: PC Speaker as /class/input/input0
bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.1.11 (July 20, 2011)
GSI 25 sharing vector 0x52 and IRQ 25
ACPI: PCI Interrupt 0000:01:00.0[A] -> GSI 36 (level, low) -> IRQ 82
PCI: Setting latency timer of device 0000:01:00.0 to 64
eth0: Broadcom NetXtreme II BCM5716 1000Base-T (C0) PCI Express found at mem da000000, IRQ 82, node addr 0024e86cd577
GSI 26 sharing vector 0x5A and IRQ 26
ACPI: PCI Interrupt 0000:01:00.1[B] -> GSI 48 (level, low) -> IRQ 90
PCI: Setting latency timer of device 0000:01:00.1 to 64
eth1: Broadcom NetXtreme II BCM5716 1000Base-T (C0) PCI Express found at mem dc000000, IRQ 90, node addr 0024e86cd578
EDAC MC: Ver: 2.0.1 Feb 21 2012
e1000e: Intel(R) PRO/1000 Network Driver - 1.4.4-k
e1000e: Copyright(c) 1999 - 2011 Intel Corporation.
e1000e 0000:03:00.0: Disabling ASPM L1
GSI 27 sharing vector 0x62 and IRQ 27
ACPI: PCI Interrupt 0000:03:00.0[A] -> GSI 38 (level, low) -> IRQ 98
PCI: Setting latency timer of device 0000:03:00.0 to 64
sd 0:0:0:0: Attached scsi generic sg0 type 0
sd 0:0:1:0: Attached scsi generic sg1 type 0
scsi 3:0:0:0: Attached scsi generic sg2 type 5
e1000e 0000:03:00.0: eth2: (PCI Express:2.5GT/s:Width x4) 00:15:17:2d:52:c4
e1000e 0000:03:00.0: eth2: Intel(R) PRO/1000 Network Connection
e1000e 0000:03:00.0: eth2: MAC: 0, PHY: 4, PBA No: D28207-005
e1000e 0000:03:00.1: Disabling ASPM L1
GSI 28 sharing vector 0x72 and IRQ 28
ACPI: PCI Interrupt 0000:03:00.1[B] -> GSI 45 (level, low) -> IRQ 114
PCI: Setting latency timer of device 0000:03:00.1 to 64
e1000e 0000:03:00.1: eth3: (PCI Express:2.5GT/s:Width x4) 00:15:17:2d:52:c5
e1000e 0000:03:00.1: eth3: Intel(R) PRO/1000 Network Connection
e1000e 0000:03:00.1: eth3: MAC: 0, PHY: 4, PBA No: D28207-005
sr0: scsi3-mmc drive: 24x/24x cd/rw xa/form2 cdda tray

Interface order as seen by the Nagios check_traffic.sh script
./check_traffic.sh -V 2c -C privatepass -H localhost -L

List Interface for host localhost.
Interface index 1 orresponding to lo
Interface index 2 orresponding to eth0
Interface index 3 orresponding to eth1
Interface index 4 orresponding to eth2
Interface index 5 orresponding to eth3
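Added example (my own shell, not from the post): both procedures above reduce to one inventory of NICs in the desired order. The functions below generate the CentOS 6 MAC-based 70-persistent-net.rules entries and the CentOS 5.8 driver/bus-id 60-net.rules entries from one such inventory, refuse an inventory with duplicate names or MACs, and check that an ifcfg-ethN file's DEVICE/HWADDR pair agrees with it (the step the post says to do by hand). The MAC addresses and bus ids in NIC_INVENTORY are constructed.

```bash
#!/bin/sh
# Constructed inventory, one NIC per line in the desired order:
#   name mac driver bus-info
NIC_INVENTORY='eth0 78:2b:cb:00:00:02 bnx2 0000:01:00.0
eth1 78:2b:cb:00:00:03 bnx2 0000:01:00.1
eth2 00:1b:21:00:00:a1 igb 0000:03:00.0
eth3 00:1b:21:00:00:a0 igb 0000:03:00.1'

# CentOS 6 style: pin each name to a MAC address (70-persistent-net.rules)
gen_persistent_net_rules() {
  printf '%s\n' "$1" | awk 'NF == 4 {
    printf "SUBSYSTEM==\"net\", ACTION==\"add\", DRIVERS==\"?*\", ATTR{address}==\"%s\", ATTR{type}==\"1\", KERNEL==\"eth*\", NAME=\"%s\"\n", tolower($2), $1 }'
}

# CentOS 5 style: pin each name to driver + PCI bus id (60-net.rules)
gen_60_net_rules() {
  printf '%s\n' "$1" | awk 'NF == 4 { printf "DRIVER==\"%s\",ID==\"%s\",NAME=\"%s\"\n", $3, $4, $1 }'
}

# Refuse an inventory that maps two NICs to the same name or the same MAC;
# udev would otherwise rename only one of them and the order is undefined again
inventory_is_unique() {
  names=$(printf '%s\n' "$1" | awk 'NF == 4 { print $1 }' | sort | uniq -d)
  macs=$(printf '%s\n' "$1" | awk 'NF == 4 { print tolower($2) }' | sort | uniq -d)
  [ -z "$names" ] && [ -z "$macs" ]
}

# ifcfg_matches_inventory INVENTORY IFCFG_TEXT
# Exit 0 when the ifcfg file's DEVICE is in the inventory and its HWADDR is
# the MAC the inventory assigns to that name (case-insensitive).
ifcfg_matches_inventory() {
  dev=$(printf '%s\n' "$2" | sed -n 's/^DEVICE=//p' | tr -d '"')
  hw=$(printf '%s\n' "$2" | sed -n 's/^HWADDR=//p' | tr -d '"' | tr '[:upper:]' '[:lower:]')
  want=$(printf '%s\n' "$1" | awk -v d="$dev" 'NF == 4 && $1 == d { print tolower($2) }')
  [ -n "$want" ] && [ "$want" = "$hw" ]
}

# Usage on a host (not run here):
#   inventory_is_unique "$NIC_INVENTORY" || exit 1
#   gen_persistent_net_rules "$NIC_INVENTORY" > /etc/udev/rules.d/70-persistent-net.rules   # CentOS 6
#   gen_60_net_rules "$NIC_INVENTORY" > /etc/udev/rules.d/60-net.rules                       # CentOS 5.8
#   for f in /etc/sysconfig/network-scripts/ifcfg-eth*; do
#     ifcfg_matches_inventory "$NIC_INVENTORY" "$(cat "$f")" || echo "mismatch: $f"
#   done
```

The inventory itself can be filled from `ip link` (MAC) and `ethtool -i` (driver, bus-info) as shown in the post; the point of generating both rule files from one list is that the ifcfg consistency check then has a single source of truth to compare against.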

Posted in Linux maintenance and optimization.



Nagios: monitoring Redis

Install Redis support
perl -MCPAN -e shell
cpan>install Redis

Download check_redis.pl
http://exchange.nagios.org/directory/Plugins/Databases/check_redis-2Epl/details
https://github.com/willixix/WL-NagiosPlugins

Test
./check_redis.pl -H 192.168.0.130 -p 6379 -a 'connected_clients,blocked_clients' -w ~,~ -c ~,~ -f

OK: REDIS 2.6.12 on 192.168.0.130:6379 has 1 databases (db0) with 49801 keys, up 3 days 14 hours - connected_clients is 1, blocked_clients is 0 | connected_clients=1 blocked_clients=0

Add to commands.cfg

define command {
command_name check_redis
command_line $USER1$/check_redis.pl -H $HOSTADDRESS$ -p $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -f
}

Add the service to the host

define service{
use local-service ; Name of service template to use
host_name c1gredis
service_description redis
check_command check_redis!6379!'connected_clients,blocked_clients'!~,~!~,~
notifications_enabled 0
}

Reload the configuration.

/etc/init.d/nagios reload

References:
http://exchange.nagios.org/directory/Plugins/Databases/check_redis-2Epl/details
http://www.ttlsa.com/nagios/nagios-redis-monitor/
http://bbs.linuxtone.org/thread-6241-1-1.html

Posted in Nagios.



Installing and configuring Analog to analyse and aggregate web logs for multiple domains

Analog is a powerful open-source web log analyser written in C. It supports many languages (including Chinese), runs on Linux and Windows, and handles the logs of mainstream web servers such as Apache, Nginx and IIS. It is very fast: 20 million log lines in under 10 minutes. Its statistics are mainly page views, and its report pages are plainer than those of Awstats or Webalizer, but nicer charts can be produced with Report Magic 2.21.

The latest version is analog-6.0; the author has not updated it since 19-Dec-04 (a demo site is available).
Installation is simple: download the appropriate version from http://www.analog.cx/download.html. Here the source version is used as an example: unpack the source tarball into the install directory, enter the directory and run make.


wget http://www.analog.cx/analog-6.0.tar.gz
tar zxvf analog-6.0.tar.gz
cp -ar analog-6.0 /usr/local/
cd /usr/local/analog-6.0
make
ln -s analog-6.0 analog
mkdir /opt/htdocs/www/analog
chown www:website /opt/htdocs/www/analog
cp -r images /opt/htdocs/www/analog/
mkdir conf
cp analog.cfg conf/c1g.cfg

Configuration

vi conf/c1g.cfg

# language: Simplified Chinese
LANGUAGE SIMP-CHINESE
# nginx log format
LOGFORMAT (%s - %j [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b "%f" "%B"\n)
# log files
LOGFILE /opt/log/%Y.%M/*/*c1gstudio.com.log.gz
# output file
OUTFILE /opt/htdocs/www/analog/c1gstudio%Y.%M/index.html
# host name
HOSTNAME "c1gstudio.com"
# host URL
HOSTURL http://www.c1gstudio.com/
# web image directory
IMAGEDIR ../images/
# only list the 200 most requested page URLs
REQFLOOR 1000p
# count forum.php* as one file
FILEALIAS /forum.php* /forum.php
# report on subdirectories
SUBDIR */*

LOGFORMAT reference


%S  host (the client hostname, or address of the computer making the request)
%s  numerical IP address of client (if recorded in a separate field; used when %S is empty)
%r  file requested
%q  query string (part of filename after ?, if recorded in a separate field)
%B  browser
%A  browser with +'s instead of spaces
%f  referrer
%u  user (tip: a cookie or session id can usefully be defined as %u too)
%v  virtual host (the server hostname, also called the virtual domain)
%d  day of the month
%m  month in digits
%M  month, three letter English abbreviation
%y  year, last two digits
%Y  year, four digits
%Z  year, two or four digits (less efficient)
%h  hour of the day
%n  minute of the hour
%a  a or A for am, or p or P for pm, if %h is in the 12-hour clock. (So to match "am" you need %am and to match "AM" you need %aM)
%U  "Unix time" (seconds since beginning of 1970, GMT). If it includes decimals, use %U.%j
%b  number of bytes transferred
%t  processing time in seconds
%T  processing time in milliseconds
%D  processing time in microseconds
%c  HTTP status code
%C  code words used instead of HTTP status code in some servers (only used internally)
%j  junk: ignore this field (field can be empty too)
%w  white space: spaces or tabs
%W  optional white space
%%  % sign
\n  new line
\t  tab stop
\\  single backslash

My nginx log format

'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';


183.62.5.13 - - [06/Aug/2014:17:16:44 +0800] "GET /aboutc1g.html HTTP/1.1" 200 6642 "http://www.c1gstudio.com/web/hello.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36" 183.62.5.13

Mine has an extra $http_x_forwarded_for at the end, so another %j has to be appended to discard it; it will not handle "-"

LOGFORMAT (%s - %j [%d/%M/%Y:%h:%n:%j %j] "%j %r %j" %c %b "%f" "%B" %j\n)

Further reading

LOGFILE and OUTFILE notes

LOGFILE new1.log,old*.log
LOGFILE /opt/log/%Y.%M/%D/*.c1gstudio.com.log.gz
Wildcards, date variables and gz-compressed files are supported; OUTFILE does not create directories automatically

%D date of month
%m month name, in English
%M month number
%y two-digit year
%Y four-digit year
%H hour
%n minute
%w day of week, in English

But the date variables do not support arithmetic, which is a nuisance; that has to be handled externally with a shell script
Further reading
==================================
Update 2014-8-26

The arguments to LOGFILE and CACHEFILE commands are checked for containing only certain allowed characters (specifically, letters, digits, /\.:_*? space, and – between two {letter, digit, underscore}’s). This is because they could match an UNCOMPRESS command and thus be passed to the shell when the uncompress command is popen()’ed.

A month can be split into 3 parts to reduce the load
LOGFILE /opt/log/%Y.%M/[2-3]?/*.c1gstudio.com.log.gz
Analog reads the logs into memory while it runs, so for speed have more RAM than the size of the logs. CACHEOUTFILE and CACHEFILE take a lot of space and do not seem useful.
==================================
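Added example, not from the post or from Analog: the allowed-character rule quoted in the update is what keeps a LOGFILE argument from reaching the shell through popen(). The functions below (my own shell) implement that rule literally, as I read the quoted text: whether Analog applies it before or after expanding %Y/%M date codes is not stated, so the sample inputs are already-expanded names. A comma-separated LOGFILE list is checked element by element.

```bash
#!/bin/sh
# analog_arg_ok ARG
# One LOGFILE/CACHEFILE argument passes when it contains only letters, digits,
# / \ . : _ * ? and space, and every "-" sits between two [letter, digit,
# underscore] characters. Shell metacharacters (; | $ ` & etc.) and a leading
# "-" are rejected, so a crafted file name cannot become shell syntax or an
# option when the UNCOMPRESS command is popen()'ed.
analog_arg_ok() {
  [ -n "$1" ] || return 1
  if printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9/\.:_*? -]'; then
    return 1
  fi
  if printf '%s' "$1" | LC_ALL=C grep -q -e '^-' -e '-$' -e '[^A-Za-z0-9_]-' -e '-[^A-Za-z0-9_]'; then
    return 1
  fi
  return 0
}

# analog_logfile_ok "a.log,b*.log"
# LOGFILE takes a comma-separated list; every element must pass analog_arg_ok.
analog_logfile_ok() {
  set -f                     # no pathname expansion while splitting "*" patterns
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs; set +f
  for item in "$@"; do
    analog_arg_ok "$item" || return 1
  done
  return 0
}

# Usage (not run here): validate what a wrapper script is about to sed into a .cfg
#   analog_logfile_ok "$c1g_LOGFILE" || { echo "refusing LOGFILE $c1g_LOGFILE" >&2; exit 1; }
```

The useful property is the second grep: "-" is allowed inside names such as www-c1g.log, but never at the start of an element or next to another non-word character, which is exactly the shape an injected option or a "--" would have.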

Report switches in the configuration file


MONTHLY ON # one line for each month
WEEKLY ON # one line for each week
DAILYREP ON # one line for each day
DAILYSUM ON # one line for each day of the week
HOURLYREP ON # one line for each hour of the day
GENERAL ON # the General Summary at the top
REQUEST ON # which files were requested
FAILURE ON # which files were not found
DIRECTORY ON # Directory Report
HOST ON # which computers requested files
ORGANISATION ON # which organisations they were from
DOMAIN ON # which countries they were in
REFERRER ON # where people followed links from
FAILREF ON # where people followed broken links from
SEARCHQUERY ON # the phrases and words they used…
SEARCHWORD ON # …to find you from search engines
BROWSERSUM ON # which browser types people were using
OSREP ON # and which operating systems
FILETYPE ON # types of file requested
SIZE ON # sizes of files requested
STATUS ON # number of each type of success and failure

Command-line options


x GENERAL General Summary
1 YEARLY Yearly Report
Q QUARTERLY Quarterly Report
m MONTHLY Monthly Report
W WEEKLY Weekly Report
D DAILYREP Daily Report
d DAILYSUM Daily Summary
H HOURLYREP Hourly Report
h HOURLYSUM Hourly Summary
w WEEKHOUR Hour of the Week Summary
4 QUARTERREP Quarter-Hour Report
6 QUARTERSUM Quarter-Hour Summary
5 FIVEREP Five-Minute Report
7 FIVESUM Five-Minute Summary
S HOST Host Report
l REDIRHOST Host Redirection Report
L FAILHOST Host Failure Report
Z ORGANISATION Organisation Report
o DOMAIN Domain Report
r REQUEST Request Report
i DIRECTORY Directory Report
t FILETYPE File Type Report
z SIZE File Size Report
P PROCTIME Processing Time Report
E REDIR Redirection Report
I FAILURE Failure Report
f REFERRER Referrer Report
s REFSITE Referring Site Report
N SEARCHQUERY Search Query Report
n SEARCHWORD Search Word Report
Y INTSEARCHQUERY Internal Search Query Report
y INTSEARCHWORD Internal Search Word Report
k REDIRREF Redirected Referrer Report
K FAILREF Failed Referrer Report
B BROWSERREP Browser Report
b BROWSERSUM Browser Summary
p OSREP Operating System Report
v VHOST Virtual Host Report
R REDIRVHOST Virtual Host Redirection Report
M FAILVHOST Virtual Host Failure Report
u USER User Report
j REDIRUSER User Redirection Report
J FAILUSER User Failure Report
c STATUS Status Code Report

# +a turns on all reports
Further reading

# print the current settings
analog -settings > file

# set LOGFILE and OUTFILE on the command line
./analog +O/opt/htdocs/www/analog/c1gstudio2014.html /opt/log/2014.08/02/*.c1gstudio.com.log.gz
When I tried this it kept reporting a log format error and produced no report

# the options I use
/usr/local/analog/analog -G +g/usr/local/analog/conf/c1g.cfg +b +s +S -n -o -Z -r
+b browser summary report
-n search word report
+s referring site report
-o domain report
-Z organisation report
+S host report
-r request report

-G do not read analog.cfg
+g read a custom configuration file

Here the daily reports are produced with awstats and the monthly reports with analog, one monthly summary per domain.
The logs are stored per day under /opt/log/2014.08/07/
www.c1gstudio.com.log.gz
blog.c1gstudio.com.log.gz
www.c1g.com.log.gz

Run analog after the daily awstats run
crontab

10 5 * * * /bin/sh /opt/shell/analog.sh > /dev/null 2>&1

vi /opt/shell/analog.sh

#!/bin/sh
# Run Analog over yesterday's month for each domain, after the daily awstats run
ana_dir=/usr/local/analog/
web_dir=/opt/htdocs/www/analog/
conf_dir="${ana_dir}conf/"

today=$(date +%d)
yesterday=$(date +%Y%m%d)
# month (YYYY.MM) and day the logs being reported on belong to
lastday_month=$(date +%Y.%m -d '1 day ago')
lastday_day=$(date +%d -d '1 day ago')

# logs are stored per day under /opt/log/YYYY.MM/DD/; the wildcard covers the whole month
c1g_LOGFILE="/opt/log/${lastday_month}/*/*c1gstudio.com.log.gz"
c1g_OUTFILE="${web_dir}c1gstudio${lastday_month}/index.html"

POST_LOGFILE="/opt/log/${lastday_month}/*/c1g.com.log.gz"
POST_OUTFILE="${web_dir}c1g${lastday_month}/index.html"

#if [ "$today" = "02" ]; then
# Analog does not create the output directory itself
if [ ! -d "$(dirname "${c1g_OUTFILE}")" ]; then
mkdir -p "$(dirname "${c1g_OUTFILE}")"
chown www:website "$(dirname "${c1g_OUTFILE}")"
fi
if [ ! -d "$(dirname "${POST_OUTFILE}")" ]; then
mkdir -p "$(dirname "${POST_OUTFILE}")"
chown www:website "$(dirname "${POST_OUTFILE}")"
fi
# point each config file at this month's logs and report (anchored so CACHEOUTFILE is left alone)
sed -i "s;^LOGFILE.*;LOGFILE ${c1g_LOGFILE};" "${conf_dir}c1gstudio.cfg"
sed -i "s;^OUTFILE.*;OUTFILE ${c1g_OUTFILE};" "${conf_dir}c1gstudio.cfg"
sed -i "s;^LOGFILE.*;LOGFILE ${POST_LOGFILE};" "${conf_dir}c1g.cfg"
sed -i "s;^OUTFILE.*;OUTFILE ${POST_OUTFILE};" "${conf_dir}c1g.cfg"
#fi

"${ana_dir}analog" -G +g"${conf_dir}c1gstudio.cfg" +b +D -d +s +S -n -o -Z -r
"${ana_dir}analog" -G +g"${conf_dir}c1g.cfg" +b +D -d +s +S -n -o -Z +r

Posted in Logs.



Upgrading Postfix to postfix-2.10.3

With sasl2 and MySQL already present


chkconfig sendmail off
/etc/rc.d/init.d/sendmail stop

Disable the existing sendmail:

mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
mv /usr/bin/newaliases /usr/bin/newaliases.OFF
mv /usr/bin/mailq /usr/bin/mailq.OFF
chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF /usr/bin/mailq.OFF

Unlock the files (can be skipped)

chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services

Add the user and group (skip if they already exist)

groupadd -g 2525 postfix
useradd -g postfix -u 2525 -s /sbin/nologin -M postfix
groupadd -g 2526 postdrop
useradd -g postdrop -u 2526 -s /sbin/nologin -M postdrop

Upgrade and install SASL

wget ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-2.1.26.tar.gz
tar zxvf cyrus-sasl-2.1.26.tar.gz
cd cyrus-sasl-2.1.26
./configure --prefix=/usr/local/sasl2 --disable-gssapi --disable-anon --disable-sample --disable-digest --enable-plain --enable-login --enable-sql
make
make install

Remove the old version

mv /usr/lib/libsasl2.a /usr/lib/libsasl2.a.OFF
mv /usr/lib/libsasl2.la /usr/lib/libsasl2.la.OFF
mv /usr/lib/libsasl2.so.2.0.19 /usr/lib/libsasl2.so.2.0.19.OFF
mv /usr/lib/sasl2 /usr/lib/sasl2.OFF
rm /usr/lib/libsasl2.so
rm /usr/lib/libsasl2.so.2

ln -sv /usr/local/sasl2/lib/* /usr/lib
Postfix 2.3 and later look for the SASL library and header files in /usr/local/lib and /usr/local/include respectively, so they must also be linked into those directories:
ln -sv /usr/local/sasl2/lib/* /usr/local/lib
ln -sv /usr/local/sasl2/include/sasl/* /usr/local/include

Upgrade and install Postfix

wget ftp://ftp.reverse.net/pub/postfix/official/postfix-2.10.3.tar.gz
tar xfv postfix-2.10.3.tar.gz
cd postfix-2.10.3
make tidy
make -f Makefile.init makefiles 'CCARGS=-DUSE_SASL_AUTH -I/usr/local/sasl2' 'AUXLIBS=-L/usr/local/sasl2 -lsasl2'
make && make install

Install and configure

/bin/sh postfix-install

Warning: if you use this script to install Postfix locally,
this script will replace existing sendmail or Postfix programs.
Make backups if you want to be able to recover.

Before installing files, this script prompts you for some definitions.
Most definitions will be remembered, so you have to specify them
only once. All definitions should have a reasonable default value.

Please specify the prefix for installed file names. Specify this ONLY
if you are building ready-to-install packages for distribution to OTHER
machines. See PACKAGE_README for instructions.
install_root: [/]

Please specify a directory for scratch files while installing Postfix. You
must have write permission in this directory.
tempdir: [/root/src/lempelf/packages/postfix-2.10.3] /tmp

Please specify the final destination directory for installed Postfix
configuration files.
config_directory: [/etc/postfix] /etc/postfix

Please specify the final destination directory for installed Postfix
administrative commands. This directory should be in the command search
path of adminstrative users.
command_directory: [/usr/sbin] /usr/local/postfix/libexec

Please specify the final destination directory for installed Postfix
daemon programs. This directory should not be in the command search path
of any users.
daemon_directory: [/usr/libexec/postfix] /usr/local/postfix/sbin

Please specify the final destination directory for Postfix-writable
data files such as caches or random numbers. This directory should not
be shared with non-Postfix software.
data_directory: [/var/lib/postfix]

Please specify the final destination directory for the Postfix HTML
files. Specify “no” if you do not want to install these files.
html_directory: [no]

Please specify the owner of the Postfix queue. Specify an account with
numerical user ID and group ID values that are not used by any other
accounts on the system.
mail_owner: [postfix]

Please specify the final destination pathname for the installed Postfix
mailq command. This is the Sendmail-compatible mail queue listing command.
mailq_path: [/usr/bin/mailq]

Please specify the final destination directory for the Postfix on-line
manual pages. You can no longer specify “no” here.
manpage_directory: [/usr/local/man]

Please specify the final destination pathname for the installed Postfix
newaliases command. This is the Sendmail-compatible command to build
alias databases for the Postfix local delivery agent.
newaliases_path: [/usr/bin/newaliases]

Please specify the final destination directory for Postfix queues.
queue_directory: [/var/spool/postfix]

Please specify the final destination directory for the Postfix README
files. Specify “no” if you do not want to install these files.
readme_directory: [no]

Please specify the final destination pathname for the installed Postfix
sendmail command. This is the Sendmail-compatible mail posting interface.
sendmail_path: [/usr/sbin/sendmail]

Please specify the group for mail submission and for queue management
commands. Specify a group name with a numerical group ID that is
not shared with other accounts, not even with the Postfix mail_owner
account. You can no longer specify “no” here.
setgid_group: [postdrop]

Rebuild the alias database and fix ownership

newaliases


chown root /etc/postfix/main.cf
chown -R postfix:postdrop /var/spool/postfix
chown -R postfix:postdrop /var/lib/postfix/
chown root /var/spool/postfix
chown -R root /var/spool/postfix/pid

vi /etc/postfix/main.cf
Change the following items to the values you need

myhostname = mail.c1gstudio.com
myorigin = c1gstudio.com
mydomain = c1gstudio.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8

Start

sendmail -bd

Test
mail -s "test" [email protected]

Posted in Mail/Postfix.


WeChat Official Account platform development

I have been doing WeChat Official Account platform development recently and recommend this WeChat Official Account development beginner's tutorial. It is well done; one read-through and it all makes sense.

Official documentation: http://mp.weixin.qq.com/wiki/index.php

Posted in Documentation and Theory.


Deploying a Snort + BASE intrusion detection system

[Introduction]
Snort is a lightweight network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks. It can do protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more.

Snort requires libpcap and DAQ
As of Snort 2.9.0, and DAQ, Snort now requires the use of a libpcap version greater than 1.0. Unfortunately for people using RHEL 5 (and below), CentOS 5.5 (and below), and Fedora Core 11 (and below), there is not an official RPM for libpcap 1.0.

Sourcefire will not repackage libpcap and distribute libpcap with Snort as part of an RPM, as it may cause other problems and will not be officially supported by Redhat.

Install via yum

yum install libpcap libpcap-devel


wget http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz
tar zxvf libpcap-1.4.0.tar.gz
cd libpcap-1.4.0
./configure
make
make install


cd ..
http://code.google.com/p/libdnet/
wget https://libdnet.googlecode.com/files/libdnet-1.12.tgz
tar zxvf libdnet-1.12.tgz
cd libdnet-1.12
./configure
make && make install


cd ..
wget http://www.snort.org/downloads/2778
tar zxvf daq-2.0.2.tar.gz
cd daq-2.0.2
./configure --with-libpcap-libraries=/usr/local/lib
make
make install

Add a user

groupadd snort
useradd -g snort snort -s/sbin/nologin

Install Snort

cd ..
wget http://www.snort.org/downloads/2787
tar zxvf snort-2.9.6.0.tar.gz
cd snort-2.9.6.0
./configure --prefix=/usr/local/snort-2.9.6.0 --with-dnet-libraries=/usr/local/lib/
make
make install
cd /usr/local
ln -s snort-2.9.6.0 snort
cd bin
./snort -v

Error

/usr/local/snort/bin/snort: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory

Fix

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
# run in the directory where libdnet installed its library files (/usr/local/lib per the configure step above)
cp libdnet libdnet.so
cp libdnet.1 libdnet.1.so
ldconfig

Error

configure: WARNING: unrecognized options: --with-mysql

Snort dropped MySQL output support starting with 2.9.3; use the Barnyard plugin instead

Snort rule download locations:
1. The community snortrules-snapshot can be downloaded free of charge from http://www.snort.org/; the official rules require a paid subscription
2. A third-party rules file rules.tar.gz is available from http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/; that series is updated fairly often. My snortrules-snapshot-2.8.tar.gz was downloaded from 51cto.
3. BASE can be obtained from http://sourceforge.net/projects/secureideas/. Alternatively, SnortCenter is a web-based Snort sensor and rule management system for remotely changing sensor configuration, starting and stopping sensors, and editing and distributing Snort signature rules. http://users.telenet.be/larc/download/
4. ADOdb can be downloaded from http://sourceforge.net/projects/adodb/. ADODB is short for Active Data Objects Data Base, a database access abstraction library for PHP


mkdir /usr/local/snort/etc
cd /usr/local/snort/etc/
tar zxvf snortrules-snapshot-2956.tar.gz
mv etc/* .
rm snortrules-snapshot-2956.tar.gz

chown -R root:root .
vi /usr/local/snort/etc/snort.conf

Change the following

var RULE_PATH /usr/local/snort/etc/rules
var SO_RULE_PATH /usr/local/snort/etc/so_rules
var PREPROC_RULE_PATH /usr/local/snort/etc/preproc_rules

var WHITE_LIST_PATH /usr/local/snort/etc/rules
var BLACK_LIST_PATH /usr/local/snort/etc/rules

dynamicpreprocessor directory /usr/local/snort/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

output unified2: filename /var/log/snort/snort.u2, limit 128


mkdir /usr/local/snort/lib/snort_dynamicrules
mkdir /var/log/snort
chown snort:snort /var/log/snort

touch /usr/local/snort/etc/rules/white_list.rules
touch /usr/local/snort/etc/rules/black_list.rules

Start Snort

/usr/local/snort/bin/snort -d -u snort -g snort -l /var/log/snort -c /usr/local/snort/etc/snort.conf


--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3

!! The database output plugins are considered deprecated as
!! of Snort 2.9.2 and will be removed in Snort 2.9.3.

Barnyard is a well-known log tool for the open-source IDS, with fast response and excellent database write performance; it is an indispensable plugin for building a custom intrusion detection system
http://www.securixlive.com/barnyard2/download.php

Install barnyard2; this assumes MySQL is already installed, here under /opt/mysql

wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
tar zxvf barnyard2-1.9.tar.gz
cd barnyard2-1.9
./configure --with-mysql=/opt/mysql
make
make install

cp etc/barnyard2.conf /usr/local/snort/etc/
mkdir /var/log/barnyard2
touch /var/log/snort/barnyard2.waldo

vi /usr/local/snort/etc/barnyard2.conf


config reference_file: /usr/local/snort/etc/reference.config
config classification_file: /usr/local/snort/etc/classification.config
config gen_file: /usr/local/snort/etc/gen-msg.map
config sid_file: /usr/local/snort/etc/sid-msg.map

config hostname: localhost
config interface: eth0
outdatabase:
output database: log, mysql, user=snort password=snort dbname=snort host=localhost

In "output database", set your own database address and password

The database schema is in schemas/create_mysql under the build directory; import it with mysql

CREATE USER 'snort'@'localhost' IDENTIFIED BY '***';

GRANT USAGE ON * . * TO 'snort'@'localhost' IDENTIFIED BY '***' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
GRANT SELECT , INSERT , UPDATE , DELETE , CREATE , DROP , INDEX , ALTER ON `snortdb` . * TO 'snort'@'localhost';

Install BASE and ADOdb

wget http://jaist.dl.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
tar zxvf base-1.4.5.tar.gz
chown -R www:website base-1.4.5
mv base-1.4.5 /opt/htdocs/www/
ln -s base-1.4.5 base

wget http://jaist.dl.sourceforge.net/project/adodb/adodb-php5-only/adodb-518-for-php5/adodb518a.zip
unzip adodb518a.zip
chown -R www:website adodb5
mv adodb5 /opt/htdocs/www/base/adodb5

Update PHP's PEAR packages

cd /opt/php/bin
./pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman Mail_Mime Mail

Open the address below and run the online setup, which is just a matter of configuration
http://localhost:80/base/setup/index.php

Test Snort

/usr/local/snort/bin/snort -vd -i eth1

Snort also has a test option ("-T") that makes it easy to validate configuration changes. Run "snort -c /etc/snort/snort.conf -T" and inspect the output to tell whether the changed configuration works.

Run Snort, monitoring eth1 for intrusions and logging to MySQL

/usr/local/snort/bin/snort -D -c /usr/local/snort/etc/snort.conf -i eth1

barnyard2 -c /usr/local/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -D -w /var/log/snort/barnyard2.waldo

View traffic
iftop -i eth1

If there is an intrusion, the record shows up in BASE.

To monitor the traffic of a whole switch, configure port mirroring on the switch to copy the traffic to the port connected to the Snort machine's NIC.
My Snort machine has 4 NICs: three monitor the China Telecom, China Netcom and internal traffic, and the last one is used for management and data transfer.

vi /usr/local/snort/etc/barnyard2.conf
Remove the absolute path and the timestamp

output unified2: filename snort.log, limit 128


mkdir /var/log/snort0 /var/log/snort1 /var/log/snort2
chown snort:snort /var/log/snort0 /var/log/snort1 /var/log/snort2
touch /var/log/snort0/barnyard.waldo
touch /var/log/snort1/barnyard.waldo
touch /var/log/snort2/barnyard.waldo

Run

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

Now tcpdump or iftop shows the traffic of the other machines on the same switch.

To protect Snort itself from attack, remove the IP addresses from the NICs so the sensor is hidden
Remove the addresses from eth0, eth1 and eth2 in turn, keeping the internal eth3
ifdown eth1
vi /etc/sysconfig/network-scripts/ifcfg-eth1

#NETMASK=255.255.255.192
#IPADDR=66.84.77.8

ifup eth1
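Added example (mine, not from the post): the "hide the sensor" step above comments out IPADDR and NETMASK by hand. The shell functions below do the same to an ifcfg file's text and verify that no addressing directive is left active; they go slightly beyond the post by also covering GATEWAY, PREFIX, NETWORK and BROADCAST, since any of those would leave routing state on a sensor that should be invisible. SAMPLE_IFCFG is constructed with documentation addresses.

```bash
#!/bin/sh
# Constructed ifcfg-eth1 for a sniffing interface (addresses are documentation ranges)
SAMPLE_IFCFG='DEVICE=eth1
HWADDR=00:15:17:2D:52:C5
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.0.2.8
NETMASK=255.255.255.192
GATEWAY=192.0.2.1'

# ifcfg_strip_ip IFCFG_TEXT
# Comments out every addressing directive so "ifup" brings the link up with
# no IP address. The [0-9]* suffix also catches IPADDR0/PREFIX0 style keys.
ifcfg_strip_ip() {
  printf '%s\n' "$1" | sed -E 's/^[[:space:]]*(IPADDR|NETMASK|GATEWAY|PREFIX|NETWORK|BROADCAST)[0-9]*=/#&/'
}

# ifcfg_has_no_ip IFCFG_TEXT
# Exit 0 when no active (uncommented) addressing directive remains.
ifcfg_has_no_ip() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(IPADDR|NETMASK|GATEWAY|PREFIX|NETWORK|BROADCAST)[0-9]*='; then
    return 1
  fi
  return 0
}

# Usage on a host (not run here): take the interface down, rewrite its file
# through a temporary copy, verify, and only then bring it back up.
#   f=/etc/sysconfig/network-scripts/ifcfg-eth1
#   ifdown eth1
#   cp "$f" /root/ifcfg-eth1.bak
#   ifcfg_strip_ip "$(cat "$f")" > "$f.new" && mv "$f.new" "$f"
#   ifcfg_has_no_ip "$(cat "$f")" && ifup eth1
```

After ifup, `ip addr show eth1` should list the link as UP with no inet line; that is the state in which the sensor still receives mirrored traffic but has nothing to answer from.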

Start automatically at boot
vi /etc/rc.local

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -l /var/log/snort1
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth1 -d /var/log/snort1 -f snort.log -D -w /var/log/snort1/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth0 -l /var/log/snort0
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth0 -d /var/log/snort0 -f snort.log -D -w /var/log/snort0/barnyard.waldo

/usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth2 -l /var/log/snort2
barnyard2 -c /usr/local/snort/etc/barnyard2.conf -i eth2 -d /var/log/snort2 -f snort.log -D -w /var/log/snort2/barnyard.waldo

Error examples:
====================

ERROR! dnet header not found, go get it from
http://code.google.com/p/libdnet/ or use the --with-dnet-*

Fix
Install dbus
http://www.freedesktop.org/wiki/Software/dbus/

http://downloads.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Flibdnet%2Ffiles%2Flibdnet%2Flibdnet-1.11%2F&ts=1392967212&use_mirror=jaist
tar zxvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make && make install

====================

/usr/local/lib/libz.a: could not read symbols: Bad value
collect2: ld returned 1 exit status

Fix
Rebuild zlib as position-independent code (-fPIC)

wget http://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.3/zlib-1.2.3.tar.gz
tar zxvf zlib-1.2.3.tar.gz
cd zlib-1.2.3
./configure
vi Makefile    # find the CFLAGS=xxxxx line and append -fPIC to it; passing CFLAGS="-O3 -fPIC" to configure instead did not work
make
make install

=======================

May 15 15:22:37 c1gstudio snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain. memcap: 8362032/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain. memcap: 8388229/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6033 ssns remain. memcap: 8377128/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6029 ssns remain. memcap: 8362875/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6022 ssns remain. memcap: 8388607/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 20 sessions from cache for memcap. 6002 ssns remain. memcap: 8379709/8388608

vi /usr/local/snort/etc/snort.conf

Raise memcap to 134217728 (128 MB)

# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
memcap 134217728, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 2, \
min_response_seconds 5

=====================

WARNING: /usr/local/snort/etc/snort.conf(512) => Keyword priority for whitelist is not applied when white action is unblack.
May 15 17:01:08 c1gstudio snort[12460]: Processing whitelist file /usr/local/snort/etc/rules/white_list.rules
May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 1, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/white_list.rules)
May 15 17:01:08 c1gstudio snort[12460]: Processing blacklist file /usr/local/snort/etc/rules/black_list.rules
May 15 17:01:08 c1gstudio snort[12460]: Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/rules/black_list.rules)
May 15 17:01:08 c1gstudio snort[12460]: Reputation total memory usage: 529052 bytes

Set WHITE_LIST_PATH and BLACK_LIST_PATH to absolute paths
vi /usr/local/snort/etc/snort.conf

var WHITE_LIST_PATH /usr/local/snort/etc/rules
var BLACK_LIST_PATH /usr/local/snort/etc/rules

Blacklist/whitelist example, though it had no effect when I tried it.

preprocessor reputation: \
nested_ip both, \
blacklist /etc/snort/default.blacklist, \
whitelist /etc/snort/default.whitelist, \
white trust

In file "default.blacklist"
# These two entries will match all ipv4 addresses
1.0.0.0/1
128.0.0.0/1

In file "default.whitelist"
68.177.102.22 # sourcefire.com
74.125.93.104 # google.com

================

May 15 23:29:32 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x2001
May 15 23:32:42 c1gstudio snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x212001
May 16 05:01:49 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 69.196.253.30 3734 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x402003

max_queued_bytes
Default is "1048576" (1 MB).
Change it to 10 MB:

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
max_queued_bytes 10485760
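An added example (not the post's code) that reads the two kinds of Stream5 messages this post tunes against: the "Pruned N sessions from cache for memcap" lines behind the stream5_global memcap change, and the "Session exceeded configured max bytes to queue" lines behind max_queued_bytes above. Function names are this example's own; the sample lines are the ones quoted in the post, embedded here as test data.

```shell
#!/bin/sh
# Added example (not from the original post): summarize the Stream5 ("S5")
# pressure messages Snort writes to syslog, so memcap and max_queued_bytes
# can be tuned from evidence instead of guessed.
# Every function reads syslog lines on stdin, e.g.
#   grep 'S5:' /var/log/messages | pruned_total

# Total sessions dropped for memcap pressure ("S5: Pruned N sessions from cache for memcap").
# Single-session stale/timeout prunes are a different message and are not counted.
pruned_total() {
    awk '/S5: Pruned [0-9]+ sessions from cache for memcap/ {
             for (i = 1; i < NF; i++) if ($i == "Pruned") n += $(i + 1)
         }
         END { print n + 0 }'
}

# Highest memcap utilisation seen, in whole percent, from the "memcap: used/limit" tail.
memcap_peak_pct() {
    awk '/for memcap\. .* memcap: [0-9]+\/[0-9]+$/ {
             split($NF, m, "/")
             pct = int(100 * m[1] / m[2])
             if (pct > peak) peak = pct
         }
         END { print peak + 0 }'
}

# Flows that hit max_queued_bytes: "src:sport -> dst:dport side bytes", one per line.
queue_exceeded() {
    awk '/S5: Session exceeded configured max bytes to queue/ {
             side = ($0 ~ /\(server queue\)/) ? "server" : "client"
             for (i = 1; i <= NF; i++) {
                 if ($i == "using") bytes = $(i + 1)
                 if ($i == "->") flow = $(i - 2) ":" $(i - 1) " -> " $(i + 1) ":" $(i + 2)
             }
             print flow, side, bytes
         }'
}

# Sample input: the log lines quoted in the post, embedded here as test data.
sample_log() {
    cat <<'EOF'
May 15 15:22:37 c1gstudio snort[29521]: S5: Pruned 35 sessions from cache for memcap. 5881 ssns remain. memcap: 8362032/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6038 ssns remain. memcap: 8388229/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6033 ssns remain. memcap: 8377128/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 5 sessions from cache for memcap. 6029 ssns remain. memcap: 8362875/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 10 sessions from cache for memcap. 6022 ssns remain. memcap: 8388607/8388608
May 15 15:22:38 c1gstudio snort[29521]: S5: Pruned 20 sessions from cache for memcap. 6002 ssns remain. memcap: 8379709/8388608
May 15 23:29:32 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049895 bytes (server queue). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x2001
May 15 23:32:42 c1gstudio snort[20203]: S5: Pruned session from cache that was using 1108276 bytes (stale/timeout). 36.250.86.52 5917 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x212001
May 16 05:01:49 c1gstudio snort[20203]: S5: Session exceeded configured max bytes to queue 1048576 using 1049688 bytes (client queue). 69.196.253.30 3734 -> 61.147.125.16 80 (0) : LWstate 0x1 LWFlags 0x402003
EOF
}

# Human-readable report; run as:  sample_log | s5_report
s5_report() {
    tmp=$(cat)
    printf 'sessions pruned for memcap: %s\n' "$(printf '%s\n' "$tmp" | pruned_total)"
    printf 'peak memcap utilisation:    %s%%\n' "$(printf '%s\n' "$tmp" | memcap_peak_pct)"
    printf 'flows over max_queued_bytes:\n'
    printf '%s\n' "$tmp" | queue_exceeded | sed 's/^/  /'
}
```

On the post's own lines the report shows 85 sessions pruned with memcap at 99% of the 8 MB default, which is the evidence for the 128 MB setting; the max_queued_bytes hits are all flows to the same web server on port 80, so the 10 MB queue is sized for large HTTP bodies rather than for the whole sensor.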

References:
http://www.ibm.com/developerworks/cn/web/wa-snort1/
http://www.ibm.com/developerworks/cn/web/wa-snort2/

http://www.snort.org/snort-downloads?
http://man.chinaunix.net/network/snort/Snortman.htm
http://blog.chinaunix.net/uid-286494-id-2134474.html
http://blog.chinaunix.net/uid-522598-id-1764389.html
http://sourceforge.net/p/snort/mailman/snort-users/thread/433A1D25-D6EE-4257-8CE6-3743395D05D0%40auckland.ac.nz/#msg26465706
http://manual.snort.org/

Posted in Security, Technology.



Adding a header in Nginx to stop the page being framed

An X-Frame-Options header, added from PHP, Nginx or similar, controls whether the page may be loaded in a frame.
X-Frame-Options takes one of three values:

DENY: the browser refuses to load the page inside any frame

SAMEORIGIN: the page may only be framed by pages from the same origin

ALLOW-FROM: the URI of the page that is allowed to frame this one

PHP code:

header('X-Frame-Options: DENY');

Nginx configuration:

add_header X-Frame-Options SAMEORIGIN;

It can also be placed inside a location block:
location /
{
    add_header X-Frame-Options SAMEORIGIN;
}

Apache configuration:

Header always append X-Frame-Options SAMEORIGIN

Once this is in place, a page that is not allowed to be framed renders as a blank area.
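An added example, not from the original post, that reports which X-Frame-Options policy a server actually returns, so the Nginx, Apache or PHP setting above can be verified after deployment instead of assumed. Function names are this example's own; it needs only sh and awk, plus curl for the live check.

```shell
#!/bin/sh
# Added example (not from the original post): report the framing policy a
# server actually sends, from raw HTTP response headers on stdin.
# Prints DENY, SAMEORIGIN, ALLOW-FROM <uri>, MISSING, or INVALID (<value>).

xfo_policy() {
    tr -d '\r' | awk '
        tolower($0) ~ /^x-frame-options:/ {
            v = $0
            sub(/^[^:]*:[ \t]*/, "", v)   # drop the header name
            sub(/[ \t]+$/, "", v)         # and trailing whitespace
            n++
            val[n] = v
        }
        END {
            if (n == 0) { print "MISSING"; exit }
            # Two differing X-Frame-Options headers are not honoured consistently
            # across browsers; treat them as a misconfiguration.
            for (i = 2; i <= n; i++)
                if (toupper(val[i]) != toupper(val[1])) {
                    print "INVALID (conflicting headers)"; exit
                }
            v = val[1]; u = toupper(v)
            if (u == "DENY" || u == "SAMEORIGIN") {
                print u
            } else if (u ~ /^ALLOW-FROM[ \t]+[^ \t]+$/) {
                match(u, /[ \t]+/)        # keep the URI in its original case
                print "ALLOW-FROM " substr(v, RSTART + RLENGTH)
            } else {
                print "INVALID (" v ")"   # e.g. "SAMEORIGIN, SAMEORIGIN" from a merged header
            }
        }'
}

# Live check against a server: response headers from curl, verdict from xfo_policy.
xfo_check_url() {
    curl -sI "$1" | xfo_policy
}

# Constructed sample response, as nginx would send after the add_header line above.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n'
}
```

Two things this catches that the page's snippets do not mention: an add_header inside a location block replaces, rather than extends, the add_header directives inherited from the server block, so a header set at server level can silently disappear for that location (the checker reports MISSING); and Apache's Header append merges with a value already present, so if the backend also sets X-Frame-Options the client receives "SAMEORIGIN, SAMEORIGIN", which browsers do not treat as SAMEORIGIN (the checker reports INVALID).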

References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header

Posted in Nginx.