Monthly archive: April 2017

SSH key-based login

Foreword

This article is based on real Linux administration work. It walks through the actual workflow of SSH key-based login with examples, explains how key-based login is configured and why it works, and, building on that, solves the various problems of key-based login from SecureCRT on Windows, as well as the password-less hopping between nodes that a Hadoop cluster deployment requires.

SSH supports password login and key-based login. Beginners like password login, even logging in as root with the password 123456. In real work, however, especially at Internet companies, key-based login is the norm. Machines on the internal network may still be reachable by password, but machines exposed to the Internet are easily attacked if password login is enabled; in a real production environment, SSH login is key-based.

Steps for key-based login

1. The client generates a key pair: a private key and a public key. The private key stays on the client and must be stored safely. For security, to guard against an attacker copying the private key from the client, the client sets a passphrase when generating the private key; from then on, every SSH login requires entering the passphrase to unlock the private key. (If you use a private key without a passphrase at work and one day the server is compromised, you will never be able to clear your name.)

2. The server adds the trusted public key: upload the public key generated on the client to the SSH server and add it to the designated file. That completes the configuration for SSH key-based login.

If the client wants to use the same private key to log in to other SSH servers, the public key can likewise be uploaded to those servers.

In real work: an employee generates a private key and a public key (always remember to set a passphrase on the private key), then sends the public key to the operations staff, who register it and grant access to one or more servers. The employee can then use a single private key to log in to the servers they are authorized for and do system maintenance. The employee is therefore responsible for protecting their private key: if it is copied by someone malicious and no passphrase was set, the servers are lost, and the employee can take a long vacation. Continue reading

Enabling Perfect Forward Secrecy

To encrypt communications between you and your end users, you purchase an SSL certificate, install it on your server, and then configure your website to use the certificate to protect these communications. The SSL connection begins when the end user's browser reaches out to shake hands with your website.

During this handshake, information about the capabilities of the browser and the server is exchanged, validation occurs, and a session key that meets both the browser's and the server's criteria is created. Once the session key is created, the rest of the conversation between the end user and your site is encrypted and thus secured. Historically, the most common method for negotiating the session key involved the RSA public-key cryptosystem. The RSA approach uses the server's public key to protect the session key parameters created by the browser when they are sent to the server. The server is able to decrypt this handshake with its corresponding private key. Continue reading

How to assign multiple IP addresses to one network interface on CentOS

The practice of configuring multiple IP addresses on a particular network interface is called IP aliasing. IP aliasing is useful when you set up multiple sites on virtual web hosting on a single interface, or maintain multiple connections to a network each of which serves a different purpose. You can assign multiple IP addresses to one network interface from a single subnet or completely different ones.

All existing Linux distributions, including CentOS, support IP aliasing. Here is how to bind multiple IP addresses to a single network interface on CentOS.

If you would like to set up IP aliasing on the fly, there are two ways to do it. One way is to use ifconfig, and the other is to use the ip command. Using these two methods, let me show you how to add two extra IP addresses to eth0. Continue reading

How to setup an SFTP server on CentOS

This tutorial explains how to set up and use an SFTP server on CentOS. Before I start, let me explain what SFTP actually is and what it is used for. Most people know that plain FTP can be used to transfer, download or upload data from server to client or from client to server. But this protocol is easily attacked by anonymous intruders (if TLS is not used), since its ports are open to anyone and its traffic is unencrypted. SFTP was therefore introduced as an alternative whose main purpose is to strengthen security.

SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. It uses a separate protocol packaged with SSH to provide a secure connection.

1. Preliminary Note

For this tutorial, I am using CentOS 6.4 in the 32bit version. The same steps will work on CentOS 7 as well. The tutorial result will show how a client can be provided with access to the SFTP server but unable to login to the server itself by SSH.

Continue reading

Notes on ModSecurity configuration directives

Transactions

Console

1 Introduction

ModSecurity is a tool for protecting the security of web applications. No, let's start from the beginning. I often call ModSecurity a WAF (web application firewall), which is a widely accepted name referring to the family of products designed specifically to protect web applications. At other times I call it an HTTP intrusion detection tool, which I think better describes what ModSecurity does.


Understanding ModSecurity

Just as it does for other modules, Apache handles some basic tasks for ModSecurity:

1. Encryption and decryption

2. Breaking up the inbound connection stream into HTTP requests

3. Partially parsing HTTP requests

4. Invoking ModSecurity and selecting the correct configuration context (<VirtualHost>, <Location>, etc.)

5. De-chunking request bodies as necessary

In reverse proxy mode, Apache performs a few additional tasks:

1. Forwarding requests to the backend servers (SSL or non-SSL)

2. Partially parsing HTTP responses

3. De-chunking response bodies as necessary

Continue reading

Install package network:ha-clustering:Stable / crmsh

For RedHat RHEL-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/RedHat_RHEL-6/network:ha-clustering:Stable.repo
yum install crmsh

For Fedora 25 run the following as root:

dnf config-manager --add-repo http://download.opensuse.org/repositories/network:ha-clustering:Stable/Fedora_25/network:ha-clustering:Stable.repo
dnf install crmsh

For CentOS CentOS-7 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-7/network:ha-clustering:Stable.repo
yum install crmsh

For CentOS CentOS-6 run the following as root:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/network:ha-clustering:Stable/CentOS_CentOS-6/network:ha-clustering:Stable.repo
yum install crmsh

pdo_informix

1. Installing Informix Client SDK for Linux x86_64

1.1 Download Informix Client SDK 3.70 for Linux x86_64 from IBM website, https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?rs=ifxdl

1.2 Extract the file, `cd /opt/informix; tar -xvf clientsdk.3.70.FC8DE.LINUX.tar`

1.3 Start installation, `./installclientsdk`, install all

2. Installing PDO Informix

2.1 Download PDO Informix 1.3.1, `wget https://pecl.php.net/get/PDO_INFORMIX-1.3.1.tgz`

2.2 Extract the file, `tar -xvf PDO_INFORMIX-1.3.1.tgz`

2.3 `cd PDO_INFORMIX-1.3.1` and compile:

2.3.1 `phpize`

2.3.2 `./configure --with-pdo-informix=/opt/informix`; if you get the error `configure: error: Cannot find php_pdo_driver.h`, run `ln -s /usr/include/php5 /usr/include/php` and try again.

2.3.3 `make`

2.3.4 `make install`

3. Include pdo_informix.so in php.ini

Other reference: http://stackoverflow.com/questions/19909075/php-and-informix-on-debian-how-to-install-configure-the-pdo

Sample Code:

<?php
// Connect through the pdo_informix driver. Replace the placeholder host, port,
// database, server instance name and credentials with your own values.
$db = new PDO("informix:host=hostname_or_ipaddr;service=port;database=dbname;server=instancename;protocol=onsoctcp;EnableScrollableCursors=1;", "username", "password");

print "Connection Established!\n\n";

// Run a query and fetch the first row, indexed both by column number and by column name
$stmt = $db->query("select * from tablename");
$res = $stmt->fetch(PDO::FETCH_BOTH);
$rows = $res[0];   // first column of the first row
echo "Table contents: $rows.\n";
?>

ModSecurity

I. Introduction

ModSecurity is a free, open-source host-based WAF (http://www.modsecurity.org/). The latest version on the official site is currently 2.9.1, and it supports nginx, Apache and IIS (32- and 64-bit). It runs mainly as an extension module of those web servers: using rule files, it identifies malicious web attacks from outside and then drops them. Continue reading

Setting the Linux history-related variables

I. Timestamping history entries

# vi /etc/profile    //append the following at the end of the file, then save, exit and log in again
HISTTIMEFORMAT='%F %T '     //note the trailing space: it separates the timestamp from the command in the output.
HISTSIZE="3000"    //the default keeps 1000 entries.


export HISTTIMEFORMAT='%F %T '
2015-07-27 10:33:58 echo from1
whereas with
export HISTTIMEFORMAT='%F %T'   //without the space after %T, the date runs straight into the command
2015-07-27 10:33:58echo from1

Continue reading