Category Archives: System Administration

Windows\Linux\*nix system administration

Rate limiting with the iptables hashlimit module

For a long time I kept searching for a way to do "port rate limiting", to cap the rate at which relayed traffic is forwarded.

The answers search engines return usually involve combining iptables with tc: iptables to classify and mark the traffic, tc to shape it. That approach is complex and hard to maintain.

There are also very few relevant open-source projects to be found on GitHub.

Recently I finally found the most efficient, most convenient and most flexible way to do it (it covers far more than per-port limiting): the iptables hashlimit module.

What is hashlimit

hashlimit is an iptables extension module. It is purely a match module with no action of its own; it has to be combined with other modules and targets (ACCEPT, DROP and so on) to do anything useful.

What is a token bucket

The algorithm hashlimit uses is called the token bucket algorithm.

A token bucket, as the name suggests, can be thought of as a bucket full of tokens. When requests arrive, think of a crowd arriving: only those who manage to take a token may take part in the activity (buying some item, say). The bucket has a fixed capacity, and whenever it is not full new tokens are generated at a fixed rate.

So suppose a token bucket is used to limit the rate at which a crowd can buy an item: the bucket holds 50 tokens, tokens are generated at 100 per second, and the crowd's appetite is unlimited (it buys as fast as it possibly can). The moment sales open, the crowd grabs all 50 tokens at once (the burst). After that it can only buy at 100 per second, exactly the rate at which tokens are generated (the maximum sustained rate), and the bucket stays empty. The crowd's purchase rate has thus been limited to the token generation rate.
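The behaviour described above, as an added example that is not code from the original post: a token bucket of capacity 50 refilled at 100 tokens per second, which is what `-m hashlimit --hashlimit-upto 100/s --hashlimit-burst 50` configures, kept per source address as `--hashlimit-mode srcip` does. The packet timeline it replays is constructed, and it uses exact rational arithmetic so that the boundary cases come out exactly; the kernel uses integer credits instead, but the accept/deny decisions are the same.

```python
"""Token-bucket model of the iptables hashlimit match (added example, not code
from the original post).

Models `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 100/s
--hashlimit-burst 50`: one bucket per source address, capacity 50, refilled at
100 tokens/s. Fractions keep the arithmetic exact.
"""
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = Fraction(rate)     # tokens added per second (--hashlimit-upto)
        self.burst = Fraction(burst)   # capacity (--hashlimit-burst)
        self.tokens = Fraction(burst)  # a new entry starts full: the first `burst` packets pass
        self.last = None               # time of the previous packet, None before the first

    def allow(self, now):
        """Refill for the time elapsed since the last packet, then try to spend one token.
        `now` is seconds as an int or Fraction; True means the packet is within the limit."""
        now = Fraction(now)
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HashLimit:
    """One TokenBucket per key, like the per-source hash table hashlimit keeps."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def match(self, key, now):
        return self.buckets[key].allow(now)


def simulate(rate=100, burst=50, pps=1000, seconds=2, src="10.0.0.1"):
    """Replay a constant flood of `pps` packets/s from `src` for `seconds` seconds
    (constructed traffic). Returns how many packets matched in each whole second."""
    hl = HashLimit(rate, burst)
    accepted = [0] * seconds
    for i in range(pps * seconds):
        t = Fraction(i, pps)
        if hl.match(src, t):
            accepted[int(t)] += 1
    return tuple(accepted)


if __name__ == "__main__":
    # 1000 pps against a 100/s limit with burst 50: the first second passes the
    # 50-packet burst plus the refill, the second only the refill.
    print(simulate())  # (149, 100)
```

With the rule written as `iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns --hashlimit-mode srcip --hashlimit-upto 100/s --hashlimit-burst 50 -j ACCEPT` followed by a DROP for the same port, packets that the model returns True for are the ones the ACCEPT rule would match; everything else falls through to the DROP. The first second shows 149 rather than 150 because the refill for the final millisecond has not yet added up to a whole token.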

Continue reading

DNS Flood Detector

DNS Flood Detector 1.2

Dennis Opacki

dopacki@adotout.com

What is DNS Flood Detector? 

DNS Flood Detector was developed to detect abusive usage levels on high traffic nameservers and to enable quick response to the use of one’s nameserver to facilitate spam. DNS Flood Detector is distributed under the Gnu Public License (see included LICENSE file for details).

How does it work?   

DNS Flood Detector uses libpcap (in non-promiscuous mode) to monitor incoming dns queries to a nameserver. The tool may be run in one of two modes, either daemon mode or “bindsnap” mode. In daemon mode, the tool will alarm via syslog. In bindsnap mode, the user is able to get near-real-time stats on usage to aid in more detailed troubleshooting.

By default, it will count dns queries directed to any address in the same network as the primary IP address on the interface being watched; the -A, -M, and -Q options can be used to modify this behaviour.

As of version 1.2, DNS Flood Detector can now send source IP request data to a network-based collector as JSON. This lets you gather near real-time information about who is using your DNS servers, and from where. I’ve included a sample application called dns_flood_collector.pl, which you can use to receive and report these data. The output of this program can be easily fed into a graphing tool, such as Caida’s plot-latlong:

http://www.caida.org/tools/visualization/plot-latlong/

How do I build it?

Execute ./configure.pl to select the appropriate make target. Then simply type “make”.

Why was it written? 

I wrote DNS Flood Detector because the fifty or so public recursive nameservers I am responsible for were being abused by both customers and non-customers. DNS Flood Detector allows for prompt action when anomalous conditions are detected.

What do I need to use it? 

You need libpcap and a little bit of patience.

What platforms does it work on?

Linux, BSDI, FreeBSD, Mac OSX, Solaris

Will it run under Windows {95,98,NT,2000,XP,2003,2008 or Win7}? 

Maybe. I haven’t tried. If it doesn’t, feel free to submit a fix.

What does it look like? 

Usage: ./dns_flood_detector [OPTION]
-i IFNAME              specify interface to listen on
-t N                   alarm at >N queries per second
-a N                   reset alarm after N seconds
-w N                   calculate stats every N seconds
-x N                   create N buckets
-m N                   mark total query rate every N seconds
-A addr                filter for specific address
-M mask                netmask for filter (in conjunction with -A)
-Q                     don’t filter by local interface address
-b                     run in foreground in bindsnap mode
-d                     run in background in daemon mode
-D                     dump dns packets (implies -b)
-v                     verbose output – use again for more verbosity
-s                     send source IP stats to collector as JSON
-z N.N.N.N             address to send stats to (default 226.1.1.2)
-p N                   UDP port to send stats to (default 2000)
-h                     display this usage information

Sample Output:

dopacki:~$ sudo ./dns_flood_detector -v -v -b -t10
[15:14:56] source [192.168.1.45] – 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:14:56] source [10.0.24.2] – 0 qps tcp : 15 qps udp [15 qps A]
[15:15:06] source [192.168.1.45] – 0 qps tcp : 24 qps udp [8 qps A] [16 qps PTR]
[15:15:06] source [10.0.24.2] – 0 qps tcp : 15 qps udp [14 qps A]
[15:15:16] source [192.168.1.45] – 0 qps tcp : 23 qps udp [7 qps A] [15 qps PTR]

Syslog output from a nameserver (ns1-bd) running in daemon mode:

Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [113.96.236.11] – 0 tcp qps : 153 udp qps [151 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [117.185.251.211] – 0 tcp qps : 22 udp qps [20 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [117.185.251.192] – 0 tcp qps : 63 udp qps [57 qps A] [1 qps MX] [5 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [113.96.17.165] – 0 tcp qps : 102 udp qps [100 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [58.60.10.12] – 0 tcp qps : 109 udp qps [107 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [120.204.17.12] – 0 tcp qps : 155 udp qps [154 qps A] [1 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [120.204.17.67] – 0 tcp qps : 82 udp qps [81 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [223.167.253.12] – 0 tcp qps : 59 udp qps [57 qps A] [1 qps MX] [2 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [47.252.82.250] – 1 tcp qps : 76 udp qps [76 qps A] [1 qps AAAA]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [120.204.20.12] – 0 tcp qps : 40 udp qps [40 qps A] [1 qps MX]
Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [112.65.192.108] – 0 tcp qps : 38 udp qps [37 qps A] [1 qps MX] [1 qps AAAA]

Combining it with fail2ban

failregex = .* dns_flood_detector\[\d+\]: source \[<HOST>\].* \d{3,}.* (tcp|udp) qps.*

This lets fail2ban block addresses that send large volumes of queries (with this regex, any source logged at 100 qps or more over TCP or UDP). Keep in mind that the source address of a UDP query can be spoofed, so an attacker can use this to get a third party's address banned; on a resolver that serves customers, prefer a rate limit to an outright ban, or at least use a generous maxretry and a short bantime.
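A dry run of the failregex above against the syslog lines shown earlier, as an added example that is not part of the original post or of fail2ban. fail2ban expands the <HOST> tag into its own host-matching group; the example swaps in a plain named group instead (an assumption that suffices for the IPv4 addresses here) and leaves the rest of the regex unchanged. The log lines are re-typed from the post's sample output as test input, with a plain hyphen as separator.

```python
"""Dry run of the fail2ban failregex above against dns_flood_detector syslog
lines (added example; not part of the original post or of fail2ban).

fail2ban replaces <HOST> with its own host-matching group; here a plain named
group stands in for it (an assumption that is fine for IPv4 addresses).
"""
import re

FAILREGEX = r".* dns_flood_detector\[\d+\]: source \[<HOST>\].* \d{3,}.* (tcp|udp) qps.*"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a `host` group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def offending_hosts(lines, failregex=FAILREGEX):
    """Source addresses whose lines match the failregex, in order of first appearance.
    fail2ban would count each match against maxretry/findtime before banning."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.match(line)
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


# Constructed test input: lines re-typed from the post's sample syslog output.
SAMPLE_LOG = [
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [113.96.236.11] - 0 tcp qps : 153 udp qps [151 qps A] [1 qps MX] [2 qps AAAA]",
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [117.185.251.211] - 0 tcp qps : 22 udp qps [20 qps A] [1 qps MX] [2 qps AAAA]",
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [113.96.17.165] - 0 tcp qps : 102 udp qps [100 qps A] [1 qps MX] [2 qps AAAA]",
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [120.204.17.12] - 0 tcp qps : 155 udp qps [154 qps A] [1 qps AAAA]",
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [47.252.82.250] - 1 tcp qps : 76 udp qps [76 qps A] [1 qps AAAA]",
    "Feb 15 16:59:05 ns1-bd dns_flood_detector[21585]: source [112.65.192.108] - 0 tcp qps : 38 udp qps [37 qps A] [1 qps MX] [1 qps AAAA]",
]

if __name__ == "__main__":
    print(offending_hosts(SAMPLE_LOG))
    # ['113.96.236.11', '113.96.17.165', '120.204.17.12']
```

The threshold sits in `.* \d{3,}`: a space followed by at least three digits. In the daemon's syslog format only the per-protocol totals ("153 udp qps") are preceded by a space, the bracketed per-record-type counts are preceded by "[", so a line counts once a source reaches 100 qps over TCP or UDP. The regex also expects the syslog word order `tcp qps` / `udp qps`; the bindsnap output in the first sample writes `qps tcp`, which it would not match.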

Dynamically tuning the CPU performance mode on Linux with tuned/tuned-adm

Linux server CPU performance modes

Environment:

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

On RHEL 4:

Configure the CPU to run at its maximum speed all the time by adding the following parameter to /etc/cpuspeed.conf and restarting the cpuspeed service:

vim /etc/cpuspeed.conf
Insert or modify:
OPTS="$OPTS -n -C -S \\"0 1\\""
/etc/init.d/cpuspeed restart

On RHEL 5:

Add the above parameters to /etc/sysconfig/cpuspeed, or use the performance governor by adding the following parameter to /etc/sysconfig/cpuspeed and restarting the cpuspeed service:

vim /etc/sysconfig/cpuspeed
Insert or modify:
GOVERNOR=performance
/etc/init.d/cpuspeed restart

On RHEL 6:

Configure the performance cpuspeed governor as for RHEL 5 above, add the following kernel boot options (on the kernel line in /boot/grub/grub.conf) and reboot the server. More information is available in the Low Latency Performance Tuning for Red Hat Enterprise Linux 6 article.

/etc/init.d/cpuspeed stop		# enable performance mode
processor.max_cstate=1 intel_idle.max_cstate=0 idle=poll

On RHEL 7:

Continue reading

Nmap script usage guide

About Nmap
Nmap is a network port scanner used to find the open ports on networked hosts, determine which services are listening on which ports, and infer which operating system a host runs. It is an essential tool for network administrators and for assessing the security of a network.

Much of the time we scan with Nmap and then move on to Metasploit to exploit what we found, but that workflow is tedious: verifying vulnerabilities one by one means opening MSF, setting the options and finally running run/exploit for each (leaving automation aside, so no flames please).

That is why it is worth getting to know Nmap's extension scripts, the Nmap Scripting Engine (NSE).

Continue reading

Manually configuring the /etc/resolv.conf file (RHEL 7/8)

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/manually-configuring-the-etc-resolv-conf-file_configuring-and-managing-networking

By default, NetworkManager on Red Hat Enterprise Linux (RHEL) 8 dynamically updates the /etc/resolv.conf file with the DNS settings from active NetworkManager connection profiles. This section describes different options on how to disable this feature to manually configure DNS settings in /etc/resolv.conf.

31.1. Disabling DNS processing in the NetworkManager configuration

This section describes how to disable DNS processing in the NetworkManager configuration to manually configure the /etc/resolv.conf file.

Procedure

  1. As the root user, create the /etc/NetworkManager/conf.d/90-dns-none.conf file with the following content by using a text editor:

     [main]
     dns=none

  2. Reload the NetworkManager service:

     # systemctl reload NetworkManager

     Note: after you reload the service, NetworkManager no longer updates the /etc/resolv.conf file. However, the last contents of the file are preserved.
  3. Optionally, remove the Generated by NetworkManager comment from /etc/resolv.conf to avoid confusion.

Verification steps

  1. Edit the /etc/resolv.conf file and manually update the configuration.
  2. Reload the NetworkManager service:

     # systemctl reload NetworkManager

  3. Display the /etc/resolv.conf file:

     # cat /etc/resolv.conf

     If you successfully disabled DNS processing, NetworkManager did not override the manually configured settings.

Additional resources

  • For further details, see the description of the dns parameter in the NetworkManager.conf(5) man page.

31.2. Replacing /etc/resolv.conf with a symbolic link to manually configure DNS settings

NetworkManager does not automatically update the DNS configuration if /etc/resolv.conf is a symbolic link. This section describes how to replace /etc/resolv.conf with a symbolic link to an alternative file with the DNS configuration.

Prerequisites

  • The rc-manager option is not set to file. To verify, use the NetworkManager --print-config command.

Procedure

  1. Create a file, such as /etc/resolv.conf.manually-configured, and add the DNS configuration for your environment to it. Use the same parameters and syntax as in the original /etc/resolv.conf.
  2. Remove the /etc/resolv.conf file: # rm /etc/resolv.conf
  3. Create a symbolic link named /etc/resolv.conf that refers to /etc/resolv.conf.manually-configured: # ln -s /etc/resolv.conf.manually-configured /etc/resolv.conf

Additional resources

  • For details about parameters you can set in /etc/resolv.conf, see the resolv.conf(5) man page.
  • For further details about why NetworkManager does not process DNS settings if /etc/resolv.conf is a symbolic link, see the description of the rc-manager parameter in the NetworkManager.conf(5) man page.
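Two checks that go with the procedures in 31.1 and 31.2, as an added example that is not part of the Red Hat documentation. The first works out which `dns=` value NetworkManager will actually use, reading NetworkManager.conf first and then the conf.d files in alphabetical order with later files overriding earlier ones, which is how NetworkManager.conf(5) describes it; this catches a 90-dns-none.conf that is silently overridden by a later file. The second parses a resolv.conf and reports whether it still carries the "Generated by NetworkManager" header, so you can confirm after the reload that the file is really yours. All inputs are constructed text; nothing here touches the live system.

```python
"""Checks for the manual-DNS setups described above (added example; not from
the Red Hat documentation). Inputs are plain text, so this runs anywhere.
"""
import configparser


def effective_dns_setting(main_conf, conf_d):
    """main_conf: text of NetworkManager.conf; conf_d: {filename: text} for conf.d/.
    NetworkManager reads the main file first, then conf.d in alphabetical order,
    later files overriding earlier ones. Returns the effective [main] dns= value,
    or None if nothing sets it (NetworkManager's default handling then applies)."""
    value = None
    for text in [main_conf] + [conf_d[name] for name in sorted(conf_d)]:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        if cp.has_option("main", "dns"):
            value = cp.get("main", "dns").strip()
    return value


def parse_resolv_conf(text):
    """Return nameservers, search list, options and whether the NM header is present.
    Only the resolv.conf(5) keywords used in practice are handled."""
    result = {"nameserver": [], "search": [], "options": [], "nm_generated": False}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            if "Generated by NetworkManager" in stripped:
                result["nm_generated"] = True
            continue
        parts = stripped.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "nameserver":
            result["nameserver"].append(rest.strip())
        elif key in ("search", "domain"):
            result["search"] = rest.split()  # the last search/domain line wins
        elif key == "options":
            result["options"].extend(rest.split())
    return result


if __name__ == "__main__":
    # Constructed example: the 90-dns-none.conf from the procedure, overridden
    # by a later file that switches DNS handling back on.
    print(effective_dns_setting("[main]\nplugins=ifcfg-rh\n",
                                {"90-dns-none.conf": "[main]\ndns=none\n",
                                 "95-override.conf": "[main]\ndns=default\n"}))
    print(parse_resolv_conf("# Generated by NetworkManager\nnameserver 192.0.2.53\n"))
```

If `effective_dns_setting` does not return "none" after you created 90-dns-none.conf, look for a later conf.d file (or one under /usr/lib/NetworkManager/conf.d and /run/NetworkManager/conf.d, which the example does not model) that sets `dns=` again.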

NFS Stale File Handle error and solution

Sometimes NFS runs into odd problems. For example, NFS-mounted directories sometimes contain stale file handles. If you run a command such as ls or vi you will see an error:
$ ls
.: Stale File Handle

First let us try to understand the concept of a stale file handle. The book Managing NFS and NIS, 2nd Edition (a good book if you would like to master NFS and NIS) defines it as follows:
A filehandle becomes stale whenever the file or directory referenced by the handle is removed by another host, while your client still holds an active reference to the object. A typical example occurs when the current directory of a process, running on your client, is removed on the server (either by a process running on the server or on another client).

So this can occur when the directory is modified on the NFS server while the client still holds the old handle and, going by the directory's cached modification time, has not noticed the change.

How do I fix this problem?

(a) The best solution is to remount the directory from the NFS client using the mount command:
# umount -f /mnt/local
# mount -t nfs nfsserver:/path/to/share /mnt/local

The first command (umount -f) forcibly unmounts the NFS mount at /mnt/local; the second mounts it again.

(b) Alternatively, try mounting the NFS directory with the noac option. I do not recommend noac, though: it hurts performance, and checking files on an NFS filesystem through file descriptors (i.e. the fcntl and ioctl families of functions) may still give inconsistent results, because the kernel performs no consistency check there even when noac is used.

LVM disaster recovery

Introduction to LVM

LVM overview

LVM is short for Logical Volume Manager, a storage management mechanism originally developed by IBM for AIX. By inserting a logical layer between the disks and the partitions, LVM lets several partitions or physical disks be used as one logical volume (in effect one logical disk), which makes partition management far more flexible. In 1998 Heinz Mauelshagen provided a Linux implementation of LVM on the Linux 2.4 kernel. The Linux 2.6 kernel supports LVM2; the newest version downloadable from the Red Hat website at the time of writing is 2.2.02.77. For the latest or other versions, see the project web page.

LVM was initially used mostly on servers, where combined with the RAID features of the storage hardware it provides highly reliable and flexibly configurable partition management; ordinary PCs, with their limited storage, rarely used it. As single-disk capacities grew and prices fell, PCs with terabytes of storage became common, bringing a need for storage management on the PC as well, and LVM is an obvious fit. The catch is that ordinary PC users have no hardware redundancy, so a disaster usually means serious data loss. Fortunately LVM provides a set of disaster-recovery features that help such users keep the loss as small as possible. The following command checks whether the LVM tools are installed:

Listing 1. Checking the LVM version on the system
 rpm -qa | grep lvm
 lvm2-2.02.56-8.el5_5.4

The system in this example has LVM version 2.02.56 installed.

Continue reading

Deleting abnormal files on Windows

1. How to delete files on Windows whose names begin with special (reserved) names

Windows does not allow files or folders to be given the following names:
aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9
Such a file can nevertheless be created with cmd's copy command: D:\>copy piaoyi.asp \\.\D:\lpt6.piaoyi.asp. The path must be prefixed with \\.\ for this to work.

Files like this cannot be deleted from the graphical interface, only from the command line:

D:\>del "\\.\D:\lpt6.piaoyi.asp"
D:\>del "\\.\D:\lpt3.1.asp;.jpg"

If it reports that the file cannot be found, first clear the read-only, hidden and system (R/H/S) attributes:

D:\>attrib -s -h -r "\\.\D:\lpt3.1.asp;.jpg"
D:\>del "\\.\D:\lpt3.1.asp;.jpg"

Note: because the path contains a semicolon (;) it must be enclosed in double quotes, otherwise the path will not be found.
IIS, however, will still parse and execute such files; this is the principle behind the "immortal zombie" webshell. Files of this kind can be deleted as follows:
The simplest and most convenient way is the command line:

del /f /a /q \\?\%1
rd /s /q \\?\%1

Save the two commands above as a .bat file, then drag the file or folder that cannot be deleted onto the .bat file.
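A defender's counterpart to the trick above, as an added example that is not code from the original post: a scan of a web-root listing for filenames that Win32 treats as reserved device names (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9), which is exactly the property the "immortal zombie" webshell relies on, and the conversion of each hit into the `\\?\` form that the batch file's `del /f /a /q \\?\%1` deletes with. Win32 takes the part of the filename before the first dot, ignoring case and trailing spaces, as the device name, so "lpt6.piaoyi.asp" and "LPT3.1.asp;.jpg" are both reserved. The web-root listing is constructed test input and the function only reports, it deletes nothing.

```python
r"""Spotting files named after Windows reserved devices and building the \\?\
paths needed to delete them (added example, not code from the original post).
Runs on any OS: it works on path strings only and deletes nothing.
"""
import ntpath

RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{n}" for n in range(1, 10)}
    | {f"lpt{n}" for n in range(1, 10)}
)


def is_reserved_name(path):
    """True when the final path component is a DOS device name with any extension:
    Win32 looks at the text before the first dot, case-insensitively, ignoring
    trailing spaces, so "lpt6.piaoyi.asp" and "NUL.txt" both count."""
    name = ntpath.basename(path)
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.lower() in RESERVED_DEVICES


def extended_path(path):
    r"""Prefix an absolute path with \\?\ so Win32 skips device-name parsing,
    which is what `del /f /a /q \\?\%1` relies on. Paths that already carry
    the \\?\ or \\.\ prefix are returned unchanged."""
    if path.startswith("\\\\?\\") or path.startswith("\\\\.\\"):
        return path
    return "\\\\?\\" + path


def find_reserved(paths):
    """Return (original path, deletable path) for every reserved-name file in `paths`."""
    return [(p, extended_path(p)) for p in paths if is_reserved_name(p)]


# Constructed listing of a web root: the two names from the post plus normal files.
SAMPLE_WEBROOT = [
    r"D:\wwwroot\index.asp",
    r"D:\wwwroot\lpt6.piaoyi.asp",
    r"D:\wwwroot\images\logo.jpg",
    r"D:\wwwroot\upload\lpt3.1.asp;.jpg",
    r"D:\wwwroot\upload\AUX.asp",
    r"D:\wwwroot\auxiliary.asp",   # "auxiliary" is not "aux": not reserved
    r"D:\wwwroot\lpt10.txt",       # only LPT1 to LPT9 are devices
]

if __name__ == "__main__":
    for original, deletable in find_reserved(SAMPLE_WEBROOT):
        print(f"{original} -> del /f /a /q {deletable}")
```

Feeding a real listing (for example the output of `dir /s /b` from the web root) through `find_reserved` gives you both the files an attacker hid behind reserved names and the exact paths to hand to del; a file that also has the system or hidden attribute still needs the `/a` switch the batch file already uses.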

Continue reading

Postfix: The Definitive Guide, reading notes

Contents


Continue reading