centos安装ntop

yum install -y  epel-release wget 
wget http://packages.ntop.org/centos/ntop.repo -O /etc/yum.repos.d/ntop.repo
yum install -y pfring-dkms n2disk nprobe ntopng cento
service redis start 
service ntopng start

bird+juniper BGP RTBH

bird实例

log syslog all;
debug protocols off;
debug commands 0;

router id 1.1.1.1;

protocol static rtbh {
	route 99.99.99.99/32 blackhole;
	route 88.88.88.88/32 blackhole;
}

filter export_rtbh_out {
	# Limit to static routes
	if (proto = "rtbh") then
	{
		# Limit to /32 host routes (for now)
		if net.len = 32 then
		{
			bgp_community.add((65001,9999));
			bgp_next_hop = 192.0.2.1;
			accept;
		}
	}
	reject;
}

protocol bgp ER3 {
	description "iBGP to Edge Router 3 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 3.3.3.3 as 65001;
	import none;
	export filter export_rtbh_out;
}
protocol bgp ER4 {
	description "iBGP to Edge Router 4 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 4.4.4.4 as 65001;
	import none;
	export filter export_rtbh_out;
}



JUNOS 配置实例

routing-options {
	static {
		route 192.0.2.1/32 discard;
	}
}

protocols {
	bgp {
		group RTBH {
			type internal;
			import import-from-rs;
			expor deny-all;
			neighbor 1.1.1.1;
		}
	}
}

policy-options {
	policy-statement deny-all {
		term 1 {
			then reject;
		}
	}
	policy-statement import-from-rs {
		term 1 {
			from {
				community RTBH;
				route-filter 0.0.0.0/0 prefix-length-range /32-/32;
			}
			then accept;
		}
		term reject {
			then reject;
		}
	}
	community RTBH members 65001:9999;
}

抄录自https://gist.github.com/floatingstatic/854aa504a92ab8bc3e044e434ec378c4

[转载]CentOS 7 为firewalld添加开放端口及相关资料

1、运行、停止、禁用firewalld
启动:# systemctl start  firewalld
查看状态:# systemctl status firewalld 或者 firewall-cmd --state
停止:# systemctl disable firewalld
禁用:# systemctl stop firewalld 

查看firewall是否运行,下面两个命令都可以

systemctl status firewalld.servicefirewall-cmd --state

查看default zone和active zone

我们还没有做任何配置,default zone和active zone都应该是public

firewall-cmd --get-default-zonefirewall-cmd --get-active-zones

查看当前开了哪些端口

其实一个服务对应一个端口,每个服务对应/usr/lib/firewalld/services下面一个xml文件。

firewall-cmd --list-services

查看还有哪些服务可以打开

firewall-cmd --get-services

查看所有打开的端口:

firewall-cmd --zone=public --list-ports

更新防火墙规则:

firewall-cmd --reload

添加一个服务到firewalld

firewall-cmd --add-service=http //http换成想要开放的service

这样添加的service当前立刻生效,但系统下次启动就失效,可以测试使用。要永久开发一个service,加上 --permanent

firewall-cmd --permanent --add-service=http

阅读剩余部分...

Centos7快速部署openresty

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s  /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.

lvm快照迁移或者备份脚本

for VM in `lvs|grep img|grep -v snap |  awk -F_ '{ print $1}'` ;
 do
 echo "lvcreate -L 50G -s -n  "$VM"_snap /dev/vg0/"$VM"_img "
 echo "dd if=/dev/vg0/"$VM"_snap conv=sync,noerror bs=64K | gzip -c | ssh [email protected]服务器IP "gzip -d |dd of=/dev/vg0/"$VM"_img conv=sync,noerror bs=64K"
 echo "lvremove /dev/vg0/"$VM"_snap -f"
 echo "echo $VM done  \`date\`  >>/root/m.log"
 echo " "
done

输出可以直接写入新服务器的已建立好的分区, 也可以设置目录保存为文件。

lvcreate -L 50G -s -n  kvm10000_snap /dev/vg0/kvm10000_img
dd if=/dev/vg0/kvm1220_snap conv=sync,noerror bs=64K | gzip -c | ssh [email protected]新服务器IP "gzip -d |dd of=/dev/vg0/kvm10000_img conv=sync,noerror bs=64K"
lvremove /dev/vg0/kvm10000_snap -f
echo kvm10000 done  `date`  >>/root/m.log

centos大版本升级6到7

从6升级到7,建议按步骤走一遍弄个机器测试升级,玩坏了自己买单。

#!/bin/bash

cat>/root/fix.sh<<EOF
ln -s /usr/lib64/libpcre.so.0 /lib64/libpcre.so.0
ln -s /usr/lib64/libsasl2.so.2 /lib64/libsasl2.so.2
yum -y downgrade  grep
EOF
chmod 755 /root/fix.sh
echo "/root/fix.sh">> /etc/rc.local

cat>/etc/yum.repos.d/upgradetool.repo<<EOF
[upg]
name=CentOS-$releasever - Upgrade Tool
baseurl=http://buildlogs.centos.org/centos/6/upg/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
    
yum -y erase openscap 

yum -y install redhat-upgrade-tool preupgrade-assistant-contents --disablerepo=base

preupg -s CentOS6_7 <<EOF y EOF rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 centos-upgrade-tool-cli --network 7 --instrepo=http://vault.centos.org/centos/7.2.1511/os/x86_64/ <<EOF y EOF reboot

centos编译升级gcc版本

yum -y -q install gcc gcc-c++ glibc-static libstdc++-static kernel-devel lbzip2
wget ftp://gcc.gnu.org/pub/gcc/releases/gcc-9.2.0/gcc-9.2.0.tar.gz  -O -|tar xz
cd gcc-9.2.0
./contrib/download_prerequisites
./configure --enable-checking=release --enable-languages=c,c++ --disable-multilib
make
make install

Linux本地自签ssl

yum -y -q install nss-tools gcc
export VER="v1.4.0" 
wget -O mkcert https://github.com/FiloSottile/mkcert/releases/download/${VER}/mkcert-${VER}-linux-amd64
chmod +x mkcert 
mv mkcert /usr/local/bin
mkcert -install

mkcert 域名.后缀 '*.域名.后缀 ' 域名2.后缀  localhost 127.0.0.1 ::1

随后生成pem和key 直接在http服务器上绑定即可以使用。

nginx lua暴力简单过滤cc攻击

原文地址:http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

好像原文出处的页面已经打不开了,原生的nginx需要编译lua,openresty可以直接用。

location ~ \.php$ {
    rewrite_by_lua '
        local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
        if (ngx.var.cookie_humanflag ~= md5token) then
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}

iptables屏蔽常规邮件端口

iptables -A INPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A INPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
/etc/init.d/iptables save

bash升级5.0

yum -y -q  install wget gcc patch 
wget https://ftp.gnu.org/gnu/bash/bash-5.0.tar.gz -O - | tar xz
cd bash-5.0
wget -r -nd -np http://ftp.gnu.org/gnu/bash/bash-5.0-patches/
for BP in `ls bash50-*|grep -v sig`; do patch -p0 < $BP; done
./configure 
make
make install

centos7编译php7.3

yum -y install epel-release -y
                                                                                                                                                                                        
yum -y --skip-broken install gcc  vim-enhanced gcc-c++ libtool-libs libtool autoconf subversion zip unzip  wget crontabs iptables file bison patch mlocate flex diffutils automake imake make cmake kernel-devel cpp zlib-devel \
libevent-devel libxml2-devel freetype-devel  gd gd-devel libjpeg-devel libpng-devel ncurses-devel  \
curl-devel readline-devel openssl-devel  glibc-devel  glib2-devel bzip2-devel e2fsprogs-devel libidn-devel  gettext-devel expat-devel libcap-devel  libtool-ltdl-devel pam-devel \
libxslt-devel libc-client-devel freetds-devel unixODBC-devel  libXpm-devel krb5-devel libicu-devel icu 
                                                                                                                                                                                        
cd /tmp
wget https://nih.at/libzip/libzip-1.2.0.tar.gz  -O - | tar xz
cd libzip-*
./configure --prefix=/usr
make && make install
cp /usr/lib/libzip/include/zipconf.h  /usr/local/include/zipconf.h
ldconfig
                                                                                                                                                                                        
cd /tmp
wget -c http://us2.php.net/distributions/php-7.3.10.tar.gz -O - | tar xz
cd php-7.3*
./configure  --with-config-file-path=/opt/php7/etc --with-config-file-scan-dir=/opt/php7/etc/php.d --prefix=/opt/php7/usr --enable-fpm --enable-bcmath --enable-exif --enable-ftp --enable-mbstring --enable-soap --enable-sockets --enable-zip --with-curl --with-freetype-dir=/usr --with-gettext --with-openssl --with-xmlrpc --with-png-dir  --with-jpeg-dir --with-gd --with-libxml-dir=/usr  --with-mhash  --with-mysql-sock=/var/lib/mysql/mysql.sock --with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-imap --with-imap-ssl --with-kerberos --with-zlib --enable-intl=shared --enable-xml --disable-rpath --enable-shmop --enable-sysvsem --enable-mbregex  --with-iconv-dir --enable-pcntl --enable-opcache --enable-exif  --with-sqlite3 --with-pdo-sqlite --enable-calendar --enable-wddx ;
make -j `grep name /proc/cpuinfo|wc -l`
make install
cp php.ini-production /opt/php7/etc/php.ini
#cp ./sapi/fpm/php-fpm /etc/init.d/php-fpm
cp ./sapi/fpm/php-fpm.service /usr/lib/systemd/system/
sed -i 's#expose_php = On#expose_php = Off#'  /opt/php7/etc/php.ini
sed -i 's/;date.timezone =/date.timezone = PRC/g'  /opt/php7/etc/php.ini
sed -i 's#enable_dl = Off#enable_dl = On#'  /opt/php7/etc/php.ini
sed -i 's#short_open_tag = Off#short_open_tag = On#'  /opt/php7/etc/php.ini
sed -i 's#output_buffering = Off#output_buffering = On#'  /opt/php7/etc/php.ini
sed -i 's/memory_limit = 32M/memory_limit = 128M/g' /opt/php7/etc/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/g' /opt/php7/etc/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 16M/g' /opt/php7/etc/php.ini
sed -i 's#allow_call_time_pass_reference = Off#allow_call_time_pass_reference = On#' /opt/php7/etc/php.ini
sed -i 's/disable_functions =/disable_functions="exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,ini_alter,dl,popen,chown,chroot,chgrp,ini_restore,dbmopen,dbase_open"/g' /opt/php7/etc/php.ini

Centos7新装系统sshd安全设置


sed  -i 's/#Port 22/Port 2222/g' /etc/ssh/sshd_config
firewall-cmd --zone=public --add-port=2222/tcp --permanent
firewall-cmd --reload


Centos7下通过grub2引导进行网络自动重装系统

Shell大致流程

1.获取网络IP配置参数

2.写入自定义grub引导内核

 2.1 http://103.xxx.xxx.xxx/kickstart.php/rh?end=1&amp;ethworkaround=1是预设定的anaconda-ks自动响应安装脚本。
3.修改grub默认配置参数等待时间和指定引导顺序。

4. 重新生成grub2配置

5.重启等待安装完成。

最后建议在NoVNC或者IPMi辅助的情况下使用。

vmlinuz的网络参数还有一种写法是 ip=address::gateway:netmask:hostname:interface:method

getETH=`ip -4 route list 0/0 |awk '{ print $5 }'`
getGATEWAY=`ip -4 route list 0/0 |awk '{ print $3 }'`
getNETMASK=`ifconfig $getETH | awk '/mask /{ print $4;}'`
getIPADDR=`ifconfig $getETH | awk '/inet /{ print $2;}'`

cat>>/etc/grub.d/40_custom<<EOF
menuentry 'Netinstall' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod xfs
set root='hd0,gpt2'
linux16 /vmlinuz ro ks='http://103.xxx.xxx.xxx/kickstart.php/rh?end=1&ethworkaround=1' net.ifnames=0 biosdevname=0 crashkernel=auto gateway=$getGATEWAY ip=$getIPADDR nameserver=8.8.8.8 ksdevice=$getETH  netmask=$getNETMASK
initrd16 /initrd.img
}
EOF
 sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=60/g'  /etc/default/grub
 sed -i 's/GRUB_DEFAULT=saved/GRUB_DEFAULT=Netinstall/g'  /etc/default/grub
 grub2-mkconfig --output=/boot/grub2/grub.cfg
 reboot

RouterOS导入key登陆ssh

Linux或者Mac OS生成一个key

ssh-keygen -t rsa

用scp上传到Mikrotik

scp -P端口 ~/.ssh/id_rsa.pub [email protected]:id_rsa.pub

在Mikrotik内导入key

[[email protected]] > /user ssh-keys import public-key-file=id_rsa.pub user=admin

打印查看

[[email protected]] > /user ssh-keys print
Flags: R - RSA, D - DSA        
 #   USER                       BITS KEY-OWNER        
 0 R admin                      2048 XXXXXXX