nfsen-blackhole

记录

yum -y -q install monit tcsh  perl-Net-BGP
git clone https://github.com/zhecho/nfsen-blackhole 
cd nfsen-blackhole 
sed  -i "s#/usr/local/var/nfsen#/opt/nfsen/var/run#g" *
sed  -i "s#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g" *
                          
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm   /opt/nfsen/plugins/
install bgp_simple.pl  /opt/nfsen/plugins/
install blackHole.php  /opt/nfsen/www/plugins/
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}


WANsensor和WANconsole 安装

配置记录

yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANsensor
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q  WANconsole 
yum install -y -q epel-release
yum install -y -q php-pecl-radius

其他

max_allowed_packet=64M
 max_connections=1000
 open_files_limit=5000
 skip-name-resolve
         
nano /etc/my.cnf #set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
mysql_secure_installation
systemctl start mariadb
systemctl enable mariadb
         
         
nano /etc/php.ini #set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd
         
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
systemctl restart firewalld
         
/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor
         
systemctl start WANsupervisor
systemctl enable WANsupervisor
         
         
yum install -y -q https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm
[[email protected] ~]# nano /etc/influxdb/influxdb.conf 
[data] 
index-version=”tsi1”
max-seriesper-database=0
max-values-per-tag=0
[retention]
enabled=true
[http] 
enabled=true
log-enabled=false
max-row_limit=0
max-body-size=0
[logging] 
level=”warn”
[continuous_queries]
enabled=true
systemctl restart influxdb


sflow-rt安装

sflow-rt这玩意挺方便, 可以用JS进行二次开发写APP

yum install -y -q https://inmon.com/products/sFlow-RT/sflow-rt-3.0-1451.noarch.rpm 
/usr/local/sflow-rt/get-app.sh sflow-rt top-flows
/usr/local/sflow-rt/get-app.sh sflow-rt dashboard-example
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-blackhole
/usr/local/sflow-rt/get-app.sh sflow-rt sflow-test
systemctl start sflow-rt
systemctl enable sflow-rt


firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=179:proto=tcp:toport=1179 --permanent
firewall-cmd --zone=public --add-port=179/tcp --permanent
firewall-cmd --zone=public --add-port=6343/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports


librenms简便安装

和observium很像,开源软件.

file bison mlocate flex diffutils
yum -y install cronie fping git ImageMagick whois mtr  net-snmp net-snmp-utils nmap  python-memcached rrdtool
useradd librenms -d /opt/librenms -M -r
cd /opt
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
runuser -l  librenms -c '/opt/php7/bin/php /opt/librenms/scripts/composer_wrapper.php install --no-dev'

nginx配置

server {
    listen 80;
    root /opt/observium;
    index index.php;
    server_name observium.example.com;
                                                               
    error_log /var/log/nginx/observium.error.log ;
    access_log /var/log/nginx/observium.log ;
                                                               
    location / {
    location ~ .php$ {
        try_files $uri = 404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/dev/shm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_read_timeout 300;
    }
        }
                                                               
    location ~/\.ht {
        deny all;
    }
}
                                                               
server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location /api/v0 {
  try_files $uri $uri/ /api_v0.php?$query_string;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/dev/shm/php-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
}

FPM配置文件

[librenms]
user = $pool
group = $pool
listen = /dev/shm/$pool.sock
listen.mode = 0666
pm = dynamic
pm.max_children = 15
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 5
chdir = /opt/bgpto
security.limit_extensions = .php .php3 .php4 .php5 .php7
env[HOSTNAME] = $pool.hostname
env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/php7/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /var/log/fpm-php.$pool.log
php_admin_value[memory_limit] = 256M


VMware ESXi安装ipmitool

wget  dl.kvm.la/tools/esxi_ipmitool-1.8.15-1.vib -O  /var/log/vmware/ipmitool-1.8.15-1.vib
esxcli software acceptance set --level=CommunitySupported
esxcli software vib install -v ipmitool-1.8.15-1.vib
/opt/ipmitool/bin/ipmitool mc reset cold


编译安装 nfdump

yum -y -q  install nss curl  git libtool m4 automake  bzip2-devel
git clone https://github.com/phaag/nfdump
cd nfdump
./autogen.sh
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/local/rrdtool
make
make install
install -p -m 644 bin/nftrack /usr/bin/

Centos7 nfsen基础安装

yum -y -qinstall epel-release wget 
yum -y -q install nss curl  git nfdump perl gcc make libpcap-devel fprobe-ulog  rrdtool-devel rrdtool-perl  flex byacc perl 
yum -y -q install perl-MailTools perl-Socket6 perl-Sys-Syslog 'perl(Data::Dumper)' perl-DBD-MySQL
wget https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.8/nfsen-1.3.8.tar.gz/download  -O -|tar xz
cd nfsen-1.3.8
#cat   etc/nfsen-dist.conf |grep -v ^#|grep -v ^$ >etc/nfsen.conf
wget dl.kvm.la/conf/nfsen/nfsen.conf -O  etc/nfsen.conf
perl install.pl etc/nfsen.conf
ln -s /opt/nfsen/bin/nfsen /usr/bin/
#安装PortTracker插件
install contrib/PortTracker/PortTracker.pm   /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php  /opt/nfsen/plugins/
mkdir -p  /data/ports-db
chown -R nobody:nobody /data/ports-db  /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db
wget dl.kvm.la/conf/nfsen/nfsen.init -O /etc/init.d/nfsen
chmod 755 /etc/init.d/nfsen
chkconfig nfsen on

#安装PortTracker插件

#安装PortTracker插件
install contrib/PortTracker/PortTracker.pm   /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php  /opt/nfsen/plugins/
mkdir -p  /data/ports-db
chown -R nobody:nobody /data/ports-db  /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db

正常使用还要http和php进行支持, sflow数据发送到nfsen进行分析,等等.

smartmontools 查看阵列磁盘健康状态

yum install  smartmontools -y -q
smartctl -a -d megaraid,N  /dev/sdX

N代表硬盘的设备ID, 可以用storcli和MegaCli查找到.
X则代表存储设备的顺序ID. 第一个存储设备以a开始排列.
查看硬盘的设备ID方法如下:

用MegaCli

#第一种
#MegaCli -PDList -aAll|grep "Device Id"
Device Id: 0
Device Id: 1
Device Id: 2
Device Id: 3
Device Id: 4
Device Id: 5
Device Id: 6
Device Id: 7
Device Id: 8
Device Id: 9

#第二种(LSI ID就是设备ID)
#curl -sS http://dl.kvm.la/lsi/megaclisas-status | python
-- Controller information --
-- ID | H/W Model      | RAM    | Temp | BBU    | Firmware
c0    | PERC H710 Mini | 512MB  | 76C  | Good   | FW: 21.0.1-0132

-- Array information --
-- ID | Type    |    Size |  Strpsz | Flags | DskCache |   Status |  OS Path | CacheCade        |InProgress
c0u0  | RAID-10 |   5455G |  256 KB | RA,WB | Disabled |  Optimal |        0 | Type : Read Only |None

-- Disk information --
    -- ID    | Type | Drive Model                       | Size     | Status          | Speed    | Temp | Slot ID  | LSI ID
    c0u0s0p0 | HDD  | HGST HUC101212CSS600 A469KZJ0M2DG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:0]   | 0
    c0u0s0p1 | HDD  | HGST HUC101212CSS600 A469KZJ0LJRG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:1]   | 1
    c0u0s1p0 | HDD  | HGST HUC101212CSS600 A469KZHZX1ZG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:2]   | 2
    c0u0s1p1 | HDD  | HGST HUC101212CSS600 A469KZJ076SG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:3]   | 3
    c0u0s2p0 | HDD  | HGST HUC101212CSS600 A469KZJ0B6PG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:4]   | 4
    c0u0s2p1 | HDD  | HGST HUC101212CSS600 A469KZJ0WWJG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:5]   | 5
    c0u0s3p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LT4G | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:6]   | 6
    c0u0s3p1 | HDD  | HGST HUC101212CSS600 A469KZJ0A5KG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:7]   | 7
    c0u0s4p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LRLG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:8]   | 8
    c0u0s4p1 | HDD  | HGST HUC101212CSS600 A469KZJ0DUGG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:9]   | 9

基于storcli命令查找

#storcli /c0 /eall /sall show
----------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
----------------------------------------------------------------------------

DID就是硬盘的设备ID

附:MegaCli和storcli安装

yum install -y -q http://dl.kvm.la/lsi/MegaCli_All_OS/Linux/MegaCli-8.07.06-1.noarch.rpm
ln -s /opt/MegaRAID/MegaCli/MegaCli64 /usr/bin/MegaCli
 yum -y -q install http://dl.kvm.la/lsi/storcli_All_OS/Linux/storcli-1.23.02-1.noarch.rpm
ln -s   /opt/MegaRAID/storcli/storcli64  /usr/bin/storcli

Centos7安装FRRouting

由于官方改动了一些文件位置,没有及时更新安装引导说明, 导致最后几步安装找不到文件,故自己抄写了一份.
原文地址http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-centos7.html

#yum安装基础环境
    yum install -y -q nss curl  git autoconf automake libtool make cmake readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel pam-devel bison flex pytest c-ares-devel python-devel systemd-devel python-sphinx libcap-devel 
    groupadd -g 92 frr
    groupadd -r -g 85 frrvty
    useradd -u 92 -g 92 -M -r -G frrvty -s /sbin/nologin  -c "FRR FRRouting suite" -d /var/run/frr frr

    #安装libyang
    #由于centos7没有
    cd /tmp
    git clone https://github.com/CESNET/libyang.git
    cd libyang
    mkdir build; cd build
    cmake -DENABLE_LYD_PRIV=ON -DCMAKE_INSTALL_PREFIX:PATH=/usr -D CMAKE_BUILD_TYPE:String="Release" ..
    make
    make install

    #安装frr
    cd /tmp
    git clone https://github.com/frrouting/frr.git frr
    cd frr
    ./bootstrap.sh
    ./configure \
        --bindir=/usr/bin \
        --sbindir=/usr/lib/frr \
        --sysconfdir=/etc/frr \
        --libdir=/usr/lib/frr \
        --libexecdir=/usr/lib/frr \
        --localstatedir=/var/run/frr \
        --with-moduledir=/usr/lib/frr/modules \
        --enable-snmp=agentx \
        --enable-multipath=64 \
        --enable-user=frr \
        --enable-group=frr \
        --enable-vty-group=frrvty \
        --enable-systemd=yes \
        --disable-exampledir \
        --disable-ldpd \
        --enable-fpm \
        --with-pkg-git-version \
        --with-pkg-extra-version=-MyOwnFRRVersion \
        SPHINXBUILD=/usr/bin/sphinx-build
    make
    make install
    install -p -m 644 ./tools/etc/frr/daemons /etc/frr/
    install -p -m 644 tools/frr.service  /usr/lib/systemd/system/frr.service
    install -p -m 644 tools/frrinit.sh.in  /usr/lib/frr/frr

    #创建FRR空白配置文件和权限
    mkdir /var/log/frr
    mkdir /etc/frr
    touch /etc/frr/zebra.conf
    touch /etc/frr/bgpd.conf
    touch /etc/frr/ospfd.conf
    touch /etc/frr/ospf6d.conf
    touch /etc/frr/isisd.conf
    touch /etc/frr/ripd.conf
    touch /etc/frr/ripngd.conf
    touch /etc/frr/pimd.conf
    touch /etc/frr/nhrpd.conf
    touch /etc/frr/eigrpd.conf
    touch /etc/frr/babeld.conf
    touch /etc/frr/vtysh.conf
    chown -R frr:frr /etc/frr/
    chown frr:frrvty /etc/frr/vtysh.conf
    chown frr:frr /etc/frr/daemons
    chmod 640 /etc/frr/*.conf
cat>/etc/sysctl.d/90-routing-sysctl.conf<<EOF net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1 EOF sysctl -p /etc/sysctl.d/90-routing-sysctl.conf #注册启用和启动FRR systemctl preset frr.service systemctl enable frr systemctl start frr

安装步骤到此结束
  需要配置zebra后再用telnet连接

zebra配置文件

#cat /etc/frr/zebra.conf
! Zebra configuration file
!
frr version 6.0
frr defaults traditional
!
hostname Router
password zebra
enable password zebra
!
log stdout
!
!

更多配置和指引参考官方引导文章  

   telnet 127.0.0.1 2601

 然后和思科的配置方式差不多  


centos安装ntop

yum install -y  epel-release wget 
wget http://packages.ntop.org/centos/ntop.repo -O /etc/yum.repos.d/ntop.repo
yum install -y pfring-dkms n2disk nprobe ntopng cento
service redis start 
service ntopng start

bird+juniper BGP RTBH

bird实例

log syslog all;
debug protocols off;
debug commands 0;

router id 1.1.1.1;

protocol static rtbh {
	route 99.99.99.99/32 blackhole;
	route 88.88.88.88/32 blackhole;
}

filter export_rtbh_out {
	# Limit to static routes
	if (proto = "rtbh") then
	{
		# Limit to /32 host routes (for now)
		if net.len = 32 then
		{
			bgp_community.add((65001,9999));
			bgp_next_hop = 192.0.2.1;
			accept;
		}
	}
	reject;
}

protocol bgp ER3 {
	description "iBGP to Edge Router 3 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 3.3.3.3 as 65001;
	import none;
	export filter export_rtbh_out;
}
protocol bgp ER4 {
	description "iBGP to Edge Router 4 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 4.4.4.4 as 65001;
	import none;
	export filter export_rtbh_out;
}



JUNOS 配置实例

routing-options {
	static {
		route 192.0.2.1/32 discard;
	}
}

protocols {
	bgp {
		group RTBH {
			type internal;
			import import-from-rs;
			expor deny-all;
			neighbor 1.1.1.1;
		}
	}
}

policy-options {
	policy-statement deny-all {
		term 1 {
			then reject;
		}
	}
	policy-statement import-from-rs {
		term 1 {
			from {
				community RTBH;
				route-filter 0.0.0.0/0 prefix-length-range /32-/32;
			}
			then accept;
		}
		term reject {
			then reject;
		}
	}
	community RTBH members 65001:9999;
}

抄录自https://gist.github.com/floatingstatic/854aa504a92ab8bc3e044e434ec378c4

[转载]CentOS 7 为firewalld添加开放端口及相关资料

1、运行、停止、禁用firewalld
启动:# systemctl start  firewalld
查看状态:# systemctl status firewalld 或者 firewall-cmd --state
停止:# systemctl disable firewalld
禁用:# systemctl stop firewalld 

查看firewall是否运行,下面两个命令都可以

systemctl status firewalld.servicefirewall-cmd --state

查看default zone和active zone

我们还没有做任何配置,default zone和active zone都应该是public

firewall-cmd --get-default-zonefirewall-cmd --get-active-zones

查看当前开了哪些端口

其实一个服务对应一个端口,每个服务对应/usr/lib/firewalld/services下面一个xml文件。

firewall-cmd --list-services

查看还有哪些服务可以打开

firewall-cmd --get-services

查看所有打开的端口:

firewall-cmd --zone=public --list-ports

更新防火墙规则:

firewall-cmd --reload

添加一个服务到firewalld

firewall-cmd --add-service=http //http换成想要开放的service

这样添加的service当前立刻生效,但系统下次启动就失效,可以测试使用。要永久开发一个service,加上 --permanent

firewall-cmd --permanent --add-service=http

阅读剩余部分...

Centos7快速部署openresty

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s  /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.

lvm快照迁移或者备份脚本

for VM in `lvs|grep img|grep -v snap |  awk -F_ '{ print $1}'` ;
 do
 echo "lvcreate -L 50G -s -n  "$VM"_snap /dev/vg0/"$VM"_img "
 echo "dd if=/dev/vg0/"$VM"_snap conv=sync,noerror bs=64K | gzip -c | ssh [email protected]服务器IP "gzip -d |dd of=/dev/vg0/"$VM"_img conv=sync,noerror bs=64K"
 echo "lvremove /dev/vg0/"$VM"_snap -f"
 echo "echo $VM done  \`date\`  >>/root/m.log"
 echo " "
done

输出可以直接写入新服务器的已建立好的分区, 也可以设置目录保存为文件。

lvcreate -L 50G -s -n  kvm10000_snap /dev/vg0/kvm10000_img
dd if=/dev/vg0/kvm1220_snap conv=sync,noerror bs=64K | gzip -c | ssh [email protected]新服务器IP "gzip -d |dd of=/dev/vg0/kvm10000_img conv=sync,noerror bs=64K"
lvremove /dev/vg0/kvm10000_snap -f
echo kvm10000 done  `date`  >>/root/m.log

centos大版本升级6到7

从6升级到7,建议按步骤走一遍弄个机器测试升级,玩坏了自己买单。

#!/bin/bash

cat>/root/fix.sh<<EOF
ln -s /usr/lib64/libpcre.so.0 /lib64/libpcre.so.0
ln -s /usr/lib64/libsasl2.so.2 /lib64/libsasl2.so.2
yum -y downgrade  grep
EOF
chmod 755 /root/fix.sh
echo "/root/fix.sh">> /etc/rc.local

cat>/etc/yum.repos.d/upgradetool.repo<<EOF
[upg]
name=CentOS-$releasever - Upgrade Tool
baseurl=http://buildlogs.centos.org/centos/6/upg/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF
    
yum -y erase openscap 

yum -y install redhat-upgrade-tool preupgrade-assistant-contents --disablerepo=base

preupg -s CentOS6_7 <<EOF y EOF rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 centos-upgrade-tool-cli --network 7 --instrepo=http://vault.centos.org/centos/7.2.1511/os/x86_64/ <<EOF y EOF reboot