juniper的lo0基础安全连接规则 (作用于 Routing Engine 的 lo0 输入过滤器; 下面的 term 按顺序匹配, 引用的 prefix-list Trusted_IP 必须先在 policy-options 里定义, 过滤器也要绑定到 lo0 才生效)

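# Routing-Engine protection filter for lo0. Terms are evaluated top-down, first match wins.
# NOTE: DenyICMP sits before the Trusted_IP term, so even trusted hosts cannot ping the
# box; discarding unreachable/time-exceeded also breaks PMTUD and traceroute toward the
# RE. A policer (rate-limit + accept) is the usual alternative to a hard discard.
set firewall family inet filter local_acl term DenyICMP from protocol icmp
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-request
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-reply
set firewall family inet filter local_acl term DenyICMP from icmp-type time-exceeded
set firewall family inet filter local_acl term DenyICMP from icmp-type unreachable
set firewall family inet filter local_acl term DenyICMP then discard
# Management from trusted sources. No protocol/port restriction, so *every* RE service
# is reachable from Trusted_IP. The prefix list must exist before commit:
#   set policy-options prefix-list Trusted_IP <prefix>/<len>
set firewall family inet filter local_acl term terminal_access from source-prefix-list Trusted_IP
set firewall family inet filter local_acl term terminal_access then accept
# Management ports closed to everyone else.
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied from destination-port http
set firewall family inet filter local_acl term terminal_access_denied from destination-port https
set firewall family inet filter local_acl term terminal_access_denied then discard
# Catch-all ACCEPT: anything not listed above (SNMP, NTP, BGP, ...) is still open to the
# world. Add explicit terms before this one if the box should be closed by default.
set firewall family inet filter local_acl term default-term then accept
# The filter does nothing until it is bound to lo0 as an input filter (missing from the
# original rule set).
set interfaces lo0 unit 0 family inet filter input local_acl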


fedora大版本升级记录

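# Fedora major-version upgrade via the offline "system-upgrade" plugin. Run as root.
# Each pass moves exactly one release forward; repeat until the target is reached.
dnf update --refresh -y
dnf install dnf-plugin-system-upgrade -y
# Target = current release + 1. "/etc/fedora-release" reads "Fedora release NN (...)",
# so awk field 3 is NN. $(...) instead of backticks.
next_release=$(( $(awk '{ print $3 }' /etc/fedora-release) + 1 ))
dnf system-upgrade download --releasever="$next_release" --allowerasing -y
# Reboots into the upgrade; nothing after this line runs in the same session.
dnf system-upgrade reboot -y
# Post-reboot step kept from the original notes (an in-place "dnf upgrade" against the
# next release). NOTE(review): /etc/fedora-release has already been bumped by then, so
# this recomputes and targets the release *after* the one just installed -- confirm
# that is what you want before running it.
dnf --releasever "$(( $(awk '{ print $3 }' /etc/fedora-release) + 1 ))" upgrade -y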

一路从 23 逐个大版本升级到 31 (每次只跳一个版本, 重复上面的步骤直到目标版本).

powerdns系列记录

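# PowerDNS + MySQL backend on a CentOS 6 era box (sysvinit/chkconfig).
# Password for the 'powerdns' DB user: 24 random bytes -> 32 base64 chars.
# The original "openssl rand 6 -base64" put the length before the option (newer
# OpenSSL rejects that) and 6 bytes (48 bits) is too short for a DB password.
mysqlrootpwd=$(openssl rand -base64 24)
yum -y install epel-release          # was misspelled "epel-releas"
yum -y install mysql mysql-server pdns pdns-backend-mysql
yum -y install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash
yum -y install php-pear-DB php-pear-MDB2-Driver-mysql
chkconfig --levels 235 httpd on
chkconfig --levels 235 mysqld on
chkconfig --levels 235 pdns on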

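# NOTE(review): the MySQL root password is never set (line left commented out), so
# root stays password-less until you run it or mysql_secure_installation.
#mysqladmin -u root password "$mysqlrootpwd"
mysqladmin create powerdns
# Remote host that also gets access (was hard-coded inline). Remote MySQL access
# additionally needs bind-address and a firewall rule limited to this host.
pdns_remote_host=108.171.205.98
# SQL fed via stdin instead of -e, so the password never appears in argv (`ps`)
# or shell history. GRANT ALL is more than PowerDNS needs at runtime
# (SELECT/INSERT/UPDATE/DELETE) but CREATE is needed for the schema import below;
# tighten it after the import.
mysql -Bs <<SQL
CREATE USER 'powerdns'@'localhost' IDENTIFIED BY '$mysqlrootpwd';
GRANT ALL PRIVILEGES ON powerdns.* TO 'powerdns'@'localhost';
GRANT ALL ON powerdns.* TO 'powerdns'@'$pdns_remote_host' IDENTIFIED BY '$mysqlrootpwd';
SQL
# Third-party schema fetched over plain HTTP: read it before loading it, or use the
# schema shipped with the pdns-backend-mysql package instead.
wget http://files.soluslabs.com/solusvm/pdns/pdns.sql
# Password via the environment rather than --password=... on the command line
# (argv is readable by every local user). Database named explicitly.
MYSQL_PWD="$mysqlrootpwd" mysql --user=powerdns powerdns < pdns.sql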
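# Backend config. It holds the DB password, so it must not stay world-readable.
# (The trailing whitespace after the dbname in the original has been dropped.)
cat >/etc/pdns/pdns.conf <<EOF
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=$mysqlrootpwd
gmysql-dbname=powerdns
EOF
chmod 640 /etc/pdns/pdns.conf
# root-owned, readable by the pdns service group. Confirm the group name the pdns
# package created on this build (getent group pdns) before relying on it.
chown root:pdns /etc/pdns/pdns.conf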

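# Restart the services so they pick up the new config. (The original ran
# "httpd restart" and then "httpd start"; the second call was redundant.)
/etc/init.d/mysqld restart
/etc/init.d/httpd restart
/etc/init.d/pdns restart
# Poweradmin web UI. "master" is unpinned -- you get whatever is on the branch
# today; prefer a tagged release and verify its hash.
wget -c https://github.com/poweradmin/poweradmin/tarball/master -O poweradmin.tar.gz
tar zxf poweradmin.tar.gz
mv poweradmin-* /var/www/html/poweradmin
# Handing the whole tree to the httpd user lets a compromised PHP process rewrite
# its own code. It is needed for the web installer; afterwards give ownership back
# to root and leave writable only what the installer documents.
chown -R apache:apache /var/www/html/poweradmin/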


ESXI无法登陆问题

新装的 ESXi 密码明明正确却无法登录. 几年前遇到过一次, 当时是在 shell 下重置解决的, 但时间太久已经忘了; 最近又遇上几次, 每次都像无头苍蝇一样乱找, 特此记录.
主要原因是ssh端口被爆破错误次数过多,导致锁死的问题.
新装系统, 登录管理页面后在 "管理" -> "高级设置" 里搜索 Security.AccountLockFailures, 把它设为 0, 或者直接关闭 SSH 服务.
注意: 设为 0 等于彻底关闭账户锁定, 针对密码爆破的保护也随之失效; 更稳妥的做法是保留锁定 (可适当调大 Security.AccountUnlockTime), 同时用 ESXi 防火墙/管理网把 SSH 限制到可信来源, 或者干脆关闭 SSH.

Security.AccountLockFailures
Security.AccountUnlockTime

也可以改用 ssh key 登录 (作者的做法: 用 key 登进去后, 再对 root 账户的失败计数进行重置).

authorized_keys路径

/etc/ssh/keys-root/authorized_keys

重置命令

# Show root's failed-login counter, then clear it (pam_tally2 short forms of
# --user / --reset).
pam_tally2 -u root
pam_tally2 -u root -r


如果新装系统已经被锁死还没设置key登陆, 则需要到ipmi下操作.
在Troubleshooting mode options项目下选择Restart Management Agents进行重置, 之后就可以再用web或者客户端进行登陆设置了.

nfsen-blackhole

记录

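# nfsen-blackhole plugin: injects BGP blackhole routes from nfsen alerts.
yum -y -q install monit tcsh perl-Net-BGP
# Unpinned clone: you get whatever is on the default branch today. Pin a commit
# you have reviewed -- this code ends up speaking BGP to your edge.
git clone https://github.com/zhecho/nfsen-blackhole
cd nfsen-blackhole || exit 1
# Rewrite the hard-coded nfsen paths. Only regular files in the top-level directory:
# the original "sed -i ... *" also hit sub-directories, which sed refuses to edit.
find . -maxdepth 1 -type f -exec sed -i \
  -e 's#/usr/local/var/nfsen#/opt/nfsen/var/run#g' \
  -e 's#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g' {} +
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm /opt/nfsen/plugins/
install bgp_simple.pl /opt/nfsen/plugins/
install blackHole.php /opt/nfsen/www/plugins/
# State/log files owned by the nfsen runtime user (nobody in this setup).
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}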


WANsensor和WANconsole 安装

配置记录

# Andrisoft WANsensor. The repo RPM comes from the vendor over plain HTTP; make sure
# the packages it pulls in are GPG-checked before trusting them.
yum -y -q install http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum -y -q install WANsensor
# Time sync (sensor and console presumably need to agree on time).
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
# WANconsole (web UI). The repo RPM is installed a second time because the console
# normally lives on another host; harmless when it is the same box.
yum -y -q install http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum -y -q install WANconsole
yum -y -q install epel-release
yum -y -q install php-pecl-radius     # presumably for RADIUS login on the console

其他

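# Values to set in the [mysqld] section of /etc/my.cnf (see the nano step below).
# Stray indentation from the original removed.
max_allowed_packet=64M
max_connections=1000
open_files_limit=5000
# No reverse DNS on client connects. Side effect: host names in GRANT entries no
# longer match -- use IP addresses in grants.
skip-name-resolve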
         
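nano /etc/my.cnf #set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
# Interactive: sets the root password, removes anonymous users and the test DB.
# (The original started mariadb a second time afterwards; not needed.)
mysql_secure_installation
systemctl enable mariadb

nano /etc/php.ini #set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd

# Opening "mysql" in the default zone exposes MariaDB on every interface in that zone.
# It is only needed when sensors run on other hosts; then restrict it to them, e.g.
#   firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=<sensor-ip> service name=mysql accept'
firewall-cmd --permanent --add-service=mysql
# Console is plain HTTP + HTTPS; prefer forcing HTTPS once the certificate is in place.
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
# --reload applies the permanent rules without tearing down established connections
# the way "systemctl restart firewalld" does.
firewall-cmd --reload

/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor

systemctl start WANsupervisor
systemctl enable WANsupervisor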
         
         
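# InfluxDB 1.7.9, pinned and fetched over HTTPS from the vendor.
yum -y -q install https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm
# (The original carried a mangled "[root@host ~]#" prompt here; it is just the edit step.)
nano /etc/influxdb/influxdb.conf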
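# Settings to apply inside the existing sections of /etc/influxdb/influxdb.conf
# (edit in place -- appending these would create duplicate tables).
# Fixed from the original: "max-seriesper-database" -> "max-series-per-database",
# "max-row_limit" -> "max-row-limit", smart quotes -> ASCII quotes.
[data]
index-version="tsi1"
# 0 disables the cardinality guards; an unbounded series set can exhaust memory.
# Keep a limit unless the cardinality is known.
max-series-per-database=0
max-values-per-tag=0
[retention]
enabled=true
[http]
enabled=true
log-enabled=false
# 0 = no cap on rows per query / request body size.
max-row-limit=0
max-body-size=0
# NOTE(review): auth-enabled is off by default, so anyone who can reach :8086 can
# read and write every database. Enable it or firewall the port to the console host.
[logging]
level="warn"
[continuous_queries]
enabled=true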
# Apply the config changes above.
systemctl restart influxdb.service


sflow-rt安装

sflow-rt这玩意挺方便, 可以用JS进行二次开发写APP

# sFlow-RT: real-time sFlow analytics; apps are JavaScript and can be extended.
yum -y -q install https://inmon.com/products/sFlow-RT/sflow-rt-3.0-1451.noarch.rpm
# get-app.sh fetches each app at install time (by the arguments, from the "sflow-rt"
# GitHub organisation); review what you pull in, ddos-blackhole in particular
# ends up announcing routes.
for app in top-flows dashboard-example ddos-blackhole sflow-test; do
  /usr/local/sflow-rt/get-app.sh sflow-rt "$app"
done
systemctl start sflow-rt
systemctl enable sflow-rt


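# Firewall for sFlow-RT. NOTE: --add-masquerade makes this host a NAT gateway for the
# whole public zone, and 179/6343 are opened to every source. Prefer rich rules
# limited to the router / BGP peer addresses.
firewall-cmd --zone=public --add-masquerade --permanent
# Peers connect to 179; the BGP listener on this host is on the unprivileged
# port 1179 (presumably the ddos-blackhole app -- confirm).
firewall-cmd --zone=public --add-forward-port=port=179:proto=tcp:toport=1179 --permanent
firewall-cmd --zone=public --add-port=179/tcp --permanent
firewall-cmd --zone=public --add-port=6343/udp --permanent     # sFlow datagrams
firewall-cmd --reload
# --list-ports shows ports only; --list-all also shows the forward-port and masquerade.
firewall-cmd --zone=public --list-all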


librenms简便安装

和observium很像,开源软件.

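# LibreNMS from git on CentOS 7.
# The first line of the original was a bare package fragment ("file bison mlocate
# flex diffutils"), presumably a broken yum line; it is folded into the install.
yum -y install file bison mlocate flex diffutils cronie fping git ImageMagick whois mtr net-snmp net-snmp-utils nmap python-memcached rrdtool
# System account, home set to the checkout but not created (-M).
useradd librenms -d /opt/librenms -M -r
cd /opt || exit 1
# Unpinned clone of the default branch.
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
# Group-writable (including for new files) on the dirs the web/poller side writes to.
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
# Runs as librenms, not root; pulls composer and the PHP dependencies from the
# network. PHP 7 here is a custom build under /opt/php7.
runuser -l librenms -c '/opt/php7/bin/php /opt/librenms/scripts/composer_wrapper.php install --no-dev'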

nginx配置

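# Observium vhost. Plain HTTP on :80 -- terminate TLS here or redirect to 443.
server {
    listen 80;
    root /opt/observium;
    index index.php;
    server_name observium.example.com;

    error_log /var/log/nginx/observium.error.log;
    access_log /var/log/nginx/observium.log;

    # PHP handler, hoisted out of the redundant "location /" wrapper it sat in.
    # Fixes vs. the original:
    #  - "\.php$": the dot was unescaped, so e.g. "/x.xphp" matched as well;
    #  - "=404": "= 404" makes nginx treat "=" as a file and "404" as a fallback URI.
    # try_files ensures the script exists before it reaches FPM, which blocks the
    # classic "upload.jpg/x.php" PATH_INFO trick.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/dev/shm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_read_timeout 300;
    }

    # Never serve .htaccess/.htpasswd. The original "~/\.ht" lacks the space after
    # the modifier; nginx then reads it as a literal prefix that never matches.
    location ~ /\.ht {
        deny all;
    }
}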
                                                               
# LibreNMS vhost (plain HTTP; put TLS here or in front of it).
server {
    listen 80;
    server_name librenms.example.com;
    index index.php;
    root /opt/librenms/html;

    # Front controller: real file -> directory -> index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    # v0 API entry point.
    location /api/v0 {
        try_files $uri $uri/ /api_v0.php?$query_string;
    }
    # No "$" anchor on purpose: PATH_INFO URLs (/foo.php/bar) have to reach
    # fastcgi_split_path_info. NOTE(review): this socket name does not match the
    # "$pool.sock" (= librenms.sock) the FPM pool below listens on -- confirm
    # which one is real.
    location ~ \.php {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/dev/shm/php-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}

FPM配置文件

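; php-fpm pool for LibreNMS (php-fpm.d/librenms.conf). $pool expands to "librenms".
[librenms]
user = $pool
group = $pool
; NOTE(review): the nginx vhosts above pass to /dev/shm/php-fpm.sock, not to this
; socket -- one of the two is wrong.
listen = /dev/shm/$pool.sock
; The original 0666 let every local user talk to the pool socket. Restrict it to
; the web server's user instead ("nginx" is the CentOS package default -- adjust if
; the workers run as something else, FPM refuses to start on an unknown user).
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = dynamic
pm.max_children = 15
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 5
; NOTE(review): /opt/bgpto looks copied from another pool; LibreNMS lives in
; /opt/librenms. Harmless as a chdir, but verify.
chdir = /opt/bgpto
; Only plain .php is routed here by the nginx config; the .php3/.php4/.php5/.php7
; extensions of the original were unused attack surface.
security.limit_extensions = .php
; NOTE(review): "$pool.hostname" expands to the literal "librenms.hostname" -- probably
; not what was intended.
env[HOSTNAME] = $pool.hostname
env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/php7/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /var/log/fpm-php.$pool.log
php_admin_value[memory_limit] = 256M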


VMware ESXi安装ipmitool

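# Community ipmitool VIB for ESXi. It comes from a third-party mirror over plain HTTP
# and needs the host acceptance level lowered, i.e. you are trusting that mirror with
# root on the hypervisor -- verify the VIB (or build it yourself) first.
# Download and install paths now agree, and esxcli gets the absolute path it
# requires for -v (the original used a bare relative filename that did not even
# match the downloaded name).
wget http://dl.kvm.la/tools/esxi_ipmitool-1.8.15-1.vib -O /tmp/esxi_ipmitool-1.8.15-1.vib
esxcli software acceptance set --level=CommunitySupported
esxcli software vib install -v /tmp/esxi_ipmitool-1.8.15-1.vib
# Cold-resets the BMC: expect a brief loss of remote console / IPMI.
/opt/ipmitool/bin/ipmitool mc reset cold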


编译安装 nfdump

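# Build nfdump from git (unpinned; check out a release tag for reproducible builds).
yum -y -q install nss curl git libtool m4 automake bzip2-devel
git clone https://github.com/phaag/nfdump
cd nfdump || exit 1
./autogen.sh
# nfprofile/nftrack are needed by nfsen and its PortTracker plugin.
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/local/rrdtool
make
make install
# nftrack is a binary and must be executable. The original installed it 0644, which
# makes the later "sudo -u nobody nftrack -I ..." fail with permission denied.
install -p -m 755 bin/nftrack /usr/bin/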

Centos7 nfsen基础安装

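# nfsen 1.3.8 on CentOS 7.
yum -y -q install epel-release wget        # was "-qinstall" (typo)
yum -y -q install nss curl git nfdump perl gcc make libpcap-devel fprobe-ulog rrdtool-devel rrdtool-perl flex byacc
yum -y -q install perl-MailTools perl-Socket6 perl-Sys-Syslog 'perl(Data::Dumper)' perl-DBD-MySQL
wget https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.8/nfsen-1.3.8.tar.gz/download -O - | tar xz
cd nfsen-1.3.8 || exit 1
# Either derive the config from the shipped template ...
#cat etc/nfsen-dist.conf | grep -v ^# | grep -v ^$ > etc/nfsen.conf
# ... or take the author's copy. It arrives over plain HTTP from a private host:
# read it before installing.
wget dl.kvm.la/conf/nfsen/nfsen.conf -O etc/nfsen.conf
perl install.pl etc/nfsen.conf
ln -s /opt/nfsen/bin/nfsen /usr/bin/
# PortTracker plugin (the original repeated this block twice; once is enough).
# NOTE(review): the blackhole plugin above puts its .php under
# /opt/nfsen/www/plugins/; PortTracker.php probably belongs there too -- check
# $HTMLDIR in nfsen.conf.
install contrib/PortTracker/PortTracker.pm /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php /opt/nfsen/plugins/
mkdir -p /data/ports-db
# nfsen runs as "nobody" here. That account is shared with other daemons and now
# owns the whole install tree, code included; a dedicated user is safer.
chown -R nobody:nobody /data/ports-db /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db
# Init script, again over plain HTTP from the private host -- review before use.
wget dl.kvm.la/conf/nfsen/nfsen.init -O /etc/init.d/nfsen
chmod 755 /etc/init.d/nfsen
chkconfig nfsen on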

正常使用还要http和php进行支持, sflow数据发送到nfsen进行分析,等等.

smartmontools 查看阵列磁盘健康状态

# SMART data for a disk behind a MegaRAID controller: N is the controller's device
# id (see below), sdX the block device the OS exposes.
yum -y -q install smartmontools
smartctl -a -d megaraid,N /dev/sdX

N代表硬盘的设备ID, 可以用storcli和MegaCli查找到.
X则代表存储设备的顺序ID. 第一个存储设备以a开始排列.
查看硬盘的设备ID方法如下:

用MegaCli

#第一种
#MegaCli -PDList -aAll|grep "Device Id"
Device Id: 0
Device Id: 1
Device Id: 2
Device Id: 3
Device Id: 4
Device Id: 5
Device Id: 6
Device Id: 7
Device Id: 8
Device Id: 9

#第二种(LSI ID就是设备ID)
#注意: 下面这条命令把 http 明文站点上的脚本直接通过管道交给 python 以 root 执行, 传输途中被篡改就等于交出 root. 建议先 curl -sSO 下载, 看过脚本内容再 python 运行.
#curl -sS http://dl.kvm.la/lsi/megaclisas-status | python
-- Controller information --
-- ID | H/W Model      | RAM    | Temp | BBU    | Firmware
c0    | PERC H710 Mini | 512MB  | 76C  | Good   | FW: 21.0.1-0132

-- Array information --
-- ID | Type    |    Size |  Strpsz | Flags | DskCache |   Status |  OS Path | CacheCade        |InProgress
c0u0  | RAID-10 |   5455G |  256 KB | RA,WB | Disabled |  Optimal |        0 | Type : Read Only |None

-- Disk information --
    -- ID    | Type | Drive Model                       | Size     | Status          | Speed    | Temp | Slot ID  | LSI ID
    c0u0s0p0 | HDD  | HGST HUC101212CSS600 A469KZJ0M2DG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:0]   | 0
    c0u0s0p1 | HDD  | HGST HUC101212CSS600 A469KZJ0LJRG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:1]   | 1
    c0u0s1p0 | HDD  | HGST HUC101212CSS600 A469KZHZX1ZG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:2]   | 2
    c0u0s1p1 | HDD  | HGST HUC101212CSS600 A469KZJ076SG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:3]   | 3
    c0u0s2p0 | HDD  | HGST HUC101212CSS600 A469KZJ0B6PG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:4]   | 4
    c0u0s2p1 | HDD  | HGST HUC101212CSS600 A469KZJ0WWJG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:5]   | 5
    c0u0s3p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LT4G | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:6]   | 6
    c0u0s3p1 | HDD  | HGST HUC101212CSS600 A469KZJ0A5KG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:7]   | 7
    c0u0s4p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LRLG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:8]   | 8
    c0u0s4p1 | HDD  | HGST HUC101212CSS600 A469KZJ0DUGG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:9]   | 9

基于storcli命令查找

#storcli /c0 /eall /sall show
----------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
----------------------------------------------------------------------------

DID就是硬盘的设备ID

附:MegaCli和storcli安装

# MegaCli / storcli from a private mirror over plain HTTP. These run as root against
# the RAID controller: compare the RPM checksums with Broadcom's official download
# (or install from there) before trusting the mirror.
yum -y -q install http://dl.kvm.la/lsi/MegaCli_All_OS/Linux/MegaCli-8.07.06-1.noarch.rpm
ln -s /opt/MegaRAID/MegaCli/MegaCli64 /usr/bin/MegaCli
yum -y -q install http://dl.kvm.la/lsi/storcli_All_OS/Linux/storcli-1.23.02-1.noarch.rpm
ln -s /opt/MegaRAID/storcli/storcli64 /usr/bin/storcli

Centos7安装FRRouting

由于官方改动了一些文件位置,没有及时更新安装引导说明, 导致最后几步安装找不到文件,故自己抄写了一份.
原文地址http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-centos7.html

# Build dependencies (yum) and the FRR service accounts.
yum -y -q install nss curl git autoconf automake libtool make cmake readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel pam-devel bison flex pytest c-ares-devel python-devel systemd-devel python-sphinx libcap-devel
# Fixed uid/gid 92 for frr; frrvty (gid 85) is the vty group passed to configure
# below, so members of it can use vtysh.
groupadd -g 92 frr
groupadd -r -g 85 frrvty
useradd -u 92 -g 92 -M -r -G frrvty -s /sbin/nologin -c "FRR FRRouting suite" -d /var/run/frr frr

    # libyang: not packaged on CentOS 7, so build from source.
    # NOTE(review): this clones libyang's default branch. FRR only builds against
    # particular libyang versions; check out the tag the FRR docs name for the FRR
    # checkout you are building.
    cd /tmp
    git clone https://github.com/CESNET/libyang.git
    cd libyang
    mkdir -p build && cd build
    cmake -DENABLE_LYD_PRIV=ON -DCMAKE_INSTALL_PREFIX:PATH=/usr -D CMAKE_BUILD_TYPE:String="Release" ..
    make
    make install

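    # FRR itself (unpinned clone of the default branch; check out a release tag).
    cd /tmp
    git clone https://github.com/frrouting/frr.git frr
    cd frr
    ./bootstrap.sh
    # Red Hat style layout; SNMP via AgentX, 64-way multipath, FPM socket enabled,
    # ldpd left out.
    ./configure \
        --bindir=/usr/bin \
        --sbindir=/usr/lib/frr \
        --sysconfdir=/etc/frr \
        --libdir=/usr/lib/frr \
        --libexecdir=/usr/lib/frr \
        --localstatedir=/var/run/frr \
        --with-moduledir=/usr/lib/frr/modules \
        --enable-snmp=agentx \
        --enable-multipath=64 \
        --enable-user=frr \
        --enable-group=frr \
        --enable-vty-group=frrvty \
        --enable-systemd=yes \
        --disable-exampledir \
        --disable-ldpd \
        --enable-fpm \
        --with-pkg-git-version \
        --with-pkg-extra-version=-MyOwnFRRVersion \
        SPHINXBUILD=/usr/bin/sphinx-build
    make
    make install
    # /etc/frr may not exist yet (exampledir is disabled, and the original only
    # created it further down, after this install); make sure it does.
    mkdir -p /etc/frr /var/log/frr
    install -p -m 644 ./tools/etc/frr/daemons /etc/frr/
    install -p -m 644 tools/frr.service /usr/lib/systemd/system/frr.service
    # NOTE(review): frrinit.sh.in is an unprocessed template (@...@ placeholders) and
    # is installed non-executable here, while "make install" already produces a
    # processed frrinit.sh. Check the ExecStart in frr.service points at the real
    # script before relying on this line.
    install -p -m 644 tools/frrinit.sh.in /usr/lib/frr/frr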

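    # Empty per-daemon configuration files with restrictive ownership and modes.
    mkdir -p /var/log/frr /etc/frr       # -p: no error if they already exist
    touch /etc/frr/{zebra,bgpd,ospfd,ospf6d,isisd,ripd,ripngd,pimd,nhrpd,eigrpd,babeld,vtysh}.conf
    # frr:frr, 0640: configs can carry routing-protocol keys and the vty passwords.
    chown -R frr:frr /etc/frr/
    # vtysh.conf is group frrvty so non-root operators in that group can use vtysh.
    chown frr:frrvty /etc/frr/vtysh.conf
    chown frr:frr /etc/frr/daemons
    chmod 640 /etc/frr/*.conf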
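# IP forwarding for both families, persisted in sysctl.d and applied immediately.
# (The original had all of this collapsed onto one line.)
cat >/etc/sysctl.d/90-routing-sysctl.conf <<'EOF'
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
EOF
sysctl -p /etc/sysctl.d/90-routing-sysctl.conf
# Register, enable and start FRR.
systemctl preset frr.service
systemctl enable frr
systemctl start frr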

安装步骤到此结束
  需要先配置 zebra, 再用 telnet 连接 vty (端口 2601). 注意 vty 是明文 telnet 加一个共享密码: 确认 /etc/frr/daemons 里各 daemon 的监听地址是 127.0.0.1 (-A 127.0.0.1), 不要把 2601 等端口暴露到网络上; 日常操作更推荐走 vtysh (本地 socket, frrvty 组).

zebra配置文件

#cat /etc/frr/zebra.conf
! Zebra configuration file
!
! NOTE(review): "zebra" / "zebra" are the textbook default vty passwords, and the
! telnet vty on 2601 carries them in clear text. Change both before the daemon is
! reachable from anything but localhost, or skip the telnet vty entirely and use
! vtysh (local socket, group frrvty).
frr version 6.0
frr defaults traditional
!
hostname Router
password zebra
enable password zebra
!
! Logs to stdout; under systemd that ends up in the journal.
log stdout
!
!

更多配置和指引参考官方引导文章  

   # zebra's vty on the loopback; it asks for the "password" line from zebra.conf.
   telnet 127.0.0.1 2601

 然后和思科的配置方式差不多  


centos安装ntop

# ntop stack: ntopng, nprobe, n2disk, cento and the PF_RING kernel module (dkms).
yum -y install epel-release wget
# The .repo file is fetched over plain HTTP (use the https URL if the mirror offers
# one): a tampered .repo can point yum at a hostile mirror or turn off gpgcheck.
wget -O /etc/yum.repos.d/ntop.repo http://packages.ntop.org/centos/ntop.repo
yum -y install pfring-dkms n2disk nprobe ntopng cento
# redis is started first; ntopng needs it running.
service redis start
service ntopng start

bird+juniper BGP RTBH

bird实例

# Logging defaults: everything to syslog, per-protocol debugging off.
log syslog all;
debug protocols off;
debug commands 0;

# NOTE(review): 1.1.1.1 (like the 3.3.3.3 / 4.4.4.4 peers below) is a real public
# address used as a placeholder; use your own addresses or RFC 5737 ranges.
router id 1.1.1.1;

# Victim host routes. Anything added here (and only /32s, see the export filter)
# is pushed to the edge routers as a discard route. The two entries are examples,
# not real targets -- they are public addresses.
protocol static rtbh {
	route 99.99.99.99/32 blackhole;
	route 88.88.88.88/32 blackhole;
}

# Export policy towards the edge: only routes from the "rtbh" static protocol, only
# /32s, tagged with the RTBH community and re-pointed at the discard next-hop
# (192.0.2.1, which the Juniper side resolves to a static discard route).
# Everything else is rejected, so nothing but blackholes can leak to the edge.
filter export_rtbh_out {
	# Limit to static routes
	if (proto = "rtbh") then
	{
		# Limit to /32 host routes (for now)
		if net.len = 32 then
		{
			bgp_community.add((65001,9999));
			bgp_next_hop = 192.0.2.1;
			accept;
		}
	}
	reject;
}

# iBGP sessions to the two edge routers. "import none" keeps the edge's table out
# of this box; only the filtered blackhole routes go out.
# NOTE(review): neither session has a TCP-MD5 "password" -- worth adding, since a
# forged UPDATE on this session blackholes arbitrary /32s at the edge.
# This looks like BIRD 1.x syntax (no ipv4 channel block); BIRD 2 needs one.
protocol bgp ER3 {
	description "iBGP to Edge Router 3 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 3.3.3.3 as 65001;
	import none;
	export filter export_rtbh_out;
}
protocol bgp ER4 {
	description "iBGP to Edge Router 4 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 4.4.4.4 as 65001;
	import none;
	export filter export_rtbh_out;
}



JUNOS 配置实例

# Discard route for the RTBH next-hop: any prefix whose next-hop the route server
# rewrote to 192.0.2.1 resolves onto this route and its traffic is dropped here.
routing-options {
	static {
		route 192.0.2.1/32 discard;
	}
}

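protocols {
	bgp {
		# iBGP session to the BIRD route server (1.1.1.1). Only tagged /32s are
		# imported (import-from-rs); nothing is exported back (deny-all).
		# Fixed: the original read "expor deny-all", a syntax error on load.
		# Worth adding: authentication-key (TCP-MD5) and a family inet unicast
		# prefix-limit, so a misbehaving route server cannot flood the RIB.
		group RTBH {
			type internal;
			import import-from-rs;
			export deny-all;
			neighbor 1.1.1.1;
		}
	}
}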

policy-options {
	# Export policy of the RTBH group: send nothing to the route server.
	policy-statement deny-all {
		term 1 {
			then reject;
		}
	}
	# Accept only host routes (/32) carrying the RTBH community; everything else
	# from the route server is rejected, so it cannot inject ordinary prefixes.
	# The next-hop (192.0.2.1) comes from the route server and resolves onto the
	# static discard route above.
	policy-statement import-from-rs {
		term 1 {
			from {
				community RTBH;
				route-filter 0.0.0.0/0 prefix-length-range /32-/32;
			}
			then accept;
		}
		term reject {
			then reject;
		}
	}
	# Must match the community the BIRD export filter adds: (65001,9999).
	community RTBH members 65001:9999;
}

抄录自https://gist.github.com/floatingstatic/854aa504a92ab8bc3e044e434ec378c4