新装系统的 ESXi 密码正确却无法登录, 几年前就遇上过, 当时是在 shell 下操作重置解决的, 但时间太久忘记了, 然后最近又遇上了几次, 像无头苍蝇一样到处找, 特此记录一下.
主要原因是ssh端口被爆破错误次数过多,导致锁死的问题.
新装系统, 登录管理页面后, 在“管理”->"高级设置"里搜索 Security.AccountLockFailures 并设置成 0, 或者直接关闭 ssh 服务.
Security.AccountLockFailures
Security.AccountUnlockTime
或者用PowerCLI进行操作
# PowerCLI equivalent of the "Advanced Settings" change described above.
# NOTE(review): a lockout threshold of 0 disables the brute-force lockout for every
# account on the host, not just root. If SSH has to stay reachable, raising the
# threshold / shortening AccountUnlockTime and limiting SSH to a management network
# keeps the protection; disabling it is the quick-and-dirty option.
Set-VMHostAdvancedConfiguration Security.AccountLockFailures -Value 0
# NOTE(review): confirm what a value of 0 means for AccountUnlockTime on this ESXi
# version before relying on it (whether it disables the timer or makes it immediate).
Set-VMHostAdvancedConfiguration Security.AccountUnlockTime -Value 0
也可以设置成 ssh key 登录, 再对 root 账户进行重置解决.
authorized_keys路径
/etc/ssh/keys-root/authorized_keys
重置命令
# Show root's failed-login tally (run over the key-based SSH login that still works),
# then clear it so password logins are accepted again.
pam_tally2 --user root
pam_tally2 --user root --reset
如果新装系统已经被锁死, 而且还没设置 key 登录, 则需要到 ipmi 下操作.
在Troubleshooting mode options项目下选择Restart Management Agents进行重置, 之后就可以再用web或者客户端进行登陆设置了.
记录
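# Install the nfsen-blackhole plugin and its runtime packages (monit/tcsh/perl-Net-BGP).
yum -y -q install monit tcsh perl-Net-BGP
# NOTE(review): the clone is unpinned (whatever the default branch holds at run time)
# and is installed straight into the nfsen plugin directory; pin a tag or commit and
# read through the plugin before deploying it on a production collector.
git clone https://github.com/zhecho/nfsen-blackhole
# Stop here if the clone failed: without this guard the `sed -i ... *` below would
# rewrite every file in the *current* directory instead of the checkout.
cd nfsen-blackhole || exit 1
# Rewrite the upstream hard-coded paths to this box's nfsen layout. Patterns are
# unchanged; `--` keeps a file whose name starts with '-' from being read as an option.
sed -i "s#/usr/local/var/nfsen#/opt/nfsen/var/run#g" -- *
sed -i "s#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g" -- *
# install(1) copies with mode 0755 by default, which is what the plugin scripts need.
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm /opt/nfsen/plugins/
install bgp_simple.pl /opt/nfsen/plugins/
install blackHole.php /opt/nfsen/www/plugins/
# Pre-create the plugin's preference and log files; presumably nobody is the
# account nfsen runs as here — confirm against the nfsen config.
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}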
配置记录
# WANsensor host: add the Andrisoft repo, install the sensor, start ntpd, then the supervisor.
# NOTE(review): the repo RPM is fetched over plain http and yum does not GPG-verify
# URL/local packages unless localpkg_gpgcheck is enabled — verify the package, and
# confirm gpgcheck is on for the WANrepo it installs.
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANsensor
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
# WANconsole: the repo RPM is installed again — presumably this part targets a
# separate console host; on the same host the second install is a no-op.
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANconsole
# epel-release first, presumably because php-pecl-radius comes from EPEL.
yum install -y -q epel-release
yum install -y -q php-pecl-radius
其他
# [mysqld] values referenced by the my.cnf edit below (raised limits for the console DB).
max_allowed_packet=64M
max_connections=1000
open_files_limit=5000
# Skips reverse DNS on client connects; with this set, Host values in GRANTs must be
# IP addresses rather than hostnames.
skip-name-resolve
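# Console host: MariaDB, PHP, httpd, firewall, then the Andrisoft console/supervisor
# and InfluxDB. The nano lines are manual edits, not scripted ones.
nano /etc/my.cnf #set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
# Interactive: sets the root password and removes the anonymous/test defaults.
# Run it before anything else connects to the database.
mysql_secure_installation
systemctl enable mariadb
nano /etc/php.ini #set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd
# NOTE(review): --add-service=mysql exposes 3306 to the whole default zone. If only
# the local console talks to the DB this line is unnecessary; if sensors connect
# remotely, scope the rule to their addresses instead of opening it to everyone.
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
# Restarting firewalld also applies the --permanent rules above.
systemctl restart firewalld
/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
# Pinned InfluxDB 1.7.9 over https. NOTE(review): yum only signature-checks a URL
# package when localpkg_gpgcheck is on — confirm the influxdata key is imported.
yum install -y -q https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm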
[root@localhost ~]# nano /etc/influxdb/influxdb.conf
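# /etc/influxdb/influxdb.conf (InfluxDB 1.7.x) — only the keys that were changed.
[data]
# Straight quotes: the curly ” quotes in the original are not valid TOML and make
# the daemon reject the file.
index-version = "tsi1"
# The original had max-seriesper-database (missing hyphen); the 1.x key is
# max-series-per-database. 0 removes the series-cardinality cap.
max-series-per-database = 0
max-values-per-tag = 0
[retention]
enabled = true
[http]
enabled = true
# NOTE(review): this switches HTTP request logging off, so there is no per-request
# audit trail from the API; keep it on (or ship it elsewhere) if the endpoint is
# reachable beyond localhost. No auth-enabled is set here either, so the 1.x default
# (no authentication) applies — confirm the port is not exposed.
log-enabled = false
# The original had max-row_limit (underscore); the key is max-row-limit.
max-row-limit = 0
max-body-size = 0
[logging]
level = "warn"
[continuous_queries]
enabled = true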
# Apply the influxdb.conf edit above.
systemctl restart influxdb
none
sflow-rt这玩意挺方便, 可以用JS进行二次开发写APP
官方下载链接 https://sflow-rt.com/download.php
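# sFlow-RT install. NOTE(review): ip_unprivileged_port_start=0 lets *every*
# unprivileged process on the host bind ports below 1024, not just sflow-rt. It is
# the broadest of the three options on this page; the firewalld 179->1179 forward
# below, or the authbind note further down, confine the privilege to one port or
# binary — pick one mechanism rather than stacking all three.
printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=0' >> /etc/sysctl.conf
sysctl -p
yum install java java-11-openjdk -y
# The version string is fetched from the network at install time. -f makes an HTTP
# error fail instead of pasting an error page into the URL, and the URL is quoted so
# the substitution is never word-split. yum does not signature-check a URL package
# unless localpkg_gpgcheck is on — confirm the inmon key is installed.
yum install -y -q "https://inmon.com/products/sFlow-RT/sflow-rt-$(curl -fsS https://inmon.com/products/sFlow-RT/latest.txt).noarch.rpm"
/usr/local/sflow-rt/get-app.sh sflow-rt top-flows
/usr/local/sflow-rt/get-app.sh sflow-rt dashboard-example
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-blackhole
/usr/local/sflow-rt/get-app.sh sflow-rt sflow-test
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-protect
systemctl start sflow-rt
systemctl enable sflow-rt
# NOTE(review): presumably added so the local forward-port works, but masquerade
# also NATs any traffic forwarded through this host — confirm that is intended.
firewall-cmd --zone=public --add-masquerade --permanent
# BGP peers connect to 179; it is redirected to 1179, presumably the unprivileged
# port sflow-rt is configured to listen on — verify in the sflow-rt config.
firewall-cmd --zone=public --add-forward-port=port=179:proto=tcp:toport=1179 --permanent
# NOTE(review): 179/tcp and 6343/udp are opened to the entire public zone. Restrict
# them to the BGP peer and sFlow exporter addresses (a source-scoped rich rule) so
# arbitrary hosts cannot feed spoofed sFlow samples or attempt BGP sessions.
firewall-cmd --zone=public --add-port=179/tcp --permanent
firewall-cmd --zone=public --add-port=6343/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports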
如果要用179端口做bgp需要在服务器启动文件加入authbind的命令
# authbind lets an unprivileged process bind a low port. NOTE(review): this RPM comes
# from a personal S3 bucket rather than a distro repo, and yum does not GPG-verify
# URL packages unless localpkg_gpgcheck is on — treat it as an untrusted supply-chain
# input and verify it (or build authbind from source) before putting it on a BGP speaker.
yum install -y https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm
# authbind grants bind(2) on port 179 to any account that can execute this file.
touch /etc/authbind/byport/179
# NOTE(review): 0755 is executable by everyone, so every local user may bind 179.
# Owning it by the sflow-rt service account (chown <sflow-rt user> + mode 500)
# limits the grant to that one process.
chmod 755 /etc/authbind/byport/179
在 /etc/init.d/sflow-rt文件内找到START这一行
# In /etc/init.d/sflow-rt: wrap the daemon in authbind so it can bind 179 without
# running as root. --deep keeps the authbind preload active for child processes —
# presumably needed because run-rt launches the JVM as a child; confirm.
START='authbind --deep /usr/local/sflow-rt/bin/run-rt'
none
和 observium 很像, 也是开源软件.
# NOTE(review): this line looks like a stray fragment of the package list below
# (as written it runs `file` against those names); confirm and merge it into the yum line.
file bison mlocate flex diffutils
# LibreNMS prerequisites, then a dedicated system account (-r) whose home is the
# install dir but is not created here (-M) — the clone below fills it in.
yum -y install cronie fping git ImageMagick whois mtr net-snmp net-snmp-utils nmap python-memcached rrdtool
useradd librenms -d /opt/librenms -M -r
cd /opt
# Unpinned clone of the default branch — pin a release tag for a reproducible deploy.
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
# Group-writable tree: whichever account serves PHP must be in the librenms group.
# The FPM pool below runs as librenms itself (user/group = $pool), so that holds here.
chmod 770 /opt/librenms
# Default ACLs (-d) so files created later in rrd/logs/cache/storage stay group-writable,
# then apply the same bits to what already exists (-R).
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
# Composer dependencies installed as the librenms user (not root) with the separate php7 build.
runuser -l librenms -c '/opt/php7/bin/php /opt/librenms/scripts/composer_wrapper.php install --no-dev'
nginx配置
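# Observium vhost (plain HTTP). PHP is handed to php-fpm over a unix socket;
# everything else is served straight from /opt/observium.
server {
  listen 80;
  root /opt/observium;
  index index.php;
  server_name observium.example.com;
  error_log /var/log/nginx/observium.error.log;
  access_log /var/log/nginx/observium.log;

  location / {
    # Escape the dot: in the original `.php$` the `.` matched any character,
    # so the block also caught URIs such as /foo/xphp.
    location ~ \.php$ {
      # `=404` must be one token: with `= 404` nginx reads "404" as a URI to
      # redirect to rather than a status code. The check also stops a request
      # for a non-existent *.php path from ever reaching php-fpm.
      try_files $uri =404;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      # NOTE(review): the php-fpm pool further down listens on /dev/shm/$pool.sock;
      # confirm the socket name here matches it.
      fastcgi_pass unix:/dev/shm/php-fpm.sock;
      fastcgi_index index.php;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $request_filename;
      fastcgi_read_timeout 300;
    }
  }

  # Never serve .htaccess/.htpasswd files left over from an Apache setup.
  location ~ /\.ht {
    deny all;
  }
}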
# LibreNMS vhost (plain HTTP), served from the html/ subdirectory of the checkout.
server {
  listen 80;
  server_name librenms.example.com;

  root /opt/librenms/html;
  index index.php;

  # Front controller: anything that is not a real file/dir goes to index.php.
  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  # The v0 API has its own entry script.
  location /api/v0 {
    try_files $uri $uri/ /api_v0.php?$query_string;
  }

  # Unanchored on purpose so /script.php/extra/path reaches FPM with path info.
  # NOTE(review): because there is no try_files check here, the protection against
  # a non-PHP file being executed as PHP via path info is FPM's
  # security.limit_extensions (set in the pool below) — keep that line.
  location ~ \.php {
    include fastcgi.conf;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # NOTE(review): the pool below listens on /dev/shm/$pool.sock, i.e.
    # /dev/shm/librenms.sock — confirm this socket path matches it.
    fastcgi_pass unix:/dev/shm/php-fpm.sock;
  }

  # Regex locations are matched in order; this one stays after the PHP block.
  location ~ /\.ht {
    deny all;
  }
}
FPM配置文件
; php-fpm pool for LibreNMS. $pool expands to the section name, "librenms".
[librenms]
; Runs as the librenms account created in the install steps above, so the
; group-writable /opt/librenms tree is writable by the web workers.
user = $pool
group = $pool
; NOTE(review): this expands to /dev/shm/librenms.sock, while the nginx vhosts
; above connect to /dev/shm/php-fpm.sock — one of the two needs to change.
listen = /dev/shm/$pool.sock
; NOTE(review): 0666 makes the socket world-writable, so any local account can
; send FastCGI requests and run PHP as the librenms user. Prefer setting
; listen.owner/listen.group to the nginx worker user with listen.mode = 0660.
listen.mode = 0666
pm = dynamic
pm.max_children = 15
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 5
; NOTE(review): /opt/bgpto does not match the /opt/librenms install above —
; looks like a copy-paste from another pool; confirm.
chdir = /opt/bgpto
; This is the guard against the nginx+FPM path-info issue (a non-PHP file being
; run as PHP): FPM refuses scripts whose extension is not listed. nginx only
; routes \.php here, so the .php3/4/5/7 entries widen it for no gain — .php alone is tighter.
security.limit_extensions = .php .php3 .php4 .php5 .php7
; NOTE(review): presumably expands to "librenms.hostname"; the stock pool file uses
; $HOSTNAME — confirm this is intended.
env[HOSTNAME] = $pool.hostname
; /opt/php7/bin is appended so pool processes find the custom php7 build.
env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/php7/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; php_admin_value cannot be overridden by ini_set() from scripts.
php_admin_value[error_log] = /var/log/fpm-php.$pool.log
php_admin_value[memory_limit] = 256M