March 2018

OpenConnect VPN Server official site: http://www.infradead.org/ocserv/
Official install guide: https://github.com/openconnect/recipes
It is now available as a Debian package, so it can be installed with apt install ocserv instead of being compiled by hand.
Because this is an SSL VPN, a TLS certificate is needed (a self-signed one works, but Cisco AnyConnect will show a security warning for it). Note that -nodes leaves the private key unencrypted on disk, so keep ssl.key at mode 600. Self-signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 365 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Current TLS clients expect the server address in the subjectAltName rather than only in the CN; with OpenSSL 1.1.1 or later add -addext "subjectAltName=IP:192.168.0.1" (or DNS: followed by the hostname) to the command above.
Check the certificate: openssl x509 -in ssl.crt -text -noout
CSR method (to have a CA sign the certificate instead): openssl req -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.req -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Check the CSR: openssl req -in ssl.req -text -noout
Generate the DH parameter file (1024 bits, as seen in older guides, is too weak today; use 2048 or more): openssl dhparam -out dh.pem 2048
Enable IPv4 forwarding: net.ipv4.ip_forward = 1 (in /etc/sysctl.conf or /etc/sysctl.d/, then sysctl -p)
NAT the VPN client subnet out through the uplink with iptables, and clamp the TCP MSS so large segments survive the tunnel's smaller MTU:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip link set txqueuelen 10000 dev eth0
# ocserv config file (ocserv.conf):
output-buffer = 23000
try-mtu-discovery = true

# server sysctls:
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_mtu_probing = 1

For IPv6 it is enough to enable forwarding: net.ipv6.conf.all.forwarding = 1
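An added example, not from ocserv or the original notes: an idempotent version of the forwarding/NAT step above. It validates the VPN client subnet and the uplink interface, prints the rule set as a dry run, and on "apply" installs each rule only if it is not already present (iptables -C before -A), so re-running after a reboot or an edit never appends duplicates. It goes beyond the notes by adding two FORWARD rules, so the setup also works when the FORWARD chain's default policy is DROP. VPN_NET=192.168.1.0/24 and WAN_IF=eth0 are assumed, as in the notes.

```sh
#!/bin/sh
# Added example (not from ocserv or the original notes): idempotent NAT/forwarding
# setup for the VPN client subnet. Dry run by default; "./vpn-nat.sh apply" installs.
# Assumed values: VPN_NET=192.168.1.0/24 and WAN_IF=eth0, as in the notes.

VPN_NET="${VPN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# valid_cidr a.b.c.d/n: succeed only for a well-formed IPv4 prefix (octets <= 255, n <= 32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"
    len="${1#*/}"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -f                # no globbing while the address is split on dots
    set -- $ip
    set +f
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# valid_ifname name: Linux interface names are 1-15 chars without slash, space or colon.
valid_ifname() {
    case "$1" in ''|*/*|*' '*|*:*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# vpn_rules net wan: print one rule per line as "TABLE CHAIN args...".
# The two extra FORWARD rules (beyond the notes) keep traffic flowing under a DROP policy.
vpn_rules() {
    net="$1"; wan="$2"
    printf '%s\n' \
        "nat POSTROUTING -s $net -o $wan -j MASQUERADE" \
        "filter FORWARD -s $net -o $wan -j ACCEPT" \
        "filter FORWARD -d $net -i $wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# as_commands: turn "TABLE CHAIN args" lines on stdin into iptables command lines (dry run).
as_commands() {
    awk '{ printf "iptables -t %s -A %s", $1, $2; for (i = 3; i <= NF; i++) printf " %s", $i; print "" }'
}

# ensure_rule table chain args...: append the rule unless an identical one already exists.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

# apply_rules net wan: install every rule from vpn_rules (needs root).
apply_rules() {
    vpn_rules "$1" "$2" | while IFS= read -r line; do
        set -- $line          # word splitting into table, chain, args is intended
        ensure_rule "$@"
    done
}

valid_cidr "$VPN_NET" || { echo "bad VPN_NET: $VPN_NET" >&2; exit 1; }
valid_ifname "$WAN_IF" || { echo "bad WAN_IF: $WAN_IF" >&2; exit 1; }

if [ "${1:-}" = "apply" ]; then
    apply_rules "$VPN_NET" "$WAN_IF"
else
    vpn_rules "$VPN_NET" "$WAN_IF" | as_commands
fi
```

The dry run prints exactly the commands "apply" would run, which is the form to paste into a firewall script; ip_forward and the MSS clamp still have to be set as described above, and a persistent save (iptables-save or the distribution's equivalent) is a separate step.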


occtl
Reload the configuration: occtl reload

Force-terminating a remote Linux session.

root@GF-CN-GZ-deb01:~# who
root     pts/1        2018-03-08 07:48 (127.0.0.1)
root     pts/2        2018-03-08 08:26 (127.0.0.1)
root     pts/3        2018-03-08 08:38 (127.0.0.1)
root     pts/4        2018-03-08 08:38 (127.0.0.1)
root@GF-CN-GZ-deb01:~# ps -ft pts/1
UID        PID  PPID  C STIME TTY          TIME CMD
root     24811 24803  0 07:48 pts/1    00:00:00 -bash
root     24880 24811  0 07:51 pts/1    00:00:00 vi submit.php
root@GF-CN-GZ-deb01:~# kill -9 24811

Another method:

root@GF-CN-GZ-deb01:~# who -la
           system boot  2018-03-07 07:28
           run-level 5  2018-03-07 07:28
LOGIN      ttyS0        2018-03-07 07:28               426 id=tyS0
LOGIN      tty1         2018-03-07 07:28               423 id=tty1
           pts/0        2018-03-08 09:28             25753 id=ts/0  term=0 exit=0
           pts/1        2018-03-08 09:32             24811 id=ts/1  term=0 exit=0
           pts/2        2018-03-08 09:32             24970 id=ts/2  term=0 exit=0
root     - pts/3        2018-03-08 08:38   .         24991 (127.0.0.1)
           pts/4        2018-03-08 09:32             25013 id=ts/4  term=0 exit=0
root@GF-CN-GZ-deb01:~# pkill -9 -t pts/3

curl

# curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" URL
# curl -u user:pass URL

More options:

-c, --cookie-jar: write cookies to a file
-b, --cookie: read cookies from a file (or a name=value string)
-C, --continue-at: resume a transfer at the given offset
-d, --data: send data with an HTTP POST
-D, --dump-header: write the response headers to a file
-F, --form: submit data as an HTTP multipart form
-s, --silent: reduce output
-o, --output: write output to a file
-O, --remote-name: save the file locally under its name on the server
-I, --head: fetch only the headers
-u, --user [user:pass]: set the HTTP authentication user and password
-T, --upload-file: upload a file
-e, --referer: set the Referer header
-x, --proxy: set the proxy server address and port
-w, --write-out: print information in the given format after the transfer
--retry: number of retries
--connect-timeout: maximum time in seconds to wait for the connection

systemctl

# list enabled unit files
# systemctl list-unit-files | grep enabled

# enable a service
# systemctl enable ssh

# disable a service
# systemctl disable ssh

# service status
# systemctl status ssh

Find accounts with an empty password field in /etc/shadow (such accounts can log in without a password wherever PAM allows nullok): cat /etc/shadow|awk -F: '($2==""){print $1}'
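An added example, not from the original notes: the same check as the one-liner above, extended into a small shadow(5) audit that also tells empty fields apart from locked accounts, and adds a companion check for /etc/passwd entries whose password field is not "x" (those bypass shadow entirely). The sample shadow and passwd lines are constructed with fake hashes; on a real host the functions read the actual files on stdin, which needs root for /etc/shadow.

```sh
#!/bin/sh
# Added example (not from the original notes): classify shadow(5) entries as
# EMPTY (no password at all), LOCKED ("!" prefix or "*", no password login possible)
# or HASHED, and flag passwd(5) entries that are not shadowed.

# Constructed sample in shadow(5) format (fake hashes, not real accounts).
SAMPLE_SHADOW='root:$6$saltsalt$fakehashfakehashfakehash:17597:0:99999:7:::
daemon:*:17597:0:99999:7:::
backup:!:17597:0:99999:7:::
guest::17597:0:99999:7:::
deploy:!!:17597:0:99999:7:::
svc:$y$j9T$fakehash:17597:0:99999:7:::'

# Constructed sample in passwd(5) format; "legacy" keeps an (empty) password in passwd itself.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
legacy::1001:1001::/home/legacy:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# classify_shadow: print "user STATUS" for each shadow line on stdin.
classify_shadow() {
    awk -F: '
        NF < 2       { next }
        $2 == ""     { print $1, "EMPTY";  next }
        $2 ~ /^[!*]/ { print $1, "LOCKED"; next }
                     { print $1, "HASHED" }
    '
}

# empty_password_users: only the usernames with an empty password field
# (the dangerous case the one-liner in the notes looks for).
empty_password_users() {
    classify_shadow | awk '$2 == "EMPTY" { print $1 }'
}

# unshadowed_passwd_users: passwd entries whose password field is not "x".
# For those the world-readable passwd field is authoritative, so an empty
# field there is an empty password even if /etc/shadow looks fine.
unshadowed_passwd_users() {
    awk -F: 'NF >= 2 && $2 != "x" { print $1 }'
}

# Stand-alone run on the samples. On a real host: empty_password_users < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_passwd_users
```

On the samples, guest is the only EMPTY account and legacy is the only unshadowed one; daemon, backup and deploy show up as LOCKED rather than as findings, which is the distinction the plain `$2==""` test already makes but that a quick eyeball of the file often misses.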


Make PAM remember a user's last X passwords (so they cannot be reused)

# Set remember=X on pam_unix.so in the password stack; minlen=X on the same line sets a minimum password length
# Debian family: /etc/pam.d/common-password; Red Hat family: the password lines of /etc/pam.d/system-auth

fail2ban

# remove a banned IP
# fail2ban-client set JAIL unbanip IPADDRESS
# dump the parsed configuration to check that it loads cleanly
# fail2ban-client -d
# test whether the filter's regex matches the log
# fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-forbidden.conf

A failregex that matches "forbidden" entries in error.log (fail2ban's date pattern consumes the leading timestamp, which is why the expression starts with a space):
^ \[error\] \d+#\d+: \*\d+ directory .* is forbidden, client: <HOST>
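An added example, not part of fail2ban or the original notes: the failregex above replayed over a few constructed nginx error.log lines, the way fail2ban-regex would, then reduced to the client IPs that tripped it at least maxretry times. Two simplifications compared with fail2ban: <HOST> is narrowed to an IPv4 literal (fail2ban's <HOST> also accepts hostnames and IPv6), and the timestamp that fail2ban's date pattern consumes is matched explicitly here.

```sh
#!/bin/sh
# Added example (not from fail2ban or the original notes): run the nginx
# "forbidden" failregex over sample error.log lines and count hits per client.

# Constructed sample lines in nginx error.log format (documentation addresses, not real clients).
SAMPLE_LOG='2018/04/19 17:18:58 [error] 2438#2438: *22 client intended to send too large body: 2687556 bytes, client: 192.0.2.10, server: example.com, request: "POST /action/upload", host: "example.com"
2018/04/19 17:20:01 [error] 2438#2438: *23 directory index of "/var/www/html/usr/uploads/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /usr/uploads/ HTTP/1.1", host: "example.com"
2018/04/19 17:20:02 [error] 2438#2438: *24 directory index of "/var/www/html/usr/themes/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /usr/themes/ HTTP/1.1", host: "example.com"
2018/04/19 17:20:03 [error] 2438#2438: *25 directory index of "/var/www/html/admin/" is forbidden, client: 198.51.100.7, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2018/04/19 17:20:05 [error] 2438#2438: *26 directory index of "/var/www/html/var/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /var/ HTTP/1.1", host: "example.com"'

# forbidden_hosts: read error.log lines on stdin and print the client IP of every line
# matching the failregex, in log order. Lines that do not match (like the
# "too large body" one) produce nothing.
forbidden_hosts() {
    sed -nE 's|^[0-9]{4}/[0-9]{2}/[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} \[error\] [0-9]+#[0-9]+: \*[0-9]+ directory .* is forbidden, client: ([0-9]{1,3}(\.[0-9]{1,3}){3}),.*|\1|p'
}

# banned_hosts MAXRETRY: IPs that matched MAXRETRY or more times, one per line (sorted).
banned_hosts() {
    forbidden_hosts | sort | uniq -c | awk -v n="$1" '$1 >= n { print $2 }'
}

# With maxretry 3 only 203.0.113.5 (3 hits) is reported; 198.51.100.7 has a single hit.
printf '%s\n' "$SAMPLE_LOG" | banned_hosts 3
```

Feeding the real file works the same way (banned_hosts 3 < /var/log/nginx/error.log), which is a quick way to see who a new filter would ban before enabling the jail; fail2ban additionally applies the findtime window, which this replay ignores.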


Drop packets whose payload contains a given string (Boyer-Moore search). This inspects only the plaintext of each packet, so it does nothing for TLS traffic and is easily evaded by splitting the string across packets or encoding it; treat it as a stopgap, not a control:
iptables -A INPUT -m string --algo bm --string "something" -j DROP
iptables -A FORWARD -m string --algo bm --string "something" -j DROP
iptables -A OUTPUT -m string --algo bm --string "something" -j DROP
nohup ./some.sh > out.file 2>&1 &!
# &! is zsh-only (background and disown in one step); without the ! the job stays attached to the shell and the SSH session cannot be exited. In bash, follow "nohup ./some.sh > out.file 2>&1 &" with disown.

nginx:
Uploading a fairly large attachment in Typecho kept failing; the log showed

2018/04/19 17:18:58 [error] 2438#2438: *22 client intended to send too large body: 2687556 bytes, client: 0.0.0.0, server: example.com, request: "POST something", host: "example.com", referrer: "http://example.com/"

Found the fix on stackoverflow: nginx - client_max_body_size has no effect

The trick is to put "client_max_body_size 200M;" in at least two places http {} and server {}:

Raise nginx's client_max_body_size; PHP's post_max_size and upload_max_filesize will probably need raising as well.

Update php.ini (Find right ini file from phpinfo();) and increase post_max_size and upload_max_filesize to size you want:

post_max_size = 200M
upload_max_filesize = 200M



nginx:
Official packages are available, and USTC in China mirrors them.
Partial configuration:

location / {
    index  index.php;
    # Typecho front controller: anything that is not an existing file or directory is routed to index.php
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }
}
location ~ [^/]\.php(/|$) {
    fastcgi_pass   unix:/run/php/php7.2-fpm.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /typecho_folder$fastcgi_script_name;
    include        fastcgi_params;
    # split /path/script.php/extra into $fastcgi_script_name and $fastcgi_path_info
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Enabling this returns 404 when the .php file does not exist, so a request such as
    # /uploads/x.jpg/foo.php never reaches PHP; cgi.fix_pathinfo=0 (PHP section below) closes the same hole on the PHP side
    #try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}

PHP:
Use Sury's packages.
Stop PHP-FPM from executing non-PHP files via PATH_INFO (with fix_pathinfo enabled, a request for /uploads/image.jpg/x.php would run the uploaded image.jpg as PHP): sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.2/fpm/php.ini

MariaDB:
Official packages are available; USTC in China mirrors them as well.