update user set plugin="mysql_native_password";

While idly browsing I came across an IP address management tool, phpIPAM. As the name suggests, it is built on PHP. PHP is the best language in the world @#$%^&!
First, the official requirements:

1.) Requirements

Before you start installing phpipam, please make sure you meet following requirements:

- Apache2 webserver with php support or Nginx with php-fpm
- Mysql server (5.1+)
- PHP: version 5.3 supported to phpipam version 1.3.1; version 5.4 – version 7.2 and higher supported from phpipam release 1.3.2
- PHP modules:
  - pdo, pdo_mysql: Adds support for mysql connections
  - session: Adds persistent session support
  - sockets: Adds sockets support
  - openssl: Adds openSSL support
  - gmp: Adds support for dev-libs/gmp (GNU MP library) -> to calculate IPv6 networks
  - ldap: Adds LDAP support (Lightweight Directory Access Protocol – for AD also)
  - crypt: Add support for password encryption
  - SimpleXML: Support for SimpleXML (optional, for RIPE queries and if required for API)
  - json: Enable JSON support
  - gettext: Enables translation
  - filter: Adds filtering support
  - pcntl: Add support for process creation functions (optional, required for scanning)
  - cli: Enable CLI (optional, required for scanning and status checks)
  - mbstring: Enable mbstring support
  - php PEAR support

Usually most php modules are all built into default php installation. If some required modules are missing phpipam will fail with warning and notify you about them.

You can check which php modules are enabled by issuing php -m in command line.

Clone directly from GitHub:
git clone https://github.com/phpipam/phpipam.git /wwwroot/ipam
Switch to the 1.3 branch:
git checkout -b 1.3 origin/1.3

Configure nginx and PHP 7.2
The official docs give a reference nginx configuration:

1.) phpIPAM version 1.3.2 and higher

If you are using phpIPAM version 1.3.2 or higher please use below snippet to configure your nginx server. We assume phpipam will be on separate subfolder on webserver, e.g. http://hostname/phpipam/, if not adjust settings accordingly.

server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ /phpipam/index.php;
        index index.php;
    }
    # phpipam - api
    location /phpipam/api/ {
        try_files $uri $uri/ /phpipam/api/index.php;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        # the fallback must be written "=404" (no space), otherwise nginx treats "=" and "404" as files
        try_files      $uri $uri/ index.php =404;
        include        fastcgi_params;
    }
}

2.) phpIPAM up to version 1.3.1

For older phpIPAM versions please use below snippet. Again we assume phpipam will be on separate subfolder on webserver.

server {
    # root directory
    root   /var/www/;

    # phpipam
    location /phpipam/ {
        try_files $uri $uri/ =404;
        index index.php;

        error_page 500 /app/error/index.php;
        error_page 404 /app/error/index.php;
        error_page 403 /app/error/index.php;

        rewrite ^/phpipam/login/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/logout/dashboard/?$ /phpipam/dashboard/ redirect;
        rewrite ^/phpipam/tools/search/(.*)/(.*)/(.*)/(.*)/([^/]+)$ /phpipam/index.php?page=tools&section=search&addresses=$1&subnets=$2&vlans=$3&vrf=$4&ip=$5 last;
        rewrite ^/phpipam/tools/search/(.*) /phpipam/index.php?page=tools&section=search&ip=$1 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5&tab=$6 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5 last;
        rewrite ^/phpipam/(.*)/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3&sPage=$4 last;
        rewrite ^/phpipam/(.*)/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2&subnetId=$3 last;
        rewrite ^/phpipam/(.*)/([^/]+)/? /phpipam/index.php?page=$1&section=$2 last;
        rewrite ^/phpipam/([^/]+)/? /phpipam/index.php?page=$1 last;
    }
    # phpipam - api
    location /phpipam/api {
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4&id3=$5 last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3&id2=$4 last;
        rewrite ^/phpipam/api/(.*)/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2&id=$3 last;
        rewrite ^/phpipam/api/(.*)/(.*) /phpipam/api/index.php?app_id=$1&controller=$2 last;
        rewrite ^/phpipam/api/(.*) /phpipam/api/index.php?app_id=$1 last;
    }
    location /phpipam/css {
        try_files $uri $uri/ =404;
    }
    location /phpipam/js {
        try_files $uri $uri/ =404;
    }

    # php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm.socket;
        fastcgi_index  index.php;
        # the fallback must be written "=404" (no space), otherwise nginx treats "=" and "404" as files
        try_files      $uri $uri/ index.php =404;
        include        fastcgi_params;
    }
}

Install the PHP extensions:
aptitude install php7.2-gd php-pear php7.2-pdo-mysql php7.2-mbstring php7.2-json php7.2-xml php7.2-gmp
If you need LDAP, also install php7.2-ldap.

Manual installation:
Copy the sample config.php

3.) Initial configuration

Before you start installing database files, you need to enter database details, that you will use for phpipam connecting to database. First copy config.dist.php to config.php and enter required details. For automatic installation phpipam will configure database with settings you enter in config.php file, for manual installation you will have to do it yourself.

$db['host'] = "localhost";
$db['user'] = "phpipam";
$db['pass'] = "phpipamadmin";
$db['name'] = "phpipam";

Also, if you extracted phpipam directory in any other directory than web server root folder, you need to set that as well (BASE directive) in config.php:

define('BASE', "/");

For example, if you will have phpipam installed in http://myserver/phpipam/ directory then set BASE as /phpipam/.

Import the database

You can manually import sql SCHEMA file via mysql's cli, but first you need to create database and grant user permission (replace user/pass with one you set in config.php):

# mysql -u root -p
Enter password:
mysql> create database phpipam;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL on phpipam.* to phpipam@localhost identified by 'phpipamadmin';
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye

Once this is in place, you can import SCHEMA.sql file with following command:
mysql -u root -p phpipam < db/SCHEMA.sql

OpenConnect VPN Server official site: http://www.infradead.org/ocserv/
Official install guide: https://github.com/openconnect/recipes
It is now in the Debian packages, so you can install it with apt install ocserv instead of compiling it yourself.
Because it is an SSL VPN, you need an SSL certificate (a self-signed one works, but Cisco AnyConnect will show a security warning):
openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 365 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Verify the certificate:
openssl x509 -in cacert.pem -text -noout
CSR method:
openssl req -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.req -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Verify the CSR:
openssl req -in ssl.req -text -noout
Generate the DH parameters file:
openssl dhparam -out dh.pem 1024
Enable IPv4 forwarding: net.ipv4.ip_forward = 1
Use iptables for NAT:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip link set txqueuelen 10000 dev eth0
# ocserv config file:
output-buffer = 23000 
try-mtu-discovery = true 

# Server (sysctl):
net.core.rmem_max = 67108864 
net.core.wmem_max = 67108864 
net.ipv4.tcp_rmem = 4096 87380 33554432 
net.ipv4.tcp_wmem = 4096 65536 33554432 
net.core.netdev_max_backlog = 30000 
net.ipv4.tcp_mtu_probing=1 

For IPv6 support, only forwarding needs to be enabled: net.ipv6.conf.all.forwarding = 1


occtl
Reload the configuration: occtl reload

Forcibly terminate a Linux remote session.

root@GF-CN-GZ-deb01:~# who
root     pts/1        2018-03-08 07:48 (127.0.0.1)
root     pts/2        2018-03-08 08:26 (127.0.0.1)
root     pts/3        2018-03-08 08:38 (127.0.0.1)
root     pts/4        2018-03-08 08:38 (127.0.0.1)
root@GF-CN-GZ-deb01:~# ps -ft pts/1
UID        PID  PPID  C STIME TTY          TIME CMD
root     24811 24803  0 07:48 pts/1    00:00:00 -bash
root     24880 24811  0 07:51 pts/1    00:00:00 vi submit.php
root@GF-CN-GZ-deb01:~# kill -9 24811

Another method

root@GF-CN-GZ-deb01:~# who -la
           system boot  2018-03-07 07:28
           run-level 5  2018-03-07 07:28
LOGIN      ttyS0        2018-03-07 07:28               426 id=tyS0
LOGIN      tty1         2018-03-07 07:28               423 id=tty1
           pts/0        2018-03-08 09:28             25753 id=ts/0  term=0 exit=0
           pts/1        2018-03-08 09:32             24811 id=ts/1  term=0 exit=0
           pts/2        2018-03-08 09:32             24970 id=ts/2  term=0 exit=0
root     - pts/3        2018-03-08 08:38   .         24991 (127.0.0.1)
           pts/4        2018-03-08 09:32             25013 id=ts/4  term=0 exit=0
root@GF-CN-GZ-deb01:~# pkill -9 -t pts/3

curl

# curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" URL
# curl -u user:pass URL

More options

-c,--cookie-jar: write cookies to a file
-b,--cookie: read cookies from a file
-C,--continue-at: resume a transfer
-d,--data: send data with HTTP POST
-D,--dump-header: write header information to a file
-F,--form: simulate an HTTP form submission
-s,--silent: reduce output
-o,--output: write output to a file
-O,--remote-name: save locally using the file name from the server
-I,--head: return only header information
-u,--user[user:pass]: set HTTP authentication user and password
-T,--upload-file: upload a file
-e,--referer: set the referer address
-x,--proxy: set proxy server address and port
-w,--write-out: output content in the specified format
--retry: number of retries
--connect-timeout: maximum time to spend trying to connect, in seconds

systemctl

# list enabled services
# systemctl list-unit-files|grep enabled

# enable a service
# systemctl enable ssh

# disable a service
# systemctl disable ssh

# service status
# systemctl status ssh

Find users with an empty password:
cat /etc/shadow|awk -F: '($2==""){print $1}'


Make PAM remember a user's last X passwords

# Set the remember=X option on pam_unix.so; the minimum password length can also be set with minlen=X
# Debian family: edit /etc/pam.d/common-auth; Red Hat family: edit /etc/pam.d/system-auth

fail2ban

# remove a banned IP
# fail2ban-client set JAIL unbanip IPADDRESS
# check that the configuration files are valid
# fail2ban-client -d
# test whether a filter's regular expression matches the log
# fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-forbidden.conf

A regex that matches "forbidden" records in error.log:
^ \[error\] \d+#\d+: \*\d+ directory .* is forbidden, client: <HOST>
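To see what fail2ban-regex would report for the filter above before enabling the jail, here is an added example (not code from the page or from fail2ban) that applies the regex to constructed nginx error.log lines the way fail2ban does: the timestamp is stripped first, and <HOST> is expanded to fail2ban's host pattern. The maxretry threshold in ban_candidates is an assumption for illustration.

```python
import re
from collections import Counter

# Pattern fail2ban substitutes for the <HOST> tag (same as in its filter code).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# nginx error-log date prefix; fail2ban strips it before applying failregex,
# which is why the page's regex begins with "^ " (a leading space remains).
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

FAILREGEX = r"^ \[error\] \d+#\d+: \*\d+ directory .* is forbidden, client: <HOST>"

# Constructed sample lines in nginx error.log format; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real clients.
SAMPLE_LOG = [
    '2018/04/19 17:20:01 [error] 2438#2438: *23 directory index of "/var/www/up/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /up/ HTTP/1.1", host: "example.com"',
    '2018/04/19 17:18:58 [error] 2438#2438: *22 client intended to send too large body: 2687556 bytes, client: 203.0.113.5, server: example.com, request: "POST /upload HTTP/1.1", host: "example.com"',
    '2018/04/19 17:20:07 [error] 2438#2438: *24 directory index of "/var/www/up/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /up/ HTTP/1.1", host: "example.com"',
    '2018/04/19 17:21:30 [error] 2438#2438: *25 directory index of "/var/www/js/" is forbidden, client: 198.51.100.7, server: example.com, request: "GET /js/ HTTP/1.1", host: "example.com"',
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(lines, failregex: str = FAILREGEX):
    """Return the client host of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        date = DATE_RE.match(line)
        if not date:
            continue                      # not an nginx error-log line
        rest = line[date.end():]          # what fail2ban hands to failregex
        hit = pattern.search(rest)
        if hit:
            hosts.append(hit.group("host"))
    return hosts


def ban_candidates(lines, maxretry: int = 3, failregex: str = FAILREGEX):
    """Hosts with at least maxretry matches (as if findtime covered the whole input)."""
    counts = Counter(matched_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(matched_hosts(SAMPLE_LOG))      # ['203.0.113.5', '203.0.113.5', '198.51.100.7']
    print(ban_candidates(SAMPLE_LOG, 2))  # ['203.0.113.5']
```

The "too large body" line from the nginx section of this page is deliberately included to show that the filter only fires on the "directory ... is forbidden" message.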


iptables -A INPUT -m string --algo bm --string "something" -j DROP
iptables -A FORWARD -m string --algo bm --string "something" -j DROP
iptables -A OUTPUT -m string --algo bm --string "something" -j DROP
nohup ./some.sh > out.file 2>&1 &!
# &! is zsh-specific; without the ! you cannot exit the SSH session

nginx:
Uploading a fairly large attachment in typecho kept failing; checking the log:

2018/04/19 17:18:58 [error] 2438#2438: *22 client intended to send too large body: 2687556 bytes, client: 0.0.0.0, server: example.com, request: "POST something", host: "example.com", referrer: "http://example.com/"

Found the fix on Stack Overflow: nginx - client_max_body_size has no effect

The trick is to put "client_max_body_size 200M;" in at least two places http {} and server {}:

Increase nginx's client_max_body_size; you may also need to increase PHP's post_max_size and upload_max_filesize.

Update php.ini (Find right ini file from phpinfo();) and increase post_max_size and upload_max_filesize to size you want:

post_max_size = 200M
upload_max_filesize = 200M

If you can see this article, your blog has been installed successfully.


nginx:
Official packages are provided; USTC has a mirror in China.
Partial configuration:

location / {
    index  index.php;
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }
}
location ~ [^/]\.php(/|$) {
    fastcgi_pass   unix:/run/php/php7.2-fpm.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /typecho_folder$fastcgi_script_name;
    include        fastcgi_params;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    #try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}

PHP:
Use Sury's packages.
Guard against cross-directory (path-info) attacks by disabling cgi.fix_pathinfo:
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php/7.2/fpm/php.ini

MariaDB:
Official packages are provided; USTC also has a mirror in China.