Red Hat Enterprise Linux 5: "Starting httpd: [FAILED]" (httpd: httpd startup failed)

I ran into this problem in a virtual machine. I tried many methods and still could not start httpd; eventually I noticed that the directory /etc/httpd/conf/ contains a file called httpd.conf and, in the same directory, another file called httpd.conf.bak. Copying the contents of httpd.conf.bak over httpd.conf (overwriting the original content) makes the service start: running service httpd start in the shell prints "Starting httpd: [ OK ]", and service httpd status shows that httpd is running. What a relief. This is only a beginner's problem, but I am writing it down anyway in case another newcomer hits it.

Later I troubleshot the cause in more detail, and the result was unexpected. I had originally configured the server with the [System] - [Management] - [Server] - [HTTP] tool and saved from there. The file that tool writes differs from the initial settings in quite a lot of places. Modifying /etc/httpd/conf/httpd.conf as follows solves the problem:

1. Comment out the ServerName line (put a # at the start of the line).
2. Write the ServerAdmin line out completely, for example: ServerAdmin admin@example.com
3. Give LockFile a correct path, or simply comment it out (start the line with #).
4. The LoadModule ... LoadModule ... lines (there are many of them) are truncated. These lines are wrong, which should be a bug in the HTTP configuration tool itself. Replace them with the lines from the original file, i.e. the corresponding content of /etc/httpd/conf/httpd.conf.bak:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so

After that you should be able to start the httpd service; use the shell command service httpd start. Note that these changes cover only a small part of the file: many options still differ from the initial httpd.conf, so look carefully at the related functionality and change what you need.

Linxu Security, the latest breaking news and information on security, linux, open source, firewalls
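The fault described above is a set of LoadModule lines that were cut short by the configuration tool. The following is an added example, not code from the original post: a small shell check that reads an httpd.conf, skips comment lines, and reports every LoadModule directive that does not have exactly a module name and a path, or whose .so file is not present under the server root. The sample configuration it builds in a temporary directory, and the module files it touches there, are constructed for the example; on a real host you would run check_loadmodules against /etc/httpd/conf/httpd.conf with /etc/httpd as the server root before trying service httpd start.

```shell
#!/bin/sh
# Added example, not part of the original post: check the LoadModule lines
# of an httpd.conf before running "service httpd start". The sample config
# and the module file names it references are constructed for this example.

# check_loadmodules CONF SERVERROOT
# Prints one line per defective LoadModule directive: a line that is not
# exactly "LoadModule <name> <path>" (the truncated lines described above),
# or whose module file does not exist under SERVERROOT.
check_loadmodules() {
    conf=$1
    serverroot=$2
    grep -v '^[[:space:]]*#' "$conf" | awk '$1 == "LoadModule"' |
    while read -r directive modname modpath extra; do
        if [ -z "$modname" ] || [ -z "$modpath" ] || [ -n "$extra" ]; then
            echo "malformed: $directive $modname $modpath $extra"
        elif [ ! -f "$serverroot/$modpath" ]; then
            echo "missing module file: $modpath (for $modname)"
        fi
    done
}

# httpd_conf_ok CONF SERVERROOT -> exit status 0 when no problems were found
httpd_conf_ok() {
    [ -z "$(check_loadmodules "$1" "$2")" ]
}

# make_sample_httpd -> path of a temporary ServerRoot holding a constructed
# conf/httpd.conf with two good, one commented-out, one missing-file and one
# truncated LoadModule line (the last two are the defects the check reports)
make_sample_httpd() {
    dir=$(mktemp -d)
    mkdir -p "$dir/modules" "$dir/conf"
    touch "$dir/modules/mod_alias.so" "$dir/modules/mod_dir.so"
    cat > "$dir/conf/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule alias_module modules/mod_alias.so
LoadModule dir_module modules/mod_dir.so
#LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule auth_basic_module
EOF
    echo "$dir"
}

# Usage on a real system:
#   check_loadmodules /etc/httpd/conf/httpd.conf /etc/httpd
```

The check deliberately stops at "is the directive complete and does the file exist"; whether a module is actually wanted is still a decision for the administrator, which is why the output is a list to read rather than an automatic rewrite of the file.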
Wednesday, February 23, 2011
Simple router backup using the VRRP feature

Sometimes, to guarantee the stability and reliability of our network, we apply for two uplinks and use two routers. When one router fails, the other takes over its work. The principle behind this is described in RFC 2338, the VRRP (Virtual Router Redundancy Protocol); the tool that implements it is keepalived.

Experiment name: simple router backup using the VRRP feature.
Operating system: Red Hat 7.3, kernel linux-2.4.24.
Module used in the experiment: keepalived-1.1.6.tar.gz (if you are not quite clear about VRRP and Keepalived, take a look here).

The network structure is shown in the figure below; V-Gate on the map is the VRRP VIP. The network has two Linux routers:
(1) Master (eth0: 192.168.1.10/24, connected to the external network; eth1: 192.168.3.1/24, connected to the intranet)
(2) Backup (eth0: 192.168.2.10/24, connected to the external network; eth1: 192.168.3.2/24, connected to the intranet)
The intranet addresses are 192.168.3.0/24 and the gateway (V-Gate) is 192.168.3.3/24. Remember that the address 192.168.3.3/24 only comes into effect once Keepalived has been started.

First we install keepalived-1.1.6.tar.gz on the Linux router Master:
(1) download keepalived-1.1.6.tar.gz (http://www.keepalived.org)
(2) unpack it: # tar zxvf keepalived-1.1.6.tar.gz
(3) compile keepalived: # cd keepalived-1.1.6 ; # ./configure --prefix=/usr/local/keepalived ; # make
(4) install keepalived: # make install
(5) configure VRRP on the Linux router Master: # vi /usr/local/keepalived/etc/keepalived/keepalived.conf, which reads as follows:
--------------------------------------------------------------------------------
vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.3
    }
}
--------------------------------------------------------------------------------
Installing keepalived on the Linux router Backup is the same, except that the configuration file /usr/local/keepalived/etc/keepalived/keepalived.conf reads as follows:
--------------------------------------------------------------------------------
vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.3
    }
}
--------------------------------------------------------------------------------
Before starting keepalived on Master, let us first look at eth1 on Master:
--------------------------------------------------------------
# ip addr show eth1
8: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:3a:d7:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth1
    inet6 fe80::2e0:4cff:fe3a:d725/64 scope link
--------------------------------------------------------------
We see only one IP address, 192.168.3.1/24. Now we start keepalived on Master:
# /usr/local/keepalived/sbin/keepalived -D -f /usr/local/keepalived/etc/keepalived/keepalived.conf
and look at eth1 on Master again:
--------------------------------------------------------------
# ip addr show eth1
8: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:3a:d7:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth1
    inet 192.168.3.3/32 scope global eth1
    inet6 fe80::2e0:4cff:fe3a:d725/64 scope link
---------------------------------------------------------------
We now see two IP addresses, one of which is V-Gate: 192.168.3.3/32. Start keepalived on Backup in the same way:
# /usr/local/keepalived/sbin/keepalived -D -f /usr/local/keepalived/etc/keepalived/keepalived.conf
Now, when Master fails, Backup learns of it through the multicast address 224.0.0.18 and takes over the address 192.168.3.3.

To sum up, note the title of this experiment, "simple router backup using VRRP/Keepalived": it is router backup, not routing backup. The purpose of the experiment is to make everyone familiar with the VRRP protocol and with how Keepalived implements it.

GRUB usage notes (2)
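The two vrrp_instance blocks above differ only in state, and both routers use priority 100. In VRRP the router with the higher priority wins the election, and equal priorities are broken by comparing primary IP addresses, so a pair like this still fails over but not necessarily in the direction the operator expects. The following is an added example, not part of the original article: a shell generator for the same vrrp_instance block and a checker that compares a MASTER/BACKUP pair for the mismatches that break failover (different virtual_router_id, different auth_pass, different VIP, a backup priority that is not lower than the master's). The priorities 150/100 it uses in its usage are an assumption for the example; everything else mirrors the configuration shown above.

```shell
#!/bin/sh
# Added example, not from the original article: generate the vrrp_instance
# block shown above for each router and check a MASTER/BACKUP pair for the
# mismatches that break failover. Priorities, auth_pass and VIP values used
# when calling these functions are constructed sample values.

# vrrp_conf STATE PRIORITY INTERFACE VRID AUTH_PASS VIP -> config text
vrrp_conf() {
    cat <<EOF
vrrp_instance VI_1 {
    state $1
    interface $3
    virtual_router_id $4
    priority $2
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass $5
    }
    virtual_ipaddress {
        $6
    }
}
EOF
}

# field NAME CONF -> value of the first "NAME value" line in CONF
field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# vip CONF -> the first address inside the virtual_ipaddress block
vip() {
    printf '%s\n' "$1" | awk 'inblock { print $1; exit } /virtual_ipaddress/ { inblock = 1 }'
}

# vrrp_pair_check MASTER_CONF BACKUP_CONF
# Prints one line per problem; empty output means the pair is consistent.
vrrp_pair_check() {
    m=$1
    b=$2
    [ "$(field state "$m")" = MASTER ] || echo "first config is not state MASTER"
    [ "$(field state "$b")" = BACKUP ] || echo "second config is not state BACKUP"
    [ "$(field virtual_router_id "$m")" = "$(field virtual_router_id "$b")" ] ||
        echo "virtual_router_id differs: the routers will ignore each other's advertisements"
    [ "$(field auth_pass "$m")" = "$(field auth_pass "$b")" ] ||
        echo "auth_pass differs: advertisements will be rejected"
    [ "$(vip "$m")" = "$(vip "$b")" ] ||
        echo "virtual_ipaddress differs: the backup would take over the wrong address"
    pm=$(field priority "$m")
    pb=$(field priority "$b")
    [ "$pm" -gt "$pb" ] ||
        echo "MASTER priority $pm is not higher than BACKUP priority $pb: election falls back to the higher IP address"
    [ "$pm" -le 254 ] && [ "$pb" -le 254 ] ||
        echo "priority above 254: 255 is reserved for the address owner"
}

# vrrp_pair_ok MASTER_CONF_TEXT BACKUP_CONF_TEXT -> exit status 0 when consistent
vrrp_pair_ok() {
    [ -z "$(vrrp_pair_check "$1" "$2")" ]
}

# Usage (constructed values): write the two files and compare them.
#   vrrp_conf MASTER 150 eth1 51 1111 192.168.3.3 > master.conf
#   vrrp_conf BACKUP 100 eth1 51 1111 192.168.3.3 > backup.conf
#   vrrp_pair_check "$(cat master.conf)" "$(cat backup.conf)"
```

Keep auth_pass out of version control and world-readable locations: it is sent in clear text in every advertisement, and anyone on the eth1 segment who knows it can inject advertisements with a higher priority.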
Note: with some file systems and file-system configurations you may need a Stage 1.5 file, which connects the Stage 1 boot loader with the Stage 2 boot loader. For example, if the Stage 2 boot loader file is on a partition whose file system the Stage 1 boot loader cannot read, you can have the Stage 1 boot loader load additional instructions from the Stage 1.5 file in order to read the Stage 2 boot loader file. For more information, refer to GRUB's info page.

The boot method described above is called direct loading, because the instructions load the operating system directly, with no intermediate code between the boot loader and the operating system's main files (such as the kernel). However, the boot process used by different operating systems can differ in subtle ways. For example, Microsoft DOS and Windows tend to overwrite the master boot record completely at installation time instead of merging with its current configuration, which destroys any information that other operating systems, such as Red Hat Linux, stored in the master boot record. Microsoft operating systems, and several other proprietary operating systems, are started with a technique called chain loading: the master boot record simply points to the first sector of the operating system's partition. GRUB supports both direct and chain loading, and can therefore boot almost every operating system, with the most popular file systems, on almost every hard disk the system BIOS recognises.

GRUB features. GRUB has many properties that make it superior to other available boot loaders. Some of the more important ones:

· GRUB provides a true command-line, pre-operating-system (pre-OS) environment on x86 machines. It offers the greatest flexibility in loading operating systems with chosen options or collecting system information. Many non-x86 architectures have used a pre-OS environment for years, giving control over how the system boots from a command line. While LILO and other x86 boot loaders support some command options, GRUB already contains many features in this area.

· GRUB supports logical block addressing (LBA). LBA moves the address translation used to find files on the drive into the drive hardware, and is used on many IDE and all SCSI hard drives. Before LBA, hard drives had a 1024-cylinder limit: the BIOS could not locate files (such as a boot loader or kernel) beyond cylinder 1024. As long as the system BIOS supports LBA mode (most do), LBA lets GRUB boot operating systems beyond the 1024-cylinder limit.

· GRUB's configuration file is read each time the system boots. This saves the user from rewriting the master boot record every time a boot option changes. Most boot loaders cannot read a configuration file and use it to set up boot options. For example, the user must change LILO's configuration file and then run a command to write the new configuration data back into the system's master boot record. This is more dangerous than GRUB's approach, because a misconfigured master boot record leaves the system unable to boot. With GRUB, if the configuration file is misconfigured, it simply drops to a default command line where the user can enter commands by hand to start the operating system. Apart from updating the location of Stage 1, Stage 2 or the menu configuration file, the master boot record is not touched, and that is rare.

Note: when the GRUB configuration file is changed, there is no need to restart GRUB; all changes are detected automatically. If GRUB is restarted, the user is returned to the GRUB shell command line.

Installing GRUB. If GRUB was not installed when Red Hat Linux was installed, the following explains how to install it and make it the default boot loader. Note: if LILO is installed and is the current system boot loader, there is no need to delete it in order to use GRUB; once GRUB is installed, it becomes the system's default boot loader. First, get the latest available GRUB package; the GRUB package on the Red Hat Linux installation CD can also be used. Second, at a shell prompt run the command /sbin/grub-install <location>, where <location> is where GRUB will be installed, for example: /sbin/grub-install /dev/da. Finally, reboot the system; the GRUB graphical boot loader menu appears.

GRUB terminology. Before using GRUB, the most important thing is to understand how the program refers to devices such as the system's hard drives and partitions. This information is essential when configuring GRUB to boot multiple operating systems.

Device names. GRUB calls the system's first hard drive (hd0). The first partition on it is (hd0,0), and the fifth partition on the second hard drive is (hd1,4). In general GRUB uses the following naming for file systems:

(<type-of-device><bios-device-number>,<partition-number>)

The parentheses and the comma are very important. <type-of-device> specifies whether a hard disk (hd) or a floppy disk (fd) is meant. <bios-device-number> is the device number as determined by the system BIOS, starting from 0: the primary IDE hard disk is numbered 0, the second IDE hard disk is numbered 1. This order is roughly equivalent to the order of letters the Linux kernel assigns to devices, with the a in hda becoming 0, the b in hdb becoming 1, and so on. Note: GRUB's device numbering starts from 0, not 1; this is the most common mistake GRUB novices make. <partition-number> is the number of a partition on the hard disk. Partition numbering also starts from 0. Although most partitions are specified by number, if the system uses BSD partitions they are still specified by letter, such as a or c.

GRUB uses the following rules for naming devices and partitions:

· It does not matter whether the system uses IDE or SCSI hard drives: all hard disk names start with hd, and floppy disks start with fd.

· To specify an entire hard drive regardless of its partitions, simply leave out the comma and the partition number. This matters when telling GRUB to configure the master boot record of a particular hard disk. For example, (hd0) specifies the first device and (hd3) the fourth.

· If a system has several drives, it is important to know the order in which the BIOS enumerates them. This is straightforward if the system has only IDE or only SCSI drives, but it becomes confusing when drives of different types are mixed.

File names. When entering a GRUB command that involves a file, as in the menu list used to boot many operating systems, the file name must follow immediately after the device and partition specification. An absolute file name has the form:

(<type-of-device><bios-device-number>,<partition-number>)/path/to/file

Most of the time, users specify files by partition plus the directory path to the file. This approach is straightforward. Files that do not appear in the file system can also be given to GRUB, such as a chain loader in the first few sectors of a partition. To specify such a file you supply a blocklist, which tells GRUB, block by block, where the file lies in the partition. When a file consists of several pieces there is a special way to write the block list: each fragment is described by a block offset and a number of blocks starting from that offset, and the fragments are put together in comma-delimited order. Consider the following block list:

0+50,100+25,200+1

This block list tells GRUB to use a file that starts at the first block of the partition and occupies blocks 0 to 49, blocks 100 to 124, and block 200. Knowing how to write a block list is very useful when using GRUB to load an operating system such as Microsoft Windows that uses chain loading. If you start at block 0 you can omit the block offset. As an example, when chain loading the file in the first partition of the first hard drive you can use the following name:

(hd0,0)+1

The following shows a similar block list name used with the chainloader command, after setting the correct device and partition as root at the GRUB command line:

chainloader +1

GRUB's root file system. Some users are confused by the use of the term root file system (rootfilesystem) in GRUB. Keep in mind that GRUB's root file system has nothing to do with the Linux root file system. GRUB's root file system is the root partition of a particular device; GRUB uses this information to mount the device and load files from it. On Red Hat Linux, once GRUB has loaded the root partition that contains the Linux kernel, the kernel command can be run with the kernel file's location as an option. Once the Linux kernel boots, it sets up its own root file system, which is the one most people associate with Linux. The original GRUB root file system and its mounts are dropped; they only existed to boot the kernel file. For more information on the root and kernel commands, refer to the commands section below.

GRUB usage: a brief description
When more than one operating system is installed, GRUB sometimes goes missing; for example, when I reinstall XP, XP wipes GRUB from the MBR. During a Linux upgrade, GRUB installation may fail or the system may drop to the console. GRUB has many features, but ordinary users mainly need to know ROOT, SETUP, INSTALL, ROOTNOVERIFY, CHAINLOADER, GRUB.CONF, and the STAGE1 and STAGE2 files for the different file systems. There is no need to download GRUB; the installation disk already contains it.

ROOT is used as ROOT (HDX,Y), where X runs from 0 to N and so does Y. The first partition of the first hard drive is (HD0,0), the second partition of the first hard drive is (HD0,1); the first partition of the second hard drive is (HD1,0), the second partition of the second hard drive is (HD1,1); and so on, from which you can work out the usage of ROOT. ROOT is the command by which GRUB recognises the hard drive and its file system format; it tells GRUB where to go next to find GRUB's configuration file, the kernel to start, or the IMG file to start. SETUP and INSTALL install GRUB to a specified location such as the MBR; see the HELP file for details, there is nothing special about them. STAGE1 and STAGE2 exist for the different file systems; you can find them in the GRUB package or in the /USR/SHARE/GRUB directory and copy them into the GRUB directory.

GRUB.CONF format:

default=0
timeout=10
splashimage=(hd1,2)/boot/grub/splash.xpm.gz
title Windows XP
    rootnoverify (hd0,0)
    chainloader +1
title Redhat 9
    root (hd0,1)
    kernel /boot/vmlinuz-2.4.20-8 ro root=LABEL=/
    initrd /boot/initrd-2.4.20-8.img
title Mandrake 9.1
    kernel (hd1,4)/boot/vmlinuz root=/dev/hdb5 quiet devfs=mount acpi=off vga=788
    initrd (hd1,4)/boot/initrd.img

default=X selects the system booted by default: 0 is the first entry, and so on. timeout=X is how long the GRUB menu waits, in seconds. title XXX is the name of the operating system you want to boot, which you can change. rootnoverify (hd0,0) tells GNU GRUB where your Windows C drive is, but not to try to mount it (the 'noverify' option). chainloader +1 tells GNU GRUB not to try to load Windows itself (it cannot), but to hand the boot process over to the C drive, whose first sector contains the original DOS/Windows boot code.

Master advanced: parsing the /etc/profile environment variable configuration
Files related to environment variables also include /etc/bashrc and others, but those hold shell variables that take effect only for a particular shell. /etc/profile is global and applies to all shells. The profile file tells the shell which language you use, which shell, the command search path, and so on. Some standard environment variables:

SHELL: the default shell.
LANG: the default language.
PATH: the default search path for commands on Linux, usually including /bin, /usr/bin, /sbin, /usr/sbin, /usr/X11R6/bin, /usr/local/bin, /opt/bin, etc. Users can add their own directories, such as /home/bin.
MANPATH: the default path to the man manuals.
INPUTRC: the default keyboard mappings, see /etc/inputrc.
BASH_ENV: the bash shell environment file, typically ~/.bashrc.
DISPLAY: used by the X window system; on the console DISPLAY=:0 corresponds to console F7 and DISPLAY=:1 to console F8, while DISPLAY=server:0 sends GUI applications to a remote computer.
COLORTERM: the default GUI terminal, usually gnome-terminal.
USER: automatically set to the current login user name.
LOGNAME: typically set to the same value as USER.
MAIL: set to the user's standard mail directory.
HOSTNAME: set to the output of the /bin/hostname command.
HISTSIZE: the number of commands remembered in the command history.

Example:

# /etc/profile
# Modify or add PATH for a custom command search path. If you do not want to
# put an executable into one of the default directories, you can make that
# change here instead.
export PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/X11R6/bin:/opt/bin:/usr/local/bin"
export MANPATH="/usr/man:/usr/X11R6/man"
export LESSCHARSET="latin1"
export INPUTRC="/etc/inputrc"
export LESS="-R"
# Locale settings (find your locale with 'locale -a')
export LANG='zh_CN'   # change the system default language here
export LC_COLLATE="C"
export COLUMNS LINES
export PS1='[\u@\h \W]\$ '
export PS2='> '
umask 022
... ... ... ...
# End of file

Comments on seven best biyuan Linux applications
Adobe Flash development events:
* FutureSplash Animator (1996-4-10): Flash's predecessor, with simple tools and a timeline;
* Macromedia Flash 1 (1996-11): the first version of Flash after Macromedia renamed FutureSplash Animator;
* Macromedia Flash 2 (1997-6): introduced the concept of the library;
* Macromedia Flash 3 (1998-5-31): movie clips, JavaScript plug-in, transparency and a stand-alone player;
* Macromedia Flash 4 (1999-6-15): variables, text entry boxes, enhanced ActionScript, streaming MP3;
* Macromedia Flash 5 (2000-8-24): JavaScript, smart clips, HTML text formatting;
* Macromedia Flash MX (2002-3-15): Unicode, XML, components, streaming video encoding;
* Macromedia Flash MX 2004 (2003-9-10): text anti-aliasing, ActionScript 2.0, enhanced streaming video, behaviors;
* Macromedia Flash MX 2004 Pro (2003-9-10): all the features of Flash MX 2004 plus web services, ActionScript 2.0 object-oriented programming, and media playback components;
* Macromedia Flash 8 (2005-09-13);
* Macromedia Flash 8 Pro (2005-09-13): enhanced features for mobile device development, easier creation of Flash web content, enhanced network video;
* Adobe Flash 9 (2006): a more powerful programming model, closer to industry standards, and new, ground-breaking performance.

The noteworthy point of the Flash Player 9 release is a new, highly optimised ActionScript Virtual Machine (abbreviated AVM2). AVM2 was built to work together with the next generation ActionScript 3.0 and to satisfy Internet application developers. The new ActionScript virtual machine runs markedly more efficiently, supports full runtime error reporting and industry-standard debugging, and simplifies Flash debugging. At the same time Flash Player 9 also contains AVM1, maintaining compatibility with existing products. In addition, Flash Player 9 supports binary sockets, allowing developers to extend the Player to work with binary protocols, so that Flash Player's reach extends over a wider area;
* Adobe Flash Pro 9 (2006)
* Adobe Flash 10 (2007)

Over the past decade the network has undergone dramatic changes, much of which is owed to Flash: interactive content became not only easy to produce but easy to access. From static web sites to highly interactive media attractions, Flash inspired a new generation of design. Today, rich media is becoming a leading force in design, and Flash will continue to guide the interactive design of the future, not just on the network but also on cell phones, in video and more.

Application of the openssl tool for SSL fault analysis (2)
When s_client is used in the SSL handshake to connect to an SSL server, the most common problem is that the client's authentication of the server fails. There are several reasons for these failures; the common mistakes are listed below, together with how to confirm them with s_client.

● The server certificate was manipulated in transit

1. Extract the server certificate: on the Linux platform, create the script shown in Listing 2 and save it as retrieve-cert.sh.
2. The script outputs the server's X.509 certificate in Base64-encoded form; run the script and redirect its output to the file server.pem.

Listing 2. Extracting the certificate

#!/bin/sh
## usage: retrieve-cert.sh remote.host.name [port]
SSLHOST=$1
SSLPORT=${2:-443}
echo | openssl s_client -connect ${SSLHOST}:${SSLPORT} 2>&1 | \
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

3. Verify the retrieved certificate by running "openssl verify server.pem" on the command line. If the certificate contents were altered, the result looks like Listing 4:

Listing 4. Certificate verification failed

[root@wks547385wss openssl]# openssl verify server.pem
unable to load certificate
19280:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:947:
19280:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
19280:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

Otherwise the certificate passes verification and the result is as follows:

Listing 5. Certificate verification succeeded

[root@wks547385wss openssl]# openssl verify server.pem
server.pem: OK

● The client has not stored the root certificate of the server-side certificate

1. Use the -state parameter to check at which point in the handshake protocol the certificate authentication fails, as in Listing 6.

Listing 6. Displaying the SSL handshake protocol state

[root@wks547385wss openssl]# openssl s_client -connect www6.software.ibm.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

Use iptables to set some security features (2)
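The line that matters in Listing 6 is "verify error:num=19:self signed certificate in certificate chain": the number is OpenSSL's X509 verification error code, and it tells you which of the failure causes above you are looking at. The following is an added example, not code from the original article: shell functions that pull the error number and the chain depth out of a saved "openssl s_client -state" transcript and translate the common codes into the cause and the s_client option that confirms it. The transcript embedded in the block is constructed after Listing 6; the <root.pem> in the explanations is a placeholder for whatever CA file you are testing with.

```shell
#!/bin/sh
# Added example, not from the original article: pick the "verify error:num=N"
# line out of "openssl s_client -state" output and explain what the number
# means. The sample transcript below is constructed after Listing 6.

SAMPLE_STATE_OUTPUT='CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A'

# verify_errnum OUTPUT -> the first verify error number, or "none"
verify_errnum() {
    n=$(printf '%s\n' "$1" | sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    echo "${n:-none}"
}

# verify_depth OUTPUT -> chain depth reported before the first error
# (0 is the server certificate itself, higher numbers are issuers), or "none"
verify_depth() {
    d=$(printf '%s\n' "$1" | sed -n 's/^depth=\([0-9][0-9]*\) .*/\1/p' | head -n 1)
    echo "${d:-none}"
}

# explain_verify_error N -> the usual cause and how to confirm it from the CLI
explain_verify_error() {
    case $1 in
        none) echo "chain verified" ;;
        10) echo "certificate has expired: check the validity period with openssl x509 -noout -dates" ;;
        18) echo "self signed certificate: the server presents its own root; trust it explicitly with -CAfile <root.pem>" ;;
        19) echo "self signed certificate in certificate chain: the root CA is missing from the client store; rerun with -CAfile <root.pem>" ;;
        20) echo "unable to get local issuer certificate: an intermediate is missing from the client store or from the chain the server sends" ;;
        21) echo "unable to verify the first certificate: the server sent no chain; supply the intermediates with -CAfile" ;;
        *) echo "verify error $1: look it up in the openssl verify documentation" ;;
    esac
}

# ssl_diagnose OUTPUT -> one-line diagnosis of an s_client -state transcript
ssl_diagnose() {
    explain_verify_error "$(verify_errnum "$1")"
}

# Usage on a live connection (host is a placeholder):
#   ssl_diagnose "$(echo | openssl s_client -connect host:443 -state 2>&1)"
```

Note that "verify return:0" in the transcript only means the verification callback reported the problem; s_client continues the handshake regardless, so the fact that the session reaches "read finished" says nothing about whether the peer was authenticated.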
Author: kenduest (small). Here are some simple iptables rules I set up, for your reference. (They have nothing to do with NAT.)

# load the relevant modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# reset iptables
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t mangle

# close FORWARD
iptables -P FORWARD DROP

# this lets your own domain connect to the host freely, undefended
iptables -A INPUT -p all -s ip_net/netmask -j ACCEPT

# allow connections to services
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP

The above opens ports 20, 21, 22, 23, 25, 53, 110 and 113 so that those services can be reached from outside. Ports 20 and 21: used by ftp. Port 22: ssh connections. Port 23: telnet connections; convenient, but not safe to open. Port 25: used by sendmail, so that mail can be delivered in. Port 53: used by dns; dns needs udp opened as well. Port 110: used by pop3. Port 113: auth identity confirmation; I open 113 because hosts that cannot look up the identity otherwise hang for a long time. The last line denies all connections initiated from outside, and any that are not legitimate connections. This script only allows outside connections to the specific port services; the remaining ports refuse attempts from outside to establish a connection. For example, if you use a modem to dial up and only want it to work, connections from outside are not needed. (Ps: the modem uses the ppp0 interface, so replace eth0 above with ppp0.)

See how hackers invade the Linux operating system
I found a Web site, so conventional intrusion.
Well, it's FINGER open, so I made up a SHELL, the account number on the zzz aaa (bytheway, I found an Internet law, and that is the account number of the length and password strength proportional, if an account has only two or three digits long, it's usually very simple passwords, or vice versa, and call it if it's theorem), an account number does not exist, I didn't try it account. Because I was it opened port attracted, open WWW, I do not believe it is not an error. One even took five CGI and WWW scanner total swept three common mistakes it almost does not exist. : (There are a few errors, but I don't know how to take advantage of that. And around the host go a few times, like Fox found Hedgehog, not below. Or look at the root of information: finger & nbsproot@xxx.xxx.xxx Loginname: rootInreallife: systemPRIVILEGEDaccount Directory:/Shell:/bin/s LastloginFriJul2809: 21onttyp0from202.xx.xx.xx NoPlan. Root often come, that is he 202.xx.xx.xx workstations, since that will never see something? netview\202.xx.xx.xx Sharedresourcesat\202.xx.xx.xx SharenameTypeComment x x My Briefcase Thecommandwascompletedsuccessfully. In the Internet machine open WINDOWS "file and printer sharing" of services, many people tend to treat lightly, this root is no exception. If it's shared drive c and you can write it well, but that's the dream, now open the shared directory is the root directory, even the D drive. Don't worry, take your time. X off those folders are useless, you cannot write, there are some English original, the root is. "My portfolio" attracted my attention, this is a different machine information for synchronization tool, it is clear the root to the regular update of the home page on the host, sometimes on their own machines, sometimes in host series ... So it is very important point: "my portfolio" share generally is writable! I then go in and see. > Netusei: \202.xx.xx.xx > I: > echoasdf > temp.txt, you sure can write. 
> Deltemp.txt without leaving any traces-hacker habit. > Dir/od/p and see what ... The penultimate row? "X month workplan .doc!" is that it has, since the scheme would not be finished on the losing side, it will open it's again — at least for the next month to write a plan a COPY:-> the hands-on, my goal is to make it the next time you open the error when I run my trap and hidden Trojan. I use a keyboard or transcription software HOOKDUMP, I think it's nice, youneed, also foot ... Sorry, that was used, it should be not only a record of all keystrokes, also a record of what was on or off, press any button, spent what menu ... In short, it's record for you and you stand behind him at his operation more like a computer. You want to ask so many Trojans you why pretend this? whether Chinese glacier, netspy or foreign netbus, BO, are various anti-virus software listed as number one detect objects, and a root machine can not possibly did not install a good antivirus software or HOOKDUMP, small, inconspicuous, but if everyone used but I use it less of a chance ... > copyhookdump. * I: add that upload before you prepare its hookdump.ini file, to run, otherwise hidden root a run screen jump out a window may …. Then in own machine series a BAT file with the same name: X-work plan .BAT > editc: X-work plan .BAT? A HREF = "mailto: @ echo the > @ echo of hookdump attrib-hX, work plan, work programme .doc C:ProgramFilesMicrosoftOfficeWinwordX .doc attrib-htemp.bat deltemp.pi deltemp.bat see? root run the BAT file is to run the Trojan horse, and then call the WINWORD file to open it would like to open this file, and then remove themselves, maybe it's machine where WINWORD, the call will fail, but never mind, it will immediately remove the BAT, he thought it was their mistake. At this point your C drive root directory has a BAT file, which is a square icon, and the WORD file quite different, why run it the root? 
doesn't matter in this document, at right, point properties, in the "program" column of the selected "change icon" not on the list? WORD icon on your machine C:ProgramFilesMicrosoftOffice. Will "run" to "minimize", "close on exit" on the hook, so as to ensure that the signs at run time. In fact this BAT file into two, there is aPIF file is its icon. Put both files uploaded looks: > copyX month workplan .bati: > copyX .pifi, work plan and put it in: files and their files are hidden: > attrib + hX-work plan .doc > attrib + hX .bat, work plan, root "Briefcase", only one and the same original WORD icon, he never dreamed that has become a BAT file. Then you can breath, let us still and wait ... A few days later, I went to the station, take down the recorded keystrokes record, find out the root password, enter the host.

Monday, February 14, 2011
Building and using Linux libraries
4. Creating and using dynamic libraries. Finally we introduce dynamically loaded shared libraries, also called dynamic link libraries.
Their characteristic is that the library is loaded into memory when the running application needs it, rather than when the application starts, as with shared libraries. To this end, we first build the object files as before:

$ gcc -fPIC -c initapi.c
$ gcc -fPIC -c randapi.c
$ gcc -shared initapi.o randapi.o -

What to do when starting Apache gives "Expected but saw"
This problem occurs with a few compiler versions; using another version of the AIX C compiler, or a different C compiler such as gcc, solves it.
Linux sed: a non-interactive text editor
Sed is a non-interactive text editor.
It edits a copy of the text taken from a file or from standard input. Examples:

1. Printing matching lines

[root@mypc /]# sed -n '2p' /etc/passwd
prints line 2.
[root@mypc /]# sed -n '1,3p' /etc/passwd
prints lines 1 to 3.
[root@mypc /]# sed -n '$p' /etc/passwd
prints the last line.
[root@mypc /]# sed -n '/user/'p /etc/passwd
prints the lines containing "user":
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
[root@mypc /]# sed -n '/\$/'p /etc/passwd
prints the lines containing the metacharacter $ (as an address, $ means the last line).

2. Inserting and appending text (adding a new line)

[root@mypc /]# sed -n '/FTP/p' /etc/passwd
prints the line containing FTP:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@mypc /]# sed '/FTP/a\456' /etc/passwd
appends a new line, 456, after the line containing FTP.
[root@mypc /]# sed '/FTP/i\123' /etc/passwd
inserts a new line, 123, before the line containing FTP.
[root@mypc /]# sed '/FTP/i\"123"' /etc/passwd
inserts a new line whose content is "123" before the line containing FTP.
[root@mypc /]# sed '5a\123' /etc/passwd
appends a new line, 123, after line 5.
[root@mypc /]# sed '5i\"12345"' /etc/passwd
inserts a new line, "12345", before line 5.

3. Deleting text

[root@mypc /]# sed '1d' /etc/passwd
deletes line 1.
[root@mypc /]# sed '1,3d' /etc/passwd
deletes lines 1 to 3.
[root@mypc /]# sed '/user/d' /etc/passwd
deletes the lines containing "user".

4. Replacing text

The substitute command s replaces the specified pattern with the replacement pattern. Its format is:
[address[,address]]s/pattern-to-find/replacement-pattern/[gpwn]

[root@mypc /]# sed 's/user/USER/' /etc/passwd
replaces the first "user" on each line with USER; the g flag replaces every occurrence instead.
[root@mypc /]# sed 's/user/USER/g' /etc/passwd
replaces all occurrences of "user" with USER.
[root@mypc /]# sed 's/user/#user/' /etc/passwd
replaces the first "user" with #user, which can be used to comment a line out.
[root@mypc /]# sed 's/user//' /etc/passwd
replaces the first "user" with an empty string.
[root@mypc /]# sed 's/user/&11111111111111/' /etc/passwd
if you want to add to or modify a long string, you can use &: & saves the matched text so it can be recalled and placed inside the replacement string. Here & is placed at the front.
[root@mypc /]# sed 's/user/11111111111111&/' /etc/passwd
here & is placed at the end.

5. Quick one-liners

Below are some one-line command sets (in this list [ ] stands for a space and [TAB] for the tab key):

's/\.$//g'              delete a period at the end of a line
-e '/abcd/d'            delete lines containing abcd
's/[ ][ ]*/[ ]/g'       replace one or more spaces with a single space
's/^[ ][ ]*//g'         remove leading spaces
's/\.[ ][ ]*/[ ]/g'     delete a period followed by two or more spaces and replace them with a single space
'/^$/d'                 delete blank lines
's/^.//g'               remove the first character of a line
's/COL\(...\)//g'       remove COL and the three letters immediately after it
's/^\///g'              remove the leading / of a path
's/[ ]/[TAB]/g'         replace all spaces with tabs
's/^[TAB]//g'           delete leading tabs
's/[TAB]*//g'           remove all tabs

When using sed as a file filter, it is a good idea to break the problem into a few steps, carry them out one at a time, and check the result of each step as you go.

Notes on GRUB configuration
1. A GRUB configuration file

The partition layout the example is based on is as follows:

hda   15G
hda1   8G   /      Red Hat Linux 8.0
hda5   7G   /home
hdc   20G
hdc1   6.4G  WinXP
hdc5   6.4G
hdc6   6.4G
hdc7   6.4G

# fdisk -l

Disk /dev/hdc: 255 heads, 63 sectors, 2434 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1   *         1       894   7181023+   b  Win95 FAT32
/dev/hdc2           895      2434  12370050    f  Win95 Ext'd (LBA)
/dev/hdc5           895      1787   7172991    b  Win95 FAT32
/dev/hdc6          1788      2434   5196996    b  Win95 FAT32

Disk /dev/hda: 255 heads, 63 sectors, 1867 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1      1020   8193118+  83  Linux
/dev/hda2          1021      1802   6281415   83  Linux
/dev/hda3          1803      1867    522112+  82  Linux swap

grub.conf is located at /boot/grub/grub.conf:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hda1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
default=0
timeout=3
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Red Hat Linux (2.4.18-14)
    root (hd0,0)
    kernel /boot/vmlinuz-2.4.18-14 ro root=LABEL=/
    initrd /boot/initrd-2.4.18-14.img
title Microsoft Windows XP
    map (hd0) (hd1)
    map (hd1) (hd0)
    root (hd1,0)
    chainloader (hd1,0)+1
    makeactive
    boot

2. Interpreting grub.conf

Let us now go through the statements of the grub.conf file; the text in (Note: ...) is our explanation.

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hda1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
(Note: lines that begin with the "#" symbol are comments and do nothing.)
default=0
(Note: default controls which operating system is started by default. The number n after default means the (n+1)-th entry: GRUB counts from zero, so the first hard disk is hd0, the first floppy drive is fd0, and so on. Here default 0 means the default operating system is Red Hat Linux (2.4.18-14); changing it to 1 would make it WinXP.)
timeout=3
(Note: timeout is the waiting time before the default is chosen, here 3 seconds. If the user has made no choice after 3 seconds, the system automatically selects the default operating system; of course you can change it to whatever time you like.)
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
(Note: specifies the location of the splash screen file splash.xpm.gz; you can also use splash /boot/logo/800x600x8.img.)
title Red Hat Linux (2.4.18-14)
(Note: the menu entry for Red Hat Linux.)
root (hd0,0)
(Note: the first partition of the first hard disk. This root has nothing to do with root inside the system! Details below.)
kernel /boot/vmlinuz-2.4.18-14 ro root=LABEL=/
(Note: specifies the location of the kernel; detailed below.)
initrd /boot/initrd-2.4.18-14.img
(Note: the initial RAM disk image.)
title Microsoft Windows XP
(Note: the menu entry for Microsoft Windows XP.)
map (hd0) (hd1)
(Note: the map command is explained in detail below.)
map (hd1) (hd0)
root (hd1,0)
(Note: the first partition of the second hard disk.)
chainloader (hd1,0)+1
(Note: the chain loader; it loads a piece of the partition's data and then hands the boot over to it. Details below.)
makeactive
boot

(Note: On Linux, the "root" file system generally refers to the main Linux partition. GRUB, however, has its own definition of the root partition: the GRUB root partition is the partition that holds the Linux kernel. That may or may not be your actual root file system. When we talk about GRUB, you need to specify GRUB's root partition. Once you give the root partition, GRUB mounts it read-only so that it can load the Linux kernel from it. A very "cool" feature of GRUB is that it can read native FFS, FAT, minix, ext2 and ReiserFS partitions. By now you may feel a little confused, because GRUB's naming convention for hard drives and partitions differs from the one Linux uses. In Linux, the fifth partition of the first hard drive is called hda5; GRUB calls the same partition (hd0,4). GRUB numbers hard disks and partitions starting from 0; the disk and partition are separated by a comma, and the whole expression is enclosed in parentheses. So if you want to boot Linux from hda5, you enter root (hd0,4). Knowing where the kernel lives, you must also say specifically which file is the kernel; that is the kernel command. In kernel /boot/vmlinuz-2.4.18-14 ro root=LABEL=/, /boot/vmlinuz-2.4.18-14 is the kernel to load, and what follows are the parameters passed to the kernel: root=LABEL=/ is the notation for the Linux hard disk partition, and ro means read-only. initrd is used to load the initial Linux image and set the appropriate parameters. The map command: when you have two hard drives and boot an operating system such as Windows XP from the second one, you can use the map command to map hd0 to hd1 and hd1 to hd0. In other words, you virtually swap the two hard disks and then boot the operating system. The command form is:
grub> map (hd0) (hd1)
grub> map (hd1) (hd0)
GRUB uses a "chain loader" (chainloader): the chain loader loads Windows XP's own boot loader from the boot record of partition (hd1,0) and then boots it. That is why the technique is called chain loading: it creates a chain from one boot loader to another. Chain loading can be used to boot any version of DOS or Windows. A GRUB configuration file can be as simple as this; if you want something more personalized, try adding the statement "color light-gray/blue" after the default statement and see what has changed the next time GRUB starts, then try "color light-blue/red". Surprised? Fun!)

3. Configuring GRUB

At startup GRUB looks for a configuration file named /boot/grub/menu.lst; if it does not find this file it does not enter menu mode and goes straight to command-line mode. Now let's see how to boot a variety of operating systems and how to build the menu.conf file. We start with the boot processes GRUB supports. There are two ways to complete the boot process:
· A. boot by loading the kernel directly
· B. chain-boot, i.e. transfer control to another boot loader

Boot process A:
1. Set the root device, i.e. tell GRUB where your root file system is.
2. Tell GRUB the location of the kernel image, and pass parameters to the kernel.
3. Reboot and try it out.
To boot Linux with a kernel file named bzImage in the /boot/ directory of the file system /dev/hda1, which GRUB calls (hd0,0), the boot process is as follows:
1. root (hd0,0)   [This sets the root partition]
2. kernel /boot/bzImage root=/dev/hda1   [This sets the kernel]

Boot process B (this mode assumes that another boot manager, such as LILO or NTLDR, is installed in the current partition):
1. Set the root partition, but do not mount it.
2. Activate the partition.
3. Configure the partition from whose first sector you need to boot.
4. Reboot and look at the result.
Let's try to boot Windows installed on /dev/hdc1, i.e. (hd1,0). The process of booting Windows is:
1. rootnoverify (hd1,0)
2. makeactive
3. chainloader +1   [+1 sets the first sector of the current root partition]
4. boot   [transfers control and quits GRUB]

The menu.conf file: it is used to create a start menu with multiple operating systems. Building menu.conf is not hard; it uses simple English, just like what you see in this section. Every menu entry begins with "title TITLENAME", with no comma; you choose TITLENAME yourself. A Linux boot menu entry is set up as follows: 1. set the title; 2. set the root partition; 3. set the kernel and its parameters; 4. boot. Example:
title Red Hat Linux (2.4.18-14)
    root (hd0,0)
    kernel /boot/vmlinuz-2.4.18-14 ro root=LABEL=/
    initrd /boot/initrd-2.4.18-14.img
Lines preceded by # are comments. A menu entry to start Windows or DOS:
title Windoze
    rootnoverify (hd0,0)
    makeactive
    chainloader +1
    boot
# -- or:
title Microsoft Windows XP
    map (hd0) (hd1)
    map (hd1) (hd0)
    root (hd1,0)
    chainloader (hd1,0)+1
    makeactive
    boot
Note: root and rootnoverify are the same, so rootnoverify can be changed to root. In practice, however, when Windows is booted with the rootnoverify (hdX,Y) form, Windows sometimes reports that some file is damaged. In that case, change rootnoverify to root in the Windows entry in GRUB. The English word root means "root"; here it lets GRUB know where the partition is.

Overwriting the C drive and repairing the Ubuntu + WinXP boot menu
As follows:

############### boot.ini ###############
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noguiboot
C:\GHLDR="One-key GHOST v11.5 Build 080606"
c:\grldr="Ubuntu 8.10"

The menu.lst file, written in the root of drive C, is as follows:

############### menu.lst ###############
timeout 10

title Windows XP
root (hd0,0)
chainloader +1

title Ubuntu 8.10, kernel 2.6.27-7-generic
root (hd0,8)
uuid 8a02d79c-a6cb-4543-a046-864fa69e2272
kernel /vmlinuz-2.6.27-7-generic root=UUID=ef3434d3-9495-4268-9ee2-c190f291c31e ro quiet splash
initrd /initrd.img-2.6.27-7-generic
quiet

title Ubuntu 8.10, kernel 2.6.27-7-generic (recovery mode)
root (hd0,8)
uuid 8a02d79c-a6cb-4543-a046-864fa69e2272
kernel /vmlinuz-2.6.27-7-generic root=UUID=ef3434d3-9495-4268-9ee2-c190f291c31e ro single
initrd /initrd.img-2.6.27-7-generic

title Ubuntu 8.10, memtest86+
root (hd0,8)
uuid 8a02d79c-a6cb-4543-a046-864fa69e2272
kernel /memtest86+.bin
quiet

Restart, and, huh, the dual boot menu appears. From the net: the hard-drive install could not find a partition. Solution: many people ask why, during a hard-drive installation of 8.10, the "partitioner" launched at step 4 of 7 does not recognize the hard disk and its partitions and shows only a blank.
Some posts say the ISO has to be unmounted with umount; you find that removable hard drives and USB disks are recognized but the hard disk is not, so the source of the problem clearly lies elsewhere. I met it too; after several attempts, including installing from a USB disk and a removable hard drive, I found that the source of the problem is the name of the installation ISO stored on your hard disk, removable hard drive or USB disk: if it is Ubuntu-8.10-desktop-i386.iso, the problem above occurs. The solution is very simple: just rename the file. I renamed it Ubuntu.iso and the problem was solved. There is no need to use the alternate version. Friends who meet this problem can give it a try.

Apache performance tips
Apache is a general-purpose Web server that puts correctness first and speed second.
Even so, its performance is quite satisfactory. Many sites have only a 10M export bandwidth, and Apache serves such sites well on low-end Pentium servers. In fact, sites with more bandwidth usually need several machines for other reasons (such as a large volume of CGI and database transaction processing) to meet the bandwidth requirements. These are the reasons previous Apache development focused on correctness and configurability. Unfortunately, many people take certain benchmarks and their raw data as the standard for judging whether a Web server is good or bad. The commonly accepted standard is "bare minimum performance", in which every index other than speed applies only to a small segment of the market. But to keep Apache from being marginalized in some markets, a fair amount of work went into Apache 1.3 to close the gap between it and high-end servers. Others simply want to try how fast these things can run. Such people try to squeeze the last drop of performance out of Apache, and they also want to see what affects Apache's performance. The rest of this article is written for them.

Note: this article applies to Apache 1.3 on UNIX; parts of it apply to the NT platform. Apache on NT has not yet been optimized; in fact, the different programming model makes its performance on NT poor. (NT emulates the POSIX programming model with its POSIX subsystem, which is very inefficient. Apache 2.0 abandons POSIX and deals with the operating system directly, so its performance will leap ahead. Translator's note.)

Hardware and operating system. The hardware that most directly affects Web server performance is RAM: a Web server should never touch the swap area. Swapping adds delay to every request, so users decide the site is "not fast enough", click [stop] and reload the page, which further increases the load on the server.
You can also adjust MaxClients when necessary so that your server does not spawn so many child processes that it starts swapping. Apart from this, nothing is critical: a fast CPU, a fast network card and fast disks can make your server "fast enough", though what "fast enough" means is a matter of experience. The choice of operating system is a matter of taste, as appropriate. A common criterion is: get the OS vendor's latest TCP/IP patches. The rapid rise of HTTP service in 1994 and 1995 broke the assumptions behind many UNIX kernel settings. Ideal choices include current FreeBSD and Linux.

Run-time configuration. HostnameLookups: before Apache 1.3 the default value of HostnameLookups was On, which causes a DNS query for every request and so increases latency. Apache 1.3 sets the default to Off. In 1.3 and later, if you use any "allow from domain" or "deny from domain" directive, the cost will be two DNS queries (a reverse query followed by a forward query to verify that the result of the former is genuine). So, for the best performance, avoid HostnameLookups (using IP addresses instead of domain names is also a good idea), and limit the use of such directives where possible, for example by placing them in a container such as <Files>. In that case the DNS query only happens for requests that meet the condition. The following example makes the query occur only for requests for .html and .cgi files:
HostnameLookups off
<Files ~ "\.(html|cgi)$">
  HostnameLookups on
</Files>

Migrating device control applications from Windows to Linux
From the explanation above of opening and closing the device, we need two parameters (the file pathname and the device access mode) to open a Linux device.
According to the original code, the first argument should be /dev/hda and the second O_RDONLY | O_NONBLOCK. The modified code is:
HANDLE devHandle = open("/dev/hda", O_RDONLY | O_NONBLOCK);
and the corresponding CloseHandle(devHandle); changes to close(devHandle);. The main part of the port is how to use ioctl to access the specific device and obtain the required information. The original Windows code is shown in Listing 6.

Listing 6. Windows source code for DeviceIoControl

typedef struct _Buffer {
    UCHAR req[8];            // Detailed command information other than the control code
    ULONG DataBufferSize;    // Size of DataBuffer, here 512
    UCHAR DataBuffer[512];   // Data buffer
} Buffer;

Buffer regBuffer;
memcpy(regBuffer.req, cmdBuff, 7);   // req[7] is reserved for future use. Must be zero.
regBuffer.DataBufferSize = 512;
unsigned int size = 512 + 12;        // Size of regBuffer: 8 for req, 4 for DataBufferSize, 512 for data
DWORD bytesRet = 0;                  // Number of bytes returned
int retval;                          // Returned value
retval = DeviceIoControl(devHandle,
                         IOCTL_IDE_PASS_THROUGH,  // Control code
                         &regBuffer,              // Input buffer, including the detailed command
                         size,
                         &regBuffer,              // Output buffer, use the same buffer
                         size,
                         &bytesRet, NULL);
if (!retval)
    cout << "DeviceIoControl failed.";

Choosing the appropriate security level according to the network deployment (2)
2. Operation and maintenance of the SAMBA password file.
When discussing the Server security level, I talked about disabling the SAMBA password file in order to lower the system security level from Server to User. Why does this work? Mainly because the SAMBA server's account and password file is not shared with the Linux operating system's account and password file. In other words, a client that has a Linux user name and password but no SAMBA user name and password still cannot connect to the Linux system. For this reason some system administrators often have the same question: they enter the correct Linux account and password in the authentication window, but the system still reports a password error and refuses the login. Why can the correct user name and password not log on to the SAMBA server? Mainly because the SAMBA server's password file and the Linux operating system's password file are not shared, so the client cannot use Linux account data to log on to the SAMBA server. But if the system administrator has to maintain two sets of passwords (SAMBA server passwords and Linux passwords), that is a nuisance. So can the two passwords be made the same? The answer is yes; otherwise the usability of the Samba server would drop greatly. In fact the principle is very simple: take the Linux operating system accounts and re-create them on the SAMBA server. The Linux account and password can then be used to log on to the SAMBA server (they still use different password files; the two servers just hold the same user names and passwords). Creating the user names and passwords by hand, however, clearly takes more time and effort. In fact the designers of the SAMBA server already took this into account: when creating the SAMBA password file you do not have to enter the account information manually.
Here I'll introduce a small tool named "mksmbpasswd.sh". It is a script whose main purpose is to read the Linux operating system's password file and then write the user names and password information from it into the SAMBA password file according to certain rules. When using this script you need to consider a permission problem. Out of habit, when deploying a Samba server we tend to create a dedicated user name and group, such as samba, and use that user and group to deploy the SAMBA server; the point is to keep it separate from other applications and manage it independently. But this script needs to read the Linux operating system's password file, so you must run the command as root; it cannot be run as the SAMBA user. System administrators deploying a SAMBA server for the first time often make this mistake. So I remind you: be sure to run the command as the root user, otherwise the system reports an error and the SAMBA password file cannot be created. Note also that after changing the password file you do not have to restart the Samba server; the password file takes effect immediately. For the client, however, it is different. During testing, a system administrator finds that the Linux account name and password cannot be used to log on to the SAMBA server; on examination he finds the problem lies in the password file. So he maintains the password file and adds the Linux account and password information to it. But at this point the client still cannot log on to the SAMBA server; the client has to be restarted before it can log in. I am not very clear about the specific reason; we can research and exchange ideas when we have time.
Finally, it should be pointed out that the Samba server's password file and the Linux operating system's password file are not the same file, and they are not synchronized with each other. So if a new account is created in the Linux operating system for a new employee, you still need to use the script above to synchronize it into the SAMBA password file manually, or create the same account by hand. According to my understanding, however, in a later version of the SAMBA server its designers may use the Linux user name and password file directly as the SAMBA server's password file. Let's wait and see!

Using iptables to set some security features (1)
Author: kenduest (small). I often see people messing around with port scan software (e.g. nmap), sweeping other people's ports at random, which is really annoying @_@. Here are several ways, using the mechanism of the new Linux kernel 2.4 + iptables, to apply some restrictions:

# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan (possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

These rules target scan software that, combined with the so-called stealth mechanisms, throws such packets at other hosts; with the rules in place, those packets are dropped.
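To see exactly which segments the six rules above would drop, the following added example (not part of the original post) models the semantics of iptables' --tcp-flags MASK COMP match in Python and runs the rule set over a few constructed tcpdump-style capture lines; the rule labels, sample addresses and line format are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# TCP flag bits as they sit in the 6-bit flags field of the TCP header.
FLAGS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}
ALL_FLAGS = 0x3F


def flag_mask(spec: str) -> int:
    """Turn an iptables flag list ('SYN,RST', 'ALL', 'NONE') into a bit mask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(flags: int, mask: str, comp: str) -> bool:
    """Semantics of `--tcp-flags MASK COMP`: among the bits named in MASK,
    exactly the bits named in COMP must be set; bits outside MASK are ignored."""
    return (flags & flag_mask(mask)) == flag_mask(comp)


# (label, MASK, COMP) triples taken from the six iptables rules above.
SCAN_RULES: List[Tuple[str, str, str]] = [
    ("NMAP FIN/URG/PSH", "ALL", "FIN,URG,PSH"),
    ("Xmas Tree", "ALL", "ALL"),
    ("Another Xmas Tree", "ALL", "SYN,RST,ACK,FIN,URG"),
    ("Null Scan", "ALL", "NONE"),
    ("SYN/RST", "SYN,RST", "SYN,RST"),
    ("SYN/FIN", "SYN,FIN", "SYN,FIN"),
]


def classify(flags: int) -> Optional[str]:
    """Return the label of the first rule that would DROP a segment with these
    flags, or None if it passes (e.g. a normal SYN, ACK or SYN/ACK segment)."""
    for label, mask, comp in SCAN_RULES:
        if tcp_flags_match(flags, mask, comp):
            return label
    return None


# tcpdump prints flags as letters: S=SYN F=FIN R=RST P=PSH U=URG and "." for ACK;
# a segment with no flags at all is printed as "Flags [none]".
TCPDUMP_LETTERS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK"}


def flags_from_tcpdump(letters: str) -> int:
    if letters == "none":
        return 0
    return sum(FLAGS[TCPDUMP_LETTERS[c]] for c in letters)


LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: Flags \[([^\]]*)\]")


def scan_report(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the rule set over tcpdump-style lines and return (source IP, rule label)
    for every segment the rules would have dropped."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        label = classify(flags_from_tcpdump(m.group(2)))
        if label is not None:
            hits.append((m.group(1), label))
    return hits


# Constructed sample capture (not real traffic): a normal SYN and SYN/ACK, plus
# three probes of the kinds the rules are written for.
SAMPLE_LINES = [
    "12:00:01.000 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 1024",
    "12:00:01.010 IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [FPU], seq 1, win 1024",
    "12:00:01.020 IP 198.51.100.7.40003 > 192.0.2.10.80: Flags [none], seq 1, win 1024",
    "12:00:01.030 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.], seq 5, ack 2, win 8192",
    "12:00:01.040 IP 198.51.100.7.40004 > 192.0.2.10.80: Flags [SF], seq 1, win 1024",
]

if __name__ == "__main__":
    for src, label in scan_report(SAMPLE_LINES):
        print(f"{src}: dropped by rule '{label}'")
```

Note that the SYN/FIN rule uses the mask SYN,FIN rather than ALL, so a SYN/FIN segment is dropped even if ACK is also set; the mask decides which bits are examined, the second argument which of them must be set.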
The scanner on the other side then hangs, or has to wait for the timeout before it can continue, which lengthens the time the scan requires.

Development of the Linux system disk encryption method in Visual FoxPro
Method 2: device-mapper crypto

Download and compile cryptsetup (skip if you already have it):
wget http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2
cd cryptsetup-0.1
./configure; make; make install

Compile the kernel (skip this step if it already has support):
make menuconfig
Device Drivers > Multi-device support (RAID and LVM): CONFIG_BLK_DEV_DM, CONFIG_DM_CRYPT

Load the module (and the cipher module):
modprobe dm-crypt

Create a loop device:
dd if=/dev/zero of=~/dm-crypt.image bs=1M count=10
losetup /dev/loop0 ~/dm-crypt.image

Set up the device-mapper mapping (prompts for a password):
cryptsetup -y create dm-crypt /dev/loop0

Create a file system and mount it:
mkfs.ext3 /dev/mapper/dm-crypt
mount /dev/mapper/dm-crypt /mnt/crypto

Unmount and tear down:
umount /mnt/crypto
cryptsetup remove dm-crypt
losetup -d /dev/loop0

Reload:
cryptsetup -y create dm-crypt /dev/loop0
mount /dev/mapper/dm-crypt /mnt/crypto

The device-mapper crypto implementation lives in the drivers/md directory; it is considerably more complex, and there has been no time to read it carefully.
Monday, February 7, 2011
Introduction to Linux commonly used abbreviations
Author: Zhao Peng. LILO (Linux Loader): this is the system boot program; it is configured to boot one or more operating systems.
Bash (Bourne Again Shell): an upgraded version of one of the four commonly used Linux shells (pdksh, tcsh, zsh and bash); it consolidates the Bourne shell with all the advanced features of the Korn shell, the C shell and tcsh. It is also the default shell of Red Hat. X Window: X refers to the X protocol, developed in the mid 1980s to provide a networked graphical user interface for UNIX systems. Unlike the PC-based Windows GUI, the X Window GUI is divided into three parts: X Window itself, the window manager, and the program/file manager. Gnome and KDE: the two most common Linux desktops. Gnome (GNU Network Object Model Environment) includes a panel, a desktop and a GUI (graphical user interface) toolkit for organizing programs; KDE (K Desktop Environment) is a network-transparent desktop in which users can run the vast majority of Linux applications. G/KDM (Gnome/K Display Manager): the display manager of the Gnome or KDE environment. RPM (Red Hat Package Manager): Red Hat's package manager, which organizes Linux software into packages that can be installed and removed.

Implementation of stateful inspection in Linux 2.2.x
1. Introduction. Stateful inspection is currently one of the prerequisites for a firewall.
It work at the IP layer, check the firewall forwarding packages, and create the corresponding structure records the State of the connection. It checks that include link layer, network layer, transport layer, application layer in a variety of information, and in accordance with the rules of the table or the state table to decide whether to allow forwarding packets to pass through. Open source project SIFI (http://www.ifi.unizh.ch/ikm/sinus/) implements a firewall stateful inspection feature. The Firewall kernel section of code is to establish in the framework of LINUX2.2.x network security, is a very good analysis, learning State detection technology instance. The following is from the data structure, status checks, serial number check, timeout, application protocol data checking and other aspects of its State testing is how to achieve. 2. Overview of the first look at SIFI several important data structures. 2.1.sf_fw_ops SIFI kernel code is LINUX2.2.x network security framework, so it should define in the check point on the reference architecture, as follows: structfirewall_opssf_fw_ops = {NULL, sf_forward_ck, sf_input_ck, sf_output_ck, PF_INET, 2} struct sf_forward_chk, sf_input_chk, sf_out_chk three functions in checkpoint call_fw_firewall, call_in_firewall, call_out_firewall on being called. All three functions to call the function sf_check_packet real action. This structure is of priority 2, higher than LINUX2.2.x kernel-defined priority of ipfw_ops, check point, first call the function defined in the structure. Only in it for the function's return value is FW_SKIP circumstances will call the functions defined in ipfw_ops. 2.2. rule table rule sheet is a one-way list, is used to match the packages need to be addressed, and decided to match the action. As shown in Figure 2.1. 2.3. connection table connection table is a hash table, the same hash value of the structure is linked in a doubly linked list. 
All fabric and is linked in a doubly linked list, the pointer points to the conns head and tail pointing to the linked list of lastc. As shown in Figure 2.1. 2.4. State defined connection tables in every structure in a moment, there is a certain State. In SIFI, only for TCP and UDP protocols to create the connection structure. Other protocol checks by matching rules table implementation, without creating the connection structure. State is defined as follows: [table 2.1] table with grey logo status in status check is not used. SF_TCP_ESTABLISHEDFTP status for the FTP protocol defined for the control connection, define this State's purpose is to check the FTP protocol, and find out the address and port, and create a new connection structure, so that the FTP data connection in the absence of appropriate rules can also be set up. Other State defines TCP connection in the process of change of legal status and the status of the conversion process as mentioned below. 3. the basic process now look SIFI on different protocol packet processing. On the ICMP protocol or IGMP Protocol of the packet, it checks the length of the package, and in the rules table lookup, if a match is found, perform the action required by the rules; if you do not find a matching rule, the default ban the bag. It did not record the ICMP or IGMP protocols. The UDP protocol of the packet flow check as follows: [figure 3.1] first look at the attached table, if found, this direction of UDP traffic is allowed by the rules; if not found, then the rule table lookup, if there is a matching rule, perform the action required by the rules, if you do not find a matching rule, the default ban the bag. Rule check, if the matched rules allow this package will add the connection table a new structure, the status value is SF_UDP_STATE, subsequent packets will no longer be rule checks until the structure to be deleted. 
Note that a UDP packet is matched against the connection table in one direction only, unlike TCP. The check flow for a TCP packet is as follows: [figure 3.2]. It first looks in the connection table for a corresponding connection structure. Here the match is two-way (the destination address and port are swapped with the source address and port), so each TCP connection has one connection structure. If a matching structure is found, the state is updated (state changes are described later). If none is found, it checks whether the packet has the SYN bit set without the ACK bit (a TCP connection request). If so, it computes the hash with the source port set to zero and looks up the connection table for a matching structure (such a structure is created dynamically while processing application protocol data, with a dynamic address and port, much as in address translation). If one is found, the original structure with source port zero is deleted, the hash is recomputed from this packet's addresses and ports, and a new structure is created. If the packet does not have SYN set without ACK, it is rejected.

4. State check

4.1. State check

The state check defines the legal states a TCP connection passes through and the packet types allowed in each state. At the same time, stateful inspection checks the legality of the packets it lets through, for instance whether their sequence numbers conform to what the TCP protocol specifies. All state transitions are shown in the figure: [figure 4.1]. The initial state of a connection structure is SF_TCP_ACCEPT_SYN; the structure is created when a TCP packet with SYN set and ACK clear gets the return value FW_ACCEPT from the rule check. After the structure is created, the state check of the connection proceeds in these steps: (1) If the CLIENT (the connection initiator) sends a packet with SYN set and ACK clear, the connection state changes to SF_TCP_CLIENT_SYN.
(2) In state SF_TCP_CLIENT_SYN, when the SERVER (the connection recipient) responds with a SYN or SYN/ACK packet, the connection state changes to SF_TCP_SYN_ACK. In this state a SYN or SYN/ACK packet from the CLIENT is also allowed, and the state remains unchanged. (3) In state SF_TCP_SYN_ACK, when the CLIENT responds with an ACK or SYN/ACK packet, the connection state changes to SF_TCP_ESTABLISHED3. In this state a SYN/ACK from the SERVER is also allowed without changing the state, but a SYN from the SERVER and a SYN from the CLIENT are not allowed through. These are the checks on SYN and ACK packets in the three states SF_TCP_ACCEPT_SYN, SF_TCP_CLIENT_SYN and SF_TCP_SYN_ACK. This check supports TCP simultaneous open, provided the rules allow it. The state check for closing a connection proceeds as follows: (4) If the CLIENT sends a packet with FIN set, the connection state changes to SF_TCP_CLIENT_FIN. (5) If the SERVER sends a packet with FIN set, the connection state changes to SF_TCP_SERVER_FIN. (6) When both of the above have taken place, the connection state is SF_TCP_TERMINATED, or greater than SF_TCP_TERMINATED if the structure was created for an FTP control connection. (7) In a state greater than or equal to SF_TCP_TERMINATED, if a packet with SYN set is received, the connection is removed and the rules are checked again. In any state, if a packet with RST set is received, the connection is deleted. Also, a packet with SYN and FIN set, with RST set together with SYN or FIN, or with SYN, FIN and RST all set (a Christmas packet) is blocked.

4.2. Timeouts

Each non-ESTABLISHED state has an appropriate timeout value, as follows: [table 4.1]. Timeouts are implemented with the kernel timer; a connection that times out is deleted.
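The TCP state transitions of steps (1) to (7), modelled in Python as an added example (this is not SIFI's kernel code; the packet representation as an endpoint tuple plus TCP flag bits, and the handling of the closing ACK after SF_TCP_TERMINATED, are assumptions):

```python
"""Model of the TCP state check described in steps (1) to (7). Added
illustration for this page, not SIFI's kernel code; the packet shape
(endpoint tuple plus TCP flag bits) and the closing-ACK rule are assumptions."""
from enum import IntEnum

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits

class State(IntEnum):
    """States named on the page, ordered the way SIFI compares them."""
    SF_TCP_ACCEPT_SYN = 0
    SF_TCP_CLIENT_SYN = 1
    SF_TCP_SYN_ACK = 2
    SF_TCP_ESTABLISHED3 = 3
    SF_TCP_CLIENT_FIN = 4
    SF_TCP_SERVER_FIN = 5
    SF_TCP_TERMINATED = 6

ACCEPT, DROP, DELETE = "accept", "drop", "delete"

class Connection:
    """One connection-table entry; CLIENT is the initiator, SERVER its peer."""
    def __init__(self, client, server):
        self.client, self.server = client, server   # (addr, port) tuples
        self.state = State.SF_TCP_ACCEPT_SYN
        self.client_fin = self.server_fin = False

    def check(self, src, flags):
        """Return ACCEPT or DROP for the packet, or DELETE when the entry must
        go (RST in any state, or a new SYN once the connection is terminated)."""
        syn, ack, fin, rst = (bool(flags & b) for b in (SYN, ACK, FIN, RST))
        if (syn and fin) or (rst and (syn or fin)):
            return DROP                         # "Christmas" combinations never pass
        if rst:
            return DELETE
        from_client = src == self.client
        st = self.state
        if st >= State.SF_TCP_TERMINATED:       # step (7)
            # a fresh SYN drops the entry and the packet goes back to the rules;
            # letting the final ACK of the close through is our assumption
            return DELETE if syn else (ACCEPT if ack else DROP)
        if st == State.SF_TCP_ACCEPT_SYN:       # step (1)
            if from_client and syn and not ack:
                self.state = State.SF_TCP_CLIENT_SYN
                return ACCEPT
            return DROP
        if st == State.SF_TCP_CLIENT_SYN:       # step (2)
            if syn and not from_client:         # SYN or SYN/ACK from the server
                self.state = State.SF_TCP_SYN_ACK
                return ACCEPT
            return ACCEPT if syn else DROP      # client SYN retry: state unchanged
        if st == State.SF_TCP_SYN_ACK:          # step (3)
            if from_client and ack:             # ACK or SYN/ACK ends the handshake
                self.state = State.SF_TCP_ESTABLISHED3
                return ACCEPT
            if syn and ack:                     # duplicate server SYN/ACK tolerated
                return ACCEPT
            return DROP                         # bare SYN from either side
        if syn and not ack:
            return DROP                         # no new SYN inside an open connection
        if fin:                                 # steps (4) to (6)
            if from_client:
                self.client_fin, self.state = True, State.SF_TCP_CLIENT_FIN
            else:
                self.server_fin, self.state = True, State.SF_TCP_SERVER_FIN
            if self.client_fin and self.server_fin:
                self.state = State.SF_TCP_TERMINATED
        return ACCEPT

def run(client, server, packets):
    """Feed (source, flags) pairs through one entry and return the verdicts
    plus the final state."""
    conn = Connection(client, server)
    return [conn.check(src, flags) for src, flags in packets], conn.state

if __name__ == "__main__":
    c, s = ("10.0.0.1", 40000), ("10.0.0.2", 80)   # constructed endpoints
    print(run(c, s, [(c, SYN), (s, SYN | ACK), (c, ACK), (c, FIN | ACK), (s, FIN | ACK)]))
```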
No default timeout is defined for the two states SF_TCP_ESTABLISHED3 and SF_TCP_ESTABLISHEDFTP, but the compile option SF_TCP_IDLE can be defined to give both states a timeout of 8 * 36 * HZ, that is 8 hours.

4.3. Sequence number check

The sequence number is an important means by which TCP ensures data reliability. Every byte of data transferred on a TCP connection is identified by a sequence number, and the initial sequence number is set when the connection is established. The party receiving a packet replies with a packet with ACK set, telling the sender the next sequence number it expects, which identifies the data received before that number. TCP uses a sequence number window to limit how much data the peer may send, for flow control. The window size is a 16-bit positive integer, and the TCP window scale option can extend it: with the scale option, the window value is shifted left by the scale factor when the window is computed. A packet with SYN set, which negotiates the initial sequence number, occupies one sequence number, and a packet with FIN set, which closes the connection, occupies one sequence number. SIFI checks sequence numbers to decide whether a forwarded packet is legal. In the SIFI implementation, sequence number checking of each TCP connection can be enabled with a configuration parameter; the steps are: (1) For a packet without SYN (a FIN or ACK packet), first check that the sender's largest sequence number lies within the peer's window; then, if the packet has ACK set, its acknowledgement number should lie within the peer's sequence numbers. (2) In state SF_TCP_CLIENT_SYN, record the CLIENT's sequence number, window size and scale factor. In state SF_TCP_SYN_ACK, record the SERVER's sequence number, window size and scale factor, and increase the CLIENT's sequence number by one.
(3) In state SF_TCP_TERMINATED, if a packet with SYN set is received, its sequence number should lie within that party's sequence numbers. (4) In state SF_TCP_SYN_ACK, a duplicate SYN/ACK from the SERVER should carry an acknowledgement number equal to the CLIENT sequence number recorded for the connection.

4.4. Application protocol data check

The application protocol data check inspects the address and port agreed over the application's control connection and creates a corresponding connection structure, so that the subsequent data connection can be established. In general, unless a rule allows all ports, the dynamic ports these protocols negotiate are forbidden by the rules by default. Being able to create the structure dynamically avoids the rule check and is transparent to the user. Of course, this could also be achieved by creating a dynamic rule, but the rule is a

GNOME File Manager will add tabbed browsing
Nautilus, the file manager of the Linux GNOME desktop, will reportedly add browser-style tabbed browsing.
Many areas of Nautilus need updating, and the feature users ask for most is tabbed browsing, so the developers will add it first. Reportedly the basic feature has now been added and only some small fixes and testing remain; Alt + number key shortcuts will also be added. The new Nautilus will ship together with GNOME 2.24 in September. Friends who want to try the feature first can use PCManFileManager, which already supports it, and on Windows you can use QTTabBar. Download the source code: http://svn.gnome.org/viewvc/nautilus/branches/multiview/ Download the dependency libbackground: http://svn.gnome.org/svn/gnome-control-center/tags/gnome_control_center_2_22_0/libbackground/

Setting up NAT + DHCP on Ubuntu with a non-fixed IP
Then don't forget 「# sudo gedit /etc/default/dhcp3-server」, and change 「INTERFACES=""」 into 「INTERFACES="eth1"」.
Finally, the difficult step is to modify 「/etc/dhcp3/dhcpd.conf」; however, while I was struggling with it, I opened Firestarter and set up DHCP and NAT (I selected 「Create new DHCP configuration」), then went back to 「/etc/dhcp3/dhcpd.conf」, and the content inside was not what I had laboriously typed in from the Bird guide but the settings made by Firestarter, which is even more dexterous than I am, and saved a few bytes of capacity.

    # DHCP configuration generated by Firestarter
    ddns-update-style interim;
    ignore client-updates;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.2;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 168.95.1.1;   # Chunghwa Telecom's DNS address
        option ip-forwarding off;
        range dynamic-bootp 192.168.1.30 192.168.1.50;   # automatically assigned IP range
        default-lease-time 21600;
        max-lease-time 43200;
    }

Don't forget to run 「# sudo /etc/init.d/dhcp3-server restart」. If, like me, you are too lazy to set up iptables yourself, the next part is super easy. Please install Firestarter; remember to enable the Universe repository. For the settings below, if you want reference pictures, see the URL below. Firestarter -> Preferences -> Network Settings: for 「Internet connected network device」 (the Ethernet connection) select ppp0, for 「Local network connected device」 (the internal computers) select eth1, tick both Enable options in the middle, and below you can select 「Keep existing DHCP configuration」, which uses what you just created; if instead you choose 「Create new DHCP configuration」 and fill in the IP range, Firestarter will write 「/etc/dhcp3/dhcpd.conf」 itself. I forgot to remind everyone: remember that the cables must be connected properly, otherwise Firestarter will not see the two connected network cards and will not start NAT.
Things are not over yet: my computer still had no Internet access, so I changed the local network connection I had originally set to 192.168.1.3 into 「obtain an IP address automatically」, selected 「obtain DNS server address automatically」 below it, and everything was done. cFos, which I had watched for a long time displaying 「line interrupted」, left me strangely sad; farewell, cFos, from now on I want to share the IP with my brother.

Apache logs: access log (2)
3. Process accounting

UNIX can track every command run by every user. If you want to know who messed with an important document last night, the process accounting subsystem can tell you.
It also tracks an intruder. Like connection time logging, the process accounting subsystem is not activated by default; it must be started. On Linux, process accounting is started with the accton command, which must be run as root. The command takes the form accton file, and file must exist. Use the touch command to create the pacct file: touch /var/log/pacct, then run accton: accton /var/log/pacct. Once accton is activated, you can use the lastcomm command at any time to monitor the commands run on the system. To turn accounting off, run accton with no arguments. The lastcomm command reports on commands executed previously. Without arguments it displays all the information recorded about every command during the lifetime of the current accounting file, including the command name, user, tty, the CPU time the command took and a timestamp. If the system has many users, the output can be quite long. For example:

    crond            F  root  ??  0.00 secs Sun Aug 20 00:16
    promisc_check.s  S  root  ??  0.04 secs Sun Aug 20 00:16
    promisc_check       root  ??  0.01 secs Sun Aug 20 00:16
    grep                root  ??  0.02 secs Sun Aug 20 00:16
    tail                root  ??  0.01 secs Sun Aug 20 00:16
    sh                  root  ??  0.01 secs Sun Aug 20 00:15
    ping             S  root  ??  0.01 secs Sun Aug 20 00:15
    ping6.pl         F  root  ??  0.01 secs Sun Aug 20 00:15
    sh                  root  ??  0.01 secs Sun Aug 20 00:15
    ping             S  root  ??  0.02 secs Sun Aug 20 00:15
    ping6.pl         F  root  ??  0.02 secs Sun Aug 20 00:15
    sh                  root  ??  0.02 secs Sun Aug 20 00:15
    ping             S  root  ??  0.00 secs Sun Aug 20 00:15
    ping6.pl         F  root  ??  0.01 secs Sun Aug 20 00:15
    sh                  root  ??  0.01 secs Sun Aug 20 00:15
    ping             S  root  ??  0.01 secs Sun Aug 20 00:15
    sh                  root  ??  0.02 secs Sun Aug 20 00:15
    ping             S  root  ??  1.34 secs Sun Aug 20 00:15
    accton           S  root  ttyp0  0.00 secs Sun Aug 20 00:15
    locate              root  ttyp0  1.34 secs Sun Aug 20 00:15

The process accounting file pacct can grow very fast. You need to run the sa command, interactively or through cron, to keep the logged data under control. The sa command reports on, cleans up and maintains the process accounting file. It can compress the information in /var/log/pacct into the summary files /var/log/savacct and /var/log/usracct.
These summaries contain system statistics classified by command name and by user name. By default sa reads them and then reads the pacct file, so the report contains all available information. The fields in sa's output are:

    avio   -- average number of I/O operations per execution
    cp     -- total user and system time, in minutes
    cpu    -- same as cp
    k      -- average core usage, in 1k units
    k*sec  -- CPU storage integral, in 1k-core seconds
    re     -- real time, in minutes
    s      -- system time, in minutes
    tio    -- total number of I/O operations
    u      -- user time, in minutes

For example:

    842  173.26re  4.30cp  0avio  358k
      2   10.98re  4.06cp  0avio  299k  ind
      9   24.80re  0.05cp  0avio  291k  ***other*
    105   30.44re  0.03cp  0avio  302k  ping
    104   30.55re  0.03cp  0avio  394k  s
    162    0.11re  0.03cp  0avio  413k  security.s*
    154    0.03re  0.02cp  0avio  273k  ls
     56   31.61re  0.02cp  0avio  823k  ping6.pl*
      2    3.23re  0.02cp  0avio  822k  ping6.pl
     35    0.02re  0.01cp  0avio  257k  md5sum
     97    0.02re  0.01cp  0avio  263k  initlog
     12    0.19re  0.01cp  0avio  399k  promisc_check.s
     15    0.09re  0.00cp  0avio  288k  grep
     11    0.08re  0.00cp  0avio  332k  awk

Users can get the summary report per user instead of per command. For example, sa -m shows:

             885  173.28re  4.31cp  0avk
    root     879  173.23re  4.31cp  0avk
    alias      3    0.05re  0.00cp  0avk
    qmailp     3    0.01re  0.00cp  0avk

4. The syslog facility

Syslog has been adopted by many logging functions and is used in many protective measures: any program can record events through syslog. Syslog records system events; it can write them to a file or a device, or send a message to a user. It can record local events or, over the network, the events of another host. The syslog facility is based on two important files: /etc/syslogd (the daemon) and the /etc/syslog.conf configuration file. Customarily most syslog information is written to the message files (messages.*) in the /var/adm or /var/log directory. A typical syslog record includes the name of the generating program and a text message. It also includes a facility and a priority (which do not appear in the log).
Each syslog message is assigned one of the following major facilities:

    LOG_AUTH      -- authentication system: login, su, getty, etc.
    LOG_AUTHPRIV  -- same as LOG_AUTH, but logged to a file readable only by selected users
    LOG_CRON      -- cron daemon
    LOG_DAEMON    -- other system daemons, such as routed
    LOG_FTP       -- file transfer protocol: ftpd, tftpd
    LOG_KERN      -- messages generated by the kernel
    LOG_LPR       -- system printer spooler: lpr and lpd
    LOG_MAIL      -- e-mail system
    LOG_NEWS      -- network news system
    LOG_SYSLOG    -- internal messages from syslogd(8)
    LOG_USER      -- messages from random user processes
    LOG_UUCP      -- UUCP subsystem
    LOG_LOCAL0 to LOG_LOCAL7 -- reserved by syslog for local use

Each event is given one of several priorities:

    LOG_EMERG    -- emergency
    LOG_ALERT    -- a problem that should be corrected immediately, such as a corrupted system database
    LOG_CRIT     -- critical condition, such as a hard disk error
    LOG_ERR      -- error
    LOG_WARNING  -- warning
    LOG_NOTICE   -- not an error, but may need handling
    LOG_INFO     -- informational
    LOG_DEBUG    -- debugging information, normally used when debugging a program

The syslog.conf file specifies how syslogd records the log; the program reads the configuration file at startup. The file consists of individual entries, one per line, for the different programs or message classes. For each type of message it provides a selector field and an action field, separated by a tab: the selector field specifies the message type and priority, and the action field indicates what syslogd should do when it receives a message matching the selector. Each selector consists of a facility and a priority. When a priority is specified, syslogd records messages of that priority or higher, so specifying "crit" records all messages marked crit, alert and emerg. The action field of each line indicates where a message selected by the selector field should be sent.
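The selector rules just described (facility.priority, "this priority or higher", and none), applied to the page's own example lines collected into one constructed configuration, as an added Python example that is not syslogd's code:

```python
"""Selector matching for syslog.conf lines as described above. Added
illustration for this page, not syslogd's code; the sample configuration
is assembled from the page's own example lines."""
import re

# priorities from lowest to highest; a selector picks its level and everything above
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# constructed sample syslog.conf made of the examples the page gives
SAMPLE_CONF = """\
# Log all the mail messages in one place
mail.*                          /var/log/maillog
# Save mail and news errors of level err and higher in a special file
uucp,news.crit                  /var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @linuxaid.com.cn
# Root and Tiger get alert and higher messages
*.alert                         root,tiger
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
"""

def parse_line(line):
    """Return ([(facilities, level), ...], action), or None for blank/comment lines.
    Selector and action are separated by whitespace (a tab in the classic format)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    selector, action = re.split(r"\s+", line, maxsplit=1)
    parts = []
    for item in selector.split(";"):
        facilities, level = item.rsplit(".", 1)
        parts.append((facilities.lower().split(","), level.lower()))
    return parts, action

def selects(parts, facility, priority):
    """Apply the page's rules: a level selects itself and everything higher,
    'none' removes a facility, and later selectors on a line override earlier ones."""
    selected = False
    for facilities, level in parts:
        if facility not in facilities and "*" not in facilities:
            continue
        if level == "none":
            selected = False
        elif level == "*":
            selected = True
        else:
            selected = PRIORITIES.index(priority) >= PRIORITIES.index(level)
    return selected

def actions_for(conf, facility, priority):
    """List, in file order, the actions a message with this facility and priority reaches."""
    actions = []
    for raw in conf.splitlines():
        parsed = parse_line(raw)
        if parsed and selects(parsed[0], facility, priority):
            actions.append(parsed[1])
    return actions

if __name__ == "__main__":
    for fac, pri in (("mail", "info"), ("kern", "emerg"), ("authpriv", "notice")):
        print(f"{fac}.{pri:<7} -> {actions_for(SAMPLE_CONF, fac, pri)}")
```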
For example, to record all mail messages in one file:

    # Log all the mail messages in one place
    mail.*                      /var/log/maillog

Other facilities also have their own logs. The UUCP and news facilities can produce many external messages; they are put into their own log (/var/log/spooler) and the level is limited to "err" or higher. For example:

    # Save mail and news errors of level err and higher in a special file.
    uucp,news.crit              /var/log/spooler

When an emergency message arrives, you may want to notify all users. You may also want to have your own copy received and saved on another machine:

    # Everybody gets emergency messages, plus log them on another machine
    *.emerg                     *
    *.emerg                     @linuxaid.com.cn

Alert messages should be written to the personal accounts of root and tiger:

    # Root and Tiger get alert and higher messages
    *.alert                     root,tiger

Sometimes syslogd produces a great many messages; the kernel (the "kern" facility) in particular can be very verbose. The user may want to send kernel messages to /dev/console. The following example shows the kernel log entry commented out:

    # Log all kernel messages to the console
    # Logging much else clutters up the screen
    # kern.*                    /dev/console

Users can specify everything on one line. The following example sends messages of level info or higher to /var/log/messages, except for mail. The level "none" excludes a facility:

    # Log anything (except mail) of level info or higher
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none    /var/log/messages

In some cases you can send the log to a printer, so that a network intruder has no way to modify it. Logs are usually recorded extensively. The syslog facility is a significant target for attackers, and a host that keeps the logs of other systems is particularly vulnerable to attack, so it needs particular attention. There is a small command, logger, that provides a shell command interface to the syslog(3) system log, allowing users to create entries in the log file. Usage: logger; for example: logger This is a test!
It produces the following syslog record: Aug 19 22:22:34 tiger: This is a test! Note that you should not fully trust the logs, because an attacker can easily modify them.

5. Program logs

Many programs maintain a log that reflects the security status of the system. The su command allows a user to obtain another user's privileges, so its security is important; its log file is sulog. The same goes for sudolog. In addition, Apache has two logs: access_log and error_log.

Migration from Windows to Linux device control applications
The Linux ioctl function

On Linux you can use ioctl

    int ioctl(int fildes, int request, /* arg */ ...);

to send control information to a specified device. The first parameter, fildes, is the file descriptor returned by the open() function for the specific device. Compared with the corresponding Windows call DeviceIOControl, the input parameter list of ioctl is not fixed: it depends on the ioctl request and on the parameters the request requires, just as with the dwIoControlCode parameter of the Windows function DeviceIOControl. However, during migration you need to take care in choosing the correct request parameter, because the dwIoControlCode of DeviceIOControl and the request of ioctl have different values, and there is no explicit mapping list between dwIoControlCode and request. Usually you can find the request parameter values defined in the associated header files and select the parameter value from there. All control codes are defined in the /usr/include/{asm,linux}/*.h files. The arg parameter provides detailed command information for the specific device operation. The data type of arg depends on the specific control request; this parameter can be used both to send detailed commands and to receive returned data.

Migration example

Let's look at a migration example from Windows to Linux. The example involves reading the SMART log from the PC's main IDE hard drive.

Step 1 - Identify the device type. As mentioned earlier, Linux devices are used as files, so it is first necessary to find the file that describes the device on Linux; only through this file can you get the device handle needed for device control. In this example the object is an IDE hard disk drive, described on Linux as /dev/hda, /dev/hdb, etc. The hard disk device path being migrated in this example is \\.\PhysicalDrive0, and /dev/hda is the corresponding Linux device file name.

2. Change the included header files. The header files that must be #included on Linux are shown in table 3: table 3. #include header files

Configuring an SVN server on Fedora 10
1. Install subversion: yum install subversion.i386 (note: on Mandriva you need to install subversion, subversion-server and subversion-tools with urpmi).

2. Create the repository and modify its permissions:

    # mkdir -p $SVNPATH/repos
    # svnadmin create $SVNPATH/repos/project1

3. Start the subversion service and set the repository location:

    # svnserve --daemon --root=$SVNPATH/repos --listen-port=3690

   Note: starting the service as root is not recommended; the default port number is 3690.

4. # yum list mod_dav_svn
   Note: this finds the package related to mod_dav_svn, mod_dav_svn.i386; install it with yum install mod_dav_svn.i386.
   Note: after installation a subversion.conf file is generated automatically in the /etc/httpd/conf.d folder, and the following two lines are added automatically:

    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

   Between the ... and ... lines (the enclosing directives are missing here) the content reads:

    DAV svn
    SVNPath $SVNPATH/repos/project1

5. Restart the Apache service: # apachectl restart

6. Modify the SELinux context: # chcon -R -h -u system_u -t httpd_sys_content_t $SVNPATH/repos

7. You can use # lsof -i:3690 to see whether the port is open.

8. Modify the configuration file /home/svnroot/repository/conf/svnserve.conf:

    [general]
    # anonymous access: read, write or none; the default is read
    anon-access = none
    # authenticated user access: read, write or none; the default is write
    auth-access = write
    # password database path; remove the leading #
    password-db = passwd
    # user permissions
    authz-db = authz

   Modify the passwd file:

    [users]
    user = password
    user1 = password1

   Modify the authz file:

    [test1:/]
    user = rw
    [test1:/doc]
    user1 = rw

9. For a single repository the start command is svnserve -d -r /home/svnroot/repository/test1 --listen-host 192.168.1.18, where -d runs in the background and -r specifies the server's root directory, so clients can access the server directly as svn://server-ip. If the server has several IP addresses, --listen-host specifies the address to listen on. We can then reach the svn server from an svn client through svn://192.168.1.18. For several repositories we can still use the -r option at startup to specify the server root directory, but you must write the path of each repository relative to the svn root. For example, with the two repositories /home/svnroot/repository/test1 and /home/svnroot/repository/test2 we start with svnserve -d -r /home/svnroot/repository --listen-host 192.168.1.18, and the client can then use svn://192.168.1.18/test1 and svn://192.168.1.200/test2 to access the two projects. After starting, we can use ps aux | grep svnserv to see whether the svnserve process exists.

10. Open the port. The default SVN port is 3690, and you need to open this port on the firewall:

    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 3690 -j ACCEPT
    /sbin/service iptables save

   You can also use the svnserve --listen-port option to specify a different port that is already open, but in that case the client must also append the port, such as svn://192.168.1.18:9999/.

11. yum has an interesting usage: yum whatprovides mod_dav_svn.so

12. On Mandriva, to install mod_dav.so you can use urpmi apache-mod_dav_svn