In its sales strategy, Microsoft never seems to hesitate to attack competitors.
This time, in another agency report that Microsoft co-authored, the company pointed out that virtual machines may become malware hosts, especially on Linux systems. Of course, once a virtual machine is infected with malware, many of today's security products are able to detect it. We need not be too nervous about this, however, because the scenario is very hard to turn into reality. According to the report, the attacker installs a virtual machine (VM) program on the target computer, and then installs malicious programs inside the virtual machine, such as keyloggers or Trojan horses, to steal information from the primary operating system. But for this kind of attack the attacker must modify the system's original kernel, because the original kernel and the virtualization software were designed from the outset to keep data exchange between different virtual machine systems separate. In other words, the hacker first has to compromise the operating system kernel before a keylogger or similar can be installed to access the virtual machine and do further damage. Breaking into the operating system kernel is not an easy thing, at least not as easy as we imagine. Installing software on a Windows or Linux system requires system administrator permissions, which the ordinary computer user does not have. Of course, a hacker may modify the system kernel through a known security hole in Windows, but that looks like gilding the lily: if the system is vulnerable enough to let you in anyway, why go to the trouble of modifying the kernel to install a keylogger? The fourth page of the report says that to install malicious programs, the hacker first needs to modify the host operating system's kernel, and then modify the Windows virtual machine monitor software.
As we know, the virtual machine monitor (VMM) manages the computer's hardware resources; when multiple virtual systems run on the host computer at the same time, it manages the use of disk, memory and keyboard. The report shows that on a Linux-based VMM the hacker does not need to change this, but it does not specifically state why this step can be omitted on a Linux system. In addition, the report seems to deliberately ignore the fact that we are entering an era of hardware virtualization: both Intel and AMD processors can recognise, in hardware, the various virtual machine software running on them. So the probability of such an attack on a virtual machine can be reduced to the point of being negligible. Although it has many components, the report still has some readability: it gives a number of constructive comments on virtual machine technology and on applications that can help achieve software troubleshooting and intrusion detection. Also, advising IT managers to pay attention to data security has a certain value, although some of the content seems alarmist.
Linux Security: the latest breaking news and information on security, Linux, open source, firewalls
Thursday, February 23, 2012
Saturday, February 18, 2012
Use SSL to protect VNC application
Do you want a way to access a remote desktop that is more convenient than proprietary solutions and more secure than ssh? This article describes a good way to do so, using a technique we have never introduced before.
The idea is to use SSL to secure a simple VNC viewer embedded in a Web page. This means that virtually any Web browser that can handle Java can view the remote desktop and interact with it; for typical scenarios, including telephone collaboration, technical support and training, this is a very powerful solution. The computer whose screen is shown sits in one location, someone performs an action on it, and people elsewhere want to see the results. Many situations fit this description, and this feature covers almost all of them. One method is to publish a single regular desktop as a URL protected by the HTTPS protocol; for working together with people who are not software experts this is especially convenient. They reach the remote desktop through a hyperlink or by entering the URL in the browser's address bar, which is very convenient for "civilian" users. In just a few minutes you can build your own remote desktop. An important feature of this approach is its authentication method: it is not based on login-level accounts, which is common for ssh, OpenVPN and most proprietary remote access products; we will show how to set up SSL account/password pairs instead. This is a "lightweight" method, and the desktop host remains available for other purposes. At the same time, this approach is widely used on the Web and is a key technology that most developers are very familiar with. Although VNC over SSL can be achieved in only a few steps, the core of the configuration has one complex issue: the Java VNC client does not connect to SSL sites that use their own (self-signed) certificates. Rather, the JVM in popular browsers usually requires a certificate signed by a "trusted third party" certification authority (CA). This article divides its readers accordingly.
You may already be using SSL because you manage or develop secure Web sites; in that case you can immediately reuse the same Web server and signed certificate for the VNC-through-SSL project. If you do not already have background knowledge of SSL, this technique is not a very good starting point; for you, the more traditional ssh tunnel, or Hamachi and other commercial solutions, may be an easier way to start with remote desktops. For more information, refer to the sidebar on certificates and SSL.

The first step of the method is to set up the VNC server and the corresponding tunnel. For this step you must have a valid key file, containing a private key and a public key. The keys are placed in /etc/ssl/certs/stunnel.pem. This example uses the TightVNC server on display :5.

Listing 1. Start the TightVNC server and the tunnel

    $ tightvncserver :5
    $ stunnel -d 5705 -r 5905 -p /etc/ssl/certs/stunnel.pem

Although most Linux hosts are set up to allow any user to start vncserver, you will probably need root privileges to use stunnel effectively. Depending on the host's security model, the best you can do is run: sudo stunnel .... Now the server should provide an unencrypted connection at there:5905 and an encrypted connection at there:5705. Use any convenient VNC viewer to verify the unencrypted connection by pointing it at yourhost:5. To ensure that stunnel has started and is running, search the system log with the following command:

Listing 2. Check that stunnel started successfully

    # grep stunnel /var/log/syslog | tail -24
    Aug 21 18:58:17 there stunnel[5453]: Using '5905' as tcpwrapper service name
    Aug 21 18:58:17 there stunnel[5453]: stunnel 3.26 on i386-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004
    Aug 21 18:58:17 there stunnel[5454]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed

Errors (an invalid key file, insufficient permissions, or a port already in use) appear in the same log file. For example, if the key file is missing, the log shows:

    Aug 21 18:58:17 there stunnel[5453]: /etc/ssl/certs/stunnel.pem: No such file or directory (2)

Since the server can now handle the unencrypted and the encrypted port concurrently, let's move on to the VNC Web client. To enable this feature, you need to download the SSL-enabled Java VNC viewer from the x11vnc project. In the downloaded source tarball you will find the Java code in x11vnc-x.y.z/classes/ssl/VncViewer.jar and x11vnc-x.y.z/classes/ssl/SignedVncViewer.jar. Set up a directory to hold the VNC content, copy VncViewer.jar into this directory and create an HTML source file. The sample HTML file allows the applet to make SSL connections to there:5705 over both HTTP and HTTPS. Assuming the HTML and jar files are served over HTTP on port 80 under the URI /vnc, the address http://there/vnc will display this desktop. Remember to have Java enabled in your browser! Also note that the applet's HOST parameter and the source address must use the same host name; the Java applet security model requires this.

Thursday, February 16, 2012
Snort, a lightweight IDS tool for Linux systems
1. Introduction to Snort

Snort is designed to fill the gap left by expensive, heavyweight network intrusion detection systems.
Snort is a free, cross-platform packet sniffer, logger and intrusion detector for monitoring small TCP/IP networks. It runs on Linux/UNIX and Win32 systems, takes only a few minutes to install, and you can start using it right away. Some of the features of Snort:

- real-time traffic analysis and packet logging
- packet payload inspection
- protocol analysis and content search/match
- detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, operating system fingerprinting and other intrusion attempts
- real-time alerts to syslog, a specified file, a Unix socket, or WinPopup messages via Samba

Snort has three main modes: packet sniffer, packet logger, or sophisticated intrusion detection system. Following the most important practice of open/free software development, Snort supports various plugins, extensions and customizations, including database or XML logging, small-fragment detection, anomaly detection and other statistics. Packet payload inspection is one of Snort's most useful features; it means that many additional kinds of hostile behaviour can be detected.

2. Install the required packages

The required packages:

1. libpcap: http://www.mirrors.wiretapped.net/security/packet-capture/libpcap/libpcap-0.8.3.tar.gz
2. snort: http://www.snort.org/dl/snort-2.2.0.tar.gz
3. snort rules: http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
4. openssl: http://www.openssl.org/source/openssl-0.9.7d.tar.gz
5. acid, the Web-based Analysis Console for Intrusion Databases: http://acidlab.sourceforge.net
6. gd: http://www.boutell.com/gd/
7. adodb, which provides ACID with a convenient database interface: http://php.weblogs.com/adodb
8. phplot, the graphics library ACID relies on: http://www.phplot.com/
9. apache: http://www.apache.org
10. mysql: http://wwww.mysql.com
11. php (v > 4.2): http://www.php.net

Begin the installation:

1. Install MySQL

    # addgroup mysql
    # adduser mysql

Then log in as the mysql user and execute the following commands:

    $ gzip -d -c mysql-3.23.49.tar.gz | tar xvf -
    $ cd mysql-3.23.49
    $ ./configure
    $ make
    $ make install

2. Install openssl

    # tar zxvf openssl*
    # cd openssl-0.9.7d
    # ./config
    # make
    # make test
    # make install

3. Install libpcap

    # tar zxvf libpcap*
    # cd libpcap-0.8.3
    # ./configure

If configure prints the warning "cannot determine packet capture interface (see INSTALL for more info)", the system kernel needs to be compiled with CONFIG_PACKET enabled.

    # make
    # make install

4. Install snort

    # tar zxvf snort*
    # cd snort-2.2.0
    # ./configure --enable-flexresp --with-mysql=/usr/local/mysql --with-openssl=/usr/local/ssl

This enables MySQL and OpenSSL support; for more options, see the documentation in the tarball. If configure reports "ERROR! Libpcre header not found, go get it from http://www.pcre.org", please install the pcre library. If it reports "ERROR! Libnet header not found", please download and install it from http://www.packetfactory.net/projects/libnet/. If you have already installed it, you can use the --with-libnet-* options.

    # make
    # make install

5. Install apache

    # ./configure --prefix=/usr/local/apache --enable-so
    # make
    # make install

6. Install gd

First install the GD library, which gives PHP both PNG and JPG image functions:

    # gzip -d -c gd-2.0.28.tar.gz | tar xvf -
    # cd gd-2.0.28
    # ./configure
    # make
    # make install

7. Install php

    # gzip -d -c php-4.3.2.tar.gz | tar xvf -
    # cd php-4.3.2
    # ./configure --with-mysql=/usr/local/mysql \
        --with-apxs=/usr/local/apache/bin/apxs \
        --with-gd=/usr/local
    # make
    # make install

8. Install ACID

This part of the installation involves three packages: adodb452.tar.gz, phplot-5.0rc1.tar.gz and acid-0.9.6b23.tar.gz. The installation process is very simple: extract each package into the Apache server's document root directory (here the document directory is /www/ids):

    # cd /www/ids/
    # gzip -d -c adodb452.tar.gz | tar xvf -
    # gzip -d -c phplot-5.0rc1.tar.gz | tar xvf -
    # gzip -d -c acid-0.9.6b23.tar.gz | tar xvf -

Then begin the configuration work: go to the acid directory under ACID and edit the configuration file acid_conf.php, assigning the following variables:

    $DBlib_path = "../adodb";
    $DBtype = "mysql";
    $alert_dbname = "snort";
    $alert_host = "localhost";
    $alert_port = "3306";
    $alert_user = "root";
    $alert_password = "123";
    $archive_dbname = "snort";
    $archive_host = "localhost";
    $archive_port = "3306";
    $archive_user = "root";
    $archive_password = "123";
    $ChartLib_path = "../phplot";
    $chart_file_format = "png";
    $portscan_file = "/var/log/snort/portscan.log";

Good, at this point the required software installation is complete. The following covers setting up and starting snort.

3. Snort setup and startup

We can run Snort in a chroot environment; the setup is very simple. First, choose a place with enough room for Snort's logs; if you check and clear the logs regularly, you can put Snort's chroot environment in /home/snort. Then a snort user is needed; execute the following commands to add it:

    # groupadd snort
    # useradd -g snort -d /home/snort -s /nonexists -c "Snort User" snort

Then extract the files in snortrules.tar.gz into /home/snort. After extracting the snortrules package, a directory named rules appears under /home/snort; this is the Snort ruleset, the foundation Snort uses to detect anything on the network. In the rules directory is snort.conf, Snort's configuration file, which you need to modify for the actual situation. Only a few things in snort.conf need to be modified to get Snort working; the following may need changing:

- var HOME_NET: the network or host IP. For example, with only one server you can just enter the server's IP address; if a machine has two or more IPs, you can use var HOME_NET [192.168.1.1,192.168.1.2] or var HOME_NET 192.168.1.0/24.
- var SMTP [IP.Address]: location of the SMTP server. If it differs from HOME_NET, just remove $HOME_NET and specify the IP of the SMTP machine.
- var HTTP_SERVERS: the HTTP servers, set in the same way as SMTP; if the Web server is not this machine, you can replace HOME_NET with the other IP.
- var DNS_SERVERS: the DNS servers' IP addresses. At the same time you need to uncomment the following line:

    preprocessor portscan-ignorehosts: $DNS_SERVERS

This prevents unwanted portscan records caused by DNS lookups.

The last part is logging. Since "MySQL" support was included when configuring Snort at compile time, to use MySQL logging first create the Snort database in MySQL, together with a user name and password, by executing the following commands:

    # echo "CREATE DATABASE snort;" | mysql -u root -p
    # mysql -u root -p
    mysql> grant INSERT,SELECT on snort.* to snort@localhost;

Then, in the Snort source directory, find contrib/create_mysql and execute the following command to build the tables:

    # mysql -u root -p snort < contrib/create_mysql

Tuesday, February 14, 2012
Use SSL to protect VNC application
One advantage of using standard components and protocols is that they can be replaced very simply.
For example, most of our development adopted the Xvnc server, and there are several ways to substitute it for the TightVNC used in the method above. Note that the command-line parameters of the alternatives may differ slightly; in all cases, however, the principle is the same. Almost all Linux distributions provide standard packages for some open source VNC server, and the VNC project is even very easy to install from source. The most difficult part of any VNC server installation is that it requires specific default fonts; even in this case, however, there is at least a clear remedy.

The browser-enabled SSL VNC viewer carries at least a little risk. It works in all major browsers, including Mozilla Firefox, Internet Explorer and Opera, but every browser needs Java runtime 1.4 or later. Users of older versions of Microsoft Windows will have problems, because those systems still rely on the Microsoft JVM 1.1; in that case the VNC viewer cannot run in Internet Explorer, and the report indicates that the VncViewer class was not found. The only solution is to provide a non-SSL connection to the VNC server and suggest that the user upgrade to the latest Java Runtime.

By default, most VNC servers will not share your desktop; that is, any new connection closes the previous connection. For collaboration, technical support and similar applications, start the server with the command-line argument -alwaysshared or a similar method, following the documentation. This allows multiple users to connect to the same desktop.

Focus? Although you may have used VNC, Web services, Java, SSL, browsers and so on, you may never have used them together. What have you won now?

Certificates and SSL. We mentioned earlier that if you are already using SSL, you only need to reuse the certificate, and if you are not, it takes only a few hours to start using it; strictly speaking that is not quite so.
From the developer's point of view, SSL plays at least two roles: it encrypts the VNC traffic, and it authenticates you to your remote desktop, so that you have basic security in a hostile Internet world. Opening a normal SSL site in a browser is simple. But if the browser cannot find a trusted certificate for the SSL communication, you (or, more seriously, anyone using a Web browser to remotely access someone else's desktop) will see a lot of warning dialog boxes, or worse. In this article we recommend that you purchase and use a certificate to resolve this problem. The answer can be as complicated or as simple as you make it. For example, Sun's J2RE 1.4 JVM requires not only that the certificate be signed by a certificate authority, but that it be obtained from a high-end CA such as Verisign or Thawte. A browser using that JVM treats certificates signed by less-famous CAs like self-signed certificates. On the other hand, the article stresses that using VNC over SSL with self-signed certificates is not impossible: if you can tolerate continual browser warning pop-ups, you can at least experiment with your own certificates. Tutorials for creating a self-signed certificate are unexpectedly committed to making the whole process "very simple". At a certain level, all they do is execute the following command lines:

Listing 4. Create a self-signed certificate

    openssl genrsa -des3 -out server.key 1024
    openssl rsa -in server.key -out server.pem
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 3560 -in server.csr \
        -signkey server.key -out server.crt
    cat server.pem server.crt > combined.pem

Some of these steps require interaction on the command line. The most critical item is the "Common Name" asked for in the third line; this value is the fully qualified domain name of the host where the shared desktop is located. Typically this value is what the hostname command would return.
Obtaining a certificate is the most difficult part of the VNC-over-SSL process; with a usable certificate in hand, you can simply complete all the other steps. In fact, you now gain a lot. First, this is very similar to a GUI screen session: you can start the GUI session while you work, leave it with all its features and performance intact, and reconnect to the same session from any Java-capable Web browser. This is a very powerful tool. But you gain even more. VNC is very convenient for teleconferencing; for example, we use it to set up complex graphical applications for non-technical users. In principle a remote X server can perform the same function, but VNC offers many advantages: security and more manageability. Compared with X, VNC usually passes through firewalls more easily. VNC viewers are easier to install than X servers, especially the browser-based viewer installed from a Web page. VNC easily provides one desktop to multiple viewers. VNC is generally less affected by network latency. X authentication (and ssh tunnels) are often based on account-level /etc/passwd entries, whereas Web-based access uses HTTP(S) authentication; creating and maintaining such accounts requires a lot of experience, even for casual use (such as a conference-call presentation). Compared with an X server, a VNC viewer requires less memory and related hardware. VNC servers typically provide a very useful read-only access configuration. Another key point of this technology is that the heaviest computational load, the encryption, is performed by "native" non-Java code at run time. Although it is a safe assumption that network delay is the first factor determining performance, encryption and decryption also have a price; if that price were too high, you could not use this technology in place of the alternatives (unless you used a very high-performance computer).
A pleasant advantage of using VNC via SSL is that old, or even very simple, hardware with standard software quickly gives acceptable response. You may have different needs and resources; you will need to determine how VNC compares with Citrix, Windows Terminal Services, WebEx, Hamachi and other commercial "remote" solutions. However, we have seen VNC over SSL solve many problems. In subsequent articles we will show how to integrate VNC with other virtualization technologies into a powerful resource-sharing technology.

But at the end of this article there is an important issue that readers need to be reminded of: VNC has a very serious security problem. Because VNC protects a session with only one password, a standard VNC service subjected to hours or days of brute-force attack is likely to be cracked. The number of "bad guys" interested in VNC is increasing rapidly; make sure you use a very strong VNC password of at least 8 characters, preferably mixing numbers, letters and other symbols. SSL provides many protection mechanisms; if sessions last a few hours at a time, you should consider using them. In subsequent articles we will learn more about security issues.

The method above uses several powerful open source components, yet involves almost no original programming. No one had actually written documentation for combining these components, yet the combination is very convenient, which is really amazing. For more details about VNC, SSL and other topics, see the references section.

Concluding remarks: in the next article we will detail two specific workplaces using VNC via SSL, and how to adapt your environment to this technology, including how to work with firewalls and proxies. We will also cover when and why using a "native" VNC viewer together with the browser-hosted client mentioned in this article is an advantage.
We would especially like to thank Matt Kennel, who shared our concern about the security issues and discussed with us how to apply VNC over SSL in practice. Original link: http://www.ibm.com/developerworks/cn/linux/l-sslvnc.tml

Sunday, February 12, 2012
Starting and disabling Linux system services, and their corresponding port numbers
/etc/services lists the system's default services and their corresponding ports. The startup and shutdown scripts of the individual daemons (services) are placed in /etc/init.d/, but Red Hat systems put them in /etc/rc.d/init.d; the control parameter files for the superdaemon are placed in /etc/xinetd.d.
Standalone (independent startup) and superdaemon (super service): as the name implies, a standalone service is executed directly, loading the executable into memory and running it, so a service started this way responds quickly. Generally the launch script of this kind of service is placed under /etc/init.d/, so you can often start it with:

    /etc/init.d/sshd restart

A superdaemon manages some network services on their behalf; in CentOS 4.3 the superdaemon is xinetd. Network services started this way respond more slowly, but the superdaemon can provide some additional control: when to start, when clients may be online, which IPs may connect, whether simultaneous connections are allowed, and so on. The profiles are usually in /etc/xinetd.d/, but after changing a setting you must run /etc/init.d/xinetd restart to start it again.

If you want to switch off a port on the system, say port 25, the simplest approach is first to identify the process that opened it. For example:

    # netstat -tnlp
    tcp   0   0 127.0.0.1:631   0.0.0.0:*   LISTEN   1171/cupsd    // port 631 is opened by the program cupsd

If the program is not visible, use nmap localhost to view the native ports; it shows the ports and their corresponding programs.

    # which cupsd
    /usr/sbin/cupsd          // identify the location of the cupsd program

If which does not find it, use locate with a regular expression to find the command:

    # locate cupsd | grep '/cupsd$'
    /usr/sbin/cupsd

Then use RPM to find the package and its startup script:

    # rpm -qf /usr/sbin/cupsd
    cups-1.1.17-13           // identify the package name
    # rpm -qc cups | grep init
    /etc/rc.d/init.d/cups    // identify the program's startup script
    # /etc/rc.d/init.d/cups stop    // stop the program

Friday, February 10, 2012
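As an added example for the service startup post above (not code from the original post), the following POSIX shell functions automate its netstat -tnlp step: given netstat output as text, they print the program that opened a given port and list every listener bound to all interfaces rather than to 127.0.0.1 only, which is the set worth reviewing before deciding what to switch off. The embedded netstat sample is constructed; on a real host pass the output of netstat -tnlp instead.

```shell
# Constructed sample of `netstat -tnlp` output (not captured from a real host).
# On a live system call e.g.:  port_owner 25 "$(netstat -tnlp 2>/dev/null)"
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1171/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      845/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1302/sendmail
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1410/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1523/httpd'

# port_owner PORT [NETSTAT_TEXT]: print the program name listening on PORT
# (prints nothing when no listener matches)
port_owner() {
    printf '%s\n' "${2:-$NETSTAT_SAMPLE}" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # local address is host:port (IPv6 uses ::: prefixes); port is the last field
            n = split($4, addr, ":")
            if (addr[n] == p) { split($7, prog, "/"); print prog[2]; exit }
        }'
}

# exposed_listeners [NETSTAT_TEXT]: print "port program" for every socket bound to all
# interfaces (0.0.0.0 or ::), i.e. reachable from the network and not only from localhost
exposed_listeners() {
    printf '%s\n' "${1:-$NETSTAT_SAMPLE}" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            n = split($4, addr, ":"); split($7, prog, "/")
            print addr[n], prog[2]
        }'
}

# Stand-alone demonstration against the constructed sample
echo "port 631 is opened by: $(port_owner 631)"
echo "listeners reachable from the network (port program):"
exposed_listeners
```

Once the program name is known, the rpm -qf / rpm -qc steps in the post lead from it to the init script that stops the service.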
Using SSH to implement secure data transfer under Linux (with pictures)
Protocols currently in use on the Internet such as FTP, Telnet and POP are essentially insecure: they transmit passwords and data over the network in clear text, so a hacker can very easily intercept these passwords and data, undermining the integrity and confidentiality of the data.
This article describes how to use SSH software under Linux to guarantee the security of data transmission, through a password mechanism, in an insecure network environment. SSH stands for Secure Shell. By using SSH, all transferred data can be encrypted, so even if a network hacker hijacks the data transmitted by the user, it cannot be decrypted and therefore poses no real threat to the transfer. In addition, the transmitted data is compressed, which can speed up the transfer. SSH has many functions: it can replace Telnet, and it provides a secure "transmission channel" for FTP and POP. In an insecure network communication environment it provides strong authentication and a very secure communications environment. SSH consists of client-side and server-side software, and there are two incompatible versions, 1.x and 2.x: a client using SSH 2.x cannot connect to a service that looks like SSH 1.x. OpenSSH 2.x supports both SSH 1.x and 2.x.

SSH provides two levels of security validation. The first is security authentication based on passwords: as long as the user knows the account and password, they can log on to the remote host. All transferred data is encrypted, but it cannot be guaranteed that the user is connecting to the server the user wants to connect to; another server could impersonate the real server, which is a potential threat. The second is security validation based on keys. The user must create a public/private key pair and place the public key on the server that needs to be accessed. When connecting to an SSH server, the client software sends a request to the server, and the request uses the user's key for security verification. After the server receives the request, it first looks for the user's public key in the user's home directory on the server, and then compares it with the public key sent by the user.
If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. After receiving the "challenge", the client software decrypts it with the user's private key and sends it back to the server.

Installing and starting SSH. Red Hat Linux 7 and its later releases include the packages associated with OpenSSH; if not, you can download the RPM packages from the OpenSSH home page, www.openssh.com. The main packages to install are: openssh-3.5p1-6, openssh-server-3.5p1-6, openssh-askpass-gnome-3.5p1-6, openssh-clients-3.5p1-6, openssh-askpass-3.5p1-6. Use the following commands to install them. First, query whether the above packages are installed on the system:

    # rpm -qa | grep openssh

If they are not installed, run the following commands:

    # rpm -ivh openssh-3.5p1-6
    # rpm -ivh openssh-server-3.5p1-6
    # rpm -ivh openssh-askpass-gnome-3.5p1-6
    # rpm -ivh openssh-clients-3.5p1-6
    # rpm -ivh openssh-askpass-3.5p1-6

After the installation has completed, you can use either of the following two commands to start it:

    # service sshd start
    # /etc/rc.d/init.d/sshd start

Also, if you want the system to run the service automatically at startup, use the setup command and select the sshd daemon in the network service configuration options. After installing and starting OpenSSH, test it with the following command:

    ssh -l [username] [address of the remote host]

If OpenSSH is working correctly, you will see the following message:

    The authenticity of host [hostname] can't be established.
    Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
    Are you sure you want to continue connecting (yes/no)?

At the first login, OpenSSH prompts that it does not know the login host; simply type "yes", and the identification tag of this "host" is added to the "~/.ssh/known_hosts" file. On the second visit to this host the message is no longer shown.
Then SSH prompts for the password of the user account on the remote host. In this way an SSH connection is established, and you can use SSH as easily as telnet.

SSH key management. (1) Generate your own key pair. Use the following command to generate a public/private key pair: ssh-keygen -t rsa. If the remote host uses SSH 2.x, use this command: ssh-keygen -d. Having both SSH1 and SSH2 keys on the same host is no problem, because the keys are stored in different files. After the ssh-keygen command runs it displays the following information:

    # ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/username/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/username/.ssh/id_rsa.
    Your public key has been saved in /home/username/.ssh/id_rsa.pub.
    The key fingerprint is:
    38:25:c1:4d:5d:d3:89:bb:46:67:bf:52:af:c3:17:0c username@localhost
    Generating RSA keys: Key generation complete.

The "ssh-keygen -d" command does the same work, but the default save paths for its key pair are /home/[user]/.ssh/id_dsa (private key) and /home/[user]/.ssh/id_dsa.pub (public key). Now the user has a pair of keys: the public key is distributed to all remote hosts the user wants to log in to with SSH; the private key is kept under custody so that nobody else learns it. The file access permission displayed by "ls -l ~/.ssh/identity" or "ls -l ~/.ssh/id_dsa" must be "-rw-------". If you suspect that your key has become known to others, you should immediately generate a new key; of course you will then also need to redistribute the public key for normal use.

2. Distribute the public keys. Every user who needs to connect via SSH to a remote server creates a ".ssh" subdirectory in their home directory on that server, copies the user's public key "identity.pub" to this directory and renames it to "authorized_keys". Then execute the command:

    chmod 644 .ssh/authorized_keys

This step is essential.
Because if anyone other than the user has write permission on the "authorized_keys" file and it is tampered with, SSH will not work properly. If the user wants to log on to the remote host from different computers, the "authorized_keys" file can contain multiple public keys. In this case, you must generate a new key pair on the new computer, and then copy the generated "identity.pub" file into the "authorized_keys" file on the remote host. Of course, the user must have an account on the new computer, and the key is password protected. It is important to remember to delete the key when the user cancels this account.

Configuring the SSH client. Using SSH on a Linux client has the advantage of being convenient to operate, without additional software; the disadvantage is that it is not very intuitive. Users only need the system's default profile "/etc/ssh/ssh_config" and the following simple command to log in:

    // user test logs in to the remote server www.test.com
    # ssh -l test www.test.com

The following section mainly introduces how to configure the putty tool in a Windows environment to log in to the SSH server. The tool is fairly common and can be downloaded free from the Internet; the latest version is currently putty 0.58. After installing it, do the following steps to configure it: 1. Open the software; the configuration interface and the initial Session window open automatically. 2. In the 【Host Name (or IP address)】 edit box in the right half of the interface, enter the address of the remote server to log on to, here set to 192.168.10.1; in the port edit box enter the default port number 22, and then click the 【Save】 button to save the configuration, as shown in Figure 1. Figure 1: Configuring the IP address and port number. 3. Click the 【Open】 button; the software connects to the server and displays the result, and the user can perform the appropriate remote management operations.
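As an added example (not code from the original article), this POSIX shell script checks the two permission rules the article gives, private keys shown as -rw------- and authorized_keys set to 644, and installs a public key into authorized_keys the way the article describes, refusing a file that is actually a private key. It assumes `ls -ld` prints the mode in its first ten characters; the key material it uses is a constructed placeholder, not a real key.

```shell
# mode_of FILE: permission string as shown by ls -l, e.g. "-rw-------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_ssh_perms DIR: print each violation of the article's rules; return 0 only if none
check_ssh_perms() {
    dir=$1 rc=0
    # private keys (SSH1 identity, SSH2 id_dsa/id_rsa) must be readable by the owner only
    for f in identity id_dsa id_rsa; do
        [ -f "$dir/$f" ] || continue
        m=$(mode_of "$dir/$f")
        if [ "$m" != "-rw-------" ]; then
            echo "$f: mode $m, expected -rw------- (fix: chmod 600 $dir/$f)"
            rc=1
        fi
    done
    # authorized_keys must not be writable by anyone but the owner (article: chmod 644)
    if [ -f "$dir/authorized_keys" ]; then
        m=$(mode_of "$dir/authorized_keys")
        case $m in
            -rw-r--r--|-rw-------) ;;
            *) echo "authorized_keys: mode $m, expected -rw-r--r-- (fix: chmod 644)"; rc=1 ;;
        esac
    fi
    return $rc
}

# install_authorized_key DIR PUBKEY_FILE: append a public key to DIR/authorized_keys with
# the permissions the article requires; refuses a file that contains private key material
install_authorized_key() {
    dir=$1 pub=$2
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key, not a public key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    cat "$pub" >> "$dir/authorized_keys"
    chmod 644 "$dir/authorized_keys"
}

# Stand-alone demonstration on a constructed temporary directory (no real keys involved)
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2E_constructed_placeholder user@client\n' > "$demo_dir/id_rsa.pub"
printf 'constructed placeholder, not a real key\n' > "$demo_dir/id_rsa"
chmod 600 "$demo_dir/id_rsa"
install_authorized_key "$demo_dir" "$demo_dir/id_rsa.pub"
check_ssh_perms "$demo_dir" && echo "ok: $demo_dir passes the permission checks"
rm -rf "$demo_dir"
```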
Configure automatic login SSH in SSH's described above, each time the user logs on the server will need to enter the password for the user, is in some trouble. Since SSH key mechanisms used in full, then you must configure the system, to achieve a configuration that do not have to enter your password for easy logon to the end, the following Windows client, for example, shows how to auto login to SSH in. In Windows, use the previously described putty client software also allows you to easily implement an automatic logon, mainly using the putty tool kit comes with puttygen tool to generate a public/private key pair, the same principles and under Linux, the following describes the configuration details. 1. open puttygenTools to generate a public/private key pair, as shown in Figure 2, select the type of key generated SSH2RSA. Figure 2 main interface 2PuttygenGenerator. click 【 Generate 】 button, enter the public/private key pair generation interface, users need to keep the interface space, move the mouse to ensure that key generated random performance. 3. successful public/private key pair is generated, the system prompts the user to save the public key/private key pair. Click the button and 【 Savepublickey 】 【 Saveprivatekey 】 button, specify the path to save the public key and private key. 4. use putty connections on the server, copy the contents of the public key file to the server in the main directory, use your own account to log on to a remote system, and then execute the following command. Then use Notepad to open the file, select all id_rsa1.pub, press CTRL + C to copy to the Clipboard, and then in the Putty window, press SHIFT + Ins paste, and then press Ctrl + D keys, complete file creation. This is the process of completing public key distribution.Wednesday, February 8, 2012
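The permission rules the text states for key material (private key -rw-------, authorized_keys not writable by anyone but its owner, the .ssh directory private) are worth checking by script rather than by eye. The following is an added example, not code from the original article: it audits a .ssh directory against those rules and can apply the prescribed modes; the directory path is a parameter and the key file names (identity, id_rsa, id_dsa) are the ones the text mentions.

```shell
#!/bin/sh
# Added example: audit and repair the permission bits the article prescribes
# for SSH key material. Portable POSIX sh; reads modes from "ls -ld" so it
# does not depend on GNU stat.

# mode_of FILE: the 10-character permission string from ls, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# private_key_ok FILE: true only if the mode is exactly -rw------- (0600),
# the value the text requires for identity / id_dsa / id_rsa
private_key_ok() {
    [ "$(mode_of "$1")" = "-rw-------" ]
}

# not_group_other_writable FILE: true if neither group (column 6) nor others
# (column 9) hold the write bit; a writable authorized_keys could be tampered
# with, and sshd then refuses to use it
not_group_other_writable() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "-" ] &&
        [ "$(printf '%s' "$m" | cut -c9)" = "-" ]
}

# audit_ssh_dir DIR: print one WARN line per problem, then the problem count
# as the last line; always exits 0 so the output can be captured with $(...)
audit_ssh_dir() {
    dir=$1
    count=0
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "WARN $dir is $(mode_of "$dir"), expected drwx------"
        count=$((count + 1))
    fi
    for k in identity id_rsa id_dsa; do
        if [ -f "$dir/$k" ] && ! private_key_ok "$dir/$k"; then
            echo "WARN $dir/$k is $(mode_of "$dir/$k"), expected -rw-------"
            count=$((count + 1))
        fi
    done
    if [ -f "$dir/authorized_keys" ] && ! not_group_other_writable "$dir/authorized_keys"; then
        echo "WARN $dir/authorized_keys is writable by group or others"
        count=$((count + 1))
    fi
    echo "$count"
}

# audit_count DIR: only the number of findings
audit_count() {
    audit_ssh_dir "$1" | tail -n 1
}

# harden_ssh_dir DIR: apply the modes the text prescribes (700 / 600 / 644)
harden_ssh_dir() {
    dir=$1
    chmod 700 "$dir"
    for k in identity id_rsa id_dsa; do
        if [ -f "$dir/$k" ]; then chmod 600 "$dir/$k"; fi
    done
    if [ -f "$dir/authorized_keys" ]; then chmod 644 "$dir/authorized_keys"; fi
}

# Typical use after sourcing this file: audit_ssh_dir ~/.ssh ; harden_ssh_dir ~/.ssh
```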
Starting and disabling Linux system services and their corresponding port numbers

/etc/services lists the system's default services and their corresponding ports. The startup and shutdown scripts of the individual daemons (services) are placed in /etc/init.d/, but Red Hat systems put them in /etc/rc.d/init.d; the control parameter files of the superdaemon are placed in /etc/xinetd.d.

Standalone (independent startup) and superdaemon (super service). Standalone, as the name implies, means the service is executed directly: the executable is loaded into memory and runs, so a service started this way responds quickly. Generally the launch scripts of such services are placed under the /etc/init.d/ directory, so you can often use [/etc/init.d/sshd restart] to start such a service. A superdaemon, on the other hand, manages a number of network services; in CentOS 4.3 the superdaemon is xinetd. Network services started this way respond more slowly, but the superdaemon provides additional control, for example when the service may start, when clients may be online, which IPs may come in, whether simultaneous connections are allowed, and so on. Its profiles are usually in /etc/xinetd.d/, and after changing a setting you must run [/etc/init.d/xinetd restart] to start it again.

If you want the system to switch off port 25, the simplest approach is to first identify the process that opened port 25:

# netstat -tnlp
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1171/cupsd   // the port is opened by the program cupsd

If the program is not visible, use nmap localhost to view the local ports; it shows each port and the corresponding program.

# which cupsd
/usr/sbin/cupsd   // identify the program location

If which does not find it, use locate with a regular expression to find the command:

# locate cupsd | grep '/cupsd$'
/usr/sbin/cupsd

Then use rpm to deal with it:

# rpm -qf /usr/sbin/cupsd
cups-1.1.17-13   // identify the package name
# rpm -qc cups | grep init
/etc/rc.d/init.d/cups   // identify the program's startup script
# /etc/rc.d/init.d/cups stop   // stop the program

1. To start telnet, you must first have the telnet server installed, so first query rpm to see whether telnet-server is installed: [rpm -qa | grep telnet-server]. If it is not installed, download it or find it on the CD and install it with [yum install telnet-server]. 2. Since it is managed by the superdaemon, first edit the file /etc/xinetd.d/telnet, change [disable = yes] to [disable = no], then run [/etc/init.d/xinetd restart] to restart the superdaemon. 3. Use netstat -tnlp to check that port 23 is open. 4. Boot-time startup data is placed in /etc/rc.d/rc[0-6].d/; you can use the ntsysv and chkconfig commands to control whether a service is started at boot. For example: 1. How to find out whether the portmap program will run at boot? 2. If it does, how to change it so that it does not start at boot? 3. How to shut down the portmap service immediately? Use [chkconfig --list | grep portmap] and [runlevel] to confirm your environment and whether portmap is started. (runlevel shows the current boot runlevel; chkconfig shows whether a program starts or not: off means it is not started at boot.) If it is started, use [chkconfig --level 35 portmap off] to stop it from starting at boot (runlevels 3 and 5 are the text and graphical interfaces). Use [/etc/init.d/portmap stop] to shut the service down immediately.

Services that normally need to be started:
acpid: the newer power management module; generally recommended, but some notebook computers may not support this service, in which case it must be shut down.
atd: manages one-off scheduled command execution; should be started.
crond: manages scheduled jobs; critical, be sure to start it.
iptables: the Linux built-in firewall software; it can also be started.
keytables: if your keyboard has a non-standard layout, starting this service may help you.
network: this is important; networking requires it.
sshd: started by the system by default; allows remote login in text form.
syslog: system log file recording; very important, be sure to start it.
xinetd: the superdaemon, so it should be started.
xfs: the X Window font server, which manages glyph data; start it if you need X Window.
Other services can be set to start when needed.
Monday, February 6, 2012
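The text walks through one port by hand (netstat -tnlp, then which/locate/rpm). As an added example that is not part of the original post, the functions below parse netstat -tnlp output to map every listening port to its program and to list listeners that are not on an allow-list, which is the check an administrator wants before deciding what to stop. The netstat sample, its PIDs and program names are constructed; the functions read netstat output on stdin so a live "netstat -tnlp |" works the same way.

```shell
#!/bin/sh
# Added example: map listening TCP ports to programs from "netstat -tnlp"
# output, as the article does manually, and flag unexpected listeners.

# sample_netstat: constructed output in the format of "netstat -tnlp"
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1171/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      890/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1202/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      700/portmap
tcp        0      0 :::23                   :::*                    LISTEN      1300/xinetd
EOF
}

# listeners: print "port program" for every LISTEN line on stdin. The port is
# the text after the last ':' of the local address, so ":::23" works too, and
# the program is the part of "PID/Program" after the slash.
listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); split($7, p, "/");
        print a[n], p[2]
    }'
}

# port_owner PORT: the program holding PORT open, or "-" if nothing listens
port_owner() {
    owner=$(listeners | awk -v want="$1" '$1 == want { print $2; exit }')
    echo "${owner:--}"
}

# unexpected_listeners "ALLOWED PORTS": "port/program" for each listener whose
# port is not in the space-separated allow-list, one per line
unexpected_listeners() {
    listeners | awk -v allow=" $1 " '
        index(allow, " " $1 " ") == 0 { print $1 "/" $2 }'
}

# Stand-alone run: who owns port 25, and what listens beyond ssh and cups?
sample_netstat | port_owner 25
sample_netstat | unexpected_listeners "22 631"
```

On a live system, replace sample_netstat with "netstat -tnlp" and feed the result into the same functions.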
Sunday, February 5, 2012
Using SMC for Solaris 10 server role management (continued)

But because wildcards are not related to special program attributes, all wildcard entries are executed with the uid and gid of the current user (or role).

If you specify this right, it should be placed at the end of the rights list. If it is the first item in the list, the find command attribute does not query the other rights. If "Add all" is dimmed, you cannot "Add" or "Delete" this right.
- Home directory. Description: enter the role's home directory (or accept the default). By established practice this directory is written as /export/home/role-name; the role name is appended automatically to the displayed "path". The home directory is where the role's private files are saved on the "home directory server".
- Assign users to the role. In this step, add the user names of the users allowed to use the role. You can add users now, or add users to the role later from the "Role properties" dialog or the "User properties" dialog. Note: although roles and users have similar attributes, you cannot assign a role to another role.
- Confirm the addition. This role check screen displays all the information you entered or selected on the previous screens. If the information is correct, click "Finish". If you want to make changes, click "Back" to return to the screen you want to change.
Thursday, February 2, 2012
Some practical tips for protecting Linux systems against hackers

Linux is a multi-user system; once someone has your root account, they can do whatever they want on your system, because in single-user mode that one user has full control permissions. If the system is operated improperly or accessed by others, the consequences will be dire. To guard against single-user mode, note the following.

1. Protect the /etc/inittab file. If the 3 in id:3:initdefault: is changed to 1, every boot goes directly into single-user mode. Set the owner of /etc/inittab to root and set its mode with chmod 700 /etc/inittab so that other users cannot modify it. 2. If you boot with lilo, set the boot wait time in lilo.conf to 0 or as short as possible, either through linuxconf or by editing the file directly; in that case, entering single-user mode requires booting from a floppy disk. 3. If you boot with GRUB, the easiest way is to protect the startup options with a GRUB password. 4. To prevent remote destruction that lets the system be restarted, besides managing the root password and the files under the /etc directory effectively, also set the CMOS password, so that even if someone puts the system into single-user mode, the computer cannot be started directly.
Wednesday, February 1, 2012
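The four tips above can be verified rather than remembered. The following is an added example, not part of the original post: it checks copies of /etc/inittab, lilo.conf and the GRUB configuration for the points the tips name (initdefault not 1, inittab mode 700, lilo timeout 0, a GRUB password directive). The file paths are parameters so it runs against constructed files as well as the live ones; the CMOS password (tip 4) is a firmware setting and cannot be checked from a file.

```shell
#!/bin/sh
# Added example: audit boot-time single-user-mode protections described in
# the article. Portable POSIX sh using sed/grep/ls only.

# inittab_default_runlevel FILE: the N from the "id:N:initdefault:" line
inittab_default_runlevel() {
    sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p' "$1" | head -n 1
}

# lilo_timeout FILE: value of "timeout=" (tenths of a second), 0 if absent
lilo_timeout() {
    t=$(sed -n 's/^[[:space:]]*timeout[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${t:-0}"
}

# grub_has_password FILE: true if a "password" directive protects the menu
grub_has_password() {
    grep -Eq '^[[:space:]]*password([[:space:]]|$)' "$1"
}

# audit_boot INITTAB LILO_CONF GRUB_CONF: one WARN line per finding, then the
# count as the last line. Pass "" for the boot loader you do not use.
audit_boot() {
    inittab=$1; lilo=$2; grub=$3; count=0
    if [ "$(inittab_default_runlevel "$inittab")" = "1" ]; then
        echo "WARN $inittab boots straight into single-user mode (initdefault 1)"
        count=$((count + 1))
    fi
    # columns 5-10 of "ls -ld" are the group and other bits; mode 700 leaves them empty
    if [ "$(ls -ld "$inittab" | cut -c5-10)" != "------" ]; then
        echo "WARN $inittab is accessible to group or others; expected mode 700"
        count=$((count + 1))
    fi
    if [ -n "$lilo" ] && [ "$(lilo_timeout "$lilo")" -ne 0 ]; then
        echo "WARN $lilo timeout is $(lilo_timeout "$lilo"); the article sets 0"
        count=$((count + 1))
    fi
    if [ -n "$grub" ] && ! grub_has_password "$grub"; then
        echo "WARN $grub has no password directive protecting the boot options"
        count=$((count + 1))
    fi
    echo "$count"
}

# audit_boot_count INITTAB LILO_CONF GRUB_CONF: only the number of findings
audit_boot_count() {
    audit_boot "$1" "$2" "$3" | tail -n 1
}

# Typical live use: audit_boot /etc/inittab /etc/lilo.conf ""   (lilo systems)
#                   audit_boot /etc/inittab "" /boot/grub/grub.conf   (GRUB systems)
```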
Using SMC for Solaris 10 server role management (continued)

Here I will use the SMC GUI tool for role and permission management.

First, role management in the SMC console. Role management is located in the User Tools section of the System Configuration part of the SMC console. User Tools is a set of tools for managing user accounts, user groups and mailing lists. Figure 1 shows the role management interface; Table 1 explains the fields of role management:
Role name: the name the administrator uses to log in to the special role. Each role name must: be unique within the domain; contain two to 32 letters, numbers, underscores (_), hyphens (-) and periods (.); start with a letter; contain at least one lowercase letter; contain no spaces. If you later change the role name in the role properties dialog, the name of the mailing list associated with the role changes automatically.
Full name: the full, descriptive name of the role. The name should be unique within the domain (a unique name reduces the time needed to look it up in a specific database) and can effectively contain an unlimited number of letters, numbers, spaces and special characters.
Description (optional): a full, descriptive text for the role, with the same rules as the full name.
Role ID number: the identification code assigned to the role. Roles draw on the same set of identification numbers as user names (although a user's code is called the UID). The default is the next available number. The role ID number must be an integer from 100 to 2147483647 and unique within the domain (not the ID or UID of any other role or user).
Role shell: select the role's login shell (Administrator's Bourne, Administrator's Korn or Administrator's C shell). This is the shell in which the role runs in a login terminal or console window. These are similar to the more general Bourne, Korn and C shells. However, these "administrator" shells ensure that, once the user takes on the role, the user can only execute the commands the role allows. To operate in an administrator role shell, the user logs in at a terminal or console window and enters the su command followed by the role name: su rolename.
Create role mailing list: check this box to create a mail list with the name of the role. All users you assign to the role in step 5 will receive mail sent to it. When you later assign other users to the role, use the "Mailing list" tool to add those users to the mail list (and to perform any other mail list maintenance). Note: if a mailing list with the role's name already exists, you cannot create a mail list here, because two lists cannot have the same name. You can rename the role, or later use the "Mailing list" tool to create a mail list and then add the user names to the list.

Roles are special accounts used to grant permissions to administrators. Each role's attributes include the list of users who can assume the role and the permissions granted to the role. When a user assumes a role, they give up their own user account attributes and take on the role's attributes, including permissions, home directory, password and so on. You can use the root user as a full role; other roles restrict permissions more. If you select "Administrative Roles" in the right window and click "Action" -> "Open", you see the list of existing roles (if any). The "Action" menu then changes to provide the options described below. To add a role, click "Action" -> "Add Administrative Role". To assign users to a role, select the role and click "Action" -> "Assign Administrative Role". To assign rights to a role, select the role and click "Action" -> "Assign Rights to Role". To view or change the properties of an existing role, double-click the name of the role.
Tuesday, January 31, 2012
Snapshot-style incremental backups with rsync and SSH
Author: Stephan Jau
Monday, January 30, 2012
Linux system security tools in detail

Security is one of the main concerns of a system administrator, and the danger caused by intrusions from the Internet grows higher and higher.

Statistically, as the number of users grows, so does the number of hackers. Consequently the number of security tools has increased exponentially. Once again we thank the free software community, which provides us with the best tools we can find and extensive documentation. In the references area at the end of this article you will find many interesting links; obviously this article cannot mention everything, so I picked some good tools. This article is not written for the individual user but for system administrators, although some tools are designed specifically to protect a host or improve network security. Most of the tools work on many UNIX systems (if not all of them), whether the UNIX is commercial or free. Finally, this article is not a "how to make your network or host secure" article; it is an introduction to the tools you can (must) use to improve the security of a network or machine.

1. General tools. Let us call this section "tools for white hats to protect Red Hat from black hats" :-). Most Linux distributions (not just Red Hat) ship with some good security tools that make your machine more secure. Among these we can count PAM, TCP Wrapper, the shadow password tools and so on. Because they are part of the distribution, you can find a lot about them (HOWTOs, man pages), so we will not spend too much time on them. Let us start with the shadow password tools: simply put, they keep the encrypted passwords in the file /etc/shadow instead of /etc/passwd. PAM is more than a shadow password tool: as its name says, it is another authentication method, used to configure access control for services. You can define many restrictions, and they are easy to manage because the files are usually placed in the /etc/pam.d directory.

TCP Wrapper, simply put, restricts access to services by IP address or hostname, relying on two files that decide whether access is allowed or denied: /etc/hosts.allow and /etc/hosts.deny. TCP Wrapper can be configured in two working modes: by running the tcpd daemon, or by modifying the /etc/inetd.conf file. If your UNIX system does not contain TCP Wrapper, you can get it from ftp://ftp.porcupine.org/pub/security/. Now I will tell you why I do not go further into the tools mentioned above: there is one tool that can configure all of these features for you, Bastille-Linux. If you only want to install one security tool, install this one. Current common Linux distributions do not include it, but you can download it from the http://bastille-linux.sourceforge.net website. By the way, we will not describe Bastille-Linux in this article, because a colleague already introduced it, and everything about it, very well in the September issue of LinuxFocus; go take a look, and make Bastille-Linux an indispensable tool in your life! Another tool commonly used to increase security is xinetd, found at http://www.xinetd.org; sorry, I do not intend to introduce it either, also because a colleague finished that work in the November issue of LinuxFocus. Now let us take a look at some special things.

2. Firewall tools. The free software that turns your Linux machine into a firewall is iptables for the 2.2 kernel and ipfwadm for the 2.0 kernel. For iptables or ipfwadm to work, the kernel must be compiled with the right options selected; on this topic, besides the HOWTOs, there are many related articles, so I do not intend to raise it here. Simply put, a firewall can be regarded as a packet filtering tool; the most important part of the work concerns the firewall configuration, and an improperly configured firewall can become very dangerous. Nevertheless, a firewall is important.

For example, Bastille-Linux can provide you with an ipchains firewall. If you visit http://www.linuxapps.com and type "firewall" in the search area, you get more than 40 answers, many of which are graphical interfaces for managing ipchains or ipfwadm, and also some really great tools with many features, for example T.REX, the tool at http://www.opensourcefirewall.com. One more reminder: a firewall is indispensable in a network, but network security cannot rely on it alone; a hacker can break it within 15 minutes.

3. Port scanning. Here we reach the heart of the problem. The idea is to do what a hacker does: use the same tools to monitor where the weaknesses of your machine or network are. In this area there are two great tools, and others that are also useful. The first is called nmap, which you can download from http://www.insecure.org together with much information and links. With nmap you can check which ports on your network or machine are open. Of course you can use other commands to do this, for example lsof or netstat, but only on your own machine; nmap, obviously, can check your own machine as well. nmap provides you with lots of information: for example, it can tell you which operating system a host is running and notify you of the danger of an open port; last but not least, nmap is fairly easy to use. nmap runs from the shell, or through a graphical interface called nmapfe that is based on the gtk library. The current version of nmap is 2.53; it runs on many UNIX platforms and is provided as source code or as RPM packages, with or without the graphical interface. nmap is a tool no system administrator can do without. I would like to thank Fyodor and congratulate him on his great work.
Sunday, January 29, 2012
Snapshot-style incremental backups with rsync and SSH

3. Rotating Backups

In this setup I will tell you how to make rotating backups, so that old ones will be deleted eventually. For this setup it is mandatory that the backup server can access the production server without being prompted for a password. Once you have ensured that your backup server can connect to your production server without being asked for a password, all you need is a couple of small shell scripts and cron jobs to actually accomplish the backups. In detail, this howto will make 4 backups per day, then 7 backups per week (1 per day) and 4 backups per month (1 per week).

my_backup.sh (mysql backup shell script)

This file needs to be on the remote (production) server that you want to back up from! All other files in this section need to be on the backup server! I could somehow integrate this shell script in the hourly backup script that will follow below, but I just didn't work out yet how to do it. Instead of including the mysql backup script in the hourly backup script, I just make an own shell script out of it and I will just call that script from the hourly backup script. In the end it is the same thing.

#!/bin/bash
unset PATH

# USER VARIABLES
MYSQLUSER=root
MYSQLPWD=**********************
MYSQLHOST=localhost
MYSQLBACKUPDIR=/mysql_backup

# PATH VARIABLES
MK=/bin/mkdir;
RM=/bin/rm;
GREP=/bin/grep;
MYSQL=/usr/bin/mysql;
MYSQLDUMP=/usr/bin/mysqldump;

# CREATE MYSQL BACKUP
# Remove existing backup dir
$RM -Rf $MYSQLBACKUPDIR
# Create new backup dir
$MK $MYSQLBACKUPDIR
# Dump new files: one .sql file per database
for i in $(echo 'SHOW DATABASES;' | $MYSQL -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST | $GREP -v '^Database$');
do
  $MYSQLDUMP \
    -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST \
    -Q -c -C --add-drop-table --add-locks --quick --lock-tables \
    $i > $MYSQLBACKUPDIR/$i.sql;
done;

As you can see this is the same procedure as before.

backup_hourly.sh (backup shell script)

This script is mostly based on Mike's handy rotating-filesystem-snapshot utility script.

#!/bin/bash
unset PATH

# USER VARIABLES
BACKUPDIR=/backup                          # Folder where the backups shall be saved to
KEY=/root/.ssh/id_rsa
MYSQL_BACKUPSCRIPT=/backup/my_backup.sh    # Path of my_backup.sh on the remote server
PRODUCTION_USER=root@production.server.com
EXCLUDES=/backup/backup_exclude            # File containing excludes

# PATH VARIABLES
CP=/bin/cp;
MK=/bin/mkdir;
SSH=/usr/bin/ssh;
DATE=/bin/date;
RM=/bin/rm;
RSYNC=/usr/bin/rsync;
TOUCH=/bin/touch;
SH=/bin/sh;                                # Path on the remote server
MV=/bin/mv;

###### -- DO NOT EDIT BELOW THIS HERE -- ######

# CREATE MYSQL BACKUP
# Run remote mysql backup script
$SSH -i $KEY $PRODUCTION_USER "$SH $MYSQL_BACKUPSCRIPT"

# Rotating the hourly snapshots
# step 1: delete the oldest snapshot, if it exists:
if [ -d $BACKUPDIR/hourly.3 ] ; then
  $RM -Rf $BACKUPDIR/hourly.3 ;
fi ;
# step 2: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/hourly.2 ] ; then
  $MV $BACKUPDIR/hourly.2 $BACKUPDIR/hourly.3 ;
fi ;
# step 3: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/hourly.1 ] ; then
  $MV $BACKUPDIR/hourly.1 $BACKUPDIR/hourly.2 ;
fi ;
# step 4: make a hard-link-only (except for dirs) copy of the latest snapshot,
# if that exists
if [ -d $BACKUPDIR/hourly.0 ] ; then
  $CP -al $BACKUPDIR/hourly.0 $BACKUPDIR/hourly.1 ;
fi ;
# step 5: rsync from the system
$RSYNC \
  -avz --delete --delete-excluded \
  --exclude-from="$EXCLUDES" \
  -e "$SSH -i $KEY" \
  $PRODUCTION_USER:/ $BACKUPDIR/hourly.0 ;
# step 6: update the mtime of hourly.0 to reflect the snapshot time
$TOUCH $BACKUPDIR/hourly.0 ;

Well, pretty much the script does the same as the first one, just it will rotate folders.... However, this is now intended for a 6h backup cycle (24 divided by 4 = 6)... however we want to have a few more backups. So the next thing is a script that cycles backups on a daily level.

backup_daily.sh (daily rotation shell script)

#!/bin/bash
unset PATH

# USER VARIABLES
BACKUPDIR=/backup    # Folder where the backups shall be saved to

# PATH VARIABLES
RM=/bin/rm;
MV=/bin/mv;
CP=/bin/cp;
TOUCH=/bin/touch;

# Rotating the daily snapshots
# step 1: delete the oldest snapshot, if it exists:
if [ -d $BACKUPDIR/daily.6 ] ; then
  $RM -Rf $BACKUPDIR/daily.6 ;
fi ;
# step 2: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.5 ] ; then
  $MV $BACKUPDIR/daily.5 $BACKUPDIR/daily.6 ;
fi ;
# step 3: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.4 ] ; then
  $MV $BACKUPDIR/daily.4 $BACKUPDIR/daily.5 ;
fi ;
# step 4: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.3 ] ; then
  $MV $BACKUPDIR/daily.3 $BACKUPDIR/daily.4 ;
fi ;
# step 5: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.2 ] ; then
  $MV $BACKUPDIR/daily.2 $BACKUPDIR/daily.3 ;
fi ;
# step 6: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.1 ] ; then
  $MV $BACKUPDIR/daily.1 $BACKUPDIR/daily.2 ;
fi ;
# step 7: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/daily.0 ] ; then
  $MV $BACKUPDIR/daily.0 $BACKUPDIR/daily.1 ;
fi ;
# step 8: make a hard-link-only (except for dirs) copy of the latest hourly snapshot,
# if that exists
if [ -d $BACKUPDIR/hourly.3 ] ; then
  $CP -al $BACKUPDIR/hourly.3 $BACKUPDIR/daily.0 ;
fi ;
# step 9: update the mtime of daily.0 to reflect the snapshot time
$TOUCH $BACKUPDIR/daily.0 ;

So, now we have a script that does 4 backups a day and 7 backups a week. Now the last one will make 4 backups a month.

backup_weekly.sh (weekly rotation shell script)

#!/bin/bash
unset PATH

# USER VARIABLES
BACKUPDIR=/backup    # Folder where the backups shall be saved to

# PATH VARIABLES
RM=/bin/rm;
MV=/bin/mv;
CP=/bin/cp;
TOUCH=/bin/touch;

# Rotating the weekly snapshots
# step 1: delete the oldest snapshot, if it exists:
if [ -d $BACKUPDIR/weekly.3 ] ; then
  $RM -Rf $BACKUPDIR/weekly.3 ;
fi ;
# step 2: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/weekly.2 ] ; then
  $MV $BACKUPDIR/weekly.2 $BACKUPDIR/weekly.3 ;
fi ;
# step 3: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/weekly.1 ] ; then
  $MV $BACKUPDIR/weekly.1 $BACKUPDIR/weekly.2 ;
fi ;
# step 4: shift the middle snapshot(s) back by one, if they exist
if [ -d $BACKUPDIR/weekly.0 ] ; then
  $MV $BACKUPDIR/weekly.0 $BACKUPDIR/weekly.1 ;
fi ;
# step 5: make a hard-link-only (except for dirs) copy of the latest daily snapshot,
# if that exists
if [ -d $BACKUPDIR/daily.6 ] ; then
  $CP -al $BACKUPDIR/daily.6 $BACKUPDIR/weekly.0 ;
fi ;
# step 6: update the mtime of weekly.0 to reflect the snapshot time
$TOUCH $BACKUPDIR/weekly.0 ;

So much for the scripts.

cron.txt (crontab control file)

The last thing that is missing now is a cron. I use this here:

# Make Backups
0 0 * * Sun sh /backup/backup_weekly.sh | /usr/bin/mail -s "Weekly Cron" recipient@domain.com
15 0 * * * sh /backup/backup_daily.sh | /usr/bin/mail -s "Daily Cron" recipient@domain.com
45 0,6,12,18 * * * sh /backup/backup_hourly.sh | /usr/bin/mail -s "Hourly Cron" recipient@domain.com

Well, I run the weekly cron at midnight on Sundays and the daily cron every day at a quarter past midnight. The hourly crons I run at a quarter to midnight, 6am, noon and 6pm. I chose this to give enough time to complete all the transfers if there are new additions. Of course you can set this all individually. Don't forget to create the exclusion file (see the explanations in Step 2). You can add this cron simply by issuing the following command: crontab cron.txt. Just make sure that you check first that you have no other crons running. If so, just add them to the cron control file. Listing the crons for the current user: crontab -l. Well, now enjoy the backups.
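The three rotation scripts above are the same algorithm written out three times for four, seven and four levels. The following is an added example, not Stephan Jau's code: one function that performs the rotation for any prefix and depth, so that hourly, daily and weekly become three calls. It uses "cp -al" (GNU cp, as in the original scripts) for the hard-link copy; the hourly level is seeded from the freshly shifted hourly.1 and the rsync into hourly.0 then follows as in backup_hourly.sh, while daily and weekly are seeded from hourly.3 and daily.6 exactly as the article does.

```shell
#!/bin/sh
# Added example: generic snapshot rotation for the hourly/daily/weekly scheme
# described in the article. Requires GNU cp for "cp -al".

# rotate_snapshots DIR PREFIX KEEP SOURCE
#   Drops DIR/PREFIX.(KEEP-1), shifts PREFIX.N to PREFIX.(N+1) for the rest,
#   then creates DIR/PREFIX.0 as a hard-link copy of SOURCE and stamps its mtime.
#   Examples of the article's three levels:
#     rotate_snapshots /backup hourly 4 /backup/hourly.1   # then rsync into hourly.0
#     rotate_snapshots /backup daily  7 /backup/hourly.3
#     rotate_snapshots /backup weekly 4 /backup/daily.6
rotate_snapshots() {
    dir=$1; prefix=$2; keep=$3; source=$4
    # step 1: delete the oldest snapshot, if it exists
    oldest=$((keep - 1))
    [ -d "$dir/$prefix.$oldest" ] && rm -rf "$dir/$prefix.$oldest"
    # step 2: shift the remaining snapshots back by one, oldest first so
    # that no directory is overwritten
    n=$((oldest - 1))
    while [ "$n" -ge 0 ]; do
        [ -d "$dir/$prefix.$n" ] && mv "$dir/$prefix.$n" "$dir/$prefix.$((n + 1))"
        n=$((n - 1))
    done
    # step 3: hard-link-only copy (directories are real) of SOURCE into PREFIX.0;
    # unchanged files share one inode, so a new level costs almost no space
    [ -d "$source" ] && cp -al "$source" "$dir/$prefix.0"
    # step 4: update the mtime of PREFIX.0 to reflect the snapshot time
    [ -d "$dir/$prefix.0" ] && touch "$dir/$prefix.0"
    return 0
}

# snapshot_inode FILE: the inode number, to verify that two snapshots share a file
snapshot_inode() {
    ls -i "$1" | awk '{ print $1 }'
}
```

After rotate_snapshots for the hourly level, rsync with --delete into hourly.0 breaks the shared links only for files that changed, which is what keeps the snapshots cheap.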
Saturday, January 28, 2012
Linux system security tool details
6. script here, we do not want to mention what tools, scripting is a system administrator of one of the major skills.
In your management network, shell scripts, perl scripts, etc are all part of your daily work. It is obvious that the script can be used to automate the task, however, we also can put its application in the security monitoring, every system administrator has his own needs and he always tried to fit his way to manage these. This is usually not so easy, there is one thing that can give you help: subscribe to sysadmin magazine! this magazine is for system administrators to write to the system administrator to give you a number of programs and scripts, each issue even equipped with a computer CD-ROM, the course contains all programs and scripts. This is not an advertisement, but tell you an find many solutions to enhance safety of diagrams. If you are a system administrator, go to http://www.samag.com see it, you should try it, of course, this is just a suggestion. 7. what this article is very much about security issues, however, as we said, this article is an article "how to make your network or host security" article. On the subject, a book is not enough, security is not just rely on tools, and many acts, for example, some of the usual habits that we make mistakes. When people would understand that M $ office file is actually a security bombs, they not only fit great and full of macro viruses. Wintel users, please don't put word, execl file as email attachment delivered, in addition, if you receive them, please do not open it, this is just a suggestion, however, you have been warned, and you receive or download the executable file as dangerous as (in my opinion, more dangerous). By the way, plain text and HTML files in size than the office file much smaller, but they are not dangerous. Of course, I know this work: wintelword when you download a separate drive, it usually is executable, let us admit that we can believe this great company ... But do you know your downloaded files possible? Yes, think a little bit paranoid, but is not a crazy? 
why do you think that many files have a correction value to verify correctness? The following may "hurt" to many people, but this is the fact that Java is dangerous! javascript applet is not safe, is not secure, however, interesting that many websites use JAVA, and Java is when you visit the Web site, the browser often die of the source of the problem. This is the purpose of the site? Not to mention the ActiveX from M $!, replace it with Rebol. (Http://www.rebol.com) because of this fact: the new internet expert, stop using wintelword and IE5 to station. I note that this website spill, after all, many people use many different operating systems and many different browsers like internet, joining, equal to deny people access to your Web site. The goal is to share the internet, using a dedicated stuff is meaningless in my opinion, when the construction of rough a website, the first thing to do is get access to the operating system, which the browser ..., but this is only my personal point of view. Think about it, if you use unix machines and netscape access that Web site, you are not Home! sorry, a little off. Another important point is not likely to be 100% secure. We leave it still early. What you can do is raise it, in fact, you probably can we mention tools are used, but the back door driving big! don't be silly, hackers will not go to attempt to undo the first 128-bit key, but they can in one place to find a small hole. So be careful suid or sgid programs, and access permissions, run the service, cancel useless account number, etc. UNIX version has much in common, they have many different safety to off. Some like a sieve-like defects, you must pay attention to this point. For example, a join of M $ internetcable is great, but you will appear in the hacker's machine, and my network places, M $ will you sell to the hacker, I'm not kidding ... Network and computer security has a long way to go, if you are interested in this area, you can learn new things. 
Fortunately, here are some resources you can use.

References
http://www.linuxsecurity.com
http://www.sans.org
http://www.infosyssec.org
http://www.securityfocus.com
http://www.cs.purdue.edu/coast/hotlist/

Friday, January 27, 2012
Using OpenSSH to improve security
Veteran Linux administrators know SSH (the Secure Shell protocol) well: it is one of the most convenient and useful tools in their software toolbox.
Whether working under X Windows on a workstation or over a terminal, a Linux or other UNIX server administrator can easily manage several systems at once with SSH and a utility such as Screen. Shell or Perl scripts used for network management can safely run simple tasks on many servers over SSH. SSH behaves much like the older RSH, but adds strong encryption and compression, and most modern SSH implementations ship SFTP and SCP in the same package for secure file transfer over the network. The most popular and common SSH implementation is OpenSSH, a project conceived and maintained by the OpenBSD community. OpenSSH has been ported to every major operating system platform, including Microsoft Windows, although it is most widely used as server and client on UNIX-based systems, among them Linux, Solaris and OpenBSD.

SSH functions

SSH uses strong encryption to protect the data of a remote session against malicious attackers. Protection is end to end from the very start: the client's first contact with the host, and the user name and password exchanged between the two computers, are covered by a session key negotiated before the password is sent. Several ciphers are available: AES, 3DES, Blowfish and others. A trusted-host identification scheme and key exchange between systems improve security, and OpenSSH requires neither a certificate nor a pre-shared key to create a secure, encrypted remote session. The caveat is that the server's host key is trusted on first use, so verify the fingerprint out of band before accepting it; once stored, a changed fingerprint is a warning to take seriously. In addition, SSH can compress data before transmitting it, which noticeably speeds up sessions over slow or congested links. It provides SFTP, an encrypted interactive file transfer facility similar to FTP, so that neither the password nor the user name crosses the network in the clear.
For file transfers, SCP likewise offers a safe and convenient way: an encrypted file copy command that works over the network connection and is part of the SSH implementation. SSH is also the name of the network protocol for this encrypted communication. It was developed to replace RSH; the RSH utility was also a remote shell, but not secure enough. SSH not only inherited the functions of RSH but extended them, particularly with regard to security.

Installing OpenSSH on Linux

Installing OpenSSH on Linux is easy. For example, on a Debian GNU/Linux system, log in as root and enter the command apt-get install ssh. Similarly, on a Fedora Core system, log in as root and enter yum install openssh-server openssh-clients (the Fedora packages are named openssh-*, not ssh). You may not even need to do this, because the default installations of Debian and Fedora Core already include OpenSSH. To find out whether OpenSSH is already installed on a Linux system, just enter the command ssh. If it is installed, it prints a short usage message (Listing A):

Listing A

    $ ssh
    usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
               [-D port] [-e escape_char] [-F configfile] [-i identity_file]
               [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
               [-O ctl_cmd] [-o option] [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [user@]hostname [command]

The OpenSSH manual has the complete usage information. It is a traditional UNIX manual page: enter man ssh at the command line. It lists the command-line options of the OpenSSH client, the related configuration files, the known bugs of the current version, and the shell environment variables that affect its operation.
As the listing shows, there are also manual pages for sshd, ssh-agent and the other applications in the OpenSSH tool set.

Configuring and using the Linux client

To reach an OpenSSH server on another system from the command line, you only need to enter ssh host, where "host" is the host name of the target system. Sometimes the host name cannot be resolved to an IP address, because no DNS entry exists for that system and it is not listed in the local /etc/hosts file. Then you must give the target system's IP address instead of the host name; for example, ssh 192.168.0.1 connects to the system with that IP address. More SSH commands:

SSH normally uses port 22. If the SSH server listens on a nonstandard port, use the -p option; in this example the port number is 1234:

    ssh -p 1234 host

Unless you specify a user name, ssh tries to log in to the remote system with the same user name you have on the local system. You can specify a different user name with a command option; in the following general form, "user" stands for the user name:

    ssh -l user host

A more common way to give the user name is this format:

    ssh user@host

With SSH you can also execute a command on the target system without opening an interactive shell. In the following example, "command" is the command you want to run:

    ssh host command

ssh has no option for setting the working directory on the remote system; to run a command in a particular directory, put the cd into the command string:

    ssh host 'cd /home/user && command'

The options above can be combined into more specific invocations:

    ssh -p 1234 user@host 'cd /home/user && command'
    ssh -l user host command

The OpenSSH configuration files live in /etc/ssh. The main configuration file of the OpenSSH client is /etc/ssh/ssh_config, and in most distributions its comments tell you enough about how to use it.
On a distribution with a broad and complex manual system, such as Debian, man ssh_config gives enough information about client configuration. For security, a widespread and important option is ForwardX11, which should be set to "no" so that the SSH client does not automatically forward the X Window System over every connection, even one that never uses X. With that setting you can still forward X on a specific connection by giving the -X command-line option. The other options in /etc/ssh/ssh_config can be set to follow your security policy and the needs of the services involved.

Windows SSH clients

There are many SSH client programs for Microsoft Windows: some are proprietary commercial applications, some are freeware or shareware, and some are open source, OpenSSH among them. There are command-line clients, some installed as part of a UNIX-like shell, but the most commonly used SSH programs on Windows have graphical user interfaces. Among them, WinSCP provides SCP and SFTP, and PuTTY provides an SSH shell. Having read how OpenSSH is used on Linux, you will easily understand the user interfaces and configuration of WinSCP and PuTTY. There is also an actual Microsoft Windows port of OpenSSH, OpenSSH for Windows.

Configuring and using the Linux server

In general the OpenSSH server runs as a daemon on the Linux system. On Debian GNU/Linux it is restarted with the command /etc/init.d/ssh restart; to start or stop it, replace "restart" with "start" or "stop". Fedora Core Linux uses the same command format, but the script is /etc/init.d/sshd instead of /etc/init.d/ssh. Like the client, the OpenSSH server is configured through a file, /etc/ssh/sshd_config. Its format is very similar to that of /etc/ssh/ssh_config, but many of the options are different.
The configuration details can be viewed with man sshd_config. Typically IgnoreRhosts and UsePrivilegeSeparation are set to "yes", while PermitRootLogin and PermitEmptyPasswords are set to "no" (on OpenSSH 7.5 and later, privilege separation is always on and the UsePrivilegeSeparation keyword has been removed). As with the OpenSSH client, forwarding the X Window System over SSH is a small but unnecessary risk, and it should be disabled on any system that does not need it; so you will normally set X11Forwarding to "no". On Linux these files are usually maintained by quite security-conscious people, and the options should already be configured properly, but PermitRootLogin and X11Forwarding are worth checking in any case.

More OpenSSH features

OpenSSH has other features as well. For example, other network protocols can be "tunneled" through the SSH protocol for added security. The ssh-agent tool simplifies key management and use on the OpenSSH client. Many unrelated tools include support for running over SSH, for example the Subversion version control system. Its potential is endless; it is not possible to list everything.

New Linux users who only use one computer may not immediately appreciate the value of SSH. They are used to Microsoft Windows, whose interface is well optimized in some respects but not easy to use for remote administration. For server management and remote technical support, tools such as Windows Remote Desktop and Terminal Services for Windows are of limited effectiveness, and exposing them directly over a network is not encouraged. In contrast, a Linux user who runs a daily set of programs on one computer can, after a simple installation, reach those programs over SSH. Many Linux administrators sit in front of one computer and work on several others that are not in the same place, for e-mail, writing, programming and more, not just one or two network applications. The more familiar you become with SSH's capabilities and uses, the more you come to trust it.
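The recommended server settings above are easy to state but easy to get wrong in practice, because sshd honours only the first occurrence of a keyword and silently ignores later ones. The following script is an added example, not part of the original article or of OpenSSH: it parses an sshd_config the way sshd reads it (whole-line comments only, first occurrence wins) and reports every recommended setting that is absent or wrong. The configuration text inside it is constructed for the demonstration.

```python
# Added example, not part of the original article: check an sshd_config
# for the settings recommended above. The configuration text below is
# constructed for the demonstration; read the real /etc/ssh/sshd_config
# into parse_sshd_config() to audit a host.
RECOMMENDED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "ignorerhosts": "yes",
    # Always on, and the keyword itself removed, in OpenSSH 7.5 and later.
    "useprivilegeseparation": "yes",
}

# Constructed sample with two weak settings. The last line is a trap:
# sshd honours the FIRST occurrence of a keyword, so it fixes nothing.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding yes
IgnoreRhosts yes
UsePrivilegeSeparation yes
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return the effective keyword -> value map, keywords lower-cased.

    Only whole-line comments are recognised, as in sshd itself, and the
    first occurrence of a keyword wins, exactly as sshd applies the file.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return one finding per recommended setting that is absent or wrong."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies (recommend {want})")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, recommend {want!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

On the sample it reports PermitRootLogin and X11Forwarding; the trailing PermitRootLogin no is correctly ignored. Keywords inside a Match block are conditional and are not modelled here, so read such blocks by hand.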
Linux users coming from Windows may also not immediately feel the productivity gains SSH brings. OpenSSH configuration and use are worth learning; even if you cannot see the effect right away, over time you will not be able to do without it.

Original link: http://www.zdnet.com.cn/developer/code/story/0,3800066897,39524195-2,00.htm

Thursday, January 26, 2012
Linux system security tools in detail
The second is called Nessus, which you can download from http://www.nessus.org. Nessus uses a client/server architecture; its source follows the POSIX standard and runs on many UNIX versions, and there is even a Win32-based client. Nessus relies on nmap (you know, without nmap Nessus will not run), and the GUI client also needs the GTK library.
The current version of Nessus is 1.0.6. You can scan an entire network with a single command: give the network address in the target box, for example 192.168.1.0/24, and it scans all 256 addresses of the subnet. Nessus is no less complex than nmap, but it is not only easy to use, it also has many features: for example it can generate reports and compare the differences between reports, and another feature is quite interesting: for the problems discovered by the port scan, Nessus proposes solutions. As long as the machines are UNIX systems these proposals are generally useful; for other operating systems they are less accurate, but that is not a problem. Here is an example of a very vulnerable machine. Another great feature of Nessus is its plug-ins, so that whenever a new vulnerability is discovered anywhere it can be upgraded quickly. Nessus is a tool system administrators really need, and Mr. Deraison did a terrific job, merci beaucoup. Both tools were tested on a network of Linux machines and other operating systems: Linux RH 6.2, IRIX 6.5.7, Solaris 2.6, NeXTStep 3.3, QNX RT, BeOS 5.0, AmigaOS 3.5 and NT 4.0. On most platforms the results were impressive; of course no real Amiga system was identified (it looks like a printer or a router!), but who still has that operating system on their network today (other than us)? Anyway, these tools are must-haves on today's networks. To end this chapter, let's mention a few other tools such as SARA (http://www-arc.com/sara/), its predecessor SATAN (http://www.porcupine.org/satan/), and SAINT (http://www.wwdsi.com). They are not port scanners, but they are very useful for improving network security.

4. Sniffing

Some tools detect port scans or intrusions, and a standard system administrator cannot live without them (it's a little paranoid!). The first set of tools comes from the Abacus project; you can get them from http://www.psionic.com.
It contains three tools: portsentry, hostsentry and logcheck. The versions are logcheck 1.1.1, portsentry 1.0 and hostsentry 0.0.2 alpha. Portsentry is a port-scan detection tool, as its name says: if a port is scanned, portsentry immediately blocks the scanning host, either by dropping the route (or routing it to an unused IP address), by adding a firewall rule, or, as long as TCP Wrappers are installed on your machine, by writing the hacker's IP address into /etc/hosts.deny. The reaction is quite efficient! Portsentry relies on one main configuration file and a few special files; the special files are used to ignore certain hosts (that is, never block them), or to block only certain ports on certain hosts. In the configuration file you define how portsentry works. First you select the ports to bind portsentry to, TCP or UDP (or both); note that if you use X11 it must not bind to port 6000! Depending on the UNIX system you use, there are two different modes for monitoring ports; at present only Linux supports the advanced mode. The next step is the blocking option: block scans or not, or run an external command. Then choose between dropping the route, redirecting the attacker to an unused IP address, or a firewall rule. The next step concerns TCP Wrappers: you decide whether or not to write a deny entry into /etc/hosts.deny. Then you can define an external command to run, and finally you can choose the scan trigger value (the default is 0). That is all you have to do; we assume you know everything about logging, because obviously all warnings are logged. This means that if you want the warnings to go somewhere other than /var/log/messages, /var/log/syslog, /var/adm/messages or wherever your system puts them, you can modify your syslog.conf.
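The configuration steps just described (which ports to watch, whom to ignore, the trigger value, and the hosts.deny and route reactions) are easier to reason about when you see them operate on traffic. The following is an added example and not portsentry's own code: a simplified model of its reaction logic run over a constructed connection log. The port list, the ignore list and the log are all constructed for the demonstration, and the two reaction commands follow the form of portsentry's sample configuration but are only returned as strings, never executed.

```python
# Added example, not portsentry's own code: a model of how portsentry reacts
# to a scan with the settings described above. Everything below (tripwire
# ports, ignore list, connection log) is constructed for the demonstration.
from collections import defaultdict
import ipaddress

# Ports no service on this host uses; a connection to one is a scan signal.
TRIPWIRE_TCP_PORTS = {1, 11, 15, 79, 111, 119, 143, 540, 635, 1080,
                      1524, 2000, 12345, 31337}

# Equivalent of portsentry.ignore: sources that are never blocked.
IGNORE_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]

# SCAN_TRIGGER: hits a source may make before the reaction; 0 reacts at once.
SCAN_TRIGGER = 0


def reaction_commands(src):
    """The two reactions the article describes, modelled on portsentry's
    sample KILL_ROUTE (Linux form) and KILL_HOSTS_DENY settings."""
    return [
        f"/sbin/route add -host {src} reject",
        f'echo "ALL: {src}" >> /etc/hosts.deny',
    ]


def react_to_scan(connections, trigger=SCAN_TRIGGER):
    """connections: iterable of (src_ip, dst_port).
    Returns {src: [commands]} for every source that got blocked."""
    hits = defaultdict(int)
    blocked = {}
    for src, port in connections:
        if port not in TRIPWIRE_TCP_PORTS:
            continue          # a real service lives there; not portsentry's business
        if any(ipaddress.ip_address(src) in net for net in IGNORE_NETWORKS):
            continue          # whitelisted, e.g. your own monitoring host
        if src in blocked:
            continue          # already blocked; portsentry reacts once per host
        hits[src] += 1
        if hits[src] > trigger:
            blocked[src] = reaction_commands(src)
    return blocked


# Constructed connection log: an ordinary SSH user, a scanner walking low
# ports, and a whitelisted host that happens to poke a tripwire port.
SAMPLE_CONNECTIONS = [
    ("10.0.0.7", 22),
    ("10.0.0.66", 1),
    ("10.0.0.66", 11),
    ("10.0.0.66", 15),
    ("192.168.1.10", 31337),
    ("10.0.0.66", 79),
]

if __name__ == "__main__":
    for src, cmds in react_to_scan(SAMPLE_CONNECTIONS).items():
        print(f"attackalert: blocking {src}")
        for cmd in cmds:
            print("  " + cmd)
```

With the default trigger of 0 the scanner 10.0.0.66 is blocked on its first tripwire hit; raising the trigger to 3 still catches it on the fourth hit, while the whitelisted 192.168.1.10 is never touched. Keep the ignore list honest: a forged-source packet to a tripwire port can otherwise get a legitimate host's route dropped, which is the classic way to abuse an auto-blocking tool.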
You can run portsentry in the background; the option depends on your system: on most UNIX versions you use the -tcp or -udp option, on a Linux machine you can use -atcp or -audp (the "a" stands for advanced). Let's look at what happens when a machine running portsentry is scanned. If you are a system administrator who reads the logs once a week (you should change jobs), the Abacus project provides another tool: logcheck. It runs as a cron job and sends an e-mail to the administrator if it finds abnormal entries in the logs. The latest tool in the suite is called hostsentry; it looks quite interesting, but I have not tested it. If you want a great, simple and efficient tool, choose portsentry! Thank you, Mr. Rowland, your work is great, and by the way, I like your sense of humour.

Another truly indispensable tool for a system administrator is Snort. Snort is a very precise, lightweight IDS (intrusion detection system); you can download version 1.6.3 from http://www.snort.org. It is said to run on any platform where libpcap works, and it is best to use the latest version of libpcap. Incidentally, a Win32 version of Snort is available. Snort analyses IP streams and provides very robust logging. Snort relies on rule scripts, so you can monitor whatever you want to monitor, and it even gives you a rule database. You will have to make an important decision: where to place the probe, or if you prefer, what kind of traffic you want to monitor: outside the firewall or inside? We prefer to recommend both!!! To me, if you are a "standard" system administrator, the more probes the better. Once you have decided where to listen, you must select the rules to apply. Snort comes with a lot of basic rules: backdoor, DDoS, finger, ftp... These rules are in the snort-lib file, and you can get new and updated rules from the Snort web site.
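"Selecting the rules to apply" is concrete once you see what a rule is and what matching it against a packet involves. The following is an added example, not Snort's own code: a small matcher for the subset of Snort's rule language described above (a header of action, protocol, source, source port, destination and destination port, plus msg, content and sid options), run over a handful of constructed packets. The rules and the packets are constructed for the demonstration; bidirectional "<>" rules and hex content (|..|) are deliberately left unsupported.

```python
# Added example, not Snort's own code: a matcher for the subset of Snort's
# rule language discussed above. Rules and packets are constructed here.
import ipaddress
import re

RULES_TEXT = """\
# constructed rules in Snort 1.x syntax
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP USER command"; content:"USER "; sid:1000001;)
alert tcp any any -> 192.168.1.0/24 79 (msg:"finger probe"; sid:1000002;)
alert udp any any -> any 31337 (msg:"possible Back Orifice traffic"; sid:1000003;)
"""

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')


def parse_rules(text):
    """Turn rule lines into dicts; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {line}")
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = dict(OPTION_RE.findall(opts))
        rules.append({
            "action": action, "proto": proto.lower(),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "msg": options.get("msg", ""), "sid": int(options["sid"]),
            # content is matched as raw bytes anywhere in the payload
            "content": options["content"].encode() if "content" in options else None,
        })
    return rules


def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:              # Snort range syntax: "1:1024", ":1024", "1024:"
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header fields must all match, then the content (if any) must be in the payload."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])):
        return False
    if not (_addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    return rule["content"] is None or rule["content"] in pkt["payload"]


def run_rules(rules, packets):
    """Return (sid, msg, src, dst) for every alert rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["sid"], rule["msg"], pkt["src"], pkt["dst"]))
    return alerts


def packet(proto, src, sport, dst, dport, payload=b""):
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


# Constructed traffic: an FTP login (USER then PASS), a finger probe, a UDP
# datagram to 31337, and an FTP login to a host outside the monitored net.
SAMPLE_PACKETS = [
    packet("tcp", "10.0.0.5", 40000, "192.168.1.20", 21, b"USER anonymous\r\n"),
    packet("tcp", "10.0.0.5", 40000, "192.168.1.20", 21, b"PASS guest@\r\n"),
    packet("tcp", "10.0.0.5", 40001, "192.168.1.30", 79, b"root\r\n"),
    packet("udp", "10.0.0.9", 31337, "192.168.1.40", 31337, b"\x00" * 8),
    packet("tcp", "10.0.0.5", 40002, "172.16.0.1", 21, b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    for sid, msg, src, dst in run_rules(parse_rules(RULES_TEXT), SAMPLE_PACKETS):
        print(f"[**] [1:{sid}] {msg} [**] {src} -> {dst}")
```

Three of the five packets fire a rule; the PASS line does not match the FTP rule's content, and the login to 172.16.0.1 falls outside the destination network, which is exactly why the placement decision above matters: a probe sees only the traffic that passes it.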
You only need to set the right options to run Snort as a background task; to run Snort as a daemon the option is -D. Because you can redirect the logs, you can define where the log is recorded, even on another machine. Covering all the features of Snort in this article is impossible; we can only show part of them. In any case, Snort is another essential tool; it is a great tool, and I would like to thank Mr. Roesch. There are other free tools as well, for example AIDE, described at http://www.cs.tut.fi/~rammer/aide.html.

5. Encryption

There are many tools in this area and we cannot discuss them all, but we at least want to talk about SSH, in particular the free version, OpenSSH, which you can get from http://www.openssh.com; the current version is 2.3.0. This great product was originally developed on OpenBSD and now runs on many UNIX versions. OpenSSH is a replacement for telnet and the other remote commands such as rsh and rlogin; it contains scp as a replacement for ftp and rcp. OpenSSH encrypts the data it sends over the network, whereas rsh, telnet and the others send everything in the clear, including the passwords, of course! Therefore you should no longer use those tools; use OpenSSH instead. That was a bit forced; let us be a little fascist! The problem is that some countries are very strict about this kind of tool and encryption method and do not allow such software to be exported or modified, although in many countries you can still use it freely. For example, some time ago, if you used ssh in a country like France you were considered a spy (according to the national laws); fortunately that is no longer the case, but I recommend reading the relevant provisions before using such tools. You can find a report on the rules of the different countries at http://www2.epic.org/reports/crypto2000/countries.html.
After all, encryption is a topic of great interest, and there are many tools worth considering; let us mention OpenSSL (Secure Sockets Layer) at http://www.openssl.org, and StrongCrypto at http://www.strongcrypto.com, an open source VPN tool for Linux. VPNs are another solution that deserves a separate article (like most of the topics and tools above); for this reason we will say no more about them. Obviously we cannot forget to mention OpenPGP, at http://www.ietf.org/html.charters/openpgp-charter.html, and GnuPG at http://www.gnupg.org.

Wednesday, January 25, 2012
Using mod_proxy to improve LAMP security
The Apache Software Foundation's HTTP Server project (usually called Apache) is the most widely used web server on the Internet, with more than 60% of the market.
Apache is an increasingly popular part of the LAMP stack. LAMP is a web platform built on free software: Linux, Apache, MySQL, PHP and other open source technologies. In this article you will learn how to use the mod_proxy module and several back-end servers to improve the security of a LAMP system. I will discuss the advantages and disadvantages and provide sample configurations.

PHP and Apache: the security challenge

One challenge a LAMP administrator faces is offering a complete PHP system to all users while giving every user of the system a secure environment. PHP's safe mode is one technique, but it restricts users unduly, and once it is enabled some PHP applications no longer work. The root of the PHP security problem is the way most Apache servers are configured. Because most Apache configurations run under a special user ID, www-data, every user whose web site is hosted must make sure that this user can read their files. Consequently, every other user on the system can reach all the web files of every user: a site that should be isolated from the others becomes the hole through which your web site is attacked. If a file or directory must be writable by www-data, the situation is even worse. With CGI programs, such as those written in Perl, Python and other popular languages, the suEXEC mechanism eliminates some of these problems. Simply put, suEXEC uses a special intermediate program to execute a CGI program under the user ID of the program's owner (for details see the reference links in the article). This very effective mechanism has been in use for many years. However, when PHP is hosted with the mod_php module, PHP pages run as part of the main Apache process. They therefore inherit all the privileges of the Apache process, and whatever they do on the file system is done as the Apache user.
Running Apache under more than one user ID

For the problem described above, the obvious solution is to have all requests for a user's domain served by an instance of Apache that holds only that user's credentials. Apache can be configured to acquire any user's credentials at startup. For a simple setup where each user is assigned a separate Internet-visible IP address/port combination, this approach solves the problem. For more complex setups (where IP addresses are precious) it does not work. When a single Apache instance controls a given IP address/port combination, only virtual hosts can share it; this is a widely used Apache technique, but it rules out running several domains belonging to several users on the same IP address/port combination under different user IDs. Apache 2.0 introduced the concept of multi-processing modules (MPMs). The basic Apache 2.0 package included an experimental MPM, perchild, which assigns a dispatcher thread to each IP address/port combination and hands requests to child processes running with the individual user's credentials, thereby achieving virtual hosts with multiple user IDs. Unfortunately, perchild remained experimental, may not work at all, and was dropped from the official distribution as of Apache 2.2. Before that, recognizing that a stable, working MPM like perchild was still needed, parts of the Apache community started developing MPMs to fill the gap. The Metux MPM and the process-oriented peruser MPM are efforts in that direction (for more information on the Metux MPM and the peruser MPM, see the references).

One solution: mod_proxy

Although no official Apache MPM directly provides virtual hosts with multiple user IDs, the same behaviour can still be achieved by configuring and managing several Apache instances.
The core of this approach is the mod_proxy module, which (among other features) lets Apache forward page requests to other servers and pass the responses back to the requesting client.

Listing 1. Basic request-forwarding reverse-proxy configuration

    ProxyRequests Off
    ProxyPass /foo http://foo.example.com/bar
    ProxyPassReverse /foo http://foo.example.com/bar

The code in Listing 1 is a simple example: it forwards any request for a page under the host's /foo hierarchy to the corresponding page under http://foo.example.com/bar. For example, a request for the page /foo/index.htm is forwarded to http://foo.example.com/bar/index.htm. You can use this principle to solve the problem.

Sample scenario

Consider a scenario: an Apache administrator must set up domains for two separate clients. One client is an online startup that is very concerned about online security. The other is a personal account whose owner is more relaxed about site security and may upload insecure code to the site. The Apache administrator must therefore take steps to isolate the two sites. So the administrator has two domains: www.startup.tld, belonging to the online startup (user ID startup), and www.reckless.tld, belonging to the individual (user ID nimrod). The administrator decides on the mod_proxy solution. Each user is assigned a separate Apache instance, running under that user's own user ID and listening on a private IP address/port combination, and a facade server, running as www-data on a public IP address/port combination, uses mod_proxy to provide access to both users' domains. Figure 1 illustrates the whole scenario.

Figure 1. The sample scenario

Recommended Apache versions

For each element of the sample configuration, the Apache administrator should use the Apache versions listed in Table 1.
Table 1. Apache versions used by the sample application

    Element: Facade server
    Apache version: Apache 2, running the worker or event MPM, with the mod_proxy module
    Reason: Apache 2 made important improvements to mod_proxy. The worker and event MPMs are threaded, which helps reduce the memory overhead of the facade server.

    Element: Back-end servers
    Apache version: Apache 1.3, or Apache 2 running the prefork MPM
    Reason: Apache administrators must be aware that the PHP module should not be run in a threaded environment. Both of these give the PHP module a process-based environment.

Back-end Apache instance configuration

The code fragments in Listing 2 and Listing 3 show the basic differences from a standard Apache configuration. Anything else you need, such as the PHP settings, is omitted here and should be added to the appropriate configuration.

Listing 2. Apache configuration for the online startup

    # Stuff every Apache configuration needs
    ServerType standalone
    LockFile /var/lock/apache/accept.startup.lock
    PidFile /var/run/apache.startup.pid
    ServerName necessaryevil.startup.tld
    DocumentRoot "/home/startup/web"

    # Essential modules
    LoadModule access_module /usr/lib/apache/1.3/mod_access.so

    # Which user to run this Apache configuration as
    User startup
    Group startup

    # This must be off else the host isn't passed correctly
    UseCanonicalName Off

    # The IP/port combination to listen on
    Listen 127.0.0.2:10000

    # Using name-based virtual hosting allows you to host multiple sites per IP/port combo
    NameVirtualHost 127.0.0.2:10000

Tuesday, January 24, 2012
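The facade server that sits in front of the per-user instances is not among the listings reproduced here. The following configuration is an added example, not part of the original article, that completes the scenario. It assumes the startup back end from Listing 2 on 127.0.0.2:10000, a second back end for nimrod on 127.0.0.3:10000 (a copy of Listing 2 with User, Group, paths and address changed), and the documentation address 203.0.113.10 as the public IP; all three addresses are assumptions for illustration. Apache only accepts comments on their own lines, which is why none follow a directive.

```apache
# Added example: facade server for the sample scenario. Runs as www-data on
# the public address and owns no user content at all; every request is
# handed to the back end that runs under the site owner's user ID.
User www-data
Group www-data
Listen 203.0.113.10:80
NameVirtualHost 203.0.113.10:80

# Reverse proxy only. With ProxyRequests On the facade would also be an
# open forward proxy that anyone on the Internet could abuse.
ProxyRequests Off

# Pass the client's Host: header through unchanged so that the back end's
# name-based virtual host (ServerName www.startup.tld) matches. This is
# also why Listing 2 sets UseCanonicalName Off on the back end.
ProxyPreserveHost On

# Assumed back-end address from Listing 2: 127.0.0.2:10000, user "startup"
<VirtualHost 203.0.113.10:80>
    ServerName www.startup.tld
    ProxyPass        / http://127.0.0.2:10000/
    ProxyPassReverse / http://127.0.0.2:10000/
</VirtualHost>

# Assumed back-end address for the second instance: 127.0.0.3:10000, user "nimrod"
<VirtualHost 203.0.113.10:80>
    ServerName www.reckless.tld
    ProxyPass        / http://127.0.0.3:10000/
    ProxyPassReverse / http://127.0.0.3:10000/
</VirtualHost>
```

On Apache 2.2 this needs mod_proxy and mod_proxy_http loaded. The security gain comes from two facts: the back ends listen on loopback addresses only, so the facade is the sole path to them, and www-data no longer needs read access to anything under /home/startup or /home/nimrod. If nimrod uploads vulnerable PHP, it executes as nimrod in his own instance and cannot read the startup's files, which is exactly the isolation a single www-data instance cannot provide.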
Building a Snort intrusion detection system on Linux
1. Install Apache

    tar zxvf apache-(version number).tar.gz        # extract Apache
    cd apache-(version number)                     # enter the extracted directory
    ./configure --prefix=/usr/local/apache --enable-so --enable-rewrite
    make
    make install
    /usr/local/apache/bin/apachectl start          # start Apache

Test by visiting http://xxx.xxx.xxx.xxx (the server's IP address).

2. Install MySQL

    groupadd mysql
    useradd -g mysql mysql
    tar zxvf mysql-(version number).tar.gz         # extract MySQL
    cd mysql-(version number)                      # enter the extracted directory
    ./configure --prefix=/usr/local/mysql --with-charset=gb2312 --with-extra-charsets=gbk
    make
    make install
    cd support-files
    cp my-medium.cnf /etc/my.cnf
    /usr/local/mysql/bin/mysql_install_db --user=mysql
    chown -R root /usr/local/mysql
    chown -R mysql /usr/local/mysql/var
    chgrp -R mysql /usr/local/mysql
    /usr/local/mysql/share/mysql/mysql.server start        # start MySQL
    /usr/local/mysql/bin/mysqladmin -u root password XXXX   # set the root password
    /usr/local/mysql/bin/mysql -u root -p                   # log in; the mysql> prompt confirms the install

3. Install PHP

    tar zxvf php-(version number).tar.gz
    cd php-(version number)                        # enter the extracted directory
    ./configure --prefix=/usr/local/php \
        --with-apxs2=/usr/local/apache/bin/apxs \
        --with-mysql=/usr/local/mysql \
        --with-config-file-path=/usr/local/lib     # must match where php.ini is copied below
    make
    make install
    cp php.ini-dist /usr/local/lib/php.ini

Edit /usr/local/lib/php.ini to suit your site. Then edit /usr/local/apache/conf/httpd.conf: add index.php to DirectoryIndex and add the line

    AddType application/x-httpd-php .php

Create /usr/local/apache/htdocs/test.php containing

    <?php phpinfo(); ?>

restart Apache and visit http://xxx.xxx.xxx.xxx/test.php.

4. Install PCRE

    tar zxvf pcre-(version number).tar.gz
    cd pcre-(version number)                       # enter the extracted directory
    ./configure
    make
    make install