dabl vpn freebsd

Рубрики: (unix) Автор: admin 30 Июл 2015


#up
#server openvpn and client openvpn connect two server

load setfib

/boot/loader.conf

if_tap_load="YES"
net.fibs="10"

#pf config

#vpn_inet — ip client vpn one server

nat on tap3 from <vpn_inet> to any -> xxx ip vpn tap3 two server

#rtable ( setfib)

pass in from <vpn_inet> to any rtable 1

setfib multirouting

/usr/sbin/setfib 1 route add default  xxx ip two server vpn default

#rc.local

/usr/sbin/setfib 1 route del default xxxx
/usr/sbin/setfib 1 route add default xxxx

two server

#up openvpn no default gw

#and

#pf config nat

nat on em0 from x.x.x.0/24 to any -> em0

finish config ;)

ip add list debian

Рубрики: (script) Автор: admin 16 Июн 2015



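#!/bin/bash
# Append one alias interface (eth0:1, eth0:2, ...) to /etc/network/interfaces
# for every address listed in /root/ip.txt.
#
# Input:  /root/ip.txt, one address per line; blank lines are skipped so they
#         do not produce a stanza with an empty "address".
# Output: stanzas appended (">>") to /etc/network/interfaces. Existing content
#         is untouched, so re-running the script appends duplicates.
# Must run as root to write the interfaces file.

set -u

i=0
# read -r keeps the line verbatim (no backslash processing); the trailing
# "|| [ -n "$f" ]" still handles a last line without a newline.
while IFS= read -r f || [ -n "$f" ]; do
        [ -z "$f" ] && continue
        i=$((i + 1))
        cat <<EOT >> /etc/network/interfaces

auto eth0:$i
iface eth0:$i inet static
address $f
netmask 255.255.255.255

EOT
done < /root/ip.txt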

Debian 7 Dual Primary DRBD + OCFS2 + CRM + COROSYNC

Рубрики: (Linux) Автор: admin 10 Апр 2015

cat /etc/drbd.conf

# You can find an example in  /usr/share/doc/drbd.../drbd.conf.example

include "drbd.d/global_common.conf";
include "drbd.d/*.res";
root@clayster1:~# cat /etc/drbd.d/global_common.conf
# DRBD global/common settings and the dual-primary resource drbd0, as pasted
# from /etc/drbd.d/global_common.conf on clayster1.
global { usage-count yes; }
common { syncer { rate 800M; } }
# NOTE(review): the "resource drbd0 {" block is never closed in this listing;
# a final "}" is needed before drbdadm will parse the file.
resource drbd0 {
protocol C;
startup {
wfc-timeout 20;
degr-wfc-timeout 10;
become-primary-on both; # Enable this *after* initial testing
}
net {
# Peer authentication between the two nodes (challenge/response with the
# shared secret). The secret below is the one from the post: treat it as a
# placeholder and keep the real value out of world-readable copies of this file.
cram-hmac-alg sha1;
shared-secret "megaSeCrEt";
allow-two-primaries;
# Split-brain recovery policies for 0, 1 and 2 primaries; with two primaries
# DRBD only disconnects, leaving the decision to the fencing handler below.
after-sb-0pri discard-zero-changes;
after-sb-1pri discard-secondary;
after-sb-2pri disconnect;
rr-conflict call-pri-lost;
ping-timeout 20;
}
on clayster1 {
device /dev/drbd0;
disk /dev/sdb;
address 192.168.16.209:7789;
meta-disk internal;
}
on clayster2 {
device /dev/drbd0;
disk /dev/sdb;
address 192.168.16.51:7789;
meta-disk internal;
}
disk {
# I/O is frozen on connection loss until the outdate-peer handler returns;
# this only protects the data if the handler really isolates the peer.
fencing resource-and-stonith;
# NOTE(review): disabling disk and metadata flushes trades durability for
# speed; presumably intended for battery-backed write caches — confirm.
no-disk-flushes;
no-md-flushes;
}
handlers {
# NOTE(review): /sbin/obliterate is not shown anywhere on the page; it must
# exist and work on both nodes, otherwise the fencing above never resolves.
outdate-peer "/sbin/obliterate"; # We'll get back to this.
}

cat /etc/corosync/corosync.conf

# Corosync configuration for the two-node ring clayster1 (192.168.16.209) /
# clayster2 (192.168.16.51), unicast transport.
totem {
    version: 2
    # Timing values in ms; a generous token/consensus window for two nodes.
    token: 3000
    token_retransmits_before_loss_const: 10
    join: 60
    consensus: 3600
    vsftype: none
    max_messages: 20
    clear_node_high_bit: yes
    # NOTE(review): with secauth off, ring messages are neither authenticated
    # nor encrypted, so anything on this subnet that can send UDP to port 5405
    # is trusted as cluster traffic. Prefer "secauth: on" with the same
    # /etc/corosync/authkey on both nodes, or keep the ring on an isolated
    # interconnect.
    secauth: off
    threads: 0
    rrp_mode: active

    # udpu ring: members are listed explicitly instead of found via multicast.
    interface {
        ringnumber: 0
        member {
            memberaddr: 192.168.16.209
        }
        member {
            memberaddr: 192.168.16.51
        }
        # bindnetaddr is the local node's own address; swap the two lines
        # below when copying this file to the other node.
        # on clayster-1
        bindnetaddr: 192.168.16.209
        # on clayster-2
        #bindnetaddr: 192.168.16.51
        mcastport: 5405
    }

    transport: udpu
}

amf {
    mode: disabled
}

# Pacemaker is started by corosync itself (ver 0 = plugin mode).
service {
     ver:       0
     name:      pacemaker
}

aisexec {
        user:   root
        group:  root
}

logging {
        fileline: off
        to_stderr: no
        to_syslog: yes
        syslog_facility: daemon
        debug: off
        timestamp: on
        logger_subsys {
                subsys: AMF
                debug: off
                tags: enter|leave|trace1|trace2|trace3|trace4|trace6
        }
}

crm configure show

# Pacemaker configuration as printed by "crm configure show".
node clayster1
node clayster2
# DRBD resource drbd0, monitored in both roles.
primitive Cluster-FS-DRBD ocf:linbit:drbd \
        params drbd_resource="drbd0" \
        operations $id="Cluster-FS-DRBD-ops" \
        op monitor interval="20" role="Master" timeout="20" \
        op monitor interval="30" role="Slave" timeout="20" \
        meta target-role="started"
# OCFS2 mount of the DRBD device on /var/www (cloned below for both nodes).
primitive Cluster-FS-Mount ocf:heartbeat:Filesystem \
        params device="/dev/drbd0" directory="/var/www" fstype="ocfs2"
# master-max=2 promotes DRBD on both nodes (dual primary).
# NOTE(review): "resource-stickines" looks like a typo for resource-stickiness
# and is unlikely to have any effect as written — verify with crm_verify.
ms Cluster-FS-DRBD-Master Cluster-FS-DRBD \
        meta resource-stickines="100" master-max="2" notify="true" interleave="true"
clone Cluster-FS-Mount-Clone Cluster-FS-Mount \
        meta interleave="true" ordered="true" target-role="Started"
# Mount only after DRBD has been promoted.
order Cluster-FS-After-DRBD inf: Cluster-FS-DRBD-Master:promote Cluster-FS-Mount-Clone:start
# NOTE(review): stonith-enabled=false while DRBD runs dual-primary with
# "fencing resource-and-stonith" in drbd.conf: without a fencing device a
# network split between the two primaries lets both nodes keep writing to
# /dev/drbd0 independently, and no-quorum-policy=ignore removes the only
# other safeguard. Configure a STONITH resource before relying on this.
property $id="cib-bootstrap-options" \
        no-quorum-policy="ignore" \
        stonith-enabled="false" \
        default-resource-stickiness="1000" \
        dc-version="1.1.7-ee0730e13d124c3d58f00016c3376a1de5323cff" \
        cluster-infrastructure="openais" \
        expected-quorum-votes="2" \
        last-lrm-refresh="1428652227"

fix locale грн

Рубрики: (Linux) Автор: admin 07 Фев 2015


#include <stdio.h>
#include <locale.h>

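/* Print the currency symbols of the locale selected by the environment
 * (LC_ALL / LC_MONETARY / LANG), e.g. LC_ALL=uk_UA.UTF-8 ./cursym.
 * Returns 0; prints a warning on stderr when the locale cannot be set. */
int main(void)
{
  struct lconv *lv;

  /* setlocale() returns NULL for an unknown locale and leaves "C" active,
   * in which case localeconv() reports empty symbols; say so rather than
   * printing output that looks like a locale-data problem. */
  if (setlocale (LC_ALL, "") == NULL) {
    fprintf (stderr, "warning: could not set locale from environment, using \"C\"\n");
  }
  lv = localeconv();
  fprintf (stdout, "Currency symbol for locale: %s\n", lv->currency_symbol);
  fprintf (stdout, "Intl currency sym for locale: %s\n",
           lv->int_curr_symbol);
  return 0;
}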

cc -o cursym cursym.c

$ LC_ALL=uk_UA.UTF-8 ./cursym
Currency symbol for locale: гр
Intl currency sym for locale: UAH

Per:

http://std.dkuug.dk/JTC1/SC2/WG2/docs/n2743.pdf

http://en.wikipedia.org/wiki/Ukrainian_hryvnia

currency_symbol should be грн.

Attached patch resolves this issue.

2012-01-01 Ashish Shah redhat.com>


	* locales/uk_UA (currency_symbol): Fix.

--- glibc-2.5-20061008T1257.orig/localedata/locales/uk_UA	2010-09-30 17:42:09.000000000 +0530
+++ glibc-2.5-20061008T1257.orig/localedata/locales/uk_UA	2010-09-30 17:42:34.000000000 +0530
 <at>  <at>  -88,7 +88,7  <at>  <at>  

 LC_MONETARY
 int_curr_symbol           "<U0055><U0041><U0048><U0020>"
-currency_symbol           "<U0433><U0440>"
+currency_symbol           "<U0433><U0440><U043D><U002E>"
 mon_decimal_point         "<U002E>"
 mon_thousands_sep         "<U0020>"
 mon_grouping              3;3

fix debian 7 CVE-2015-0235 — Glibc GHOST

Рубрики: (Linux) Автор: admin 30 Янв 2015


GHOST vulnerability check

/* ghosttest.c:  GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* Probe layout: the scratch buffer handed to gethostbyname_r is followed
 * directly by a canary string (both are char arrays, so no padding between
 * them). If the call writes past the buffer, the canary is the first thing
 * it clobbers, which main() checks for. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Exit 0 after printing "vulnerable" or "not vulnerable"; exit 1 if the
 * probe's assumptions do not hold on this libc. */
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* Pick the name length so that glibc's own size estimate (formula above,
   * taken from the advisory) exactly fills temp.buffer: 1024 bytes minus a
   * 16-byte address, two pointers and the terminator. A fixed glibc answers
   * ERANGE for this request; the affected versions (CVE-2015-0235) undercounted
   * and wrote past the end of the buffer. */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  /* A digits-only name takes the numeric-address parsing path that the bug
   * lived in (see the advisory link at the top of the file). */
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  /* Canary overwritten: the lookup wrote beyond temp.buffer. */
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  /* Canary intact and ERANGE returned: the library rejected the undersized buffer. */
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  /* Anything else means the size assumptions above do not match this libc. */
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Compile and run it as follows:

$ gcc ghosttest.c -o ghosttest
$ ./ghosttest

Sample outputs from patched Debian v7.8 server:

not vulnerable
Sample outputs from unpatched Ubuntu 12.04 LTS server:

vulnerable

FIX

nano /etc/apt/sources.list

deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
apt-get  update

apt-get install -t squeeze-lts --only-upgrade libc6

done

ModSecurity apache2 debian

Рубрики: (Linux) Автор: admin 02 Сен 2014


aptitude install libapache2-mod-security2
a2enmod mod-security
mkdir /etc/apache2/modsecurity

Распаковать в modsecurity

wget http://rasw.us/soft/modsecurity.tar

Так-же есть оригинальные файлы

wget http://rasw.us/soft/modsecurity-apache_2.5.10.tar.gz

Отредактировать

nano apache2.conf

Include modsecurity/*.conf
Include modsecurity/base_rules/*conf

При запросе send_mistake — проверяется тело link url

# Deny requests to /send_mistake whose body contains "url" or "link".
# REQUEST_BODY is only populated when SecRequestBodyAccess is On (not shown
# for this file), and the unanchored, case-sensitive pattern also matches
# inside other words, e.g. "curl" or "unlink".
SecRule REQUEST_URI_RAW "/send_mistake" "phase:2,deny,chain"
SecRule REQUEST_BODY "(url|link)"

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

Для логов только POST запросов конфиг.

/etc/apache2/mods-enabled/mod-security.conf

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        Include "/etc/modsecurity/*.conf"
</IfModule>

/etc/modsecurity

post.conf

# Logging-only configuration: write every POST request (headers and body) to
# a dedicated audit log without blocking anything.
SecRuleEngine On
SecAuditEngine on
SecAuditLog /var/log/apache2/website-audit.log
# Required so the request body is read and part "I" below can be written.
SecRequestBodyAccess on
# Parts: A audit header, B request headers, I request body (form fields),
# F response headers, H trailer, Z end. Part I stores POST bodies verbatim,
# so passwords and tokens submitted in forms end up in website-audit.log:
# restrict the file's permissions and retention accordingly.
SecAuditLogParts ABIFHZ

# NOTE(review): "allow" in the default action means a matching rule without
# its own disruptive action lets the transaction proceed and, per the
# reference manual, skips the remaining rule phases; keep this file on its own
# (as the post does) rather than next to blocking rules.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Chain: only POSTs pass the first rule; the second matches any URI and turns
# audit logging on for that transaction.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2"
SecRule REQUEST_URI ".*" "auditlog"

postfix smtp_line_length_limit

Рубрики: (install software) Автор: admin 19 Авг 2014


http://www.postfix.org/postconf.5.html#smtp_line_length_limit

postfix Relay

Рубрики: (Linux) Автор: admin 19 Июл 2014


one server — in/out

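# main.cf for the first ("one") server: accepts mail for xxx.xx from the
# Internet and forwards it to the second server via the transport map.
# Postfix does not support trailing "#" comments on a parameter line (the text
# becomes part of the value), so every comment here is on its own line.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = sr.xxx.xx
mydomain = xxx.xx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# No local delivery on this host: mail for relay_domains goes through transport_maps.
mydestination =
relayhost =
relay_domains = xxx.xx
local_recipient_maps =
# if you hide header
header_checks = regexp:/etc/postfix/header
# ip two server
# (the loopback entry "[::1]/ xx" was mangled in the original; /128 matches the
# second server's config)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 xx.x.xx.x/32
# domain transport two server
transport_maps = hash:/etc/postfix/transport
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# "no" lets clients send SASL credentials over an unencrypted session; set to
# yes once every client can use STARTTLS or the smtps service.
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# cacert.pem is generated by the openssl command later in the post; note that
# command writes the private key into this same file.
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
inet_protocols = ipv4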

now create

/etc/postfix/header

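# ip two server
# Comments in regexp tables must be on their own line; text after the action
# would otherwise be read as part of the action.
/xx.x.xx./ IGNORE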

/etc/postfix/transport

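# domain and ip - two server
# postmap takes everything after the key as the value, so a trailing comment
# on the same line would become part of the transport string.
xxx.xx smtp:[xx.x.xx.xxx]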

postmap hash:/etc/postfix/transport # and restart postfix

google tls connect server/
# NOTE(review): -out and -keyout name the same file under /etc/ssl/certs, so
# the private key is written next to the public certificates; keep the key in
# a root-only directory (the /etc/ssl/private used for the snakeoil key above).
openssl req -new -nodes -x509 -out /etc/ssl/certs/cacert.pem -keyout /etc/ssl/certs/cacert.pem -days 3650
and
/etc/postfix/master.cf

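# smtps (port 465): clients expect TLS from the first byte, so wrapper mode
# is required; without it this service would speak plain SMTP on 465.
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes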

now config two server/

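# main.cf for the second ("two") server: final delivery to Maildir via dovecot,
# outbound mail relayed through relayhost.
# Postfix does not support trailing "#" comments on a parameter line (the text
# becomes part of the value), so every comment here is on its own line.
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = Debian-75-wheezy-64-minimal
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# - domain mail
myorigin = /etc/mailname
mydestination = xxx.xx, Debian-75-wheezy-64-minimal, localhost.localdomain, localhost
# - dovecot
home_mailbox = Maildir/
# - domain mail.
relayhost = mail.xxx.xxx
# ip one server
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 xx.xx.xx.xx/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
inet_protocols = ipv4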

dovecot install

here

openvz просмотр нагрузки cpu пользователей.

Рубрики: (Linux) Автор: admin 28 Июн 2014


Вывод LA + CTID

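#!/bin/bash
# Print the load average of every container listed by vzlist, followed by
# its CTID. vzlist prints a header row ("CTID ..."), so skip line 1 instead of
# deleting the letters C, T, I and D from every line (which only worked
# because CTIDs are numeric).

for e in $(/usr/sbin/vzlist | awk 'NR > 1 { print $1 }'); do
    # /proc/loadavg as seen inside the container
    /usr/sbin/vzctl exec "$e" cat /proc/loadavg
    echo "$e"
done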

session php

Рубрики: (Linux) Автор: admin 20 Июн 2014


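# Delete every file in the PHP session directory. When the directory is empty
# the glob stays literal, so skip names that do not exist instead of letting rm fail on "*".
for f in /var/www/user/data/mod-tmp/*; do [ -e "$f" ] || continue; rm "$f"; done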