Installing ipmitool on VMware ESXi

wget dl.kvm.la/tools/esxi_ipmitool-1.8.15-1.vib -O /var/log/vmware/ipmitool-1.8.15-1.vib
esxcli software acceptance set --level=CommunitySupported
# esxcli expects the absolute path of the VIB that was just downloaded
esxcli software vib install -v /var/log/vmware/ipmitool-1.8.15-1.vib
/opt/ipmitool/bin/ipmitool mc reset cold


Building and installing nfdump from source

yum -y -q  install nss curl  git libtool m4 automake  bzip2-devel
git clone https://github.com/phaag/nfdump
cd nfdump
./autogen.sh
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/local/rrdtool
make
make install
# nftrack is a binary and is run later, so it needs an executable mode
install -p -m 755 bin/nftrack /usr/bin/

Basic nfsen installation on CentOS 7

yum -y -q install epel-release wget
yum -y -q install nss curl  git nfdump perl gcc make libpcap-devel fprobe-ulog  rrdtool-devel rrdtool-perl  flex byacc perl 
yum -y -q install perl-MailTools perl-Socket6 perl-Sys-Syslog 'perl(Data::Dumper)' perl-DBD-MySQL
wget https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.8/nfsen-1.3.8.tar.gz/download  -O -|tar xz
cd nfsen-1.3.8
#cat   etc/nfsen-dist.conf |grep -v ^#|grep -v ^$ >etc/nfsen.conf
wget dl.kvm.la/conf/nfsen/nfsen.conf -O  etc/nfsen.conf
perl install.pl etc/nfsen.conf
ln -s /opt/nfsen/bin/nfsen /usr/bin/
# Install the PortTracker plugin
install contrib/PortTracker/PortTracker.pm   /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php  /opt/nfsen/plugins/
mkdir -p  /data/ports-db
chown -R nobody:nobody /data/ports-db  /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db
wget dl.kvm.la/conf/nfsen/nfsen.init -O /etc/init.d/nfsen
chmod 755 /etc/init.d/nfsen
chkconfig nfsen on

For normal use you also need httpd and PHP, and sFlow data has to be sent to nfsen for analysis, and so on.

Checking the health of RAID member disks with smartmontools

yum install  smartmontools -y -q
smartctl -a -d megaraid,N  /dev/sdX

N is the disk's device ID, which can be found with storcli or MegaCli.
X is the block device letter assigned by the OS; the first device is a.
The device ID can be found as follows:

Using MegaCli

# Method 1
#MegaCli -PDList -aAll|grep "Device Id"
Device Id: 0
Device Id: 1
Device Id: 2
Device Id: 3
Device Id: 4
Device Id: 5
Device Id: 6
Device Id: 7
Device Id: 8
Device Id: 9

# Method 2 (the LSI ID is the device ID)
#curl -sS http://dl.kvm.la/lsi/megaclisas-status | python
-- Controller information --
-- ID | H/W Model      | RAM    | Temp | BBU    | Firmware
c0    | PERC H710 Mini | 512MB  | 76C  | Good   | FW: 21.0.1-0132

-- Array information --
-- ID | Type    |    Size |  Strpsz | Flags | DskCache |   Status |  OS Path | CacheCade        |InProgress
c0u0  | RAID-10 |   5455G |  256 KB | RA,WB | Disabled |  Optimal |        0 | Type : Read Only |None

-- Disk information --
    -- ID    | Type | Drive Model                       | Size     | Status          | Speed    | Temp | Slot ID  | LSI ID
    c0u0s0p0 | HDD  | HGST HUC101212CSS600 A469KZJ0M2DG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:0]   | 0
    c0u0s0p1 | HDD  | HGST HUC101212CSS600 A469KZJ0LJRG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:1]   | 1
    c0u0s1p0 | HDD  | HGST HUC101212CSS600 A469KZHZX1ZG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:2]   | 2
    c0u0s1p1 | HDD  | HGST HUC101212CSS600 A469KZJ076SG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:3]   | 3
    c0u0s2p0 | HDD  | HGST HUC101212CSS600 A469KZJ0B6PG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:4]   | 4
    c0u0s2p1 | HDD  | HGST HUC101212CSS600 A469KZJ0WWJG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:5]   | 5
    c0u0s3p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LT4G | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:6]   | 6
    c0u0s3p1 | HDD  | HGST HUC101212CSS600 A469KZJ0A5KG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:7]   | 7
    c0u0s4p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LRLG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:8]   | 8
    c0u0s4p1 | HDD  | HGST HUC101212CSS600 A469KZJ0DUGG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:9]   | 9

Finding it with storcli

#storcli /c0 /eall /sall show
----------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
----------------------------------------------------------------------------

DID is the disk's device ID.
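The lookup above can be scripted. This is an added example (not part of the original notes): it parses the storcli and MegaCli output shown above, embedded here as constructed sample input, emits the matching smartctl commands, and flags any member that is not Online (such as the Rbld disk in slot 3). The OS block device name (/dev/sda) is an assumption.

```python
import re

# Constructed sample input: the storcli and MegaCli output shown above, embedded so this runs offline
STORCLI_OUTPUT = """\
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
"""
MEGACLI_OUTPUT = "Device Id: 0\nDevice Id: 1\nDevice Id: 2\n"

# storcli rows start with "<enclosure>:<slot> <DID> <State>"; the remaining columns are ignored here
STORCLI_ROW = re.compile(r"^(\d+):(\d+)\s+(\d+)\s+(\S+)")
MEGACLI_ROW = re.compile(r"^Device Id:\s*(\d+)$")

def parse_storcli(text):
    """Return one dict per physical disk: enclosure, slot, device ID (DID) and state."""
    disks = []
    for line in text.splitlines():
        m = STORCLI_ROW.match(line.strip())
        if m:
            disks.append({"eid": int(m.group(1)), "slot": int(m.group(2)),
                          "did": int(m.group(3)), "state": m.group(4)})
    return disks

def parse_megacli_ids(text):
    """Return the device IDs from 'MegaCli -PDList -aAll | grep "Device Id"' output."""
    return [int(m.group(1)) for m in map(MEGACLI_ROW.match, text.splitlines()) if m]

def smartctl_commands(device_ids, os_dev="/dev/sda"):
    """Build the smartctl invocations: the OS sees the whole array as /dev/sdX (assumed /dev/sda),
    so the member disk is selected with -d megaraid,<DID>, not by block device."""
    return [f"smartctl -a -d megaraid,{did} {os_dev}" for did in device_ids]

def not_online(disks):
    """Members whose state is anything but Onln (e.g. Rbld = rebuilding) deserve a look first."""
    return [d for d in disks if d["state"] != "Onln"]

if __name__ == "__main__":
    disks = parse_storcli(STORCLI_OUTPUT)
    for cmd in smartctl_commands([d["did"] for d in disks]):
        print(cmd)
    for d in not_online(disks):
        print(f"WARNING: slot {d['eid']}:{d['slot']} (DID {d['did']}) is {d['state']}")
```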

Appendix: installing MegaCli and storcli

yum install -y -q http://dl.kvm.la/lsi/MegaCli_All_OS/Linux/MegaCli-8.07.06-1.noarch.rpm
ln -s /opt/MegaRAID/MegaCli/MegaCli64 /usr/bin/MegaCli
yum -y -q install http://dl.kvm.la/lsi/storcli_All_OS/Linux/storcli-1.23.02-1.noarch.rpm
ln -s   /opt/MegaRAID/storcli/storcli64  /usr/bin/storcli

Installing FRRouting on CentOS 7

Upstream moved some files without updating the build guide, so the last few install steps fail to find them; this is my own transcription of the procedure.
Original: http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-centos7.html

#Install the build environment with yum
    yum install -y -q nss curl  git autoconf automake libtool make cmake readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel pam-devel bison flex pytest c-ares-devel python-devel systemd-devel python-sphinx libcap-devel 
    groupadd -g 92 frr
    groupadd -r -g 85 frrvty
    useradd -u 92 -g 92 -M -r -G frrvty -s /sbin/nologin  -c "FRR FRRouting suite" -d /var/run/frr frr

    #Install libyang
    #(CentOS 7 does not package it)
    cd /tmp
    git clone https://github.com/CESNET/libyang.git
    cd libyang
    mkdir build; cd build
    cmake -DENABLE_LYD_PRIV=ON -DCMAKE_INSTALL_PREFIX:PATH=/usr -D CMAKE_BUILD_TYPE:String="Release" ..
    make
    make install

    #Install FRR
    cd /tmp
    git clone https://github.com/frrouting/frr.git frr
    cd frr
    ./bootstrap.sh
    ./configure \
        --bindir=/usr/bin \
        --sbindir=/usr/lib/frr \
        --sysconfdir=/etc/frr \
        --libdir=/usr/lib/frr \
        --libexecdir=/usr/lib/frr \
        --localstatedir=/var/run/frr \
        --with-moduledir=/usr/lib/frr/modules \
        --enable-snmp=agentx \
        --enable-multipath=64 \
        --enable-user=frr \
        --enable-group=frr \
        --enable-vty-group=frrvty \
        --enable-systemd=yes \
        --disable-exampledir \
        --disable-ldpd \
        --enable-fpm \
        --with-pkg-git-version \
        --with-pkg-extra-version=-MyOwnFRRVersion \
        SPHINXBUILD=/usr/bin/sphinx-build
    make
    make install
    install -p -m 644 ./tools/etc/frr/daemons /etc/frr/
    install -p -m 644 tools/frr.service  /usr/lib/systemd/system/frr.service
    install -p -m 644 tools/frrinit.sh.in  /usr/lib/frr/frr

    #Create empty FRR config files and set permissions
    mkdir -p /var/log/frr
    mkdir -p /etc/frr
    touch /etc/frr/zebra.conf
    touch /etc/frr/bgpd.conf
    touch /etc/frr/ospfd.conf
    touch /etc/frr/ospf6d.conf
    touch /etc/frr/isisd.conf
    touch /etc/frr/ripd.conf
    touch /etc/frr/ripngd.conf
    touch /etc/frr/pimd.conf
    touch /etc/frr/nhrpd.conf
    touch /etc/frr/eigrpd.conf
    touch /etc/frr/babeld.conf
    touch /etc/frr/vtysh.conf
    chown -R frr:frr /etc/frr/
    chown frr:frrvty /etc/frr/vtysh.conf
    chown frr:frr /etc/frr/daemons
    chmod 640 /etc/frr/*.conf
    cat >/etc/sysctl.d/90-routing-sysctl.conf <<EOF
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
EOF
    sysctl -p /etc/sysctl.d/90-routing-sysctl.conf

    #Register, enable and start FRR
    systemctl preset frr.service
    systemctl enable frr
    systemctl start frr

The installation steps end here.
Configure zebra first, then connect with telnet.

zebra configuration file

#cat /etc/frr/zebra.conf
! Zebra configuration file
!
frr version 6.0
frr defaults traditional
!
hostname Router
password zebra
enable password zebra
!
log stdout
!
!

For more configuration and guidance, see the official documentation.

   telnet 127.0.0.1 2601

From there the configuration syntax is much like Cisco's.


Installing ntop on CentOS

yum install -y  epel-release wget 
wget http://packages.ntop.org/centos/ntop.repo -O /etc/yum.repos.d/ntop.repo
yum install -y pfring-dkms n2disk nprobe ntopng cento
service redis start 
service ntopng start

bird+juniper BGP RTBH

bird example

log syslog all;
debug protocols off;
debug commands 0;

router id 1.1.1.1;

protocol static rtbh {
	route 99.99.99.99/32 blackhole;
	route 88.88.88.88/32 blackhole;
}

filter export_rtbh_out {
	# Limit to static routes
	if (proto = "rtbh") then
	{
		# Limit to /32 host routes (for now)
		if net.len = 32 then
		{
			bgp_community.add((65001,9999));
			bgp_next_hop = 192.0.2.1;
			accept;
		}
	}
	reject;
}

protocol bgp ER3 {
	description "iBGP to Edge Router 3 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 3.3.3.3 as 65001;
	import none;
	export filter export_rtbh_out;
}
protocol bgp ER4 {
	description "iBGP to Edge Router 4 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 4.4.4.4 as 65001;
	import none;
	export filter export_rtbh_out;
}



JUNOS configuration example

routing-options {
	static {
		route 192.0.2.1/32 discard;
	}
}

protocols {
	bgp {
		group RTBH {
			type internal;
			import import-from-rs;
			export deny-all;
			neighbor 1.1.1.1;
		}
	}
}

policy-options {
	policy-statement deny-all {
		term 1 {
			then reject;
		}
	}
	policy-statement import-from-rs {
		term 1 {
			from {
				community RTBH;
				route-filter 0.0.0.0/0 prefix-length-range /32-/32;
			}
			then accept;
		}
		term reject {
			then reject;
		}
	}
	community RTBH members 65001:9999;
}

Transcribed from https://gist.github.com/floatingstatic/854aa504a92ab8bc3e044e434ec378c4
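To see why the two configs above fit together, here is an added model (not from the gist or the original notes) of the policy chain: bird's export filter only lets /32 routes from protocol rtbh out, tags them with 65001:9999 and rewrites the next hop to 192.0.2.1; the JUNOS import policy accepts only /32s carrying that community, and the static discard route for 192.0.2.1 is what actually drops the traffic. The sample prefixes other than those on the page are constructed.

```python
from ipaddress import ip_network

# Values taken from the bird and JUNOS configs above
RTBH_COMMUNITY = (65001, 9999)   # bgp_community.add((65001,9999)) / community RTBH members 65001:9999
DISCARD_NEXT_HOP = "192.0.2.1"   # bgp_next_hop on the bird side; static ... discard on the JUNOS side

def export_rtbh_out(route):
    """Model of bird's export_rtbh_out: only /32 routes from protocol 'rtbh' leave the box,
    tagged with the RTBH community and with their next hop rewritten to the discard address."""
    if route["proto"] != "rtbh":
        return None                              # reject: not from the blackhole static protocol
    if ip_network(route["net"]).prefixlen != 32:
        return None                              # reject: not a host route
    update = dict(route)
    update["communities"] = set(route.get("communities", ())) | {RTBH_COMMUNITY}
    update["next_hop"] = DISCARD_NEXT_HOP
    return update                                # accept

def import_from_rs(update):
    """Model of the JUNOS import-from-rs policy: accept a /32 carrying community RTBH, else reject."""
    if update is None:
        return False
    return (RTBH_COMMUNITY in update["communities"]
            and ip_network(update["net"]).prefixlen == 32)

def forwarding_action(update, static_discards=(DISCARD_NEXT_HOP,)):
    """What the edge router does with traffic to the prefix once the route is installed:
    the next hop resolves to a static discard route, so packets are dropped (the actual RTBH)."""
    return "discard" if update["next_hop"] in static_discards else "forward"

def propagate(route):
    """Run one route through both sides and report the resulting action at the edge."""
    update = export_rtbh_out(route)
    if not import_from_rs(update):
        return "not installed"
    return forwarding_action(update)

if __name__ == "__main__":
    print(propagate({"net": "99.99.99.99/32", "proto": "rtbh"}))      # discard
    print(propagate({"net": "10.0.0.0/24", "proto": "rtbh"}))         # not installed (constructed: too wide)
    print(propagate({"net": "10.0.0.1/32", "proto": "static_other"})) # not installed (constructed: wrong protocol)
```

The prefix-length check on both sides is the safety net: a mistyped wider route in protocol rtbh never reaches the edge, so it cannot blackhole a whole subnet.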

[Repost] CentOS 7: opening ports in firewalld, and related notes

1. Starting, stopping and disabling firewalld
Start: # systemctl start firewalld
Check status: # systemctl status firewalld, or firewall-cmd --state
Stop: # systemctl stop firewalld
Disable: # systemctl disable firewalld

Check whether firewalld is running; either of the following commands works

systemctl status firewalld.service
firewall-cmd --state

Check the default zone and the active zones

With no configuration done yet, both the default zone and the active zone should be public

firewall-cmd --get-default-zone
firewall-cmd --get-active-zones

Check which ports (services) are currently open

Each service corresponds to a port, and every service has an xml file under /usr/lib/firewalld/services.

firewall-cmd --list-services

List the services that can be enabled

firewall-cmd --get-services

List all open ports:

firewall-cmd --zone=public --list-ports

Reload the firewall rules:

firewall-cmd --reload

Add a service to firewalld

firewall-cmd --add-service=http   # replace http with the service you want to open

A service added this way takes effect immediately but is lost at the next boot, which is handy for testing. To open a service permanently, add --permanent

firewall-cmd --permanent --add-service=http

If the port you want to open has no corresponding service

you need to create one: in /usr/lib/firewalld/services, copy any xml file to a new name, for example myservice.xml, and edit its contents:

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Transmission-client</short>
<description>Transmission is a lightweight GTK+ BitTorrent client.</description>
<port protocol="tcp" port="51413"/>
</service>

Change short to the name you want (it is only there for humans to read and has no functional effect); what matters is changing protocol and port. Save the file.

My experience is that firewalld has to be restarted at this point, systemctl restart firewalld.service, otherwise it may complain that the newly created service cannot be found.

Then add the new service to firewalld

firewall-cmd --permanent --add-service=myservice

Restart firewalld for it to take effect



Understand CentOS 7 firewalld in 5 minutes    http://www.cnblogs.com/stevenzeng/p/5152324.html
-------------------------------------------------------------------------------------------------------------

1. Basic firewalld usage
Start: systemctl start firewalld
Check status: systemctl status firewalld
Stop: systemctl stop firewalld
Disable: systemctl disable firewalld
2. systemctl is the main service management tool in CentOS 7; it merges the functions of the earlier service and chkconfig commands.
Start a service: systemctl start firewalld.service
Stop a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Show a service's status: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service is enabled at boot: systemctl is-enabled firewalld.service
List enabled services: systemctl list-unit-files|grep enabled
List failed services: systemctl --failed
3. Configuring with firewall-cmd
Show version: firewall-cmd --version
Show help: firewall-cmd --help
Show state: firewall-cmd --state
List all open ports: firewall-cmd --zone=public --list-ports
Reload the firewall rules: firewall-cmd --reload
Show active zones: firewall-cmd --get-active-zones
Show the zone of a given interface: firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check whether panic mode is on: firewall-cmd --query-panic
So how do you open a port?
Add
firewall-cmd --zone=public --add-port=80/tcp --permanent    (--permanent makes it persistent; without it the rule is lost after a reboot)
Reload
firewall-cmd --reload
Check
firewall-cmd --zone=public --query-port=80/tcp
Remove
firewall-cmd --zone=public --remove-port=80/tcp --permanent

Reposted from: https://www.cnblogs.com/hubing/p/6058932.html

Quick OpenResty deployment on CentOS 7

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ # expose the nginx binary in the usual sbin directory
ln -s /usr/local/openresty/nginx/conf /etc/nginx #symlink the config directory to the usual location
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #nginx alias for the systemd unit on CentOS 7
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Once the base deployment is done, sync the data over with rsync and finish the remaining basic configuration.

LVM snapshot migration / backup script

# Prints (does not run) the commands for every *_img LV that is not itself a snapshot; review the output, then feed it to sh.
# The inner quotes around the remote command must be escaped, otherwise the generated line runs
# "gzip -d | dd of=..." locally and overwrites the source LV instead of the one on the target host.
for VM in `lvs|grep img|grep -v snap |  awk -F_ '{ print $1}'` ;
 do
 echo "lvcreate -L 50G -s -n  "$VM"_snap /dev/vg0/"$VM"_img "
 echo "dd if=/dev/vg0/"$VM"_snap conv=sync,noerror bs=64K | gzip -c | ssh root@<target-server-ip> \"gzip -d |dd of=/dev/vg0/"$VM"_img conv=sync,noerror bs=64K\""
 echo "lvremove /dev/vg0/"$VM"_snap -f"
 echo "echo $VM done  \`date\`  >>/root/m.log"
 echo " "
done

The output can be written straight into a pre-created LV on the new server, or redirected to a file in a directory of your choice.

lvcreate -L 50G -s -n  kvm10000_snap /dev/vg0/kvm10000_img
dd if=/dev/vg0/kvm10000_snap conv=sync,noerror bs=64K | gzip -c | ssh root@<new-server-ip> "gzip -d |dd of=/dev/vg0/kvm10000_img conv=sync,noerror bs=64K"
lvremove /dev/vg0/kvm10000_snap -f
echo kvm10000 done  `date`  >>/root/m.log

CentOS major version upgrade, 6 to 7

For the 6-to-7 upgrade, walk through the steps on a test machine first; if you break it, that's on you.

#!/bin/bash

# fix.sh runs once from rc.local after the first boot into 7: it repairs the library symlinks
# that old binaries still expect, downgrades grep, then renames itself so it does not run again
cat>/root/fix.sh<<EOF
rm -f /lib64/libpcre.so.0 /usr/lib64/libpcre.so.0 /usr/lib64/libsasl2.so.2 /lib64/libsasl2.so.2
ln -s /usr/lib64/libpcre.so.1.2.0 /lib64/libpcre.so.0
ln -s /usr/lib64/libpcre.so.1.2.0 /usr/lib64/libpcre.so.0
ln -s /usr/lib64/libsasl2.so.3.0.0  /usr/lib64/libsasl2.so.2
ln -s /usr/lib64/libsasl2.so.3.0.0  /lib64/libsasl2.so.2
yum -y downgrade  grep
mv /root/fix.sh /root/fix.txt
EOF
chmod 755 /root/fix.sh
echo "/root/fix.sh">> /etc/rc.local

# the heredoc delimiter is quoted so that $releasever is left for yum to expand, not the shell
cat>/etc/yum.repos.d/upgradetool.repo<<'EOF'
[upg]
name=CentOS-$releasever - Upgrade Tool
baseurl=http://buildlogs.centos.org/centos/6/upg/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF

yum -y erase openscap
yum -y install redhat-upgrade-tool preupgrade-assistant-contents --disablerepo=base
preupg -s CentOS6_7 <<EOF
y
EOF
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
centos-upgrade-tool-cli --network 7 --instrepo=http://vault.centos.org/centos/7.2.1511/os/x86_64/ <<EOF
y
EOF
reboot

Building a newer gcc on CentOS from source

yum -y -q install gcc gcc-c++ glibc-static libstdc++-static kernel-devel lbzip2
wget ftp://gcc.gnu.org/pub/gcc/releases/gcc-9.2.0/gcc-9.2.0.tar.gz  -O -|tar xz
cd gcc-9.2.0
./contrib/download_prerequisites
./configure --enable-checking=release --enable-languages=c,c++ --disable-multilib
make
make install

Local self-signed SSL certificates on Linux

yum -y -q install nss-tools gcc
export VER="v1.4.0" 
wget -O mkcert https://github.com/FiloSottile/mkcert/releases/download/${VER}/mkcert-${VER}-linux-amd64
chmod +x mkcert 
mv mkcert /usr/local/bin
mkcert -install

mkcert domain.tld '*.domain.tld' domain2.tld localhost 127.0.0.1 ::1

The resulting pem and key files can be bound directly in the HTTP server configuration.

Crude CC-attack (HTTP flood) filtering with nginx Lua

Original: http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

The original page seems to be gone now. Stock nginx has to be built with the Lua module; OpenResty can use this directly.

location ~ \.php$ {
    rewrite_by_lua '
        -- token bound to the client IP and User-Agent; a missing UA must not break the concatenation
        local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
        if (ngx.var.cookie_humanflag ~= md5token) then
            -- no or wrong cookie: hand out the token and send the client back to the same URL
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

# The same idea in plain nginx config without Lua, keyed on the client address only
location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}
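What this check does and does not stop is easiest to see by replaying clients against it. The following is an added model (not the original's code) of the humanflag logic above: the same md5(remote_addr .. user_agent) token, the redirect-with-Set-Cookie when it is missing, and two simulated clients, one that honours cookies and one that ignores them. The host name and client address are constructed.

```python
import hashlib

def humanflag_token(remote_addr, user_agent):
    """Same token as the Lua above: md5(remote_addr .. user_agent); a missing UA counts as empty."""
    return hashlib.md5((remote_addr + (user_agent or "")).encode()).hexdigest()

def check_request(remote_addr, user_agent, cookies, scheme, host, uri):
    """Model of the rewrite_by_lua phase. Returns ("pass", None) when the cookie matches,
    otherwise ("redirect", headers) sending the client back to the same URL with the token."""
    token = humanflag_token(remote_addr, user_agent)
    if cookies.get("humanflag") != token:
        return ("redirect", {"Location": f"{scheme}://{host}{uri}",
                             "Set-Cookie": f"humanflag={token}"})
    return ("pass", None)

def simulate_client(honours_cookies, remote_addr="203.0.113.7",
                    user_agent="Mozilla/5.0", attempts=3):
    """Replay one client (constructed address/host) against the check. A browser stores the
    cookie and passes from the second request on; a flood tool that ignores Set-Cookie is
    redirected every time and never reaches the PHP backend."""
    jar, outcomes = {}, []
    for _ in range(attempts):
        verdict, headers = check_request(remote_addr, user_agent, jar,
                                         "https", "example.test", "/index.php")
        outcomes.append(verdict)
        if verdict == "redirect" and honours_cookies:
            name, value = headers["Set-Cookie"].split("=", 1)
            jar[name] = value
    return outcomes

if __name__ == "__main__":
    print(simulate_client(True))    # ['redirect', 'pass', 'pass']
    print(simulate_client(False))   # ['redirect', 'redirect', 'redirect']
```

Because the token is bound to IP and User-Agent, a legitimate client whose address or UA changes mid-session is simply challenged again; the filter only distinguishes clients that follow redirects and keep cookies from those that do not.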

Blocking common mail ports with iptables

# multiport ranges are inclusive: 465:587 blocks every port from 465 through 587, not only 465 and 587
iptables -A INPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A INPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
/etc/init.d/iptables save