ST, SC, FC and LC fiber connectors
Daily notes
set firewall family inet filter local_acl term DenyICMP from protocol icmp
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-request
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-reply
set firewall family inet filter local_acl term DenyICMP from icmp-type time-exceeded
set firewall family inet filter local_acl term DenyICMP from icmp-type unreachable
set firewall family inet filter local_acl term DenyICMP then discard
set firewall family inet filter local_acl term terminal_access from source-prefix-list Trusted_IP
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied from destination-port http
set firewall family inet filter local_acl term terminal_access_denied from destination-port https
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept

dnf update --refresh -y
dnf install dnf-plugin-system-upgrade -y
dnf system-upgrade download --releasever=$(( $(awk '{ print $3 }' /etc/fedora-release) + 1 )) --allowerasing -y
dnf system-upgrade reboot -y
dnf --releasever $(( $(awk '{ print $3 }' /etc/fedora-release) + 1 )) upgrade -y
Upgraded step by step from Fedora 23 all the way to 31 this way.

AddNginxHost(){
    cat>>/etc/nginx/conf/$1.conf<<EOF
server {
    listen 80;
    listen 443;
    server_name www.$1 $1;
    access_log /var/log/httpd/$1.log;
    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_pass http://$2;
    }
}
EOF
}

function banip () {
    cat>/etc/nginx/ip/$1<<EOF
deny $1;
if (\$remote_addr = "$1"){return 400;}
if (\$http_x_forwarded_for = "$1"){return 400;}
if (\$proxy_add_x_forwarded_for = "$1"){return 400;}
EOF
    nginx -s reload
}

function add_stream() {
    cat > /etc/nginx/stream/$1.conf << EOF
server {
    listen $1:80 reuseport;
    listen $1:443 reuseport;
    listen $1:623 udp reuseport;
    listen $1:5900 reuseport;
    listen $1:5985 reuseport;
    listen $1:7578 reuseport;
    listen $1:5120 reuseport;
    listen $1:5122 reuseport;
    listen $1:5123 reuseport;
    listen $1:7582 reuseport;
    listen $1:5124 reuseport;
    listen $1:5126 reuseport;
    listen $1:5127 reuseport;
    proxy_connect_timeout 5s;
    proxy_timeout 20s;
    proxy_pass $2:\$server_port;
}
EOF
    nginx -s reload
}
add_stream 103.213.246.4 10.0.13.13
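The banip() above writes its argument straight into a file name under /etc/nginx/ip/ and into nginx directives, so whatever is passed becomes a path and a config line. The following is an added example, not the note's own function: it validates the argument as an IPv4 address first and only reloads nginx when the binary is present and the config tests clean. NGINX_IP_DIR is an assumption (overridable; defaults to the note's directory).

```shell
#!/bin/sh
# Added example, not the note's own banip(): refuse anything that is not a
# dotted-quad IPv4 address before it is used as a file name or a directive.
# NGINX_IP_DIR is an assumption; it defaults to the directory used in the note.
NGINX_IP_DIR="${NGINX_IP_DIR:-/etc/nginx/ip}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;   # non-digit, empty, or stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the candidate into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# banip_safe ADDR: same nginx snippet as the note's banip(), written only
# after ADDR passed is_ipv4; reload only if nginx exists and the config is valid.
banip_safe() {
    is_ipv4 "$1" || { echo "banip: not an IPv4 address, refusing: $1" >&2; return 1; }
    cat > "$NGINX_IP_DIR/$1" <<EOF
deny $1;
if (\$remote_addr = "$1"){return 400;}
if (\$http_x_forwarded_for = "$1"){return 400;}
if (\$proxy_add_x_forwarded_for = "$1"){return 400;}
EOF
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}
```

The two X-Forwarded-For lines repeat the note's logic; that header is set by whoever sent the request, so when nginx faces clients directly only the deny/$remote_addr lines are authoritative.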
snap() {
    # nothing to do without a volume name; "return" rather than "exit" so the
    # calling shell survives (the unquoted "[ ! -n $1 ]" test never fired)
    if [ -z "$1" ]; then return 0; fi
    lvcreate -L 50G -s -n ${1}_snap /dev/vg0/${1}_img
    kpartx -av /dev/mapper/vg0-${1}_snap
    mount /dev/mapper/vg0-${1}_snap1 /mnt
    ls /mnt/root/.bash_history
}

mysqlrootpwd=$(openssl rand -base64 6)
yum -y install epel-release
yum -y install mysql mysql-server pdns pdns-backend-mysql
yum -y install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash
yum -y install php-pear-DB php-pear-MDB2-Driver-mysql
chkconfig --levels 235 httpd on
chkconfig --levels 235 mysqld on
chkconfig --levels 235 pdns on
#mysqladmin -u root password $mysqlrootpwd
mysqladmin create powerdns
mysql -Bse "create user 'powerdns'@'localhost' identified by '$mysqlrootpwd'"
mysql -Bse "grant all privileges on powerdns.* to 'powerdns'@'localhost'"
mysql -Bse "GRANT ALL ON powerdns.* TO 'powerdns'@'108.171.205.98' IDENTIFIED BY '$mysqlrootpwd'"
wget http://files.soluslabs.com/solusvm/pdns/pdns.sql
mysql --user=powerdns --password=$mysqlrootpwd < pdns.sql
cat>/etc/pdns/pdns.conf<<EOF
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=$mysqlrootpwd
gmysql-dbname=powerdns
EOF
/etc/init.d/mysqld restart
/etc/init.d/httpd restart
/etc/init.d/httpd start
/etc/init.d/pdns restart

wget -c https://github.com/poweradmin/poweradmin/tarball/master -O poweradmin.tar.gz
tar zxf poweradmin.tar.gz
mv poweradmin-* /var/www/html/poweradmin
chown -R apache:apache /var/www/html/poweradmin/
On a freshly installed ESXi the password is correct but login still fails. I ran into this years ago and fixed it by resetting from the shell, but so much time has passed that I forgot how; recently I hit it several more times and flailed around like a headless fly, so I am writing it down here.
The root cause is that the SSH port was being brute-forced; too many failed logins triggered the account lockout.
On a fresh install, log in to the management page, go to "Manage" -> "Advanced settings", search for the following keys and set Security.AccountLockFailures to 0, or simply disable the SSH service:
Security.AccountLockFailures
Security.AccountUnlockTime
Or do it with PowerCLI:
Set-VMHostAdvancedConfiguration Security.AccountLockFailures -Value 0
Set-VMHostAdvancedConfiguration Security.AccountUnlockTime -Value 0
You can also switch to SSH key login and then reset the root account's failure counter:
/etc/ssh/keys-root/authorized_keys
pam_tally2 --user root
pam_tally2 --user root --reset
If the fresh install is already locked out and key login has not been set up yet, the reset has to be done through IPMI.
In the console, under Troubleshooting mode options, choose Restart Management Agents to reset; after that you can log in again via the web UI or the client to finish the configuration.
Notes
yum -y -q install monit tcsh perl-Net-BGP
git clone https://github.com/zhecho/nfsen-blackhole
cd nfsen-blackhole
sed -i "s#/usr/local/var/nfsen#/opt/nfsen/var/run#g" *
sed -i "s#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g" *
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm /opt/nfsen/plugins/
install bgp_simple.pl /opt/nfsen/plugins/
install blackHole.php /opt/nfsen/www/plugins/
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}

Configuration notes

# sensor
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANsensor
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor

# console
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANconsole
yum install -y -q epel-release
yum install -y -q php-pecl-radius

Other

# [mysqld] section of /etc/my.cnf
max_allowed_packet=64M
max_connections=1000
open_files_limit=5000
skip-name-resolve

nano /etc/my.cnf
# set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
mysql_secure_installation
systemctl start mariadb
systemctl enable mariadb
nano /etc/php.ini
# set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
systemctl restart firewalld
/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
yum install -y -q https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm
nano /etc/influxdb/influxdb.conf
[data]
index-version = "tsi1"
max-series-per-database = 0
max-values-per-tag = 0
[retention]
enabled = true
[http]
enabled = true
log-enabled = false
max-row-limit = 0
max-body-size = 0
[logging]
level = "warn"
[continuous_queries]
enabled = true
systemctl restart influxdb
sflow-rt is quite handy; you can extend it by writing apps in JS.
Official download link: https://sflow-rt.com/download.php
echo net.ipv4.ip_unprivileged_port_start=0>>/etc/sysctl.conf
sysctl -p
yum install java java-11-openjdk -y
yum install -y -q https://inmon.com/products/sFlow-RT/sflow-rt-$(curl -s https://inmon.com/products/sFlow-RT/latest.txt).noarch.rpm

/usr/local/sflow-rt/get-app.sh sflow-rt top-flows
/usr/local/sflow-rt/get-app.sh sflow-rt dashboard-example
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-blackhole
/usr/local/sflow-rt/get-app.sh sflow-rt sflow-test
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-protect
systemctl start sflow-rt
systemctl enable sflow-rt

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=179:proto=tcp:toport=1179 --permanent
firewall-cmd --zone=public --add-port=179/tcp --permanent
firewall-cmd --zone=public --add-port=6343/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports

To run BGP on port 179 itself, the authbind command has to be added to the service's startup file:

yum install -y https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm
touch /etc/authbind/byport/179
chmod 755 /etc/authbind/byport/179

In /etc/init.d/sflow-rt find the START line and change it to:
START='authbind --deep /usr/local/sflow-rt/bin/run-rt'
Very similar to Observium; open-source software.

yum -y install cronie fping git ImageMagick whois mtr net-snmp net-snmp-utils nmap python-memcached rrdtool file bison mlocate flex diffutils
useradd librenms -d /opt/librenms -M -r
cd /opt
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
runuser -l librenms -c '/opt/php7/bin/php /opt/librenms/scripts/composer_wrapper.php install --no-dev'

nginx configuration

server {
    listen 80;
    root /opt/observium;
    index index.php;
    server_name observium.example.com;
    error_log /var/log/nginx/observium.error.log;
    access_log /var/log/nginx/observium.log;
    location / {
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/dev/shm/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_read_timeout 300;
        }
    }
    location ~ /\.ht {
        deny all;
    }
}
server {
    listen 80;
    server_name librenms.example.com;
    root /opt/librenms/html;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location /api/v0 {
        try_files $uri $uri/ /api_v0.php?$query_string;
    }
    location ~ \.php {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/dev/shm/php-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}

FPM configuration file

[librenms]
user = $pool
group = $pool
listen = /dev/shm/$pool.sock
listen.mode = 0666
pm = dynamic
pm.max_children = 15
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 5
chdir = /opt/bgpto
security.limit_extensions = .php .php3 .php4 .php5 .php7
env[HOSTNAME] = $pool.hostname
env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/php7/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /var/log/fpm-php.$pool.log
php_admin_value[memory_limit] = 256M
wget dl.kvm.la/tools/esxi_ipmitool-1.8.15-1.vib -O /var/log/vmware/ipmitool-1.8.15-1.vib
esxcli software acceptance set --level=CommunitySupported
# esxcli needs the absolute path of the VIB
esxcli software vib install -v /var/log/vmware/ipmitool-1.8.15-1.vib
/opt/ipmitool/bin/ipmitool mc reset cold

yum -y -q install nss curl git libtool m4 automake bzip2-devel
git clone https://github.com/phaag/nfdump
cd nfdump
./autogen.sh
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/local/rrdtool
make
make install
install -p -m 644 bin/nftrack /usr/bin/

yum -y -q install epel-release wget
yum -y -q install nss curl git nfdump perl gcc make libpcap-devel fprobe-ulog rrdtool-devel rrdtool-perl flex byacc perl
yum -y -q install perl-MailTools perl-Socket6 perl-Sys-Syslog 'perl(Data::Dumper)' perl-DBD-MySQL
wget https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.8/nfsen-1.3.8.tar.gz/download -O -|tar xz
cd nfsen-1.3.8
#cat etc/nfsen-dist.conf |grep -v ^#|grep -v ^$ >etc/nfsen.conf
wget dl.kvm.la/conf/nfsen/nfsen.conf -O etc/nfsen.conf
perl install.pl etc/nfsen.conf
ln -s /opt/nfsen/bin/nfsen /usr/bin/
# install the PortTracker plugin
install contrib/PortTracker/PortTracker.pm /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php /opt/nfsen/plugins/
mkdir -p /data/ports-db
chown -R nobody:nobody /data/ports-db /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db
wget dl.kvm.la/conf/nfsen/nfsen.init -O /etc/init.d/nfsen
chmod 755 /etc/init.d/nfsen
chkconfig nfsen on
For normal use you also need httpd and PHP, plus sFlow data sent to nfsen for analysis, and so on.

yum install smartmontools -y -q
smartctl -a -d megaraid,N /dev/sdX

N is the disk's device ID, which can be found with storcli or MegaCli.
X is the order of the storage device as seen by the OS; the first storage device starts at a.
Ways to look up the disk device ID:
# Method 1
# MegaCli -PDList -aAll|grep "Device Id"
Device Id: 0
Device Id: 1
Device Id: 2
Device Id: 3
Device Id: 4
Device Id: 5
Device Id: 6
Device Id: 7
Device Id: 8
Device Id: 9

# Method 2 (the LSI ID is the device ID)
# curl -sS http://dl.kvm.la/lsi/megaclisas-status | python
-- Controller information --
-- ID | H/W Model | RAM | Temp | BBU | Firmware
c0 | PERC H710 Mini | 512MB | 76C | Good | FW: 21.0.1-0132
-- Array information --
-- ID | Type | Size | Strpsz | Flags | DskCache | Status | OS Path | CacheCade | InProgress
c0u0 | RAID-10 | 5455G | 256 KB | RA,WB | Disabled | Optimal | 0 | Type : Read Only | None
-- Disk information --
-- ID | Type | Drive Model | Size | Status | Speed | Temp | Slot ID | LSI ID
c0u0s0p0 | HDD | HGST HUC101212CSS600 A469KZJ0M2DG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:0] | 0
c0u0s0p1 | HDD | HGST HUC101212CSS600 A469KZJ0LJRG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:1] | 1
c0u0s1p0 | HDD | HGST HUC101212CSS600 A469KZHZX1ZG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 30C | [32:2] | 2
c0u0s1p1 | HDD | HGST HUC101212CSS600 A469KZJ076SG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:3] | 3
c0u0s2p0 | HDD | HGST HUC101212CSS600 A469KZJ0B6PG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 30C | [32:4] | 4
c0u0s2p1 | HDD | HGST HUC101212CSS600 A469KZJ0WWJG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:5] | 5
c0u0s3p0 | HDD | HGST HUC101212CSS600 A469KZJ0LT4G | 1.090 TB | Online, Spun Up | 6.0Gb/s | 30C | [32:6] | 6
c0u0s3p1 | HDD | HGST HUC101212CSS600 A469KZJ0A5KG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:7] | 7
c0u0s4p0 | HDD | HGST HUC101212CSS600 A469KZJ0LRLG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 30C | [32:8] | 8
c0u0s4p1 | HDD | HGST HUC101212CSS600 A469KZJ0DUGG | 1.090 TB | Online, Spun Up | 6.0Gb/s | 31C | [32:9] | 9

# Method 3
# storcli /c0 /eall /sall show
----------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model        Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
----------------------------------------------------------------------------
DID is the disk's device ID.
yum install -y -q http://dl.kvm.la/lsi/MegaCli_All_OS/Linux/MegaCli-8.07.06-1.noarch.rpm
ln -s /opt/MegaRAID/MegaCli/MegaCli64 /usr/bin/MegaCli

yum -y -q install http://dl.kvm.la/lsi/storcli_All_OS/Linux/storcli-1.23.02-1.noarch.rpm
ln -s /opt/MegaRAID/storcli/storcli64 /usr/bin/storcli
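The mapping from controller listing to "smartctl -d megaraid,N" is easy to get wrong by hand on a box with many drives. The following is an added example, not part of the note: it parses the storcli table and the MegaCli "Device Id" lines shown above and prints the smartctl command for each drive so the mapping can be reviewed before anything runs. The sample listings are constructed from the tables above; /dev/sda is an assumed OS device path.

```shell
#!/bin/sh
# Added example, not part of the note: derive the "megaraid,N" ids that smartctl
# needs from the controller tools' output. STORCLI_SAMPLE and MEGACLI_SAMPLE are
# constructed from the listings quoted above.
STORCLI_SAMPLE='----------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model        Sp Type
----------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034 U  -
----------------------------------------------------------'
MEGACLI_SAMPLE='Device Id: 0
Device Id: 1
Device Id: 2'

# storcli_dids: read "storcli /cX /eall /sall show" on stdin and print
# "EID:Slt DID State" for each drive row. Header, rule and blank lines are
# skipped because their first field is not of the form <digits>:<digits>.
storcli_dids() {
    awk '$1 ~ /^[0-9]+:[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $1, $2, $3 }'
}

# megacli_dids: read "MegaCli -PDList -aAll" output on stdin, print one DID per line.
megacli_dids() {
    awk -F': *' '/^Device Id:/ { print $2 }'
}

# smart_cmds DEV: print (not run) one smartctl command per DID in the storcli
# table on stdin, for the OS block device DEV (the /dev/sdX of the note).
# Each line carries the slot and state so a rebuilding drive is visible.
smart_cmds() {
    dev=$1
    storcli_dids | while read -r slot did state; do
        printf 'smartctl -a -d megaraid,%s %s   # slot %s (%s)\n' "$did" "$dev" "$slot" "$state"
    done
}
```

Pipe real output in place of the samples (storcli /c0 /eall /sall show | smart_cmds /dev/sda) and, once the list looks right, feed it to sh.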
Upstream moved some files around without updating the install guide in time, so the last few install steps could not find the files; I therefore copied out my own version.
Original: http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-centos7.html
# install the base environment with yum
yum install -y -q nss curl git autoconf automake libtool make cmake readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel pam-devel bison flex pytest c-ares-devel python-devel systemd-devel python-sphinx libcap-devel
groupadd -g 92 frr
groupadd -r -g 85 frrvty
useradd -u 92 -g 92 -M -r -G frrvty -s /sbin/nologin -c "FRR FRRouting suite" -d /var/run/frr frr
# install libyang (CentOS 7 does not ship it)
cd /tmp
git clone https://github.com/CESNET/libyang.git
cd libyang
mkdir build; cd build
cmake -DENABLE_LYD_PRIV=ON -DCMAKE_INSTALL_PREFIX:PATH=/usr -D CMAKE_BUILD_TYPE:String="Release" ..
make
make install
# install frr
cd /tmp
git clone https://github.com/frrouting/frr.git frr
cd frr
./bootstrap.sh
./configure \
    --bindir=/usr/bin \
    --sbindir=/usr/lib/frr \
    --sysconfdir=/etc/frr \
    --libdir=/usr/lib/frr \
    --libexecdir=/usr/lib/frr \
    --localstatedir=/var/run/frr \
    --with-moduledir=/usr/lib/frr/modules \
    --enable-snmp=agentx \
    --enable-multipath=64 \
    --enable-user=frr \
    --enable-group=frr \
    --enable-vty-group=frrvty \
    --enable-systemd=yes \
    --disable-exampledir \
    --disable-ldpd \
    --enable-fpm \
    --with-pkg-git-version \
    --with-pkg-extra-version=-MyOwnFRRVersion \
    SPHINXBUILD=/usr/bin/sphinx-build
make
make install
install -p -m 644 ./tools/etc/frr/daemons /etc/frr/
install -p -m 644 tools/frr.service /usr/lib/systemd/system/frr.service
install -p -m 644 tools/frrinit.sh.in /usr/lib/frr/frr
# create empty FRR config files and set their permissions
mkdir /var/log/frr
mkdir /etc/frr
touch /etc/frr/zebra.conf
touch /etc/frr/bgpd.conf
touch /etc/frr/ospfd.conf
touch /etc/frr/ospf6d.conf
touch /etc/frr/isisd.conf
touch /etc/frr/ripd.conf
touch /etc/frr/ripngd.conf
touch /etc/frr/pimd.conf
touch /etc/frr/nhrpd.conf
touch /etc/frr/eigrpd.conf
touch /etc/frr/babeld.conf
touch /etc/frr/vtysh.conf
chown -R frr:frr /etc/frr/
chown frr:frrvty /etc/frr/vtysh.conf
chown frr:frr /etc/frr/daemons
chmod 640 /etc/frr/*.conf

cat>/etc/sysctl.d/90-routing-sysctl.conf<<EOF
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
EOF
sysctl -p /etc/sysctl.d/90-routing-sysctl.conf
# register, enable and start FRR
systemctl preset frr.service
systemctl enable frr
systemctl start frr
That concludes the installation steps.
zebra has to be configured before connecting with telnet:

# cat /etc/frr/zebra.conf
!
! Zebra configuration file
!
frr version 6.0
frr defaults traditional
!
hostname Router
password zebra
enable password zebra
!
log stdout
!
!

For further configuration and guidance see the official documentation.
telnet 127.0.0.1 2601
From there the configuration syntax is much like Cisco's.