Clearing Linux system logs
for I in `echo dmesg lastlog messages secure tallylog wtmp btmp maillog spooler yum.log`; do echo > /var/log/$I; done
history -c
You need openresty or nginx installed, version above 1.15.10.
For building from source see http://www.kvm.la/1043.html ; the openresty binary packages lag behind and are not updated, so building from source is recommended.
First put the IPMI IPs into a file named ip.list, one IP per line.
#!/bin/bash
i=1000 # vnc start port
b=2000 # bmc start port
# hextoip() { hex=$1; printf "%d." 0x${hex:0:2}; printf "%d." 0x${hex:2:2}; printf "%d." 0x${hex:4:2}; printf "%d" 0x${hex:6:2}; }
#gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > $stream_route_map
echo " default 0;" > $http_route_map
for IP in `cat /root/ipmi/ip.list | uniq -c |awk '{ print $2 }'`;
do
i=`expr $i + 1` ;
b=`expr $b + 1` ;
HEXIP=`gethostip -x $IP | tr 'A-Z' 'a-z'` ;
echo " ~*($IP|$i|$b|$HEXIP)$ IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >>$http_route_map;
echo " ~*($b|$i)$ $IP;" >> $stream_route_map
done
nginx -s reload
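As an added example (not the post's own script), the same map generation in Python, with the `gethostip -x` conversion done via `ipaddress`, plus a small emulation of nginx's `map` lookup so the generated regex entries can be checked offline. `build_maps`, `resolve`, `ip2hex` and the sample address list are assumptions of this example.

```python
import ipaddress
import re

# Added example, not the post's own script: build the two nginx map files in
# Python (no gethostip dependency) and emulate nginx's map lookup so the
# generated regexes can be checked offline.


def ip2hex(ip):
    """Dotted IPv4 -> 8 lowercase hex digits, the form `gethostip -x` prints."""
    return "%08x" % int(ipaddress.IPv4Address(ip))


def build_maps(ips, vnc_start=1000, bmc_start=2000):
    """Return (http_map_text, stream_map_text) in the layout the script writes.

    Duplicate addresses are dropped in first-seen order; the script's
    `uniq -c` only collapses adjacent duplicates, so an unsorted ip.list
    would otherwise get two entries (and two port pairs) for one BMC.
    """
    http = [" default 0;"]
    stream = [" default 0;"]
    seen = set()
    vnc, bmc = vnc_start, bmc_start
    for raw in ips:
        ip = raw.strip()
        if not ip or ip in seen:
            continue
        ipaddress.IPv4Address(ip)  # reject junk lines early
        seen.add(ip)
        vnc += 1
        bmc += 1
        hexip = ip2hex(ip)
        http.append(" ~*(%s|%d|%d|%s)$ IP<%s>|VNC<%d>|BMC<%d>|HEX<%s>;"
                    % (ip, vnc, bmc, hexip, ip, vnc, bmc, hexip))
        stream.append(" ~*(%d|%d)$ %s;" % (bmc, vnc, ip))
    return "\n".join(http) + "\n", "\n".join(stream) + "\n"


def resolve(map_text, key):
    """Emulate an nginx map lookup on the generated text: the first `~*`
    (case-insensitive) regex entry that matches wins, else the default."""
    default = "0"
    for line in map_text.splitlines():
        entry = line.strip().rstrip(";")
        if entry.startswith("default "):
            default = entry.split(None, 1)[1]
        elif entry.startswith("~*"):
            pattern, value = entry[2:].split(None, 1)
            if re.search(pattern, key, re.IGNORECASE):
                return value
    return default


# constructed sample ip.list contents (includes a non-adjacent duplicate)
SAMPLE_IPS = ["10.0.12.1", "10.0.13.13", "10.0.12.1"]

if __name__ == "__main__":
    http_map, stream_map = build_maps(SAMPLE_IPS)
    print(http_map)
    print(stream_map)
    # the patterns are only end-anchored, so a key like "12001" also hits
    # the entry meant for port 2001; worth knowing before reusing the map
    for key in ("1001", "2002", "12001", "9999"):
        print(key, "->", resolve(stream_map, key))
```

`resolve` is only a check, not a replacement for nginx; its value is showing that the generated patterns have no `^` anchor, so any key that merely ends in one of the numbers matches.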
Part of the workflow: a formatted template takes the tedium out of the process.
Hello [NAME], please deal with the following abuse complaint report we received as soon as possible, thank you.
We have received a complaint report concerning your order. We ask that you investigate this matter promptly. Once your investigation is complete, please reply with answers to the following questions:
1) What is the root cause of the problem?
2) What steps have you taken to resolve this issue?
3) What measures have you taken to prevent this from happening again?
Since this activity violates our Terms of Service, we ask that you reply within the next 12 hours. If we do not receive a reply within this period, we may temporarily suspend your service to prevent further malicious activity.
=========== COMPLAINT STARTS HERE ============
Complaint text (remove this line in the template)
Complaint text (remove this line in the template)
Complaint text (remove this line in the template)
=========== COMPLAINT ENDS HERE ==============
Please keep us updated throughout this process and let us know if you have any questions.
Kind Regards,
<company name> Support
In a Linux kickstart file the rootpw password can be given in plain text or as an encrypted (hashed) value; this covers three hashing methods: md5, sha256 and sha512.
Using plain text
rootpw "password"
Using an encrypted value
rootpw --iscrypted password_hash
authconfig --enableshadow --enablemd5 (--passalgo=sha256 or --passalgo=sha512)
Using the openssl passwd command:
# openssl passwd -1 "password"
$1$uMOl6YMI$7AAO8YG7l37ipRXCmmame.
Using grub-crypt, which prompts for the password:
# grub-crypt --md5
Password:
Retype password:
$1$Y9TR8PpY$qm1VzsjKzbXtYInyAQLG70
Using python, which also prompts for the password:
# echo 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), "$1$8_CHARACTER_SALT_HERE"))' | python -
Password:
$1$8_CHARAC$GVWpvO3Hu009C37IYF41L0
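As an added example (not from the post), a small audit script that reads the rootpw directive of a kickstart file and reports whether it stores the password in clear text, as md5-crypt, sha256-crypt or sha512-crypt, or as a malformed value. `classify_rootpw`, `audit_kickstart` and the sample kickstart text are assumptions of this example; the md5 hash in the sample is the one shown above, the sha512 value is a constructed dummy with the right shape.

```python
import re
import shlex

# Added example, not from the original post: audit the rootpw directive of a
# kickstart file and report whether it is plaintext, md5, sha256 or sha512.

# crypt(3) hash layout: $id$[rounds=N$]salt$hash, alphabet ./0-9A-Za-z
CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$"
    r"(?P<hash>[./0-9A-Za-z]+)$"
)
# algorithm name and expected encoded-hash length per id
CRYPT_IDS = {"1": ("md5", 22), "5": ("sha256", 43), "6": ("sha512", 86)}


def classify_rootpw(line):
    """Describe one kickstart line; return None if it is not a rootpw directive."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "rootpw":
        return None
    flags = {t for t in tokens[1:] if t.startswith("--")}
    values = [t for t in tokens[1:] if not t.startswith("--")]
    value = values[0] if values else ""

    if "--lock" in flags and not value:
        return {"mode": "locked", "algorithm": None, "weak": False,
                "reason": "root password locked, no hash set"}
    if "--iscrypted" not in flags:
        # no --iscrypted (or explicit --plaintext): the literal password is in the file
        return {"mode": "plaintext", "algorithm": None, "weak": True,
                "reason": "password stored in clear text in the kickstart file"}
    m = CRYPT_RE.match(value)
    if not m:
        return {"mode": "crypted", "algorithm": None, "weak": True,
                "reason": "--iscrypted given but value is not a recognised crypt hash"}
    name, length = CRYPT_IDS[m.group("id")]
    if len(m.group("hash")) != length:
        return {"mode": "crypted", "algorithm": name, "weak": True,
                "reason": "%s hash has wrong length (%d, expected %d)"
                          % (name, len(m.group("hash")), length)}
    weak = name == "md5"
    reason = ("md5-crypt is fast to brute-force; regenerate with --passalgo=sha512"
              if weak else "ok")
    return {"mode": "crypted", "algorithm": name, "weak": weak, "reason": reason}


def audit_kickstart(text):
    """Return (line_number, result) for every rootpw directive in a kickstart file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        r = classify_rootpw(line)
        if r is not None:
            findings.append((n, r))
    return findings


# constructed sample: the md5 hash is the one from the post, the sha512 value is
# a dummy with the right shape (a real one would come from `openssl passwd -6`)
SAMPLE_SHA512 = "$6$constructedsalt$" + "a" * 86
SAMPLE_KS = "\n".join([
    "install",
    'rootpw "password"',
    "rootpw --iscrypted $1$uMOl6YMI$7AAO8YG7l37ipRXCmmame.",
    "authconfig --enableshadow --passalgo=sha512",
    "rootpw --iscrypted " + SAMPLE_SHA512,
    "rootpw --lock",
])

if __name__ == "__main__":
    for n, r in audit_kickstart(SAMPLE_KS):
        print("line %d: %s %s -> %s" % (n, r["mode"], r["algorithm"] or "", r["reason"]))
```

The length check matters because a truncated hash pasted into `rootpw --iscrypted` installs fine but leaves an account nobody can log in to, which is only discovered at first boot.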
These are just my notes; if the upgrade goes wrong, that is on you.
# switch to the CentOS 7 vault repo
mirrors=http://ftp.iij.ad.jp/pub/linux/centos-vault/7.9.2009/
sed -e "s|^mirrorlist=|#mirrorlist=|g" -e "s|#baseurl=http://mirror.centos.org/centos/\$releasever/|baseurl=$mirrors|" \
-i.bak /etc/yum.repos.d/CentOS-*.repo
yum -y install epel-release dnf
dnf upgrade -y
# start the upgrade to CentOS 8
dnf install -y http://mirrors.klayer.com/centos-vault/8.5.2111//BaseOS/x86_64/os/Packages/{centos-linux-release-8.5-1.2111.el8.noarch.rpm,centos-gpg-keys-8-3.el8.noarch.rpm,centos-linux-repos-8-3.el8.noarch.rpm}
minorver=8.5.2111
#mirrors=https://mirrors.aliyun.com/centos-vault
mirrors=http://ftp.iij.ad.jp/pub/linux/centos-vault
sudo sed -e "s|^mirrorlist=|#mirrorlist=|g" \
-e "s|^#baseurl=http://mirror.centos.org/\$contentdir/\$releasever|baseurl=$mirrors/$minorver|g" \
-i.bak \
/etc/yum.repos.d/CentOS-*.repo
dnf -y remove NetworkManager dracut-network python36-rpmconf fail2ban* yum yum-metadata-parser libsysfs
rm -rf /etc/yum
dnf upgrade -y epel-release
dnf clean all
rpm -e `rpm -q kernel`
rpm -e --nodeps sysvinit-tools
dnf -y --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync
dnf -y install kernel-core
dnf -y groupupdate Core "Minimal Install"
rpm -qa | grep '\.el7' | xargs rpm -e # remove leftover el7 packages
cat /etc/redhat-release
Error: transaction check vs depsolve: (gcc >= 8 with gcc < 9) is needed by annobin-9.72-1.el8_5.2.x86_64
If you hit the error about the annobin package, force-install it with rpm
rpm -ivh --nodeps --force `find /var/cache/dnf -name annobin*`
These packages can also be removed
dnf -y remove NetworkManager dracut-network python36-rpmconf
The versions of the three CentOS 8 packages centos-release, centos-gpg-keys and centos-repos change over time, so pick the current ones when doing this.
You can also use the centos vault repo instead of http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/ .
Summary
When dnf -y --releasever=8 complains about a package some rpm needs, force-install it with rpm -ivh --nodeps --force; otherwise force-remove the offending package with rpm -e --nodeps.
wget --no-check-certificate https://raw.githubusercontent.com/clangcn/onekey-install-shell/master/frps/install-frps.sh -O ./install-frps.sh
chmod 700 ./install-frps.sh
./install-frps.sh install
dd if=/dev/zero of=test bs=64k count=4k oflag=dsync
curl -Ss http://86.re/bench.sh |bash
curl -fsL https://ilemonra.in/LemonBenchIntl | bash -s fast
curl -fsL https://github.com/LemonBench/LemonBench/raw/master/LemonBench.sh | bash -s fast
https://www.91yuntest.com/
wget -N --no-check-certificate https://raw.githubusercontent.com/91yun/91yuntest/master/test.sh && bash test.sh -i "io,bandwidth,chinabw,download,traceroute,backtraceroute,allping,gotoping,benchtest" -u
wget -qO- --no-check-certificate https://raw.githubusercontent.com/oooldking/script/master/superbench.sh | bash
wget https://raw.github.com/sivel/speedtest-cli/master/speedtest.py -O /usr/local/bin/speedtest
chmod a+rx /usr/local/bin/speedtest
speedtest
wget http://down.eeqiu.net/besttrace4linux.zip
unzip besttrace4linux.zip
chmod +x besttrace
./besttrace -q 1 gd.189.cn
set firewall family inet filter local_acl term DenyICMP from protocol icmp
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-request
set firewall family inet filter local_acl term DenyICMP from icmp-type echo-reply
set firewall family inet filter local_acl term DenyICMP from icmp-type time-exceeded
set firewall family inet filter local_acl term DenyICMP from icmp-type unreachable
set firewall family inet filter local_acl term DenyICMP then discard
set firewall family inet filter local_acl term terminal_access from source-prefix-list Trusted_IP
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied from destination-port http
set firewall family inet filter local_acl term terminal_access_denied from destination-port https
set firewall family inet filter local_acl term terminal_access_denied then discard
set firewall family inet filter local_acl term default-term then accept
dnf update --refresh -y
dnf install dnf-plugin-system-upgrade -y
dnf system-upgrade download --releasever=$((`awk '{ print $3 }' /etc/fedora-release` + 1 )) --allowerasing -y
dnf system-upgrade reboot -y
dnf --releasever $((`awk '{ print $3 }' /etc/fedora-release` + 1 )) upgrade -y
Upgraded step by step this way from Fedora 23 all the way to 31.
AddNginxHost(){
cat>>/etc/nginx/conf/$1.conf<<EOF
server {
listen 80;
listen 443;
server_name www.$1 $1;
access_log /var/log/httpd/$1.log;
location /{
proxy_set_header Host \$host;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_pass http://$2;
}
}
EOF
}
banip() {
cat>/etc/nginx/ip/$1<<EOF
deny $1;
if (\$remote_addr = "$1"){return 400;}
if (\$http_x_forwarded_for = "$1"){return 400;}
if (\$proxy_add_x_forwarded_for = "$1"){return 400;}
EOF
nginx -s reload
}
add_stream() {
cat > /etc/nginx/stream/$1.conf << EOF
server {
listen $1:80 reuseport;
listen $1:443 reuseport;
listen $1:623 udp reuseport;
listen $1:5900 reuseport;
listen $1:5985 reuseport;
listen $1:7578 reuseport;
listen $1:5120 reuseport;
listen $1:5122 reuseport;
listen $1:5123 reuseport;
listen $1:7582 reuseport;
listen $1:5124 reuseport;
listen $1:5126 reuseport;
listen $1:5127 reuseport;
proxy_connect_timeout 5s;
proxy_timeout 20s;
proxy_pass $2:\$server_port;
}
EOF
nginx -s reload
}
add_stream 103.213.246.4 10.0.13.13
snap()
{
if [ -z "$1" ]; then exit 0; fi # bail out if no volume name was given
lvcreate -L 50G -s -n $1_snap /dev/vg0/$1_img
kpartx -av /dev/mapper/vg0-$1_snap
mount /dev/mapper/vg0-$1_snap1 /mnt
ls /mnt/root/.bash_history
}
mysqlrootpwd=`openssl rand -base64 6`
yum -y install epel-release
yum -y install mysql mysql-server pdns pdns-backend-mysql
yum -y install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash
yum -y install php-pear-DB php-pear-MDB2-Driver-mysql
chkconfig --levels 235 httpd on
chkconfig --levels 235 mysqld on
chkconfig --levels 235 pdns on
#mysqladmin -u root password $mysqlrootpwd
mysqladmin create powerdns
mysql -Bse "create user 'powerdns'@'localhost' identified by '$mysqlrootpwd'"
mysql -Bse "grant all privileges on powerdns.* to 'powerdns'@'localhost'"
mysql -Bse "GRANT ALL ON powerdns.* TO 'powerdns'@'108.171.205.98' IDENTIFIED BY '$mysqlrootpwd'"
wget http://files.soluslabs.com/solusvm/pdns/pdns.sql
mysql --user=powerdns --password=$mysqlrootpwd < pdns.sql
cat>/etc/pdns/pdns.conf<<EOF
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=$mysqlrootpwd
gmysql-dbname=powerdns
EOF
/etc/init.d/mysqld restart
/etc/init.d/httpd restart
/etc/init.d/httpd start
/etc/init.d/pdns restart
wget -c https://github.com/poweradmin/poweradmin/tarball/master -O poweradmin.tar.gz
tar zxf poweradmin.tar.gz
mv poweradmin-* /var/www/html/poweradmin
chown -R apache:apache /var/www/html/poweradmin/
On a freshly installed ESXi, the password is correct but login fails. I ran into this a few years ago and fixed it by resetting from the shell, but it has been long enough that I forgot, and recently I hit it a few more times and flailed around like a headless fly, so I am writing it down.
The main cause is too many failed brute-force attempts against the ssh port, which locks the account.
On a fresh install, log in to the management UI, go to "Manage" -> "Advanced Settings", search for Security.AccountLockFailures and set it to 0, or disable the ssh service
Security.AccountLockFailures
Security.AccountUnlockTime
Or do it with PowerCLI
Set-VMHostAdvancedConfiguration Security.AccountLockFailures -Value 0
Set-VMHostAdvancedConfiguration Security.AccountUnlockTime -Value 0
You can also set up ssh key login and reset the root account that way
/etc/ssh/keys-root/authorized_keys
pam_tally2 --user root
pam_tally2 --user root --reset
If a freshly installed system is already locked out and key login has not been set up, you have to do this through IPMI.
Under Troubleshooting mode options choose Restart Management Agents to reset; afterwards you can log in again via the web UI or the client and change the settings.
Notes
yum -y -q install monit tcsh perl-Net-BGP
git clone https://github.com/zhecho/nfsen-blackhole
cd nfsen-blackhole
sed -i "s#/usr/local/var/nfsen#/opt/nfsen/var/run#g" *
sed -i "s#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g" *
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm /opt/nfsen/plugins/
install bgp_simple.pl /opt/nfsen/plugins/
install blackHole.php /opt/nfsen/www/plugins/
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
Configuration notes
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANsensor
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANconsole
yum install -y -q epel-release
yum install -y -q php-pecl-radius
Other
max_allowed_packet=64M
max_connections=1000
open_files_limit=5000
skip-name-resolve
nano /etc/my.cnf # set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
mysql_secure_installation
systemctl start mariadb
systemctl enable mariadb
nano /etc/php.ini # set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
systemctl restart firewalld
/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
yum install -y -q https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm
[root@localhost ~]# nano /etc/influxdb/influxdb.conf
[data]
index-version="tsi1"
max-series-per-database=0
max-values-per-tag=0
[retention]
enabled=true
[http]
enabled=true
log-enabled=false
max-row-limit=0
max-body-size=0
[logging]
level="warn"
[continuous_queries]
enabled=true
systemctl restart influxdb