Quickly deploying OpenResty on CentOS 7

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget vim-enhanced tcpdump iftop net-tools rsync
yum -y -q install openresty
systemctl enable openresty
ln -s /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ # expose the nginx binary in the usual sbin directory
ln -s /usr/local/openresty/nginx/conf /etc/nginx # symlink the config directory to the usual location
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service # CentOS 7 service alias so "systemctl ... nginx" also works
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

After the base deployment is finished, sync the data over with rsync and then do the remaining base configuration; that basically completes the setup.

LVM snapshot migration or backup script

# Prints, for every *_img logical volume in vg0, the commands that snapshot it,
# stream the snapshot compressed over ssh into the same-named volume on the
# target host, and drop the snapshot again. Pipe the output to sh to run them.
# SERVER_IP is a placeholder for the target host.
for VM in $(lvs | grep img | grep -v snap | awk -F_ '{ print $1 }'); do
  echo "lvcreate -L 50G -s -n ${VM}_snap /dev/vg0/${VM}_img"
  echo "dd if=/dev/vg0/${VM}_snap conv=sync,noerror bs=64K | gzip -c | ssh root@SERVER_IP \"gzip -d | dd of=/dev/vg0/${VM}_img conv=sync,noerror bs=64K\""
  echo "lvremove /dev/vg0/${VM}_snap -f"
  echo "echo $VM done \`date\` >>/root/m.log"
  echo " "
done

The output can be written straight into a partition already created on the new server, or you can point it at a directory and save it as a file.

lvcreate -L 50G -s -n kvm10000_snap /dev/vg0/kvm10000_img
dd if=/dev/vg0/kvm10000_snap conv=sync,noerror bs=64K | gzip -c | ssh root@NEW_SERVER_IP "gzip -d | dd of=/dev/vg0/kvm10000_img conv=sync,noerror bs=64K"
lvremove /dev/vg0/kvm10000_snap -f
echo kvm10000 done `date` >>/root/m.log

CentOS major version upgrade from 6 to 7

For the 6 to 7 upgrade, it is advisable to run through the steps on a test machine first; if you break something, that's on you.

#!/bin/bash

# one-shot script run from rc.local after the first boot into 7: it points the old
# library sonames at the CentOS 7 libraries and then renames itself so it runs only once
cat>/root/fix.sh<<EOF
rm -f /lib64/libpcre.so.0 /usr/lib64/libpcre.so.0 /usr/lib64/libsasl2.so.2 /lib64/libsasl2.so.2
ln -s /usr/lib64/libpcre.so.1.2.0 /lib64/libpcre.so.0
ln -s /usr/lib64/libpcre.so.1.2.0 /usr/lib64/libpcre.so.0
ln -s /usr/lib64/libsasl2.so.3.0.0  /usr/lib64/libsasl2.so.2
ln -s /usr/lib64/libsasl2.so.3.0.0  /lib64/libsasl2.so.2
yum -y downgrade  grep
mv /root/fix.sh /root/fix.txt
EOF
chmod 755 /root/fix.sh
echo "/root/fix.sh">> /etc/rc.local

# quoted delimiter: $releasever must reach the repo file literally; an unquoted
# heredoc would let this shell expand it to an empty string
cat>/etc/yum.repos.d/upgradetool.repo<<'EOF'
[upg]
name=CentOS-$releasever - Upgrade Tool
baseurl=http://buildlogs.centos.org/centos/6/upg/x86_64/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF

yum -y erase openscap
yum -y install redhat-upgrade-tool preupgrade-assistant-contents --disablerepo=base
# the assistant and the upgrade tool each ask for confirmation once; the heredocs answer "y"
preupg -s CentOS6_7 <<EOF
y
EOF
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
centos-upgrade-tool-cli --network 7 --instrepo=http://vault.centos.org/centos/7.2.1511/os/x86_64/ <<EOF
y
EOF
reboot

Compiling a newer GCC on CentOS

yum -y -q install gcc gcc-c++ glibc-static libstdc++-static kernel-devel lbzip2
wget ftp://gcc.gnu.org/pub/gcc/releases/gcc-9.2.0/gcc-9.2.0.tar.gz  -O -|tar xz
cd gcc-9.2.0
./contrib/download_prerequisites
./configure --enable-checking=release --enable-languages=c,c++ --disable-multilib
make
make install

Locally self-signed SSL certificates on Linux

yum -y -q install nss-tools gcc
VER=$(curl -Ss https://api.github.com/repos/FiloSottile/mkcert/releases/latest|grep tag_name|grep -Po '[0-9]+\.[0-9]+\.[0-9]+.*(?=")')
wget -O /usr/bin/mkcert https://github.com/FiloSottile/mkcert/releases/download/v${VER}/mkcert-v${VER}-linux-amd64
chmod +x /usr/bin/mkcert
mkcert -install    # creates the local CA and adds it to the system trust store
mkcert domain.tld '*.domain.tld' domain2.tld localhost 127.0.0.1 ::1    # domain.tld / domain2.tld are placeholders for your own names

The generated pem and key can then be bound directly on the HTTP server.

Crude and simple filtering of CC attacks with nginx Lua

It looks like the original source page is no longer reachable. Stock nginx needs Lua compiled in; OpenResty can use it directly.

location ~ \.php$ {
    rewrite_by_lua '
        -- token bound to the client IP and User-Agent; http_user_agent can be nil, so default it
        local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
        if (ngx.var.cookie_humanflag ~= md5token) then
            -- no cookie yet (or a wrong one): hand it out and send the client back to the same URL
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}

Original source: http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

Simple version; the following method needs no extra modules:

location ~ \.php$ {
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		rewrite .* "$scheme://$host$uri" redirect;
		#rewrite .* "$scheme://localhost:$remote_port" redirect;
	}
	
	... ...
}

Advanced version: return a JavaScript reload snippet to filter out simulated visits:

location ~ \.php$ {
	default_type text/html;
	if ($cookie_reCAPTCHA != "$remote_addr"){
		add_header Set-Cookie "reCAPTCHA=$remote_addr; PATH=/";
		return 200 "<script>location.reload()</script>\n";
	}
	
	... ...
}

Perl version: return JavaScript that sets the cookie and refreshes automatically:

http {
	perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); md5_base64("SALT",shift->variable("remote_addr"))}';
	... ...
	server {
		... ...
		location ~ \.php$ {
			default_type text/html;
			if ($cookie_reCAPTCHA != $reCAPTCHA){ # requests for non-text/html content misbehave here; use add_header to set the cookie instead so the JS cannot fail to run
				return 200 '<script>\ndocument.cookie="reCAPTCHA=$reCAPTCHA";\nlocation.reload();\n</script>\n';
			}
			... ...
		}
	}
}

Combining the above, the configuration the author currently uses:

http {
    perl_set $reCAPTCHA 'sub{use Digest::MD5 qw(md5_base64); my $r = shift;
    md5_base64("salt:RANDOM".$r->variable("remote_addr").$r->variable("http_user_agent"))}';
    ... ...
    server {
        ... ...
        location / {
            default_type text/html;
            if ($cookie_reCAPTCHA != $reCAPTCHA){
                add_header Set-Cookie "reCAPTCHA=$reCAPTCHA; PATH=/";
                return 200 '<script>location.reload()</script>';
            }
            proxy_pass http://www.baidu.com;
        }
    }
}

Lua version, much the same; needs the extras package: apt-get install nginx-extras

location ~ \.php$ {
	rewrite_by_lua '
		-- same token as above; default the User-Agent so a missing header cannot raise a Lua error
		local md5token = ngx.md5(ngx.var.remote_addr .. (ngx.var.http_user_agent or ""))
		if (ngx.var.cookie_reCAPTCHA ~= md5token) then
			ngx.header["Set-Cookie"] = "reCAPTCHA=" .. md5token
			return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
		end
	';

	... ...
}
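As an added example (not code from the original post or its sources) that combines this section with the mkcert section above: the same cookie challenge as an OpenResty rewrite_by_lua_block, served over TLS with mkcert's files. It mixes a server-side secret into the token (otherwise any client can compute md5(ip .. ua) for itself), sets cookie attributes, and counts challenge rounds so a client that never stores cookies gets a 403 instead of an endless redirect loop; the secret value, the certificate file names and the PHP-FPM socket path are assumptions.

```nginx
# Added example; not from the original post. Assumed: the mkcert output file
# names, the secret value and the PHP-FPM socket path.
server {
    listen 443 ssl;
    server_name domain.tld;
    # mkcert prints the names of the files it writes; these two are assumed
    ssl_certificate     /etc/nginx/domain.tld+5.pem;
    ssl_certificate_key /etc/nginx/domain.tld+5-key.pem;

    location ~ \.php$ {
        rewrite_by_lua_block {
            -- server-side secret (placeholder): without it the token is just
            -- md5(ip .. ua), which any client can compute for itself
            local secret = "CHANGE-ME-long-random-string"
            local ua = ngx.var.http_user_agent or ""
            local token = ngx.md5(secret .. "|" .. ngx.var.remote_addr .. "|" .. ua)

            if ngx.var.cookie_humanflag == token then
                return  -- challenge passed, continue to the PHP handler below
            end

            -- count challenge rounds in the query string; a client that never
            -- stores cookies would otherwise follow redirects forever
            local args = ngx.req.get_uri_args()
            local rounds = tonumber(args["hf"]) or 0
            if rounds >= 2 then
                ngx.log(ngx.WARN, "cookie challenge failed: ", ngx.var.remote_addr, " ", ua)
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
            args["hf"] = rounds + 1

            ngx.header["Set-Cookie"] = "humanflag=" .. token .. "; Path=/; HttpOnly; SameSite=Lax"
            return ngx.redirect(ngx.var.uri .. "?" .. ngx.encode_args(args), ngx.HTTP_MOVED_TEMPORARILY)
        }

        # PHP handling continues here, as in the "... ..." of the blocks above
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
        include fastcgi.conf;
    }
}
```

To check it, `curl -sI -c jar https://domain.tld/index.php` should answer 302 with a Set-Cookie header and a Location ending in ?hf=1, and a second `curl -sI -b jar` against that Location should reach PHP.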

Reference: https://jiji262.github.io/wooyun_articles/drops/通过nginx配置文件抵御攻击.html

Blocking the usual mail ports with iptables

iptables -A INPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A INPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dport 25,110,465:587,993:995 -j DROP
iptables -A OUTPUT -p udp -m multiport --dport 25,110,465:587,993:995 -j DROP
/etc/init.d/iptables save

Upgrading bash to 5.0

yum -y -q install wget gcc patch
wget https://ftp.gnu.org/gnu/bash/bash-5.0.tar.gz -O - | tar xz
cd bash-5.0
wget -r -nd -np http://ftp.gnu.org/gnu/bash/bash-5.0-patches/   # fetch the official bash50-0NN patches (their .sig files come along)
for BP in `ls bash50-*|grep -v sig`; do patch -p0 < $BP; done   # apply them in order, skipping the signature files
./configure
make
make install

Compiling PHP 7.3 on CentOS 7

yum -y install epel-release

yum -y --skip-broken install gcc  vim-enhanced gcc-c++ libtool-libs libtool autoconf subversion zip unzip  wget crontabs iptables file bison patch mlocate flex diffutils automake imake make cmake kernel-devel cpp zlib-devel \
libevent-devel libxml2-devel freetype-devel  gd gd-devel libjpeg-devel libpng-devel ncurses-devel  \
curl-devel readline-devel openssl-devel  glibc-devel  glib2-devel bzip2-devel e2fsprogs-devel libidn-devel  gettext-devel expat-devel libcap-devel  libtool-ltdl-devel pam-devel \
libxslt-devel libc-client-devel freetds-devel unixODBC-devel  libXpm-devel krb5-devel libicu-devel icu   sqlite-devel oniguruma-devel

cd /tmp
wget https://nih.at/libzip/libzip-1.2.0.tar.gz  -O - | tar xz
cd libzip-*
./configure --prefix=/usr
make && make install
cp /usr/lib/libzip/include/zipconf.h  /usr/local/include/zipconf.h
ldconfig

cd /tmp
wget -c http://us2.php.net/distributions/php-7.3.10.tar.gz -O - | tar xz
cd php-7.3*
./configure  --with-config-file-path=/opt/php7/etc --with-config-file-scan-dir=/opt/php7/etc/php.d --prefix=/opt/php7/usr --enable-fpm --enable-bcmath --enable-exif --enable-ftp --enable-mbstring --enable-soap --enable-sockets --enable-zip --with-curl --with-freetype-dir=/usr --with-gettext --with-openssl --with-xmlrpc --with-png-dir  --with-jpeg-dir --with-gd --with-libxml-dir=/usr  --with-mhash  --with-mysql-sock=/var/lib/mysql/mysql.sock --with-pdo-mysql=mysqlnd --with-mysqli=mysqlnd --with-imap --with-imap-ssl --with-kerberos --with-zlib --enable-intl=shared --enable-xml --disable-rpath --enable-shmop --enable-sysvsem --enable-mbregex  --with-iconv-dir --enable-pcntl --enable-opcache --with-sqlite3 --with-pdo-sqlite --enable-calendar --enable-wddx --with-libdir=lib64
make -j `grep name /proc/cpuinfo|wc -l`
make install
mkdir -p /opt/php7/etc/
cp php.ini-production /opt/php7/etc/php.ini
#cp ./sapi/fpm/php-fpm /etc/init.d/php-fpm
cp ./sapi/fpm/php-fpm.service /usr/lib/systemd/system/
sed -i 's#expose_php = On#expose_php = Off#'  /opt/php7/etc/php.ini
sed -i 's/;date.timezone =/date.timezone = PRC/g'  /opt/php7/etc/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /opt/php7/etc/php.ini
sed -i 's#enable_dl = Off#enable_dl = On#'  /opt/php7/etc/php.ini
sed -i 's#short_open_tag = Off#short_open_tag = On#'  /opt/php7/etc/php.ini
sed -i 's#output_buffering = Off#output_buffering = On#'  /opt/php7/etc/php.ini
sed -i 's/memory_limit = 32M/memory_limit = 128M/g' /opt/php7/etc/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 32M/g' /opt/php7/etc/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 16M/g' /opt/php7/etc/php.ini
sed -i 's#allow_call_time_pass_reference = Off#allow_call_time_pass_reference = On#' /opt/php7/etc/php.ini   # this directive was removed in PHP 5.4, so on a 7.3 php.ini this sed changes nothing
sed -i 's/disable_functions =/disable_functions="exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,ini_alter,dl,popen,chown,chroot,chgrp,ini_restore,dbmopen,dbase_open"/g' /opt/php7/etc/php.ini

Peeling palms and cracked fingertips

Autumn again, and some people's palms peel, and their fingertips peel and crack with the edges of the cracks curling outward.

If it is only peeling it is actually tolerable: the palm lines turn white and the skin is like dry twigs that prick. But if the fingertips peel and split as well, it is unbearable: for one thing it hurts, and for another the sense of touch in the fingertips is as if coated in a layer of 502 superglue.

My solution came from noticing that the skin under a band-aid was clearly moister, and that soaking hands and feet in hot water swells the skin so the dead layer comes off. So I went to the pharmacy and bought a few pairs of medical gloves; before bed I wash my hands, rub on fresh aloe flesh (hand cream or glycerin works too), and sleep with the gloves on. After a few days of this the skin returned to normal.

If the condition is serious, I suggest going to a hospital for a diagnosis first.


Overtime culture

In the early years (before the new millennium), a wave of laid-off workers started businesses, the Yangtze River Delta and the Pearl River Delta were booming, inland township enterprises gradually declined because of industrial upgrading, and people from inland townships began leaving to work on the coast.

What these people had in common: no money, far from home.


sshd security settings for a freshly installed CentOS 7

firewall-cmd --zone=public --add-port=3001/tcp --permanent
firewall-cmd --reload
sed -i 's/#Port 22/Port 3001/g' /etc/ssh/sshd_config
# with SELinux enforcing (the CentOS 7 default) sshd cannot bind a non-standard port until the policy allows it
command -v semanage >/dev/null && semanage port -a -t ssh_port_t -p tcp 3001
service sshd restart

As everyone knows

In recent years, the videos and articles of certain marketing accounts and self-media outlets are especially + very + especially very fond of opening with "as everyone knows".

Some traits: the video content is mostly patched together from elsewhere, or lifted wholesale, re-dubbed, and stamped with a new logo.

Stock phrases: "as everyone knows", "what do you guys think?", "what do netizens think?", "netizens this and that".

Whenever "as everyone knows" shows up in a piece of text you can judge it with 100% certainty to be a self-media marketing account; the whole article is just the video's voice-over script posted without changing a word, and sometimes while reading it you can hear the background music in your head.

Then there is a nastier category that simply makes up content from pictures, cobbling together incoherent "eyewitness" rewrites.

This bunch all feel as if they come from the same nest, exactly like the UC "Shocked" department, and there is no telling when it will end; these cockroach-like idiots will only die off when they end up in the trash.


Wing Lung Bank routing / bank / branch numbers

Bank Name : CMB Wing Lung Bank Hong Kong

Bank Code : 020

SWIFT Code / BIC : WUBAHKHH

Branch Code : 601

Bank Address: WING LUNG BANK BUILDING, FLOOR 3, 45 DES VOEUX ROAD, CENTRAL

City : HONG KONG


Automatic network reinstall on CentOS 7 by booting through grub2

Rough flow of the shell script

1. Get the network IP configuration parameters.

2. Write a custom grub entry booting the installer kernel.

 2.1 http://103.xxx.xxx.xxx/kickstart.php/rh?end=1&ethworkaround=1 is a pre-configured anaconda-ks auto-response install script.

3. Change the grub default timeout and set the boot order.

4. Regenerate the grub2 configuration.

5. Reboot and wait for the installation to finish.

Finally, it is advisable to do this only with NoVNC or IPMI available as a fallback.

Another way to write the vmlinuz network parameters is ip=address::gateway:netmask:hostname:interface:method

# work out the primary interface and its addressing from the running system
getETH=`ip -4 route list 0/0 |awk '{ print $5 }'`
getGATEWAY=`ip -4 route list 0/0 |awk '{ print $3 }'`
getNETMASK=`ifconfig $getETH | awk '/mask /{ print $4;}'`    # ifconfig comes from net-tools
getIPADDR=`ifconfig $getETH | awk '/inet /{ print $2;}'`

# unquoted heredoc on purpose: the $get... values are expanded into the menu entry.
# It expects the installer's vmlinuz and initrd.img to be present on the partition grub sees as hd0,gpt2.
cat>>/etc/grub.d/40_custom<<EOF
menuentry 'Netinstall' {
load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod xfs
set root='hd0,gpt2'
linux16 /vmlinuz ro ks='http://103.xxx.xxx.xxx/kickstart.php/rh?end=1&ethworkaround=1' net.ifnames=0 biosdevname=0 crashkernel=auto gateway=$getGATEWAY ip=$getIPADDR nameserver=8.8.8.8 ksdevice=$getETH  netmask=$getNETMASK
initrd16 /initrd.img
}
EOF
# leave time at the grub menu and make the new entry the default
sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=60/g' /etc/default/grub
sed -i 's/GRUB_DEFAULT=saved/GRUB_DEFAULT=Netinstall/g' /etc/default/grub
grub2-mkconfig --output=/boot/grub2/grub.cfg
reboot