
Category: Linux Operations


Installing the lightweight batch-operations tool Omnitty on CentOS 6

The process of installing the lightweight operations tool Omnitty on CentOS 6; this article is based on CentOS 6 64-bit.

1. Installation
Omnitty's website describes the installation procedure, so the steps below are copied from the Omnitty website (the first package line is for CentOS, the second for Debian/Ubuntu).

$ yum install gcc gcc-c++ make ncurses ncurses-devel        # CentOS
$ sudo apt install gcc g++ make ncurses-bin ncurses-dev    # Debian/Ubuntu

# In order to run Omnitty, you will need to download and install libROTE first.
# Then you can install Omnitty.
$ tar -zxf /path/to/rote-X.Y.Z.tar.gz
$ cd rote-X.Y.Z
$ ./configure
$ make
$ su -c "make install"
$ cd ..

$ tar -zxf /path/to/omnitty-X.Y.Z.tar.gz
$ cd omnitty-X.Y.Z
$ ./configure
$ make                   # may fail; see the fix below.
$ su -c "make install"

Then you can run omnitty.

Possible error 1:
make fails with: /usr/lib64/libncurses.so.5: error adding symbols: DSO missing from command line
Fix (from the reference documentation): newer binutils no longer let a program pick up symbols from a library that is only linked indirectly, so libncurses and libtinfo must be named explicitly on the link line. Edit the Makefile and append -lncurses -ltinfo to the omnitty link rule:

$ vim Makefile  # append -lncurses -ltinfo as shown below
...
omnitty: $(objects)
        $(CC) $(CFLAGS)  -o omnitty $(objects) $(LDFLAGS) $(LIBS) -lncurses -ltinfo
...

Adding users with Ansible

This article walks through adding the user zhang3 to a batch of hosts with Ansible and setting the password to 12345678.

Method one

$ pip install passlib

# Obtain the sha512-crypt hash of the password. The Ansible user module expects a
# crypt(3)-style hash here, never the plaintext password. On passlib versions older
# than 1.7 the method is called encrypt() instead of hash().
$ python -c "from passlib.hash import sha512_crypt; print(sha512_crypt.hash('12345678'))"
$6$rounds=656000$SJkYJamGImQ/OVZC$.9RslNw5vUhd5bBCO3EkHCl/k0eVDlyRhXPXKUooF4nSQNoFdQw1STHj7WlYnOefXmb4IOZDuL49zYEDmSAHM/

$ vim useradd.yml    # write the following
- hosts: 192.168.34.73
  vars:
    user: zhang3
    # Generate the hashed password with the command below.
    # python -c "from passlib.hash import sha512_crypt; print(sha512_crypt.hash('12345678'))"
    password: '$6$rounds=656000$SJkYJamGImQ/OVZC$.9RslNw5vUhd5bBCO3EkHCl/k0eVDlyRhXPXKUooF4nSQNoFdQw1STHj7WlYnOefXmb4IOZDuL49zYEDmSAHM/'
  tasks:
  - name: create user {{ user }}
    user: name={{ user }} shell=/bin/bash group=ndsdevelop groups=sudo password={{ password }} update_password=always append=yes

group is the user's primary group and groups the supplementary groups; both must already exist on the target (sudo is the Debian/Ubuntu admin group, on CentOS the equivalent is wheel). update_password=always rewrites the password on every run; the alternative value on_create only sets it when the account is first created. append=yes adds the user to the listed supplementary groups while keeping the groups the user already belongs to; without it the supplementary groups are replaced by exactly the list given. It has nothing to do with whether the user is new, so for an existing user the same task works as a password change (because of update_password=always), and append=yes should stay unless you intend to strip the user's other groups.

Two further points: the hash can also be produced inside the playbook with the password_hash filter, "{{ '12345678' | password_hash('sha512') }}", which avoids the manual step; and although the playbook holds a hash rather than the plaintext, it is still an offline-crackable credential, so keep it in an ansible-vault encrypted vars file rather than in plain YAML in version control.

Then run it:

$ ansible-playbook useradd.yml
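What the string above actually is: $6$ identifies sha512-crypt, rounds=656000 is the cost passlib chose, the next field is the 16-character salt and the last is the 86-character encoded digest. The following is an added example, not code from this post or from Ansible or passlib: a stdlib-only implementation of the SHA-crypt algorithm that glibc's crypt(3) uses for $6$, together with a verify() that re-derives a hash from an existing string, so a hash can be generated or checked offline on a box that has neither passlib nor a usable crypt module. It is checked against the published test vector from the SHA-crypt specification; the 656000-round call in the demo mirrors the post's hash and takes a couple of seconds in pure Python.

```python
#!/usr/bin/env python3
"""sha512-crypt ($6$) implemented with hashlib only.

Added example, not from the original post or from Ansible/passlib. Follows the
SHA-crypt specification (Drepper, 2007) step for step, so its output matches
glibc crypt(3) and passlib's sha512_crypt for the same salt and rounds.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
_MIN_ROUNDS, _MAX_ROUNDS = 1000, 999_999_999
_HASH_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{0,16})\$([./0-9A-Za-z]{86})$")


def _tile(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest to exactly `length` bytes (spec steps 16 and 20)."""
    return (digest * (length // 64 + 1))[:length]


def _encode(digest: bytes) -> str:
    """Spec step 22: crypt's base64 alphabet over a fixed permutation of the
    64 digest bytes; 21 groups of 3 bytes -> 4 chars, then the last byte -> 2."""
    out = []
    for i in range(21):
        trip = (i, i + 21, i + 42)
        trip = trip[i % 3:] + trip[:i % 3]      # the rotation pattern repeats every 3 groups
        w = (digest[trip[0]] << 16) | (digest[trip[1]] << 8) | digest[trip[2]]
        for _ in range(4):
            out.append(_ITOA64[w & 0x3F])
            w >>= 6
    w = digest[63]
    out.append(_ITOA64[w & 0x3F])
    out.append(_ITOA64[(w >> 6) & 0x3F])
    return "".join(out)


def sha512_crypt(password: str, salt: Optional[str] = None, rounds: Optional[int] = None) -> str:
    """Return '$6$[rounds=N$]salt$hash'. rounds=None means the default of 5000 and,
    as in glibc, the rounds= field is then omitted from the output."""
    pw = password.encode("utf-8")
    if salt is None:                            # 16 random chars from crypt's alphabet
        salt = "".join(_ITOA64[b & 0x3F] for b in os.urandom(16))
    salt = salt[:16]                            # spec: the salt is truncated to 16 chars
    salt_b = salt.encode("utf-8")
    n_rounds = _DEFAULT_ROUNDS if rounds is None else min(max(rounds, _MIN_ROUNDS), _MAX_ROUNDS)

    # Steps 4-8: B = H(pw || salt || pw)
    b = hashlib.sha512(pw + salt_b + pw).digest()
    # Steps 1-3 and 9-12: A = H(pw || salt || B tiled to len(pw) || for each bit of len(pw): B or pw)
    a = hashlib.sha512(pw + salt_b)
    a.update(_tile(b, len(pw)))
    n = len(pw)
    while n:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # Steps 13-16: P = H(pw repeated len(pw) times) tiled to len(pw)
    p = _tile(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    # Steps 17-20: S = H(salt repeated 16 + A[0] times) tiled to len(salt)
    s = _tile(hashlib.sha512(salt_b * (16 + a[0])).digest(), len(salt_b))
    # Step 21: the cost loop; which inputs go in depends on the round number
    for i in range(n_rounds):
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    prefix = "$6$" + ("" if rounds is None else f"rounds={n_rounds}$")
    return prefix + salt + "$" + _encode(a)


def verify(password: str, hashed: str) -> bool:
    """Re-derive the hash with the salt and rounds taken from `hashed` and compare
    in constant time. Returns False for anything that is not a well-formed $6$ string."""
    m = _HASH_RE.match(hashed)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), hashed)


if __name__ == "__main__":
    h = sha512_crypt("12345678", rounds=656000)   # same cost passlib used in the post
    print(h)
    print(verify("12345678", h), verify("wrong", h))
```

verify() is also the right tool for checking a hash you were handed (or one already in /etc/shadow) before putting it in a playbook: it parses the rounds and salt out of the string, so nothing has to be typed twice.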

Enabling free SSL certificates from Let's Encrypt

Let's Encrypt is a free, automated, open certificate authority backed by the Mozilla Foundation, Akamai, Cisco and many other large organisations. The free SSL certificates it issues are trusted by mainstream browsers; each SSL/TLS certificate is valid for only 90 days, but the official tooling can renew it automatically, so in practice the certificates stay free for as long as renewal keeps running. The currently recommended way to obtain and install them is certbot, which only needs a few commands and a little configuration.

1. Install Certbot

The Certbot website gives detailed per-OS installation instructions; since this host runs CentOS 6, the steps below are copied from the site with small changes. (certbot-auto has since been retired by the Certbot project and dl.eff.org no longer serves it; on a current system install certbot from the distribution packages or the snap instead.)

$ yum install epel-release

$ mkdir -p /opt/letsencrypt
$ wget -O /opt/letsencrypt/certbot-auto https://dl.eff.org/certbot-auto
$ chmod +x /opt/letsencrypt/certbot-auto
$ /opt/letsencrypt/certbot-auto    # installs the required dependency packages on first run

Getting started with Certbot

If you use Apache (the quoted text below is from the certbot website):

Certbot has a fairly solid beta-quality Apache plugin, which is supported on many platforms, and automates both obtaining and installing certs:

$ ./path/to/certbot-auto --apache

If you're feeling more conservative and would like to make the changes to your Apache configuration by hand, you can use the certonly subcommand:

$ ./path/to/certbot-auto --apache certonly

Automatic renewal

Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

$ ./path/to/certbot-auto renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

$ ./path/to/certbot-auto renew --quiet

Note that renew only replaces certificates that are within 30 days of expiry, and that the web server keeps using the certificate it loaded at startup until it is reloaded; see the 2017.03.02 addendum at the end of this post.

2. Request an SSL certificate for your own domain

(1) A single domain, one certificate:

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d zhukun.net

(2) Several domains served from one directory, one certificate (one site reachable under several names):

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/zhukun.net -d www.zhukun.net -d img.zhukun.net

(3) Several domains served from different directories: each -w applies to the -d flags that follow it, so every name is validated in its own webroot. All the names given in one invocation still end up in a single certificate (one lineage under /etc/letsencrypt/live/, named after the first -d); to get a separate certificate per site, run certbot once per site.

./certbot-auto certonly --email [email protected] --agree-tos --webroot \
-w /home/wwwroot/b.com -d www1.b.com -d www2.b.com \
-w /home/wwwroot/a.com -d www1.a.com -d www2.a.com

The following message means the request succeeded; the certificate files are under /etc/letsencrypt/live/zhukun.net.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/zhukun.net/fullchain.pem. Your cert will
   expire on 2016-12-01. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   certbot-auto renew
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Configure SSL in Apache by hand

Not much to say here; the two configuration files are shown below, adjust them to your own setup. Two things to keep in mind: the :80 virtual host must keep serving /.well-known/acme-challenge/ for renewals (the redirect to HTTPS is fine, Let's Encrypt follows it, as long as the HTTPS host serves the same DocumentRoot), and fullchain.pem already contains the intermediate certificate, so on Apache 2.4.8 or later no separate SSLCertificateChainFile is needed.

$ cat /usr/local/apache2/conf/extra/httpd-vhosts.conf
<VirtualHost 8.8.8.8:80>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
# ProxyRequests Off
# ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
</VirtualHost>
$ cat /usr/local/apache2/conf/extra/httpd-ssl.conf
Listen 443

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

# TLSv1 and TLSv1.1 are also obsolete today; with an OpenSSL that supports TLS 1.2 (CentOS 6's 1.0.1 does) prefer: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Mutex "file:/usr/local/apache2/logs/ssl_mutex"

<VirtualHost 8.8.8.8:443>
ServerAdmin [email protected]
DocumentRoot "/home/wwwroot/zhukun.net"
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/home/wwwroot/zhukun.net/$1
ServerName zhukun.net
ServerAlias www.zhukun.net
ErrorLog "logs/zhukun-error_log"
CustomLog "logs/zhukun-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/zhukun.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zhukun.net/privkey.pem
</VirtualHost>

References:
Easily set up free Let's Encrypt SSL certificates (轻松搞定 Let’s Encrypt 免费SSL证书)
Let's Encrypt, enabling HTTPS (Let’s Encrypt,启用 HTTPS)

=====================================================

Addendum, 2016.12.01

Today I noticed that the blog's certificate had expired. I checked, and the crontab job was probably not running properly, so I ran it by hand:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

That had no effect; the message above basically means the renewal failed. Forcing it did work, so I am noting it here.

$ /opt/letsencrypt/certbot-auto renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zhukun.net
http-01 challenge for zhukun.net
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zhukun.net/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (success)

$ /etc/init.d/httpd graceful

=====================================================

Addendum, 2017.03.02

Today I found that the blog's certificate had expired again. Running the renewal script from crontab by hand still printed the following:

$ /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/zhukun.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/zhukun.net/fullchain.pem (skipped)
No renewals were attempted.

I checked the log files (/var/log/letsencrypt/letsencrypt.log) and found in letsencrypt.log.7 that a renewal had succeeded on 6 February, so why had the certificate still expired on 2 March? After some reading, it seems the HTTP service has to be reloaded, otherwise the httpd processes keep using the old certificate files. I therefore recommend changing the cron job to the following:

$ crontab -l
0 3 * * 1 /opt/letsencrypt/certbot-auto renew --quiet; /etc/init.d/httpd graceful
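Both addenda describe the same state: certbot had already written a fresh fullchain.pem to disk (which is exactly why it answers "Cert not yet due for renewal"), while Apache had loaded the previous certificate at startup and kept presenting it until it was restarted. The check below is an added example, not code from this post or from certbot: it fingerprints the leaf certificate in the on-disk bundle and the leaf Apache actually presents on port 443 (selected by SNI), and exits non-zero when they differ, then reports whether the served chain still validates. The paths and host names are the post's own; the PEM bundle built in the __main__ demo is a constructed sample, not a real certificate. A cleaner fix than the unconditional reload in the cron line is certbot's own hook, certbot-auto renew --quiet --deploy-hook "/etc/init.d/httpd graceful", which runs the reload only when a certificate was actually replaced.

```python
#!/usr/bin/env python3
"""Compare the certificate Apache serves with the one certbot wrote to disk.

Added example, not from the original post or from certbot. `certbot renew`
replaces /etc/letsencrypt/live/<name>/fullchain.pem, but httpd keeps the
certificate it loaded at startup until it is reloaded; comparing the SHA-256
fingerprint of the leaf on disk with the leaf presented on port 443 catches
that state. The PEM sample in __main__ is constructed for illustration.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys
from typing import List, Optional

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into DER blobs in file order. In fullchain.pem the
    leaf comes first, followed by the intermediate(s)."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_CERT.findall(pem_text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon form `openssl x509 -sha256 -fingerprint` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def leaf_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a bundle (the leaf in fullchain.pem)."""
    ders = pem_to_ders(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return fingerprint(ders[0])


def served_leaf_fingerprint(host: str, port: int = 443, servername: Optional[str] = None) -> str:
    """Fingerprint of the leaf the server presents for `servername` via SNI.
    Chain validation is switched off on purpose: an expired or mismatched
    certificate must still be reported, not turned into a handshake error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def chain_error(host: str, port: int = 443, servername: Optional[str] = None) -> Optional[str]:
    """None if the served chain validates against the system trust store and is
    not expired, otherwise the verification error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername or host):
                return None
    except ssl.SSLError as exc:
        return str(exc)


def check(pem_path: str, host: str, servername: str) -> int:
    """Exit status: 0 when the live leaf equals the on-disk leaf and validates, else 1."""
    with open(pem_path) as fh:
        on_disk = leaf_fingerprint(fh.read())
    live = served_leaf_fingerprint(host, servername=servername)
    print(f"on disk : {on_disk}\nserved  : {live}")
    if on_disk != live:
        print("MISMATCH: httpd is still serving the old certificate; reload it "
              "(/etc/init.d/httpd graceful) or use certbot's --deploy-hook.")
        return 1
    err = chain_error(host, servername=servername)
    print("chain   :", "valid" if err is None else f"INVALID ({err})")
    return 0 if err is None else 1


if __name__ == "__main__":
    if len(sys.argv) == 4:
        sys.exit(check(*sys.argv[1:4]))
    # Offline demonstration on a constructed bundle (these are not real certificates).
    sample = "\n".join(
        "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(body).decode() + "\n-----END CERTIFICATE-----"
        for body in (b"constructed leaf", b"constructed intermediate"))
    print("leaf fingerprint of the sample bundle:", leaf_fingerprint(sample))
    print("usage: check.py /etc/letsencrypt/live/zhukun.net/fullchain.pem 8.8.8.8 zhukun.net")
```

Run it from the same cron job after the renewal (or from a --deploy-hook) and alert on a non-zero exit; comparing fingerprints rather than expiry dates also catches the case where the reload silently failed because Apache could not parse the new files.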

Installing and configuring the cluster management tool Ansible on CentOS/Ubuntu

Notes on installing and configuring the cluster management tool Ansible on CentOS and Ubuntu.

1. Installation

yum install ansible    # on CentOS 6, install epel-release first

# Ubuntu (the version in Ubuntu's own repositories is around 1.4, which is very old, so enable the project's PPA instead)
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update
sudo apt-get install ansible

2. Configuration

vim ansible.cfg    # main configuration file (/etc/ansible/ansible.cfg, or an ansible.cfg in the project directory); change the following options
# Disables SSH host-key verification. Convenient for freshly provisioned hosts, but it removes the only
# protection against a man-in-the-middle on the SSH connection; prefer pre-populating known_hosts.
host_key_checking = False
# Prompt for the SSH password each time ansible runs on this machine
#ask_pass      = True
# Prompt for the sudo password each time ansible runs on this machine
#ask_sudo_pass = True
log_path = /var/log/ansible.log
executable = /bin/bash
remote_tmp     = /tmp/.ansible/tmp

# If commands run on the remote hosts need sudo for privilege escalation, enable the following
# This section only exists from Ansible 1.9 on; run ansible --version first to check
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

VNC over SSH tunnel

VNC over an SSH tunnel means running VNC inside an SSH channel. This achieves two things: it improves VNC's security (VNC's own traffic is unencrypted and its password authentication is weak, whereas the SSH tunnel encrypts and authenticates the connection), and if a direct VNC connection is too slow, the SSH hop can act as a proxy. This article describes how to set it up.

Environment:
Host A is in Korea, IP 1.1.1.1, with a fast connection
Host B is in the USA, IP 8.8.8.8, slow, with a VNC desktop (display number :55)
Because connecting directly to B's VNC desktop is very slow, we relay through A's SSH service to speed it up.
The local machine also runs Linux, and several local users need to log in to the US VNC desktop

1. On host A (the relay), as user bear, generate an SSH key pair and copy the private key back to the local machine

ssh-keygen -t rsa    # press Enter through all the prompts (note this leaves the key without a passphrase)
chmod 700 ~/.ssh
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys      # required: sshd (StrictModes) ignores a group/world-writable file, and bear's password would still be asked for when connecting to VNC

Then copy the private key (the id_rsa file, not id_rsa.pub) back to the local machine. The usual and safer direction is the reverse: generate the key pair locally and install only the public key on A (for example with ssh-copy-id bear@1.1.1.1), so the private key never exists on the relay host.

2. On the local machine (also Linux), set the SSH tunnel parameters


Configuring virtual users in vsftpd

vsftpd's virtual users are all mapped onto a single real system user, which is useful when special permission requirements apply. Authentication for this setup relies on db4-utils, whose db_load command builds the Berkeley DB credential file that PAM checks against. This article is based on CentOS 6 64-bit.

1. Install and configure vsftpd

$ yum install db4-utils vsftpd
$ cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.ori
$ touch /etc/vsftpd/chroot_list
$ vim /etc/vsftpd/vsftpd.conf  # adjust the following to your needs, or copy it wholesale
anonymous_enable=NO
# Local users must be enabled, because virtual users access the server mapped onto the local user www
local_enable=YES
write_enable=YES
local_umask=022

dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES

idle_session_timeout=600
data_connection_timeout=120

# Note: vsftpd 2.3.5 and later refuse logins when the chroot root directory is writable
# (allow_writeable_chroot=YES overrides this); the 2.2.x in CentOS 6 does not enforce it
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list

listen=YES

# Use a new PAM service file
pam_service_name=ftp.vuser

# Enable virtual users and map them to the local user www
# These two settings can be put here or in /etc/vsftpd/virtual_conf/user1 below
#guest_enable=YES
#guest_username=www

# Enable the user list and deny login to the users in the user_list file
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd/user_list

tcp_wrappers=YES

# Directory holding the per-virtual-user configuration files
user_config_dir=/etc/vsftpd/virtual_conf

Preventing cross-site access on CentOS 6

Using open_basedir to confine a PHP script's file operations to one directory prevents a compromised site on a shared server from reading or writing another site's files. This article is based on CentOS 6 with PHP 5.5.5. Assume a site lives in /home/wwwroot/zhukun.net.

$ vim /usr/local/php/etc/php.ini    # make sure the relevant settings in php.ini have not been changed
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/open-basedir
;open_basedir =        # leave this at the default
......
; Functions that should be disabled
disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server
......
; Make sure the following stay at their defaults
;;;;;;;;;;;;;;;;;;;;
; php.ini Options  ;
;;;;;;;;;;;;;;;;;;;;
; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
;user_ini.filename = ".user.ini"

; To disable this feature set this option to empty value
;user_ini.filename =

; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
;user_ini.cache_ttl = 300
$ vim /home/wwwroot/zhukun.net/.user.ini    # write this single line
open_basedir=/home/wwwroot/zhukun.net:/tmp/:/proc/

# Related permission settings
$ chmod 644 /home/wwwroot/zhukun.net/.user.ini
$ chown root:root /home/wwwroot/zhukun.net/.user.ini
$ chattr +i /home/wwwroot/zhukun.net/.user.ini

Two caveats. First, /tmp/ is shared by every site on the host, so a script can still read what other sites leave there, and /proc/ exposes things such as /proc/self/environ and /proc/net/*; include only the paths the application genuinely needs. Second, .user.ini is honoured by the CGI/FastCGI SAPIs (PHP-FPM here), not by mod_php, and its contents are cached for user_ini.cache_ttl seconds (300 by default), so a change takes up to five minutes, or a PHP-FPM restart, to apply.

Many people wonder whether the open_basedir they set is actually in effect. The simple way to find out is to change the path after open_basedir, restart the PHP service, and see whether the site still works. A more direct check is a small test script that reads a file outside the allowed paths, for example file_get_contents('/etc/passwd'): with the restriction active PHP logs a warning containing "open_basedir restriction in effect" and the call returns false.
