Tagged: CentOS7

  • starway 3:16 am on June 21, 2019
    Tags: CentOS7   

    Problem when running yum update

    Error: requested datatype primary not available

    1. Method 1

    1. yum clean all
    2. rm -f /var/lib/rpm/__db*
    3. rpm --rebuilddb

    2. Method 2

    1. cd /var/cache
    2. mv yum yum.whatever
    3. yum update
     
  • starway 5:59 pm on June 15, 2019
    Tags: CentOS7   

    Fixing a flood of "systemd: Starting Session ### of user root" messages in the Linux system log

    Source: https://www.cnblogs.com/liliyang/p/9803148.html

     
  • starway 12:46 am on June 10, 2019
    Tags: CentOS7   

    Update/Upgrade to MariaDB 10.3 on VestaCP/CWP/CentOS 7

    A smooth upgrade from MariaDB 5.5 to 10.x on CentOS 7, in practice

    https://wsgzao.github.io/post/mariadb-upgrade/

     
  • starway 5:33 am on June 9, 2019
    Tags: CentOS7   

    https://forum.vestacp.com/viewtopic.php?t=10209

    How to Install CSF Firewall on VestaCP CentOS and Enable CSF firewall GUI

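    Source:

    Tutorial: setting up the whitelist for the CSF firewall installed on a Linux server

    Edit the whitelist

    1. Edit the following file

    nano /etc/csf/csf.allow

    2. Use a site such as ip138.com that shows your own IP to find the IP address your current LAN connects from, add it to this configuration file, then save and exit.

    3. Restart the CSF firewall:

    csf -r

    Done!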

    ################################################################
    Disable notifications

    CSF/LFD Stop Emails containing “Suspicious process running under user X”

    1. Edit the CSF config file

    nano /etc/csf/csf.conf

    2. Search for the following settings PT_USERMEM and PT_USERTIME and set them both to 0.

    # This User Process Tracking option sends an alert if any cPanel user process
    # exceeds the memory usage set (MB). To ignore specific processes or users use
    # csf.pignore
    # Set to 0 to disable this feature

    PT_USERMEM = "0"

    # This User Process Tracking option sends an alert if any cPanel user process
    # exceeds the time usage set (seconds). To ignore specific processes or users
    # use csf.pignore
    # Set to 0 to disable this feature

    PT_USERTIME = "0"

    3. Restart CSF and LFD

    csf -r

    service lfd restart

    The warning emails should stop coming now.

     
  • starway 8:12 pm on June 7, 2019
    Tags: CentOS7   

    DDoS Protection With IPtables: The Ultimate Guide

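    Source:
    https://javapipe.com/blog/iptables-ddos-protection/

    View the rules
    cat /etc/sysconfig/iptables

    Starting with Red Hat® Enterprise Linux® (RHEL) 7 and CentOS® 7, firewalld is available for managing iptables. You therefore need to either use the firewall-cmd command, or disable firewalld and enable iptables. This article describes how to use the classic iptables setup.

    Stop and mask the firewalld service
    Run the following commands to stop and mask the firewalld service that you do not want to use: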

    systemctl stop firewalld
    systemctl mask firewalld

    ### 1: Drop invalid packets ###
    /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

    ### 2: Drop TCP packets that are new and are not SYN ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    ### 3: Drop SYN packets with suspicious MSS value ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

    ### 4: Block packets with bogus TCP flags ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    ### 5: Block spoofed packets ###
    # These drop traffic from private and reserved source ranges; remove any range the
    # server legitimately receives from (for example a private LAN or VPC subnet).
    /sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
    /sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

    ### 6: Drop ICMP (you usually don't need this protocol) ###
    # This also drops the ICMP "fragmentation needed" messages used by path MTU discovery.
    /sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP

    ### 7: Drop fragments in all chains ###
    /sbin/iptables -t mangle -A PREROUTING -f -j DROP

    ### 8: Limit connections per source IP ###
    /sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset

    ### 9: Limit RST packets ###
    /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

    ### 10: Limit new TCP connections per second per source IP ###
    # Note: "-m limit" is one token bucket shared by all sources, not a per-source limit.
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

    service iptables save
    systemctl start iptables

    Finally, edit

    nano /etc/sysconfig/iptables-config

    IPTABLES_SAVE_ON_STOP="yes"
    IPTABLES_SAVE_ON_RESTART="yes"
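
What the "bogus TCP flags" rules in section 4 do to ordinary traffic can be checked offline before loading them. This added example (not from the original post or the linked guide) models `--tcp-flags MASK COMP` matching and reports the first of the 13 rules that would drop a given flag set; the function names and the sample flag sets are constructed for the illustration.

```shell
#!/bin/sh
# Added example: "--tcp-flags MASK COMP" matches when (packet & MASK) == COMP.

# flag_bits "FIN,ACK" -> 17 (the TCP header bit values of the named flags)
flag_bits() {
    bits=0
    for f in $(echo "$1" | tr ',' ' '); do
        case "$f" in
            FIN) bits=$((bits | 1)) ;;  SYN) bits=$((bits | 2)) ;;
            RST) bits=$((bits | 4)) ;;  PSH) bits=$((bits | 8)) ;;
            ACK) bits=$((bits | 16)) ;; URG) bits=$((bits | 32)) ;;
            ALL) bits=63 ;;             NONE) ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# MASK COMP pairs of the 13 rules in section 4, in the order they are appended.
RULES='FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN FIN,SYN
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,FIN FIN
ACK,PSH PSH
ALL ALL
ALL NONE
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG'

# first_drop "SYN,ACK" -> number of the first rule that drops it, 0 if none does
first_drop() {
    pkt=$(flag_bits "$1") || return 1
    n=0; hit=0
    while read -r mask comp; do
        n=$((n + 1))
        m=$(flag_bits "$mask"); c=$(flag_bits "$comp")
        if [ $((pkt & m)) -eq "$c" ]; then hit=$n; break; fi
    done <<EOF
$RULES
EOF
    echo "$hit"
}

# Constructed flag sets: handshake, data and teardown first, then malformed ones.
for p in SYN SYN,ACK ACK PSH,ACK FIN,ACK RST NONE FIN,SYN FIN,PSH,URG ALL; do
    printf '%-12s first dropped by rule %s\n' "$p" "$(first_drop "$p")"
done
```

Normal handshake, data and teardown segments report 0 (not dropped). Rules 7 and 10 repeat the matches of rules 5 and 1, and `ALL ALL` is already caught by rule 2.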

     
  • starway 3:32 pm on June 7, 2019
    Tags: CentOS7   

    The following are ways to disable IPv6 on RHEL and CentOS.

    #https://www.opencli.com/linux/rhel-centos-disable-ipv6
    #https://saad.web.id/2019/02/cara-disable-ipv6-pada-centos-7/

     
  • starway 1:31 pm on June 7, 2019
    Tags: CentOS7   

    Empty a file's contents

    cat /dev/null > xxx.log

     
  • starway 11:01 am on May 24, 2019
    Tags: CentOS7   

    ddos
    https://www.jianshu.com/p/f1e44408c195

    Change it to check every 10 seconds

    https://moe.best/technology/ddos-deflate.html

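    Is a 1-minute run interval not short enough?
    The shortest interval a crontab job can be scheduled at is 1 minute, but if the server really is under attack, 1 minute is more than enough time for it to be overwhelmed.

    Making the script run at intervals shorter than 1 minute is simple in principle: use another script to run DDoS deflate several times within one minute.

    For example, to have the script run every 10 seconds:

    Create a new script runddos.sh in /usr/local/ddos
    vi /usr/local/ddos/runddos.sh
    and fill in the following content

    #!/bin/sh
    # Run ddos.sh six times, sleeping 10 seconds after each run
    i=0;
    while [ $i -le 5 ]
    do
        i=`expr $i + 1`
        /usr/local/ddos/ddos.sh >/dev/null 2>&1
        sleep 10
    done

    Then save it, and remember to give the script execute permission

    chmod +x /usr/local/ddos/runddos.sh

    Modify the ddos script entry in crontab
    vi /etc/cron.d/ddos.cron
    Change this line in the file

    0-59/1 * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1

    to

    0-59/1 * * * * root /usr/local/ddos/runddos.sh >/dev/null 2>&1

    In effect it is just changed to the runddos.sh script we created a moment ago

    Restart crontab
    service crond restart
    That completes the change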
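
The runddos.sh wrapper in this post sleeps after its last run as well, so one invocation lasts at least 60 seconds and can still be running when cron starts the next one. This added example (not from the original post or the DDoS deflate project) shows a wrapper that sleeps only between runs and refuses to start while an earlier batch holds a lock; `run_batch`, `demo` and the lock path are assumed names.

```shell
#!/bin/sh
# Added example. run_batch and the lock path are illustrative names.

# run_batch LOCKDIR COUNT INTERVAL CMD [ARGS...]
# Runs CMD COUNT times, INTERVAL seconds apart. Returns 75 without running
# anything if LOCKDIR exists, i.e. an earlier batch has not finished.
run_batch() {
    lock=$1; count=$2; interval=$3
    shift 3
    # mkdir either creates the directory or fails, atomically, so two batches
    # started at the same moment cannot both get past this line.
    if ! mkdir "$lock" 2>/dev/null; then
        echo "run_batch: $lock exists, previous batch still running" >&2
        return 75
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        "$@" >/dev/null 2>&1 || true   # one failed run must not end the batch
        # Sleep only between runs: 6 runs at 10 s take 50 s plus run time,
        # so the batch is finished before cron fires again.
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
        i=$((i + 1))
    done
    rmdir "$lock"
}

# Self-check on constructed input: a counter file stands in for ddos.sh.
demo() {
    tmp=$(mktemp -d) || return 1
    run_batch "$tmp/lock" 6 0 sh -c "echo ran >> '$tmp/out'"
    runs=$(wc -l < "$tmp/out")
    mkdir "$tmp/lock"            # simulate a batch that is still running
    busy=0
    run_batch "$tmp/lock" 6 0 true 2>/dev/null || busy=$?
    rm -rf "$tmp"
    echo "$((runs)) $busy"
}

# In /usr/local/ddos/runddos.sh the call would be:
#   run_batch /var/run/runddos.lock 6 10 /usr/local/ddos/ddos.sh
demo   # prints "6 75"
```

A batch that is killed mid-run leaves the lock directory behind, so remove it at boot or use flock(1) from util-linux for the locking instead.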

     
  • starway 5:25 am on April 1, 2019
    Tags: CentOS7   

    Source: https://stackoverflow.com/questions/20162176/centos-linux-setting-logrotate-to-maximum-file-size-for-all-logs

     
  • starway 4:43 am on April 1, 2019
    Tags: CentOS7   

    Source: https://forum.vestacp.com/viewtopic.php?t=8346

    nano /etc/logrotate.d/httpd

    Original file
    /var/log/httpd/*log /var/log/httpd/domains/*log {
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
    /sbin/service httpd reload > /dev/null 2>/dev/null || true
    [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
    }

    Change it to

    /var/log/httpd/*log /var/log/httpd/domains/*log {
    rotate 5
    mail myemail@example.com
    size 50M
    sharedscripts
    postrotate
    /usr/bin/killall -HUP httpd
    endscript
    }

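    Or (this one is recommended)

    /var/log/httpd/*log /var/log/httpd/domains/*log {
    daily
    rotate 10
    # size given after daily takes precedence: files rotate only once they exceed 100M
    size 100M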
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
    /sbin/service httpd reload > /dev/null 2>/dev/null || true
    [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
    }

    Finally, test it

    logrotate -v /etc/logrotate.conf

     