download open-iscsi
tar -zxvf open-iscsi-2.0-870.3.tar.gz
cd open-iscsi-2.0-870.3
make; make install
cp etc/initd/initd.redhat /etc/init.d/iscsid
chmod 755 /etc/init.d/iscsi
mkdir /var/lock/subsys

/etc/init.d/iscsi start

vi /etc/iscsi/initiatorname.iscsi

iscsiadm -m discovery -t st -p 10.10.50.4
iscsiadm -m node -l

fdisk -l

download Linux-PAM-1.0.4.tar.bz2
tar -jxvf Linux-PAM-1.0.4.tar.bz2
cd Linux-PAM-1.0.4
./configure
make; make install

mkdir /etc/pam.d
download VMware-server-2.0.1-156745.i386.rpm
rpm -ivh –nodeps VMware-server-2.0.1-156745.i386.rpm

vmware-config.pl

A848H-P0V0G-0F6C1-4UMUE

Fllowing are the activation key enterprise license for vCenter and vSphere 6.5: This license isn’t use for commercial purposes. Please buy a license if you can! vCenter: 0A0FF-403EN-RZ848-ZH3QH-2A73P. vSphere: JV425-4h100-vzhh8-q23np-3a9pp.

Method 1

1. Double-click the .chm file.
2. In the Open File-Security Warning dialog box, click to clear the Always ask before opening this file check box.
3. Click Open.

Method 2

1. Right-click the CHM file, and then click Properties.
2. Click Unblock.
3. Double-click the .chm file to open the file.

General idea

In recent times our network has seen a lot of attempts to brute-force ssh passwords. A method to hamper such attacks by blocking attacker’s IP addresses using iptables ‘recent’ matching is presented in this text:

If the amount of connection attempts from a certain IP address exceeds a defined threshold, this remote host is blacklisted and further incoming connection attempts are ignored. The host is only removed from the blacklist after it has been stopped connecting for a certain time.

Software requirements

Linux kernel and iptables with ‘recent’ patch.

It seems like this patch has entered the mainline some time ago. ‘Recent’ matching e.g. is known to be included with kernels 2.4.31 and 2.6.8 of Debian stable (’sarge’).

Implementation

We begin with empty tables…

iptables -F

…and add all the chains that we will use:

iptables -N ssh
iptables -N blacklist

Setup blacklist chain

One chain to add the remote host to the blacklist, dropping the connection attempt:

iptables -A blacklist -m recent --name blacklist --set
iptables -A blacklist -j DROP

The duration that the host is blacklisted is controlled by the match in the ssh chain.

Setup ssh chain

In the ssh chain, incoming connections from blacklisted hosts are dropped. The use of –update implies that the timer for the duration of blacklisting (600 seconds) is restarted every time an offending packet is registered. (If this behaviour is not desired, –rcheck may be used instead.)

iptables -A ssh -m recent --update --name blacklist --seconds   600 --hitcount   1 -j DROP

These rules are just for counting of incoming connections.

iptables -A ssh -m recent --set    --name counting1
iptables -A ssh -m recent --set    --name counting2
iptables -A ssh -m recent --set    --name counting3
iptables -A ssh -m recent --set    --name counting4

With the following rules, blacklisting is controlled using several rate limits. In this example, a host is blacklisted if it exceeds 2 connection attempts in 20 seconds, 14 in 200 seconds, 79 in 2000 seconds or 399 attempts in 20000 seconds.

iptables -A ssh -m recent --update --name counting1 --seconds    20 --hitcount   3 -j blacklist
iptables -A ssh -m recent --update --name counting2 --seconds   200 --hitcount  15 -j blacklist
iptables -A ssh -m recent --update --name counting3 --seconds  2000 --hitcount  80 -j blacklist
iptables -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist

The connection attempts that have survived this scrutiny are accepted:

iptables -A ssh -j ACCEPT

Setup INPUT chain

Allow packets that belong to existing connections:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow all packets from loopback interface:

iptables -A INPUT -i lo -j ACCEPT

Optionally we may allow all packets from certain friendly subnets. However this should be used sparingly and it should be kept in mind that hosts from friendly subnets may be compromised and out of a sudden be not so friendly anymore…

iptables -A INPUT -s aa.bb.cc.0/24 -j ACCEPT

Now we direct all incoming ssh connections to the chain of the same name:

iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j ssh

What remains in this chain has no right to continue:

iptables -A INPUT -j DROP

Variations

• Depending on personal taste, the check against the blacklist (first rule of ssh chain) might be moved to the top of the INPUT chain so that all communication (not only subsequent connection attempts) from the blacklisted host is blocked immedeately.
• Many other packet matching criteria might be conceived that would warrant putting the sender on the blacklist.
• Identical or similar effects possibly may be achieved using different extensions to iptables.

Limitations

Denial of Service

Theoretically, the described approach opens a DoS vulnerability, that may be exploited using SYN-packets with fake sender address to disable ssh connections from a certain host. Therefore ‘recent’ matching should not be used, when the ability to connect to the machine from any location and at all times is mission-critical. When it is not, the problem of DoS may be addressed when it happens, which probably is never.

Also it should be mentioned, that the ssh daemon itself in its current implementation is vulnerable to DoS: There is an upper value for concurrent connections.

No substitute for secure passwords

The approach described here by no means is a substitute for using secure passwords that are difficult to guess and to brute-force! Disabling root logins in sshd is very much recommended! (Oh, by the way: There is also an option to disallow empty passwords for sshd.

Security by Obscurity

It should be noted that this scheme partly employs methods of ’security by obscurity’ to increase its effectivity. A casual attacker probably will be blocked for a long time (possibly forever) after serveral tries. Yet a determined, observant attacker still may try passwords at the rate specified by the counting4 rule. However this is still a considerable improvement compared to no limit at all.

Often ’security by obscurity’ is frowned upon as offering ‘no real’ security. Yet, such an opinion is undifferentiated. It may be very well true that secrecy does not increase the hardness of the system with respect to ‘the most elaborate attack’ that still will be averted. However for sure it is well suited to stall casual attacks and by such reduce the overall number of attacks. Seen in this light, it might also be sensible to use a non-standard port for ssh service.

Further Reading

• Iptables recent patch web site
• Netfilter Extensions HOWTO

About this document

These are some random scribblings prepared for a meeting of sysadmins at TUM Physik-Department. The concept was motivated by Roland Kuhn. The author of this text is Thiemo Nagel. Please send comments to tnagel at e18.physik.tu-muenchen.de.

hieuvpn : modprobe ipt_recent ip_pkt_list_tot=255 ip_list_tot=60000

gsmsmsd -a ‘tail -n 30 > /SMS_IN/`date +%y%m%d-%H%M%S`’ -d /dev/ttyS0 -b 9600 -s /SMS_OUT -t sm -f no_cb no_stat sms &

autoexec=xampp changes=/dev/hda1/ noagp nosound nopcmcia noauto

qemu.exe -L . -m 256M -hda hda.img -cdrom slaxdev.iso -localtime -M pc -net nic -net user -redir tcp:3306::3306 -redir tcp:8080::80 -redir tcp:2222::22 -boot d -vnc 127.0.0.1:100 -k en-us -serial COM1

DÀNH CHO CON NHẢ NGHÈO

VIRTUAL SERVER IS SLACKWARE

I. Mô hình:

Mô hình HEART BEAT

II. BONDING

 Bonding is the same as port trunking. allows you to create multi-gigabit pipes to transport traffic through the highest traffic areas  of your network. Linux bond or team multiple network interfaces (NIC) into single interface

You can use it wherever you need redundant links, fault tolerance or load balancing networks. It is the best way to have a high availability network segment. A very useful way to use bonding is to use it in connection with 802.1q VLAN support

 

 

 

 

 

è  Redundancy trên connection

 

/usr/src/linux/Documentation/networking

gcc -Wall -O -I/usr/src/linux/include ifenslave.c -o ifenslave

cp ifenslave /sbin/ifenslave

vi rc.bond

#!/bin/sh

#

        case “$1″ in

          ’start’)

            echo “start bond0″

            #modprobe bonding mode=balance-alb miimon=100

            modprobe bonding mode=balance-rr miimon=100

            modprobe tg3

            ifconfig bond0 up

            ifenslave bond0 eth0

            ifenslave bond0 eth1

            #TODO need to be changed

            ifconfig bond0 hw ether 00:16:3e:aa:aa:aa

          ;;

          ’stop’)

            ifconfig bond0 down

            rmmod bonding

            rmmod tg3

          ;;

          *)

            echo “Usage: $0 {start|stop}”

          ;;

        esac

vi rc.M

before ““#Initialize the networking hardware””

# If script rc.bond is executeable then start it

if [ -x /etc/rc.d/rc.bond ]; then

  . /etc/rc.d/rc.bond start

fi

 

vi rc.inet1.conf

 

And add these lines to it before the default gateway gets assigned:

IFNAME[4]=”bond0″

IPADDR[4]=”XXX.XX.XX.XX”

NETMASK[4]=”255.255.255.0″

USE_DHCP[4]=”"

DHCP_HOSTNAME[4]=”"

 

cat /proc/net/bonding/bond0

III.  DRBD:

Mục đích Mirror 2 Virtual Disk của 2 Virtual Server trên 2 Physical server qua NIC.

Mô hình họat động của DRDB

KERNEL 2.6

 

Device Drivers,Connector - unified userspace <-> kernelspace linker

 

modprobe cn

 

download http://oss.linbit.com/drbd/

 

make; make install

 

/etc/drbd.conf

 

syncer {

    rate 10M;

}

 

cram-hmac-alg €œsha1€;

shared-secret “shared-string”;

 

on drbd-one {

device /dev/drbd0;

disk /dev/hdd1;

address 192.168.0.240:8888;

meta-disk internal;

}

 

on drbd-two {

 

device /dev/drbd0;

disk /dev/hdd1;

address 192.168.0.241:8888;

meta-disk internal;

}

STEP BY STEP CONFIGURE

 

 

1.  Before starting the primary node, you should create the metadata for the devices:

root-shell> drbdadm create-md all

 

root-shell> /etc/init.d/drbd start

 

root-shell> drbdadm — –overwrite-data-of-peer primary all

 

root-shell> mkfs.ext3 /dev/drbd0

 

root-shell> mount /dev/drbd0 /mnt/drbd

 

 

 

 

1.  To set up a secondary node:

 

        A. Copy the /etc/drbd.conf file from your primary node to your secondary node.

B.  root-shell> drbdadm create-md all

C. root-shell> /etc/init.d/drbd start

 

 

 

Command test việc vận hành mirror các virtual HDD

cat /proc/drbd à /*(Kiểm tra tình trạng kết nối của 2 HDD virtuak trên 2 virtual server)*/

 

root-shell> drbdadm primary all

 

root-shell> drbdadm secondary all

 

root-shell> drbdadm disconnect all

 

root-shell> drbdadm connect all

 

//if split brain - run this on failed node

 

drbdadm – –discard-my-data connect all

 

//and do connect on order side

 

 

IV.         High Availability (HeartBeat)

 

 

Heartbeat is a daemon that provides cluster infrastructure (communication and membership) services to its clients. This allows clients to know about the presence (or disappearance!) of peer processes on other machines and to easily exchange messages with them

Architect Heart Beat

Clip for Newbie

 

download http://www.slackware.com/~alien/slackbuilds/libnet/pkg/11.0/libnet-1.1.2.1-i486-1.tgz

 

download http://hg.linux-ha.org/lha-2.1/archive/STABLE-2.1.4.tar.bz2

 

tar -jxvf heartbeat.tar.bz2

 

./ConfigureMe configure

 

make; make install

//Edit file ha.cf

vi ha.cf

logfacility local0

keepalive 500ms

deadtime 10

warntime 5

initdead 30

mcast bond0 225.0.0.1 694 2 0

auto_failback off

node drdb-one

node drdb-two

ping 10.10.50.254 10.10.50.50

respawn hacluster /usr/lib/heartbeat/ipfail

apiauth ipfail gid=haclient uid=hacluster

deadping 5

//Edit haresources

vi haresources

drdb-two drbddisk Filesystem::/dev/drbd0::/raid1::ext3 mysql 10.10.50.28

vi resource.d/mysql.resource

#!/bin/bash

#

# This script is inteded to be used as resource script by heartbeat

#

# Mar 2006 by Monty Taylor

#

###

. /etc/ha.d/shellfuncs

case "$1" in

    start)

        res=`/etc/init.d/mysql start`

        ret=$?

        ha_log $res

        exit $ret

        ;;

    stop)

        res=`/etc/init.d/mysql stop`

        ret=$?

        ha_log $res

        exit $ret

        ;;

    status)

        if [ `ps -ef | grep '[m]ysqld'` ] ; then

           echo "running"

        else

           echo "stopped"

        fi

        ;;

    *)

        echo "Usage: mysql {start|stop|status}"

        exit 1

        ;;

esac

exit 0

package included in HA

vi /etc/ha.d/ldirectord.conf

checktimeout=3

checkinterval=10

download http://slackbuilds.org/repository/12.2/network/iscsitarget/

download src (link in iscsitarget.info)

./iscsitarget.SlackBuild

installpkg /tmp/iscsitarget-0.4.17-i486-1_SBo.tgz

vi /etc/ietd.conf

Target iqn.2001-04.com.example:storage.disk2.sys1.xyz
# Users, who can access this target. The same rules as for discovery
# users apply here.
# Leave them alone if you don’t want to use authentication.
#IncomingUser joe secret
#OutgoingUser jim 12charpasswd
# Logical Unit definition
# You must define one logical unit at least.
# Block devices, regular files, LVM, and RAID can be offered
# to the initiators as a block device.
Lun 0 Path=/dev/drbd1,Type=blockio
# Alias name for this target
Alias Test

/etc/rc.d/rc.iscsi-target start

OCFS2

download http://oss.oracle.com/projects/ocfs2-tools/files/

mkdir /etc/sysconfig

touch /sbin/chkconfig ; chmod 755 /sbin/chkconfig

rpm -ivh –nodeps ocfs2-tools-1.4.2-1.el5.i386.rpm

vi /etc/sysconfig/o2cb

O2CB_ENABLED=true

vi /etc/ocfs2/cluster.conf

node:
        ip_port = 7777
        ip_address = 10.10.50.6
        number = 0
        name = GSX-2
        cluster = ocfs2
node:
        ip_port = 7777
        ip_address = 10.10.50.5
        number = 1
        name = GSX-1
        cluster = ocfs2

cluster:
        node_count = 2
        name = ocfs2

/usr/src/linux/Documentation/networking

gcc -Wall -O -I/usr/src/linux/include ifenslave.c -o ifenslave

cp ifenslave /sbin/ifenslave

vi rc.bond

#!/bin/sh
#
        case "$1" in
          'start')
            echo "start bond0"
            #modprobe bonding mode=balance-alb miimon=100
            modprobe bonding mode=balance-rr miimon=100
            modprobe tg3
            ifconfig bond0 up
            ifenslave bond0 eth0
            ifenslave bond0 eth1
            #TODO need to be changed
            ifconfig bond0 hw ether 00:16:3e:aa:aa:aa
          ;;
          'stop')
            ifconfig bond0 down
            rmmod bonding
            rmmod tg3
          ;;
          *)
            echo "Usage: $0 {start|stop}"
          ;;
        esac

vi rc.M

before "“#Initialize the networking hardware”"

# If script rc.bond is executeable then start it
if [ -x /etc/rc.d/rc.bond ]; then
  . /etc/rc.d/rc.bond start
fi

vi rc.inet1.conf

And add these lines to it before the default gateway gets assigned:
IFNAME[4]="bond0"
IPADDR[4]="XXX.XX.XX.XX"
NETMASK[4]="255.255.255.0"
USE_DHCP[4]=""
DHCP_HOSTNAME[4]=""
cat /proc/net/bonding/bond0
DRBD
KERNEL 2.6
Device Drivers,Connector - unified userspace <-> kernelspace linker
modprobe cn
download http://oss.linbit.com/drbd/
make; make install
/etc/drbd.conf



global {
    usage-count yes;
}

common {
  syncer { rate 10M; }
}

resource r0 {

  protocol C;

  handlers {
    pri-on-incon-degr "/usr/lib/drbd/notify-pri-on-incon-degr.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    pri-lost-after-sb "/usr/lib/drbd/notify-pri-lost-after-sb.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    local-io-error "/usr/lib/drbd/notify-local-io-error.sh; /usr/lib/drbd/notify-emergency-shutdown.sh; echo o > /proc/sysrq-trigger ; halt -f";
    outdate-peer "/usr/lib/heartbeat/drbd-peer-outdater -t 5";
  }

  startup {
    wfc-timeout  5;
    degr-wfc-timeout 120;    # 2 minutes.
    outdated-wfc-timeout 2;  # 2 seconds.
  }

  disk {
    on-io-error   detach;
  }

  net {
    max-buffers     8192;
    cram-hmac-alg "sha1";
    shared-secret "hieuvpn";
    after-sb-0pri discard-least-changes;
    after-sb-1pri discard-secondary;
    after-sb-2pri violently-as0p;
    rr-conflict disconnect;
  }

  syncer {
    rate 10M;
    al-extents 257;
  }

  on drdb-one {
    device    /dev/drbd0;
    disk      /dev/hda3;
    address   10.10.50.26:7788;
    meta-disk internal;
  }

  on drdb-two {
    device    /dev/drbd0;
    disk      /dev/hda3;
    address   10.10.50.27:7788;
    meta-disk internal;
  }

}




resource r1 {

  protocol C;

  handlers {
    pri-on-incon-degr "/usr/lib/drbd/notify-pri-on-incon-degr.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    pri-lost-after-sb "/usr/lib/drbd/notify-pri-lost-after-sb.sh; /usr/lib/drbd/notify-emergency-reboot.sh; echo b > /proc/sysrq-trigger ; reboot -f";
    local-io-error "/usr/lib/drbd/notify-local-io-error.sh; /usr/lib/drbd/notify-emergency-shutdown.sh; echo o > /proc/sysrq-trigger ; halt -f";
    outdate-peer "/usr/lib/heartbeat/drbd-peer-outdater -t 5";
  }

  startup {
    wfc-timeout  5;
    degr-wfc-timeout 120;    # 2 minutes.
    outdated-wfc-timeout 2;  # 2 seconds.
  }

  disk {
    on-io-error   detach;
  }

  net {
    max-buffers     8192;

    cram-hmac-alg "sha1";
    shared-secret "hieuvpn";

    after-sb-0pri discard-least-changes;

    after-sb-1pri discard-secondary;
    after-sb-2pri violently-as0p;

    rr-conflict disconnect;

  }

  syncer {
    rate 10M;

    al-extents 257;

  }

  on drdb-one {
    device    /dev/drbd1;
    disk      /dev/hdb;
    address   10.10.50.26:7790;
    meta-disk internal;
  }

  on drdb-two {
    device    /dev/drbd1;
    disk      /dev/hdb;
    address   10.10.50.27:7790;
    meta-disk internal;
  }

}


Before starting the primary node, you should create the metadata for the devices:
root-shell> drbdadm create-md all
root-shell> /etc/init.d/drbd start
root-shell> drbdadm -- --overwrite-data-of-peer primary all
root-shell> mkfs.ext3 /dev/drbd0
root-shell> mount /dev/drbd0 /mnt/drbd
To set up a secondary node:

Copy the /etc/drbd.conf file from your primary node to your secondary node.
root-shell> drbdadm create-md all
root-shell> /etc/init.d/drbd start

cat /proc/drbd
root-shell> drbdadm primary all
root-shell> drbdadm secondary all
root-shell> drbdadm disconnect all
root-shell> drbdadm connect all
if split brain - run this on failed node
drbdadm -- --discard-my-data connect all
(forcing by drbdadm invalidate all )
and do connect on order side
HA
download http://www.slackware.com/~alien/slackbuilds/libnet/pkg/11.0/libnet-1.1.2.1-i486-1.tgz
download http://hg.linux-ha.org/lha-2.1/archive/STABLE-2.1.4.tar.bz2
tar -jxvf heartbeat.tar.bz2
./ConfigureMe configure
make; make install

vi ha.cf

logfacility local0
keepalive 500ms
deadtime 10
warntime 5
initdead 30
mcast bond0 225.0.0.1 694 2 0
auto_failback off
node drdb-one
node drdb-two
ping 10.10.50.254 10.10.50.50
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster
deadping 5

vi haresources
drdb-two drbddisk Filesystem::/dev/drbd0::/raid1::ext3 mysql 10.10.50.28

vi resource.d/mysql.resource
#!/bin/bash
#
# This script is inteded to be used as resource script by heartbeat
#
# Mar 2006 by Monty Taylor
#
###
. /etc/ha.d/shellfuncs
case "$1" in
    start)
        res=`/etc/init.d/mysql start`
        ret=$?
        ha_log $res
        exit $ret
        ;;
    stop)
        res=`/etc/init.d/mysql stop`
        ret=$?
        ha_log $res
        exit $ret
        ;;
    status)
        if [ `ps -ef | grep '[m]ysqld'` ] ; then
           echo "running"
        else
           echo "stopped"
        fi
        ;;
    *)
        echo "Usage: mysql {start|stop|status}"
        exit 1
        ;;
esac
exit 0

1/ chuyển phụ đề srt :

- dùng unikey chuyển sang font abc

- srt2ssa.exe chuyển srt sang file ssa

- chọn font abc , primary = white

-mở vdub.exe load file - video compression divx - filters - subtitle - save AVI