18
May

SYS02 setup env

   Posted by: admin   in Linúc ếch bợt

# yum groupinstall “Development tools”
# yum install epel-release
mariadb.repo
https://downloads.mariadb.org/mariadb/repositories/#mirror=nethub&distro=CentOS&distro_release=centos6-amd64–centos6&version=10.2

#yum install MariaDB-server MariaDB-client MariaDB-devel
# mysql_secure_installation
# For CentOS/RHEL/Scientific Linux 6 i386 or x86_64 #


wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm


# rpm -ivh remi-release-6.rpm


#yum remove php
#yum remove php-common
yum-config-manager --enable remi-php54
#yum install php php-mysql php-dom php-devel php-snmp re2c
download https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.13
unzip cphalcon-master.zip
#cd build
#./install
===================== radius OTP perl ====================
====================== Devtools2 for CentOS ======================
PHP-CPP
https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY
#wget 'https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY/archive/master.zip'
#unzip php-cpp-master.zip
#cd PHP-CPP-LEGACY-master/
#make; make install
LibSSH
#wget 'https://git.libssh.org/projects/libssh.git/snapshot/master.zip'
download v0.7.5 at https://git.libssh.org/projects/libssh.git/
#mv master.zip libssh-master.zip
#unzip libssh-master.zip
#cd master/build
#cmake -DCMAKE_INSTALL_PREFIX=/usr ..
#make ; make install
CNetconf
https://github.com/CESNET/libnetconf
#wget 'https://github.com/CESNET/libnetconf/archive/master.zip'
https://github.com/CESNET/libnetconf/tree/0.10.x
#mv master.zip netconf-master.zip
#unzip netconf-master.zip
#yum install libxml2-devel libxslt-devel curl-devel
# ./configure --prefix=/usr
#vi src/ssh.c

int strict=0;

ssh_options_set(retval->ssh_sess, SSH_OPTIONS_STRICTHOSTKEYCHECK, &strict);

 case NC_SSH_AUTH_INTERACTIVE:
                        VERB("Keyboard-interactive authentication");
                        break;
#make ; make install
=========== CENTOS 7 ============
install mariadb 5.5 , remi php70 , php-cpp
cnetconf branch 0.10.x not the latest one
========== CENTOS 6 ===============
     cd /root/
     yum -y install epel-release
     yum -y install centos-release-scl
     yum -y install devtoolset-6
     yum -y install MariaDB-server MariaDB-client MariaDB-devel
     /etc/init.d/mysql start
     mysql_secure_installation
     export http_proxy=http://10.103.19.251:3128
     export https_proxy=http://10.103.19.251:3128
     wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
     rpm -ivh remi-release-6.rpm
     yum remove php
     yum remove php-common
     yum-config-manager --enable remi-php54
     yum -y install php php-mysql php-dom php-devel php-snmp re2c
     wget https://github.com/phalcon/cphalcon/archive/phalcon-v2.0.13.tar.gz
     tar -xvf phalcon-v2.0.13.tar.gz
     cd cphalcon-phalcon-v2.0.13/
     cd build/
     ./install
     cd /root/
     wget 'https://github.com/CopernicaMarketingSoftware/PHP-CPP-LEGACY/archive/master.zip'
     mv master.zip PHP-CPP-LEGACY.zip
     unzip PHP-CPP-LEGACY.zip
     cd PHP-CPP-LEGACY-master/
     make
     make install
     ldconfig
     cd /root/
     wget https://git.libssh.org/projects/libssh.git/snapshot/libssh-0.7.5.tar.gz
     tar -xvf libssh-0.7.5.tar.gz
     cd libssh-0.7.5
     mkdir build
     cd build/
     yum -y install cmake
     cmake -DCMAKE_INSTALL_PREFIX=/usr ..
    make
    make install
    ldconfig
    cd /root/
    wget https://github.com/CESNET/libnetconf/archive/0.10.x.zip
    unzip 0.10.x.zip
    cd libnetconf-0.10.x/
    yum -y install libxml2-devel libxslt-devel curl-devel
    ./configure --prefix=/usr
    make
    make install
Comments Off
30
Mar

openvz vxlan

   Posted by: admin   in Mẹo vặt của hiếu râu

download template here https://openvz.org/Download/template/precreated

# vzctl create 350 –ostemplate centos-6-x86_64-minimal
# vzctl set 350 –netif_add eth0 –save
# vzctl start 350

# brctl addbr br0
# brctl addif br0 veth350.0
# brctl show
# ip link add vxlan0 type vxlan id 100 dev eth3
# ifconfig vxlan0 up
# ifconfig br0 up
# brctl addif br0 vxlan0
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001851a44308       no              veth350.0
———————————————————————–vxlan0
# bridge fdb append to 00:00:00:00:00:00 dst 10.99.92.5 dev vxlan0
# bridge fdb append to 00:00:00:00:00:00 dst 10.99.92.6 dev vxlan0
# bridge fdb show
00:00:00:00:00:00 dev vxlan0 dst 10.99.92.5 self permanent
00:00:00:00:00:00 dev vxlan0 dst 10.99.92.6 self permanent
Comments Off
27
Mar

apache hardening

   Posted by: admin   in Mẹo vặt của hiếu râu

ServerTokens Prod

ServerSignature Off
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<Location />
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
</Location>

TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN

RequestReadTimeout header=10-30,MinRate=500 body=10,MinRate=2000

ssl.conf
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!3DES
php.ini
expose_php = Off
================
disable tcp timestamp
run and put the line to /etc/rc.d/rc.local
#echo 0 > /proc/sys/net/ipv4/tcp_timestamps
disable icmp timestamp
-A INPUT -p icmp –icmp-type 8 -j ACCEPT
Comments Off
5
Jan

apache benchmarking

   Posted by: admin   in Mẹo vặt của hiếu râu

ab -n 1000 -c 10 http://192.168.100.1/

iptables -A INPUT -p tcp –tcp-flags FIN FIN -j DROP

-A OUTPUT -p tcp  –tcp-flags RST RST -j REJECT –reject-with tcp-reset

two more falgs PSH and FIN

# cd /proc/sys/net/ipv4
# echo 1 > tcp_orphan_retries
# cat tcp_fin_timeout
# echo 5 > tcp_fin_timeout

#for ((i=2;i<255;i++)); do ip addr add 192.168.100.$i dev eth4 ; done

for ((j=1;j<1000;j++)); do

for ((i=2;i<255;i++)); do

usleep 20000;

echo $i; echo -n “GET / HTTP/1.0″ | nc -w 2 192.168.100.1 80 &

done ;

done

# netstat -nat | awk ‘{print $6}’ | sort | uniq -c | sort -n

Comments Off
16
Oct

jncis

   Posted by: admin   in Mẹo vặt của hiếu râu

- ipsec vpn

confidential - encryption - symmectric RC4 DES 3DES AES blowfish , asymmectric public key RSA DH ( groups 12514 )

integrity - hash MD5 SHA1 SHA2 ( sender data+hash, receiver data+hash = hash )

authentication - HMAC ( hashed mess authen code ) Diffie-Hellman algorithm ( DH groups 125 )

Step1 established IKE (500/UDP)- phase 1 : proposals (encrypt,hash,authen,DH groups)- policy (main/aggressive, preshared key)- gateway (IP,interface) - phase 2 : quick mode - proposal ( ESP/AH , hmac ) - policy (PFS reasign DH groups) - vpn ( tunnel/transport mode)

Step 2 : process traffic - transport mode ( insert ipsec header before payload ) vs tunnel mode ( new header packed the original + trail ) ; AH (51,intefrity,authen,antireplay) vs ESP (50 , integrity,authen,antireplay,confidential )

==============================

Phase 1

+ proposal : auth-algo (md5,sha1/256) auth-method ( preshared / DSARSA key) encrypt-algo (DES,3DES,AES) dh-group (12514) lifetime ( 180s - 1day)

+ policy : proposal ( F1_PRO ) preshared-key (”pass123″)/certificate(DSARSA) mode (main/aggresive)

+ gateway : policy ( F1_POL) address (remote_ip) external interface (ge-0/0/0)

Phase 2

+ proposal : authen-algo (HMAC-md5/sha1256) encrypt (DES,3DES,AES) lifetime, protocol (ESP/AH)

+ policy : proposal (F2_PRO) PFS key (group12514)

+ vpn : bind-interface (st0.1) establishedtunnel ( immediate ) ike gateway (F1_GW) ike ipsec-pol (F2_POL)

Comments Off
3
Oct

cacti - update thold name from cache

   Posted by: admin   in Mẹo vặt của hiếu râu

update thold_data a , graph_templates_graph b

SET a.name=b.title_cache
where a.graph_id=b.local_graph_id



https://github.com/Cacti/plugin_thold/releases
Comments Off
16
Aug

sendmail log subject

   Posted by: admin   in Mẹo vặt của hiếu râu

LOCAL_CONFIG
Klog syslog
HSubject: $>+CheckSubject
LOCAL_RULESETS
SCheckSubject
R$*{TAB}$: $(log Subject: $1 $) $1

Comments Off
6
Jul

apache mod_security

   Posted by: admin   in Mẹo vặt của hiếu râu

SecRule SCRIPT_BASENAME “\.php$” “id:999,chain,deny,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} BLOCKIP= %{REMOTE_ADDR} ‘”

SecRule SCRIPT_UID “^48$” log

SecRule REQUEST_FILENAME “^/phpadmin/” “id:990,noauditlog,allow”

SecRule ARGS “@containsWord select” “id:998,log,pass,t:lowercase”

SecRule ARGS “@containsWord union” “id:997,log,pass,t:lowercase”

SecRule ARGS “@containsWord outfile” “id:996,log,pass,t:lowercase”

SecRule ARGS “@containsWord load_file” “id:995,log,pass,t:lowercase”

#SecRule REQUEST_HEADERS:User-Agent “MJ12bot”    ”id:972,deny,log”

#SecRule REQUEST_HEADERS:User-Agent “bingbot”    ”id:973,deny,log”

SecRule ARGS “login” “id:980,pass,msg:’%{TIME_YEAR}/%{TIME_MON}/%{TIME_DAY} %{TIME_HOUR}:%{TIME_MIN}:%{TIME_SEC} %{SCRIPT_FILENAME} %{REQUEST_BODY} LOGINIP= %{REMOTE_ADDR} ‘”

[modsec-php48]

enabled  = true

filter   = modsec-php48

action   = iptables-multiport[name=modsecPHP48, port="80,443", protocol=tcp]

modsec-php48-whois[name="ModSecBackdoor", dest="xxx@yahoo.com", sender=xxx@vixxxave.vn, sendername="Fail2Ban"]

logpath  = /var/log/httpd/modsec_audit.log

maxretry = 1

findtime = 3600

bantime  = 864000

vi modsec-php48.conf
[INCLUDES]
# Read common prefixes. If any customizations available — read them from
# common.local
before = common.conf
[Definition]
failregex = BLOCKIP= <HOST> “\]
ignoreregex =
vi whois-modsec-php48
actionban = printf %%b “Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +”%%a, %%d %%h %%Y %%T +0000″`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip>:\n
`tail -n 1000 /var/log/httpd/modsec_audit.log | grep <ip> | grep BLOCKIP`\n
`/usr/bin/whois <ip> || echo missing whois program`\n
Regards,\n
Fail2Ban” | /usr/sbin/sendmail -f <sender> <dest>
Comments Off
8
Jun

apache renew SSL Cert

   Posted by: admin   in Mẹo vặt của hiếu râu

grep SSLCertificate /etc/httpd/conf.d/ssl.conf
openssl req -new -days 3650 -x509 -nodes -newkey rsa:2048 \


-out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key


chmod 600 /etc/pki/tls/certs/server.crt


chmod 600 /etc/pki/tls/private/server.key
Comments Off
19
May

sendmail authid counter

   Posted by: admin   in Mẹo vặt của hiếu râu

cat /var/log/maillog-20170514 | grep authid | cut -d ‘=’ -f 4 | sort | uniq -c | sort -nr

Comments Off
Back to top
Previous EntriesNext Entries