sudoers
# %wheel ALL=(ALL) NOPASSWD: ALL
thttpd ALL=(ALL) NOPASSWD: /bin/ls, /bin/w, /bin/whoami
Defaults:thttpd !requiretty
# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build
download the source package from http://vault.centos.org
mc src.rpm -> containIO -> F5 the source .tar.bz2
tar -jxvf openssh-5.3p1-noacss.tar.bz2
cd openssh-5.3p1
# cp contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp ../openssh-5.3p1-noacss.tar.bz2 /usr/src/redhat/SOURCES/openssh-5.3p1.tar.bz2
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/
rpm -Uvh openssh-*.rpm ; note: this can stop the running sshd service
/usr/sbin/sshd -p 443
# %wheel ALL=(ALL) NOPASSWD: ALL
thttpd ALL=(ALL) NOPASSWD: /bin/ls, /bin/w, /bin/whoami
Defaults:thttpd !requiretty
yum install vnc-server
vi /etc/sysconfig/vncservers
VNCSERVERS="2:root"
#VNCSERVERARGS[2]="-geometry 1080x720"
VNCSERVERARGS[2]="-geometry 1280x960"
# additional VNCSERVERARGS options: -nolisten tcp -nohttpd -localhost (without -localhost the display is reachable from the network)
[root@proxy4 ~]# vmstat 2
procs ———–memory———- —swap– —–io—- –system– —–cpu—–
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 2568 154420 163468 1357600 0 0 0 36 1 10 1 0 97 1 0
0 0 2568 154420 163468 1357600 0 0 0 28 59 97 1 0 99 0 0
2 0 2568 153464 163468 1357600 0 0 0 54 112 183 4 1 95 0 0
0 0 2568 153416 163468 1357600 0 0 0 0 80 107 2 1 97 0 0
------------SSH-----------
# yum install pam-devel make gcc-c++ wget
https://google-authenticator.googlecode.com
# tar -jxvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install
# google-authenticator
Open the PAM configuration file '/etc/pam.d/sshd' and add the following line to the top:
auth required pam_google_authenticator.so
Open file '/etc/ssh/sshd_config' and set:
ChallengeResponseAuthentication yes
restart sshd -> done
---------------- vsftpd: use password as PIN+OTP --------------------
auth required pam_google_authenticator.so try_first_pass forward_pass
https://github.com/chregu/GoogleAuthenticator.php/blob/master/example.php
------------------- sFTP ------------------
Subsystem sftp internal-sftp
Match Group sftpgroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
-----
%h = HOME_DIR, mode 755, owned root:root (sshd requires the chroot directory to be root-owned and not writable by others)
mkdir public_html; chown user:sftpgroup public_html
usermod -g sftpgroup user
mkdir otp; chown user otp
mv .google_au* otp
/etc/pam.d/sshd:
auth required pam_google_authenticator.so \
    try_first_pass forward_pass \
    secret=${HOME}/otp/.google_authenticator
--------------- Apache -------------------
svn checkout http://google-authenticator-apache-module.googlecode.com/svn/trunk/ google-authenticator-apache-module-read-only
make; make install
LoadModule authn_google_module modules/mod_authn_google.so
.htaccess:
AuthType Basic
AuthName "BasicAuth with OTP"
AuthBasicProvider "google_authenticator"
Require valid-user
GoogleAuthUserPath /home/www/xxx/otp/site
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 4
--file /home/www/xxx/otp/site/username--
ZZZAAAOTPPINCODEAAAZZZ
"PASSWORD=mySecret
------
auth with username, password = mySecret+OTP
change some settings in /etc/iscsi/iscsid.conf:
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 10
node.session.timeo.replacement_timeout = 15
/etc/init.d/iscsi start
iscsiadm -m iface -I iface0 --op=new
iscsiadm -m iface -I iface1 --op=new
iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v 00:11:22:33:44:55
iscsiadm -m iface -I iface1 --op=update -n iface.hwaddress -v 66:77:88:99:AA:BB
iscsiadm -m discovery -t st -p 10.X.X.X
iscsiadm -m node --loginall=all
iscsiadm -m session
The configuration file (/etc/multipath.conf) is set up by default
devnode_blacklist {
    devnode "^sda$"
    devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
    devnode "^hd[a-z]"
    devnode "^cciss!c[0-9]d[0-9]*"
}
multipaths {
    multipath {
        # get the wwid with: multipath -ll
        wwid 360a9800043336a414c3a3954725a7869
        alias my-lun0
    }
}
devices {
    device {
        vendor "NETAPP"
        product "LUN"
        path_grouping_policy group_by_prio
        getuid_callout "/sbin/scsi_id -g -u -s /block/%n"
        #prio_callout "/opt/netapp/santools/mpath_prio_ontap /dev/%n"
        features "1 queue_if_no_path"
        path_checker readsector0
        failback immediate
    }
}
/etc/init.d/multipathd start
multipath -ll
restart multipathd
restart iscsi
fdisk /dev/mpath/my-lun0
mkfs.ext3 /dev/mpath/my-lun0p1
mount /dev/mpath/my-lun0p1 /mnt
In this recipe two machines will be configured:
-------- /\_/-\/\/-\ ----------------- | Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ] -------- \_/-\/\_/\/ / ----------------- \ ||\ \ ||\ \ || {tun0} {eth0} || {tun0} {eth1} || || \-================= tunnel ==============-/
For this recipe let's number things like this:
If you do not already have them, generate an SSH keypair for root:
$ sudo ssh-keygen -t rsa
/etc/network/interfaces: Add this stanza to the file:
iface tun0 inet static
    pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true
    pre-up sleep 5
    address 10.254.254.2
    pointopoint 10.254.254.1
    netmask 255.255.255.252
    up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0
    post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8
The first time we connect to the server as root we may need to acknowledge saving the server's SSH key fingerprint:
$ sudo ssh 5.6.7.8
The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.
Don't bother logging in, just hit CTRL-C.
/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.
PermitTunnel point-to-point
PermitRootLogin forced-commands-only
The PermitRootLogin line is changed from the default of "no". You do restrict root SSH login, right?
/root/.ssh/authorized_keys: Add the following line.
tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server
Replace everything starting with "ssh-rsa" with the contents of root's public SSH key from the client (/root/.ssh/id_rsa.pub on the client).
/etc/network/interfaces: Add the following stanza.
iface tun0 inet static
    address 10.254.254.1
    netmask 255.255.255.252
    pointopoint 10.254.254.2
/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1
net.ipv4.conf.default.forwarding=1
This will take effect upon the next reboot so make it active now:
$ sudo sysctl net.ipv4.conf.default.forwarding=1
user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2
user@client:~$ ping -c 2 10.99.99.1
PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms
--- 10.99.99.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.
You may get the two errors after running ifup. No problem, they are harmless.
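#!/usr/bin/expect -f
# Automates an Oracle startup on the spawned session: logs in, runs
# "startup" in sqlplus as sysdba, then starts the listener with lsnrctl.
# Smart quotes from the original paste are replaced by plain ASCII quotes;
# expect cannot parse the curly variants.
set timeout 60
# NOTE(review): "set env(TERM)" with no value only reads TERM (and aborts
# if TERM is unset); presumably a terminal type was meant to be assigned
# here -- confirm against the original.
set env(TERM)
# NOTE(review): "spawn orafed orafed" as written is not an obvious login
# command; the session is presumably meant to reach the orafed account
# (ssh/su) -- confirm against the original.
spawn orafed orafed
expect "assw"
# SECURITY: the account password is hard-coded in this script; prompt for
# it with expect_user or read it from the environment instead.
send "123456\r"
expect "orafed"
send "sqlplus / as sysdba\r"
expect "SQL>"
send "startup;\r"
expect "SQL>"
send "exit\r"
expect "orafed"
send "lsnrctl start\r"
expect "command completed"
send "exit\r"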
——————-
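#!/usr/bin/expect -f
# Two-hop login helper: ssh to $vuser@$vhost, then from that host ssh on to
# nextuser@nextterm, asking the operator for the second-hop password.
# Usage: script.exp <user> <host>
# Smart quotes and the em-dash from the original paste are replaced by
# plain ASCII ("..." and --); expect cannot parse the curly variants.
set timeout 60
# NOTE(review): "set env(TERM)" with no value only reads TERM (and aborts
# if TERM is unset); presumably a terminal type was meant to be assigned
# here -- confirm against the original.
set env(TERM)
set vuser [lindex $argv 0]
set vhost [lindex $argv 1]
spawn ssh $vuser@$vhost
# SECURITY: the first-hop password is hard-coded; prompt for it with
# expect_user (as the second hop below already does) or read it from the
# environment instead of keeping it in the script.
expect {
    "*assword" { send "thispass\r" }
    timeout { exit 2 }
}
# Once the first host's prompt ("thisTerm") appears, ssh onward; the
# second password is read from the operator's terminal with echo disabled.
expect {
    "thisTerm" { send "ssh nextuser@nextterm\r"
    exp_continue }
    "*assword: " {
    stty -echo
    send_user "ask pass: "
    expect_user -re "(.*)\n"
    send_user "\n"
    send "$expect_out(1,string)\r"
    stty echo
    exp_continue
    }
    "nextTerm" { send "w\r" }
}
# Hand the session to the operator; typing "done" runs ls -la and returns
# control to the script.
interact {
    "done" { send_user "send ls -la\r"; send "ls -la\r"; return
    }
}
# Unwind both hops; exit 3 if neither prompt shows up within the timeout.
expect {
    "nextTerm" { send "exit\r"; exp_continue }
    "thisTerm" { send -- "exit\r" }
    timeout {exit 3}
}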
C:\>"C:\Program Files\Gammu 1.29.92\bin\gammu-smsd.exe" -i -c "C:\Program Files\Gammu 1.29.92\bin\smsdrc"
Service GammuSMSD installed sucessfully
Gammu-1.29.92-Windows.exe
# This is a sample Gammu SMSD configuration file. It's required for gammu-smsd,
# see gammu-smsdrc(5) for documentation.
# Gammu configuration, this section is like section "gammu" in "gammurc" file,
# see gammurc(5) for documentation.
[gammu]
device = com3:
model = 6110
connection = at115200
#synchronizetime = yes
#logfile = gammulog # this is not used at all in SMSD mode
#logformat = textall
#use_locking = yes
#gammuloc = gammu.us
#startinfo = yes
# When you uncomment this section and insert numbers here, smsd will process
# incoming sms only from numbers written here (incoming sms from all other
# numbers will be deleted)
#[include_numbers]
#number1 = 1234
# When you uncomment this section and insert numbers here, smsd will process
# incoming sms from all numbers not written here (incoming sms from numbers
# written here will be deleted). This is a "black" list.
# Note: after using the "include_numbers" section this one will be ignored
#[exclude_numbers]
#number1 = 1234
# General SMSD settings, see gammu-smsdrc(5) for detailed description.
[smsd]
# SMSD service to use, one of FILES, MYSQL, PGSQL, DBI
service = sql
# PIN for SIM card
PIN = 1234
# File (or stderr, syslog, eventlog) where information will be logged
logfile = smsdlog
# Amount of information being logged, each bit mean one level
debuglevel = 0
# Configuration for using more phones on same database
#phoneid = MyPhone1
# Script to be executed when new message has been received
#runonreceive = /some/script
# Communication frequency settings
commtimeout = 30
sendtimeout = 30
#receivefrequency = 0
# Phone communication settings
#checksecurity = 1
#resetfrequency = 0
# Delivery report configuration
#deliveryreport = no
#deliveryreportdelay = 10
# Ignoring broken SMSC
#skipsmscnumber = +48602123456
# Database backends configuration
user = user
password = password
pc = 192.168.1.1
# pc can also contain port or socket path after colon (eg. localhost:/path/to/socket)
database = smsd
# DBI configuration
driver = native_mysql
# driverspath = /usr/lib/dbd/
# Database directory for sqlite
# dbdir = /var/lib/smsd
# Files backend configuration
inboxpath = d:\sms\in
outboxpath = d:\sms\out
sentsmspath = d:\sms\sent
errorsmspath = d:\sms\error
#inboxformat = unicode
#transmitformat = auto
#outboxformat = detail
download http://www.winton.org.uk/zebedee/download.html
server side :
zebedee -s -u # udp mode
zebedee -s # tcp mode
zebedee -s -d -v 5 # d=detach v=verbose
client side :
zebedee 8080:server-ip:80 # listen 8080 forward to server-ip:80
zebedee -u 5353:server-ip:53 -z 0 -k 0 -d -v 5 # z=compress k=encrypt d=detach v=verbose
iptables -t nat -A OUTPUT -p udp -d server-ip --dport 53 -j REDIRECT --to-ports 5353
stunnel
cd /etc/stunnel
openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
vi test.conf
cert=/etc/stunnel/stunnel.pem
debug=7
foreground=yes
[test]
accept=2525
connect=25
cd /etc/stunnel
vi test.conf