分类目录归档:系统管理

Windows\Linux\*nix系统管理

Nginx配置WebService、MySQL、SQL Server、ORACLE等代理

nginx配置webservice

#user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    upstream esbServer {   
        server 127.0.0.1:8083 weight=1 max_fails=2 fail_timeout=30s;   
    }

    #gzip  on;

    server {
        listen       8081;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /ladder_web {
            proxy_set_header X-real-ip $remote_addr;
            proxy_pass http://esbServer;
        }

       
    }

}

nginx 配置mysql代理 — 基于nginx1.9以上 stream module 继续阅读

Command Line-Version (SetACL.exe) – Syntax and Description

For a quick start, tell SetACL the following:

  • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
  • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
  • Action (-actn): What should SetACL do with the object specified?

Example:

SetACL.exe -on c:\Windows -ot file -actn list

SetACL.exe -on c:\Windows -ot file -actn list

This lists the permissions set on the Windows directory in the default list format (CSV).

Have a look at the examples section to get an idea what more complex commands look like. 继续阅读

CentOS / RHEL 7 : How to disable IPv6

https://wiki.centos.org/FAQ/CentOS7

Upstream employee Daniel Walsh recommends not disabling the ipv6 module, as that can cause issues with SELinux and other components, but adding the following to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

To disable in the running system:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

Additional note #1: If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:

(1) Change the line

#AddressFamily any

to

AddressFamily inet

(inet is ipv4 only; inet6 is ipv6 only)

or

(2) Remove the hash mark (#) in front of the line

#ListenAddress 0.0.0.0

Then restart ssh.

Additional note #2: If problems with starting postfix are encountered on systems with IPv6 disabled, either

(1) edit /etc/postfix/main.cf and comment out the localhost part of the config and use ipv4 loopback.

#inet_interfaces = localhost
inet_interfaces = 127.0.0.1

or

(2) take out the ipv6 localhost from /etc/hosts .

Additional Note #3 : To disable RPCBIND ipv6 (rpcbind, rpc.mountd, prc.statd) remark out the udp6 and tcp6 lines in /etc/netconfig:

udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6       tpi_clts      v     inet6    udp     -       -
#tcp6       tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -
unix       tpi_cots_ord  -     loopback  -      -       -

继续阅读

How To Setup SSH Keys on a Linux / Unix System

I recently read that SSH keys provide a secure way of logging into a Linux and Unix-based server. How do I set up SSH keys on a Linux or Unix based systems? In SSH for Linux/Unix, how do I set up public key authentication?

I am assuming that you are using Linux or Unix-like server and client with the following software:

  • OpenSSH SSHD server
  • OpenSSH ssh client and friends on Linux (Ubuntu, Debian, {Free,Open,Net}BSD, RHEL, CentOS, MacOS/OSX, AIX, HP-UX and co).

继续阅读

SSL证书格式转换工具

一. 转换PEM 证书

PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b 
-certfile CACert.cer

PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in 
certificate.crt -certfile CACert.crt

二. 转换P7B 证书

继续阅读

How to change Registry Permissions with RegIni.exe (VBScript)

Today I’ll show how we can set the following permissions on a registry key with RegIni.exe and a VBScript:

– Creator Owner Full Control
– Users Full Control
– Power Users Full Control
– Administrators Full Control
– System Full Control

I will set the permissions here for testing purposes:

– HKEY_CLASSES_ROOT\AlejaCMaTypelib
– HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp

And for that I will need to create a special regini.exe script which will have the following contents:

HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]

Notes:
– With regini.exe I won’t be able to set Users Full Control, but Everyone Full Control.
– HKEY_CLASSES_ROOT = HKEY_LOCAL_MACHINE\Software\Classes 继续阅读

Webshell中的不死僵尸删除方法:解决“删除文件或文件夹时出错,无法删除找不到指定文件”

正 文:

今天有客户网站中毒,遂从FTP下载所谓木马文件,本地运行后,生成一个com7.h.asp的文件,在图形界面下无论如何都无法删除。提示“删除文件或文件夹时出错,无法删除 com7.h : 找不到指定文件”。     其实这是利用系统保留文件名来创建无法删除的webshell。

Webshell中的不死僵尸删除方法:解决“删除文件或文件夹时出错,无法删除找不到指定文件”

Windows 下不能够以下面这些字样来命名文件/文件夹:
aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9    但是通过cmd的copy命令即可实现:

D:\>copy piaoyi.asp \\.\D:\lpt6.piaoyi.asp    前面必须有 \\.\

这类文件无法在图形界面删除,只能在命令行下删除:

D:\>del “\\.\D:\lpt6.piaoyi.asp”
D:\>del “\\.\D:\lpt3.1.asp;.jpg”

如果提示找不到文件错误,则可以先解除RHSA只读属性:

D:\>attrib -s -h -r “\\.\D:\lpt3.1.asp;.jpg”
D:\>del “\\.\D:\lpt3.1.asp;.jpg”

注意:因为路径中有分号; 所以需要用双引号,否则,路径找不到。
然而在IIS中,这种文件又是可以解析成功的。Webshell中的 “不死僵尸” 原理就在这。     删除这类文件可以用下面的方法:
最简单也是最方便的,通过命令删除:

del /f /a /q \\?\%1
rd /s /q \\?\%1

把上面的命令保存为.bat后缀名称的文件,然后把不能删除的文件或者文件夹拖到bat文件上就可以。

Remove Unwanted HTTP Response Headers

From:https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically we have 3 response headers which many people want to remove for security reason.

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is “powered by ASP.NET.”
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang. 继续阅读

How to remove all information about IIS Server from Response Header?

It is amazing technique to remove any information from response header about IIS server is very scarce online. So I decide to blog this.

The reason why you would want this is because you would not want to readily disclose what version of server or what server you are running. For example see blow response header I gathered from  one of the site running IIS:

 

Notice that you have information about Server, X-AspNet-Version, X-Powered-By. There are enough information to know it is running on IIS. Why hide these info? Because why if certain version of IIS server had security hole that the hacker can expose? Sometimes, in Enterprise environment there will be external third party security firms like WhiteHat tagging such exploits so you have to fix. 继续阅读

Adjusting child processes for PHP-FPM (Nginx)

Problem:

The following warning message appears in the logs:

[26-Jul-2012 09:49:59] WARNING: [pool www] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 32 children, there are 8 idle, and 58 total children
[26-Jul-2012 09:50:00] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

It means that there are not enough PHP-FPM processes. 继续阅读