分类目录归档:系统管理

Windows\Linux\*nix系统管理

HOWTO configure the auditing of the system (auditd)

Introduction

The audit service is provided for system auditing. By default, this service audits about SELinux AVC denials and certain types of security-relevant events such as system logins, account modifications, and authentication events performed by programs such as sudo.

Under its default configuration, auditd has modest disk space requirements, and should not noticeably impact system performance. The audit service, configured with at least its default rules, is strongly recommended for all sites, regardless of whether they are running SELinux. Networks with high security level often have substantial auditing requirements and auditd can be configured to meet these requirements:

  • Ensure Auditing is Configured to Collect Certain System Events
  • Information on the Use of Print Command (unsuccessful and successful)
  • Startup and Shutdown Events (unsuccessful and successful)
  • Ensure the auditing software can record the following for each audit event:
    • When the event appears
    • Who initiated the event
    • Type of the event
    • Success or failure of the event
    • Origin of the request (example: terminal ID)
    • For events that introduce an object into a user’s address space, and for object deletion events, the name of the object, and in MLS systems, the objects security level.
  • Ensure daily of the audit logs
  • Ensure that the audit data files have restrictive permissions (at least 640).

继续阅读

VeraCrypt

VeraCrypt is a software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume. Similarly, files that are being written or copied to the VeraCrypt volume are automatically being encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for VeraCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let’s suppose that there is an .avi video file stored on a VeraCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the VeraCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, VeraCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types (not only for video files).

继续阅读

Block IP Addresses With Windows Firewall 2008, 2012

If you ever feel that someone may be trying to break into your FTP or IIS server or know an IP address that you want to block from accessing your server there is a built in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address. Turning Windows Firewall On

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

  • Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
  • Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
  • Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.

继续阅读

Howto:Nginx

1、nginx+php 出现404

No input file specified.

2017/08/25 16:13:45 [error] 4866#4866: *1 FastCGI sent in stderr: “Unable to open primary script: /var/www/xxx/phpinfo.php (Operation not permitted)” while reading response header from upstream, client: 192.168.126.234, server: localhost, request: “GET /phpinfo.php HTTP/1.1”, upstream: “fastcgi://127.0.0.1:9000”, host: “www.xxx.com”

192.168.126.234 – – [25/Aug/2017:16:13:45 +0800] “GET /phpinfo.php HTTP/1.1” 404 36 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063” “-”

网站根目录:/var/www/xxx

配置文件:

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    access_log  /var/log/nginx/host.access.log  main;

        root   /var/www/xxx;
    location / {
        #root   /var/www/xxx;
        index  index.php index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
     #   root           /var/www/xxx;
        fastcgi_pass   127.0.0.1:9000;
        #fastcgi_pass   unix:/tmp/php-fpm.sock;
        fastcgi_index  index.php;
        #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

各种搜,各种修改权限,各种修改php.ini的open_basedir,都没效果

最后才发现,有个隐藏文件.user.ini,里面包含了内容:

open_basedir=/www/wwwroot/xxx//:/tmp/:/proc/

原来文件夹内的user.ini配置了open_basedir,导致错误,将open_basedir修改为当前正确的值后,问题解决。

SSH服务的几个超时参数 以及 类似DDOS攻击的方法

背景

sshd是Linux的一个常用的网络连接的服务,通常被用来远程连接,管理服务器。

一般我们很少去配置sshd,本文要给大家分享几个sshd的参数,有超时参数,有触发拒绝连接的参数等等。

如果你哪天遇到类似的问题,也行能帮助你找到问题的根源。 继续阅读

How to setup an SFTP server on CentOS

This tutorial explains how to setup and use an SFTP server on CentOS. Before I start, let me explain what actually SFTP represents and what it is used for. Currently, most people know that we can use normal FTP for transferring, downloading or uploading data from a server to client or client to server. But this protocol is getting hacked easily (if TLS is not used) by anonymous intruders as it the ports are widely open to anyone. Therefore, SFTP has been introduced to as another alternative to meet the main purpose to strengthen the security level.

SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. It uses a separate protocol packaged with SSH to provide a secure connection. 继续阅读

Linux: TMOUT To Automatically Log Users Out

How do I auto Logout my shell user in Linux after certain minutes of inactivity?

Linux bash shell allows you to define the TMOUT environment variable. Set TMOUT to automatically log users out after a period of inactivity. The value is defined in seconds. For example,

export TMOUT=120

export TMOUT=120

The above command will implement a 2 minute idle time-out for the default /bin/bash shell. You can edit your ~/.bash_profile or /etc/profile file as follows to define a 5 minute idle time out:

# set a 5 min timeout policy for bash shell
TMOUT=300
readonly TMOUT
export TMOUT

# set a 5 min timeout policy for bash shell TMOUT=300 readonly TMOUT export TMOUT

Save and close the file. The readonly command is used to make variables and functions readonly i.e. you user cannot change the value of variable called TMOUT.

How Do I Disable TMOUT?

To disable auto-logout, just set the TMOUT to zero or unset it as follows:
$ export TMOUT=0
or
$ unset TMOUT
Please note that readonly variable can only be disabled by root in /etc/profile or ~/.bash_profile.

A Note About TCSH SHELL and OpenSSH Server/Client

SSH allows administrators to set an idle timeout interval in /etc/ssh/sshd_config file. TCSH user should use autologout variable. Please see our previous FAQ “Linux / UNIX Automatically Log BASH / TCSH / SSH Users Out After a Period of Inactivity” for more information.

apache禁止访问文件或目录执行权限、禁止运行脚本PHP文件的设置方法

我们来看俩段通常对上传目录设置无权限的列子,配置如下:

代码如下:

<Directory “/var/www/upload”>
<FilesMatch “.php”>
Order Allow,Deny
Deny from all
</FilesMatch>
</Directory>

这些配置表面上看起来是没什么问题的,确实在windows下可以这么说。
但是linux就不同了,大家都是知道的linux操作系统是区分大小写的,这里如果换成大写后缀名*.phP一类就pass了 继续阅读

File System Redirector

The %windir%\System32 directory is reserved for 64-bit applications. Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference by using a file system redirector.

In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64. Access to %windir%\lastgood\system32 is redirected to %windir%\lastgood\SysWOW64. Access to %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe.

If the access causes the system to display the UAC prompt, redirection does not occur. Instead, the 64-bit version of the requested file is launched. To prevent this problem, either specify the SysWOW64 directory to avoid redirection and ensure access to the 32-bit version of the file, or run the 32-bit application with administrator privileges so the UAC prompt is not displayed. 继续阅读

ubuntu修改mysql 5.7数据存储目录datadir

环境:Ubuntu 16.04、mysql5.7

在16.04版本的MySQL数据库,默认是5.7版本的;
想要修改MySQL数据库存储的目录,需要了解mysql配置文件,以及apparmor的配置文件。
这里提一下apparnor 是控制访问权限的,而mysql依赖它,所以不单单是改完mysql配置文件的内容,同样的需要修改apparmor的相应的配置文件。
1.创建MySQL另外存储的目录
mkdir /database/mysql
chmod 700 /database/mysql
chowd mysql:mysq /database/mysql
2.将以前的数据库复制到新的存储目录 (这样避免了再次初始化,并且数据还在)
cp -av /var/lib/mysql/* /database/mysql
3.删除日志 (不删除会报错)
rm -rf /database/mysql/ib_logfile0
rm -rf /database/mysql/ib_logfile1

继续阅读