0. Generate the CA private key

openssl genrsa -des3 -out root-ca.key 2048

Because this is the root CA's private key, a passphrase must be entered here.
It may also simply be because the des3 option was given; not tested specifically.

1. Generate the CA certificate

1.1 Answer the CSR fields non-interactively

openssl req -x509 -new -nodes -sha256 -days 7300  \
-key root-ca.key \
-out root-ca.crt \
-subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=root/OU=root/CN=root"

Field meanings:

C  : Country Name               # country
ST : State or Province Name     # province / state
L  : Locality Name              # city
O  : Organization Name          # organization
OU : Organizational Unit Name   # organizational unit
CN : Common Name                # name (for a server certificate, its hostname)

1.2 Interactive generation

openssl req -x509 -new -nodes -sha256 -days 7300 -key root-ca.key -out root-ca.crt

Interactive CSR generation also asks for an email address:

[root@localhost CA]# openssl req -x509 -new -nodes -sha256 -days 720 -key root-ca.key -out root-ca.crt \
>
Enter pass phrase for root-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:root
Organizational Unit Name (eg, section) []:root
Common Name (eg, your name or your server's hostname) []:root
Email Address []:@root.com
[root@localhost CA]#

1.3 Inspect the certificate

openssl x509 -in root-ca.crt -noout -text

[root@localhost CA]# openssl x509 -in root-ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
83:6d:15:68:11:48:42:af
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=root, OU=root, CN=root
Validity
Not Before: Sep 21 17:46:03 2023 GMT
Not After : Sep 16 17:46:03 2043 GMT
Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=root, OU=root, CN=root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:6c:a1:a7:2c:a4:d1:32:3a:c3:40:63:7f:5e:
79:20:4f:cc:1e:99:e2:38:98:e8:e1:64:7c:39:7d:
b9:ed:10:20:d5:06:7f:27:13:bf:b8:07:fc:9a:48:
01:21:a0:6b:7b:ae:4e:be:8f:f2:43:02:8c:5e:14:
56:cf:8b:fa:e0:6e:5f:1c:5c:4e:d7:3a:17:b2:f7:
58:aa:ef:4c:6b:e4:cd:38:cf:92:7e:15:e5:52:66:
c2:b1:47:4d:2e:74:49:a9:4a:bc:1e:60:c2:48:7d:
6b:16:c5:34:46:23:2c:3c:dc:19:f0:d5:ba:a8:b7:
43:3b:7f:a0:65:21:26:78:0d:de:96:60:c7:58:50:
64:bd:7c:9d:8b:68:55:f7:d2:ed:40:ad:b7:f1:50:
e2:9d:ac:e6:a3:b6:0e:4d:12:ab:50:54:5b:3e:62:
68:ad:6f:dd:8f:50:b5:20:25:28:46:4d:24:42:99:
c1:ae:60:08:42:c6:40:aa:e1:3c:fc:59:ce:17:39:
a9:b2:54:6b:fb:62:f0:11:4e:91:45:e9:6a:90:b6:
e6:ab:27:82:50:3b:b2:66:44:47:0e:73:1d:cd:65:
4c:c8:c8:3c:f7:b1:2c:ff:2a:55:c7:90:be:14:17:
24:2b:05:69:18:fd:51:23:28:39:6a:3c:7b:52:e9:
cb:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A0:6F:B7:44:0F:E4:57:9C:B0:64:72:EE:00:BE:D1:D7:D6:BA:E2:F5
X509v3 Authority Key Identifier:
keyid:A0:6F:B7:44:0F:E4:57:9C:B0:64:72:EE:00:BE:D1:D7:D6:BA:E2:F5

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0c:66:dc:ea:7d:ad:84:d2:a2:a2:1e:76:87:d3:14:62:85:1d:
63:f4:d0:2d:a7:5b:3c:42:24:45:21:85:d6:d1:29:02:aa:4d:
8b:21:1d:10:13:7a:dd:b6:c7:fd:2a:68:44:85:3a:62:86:2d:
db:31:34:64:d6:c2:44:a3:78:18:85:ba:24:fe:ce:ed:f1:9a:
25:90:76:da:f8:10:b1:67:f8:b0:35:47:a2:1d:5d:88:f5:d8:
5a:c7:34:36:06:bd:4d:eb:db:6c:39:4d:56:9c:7a:8f:0e:19:
e6:97:43:5d:87:ca:79:52:e8:be:eb:3e:08:a3:d6:17:22:b3:
d9:ff:67:ef:1f:43:28:b1:4c:c7:d1:7f:fa:0b:b5:2c:65:47:
ed:16:cd:07:f0:1d:15:64:5e:c6:74:9c:b8:78:59:a6:1f:07:
3a:ec:1c:54:d4:18:33:bc:00:b5:5b:f3:25:87:4d:63:d8:dd:
37:e6:88:a1:e8:9e:49:0f:88:cf:5e:d0:73:68:84:fe:8e:3c:
b6:05:fb:51:3b:e9:62:e8:43:2c:e4:ed:83:85:43:86:f7:ee:
f8:52:b7:26:ae:6a:58:ed:69:9a:78:a7:9c:0a:49:1d:7e:38:
31:e5:a0:21:ab:cb:2a:85:59:7a:97:29:7e:96:06:c9:93:75:
15:83:74:88
[root@localhost CA]#

2. Generate the server (SSL) private key

openssl genrsa -out mdzz.wang.key 2048

3. Generate the certificate signing request

openssl req -new -key mdzz.wang.key -out mdzz.wang.csr \
-subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=mdzz/OU=mdzz/CN=mdzz.wang"

4. Extension file for the domain names (SANs)

vim cert.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.2 = 127.0.0.1
DNS.3 = mdzz.com
DNS.4 = *.mdzz.com

Note that browsers and most TLS clients match the hostname against subjectAltName, not the CN, so a certificate meant for mdzz.wang also needs a DNS entry for that name in alt_names.

5. Sign the server certificate with the CA

openssl x509 -req -in mdzz.wang.csr -out mdzz.wang.crt -days 365 \
-CAcreateserial -CA root-ca.crt -CAkey root-ca.key \
-CAserial serial -extfile cert.ext

5.1 Inspect the certificate

Summary

  1. Create the CA
    1.1 Create the CA key
    1.2 Generate the CA certificate
  2. Create the HTTPS private key for the site mdzz.wang
  3. Generate the CSR for mdzz.wang
  4. Issue the certificate for mdzz.wang with the CA
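An end-to-end run of the four summary steps, added here as an example and not part of the original post: it builds the CA and the mdzz.wang certificate in a scratch directory, then checks the chain and the hostname the way a TLS client would. It assumes the CA key is created without -des3 so the run is unattended, and adds mdzz.wang to alt_names (the post's cert.ext lists only mdzz.com).

```shell
#!/bin/sh
# Added example, not part of the original post: run steps 1-4 of the summary
# in a scratch directory, then check the result the way a TLS client would.
# Assumptions: the CA key is created without -des3 so the run is unattended,
# and mdzz.wang (the CN) is added to alt_names, which the post's cert.ext lacks.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Steps 1-4: CA key + self-signed CA cert, server key, CSR, CA-signed leaf.
build_ca_and_leaf() {
    cd "$WORK"
    openssl genrsa -out root-ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 7300 -key root-ca.key -out root-ca.crt \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=root/OU=root/CN=root"
    openssl genrsa -out mdzz.wang.key 2048 2>/dev/null
    openssl req -new -key mdzz.wang.key -out mdzz.wang.csr \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=mdzz/OU=mdzz/CN=mdzz.wang"
    cat > cert.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = 127.0.0.1
DNS.3 = mdzz.com
DNS.4 = *.mdzz.com
DNS.5 = mdzz.wang
EOF
    openssl x509 -req -in mdzz.wang.csr -out mdzz.wang.crt -days 365 \
        -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -extfile cert.ext 2>/dev/null
}

# Chain check (what a client with root-ca.crt in its trust store does): OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORK/root-ca.crt" "$WORK/mdzz.wang.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Hostname check against the SAN list (wildcards included): match or nomatch.
verify_host() {
    if openssl x509 -in "$WORK/mdzz.wang.crt" -noout -checkhost "$1" | grep -q 'does match'
    then echo match; else echo nomatch; fi
}

build_ca_and_leaf
echo "chain: $(verify_chain)"
for h in mdzz.wang www.mdzz.com localhost example.org; do
    echo "$h: $(verify_host "$h")"
done
```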

6. Quickly building an HTTPS certificate

In some situations you only need an HTTPS certificate and do not need it signed by a trusted CA.

6.1 Generate the private key

openssl genrsa -des3 -out test.key 2048

You will be prompted for a passphrase here, the same prompt as for the root CA key.

6.2 Self-sign a certificate with the private key

openssl req \
-newkey rsa:2048 -nodes -keyout test.key \
-x509 -days 365 -out test.crt \
-subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=test/OU=test/CN=test"

Note that -newkey generates a fresh (unencrypted) key and overwrites the test.key from 6.1; pass -key test.key instead of -newkey/-keyout if you want to reuse that key.

6.3 Certificate verification

Install PHP

https://blog.mdzz.wang/2022/11/22/029.install_php7.4.33/

Install nginx

yum install nginx

Install MariaDB

yum install mariadb mariadb-server

Install Nextcloud

  1. Download Nextcloud

wget --no-check-certificate https://download.nextcloud.com/server/releases/nextcloud-25.0.0.zip

(--no-check-certificate turns off TLS verification of the download; leave it out unless the host's CA bundle is genuinely the problem.)

  2. Unzip Nextcloud

unzip nextcloud-25.0.0.zip

  3. Move it into nginx's root directory (the zip unpacks to a directory named nextcloud)

mv nextcloud /usr/share/nginx/nextcloud

  4. Fix permissions

chown -R nginx:nginx /usr/share/nginx/nextcloud
chmod -R 777 /usr/share/nginx/nextcloud/config
chmod -R 777 /usr/share/nginx/nextcloud/apps

  5. nginx config file

There are two ways to write the nginx config, depending on whether you put the unpacked Nextcloud directly under nginx's root.
See: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html

Note the Nextcloud directory on line 31 of the config (the root directive). Also note that this config listens on plain HTTP port 8080 yet passes fastcgi_param HTTPS on to PHP; either terminate TLS here (uncomment the listen ... ssl and ssl_certificate lines and point them at the certificate issued in section 5) or remove that parameter.

vim /etc/nginx/conf.d/next.conf

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php/php7.4-fpm.sock;
}

# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
    "" "";
    default "immutable";
}


# server {
#     listen 80;
#     listen [::]:80;
#     server_name cloud.example.com;

#     # Prevent nginx HTTP Server Detection
#     server_tokens off;

#     # Enforce HTTPS
#     return 301 https://$server_name$request_uri;
# }

server {
    listen 8080;
    #listen [::]:443 ssl http2;
    server_name cloud.mdzz.wang;

    # Path to the root of your installation
    root /usr/share/nginx/nextcloud;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    #ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
    #ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

    # Prevent nginx HTTP Server Detection
    server_tokens off;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    # set max upload size and increase upload timeout:
    client_max_body_size 512M;
    client_body_timeout 300s;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Pagespeed is not supported by Nextcloud, so if your server is built
    # with the `ngx_pagespeed` module, uncomment this line to disable it.
    #pagespeed off;

    # The settings allows you to optimize the HTTP2 bandwidth.
    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
    # for tuning hints
    client_body_buffer_size 512k;

    # HTTP response headers borrowed from Nextcloud `.htaccess`
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Specify how to handle directories -- specifying `/index.php$request_uri`
    # here as the fallback means that Nginx always exhibits the desired behaviour
    # when a client requests a path that corresponds to a directory that exists
    # on the server. In particular, if that directory contains an index.php file,
    # that file is correctly served; if it doesn't, then the request is passed to
    # the front-end controller. This consistent behaviour means that we don't need
    # to specify custom rules for certain paths (e.g. images and other assets,
    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
    # `try_files $uri $uri/ /index.php$request_uri`
    # always provides the desired behaviour.
    index index.php index.html /index.php$request_uri;

    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
    location = / {
        if ( $http_user_agent ~ ^DavClnt ) {
            return 302 /remote.php/webdav/$is_args$args;
        }
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
    # for `/.well-known`.
    location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

    # Rules borrowed from `.htaccess` to hide certain paths from clients
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }

    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
    # which handle static assets (as seen below). If this block is not declared first,
    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
    # to the URI, resulting in a HTTP 500 error response.
    location ~ \.php(?:$|/) {
        # Required for legacy support
        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;

        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;

        fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
        fastcgi_param front_controller_active true; # Enable pretty urls
        fastcgi_pass php-handler;

        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;

        fastcgi_max_temp_file_size 0;
    }

    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
        access_log off; # Optional: Don't log access to assets

        location ~ \.wasm$ {
            default_type application/wasm;
        }
    }

    location ~ \.woff2?$ {
        try_files $uri /index.php$request_uri;
        expires 7d; # Cache-Control policy borrowed from `.htaccess`
        access_log off; # Optional: Don't log access to assets
    }

    # Rule borrowed from `.htaccess`
    location /remote {
        return 301 /remote.php$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}

Common problems

  1. Can’t write into config directory! This can usually be fixed by giving the webserver write access to the config directory.

  2. Can’t write into apps directory! This can usually be fixed by giving the webserver write access to the config directory.

Fix: check the permissions on these two locations.

php74-fpm needs write access to both of these directories:

/usr/share/nginx/nextcloud/config
/usr/share/nginx/nextcloud/apps

chown -R <php-user>:<php-group> /usr/share/nginx/nextcloud/config
chown -R <php-user>:<php-group> /usr/share/nginx/nextcloud/apps

(<php-user> and <php-group> are the user and group configured for the php-fpm pool in www.conf.)

or:

chmod -R 777 /usr/share/nginx/nextcloud/config
chmod -R 777 /usr/share/nginx/nextcloud/apps

Prefer the chown form: config/ holds config.php with the database password, and 777 makes it writable by every local account.

1. Download

wget https://www.php.net/distributions/php-7.4.33.tar.gz

2. Install dependencies

yum install gcc gcc-c++ libxml2-devel libicu-devel sqlite-devel oniguruma oniguruma-devel autoconf zip unzip openssl-devel libcurl-devel libpng-devel libjpeg-devel freetype-devel libxslt-devel

Install libzip

2.1 Remove the existing libzip

yum remove libzip

2.2 Download the required libzip version

wget --no-check-certificate https://nih.at/libzip/libzip-1.2.0.tar.gz

2.3 Install libzip 1.2.0

tar -xzvf libzip-1.2.0.tar.gz
cd libzip-1.2.0
./configure --prefix=/usr/local/libzip-1.2.0
make && make install

2.4 Set up the environment

export PKG_CONFIG_PATH="/usr/local/libzip-1.2.0/lib/pkgconfig/"

3. Compile and install

tar -xzvf php-7.4.33.tar.gz
cd php-7.4.33
./configure \
--prefix=/usr/local/php7.4 --with-config-file-path=/usr/local/php7.4/etc \
--enable-fpm --enable-mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd \
--enable-pdo --with-iconv-dir --with-freetype --with-jpeg --with-zlib \
--enable-xml --enable-session --disable-rpath --enable-bcmath --enable-shmop \
--enable-sysvsem --enable-inline-optimization --with-curl --enable-mbregex \
--enable-mbstring --enable-intl --enable-pcntl --enable-ftp \
--enable-gd --with-openssl --with-mhash --enable-sockets \
--with-xmlrpc --with-zip --enable-soap --with-gettext --disable-fileinfo \
--enable-opcache --enable-maintainer-zts --with-xsl --enable-tokenizer
make && make install

About the configure options

For the individual options, see the official PHP documentation
or run ./configure --help

3.1 Configure PHP

ln -s /usr/local/php7.4/bin/php /usr/bin/php
cat $PATH_OF_PHP_SOURCE_FOLDER/php.ini-development > /usr/local/php7.4/etc/php.ini

Line 962: date.timezone = Asia/Shanghai

3.2 Configure php-fpm

ln -s /usr/local/php7.4/sbin/php-fpm /usr/bin/php-fpm
cd /usr/local/php7.4/etc
cp php-fpm.conf.default php-fpm.conf

3.3 Configure the php-fpm pool (user) file

cd /usr/local/php7.4/etc/php-fpm.d
cp www.conf.default www.conf

3.4 Manage php-fpm with systemctl

# vim /usr/lib/systemd/system/php74-fpm.service

[Unit]
Description=The PHP 7.4 FastCGI Process Manager
Documentation=man:php-fpm7.4
After=network.target

[Service]
Type=simple
PIDFile=/var/run/php74-fpm.pid
# paths must match the --prefix=/usr/local/php7.4 used at build time
ExecStart=/usr/local/php7.4/sbin/php-fpm --nodaemonize --fpm-config /usr/local/php7.4/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

4. Related problems

4.1 error: Package requirements (openssl >= 1.0.1) were not met

Fix: yum install openssl-devel

4.2 error: Package requirements (libcurl >= 7.15.5) were not met

Fix: yum install libcurl-devel

4.3 error: Package requirements (libpng) were not met

Fix: yum install libpng-devel

4.4 error: Package requirements (libjpeg) were not met

Fix: yum install libjpeg-devel

4.5 error: Package requirements (freetype2) were not met

Fix: yum install freetype-devel

4.6 configure: error: C++ preprocessor "/lib/cpp" fails sanity check

Fix: yum install gcc-c++

4.7 error: Package requirements (libxslt >= 1.1.0) were not met

Fix: yum install libxslt-devel

Pull a container image (nginx as the example)

docker pull nginx

Start the container

docker run -d -p 2080:80 nginx:latest

Parameters:
-d : run in the background
-p : port mapping, host port : container port

Check container status

docker ps -a

Parameters:
docker ps: by default shows only running containers
-a: show all containers, including stopped ones

Enter a container (it must be running!)

docker exec -it hardcore_buck /bin/bash

Parameters:
-i: interactive
-t: allocate a terminal
hardcore_buck: the container name
/bin/bash: the shell to run inside the container

Another example (alpine)

  1. Pull the image

docker pull alpine

  2. A slightly more advanced run

docker run -d alpine /bin/sh -c 'while true; do date "+%H:%M:%S"; sleep 2; done'

(Single quotes matter here: with the command in double quotes and the date in backquotes, the host shell would expand the date once before docker ran, so every line would print the same timestamp.)

Before patching ssh-related vulnerabilities, make sure you have another way to log in to the server. Installing telnet is recommended: once openssh has been upgraded, simply turn the service off again. Telnet sends credentials in cleartext, so expose it only on a trusted management network and only for the duration of the upgrade.

1: Configure telnet through xinetd

  1. Install telnet

yum install telnet
yum install telnet-server
yum install xinetd

  2. Edit the telnet server config file

/etc/xinetd.d/telnet

Change disable = yes to disable = no
(the former keeps telnet off, the latter turns it on).
If the file does not exist, create it:

service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server =/usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
  3. Restart xinetd

systemctl restart xinetd

xinetd acts as the daemon for telnet; netstat shows port 23 held by xinetd.

  4. By default telnet does not allow the root user to log in remotely.

  5. Disable the telnet service

service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes # change this line
}

systemctl restart xinetd

2: Configure telnet directly (systemd)

  1. Install telnet

yum install telnet telnet-server

  2. Start telnet

systemctl start telnet.socket

systemd acts as the daemon that starts telnet.

  3. Stop telnet

systemctl stop telnet.socket

Base environment install

yum groupinstall "GNOME Desktop"

yum install xclock

Enter the desktop environment

startx

/etc/fstab describes the system's file systems. Each line describes one file system, the fields on a line are separated by whitespace (tabs or spaces), lines beginning with # are treated as comments, and blank lines are ignored. The order of the entries in /etc/fstab matters, because fsck, mount and umount process them in the order they appear in the file.
Let's look at the contents of /etc/fstab and what each part means.

#
# /etc/fstab
# Created by anaconda on Fri Sep 20 02:38:45 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=c4af2fac-7587-42c6-881b-1d4c0dc2d3fb /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0

#/dev/sdb1 /mnt/sdb1 xfs defaults 0 0

Every line of /etc/fstab follows this format:

<device> <dir> <type> <options> <dump> <pass>

device: the disk partition or removable file system to mount; besides a device file, a UUID or LABEL can be used to identify the partition;
dir: the mount point path;
type: the file system type, e.g. ext3, ext4;
options: the mount options, defaults by default; other options include acl, noauto, ro, and so on;
dump: whether the mounted file system can be backed up by the dump command; 0 means no, 1 means daily dump backups, 2 means irregular dumps.
pass: whether the file system is checked at boot; 0 means no check, 1 means checked first (normally the root file system), 2 means checked after the level-1 file systems;

Linux offers many ways to restrict access: iptables, hosts.allow, hosts.deny, and so on.

This post covers hosts.allow and hosts.deny.

1: hosts.allow and hosts.deny

Using hosts.allow / hosts.deny requires an openssh built with --with-tcp-wrappers.
In testing, the default openssh 7.4 on CentOS 7 supports it.
Check with: ldd /usr/sbin/sshd | grep libwrap

Edit /etc/hosts.allow

  1. Allow 192.168.128.1 to log in

sshd:192.168.128.1:allow

  2. Allow the 192.168.128.0/24 network to log in

sshd:192.168.128.:allow

  3. Allow several networks, 192.168.128.0/24 and 192.168.64.0/24, to log in

sshd:192.168.128.,192.168.64.:allow

  4. Allow everyone

sshd:ALL

Edit /etc/hosts.deny

  5. Deny 192.168.128.1

sshd:192.168.128.1:deny

To allow only one or a few IPs:
add sshd:ALL to /etc/hosts.deny,
then list the permitted IPs in /etc/hosts.allow.
hosts.allow is consulted first, so an entry there wins over the blanket deny.
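A worked model of the evaluation order just described, added as an example and not part of the original post: it emulates how tcp_wrappers applies the sshd entries above (hosts.allow first, then hosts.deny, otherwise allow) to a few client addresses. The rule sets are constructed inline rather than read from /etc, and only the syntax used on this page is handled.

```shell
#!/bin/sh
# Added example, not part of the original post: emulate how tcp_wrappers
# evaluates hosts.allow and hosts.deny for sshd, using the lock-down recipe
# above (hosts.deny: sshd:ALL, hosts.allow: the trusted networks). The two
# rule sets are constructed inline instead of being read from /etc, and only
# the syntax used on this page is handled: daemon list, exact IP, trailing-dot
# network prefix such as 192.168.128., ALL, and an :allow / :deny suffix.
set -eu

HOSTS_ALLOW='sshd:192.168.128.1:allow
sshd:192.168.128.,192.168.64.:allow'
HOSTS_DENY='sshd:ALL'

# match_pattern PATTERN IP -> true when the client pattern covers the address
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# lookup DAEMON IP RULES DEFAULT -> prints the verdict of the first matching
# rule (DEFAULT unless the rule carries its own :allow/:deny) and returns 0;
# returns 1 when no rule in RULES matches.
lookup() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        case ",$daemons," in *,"$1",*|*,ALL,*) ;; *) continue ;; esac
        verdict=$4
        case "$rest" in *:allow) verdict=allow ;; *:deny) verdict=deny ;; esac
        for pat in $(printf '%s' "$clients" | tr ',' ' '); do
            if match_pattern "$pat" "$2"; then echo "$verdict"; return 0; fi
        done
    done <<EOF
$3
EOF
    return 1
}

# access IP -> final decision in tcp_wrappers order: hosts.allow is consulted
# first, then hosts.deny, and a client matched by neither file is allowed.
access() {
    lookup sshd "$1" "$HOSTS_ALLOW" allow && return 0
    lookup sshd "$1" "$HOSTS_DENY" deny && return 0
    echo allow
}

for ip in 192.168.128.1 192.168.64.7 192.168.1.5 10.0.0.1; do
    echo "$ip: $(access "$ip")"
done
```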

2: Restricting logins in sshd_config (when hosts.allow / hosts.deny are unavailable)

Edit /etc/ssh/sshd_config

Only allow the 192.168.128.0/24 network:
add: AllowUsers *@192.168.128.0/24
(the user part of this line was mangled during extraction; * admits any user from that network, and a specific username can be put there instead)

Scheduled run (every night at 23:00):
0 23 * * * sh /root/data_backup/sql_backup.sh

Script

#!/bin/bash
# Run from the script's own directory so the ./ paths resolve the same way under cron
cd "$(dirname "$0")" || exit 1
umask 077                      # the credentials file must not be readable by other users
rm -f ./backup.sql
rm -f ./credentialsFile
echo "[client]" > ./credentialsFile
echo "user=root" >> ./credentialsFile
echo "password=Whz123..." >> ./credentialsFile
echo "host=127.0.0.1" >> ./credentialsFile
echo "port=3306" >> ./credentialsFile
# --defaults-extra-file keeps the password off the command line (see the warning below)
mysqldump --defaults-extra-file=./credentialsFile --all-databases > ./backup.sql

You can also back up by running the command below directly and typing the password at the prompt:
mysqldump -u root -h 127.0.0.1 -p --all-databases > /backup/allBackup.sql
Enter your password

Running it from a script with the password on the command line produces a warning, because MySQL does not recommend this:
mysqldump -u root -h 127.0.0.1 -p$PASSWD --all-databases > /backup/allBackup.sql
mysqldump: [Warning] Using a password on the command line interface can be insecure.