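I have been using Amazon S3 for quite a while and wanted to write up some usage notes, but others have already covered it very clearly, so I will save myself the trouble. See the following two articles directly:
Two additional notes:
- s3cmd is also available in the FreeBSD ports tree, under /usr/ports/net/py-s3cmd.
- If you run s3cmd from a shell script, it is best to give the full path to s3cmd inside the script, otherwise it may fail to run. (Learned from experience…)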
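ClamAV announced on 2009/10/5 that version 0.94 would no longer be maintained, and on 2010/4/15 it changed the virus database format in order to force all users to upgrade to version 0.95 or later. (End of Life Announcement: ClamAV 0.94.x)
So starting today, anyone running a ClamAV version earlier than 0.95 will see the following error messages: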
Starting clamav_clamd.
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742
LibClamAV Error: Can’t load daily.ndb: Malformed database
LibClamAV Error: cli_tgzload: Can’t load daily.ndb
LibClamAV Error: Can’t load /var/db/clamav/daily.cld: Malformed database
ERROR: Malformed database
If you urgently need to receive mail, stop clamav first, then schedule the upgrade as soon as you can!
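sshguard monitors system log files and blocks suspicious IP connections. Unlike SSHBlock, the logs it monitors are not limited to ssh, so despite the name sshguard it can also monitor services such as dovecot, proftpd and ftpd. In addition to blocking through TCP Wrappers, sshguard supports the firewalls common on unix-like systems, such as pf, netfilter/iptables, IPFIREWALL/ipfw and IPFILTER.
The ports path for sshguard is security/sshguard/. To use it with pf, install directly from security/sshguard-pf/. There are also security/sshguard-ipfilter/ and security/sshguard-ipfw/, depending on which firewall you want to pair it with. The following uses pf as the example:
After running make install clean in security/sshguard-pf/, the final instructions displayed are: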
Sshguard installed successfully.
To activate or configure PF see http://sshguard.sf.net/doc/setup/blockingpf.html
Your /etc/syslog.conf has been added a line for sshguard; uncomment it
and use "/etc/rc.d/syslogd reload" for activating it.
See sshguard(8) and http://sshguard.sourceforge.net for additional info.
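Because pf does the blocking, you first need to create the table that sshguard uses, so that sshguard can add suspicious IPs to it. For the pf configuration, see Set up PF firewall on the official sshguard site.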
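Just as owning a mobile phone means getting scam calls, any server connected to the network will have people trying to guess its passwords.
SSHBlock monitors the ssh log and adds malicious source IPs to the TCP Wrappers configuration file in order to block them.
The ports path for SSHBlock is security/sshblock/, and its package description is as follows: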
SSHBlock is a daemon to monitor a syslog log for break-in attempts using
SSH, and to automatically block bad hosts by adding lines to /etc/hosts.allow
(TCP Wrappers). Several thresholds are pre-defined, to be able to block those
trying many attempts within a longer or shorter period.
WWW: http://www.bsdconsulting.no/tools/
After installing with make install clean, the follow-up instructions appear:
To enable and use the sshblock daemon, use the following in /etc/rc.conf or
/etc/rc.conf.local:
sshblock_enable="YES"
To set flags/options (optional), add:
sshblock_flags=""
See /usr/local/sbin/sshblock -h for possible command line options.
Use /usr/local/etc/rc.d/sshblock to stop and start it.
The sshblock usage is as follows:
Usage: sshblock [ -b <blockfile> ] [ -l <logfile> ] [ -t <trigger list> ]
Trigger list is a list of seconds:attempts threshold pairs for determining
whether a host should be blocked
Default blockfile: /etc/hosts.allow
Default logfile: /var/log/auth.log
So once the ports installation is complete, you can start sshblock with the following command:
/usr/local/etc/rc.d/sshblock start
To start sshblock automatically at boot, add the following to /etc/rc.conf:
sshblock_enable="YES"
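The seconds:attempts trigger list from the usage text above, worked through on log lines. This is an added example, not SSHBlock's own code: the sample log is constructed, and the comma-separated trigger syntax, the "Failed password" pattern, the year argument and the hosts.allow line layout are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log sample; addresses come from documentation ranges.
SAMPLE_LOG = """\
Aug 11 22:30:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug 11 22:30:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40115 ssh2
Aug 11 22:30:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 40119 ssh2
Aug 11 22:31:00 host sshd[1210]: Failed password for root from 198.51.100.23 port 51000 ssh2
Aug 11 22:32:10 host sshd[1214]: Failed password for alice from 192.0.2.10 port 52200 ssh2
Aug 11 22:32:30 host sshd[1216]: Failed password for alice from 192.0.2.10 port 52200 ssh2
Aug 11 22:32:41 host sshd[1216]: Accepted password for alice from 192.0.2.10 port 52200 ssh2
Aug 11 22:33:00 host sshd[1220]: Failed password for root from 198.51.100.23 port 51007 ssh2
Aug 11 22:35:00 host sshd[1231]: Failed password for root from 198.51.100.23 port 51019 ssh2
Aug 11 22:37:00 host sshd[1240]: Failed password for root from 198.51.100.23 port 51033 ssh2
"""
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) ")

def parse_triggers(spec):
    """'60:3,600:4' -> [(60, 3), (600, 4)], i.e. seconds:attempts pairs."""
    return [tuple(int(n) for n in pair.split(":")) for pair in spec.split(",")]

def hosts_to_block(log_text, triggers, year=2009):
    """Return {ip: (seconds, attempts)} giving the threshold each host tripped."""
    longest = max(seconds for seconds, _ in triggers)
    recent = defaultdict(deque)   # ip -> failure times inside the longest window
    blocked = {}
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match is None or match.group(1) in blocked:
            continue
        ip = match.group(1)
        # syslog lines carry no year, so the caller supplies one
        now = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        times = recent[ip]
        times.append(now)
        while (now - times[0]).total_seconds() > longest:
            times.popleft()
        for seconds, attempts in triggers:
            hits = sum((now - t).total_seconds() <= seconds for t in times)
            if hits >= attempts:
                blocked[ip] = (seconds, attempts)
                break
    return blocked

def hosts_allow_lines(blocked):
    """One TCP Wrappers deny rule per blocked host (line layout is an assumption)."""
    return [f"sshd : {ip} : deny" for ip in blocked]
```

With the triggers 60:3,600:4 the fast guesser trips the short window, the slow one trips only the long window, and the user who mistyped twice before logging in is left alone.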
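The FTTB dial-up connection on my home server occasionally drops and has to be restarted by hand.
First stop the existing ppp:
killall ppp
Then start ppp again:
ppp -quiet -ddial -nat pppoe
Of course, a straight reboot works too, it is just a bit heavy-handed…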
OS: FreeBSD 7.0
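Cacti installation method: installed from ports
Cacti installation directory: /usr/local/share/cacti
Cacti backup
Cacti stores its data and settings in the database and under the program directory, so both places must be backed up.
1. Program directory backup
Back it up with tar:
tar -zcf cacti_YYMMDD.tgz -C /usr/local/share cacti
YYMMDD is the backup date; fill it in yourself.
2. Database backup
Export it with mysqldump:
mysqldump -h host -u user -ppassword cacti > cacti_YYMMDD.sql
YYMMDD is the backup date; fill it in yourself. Note that there is no space between -p and password.
Cacti restore
If you backed up as described above, restoring only requires putting the program directory back, re-importing the database, and finally checking that cron is set up correctly.
1. Program directory restore
cd /usr/local/share
rm -rf cacti # remove the existing cacti directory
tar -zxvf cacti_YYMMDD.tgz
2. Database restore
mysql -h host -u user -ppassword cacti < cacti_YYMMDD.sql
Before importing, make sure the cacti database already exists in MySQL.
3. Check the cron settings
Check whether /etc/crontab contains the following entry; if not, add it: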
*/5 * * * * cacti php /usr/local/share/cacti/poller.php > /dev/null 2>&1
To make Apache support Python, you can install mod_python.
There are two versions in ports, mod_python 2.7 and mod_python 3.3, each suited to different versions of Apache:
After choosing the appropriate mod_python version, run make install clean in its ports directory to complete the installation.
After installation, the configuration instructions are shown:
Also remember to add to your Apache configuration in the appropriate context:
PythonPath "['/path/to/foo', '/path/to/bar']"
AddHandler python-program .py
PythonHandler foobar
PythonDebug On
For more information, see http://www.modpython.org/.
================================================================================
===> Registering installation for mod_python-3.3.1_2
Next, edit httpd.conf and add the following setting so that Apache supports Python:
LoadModule python_module libexec/apache22/mod_python.so
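(After mod_python is installed, there will be a new mod_python.so under /usr/local/libexec/apache22/.)
Then configure it according to the post-install instructions. For example, to run Python under the directory /some/directory/, configure it as follows:
<Directory /some/directory/>
AddHandler mod_python .py
PythonHandler python
# PythonDebug On sends Python error output to the client as well as the error log
PythonDebug On
</Directory>
It is that same overloaded server again; the system shows the following messages: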
Limiting open port RST response from 253 to 200 packets/sec
Limiting open port RST response from 392 to 200 packets/sec
Limiting open port RST response from 924 to 200 packets/sec
Limiting open port RST response from 689 to 200 packets/sec
Limiting open port RST response from 284 to 200 packets/sec
Limiting open port RST response from 398 to 200 packets/sec
Limiting open port RST response from 219 to 200 packets/sec
Limiting open port RST response from 224 to 200 packets/sec
Limiting open port RST response from 223 to 200 packets/sec
Limiting open port RST response from 425 to 200 packets/sec
Limiting open port RST response from 436 to 200 packets/sec
Limiting open port RST response from 600 to 200 packets/sec
Limiting open port RST response from 265 to 200 packets/sec
Limiting open port RST response from 693 to 200 packets/sec
Limiting open port RST response from 263 to 200 packets/sec
Limiting open port RST response from 505 to 200 packets/sec
Limiting open port RST response from 355 to 200 packets/sec
Limiting open port RST response from 225 to 200 packets/sec
Limiting open port RST response from 228 to 200 packets/sec
Limiting open port RST response from 370 to 200 packets/sec
Limiting open port RST response from 344 to 200 packets/sec
Limiting open port RST response from 288 to 200 packets/sec
Limiting open port RST response from 287 to 200 packets/sec
Limiting open port RST response from 359 to 200 packets/sec
Limiting open port RST response from 355 to 200 packets/sec
Limiting open port RST response from 702 to 200 packets/sec
Limiting open port RST response from 299 to 200 packets/sec
Limiting open port RST response from 345 to 200 packets/sec
Limiting open port RST response from 329 to 200 packets/sec
Limiting open port RST response from 332 to 200 packets/sec
Limiting open port RST response from 211 to 200 packets/sec
Limiting open port RST response from 462 to 200 packets/sec
Limiting open port RST response from 295 to 200 packets/sec
Limiting open port RST response from 800 to 200 packets/sec
Limiting open port RST response from 623 to 200 packets/sec
Limiting open port RST response from 416 to 200 packets/sec
Limiting open port RST response from 256 to 200 packets/sec
Limiting open port RST response from 578 to 200 packets/sec
Limiting open port RST response from 443 to 200 packets/sec
Limiting open port RST response from 264 to 200 packets/sec
Limiting open port RST response from 656 to 200 packets/sec
Limiting open port RST response from 649 to 200 packets/sec
Limiting open port RST response from 426 to 200 packets/sec
Limiting open port RST response from 444 to 200 packets/sec
Limiting open port RST response from 334 to 200 packets/sec
Limiting open port RST response from 240 to 200 packets/sec
Limiting open port RST response from 289 to 200 packets/sec
Limiting open port RST response from 236 to 200 packets/sec
Limiting open port RST response from 600 to 200 packets/sec
Limiting open port RST response from 319 to 200 packets/sec
Limiting open port RST response from 286 to 200 packets/sec
Limiting open port RST response from 363 to 200 packets/sec
Limiting open port RST response from 1279 to 200 packets/sec
Limiting open port RST response from 416 to 200 packets/sec
Limiting open port RST response from 688 to 200 packets/sec
Limiting open port RST response from 771 to 200 packets/sec
Limiting open port RST response from 971 to 200 packets/sec
Limiting open port RST response from 603 to 200 packets/sec
Limiting open port RST response from 228 to 200 packets/sec
Limiting open port RST response from 254 to 200 packets/sec
Limiting open port RST response from 326 to 200 packets/sec
Limiting open port RST response from 441 to 200 packets/sec
Limiting open port RST response from 315 to 200 packets/sec
Limiting open port RST response from 357 to 200 packets/sec
Limiting open port RST response from 591 to 200 packets/sec
Limiting open port RST response from 300 to 200 packets/sec
Limiting open port RST response from 325 to 200 packets/sec
Limiting open port RST response from 332 to 200 packets/sec
Limiting open port RST response from 281 to 200 packets/sec
Limiting open port RST response from 302 to 200 packets/sec
Limiting open port RST response from 560 to 200 packets/sec
Limiting open port RST response from 368 to 200 packets/sec
Limiting open port RST response from 459 to 200 packets/sec
Limiting open port RST response from 388 to 200 packets/sec
Limiting open port RST response from 349 to 200 packets/sec
I found a good article online that explains it very clearly:
Limiting open port RST response from 952 to 200 packets per second
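Traffic to one customer's website recently surged, so Apache's MaxClients needed to be raised to handle the increased number of connections.
After raising it, I tested with apachectl configtest first, and got the following message: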
WARNING: MaxClients of 300 exceeds ServerLimit value of 256 servers, lowering MaxClients to 256. To increase, please see the ServerLimit directive.
The configuration file has no explanation of ServerLimit, but I found the ServerLimit Directive documentation on the official site, so I first tried setting ServerLimit to 500 in httpd-mpm.conf:
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 300
MaxRequestsPerChild 0
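# new setting
ServerLimit 500
</IfModule>
But running apachectl configtest still produced the same error message?
I finally found the clue in another blogger's article, "A comparison of the prefork.c and worker.c modules in Apache 2.0":
ServerLimit must be placed before MaxClients!!!
Changing it to the following works: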
<IfModule mpm_prefork_module>
# ServerLimit goes before MaxClients!!!
ServerLimit 500
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 300
MaxRequestsPerChild 0
</IfModule>
Also, after the change, if you restart Apache with apachectl graceful, the ServerLimit setting does not take effect, and the following error message appears in the log:
[Wed Aug 11 22:31:41 2009] [warn] WARNING: Attempt to change ServerLimit ignored during restart
Restarting with apachectl restart does not help either; the same error message mentioned earlier appears:
WARNING: MaxClients of 300 exceeds ServerLimit value of 256 servers, lowering MaxClients to 256. To increase, please see the ServerLimit directive.
The official documentation mentioned earlier contains a rather obscure note:
Any attempts to change this directive during a restart will be ignored, but MaxClients can be modified during a restart.
So for ServerLimit to take effect, you must first stop Apache with apachectl stop, and then start it again with apachectl start.
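The ordering rule described above can be checked before touching a running server. This is an added example, not code from the original post or from Apache: it replays a prefork block top to bottom, capping MaxClients at whatever ServerLimit is in effect at that line. The function name check_prefork and the finding texts are assumptions, and the default of 256 is taken from the warning quoted above.

```python
import re

DEFAULT_SERVER_LIMIT = 256  # limit named in the configtest warning quoted in the post

# The two prefork blocks from the post, comments omitted.
BEFORE = """<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 300
MaxRequestsPerChild 0
ServerLimit 500
</IfModule>"""
AFTER = """<IfModule mpm_prefork_module>
ServerLimit 500
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 300
MaxRequestsPerChild 0
</IfModule>"""
DIRECTIVE = re.compile(r"\s*(ServerLimit|MaxClients)\s+(\d+)\s*$", re.I)

def check_prefork(conf_text):
    """Replay the block top to bottom; return (effective MaxClients, findings)."""
    block = re.search(r"<IfModule\s+mpm_prefork_module>(.*?)</IfModule>", conf_text, re.S | re.I)
    if block is None:
        return None, ["no mpm_prefork_module block found"]
    server_limit, max_clients, findings = DEFAULT_SERVER_LIMIT, None, []
    for line in block.group(1).splitlines():
        found = DIRECTIVE.match(line)
        if found is None:
            continue
        name, value = found.group(1).lower(), int(found.group(2))
        if name == "serverlimit":
            if max_clients is not None:
                findings.append(f"ServerLimit {value} appears after MaxClients; move it above")
            server_limit = value
        elif value > server_limit:
            # MaxClients is capped by whatever ServerLimit is in effect at this line
            findings.append(f"MaxClients {value} exceeds ServerLimit {server_limit}, lowered to {server_limit}")
            max_clients = server_limit
        else:
            max_clients = value
    return max_clients, findings
```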
I recently took over a Dell PowerEdge 1950, and over the past few days the system has been showing the following message:
mfi0: 3637 (302889152s/0x0002/WARN) - Predictive failure: PD 00(e0x20/s0)
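I looked it up online; it appears that one of the disks in the RAID is having problems.
Along the way I also found a package for inspecting the Dell PowerEdge RAID Controller (PERC) 6/i under FreeBSD: MegaCLI
ports path: /usr/ports/sysutils/megacli
Run make install clean in that directory to complete the installation.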