さくらから、「RPCリフレクションによるDDoS攻撃」の踏み台に利用という連絡がきた。
rpcbindは、nfsの検証で起動したサービスだった。
さくらのページを参考にiptablesを設定した。
https://help.sakura.ad.jp/app/answers/detail/a_id/2423/~/iptables%E3%81%AE%E8%A8%AD%E5%AE%9A%E6%96%B9%E6%B3%95
外部サーバからアクセス拒否確認。
さくらから、「RPCリフレクションによるDDoS攻撃」の踏み台に利用という連絡がきた。
rpcbindは、nfsの検証で起動したサービスだった。
さくらのページを参考にiptablesを設定した。
https://help.sakura.ad.jp/app/answers/detail/a_id/2423/~/iptables%E3%81%AE%E8%A8%AD%E5%AE%9A%E6%96%B9%E6%B3%95
外部サーバからアクセス拒否確認。
以下のサイトを参考にした。
http://d.hatena.ne.jp/ozuma/20120424/1335265500
configureで以下の指定を追加する事
$ ./configure \
  --with-apxs2=/usr/sbin/apxs \
make install で、module ができるので、指定
/etc/httpd/conf.d/php.conf
LoadModule php5_module /usr/lib64/httpd/modules/libphp5.so
iniファイルも指定
PHPIniDir "/usr/local/php/lib/php.ini"
yum install mod_ssl
vi /etc/httpd/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
vi /etc/httpd/conf.d/ssl.conf
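##
## SSL Virtual Host Context
##
NameVirtualHost *:443
Listen 443
<VirtualHost *:443>
# General setup for the virtual host, inherited from global configuration
# (straight quotes: the curly quotes that appeared here would not parse).
DocumentRoot "/var/www/html"
ServerName dev.furoom.net
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# "all -SSLv2" alone still offers SSLv3, which is broken; exclude it too so
# that only TLS is negotiated. If the installed OpenSSL/mod_ssl supports
# TLSv1.2, also dropping TLSv1 ("all -SSLv2 -SSLv3 -TLSv1") is preferable.
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# The stock list admitted RC4 and LOW-strength ciphers. Strip anonymous DH,
# export/LOW grade, RC4 and MD5-based suites, and let the server's order win
# so a client cannot steer negotiation toward the weakest common suite.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!ADH:!EXPORT:!LOW:!RC4:!MD5:!SSLv2
SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# This certificate is issued by the local CA under /etc/pki/CA, so clients
# will warn unless that CA certificate is installed in their trust store.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/CA/certs/dev.furoom.net-ca.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# The key file should be readable by root only; httpd reads it before
# dropping privileges.
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/CA/private/dev.furoom.net.key
</VirtualHost>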
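--update t_datanum set reg_dt = now() where reg_dt < now() - interval '1 hour';
-- Hourly counter window on t_datanum (no WHERE clause: every row is touched).
-- If the last registration is more than an hour old, restart the window
-- (reg_dt = now(), count = 0); otherwise keep the window and increment count.
-- PostgreSQL evaluates SET expressions against the pre-update row, so both
-- CASE tests see the same old reg_dt and stay consistent within one statement.
update
t_datanum
set
-- reg_dt = (case when reg_dt < now() - interval '1 hour' then date_trunc('hour', now()) else reg_dt end),
reg_dt = (case when reg_dt < now() - interval '1 hour' then now() else reg_dt end),
count = (case when reg_dt < now() - interval '1 hour' then 0 else count + 1 end)
;
--update t_datanum set count = count + 1 where reg_dt >= now() - interval '1 hour';
select * from t_datanum ;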
★slave のconf設定
vi /etc/redis/6379.conf
slaveof redis-master.nilesflow.net 6379
★redis-sentinel
wget http://download.redis.io/releases/redis-3.0.7.tar.gz
153 tar xvzf redis-3.0.7.tar.gz
154 cd redis-3.0.7
155 yum install -y gcc tcl
156 make
157 make install
158 mkdir /etc/redis
159 cp sentinel.conf /etc/redis/.
160 vi /etc/redis/sentinel.conf
161 rm /etc/redis/sentinel.conf
162 vi /etc/redis/sentinel.conf
sentinel monitor mymaster 127.0.0.1 6379 2
sentinel down-after-milliseconds mymaster 60000
sentinel failover-timeout mymaster 180000
sentinel parallel-syncs mymaster 1
sentinel monitor resque 192.168.1.3 6380 4
sentinel down-after-milliseconds resque 10000
sentinel failover-timeout resque 180000
sentinel parallel-syncs resque 5
★結局書き換わる
163 vi /etc/hosts
167 redis-server /etc/redis/sentinel.conf --sentinel
177 cp sentinel.conf sentinel01.conf
178 vi sentinel01.conf
179 cp sentinel01.conf sentinel02.conf
180 cp sentinel01.conf sentinel03.conf
181 vi sentinel02.conf
182 vi sentinel03.conf
184 redis-server /etc/redis/sentinel01.conf --sentinel &
185 redis-server /etc/redis/sentinel02.conf --sentinel &
187 redis-server /etc/redis/sentinel03.conf --sentinel &
★materを落としてみる
standby→master
改めて
yum install gcc
yum install tcl
make distclean
# 以下が残る
zmalloc.h:50:31: fatal error: jemalloc/jemalloc.h: No such file or directory
make
make install
http://redis.io/topics/quickstart
[root@ip-172-31-20-29 redis-3.0.7]# mkdir /etc/redis
[root@ip-172-31-20-29 redis-3.0.7]# mkdir /var/redis
[root@ip-172-31-20-29 redis-3.0.7]# mkdir /var/redis/6379
[root@ip-172-31-20-29 redis-3.0.7]# cp utils/redis_init_script /etc/init.d/redis_6379
[root@ip-172-31-20-29 redis-3.0.7]# cp redis.conf /etc/redis/6379.conf
[root@ip-172-31-20-29 redis-3.0.7]# vi /etc/redis/6379.conf
/var/run/redis_6379.pid
(modify the port if needed)
/var/log/redis_6379.log
[root@ip-172-31-20-29 redis-3.0.7]# /etc/init.d/redis_6379 start
★自動起動
# chkconfig: - 85 15
# description: redis-server
# processname: redis
chkconfig redis_6379 on
★backend vsftpdサーバ×2
vi /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60001
pasv_address=lb.x.x.x
★frontend nginxサーバ
vi nginx.conf
stream {
#FTP
upstream ftp {
hash $remote_addr;
server vsftpd.nilesflow.net:21 weight=5 max_fails=3 fail_timeout=30s;
server aws-default.nilesflow.net:21 weight=5 max_fails=3 fail_timeout=30s;
# server pure-ftpd.nilesflow.net:10021 weight=5 max_fails=3 fail_timeout=30s;
}
server {
listen 20021;
proxy_connect_timeout 1s;
# proxy_timeout 3s;
proxy_pass ftp;
}
#FTP data
upstream ftpdata-v1 {
hash $remote_addr;
server vsftpd.nilesflow.net:60000 weight=5 max_fails=3 fail_timeout=30s;
server aws-default.nilesflow.net:60000 weight=5 max_fails=3 fail_timeout=30s;
}
upstream ftpdata-v2 {
server vsftpd.nilesflow.net:60001 weight=5 max_fails=3 fail_timeout=30s;
server aws-default.nilesflow.net:60001 weight=5 max_fails=3 fail_timeout=30s;
}
# vsftpd
server {
listen 60000;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-v1;
}
server {
listen 60001;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-v2;
}
★どこかのサーバから
ftp lb.nilesflow.net 20021
★補足
pasv_address= ドメイン名ではなくIPアドレス
vi /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60001
pasv_address=x.x.x.x
vi /etc/pure-ftpd/pure-ftpd.conf
Bind z.z.z.z,10021
PassivePortRange 60010 60011
ForcePassiveIP x.x.x.x
vi nginx.conf
stream {
#FTP
upstream ftp {
hash $remote_addr;
server z.z.z.z:21 weight=5 max_fails=3 fail_timeout=30s; #v
server z.z.z.z:10021 weight=5 max_fails=3 fail_timeout=30s; #p
}
server {
listen 20021;
proxy_connect_timeout 1s;
# proxy_timeout 3s;
proxy_pass ftp;
}
#FTP data
upstream ftpdata-v1 {
server z.z.z.z:60000 weight=5 max_fails=3 fail_timeout=30s;
}
upstream ftpdata-v2 {
server z.z.z.z:60001 weight=5 max_fails=3 fail_timeout=30s;
}
upstream ftpdata-p1 {
server z.z.z.z:60010 weight=5 max_fails=3 fail_timeout=30s;
}
upstream ftpdata-p2 {
server z.z.z.z:60011 weight=5 max_fails=3 fail_timeout=30s;
}
# vsftpd
server {
listen 60000;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-v1;
}
server {
listen 60001;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-v2;
}
# pure-ftpd
server {
listen 60010;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-p1;
}
server {
listen 60011;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass ftpdata-p2;
}
vi /etc/rsyslog.conf
ftp.* /var/log/pure-ftpd.log
service rsyslog restart
http://unixservermemo.web.fc2.com/sv/pure-log.htm
yum install postfix
★postfixの設定
vi /etc/postfix/main.cf
# Identity of this host: used in HELO and as the origin of locally submitted mail.
myhostname = mail-dev.nilesflow.net
mydomain = nilesflow.net
myorigin = mail-dev.nilesflow.net
# Listen on every interface, not just loopback: this host accepts mail from the network.
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Empty value switches off local-recipient validation, so unknown local
# addresses are accepted at RCPT TO and bounce later instead of being rejected
# up front. Presumably intentional because delivery goes through the virtual
# alias map below — confirm.
local_recipient_maps =
# Trusted client networks. Note that the active smtpd_recipient_restrictions
# below does not contain permit_mynetworks, so these addresses are not granted
# relay access by this setting unless that entry is re-enabled.
mynetworks = 127.0.0.0/8, 192.168.1.0/24, x.x.x.x/32, y.y.y.y/32
relay_domains = $mydestination
# Every address at this domain is rewritten through /etc/postfix/virtual
# (built with postmap hash:).
virtual_alias_domains = mail-dev.nilesflow.net
virtual_alias_maps = hash:/etc/postfix/virtual
#home_mailbox = Mailbox
#home_mailbox = Maildir/
sendmail_path = /usr/sbin/sendmail
# SMTP AUTH via Cyrus SASL; the mechanism list and saslauthd/PAM backend live
# in /etc/sasl2/smtpd.conf and /etc/sysconfig/saslauthd.
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
# NOTE(review): only noanonymous is set. Without noplaintext, PLAIN/LOGIN are
# offered on unencrypted sessions, and TLS is not yet enabled on the submission
# service, so credentials cross the wire in the clear. Add noplaintext once
# TLS is turned on.
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# Relay only for authenticated clients; anything else must be addressed to a
# domain in relay_domains or it is rejected, which keeps this from being an
# open relay.
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
~
★ヘッダ記録
smtpd_sasl_authenticated_header = yes
★sasl2の設定
889 adduser postfix sasl
890 id postfix
894 gpasswd -a postfix sasl
929 vi /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
変更なしかな
933 vi /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=pam
# DAEMONOPTS=--user saslauth
FLAGS=
変更なしかな
934 saslpasswd2 -u mail-dev.nilesflow.net -c nilesflow
935 sasldblistusers2
★エイリアスの設定
995 vi /etc/aliases
nilesflow: "|/usr/local/php-5.6.12/bin/php -f /var/tmp/php/recvmail.php"
997 newaliases
★バーチャルエイリアスの設定
1040 vi /etc/postfix/virtual
@mail-dev.nilesflow.net nilesflow@mail-dev.nilesflow.net
1046 postmap hash:/etc/postfix/virtual
★サブミッション
vi /etc/postfix/master.cf
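# Submission service for authenticated clients. Fields are separated by
# plain hyphens (the en dashes that appeared here would not parse), and the
# -o override lines must be indented, otherwise master.cf reads each of them
# as a new service entry.
submission inet n - n - - smtpd
# TLS is not configured yet, so the encrypt requirement stays off. Until it is
# enabled, SASL PLAIN/LOGIN credentials on this port travel unencrypted;
# re-enable the three lines below together once a certificate is in place.
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING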
とりあえずSSLは使わないので