Category Archives: Linux


How to setup an SFTP server on CentOS

This tutorial explains how to set up and use an SFTP server on CentOS. Before I start, let me explain what SFTP is and what it is used for. Most people know that plain FTP can be used to transfer, download or upload data between a server and a client. But unless it is wrapped in TLS (FTPS), FTP sends the login credentials and the file contents in cleartext, so anyone who can observe the traffic can capture them, and its separate data connections are awkward to firewall. SFTP was introduced as an alternative that serves the same purpose with a much stronger security level.

SFTP stands for SSH File Transfer Protocol (often loosely expanded as Secure File Transfer Protocol). It is not FTP tunnelled through SSH: it is a separate file-transfer protocol carried as a subsystem inside an SSH connection, so it inherits SSH's authentication and encryption and needs only the SSH port (22 by default) to be reachable.

1. Preliminary Note

For this tutorial I am using CentOS 6.4, 32-bit. The same steps work on CentOS 7 as well. The end result is a client that has access to the SFTP server but cannot log in to the server itself over SSH (no interactive shell).
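As an added example (not part of the original tutorial), here is the OpenSSH configuration that produces that result: members of one group (the group name sftponly and the user name alice are assumptions) get SFTP only, inside a chroot, with no shell. It assumes CentOS 6/7 with an OpenSSH that has the internal-sftp subsystem, and it must be run as root on the server.

```bash
#!/usr/bin/env bash
# Added example, not code from the original tutorial. Assumes OpenSSH with the
# internal-sftp subsystem (CentOS 6/7); group name "sftponly" is an assumption.

# Print the sshd_config Match block for an SFTP-only group. Append it at the
# END of /etc/ssh/sshd_config (everything after a Match line belongs to it) and
# change the existing "Subsystem sftp /usr/libexec/openssh/sftp-server" line to
# "Subsystem sftp internal-sftp". ForceCommand internal-sftp means the user
# never gets a shell whatever /etc/passwd says; the forwarding options stop the
# account from being used as a tunnel endpoint into the network.
sftp_match_block() {
  local group=$1
  cat <<EOF
Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd refuses the login ("bad ownership or modes for chroot directory") unless
# the ChrootDirectory and every directory above it are owned by root and not
# writable by group or others. Returns 0 when a directory satisfies that.
chroot_dir_ok() {
  local dir=$1 owner mode
  owner=$(stat -c '%u' "$dir") || return 1
  mode=$(stat -c '%a' "$dir") || return 1
  [ "$owner" = 0 ] && (( (8#$mode & 8#022) == 0 ))
}

# Create an SFTP-only account: the home directory becomes the chroot (root
# owned, read-only for the user), uploads go to a writable subdirectory, and
# the shell is nologin as a second line of defence should the Match block
# ever be removed. internal-sftp does not need a real shell.
add_sftp_user() {
  local user=$1 group=${2:-sftponly}
  getent group "$group" >/dev/null || groupadd "$group"
  useradd -m -g "$group" -s /sbin/nologin "$user"
  chown root:root "/home/$user"
  chmod 755 "/home/$user"
  install -d -o "$user" -g "$group" -m 750 "/home/$user/upload"
}

# Usage on the server (as root):
#   sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]].*|Subsystem sftp internal-sftp|' /etc/ssh/sshd_config
#   sftp_match_block sftponly >> /etc/ssh/sshd_config
#   add_sftp_user alice
#   chroot_dir_ok /home/alice && sshd -t && service sshd restart
# Then check from a client: "sftp alice@server" works, while "ssh alice@server"
# is closed with "This service allows sftp connections only."
```

Always run `sshd -t` before restarting: a syntax error in the Match block locks everyone out, including you.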

Continue reading

pdo_informix

1. Installing Informix Client SDK for Linux x86_64

1.1 Download Informix Client SDK 3.70 for Linux x86_64 from the IBM website: https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?rs=ifxdl

1.2 Extract the archive: `cd /opt/informix; tar -xvf clientsdk.3.70.FC8DE.LINUX.tar`

1.3 Start the installation with `./installclientsdk` and install everything.

2. Installing PDO Informix

2.1 Download PDO Informix 1.3.1: `wget https://pecl.php.net/get/PDO_INFORMIX-1.3.1.tgz`

2.2 Extract the archive: `tar -xvf PDO_INFORMIX-1.3.1.tgz`

2.3 `cd PDO_INFORMIX-1.3.1` and compile:

2.3.1 `phpize`

2.3.2 `./configure --with-pdo-informix=/opt/informix`. If you get the error `configure: error: Cannot find php_pdo_driver.h`, run `ln -s /usr/include/php5 /usr/include/php` and try again.

2.3.3 `make`

2.3.4 `make install`

3. Enable the extension in php.ini (`extension=pdo_informix.so`) and confirm with `php -m | grep -i informix`.

Other reference: http://stackoverflow.com/questions/19909075/php-and-informix-on-debian-how-to-install-configure-the-pdo

Sample Code:

<?php
// Connection parameters for the Informix PDO driver. The DSN must not contain
// spaces around the separators. Keep real credentials out of the source file
// (read them from the environment or a file outside the web root).
$dsn = "informix:host=hostname_or_ipaddr;service=port;database=dbname;"
     . "server=instancename;protocol=onsoctcp;EnableScrollableCursors=1;";

try {
    $db = new PDO($dsn, "username", "password");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    print "Connection Established!\n\n";

    $stmt = $db->query("select * from tablename");
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    echo "Table contents: " . count($rows) . " row(s).\n";
    print_r($rows);
} catch (PDOException $e) {
    fwrite(STDERR, "Database error: " . $e->getMessage() . "\n");
    exit(1);
}
?>

Setting the Linux history-related variables

1. Adding timestamps to history entries

# vi /etc/profile    // append the following at the end of the file, save, then log out and in again
HISTTIMEFORMAT='%F %T '     // note the trailing space: it separates the date from the command
HISTSIZE="3000"    // the default keeps 1000 entries

export HISTTIMEFORMAT='%F %T '
2015-07-27 10:33:58 echo from1
Whereas with
export HISTTIMEFORMAT='%F %T'   // without the space after %T the date runs straight into the command
2015-07-27 10:33:58echo from1
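As an added example (not part of the original post), the bash snippet below puts the settings above into a form that can be dropped into /etc/profile.d, and shows how the timestamps are stored: once HISTTIMEFORMAT is set, bash writes a `#<epoch>` comment line in front of each command in ~/.bash_history, and render_history turns such a file back into dated lines (in UTC). It assumes GNU date; the history file used in the test is constructed. Keep in mind that shell history is a convenience, not an audit trail: a user can unset HISTFILE or kill the shell before it writes, so use auditd or a session recorder where accountability matters.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes bash 4+ and GNU date.

# Settings for /etc/profile.d/history.sh. "readonly" stops a user from quietly
# turning timestamps off or shrinking the history in their own shell; it does
# not stop "unset HISTFILE" or a killed shell, hence the auditd advice above.
# HISTCONTROL deliberately omits "ignorespace", which would let commands be
# hidden from history by prefixing them with a space.
history_profile_snippet() {
  cat <<'EOF'
HISTTIMEFORMAT='%F %T '
HISTSIZE=3000
HISTFILESIZE=3000
HISTCONTROL=ignoredups
shopt -s histappend
readonly HISTTIMEFORMAT HISTSIZE HISTFILESIZE
EOF
}

# Render a .bash_history file as "YYYY-MM-DD HH:MM:SS command" lines in UTC.
# With HISTTIMEFORMAT set, bash stores "#<epoch seconds>" before each command;
# entries recorded before timestamps were enabled have no such line and are
# marked "(no timestamp)".
render_history() {
  local file=$1 ts="" line re='^#([0-9]+)$'
  while IFS= read -r line || [ -n "$line" ]; do
    if [[ $line =~ $re ]]; then
      ts=$(TZ=UTC date -d "@${BASH_REMATCH[1]}" '+%F %T')
    else
      printf '%s %s\n' "${ts:-(no timestamp)}" "$line"
      ts=""
    fi
  done < "$file"
}

# Usage: render_history /home/alice/.bash_history
```

The epoch 1437964438 in the test is the example line above (2015-07-27 10:33:58 in UTC+8) converted to UTC.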

Continue reading

CIB not supported: validator ‘pacemaker-2.4’, release ‘3.0.10’

[root@a2 ~]# crm configure show
ERROR: CIB not supported: validator 'pacemaker-2.4', release '3.0.10'
ERROR: You may try the upgrade command
ERROR: configure: Missing requirements

If you look at the first line/tag in your Pacemaker configuration (`# cibadmin --query > /tmp/cib.xml`) you should see something like the following:
<cib crm_feature_set="3.0.10" validate-with="pacemaker-2.4" epoch="6" num_updates="8" ...> Continue reading

Manage the Root User Password on Linux

# https://gist.github.com/jeffmccune/2360984
# = Class: site::root_user
#
# This is a simple class to manage the root user password.
# The shadow hash of an existing password can be easily obtained
# by running `puppet resource user root` on a Linux system
# that has the desired root password already set.
# Puppet will then manage this password everywhere.
#
# First, I set the password to "puppet" on one Linux node and then get back the
# shadow hash.
#
# root@pe-centos6:~# passwd root
# Changing password for user root.
# New password:
# BAD PASSWORD: it does not contain enough DIFFERENT characters
# BAD PASSWORD: is too simple
# Retype new password:
# passwd: all authentication tokens updated successfully.
# root@pe-centos6:~# puppet resource user root
# user { 'root':
# ensure => 'present',
# comment => 'root',
# gid => '0',
# groups => ['root', 'bin', 'daemon', 'sys', 'adm', 'disk', 'wheel'],
# home => '/root',
# password => '$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0',
# password_max_age => '99999',
# password_min_age => '0',
# shell => '/bin/bash',
# uid => '0',
# }
#
# = Sample Usage
#
# include site::root_user
#
# (MARKUP: http://links.puppetlabs.com/puppet_manifest_documentation)
class site::root_user {
  # This will enforce the root password of "puppet".
  # The value is the SHA-512 crypt(3) hash ($6$...) copied from /etc/shadow
  # via `puppet resource user root`; Puppet writes it verbatim to every node.
  user { 'root':
    ensure   => present,
    password => '$6$7pe0INu/$Uxsn.lb/mJjd9394DIJx5JS9a1NVhrpWDpXRtPGS78/BfyShhOf1G0ft7mRHspXDZo6.ezyqpqIXHQ8Tl8ZJt0',
  }
}
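The gist obtains the hash by setting the password on one node and reading it back. As an added example (not part of the gist), the bash functions below generate a SHA-512 crypt hash directly, so no node has to carry the new password first, and check that a value about to go into a manifest really is one. It assumes OpenSSL 1.1.1 or later (for `passwd -6`). Two caveats a reviewer would raise on the gist itself: the hash is of the trivial password "puppet", and anyone with read access to the repository can crack such a hash offline, so choose a strong, unique root password and treat the hash as a secret (for example via hiera-eyaml) rather than committing it in plain view.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist above. Assumes OpenSSL >= 1.1.1 (the "-6"
# algorithm selector) and bash.

# Produce the SHA-512 crypt(3) string ($6$salt$hash) that Puppet expects in the
# user resource's password attribute. The password is read from stdin so it
# never shows up in the process list; SALT is 1-16 characters of [./0-9A-Za-z]
# and is generated from /dev/urandom when omitted.
sha512_crypt() {
  local salt=${1:-$(LC_ALL=C tr -dc './0-9A-Za-z' </dev/urandom | head -c 16)}
  openssl passwd -6 -salt "$salt" -stdin
}

# Check that a value is a well-formed SHA-512 crypt hash (optionally with a
# "rounds=N$" prefix). Puppet stores whatever string it is given, so a
# plaintext or MD5 ($1$) value would silently end up in /etc/shadow on every
# node; gate the manifest on this before applying it.
is_sha512_crypt() {
  local re='^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
  [[ $1 =~ $re ]]
}

# crypt(3) is deterministic for a given salt, so re-hashing a candidate with the
# salt taken from a committed manifest tells you which password that manifest
# actually enforces, e.g. for the gist's salt:
#   printf '%s\n' 'puppet' | sha512_crypt 7pe0INu/
# Usage for a new manifest (password typed once, not echoed, never in argv):
#   read -rs -p 'root password: ' pw; echo; printf '%s\n' "$pw" | sha512_crypt
```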

How to enforce password complexity on Linux

On most Linux systems you can use PAM (Pluggable Authentication Modules) to enforce password complexity. On Red Hat systems look in /etc/pam.d/system-auth (on Debian systems in /etc/pam.d/common-password) for lines like those shown below.

$ grep password /etc/pam.d/system-auth
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

That’s what you should expect to see on a new system.

By default pam_cracklib requires a minlen score of 9 (PASS_MIN_LEN in /etc/login.defs is not consulted when passwords are changed through PAM), and with the default credits an eight-letter all-lowercase password already reaches it. This is hardly long enough by current standards to consider passwords secure. You will have a much stronger policy if you change the first line to something like this, which requires a score of 12 while keeping one point of credit per character class. Note that a positive credit value only caps the bonus a class can earn; it does not require that class. To require a class, use a negative value (for example ucredit=-1 means at least one uppercase letter).

password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=1
ucredit=1 dcredit=1 ocredit=1 difok=4

Here's what each of the parameters does:

try_first_pass = reuse the password already entered for an earlier module in the
  stack instead of prompting again
retry = the number of times a user may try to choose an acceptable password
  before the passwd command aborts
minlen = the minimum complexity score, which is related to but not the same as
  the password length (more in a moment on this)
lcredit = with a non-negative value N, each lowercase letter adds one point to
  the score, up to N points; with a negative value -N, at least N lowercase
  letters are required
ucredit = the same for uppercase letters
dcredit = the same for digits
ocredit = the same for other (non-alphanumeric) characters
difok = the number of characters in the new password that must differ from
  the previous password

That said, minlen is actually a measure of complexity, not simply length. It specifies a complexity score that must be reached for a password to be deemed as acceptable. If each character in a password added one to the complexity count, then minlen would simply represent the password length but, if some characters count more than once, the calculation is more complex. So let’s see how this works.
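As an added example (not from the original article), the bash functions below model that scoring so you can try a candidate password and policy offline before editing system-auth: every character scores one point, a class with a non-negative credit N adds one more point per character of that class up to N, and a class with a negative credit -N adds nothing but must appear at least N times. The defaults (1 1 1 1) are pam_cracklib's own. difok depends on the old password and is not modelled; the passwords in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Models pam_cracklib's
# minlen scoring and the sign convention of the *credit options.
export LC_ALL=C   # keep the character classes ASCII

# Count lowercase, uppercase, digit and other characters; prints "l u d o".
_class_counts() {
  local pw=$1 tmp l u d
  tmp=${pw//[^a-z]/}; l=${#tmp}
  tmp=${pw//[^A-Z]/}; u=${#tmp}
  tmp=${pw//[^0-9]/}; d=${#tmp}
  echo "$l $u $d $(( ${#pw} - l - u - d ))"
}

# Points one class contributes: min(count, N) for N >= 0, nothing for N < 0
# (a negative credit is a minimum-count requirement, not a bonus).
_credit() {
  local count=$1 max=$2
  (( max < 0 )) && { echo 0; return; }
  echo $(( count < max ? count : max ))
}

# Complexity score of PASSWORD for lcredit ucredit dcredit ocredit (default 1 1 1 1).
cracklib_score() {
  local pw=$1 lc=${2:-1} uc=${3:-1} dc=${4:-1} oc=${5:-1}
  set -- $(_class_counts "$pw")
  echo $(( ${#pw} + $(_credit "$1" "$lc") + $(_credit "$2" "$uc") \
                  + $(_credit "$3" "$dc") + $(_credit "$4" "$oc") ))
}

# Returns 0 if PASSWORD would satisfy
#   minlen=MINLEN lcredit=LC ucredit=UC dcredit=DC ocredit=OC
# i.e. every negative credit's minimum count is met and the score reaches minlen.
cracklib_ok() {
  local pw=$1 minlen=$2 lc=${3:-1} uc=${4:-1} dc=${5:-1} oc=${6:-1}
  set -- $(_class_counts "$pw")
  (( lc >= 0 || $1 >= -lc )) || return 1
  (( uc >= 0 || $2 >= -uc )) || return 1
  (( dc >= 0 || $3 >= -dc )) || return 1
  (( oc >= 0 || $4 >= -oc )) || return 1
  (( $(cracklib_score "$pw" "$lc" "$uc" "$dc" "$oc") >= minlen ))
}

# Usage:
#   cracklib_score 'password'     -> 9   (8 letters + 1 lowercase credit: passes the default minlen=9)
#   cracklib_score 'Passw0rd!'    -> 13  (9 characters + one credit from each class)
#   cracklib_ok 'passwordpassword' 12 1 -1 1 1 || echo rejected   # long enough, but ucredit=-1 wants an uppercase letter
```

The first usage line is the point of the article's warning: with the default policy a plain eight-letter word is "complex" enough.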
Continue reading

How to set a password policy on Linux

User account management is one of a sysadmin's most important tasks, and password security is the most closely watched part of system security. In this tutorial I will show you how to set a password policy on Linux.

I assume your Linux system already uses PAM (Pluggable Authentication Modules), since every Linux distribution has done so for years. Continue reading

Segfault in libnss when using libcurl from php

$ tools/php-5.2.17/bin/php test1.php
* About to connect() to www.google.com port 443 (#0)
* Trying 74.125.192.103... * connected
* Connected to www.google.com (74.125.192.103) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
Segmentation fault (core dumped)

When the URL in the script is changed to use HTTP instead of HTTPS, there is no segfault.

Steps to reproduce: run the script:
$ cat test1.php
<?php
// Reproducer for the NSS crash: a POST to an HTTPS URL through libcurl.
// Certificate verification is disabled only to isolate the crash; never
// ship VERIFYHOST/VERIFYPEER=0 in production code.
$urlEndPoint = "https://www.google.com/search";
$headerArray = array();
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_URL, $urlEndPoint);
/* curl_setopt($ch, CURLOPT_HTTPHEADER, $headerArray);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postArray); */

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_VERBOSE, true);

if (!$result = curl_exec($ch)) {
    print(curl_error($ch));
}

curl_close($ch);

echo print_r($result, true);
?>

Kernel log:
tail -f /var/log/messages
kernel: php[26564]: segfault at 8048 ip 00007f7a72fede9c sp 00007fffec90edf0 error 4 in libsqlite3.so.0.8.6[7f7a72fd1000+8c000]
gdb backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffe9651e9c in sqlite3_file_control () from /usr/lib64/libsqlite3.so.0


The CentOS bug tracker has an entry describing this bug:

https://bugs.centos.org/view.php?id=7399

https://www.mankier.com/5/cert9.db

Quick fix:

mv /etc/pki/nssdb /etc/pki/nssdb.bak
yum -y reinstall nss
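The quick fix replaces the whole NSS database, so it is worth knowing what was there before and confirming what is there afterwards. As an added example (not part of the original post), the bash functions below classify an NSS database directory by its files (the curl log says `certpath: sql:/etc/pki/nssdb`, so libcurl expects the SQLite format, cert9.db and key4.db, described in the cert9.db man page linked above, rather than the legacy cert8.db/key3.db pair) and perform the fix with a timestamped backup instead of a fixed .bak name. It assumes the nss-tools package for certutil; the directories in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes a CentOS-style host
# with yum and the nss-tools package (certutil).

# Classify an NSS database directory by the files it contains:
#   sql   - cert9.db + key4.db (SQLite format, what "sql:" in the curl log means)
#   dbm   - cert8.db + key3.db (legacy Berkeley DB format)
#   mixed - both sets present
#   empty - neither
# A result other than "sql" for /etc/pki/nssdb is suspect on this system.
nss_db_format() {
  local dir=$1 sql=0 dbm=0
  [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=1
  [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && dbm=1
  if (( sql && dbm )); then echo mixed
  elif (( sql )); then echo sql
  elif (( dbm )); then echo dbm
  else echo empty
  fi
}

# Move the database aside (never delete it: it may hold CA or client
# certificates that were added to the system store) and let the nss package
# recreate it. Prints where the old copy went.
reset_nssdb() {
  local dir=${1:-/etc/pki/nssdb} bak
  bak="$dir.bak.$(date +%Y%m%d%H%M%S)"
  mv "$dir" "$bak" && yum -y reinstall nss || return 1
  echo "old database saved in $bak"
}

# Usage (as root):
#   nss_db_format /etc/pki/nssdb          # expect "sql"; anything else explains the crash
#   reset_nssdb                           # same as the quick fix, with a dated backup
#   certutil -d sql:/etc/pki/nssdb -L     # must list without error
#   tools/php-5.2.17/bin/php test1.php    # the reproducer should now complete
```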

Shell script for batch login and security baseline checks

Script description

1. Put all the files in this directory into one directory on a local Linux host of your own.

2. Write the server IP, an unprivileged account, that account's password and the root password into hosts.txt, one host per line, in the following format (note that "~" is the field separator in hosts.txt). Because this file holds plaintext credentials, make it readable only by you (chmod 600) and delete it when you are done:

192.168.1.81~user~123456~nothing

192.168.1.10~user~123456~nothing

192.168.1.11~user~123456~nothing

3. Run `sh login.sh`; the script uploads checklinux.sh to /tmp on each server, runs it, and fetches the results back to the local host automatically.

4. Finally the uploaded script and its results are deleted from the servers automatically. Continue reading
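As an added example (not the post's own login.sh), the bash script below follows the same procedure and reads the same "~"-separated hosts.txt, but authenticates with an SSH key and uses sudo on the target instead of the plaintext passwords, which the original format needs only for password-based login. The key path ~/.ssh/baseline_key, the results directory and the assumption that checklinux.sh prints its report to stdout are all mine; the hosts file in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not the original login.sh. Assumes key-based SSH access and
# sudo rights for the unprivileged account on each target; checklinux.sh is
# assumed to write its report to stdout.

# Parse hosts.txt: skip blank and "#" lines, require an IPv4 address and a
# user name, print "ip user" pairs. Fields 3 and 4 (the passwords) are ignored
# on purpose; an SSH key does the authentication.
parse_hosts() {
  local file=$1 ip user rest re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  while IFS='~' read -r ip user rest || [ -n "$ip" ]; do
    [[ -z $ip || $ip == \#* ]] && continue
    [[ $ip =~ $re ]] || { echo "skipping bad host line: $ip" >&2; continue; }
    [[ -n $user ]] || { echo "skipping $ip: empty user" >&2; continue; }
    echo "$ip $user"
  done < "$file"
}

# hosts.txt carries credentials: refuse to run unless only the owner can read it.
hosts_file_private() {
  [ "$(stat -c '%a' "$1")" = 600 ]
}

# Upload checklinux.sh, run it as root via sudo, collect the report locally,
# and remove the copy from the server. BatchMode prevents password prompts;
# StrictHostKeyChecking=yes refuses hosts whose key is not already in
# known_hosts, so a spoofed server cannot receive the script or the sudo session.
run_baseline() {
  local hosts=$1 key=${2:-$HOME/.ssh/baseline_key} out=${3:-./results} ip user ts
  hosts_file_private "$hosts" || { echo "$hosts must be mode 600" >&2; return 1; }
  mkdir -p "$out"
  ts=$(date +%Y%m%d%H%M%S)
  parse_hosts "$hosts" | while read -r ip user; do
    scp -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        checklinux.sh "$user@$ip:/tmp/checklinux.sh" &&
    ssh -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=yes "$user@$ip" \
        'sudo sh /tmp/checklinux.sh; rm -f /tmp/checklinux.sh' \
        > "$out/${ip}_$ts.txt" 2>&1 || echo "FAILED: $ip" >&2
  done
}

# Usage: chmod 600 hosts.txt && run_baseline hosts.txt
```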

RHEL / Centos Linux 7: Change and Set Hostname Command

On a CentOS Linux 7 server you can use any one of the following tools to manage the hostname:

  1. hostnamectl command: controls the system hostname. This is the recommended method.
  2. nmtui command: controls the system hostname through a text user interface (TUI).
  3. nmcli command: controls the system hostname through the command-line part of NetworkManager.

Types of hostnames

The hostname can be configured as follows

  1. Static host name assigned by sysadmin. For example, “server1”, “wwwbox2”, or “server42.cyberciti.biz”.
  2. Transient/dynamic host name assigned by DHCP or mDNS server at run time.
  3. Pretty host name assigned by sysadmin/end-users and it is a free-form UTF8 host name for presentation to the user. For example, “Vivek’s netbook”.

Static: the static host name is the traditional host name, chosen by the sysadmin and stored in the /etc/hostname file.

Transient: the transient host name is maintained by the kernel and can be changed at run time by DHCP or mDNS.

Pretty: a free-form UTF-8 host name for presentation to the user.
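As an added example (not from the original post), the bash functions below validate a candidate static host name before handing it to hostnamectl, then set all three kinds of name and read back what was stored. The validation rules are those of a DNS host name as hostnamectl accepts it: labels of letters, digits and hyphens that do not start or end with a hyphen, each at most 63 characters, the whole name at most 64 characters (the kernel's HOST_NAME_MAX), no leading, trailing or doubled dots. It assumes systemd's hostnamectl (CentOS 7); the names in the test are the post's own examples plus constructed bad ones.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes systemd's hostnamectl.

# Validate a static host name. Uppercase is accepted here because hostnamectl
# accepts it too, but it stores the static name lower-cased.
valid_static_hostname() {
  local name=$1 label
  local charset='^[A-Za-z0-9.-]+$'
  local labelre='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
  [[ -n $name && ${#name} -le 64 ]] || return 1
  [[ $name =~ $charset ]] || return 1
  [[ $name == .* || $name == *. || $name == *..* ]] && return 1
  for label in ${name//./ }; do
    [[ $label =~ $labelre ]] || return 1
  done
}

# Set the static, transient and pretty names in one go and show what was
# stored. The static name lands in /etc/hostname; the transient name is what
# the kernel reports (uname -n) until DHCP or mDNS changes it; the pretty name
# is free-form UTF-8 and goes to /etc/machine-info.
set_hostnames() {
  local static=$1 pretty=$2
  valid_static_hostname "$static" || { echo "invalid static hostname: $static" >&2; return 1; }
  hostnamectl set-hostname --static "$static"
  hostnamectl set-hostname --transient "$static"
  hostnamectl set-hostname --pretty "$pretty"
  printf 'static=%s transient=%s pretty=%s\n' \
    "$(hostnamectl --static)" "$(hostnamectl --transient)" "$(hostnamectl --pretty)"
}

# Usage (as root): set_hostnames server42.cyberciti.biz "Vivek's netbook"
```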

Continue reading