分类目录归档:DevOps

DevOps

plaintext: the specified credentials were rejected by the server

Introduction

I have started learning Ansible with the help of various blogs and Pluralsight videos. My focus is on using Ansible to configure Windows.

Ansible uses WinRM to connect to Windows servers and I was having some trouble connecting from my CentOS Ansible VM to either Windows 2012 R2 or 2016 that were standalone servers, so Workgroup and not joined to Active Directory.

After too many attempts to get Ansible to connect to the 2012 R2 VM I thought I would document how to get the connection going.

Environment

继续阅读

基于 zabbix 系统监控

目录

1 介绍

2 指标

3 安装部署

4 Windows 系统状态监控

5 Windows 系统硬件信息获取

6 Linux 系统状态监控

7 Linux 系统硬件信息获取

8 VMware 虚拟平台监控

9 邮件告警

10 微信告警

继续阅读

Zabbix通过Smokeping检测网络质量并告警

(一)Smokeping概述
(1) Smokeping是一款用于网络性能监测的开源监控软件,主要用于对IDC的网络状况,网络质量,稳定性等做检测,通过rrdtool制图方式,图形化地展示网络的时延情况,进而能够清楚的判断出网络的即时通信情况。

(2)SmokePing的特点
SmokePing keeps track of your network latency:
Best of breed latency visualisation.(最佳图形展示功能,延时丢包等可以很直观的可视化展现)
Interactive graph explorer.(交互式浏览器图表)
Wide range of latency measurement plugins.(丰富的网络状况测量插件)
Master/Slave System for distributed measurement.(支持主从的分布式部署模式)
Highly configurable alerting system.(自定义报警功能)
Live Latency Charts with the most ‘interesting’ graphs.(漂亮、免费、开源)
Free and OpenSource Software written in Perl written by Tobi Oetiker, the creator of MRTG and RRDtool

(二)技术概述
使用zabbix通过smokeping来检测网络质量zabbix官方论坛有推荐,可以登陆查看下,具体地址如下:https://www.zabbix.com/forum/showthread.php?t=31147
技术关键点有三点:
1,zabbix-trapper:这是一种数据传递方式,不同于zabbix-agent,这种方式定义的item需要使用zabbix-sender来发送数据给zabbix-server

2,zabbix-sender需要的参数:

-z - 指定zabbix server的IP
-p - 指定zabbix server的端口,默认为10051
-s - 指定目标主机,主机名必须是配置中的hostname而不是visible name,切记
-k - 指定key,我们定义的trapper的key,这边便是我们前面定义的trap
-o - 指定要传递的数据

3,使用fping探测各节点丢包率

fping的参数:
-b ping包大小
-c ping的次数   
-p ping间隔,单位ms

(三)具体步骤

(一)在zabbix_server端的配置
1,放开zabbix_server.conf中ExternalScripts的配置并设置为:ExternalScripts=/usr/local/zabbix/externalscripts

[root@localhost externalscripts]# vim /usr/local/zabbix/etc/zabbix_server.conf

### Option: AlertScriptsPath
#       Full path to location of custom alert scripts.
#       Default depends on compilation options.
#
# Mandatory: no
# Default:
# AlertScriptsPath=${datadir}/zabbix/alertscripts
 AlertScriptsPath=/usr/local/zabbix/alertscripts

### Option: ExternalScripts
#       Full path to location of external scripts.
#       Default depends on compilation options.
#
# Mandatory: no
# Default:
# ExternalScripts=${datadir}/zabbix/externalscripts
ExternalScripts=/usr/local/zabbix/externalscripts

2,把zabbix官方推荐的脚本放到ExternalScripts=/usr/local/zabbix/externalscripts/目录下,http://www.mbs-it.pl/inne/zbxsmokeping

[root@localhost externalscripts]# cat zbxsmokeping
#!/bin/bash
# Where is your zabbix server
ZBXSERVER=172.20.66.110
# where is fping tool?
FPING=/usr/sbin/fping
# where is zabbix_sender tool?
ZBXSENDER=/usr/local/zabbix/bin/zabbix_sender
# Where to send ping
IP=$1
# How many ping to send
COUNT=$2
# What interval between ping [ms]
INTERVAL=$3
# How many bytes in one ping
BYTES=$4
# 'Hostname' of the host which will collect data
HOSTNAME=$5

if [ $# -lt 5 ]
 then
     echo
     echo " Not enough parameters"
     echo " Usage: zbxsmokeping <HOST_IP> <NUMBERS_OF_PINGS> <INTERVAL> <BYTES> <TO_WHICH_HOST_SEND_DATA_IN_ZABBIX>"
     echo " Zabbix External Check Item ex.: zbxsmokeping[{HOST.IP},6,1000,68,{HOST.HOST}]"
  exit 2
fi
# debug
# echo $FPING -b $BYTES -c $COUNT -q -p $INTERVAL $IP 2>&1

OUTPUT=`$FPING -b $BYTES -c $COUNT -q -p $INTERVAL $IP 2>&1 | awk '{print $5,$8}' | tr -d "%|," | tr -s " " "/" | awk -F"/" '{print $3,$4,$5,$6}'`
tab=( $OUTPUT )
# debug
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLoos -o ${tab[0]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMin -o ${tab[1]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMax -o ${tab[3]}
#echo $ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyAvg -o ${tab[2]}

$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLoos -o ${tab[0]}  -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMin -o ${tab[1]} -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyMax -o ${tab[3]} -v | grep "Failed 1"
$ZBXSENDER -z $ZBXSERVER -p 10051 -s $HOSTNAME -k SmokLatencyAvg -o ${tab[2]} -v | grep "Failed 1"
echo 1

3,给该脚本执行权限,并重启下zabbix_server服务。

[root@localhost externalscripts]# chmod +x zbxsmokeping

[root@localhost externalscripts]

# ll zbxsmokeping -rwxr-xr-x 1 root root 1649 Dec 27 17:38 zbxsmokeping

[root@localhost externalscripts]

# /etc/init.d/zabbix_server restart

至此zabbix_server端配置完成。

Zabbix通过Smokeping检测网络质量并告警
Zabbix通过Smokeping检测网络质量并告警

(二)在浏览器端配置。
1,把官方推荐的模板导入进来,http://www.mbs-it.pl/inne/zbx_export_templates_smokeping.xml

2,把模板链接到需要检测网络质量的站点上

Zabbix通过Smokeping检测网络质量并告警

至此zabbix通过smokeping监控网络质量完成。

puppet-external_ip

External IP fact(s)

Sage Imel sage@sagenite.net

Provides an external_ip4 fact that shows your ipv4 IP address as returned by http://ipv4.icanhazip.com. Provides and an external_ip6 fact that shows your ipv6 IP address as returned by http://ipv6.icanhazip.com.

Useful if you have a host with a dynamic IP address.

Limitations

Ruby doesn’t seem to let you specify which interface Web::HTTP uses, so on a box with multiple interfaces your milage may very.

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip4.rb

require 'net/http'

Facter.add("external_ip4") do
  setcode do
    begin
      target = URI.parse('http://ipv4.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end
require 'net/http'

https://raw.githubusercontent.com/nightfly19/puppet-external_ip/master/lib/facter/external_ip6.rb
Facter.add("external_ip6") do
  setcode do
    begin
      target = URI.parse('http://ipv6.icanhazip.com/')
      Net::HTTP.get_response(target.host, target.path).body.chomp
    rescue
      nil
    end
  end
end

Nginx配置WebService、MySQL、SQL Server、ORACLE等代理

nginx配置webservice

#user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    upstream esbServer {   
        server 127.0.0.1:8083 weight=1 max_fails=2 fail_timeout=30s;   
    }

    #gzip  on;

    server {
        listen       8081;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /ladder_web {
            proxy_set_header X-real-ip $remote_addr;
            proxy_pass http://esbServer;
        }

       
    }

}

nginx 配置mysql代理 — 基于nginx1.9以上 stream module 继续阅读

ZAP介绍

Zed Attack Proxy简写为ZAP,是一个简单易用的渗透测试工具,是发现Web应用中的漏洞的利器,更是渗透测试爱好者的好东西。

ZAP下载地址:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ZAP中国:http://www.owasp.org.cn/

BackTrack5R3中集成了ZAP,下面我来演示了一下ZAP的简单实用。

打开方式:

1.

cd /pentest/web/owasp-zap
./zap.sh

2.

Applications|BackTrack|Vulnerability Assessment|Web Application Assessment|Web Vulnerability Scanners|owasp-zap

使用方法:

1.设置

ZAP像Burp suite一样使用代理的方式来截取网站。

ZAP介绍

在Tools|Local proxy中设置相关选项。

ZAP介绍

默认已经设置好了,如果端口冲突就自己改。

在Firefox中设置代理。

Edit|Preferences|Advanced|Network|Setting

选择Manual proxy configuration单选项。

ZAP介绍

浏览目标机器,这里使用Metasploitable2来示例。

用Firefox访问后,在ZAP中出现了Sites。

2.Spider site

右键选择Attack|Spider site

ZAP介绍

扫描要很久,因为是示例所以就先停了。

3.Brute Force

在Site选择目标,在List中选择字典。有big medium small等类型的字典。

ZAP介绍

4.Port Scanner

ZAP介绍

虽然扫描速度很快,但是不够Nmap准确。

5.Active Scan

主动扫描是ZAP最强大的功能之一。

ZAP介绍

6.Alerts

扫描出来的漏洞就在这里了。

ZAP介绍

7.插件

Adjusting child processes for PHP-FPM (Nginx)

Problem:

The following warning message appears in the logs:

[26-Jul-2012 09:49:59] WARNING: [pool www] seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers), spawning 32 children, there are 8 idle, and 58 total children
[26-Jul-2012 09:50:00] WARNING: [pool www] server reached pm.max_children setting (50), consider raising it

It means that there are not enough PHP-FPM processes. 继续阅读

fail2ban安装配置与使用

注意:如果重启了防火墙,请同时将fail2ban服务重启,不然fail2ban不能生效,fail2ban的过滤表是在iptables启动后再添加的

安装配置:

安装epel源

# yum -y install fail2ban

配置文件

在/etc/fail2ban/目录下,标注红色的为我们添加的

即:

[root@s108c fail2ban]# ll /etc/fail2ban/jail.d/jail.local
-rw-r–r– 1 root root 174 Sep 12 10:27 /etc/fail2ban/jail.d/jail.local
[root@s108c fail2ban]# ll /etc/fail2ban/filter.d/authdaemond.conf
-rw-r–r– 1 root root 962 Sep 12 10:08 /etc/fail2ban/filter.d/authdaemond.conf

日志文件:

将/etc/fail2ban/fail2ban.conf配置中logtarget 指向日志要保存的文件

logtarget = /var/log/fail2ban.log 继续阅读

Nessus

The Most Widely Deployed Vulnerability Assessment Solution

Nessus® has been deployed for vulnerability, configuration and compliance assessments by more than one million users across the globe. Nessus prevents network attacks by identifying the vulnerabilities and configuration issues that hackers use to penetrate your network.

Nessus Workflow

  1. Ensure that your setup meets the minimum system requirements:
  2. Obtain the proper Activation Code for Nessus.
  3. Follow the installation steps depending on your Nessus software and operating system:
  4. Perform the initial configuration steps for Nessus in the web front end.
  5. Create a user account.
  6. Create a scan.

Block IP Addresses With Windows Firewall 2008, 2012

If you ever feel that someone may be trying to break into your FTP or IIS server or know an IP address that you want to block from accessing your server there is a built in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address. Turning Windows Firewall On

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

  • Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
  • Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
  • Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.

继续阅读