The system is CentOS 6/7 64-bit.
yum groupinstall "Development tools"
tar -xzvf openssl-1.0.2l.tar.gz
make && make install
While we’re still converting our puppet controlled infra to Ansible, we still have some nodes “controlled” by puppet, as converting some roles isn’t something that can be done in just one or two days. Add to that other items in your backlog that all have priority set to #1 and then time is flying, until you realize this for your existing legacy puppet environment (assuming false FQDN here, but you’ll get the idea):
Warning: Certificate 'Puppet CA: puppetmasterd.domain.com' will expire on 2019-05-06T12:12:56UTC
Warning: Certificate 'puppetmasterd.domain.com' will expire on 2019-05-06T12:12:56UTC
So, as long as your PKI setup for puppet is still valid, you can act in advance: re-sign/extend the CA and puppetmasterd certificates, distribute the newer CA certs to the agents, and go forward with the other items in your backlog while still converting from puppet to Ansible (at least for us). Continue reading
How to allocate a large memory space for Informix shared memory segments on Red Hat Linux 3 (RHEL3).
You are using IBM® Informix® Dynamic Server (IDS) on Red Hat Linux 3. When you try to allocate more than 1.8 GB (gigabytes) of shared memory, the following error message appears in the message log file.
13:52:26 shmat: [ENOMEM]: out of available data space, check system memory parameters (e.g. MAXMEM).
Security and Hardening of CentOS 7
This tutorial only covers general security tips for CentOS 7 which can be used to harden the system. The checklist tips are intended mostly for various types of bare-metal servers or for machines (physical or virtual) that provide network services.
However, some of the tips can be applied successfully on general-purpose machines too, such as desktops, laptops and card-sized single-board computers (Raspberry Pi). Continue reading
In this guide, we are going to learn how to enforce a password complexity policy on CentOS 7/RHEL-based derivatives. Our previous guide covered the enforcement of password complexity on Ubuntu 18.04; you can check it by following the link below.
Similar to our previous guide, we are going to use the PAM pwquality module to enforce the password complexity policy on CentOS 7/RHEL-based derivatives.
In Ubuntu or Debian-based derivatives, we modified the /etc/pam.d/common-password configuration file. For CentOS 7 or similar derivatives, the /etc/pam.d/system-auth configuration file is used.
As usual, make a backup of the configuration file before making changes, just in case things go south. Continue reading
Change file and folder permissions – display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS and XCACLS.

Syntax

Add or remove permissions:
   ICACLS Name [/grant[:r] User:Permission[...]] [/deny User:Permission[...]]
      [/remove[:g|:d] User[...]] [/inheritance:e|d|r] [/setintegritylevel Level[...]]
      [/T] [/C] [/L] [/Q]

Store ACLs for one or more directories matching name into aclfile for later use with /restore:
   ICACLS name /save aclfile [/T] [/C] [/L] [/Q]

Restore ACLs to all files in directory:
   ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q]

Change owner:
   ICACLS name /setowner user [/T] [/C] [/L] [/Q]

Find items with an ACL that mentions a specific SID:
   ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]

Find files whose ACL is not in canonical form or with a length inconsistent with the ACE count:
   ICACLS name /verify [/T] [/C] [/L] [/Q]

Replace the ACL with the default inherited ACLs for all matching files:
   ICACLS name /reset [/T] [/C] [/L] [/Q]
   This is equivalent to "Replace all child permission entries with inheritable permissions from this object" in the GUI.

Key
   name        The file(s) or folder(s) the permissions will apply to.
   /T          Traverse all subfolders to match files/directories. This applies permission changes to all subfolders whether or not they are set to inherit permissions from the parent. On very large directory structures this may take some time, as the command has to traverse the entire tree.
   /C          Continue on file errors (access denied). Error messages are still displayed.
   /L          Perform the operation on a symbolic link itself, not its target.
   /Q          Quiet - suppress success messages.
   /grant[:r] user:permission
               Grant access rights. With :r, the permissions replace any previously granted explicit permissions (for the given user). Otherwise the permissions are added.
   /deny user:permission
               Explicitly deny the specified user access rights. This also removes any explicit grant of the same permissions to the same user.
   /remove[:[g|d]] User
               Remove all occurrences of User from the ACL.
               :g  remove all granted rights for that User/SID.
               :d  remove all denied rights for that User/SID.
   /inheritance:e|d|r
               e - Enable inheritance
               d - Disable inheritance and copy the ACEs
               r - Remove all inherited ACEs
   /setintegritylevel [(CI)(OI)]Level
               Add an integrity ACE to all matching files. Level is one of L, M, H (Low, Medium or High):
               Mandatory Label\Low Mandatory Level    = Low
               Mandatory Label\Medium Mandatory Level = Medium/Standard
               Mandatory Label\High Mandatory Level   = Elevated
               If no mandatory label is displayed in the output, it is Medium by default.
               A directory inheritance option for the integrity ACE can precede the level and is applied only to directories.
   user        A user account, group or a SID.
   /restore    Apply the ACLs stored in aclfile to the files in directory.

permission is a permission mask and can be specified in one of two forms:

   A sequence of simple rights:
      D   - Delete access
      F   - Full access (Edit_Permissions+Create+Delete+Read+Write)
      N   - No access
      M   - Modify access (Create+Delete+Read+Write)
      RX  - Read and eXecute access
      R   - Read-only access
      W   - Write-only access

   A comma-separated list in parentheses of specific rights:
      DE   - Delete
      RC   - Read control
      WDAC - Write DAC
      WO   - Write owner
      S    - Synchronize
      AS   - Access system security
      MA   - Maximum allowed
      GR   - Generic read
      GW   - Generic write
      GE   - Generic execute
      GA   - Generic all
      RD   - Read data/list directory
      WD   - Write data/add file
      AD   - Append data/add subdirectory
      REA  - Read extended attributes
      WEA  - Write extended attributes
      X    - Execute/traverse
      DC   - Delete child
      RA   - Read attributes
      WA   - Write attributes

   Inheritance rights can precede either form and are applied only to directories:
      (OI) - Object inherit
      (CI) - Container inherit
      (IO) - Inherit only
      (NP) - Don't propagate inherit
      (I)  - Permission inherited from parent container

Continue reading
How to Install and Configure 'Cache Only DNS Server' with 'Unbound' in RHEL/CentOS 7 (source: https://www.tecmint.com/setup-dns-cache-server-in-centos-7/)
Unbound is a validating, recursive, and caching DNS server. Back in RHEL/CentOS 6.x (where x is the minor version number) we used the bind package to configure DNS servers; on RHEL/CentOS 7 this article uses Unbound to set up a caching name server.
Setup Caching DNS Server in RHEL/CentOS 7
DNS cache servers resolve any DNS query they receive and cache the answer. When the same query is requested again by any client, the answer is served from the Unbound cache in milliseconds, rather than taking the time the first resolution did.
A caching server only acts as an agent that resolves the client's query through one of its forwarders. Keeping the cache database on the Unbound server reduces the loading time of web pages.
For demonstration purposes, I will be using two systems. The first system will act as the Master (Primary) DNS server and the second system will act as a local DNS client.
DNS server:
Operating System : CentOS Linux release 7.0.1406 (Core)
IP Address : 192.168.0.50
Host-name : ns.tecmintlocal.com
Client:
Operating System : CentOS 6
IP Address : 192.168.0.100
Host-name : client.tecmintlocal.com
1. Before setting up a caching DNS server, make sure that you have set the correct hostname and configured a static IP address for your system; if not, set a static IP address now.
2. After setting the hostname and static IP address, you can verify them with the following commands.
# hostnamectl
# ip addr show | grep inet
3. Before installing the 'Unbound' package, update the system to the latest version; after that, install the unbound package.
# yum update -y
# yum install unbound -y
4. After the package has been installed, make a copy of the unbound configuration file before making any changes to the original file.
# cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
5. Next, use your favorite text editor to open and edit the 'unbound.conf' configuration file.
# vim /etc/unbound/unbound.conf
Once the file is opened for editing, make the following changes:
Search for interface and enable the interface we are going to use; if the server has multiple interfaces, enable the wildcard interface 0.0.0.0.
Here our server IP is 192.168.0.50, so I am going to run unbound on this interface.
Search for the following strings and make sure each is set to 'yes'.
do-ip4: yes
do-udp: yes
do-tcp: yes
To enable logging, add the logging variables; Unbound will then log all of its activity.
Enable the following parameter to hide the answers to id.server and hostname.bind queries.
Enable the following parameter to hide the answers to version.server and version.bind queries.
Then search for access-control. This defines which clients are allowed to query this unbound server.
Here I have used 0.0.0.0/0, which means anyone can send queries to this server. If we need to refuse queries from some network range, we can define which network is refused.
access-control: 0.0.0.0/0 allow
Note: Instead of allow, we can use allow_snoop, which additionally permits non-recursive (cache snooping) queries such as those sent by dig with recursion disabled; it supports both recursive and non-recursive queries.
Then search for domain-insecure. If our domain works with DNSSEC keys, we need to define our server as available for domain-insecure. Here our domain will be treated as insecure.
Then change the forwarders: any query not answered by this server will be forwarded to the root zone (".") forwarders and resolved there.
forward-zone:
    name: "."
    forward-addr: 220.127.116.11
    forward-addr: 18.104.22.168
Finally, save and quit the configuration file using :wq!.
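The server: block below assembles the settings from the steps above into one place. It is an added example, not the article's own unbound.conf: the LAN range 192.168.0.0/24, the log file path and the domain-insecure name are assumptions, while the forwarder addresses are the ones the article gives. Unlike the article's access-control: 0.0.0.0/0 allow, it restricts recursion to localhost and the LAN, because a resolver that answers recursive queries for the whole internet (an open resolver) can be turned against third parties in DNS amplification traffic.

```conf
# Added example: hardened server block for /etc/unbound/unbound.conf.
# Assumed values: LAN 192.168.0.0/24, log file path, domain-insecure name.
server:
    interface: 0.0.0.0
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Logging: verbosity 1 is enough for operations; raise it only while
    # troubleshooting, as higher levels log every query.
    verbosity: 1
    use-syslog: no
    logfile: "/var/log/unbound.log"
    # Do not reveal the server identity or software version to clients.
    hide-identity: yes
    hide-version: yes
    # Only localhost and the LAN may use this resolver; everything else is
    # refused instead of the article's 0.0.0.0/0 allow (open resolver).
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Internal zone without DNSSEC signatures, treated as insecure (assumed name).
    domain-insecure: "tecmintlocal.com"
# Forward everything the cache cannot answer to the upstream resolvers.
forward-zone:
    name: "."
    forward-addr: 220.127.116.11
    forward-addr: 18.104.22.168
```

After editing, run unbound-checkconf /etc/unbound/unbound.conf as in step 6; it reports the line of any option it does not accept, and the service will not start on a file that fails the check.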
6. After making the above changes, verify the unbound.conf file for errors using the following command.
# unbound-checkconf /etc/unbound/unbound.conf
Check Unbound DNS Configuration
7. Once the file verification completes without errors, you can safely start the 'unbound' service and enable it at system startup.
# systemctl start unbound.service
# systemctl enable unbound.service
Start Unbound DNS Service
8. Now it's time to check our DNS cache by doing a 'drill' (query) of the 'india.com' domain. The first 'drill' of 'india.com' will take some milliseconds; then do a second drill and note the query time of both.
drill india.com @192.168.0.50
As you can see in the above output, the first query took almost 262 msec to resolve and the second query took 0 msec to resolve the domain (india.com).
That means the first query's answer was cached in our DNS cache, so when we run 'drill' the second time the query is served from our local DNS cache; this is how we improve the loading speed of websites.
9. We can't use both iptables and firewalld at the same time on the same machine; if we do, they will conflict with each other, so flushing the iptables rules is a good idea. To flush the iptables rules, use the following command.
# iptables -F
10. After removing the iptables rules, add the DNS service to firewalld, both at runtime and permanently.
# firewall-cmd --add-service=dns
# firewall-cmd --add-service=dns --permanent
11. After adding DNS service rules, list the rules and confirm.
# firewall-cmd --list-all
12. To get the current server status, use the following command.
# unbound-control status
Check Unbound DNS Status
13. If you would like a dump of the DNS cache in a text file, redirect it to a file with the command below for future use.
# unbound-control dump_cache > /tmp/DNS_cache.txt
Backup DNS Cache
14. To restore or import the cache from the dumped file, use load_cache (dump_cache only writes the cache out).
# unbound-control load_cache < /tmp/DNS_cache.txt
Restore DNS Cache
15. To check whether a specific address was resolved via our forwarders in the unbound cache server, use the command below.
# unbound-control lookup google.com
Check DNS Lookup
16. Sometimes our DNS cache server will not reply to our query; in the meantime we can flush the cache to remove records such as A, AAAA, NS, SOA, CNAME, MX, PTR etc. from the DNS cache. We can remove all information for a zone using flush_zone.
# unbound-control flush www.digitalocean.com
# unbound-control flush_zone tecmintlocal.com
17. To check which forwarders are currently used to resolve queries:
# unbound-control list_forwards
Check Current DNS Forwards
18. Here I've used a CentOS 6 server as my client machine; its IP is 192.168.0.100, and I'm going to use my unbound DNS server's IP (i.e. as the Primary DNS) in its interface configuration.
Log in to the client machine and set the Primary DNS server IP to our unbound server's IP.
Run the setup command and choose Network configuration from the TUI network manager.
Then choose DNS configuration and insert the unbound DNS server's IP as the Primary DNS. Here I have used it as both Primary and Secondary because I don't have any other DNS server.
Primary DNS : 192.168.0.50
Secondary DNS : 192.168.0.50
Enter DNS IP Address
Click OK –> Save&Quit –> Quit.
19. After adding the Primary and Secondary DNS IP addresses, restart the network with the following command.
# /etc/init.d/network restart
20. Now access any website from the client machine and check for the cache on the unbound DNS server.
# elinks aol.com
# dig aol.com
Earlier we used to set up a DNS cache server using the bind package on RHEL and CentOS systems. Now we have seen how to set up a DNS cache server using the unbound package. Hopefully this will resolve your queries quicker than the bind package.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <connectionStrings>
    <add name="DBconnString" connectionString="Data Source=.;Initial Catalog=MyTest123456;User ID=sa;PassWord=123&456"/>
  </connectionStrings>
</configuration>
Display   Description              Entity name   Entity number
<         less than                &lt;          &#60;
>         greater than             &gt;          &#62;
&         ampersand                &amp;         &#38;
"         double quote             &quot;        &#34;
©         copyright                &copy;        &#169;
®         registered trademark     &reg;         &#174;
™         trademark (US)           &trade;       &#8482;
×         multiplication sign      &times;       &#215;
÷         division sign            &divide;      &#247;
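The App.config above is not well-formed XML: the `&` in `PassWord=123&456` starts an entity reference, which is exactly why the entity table matters. The following added example (not from the original post) shows the raw document failing to parse, then builds the same <connectionStrings> section with the attribute value escaped so that the application reads back the original password. The config text and the password value are constructed for the example; the password is a placeholder, not a real credential.

```python
"""Added example: why a raw '&' in an App.config attribute breaks the XML
parser, and how to escape it so the value round-trips through the parser."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample in the shape of the page's App.config; the password is a
# placeholder value, not a real credential.
RAW_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <connectionStrings>
    <add name="DBconnString"
         connectionString="Data Source=.;Initial Catalog=MyTest123456;User ID=sa;PassWord=123&456"/>
  </connectionStrings>
</configuration>
"""


def parses(xml_text: str) -> bool:
    """Return True if the document is well-formed XML, False if the parser rejects it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def build_connection_string(server: str, database: str, user: str, password: str) -> str:
    """Assemble an ADO.NET-style connection string from its parts (no escaping here;
    escaping is an XML concern and belongs where the value is written into XML)."""
    return f"Data Source={server};Initial Catalog={database};User ID={user};PassWord={password}"


def build_config(conn_name: str, conn_str: str) -> str:
    """Render the <connectionStrings> section with attribute values escaped.
    quoteattr() turns & into &amp;, < into &lt;, > into &gt; and handles quotes,
    which is the manual substitution the entity table describes."""
    return (
        '<?xml version="1.0" encoding="utf-8" ?>\n'
        '<configuration>\n'
        '  <connectionStrings>\n'
        f'    <add name={quoteattr(conn_name)} connectionString={quoteattr(conn_str)}/>\n'
        '  </connectionStrings>\n'
        '</configuration>\n'
    )


def read_connection_string(xml_text: str, conn_name: str):
    """Parse the config and return the decoded connectionString for conn_name,
    or None if no such entry exists. The parser decodes &amp; back to &."""
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        if add.get("name") == conn_name:
            return add.get("connectionString")
    return None


if __name__ == "__main__":
    print("raw config parses:", parses(RAW_CONFIG))
    conn = build_connection_string(".", "MyTest123456", "sa", "123&456")
    cfg = build_config("DBconnString", conn)
    print(cfg)
    print("escaped config parses:", parses(cfg))
    print("value read back:", read_connection_string(cfg, "DBconnString"))
```

The same rule applies to any other attribute that carries user-supplied or generated secrets: escape at the point where the value is written into XML, never by hand-editing the entity into the secret itself, and verify the file parses before deploying it.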