Several problems met when passing a mirror port straight through to a KVM guest

Because we run heavy BGP traffic, the inbound traffic on the Cisco router is mirrored to another port for Suricata to analyse. Passing that mirror port straight through to a KVM guest ran into the following problems.

The mirror port is a Te port carrying 10G of traffic. On the host, tcpdump sees all of it, but inside the KVM guest the traffic is intermittent and part of it is lost. The reason is simple: the bridge's aggregation and forwarding behaviour was not configured for a mirror feed. A bridge learns source MACs from the mirrored frames on the mirror port, so frames addressed to those MACs are "forwarded" back out the mirror port instead of to the guest's tap. Setting the ageing time to 0 disables learning so the bridge floods every frame to all ports, and setting the forward delay to 0 skips the listening/learning wait. Two commands solve it:

    brctl setageing br2 0
    brctl setfd br2 0

But how do we run those two lines automatically when the host boots? Easy. If the system is CentOS:

    cat <<EOF >> /sbin/ifup-local
    #!/bin/bash
    brctl setageing br2 0
    brctl setfd br2 0
    EOF
    chmod 755 /sbin/ifup-local

If the system is Ubuntu (the heredoc delimiter is quoted so that $IFACE is written to the script literally instead of being expanded when the file is created):

    cd /etc/network/if-up.d
    cat <<'EOF' >> br2-mirror
    #!/bin/bash
    if [ "$IFACE" = br2 ]; then
        brctl setageing br2 0
        brctl setfd br2 0
    fi
    EOF
    chmod +x br2-mirror

That solved it on the host. Inside the KVM guest (Ubuntu) another question came up: how do you bring an interface up without giving it an address?

    vi /etc/network/interfaces
    auto ens7
    iface ens7 inet manual
        mtu 1464
        up ifconfig ens7 up

Note that ens7 is the interface receiving the mirrored traffic, and the MTU is set because the mirror session on the Cisco was configured with a fixed MTU of 1464. For usage of the brctl command see: https://www.thegeekstuff.com/2017/06/brctl-bridge/ Over.

24 January 2024 · 1 minute · 74 words · 八戒

How to get out of a Fail2ban jail and add yourself to the whitelist

mouse's server is connected to all the core network devices, so it uses very strict IP restrictions, port restrictions and fail2ban to block unauthorised access. Unfortunately, I locked myself in the jail as well. How to get out? First check the ban status:

    fail2ban-client status
    Status
    |- Number of jail: 2
    `- Jail list: sshd, sshd-ddos

There are two jails, sshd and sshd-ddos. Look further:

    fail2ban-client status sshd

and there is my own address, banned. To unban it:

    fail2ban-client set sshd unbanip 103.108.236.5

Unbanning is only temporary; putting the address in the whitelist permanently is the reliable fix (jail.conf can be overwritten by package upgrades; the same key in jail.local survives them):

    vi /etc/fail2ban/jail.conf
    ignoreip = 103.108.236.5/32

Restart fail2ban:

    systemctl restart fail2ban

Done.

24 January 2024 · 1 minute · 42 words · 八戒

Configuring an OpenVPN server that provides an IPv6 tunnel over IPv4

First, a primer on IPv6 addresses. An IPv6 address is 128 bits long. The preferred notation is eight groups of digits separated by colons, each group being the hexadecimal value of one of the eight 16-bit parts. IPv6 addresses range from 0000:0000:0000:0000:0000:0000:0000:0000 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff. Besides the preferred form, an IPv6 address can be written in two short forms:

Omitting leading zeros: the address is written with the leading zeros of each group left out. For example, the IPv6 address 1050:0000:0000:0000:0005:0600:300c:326b can be written 1050:0:0:0:5:600:300c:326b.

Double colon: a run of zero groups is replaced by a double colon (::). For example, the IPv6 address ff06:0:0:0:0:0:0:c3 can be written ff06::c3. The double colon may be used only once in an address.

In a typical IPv6 network the subnet of a LAN is a /64, and an interface obtains its unique IPv6 address through NDP (the first 64 bits are the subnet prefix; the last 64 bits are usually derived from the interface's own MAC address).

Our scenario:
- the server's IPv4 address is 1.2.3.4
- the server's IPv6 address is aaaa:bbbb:cccc:dddd::/64
- both the IPv4 and the IPv6 address are on eth0
- the VPN assigns clients IPv6 addresses from aaaa:bbbb:cccc:dddd:80::/112 on interface tun0

The configuration goes as follows. First edit /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    ...
    net.ipv6.conf.all.forwarding=1
    net.ipv6.conf.all.proxy_ndp = 1
    ...
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv6.conf.all.accept_redirects = 0
    ...
    net.ipv4.conf.all.send_redirects = 0

Next, set up iptables so that the OpenVPN server SNATs the packets:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

or

    iptables -t nat -A POSTROUTING -s 10.11.0.0/16 -j SNAT --to 172.16.8.1

Edit the /etc/openvpn/variables file ...

24 January 2024 · 2 minutes · 297 words · 八戒

Recommended Tomcat access log format

Our Tomcat access log pattern is:

    pattern="%a|%A|%T|%{X-Forwarded-For}i|%l|%u|%t|%r|%s|%b|%{Referer}i|%{User-Agent}i " resolveHosts="false"/>

What do the codes mean?

    %a - Remote IP address
    %A - Local IP address
    %b - Bytes sent, excluding HTTP headers, or '-' if zero
    %B - Bytes sent, excluding HTTP headers
    %h - Remote host name (or IP address if resolveHosts is false)
    %H - Request protocol
    %l - Remote logical username from identd (always returns '-')
    %m - Request method (GET, POST, etc.)
    %p - Local port on which this request was received
    %q - Query string (prepended with a '?' if it exists)
    %r - First line of the request (method and request URI)
    %s - HTTP status code of the response
    %S - User session ID
    %t - Date and time, in Common Log Format
    %u - Remote user that was authenticated (if any), else '-'
    %U - Requested URL path
    %v - Local server name
    %D - Time taken to process the request, in millis
    %T - Time taken to process the request, in seconds
    %I - Current request thread name (can compare later with stacktraces)

In addition, request query parameters, session attribute values, cookie values and the values of HTTP request/response headers can also be written to the log file. ...
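A parser for exactly the pipe-delimited pattern shown above, as an added example that is not code from the original post. The sample lines are constructed for the example, the function and field names are my own, and the trusted-proxy list is an assumption you would fill in for your own deployment. Beyond splitting the fields, it shows two things the pattern makes easy to get wrong: the User-Agent is the last field and may itself contain "|", so only the first eleven separators are split on; and %a is the peer Tomcat actually saw while X-Forwarded-For is a header anyone can send, so the "client address" is taken from that header only for hops added by proxies you trust.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Field order follows the pattern from the post:
#   %a|%A|%T|%{X-Forwarded-For}i|%l|%u|%t|%r|%s|%b|%{Referer}i|%{User-Agent}i
FIELDS = ["remote_ip", "local_ip", "seconds", "x_forwarded_for", "ident",
          "auth_user", "timestamp", "request", "status", "bytes",
          "referer", "user_agent"]

# Constructed sample lines in that format (made up for this example, not real traffic).
# The pattern ends with a literal space after %{User-Agent}i, so each line does too.
SAMPLE_LINES = [
    "203.0.113.7|10.0.0.5|0.012|-|-|-|[24/Jan/2024:10:15:32 +0800]|GET /index.html HTTP/1.1|200|5120|-|Mozilla/5.0 (X11; Linux x86_64) ",
    "198.51.100.9|10.0.0.5|1.503|203.0.113.77, 10.0.0.1|-|alice|[24/Jan/2024:10:15:40 +0800]|POST /api/login HTTP/1.1|401|-|https://example.test/login|curl/8.4.0 ",
    "198.51.100.9|10.0.0.5|0.004|-|-|-|[24/Jan/2024:10:15:41 +0800]|GET /admin HTTP/1.1|404|-|-|weird|agent|with|pipes ",
]


@dataclass
class AccessRecord:
    remote_ip: str                 # %a: the peer Tomcat saw (a reverse proxy, if there is one)
    local_ip: str                  # %A
    seconds: float                 # %T
    x_forwarded_for: List[str]     # %{X-Forwarded-For}i, split into hops; [] when '-'
    ident: Optional[str]           # %l, always '-' -> None
    auth_user: Optional[str]       # %u
    timestamp: datetime            # %t, parsed with its UTC offset
    method: str                    # %r split into its three parts
    uri: str
    protocol: str
    status: int                    # %s
    bytes_sent: int                # %b, '-' means zero
    referer: Optional[str]         # %{Referer}i
    user_agent: Optional[str]      # %{User-Agent}i


def _dash(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_line(line: str) -> AccessRecord:
    line = line.rstrip("\r\n")
    if line.endswith(" "):                 # the literal trailing space of the pattern
        line = line[:-1]
    # maxsplit keeps any '|' inside the User-Agent (the last field) intact
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    xff = [hop.strip() for hop in f["x_forwarded_for"].split(",")] if f["x_forwarded_for"] != "-" else []
    req = f["request"].split(" ")
    method, uri, protocol = (req + ["", "", ""])[:3]   # tolerate malformed request lines
    return AccessRecord(
        remote_ip=f["remote_ip"],
        local_ip=f["local_ip"],
        seconds=float(f["seconds"]),
        x_forwarded_for=xff,
        ident=_dash(f["ident"]),
        auth_user=_dash(f["auth_user"]),
        timestamp=datetime.strptime(f["timestamp"], "[%d/%b/%Y:%H:%M:%S %z]"),
        method=method, uri=uri, protocol=protocol,
        status=int(f["status"]),
        bytes_sent=0 if f["bytes"] == "-" else int(f["bytes"]),
        referer=_dash(f["referer"]),
        user_agent=_dash(f["user_agent"]),
    )


def effective_client_ip(rec: AccessRecord, trusted_proxies: Iterable[str]) -> str:
    """Walk the XFF chain from the right, skipping hops we know are our own proxies;
    the first untrusted hop is the best available client address. If nothing in the
    header is believable, %a is returned, because that is the only address Tomcat verified."""
    trusted = set(trusted_proxies)
    chain = rec.x_forwarded_for + [rec.remote_ip]
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    return chain[0]


def failed_auth_by_client(lines: Iterable[str], trusted_proxies: Iterable[str]) -> Dict[str, int]:
    """Count 401/403 responses per effective client address, a simple brute-force signal."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec.status in (401, 403):
            ip = effective_client_ip(rec, trusted_proxies)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed trusted proxies for the sample: the load balancer (198.51.100.9) and an internal hop.
    print(failed_auth_by_client(SAMPLE_LINES, {"198.51.100.9", "10.0.0.1"}))
```

With an empty trusted-proxy set the third sample line's 404 and the second line's 401 are both attributed to 198.51.100.9, the only address Tomcat itself observed; trusting that proxy lets the count move to the address it forwarded. Blocking on the raw first X-Forwarded-For entry, by contrast, lets a client choose which address gets banned.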

24 January 2024 · 1 minute · 203 words · 八戒

Freelancer task 1: a multi-IP, multi-hop anonymous proxy with authentication

There is a proxy-setup job on Freelancer:

Project Description
Hi, I would like to create a new VPS proxy server with multiple IPs on the same VPS. Are you able to do that? What OS do you prefer?
- I have 10 IPs.
- I want them to be as anonymous as you can make them.
- I would have a username and password as auth, but if needed the possibility to have IP authentication too.
My budget is: ~20$
Thank you in advance.

Honestly, 10 IPs are unnecessary; one IP is enough, using Tor + polipo. ...

24 January 2024 · 2 minutes · 218 words · 八戒

Freelancer task 2: build a scramble-obfuscated OpenVPN

This one is odd. After looking into it carefully, the original author says:

I have created a patch which introduces some forms of scrambling to the packet payload of any OpenVPN connection. I have been successfully using the patch with Iranian and Chinese users for some time now.

So Iran is pretty bad too. Speechless. Given that OpenVPN cannot be set up at 森华易腾, it is unclear whether UDP port 1194 is blocked outright or OpenVPN is blocked at the protocol level; either way, it is shit.

In short, the patch obfuscates the OpenVPN protocol and adds one configuration option, scramble, with these parameters:

    scramble reverse              # reverse the transmitted data; usually this alone gets past the Chinese and Iranian detection
    scramble xorptrpos            # XOR the payload of each transmitted packet
    scramble obfuscate password   # stronger: reverse + XOR + password, all three combined; "password" is the password you choose

With this option it is recommended to set cipher none, since after scrambling there is no need to specify a cipher any more; besides, a cipher costs CPU, and scramble costs far less CPU than a cipher. (Bear in mind that scrambling is obfuscation aimed at DPI, not encryption: anyone who has the patch can undo the reverse or XOR transform, so with cipher none the tunnel payload is effectively in the clear.)

Let's try building one. This uses OpenVPN 2.4.4 and the matching patch. Download 2.4.4.zip and master.zip, then:

    #centos
    yum -y install unzip
    yum -y groupinstall "development tools"
    #ubuntu
    apt update
    apt install build-essential unzip
    unzip -x 2.4.4.zip
    unzip -x master.zip

Apply the patch: ...

24 January 2024 · 3 minutes · 587 words · 八戒

Freelancer task 3: Setup Proxy on VPS for Instagram

The task requirements are:
• Multiple subnets to avoid bans
• I need the proxies to have the ability of User:Pass
• Proxy needs to be Residential IPv6

A reference was also given: https://www.blackhatworld.com/seo/never-buy-proxies-again-setup-your-own-proxy-server.872539/

Hmm, quite interesting. Following the link he gave:

Step 1: go to LowEndBox.com or Webhostingtalk.com and find a VPS provider with a good reputation that can supply additional IPs; an extra IP usually costs $1 per month.

Step 2: buy a VPS with 1 GB RAM, 1 core and 100M bandwidth, and add 10 IPs. Such a VPS is typically $5 per month, plus $10 per month for 10 IPs, $15 per month in total, about 100 RMB, and you then have 11 usable IPs. Since this task needs multiple subnets, buy several machines from this provider in different locations, e.g. one in Los Angeles, one in Texas and one in New York, each with 10 extra IPs.

Step 3: install the proxy software. Download 3proxy:

    wget http://img.rendoumi.com/soft/3proxy/0.8.11.tar.gz
    tar zxvf 0.8.11.tar.gz

Compile and install:

    cd 3proxy-0.8.11
    sed -i 's/^prefix.*/prefix=\/usr\/local\/3proxy/' Makefile.Linux
    sed -i '/DENY.*/a #define ANONYMOUS 1' src/proxy.h
    make -f Makefile.Linux
    make -f Makefile.Linux install

Note that above I installed to /usr/local/3proxy; adjust as needed. Let's see what the configuration contains:

    cat cfg/3proxy.cfg.sample | grep -v ^# | grep -v ^$
    nserver 10.1.2.1
    nserver 10.2.2.2
    nscache 65536
    timeouts 1 5 30 60 180 1800 15 60
    users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
    service
    log c:\3proxy\logs\3proxy.log D
    logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
    archiver rar rar a -df -inul %A %F
    rotate 30
    auth iponly
    external 10.1.1.1
    internal 192.168.1.1
    auth none
    dnspr
    auth strong
    deny * * 127.0.0.1,192.168.1.1
    allow * * * 80-88,8080-8088 HTTP
    allow * * * 443,8443 HTTPS
    proxy -n
    auth none
    pop3p
    tcppm 25 mail.my.provider 25
    auth strong
    flush
    allow 3APA3A,test
    maxconn 20
    socks
    auth strong
    flush
    internal 127.0.0.1
    allow 3APA3A 127.0.0.1
    maxconn 3
    admin

A pile of useless configuration; strip it all out ...

24 January 2024 · 2 minutes · 266 words · 八戒

Freelancer task 4: querying users' browsing history with Squid

This requirement is also fairly simple: "User Browsing Log for Open VPN server". In short, users connect to his OpenVPN server and browse other sites through the Squid proxy on it; the special part is that he needs to see the users' HTTP and HTTPS browsing history. Squid runs as a transparent proxy, so it can capture the browsing records and provide caching at the same time.

The server is Ubuntu, and the Squid package installed by default has no SSL support, so it has to be rebuilt. Install the dependencies:

    sudo apt-get install build-essential fakeroot devscripts gawk gcc-multilib dpatch
    sudo apt-get build-dep squid3
    sudo apt-get build-dep openssl
    sudo apt-get install libssl-dev
    sudo apt-get source squid3

This downloads the Squid source and the Ubuntu modification package; unpack both:

    tar zxvf squid3_3.5.12.orig.tar.gz
    cd squid3-3.5.12
    tar xf ../squid3_3.5.12-1ubuntu7.5.debian.tar.xz

Modify the build parameters to add SSL support:

    vi debian/rules

Add --with-openssl --enable-ssl --enable-ssl-crtd under the DEB_CONFIGURE_EXTRA_FLAGS section:

    DEB_CONFIGURE_EXTRA_FLAGS := BUILDCXXFLAGS="$(CXXFLAGS) $(LDFLAGS)" \
    ...
        --with-default-user=proxy \
        --with-openssl \
        --enable-ssl \
        --enable-ssl-crtd
    ...

Build; this produces 7 deb packages ...

24 January 2024 · 4 minutes · 662 words · 八戒

Freelancer task 5: a multi-link bonded VPN

This task is interesting. The task description:

we need a set of vpn server / client programmed for embedded linux (or windows) to bond multiple 4g lte modems or wifi connections and stitch them back together on server side to stream video feeds. the connection must be stable and have the maximum available bandwidth with no drop in some connection drops. similar to service called SPEEDIFY (but it doesn't work well) this can be also achieved by splitting video packets and sending them through different links and stitching the video packets back on the server side.

In short, his side is very likely an embedded system, a Raspberry Pi, NanoPi or the like, with 4G modems attached, and he wants to bond the links to upload streaming video. ...

24 January 2024 · 1 minute · 98 words · 八戒

Freelancer task 6: Compile an ipk file on LEDE (OpenWRT)

This was a failed task, and it would fail again if I did it over, because it cannot be verified; really shit, and I was charged $10 in fees. Recording it here as a lesson.

The task:

Job would be to compile an ipk file of SHC that would work with LEDE OS (openwrt) and the processor used in our system - will provide details. SHC can be downloaded here: http://www.datsi.fi.upm.es/~frosal/ I think you must have a 64 bit system to use the SDK to compile the file

In translation: compile SHC for the OpenWRT platform so that it works. The complete steps:

How to compile SHC on LEDE:

Tested build environment:
OS: Ubuntu 14.04.5 LTS
CPU: ARMv7 Processor rev 5 (v7l)

Before you begin, check your system is updated, i.e.

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get autoremove

Step-by-step manual:
Note: perform all steps as a regular (non-root) user. The user must be in the sudo group.

1. Update your sources

    sudo apt-get update

2. Install the necessary packages:

    sudo apt-get install g++ libncurses5-dev zlib1g-dev bison flex unzip autoconf gawk make gettext gcc binutils patch bzip2 libz-dev asciidoc subversion sphinxsearch libtool sphinx-common libssl-dev libssl0.9.8

3. Get the latest LEDE source from the git repository. We know our CPU is armv7, it belongs to arm64, so go to http://downloads.lede-project.org/releases and just download the SDK.

    wget http://downloads.lede-project.org/releases/17.01.4/targets/arm64/generic/lede-sdk-17.01.4-arm64_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz

4. No need to update and install all LEDE packages. We just want to compile shc, not other packages, so don't update.

5. Run 'make menuconfig' (just Save and Exit).

6. Get the SHC sources into the LEDE package tree (we are in the SDK source directory and shc-3.8.9b.tgz is downloaded there):

    wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz
    mkdir -p package/shc/src
    tar xvf shc-3.8.9b.tgz -C package/shc/src --strip-components 1

7. Make the ipk Makefile:

    vi package/shc/Makefile

    ##############################################
    # OpenWrt Makefile for shc program
    #
    #
    # Most of the variables used here are defined in
    # the include directives below. We just need to
    # specify a basic description of the package,
    # where to build our program, where to find
    # the source files, and where to install the
    # compiled program on the router.
    #
    # Be very careful of spacing in this file.
    # Indents should be tabs, not spaces, and
    # there should be no trailing whitespace in
    # lines that are not commented.
    #
    ##############################################

    include $(TOPDIR)/rules.mk

    # Name and release number of this package
    PKG_NAME:=shc
    PKG_VERSION:=3.8.9b
    PKG_MAINTAINER:=Francisco, Rosales, <frosal@fi.upm.es>

    # This specifies the directory where we're going to build the program.
    # The root build directory, $(BUILD_DIR), is by default the build_mipsel
    # directory in your OpenWrt SDK directory
    PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)

    include $(INCLUDE_DIR)/package.mk

    # Specify package information for this program.
    # The variables defined here should be self explanatory.
    # If you are running Kamikaze, delete the DESCRIPTION
    # variable below and uncomment the Kamikaze define
    # directive for the description below
    define Package/$(PKG_NAME)
    	SECTION:=utils
    	CATEGORY:=Utilities
    	TITLE:= shc ---- This tool generates a stripped binary executable version of the script specified at command line.
    	URL:=http://www.datsi.fi.upm.es/~frosal
    endef

    # Uncomment portion below for Kamikaze and delete DESCRIPTION variable above
    define Package/$(PKG_NAME)/description
    	shc ---- This tool generates a stripped binary executable version of the script specified at command line.
    endef

    # Specify what needs to be done to prepare for building the package.
    # In our case, we need to copy the source files to the build directory.
    # This is NOT the default. The default uses the PKG_SOURCE_URL and the
    # PKG_SOURCE which is not defined here to download the source from the web.
    # In order to just build a simple program that we have just written, it is
    # much easier to do it this way.
    define Build/Prepare
    	mkdir -p $(PKG_BUILD_DIR)
    	$(CP) ./src/* $(PKG_BUILD_DIR)/
    endef

    # We do not need to define Build/Configure or Build/Compile directives
    # The defaults are appropriate for compiling a simple program such as this one

    # Specify where and how to install the program. Since we only have one file,
    # the helloworld executable, install it by copying it to the /bin directory on
    # the router. The $(1) variable represents the root directory on the router running
    # OpenWrt. The $(INSTALL_DIR) variable contains a command to prepare the install
    # directory if it does not already exist. Likewise $(INSTALL_BIN) contains the
    # command to copy the binary file from its current location (in our case the build
    # directory) to the install directory.
    define Package/$(PKG_NAME)/install
    	$(INSTALL_DIR) $(1)/bin
    	$(INSTALL_BIN) $(PKG_BUILD_DIR)/shc $(1)/bin/
    endef

    # This line executes the necessary commands to compile our program.
    # The above define directives specify all the information needed, but this
    # line calls BuildPackage which in turn actually uses this information to
    # build a package.
    $(eval $(call BuildPackage,$(PKG_NAME)))

8. Compile the shc ipk without errors:

    make package/shc/compile V=99

9. The build completes without errors. Now we have:
binary packages directory: source/bin/packages/aarch64_armv8-a/
[SHC_BIN] = ./bin/packages/aarch64_armv8-a/base/shc_3.8.9b_aarch64_armv8-a.ipk

10. Copy and install the SHC .ipk to the LEDE device (the package was copied to /tmp, so install it from there):

    scp shc_3.8.9b_aarch64_armv8-a.ipk root@<LEDE device IP address or name>:/tmp/
    ssh root@<LEDE device IP address or name>   #IP usually 192.168.1.1
    opkg install /tmp/shc_3.8.9b_aarch64_armv8-a.ipk

11. Create a test script and compile it to an executable (in the LEDE shell):

    ssh root@<LEDE device IP address or name>   #IP usually 192.168.1.1
    vi /tmp/1.sh
    #!/bin/sh
    echo "hahahaha"

    shc -v -f /tmp/1.sh
    /tmp/1.sh.x

There are a few points to watch out for here. One is that many tutorials online start straight off with ...

24 January 2024 · 5 minutes · 876 words · 八戒