jq筆記

解析帶 - 名稱

echo { \"host\": \"host\", \"host-name\": \"host-name\" } |jq  '.["host-name"]'

jsan.txt
{
  "result": {
  "host": "host", "host-name": "host-name0"
  },
  "host": "host", "host-name": "host-name1"
}

cat jsan.txt | jq '.["host-name"]'
cat jsan.txt | jq '.result["host-name"]'

Windows 10 的遠端伺服器管理工具(RSAT)

下載
https://www.microsoft.com/zh-tw/download/details.aspx?id=45520&msockid=1cc89087a3bc684704e9853ea2f06919

安裝
應用程式->選用功能->檢視功能

Powershell 相關指令
Get-WindowsCapability -Online -Name RSAT*
Add-WindowsCapability –Online –Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Remove-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

執行
以管理者身分執行終端機

runas /netonly /user:tpha\administrator "mmc /server=dc-ip"

額外說明
不用加入網域

PHP $_SERVER['HTTP_REFERER'] 摘要

說明：
$_SERVER[‘HTTP_REFERER’] 來源於瀏覽器，不是所有都會設置且部份支援手動修改。

以下狀況會無效：
直接輸入網址訪問該網頁。
Javascript 打開的網址、重定向（window.location）網址及 FLASH 中的鏈接。
PHP header 或 meta refresh重定向的網址。
瀏覽器未加設置或修改

一般生效狀況：
<a></a>超鏈結
POST
GET

Debian12 Samba-Tool 移除 domain controller

登入移除要移除的 samba dc
samba-tool domain demote -Uadministrator

登入主要 samba dc
samba-tool domain demote --remove-other-dead-server=<上述移除 dc 主機名 windows-ad>

Debian 12 安裝 RustDesk Server

apt update;apt upgrade -y
apt install -y sudo wget

設定執行帳號及群組
export RUSTDESK=rustdesk

groupadd ${RUSTDESK}
useradd ${RUSTDESK} -g ${RUSTDESK} -m -r
usermod -aG sudo ${RUSTDESK}
passwd ${RUSTDESK}

安裝 rustdesk server
su - ${RUSTDESK}
cd
wget https://raw.githubusercontent.com/techahold/rustdeskinstall/master/install.sh
chmod a+x install.sh
./install.sh 

相關檔案、服務
/opt/rustdesk
rustdeskrelay.service   
rustdesksignal.service
/etc/systemd/system/rustdeskrelay.service
/etc/systemd/system/rustdesksignal.service 

/opt/gohttp
gohttpserver.service       
/etc/systemd/system/gohttpserver.service

/var/log/rustdesk

防火牆設定
21115-21119/tcp
8000/tcp
21116/udp

Debian 12 simplescreenrecorder 使用摘要

安裝
apt install simplescreenrecorder

使用範例
#!/bin/bash
export DISPLAY=:0.0;
while :;do sudo -u user simplescreenrecorder  --no-systray  --start-hidden  --start-recording;done

QXcbClipboard: SelectionRequest too old

export QT_LOGGING_RULES="qt.qpa.xcb.xcberror=false"
export QT_LOGGING_RULES="qt.qpa.xcb.*=false"
export QT_LOGGING_RULES="qt.qpa.*=false" 

export QT_LOGGING_RULES="*=false"

Squashfs + LUKS 設定摘要

#!/bin/bash

OVERHEAD=32768

YOUR_PASSPHRASE=12345
SQUASHFS_IMG="/tmp/a.sqfs"
LUKS_IMG="/tmp/cryptbackupluks.img"

LOOP_DEV="/dev/loop0"
MAPPER_NAME="secretfs"

rm ${LUKS_IMG};
BLOCKCOUNT=$(du --block-size=512 "$SQUASHFS_IMG" | cut -f1)
dd if=/dev/zero of="$LUKS_IMG" bs=512 count=1 seek=$(($BLOCKCOUNT + $OVERHEAD))

losetup ${LOOP_DEV} ${LUKS_IMG}

#cryptsetup -y luksFormat ${LOOP_DEV}
#cryptsetup luksOpen ${LOOP_DEV} ${MAPPER_NAME}

cryptsetup luksFormat --type luks2 ${LOOP_DEV} <<< ${YOUR_PASSPHRASE} ||exit $?
#cryptsetup luksFormat ${LOOP_DEV} <<< ${YOUR_PASSPHRASE} ||exit $?
cryptsetup luksOpen ${LOOP_DEV} ${MAPPER_NAME} <<< ${YOUR_PASSPHRASE} ||exit $?

echo =================================
dd if=${SQUASHFS_IMG} of=/dev/mapper/${MAPPER_NAME} status=progress

 cryptsetup luksClose ${MAPPER_NAME}
losetup -d ${LOOP_DEV}

Linux 使用 GRE Tunnel 範例

HOST_A_IP=192.168.6.124
HOST_B_IP=192.168.6.127
HOST_A_PRIV_IP_GRE=10.0.0.124
HOST_B_PRIV_IP_GRE=10.0.0.127
GRE_INFC=gre1

HOST A執行
ip tunnel add ${GRE_INFC} mode gre remote ${HOST_B_IP} local ${HOST_A_IP} ttl 25
ip addr add ${HOST_A_PRIV_IP_GRE}/30 dev ${GRE_INFC}
ip link set dev ${GRE_INFC} up
iptables -t nat -A POSTROUTING -s ${HOST_B_PRIV_IP_GRE} ! -o gre+ -j SNAT --to-source ${HOST_A_IP}

echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from ${HOST_A_PRIV_IP_GRE}/32 table GRE
ip route add default via ${HOST_B_PRIV_IP_GRE} table GRE

HOST B 執行
sysctl -w net.ipv4.ip_forward=1
ip tunnel add gre1 mode gre remote ${HOST_A_IP} local ${HOST_B_IP} ttl 225
ip addr add ${HOST_B_PRIV_IP_GRE}/30 dev ${GRE_INFC}
ip link set dev ${GRE_INFC} up
iptables -t nat -A POSTROUTING -s ${HOST_B_PRIV_IP_GRE} ! -o gre+ -j SNAT --to-source ${HOST_B_IP}

echo '100 GRE' >> /etc/iproute2/rt_tables
ip rule add from ${HOST_B_PRIV_IP_GRE}/32 table GRE
ip route add default via ${HOST_A_PRIV_IP_GRE} table GRE

Linux 刪除 GRE Tunnel 相關網路裝置

刪除 GRE Tunnel 相關網路裝置
gre0@NONE
gretap0@NONE
erspan0@NONE

移除相關模組
rmmod ip_gre

Linux 檢測虛擬化類型

systemd-detect-virt

dmidecode -s system-product-name

dmesg | grep -i virtual
dmesg | grep -i xen

lshw -class system

如何確認 Wayland 或 X11

echo $XDG_SESSION_TYPE

loginctl show-session $(loginctl | grep $(whoami) | awk '{print $1}') -p Type

For Wayland:
ps aux | grep [w]ayland

For X11:
ps aux | grep [X]

WSL 無法執行 Systemd

錯誤訊息
System has not been booted with systemd as init system (PID 1). Can't operate.

編輯 /etc/wsl.conf 添加以下內容：
[boot]
systemd=true

Proxmox VE qm 設定 額外參數範例

qm set 200 --args "-device e1000,mac=AA:AA:AA:AA:AA:AA,netdev=net1,bus=pci.0,addr=0x13,id=net1,bootindex=100 -netdev user,id=net1,net=192.168.128.0/24,tftp=/tmp/ipxe,bootfile=/autoexec.ipxe"

Proxmox VE hookscript 範例

#!/bin/bash
# Exmple hook script for PVE guests (hookscript config option)
# You can set this via pct/qm with
# pct set <vmid> -hookscript <volume-id>
# qm set <vmid> -hookscript <volume-id>
# where <volume-id> has to be an executable file in the snippets folder
# of any storage with directories e.g.:
# qm set 100 -hookscript local:snippets/hookscript.sh
# chmod a+x /var/lib/vz/snippets/hookscript.sh
# $1 vmid
# $2 status

[ "$2" = "pre-start"  ]&& { date +"%Y-%m-%d %H:%M:%S $1 pre-start" >>/tmp/d;exit 0; }
[ "$2" = "post-start" ]&& { date +"%Y-%m-%d %H:%M:%S $1 post-start">>/tmp/d;exit 0; }
[ "$2" = "pre-stop"   ]&& { date +"%Y-%m-%d %H:%M:%S $1 pre-stop"  >>/tmp/d;exit 0; }
[ "$2" = "post-stop"  ]&& { date +"%Y-%m-%d %H:%M:%S $1 post-stop" >>/tmp/d;exit 0; }

exit 0

解開 proxmox ve 8.x initrd

 zstd -d initrd.img -c |cpio -idm

ipxe + BIOS + UEFI

TFTP server ip 
192.168.9.200

dnsmasq pxe 設定參考
dhcp-option=vendor:PXEClient,6,2b

dhcp-no-override
dhcp-match=set:ipxe-http,175,19
dhcp-match=set:ipxe-https,175,20
dhcp-match=set:ipxe-menu,175,39
dhcp-match=set:ipxe-pxe,175,33
dhcp-match=set:ipxe-bzimage,175,24
dhcp-match=set:ipxe-iscsi,175,17
dhcp-match=set:ipxe-efi,175,36

tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-pxe,tag:ipxe-bzimage
tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-efi

pxe-service=tag:!ipxe-ok,X86PC,BIOS,o/undionly.kpxe,192.168.9.200
pxe-service=tag:!ipxe-ok,IA32_EFI,IA32_EFI,o/snponlyx32.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,BC_EFI,BC_EFI,o/ipxe.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,X86-64_EFI,EFI,o/ipxe.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,X86-64_EFI,EFI0,o/ipxe.efi,192.168.9.200
pxe-prompt=EFI,0

#pxe-service=0, "PXELINUX (0000-BIOS)", "bios/lpxelinux.0"
#pxe-service=1, "PXELINUX (0001-EFI)", "efi64/syslinux.efi"
#pxe-service=2, "PXELINUX (0002-EFI)", "efi64/syslinux.efi"
#pxe-service=3, "PXELINUX (0003-EFI)", "efi64/syslinux.efi"
#pxe-service=4, "PXELINUX (0004-EFI)", "efi64/syslinux.efi"
#pxe-service=5, "PXELINUX (0005-EFI)", "efi64/syslinux.efi"
#pxe-service=6, "PXELINUX (0006-EFI)", "efi64/syslinux.efi"
#pxe-service=7, "PXELINUX (0007-EFI)", o/ipxe.efi,192.168.9.200
#pxe-service=8, "PXELINUX (0008-EFI)", "efi64/syslinux.efi"
#pxe-service=9, "PXELINUX (0009-EFI)", "efi64/syslinux.efi"

#dhcp-boot=tag:ipxe-ok,o/autoexec.ipxe,pxeserver,192.168.9.200
#dhcp-boot=tag:ipxe-ok,http://192.168.9.200/tftp/o/autoexec.ipxe,,
dhcp-boot=tag:ipxe-ok,o/autoexec.ipxe,pxeserver,192.168.9.200

autoexec.ipxe 參考內容
#!ipxe
sleep 100
config

相關檔案
https://boot.ipxe.org/
https://boot.ipxe.org/ipxe.efi
https://boot.ipxe.org/undionly.kpxe
https://boot.ipxe.org/snponly.efi

Windows 11 安裝略過網路設定、使用本機帳號

 Shift + F10 命令提示字元的視窗 

輸入 oobe\bypassnro

X Window 安裝 VPN 管理工具

apt-get install network-manager-pptp
apt-get install network-manager-pptp-gnome

LEAF 使用 SNMPD

 安裝 netsnmpd.lrp

編輯 /etc/snmp/snmpd.conf 加入
rocommunity public  192.168.0.0/16
extend hardware "/bin/cat /sys/devices/virtual/dmi/id/product_name"
extend manufacturer "/bin/cat /sys/devices/virtual/dmi/id/sys_vendor"
extend distro "/usr/bin/tail -n 1 /etc/issue"

Proxmox VE8 啟用 SNMP

 apt install libpve-apiclient-perl 

cat >/etc/snmp/cat_serial <<EOF
#!/bin/bash
/bin/cat /sys/devices/virtual/dmi/id/product_serial
EOF

wget https://raw.githubusercontent.com/librenms/librenms-agent/master/agent-local/proxmox -O /etc/snmp/proxmox

wget -O /etc/snmp/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /etc/snmp/distro

chmod a+x /etc/snmp/proxmox /etc/snmp/cat_serial

編輯 /etc/snmp/snmpd.conf
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.$(date +%Y%m%d-%H%M%S)

cat >/etc/snmp/snmpd.conf <<EOF
# Change RANDOMSTRINGGOESHERE to your preferred SNMP community string
com2sec readonly  default         RANDOMSTRINGGOESHERE
group MyROGroup v2c        readonly
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact  all    none   none
syslocation ROOM 110
syscontact email <email@mail>

#OS Distribution Detection
#extend distro /usr/bin/distro
#Hardware Detection

# (uncomment for x86 platforms)
extend manufacturer '/bin/cat /sys/devices/virtual/dmi/id/sys_vendor'
extend hardware '/bin/cat /sys/devices/virtual/dmi/id/product_name'
#extend serial '/bin/cat /sys/devices/virtual/dmi/id/product_serial'

# (uncomment for ARM platforms)
#extend hardware '/bin/cat /sys/firmware/devicetree/base/model'
#extend serial '/bin/cat /sys/firmware/devicetree/base/serial-number'

extend distro /etc/snmp/distro
extend proxmox  "/usr/bin/sudo /etc/snmp/proxmox"
extend serial   "/usr/bin/sudo /etc/snmp/cat_serial"
EOF

編輯 /etc/sudoers  加入
Debian-snmp     ALL=(ALL) NOPASSWD: /etc/snmp/proxmox
Debian-snmp     ALL=(ALL) NOPASSWD: /etc/snmp/cat_serial

Proxmox ve 叢集移除節點

systemctl stop pve-cluster corosync
pmxcfs -l
rm -r /etc/corosync/*
rm /etc/pve/corosync.conf
killall pmxcfs
systemctl start pve-cluster

Neighbour table overflow

查詢狀態
arp -an|wc -l

grep . /proc/sys/net/ipv4/neigh/default/gc_thresh*
/proc/sys/net/ipv4/neigh/default/gc_thresh1:512
/proc/sys/net/ipv4/neigh/default/gc_thresh2:4096
/proc/sys/net/ipv4/neigh/default/gc_thresh3:8192

解决方法：
echo 60   > /proc/sys/net/ipv4/neigh/default/gc_stale_time
echo 512  > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

echo "net.ipv4.neigh.default.gc_thresh1 = 512"  >> /etc/sysctl.conf
echo "net.ipv4.neigh.default.gc_thresh2 = 2048" >> /etc/sysctl.conf
echo "net.ipv4.neigh.default.gc_thresh3 = 4096" >> /etc/sysctl.conf
sysctl -p

Proxmox VE Host 掛載 VM Disk (ZFS )

 /dev/zvol/rpool/data

dnsmasq dhcp-script 設定摘要

dnsmasq.conf 設定
dhcp-script=/tmp/rule.sh

/tmp/rule.sh 內容
#!/bin/sh

cmd="$1"
mac="$2"
ip="$3"
hostname="$4"

set >/tmp/rule.txt
echo $cmd $mac $ip $hostname >>/tmp/rule.txt

pi 400 as keyboard

編輯/boot/config.txt 添加
dtoverlay=dwc2
sudo modprobe libcomposite

編譯
sudo apt install libconfig-dev git cmake
git clone https://github.com/Gadgetoid/pi400kb
cd pi400kb
git submodule update --init
mkdir build
cd build
cmake ..
make

執行 
sudo modprobe libcomposite
sudo ./pi400kb 

Ctrl + Raspberry 本機使用和 USB 間切換
Ctrl + Shift + Raspberry 退出

Debian 12 開啟 serial port console

 systemctl start serial-getty@ttyS0.service

The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key

 apt-key adv --fetch-keys https://packages.sury.org/php/apt.gpg

Linux 密碼相關 PAM及設定

PAM 相關模組
pam_pwquality 密碼品質檢查
pam_faillock 封鎖、解鎖登入失敗帳號
pam_pwhistory 密碼歷史記錄

相關檔案
/etc/login.defs 設定密碼使用期限

Debian 12 pam_faillock.so 設定

 編輯 /etc/pam.d/common-auth
# faillock
auth    requisite                       pam_faillock.so preauth
auth    [success=1 default=ignore]      pam_unix.so nullok
# faillock
auth    [default=die]                   pam_faillock.so authfail
auth    sufficient                      pam_faillock.so authsucc
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

編輯 /etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
# faillock
account required      pam_faillock.so

編輯 /etc/security/faillock.conf
# 登入失敗記錄儲存位置
dir = /var/run/faillock

# 記錄不存在帳號
audit

# 不輸出訊息
silent

# syslog 不記錄
no_log_info

# 只追蹤本機使用者
local_users_only

# 若 180 秒內連續 5 次登入失敗，則封鎖帳號
deny = 5
fail_interval = 180

# 帳號封鎖後，900 秒才開放
unlock_time = 900

#  root 納入監控對象
even_deny_root

# root 封鎖後， 900 秒才開放
root_unlock_time = 900

# 管理者群組（成員視同 root 帳號）
admin_group = adm

相關指令-查詢認證失敗的記錄
faillock
faillock --user user --reset

Debian 12 安裝 polkitd異常

錯誤訊息
Failed to check if group polkitd already exists: Connection refused
id: 'polkitd': no such user
chown: invalid user: 'polkitd:root'

解決方式
addgroup polkitd
apt install polkitd

Proxmox VE SDN錯誤 WARN: missing 'source /etc/network/interfaces.d/sdn' directive for SDN support!

編輯 /etc/network/interfaces  加入
source /etc/network/interfaces.d/*

Debian 12 安裝 ZFS

編輯 /etc/apt/sources.list
deb http://deb.debian.org/debian bookworm main non-free non-free-firmware contrib
deb http://deb.debian.org/debian bookworm-updates main non-free non-free-firmware contrib
deb http://deb.debian.org/debian-security/ bookworm-security main non-free non-free-firmware contrib

執行
apt update
apt install linux-headers-amd64 zfsutils-linux zfs-dkms zfs-zed

Debian 12 Apache2 automatically redirect HTTP to HTTPS on Apache servers

 sudo a2enmod rewrite

修改 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

列出 sss 所有帳號

編輯 /etc/sssd/sssd.conf 加入
enumerate = true

指令
getent -s files passwd
getent -s sss   passwd
getent          passwd

X Window 錯誤訊息 Failed to execute child process dbus-launch

apt install dbus-x11

Proxmox Kernel upgrade gets No space left on device

方法一
mkdir /tmp/myesp
cat /etc/kernel/proxmox-boot-uuids
mount  /dev/disk/by-uuid/$(cat /etc/kernel/proxmox-boot-uuids) /tmp/myesp

rm /tmp/myesp/*-pve
umount /tmp/myesp

方法二
:> /boot/file

git ssh server 無法更新

錯誤訊息
remote: error: refusing to update checked out branch: refs/heads/master

git config --bool core.bare true

Debian bash 設定自動登出

cat >/etc/profile.d/autologout.sh <<EOF
#!/bin/bash
export TMOUT=3600
EOF

SSH相關設定 
編輯 /etc/ssh/sshd_config
ClientAliveInterval 3600
ClientAliveCountMax 0

Logrotate 因為父目錄權限而執行失敗

錯誤訊息
because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

修改設定檔
/etc/logrotate.conf
/etc/logrotate.d/*

加入 su root root 設定

Debian 12 Python WARNING: Using password on command line is insecure. Please install the setproctitle python module.

apt install pip
pip install setproctitle --break-system-packages

Debian 12 Xfce4 set this file as trusted

 gio set -t string "$f" metadata::xfce-exe-checksum "$(sha256sum "$f" | awk '{print $1}')"

Debian 12 使用 minio

wget https://dl.min.io/server/minio/release/linux-amd64/minio

chmod +x minio

MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=password ./minio server /tmp/minio --console-address ":4501" --address :4500

Debian 12 使用 S3FS筆記

# 安裝s3fs
apt install s3fs -y

# 將S3憑證存到指定檔案中
echo ACCESS_KEY_ID:SECRET_ACCESS_KEY > ./password

# 調整檔案權限
chmod 600 ./password

指令參考
s3fs test /mnt2 \
  -o passwd_file=./password \
  -o url=http://192.168.6.9:4500 \
  -o dbglevel=info \
  -o allow_other \
  -o use_path_request_style \
  -f -o curldbg  \

logname, $LOGNAME, $USER 差別

echo $(logname) $LOGNAME $USER
user user user 

su -
user root root

Debian 12 XFce 多媒體相關套件

apt remove exfalso parole
apt remove pulseaudio pulseaudio-utils xfce4-pulseaudio-plugin pavucontrol xfburn

Debian Xfce panel 預設啟動目錄

 /usr/share/xfce4/panel/plugins

Debian 12 join Windows AD

apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit  krb5-user

錯誤訊息 Couldn't get kerberos ticket for: Administrator Cannot contact any KDC for realm
檢查網路及主機名稱

Debian 12 Apache2 mod_security

安裝
apt install -y libapache2-mod-security2
a2enmod security2

設定 ModSecurity 設定檔 /etc/modsecurity/modsecurity.conf
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
將 SecRuleEngine 的 DetectionOnly 改成 On

設定 OWASP ModSecurity 核心規則集
mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

設定 預設請求排除規則檔案
mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

在 Apache 2 中啟用 ModSecurity 修改 /etc/apache2/mods-available/security2.conf
<IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        IncludeOptional /usr/share/modsecurity-crs/crs-setup.conf
        IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>

編輯虛擬主機設定檔，設定 SecRuleEngine 為 On
<VirtualHost *:443>
    SecRuleEngine On
</VirtualHost>

systemctl restart apache2

相關指令
apache2ctl -M

測試
curl http://127.0.0.1/index.html?exec=/bin/bash
curl -k https://127.0.0.1/index.html?exec=/bin/bash

Apache2 mod_evasive 防止 DDoS 攻擊

安裝
apt install libapache2-mod-evasive
a2enmod evasive

編輯 /etc/apache2/mods-available/evasive.conf

mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive
systemctl reload apache2

相關指令
apache2ctl -M

Debian 12 停用 gvfs-udisks2-volume-monitor.service

單一帳號
systemctl --user stop gvfs-udisks2-volume-monitor.service
systemctl --user disable gvfs-udisks2-volume-monitor.service
systemctl --user mask  gvfs-udisks2-volume-monitor.service  

所有帳號
mv /usr/share/dbus-1/services/org.gtk.vfs.UDisks2VolumeMonitor.service /usr/share/dbus-1/services/org.gtk.vfs.UDisks2VolumeMonitor.service.bak

crontab 使用 openpbs qsub

. /etc/profile
echo sleep 100 |qsub -k eo

相關指令
set server acl_roots = root

Google chrome 匯入 PGP

 wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Debian 10 使用 proxmox-backup-client

ldd `which proxmox-backup-client` patchelf --set-rpath '$ORIGIN' proxmox-backup-client

patchelf --set-interpreter /opt/proxmox-backup-client/ld-linux-x86-64.so.2 proxmox-backup-client

OpenPBS 查詢歷史紀錄

相關指令
qstat -x -u user

相關訊息 
qstat: PBS is not configured to maintain job history

設定指令
qmgr -c "s s job_history_enable=1"    #開啟
qmgr -c "s s job_history_enable=0"    #關閉  set server job_history_enable=0

Debian 12 安裝 OpenPBS(version = 23.06.06)

運算管理節點安裝必要套件
apt install expat libedit2 postgresql python3 postgresql-contrib sendmail-bin tcl tk libical3 postgresql-server-dev-all libhwloc-dev

編輯環境設定
sudo apt install -y gcc make libtool libhwloc-dev libx11-dev \
      libxt-dev libedit-dev libical-dev ncurses-dev perl \
      postgresql-server-dev-all postgresql-contrib python3-dev tcl-dev tk-dev swig \
      libexpat-dev libssl-dev libxext-dev libxft-dev autoconf \
      automake g++ libcjson-dev

sudo apt install -y git
git clone https://github.com/openpbs/openpbs.git
cd openpbs
sudo mkdir -p /opt/pbs

./autogen.sh
./configure -prefix=/opt/pbs
make

安裝設定
sudo make install
sudo /opt/pbs/libexec/pbs_postinstall

sudo chmod 4755 /opt/pbs/sbin/pbs_iff /opt/pbs/sbin/pbs_rcp

設定角色
編輯 /etc/pbs.conf
systemctl enable pbs
systemctl restart pbs

相關設定檔及指令
Qmgr: set server flatuid = True
Qmgr: set server query_other_jobs = True

pbsnodes -a
qmgr -c "print server"
qmgr -c "create node work01"
pbs_hostn -v servernode

echo 'sleep 60' | qsub

/etc/hosts
/etc/pbs.conf
/opt/pbs/etc/pbs.sh

參考
https://github.com/openpbs/openpbs/blob/master/INSTALL

R 套件 Pgirmess 安裝

Debian 11 相關套件
apt install  libudunits2-dev libgdal-dev libproj-dev 

pgirmess R 安裝指令如下
install.packages('sf', repos='https://cran.r-project.org/r')
install.packages('spdep', repos='https://cran.r-project.org/r')
install.packages('pgirmess', repos='https://cran.r-project.org/r')

注意 libproj-dev libgdal-dev 版本

samba-tool:WARNING: Using password on command line is insecure. Please install the setproctitle python module.

WARNING: Using password on command line is insecure. Please install the setproctitle python module.

mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk
pip install setproctitle --root-user-action=ignore

Python:WARNING: Running pip as the 'root' user

WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

pip install --root-user-action=ignore

email 通知硬碟狀況

#!/bin/bash
# 2024-04-23
# busybox sendmail
# https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/

mta="busybox sendmail "
S=email.server
f="from<user@email.loc>"
t="to<user@email.loc>"

ema(){ local t;t=${1##*\<};t=${t%%\>};echo $t; }
ips(){ ip a|grep "inet "|grep -v 127.0.0.1|awk '{print $2}'; }
hdds(){ lsblk -l |grep " disk "|awk '{print $1}'; }

s="$(date) <`ips` $(hostname)>"

cat <<EOF | ${mta} -f $(ema ${f}) -t "$(ema ${t})" -S ${S}
Subject: ${s}
CC:
To: ${t}
From: ${f}

$(date)
Disk Usage ====================================================
$(df -h 2>&1)

MD stat =======================================================
$(cat /proc/mdstat)

ZFS stat ======================================================
$(zpool status 2>&1)

HDD Smart stat ================================================
`for i in $(hdds);do echo /dev/${i} @@@@@@@@@;smartctl -H /dev/${i} 2>&1;done`

EOF

XRDP管理筆記

查詢xrdp 相關process
#!/bin/bash
for i in $(ps --no-header -o pid -C xrdp-sesman);do
ps -o ppid,pid,uid,user:16,cmd --ppid ${i}
done

相關指令
xrdp-sesadmin -u=root -s=localhost -c=list

相關檔案
/etc/xrdp/sesman.ini    #設定 ListenPort，ReconnectScript，MaxSessions
/etc/xrdp/xrdp.ini

time chrony 設定 ntp server

1.編輯 /etc/chrony/chrony.conf 
加入 server a.b.c.d iburst

2.重啟服務
systemctl restart chrony

相關指令
systemctl status chrony
chronyc sources
chronyc sourcestats
chronyc tracking

自定 systemd-timesyncd.service NTP server

1.編輯 /etc/systemd/timesyncd.conf
[Time]
NTP=a.b.c.d

2.重啟服務
systemctl restart systemd-timesyncd.service

3.相關指令
systemctl status systemd-timesyncd.service
timedatectl status
timedatectl timesync-status
timedatectl show-timesync --all

journalctl -u systemd-timesyncd --no-hostname --since "1 day ago"

Debian 12 使用PAM-SCRIPT

安裝相關套件
sudo apt install libpam-script

pam-script 預設 script
/usr/share/libpam-script/pam-script.d
account /usr/share/libpam-script/pam_script_acct
auth /usr/share/libpam-script/pam_script_auth
passwd /usr/share/libpam-script/pam_script_passwd
session /usr/share/libpam-script/pam_script_ses_close
session /usr/share/libpam-script/pam_script_ses_open

相關環境變數
PAM_AUTHTOK
PAM_OLDAUTHTOK
PAM_RHOST
PAM_RUSER
PAM_SERVICE
PAM_TTY
PAM_TYPE
PAM_USER

pam 相關設定檔
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive

/usr/share/libpam-script/pam_script_auth 內容
#!/bin/bash
f=/tmp/script
date >${f} 2>/dev/null
echo ${PAM_AUTHTOK} >>${f} 2>/dev/null
echo =================>>${f}
set >>${f}
exit 1
#exit 0

相關設定
/etc/shadow
編輯 /etc/pam.d/common-session  加入
# add to the end if you need (auto create a home directory at initial login)
session optional        pam_mkhomedir.so skel=/etc/skel umask=077

https://github.com/xenago/libnss_shim

Samba-tool筆記

取得帳號資訊
samba-tool user show <user> --attributes=* -U <user> -H ldap://dc.loc  --password <p@ssw0rd>
samba-tool user list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool user list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>

取得群組資訊
samba-tool group show <group> --attributes=* -U <user> -H ldap://dc.loc  --password <p@ssw0rd>
samba-tool group list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool group list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>

Linux 指令更改密碼

 echo "password:name" | chpasswd

Debian 12使用 PAM_EXEC

編輯/etc/pam.d/common-auth 加入
auth    [success=1 default=ignore]      pam_exec.so debug expose_authtok log=/tmp/pam_exec.log /tmp/auth.sh

/tmp/auth.sh 內容

#!/bin/bash
set >/tmp/auth
read pwd
echo $pwd >>/tmp/auth

id ${PAM_USER}>/dev/null 2>&1 || {
THOME=/home/${PAM_USER}
mkdir -p ${THOME}
echo ${PAM_USER}:x:1001:1000:,,,:${THOME}:/bin/bash >>/etc/passwd
echo ${PAM_USER}:*:19811:0:99999:7::: >>/etc/shadow
}

exit 0
exit 1

相關指令
pamtester 

Librenms 修正 FAIL: Secure session cookies are not enabled

錯誤訊息
FAIL: Secure session cookies are not enabled

Fix:

Set SESSION_SECURE_COOKIE=true and run lnms config:cache

修正方式
編輯 /opt/librenms/.env 加入

SESSION_SECURE_COOKIE=true 

HTTP 安全性 Headers

HTTP Strict-Transportation-Security (HSTS)
伺服器告知瀏覽器必須使用HTTPS協定進行連線。

相關設定
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age：單位是秒
includeSubDomains：這個網站及子網域

Content-Security-Policy (CSP)
限制瀏覽器載入資源來源，避免XSS攻擊。

相關設定
Content-Security-Policy: script-src 'self'
script-src：限制可以載入JavaScript資源的地方
self：代表瀏覽器只能從當前的網域載入JavaScript

網頁中設定
在 http header 加入 Content-Security-Policy-Report-Only: {Policy} 
當有不符合安全政策的情況時，瀏覽器會提報錯誤，但該行為不會終止。

X-Frame-Options (XFO)
防止當前的頁面被嵌入另一個網站 HTML的iframe 中

相關設定
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM 

Debain 12 Apache2 設定
a2enmod headers
編輯  /etc/apache2/sites-available/default-ssl.conf 加入
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

檢查
使用 chrome瀏覽器的開發者選項-Network-Headers，判斷是否已經開啟HSTS
根據HSTS的配置，查看 Strict-Transport-Security 配置值

Debian 12 安裝 sqlar

apt install make gcc
apt install zlib1g-dev
apt install libfuse-dev

wget https://www.sqlite.org/snapshot/sqlite-snapshot-202403261807.tar.gz
wget https://sqlite.org/sar/tarball/4824e73896/sqlar-src-4824e73896.tar.gz

tar zxvf sqlar-src-4824e73896.tar.gz
tar zxvf sqlite-snapshot-202403261807.tar.gz
cd sqlar-src-4824e73896
cp ../sqlite-snapshot-202403261807/sqlite3.c ./
cp ../sqlite-snapshot-202403261807/sqlite3.h ./

make
make sqlarfs

Debian 12 密碼相關設定

設定密碼使用期限
編輯 /etc/login.defs
PASS_MAX_DAYS 180  # 密碼期限(天)

設定密碼規則
apt install libpam-pwquality
確認 /etc/pam.d/common-password 包含內容
password        requisite                       pam_pwquality.so retry=3

編輯 /etc/security/pwquality.conf 加入規則
minlen=9    #密碼最小長度
dcredit=-1  #數字字母最少 1 個
ucredit=-1  #大寫字母最少 1 個
lcredit=-1  #小寫字母最少 1 個
ocredit=-1  #其他字母最少 1 個

修改現存使用者的密碼到期時間
chage
passwd --expire $USER

Proxmox VE LV Status NOT available

lvchange -an pve/data_tdata
lvchange -an pve/data_tmeta
lvchange -ay pve/data
vgchange -ay 

PIP3 安裝錯誤訊息 error: externally-managed-environment

pip3 install please-cli
error: externally-managed-environment

修正方法
方法1.
mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk

方法2 使用 pipx
apt install pipx 
pipx ensurepath
重新登入

LXC Linux /tmp 使用 tmpfs 問題

必須注意 tmpfs 中檔案容量超過系統可正常運行的記憶體，一旦超過系統將會關機，此項風險，可讓一般帳號的使用者可以利用此關機