2024年12月9日 星期一
Debian 12 安裝 RustDesk Server
apt update;apt upgrade -y
apt install -y sudo wget
設定執行帳號及群組
export RUSTDESK=rustdesk
groupadd ${RUSTDESK}
useradd ${RUSTDESK} -g ${RUSTDESK} -m -r
usermod -aG sudo ${RUSTDESK}
passwd ${RUSTDESK}
安裝 rustdesk server
su - ${RUSTDESK}
cd
wget https://raw.githubusercontent.com/techahold/rustdeskinstall/master/install.sh
chmod a+x install.sh
./install.sh
相關檔案、服務
/opt/rustdesk
rustdeskrelay.service
rustdesksignal.service
/etc/systemd/system/rustdeskrelay.service
/etc/systemd/system/rustdesksignal.service
/opt/gohttp
gohttpserver.service
/etc/systemd/system/gohttpserver.service
/var/log/rustdesk
防火牆設定
21115-21119/tcp
8000/tcp
21116/udp
2024年11月28日 星期四
2024年10月30日 星期三
如何確認 Wayland 或 X11
echo $XDG_SESSION_TYPE
loginctl show-session $(loginctl | grep $(whoami) | awk '{print $1}') -p Type
For Wayland:
ps aux | grep [w]ayland
For X11:
ps aux | grep [X]
WSL 無法執行 Systemd
錯誤訊息
System has not been booted with systemd as init system (PID 1). Can't operate.
編輯 /etc/wsl.conf 添加以下內容:
[boot]
systemd=true
2024年10月23日 星期三
ipxe + BIOS + UEFI
TFTP server ip
192.168.9.200
dnsmasq pxe 設定參考
dhcp-option=vendor:PXEClient,6,2b
dhcp-no-override
dhcp-match=set:ipxe-http,175,19
dhcp-match=set:ipxe-https,175,20
dhcp-match=set:ipxe-menu,175,39
dhcp-match=set:ipxe-pxe,175,33
dhcp-match=set:ipxe-bzimage,175,24
dhcp-match=set:ipxe-iscsi,175,17
dhcp-match=set:ipxe-efi,175,36
tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-pxe,tag:ipxe-bzimage
tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-efi
pxe-service=tag:!ipxe-ok,X86PC,BIOS,o/undionly.kpxe,192.168.9.200
pxe-service=tag:!ipxe-ok,IA32_EFI,IA32_EFI,o/snponlyx32.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,BC_EFI,BC_EFI,o/ipxe.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,X86-64_EFI,EFI,o/ipxe.efi,192.168.9.200
pxe-service=tag:!ipxe-ok,X86-64_EFI,EFI0,o/ipxe.efi,192.168.9.200
pxe-prompt=EFI,0
#pxe-service=0, "PXELINUX (0000-BIOS)", "bios/lpxelinux.0"
#pxe-service=1, "PXELINUX (0001-EFI)", "efi64/syslinux.efi"
#pxe-service=2, "PXELINUX (0002-EFI)", "efi64/syslinux.efi"
#pxe-service=3, "PXELINUX (0003-EFI)", "efi64/syslinux.efi"
#pxe-service=4, "PXELINUX (0004-EFI)", "efi64/syslinux.efi"
#pxe-service=5, "PXELINUX (0005-EFI)", "efi64/syslinux.efi"
#pxe-service=6, "PXELINUX (0006-EFI)", "efi64/syslinux.efi"
#pxe-service=7, "PXELINUX (0007-EFI)", o/ipxe.efi,192.168.9.200
#pxe-service=8, "PXELINUX (0008-EFI)", "efi64/syslinux.efi"
#pxe-service=9, "PXELINUX (0009-EFI)", "efi64/syslinux.efi"
#dhcp-boot=tag:ipxe-ok,o/autoexec.ipxe,pxeserver,192.168.9.200
#dhcp-boot=tag:ipxe-ok,http://192.168.9.200/tftp/o/autoexec.ipxe,,
dhcp-boot=tag:ipxe-ok,o/autoexec.ipxe,pxeserver,192.168.9.200
autoexec.ipxe 參考內容
#!ipxe
sleep 100
config
https://boot.ipxe.org/
https://boot.ipxe.org/ipxe.efi
https://boot.ipxe.org/undionly.kpxe
https://boot.ipxe.org/snponly.efi
2024年9月25日 星期三
LEAF 使用 SNMPD
安裝 netsnmpd.lrp
編輯 /etc/snmp/snmpd.conf 加入
rocommunity public 192.168.0.0/16
extend hardware "/bin/cat /sys/devices/virtual/dmi/id/product_name"
extend manufacturer "/bin/cat /sys/devices/virtual/dmi/id/sys_vendor"
extend distro "/usr/bin/tail -n 1 /etc/issue"
Proxmox VE8 啟用 SNMP
apt install libpve-apiclient-perl
cat >/etc/snmp/cat_serial <<EOF
#!/bin/bash
/bin/cat /sys/devices/virtual/dmi/id/product_serial
EOF
wget https://raw.githubusercontent.com/librenms/librenms-agent/master/agent-local/proxmox -O /etc/snmp/proxmox
wget -O /etc/snmp/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /etc/snmp/distro
chmod a+x /etc/snmp/proxmox /etc/snmp/cat_serial
編輯 /etc/snmp/snmpd.conf
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.$(date +%Y%m%d-%H%M%S)
cat >/etc/snmp/snmpd.conf <<EOF
# Change RANDOMSTRINGGOESHERE to your preferred SNMP community string
com2sec readonly default RANDOMSTRINGGOESHERE
group MyROGroup v2c readonly
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation ROOM 110
syscontact email <email@mail>
#OS Distribution Detection
#extend distro /usr/bin/distro
#Hardware Detection
# (uncomment for x86 platforms)
extend manufacturer '/bin/cat /sys/devices/virtual/dmi/id/sys_vendor'
extend hardware '/bin/cat /sys/devices/virtual/dmi/id/product_name'
#extend serial '/bin/cat /sys/devices/virtual/dmi/id/product_serial'
# (uncomment for ARM platforms)
#extend hardware '/bin/cat /sys/firmware/devicetree/base/model'
#extend serial '/bin/cat /sys/firmware/devicetree/base/serial-number'
extend distro /etc/snmp/distro
extend proxmox "/usr/bin/sudo /etc/snmp/proxmox"
extend serial "/usr/bin/sudo /etc/snmp/cat_serial"
EOF
編輯 /etc/sudoers 加入
Debian-snmp ALL=(ALL) NOPASSWD: /etc/snmp/proxmox
Debian-snmp ALL=(ALL) NOPASSWD: /etc/snmp/cat_serial
Proxmox ve 叢集移除節點
systemctl stop pve-cluster corosync
pmxcfs -l
rm -r /etc/corosync/*
rm /etc/pve/corosync.conf
killall pmxcfs
systemctl start pve-cluster
Neighbour table overflow
查詢狀態
arp -an|wc -l
grep . /proc/sys/net/ipv4/neigh/default/gc_thresh*
/proc/sys/net/ipv4/neigh/default/gc_thresh1:512
/proc/sys/net/ipv4/neigh/default/gc_thresh2:4096
/proc/sys/net/ipv4/neigh/default/gc_thresh3:8192
解决方法:
echo 60 > /proc/sys/net/ipv4/neigh/default/gc_stale_time
echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "net.ipv4.neigh.default.gc_thresh1 = 512" >> /etc/sysctl.conf
echo "net.ipv4.neigh.default.gc_thresh2 = 2048" >> /etc/sysctl.conf
echo "net.ipv4.neigh.default.gc_thresh3 = 4096" >> /etc/sysctl.conf
sysctl -p
2024年9月24日 星期二
2024年8月27日 星期二
dnsmasq dhcp-script 設定摘要
dnsmasq.conf 設定
dhcp-script=/tmp/rule.sh
/tmp/rule.sh 內容
#!/bin/sh
cmd="$1"
mac="$2"
ip="$3"
hostname="$4"
set >/tmp/rule.txt
echo $cmd $mac $ip $hostname >>/tmp/rule.txt
pi 400 as keyboard
編輯/boot/config.txt 添加
dtoverlay=dwc2
sudo modprobe libcomposite
編譯
sudo apt install libconfig-dev git cmake
git clone https://github.com/Gadgetoid/pi400kb
cd pi400kb
git submodule update --init
mkdir build
cd build
cmake ..
make
執行
sudo modprobe libcomposite
sudo ./pi400kb
Ctrl + Raspberry 本機使用和 USB 間切換
Ctrl + Shift + Raspberry 退出
The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
apt-key adv --fetch-keys https://packages.sury.org/php/apt.gpg
2024年8月8日 星期四
Linux 密碼相關 PAM及設定
PAM 相關模組
pam_pwquality 密碼品質檢查
pam_faillock 封鎖、解鎖登入失敗帳號
pam_pwhistory 密碼歷史記錄
相關檔案
/etc/login.defs 設定密碼使用期限
Debian 12 pam_faillock.so 設定
編輯 /etc/pam.d/common-auth
# faillock
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
# faillock
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
編輯 /etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
# faillock
account required pam_faillock.so
編輯 /etc/security/faillock.conf
# 登入失敗記錄儲存位置
dir = /var/run/faillock
# 記錄不存在帳號
audit
# 不輸出訊息
silent
# syslog 不記錄
no_log_info
# 只追蹤本機使用者
local_users_only
# 若 180 秒內連續 5 次登入失敗,則封鎖帳號
deny = 5
fail_interval = 180
# 帳號封鎖後,900 秒才開放
unlock_time = 900
# root 納入監控對象
even_deny_root
# root 封鎖後, 900 秒才開放
root_unlock_time = 900
# 管理者群組(成員視同 root 帳號)
admin_group = adm
相關指令-查詢認證失敗的記錄
faillock
faillock --user user --reset
2024年7月16日 星期二
Debian 12 安裝 polkitd異常
錯誤訊息
Failed to check if group polkitd already exists: Connection refused
id: 'polkitd': no such user
chown: invalid user: 'polkitd:root'
解決方式
addgroup polkitd
apt install polkitd
Debian 12 Apache2 automatically redirect HTTP to HTTPS on Apache servers
sudo a2enmod rewrite
修改 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
列出 sss 所有帳號
編輯 /etc/sssd/sssd.conf 加入
enumerate = true
指令
getent -s files passwd
getent -s sss passwd
getent passwd
2024年6月28日 星期五
git ssh server 無法更新
錯誤訊息
remote: error: refusing to update checked out branch: refs/heads/master
git config --bool core.bare true
Debian bash 設定自動登出
cat >/etc/profile.d/autologout.sh <<EOF
#!/bin/bash
export TMOUT=3600
EOF
SSH相關設定
編輯 /etc/ssh/sshd_config
ClientAliveInterval 3600
ClientAliveCountMax 0
Logrotate 因為父目錄權限而執行失敗
錯誤訊息
because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
修改設定檔
/etc/logrotate.conf
/etc/logrotate.d/*
加入 su root root 設定
2024年6月25日 星期二
Debian 12 Python WARNING: Using password on command line is insecure. Please install the setproctitle python module.
apt install pip
pip install setproctitle --break-system-packages
2024年6月12日 星期三
Debian 12 Xfce4 set this file as trusted
gio set -t string "$f" metadata::xfce-exe-checksum "$(sha256sum "$f" | awk '{print $1}')"
2024年5月22日 星期三
Debian 12 使用 minio
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=password ./minio server /tmp/minio --console-address ":4501" --address :4500
Debian 12 使用 S3FS筆記
# 安裝s3fs
apt install s3fs -y
# 將S3憑證存到指定檔案中
echo ACCESS_KEY_ID:SECRET_ACCESS_KEY > ./password
# 調整檔案權限
chmod 600 ./password
指令參考
s3fs test /mnt2 \
-o passwd_file=./password \
-o url=http://192.168.6.9:4500 \
-o dbglevel=info \
-o allow_other \
-o use_path_request_style \
-f -o curldbg \
2024年5月20日 星期一
2024年5月7日 星期二
Debian 12 XFce 多媒體相關套件
apt remove exfalso parole
apt remove pulseaudio pulseaudio-utils xfce4-pulseaudio-plugin pavucontrol xfburn
Debian 12 Apache2 mod_security
安裝
apt install -y libapache2-mod-security2
a2enmod security2
設定 ModSecurity 設定檔 /etc/modsecurity/modsecurity.conf
cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
將 SecRuleEngine 的 DetectionOnly 改成 On
設定 OWASP ModSecurity 核心規則集
mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bak
git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
設定 預設請求排除規則檔案
mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
在 Apache 2 中啟用 ModSecurity 修改 /etc/apache2/mods-available/security2.conf
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /usr/share/modsecurity-crs/crs-setup.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
編輯虛擬主機設定檔,設定 SecRuleEngine 為 On
<VirtualHost *:443>
SecRuleEngine On
</VirtualHost>
systemctl restart apache2
相關指令
apache2ctl -M
測試
curl http://127.0.0.1/index.html?exec=/bin/bash
Apache2 mod_evasive 防止 DDoS 攻擊
安裝
apt install libapache2-mod-evasive
a2enmod evasive
編輯 /etc/apache2/mods-available/evasive.conf
mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive
systemctl reload apache2
相關指令
apache2ctl -M
Debian 12 join Windows AD
apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
錯誤訊息 Couldn't get kerberos ticket for: Administrator Cannot contact any KDC for realm
檢查網路及主機名稱
Debian 12 停用 gvfs-udisks2-volume-monitor.service
單一帳號
systemctl --user stop gvfs-udisks2-volume-monitor.service
systemctl --user disable gvfs-udisks2-volume-monitor.service
systemctl --user mask gvfs-udisks2-volume-monitor.service
所有帳號
mv /usr/share/dbus-1/services/org.gtk.vfs.UDisks2VolumeMonitor.service /usr/share/dbus-1/services/org.gtk.vfs.UDisks2VolumeMonitor.service.bak
2024年4月25日 星期四
Google chrome 匯入 PGP
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
Debian 10 使用 proxmox-backup-client
ldd `which proxmox-backup-client` patchelf --set-rpath '$ORIGIN' proxmox-backup-client
patchelf --set-interpreter /opt/proxmox-backup-client/ld-linux-x86-64.so.2 proxmox-backup-client2024年4月19日 星期五
OpenPBS 查詢歷史紀錄
相關指令
qstat -x -u user
相關訊息
qstat: PBS is not configured to maintain job history
設定指令
qmgr -c "s s job_history_enable=1" #開啟
qmgr -c "s s job_history_enable=0" #關閉 set server job_history_enable=0
2024年4月12日 星期五
Debian 12 安裝 OpenPBS(version = 23.06.06)
運算管理節點安裝必要套件
apt install expat libedit2 postgresql python3 postgresql-contrib sendmail-bin tcl tk libical3 postgresql-server-dev-all libhwloc-dev
編輯環境設定
sudo apt install -y gcc make libtool libhwloc-dev libx11-dev \
libxt-dev libedit-dev libical-dev ncurses-dev perl \
postgresql-server-dev-all postgresql-contrib python3-dev tcl-dev tk-dev swig \
libexpat-dev libssl-dev libxext-dev libxft-dev autoconf \
automake g++ libcjson-dev
sudo apt install -y git
git clone https://github.com/openpbs/openpbs.git
cd openpbs
sudo mkdir -p /opt/pbs
./autogen.sh
./configure -prefix=/opt/pbs
make
安裝設定
sudo make install
sudo /opt/pbs/libexec/pbs_postinstall
sudo chmod 4755 /opt/pbs/sbin/pbs_iff /opt/pbs/sbin/pbs_rcp
設定角色
編輯 /etc/pbs.conf
systemctl enable pbs
systemctl restart pbs
相關設定檔及指令
Qmgr: set server flatuid = True
Qmgr: set server query_other_jobs = True
pbsnodes -a
qmgr -c "print server"
qmgr -c "create node work01"
pbs_hostn -v servernode
echo 'sleep 60' | qsub
/etc/hosts
/etc/pbs.conf
/opt/pbs/etc/pbs.sh
參考
https://github.com/openpbs/openpbs/blob/master/INSTALL
2024年4月2日 星期二
R 套件 Pgirmess 安裝
Debian 11 相關套件
apt install libudunits2-dev libgdal-dev libproj-dev
pgirmess R 安裝指令如下
install.packages('sf', repos='https://cran.r-project.org/r')
install.packages('spdep', repos='https://cran.r-project.org/r')
install.packages('pgirmess', repos='https://cran.r-project.org/r')
注意 libproj-dev libgdal-dev 版本
2024年3月6日 星期三
samba-tool:WARNING: Using password on command line is insecure. Please install the setproctitle python module.
WARNING: Using password on command line is insecure. Please install the setproctitle python module.
mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk
pip install setproctitle --root-user-action=ignore
Python:WARNING: Running pip as the 'root' user
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
pip install --root-user-action=ignore
email 通知硬碟狀況
#!/bin/bash
# 2024-04-23
# busybox sendmail
# https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/
mta="busybox sendmail "
S=email.server
f="from<user@email.loc>"
t="to<user@email.loc>"
ema(){ local t;t=${1##*\<};t=${t%%\>};echo $t; }
ips(){ ip a|grep "inet "|grep -v 127.0.0.1|awk '{print $2}'; }
hdds(){ lsblk -l |grep " disk "|awk '{print $1}'; }
s="$(date) <`ips` $(hostname)>"
cat <<EOF | ${mta} -f $(ema ${f}) -t "$(ema ${t})" -S ${S}
Subject: ${s}
CC:
To: ${t}
From: ${f}
$(date)
Disk Usage ====================================================
$(df -h 2>&1)
MD stat =======================================================
$(cat /proc/mdstat)
ZFS stat ======================================================
$(zpool status 2>&1)
HDD Smart stat ================================================
`for i in $(hdds);do echo /dev/${i} @@@@@@@@@;smartctl -H /dev/${i} 2>&1;done`
EOF
time chrony 設定 ntp server
1.編輯 /etc/chrony/chrony.conf
加入 server a.b.c.d iburst
2.重啟服務
systemctl restart chrony
相關指令
systemctl status chrony
chronyc sources
chronyc sourcestats
chronyc tracking
自定 systemd-timesyncd.service NTP server
1.編輯 /etc/systemd/timesyncd.conf
[Time]
NTP=a.b.c.d
2.重啟服務
systemctl restart systemd-timesyncd.service
3.相關指令
systemctl status systemd-timesyncd.service
timedatectl status
timedatectl timesync-status
timedatectl show-timesync --all
journalctl -u systemd-timesyncd --no-hostname --since "1 day ago"
2024年2月27日 星期二
Samba-tool筆記
取得帳號資訊
samba-tool user show <user> --attributes=* -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool user list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool user list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>
取得群組資訊
samba-tool group show <group> --attributes=* -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool group list -U <user> -H ldap://dc.loc --password <p@ssw0rd>
samba-tool group list -H ldap://dc.loc -U <user> -b "OU=ou,DC=dc,DC=loc" --password <p@ssw0rd>
Debian 12使用 PAM_EXEC
編輯/etc/pam.d/common-auth 加入
auth [success=1 default=ignore] pam_exec.so debug expose_authtok log=/tmp/pam_exec.log /tmp/auth.sh
/tmp/auth.sh 內容
#!/bin/bash
set >/tmp/auth
read pwd
echo $pwd >>/tmp/auth
id ${PAM_USER}>/dev/null 2>&1 || {
THOME=/home/${PAM_USER}
mkdir -p ${THOME}
echo ${PAM_USER}:x:1001:1000:,,,:${THOME}:/bin/bash >>/etc/passwd
echo ${PAM_USER}:*:19811:0:99999:7::: >>/etc/shadow
}
exit 0
exit 1
相關指令
pamtester
Debian 12 使用PAM-SCRIPT
安裝相關套件
sudo apt install libpam-script
pam-script 預設 script
/usr/share/libpam-script/pam-script.d
account /usr/share/libpam-script/pam_script_acct
auth /usr/share/libpam-script/pam_script_auth
passwd /usr/share/libpam-script/pam_script_passwd
session /usr/share/libpam-script/pam_script_ses_close
session /usr/share/libpam-script/pam_script_ses_open
相關環境變數
PAM_AUTHTOK
PAM_OLDAUTHTOK
PAM_RHOST
PAM_RUSER
PAM_SERVICE
PAM_TTY
PAM_TYPE
PAM_USER
pam 相關設定檔
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
/usr/share/libpam-script/pam_script_auth 內容
#!/bin/bash
f=/tmp/script
date >${f} 2>/dev/null
echo ${PAM_AUTHTOK} >>${f} 2>/dev/null
echo =================>>${f}
set >>${f}
exit 1
Librenms 修正 FAIL: Secure session cookies are not enabled
FAIL: Secure session cookies are not enabled
編輯 /opt/librenms/.env 加入
2024年1月31日 星期三
HTTP 安全性 Headers
HTTP Strict-Transportation-Security (HSTS)
伺服器告知瀏覽器必須使用HTTPS協定進行連線。
相關設定
Strict-Transport-Security: max-age=31536000; includeSubDomains
max-age:單位是秒
includeSubDomains:這個網站及子網域
Content-Security-Policy (CSP)
限制瀏覽器載入資源來源,避免XSS攻擊。
相關設定
Content-Security-Policy: script-src 'self'
script-src:限制可以載入JavaScript資源的地方
self:代表瀏覽器只能從當前的網域載入JavaScript
網頁中設定
在 http header 加入 Content-Security-Policy-Report-Only: {Policy}
當有不符合安全政策的情況時,瀏覽器會提報錯誤,但該行為不會終止。
X-Frame-Options (XFO)
防止當前的頁面被嵌入另一個網站 HTML的iframe 中
相關設定
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM
Debain 12 Apache2 設定
a2enmod headers
編輯 /etc/apache2/sites-available/default-ssl.conf 加入
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
檢查
使用 chrome瀏覽器的開發者選項-Network-Headers,判斷是否已經開啟HSTS
根據HSTS的配置,查看 Strict-Transport-Security 配置值
Debian 12 安裝 sqlar
apt install make gcc
apt install zlib1g-dev
apt install libfuse-dev
wget https://www.sqlite.org/snapshot/sqlite-snapshot-202403261807.tar.gz
wget https://sqlite.org/sar/tarball/4824e73896/sqlar-src-4824e73896.tar.gz
tar zxvf sqlar-src-4824e73896.tar.gz
tar zxvf sqlite-snapshot-202403261807.tar.gz
cd sqlar-src-4824e73896
cp ../sqlite-snapshot-202403261807/sqlite3.c ./
cp ../sqlite-snapshot-202403261807/sqlite3.h ./
make
make sqlarfs
Debian 12 密碼相關設定
設定密碼使用期限
編輯 /etc/login.defs
PASS_MAX_DAYS 180 # 密碼期限(天)
設定密碼規則
apt install libpam-pwquality
確認 /etc/pam.d/common-password 包含內容
password requisite pam_pwquality.so retry=3
編輯 /etc/security/pwquality.conf 加入規則
minlen=9 #密碼最小長度
dcredit=-1 #數字字母最少 1 個
ucredit=-1 #大寫字母最少 1 個
lcredit=-1 #小寫字母最少 1 個
ocredit=-1 #其他字母最少 1 個
修改現存使用者的密碼到期時間
chage
passwd --expire $USER
Proxmox VE LV Status NOT available
lvchange -an pve/data_tdata
lvchange -an pve/data_tmeta
lvchange -ay pve/data
vgchange -ay
PIP3 安裝錯誤訊息 error: externally-managed-environment
pip3 install please-cli
error: externally-managed-environment
修正方法
方法1.
mv /usr/lib/python3.11/EXTERNALLY-MANAGED /usr/lib/python3.11/EXTERNALLY-MANAGED.bk
方法2 使用 pipx
apt install pipx
pipx ensurepath
重新登入