vpn时如何自动区分国内国外-chnroutes-autoddvpn

针对这个需求,有专门的开源项目 chnroutes

最起源的代码仓库:https://code.google.com/p/chnroutes/

1. 与这个最接近的github上的代码:

https://github.com/fivesheep/chnroutes

2. 还有一个差异比较大的,从时间上看是比较旧的,但需要比较代码才能知道哪个更合适

https://github.com/jimmyxu/chnroutes

3. 还有一个改进版,提供 go python 以及window界面版本,从其文档连接看是以 fivesheep 的版本为基线版本。

https://github.com/sabersalv/freedom-routes 

本文验证了pptp windows 环境下的功能,工作OK。

其中python 使用 2.7.10 版,请安装完整版,因为可能需要其他关联库。

脚本执行要使用管理员权限。

1,2,3生成的路由数据略有差异,经简单测试,以 baidu.com 和weibo.com 为test case, 似乎3的效果好些,但因每人宽带出口不同,不作为唯一结论,使用者请自行测试。

如果要让路由器实现上述功能,提供用户透明的vpn体验,也有相应的项目  https://code.google.com/p/autoddvpn/

pptp的安全风险

原文已经无法访问了,特意搬运过来,英文吃力的同学,可以用google翻译,当然你要会科  学  上  网

总结起来最终的要的亮点

  • 明文传输
  • 采用简单的用户名和密码验证,方法过于简单

原文:

http://pptpclient.sourceforge.net/protocol-security.phtml

PPTP Client

Protocol Security

References

by James Cameron

Summary

by Peter Mueller

PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.

(Posted on 2005-08-10 to the mailing list)

Why not use PPTP?

by James Cameron

The point to point tunneling protocol (PPTP) is not secure enough for some information security policies.

It's the nature of the MSCHAP V2 authentication, how it can be broken trivially by capture of the datastream, and how MPPE depends on the MSCHAP tokens for cryptographic keys. MPPE is also only 128-bit, reasonably straightforward to attack, and the keys used at each end are the same, which lowers the effort required to succeed. The obvious lack of two-factor authentication, instead relying on a single username and password, is also a risk. The increasing use of domestic wireless systems makes information capture more likely.

However, that doesn't mean people don't accept the risks. There are many corporations and individuals using PPTP with full knowledge of these risks. Some use mitigating controls, and some don't.

Many people seem to judge the security of a protocol by the availability of the implementation, the ease of installation, or the level of documentation on our web site. Improving the documentation is the purpose of this web site, and we aren't doing that in order to say anything about the risks of the software! Any judgement of security should be rigorously applied to the design and implementation alone.

PPTP on Linux, and Microsoft's PPTP, both implement fixes for vulnerabilities that were detected years ago in Microsoft's PPTP. But there remain the design vulnerabilities that cannot be fixed without changing the design. The changes needed would break interoperability. We can't change the Linux PPTP design, because it would stop working with Microsoft PPTP. They can't change their design, because it would stop working with all the other components out there, such as Nortel and Cisco, embedded routers, ADSL modems and their own Windows installed base.

The only option then is to deprecate the product and promote the replacement. Microsoft promote something else. Our choice for Open Source systems is OpenVPN or IPsec.

Level of acceptance isn't a good indicator of risk either. Some have said that the shipping of MSCHAP V2, MPPE and PPTP in Linux distributions is an indication of design security, but that's not the reason. It's for interoperability. As an example, see how Linux distributions still ship telnet, ftp, and rsh, even though these components are insecure because they reveal the password in cleartext in the network packets. The same can be said of many other components and packages.

Our recommendations are;

  1. do not implement PPTP between open source systems, because there's no justification, better security can be had from OpenVPN or IPsec,
  2. do not implement PPTP servers unless the justification is that the clients must not have to install anything to get going (Microsoft PPTP is included already), and be aware of the risks of information interception,
  3. do not implement PPTP clients unless the justification is that the server only provides PPTP, and there's nothing better that can be used, and again be aware of the risks of information interception.

(Posted on 2005-08-10 to the mailing list)

密码管理app体验

  1. CODE: 密码工具。进去后,每条密码是明文,特点是每条记录按用户名和密码分开存储显示     评价 :一般
  2. keeper:密码工具。记录是明文存储,支持  faastfill ,支持 keeper DNA    评价:中
  3. 隐私卫士:app隐私锁 评价:高
  4. 私密锁:app锁,评价:一般
  5. 应用程序锁:评价:一般
  6. 隐私应用锁:app锁。评价低
  7. 密码本:密码工具,每个字段分开存储。 评价 :中
  8. NS Wallet :分文件夹-item 对字段做了详细的分类。 :一般
  9. safeincloud :有详细的模板 ,支持云同步 评价:高
  10. SSE  功能强大,支持密码管理 ,文件本加密 ,文件加密  评价 :高
  11. password keepox: 简单的字段记录,支持同步到dropbox ,评价:低
  12. 秘密管理器:简单的字段记录:评价:极低
  13. sis密码管理:同上

nginx设置后端保持长连接

nginx 做反向代理分发时,为了提高效率,最好使用长连接,以下是nginx 支持的几种后端长连接配置方案:

Nginx从 1.1.4 开始,实现了对后端机器的长连接支持,这是一个激动人心的改进,这意味着 Nginx 与后端机器的通信效率更高,后端机器的负担更低。

例如,对一个没有长连接支持的后端机器,会出现大量TIME_WAIT 状态的连接,使用以下命令验证之:

netstat -n | grep TIME_WAIT

经过查阅官方文档,其目前已经实现了http, fastcgi, memcache 协议的长连接支持。而之前的版本中仅支持memcache 协议。

memcache

启用到 memcache 服务器的长连接 在upstream 配置段中增加 keepalive N 指令即可:

upstream memcached_backend {
     server 127.0.0.1:11211;
     server 10.0.0.2:11211;
     keepalive 32;
}

server {
    ...
     location /memcached/ {
         set $memcached_key $uri;
         memcached_pass memcached_backend;
     }
}

fastcgi

启用fastcgi 长连接支持 除了需要在upstream 中配置 keepalive N 外,还需要在 location 中增加

fastcgi_keep_conn on;

upstream fastcgi_backend {
    server 127.0.0.1:9000;
    keepalive 8;
}

server {
     ...
     location /fastcgi/ {
         fastcgi_pass fastcgi_backend;
         fastcgi_keep_conn on;
         ...
     }
}

HTTP

启用对后端机器HTTP 长连接支持

upstream http_backend {
    server 127.0.0.1:8080; 
    keepalive 16;
}

server {
     ...
     location /http/ {
         proxy_pass http://http_backend;
         proxy_http_version 1.1;
         proxy_set_header Connection \;
         ...
     }
}

注意:需要设置nginx 代理请求的 http 协议版本号为 1.1, 以及清除掉 Connection 请求header, 官方文档描述:

For HTTP, the proxy_http_version directive should be set to “ 1.1 ” and the “ Connection ” header field should be cleared .

The connections parameter should be set low enough to allow upstream servers to process additional new incoming connections as well.

即是说:keepalive N 指令中 , N 的值应该尽可能设置小一些,以便后端机器可以同时接受新的连接。

Too many connections

在php的日志里我们看到了如下的告警日志:
mysql_connect(): Too many connections

查看默认参数:
mysql> show variables;

实时修改:
mysql> set global wait_timeout=10;
Query OK, 0 rows affected (0.01 sec)

mysql> set GLOBAL max_connections=1024;
Query OK, 0 rows affected (0.00 sec)

注意 interactive_timeout  和 wait_timeout,根据不同场景,修改不同的参数。

还可以修改 my.cnf , 然后 重启 mysqld 服务。

还需要关注查询慢的本质原因:

1)DB是innodb 还是myisam

2)  高频查询的表的index创建是否合理

3)业务的mysql 语句写的是否合理

如果以上还搞不定,就需要考虑 分库分表 , 加proxy 做集群来分流了。

如何使用ssh登录openshift

openshift是免费的云平台,适合搞个公司网站或者个人blog。最近想把博客从openshift上迁移出去,wordpress本身有插件可以导出文章内容。但是对应的附件和图片利用导入工具,会有导入不完整的问题,简单的办法就是用ssh访问,将整个 uploads文件下载下来。要支持ssh,openshift有一套安全机制。通过 rhc 上传key,实现无密码登录。

具体参考:

https://developers.openshift.com/en/getting-started-windows.html#client-tools

如果不使用git,可以跳过 git的步骤。

ruby是从 www.rubygems.org/gems/rhc  下载的,需要自己搞定 vpn的问题,否则提示ssl失败

rhc登陆openshift

安装rhc

可能出现的问题:

no such file dl/import

http://stackoverflow.com/questions/28896733/rhc-setup-gives-error-no-such-file-dl-import

中间会提示输入openshift的账号和密码,成功后,会在本地.ssh 目录生成公私钥。并提示上传服务器。

这里要关注 .ssh的路径,后面客户端登录时要用到

ssh登录

登录你的openshift账号,点击application ,进去就能看到详细的信息:

openshift信息

根据右侧的账号和地址 ,用ssh就可以登录了

登录时选择key:

ssh key

这样就直接登录进去了,可以进行相关资料的备份了

centos系统lnmp(nginx,mysql,php)环境搭建

新拿到vps,基本是裸机环境,如果要搞wordpress或者php后台,就需要php环境。

本来想手动安装,结果发现lnmp的一键脚本有更新。作者已经更新了1.2版本,基本都可以选择最新的版本了。http://lnmp.org/install.html

安装成功!

如果你担心以上脚本的安全性,也可以自己亲手安装官方的版本

  • 安装mysql
yum install -y mysql-server mysql mysql-deve

开机启动

chkconfig mysqld on

设置密码

mysqladmin -uroot password 'newpassword'
  • 安装nginx

设置 yum源

vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=

安装

yum install nginx

如果需要添加www 用户和组

groupadd -f www
useradd -g www www
  • 安装apache

安装apache 主要是因为wordpress的静态url路由需要相应的组件。

yum install httpd
chkconfig httpd on

 

 

 

 

关于IOS后台socket长连接的问题

1. 进程退到后体后,只有3-10的时间,如果没有进一步处理,处于功耗考虑,socket就会被系统关闭。 2. ios8后,允许后台,ios8之前的版本,只能通过设置后台模式 Required background modes来实现,但如果本身没有voip功能,苹果审查会遭拒。 ①打开info.plist,添加下面的键值对: Required background modes = App provides Voice over IP services ②配置XMPPStream的enableBackgroundingOnSocket属性为YES: _xmppStream.enableBackgroundingOnSocket = YES; 3. 参考 http://my.oschina.net/bankofchina/blog/281233 voip的方法,理论上定位消息也可以实现 4. 网上大段都是voip的例子,但按照苹果的审查规范,用voip实现后台keepalive 而没有实现voip是会被拒的。 综上所述,ios8以后,直接支持后台。ios8以前的,理论上gps位置信息也是可以在后台触发,从而通过策略实现长连接的,目前没有看到验证的例子,可以在这个方向下尝试下,毕竟所有的app都是需要位置服务器的,不属于伪造服务

c++编译工具链

1. gcc

yum -y install gcc automake autoconf libtool make

安装g++:

yum install gcc gcc-c++

2. protobuf

protobuf-2.4.1.tar.gz

./configure --prefix=/usr/local/protobuf
 make
 make check
 make install
sudo vim /etc/profile
 添加
export PATH=$PATH:/usr/local/protobuf/bin/
export PKG_CONFIG_PATH=/usr/local/protobuf/lib/pkgconfig/
保存执行
source /etc/profile

3. google 库文件,将google的库文件路径添加到gcc 编译路径

1).加到gcc的环境变量 C_INCLUDE_PATH, CPLUS_INCLUDE_PATH, OBJC_INCLUDE_PATH

2).放到系统默认目录
/usr/include
/usr/local/include

我们选择直接拷贝protobuf 生成的目录 includegoogle  到 /usr/local/include 下

4. zlib

编译时提示:"/usr/bin/ld: cannot find -lz"

解决:去lib64目录下看是有libz  相关库的,根据好使的环境比对,猜测是缺少特定的连接

# ln -s libz.so.1 libz.so

编译ok...

 

centos7配置samba

  1. 开放端口
    确认自己本地的iptable 或者firewalld,打开对应的端口。
    如果是阿里云,还要开启对应ecs的安全组端口配置。
    建议:
    UDP 137-138
    TCP:139 445
  2. 确认SELinux的相关权限设置
    在没搞明白之前,先关闭,等调试通了后再开启,根据相关的问题来配置。不建议粗暴的关闭。
  3. 安装 samba
yum install samba
systemctl enable smb
systemctl start smb
  1. 创建用户

- 创建用户组
groupadd dev
- 创建用户
useradd -g dev aaa
- 设置用户的密码
passwd aaa
- 将用户添加到samba账号中
smbpasswd -a aaa
5. 配置samba
/etc/samba/smb.conf
参考配置:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        map to guest = Bad User
        log file = /var/log/samba/log.%m
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[public]
        comment = Public Stuff
        path = /data/share
        public = yes
[dev]
        comment = developer
        path = /dev
        valid users = @dev
  1. 参考
    https://www.cnblogs.com/muscleape/p/6385583.html
    https://wiki.centos.org/HowTos/SetUpSamba

使用Sublime Text3+Ctags+Cscope替代Source Insight

参考:https://www.zybuluo.com/lanxinyuchs/note/33551

说明:以Windows系统下查看C++代码为例。因为Source Insight(以下简称SI)是收费软件,且界面丑陋,所以考虑其替代方案,发现Sublime Text3(以下简称ST3) + Ctags + Cscope 可以取得很好的效果。使用ST3基本可以实现全键盘操作,同时它又没有学习Vim的陡峭曲线。

安装方法

1. 安装Package Control for ST3

 https://packagecontrol.io/installation

2. 安装Ctags插件

(1) 通过 Preference -> Package Control -> Install Package安装Ctags插件
(2) 下载 Ctags.exe, 通过 Preference -> Package Settings -> Ctags -> Settings Default 中的内容拷贝到 Setting User中,将 command": "" 中的 "" 填入Ctags.exe的路径位置
(3) 在工程根目录上点击右键,选择Ctags:Rebuild tags

3. 安装Cscope插件

(1) 通过 Preference -> Package Control -> Install Package安装Cscope插件
(2) 下载 Cscope.exe, 并在工程根目录下生成cscope.out文件
(3) 打开CscopeSublime.sublime-settings文件(可能需要添加到 Package -> User 目录下),将 "executable": "" 中的"" 填入Cscope.exe的路径位置,将 "database_location": "" 中的 ""填入cscope.out的路径位置

功能实现:

(1) 对于symbol函数的定义查询,ST3自带此功能Go to Definition,且搜索结果有多个时可以预览,不用跳转到另一个文件。Ctags也有此功能navigate_to_definition,搜索结果比ST3要准确一些,但多结果时不支持预览。Csope也有此功能 Cscope: look up function defintion,但搜索结果不支持双击点开。因此实际中多用ST3和Ctags来实现此功能
(2) 对于symbol变量的定义查询,ST3不支持,Ctags有此功能,方法同其查询symbol函数的定义一致。Cscope也可以用查询symbol函数定义的方法实现此功能,搜索结果不支持双击点开。因此实际中多用Ctags来实现此功能
(3) 对于函数caller的查询,只有Cscope有此功能Cscope: look up function calling this function
(4) 全局搜索, ST3可通过Ctrl+Shift+F实现,但搜索耗时较长。Cscope可通过Cscope: look up symbol实现,因为已经通过cscope.out建立了索引,所以结果很快,但结果不一定全面

:使用Cscope的功能时,需按enter键确定才会执行

比较:ST3 + Ctags + Cscope的方案基本可以实现Source Insight的常用有效功能(除了查看类继承关系的Relation Windows),且其速度更快,界面也更为清爽。ST3相比于SI的其他优点还包括:
(1)ST3使用Ctrl+P搜索文件时,使用的是模糊匹配,不像SI必须顺次拼写正确才行
(2)ST3支持tab模式,可方便的在多个文件间切换

ST3实用技巧

(1) Alt+O可以实现头文件和源文件之间的快速切换
(2) 通过 View -> Side bar 可在左侧显示当前打开的文件列表
(3) ST3虽然不像notepad++可以在sidebar上显示函数列表,但是可通过Ctrl+R查看
(3) 通过 Preference -> Key binding user 可根据个人操作习惯自定义快捷键(包括ST3自带的和插件的)
(4) 双击可选中光标所在单词,三击可选中光标所在行
(5) Ctrl+Shift+T可以打开之前关闭的tab页,这点同chrome是一样的

RVCT 远程license 问题

错误:

Error: C9932E: Cannot obtain license for Compiler (feature compiler) with licens
e version >= 3.1:
Terminal Server remote client not allowed.
Feature: compiler
License path: D:ARMLicenseslicense.lic
FLEXnet Licensing error:-103,577
For further information, refer to the FLEXnet Licensing End User Guide,
available at "www.macrovision.com".

解决:rvds.dat里HOSTID=XXXXX之后加上TS_OK就可以了

Hanging Sockets and Power Consumption – Basics, Part 3

很好的文章,就mobile 空socket 的耗电状态做了深入的分析.

更完整的内容参见:trepn-whitepaper-apps-power

from:https://developer.qualcomm.com/blog/hanging-sockets-and-power-consumption-basics-part-3

Continuing our series on mobile apps and their effect on battery drain, I’ll pick up where the three guidelines in Wayne Lee’s last post left off, especially #3: “Know what your app is doing with the hardware and when it’s doing it.”

One common way that mobile apps use too much power is through hanging sockets –network connections that the app is no longer using, but which the server thinks are still alive because the app has not closed them. The subsequent query from the server results in needless battery drain.

Here’s more background on the problem and how you can deal with it.

“Wake up. It’s time to go to sleep.”

Applications often “forget” to close their socket after they are done with it. Then, after some amount of time without data activity, the server times the socket out and closes it.

Socket termination in TCP requires a four-way handshake, so the server has to send a FIN packet to the device, which usually takes the device from the low-power dormant state to the higher-power active state. The device goes idle for a bit, then back to dormant. It’s like waking somebody up to tell them that it’s time to go to sleep.

Look at the example in the diagram. The red (1) shows the device jumping from dormant to active mode to send and receive data normally for a few seconds. Once finished, the cellular radio drops to a power-saving idle mode (2) in case that it’s needed again. After about 15 seconds of inactivity, the radio goes dormant (3).

    The diagram shows inefficiencies in Socket Termination activity on a device, the multiple steps it goes through to send/receive data and why it’s important to close sockets.

But the app has left the socket open (hanging). The server doesn’t like loose ends, so it sends its FIN packet to the device. This rouses the radio from dormant to active again (4), the same as if it were sending/receiving data for the app. Worse yet, the radio follows the normal curve back down to idle for another 15 seconds, wasting more power (5).

Begin to get the idea?

The phone has to bring up the radio for a simple, easily avoidable handshake because the server has asked the device for something that the app should have provided in the first place. If no other traffic moves between the device and the network, the connection is a complete waste of several hundred milliamperes.

Assuming that the app uses the network four times in an hour, the simple fix of having the app close the socket when finished can reduce network power consumption by about 20 percent, which would be the difference between eight and ten hours of standby power.

The lesson is: Program your app to close sockets when it has finished with them. Otherwise, the phone consumes power to bring up the radio for a needless handshake with the server.

Next Steps

So, to paraphrase Wayne, you need to know what your app is doing with the cellular radio, when it’s doing it and how to turn it off when the app no longer needs it.

Questions? Visit the Trepn Profiler Support Forum or let me know in the comments below.

mysql 中文乱码

默认:
mysql> show variables like "character_set%";
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | latin1                     |
| character_set_connection | latin1                     |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | latin1                     |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
*************************************************************
*************************************************************
1.修改/etc/my.cnf文件,改成这样:
[mysqld]
default-character-set=utf8
init_connect='SET NAMES utf8'
[client]
default-character-set=utf8
2./etc/init.d/mysqld restart 重新启动mysql;
mysql重启后字符集更改仍然生效。
mysql> show variables like "character_set%";
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
*************************************************************
*************************************************************
注意执行命令:
SET NAMES 'utf8';
它相当于下面的三句指令:
SET character_set_client = utf8;
SET character_set_results = utf8;
SET character_set_connection = utf8;

cosmic 编译器未调用函数优化

Q. Can the compiler automatically remove unused functions from my application?

A. Yes, the default behavior includes all code linked however, you can add the +split compiler command line option to split the object into multiple sections. i.e. One section per function such that individual functions may be removed by the linker if they are not called. You then mark one or more segments in the link command file with the -k (keep) option to specifiy which segments need to be kept. Typically, you just need to add the -k segment option to the segment containing the vecotr table. This usually coversl all of the applications call trees.

stvd-cosmic

myeclipse 2013 deploy path 修改

文件路径:./.settings/org.eclipse.wst.common.component:

<project-modules id="moduleCoreId" project-version="1.5.0">
<wb-module deploy-name="web">
<wb-resource deploy-path="/" source-path="/WebRoot" tag="defaultRootSource"/>
<wb-resource deploy-path="/WEB-INF/classes" source-path="/src"/>
<property name="context-root" value="web"/>
<property name="java-output-path" value="/web/WebRoot/WEB-INF/classes"/>
</wb-module>
</project-modules>

linux sync 木马 .Iptables .Iptablex

现象:linux 主机对外发出高达上G的流量定向攻击互联上的某台主机(1001端口),结果就是,目标挂掉了,你也被云主机封号了(这种攻击会导致云架构共享的网络瘫痪,所有用户无法正常服务,属于致命问题)。

对于站长来说封号就是灭顶之灾,如果数据无法备份,就更悲剧了。

目前木马攻击的注入方式未知,希望有高人研究,根据本人主机的情况,猜测ssh扫描,bug注入的可能性比较高。

防范:

  1. 修改ssh默认端口

  2. 修改ssh的访问源ip(类似 AWS EC2 的security groups 功能)

同样问题的站长:

http://bbs.chinaunix.net/thread-4118890-1-1.html

http://www.xujiansheng.cn/2014/01/linux-viruses-iptablex-iptables/

可疑样本文件:Iptablex.zip

希望有高人能看到,能发现后门,造福广大站长

经这两天学习和热心网友乌云微博管理员的帮助,初步定位是struct 漏洞:

类似:http://www.beardnote.com/?p=829

 

解决struts2最新s2-016代码执行漏洞–CVE-2013-2251

今天接到外界报告struts2框架存在任意命令执行漏洞,可直接执行任意系统命令。 详细见官方说明:http://struts.apache.org/release/2.3.x/docs/s2-016.html

漏洞版本:
Apache Struts 2.0.0 – Apache Struts 2.3.15

漏洞描述:
CVE-2013-225. Struts2 是第二代基于Model-View-Controller (MVC)模型的java企业级web应用框架。它是WebWork和Struts社区合并后的产物

Apache Struts2的action:、redirect:和redirectAction:前缀参数在实现其功能的过程中使用了Ognl表达式,并将用户通过URL提交的内容拼接入Ognl表达式中,从而造成攻击者可以通过构造恶意URL来执行任意Java代码,进而可执行任意命令

redirect:和redirectAction:此两项前缀为Struts默认开启功能,目前Struts 2.3.15.1以下版本均存在此漏洞

目前Apache Struts2已经在2.3.15.1中修补了这一漏洞。强烈建议Apache Struts2用户检查您是否受此问题影响,并尽快升级到最新版本

< 参考 1. http://struts.apache.org/release/2.3.x/docs/s2-016.html >

测试方法:
@Sebug.net dis 本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

由于Apache Struts2 在最新修补版本2.3.15.1中已经禁用了重定向参数,因此只要重定向功能仍然有效,则说明受此漏洞影响:

http://host/struts2-showcase/employee/save.action?redirect:http://www.yahoo.com/

如果页面重定向到www.yahoo.com,则表明当前系统受此漏洞影响。

验证表达式解析和命令执行:

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}`
Sebug安全建议:

厂商状态:
厂商已经发布Apache Struts 2.3.15.1以修复此安全漏洞,建议Struts用户及时升级到最新版本。

厂商安全公告:S2-01. 链接:http://struts.apache.org/release/2.3.x/docs/s2-016.html

软件升级页面:http://struts.apache.org/download.cgi#struts23151

目前存在漏洞的公司
乌云上,已经发布了快60个struts的这个漏洞问题,包括腾讯,百度,网易,京东等国内各大互联网公司。(http://www.wooyun.org/bugs/new_submit/) 

解决办法:
升级到Struts 2.3.15.1(强烈建议)
使用ServletFilter来过滤有问题的参数(临时替换方案)
 
参考资料:
http://sebug.net/appdir/Apache%20Struts

这次struts爆出来的漏洞,一大片的网站受的影响,影响最严重的就是电商了. 对于struts的漏洞,曾经也写过struts2代码执行漏洞,struts2自从使用OGNL表达式的方式后,经常就会报出一些可怕的漏洞出来,建议那些还是struts的童鞋们,学习一些其他的框架吧!比如,spring mvc,简单,好用,高效! 这里有篇对struts漏洞分析很透彻的文章,推荐学习学习. http://www.inbreak.net/archives/507

问题解决参考:
http://www.geek521.com/?p=3278

EC2 Instance 重启后ssh无法登陆的问题

创建instance后,第一次都能正常运行,但是重启后大概率(大于80%)创建的instance就ssh连不上了。刚开始以为自己的业务导致服务器僵死,后来发现80端口都是正常的,说明服务器没有问题,只是ssh无法连接。
于是通过其他手段登录到服务器,想手动拉起sshd,系统提示:

Failed to start SSH server :
Starting sshd: /etc/ssh/sshd_config line 157: Bad yes/without-password/forced-commands-only/no argument: without-passwordUseDNS
[FAILED]

根据提示,发现sshd_config的配置中有非法的内容(没有换行),于是手动,修改后sshd正常启动。
进一步定位分析,发现原来 EC2的 instance 的/etc/rc.d/rc.local 中有脚本控制每次开机后向sshd_config 末尾写入:

UseDNS no
PermitRootLogin without-password

当这2行缺少合法的换行时,sshd就开机无法启动了。
解决方法:
1)屏蔽rc.local脚本的相关语句
2)修改sshd_config的属性为只读

EC2 snapshot 默认创建instance无法启动问题

用创建的snapshot创建的 instance 一直显示 initialization,查看log:
EXT3-fs: sda1: couldn't mount because of unsupported optional features (240).
EXT2-fs: sda1: couldn't mount because of unsupported optional features (240).
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
初步分析,创建都是default 的,恢复也是default的,应该没有问题才对,但看日志,是文件系统不支持,说明内核版本有问题了。于是在恢复时手动选择AKI:
aki-68c06a69 aki-config 注意:此AKI要根据自己的系统以及版本选择合适的,我选择的只针对我自己的系统。
重新选择后,创建多个实例,都启动ok

有源滤波电路的等价无源滤波电路

目前的filterlab filterpro等元件生成的参考模型都是基于有源运放的。如果我们需要无源的等价电路,一个简单的近似等价方法:

先根据自己需要用软件设计出有源滤波器电路,然后将生成的滤波电路中的运放去掉,将RC网络中原来接运放输出端的那个回路点直接改接到地。

MTK编译环境问题make: *** [mmi_feature_check] Error 1

今天遇到的问题:同样都是win7 系统,同样的安装路径,编译工具和代码,在新的机器上就是编译不了,提示如下:

make: *** [mmi_feature_check] Error 1

熟悉mtk的同学一看就知道是路径问题.

于是在相关perl脚本中分段加打印,终于定位出原来是新的机器不支持命令行的空格缩写格式,不支持如  c:Progra~1 这样的写法.

具体原因待日后有时间再进一步定位.暂时通过修改工具路径规避此问题.

mysql table crash 自动修复脚本

已验证:eg1:

#!/bin/sh

cd /var/lib/mysql

echo "$(date) start mysql_deamon running..."
sleep 180

while [ 1 ]
do
echo "$(date) mysql_deamon running..."
sleep 30

for i in `cat mysqld.log |grep crash|awk -F "'" '{print $2}'|sort -u|sed -e '1d' `;
do
if [ "$i" != "./xxx/xxx" ]; then
echo 'not find xxx crash'
else
echo 'find xxx crash'
echo 'repair xxx'
mysqlcheck -uxxx -pxxx xxx xxx -r
fi

echo 'clear the err log'
> mysqld.log
done
done

eg1 中红色部分代码其实可以1句搞定,由于本人不善 shell 提取字符操作,只能做固定判断了

未验证 eg2:

#!/bin/bash

#This script edit by badboy connect leezhenhua17@163.com
#This script used by repair tables
mysql_host=localhost
mysql_user=root
mysql_pass=123456   #密码如果带特殊字符如分号可以这么写  root;2010就可以了
database=test

tables=$(mysql -h$mysql_host -u$mysql_user -p$mysql_pass $database -A -Bse “show tables”)
for arg in $tables
do
check_status=$(mysql -h$mysql_host -u$mysql_user -p$mysql_pass $database -A -Bse “check table $arg” | awk ‘{ print $4 }’)
if [ "$check_status" = "OK" ]
then
echo “$arg is ok”
else
echo $(mysql -h$mysql_host -u$mysql_user -p$mysql_pass $database -A -Bse “repair table $arg”)

fi
echo $(mysql -h$mysql_host -u$mysql_user -p$mysql_pass $database -A -Bse “optimize table $arg”)
done

未验证 eg3:

#!/bin/bash
#author:itnihao
#mail:itnihao@qq.com
#date 2013-02-18
#version v1.0
#function:repair mysql table

User=root
Password=123456
Host=192.168.1.10
Database=$(mysql -u${User} -p${Password} -h${Host} -e 'show databases'|grep -v 'Database')
for DBname in ${Database}
do
table=$(mysql -u${User} -p${Password} -h${Host} ${DBname} -e 'show tables'|grep -v tables_in_mysql)
for tableName in ${table}
do
mysql -u${User} -p${Password} -h${Host} ${DBname} -e "check table ${tableName}" [ "$?" != 0 ] &&mysql -u${User} -p${Password} -h${Host} ${DBname} -e "repair table ${tableName}"
done
done

mysql:’xxx’is marked as crashed and should be repaired

1、从网上查了下有的说是频繁查询和更表造成的索引错误。

2.还有说法为是MYSQL数据库因为某种原因而受到了损坏,如:数据库服务器突发性的断电、在提在数据库表提供服务时对表的原文件进行某种操作都 有可能导致MYSQL数据库表被损坏而无法读取数据。总之就是因为某些不可测的问题造成表的损坏。

修复:

mysql> REPAIR TABLE int_dev_gps;

服务器shell脚本中用wget/curl模拟客户端调用api接口

目前的生产环境使用的vps的shell监护脚本中,发现有很大的概率reboot命令会僵死,但是web页面面板功能正常。正好网站提供了api接口,所以可以通过api完成可靠的系统复位。

我们可以在shell中用wget 和curl 模拟客户端,来发送指令的url.

curl 常用的 开关:

-o 忽略下载

-s 忽略返回

其他的见 --help

样例:

curl -o /dev/null -s "http://xxxx.com"

mysql java 守护脚本

参考网上资料,为生产环境的mysql 和java 进程增加守护进程,负责进程退出时,自动拉起

#!/bin/sh
##设置mysql进程和jira进程的监控进程名和进程数目;
mysql_process_check=`lsof -i:3306|awk '{ print $1 }'|sed -n 2p`
mysql_check=`lsof -i:3306 |wc -l`
jira_process_check=`lsof -i:8080|awk '{ print $1 }'|sed -n 2p`
jira_check=`lsof -i:8080 |wc -l`

##设置java运行环境,单独在shell脚本提示符号下面运行是可以不用设置java运行环境(因为加载用户shell脚本环境时已经加载
##了);但是在cron进程下面时则需要设置java运行环境。

#export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun
#export PATH=$PATH:/usr/lib/jvm/java-1.5.0-sun/bin

while [ 1 ]
do
echo "$(date) jboss_deamon running..."
##先查看3306端口是否有运行进程(注意,这个时候运行在3306脚本上面的不一定是mysql进程mysqld!不过我们第一步是判断
##3306端口上面是否运行了进程)
while [ $mysql_check -eq 0 ]
do
echo "port:3306 have no process running"
sleep 2
#/usr/bin/mysqld_safe -umysql &
service mysql start
##如果8080端口上有进程运行,不管它是jira服务进程java还是其它进程,则一律把8080端口上运行的进程强行终止掉;
##因为jira服务的运行依赖于mysql的正常运行后才运行;如果jira服务进程正常存在系统中,但是mysql进程已经出问题了,
##那么这个时候不管8080端口上运行的是jira服务进程java还是其它进程,一律强行终止掉。
if [ $jira_check -gt 0 ]; then
pkill -9 $jira_process_check
fi
sleep 20
mysql_check=`lsof -i:3306 |wc -l`
done

##这一次将判断3306端口上面运行的是否为mysql进程mysqld,如果不是则强行终止3306上面的非mysql进程,同时终止完后运行##mysql进程
mysql_process_check=`lsof -i:3306|awk '{ print $1 }'|sed -n 2p`
if [ $mysql_process_check != mysqld ]; then
echo 'mysql_process not run in port 3306,so I will kill process which run in port 3306.'
pkill -9 $mysql_process_check
mysql_check=`lsof -i:3306 |wc -l`
# echo $mysql_check
while [ $mysql_check -eq 0 ]
do
sleep 2
#/usr/bin/mysqld_safe -umysql &
service mysql start
##确认8080端口上面是否运行了进程,如果运行了进程则强行终止掉8080端口上面运行的进程,不管是jira进程还是其它进程。
if [ $jira_check -gt 0 ]; then
pkill -9 $jira_process_check
fi
sleep 20
mysql_check=`lsof -i:3306 |wc -l`
done
echo 'mysql_process are running in port 3306.'
else echo 'mysql_process are running in port 3306.'
fi

##确认8080端口上面是否运行了进程(不管8080端口上面运行的是java进程还是其它进程)jira_check=`lsof -i:8080 |wc -l`
while [ $jira_check -eq 0 ]
do
echo "port:8080 have no process running"
sleep 2
#/usr/local/jira/bin/startup.sh
nohup /data/web/jboss-as-7.1.1.Final/bin/standalone.sh >/dev/null 2>&1 &
sleep 30
jira_check=`lsof -i:8080 |wc -l`
done

##检查8080端口上面是否运行着jira服务进程java,如果没有则先强行终止8080端口上面运行的进程;然后在启动jira服务
jira_process_check=`lsof -i:8080|awk '{ print $1 }'|sed -n 2p`
if [[ $jira_process_check != java ]]; then
echo 'jira_process not run in port 8080,so I will kill process which run in port 8080.'
pkill -9 $jira_process_check
jira_check=`lsof -i:8080 |wc -l`
# echo $jira_check
while [ $jira_check -eq 0 ]
do
sleep 2
#/usr/local/jira/bin/startup.sh
/data/web/jboss-as-7.1.1.Final/bin/standalone.sh >/dev/null 2>&1 &
sleep 30
jira_check=`lsof -i:8080 |wc -l`
done
echo 'jira_process are running in port 8080.'
else echo 'jira_process are running in port 8080.'
fi
sleep 60
done

mysql 重置密码

sudo service mysql stop
sudo mysqld_safe --skip-grant-table&
mysql
use mysql;
update user set password = password('yourpasswd') where user = 'root';
flush privileges;

重启登录后,如果提示:You must SET PASSWORD before executing this statement
解决:

mysql>  SET PASSWORD = PASSWORD('123456');

使用postfix 实现注册用户邮件通知

之前使用的是企业邮箱,由于有反垃圾邮件和每日发送次数限制,当用户量上来的时候,就苦逼了,后台调用失败,用户注册不了。

所以把邮件服务器换成了postfix。这样就可以摆脱以上的限制,而且postfix也很强大。

目前只实现简单的smtp 功能,实现发送注册邮件功能。

1. 增加DNS解析

为什么需要dns解析?因为显示的发送邮箱是可以软件填写的,所以唯一的好处就是在用代码调用的时候能保证接口稳定(ip主机迁移,只要修改dns解析就可以)。

2. 如果是本机发送,基本默认配置就可以搞定了。如果要支持remote,就需要简单的设置

postfix-config

对应 /etc/postfix/main.cf 中的mynetworks 参数

全部修改参数如下:

myhostname = mail.xxx.com
mydomain = xxx.com
mynetworks = 127.0.0.0/8 xxx.xxx.xxx.xxx
inet_interfaces = all

如果要进行详细的客户端权限管理和虚拟用户帐户管理,可以参见这篇文章:

http://www.centoscn.com/CentosServer/lighttpd/2013/0730/806.html

配置完成后,记得一定要重启

3. telnet 测试。

MAIL FROM: xxx@xxx.com
RCPT TO: xxx@xxx.com
DATA
From: xxx@xxx.com
To: xxx@xxx.com
Subject: test message
test mail
.

注意:Telnet时 ,请用外网ip或者域名否则可能出现:

Postfix 554 5.7.1 Relay Access Denied  的错误

ok,可以替换以前代码中的企业邮箱的参数了。