I have a local WireGuard gateway that I am trying to manage with Ansible. I ran into a problem when connecting over SSH: the connection times out. After investigating, I realised the cause is that the TCP SYN for SSH coming from interface ino1 never receives a SYN-ACK, because the WG rules forward it to the wg0 interface.
Does anyone know how to add a rule to iptables to fix this without conflicting with the WG traffic? WG runs over UDP.
I am not very proficient with iptables, so any help would be appreciated.
I am using a Debian 11 server on my VPS and trying to set up WireGuard.
After creating the private and public keys, I created the configuration file /etc/wireguard/wg0.conf with the following contents:
[Interface]
PrivateKey = [PRV_KEY]
Address = 192.168.23.1/24
ListenPort = 51820
SaveConfig = true
[peer]
PublicKey = [PUB_KEY]
AllowedIPs = 192.168.23.2
Calling wg-quick up wg0 gives:
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.23.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
ip addr shows the new wg0 interface.
Now my /etc/wireguard/wg0.conf has changed to:
[Interface]
Address = 192.168.23.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = [PRV_KEY]
The [peer] block is completely missing.
Since I am new to WireGuard and VPNs, I assume that without this peer block being parsed I have no public key...
I am running Bullseye (Debian 11?) and tried to install a 6.x kernel from bullseye-backports. I really don't know how to undo it. The new kernel does not work with the graphics driver and some other drivers. I want to go back to the 5.10 kernel.
Here is what I did:
/etc/apt/sources.list:
deb http://deb.debian.org/debian/ bullseye-backports main contrib non-free
sudo apt install -t bullseye-backports linux-image-amd64 firmware-misc-nonfree
sudo remove firmware-misc-nonfree
sudo apt -s remove linux-image-amd64
apt policy linux-image-amd64 shows:
linux-image-amd64:
Installed: 5.10.209-2
Candidate: 5.10.209-2
Version table:
6.1.55-1~bpo11+1 100
100 http://deb.debian.org/debian bullseye-backports/main amd64 Packages
*** 5.10.209-2 500
500 http://deb.debian.org/debian bullseye/main amd64 Packages
100 /var/lib/dpkg/status
5.10.205-2 500
500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
However, I am not sure which of these kernels I am currently running:
$ uname -a
Linux debian 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64 GNU/Linux
Here is the Debian-related part of /boot/grub/grub.cfg:
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 6.1.0-0.deb11.13-amd64 ...'
linux /boot/vmlinuz-6.1.0-0.deb11.13-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro noresume quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-6.1.0-0.deb11.13-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-da96684c-0696-43ed-ba36-54d11861e7d4' {
menuentry 'Debian GNU/Linux, with Linux 6.1.0-0.deb11.13-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-0.deb11.13-amd64-advanced-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 6.1.0-0.deb11.13-amd64 ...'
linux /boot/vmlinuz-6.1.0-0.deb11.13-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro noresume quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-6.1.0-0.deb11.13-amd64
}
menuentry 'Debian GNU/Linux, with Linux 6.1.0-0.deb11.13-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-0.deb11.13-amd64-recovery-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 6.1.0-0.deb11.13-amd64 ...'
linux /boot/vmlinuz-6.1.0-0.deb11.13-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro single noresume
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-6.1.0-0.deb11.13-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-28-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-28-amd64-advanced-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-28-amd64 ...'
linux /boot/vmlinuz-5.10.0-28-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro noresume quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-28-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-28-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-28-amd64-recovery-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-28-amd64 ...'
linux /boot/vmlinuz-5.10.0-28-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro single noresume
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-28-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-26-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-26-amd64-advanced-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-26-amd64 ...'
linux /boot/vmlinuz-5.10.0-26-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro noresume quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-26-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-26-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-26-amd64-recovery-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-26-amd64 ...'
linux /boot/vmlinuz-5.10.0-26-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro single noresume
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-26-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-22-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-22-amd64-advanced-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-22-amd64 ...'
linux /boot/vmlinuz-5.10.0-22-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro noresume quiet
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-22-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.10.0-22-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.10.0-22-amd64-recovery-da96684c-0696-43ed-ba36-54d11861e7d4' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
search --no-floppy --fs-uuid --set=root da96684c-0696-43ed-ba36-54d11861e7d4
echo 'Loading Linux 5.10.0-22-amd64 ...'
linux /boot/vmlinuz-5.10.0-22-amd64 root=UUID=da96684c-0696-43ed-ba36-54d11861e7d4 ro single noresume
echo 'Loading initial ramdisk ...'
initrd /boot/initrd.img-5.10.0-22-amd64
}
}
Here are the vmlinuz* files I actually have in /boot/:
$ ls -1 /boot/vmlinuz*
/boot/vmlinuz-5.10.0-22-amd64
/boot/vmlinuz-5.10.0-26-amd64
/boot/vmlinuz-5.10.0-28-amd64
/boot/vmlinuz-6.1.0-0.deb11.13-amd64
If I explicitly select the 5.10.0-28 kernel from the grub menu at boot, everything works fine. I think I effectively have to remove the boot entries from grub.cfg and the 6.1.x kernel-related files and headers.
I am worried that if I do this manually I will mess up the dependency lists of the Debian package management system. Also, I no longer need bullseye-backports.
I removed the entry from /etc/apt/sources.list, ran apt update -y and then apt upgrade. That did not help. Not sure what should be done.
Similar to this question: Unable to connect to MariaDB through an OpenVPN tunnel
I cannot connect to a MariaDB server over OpenVPN. The setup is -
Findings and attempts:
Conclusion - this is not a firewall problem, because I can connect to SAMBA over OpenVPN; I also disabled the firewall completely and still cannot establish a connection.
Here is the interface setup:
root@machine:/home/myuser# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether fa:16:3e:ce:de:9a brd ff:ff:ff:ff:ff:ff
inet *PUBLIC IP* brd *PUBLIC IP BROADCAST* scope global dynamic ens3
valid_lft 64288sec preferred_lft 64288sec
inet6 *PUBLIC IPV6* scope link
valid_lft forever preferred_lft forever
102: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.1.1/24 brd 10.8.1.255 scope global tun1
valid_lft forever preferred_lft forever
inet6 fe80::c446:2ce1:c480:a740/64 scope link stable-privacy
valid_lft forever preferred_lft forever
TCP DUMP check - my client has IP 10.8.1.2
tcpdump -i tun1 -n port 3306
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
09:26:53.954949 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:54.969398 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:56.979356 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:27:00.989474 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
Netstat
netstat -naplut | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 158452/mysqld
MariaDB 50-server config
[server]
# this is only for the mysqld standalone daemon
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
#port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
#skip-external-locking
bind-address = 0.0.0.0
UFW status
ufw status
Status: active
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
1194/udp ALLOW Anywhere
Samba ALLOW 10.8.1.0/24
16/tcp ALLOW Anywhere
Apache Full ALLOW Anywhere
1195 ALLOW Anywhere
1195/udp ALLOW Anywhere
3306/tcp ALLOW 10.8.1.0/24
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
1194/udp (v6) ALLOW Anywhere (v6)
16/tcp (v6) ALLOW Anywhere (v6)
Apache Full (v6) ALLOW Anywhere (v6)
1195 (v6) ALLOW Anywhere (v6)
1195/udp (v6) ALLOW Anywhere (v6)
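Both the SSH-over-WireGuard post at the top of this page and this MariaDB capture show the same symptom: a TCP SYN that is retransmitted and never answered with a SYN-ACK. As an added example (not code from either post), here is a small Python checker that pairs SYNs with SYN-ACKs in tcpdump's text output and reports the flows that never completed; the capture it parses is the four lines quoted in the post plus a constructed, successful Samba handshake for contrast.

```python
"""Flag TCP handshakes that never complete in a tcpdump text capture.

Added example. It reads tcpdump's default one-line output (as produced with
-n), pairs every SYN with a SYN-ACK in the opposite direction, and reports
flows whose SYN was sent or retransmitted without any reply.
"""
import re
from collections import defaultdict

# "HH:MM:SS.frac IP src.sport > dst.dport: Flags [S], seq ..., length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: the four unanswered SYNs quoted in the post, plus a
# Samba (445/tcp) handshake that completes, mirroring the author's note
# that Samba over the tunnel works while MariaDB does not.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 262144 bytes
09:26:53.954949 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:54.969398 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:26:56.979356 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:27:00.989474 IP 10.8.1.2.59977 > 10.8.1.1.3306: Flags [S], seq 771542358, win 64240, options [mss 1286,nop,wscale 8,nop,nop,sackOK], length 0
09:27:05.100000 IP 10.8.1.2.60010 > 10.8.1.1.445: Flags [S], seq 100, win 64240, options [mss 1286,nop,wscale 8,sackOK], length 0
09:27:05.100400 IP 10.8.1.1.445 > 10.8.1.2.60010: Flags [S.], seq 200, ack 101, win 65160, options [mss 1460,nop,wscale 7,sackOK], length 0
09:27:05.100800 IP 10.8.1.2.60010 > 10.8.1.1.445: Flags [.], ack 1, win 502, length 0
"""

def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags), or None for non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def unanswered_syns(capture):
    """Map client flow (src, sport, dst, dport) -> number of SYNs it sent,
    for every flow that never saw a SYN-ACK ('S.') coming back.

    Retransmitted SYNs reuse the same 4-tuple (and seq), so the count is the
    number of attempts the client made before giving up.
    """
    syn_count = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, sport, dst, dport, flags = rec
        if flags == "S":
            syn_count[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # The reply travels server -> client; key it as the client's flow.
            answered.add((dst, dport, src, sport))
    return {flow: n for flow, n in syn_count.items() if flow not in answered}

if __name__ == "__main__":
    for (src, sport, dst, dport), n in unanswered_syns(SAMPLE_CAPTURE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), no SYN-ACK")
```

Run against a live capture with `tcpdump -i tun1 -n port 3306 -l` piped in, the same function separates a reachable service from one whose replies are dropped or routed away.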
I am running Debian 12 and trying to use crontab to execute a Python script that periodically retrieves some files from an Artifactory repository. I run this job under a separate user account, www. I edited the crontab with the crontab -e command as follows:
# Cron
0 * * * * /path/to/py/venv/python3 /path/to/py/script.py && chown -R user:group /path/to/resource
# Command
/path/to/py/venv/python3 /path/to/py/script.py && chown -R user:group /path/to/resource
Based on sudo journalctl -u cron the job seems to be running. I also created a separate job, 0 * * * * date >> ~/clock.txt, as a test. Both seem (?) to execute. But the Python script that should retrieve the files writes nothing new to the directory I set (the date and time do not change).
I tried executing the command directly by copying and pasting it, and it ran fine and wrote new files. Does cron need anything special for the script to execute correctly?
I have a custom Linux distribution (Debian-based) with a lot of custom tooling, for example for changing system configuration (network and so on).
These configuration files are .json files (I know, not very Linux) that are read by custom generators, which basically produce the values in the corresponding Linux configuration from my config files. These generators are systemd units invoked in sysinit.target.
I have a default entry in /etc/fstab that gets overwritten by a generator. After that I run sudo -o remount /tmp to remount the tmpfs with the correct size. This sometimes seems to work, but sometimes the remount fails with the following error: not located or bad option. I suspect a timing issue.
I have also learned that this can be done purely with systemd (tmp.mount). Does that apply to my particular use case? Is it possible to generate the unit file for tmp.mount during the boot process so that the tmpfs is mounted with the correct size?
Everything has to be automated. There is no room for manual intervention.
I have successfully set up NFS/Kerberos, but I run into a permission problem when a Kerberos-authenticated user issues a write, which outputs the following:
philip@client $: touch /mnt/philip/testfile.txt
touch: cannot touch '/mnt/philip/test': Permission denied
Here is my complete setup and configuration:
mydomain.net is a placeholder.
server #: apt-get -y update
server #: apt-get -y install nfs-kernel-server nfs-common
server #: mkdir -p /srv/nfs/philip
server #: cat <<EOF >>/etc/exports
/srv/nfs/philip 192.168.10.0/24(rw,nohide,insecure,no_subtree_check,sync,no_root_squash)
EOF
server #: service nfs-kernel-server restart
client #: apt-get -y update
client #: apt-get -y install nfs-common
client #: mkdir -p /mnt/philip
client #: cat <<EOF >>/etc/fstab
nfs.mydomain.net:/srv/nfs/nfs-001 /mnt/philip nfs defaults 0 0
EOF
client #: mount -a
The NFS share should now be mounted at /mnt/philip. This works!
Update /etc/exports to reflect the new Kerberos share:
/srv/nfs/philip 192.168.10.0/24(sec=krb5p,rw,nohide,insecure,no_subtree_check,sync)
Note: I removed no_root_squash here.
And export:
server #: exportfs -ra
server #: showmount -e
Now set up the Kerberos server:
server #: apt install krb5-kdc krb5-admin-server #enter realm in full caps, enter fqdn for hostnames
server #: cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.NET
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.NET = {
kdc = nfs.mydomain.net
admin_server = nfs.mydomain.net
}
[domain_realm]
Continue the setup...
server #: krb5_newrealm
server #: vi /etc/krb5kdc/kadm5.acl # uncomment /*admin *
server #: systemctl restart krb5-kdc krb5-admin-server
server #: kadmin.local -q "addprinc admin/[email protected]"
# setup principal for NFS Service on NFS Server
server #: kadmin.local -q "addprinc -randkey nfs/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/[email protected]"
While still on the server:
server #: kadmin.local -q "addprinc -randkey nfs/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.client.keytab nfs/[email protected]"
server #: scp /etc/krb5.client.keytab client:/etc/krb5.keytab
Then on the client:
client #: apt update
client #: apt install krb5-user
client #: kinit -k -t /etc/krb5.keytab nfs/[email protected]
client #: klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/[email protected]
Valid starting Expires Service principal
11/27/2023 14:49:54 11/28/2023 00:49:54 krbtgt/[email protected]
renew until 11/28/2023 14:49:44
I can now mount the NFS share with Kerberos authentication:
mount -a
Note my /etc/fstab: nfs.mydomain.net:/srv/nfs/philip /mnt/philip nfs sec=krb5p 0 0
If that fails, you may need to:
systemctl restart rpc-gssd
NFS is now mounted on the client machine via Kerberos.
# setup principal for Philip
server #: kadmin.local -q "addprinc -randkey philip/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.philip.keytab philip/[email protected]"
server #: scp /etc/krb5.philip.keytab client:
Then verify:
philip@client $: kinit -k -t krb5.philip.keytab philip/[email protected]
philip@client $: ls -ls /mnt/philip
total 12
drwxr-xr-x 2 philip philip 4096 Dec 26 07:30 .
drwxr-xr-x 7 root root 4096 Dec 26 09:34 ..
philip@client $: touch /mnt/philip/test
touch: cannot touch '/mnt/philip/test': Permission denied
Here are the permissions:
server #: ls -la /srv/nfs/
total 16
drwxr-xr-x 4 root root 4096 Dec 26 06:35 .
drwxr-xr-x 3 root root 4096 Dec 22 14:35 ..
drwxr-xr-x 2 philip philip 4096 Dec 26 07:30 philip
Even root cannot write to that directory.
If I chmod 777 /srv/nfs/philip then I can write, which suggests I am an "other" user.
I would appreciate any help resolving this.
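As an added example (not part of the post), the Python below models how an NFS server turns a Kerberos principal into a UNIX identity before it applies the directory's mode bits. It is a simplified, assumed version of libnfsidmap's nsswitch method, not the real implementation: the realm is stripped when it is a local realm, the remaining name is looked up as a login name, and anything that does not resolve becomes the anonymous nobody user. The principals and the passwd entries are constructed from the names in the post.

```python
"""Model of how an NFS server maps a Kerberos principal to a UNIX identity.

Added example; a simplified, assumed version of libnfsidmap's nsswitch
method, not the real implementation. The realm is stripped when it is one
of the local realms, the remaining name is looked up as a login name, and
anything that does not resolve becomes the anonymous "nobody" user, which
the exported directory then treats as "other" in its mode bits.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class UnixIdentity:
    user: str
    uid: int
    gid: int

NOBODY = UnixIdentity("nobody", 65534, 65534)

# Constructed stand-in for the server's passwd database.
PASSWD = {
    "root": UnixIdentity("root", 0, 0),
    "philip": UnixIdentity("philip", 1000, 1000),
}

def map_principal(principal, local_realms, passwd=PASSWD):
    """Map 'name[/instance]@REALM' to a UnixIdentity, or NOBODY on failure."""
    if "@" not in principal:
        return NOBODY
    name, realm = principal.rsplit("@", 1)
    if realm not in local_realms:
        return NOBODY                 # foreign realm: never a local user
    # The primary/instance form is looked up as written. There is no passwd
    # entry called "philip/client", so a host-style principal does not
    # become the user "philip" even though its first component matches.
    return passwd.get(name, NOBODY)

def can_write_dir(identity, owner_uid, owner_gid, mode):
    """POSIX write check for a directory; uid 0 bypasses the mode bits.

    With root_squash in effect the server never sees uid 0 from a client,
    so that branch is only reached for no_root_squash exports.
    """
    if identity.uid == 0:
        return True
    if identity.uid == owner_uid:
        return bool(mode & 0o200)
    if identity.gid == owner_gid:
        return bool(mode & 0o020)
    return bool(mode & 0o002)

if __name__ == "__main__":
    realms = {"MYDOMAIN.NET"}
    # /srv/nfs/philip as listed in the post: drwxr-xr-x philip philip
    for princ in ("philip@MYDOMAIN.NET", "philip/client@MYDOMAIN.NET",
                  "nfs/client@MYDOMAIN.NET"):
        ident = map_principal(princ, realms)
        ok = can_write_dir(ident, 1000, 1000, 0o755)
        print(f"{princ:30} -> {ident.user:7} write: {ok}")
```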
ClamAV seems to have a bug on Debian 12 (bookworm) that makes it very hard to get it listening on TCP 3310.
I tried both methods described in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042377 to no avail. I also tried https://bbs.archlinux.org/viewtopic.php?id=233951 and then ran dpkg-reconfigure clamav-daemon as suggested in "Debian 8: Unable to get ClamAV to listen on TCP 3310".
Any ideas? Thanks. Below are my configuration files, the clamav log file, and the commands for restarting the service and checking where clamd is listening.
/etc/systemd/system/clamav-daemon.service.d/tcp-socket.conf
[Socket]
ListenStream=3310
/etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
TCPSocket 3310
TCPAddr 127.0.0.1
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail false
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 50M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M
/var/log/clamav/clamav.log
Sat Dec 16 01:23:16 2023 -> +++ Started at Sat Dec 16 01:23:16 2023
Sat Dec 16 01:23:16 2023 -> Received 1 file descriptor(s) from systemd.
Sat Dec 16 01:23:16 2023 -> clamd daemon 1.0.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Sat Dec 16 01:23:16 2023 -> Log file size limited to 4294967295 bytes.
Sat Dec 16 01:23:16 2023 -> Reading databases from /var/lib/clamav
Sat Dec 16 01:23:16 2023 -> Not loading PUA signatures.
Sat Dec 16 01:23:16 2023 -> Bytecode: Security mode set to "TrustSigned".
Sat Dec 16 01:23:27 2023 -> Loaded 8680737 signatures.
Sat Dec 16 01:23:29 2023 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sat Dec 16 01:23:29 2023 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Sat Dec 16 01:23:29 2023 -> Limits: Global time limit set to 120000 milliseconds.
Sat Dec 16 01:23:29 2023 -> Limits: Global size limit set to 104857600 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: File size limit set to 26214400 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: Recursion level limit set to 16.
Sat Dec 16 01:23:29 2023 -> Limits: Files limit set to 10000.
Sat Dec 16 01:23:29 2023 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxPartitions limit set to 50.
Sat Dec 16 01:23:29 2023 -> Limits: MaxIconsPE limit set to 100.
Sat Dec 16 01:23:29 2023 -> Limits: MaxRecHWP3 limit set to 16.
Sat Dec 16 01:23:29 2023 -> Limits: PCREMatchLimit limit set to 10000.
Sat Dec 16 01:23:29 2023 -> Limits: PCRERecMatchLimit limit set to 5000.
Sat Dec 16 01:23:29 2023 -> Limits: PCREMaxFileSize limit set to 26214400.
Sat Dec 16 01:23:29 2023 -> Archive support enabled.
Sat Dec 16 01:23:29 2023 -> AlertExceedsMax heuristic detection disabled.
Sat Dec 16 01:23:29 2023 -> Heuristic alerts enabled.
Sat Dec 16 01:23:29 2023 -> Portable Executable support enabled.
Sat Dec 16 01:23:29 2023 -> ELF support enabled.
Sat Dec 16 01:23:29 2023 -> Mail files support disabled.
Sat Dec 16 01:23:29 2023 -> OLE2 support enabled.
Sat Dec 16 01:23:29 2023 -> PDF support enabled.
Sat Dec 16 01:23:29 2023 -> SWF support enabled.
Sat Dec 16 01:23:29 2023 -> HTML support enabled.
Sat Dec 16 01:23:29 2023 -> XMLDOCS support enabled.
Sat Dec 16 01:23:29 2023 -> HWP3 support enabled.
Sat Dec 16 01:23:29 2023 -> Self checking every 3600 seconds.
Commands and output:
# systemctl stop clamav-daemon.socket
# systemctl stop clamav-daemon.service
# systemctl daemon-reload
# systemctl start clamav-daemon.service
# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf, tcp-socket.conf
Active: active (running) since Sat 2023-12-16 01:31:15 CET; 8s ago
TriggeredBy: ● clamav-daemon.socket
Docs: man:clamd(8)
man:clamd.conf(5)
https://docs.clamav.net/
Process: 2741989 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
Process: 2741990 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
Main PID: 2741991 (clamd)
Tasks: 1 (limit: 76845)
Memory: 1.0G
CPU: 8.734s
CGroup: /system.slice/clamav-daemon.service
└─2741991 /usr/sbin/clamd --foreground=true
systemd[1]: Starting clamav-daemon.service - Clam AntiVirus userspace daemon...
systemd[1]: Started clamav-daemon.service - Clam AntiVirus userspace daemon.
# netstat -anp | grep -E "(Active|State|clam|3310)"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 7558837 2741991/clamd
unix 3 [ ] STREAM CONNECTED 7472325 2675419/freshclam
unix 2 [ ACC ] STREAM LISTENING 7562309 1/systemd /run/clamav/clamd.ctl
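The drop-in quoted above lives in a *.service.d directory but carries a [Socket] section. As an added example (not from the post or the ClamAV project), here is a Python check that reads a systemd drop-in and reports the sections systemd will ignore for the unit type named by the drop-in directory; systemd logs such sections as unknown and skips them. The path and contents are the ones quoted in the post.

```python
"""Report systemd drop-in sections that do not belong to the extended unit.

Added example. A drop-in in foo.service.d is merged into foo.service, and
systemd only honours the sections that unit type defines: [Unit], [Install]
and the type's own section ([Service], [Socket], [Mount], ...). Any other
section is logged as unknown and ignored, so a [Socket] block placed under
a *.service.d directory never configures a listener.
"""
import configparser
from pathlib import PurePosixPath

# Constructed sample: the drop-in path and contents quoted in the post.
DROPIN_PATH = "/etc/systemd/system/clamav-daemon.service.d/tcp-socket.conf"
DROPIN_TEXT = """\
[Socket]
ListenStream=3310
"""

# Type-specific section accepted by each unit type, besides [Unit]/[Install].
TYPE_SECTIONS = {
    ".service": "Service",
    ".socket": "Socket",
    ".mount": "Mount",
    ".automount": "Automount",
    ".timer": "Timer",
    ".path": "Path",
    ".swap": "Swap",
}

def extended_unit(path):
    """'/etc/systemd/system/foo.service.d/x.conf' -> 'foo.service'."""
    parent = PurePosixPath(path).parent.name
    if not parent.endswith(".d"):
        raise ValueError(f"{path} is not inside a *.d drop-in directory")
    return parent[:-2]

def misplaced_sections(path, text):
    """Sections in the drop-in that systemd would ignore for its unit type."""
    unit = extended_unit(path)
    unit_type = PurePosixPath(unit).suffix
    allowed = {"Unit", "Install"}
    if unit_type in TYPE_SECTIONS:
        allowed.add(TYPE_SECTIONS[unit_type])
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str              # systemd keys are case-sensitive
    cp.read_string(text)
    return sorted(s for s in cp.sections() if s not in allowed)

def sibling_dropin_path(path, unit_type):
    """Same drop-in file name under the sibling unit of another type,
    e.g. clamav-daemon.service.d -> clamav-daemon.socket.d."""
    p = PurePosixPath(path)
    unit_name = PurePosixPath(extended_unit(path)).stem
    return str(p.parent.parent / f"{unit_name}{unit_type}.d" / p.name)

if __name__ == "__main__":
    bad = misplaced_sections(DROPIN_PATH, DROPIN_TEXT)
    if bad:
        print(f"{DROPIN_PATH}: sections {bad} are ignored by "
              f"{extended_unit(DROPIN_PATH)}; a [Socket] section belongs in "
              f"{sibling_dropin_path(DROPIN_PATH, '.socket')}")
```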
In the second entry of my Apache 2.4 server configuration virtual host file I have:
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName 51.89.98.21
RewriteEngine On
RewriteCond %{HTTP_HOST} ^http://51.89.98.21$1 [NC]
RewriteRule ^(.*)$ http://51.89.98.21/ [R=permanent,END,QSA]
</VirtualHost>
The third configured virtual host is this (partial):
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName www.developmentscout.com
ServerAlias developmentscout.com
UseCanonicalName Off
DocumentRoot "/var/www/vhosts/developmentscout.com/htdocs"
RewriteEngine On
RewriteCond %{REQUEST_URI} ^\.well\-known [NC,OR]
RewriteCond %{HTTP_HOST} ^developmentscout.com$ [NC]
RewriteRule ^ https://www.developmentscout.com%{REQUEST_URI} [END,QSA,R=permanent]
SSLEngine on
SSLCertificateKeyFile /etc/letsencrypt/live/developmentscout.com-0002/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/developmentscout.com-0002/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/developmentscout.com-0002/chain.pem
...
A link such as https://51.89.98.21/industrie/automatisierung/ipc/11315-edge-computing should redirect to http://51.89.98.21, but I get redirected to http://51.89.98.21/industrie/automatisierung/ipc/11315-edge-computing, which shows me the content of the "real" page.
The second virtual host is never reached, because in the log I have the following:
[Tue Oct 24 18:44:23.156932 2023] [ssl:debug] [pid 8958:tid 140379014039296] ssl_engine_kernel.c(383): [client 98.58.102.21:64004] AH02034: Subsequent (No.3) HTTPS request received for child 22272 (server www.developmentscout.com:443), referer: https://51.89.98.21/industrie/automatisierung/ipc/11315-edge-computing
Apparently the https request goes to the wrong URL, which invokes the wrong SSL certificate, and then the http connection is used and the content is displayed.
I tried to create an SSL certificate with Letsencrypt, but that is not possible for an IP. So any suggestions on how to solve this would be great.
Update: in the meantime I have created a self-signed certificate for 51.89.98.21. The (second, after the default) virtual host is:
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName 51.89.98.21
SSLEngine on
SSLCertificateKeyFile /etc/ca-certificates/key.pem
SSLCertificateFile /etc/ca-certificates/cert.pem
RewriteEngine On
RewriteCond %{HTTP_HOST} ^51.89.98.21/$ [NC]
RewriteRule ^ https://51.89.98.21/ [END,QSA,R=permanent]
DocumentRoot /var/www/server3
</VirtualHost>
When I call this URL: https://51.89.98.21/branche/automobil/11819-e-auto-laden-ladestecker-ladekabel, I get Not Found 404.
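As an added example (not the post's configuration), the Python below checks each RewriteCond that tests %{HTTP_HOST} against the hostnames its <VirtualHost> block answers for. Apache fills HTTP_HOST from the request's Host header, so it holds only host or host:port, never a scheme or a path; a pattern that cannot match any of those values is dead and the RewriteRule behind it never fires. The sample blocks are the three vhosts quoted in the post, trimmed to the directives the check reads, and Python's re stands in for Apache's PCRE, which is adequate for patterns this simple.

```python
"""Find RewriteCond %{HTTP_HOST} tests that can never match.

Added example. HTTP_HOST is the request's Host header: 'host' or
'host:port', with no scheme and no path. Each condition is compiled and
tried against every name the vhost serves; no hit means the condition,
and the RewriteRule behind it, is dead.
"""
import re

COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_HOST\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.I)

# Constructed samples: the vhost blocks quoted in the post, trimmed to the
# directives this check reads.
VHOST_80_IP = """\
<VirtualHost *:80>
    ServerName 51.89.98.21
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^http://51.89.98.21$1 [NC]
    RewriteRule ^(.*)$ http://51.89.98.21/ [R=permanent,END,QSA]
</VirtualHost>
"""
VHOST_443_IP = """\
<VirtualHost *:443>
    ServerName 51.89.98.21
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^51.89.98.21/$ [NC]
    RewriteRule ^ https://51.89.98.21/ [END,QSA,R=permanent]
</VirtualHost>
"""
VHOST_443_WWW = """\
<VirtualHost *:443>
    ServerName www.developmentscout.com
    ServerAlias developmentscout.com
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^\\.well\\-known [NC,OR]
    RewriteCond %{HTTP_HOST} ^developmentscout.com$ [NC]
    RewriteRule ^ https://www.developmentscout.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
"""

def host_candidates(vhost_text, ports=(80, 443)):
    """Every Host header value this vhost can legitimately receive."""
    names = []
    for line in vhost_text.splitlines():
        m = NAME_RE.match(line)
        if m:
            names.extend(m.group(1).split())
    return set(names) | {f"{n}:{p}" for n in names for p in ports}

def dead_host_conditions(vhost_text):
    """(pattern, flags) for each %{HTTP_HOST} RewriteCond that matches none
    of the vhost's hostnames. Negated ('!') conditions are left alone."""
    hosts = host_candidates(vhost_text)
    dead = []
    for line in vhost_text.splitlines():
        m = COND_RE.match(line)
        if m is None or m.group(1).startswith("!"):
            continue
        pattern, flags = m.group(1), m.group(2) or ""
        nocase = "NC" in flags.upper().split(",")
        try:
            rx = re.compile(pattern, re.IGNORECASE if nocase else 0)
        except re.error:
            dead.append((pattern, flags))       # cannot be evaluated: report it
            continue
        if not any(rx.search(h) for h in hosts):  # mod_rewrite matches unanchored
            dead.append((pattern, flags))
    return dead

if __name__ == "__main__":
    for name, text in (("*:80 IP", VHOST_80_IP), ("*:443 IP", VHOST_443_IP),
                       ("*:443 www", VHOST_443_WWW)):
        print(name, dead_host_conditions(text) or "all HTTP_HOST conditions reachable")
```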