以下 crontab 命令:
5 * * * * www-data /usr/bin/php5 /home/... >> /var/log/piwik_archive.log 2>&1
生产,在/var/log/piwik_archive.log:
/bin/sh: www-data: command not found
如何指定 crontab 命令用户?
我可以看到linux-image-3.2.0-4-686-pae已安装的软件包:
# apt-cache policy linux-image-3.2.0-4-686-pae
linux-image-3.2.0-4-686-pae:
Installé : 3.2.82-1
Candidat : 3.2.82-1
Table de version :
*** 3.2.82-1 0
100 /var/lib/dpkg/status
但我正在运行的内核是:
uname -a
Linux igname 3.16.0-4-686-pae #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) i686 GNU/Linux
我可以删除linux-image-3.2.0-4-686-pae包裹吗?如果是,为什么它仍然安装?
尝试建立远程 ssh 端口转发:
在我的远程主机上,/etc/ssh/sshd_config
GatewayPorts 客户端指定
在我的本地计算机上:
ssh -g -R 1234:0.0.0.0:8000 me@my-remote-host
通过调试,我们可以阅读:
debug1: Authentication succeeded (publickey).
Authenticated to s1.bux.fr ([178.32.223.76]:22).
debug1: Remote connections from LOCALHOST:1234 forwarded to local address 0.0.0.0:8000
debug2: fd 3 setting TCP_NODELAY
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: remote forward success for: listen 1234, connect 0.0.0.0:8000
debug1: All remote forwarding requests processed
在远程主机上,我们可以联系到 1234 端口(WSGIServer/0.2 CPython/3.4.3是本地机器的 8000 端口):
# http :1234
HTTP/1.0 302 Found
Content-Type: text/html; charset=utf-8
Date: Wed, 19 Oct 2016 13:26:00 GMT
Location: /accounts/login/
Server: WSGIServer/0.2 CPython/3.4.3
Vary: Cookie
X-Frame-Options: SAMEORIGIN
我们可以查看打开的端口:
# netstat -tupln | grep 1234
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN 14460/1
tcp6 0 0 ::1:1234 :::* LISTEN 14460/1
但是,从世界上的另一台机器上,我无法联系my-remote-host:1324:
# http my-remote-host:1234
http: error: ConnectionError: HTTPConnectionPool(host='my-remote-host', port=1234): Max retries exceeded with url: / (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0xb6b2fbec>: Failed to establish a new connection: [Errno 111] Connection refused',)) while doing GET request to URL: http://my-remote-host:1234/
my-remote-host 上没有防火墙:
# iptables -L
[sudo] password for bux:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-sshd tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
如何找到它阻塞的地方?
只需在 debian 8 下获取新的专用服务器并检查有关 cpu 的一些信息:
$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Vendor ID: GenuineIntel
CPU family: 6
Model: 42
Model name: Intel(R) Core(TM) i3-2130 CPU @ 3.40GHz
Stepping: 7
CPU MHz: 1600.257
BogoMIPS: 6784.70
Virtualization: VT-x
Model name指示Intel(R) Core(TM) i3-2130 CPU @ 3.40GHz和CPU MHz指示1600.257。为什么显示的cpu速度不一样?
我的 nagios 因 fail2ban 服务而失败。有了其他命令就可以了:
nagios@server:/usr/lib/nagios/plugins$ /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c "check_load"
OK - 平均负载:0.00, 0.06, 0.08|load1=0.000;15.000;30.000;0; 负载5=0.060;10.000;25.000;0; 负载15=0.080;5.000;20.000;0;
使用 fail2ban 服务它不起作用。此 fail2ban 脚本对此进行测试(请参阅http://pastebin.com/1utP9iM6):
$(ps aux |grep "fail2ban.sock" |grep -v grep| wc -l)
如果我用 nagios 用户测试它,它会正确返回1。但是当它由 NRPE 执行时,它会失败:
nagios@server:/usr/lib/nagios/plugins$ /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c "check_fail2ban" /var/log/fail2ban.log /etc/fail2ban/jail.conf 10 20
0
++++ 进程未运行 ++++
我如何调试更多以发现问题所在?
在 debian 和基于 debian 上测试:
$ cd // && pwd && ls
//
bin build dev home ...
为什么路径//是有效路径?
我使用特定命令来检查安全更新:
/usr/bin/apt-get update -o Dir::Etc::SourceList=/etc/apt/security.sources.list
但是在执行时,它使用/etc/apt/sources.list.d/中的源文件。所以我希望这个命令只读取指定的源文件。怎么做 ?
我正在使用 iptables 保护我的 debian。我这样做是为了允许 ssh、http 和 https:
# history | grep iptable
18 /sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
22 /sbin/iptables -I INPUT 2 -i lo -j ACCEPT
23 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
24 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
25 /sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
26 /sbin/iptables -P INPUT DROP
18:已建立连接 22:本地主机 23、24、25:ssh、http、https 26:阻止其他
我的规则:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
该行:
ACCEPT all -- anywhere anywhere
吓到我了:这条规则允许所有流量?
编辑:
# iptables -L -v -n
Chain INPUT (policy DROP 1352 packets, 99220 bytes)
pkts bytes target prot opt in out source destination
275 21348 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 67 packets, 9852 bytes)
pkts bytes target prot opt in out source destination
我有一个带有测试套件的应用程序。这些测试需要在特定时期(2012 年 1 月 1 日至 2012 年 12 月 31 日之间的日期)运行。
是否可以在虚拟主机中强制返回日期(到 php、python 等脚本)而不是系统时钟?
我的 apache2 配置有问题:我在服务器上有两个网站:
- 域名1.tdl
- 域2.tdl
其中之一 (domain2.tdl) 必须并且可以在端口 443 上访问(使用 SSL)。所有域都必须并且可以通过端口 80 访问。但是当我们尝试在端口 443 上访问 domain1.tdl 时,会显示 domain2.tdl 文件。因此,在端口 443 上,domain2.tdl 可由 domain1.tdl和domain2.tdl 访问。我不要!
我的配置:
域 1.tdl:
<VirtualHost *:80>
DocumentRoot /home/sites/domain1.tdl/www
ServerName domain1.tdl
ServerAlias www.domain1.tdl
ServerAdmin xxx@mail.com
RewriteEngine on
<Directory "/home/sites/domain1.tdl/www">
AllowOverride All
allow from all
Options -Indexes
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /home/sites/domain1.tdl/www
ServerName domain1.tdl
ServerAlias www.domain1.tdl
ServerAdmin xxx@mail.com
RewriteEngine on
<Directory "/home/sites/domain1.tdl/www">
AllowOverride All
allow from all
Options -Indexes
</Directory>
域 2.tdl:
<VirtualHost *:80>
DocumentRoot "/home/sites/domain2.tdl/web"
ServerName domain2.tdl
ErrorLog /var/log/apache2/site/error_domain2.tdl.log
CustomLog /var/log/apache2/site/access_domain2.tdl.log combined
<Directory "/home/sites/domain2.tdl/web">
allow from all
Options -Indexes
</Directory>
ServerAlias www.domain2.tdl
</VirtualHost>
<VirtualHost domain2.tdl:443>
DocumentRoot "/home/sites/domain2.tdl/web"
ServerName domain2.tdl
ErrorLog /var/log/apache2/site/error_domain2.tdl.log
CustomLog /var/log/apache2/site/access_domain2.tdl.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/private/domain2.tdl/domain2.tdl.crt
SSLCertificateKeyFile /etc/ssl/private/domain2.tdl/domain2.tdl.key
SSLCACertificateFile /etc/ssl/private/domain2.tdl/GandiStandardSSLCA.pem
SSLVerifyClient None
<Directory "/home/sites/domain2.tdl/web">
allow from all
Options -Indexes
</Directory>
ServerAlias www.domain2.tdl
</VirtualHost>