Tiffany Walker's questions

CentOS PHP-FPM

'./configure'  '--enable-fpm' '--with-libdir=lib64' '--with-bz2' '--with-curl=/usr/local/lib' '--with-gd' '--with-gettext' '--with-jpeg-dir=/usr/local/lib' '--with-freetype-dir=/usr/local/lib' '--with-kerberos' '--with-mcrypt' '--with-mhash' '--with-mysql' '--with-mysqli' '--with-pcre-regex=/usr' '--with-pdo-mysql=shared' '--with-pdo-sqlite=shared' '--with-pear=/usr/local/lib/php' '--with-png-dir=/usr/local/lib' '--with-pspell' '--with-sqlite=shared' '--with-tidy' '--with-xmlrpc' '--with-xsl' '--with-zlib' '--with-zlib-dir=/usr/local/lib' '--with-openssl' '--with-iconv' '--enable-bcmath' '--enable-calendar' '--enable-exif' '--enable-ftp' '--enable-gd-native-ttf' '--enable-libxml' '--enable-magic-quotes' '--enable-soap' '--enable-sockets' '--enable-mbstring' '--enable-zip' '--enable-wddx'

尝试安装 xcache 但我不断收到以下错误：

root@www1 [/usr/src/xcache-3.0.3]# make
/usr/bin/m4 -B 102400 -D srcdir='`'"/usr/src/xcache-3.0.3'" -D builddir='`'".'"  /usr/src/xcache-3.0.3/processor/main.m4 > ./processor.out.c.tmp
/usr/bin/m4: Warning: `m4 -B' may be removed in a future release
AUTOCHECK INFO: runtime autocheck Disabled (optimized build)
AUTOCHECK INFO: zend_compiled_variable: processor looks good
AUTOCHECK ERROR: ==== calc zend_try_catch_element =================
AUTOCHECK expected: "try_op","catch_op","finally_op","finally_end"
AUTOCHECK missing : "finally_op" "finally_end"
AUTOCHECK INFO: zend_brk_cont_element: processor looks good
AUTOCHECK INFO: HashTable: processor looks good
AUTOCHECK INFO: zval: processor looks good
AUTOCHECK INFO: zend_arg_info: processor looks good
AUTOCHECK INFO: zend_constant: processor looks good
AUTOCHECK INFO: zend_property_info: processor looks good
AUTOCHECK INFO: zend_trait_method_reference: processor looks good
AUTOCHECK INFO: zend_trait_alias: processor looks good
AUTOCHECK INFO: zend_trait_precedence: processor looks good
AUTOCHECK INFO: zend_class_entry: processor looks good
AUTOCHECK INFO: znode: processor looks good
AUTOCHECK INFO: zend_op: processor looks good
AUTOCHECK INFO: zend_literal: processor looks good
AUTOCHECK ERROR: ==== calc zend_op_array =================
AUTOCHECK expected: "type","function_name","scope","fn_flags","prototype","num_args","required_num_args","arg_info","refcount","opcodes","last","vars","last_var","T","nested_calls","used_stack","brk_cont_array","last_brk_cont","try_catch_array","last_try_catch","has_finally_block","static_variables","this_var","filename","line_start","line_end","doc_comment","doc_comment_len","early_binding","literals","last_literal","run_time_cache","last_cache_slot","reserved"
AUTOCHECK missing : "nested_calls" "used_stack" "has_finally_block"
AUTOCHECK INFO: xc_constinfo_t: processor looks good
AUTOCHECK INFO: xc_op_array_info_detail_t: processor looks good
AUTOCHECK INFO: xc_op_array_info_t: processor looks good
AUTOCHECK INFO: xc_funcinfo_t: processor looks good
AUTOCHECK INFO: xc_classinfo_t: processor looks good
AUTOCHECK INFO: xc_autoglobal_t: processor looks good
AUTOCHECK INFO: xc_compilererror_t: processor looks good
AUTOCHECK INFO: xc_entry_data_php_t: processor looks good
AUTOCHECK INFO: xc_entry_t: processor looks good
AUTOCHECK INFO: xc_entry_php_t: processor looks good
AUTOCHECK INFO: xc_entry_var_t: processor looks good
AUTOCHECK ERROR: ==== store zend_try_catch_element =================
AUTOCHECK ERROR: ==== store zend_op_array =================
AUTOCHECK ERROR: ==== restore zend_try_catch_element =================
AUTOCHECK ERROR: ==== restore zend_op_array =================
AUTOCHECK ERROR: ==== dprint zend_try_catch_element =================
AUTOCHECK ERROR: ==== dprint zend_op_array =================
AUTOCHECK ERROR: ==== dasm zend_try_catch_element =================
AUTOCHECK ERROR: ==== dasm zend_op_array =================
AUTOCHECK ERROR: ==== asm zend_try_catch_element =================
AUTOCHECK ERROR: ==== asm zend_op_array =================
make: *** [processor.out.c] Error 1

我做了以下事情：

~/src $ wget http://... (the release url)
~/src $ tar -zxf xcache-*.tar.gz
~/src $ cd xcache
~/src/xcache $ phpize
~/src/xcache $ ./configure --enable-xcache
~/src/xcache $ make

root@monitor:/opt/observium# service syslog-ng restart
Stopping system logging: syslog-ng.
Starting system logging: syslog-ngsyslog-ng: Error setting capabilities, capability management disabled; error='Operation not permitted'

root@monitor:/opt/observium# uname -a
Linux monitor 2.6.32-042stab075.2 #1 SMP Tue Mar 5 15:21:53 MSK 2013 x86_64 GNU/Linux

这是内核的问题吗？

我下载了 SNMPWalk.exe 并运行了以下命令：

snmpwalk.exe -r:192.168.2.254 -p:161 -c:"public" -os:.1.3.1.1.4.1.4526

我最终得到了超过 900 个 OID 选项。我怎么知道他们做了什么以及如何正确地绘制它们或找到与它们一起使用的图表？

我还应该提到我对 OID 以及它到底是什么知之甚少。

我在 Apache 前面有 nginx 服务静态内容。但是，我希望 nginx 提供一个页面而不是去 apache。

...
server {
location /nginx_status {
stub_status on;
}
}
include "/etc/nginx/vhosts/*";

但是，当我尝试访问它 IP/nginx_status 时，我在 Apache 上得到一个 404 页面。

nginx -V
nginx version: nginx/1.4.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --with-http_flv_module --with-http_mp4_module --with-pcre=/usr/local/src/publicnginx/pcre-8.32 --sbin-path=/usr/local/sbin --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_realip_module --with-http_ssl_module --http-client-body-temp-path=/tmp/nginx_client --http-proxy-temp-path=/tmp/nginx_proxy --http-fastcgi-temp-path=/tmp/nginx_fastcgi --with-http_stub_status_module

您必须重新启动 MySQL 才能编辑更改吗？或者您可以即时编辑它们并重新启动 MySQL 或在 MySQL 内部进行更改吗？

该服务器运行着 100 个活动的网站，除非必须，否则我真的不想关闭 mysql 以重新启动。

您可以在主机节点上使用 IPTables 还是会影响节点上的所有容器？

我不确定使用 iptables 是否会影响下面的所有容器。

如果我将 master .htaccess 添加到根目录，哪些方面会被带入子目录？就像 .htaccess 中的设置进行到/root/sub1/和/root/sub2/.

我想用我的 .htaccess 来阻止机器人、垃圾邮件、机器人程序和其他媒介，并且想知道什么会被带走。这是基于 Joolma 和 Drupal 类型的网站。

您如何确定哪个 OpenVZ 包含受到 dDoS 攻击？

我知道这是一次攻击，因为黑白和传入流量猛增。

这可以用 netstat 完成吗？如果某些攻击攻击了没有服务运行的端口，它们是否不会像 UDP 一样显示在 netstat 上？是否可以在主机节点上安装监控服务？

这更像是一个学习和理解 BIND/NAMED 的实验，但这就是我所拥有的。

我将我的计算机 DNS 设置为我的 linux 服务器的 IP。我使用以下条目运行 BIND9：

$TTL    1 @     IN      SOA     1.2.3.4. google.com. (
                              2013041602                ; Serial
                              1         ; Refresh
                              1         ; Retry
                              10000             ; Expire
                              1 )       ; Negative Cac
home       14400   IN      A       1.2.3.4
*       14400   IN      A       2.2.2.2
space     14400   IN      A       1.2.3.4


1.2.3.4 = My Server IP

如果我 ping home.google.com，我在家里的电脑上什么也得不到。如果我的 DNS 指向 BIND9 服务器，它不应该获取那些 DNS 记录吗？

这是在服务器上（Windows 有挖掘功能吗？）

我编辑了 /etc/resolv.conf 以使用我的 Linux 服务器作为 DNS。

dig home.google.com

; <<>> DiG 9.8.1-P1 <<>> home.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2032
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.google.com.     IN      A

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Wed Apr 17 10:00:59 2013
;; MSG SIZE  rcvd: 43

查询：

Server:  UnKnown
Address:  1.2.3.4

*** UnKnown can't find home.google.com: Server failed

命名.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

命名.conf.选项：

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

         forwarders {
                75.75.75.75;
                75.75.76.76;
         };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

命名的.conf.local

zone "google.com" {
        type master;
        file "/etc/bind/db.google.com";
};

zone "2.3.4.in-addr.arpa" {
        type master;
        notify no;
        file "/etc/bind/db.192";
};

/etc/bind/named.conf.default-zones

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

我找到了这个脚本，想知道这是否有点矫枉过正甚至值得使用？

只使用 mod_security 对我来说更好吗？

# Generated using http://solidshellsecurity.com services
# Begin block Bad-Robots from robots.txt
User-agent: asterias
Disallow:/
User-agent: BackDoorBot/1.0
Disallow:/
User-agent: Black Hole
Disallow:/
User-agent: BlowFish/1.0
Disallow:/
User-agent: BotALot
Disallow:/
User-agent: BuiltBotTough
Disallow:/
User-agent: Bullseye/1.0
Disallow:/
User-agent: BunnySlippers
Disallow:/
User-agent: Cegbfeieh
Disallow:/
User-agent: CheeseBot
Disallow:/
User-agent: CherryPicker
Disallow:/
User-agent: CherryPickerElite/1.0
Disallow:/
User-agent: CherryPickerSE/1.0
Disallow:/
User-agent: CopyRightCheck
Disallow:/
User-agent: cosmos
Disallow:/
User-agent: Crescent
Disallow:/
User-agent: Crescent Internet ToolPak HTTP OLE Control v.1.0
Disallow:/
User-agent: DittoSpyder
Disallow:/
User-agent: EmailCollector
Disallow:/
User-agent: EmailSiphon
Disallow:/
User-agent: EmailWolf
Disallow:/
User-agent: EroCrawler
Disallow:/
User-agent: ExtractorPro
Disallow:/
User-agent: Foobot
Disallow:/
User-agent: Harvest/1.5
Disallow:/
User-agent: hloader
Disallow:/
User-agent: httplib
Disallow:/
User-agent: humanlinks
Disallow:/
User-agent: InfoNaviRobot
Disallow:/
User-agent: JennyBot
Disallow:/
User-agent: Kenjin Spider
Disallow:/
User-agent: Keyword Density/0.9
Disallow:/
User-agent: LexiBot
Disallow:/
User-agent: libWeb/clsHTTP
Disallow:/
User-agent: LinkextractorPro
Disallow:/
User-agent: LinkScan/8.1a Unix
Disallow:/
User-agent: LinkWalker
Disallow:/
User-agent: LNSpiderguy
Disallow:/
User-agent: lwp-trivial
Disallow:/
User-agent: lwp-trivial/1.34
Disallow:/
User-agent: Mata Hari
Disallow:/
User-agent: Microsoft URL Control - 5.01.4511
Disallow:/
User-agent: Microsoft URL Control - 6.00.8169
Disallow:/
User-agent: MIIxpc
Disallow:/
User-agent: MIIxpc/4.2
Disallow:/
User-agent: Mister PiX
Disallow:/
User-agent: moget
Disallow:/
User-agent: moget/2.1
Disallow:/
User-agent: mozilla/4
Disallow:/
User-agent: Mozilla/4.0 (compatible; BullsEye; Windows 95)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows NT)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows XP)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 2000)
Disallow:/
User-agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows ME)
Disallow:/
User-agent: mozilla/5
Disallow:/
User-agent: NetAnts
Disallow:/
User-agent: NICErsPRO
Disallow:/
User-agent: Offline Explorer
Disallow:/
User-agent: Openfind
Disallow:/
User-agent: Openfind data gathere
Disallow:/
User-agent: ProPowerBot/2.14
Disallow:/
User-agent: ProWebWalker
Disallow:/
User-agent: QueryN Metasearch
Disallow:/
User-agent: RepoMonkey
Disallow:/
User-agent: RepoMonkey Bait & Tackle/v1.01
Disallow:/
User-agent: RMA
Disallow:/
User-agent: SiteSnagger
Disallow:/
User-agent: SpankBot
Disallow:/
User-agent: spanner
Disallow:/
User-agent: suzuran
Disallow:/
User-agent: Szukacz/1.4
Disallow:/
User-agent: Teleport
Disallow:/
User-agent: TeleportPro
Disallow:/
User-agent: Telesoft
Disallow:/
User-agent: The Intraformant
Disallow:/
User-agent: TheNomad
Disallow:/
User-agent: TightTwatBot
Disallow:/
User-agent: Titan
Disallow:/
User-agent: toCrawl/UrlDispatcher
Disallow:/
User-agent: True_Robot
Disallow:/
User-agent: True_Robot/1.0
Disallow:/
User-agent: turingos
Disallow:/
User-agent: URLy Warning
Disallow:/
User-agent: VCI
Disallow:/
User-agent: VCI WebViewer VCI WebViewer Win32
Disallow:/
User-agent: Web Image Collector
Disallow:/
User-agent: WebAuto
Disallow:/
User-agent: WebBandit
Disallow:/
User-agent: WebBandit/3.50
Disallow:/
User-agent: WebCopier
Disallow:/
User-agent: WebEnhancer
Disallow:/
User-agent: WebmasterWorldForumBot
Disallow:/
User-agent: WebSauger
Disallow:/
User-agent: Website Quester
Disallow:/
User-agent: Webster Pro
Disallow:/
User-agent: WebStripper
Disallow:/
User-agent: WebZip
Disallow:/
User-agent: WebZip/4.0
Disallow:/
User-agent: Wget
Disallow:/
User-agent: Wget/1.5.3
Disallow:/
User-agent: Wget/1.6
Disallow:/
User-agent: WWW-Collector-E
Disallow:/
User-agent: Xenu's
Disallow:/
User-agent: Xenu's Link Sleuth 1.1c
Disallow:/
User-agent: Zeus
Disallow:/
User-agent: Zeus 32297 Webster Pro V2.9 Win32
Disallow:/

User-agent: *
Crawl-delay: 10
Disallow: /cgi-bin/
Disallow: /wp-admin
Disallow: /wp-content
Disallow: /wp-includes

我有一个提供商提供的高级 SSL 证书，他们向我发送了 chain.cer、site.pem 和 site.cer。我是否需要做一些特别的事情来避免收到“该站点的安全证书不受信任！” 使用 SSL 连接浏览时？

我的配置文件

server {
        listen       80;
        server_name  site.com www.site.com;
        root /home/site/public_html;

        listen       443 ssl;
        ssl_certificate      /root/site.cer;
        ssl_certificate_key  /root/site.key;

我的 nginx 具有以下设置：

 server {
        listen       80;
        server_name  site.com www.site.com;
        root /home/site/public_html;

        listen       443;
        #server_name  site.com www.site.com;
        #root /home/site/public_html;
        ssl_certificate      /root/site.pem;
        ssl_certificate_key  /root/site.key;

但是，当我查看 SSL 连接时，我得到：

An error occurred during a connection to grewpler.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

我正在TrustWave Premium SSL用作 SSL 证书颁发机构。

Mar 24 03:29:26 kernel: [1557411.243821] TCP: time wait bucket table overflow (CT0)
Mar 24 03:29:26 kernel: [1557411.243828] TCP: time wait bucket table overflow (CT0)
Mar 24 03:29:26 kernel: [1557411.243998] TCP: time wait bucket table overflow (CT0)
Mar 24 03:29:26 kernel: [1557411.244877] TCP: time wait bucket table overflow (CT0)
: [1564292.095620] __ratelimit: 37822 callbacks suppressed
Mar 24 05:24:18 kernel: [1564292.095623] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.095629] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.095866] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096156] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096201] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096232] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18  kernel: [1564292.096271] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096310] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096348] nf_conntrack: table full, dropping packet.
Mar 24 05:24:18 kernel: [1564292.096376] nf_conntrack: table full, dropping packet.

-

sysctl -p
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_generic_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_icmp_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_udp_timeout_stream" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_udp_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ip_conntrack_max" is an unknown key

和

/sbin/lsmod | egrep 'ip_tables|conntrack'
xt_conntrack            3968  0
nf_conntrack_ftp       12929  1 nf_nat_ftp
nf_conntrack_ipv4       9946  55 iptable_nat,nf_nat
nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
ip_tables              18151  3 iptable_filter,iptable_nat,iptable_mangle
nf_conntrack_ipv6       8732  24
nf_defrag_ipv6         12315  1 nf_conntrack_ipv6
nf_conntrack           80236  9 nf_nat_ftp,xt_conntrack,nf_conntrack_ftp,xt_connlimit,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ipv6                  325405  35 ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6

-

核心

2.6.32-379.22.1.lve1.2.13.el6.x86_64 #1 SMP Fri Mar 1 09:43:47 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

那么我需要做什么来修复以下错误呢？

我的配置文件中有以下设置：(/etc/rsnapshot.conf)

脚本/工具：http ://www.rsnapshot.org/

backup_script   ssh     [email protected] "sh /home/user/backup_mysql.sh"     ./mysql

该示例显示以下内容：

backup_script  ssh [email protected] "mysqldump -A > /var/db/dump/mysql.sql"    unused2

我得到的错误：

ERROR: backup_script /usr/bin/ssh returned 255  

我究竟做错了什么？

拨入服务器 2 的服务器 1

ssh-keygen -t dsa -b 1024 (no password)
scp id_dsa.pub [email protected]:/home/user/.ssh

服务器2：

[~/.ssh]# cat id_dsa.pub >> ./authorized_keys

但是当我执行 ssh [email protected] 时，我得到：

[email protected]'s password:

编辑：

server1: ssh-keygen -t dsa -b 1024 (no password)
server1: ssh-copy-id -i ~/.ssh/id_dsa [email protected]
server1: ssh [email protected] -- get promoted for a password

如何使用正确的用户以便无​​需密码即可登录？

服务器 1 发送到服务器 2：

Connecting to domain.com [1.1.1.1]:25 ... connected
  SMTP<< 451 Temporary local problem - please try later
  SMTP>> QUIT
LOG: MAIN
  SMTP error from remote mail server after initial connection: host domain.com [1.1.1.1]: 451 Temporary local problem - please try later
LOG: MAIN
  == [email protected] R=dkim_lookuphost T=dkim_remote_smtp defer (0): SMTP error from remote mail server after initial connection: host domain.com [1.1.1.1]: 451 Temporary local problem - please try later
LOG: queue_run MAIN
  End queue run: pid=42746 -qff

服务器2：

2013-02-13 19:35:07 1U5mn3-0006KF-Ft Completed
2013-02-13 19:38:36 SMTP connection from [1.1.1.1]:10702 (TCP/IP connection count = 1)
2013-02-13 19:38:36 no IP address found for host 1.1.1.1.choopa.net (during SMTP connection from [1.1.1.1]:10702)
2013-02-13 19:38:36 H=(host.domain.com) [1.1.1.1]:10702 F=<> rejected RCPT <[email protected]>: "
2013-02-13 19:38:37 H=(host.domain.com) [1.1.1.1]:10702 F=<> rejected RCPT <[email protected]>: "
2013-02-13 19:38:37 H=(host.domain.com) [1.1.1.1]:10702 F=<> rejected RCPT <[email protected]>: "
2013-02-13 19:38:37 H=(host.domain.com) [1.1.1.1]:10702 F=<> rejected RCPT <[email protected]>: "
2013-02-13 19:38:37 H=(host.domain.com) [1.1.1.1]:10702 Warning: "Detected session with all messages failed"
2013-02-13 19:38:37 H=(host.domain.com) [1.1.1.1]:10702 Warning: "Increment slow_fail_block Ratelimit - (host.domain.com) [1.1.1.1]:10702 because of all messages failed"
2013-02-13 19:38:37 SMTP connection from (host.domain.com) [1.1.1.1]:10702 closed by QUIT
2013-02-13 19:38:37 SMTP connection from [1.1.1.1]:10723 (TCP/IP connection count = 1)
2013-02-13 19:38:38 no IP address found for host 1.1.1.1.choopa.net (during SMTP connection from [1.1.1.1]:10723)
2013-02-13 19:38:38 H=[1.1.1.1]:10723 temporarily rejected connection in "connect" ACL: "Host is ratelimited due to multiple failure only connections (5.8/1h max:5)"
2013-02-13 19:38:38 SMTP connection from [1.1.1.1]:10725 (TCP/IP connection count = 1)
2013-02-13 19:38:38 no IP address found for host 1.1.1.1.choopa.net (during SMTP connection from [1.1.1.1]:10725)
2013-02-13 19:38:38 H=[1.1.1.1]:10725 temporarily rejected connection in "connect" ACL: "Host is ratelimited due to multiple failure only connections (5.8/1h max:5)"
2013-02-13 19:38:39 SMTP connection from [1.1.1.1]:10735 (TCP/IP connection count = 1)
2013-02-13 19:38:39 no IP address found for host 1.1.1.1.choopa.net (during SMTP connection from [1.1.1.1]:10735)
2013-02-13 19:38:39 H=[1.1.1.1]:10735 temporarily rejected connection in "connect" ACL: "Host is ratelimited due to multiple failure only connections (5.8/1h max:5)"
2013-02-13 19:38:40 SMTP connection from [1.1.1.1]:10740 (TCP/IP connection count = 1)
2013-02-13 19:38:40 no IP address found for host 1.1.1.1.choopa.net (during SMTP connection from [1.1.1.1]:10740)
2013-02-13 19:38:40 H=[1.1.1.1]:10740 temporarily rejected connection in "connect" ACL: "Host is ratelimited due to multiple failure only connections (5.8/1h max:5)"
2013-02-13 19:38:40 SMTP connection from [1.1.1.1]:10741 (TCP/IP connection count = 1)

如何删除速率限制？

我有 nginx/php-fpm 运行但我得到以下信息：

apr_socket_recv: Connection timed out (110)

这是一个巨大的大盒子。16 核/24GB 内存

我需要调整什么以增加允许的连接数？

编辑：

刚刚在 dmesg 中找到这个

nf_conntrack: table full, dropping packet

看起来我需要提高这些值。

我有一个备份服务器，我想知道我是否设置了一个 cron 作业以允许从 IPTables 中的服务器连接，然后一旦它与 rsync 连接，我可以使用 IPTables 然后关闭端口以防止连接吗？

这个想法是为了阻止主服务器被破坏时备份被擦除的机会（是的，它是安全的，但我不冒险。）

编辑：在尝试了东西之后并且因为事情是如何工作的。我决定最好的主意是设置第二台服务器，它只会从第一台服务器中提取数据。

mv /lib64/libkeyutils.so.1.9 /root
service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libkeyutils.so.1: cannot open shared object file: No such file or directory
                                                           [FAILED]

如何从 SSHD 中删除它？

需要解决这个问题： http ://www.webhostingtalk.com/showpost.php?p=8548338&postcount=4

现在我已经听说了这个漏洞的 REF：http: //blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/

他们没有使用 root 登录，甚至没有生成 bash 进程。如果 lib 被移出，并且 sshd 被重新启动，他们将无法再登录 fwiw。

关键是找出他们是如何进入的。完全升级的、ssh 密钥受限的 sshd，在非标准端口上正在被破坏。我的客户都不是，但我收到了很多关于这个问题的销售咨询，所以我不知道机器的完整历史。

[/lib64]# rpm -vV openssh
.........    /etc/ssh
.........  c /etc/ssh/moduli
.........    /usr/bin/ssh-keygen
.........    /usr/libexec/openssh
.........    /usr/libexec/openssh/ssh-keysign
.........    /usr/share/doc/openssh-5.3p1
.........  d /usr/share/doc/openssh-5.3p1/CREDITS
.........  d /usr/share/doc/openssh-5.3p1/ChangeLog
.........  d /usr/share/doc/openssh-5.3p1/INSTALL
.........  d /usr/share/doc/openssh-5.3p1/LICENCE
.........  d /usr/share/doc/openssh-5.3p1/OVERVIEW
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL
.........  d /usr/share/doc/openssh-5.3p1/PROTOCOL.agent
.........  d /usr/share/doc/openssh-5.3p1/README
.........  d /usr/share/doc/openssh-5.3p1/README.dns
.........  d /usr/share/doc/openssh-5.3p1/README.nss
.........  d /usr/share/doc/openssh-5.3p1/README.platform
.........  d /usr/share/doc/openssh-5.3p1/README.privsep
.........  d /usr/share/doc/openssh-5.3p1/README.smartcard
.........  d /usr/share/doc/openssh-5.3p1/README.tun
.........  d /usr/share/doc/openssh-5.3p1/TODO
.........  d /usr/share/doc/openssh-5.3p1/WARNING.RNG
.........  d /usr/share/man/man1/ssh-keygen.1.gz
.........  d /usr/share/man/man8/ssh-keysign.8.gz
[/lib64]# rpm -vV openssh-clients
S.5....T.  c /etc/ssh/ssh_config
.........    /usr/bin/.ssh.hmac
.........    /usr/bin/scp
.........    /usr/bin/sftp
.........    /usr/bin/slogin
.........    /usr/bin/ssh
.........    /usr/bin/ssh-add
.........    /usr/bin/ssh-agent
.........    /usr/bin/ssh-copy-id
.........    /usr/bin/ssh-keyscan
.........  d /usr/share/man/man1/scp.1.gz
.........  d /usr/share/man/man1/sftp.1.gz
.........  d /usr/share/man/man1/slogin.1.gz
.........  d /usr/share/man/man1/ssh-add.1.gz
.........  d /usr/share/man/man1/ssh-agent.1.gz
.........  d /usr/share/man/man1/ssh-copy-id.1.gz
.........  d /usr/share/man/man1/ssh-keyscan.1.gz
.........  d /usr/share/man/man1/ssh.1.gz
.........  d /usr/share/man/man5/ssh_config.5.gz
[/lib64]# rpm -vV openssh-server
.......T.  c /etc/pam.d/ssh-keycat
S.5....T.  c /etc/pam.d/sshd
.........    /etc/rc.d/init.d/sshd
S.5....T.  c /etc/ssh/sshd_config
.........  c /etc/sysconfig/sshd
.........    /usr/libexec/openssh/sftp-server
.........    /usr/libexec/openssh/ssh-keycat
.........    /usr/sbin/.sshd.hmac
.........    /usr/sbin/sshd
.........    /usr/share/doc/openssh-server-5.3p1
.........  d /usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
.........  d /usr/share/man/man5/moduli.5.gz
.........  d /usr/share/man/man5/sshd_config.5.gz
.........  d /usr/share/man/man8/sftp-server.8.gz
.........  d /usr/share/man/man8/sshd.8.gz
.........    /var/empty/sshd

和

[/lib64]# rpm -qf /lib64/libkeyutils.so.1.9
file /lib64/libkeyutils.so.1.9 is not owned by any package
[/lib64]# rpm -vV keyutils-libs
....L....    /lib64/libkeyutils.so.1
.........    /lib64/libkeyutils.so.1.3
.........    /usr/share/doc/keyutils-libs-1.4
.........  d /usr/share/doc/keyutils-libs-1.4/LICENCE.LGPL

/tmp 是否有理想的 chmod（/var/tmp 符号链接到 /tmp）？

我见过人们以两种方式提到它，只是对它们之间的区别感到好奇。

这是安全差异吗？