
Steffen's questions

Steffen
Asked: 2022-03-06 10:54:50 +0800 CST

firewalld: logging blocked outgoing connections

  • 0 votes

I have configured firewalld so that the firewall also blocks outgoing connections. Outgoing traffic has to be whitelisted by adding specific rules. This works fine.

But now I want to know whether any outgoing connections are currently still being blocked by the firewall. To check this I set LogDenied to all and restarted/reloaded firewalld. Now I can see many firewall messages in /var/log/messages for REJECTed incoming packets, e.g.

Mar  5 19:45:29 kvm011 kernel: FINAL_REJECT: IN=br0-enp3s0 OUT= MAC=80:ee:73:9d:59:09:98:9b:cb:bf:c3:7e:08:00 SRC=192.168.1.254 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55873 DF PROTO=TCP SPT=41047 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 

But blocked outgoing traffic does not seem to be logged. I tested it: SMTP port 25 is not whitelisted for outgoing traffic. So if I try to send an e-mail, the e-mail is marked as "deferred" and I see in the mail log that it could not be sent:

Mar  5 19:46:21 kvm011 postfix/smtp[3240]: connect to xxx.xxx.org[193.111.xxx.xxx]:25: Connection timed out

But there is no firewall message in /var/log/messages (for the blocked connection on port 25). Do I have to activate these messages in firewalld? If so, how?

logging centos7 firewalld
  • 1 answer
  • 399 views
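Added example, not part of Steffen's question or of firewalld itself. The FINAL_REJECT prefix in the message above comes from firewalld's own final reject rule, which is what LogDenied covers; a DROP added as a direct rule has no LOG rule in front of it, so packets it drops leave no trace in /var/log/messages unless a LOG rule (for example `-j LOG --log-prefix "OUTPUT_DROP: "`, a hypothetical prefix) is placed ahead of the DROP. Once such lines exist, the kernel's IN=/OUT= fields tell inbound from outbound: an outbound packet has OUT set and IN empty. The script below parses netfilter log lines in that format and counts blocked outbound destinations; the sample log is constructed (the first line is the one from the question, the second is what a logged outbound SMTP drop would look like, with documentation-range addresses).

```python
import re
from collections import Counter

# Constructed sample log for this example. Line 1 is the FINAL_REJECT line from the
# question (inbound: IN set, OUT empty). Line 2 is what a logged outbound drop would look
# like with a hypothetical LOG rule prefix "OUTPUT_DROP: " ahead of the DROP; its addresses
# are documentation-range placeholders. Line 3 is a non-kernel line that must be ignored.
SAMPLE_LOG = """\
Mar  5 19:45:29 kvm011 kernel: FINAL_REJECT: IN=br0-enp3s0 OUT= MAC=80:ee:73:9d:59:09:98:9b:cb:bf:c3:7e:08:00 SRC=192.168.1.254 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55873 DF PROTO=TCP SPT=41047 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 19:46:21 kvm011 kernel: OUTPUT_DROP: IN= OUT=br0-enp3s0 SRC=192.168.1.3 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 19:46:21 kvm011 postfix/smtp[3240]: connect to mail.example.org[203.0.113.25]:25: Connection timed out
"""

# "<month> <day> <time> <host> kernel: <PREFIX>: key=value ..." as written by the LOG target
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>[A-Za-z0-9_]+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None for any other syslog line."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))          # OUT= yields an empty string, which is what we want
    fields["prefix"] = m.group("prefix")
    fields["ts"] = m.group("ts")
    # Tokens without "=" are flags such as DF (don't fragment) or SYN.
    fields["flags"] = {tok for tok in rest.split() if "=" not in tok}
    return fields


def direction(fields):
    """IN set, OUT empty: addressed to this host (INPUT chain).
    OUT set, IN empty: generated by this host (OUTPUT chain).
    Both set: routed through this host (FORWARD chain)."""
    if fields.get("IN") and not fields.get("OUT"):
        return "inbound"
    if fields.get("OUT") and not fields.get("IN"):
        return "outbound"
    return "forward"


def blocked_outbound(log_text):
    """Count logged outbound packets per (DST, PROTO, DPT) so blocked destinations stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or direction(fields) != "outbound":
            continue
        counts[(fields.get("DST"), fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (dst, proto, dport), n in blocked_outbound(SAMPLE_LOG).items():
        print(f"{n:4d}x blocked outbound {proto} to {dst}:{dport}")
```

Run against the real /var/log/messages, the counter gives the list of destinations that still need a whitelist rule, or that should stay blocked.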
Steffen
Asked: 2021-12-30 07:44:34 +0800 CST

firewalld: blocking outgoing connections also blocks incoming connections

  • 1 vote

log4shell made us improve the security of some of our servers. We now also want to block outgoing traffic (as far as possible). The current firewall rules are:

/> firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client https smtp ssh
  ports: 143/tcp 3000/tcp 4949/tcp 8080/tcp 12999/tcp 25/tcp 1194/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

So connecting to the server via ssh is currently possible (and should remain possible in the future). Now we want to block all outgoing connections except connections via https (443). For this we added some firewall rules (see also https://serverfault.com/a/624474/145652):

/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=443 -j ACCEPT
success
/> firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
success
/> firewall-cmd --reload

But after these commands we lose every connection to the server: no ping, no ssh, the server does not accept any connection at all. Perhaps firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP blocks all outgoing traffic, including the server's replies to incoming (ssh) requests? Is a rule missing that allows the reply data for incoming requests to be sent?

rhel7
  • 0 answers
  • 491 views
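Added example, not part of Steffen's question or of firewalld. The suspicion in the question is right: iptables evaluates the OUTPUT chain for every locally generated packet, including the replies of an ssh session or the echo replies to a ping, and an unconditional DROP at priority 1 catches all of them because nothing ahead of it accepts established connections. The usual fix is a conntrack rule in front of the DROP, plus one for loopback (both assumed here, in the same --direct syntax the question uses; hosts that need outbound DNS or NTP need further exceptions):

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT

The simulation below models first-match evaluation of the OUTPUT chain in priority order and shows the verdict for reply traffic and for new connections under the question's two rules and under the extended set. The packets are constructed; the rule semantics (first match wins, unset fields match anything) are those of iptables.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    """A locally generated packet as seen by the filter OUTPUT chain."""
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int]        # destination port, None for ICMP
    ctstate: str                # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    out_if: str = "eth0"        # outgoing interface


@dataclass(frozen=True)
class Rule:
    """One direct rule; unset match fields mean 'match anything', as in iptables."""
    priority: int
    target: str                                 # "ACCEPT" or "DROP"
    proto: Optional[str] = None                 # -p tcp
    dport: Optional[int] = None                 # --dport 443
    ctstates: FrozenSet[str] = frozenset()      # -m conntrack --ctstate ...
    out_if: Optional[str] = None                # -o lo

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ctstates and p.ctstate not in self.ctstates:
            return False
        if self.out_if is not None and self.out_if != p.out_if:
            return False
        return True


def verdict(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, lower priority number first; otherwise the chain policy applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(p):
            return rule.target
    return policy


# The two direct rules from the question.
QUESTION_RULES = [
    Rule(priority=0, target="ACCEPT", proto="tcp", dport=443),   # OUTPUT 0 -p tcp --dport 443 -j ACCEPT
    Rule(priority=1, target="DROP"),                             # OUTPUT 1 -j DROP
]

# Assumed fix: accept reply traffic of existing connections and loopback traffic at
# priority 0, so both are evaluated before the priority-1 DROP.
FIXED_RULES = [
    Rule(priority=0, target="ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"})),
    Rule(priority=0, target="ACCEPT", out_if="lo"),
] + QUESTION_RULES

# Constructed traffic: replies to an inbound ssh session and to an inbound ping belong to
# connections conntrack already knows (ESTABLISHED); fresh outbound connections are NEW.
SSH_REPLY = Packet(proto="tcp", dport=41047, ctstate="ESTABLISHED")
PING_REPLY = Packet(proto="icmp", dport=None, ctstate="ESTABLISHED")
NEW_HTTPS = Packet(proto="tcp", dport=443, ctstate="NEW")
NEW_SMTP = Packet(proto="tcp", dport=25, ctstate="NEW")


def compare(packet: Packet) -> dict:
    """Verdict for one packet under the question's rules and under the fixed rules."""
    return {"question": verdict(QUESTION_RULES, packet), "fixed": verdict(FIXED_RULES, packet)}


if __name__ == "__main__":
    for name, pkt in [("ssh reply", SSH_REPLY), ("ping reply", PING_REPLY),
                      ("new https", NEW_HTTPS), ("new smtp", NEW_SMTP)]:
        print(f"{name:10s} {compare(pkt)}")
```

The ssh and ping replies are dropped under the question's rules and accepted under the extended set, while a new outbound SMTP connection stays blocked in both, which is the intended egress policy.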
Steffen
Asked: 2019-04-01 21:20:36 +0800 CST

logrotate: what does the message "log has been already rotated" mean

  • 5 votes

If I run logrotate I get log does not need rotating (log has been already rotated) and the log file is not rotated. Why?

My logrotate configuration:

/var/log/capp/*.log {
    missingok
    rotate 90
    daily
    notifempty
    compress
    delaycompress
}

Before running logrotate I deleted the line

"/var/log/capp/server.log" 2019-4-1-7:0:0

from the file /var/lib/logrotate/logrotate.status

logrotate output:

/> logrotate -v /etc/logrotate.d/capp 
reading config file /etc/logrotate.d/capp
Allocating hash table for state file, size 15360 B

Handling 1 logs

rotating pattern: /var/log/capp/*.log  after 1 days (90 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/capp/server.log
  log does not need rotating (log has been already rotated)

and the log file is not rotated:

/> ls -la  /var/log/capp/server.log*
-rw-r--r-- 1 capp capp 272962507  1. Apr 07:00 /var/log/capp/server.log
linux
  • 1 answer
  • 5926 views
Steffen
Asked: 2018-12-06 00:47:50 +0800 CST

rkhunter: whitelist for the "packet_cap_apps" test

  • 0 votes

Here is a CentOS 7 server with rkhunter installed. Since yesterday we get the following rkhunter warning:

[01:10:30] Info: Starting test name 'packet_cap_apps'
[01:10:30]   Checking for packet capturing applications      [ Warning ]
[01:10:30] Warning: Process '/usr/sbin/NetworkManager' (PID 4654) is listening on the network.

Is there a way to whitelist /usr/sbin/NetworkManager for the packet_cap_apps test?

linux
  • 2 answers
  • 421 views
Steffen
Asked: 2017-08-02 00:26:39 +0800 CST

rkhunter: prelink hash function warning

  • 0 votes

We use rkhunter for regular checks to scan our servers. The server OS is CentOS 6/7. But since the last rkhunter update (to the current version 1.4.4) we get the following warning message:

[10:12:09] Performing file properties checks
[10:12:09] Warning: Checking for prerequisites               [ Warning ]
[10:12:09]          All file hash checks will be skipped because:
[10:12:09]              This system uses prelinking, but the hash function 
                        command does not look like SHA1 or MD5.

But we have prelinked everything:

/> prelink -a --md5

Does anyone know how I can stop that message, or what is wrong?

linux
  • 2 answers
  • 801 views
Steffen
Asked: 2016-06-04 07:38:27 +0800 CST

CentOS6.X: letsencrypt, cronjob and wrong "pip version"

  • 3 votes

I am trying to write a script that automatically renews letsencrypt certificates via a cronjob on the latest CentOS6.x.

For this I wrote the following script:

#!/bin/sh

#
# get newest "Let's Encrypt" version
#
cd /opt/letsencrypt
git pull

# bug fix #201600233: update pip
echo "****************************************************************"
echo pip --version
pip --version
echo "****************************************************************"

pip install --upgrade pip

#
# update certs
#

# stop httpd
/etc/init.d/httpd stop

# renew certs
/opt/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1
LE_STATUS=$?

# start httpd
/etc/init.d/httpd start

# check "Let's Encrypt" result
if [ "$LE_STATUS" != 0 ]; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi

Every time I run this script from the command line everything is fine: the script runs without any error. But every time I start the script via the cronjob I get the error message

You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

I have no idea why this happens... Is some environment variable missing?

Here is the complete output of the cronjob. Note also that the cronjob output says the pip version is "8.1.2".

Already up-to-date.
****************************************************************
pip --version
pip 8.1.2 from /usr/lib/python2.6/site-packages (python 2.6)
****************************************************************
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Requirement already up-to-date: pip in /usr/lib/python2.6/site-packages
httpd beenden: [  OK  ]^M
httpd starten: [  OK  ]^M
Automated renewal failed:
Bootstrapping dependencies for RedHat-based OSes...
yum ist /usr/bin/yum
Geladene Plugins: fastestmirror, refresh-packagekit, security, verify
Einrichten des Installationsprozess
Loading mirror speeds from cached hostfile
 * base: centosmirror.netcup.net
 * epel: mirrors.n-ix.net
 * extras: centosmirror.netcup.net
 * updates: mirror.ratiokontakt.de
 * webtatic: uk.repo.webtatic.com
Paket gcc-4.4.7-17.el6.x86_64 ist bereits in der neusten Version installiert.
Paket dialog-1.1-9.20080819.1.el6.x86_64 ist bereits in der neusten Version installiert.
Paket augeas-libs-1.0.0-10.el6.x86_64 ist bereits in der neusten Version installiert.
Paket openssl-1.0.1e-48.el6_8.1.x86_64 ist bereits in der neusten Version installiert.
Paket openssl-devel-1.0.1e-48.el6_8.1.x86_64 ist bereits in der neusten Version installiert.
Paket libffi-devel-3.0.5-3.2.el6.x86_64 ist bereits in der neusten Version installiert.
Paket redhat-rpm-config-9.0.3-51.el6.centos.noarch ist bereits in der neusten Version installiert.
Paket ca-certificates-2015.2.6-65.0.1.el6_7.noarch ist bereits in der neusten Version installiert.
Paket python-2.6.6-64.el6.x86_64 ist bereits in der neusten Version installiert.
Paket python-devel-2.6.6-64.el6.x86_64 ist bereits in der neusten Version installiert.
Paket python-virtualenv-1.10.1-1.el6.noarch ist bereits in der neusten Version installiert.
Paket python-tools-2.6.6-64.el6.x86_64 ist bereits in der neusten Version installiert.
Paket python-pip-7.1.0-1.el6.noarch ist bereits in der neusten Version installiert.
Paket 1:mod_ssl-2.2.15-53.el6.centos.x86_64 ist bereits in der neusten Version installiert.
Nichts zu tun
Creating virtual environment...
Installing Python packages...
Had a problem while installing Python packages:
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Requirement already satisfied (use --upgrade to upgrade): argparse==1.4.0 in /.local/share/letsencrypt/lib/python2.6/site-packages (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 5))
Collecting pycparser==2.14 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 11))
//.local/share/letsencrypt/lib64/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
//.local/share/letsencrypt/lib64/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading pycparser-2.14.tar.gz (223kB)
Collecting cffi==1.4.2 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 14))
  Downloading cffi-1.4.2.tar.gz (365kB)
Collecting ConfigArgParse==0.10.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 31))
  Downloading ConfigArgParse-0.10.0.tar.gz
Collecting configobj==5.0.6 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 33))
  Downloading configobj-5.0.6.tar.gz
Collecting cryptography==1.2.3 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 35))
  Downloading cryptography-1.2.3.tar.gz (373kB)
Collecting enum34==1.1.2 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 57))
  Downloading enum34-1.1.2.tar.gz (46kB)
Collecting funcsigs==0.4 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 60))
  Downloading funcsigs-0.4-py2.py3-none-any.whl
Collecting idna==2.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 63))
  Downloading idna-2.0-py2.py3-none-any.whl (61kB)
Collecting ipaddress==1.0.16 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 66))
  Downloading ipaddress-1.0.16.tar.gz
Collecting linecache2==1.0.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 69))
  Downloading linecache2-1.0.0-py2.py3-none-any.whl
Collecting ndg-httpsclient==0.4.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 72))
  Downloading ndg_httpsclient-0.4.0.tar.gz
Collecting ordereddict==1.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 74))
  Downloading ordereddict-1.1.tar.gz
Collecting parsedatetime==2.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 76))
  Downloading parsedatetime-2.1-py2-none-any.whl
Collecting pbr==1.8.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 79))
  Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
Collecting psutil==3.3.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 82))
  Downloading psutil-3.3.0.tar.gz (261kB)
Collecting pyasn1==0.1.9 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 104))
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting pyOpenSSL==0.15.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 116))
  Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
Collecting pyRFC3339==1.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 119))
  Downloading pyRFC3339-1.0-py2.py3-none-any.whl
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 122))
  Downloading python-augeas-0.5.0.tar.gz (90kB)
Collecting python2-pythondialog==3.3.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 124))
  Downloading python2-pythondialog-3.3.0.tar.bz2 (1.8MB)
Collecting pytz==2015.7 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 127))
  Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
Collecting requests==2.9.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 141))
  Downloading requests-2.9.1-py2.py3-none-any.whl (501kB)
Collecting six==1.10.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 144))
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting traceback2==1.4.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 147))
  Downloading traceback2-1.4.0-py2.py3-none-any.whl
Collecting unittest2==1.1.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 150))
  Downloading unittest2-1.1.0-py2.py3-none-any.whl (96kB)
Collecting zope.component==4.2.2 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 153))
  Downloading zope.component-4.2.2.tar.gz (546kB)
Collecting zope.event==4.1.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 155))
  Downloading zope.event-4.1.0.tar.gz (476kB)
Collecting zope.interface==4.1.3 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 157))
  Downloading zope.interface-4.1.3.tar.gz (141kB)
Collecting mock==1.0.1 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 175))
  Downloading mock-1.0.1.zip (861kB)
Collecting letsencrypt==0.7.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 178))
  Downloading letsencrypt-0.7.0-py2-none-any.whl
Collecting acme==0.8.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 184))
  Downloading acme-0.8.0-py2.py3-none-any.whl (91kB)
Collecting certbot==0.8.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 187))
  Downloading certbot-0.8.0-py2-none-any.whl (215kB)
Collecting certbot-apache==0.8.0 (from -r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 190))
  Downloading certbot_apache-0.8.0-py2-none-any.whl (103kB)
Collecting setuptools>=1.0 (from cryptography==1.2.3->-r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 35))
In --require-hashes mode, all requirements must have their versions pinned with ==. These do not:
    setuptools>=1.0 from https://pypi.python.org/packages/a6/2b/803bd512ae9a69164ccfc29d289c99fa1b50cdfeb57aa3ab2239094e4751/setuptools-22.0.2-py2.py3-none-any.whl#md5=51dcd17dd15db58ee090565e99b0e94d (from cryptography==1.2.3->-r /tmp/tmp.8WY1y3IFg4/letsencrypt-auto-requirements.txt (line 35))
//.local/share/letsencrypt/lib64/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
python pip lets-encrypt centos6
  • 1 answer
  • 1027 views
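Added example, not part of Steffen's question or of the letsencrypt project. The actual failure in the cron output is not the pip version notice but the line "In --require-hashes mode, all requirements must have their versions pinned with ==": letsencrypt-auto installs its dependencies with hash checking, so every requirement must be pinned to an exact version and carry a --hash option, and a dependency pulled in as setuptools>=1.0 cannot satisfy that. The checker below reproduces that rule for a requirements file, which is useful for validating your own pinned, hash-checked requirement files before a deployment breaks at 3 a.m. The sample file is constructed (it is not the real letsencrypt-auto-requirements.txt, and the digest is a placeholder).

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample requirements file for this example; not the real
# letsencrypt-auto-requirements.txt, and the digest is a placeholder, not argparse's real one.
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: accepted in --require-hashes mode
argparse==1.4.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# pinned, but without a hash: rejected
pycparser==2.14
# a range instead of a pin: rejected, like the setuptools>=1.0 line in the cron output
setuptools>=1.0
"""

# name, optional extras, optional version operator and version
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.\-]*(?:\[[^\]]*\])?)\s*"
    r"(?P<op>===?|~=|!=|>=|<=|>|<)?\s*(?P<ver>[^\s,;]+)?"
)
HASH_RE = re.compile(r"--hash=(?:sha256|sha384|sha512):[0-9a-f]+")


def logical_lines(text: str) -> Iterator[str]:
    """Yield requirement lines with '#' comments removed and backslash continuations joined."""
    parts: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip trailing comments
        if not line.strip() and not parts:
            continue
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line.strip())
        yield " ".join(parts)
        parts = []
    if parts:
        yield " ".join(parts)


def check_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (requirement, problem) for every line pip rejects in --require-hashes mode:
    each requirement must be pinned with == and carry at least one --hash option."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):                  # pip options such as -r or --index-url
            continue
        m = REQ_RE.match(line)
        if not m or not m.group("op"):
            problems.append((line, "unparseable or unversioned requirement"))
            continue
        name = m.group("name")
        if m.group("op") not in ("==", "==="):
            problems.append((name, "version not pinned with =="))
        if not HASH_RE.search(line):
            problems.append((name, "missing --hash option"))
    return problems


def is_hash_pinned(text: str) -> bool:
    """True when every requirement is exactly pinned and hashed."""
    return not check_requirements(text)


if __name__ == "__main__":
    for req, problem in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{req}: {problem}")
```

A requirements file that passes is_hash_pinned is the form pip accepts under --require-hashes, which is also the form that protects an automated renewal job from silently picking up a different package than the one that was reviewed.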
Steffen
Asked: 2016-04-17 01:00:19 +0800 CST

rkhunter: after a few days I get "The system has changed to not using prelinking since the last run."

  • 2 votes

We are running a (new) CentOS 7 system here. To watch the system for invalid changes/hacks we run rkhunter every night. Also, after every (yum) update we prelink everything and run "rkhunter --propupd".

This works fine. But after a few days we get the following errors:

[03:55:02] Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
           is used, all the files on their system are known to be genuine, and installed from a
           reliable source. The rkhunter '--check' option will compare the current file properties
           against previously stored values, and report if any values differ. However, rkhunter
           cannot determine what has caused the change, that is for the user to do.
...
...
...
[03:55:04] Warning: Checking for prerequisites               [ Warning ]
[03:55:04]          The local host configuration or operating system has changed.
[03:55:05]   /usr/sbin/adduser                               [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/adduser' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chkconfig                             [ Warning ]
[03:55:05] Warning: No inode value found for file '/usr/sbin/chkconfig' in the 'rkhunter.dat' file.
[03:55:05]   /usr/sbin/chroot                                [ Warning ]

We are sure the server has not been hacked, because we checked the dates and sizes of some binaries. We also created checksums of some of these files. After the rkhunter warning occurred, all files are identical and unchanged.

But we want to find out what the reason for the rkhunter warning is...

Any ideas?

Edit:

There are further warnings in the rkhunter log file:

[03:55:05] Warning: The system has changed to not using prelinking since the last run.
[03:55:05]          Because of the change(s) the file properties checks may give some false-positive results.
[03:55:05]          You may need to re-run rkhunter with the '--propupd' option.

This was also the solution. See my answer below....

centos7 rkhunter
  • 1 answer
  • 596 views
Steffen
Asked: 2015-12-23 08:07:43 +0800 CST

postfix: aliases are ignored

  • 7 votes

I have a server configured as a postfix MTA which also runs a munin node. In /etc/aliases I added:

root:    hostmaster@my.domain

In postfix's main.cf the following is configured:

mydomain = my.domain
myorigin = $mydomain
alias_database = hash:/etc/aliases
relay_domains = my.domain
append_at_myorigin = no
...

After every change of the aliases or the postfix configuration file I call newaliases or postmap <cfgfile> and restart postfix.

Every time munin sends an (error) e-mail I get this in the mail log file:

Dec 22 16:45:19 myserver postfix/pickup[21509]: 5CFBA2011E0: uid=995 from=<munin>
Dec 22 16:45:19 myserver postfix/cleanup[22094]: 5CFBA2011E0: 
    message-id=<20151222154519.5CFBA2011E0@my.domain>
Dec 22 16:45:19 myserver postfix/qmgr[21510]: 5CFBA2011E0: from=<munin>, size=999, nrcpt=1 
    (queue active)
Dec 22 16:45:20 myserver postfix/smtp[22099]: 5CFBA2011E0: to=<root@my.domain>, 
    orig_to=<root>, relay=internal.my.domain[XXX.182.189.136]:25, delay=4.2, 
    delays=3/0.01/1.1/0.09, dsn=5.1.1, status=bounced (host 
    internal.my.domain[XXX.182.189.136] said: 550 5.1.1 <root@my.domain>: Recipient address 
    rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Dec 22 16:45:20 myserver postfix/cleanup[22094]: A98B72012D2: 
    message-id=<20151222154520.A98B72012D2@my.domain>
Dec 22 16:45:20 myserver postfix/bounce[22100]: 5CFBA2011E0: sender non-delivery 
    notification: A98B72012D2

I don't understand why "root" (orig_to) is not replaced by "hostmaster@my.domain" as specified in the aliases file. It seems postfix appends the myorigin value to "root". I don't know why, because I have also specified append_at_myorigin = no.

What is going on here? I want the "root" address to be replaced by "hostmaster@my.domain". How can I achieve that?

postfix
  • 2 answers
  • 14756 views
Steffen
Asked: 2015-12-20 02:14:25 +0800 CST

How to disable RC4 on postfix?

  • 13 votes

I ran a security check of our postfix server at https://de.ssl-tools.net/mailservers and got the warning that "ECDHE_RSA_WITH_RC4_128_SHA" is still supported. But I don't know how to disable it...

postfix
  • 1 answer
  • 6308 views
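Added example, not part of Steffen's question or of Postfix. Postfix removes cipher families from its TLS cipher lists through the exclude_ciphers parameters: smtpd_tls_exclude_ciphers and smtpd_tls_mandatory_exclude_ciphers for the SMTP server side, smtp_tls_exclude_ciphers and smtp_tls_mandatory_exclude_ciphers for the SMTP client side (the opportunistic and the mandatory-TLS lists are separate, so RC4 has to be excluded in all four to be gone everywhere; postfix reload afterwards). The checker below parses a main.cf fragment with Postfix's "name = value" and indented-continuation syntax and reports which of the four parameters still lacks RC4, shown against a constructed "before" configuration that has no exclusions and an "after" configuration that has them.

```python
import re
from typing import Dict, List

# Constructed main.cf fragments for this example (not the asker's configuration).
# Before: TLS is enabled but nothing excludes RC4 from the server- or client-side cipher lists.
MAIN_CF_BEFORE = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ciphers = medium
"""

# After: RC4 and a few other legacy families are excluded from both the opportunistic
# and the mandatory TLS cipher lists, on the SMTP server and the SMTP client side.
# The continuation lines (leading whitespace) use Postfix's own main.cf syntax.
MAIN_CF_AFTER = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = RC4, aNULL, eNULL, EXPORT,
    DES, MD5
smtpd_tls_mandatory_exclude_ciphers = RC4, aNULL, eNULL, EXPORT, DES, MD5
smtp_tls_exclude_ciphers = RC4, aNULL, eNULL, EXPORT, DES, MD5
smtp_tls_mandatory_exclude_ciphers = RC4, aNULL, eNULL, EXPORT, DES, MD5
"""

EXCLUDE_PARAMS = (
    "smtpd_tls_exclude_ciphers",
    "smtpd_tls_mandatory_exclude_ciphers",
    "smtp_tls_exclude_ciphers",
    "smtp_tls_mandatory_exclude_ciphers",
)


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value' lines; a line starting with whitespace
    continues the previous value; '#' lines are comments. Later settings override earlier ones."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def excluded_families(value: str) -> set:
    """Split a Postfix cipher exclusion list (comma and/or whitespace separated)."""
    return {item.strip().upper() for item in re.split(r"[,\s]+", value) if item.strip()}


def rc4_gaps(text: str) -> List[str]:
    """Names of the four exclude_ciphers parameters whose value does not list RC4."""
    params = parse_main_cf(text)
    return [p for p in EXCLUDE_PARAMS if "RC4" not in excluded_families(params.get(p, ""))]


if __name__ == "__main__":
    print("before:", rc4_gaps(MAIN_CF_BEFORE))
    print("after: ", rc4_gaps(MAIN_CF_AFTER))
```

Feeding the output of postconf -n through rc4_gaps gives the same answer for a live server, since postconf -n prints the explicitly set parameters in the same name = value form.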
Steffen
Asked: 2015-11-13 04:29:11 +0800 CST

Joomla: why is my tmp folder "unwritable"?

  • 0 votes

We have a freshly installed CentOS7 system here with a fresh Joomla installation. I wonder why all Joomla folders are "unwritable":

If we open "System" - "System Information" - "Folder Permissions" in Joomla, all folders are listed as "unwritable".

The folders on disk are all owned by the user "apache" and are all writable for that user:

[root@localhost joomla]# ls -la
insgesamt 88
drwxr-xr-x. 18 apache apache  4096 12. Nov 12:50 .
drwxr-xr-x.  3 apache root      19 11. Nov 18:03 ..
drwxr-x--x. 10 apache apache  4096 21. Okt 23:48 administrator
drwxr-x--x.  2 apache apache    42 21. Okt 23:48 bin
drwxr-x--x.  2 apache apache    23 21. Okt 23:48 cache
drwxr-x--x.  2 apache apache  4096 21. Okt 23:48 cli
drwxr-x--x. 16 apache apache  4096 21. Okt 23:48 components
-rw-------.  1 apache root    1902 12. Nov 12:50 configuration.php
-rwxr-x--x.  1 apache apache  2915 21. Okt 23:48 htaccess.txt
drwxr-x--x.  5 apache apache  4096 21. Okt 23:48 images
drwxr-x--x.  2 apache apache    61 21. Okt 23:48 includes
-rwxr-x--x.  1 apache apache  1212 21. Okt 23:48 index.php
-rwxr-x--x.  1 apache apache  1872 22. Okt 15:55 joomla.xml
drwxr-x--x.  4 apache apache    51 21. Okt 23:48 language
drwxr-x--x.  5 apache apache    66 21. Okt 23:48 layouts
drwxr-x--x. 11 apache apache  4096 21. Okt 23:48 libraries
-rwxr-x--x.  1 apache apache 18092 21. Okt 23:48 LICENSE.txt
drwxr-x--x.  2 apache apache    23 21. Okt 23:48 logs
drwxr-x--x. 18 apache apache  4096 21. Okt 23:48 media
drwxr-x--x. 27 apache apache  4096 21. Okt 23:48 modules
drwxr-x--x. 14 apache apache  4096 21. Okt 23:48 plugins
-rwxr-x--x.  1 apache apache  4213 21. Okt 23:48 README.txt
-rwxr-x--x.  1 apache apache   842 21. Okt 23:48 robots.txt.dist
drwxr-x--x.  5 apache apache    64 21. Okt 23:48 templates
drwxrwxrwx.  2 apache apache    23 21. Okt 23:48 tmp
-rwxr-x--x.  1 apache apache  1690 21. Okt 23:48 web.config.txt

httpd also runs as the apache user:

[root@localhost joomla]# ps aux | grep httpd
root      8642  0.0  1.2 396684 13032 ?        Ss   13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8644  0.0  0.7 396684  7316 ?        S    13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8645  0.0  0.7 396684  7784 ?        S    13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8646  0.0  1.3 502324 13332 ?        S    13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8647  0.0  0.7 396684  7784 ?        S    13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8648  0.0  1.3 502324 13332 ?        S    13:16   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8650  0.0  1.3 502324 13332 ?        S    13:17   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8651  0.0  0.6 396684  6588 ?        S    13:17   0:00 /usr/sbin/httpd -DFOREGROUND
apache    8652  0.0  0.7 396684  7784 ?        S    13:17   0:00 /usr/sbin/httpd -DFOREGROUND
root      8660  0.0  0.0 112660   924 pts/0    R+   13:27   0:00 grep --color=auto httpd

Why are the folders not writable?!?

httpd
  • 1 answer
  • 856 views
Steffen
Asked: 2015-06-22 03:26:21 +0800 CST

davfs: syntax error in secrets file

  • 2 votes

I have a linux system here that should mount a (remote) davfs file system. Everything is fine, and it works if I mount the file system manually from the command line:

/> mount /share/davDrives/private 
Gib bitte den Benutzernamen für den Server https://data011.fritz.box/webdav/Shared/Public an; wenn du keinen angeben willst, drücke Return.
  Benutzername: username
Gib bitte das Passwort von username für den Server https://data011.fritz.box/webdav/Shared/Public
an; wenn du keines angeben willst, drücke Return.
  Passwort: 

(This is a German installation.) After that the file system is mounted successfully.

But I want to mount the file system automatically. For this I have to put the username and password into the ~/.davfs2/secrets file:

/share/davDrives/private  username  myPasswordIsTopSecret 

But if I then try to mount davfs I get:

/> mount /share/davDrives/private 
/sbin/mount.davfs:/home/stewert.c-on/.davfs2/secrets:1: Syntaxfehler in der Zeile

("Syntaxfehler in der Zeile" == "syntax error in line")

What is wrong?

linux
  • 1 answer
  • 1091 views
Steffen
Asked: 2015-06-11 00:07:44 +0800 CST

rkhunter: "Suspicious Shared Memory segments"

  • 16 votes

I have a freshly installed server here with CentOS7 and GroupOffice on it. After installing rkhunter and starting an rkhunter check I get:

[09:58:15] Suspicious Shared Memory segments
[09:58:15]   Process:     PID: 1769    Owner: apache         [ Found ]
[09:58:15]   Suspicious Shared Memory segments               [ Warning ]

Does anyone know what "Suspicious Shared Memory segments" means? How can I check whether this is a false positive? And if it is: how can I whitelist this error?

Edit

If I try to list the process with the ps command, the process with PID 1769 does not exist:

# ps -p 1769
  PID TTY          TIME CMD
# ps aux | grep 1769
root     12777  0.0  0.0 112660   960 pts/0    S+   10:25   0:00 grep --color=auto 1769
# ps aux | grep apache
apache   12606  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12607  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12608  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12609  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
apache   12610  0.0  0.5 537092 10224 ?        S    10:15   0:00 /usr/sbin/httpd -DFOREGROUND
root     12779  0.0  0.0 112660   960 pts/0    S+   10:26   0:00 grep --color=auto apache
linux
  • 3 answers
  • 21736 views
Steffen
Asked: 2015-02-20 23:54:29 +0800 CST

How to mount smb drives with different credentials (username and password) on Linux?

  • 2 votes

OK, I have a notebook here running Linux (CentOS 7). The notebook will be used by different users (all with different logins on the notebook). In our network we have a Samba server. All users who log in on the notebook also have different logins (username and password) for the different smb drives. The question now is how to configure the linux notebook so that each user's smb drive is mounted automatically?

The default hints and tips, e.g. adding the following line to fstab

//servername/sharename  /media/windowsshare  cifs   uid=ubuntuuser,credentials=/home/ubuntuuser/.smbcredentials,iocharset=utf8,sec=ntlm   0       0

and creating the credentials file (/home/ubuntuuser/.smbcredentials) do not work in my case, because the credentials file would be the same for every user (but it should be different for each). Specifying the credentials file as ~/.smbcredentials does not work either, because at mount time the home directory ~/ is unknown...

linux
  • 1 answer
  • 5897 views
Steffen
Asked: 2014-12-05 00:57:01 +0800 CST

cron: what does mail error status "0x0002#012" mean

  • 1 vote

I specified a cron job in the crontab:

...
MAILTO=root
...
...
47 09 * * * tst nice -n 15 /opt/tst/bin/doMirror
...

The doMirror script failed because of a syntax error. I expected the root user to get an e-mail notification, but the cron log says:

Dec  4 09:47:01 f601 CROND[1163]: (CRON) ERROR chdir failed (/home/tst): Datei oder Verzeichnis nicht gefunden
Dec  4 09:47:01 f601 CROND[1161]: (tst) MAIL (mailed 60 bytes of output but got status 0x0002#012)

What does "got status 0x0002#012" mean? I can't find any information about it.

If I send an e-mail via

echo "This is only a test." | mail -s "Testing testing" root

it works as expected.

Thanks, Steffen

linux
  • 1 answer
  • 3651 views
Steffen
Asked: 2014-08-18 02:58:50 +0800 CST

How to install SVN client version 1.8 on CentOS/RHEL 6?

  • 0 votes

I am trying to install SVN client version 1.8 on CentOS 6. I am following the instructions at

http://tecadmin.net/install-subversion-1-8-on-centos-rhel/

All steps went through without any problem. But after that I get

/> svn --version
svn, Version 1.6.11 (r934486)
...
...
...
svn
  • 3 answers
  • 32096 views
Steffen
Asked: 2014-02-19 08:32:00 +0800 CST

postfix: how to set the correct "Content-Transfer-Encoding" for envelope return messages

  • 0 votes

Is there a way to force postfix to add a "Content-Transfer-Encoding" line to the header of DSN ("delivery status notification") messages? If the "Content-Transfer-Encoding" is not set correctly (see also https://forums.zarafa.com/showthread.php?91-Fallback-delivery) this may be a problem for some client/groupware systems (like zarafa). If I look at the headers of the DSN messages I cannot find any "Content-Transfer-Encoding" entry.

postfix
  • 1 answer
  • 1097 views
Steffen
Asked: 2013-05-21 02:44:08 +0800 CST

nagios - https active service fails (error on receive)

  • 1 vote

I want to check the availability of an SSL website (https) with nagios.

I added a command in command.cfg:

define command{
  command_name    check_http_myserver_Demo
  command_line    $USER1$/check_http -H www.mydomain.de -u /Demo -p 443 -S
}

Then I also added a service in localhost.cfg:

define service {
   use                             local-service
   host_name                       myServer
   service_description             HTTP myserver Response Check
   check_command                   check_http_myserver_Demo
   max_check_attempts              2
   normal_check_interval           5
   retry_check_interval            1
   notification_interval           240
   notification_period             24x7
   notification_options            w,u,c,r
}

If I check the configuration files with "nagios -v nagios.cfg" I get no errors.

The nagios server check of this service is negative and shows "HTTP CRITICAL - Fehler beim Empfangen" (this is German; my translation: "error on receive"). But the service is definitely available. I can open a browser and open the URL without any problem.

Any ideas?

Edit:

If I run the check manually I get:

/usr/lib64/nagios/plugins/check_http -v -H www.c-onDocFlow.de -u / -S
GET / HTTP/1.1
User-Agent: check_http/v1.4.15 (nagios-plugins 1.4.15)
Connection: close
Host: www.c-onDocFlow.de

HTTP CRITICAL - Fehler beim Empfangen

Without "-S" it runs fine. Also, if I use another https site (of another domain) it works. Possibly something is wrong with the certificate, but I can't see what.

nagios
  • 2 answers
  • 4333 views
Steffen
Asked: 2013-02-07 06:58:58 +0800 CST

postfix: send DSN to the "Reply-To" address

  • 0 votes

Is there a way to configure postfix so that it sends DSN (delivery status notification) messages to the "Reply-To" address instead of the "From" address?

Background: the "From" address is an invalid e-mail address (doNotReply@....), but the "Reply-To" address is filled with a correct e-mail address.

Does anyone know whether this is possible?

Thanks and regards, Steffen

postfix
  • 1 answer
  • 273 views
