防火墙服务中应用了 Fail2ban 和 Wireguard 这两个服务的规则。每次我重新加载防火墙服务时,规则都会丢失。如何在两次重新加载之间保留这些规则?
# firewall-cmd --get-all-rules --direct
ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter FORWARD 0 -i wg -o eth0 -j ACCEPT
ipv4 filter FORWARD 1 -i wg -o wg -j ACCEPT
ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
Rocky Linux 9
我用来rdiff-backup从本地文件系统备份到安装了远程存储盒的远程 Hetzner 服务器。存储盒作为文件系统安装在远程服务器上cifs。备份以 root 身份在本地运行,并且ssh与远程服务器的连接也在 root 帐户上进行。我遇到的问题是原始文件所有者/组没有保留。一切都归 root 所有。
储物盒的安装方式如下/etc/fstab:
//user.your-storagebox.de/backup /storagebox cifs iocharset=utf8,rw,credentials=/etc/backup-credentials.txt,seal,uid=0,gid=0,file_mode=0660,dir_mode=0770 0 0
以及本地备份命令:
rdiff-backup -v4 --api-version 201 backup --print-statistics \
--include /home/cpn/Documents \
--include /home/cpn/ProgramasRFB \
--include /home/cpn/Pictures \
--include /home/cpn/Videos \
--include /hd2t/Fotos \
--include /hd2t/Videos \
--include /etc \
--exclude '**' \
/ [email protected]::/storagebox/Backup/ & disown;
文件/目录不是由原始用户拥有,而是由存储箱中的 root 拥有:
# ll
total 0
drwxrwx---. 2 root root 0 May 14 16:58 Documents
drwxrwx---. 2 root root 0 May 1 09:23 Pictures
我缺少什么?我的猜测是这个问题与cifs
这些是 Hetzner 为该云设备提供的唯一访问权限:https://docs.hetzner.com/robot/storage-box/access/access-overview
我也尝试过 SFTP,但结果更糟
RockyLinux 9. 重新启动时 Apache 无法启动并显示以下消息
Jul 21 10:53:13 cl httpd[877]: (99)Cannot assign requested address: AH00072: make_sock: could not bind to address 1.2.3.4:80
Jul 21 10:53:13 cl httpd[877]: no listening sockets available, shutting down
Jul 21 10:53:13 cl httpd[877]: AH00015: Unable to open logs
Jul 21 10:53:13 cl systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 21 10:53:13 cl systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 21 10:53:13 cl systemd[1]: Failed to start The Apache HTTP Server.
主配置文件将其设置为侦听该地址和 80 端口。但是该地址在80和443端口上都有虚拟主机
如果我手动启动它,它会开始使用该地址,但使用 443 端口
# systemctl start httpd
Jul 21 10:55:44 cl systemd[1]: Starting The Apache HTTP Server...
Jul 21 10:55:44 cl httpd[2135]: [Fri Jul 21 10:55:44.803045 2023] [so:warn] [pid 2135:tid 2135] AH01574: module wsgi_module is already loaded, skipping
Jul 21 10:55:44 cl httpd[2135]: Server configured, listening on: 1.2.3.4 port 443, ...
Jul 21 10:55:44 cl systemd[1]: Started The Apache HTTP Server.
有任何想法吗?
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 879/sshd: /usr/sbin
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 1551/postmaster
tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 2574/httpd
tcp 0 0 1.2.3.4:443 0.0.0.0:* LISTEN 2574/httpd
tcp6 0 0 :::22 :::* LISTEN 879/sshd: /usr/sbin
udp 0 0 127.0.0.1:323 0.0.0.0:* 810/chronyd
udp6 0 0 ::1:323 :::* 810/chronyd
# cat /etc/NetworkManager/system-connections/System\ enp0s71fa.nmconnection
[connection]
id=System enp0s71fa
uuid=b5f5eeee-5bd2-c5a6-acb6-f03d5581aca5
type=ethernet
interface-name=enp0s71fa
timestamp=1689890116
[ethernet]
[ipv4]
address1=1.2.3.4/32,1.2.3.6
address2=1.2.3.5/27
dns=5.6.7.1;
method=manual
[ipv6]
address1=2a01:4f8:bbb:aaaa::2/64,fe80::1
dns=2a01:ccc:dddd::add:2;
method=manual
我已经安装named了chroot,它已经工作了几天。现在它没有找到某个域的IP:
# dig arstechnica.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com
;; global options: +cmd
;; connection timed out; no servers could be reached
通常会发现其他域:
# dig serverfault.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> serverfault.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;serverfault.com. IN A
;; ANSWER SECTION:
serverfault.com. 98 IN A 198.252.206.140
;; AUTHORITY SECTION:
serverfault.com. 172598 IN NS cf-dns02.serverfault.com.
serverfault.com. 172598 IN NS cf-dns01.serverfault.com.
;; ADDITIONAL SECTION:
cf-dns02.serverfault.com. 172598 IN A 173.245.59.4
cf-dns01.serverfault.com. 172598 IN A 173.245.58.53
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 22 11:06:10 2014
;; MSG SIZE rcvd: 127
named.conf:
# cat /var/named/chroot/var/named/chroot/etc/named.conf
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
该目录中的所有文件:
# ll /var/named/chroot/var/named/chroot/etc/
total 16
-rw-r--r--. 1 root root 118 Jul 21 2011 localtime
drwxr-x---. 2 root named 4096 Dec 12 02:25 named
-rw-r-----. 1 root named 1008 Dec 17 20:02 named.conf
-rw-r--r--. 1 root root 0 Dec 22 10:35 named.iscdlv.key
-rw-r--r--. 1 root root 0 Dec 22 10:35 named.rfc1912.zones
-rw-r--r--. 1 root root 0 Dec 22 10:35 named.root.key
drwxr-x---. 3 root named 4096 Dec 17 19:15 pki
-rw-r--r--. 1 root root 0 Dec 22 10:35 rndc.key
我错过了什么?
+trace添加:
# dig arstechnica.com +trace
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> arstechnica.com +trace
;; global options: +cmd
. 516879 IN NS m.root-servers.net.
. 516879 IN NS h.root-servers.net.
. 516879 IN NS g.root-servers.net.
. 516879 IN NS j.root-servers.net.
. 516879 IN NS a.root-servers.net.
. 516879 IN NS l.root-servers.net.
. 516879 IN NS e.root-servers.net.
. 516879 IN NS f.root-servers.net.
. 516879 IN NS k.root-servers.net.
. 516879 IN NS b.root-servers.net.
. 516879 IN NS d.root-servers.net.
. 516879 IN NS i.root-servers.net.
. 516879 IN NS c.root-servers.net.
;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 577 ms
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
;; Received 493 bytes from 192.58.128.30#53(192.58.128.30) in 2270 ms
arstechnica.com. 172800 IN NS ns1.servercentral.net.
arstechnica.com. 172800 IN NS ns2.servercentral.net.
;; Received 118 bytes from 192.12.94.30#53(192.12.94.30) in 579 ms
;; connection timed out; no servers could be reached
挖到github:
# dig github.com +trace
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> github.com +trace
;; global options: +cmd
. 516495 IN NS k.root-servers.net.
. 516495 IN NS e.root-servers.net.
. 516495 IN NS f.root-servers.net.
. 516495 IN NS b.root-servers.net.
. 516495 IN NS g.root-servers.net.
. 516495 IN NS d.root-servers.net.
. 516495 IN NS m.root-servers.net.
. 516495 IN NS c.root-servers.net.
. 516495 IN NS j.root-servers.net.
. 516495 IN NS h.root-servers.net.
. 516495 IN NS a.root-servers.net.
. 516495 IN NS i.root-servers.net.
. 516495 IN NS l.root-servers.net.
;; Received 508 bytes from 127.0.0.1#53(127.0.0.1) in 5 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 488 bytes from 193.0.14.129#53(193.0.14.129) in 74 ms
github.com. 172800 IN NS ns1.p16.dynect.net.
github.com. 172800 IN NS ns3.p16.dynect.net.
github.com. 172800 IN NS ns2.p16.dynect.net.
github.com. 172800 IN NS ns4.p16.dynect.net.
;; Received 178 bytes from 192.31.80.30#53(192.31.80.30) in 323 ms
github.com. 30 IN A 192.30.252.131
github.com. 86400 IN NS ns4.p16.dynect.net.
github.com. 86400 IN NS ns2.p16.dynect.net.
github.com. 86400 IN NS ns1.p16.dynect.net.
github.com. 86400 IN NS ns3.p16.dynect.net.
;; Received 130 bytes from 204.13.251.16#53(204.13.251.16) in 10 ms
SELinux 阻止apache用户写入它拥有的日志文件。当我这样做时setenforce 0,它会起作用。否则显示此错误
IOError: [Errno 13] Permission denied: '/var/www/webapp/k/site/k.log'
文件的安全上下文:
$ ll -Z k.log
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 k.log
该文件是在 SELinux 模式设置为许可时创建的。
如何设置安全上下文以便apache用户可以在该目录中写入?我确实使用设置了该目录安全上下文,chcon但找不到合适的文件类型。
来自audit.log:
type=AVC msg=audit(1409945481.163:1561): avc: denied { append } for pid=16862 comm="httpd" name="k.log" dev="dm-1" ino=201614333 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1409945481.163:1561): arch=c000003e syscall=2 success=no exit=-13 a0=7fa8080847a0 a1=441 a2=1b6 a3=3 items=0 ppid=15256 pid=16862 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)