Linux: the incomprehensible bug of the day
- Wednesday, 30 November 2011
- By Boris HUISGEN
STOP USING this system parameter:
net.ipv4.tcp_tw_recycle = 1

With it enabled, the kernel rejects any SYN whose TCP timestamp is lower than the last one it saw from the same source address. Clients behind a NAT share one address but have unrelated clocks, so a random subset of their connections fails silently, with nothing logged on either side. The option was removed from Linux in 4.12.
mmv is a tool for modifying, copying or moving files in bulk. It therefore lets you fix naming mistakes quickly!
For instance, the command that renames every file containing a ":" character, replacing it with "_", is:
# mmv \*:\* \#1_#2

The backslashes keep the shell from expanding the wildcards and from reading # as the start of a comment. mmv first checks the whole batch and renames nothing if two sources would map onto the same target or a target already exists.
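The same rename done with POSIX tools, as an added example that is not part of the original post and not mmv's own code: it keeps the one thing mmv gives you over a bare `for f in *:*; do mv ...` loop, namely a dry check for collisions before any file is touched. The function name and the directory argument are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the ':' -> '_' bulk rename
# above, done with POSIX tools, keeping the collision check that mmv performs
# before touching any file. Exit status: 0 = renamed (or nothing to do),
# 1 = refused, in which case no file has been moved.
rename_colons() {
    dir=$1

    # Pass 1: compute every target name without renaming anything.
    targets=$(
        for src in "$dir"/*:*; do
            [ -e "$src" ] || continue            # glob matched nothing
            printf '%s\n' "${src##*/}" | tr ':' '_'
        done
    )
    [ -n "$targets" ] || return 0                # nothing to rename

    # Two different sources mapping onto one target (a:b:c and a_b:c).
    dups=$(printf '%s\n' "$targets" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'refusing: several files would be renamed to %s\n' "$dups" >&2
        return 1
    fi

    # A target that already exists and is not part of the batch.
    printf '%s\n' "$targets" | while IFS= read -r t; do
        if [ -e "$dir/$t" ]; then
            printf 'refusing: %s already exists\n' "$dir/$t" >&2
            exit 1                               # leaves the pipeline subshell
        fi
    done || return 1

    # Pass 2: every check passed, rename.
    for src in "$dir"/*:*; do
        mv -- "$src" "$dir/$(printf '%s\n' "${src##*/}" | tr ':' '_')"
    done
}
```

Run it as `rename_colons /path/to/dir`; names containing newlines are the one case this simplified two-pass approach does not handle, which mmv does.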
OpenVPN ships a PAM authentication plugin. By adding the LDAP module for PAM, it can query the LDAP directory in which the credentials of every user connecting to the VPN server are stored.

# cd /usr/ports/security/pam_ldap
# make install clean

/usr/local/etc/openvpn/openvpn.conf:

[...]
plugin /usr/local/lib/openvpn-auth-pam.so openvpn

/usr/local/etc/pam.d/openvpn:

account  required /usr/local/lib/pam_ldap.so config=/usr/local/etc/openvpn/auth/pam_ldap.conf
auth     required /usr/local/lib/pam_ldap.so config=/usr/local/etc/openvpn/auth/pam_ldap.conf
password required /usr/local/lib/pam_ldap.so config=/usr/local/etc/openvpn/auth/pam_ldap.conf
session  required /usr/local/lib/pam_ldap.so config=/usr/local/etc/openvpn/auth/pam_ldap.conf

/usr/local/etc/openvpn/auth/pam_ldap.conf:

uri ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi/
binddn cn=proxy,dc=my,dc=domain
bindpw 123456
ldap_version 3
ssl start_tls
tls_cacert /usr/local/etc/openldap/server.crt
tls_checkpeer no
base ou=Users,dc=my,dc=domain
scope one
pam_login_attribute uid

Two caveats on this file. `tls_checkpeer no` disables verification of the directory server's certificate, which is the only thing that makes a StartTLS session resistant to a spoofed server; it is harmless here solely because the directory is reached through the local ldapi:// Unix socket, on which TLS adds nothing. If the URI is ever changed to an ldap://host form, set tls_checkpeer to yes and point tls_cacert at the CA certificate. The bind password (123456 is a placeholder) is stored in clear text, so keep the file owned by root with mode 0600.

On the client side, add the following option to the configuration file:

[...]
auth-user-pass
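A small audit of a pam_ldap.conf-style file for the weak settings discussed above, as an added example that is not part of the original post or of pam_ldap. It understands only the option names used on this page, builds its own constructed sample file modelled on the post's, and its function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pam_ldap.conf-style file
# for the settings that weaken the OpenVPN -> PAM -> LDAP chain above. Each
# finding is printed on one line; the exit status is the number of findings
# (0 means nothing flagged). Option names are the ones used in the post.

# Constructed sample modelled on the post's file, not a capture from a real
# system: $1 = path, $2 = uri, $3 = tls_checkpeer value.
write_sample_conf() {
    cat > "$1" <<EOF
uri $2
binddn cn=proxy,dc=my,dc=domain
bindpw 123456
ldap_version 3
ssl start_tls
tls_cacert /usr/local/etc/openldap/server.crt
tls_checkpeer $3
base ou=Users,dc=my,dc=domain
scope one
pam_login_attribute uid
EOF
}

audit_pam_ldap_conf() {
    f=$1
    n=0
    uri=$(awk '$1 == "uri" { print $2 }' "$f")
    checkpeer=$(awk '$1 == "tls_checkpeer" { print $2 }' "$f")
    ssl=$(awk '$1 == "ssl" { print $2 }' "$f")

    case "$uri" in
        ldapi://*)
            # Local Unix socket: no network path, so TLS settings are moot.
            ;;
        ldaps://*)
            # TLS from the start; the peer still has to be verified.
            if [ "$checkpeer" = no ]; then
                echo "FINDING: tls_checkpeer no on $uri (server certificate never verified)"
                n=$((n + 1))
            fi
            ;;
        *)
            # Plain ldap:// URI: needs StartTLS, and StartTLS needs a peer check.
            if [ "$ssl" != start_tls ]; then
                echo "FINDING: bind password and user passwords sent in clear on $uri"
                n=$((n + 1))
            elif [ "$checkpeer" = no ]; then
                echo "FINDING: tls_checkpeer no on $uri (StartTLS open to a spoofed directory)"
                n=$((n + 1))
            fi
            ;;
    esac

    # A clear-text bindpw in a file readable by more than its owner.
    if grep -q '^bindpw[[:space:]]' "$f"; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
        case "$mode" in
            600|400) ;;
            *) echo "FINDING: bindpw stored in a file with mode $mode (want 0600)"
               n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# Stand-alone demo: the post's settings, but on a network URI and mode 0644.
demo=$(mktemp)
write_sample_conf "$demo" ldap://192.168.1.254/ no
chmod 644 "$demo"
audit_pam_ldap_conf "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

On the post's own file (ldapi:// socket) the audit flags only the file mode if it is wider than 0600; the same settings on an ldap://host URI produce two findings.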
$ wireshark -k -i <(ssh -l root server.my.domain /usr/bin/tshark -i eth0 -w - not tcp port 22)
The Debian package is built without OpenSSL support, so it is rebuilt with DEB_BUILD_OPTIONS=ssl:

# apt-get build-dep netatalk
# apt-get install libcrack2-dev fakeroot libssl-dev
# apt-get source netatalk
# cd netatalk-2.1.2/
# DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot
# dpkg -i ../netatalk_2.1.2-2_amd64.deb

(dpkg-buildpackage writes the .deb to the parent directory, hence the ../ in the last command.)
# nano /etc/netatalk/afpd.conf
- -tcp -ipaddr 192.168.1.166 -noddp -uamlist uams_dhx2.so -nosavepassword
# nano /etc/netatalk/AppleVolumes.default
/home/share/work work allow:@users perm:770
# mkdir -p /home/share/work
# chown root:users /home/share/work
# chmod 770 /home/share/work
# apt-get install avahi-daemon libnss-mdns
# touch /etc/avahi/services/afpd.service
# nano /etc/avahi/services/afpd.service
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
</service-group>
# apt-get install libnss-ldap libpam-ldap
# nano /etc/libnss-ldap.conf
# nano /etc/libpam-ldap.conf
uri ldap://192.168.1.254/
base dc=my,dc=domain
ldap_version 3
binddn cn=proxy,dc=my,dc=domain
bindpw 123456
ssl start_tls
tls_checkpeer no

Here the directory is reached over the network, so `tls_checkpeer no` is not cosmetic: pam_ldap authenticates a user by binding with that user's own password, and a host that can answer for 192.168.1.254 (ARP spoofing on the LAN is enough) is handed every password users type, StartTLS or not, because the client never checks who it is talking to. Set it to yes and give pam_ldap the CA certificate of the directory server.
# nano /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required			pam_unix.so
session	optional			pam_ldap.so
# end of pam-auth-update config
session required pam_mkhomedir.so skel=/etc/skel umask=0022
If the afpd daemon refuses to start automatically when the machine boots, check the daemon's debug output by adding the option -setuplog "default log_maxdebug".
If the syslog output reveals this error:

Nov 9 15:44:27 patty afpd[1505]: "patty"'s signature is 978C0D71D26955DDF9149364E6377FB8
Nov 9 15:44:27 patty afpd[1505]: DSIConfigInit: hostname: patty, ip/port: 192.168.2.200/548,
Nov 9 15:44:27 patty afpd[1505]: dsi_tcp_init: bind: Cannot assign requested address
Nov 9 15:44:27 patty afpd[1505]: dsi_tcp_init: no suitable network config for TCP socket
Nov 9 15:44:27 patty afpd[1505]: main: dsi_init: Cannot assign requested address

apply this patch to the start-up script /etc/init.d/netatalk:
--- netatalk.old 2011-11-09 15:58:00.340749343 +0100 +++ netatalk 2011-11-09 15:48:01.460324452 +0100 @@ -63,6 +63,7 @@ fi if [ x"$AFPD_RUN" = x"yes" ]; then + sleep 4 /usr/sbin/afpd $AFPD_UAMLIST -g $AFPD_GUEST -c $AFPD_MAX_CLIENTS \ -n "$ATALK_NAME$ATALK_ZONE" echo -n " afpd"
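Review bot: the added `sleep 4` before `/usr/sbin/afpd` papers over a start-up ordering race rather than fixing it. The log above shows afpd trying to bind 192.168.2.200 (the `-ipaddr` from afpd.conf) before that address is configured, and four seconds is a guess that a slower boot or a DHCP lease will exceed, while every boot on which the address was already present is delayed for nothing. Either wait for the address explicitly before the `if [ x"$AFPD_RUN" = x"yes" ]; then` block (a bounded loop polling `ip -o -4 addr show` until 192.168.2.200 appears, giving up after a fixed number of seconds with a logged error), or drop `-ipaddr` from afpd.conf so afpd binds the wildcard address and needs no ordering at all.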
node1# more /etc/rc.conf
gateway_enable="YES"
network_interfaces="lo0 igb0 igb1 em0"
ifconfig_igb0="up"
ifconfig_igb1="inet 172.16.2.251 netmask 255.255.255.0"
ifconfig_em0="192.168.254.251 netmask 255.255.255.0"
defaultrouter="172.16.2.254"
cloned_interfaces="vlan1 vlan101 vlan102 carp0 carp1 carp2 carp3"
ifconfig_vlan1="inet 192.168.0.251 netmask 255.255.255.0 vlan 1 vlandev igb0"
ifconfig_vlan101="inet 192.168.1.251 netmask 255.255.255.0 vlan 101 vlandev igb0"
ifconfig_vlan102="inet 192.168.2.251 netmask 255.255.255.0 vlan 102 vlandev igb0"
ifconfig_carp0="vhid 1 pass my$ecret 192.168.0.254 netmask 255.255.255.0 advbase 1 advskew 0"
ifconfig_carp1="vhid 2 pass my$ecret 192.168.1.254 netmask 255.255.255.0 advbase 1 advskew 0"
ifconfig_carp2="vhid 3 pass my$ecret 192.168.2.254 netmask 255.255.255.0 advbase 1 advskew 0"
ifconfig_carp3="vhid 4 pass my$ecret 172.16.2.253 netmask 255.255.255.0 advbase 1 advskew 0"
pf_enable="YES"
pf_flags=""
pf_rules="/etc/fw.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pfsync_enable="YES"
pfsync_syncdev="em0"
pfsync_syncpeer="192.168.254.252"

Two things to know about this file. rc.conf is sourced by sh, so `my$ecret` between double quotes undergoes parameter expansion and the CARP password actually used is `my` (both nodes agree, so failover works, but not with the secret you think you chose); use single quotes or a password without `$`. And the CARP password only authenticates CARP advertisements: pfsync itself carries the state table unauthenticated, which is why em0 is a dedicated link between the two nodes and must not be shared with anything else.
node1# echo net.inet.carp.preempt=1 >> /etc/sysctl.conf
node1# sysctl net.inet.carp.preempt=1

(Note the `>>`: a single `>` would replace the whole of /etc/sysctl.conf with that one line.)
node1# ee pf.conf

(The ruleset PF actually loads is the file named by pf_rules in rc.conf, /etc/fw.conf above; put these rules there.)
pass quick on em0 inet proto pfsync from any to any
pass quick on { vlan1 vlan101 vlan102 igb1 } inet proto carp from any to any
node2# more /etc/rc.conf
gateway_enable="YES"
network_interfaces="lo0 igb0 igb1 em0"
ifconfig_igb0="up"
ifconfig_igb1="inet 172.16.2.252 netmask 255.255.255.0"
ifconfig_em0="192.168.254.252 netmask 255.255.255.0"
defaultrouter="172.16.2.254"
cloned_interfaces="vlan1 vlan101 vlan102 carp0 carp1 carp2 carp3"
ifconfig_vlan1="inet 192.168.0.252 netmask 255.255.255.0 vlan 1 vlandev igb0"
ifconfig_vlan101="inet 192.168.1.252 netmask 255.255.255.0 vlan 101 vlandev igb0"
ifconfig_vlan102="inet 192.168.2.252 netmask 255.255.255.0 vlan 102 vlandev igb0"
ifconfig_carp0="vhid 1 pass my$ecret 192.168.0.254 netmask 255.255.255.0 advbase 1 advskew 100"
ifconfig_carp1="vhid 2 pass my$ecret 192.168.1.254 netmask 255.255.255.0 advbase 1 advskew 100"
ifconfig_carp2="vhid 3 pass my$ecret 192.168.2.254 netmask 255.255.255.0 advbase 1 advskew 100"
ifconfig_carp3="vhid 4 pass my$ecret 172.16.2.253 netmask 255.255.255.0 advbase 1 advskew 100"
pf_enable="YES"
pf_flags=""
pf_rules="/etc/fw.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pfsync_enable="YES"
pfsync_syncdev="em0"
pfsync_syncpeer="192.168.254.251"
node2# echo net.inet.carp.preempt=1 >> /etc/sysctl.conf
node2# sysctl net.inet.carp.preempt=1
node2# ee pf.conf
pass quick on em0 inet proto pfsync from any to any
pass quick on { vlan1 vlan101 vlan102 igb1 } inet proto carp from any to any
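What rc(8) really gets as the CARP password from an rc.conf written with double quotes, as an added example that is not part of the original post: the helpers below source a constructed one-line rc.conf fragment the way the rc scripts do and print the word after `pass`. The function names and the fragment are my own; the ifconfig_carp0 value is the one from the post.

```shell
#!/bin/sh
# Added example, not from the original post. /etc/rc.conf is sourced by sh,
# so a CARP password written as "my$ecret" between double quotes is subject
# to parameter expansion: $ecret is an unset variable and the password that
# actually reaches ifconfig is "my". The helpers below show the value rc
# would see for both quoting styles, using a constructed one-line rc.conf.

# Write a constructed rc.conf fragment: $1 = path, $2 = the right-hand side
# of ifconfig_carp0=... exactly as it would be typed, quotes included.
write_rc_fragment() {
    printf 'ifconfig_carp0=%s\n' "$2" > "$1"
}

# Source the fragment the way rc sources rc.conf and print the 'pass' word.
# Runs in a subshell so the caller's variables are untouched.
carp_pass_from_rc() {
    (
        . "$1"
        set -- $ifconfig_carp0      # word-split, as when rc hands it to ifconfig
        while [ $# -gt 1 ]; do
            if [ "$1" = pass ]; then
                printf '%s\n' "$2"
                exit 0
            fi
            shift
        done
        exit 1                      # no 'pass' keyword found
    )
}

f=$(mktemp)
# 1. The post's form: double quotes. $ecret expands to nothing.
write_rc_fragment "$f" '"vhid 1 pass my$ecret 192.168.0.254 netmask 255.255.255.0 advbase 1 advskew 0"'
carp_pass_from_rc "$f"      # my
# 2. Single quotes keep the dollar sign literal.
write_rc_fragment "$f" "'vhid 1 pass my\$ecret 192.168.0.254 netmask 255.255.255.0 advbase 1 advskew 0'"
carp_pass_from_rc "$f"      # my$ecret
rm -f "$f"
```

The same check can be pointed at a real /etc/rc.conf (`carp_pass_from_rc /etc/rc.conf`) before a node is brought into the cluster; since both nodes are usually edited the same way, the mistake never shows up as a failover problem, only as a weaker password than intended.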
# PF SUPPORT
device pf
device pfsync
device pflog
device carp
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
altq on igb0 bandwidth 853Kb hfsc queue { net_ack, net_dns, net_ssh, net_web, net_bulk, net_p2p }
queue net_ack bandwidth 30% priority 9 qlimit 500 hfsc (realtime 20%)
queue net_dns bandwidth 5% priority 8 qlimit 500 hfsc (realtime 2%)
queue net_ssh bandwidth 20% priority 7 qlimit 500 hfsc (realtime 20%) { net_ssh_bulk, net_ssh_login }
queue net_ssh_bulk bandwidth 50% priority 5 qlimit 500 hfsc
queue net_ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
queue net_web bandwidth 20% priority 6 qlimit 500 hfsc (realtime (20%, 10000, 5%))
queue net_bulk bandwidth 5% priority 4 qlimit 500 hfsc (realtime 2% default, ecn)
queue net_p2p bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 50%)
pass out quick on igb0 inet proto tcp from any to any port 53 flags any queue net_dns
pass out quick on igb0 inet proto udp from any to any port 53 queue net_dns
pass out quick on igb0 inet proto tcp from any to any port 22 flags any queue (net_ssh_bulk, net_ssh_login)
pass out quick on igb0 inet proto tcp from any to any port { 80, 443 } flags any queue net_web
pass out quick on igb0 inet proto tcp from any to any flags any queue (net_bulk, net_ack)
pass out quick on igb0 inet proto udp from any to any port 10000 queue net_p2p
Beware! Unlike the tag option, the queue option is not sticky: the queue a packet goes to is the one named by the last rule that matches it, and if that rule names no queue the default queue is used. For QoS on FTP traffic, the queue that ftp-proxy's rules should use therefore has to be given through its -q option.
pftop is a great help for testing and validating all your PF and ALTQ rules.
GoAccess is an Apache/Nginx log analyser that presents its results on the fly, directly in the console. This open-source program is available on the various UNIX/Linux systems.
Official site: http://goaccess.prosoftcorp.com/
# fix for clickjacking
Header always set X-Frame-Options SAMEORIGIN

Use `set` rather than `append`: `append` merges the value into an existing X-Frame-Options header, comma-separated, so an application that already sends the header ends up returning "SAMEORIGIN, SAMEORIGIN", and X-Frame-Options has no list syntax. Check with `curl -sI` that exactly one X-Frame-Options header comes back.
More information here.
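A check for the header actually served, as an added example that is not part of the original post or of Apache: it reads a response header block such as `curl -sI URL` produces and prints one of four verdicts, and it includes constructed sample responses (not real captures) for the `set` case, the comma-joined value `append` produces, a header sent twice, a CSP-only response and a missing header. The function and sample names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify the clickjacking
# protection in a captured HTTP response header block. Feed it the output of
# `curl -sI URL`. It also shows why the directive above should use `set` and
# not `append`: with `append`, an application that already emits
# X-Frame-Options ends up sending "SAMEORIGIN, SAMEORIGIN", which is not a
# defined value for that header.
# Verdicts printed: OK, MISSING, INVALID (unknown or comma-joined value, or
# the header sent twice), CSP (no X-Frame-Options but a CSP frame-ancestors
# directive, which current browsers honour in its place).
frame_verdict() {
    tr -d '\r' | awk '
        {
            lc = tolower($0)
            if (index(lc, "x-frame-options:") == 1) {
                count++
                v = substr($0, length("x-frame-options:") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                xfo = tolower(v)
            } else if (index(lc, "content-security-policy:") == 1 &&
                       index(lc, "frame-ancestors") > 0) {
                csp = 1
            }
        }
        END {
            if (count == 0) { print (csp ? "CSP" : "MISSING"); exit }
            if (count > 1 || index(xfo, ",") > 0) { print "INVALID"; exit }
            if (xfo == "deny" || xfo == "sameorigin") { print "OK" } else { print "INVALID" }
        }'
}

# Constructed header blocks (not real captures).
sample_set() {      # what "Header always set X-Frame-Options SAMEORIGIN" yields
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_append() {   # "Header always append" on an app that already sends the header
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n'
}
sample_twice() {    # header emitted twice (application and web server)
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_csp() {      # CSP frame-ancestors only
    printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'none'\r\n\r\n"
}
sample_none() {     # no protection at all
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

sample_set    | frame_verdict   # OK
sample_append | frame_verdict   # INVALID
sample_twice  | frame_verdict   # INVALID
sample_csp    | frame_verdict   # CSP
sample_none   | frame_verdict   # MISSING
```

Against a live server: `curl -sI https://host/ | frame_verdict`. Anything other than OK or CSP means the page can still be framed by a site that chooses to ignore the malformed header.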
On the server:
$ nc -lu 192.168.1.1 1194
From the client (external, here):
$ nc -vzu 80.81.80.81 1194

Corroborate on the server side (a packet capture on UDP 1194, or a run without -z that sends a line of text for the listener to print) rather than trusting the client's verdict alone: a UDP port has nothing to send back, so nc can only report it closed when an ICMP port-unreachable comes back, and a firewall that silently drops the datagram looks exactly like an open port.