cd
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.1.0.tar.gz
tar xvfz BlockHosts-2.1.0.tar.gz
cd cd BlockHosts-2.1.0
python setup.py install --force
nano /etc/blockhosts.cfg
修改
[...]
HOSTS_BLOCKFILE = "/etc/hosts.allow"
[...]
HOST_BLOCKLINE = ["ALL: ", " : deny"]
[...]
LOGFILES = [ "/var/log/auth.log", "/var/log/proftpd/proftpd.log", ]
[...]
COUNT_THRESHOLD = 3
[...]
AGE_THRESHOLD = 12
[...]
MAIL = True
[...]
NOTIFY_ADDRESS = 'root@localhost.localdomain'
[...]
SMTP_SERVER = "localhost"
SENDER_ADDRESS = 'BlockHosts <blockhosts-do-not-reply@localhost.localdomain>'
[...]
IPBLOCK = "iptables" [...]
In HOSTS_BLOCKFILE we can specify either /etc/hosts.allow or /etc/hosts.deny. It doesn't matter which one we choose. I'm using /etc/hosts.allow here. In the LOGFILES line we specify the log files that BlockHosts should look at. OpenSSH is logging failed login attempts to /var/log/auth.log, ProFTPd to /var/log/proftpd/proftpd.log. COUNT_THRESHOLD specifies the number of failed login attempts from the same host after which BlockHosts should block that host. AGE_THRESHOLD is the numer of hours after which blocked hosts get unblocked. IPBLOCK specifies if you'd like to block hosts with iptables or iproute in addition to adding these hosts to /etc/hosts.allow (or /etc/hosts.deny).
Next we must modify /etc/hosts.allow. First back up your current /etc/hosts.allow:
cp /etc/hosts.allow /etc/hosts.allow_bak
nano /etc/hosts.allow
TCP: Treason uncloaked! Peer 203.168.193.2:55074/80 shrinks window ... Repaired.
The remote host decided to shrink the TCP window size without negotiating such with your Linux box. The message is of the informational level, meaning Linux doesn't like what it is seeing but will cope with it and carry on.
大致意思是说:这是一段一般性提示信息,说明远程主机在未经Linux主机"同意"就收缩了TCP window size,虽然Linux主机不喜欢这类举动,但是仍将继续处理这类请求.
这是一种解释,也就是这类信息可能并非危险.
另外一段解释来自Debian的邮件列表,首先回复者引用了一段源代码说明错误的来源:
>>From /usr/src/linux/net/ipv4/tcp_timer.c:
if (tp->snd_wnd == 0 && !sk->dead &&
!((1<<sk->state)&(TCPF_SYN_SENT|TCPF_SYN_RECV))) {
/* Receiver dastardly shrinks window. Our retransmits
* become zero probes, but we should not timeout this
* connection. If the socket is an orphan, time it out,
* we cannot allow such beasts to hang infinitely.
*/
#ifdef TCP_DEBUG
if (net_ratelimit())
printk(KERN_DEBUG "TCP: Treason uncloaked! Peer
%u.%u.%u.%u:%u/%u shrinks window %u:%u. Repaired.\n",
NIPQUAD(sk->daddr), htons(sk->dport), sk->num,
tp->snd_una, tp->snd_nxt);
#endif
具体的解释是:
So it appears that someone is running some sort of "tar-pit" system that is
designed to keep sockets in a bad state and run you out of kernel memory.I suspect that this ties in with the spam blocking things we recently
discussed. Maybe you should tell your ISP that they are to blame for such
actions being done to you and that they should "give you face" (I think that
was the term you used) by closing their open relays.
作者认为这可能和tar-pit攻击相关.并且建议联系ISP提供解决方案.
还有如下的解释:
The reason Linux is printing such messages is because your client guy is shrinking the TCP Window to 0, and the server has something to retransmit. There is something seriously wrong with your client's stack. Which Stack/OS are you using on he client side, and which browser?
That could explain your browser showing some html tags as the server fails to send the whole page across and based on what browser you are using it is failing to parse it out.
意思是,这类错误也可能是客户端Stack错误引起的.
另一段同样引用了源代码的解释似乎直指了问题的本质:
> Treason uncloaked! Peer [IP address]:515/1022 shrinks window
> 3957222360:3957222379. Repaired.
> Our researches so far indicate the problem may be a buggy TCP stack
> in the client, that is in the DP301P+. But we still do not know
> exactly what caused the problem, nor how to prevent it happening
> again.
That comes from the kernel tcp code below. Looks like the DLink has
returned information yielding a transmit window smaller than it
previously did; specifically it returned a window of zero plus an ack
of up to byte 3957222360, thus indicating that it can accept nothing
after that byte. Previously it had sent some ack+wnd values
indicating that it would accept up to byte 3957222379.
The Linux side is now supposed to send a packet every now and then
forever until the returned window is nonzero. It does.
However, the dlink is apparently not responding in a timely manner.
Any response would either open the window or update the rcv timestamp
such that the thing will retransmit forever. It may be responding
very slowly, or just not responding at all.
The kernel prints the message after it expected but did not see a
response to the probe packet it sent to check for a nonzero window.
The kernel implements exponential backoff retransmissions until it
hasn't seen any response in 2m, then it will bail and close the
connection. This is reasonable. It's unclear from your report if the
connections are failing outright or just sometimes having to
retransmit a probe against a peer that shrank the window.
这段解释极为详尽.就此作结.
proftpd配置文件中设置的最大连接数为500,结果发现事实上到了100就不能连接了。
今天发现原来是mysql的问题,mysql中max_connections设置的为100。导致proftpd用户登录时,与mysql连接进行验证失败。
修改my.conf ,将里面的max_connections设置为500就ok了
用惯了proftpd,本来打算用pureftpd的,后来想想算了。proftpd虚拟用户的配置其实很早就解决了,只是虚拟用户和本地用户同时登录,一直没有解决。于是趁这个机会仔细研究了下。依然是debian下面的配置。
参考站点:HowtoForge 上面有很多server的配置,各种平台下,从debian到redhat,以及suse,mandriva都有,非常详细。强烈推荐。
安装mysql和phpmyadmin,其中phpmyadmin不是必需的
apt-get install mysql-server mysql-client libmysqlclient15-dev phpmyadmin apache2
为mysql设置root密码
mysqladmin -u root password yourrootsqlpassword
如果需要其他人访问本机的mysql,同样需要设置密码
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
安装带mysql支持的proftpd,注意选择proftpd工作在standalone模式
apt-get install proftpd-mysql
建立虚拟用户组,这个是为了把proftpd用户虚拟到本机的一个用户上。注意下面的2001修改为自定义的。
groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "proftpd user" -g ftpgroup ftpuser
debian上挂载的存储,一共2快。大小分别为1T和2T。因为刚刚挂载,所以没有分区。下面是分区过程。同时发现debian下的图形化分区工具cfdisk,效果不错。只是似乎不能选择reserfs格式。但是对于其他应用非常不错
首先对2T空间sdd分区,首先还是建立分区
bt:/# fdisk /dev/sdd
The number of cylinders for this disk is set to 130541.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-130541, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-130541, default 130541):
Using default value 130541Command (m for help): w
The partition table has been altered!Calling ioctl() to re-read partition table.
Syncing disks.
分配文件格式,为了提高效率,设置的reiserfs格式
bt:/# mkfs.reiserfs /dev/sdd1
mkfs.reiserfs 3.6.19 (2003 www.namesys.com)A pair of credits:
Edward Shushkin wrote the encryption and compression file plugins, and the V3
journal relocation code.The Defense Advanced Research Projects Agency (DARPA, www.darpa.mil) is the
primary sponsor of Reiser4. DARPA does not endorse this project; it merely
sponsors it.Guessing about desired format.. Kernel 2.6.18-4-686 is running.
Format 3.6 with standard journal
Count of blocks on the device: 262142624
Number of blocks consumed by mkreiserfs formatting process: 16211
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: afd18a2b-f8fd-448a-ac64-7886b53706bd
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/sdd1'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..okTell your friends to use a kernel based on 2.4.18 or later, and especially not a
kernel based on 2.4.9, when you use reiserFS. Have fun.ReiserFS is successfully created on /dev/sdd1.
然后挂载分区
bt:/# mount -t reserfs /dev/sdc1 /var/ftp/
开机自动挂载,修改/etc/fstab就可以了
首先下载相应版本的驱动,我的是
http://www-dl.emulex.com/support/hpux/53109/lpfc.depot-05_31_09-hpux11iv2_64_dlkm.z
然后上传到服务器
重命名
mv lpfc.depot-05_31_09-HPUX11iv2_64_dlkm.z lpfc.depot 05_31_09-HPUX11iv2_64_dlkm.Z
解压缩
uncompress lpfc.depot-05_31_09-HPUX11iv2_64_dlkm.Z
安装
swinstall -s `pwd`/lpfc.depot-t-05_31_09-HPUX11iv2_64_dlkm
似乎hp unix的彷图形界面有些不稳定,同样环境的2台机器,1台一次成功,1台安装总是失败,重新启动2次后安装成功。。
安装后查看是否安装成功
# kcmodule -v lpfc
新到的存储,准备在Debian下使用,但是Qlogic官方没有提供for debian的驱动,只有for redhat ,SLSE的。在debian下需要自己安装下。
首先插上HBA卡,启动系统。从启动信息中发现似乎已经找到了。
进入系统,执行lsmod,发现模块已经加载了。
qla2xxx 126560 0
firmware_class 9600 1 qla2xxx
scsi_transport_fc 28544 1 qla2xxx
但是无法正常驱动,查看系统日志: more /var/log/systemlog
发现如下信息
QLogic Fibre Channel HBA Driver
qla2xxx 0000:02:01.0: Found an ISP2100, irq 10, iobase 0xf8826000
qla2xxx 0000:02:01.0: Configuring PCI space...
qla2xxx 0000:02:01.0: Configure NVRAM parameters...
qla2xxx 0000:02:01.0: Verifying loaded RISC code...
qla2xxx 0000:02:01.0: Firmware image unavailable.
qla2xxx 0000:02:01.0: Firmware images can be retrieved from: ftp://ftp.qlogic.com/outgoing/linux/firmware/.
qla2xxx 0000:02:01.0: Failed to initialize adapter
提示firmware有问题,到提示的地址下载,ftp://ftp.qlogic.com/outgoing/linux/firmware/.
结果网络实在是太慢。。。下载不到。。于是google了一下debian的deb包,发现确实有。
于是执行
wget ftp://ftp.debian.org/debian/pool/non-free/f/firmware-nonfree/firmware-qlogic_*
dpkg -i firmware-qlogic_*
update-initramfs -k all -u
然后执行
#find / -name *logic
/usr/src/qlogic
/usr/share/doc/firmware-qlogic
/usr/share/initramfs-tools/hooks/firmware_qlogic
然后执行
./usr/share/initramfs-tools/hooks/firmware_qlogic
重新执行
update-initramfs -k all -u
重新启动系统,然后查看系统日志,已经正确加载
QLogic Fibre Channel HBA Driver
PCI: Enabling device 0000:0f:03.0 (0150 -> 0153)
ACPI: PCI Interrupt 0000:0f:03.0[A] -> GSI 160 (level, low) -> IRQ 74
qla2xxx 0000:0f:03.0: Found an ISP2312, irq 74, iobase 0xf88f8000
qla2xxx 0000:0f:03.0: Configuring PCI space...
qla2xxx 0000:0f:03.0: Configure NVRAM parameters...
qla2xxx 0000:0f:03.0: Verifying loaded RISC code...
qla2xxx 0000:0f:03.0: Allocated (412 KB) for firmware dump...
qla2xxx 0000:0f:03.0: LIP reset occured (f8f7).
qla2xxx 0000:0f:03.0: Waiting for LIP to complete...
qla2xxx 0000:0f:03.0: LIP occured (f8f7).
qla2xxx 0000:0f:03.0: LOOP UP detected (2 Gbps).
qla2xxx 0000:0f:03.0: LIP reset occured (f7f7).
qla2xxx 0000:0f:03.0: LIP occured (f7f7).
qla2xxx 0000:0f:03.0: Topology - (Loop), Host Loop address 0x0
参考文章
It is recommended to use YaST for installation of the NVIDIA
driver. There are several reasons for this. First, it's
simple. Second, and this is the most important one, you won't need to
recompile the nvidia kernel module after a kernel update.
Update your Kernel via YOU (YaST Online Update). Use
YaST -> Software -> Change installation Source -> Add
Protocol: HTTP
Server Name: : download.nvidia.com
Directory on Server: /opensuse/10.2
to add the NVIDIA ftp server as additional installation source.
Now use
YaST -> Software -> Install and Delete Software
to install the NVIDIA driver. Select the following packages:
x11-video-nvidia
nvidia-gfx-kmp-"kernel-flavor"
"kernel-flavor" depends on your installed kernel. Check with
"uname -r" for installed default/smp/bigsmp kernel. Use "sax2 -r"
for X.Org configuration.
People who aren't afraid of recompiling the nvidia kernel module or
even reinstalling the nvidia driver each time the kernel has been
updated and want or need to use the latest and greatest nvidia driver
can use the following steps 1-3. The others should use the
instructions above using YaST and skip the steps below.
1) Kernel sources must be installed and configured. Usually this means
installing the 'kernel-source', 'make' and 'gcc' packages with YaST2.
2) Use the nvidia installer for 1.0-9746.
sh NVIDIA-Linux-x86-1.0-9746-pkg1.run -q
3) Configure X.Org with
sax2 -r -m 0=nvidia (0 is a digit, not a letter!)
NOTE: There is no need to try to enable 3D support. It's already
enabled, when the nvidia driver is running.
IMPORTANT: You need to recompile and install the nvidia kernel module
after each kernel update.
sh NVIDIA-Linux-x86-1.0-9746-pkg1.run -K
The default Ubuntu Dapper Drake installation includes some basic processes that check devices, tune the operating system, and perform housekeeping. Some of these processes are always running, while others start up periodically. Occasionally you might see your hard drive start up or grind away for a few minutes—what's going on? On mission critical servers, serious gaming boxes, and other real-time systems, unexpected processes can cause huge problems; administrators should know exactly what is running and when. The last thing a time-sensitive application needs is for a resource-intensive maintenance system to start at an unexpected time and cause the system to slow down.
In order to fine-tune your system, you will need to know what is currently running, which resources are available, and when processes start up. From there, you can tweak configurations: disable undesirable processes, enable necessary housekeeping, and adjust your kernel to better handle your needs.
Time to Change
Different versions of Ubuntu (and Linux) use different startup scripts and run different support processes. Knowing how one version of Linux works does not mean that you know how all versions work. For example, one of my computers has a clock that loses a few minutes after every reboot. (It's an old computer.) When I installed Ubuntu Dapper Drake (6.06), I noticed that the time was correct after a reboot. I started to look around to find out how it did that and which timeserver it was using. The first thing I noticed was that there was no script in /etc/init.d/ for setting the time. Eventually I tracked down the network startup scripts and found that the ntpdate script was moved from /etc/init.d/ (in previous Ubuntu releases) to /etc/network/if-up.d/. This script allowed me to find the network time protocol (NTP) configuration file (/etc/default/ntpdate).
A similar problem came up when I started running Ubuntu Hoary Hedgehog (5.04). Periodically the hard drives would grind when I was not doing anything. At other times it happened when I was running processes that were impacted by disk I/O—when the drives began to grind, the critical process would detect a processing problem. I quickly narrowed the disk grinding to updatedb—a caching program that works with slocate for quickly finding files. What I could not find was how this program was being started. Eventually I discovered that updatedb was started by anacron, an automated scheduler.
While it is important to know what is running, it is even more important to know how to track down running processes and tune them to your needs.
Learning the Lingo
Everything that runs on the system is a process. Processes are programs that perform tasks. The tasks may range from system maintenance to configuring plug-and-play devices and anything else the user needs. System processes manage keep the operating system running, whereas user processes handle user needs.
Many processes provide services for other processes. For example, a web server is a service for handling HTTP network requests. The web server may use one or more processes to perform its task. Some services are critical to the system's operation. For example, if the system must support graphics but the X-Windows service is unavailable, then a critical service is missing.
Although most system processes are services, most user processes are applications. Applications consist of one or more processes for supporting user needs. For example, the Firefox web browser is an application that helps the user browse the web. In general, services start and end based on system needs, while applications start and end based on user needs.
None of these definitions—programs, processes, applications, and services—are very distinct. For example, the Gnome desktop consists of programs and processes that provide services to other programs and supports user needs. GDE can be called a set of programs, processes, applications, or services without any conflict.
When I talk about processes, I refer to anything that generates a running process identifier (see the next section for Viewing Running Processes). Programs are the executable files on the system that generate one or more processes. Users directly use applications, while the operating system uses services.
