分类：Sec

https://coffieldweb.com/weblog/2019/09/04/install-webmin-aws-amazon-linux-2/

Today we’re going to install one of our favorite Linux management tools. Webmin has been around for a very long time and is great if you’re not a command-line guru. Or perhaps you just prefer a nice GUI to look at. Webmin has a great documentation wiki here.

So let’s get started.

First, we’re going to install the repository so Yum can find it. We’re going to create a .repo file and fill it using vim.

Now lets add the Webmin settings in the file.

Save the file. Now Let’s go get the GPG key so Yum can validate the authenticity of the package.

OK now that we can the reference to the repo installed and the GPG key imported, we’ll simply use Yum to install Webmin. It’ll take care of all the dependencies.

Once that’s done, Webmin will be running and serving on port 10000. You’ll want to adjust your security group in EC2 to make sure port 10000 is open. Also by default, Webmin serves secure pages using https. Most servers don’t have a domain-specific SSL cert installed at this point, so it’ll default to a self-signed certificate. Chrome and other browsers will complain about this. We’ll go over installing SSL certificates another day. For now, just accept the warning and continue to https://you_ip_address:10000/.

The last thing you’ll need to do is set the Webmin root password. By default, it tries to use the system root password which you don’t have access to. But no worries. We can force a password for the Webmin root user only. We can set up other users in Webmin btw. Let’s change the password for root now

We’re all set and can now use Webmin in EC2 on Amazon Linux 2.

https://download.configserver.com/csf/install.txt

https://www.liquidweb.com/kb/basic-dosddos-mitigation-with-the-csf-firewall/

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing from accepting legitimate traffic.

Attacks increasingly have become automated instead of directly targeted and botnets (networks of infected computers that can be remotely controlled) continue to grow at a rapid pace, making DoS and DDoS attacks much more common.

Fortunately, CSF can be used to help mitigate small attacks.

Before proceeding, it is important to understand the following points:

1. There is no way to prevent a DoS/DDoS attack against any server connected to the Internet; once in progress, the only thing that can be done is to try to mitigate its effects.
2. There is no way to make a server respond normally when it is under attack; the most that can be done is to try to keep it online during the attack by reducing the impact of the incoming traffic.
3. In some cases, the best way to deal with a large-volume attack is to null-route the server’s IP address. Effectively, that means temporarily taking it offline until the incoming traffic subsides.
4. Any measures employed within CSF will be effective only against small attacks, and measures should be implemented in CSF only while the server is under attack. The firewall settings always should be restored afterward to minimize disruption of legitimate traffic, as the measures outlined below will slow incoming packets.
5. CSF is not the only way to mitigate small-scale attacks. Services such as those offered by CloudFlare’s network also may help because they are external, buffering traffic to the server. And for maximum protection against large attacks (millions of incoming packets per second), a specialized DoS mitigation service may be necessary. You can read more about such protection at https://www.liquidweb.com/services/network/ddos.html.

Pre-Flight Check

• This series assumes you have the ConfigServer Firewall (CSF) installed on your cPanel server, and you have access to WebHost Manager (WHM).
• If your managed cPanel server currently uses APF but you’d prefer CSF, contact Heroic Support® and request a switch. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.

If you have not already done so, be sure to first back up the current firewall configuration (Part One: How to Back up and Restore the Firewall Configuration) before making any changes. After the attack has subsided, you will want to restore the current firewall configuration using the instructions in that article.

Step #1: Open the Firewall Configuration

1. In WebHost Manager, locate and select ConfigServer Security & Firewall under the Plugins section in the left menu. You also can begin typing “fire” into the search field at the top left to narrow down the options.
2. Click on the Firewall Configuration button to open the configuration file.

Step #2: Rate Limit Incoming Traffic

The first thing that can be done to mitigate the effects of an incoming attack is to limit the number of connections per IP address.

When properly configured, CSF will track the number of connections from IP address hitting the server and block IP addresses at the firewall level should they exceed a defined limit.

It’s important not to set the limit too low, as protocols such as FTP, IMAP, and even HTTP all legitimately make multiple connections. Also, remember that most companies as well as homes and public hotspots may have many different computers on their internal network which all share a single public IP address.

1. To set the limit on connections per IP address, scroll down to the Connection Tracking section of the Firewall Configuration page and set CT_LIMIT to the desired value.
   
   For the purposes of this tutorial, we’ll be using 150 connections per IP address as an upper limit. You may find that you need to lower or raise that number but, generally, you should never attempt to set it below about 100.
2. Assuming the server is under attack, you also will want to disable email alerts by setting CT_EMAIL_ALERT to “0”. Otherwise, the server will send an email every time it blocks an IP address, which will only add to load on the server.
   
3. You also may wish to restrict rate limiting to specific ports, which can be done using the CT_PORTS setting. Multiple ports can be added in comma-separated format (with no space in between). In this example, we’re applying rate limiting only to HTTP ports:
   

With these settings, any IP address that makes more than 150 connections to the web site on the standard and/or secure ports will be blocked in the firewall. By default, that will be a temporary block for 30 minutes. The CT_BLOCK_TIME setting can extend the block period, and by toggling the CT_PERMANENT setting you can arrange for the IP addresses to be blocked permanently.

Step #3: SYNflood Protection

A SYNflood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself.

In basic terms, a TCP connection is established using a three-way handshake:

• The client (incoming connection) sends a synchronization packet (SYN) to the server.
• The server responds with a synchronization acknowledgement (SYN/ACK) to the client.
• The client then responds with an acknowledgement (ACK) back to the server.

A SYNflood attack manipulates that three-way handshake by initiating multiple synchronization requests and then refusing to respond with any final acknowledgements. That causes the server, which is keeping a spot open waiting on the client’s final reply to complete their incoming connection, to eventually run out of available connections for the targeted service and appear to be offline.

On a Linux server, you can quickly check for SYN packets by running this command over SSH:
netstat -nap | grep SYN -c
It’s important to note that the presence of SYN packets does not necessarily mean that a server actually is under SYNflood attack. For instance, if load on the server already is high or there is a great deal of incoming traffic, an elevated level is to be expected. Only the presence of a large number (in the hundreds) is likely to be indicative of a possible SYNflood attack.

If you know that the server is under attack, you can configure CSF to help mitigate this type of attack. Otherwise, skip to Step Three and restart the firewall to apply the rate limits you enabled in Step One.

1. To enable SYNflood protection, locate the Port Flood Settings section of the Firewall Configuration page.
   
2. You can enable SYNflood protection by setting SYNFLOOD to “1” and setting the maximum rate and burst:
   • SYNFLOOD_RATE is the number of SYN packets to accept per IP, per second. For the purposes of this tutorial, we’ll be using a value of “75/s” on the assumption that a DoS attack is in progress.
   • SYNFLOOD_BURST is the number of times the IP can hit the rate limit before being blocked in the firewall. A setting of 25 works for our purposes.

You likely will need to raise or lower these settings based on your circumstances. However, a setting above about 100/s for the rate (or 150 for the burst) could be too generous to be effective; Likewise, lowering the rate below about 50/s (or the burst below about 50) could prevent legitimate access to services.

Step #3: Save Your Changes and Restart the Firewall

1. Scroll to the bottom of the Firewall Configuration page and click on the Change button.
2. On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.

Next Steps

1. Once the attack has subsided, you will need to restore the firewall’s previous configuration to avoid disruption of legitimate incoming traffic. If these “under attack” rules are left in place, the added packet scrutiny at the firewall level will slow traffic considerably and can lead to noticeably diminished web server performance.
2. If you followed the instructions in Part One: How to Back up and Restore the Firewall Configuration to back up the previous configuration, you can easily use the same process to restore those saved settings. You also may wish to save these DoS/DDoS protection settings before restoring the original configuration so that they can be quickly employed in the future if necessary.

https://www.haproxy.com/blog/application-layer-ddos-attack-protection-with-haproxy/

Protecting TCP (non-HTTP) Services

So far, we’ve primarily covered protecting web servers. However, HAProxy can also help in protecting other TCP-based services such as SSH, SMTP, and FTP. The first step is to set up a stick-table that tracks conn_cur and conn_rate:

Next, create or modify a frontend to use this table by adding track and reject rules:

With the usual backend:

Now, each client can establish one SMTP connection at a time. If they try to open a second one while the first is still open, the connection will be immediately closed again.

1.查看~/.msf4/msf-ws.log，如果是

dyld: lazy symbol binding failed: Symbol not found: _SSL_library_init
Referenced from: /Users/xxxx/.rbenv/versions/2.6.5/lib/ruby/gems/2.6.0/gems/eventmachine-1.2.7/lib/rubyeventmachine.bundle
Expected in: flat namespace

手动指定ssl包含文件路径并重新安装eventmachine

2.再次启动msfdb，发现报错

objc[4443]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[4443]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.

这是macOS对objc多线程的限制，修改环境变量解决问题

 

https://www.raspberrypi.org/documentation/installation/installing-images/mac.md

Note: The use of the dd tool can overwrite any partition of your machine. If you specify the wrong device in the instructions, you could overwrite your primary Mac OS partition!

Determine SD device

• Insert the SD card in the slot or connect the SD card reader with the SD card inside.
• diskutil list

  or

• From the Apple menu, choose ‘System Report’, then click on ‘More info…’.
• Click on ‘USB’ (or ‘Card Reader’ if you are using a built-in SD card reader), then search for your SD card in the upper right section of the window. Click on it, then search for the BSD name in the lower right section. It is in the form diskN (for example, disk4). Record this name.
• using Disk Utility, unmount the partition. Do not eject it.

Copy the image

• From Terminal, enter:
  sudo dd bs=1m if=path_of_your_image.img of=/dev/rdiskN conv=sync

  1	sudo dd bs=1m if=path_of_your_image.img of=/dev/rdiskN conv=sync

  Replace N with the number that you noted before.

  This can take more than 15 minutes, depending on the image file size. Check the progress by pressing Ctrl+T.

  If the command reports dd: bs: illegal numeric value, change the block size bs=1m to bs=1M.

  If the command reports dd: /dev/rdisk2: Operation not permitted you need to disable SIP before continuing.

  If the command reports the error dd: /dev/rdisk3: Permission denied, the partition table of the SD card is being protected against being overwritten by Mac OS. Erase the SD card’s partition table using this command:

  sudo diskutil partitionDisk /dev/diskN 1 MBR "Free Space" "%noformat%" 100%

  1	sudo diskutil partitionDisk /dev/diskN 1 MBR "Free Space" "%noformat%" 100%

  That command will also set the permissions on the device to allow writing. Now issue the dd command again.

After the dd command finishes, eject the card:

https://forums.aws.amazon.com/thread.jspa?threadID=307496

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-updating-database-parameters

1.通过get-relational-database-parameters查询可用参数

2.通过update-relational-database-parameters更新参数

 

 

https://lanjingling.github.io/2016/05/10/linux-socket-youhua1/

继续阅读转：linux系统高并发socket最大连接数优化