https://jlajara.gitlab.io/posts/2018/11/26/process-migration.html
https://security.stackexchange.com/questions/90578/how-does-process-migration-work-in-meterpreter
1. Create a VM running the same OS as the old system; choose the minimal configuration to save money.
2. Stop the new VM and detach its disk.
3. Attach that disk to the old VM.
4. Create a mount point and mount the disk:
mkdir /new
mount /dev/nvme1n1p1 /new
5. Delete everything under /new/ except "/dev/*", "/proc/*", "/sys/*", "/tmp/*", "/run/*", "/mnt/*", "/media/*", "/lost+found", "/new", "/var/lock/*", "/boot/*" and "/etc/fstab".
6. Copy everything to the new disk (no spaces inside the brace list, or the shell splits it into separate arguments):
rsync -aAXv / --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found","/new","/var/lock/*","/boot/*","/etc/fstab"} /new
7. Attach the new disk back to the new VM, then update and reinstall the kernel.
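As an added example (not part of the notes above), here is the rsync step wrapped in a small POSIX shell script. It refuses to run unless the destination is really a mount point, so a failed mount cannot silently copy the whole root filesystem onto the source disk, and it supports a dry run for checking the exclude list before anything is written. The function name, the MIGRATE_* variables and the /new default are my own assumptions; the exclude list and rsync flags are the ones from the notes.

```shell
#!/bin/sh
# Added example: safer wrapper around the rsync step from the notes above.
# Not part of the original notes; function and variable names are assumptions.

# Exclude list from the notes, one pattern per line. A leading '/' anchors the
# pattern to the transfer root, so '/dev/*' matches only SRC/dev/*.
MIGRATE_EXCLUDES='/dev/*
/proc/*
/sys/*
/tmp/*
/run/*
/mnt/*
/media/*
/lost+found
/new
/var/lock/*
/boot/*
/etc/fstab'

# Flags used by the notes; -A/-X need ACL/xattr support on both filesystems.
: "${MIGRATE_RSYNC_FLAGS:=-aAXv}"
# Set MIGRATE_DRY_RUN=1 to only list what would be copied.
: "${MIGRATE_DRY_RUN:=0}"
# Set MIGRATE_SKIP_MOUNT_CHECK=1 only when DEST is deliberately not a mount point.
: "${MIGRATE_SKIP_MOUNT_CHECK:=0}"

# migrate_root SRC DEST
# Copies the contents of SRC into DEST using the exclude list above.
# Returns 3 if DEST is not a mount point (unless the check is disabled),
# otherwise rsync's own exit status.
migrate_root() {
    src=${1:-/}
    dest=${2:-/new}

    if [ "$MIGRATE_SKIP_MOUNT_CHECK" != 1 ] && ! mountpoint -q "$dest"; then
        echo "migrate_root: $dest is not a mount point; refusing to copy" >&2
        return 3
    fi

    # Build the --exclude arguments without brace expansion (not POSIX) and
    # with globbing disabled so that '/dev/*' is not expanded by the shell.
    set -f
    set --
    for pat in $MIGRATE_EXCLUDES; do
        set -- "$@" --exclude="$pat"
    done
    set +f

    if [ "$MIGRATE_DRY_RUN" = 1 ]; then
        set -- --dry-run "$@"
    fi

    # Trailing slash on SRC copies its contents rather than the directory itself.
    rsync $MIGRATE_RSYNC_FLAGS "$@" "${src%/}/" "$dest"
}
```

Run `MIGRATE_DRY_RUN=1 migrate_root / /new` first and read the file list, then `migrate_root / /new` for the real copy. Excluding `/etc/fstab` is what keeps the new disk's own UUIDs in place, which is why that file is also kept in step 5.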
1. Pull the image
docker pull registry
2. Create the directories: auth holds the account credentials, and home is mapped into the container to hold the repository's image files
mkdir /home/hd/docker_home/
mkdir /home/hd/docker_home/auth/
mkdir /home/hd/docker_home/home/
3. Create the credentials file
docker run --entrypoint htpasswd registry -Bbn user pass > /home/hd/docker_home/auth/htpasswd
4. Start the registry
docker run -d -p 5000:5000 --restart=always --name brian-docker -v /home/hd/docker_home/home:/var/lib/registry -v /home/hd/docker_home/auth:/auth -e "REGISTRY_AUTH=htpasswd" -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd registry
5. Add the following to the local Docker daemon configuration file:
"insecure-registries" : [ "192.168.31.101:5000", "hub.docker.jiankunking.io:5000" ],
https://www.maketecheasier.com/see-pc-startup-and-shutdown-history-in-windows/
https://serverfault.com/questions/702828/windows-server-restart-shutdown-history
https://www.bantrain.com/how-to-install-haproxy-2-0-in-amazon-linux-2-centos-rhel/
First, Install dependencies needed to build HAProxy
yum install -y make gcc gcc-c++ pcre-devel openssl-devel readline-devel systemd-devel zlib-devel
Download Lua source code and then Install Lua
curl -R -O http://www.lua.org/ftp/lua-5.3.5.tar.gz
tar zxf lua-5.3.5.tar.gz
cd lua-5.3.5
make linux test
make linux install
cd ..
Download OpenSSL source code and then Install OpenSSL
curl -R -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar xvzf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d
./config --prefix=/usr/local/openssl-1.1.1d shared
make
make install
Download HAProxy source code and then Install HAProxy
curl -R -O
tar -xzf haproxy-2.0.7.tar.gz
cd haproxy-2.0.7
make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 SSL_LIB=/usr/local/openssl-1.1.1d/lib SSL_INC=/usr/local/openssl-1.1.1d/include USE_ZLIB=1 USE_LUA=1 LUA_LIB=/usr/local/lib/ LUA_INC=/usr/local/include/ USE_PCRE=1 USE_SYSTEMD=1 EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"
make install
cp /usr/local/sbin/haproxy /usr/sbin/haproxy
useradd -M -r -s /sbin/nologin haproxy
Add Service for HAProxy
nano /etc/systemd/system/haproxy.service
Then paste in the following
[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
Environment=LD_LIBRARY_PATH=/usr/local/openssl-1.1.1d/lib/
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
ExecStart=/usr/local/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/local/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify

[Install]
WantedBy=multi-user.target
Then finish HAProxy Installation Process by running
systemctl daemon-reload
mkdir -p /etc/haproxy
touch /etc/haproxy/haproxy.cfg
systemctl enable haproxy
systemctl start haproxy
cd ..
Optionally, remove the build dependencies for HAProxy
yum remove readline-devel pcre-devel openssl-devel
If haproxy -V fails with "openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory":
ln -s /usr/local/openssl-1.1.1d/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl-1.1.1d/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
https://segmentfault.com/a/1190000005797776
I built an iOS app that needs to fetch data from my own website, but by default the system only allows direct access to HTTPS sites, and I did not want to switch the app to a plain HTTP service. So I looked into how to enable HTTPS; this article describes how to use CertBot together with Nginx on CentOS.
Environment
CentOS Linux release 7.2.1511
nginx version: nginx/1.6.3
On the command line, type:
sudo yum install epel-release
sudo yum install certbot
I do not want to use CertBot's standalone mode here. That mode can configure the server for you, but every later renewal requires stopping the service and starting it again, so I drop it and use the Webroot mode instead.
When CertBot validates your server's domain name it generates a random file, and CertBot's servers then fetch that file over HTTP, so make sure Nginx is configured so that the file is reachable.
Edit your server configuration and add the following inside the server block:
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /usr/share/nginx/html;
}
location = /.well-known/acme-challenge/ {
return 404;
}
As you can see, the root above points to /usr/share/nginx/html. My application is written in NodeJS with ExpressJS, and changing its source code would be a hassle, so I pointed the validation URL at nginx's default directory instead.
Then reload the Nginx configuration:
sudo service nginx reload
Then run on the command line:
sudo certbot certonly --webroot -w /usr/share/nginx/html/ -d your.domain.com
Remember to replace your.domain.com above with your own domain name.
If you see:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/your.domain.com/fullchain.pem. Your cert
will expire on 20XX-09-23. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate was generated successfully!
Likewise, edit the Nginx virtual host configuration and add a new server block for port 443:
server {
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your.domain.com/chain.pem;
# ... other settings ...
}
Remember to replace your.domain.com above with your own domain name.
Then reload the Nginx configuration:
sudo service nginx reload
Now open https://your.domain.com in your browser. If you see the browser's green padlock, congratulations, the setup worked!
This certificate is only valid for 90 days, however, so we need to set up automatic renewal to extend it for us.
First simulate a renewal on the command line:
sudo certbot renew --dry-run
A successful dry run looks like this:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Since the dry run succeeded, we use crontab -e to schedule the task. On the command line:
sudo crontab -e
Add this entry:
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
The schedule above runs the renew task every Monday at 2:30 in the morning.
You can run /usr/bin/certbot renew >> /var/log/le-renew.log on the command line to check that it works. If everything is OK, our configuration is complete!
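Added example (not from the article): a small POSIX shell check that reads the certificate's expiry with openssl and reports how many days remain, so the cron job above can be verified from the outside rather than only by reading its log. It assumes GNU date (for `date -d`) and openssl on the host; the function names and the live-directory path convention (`/etc/letsencrypt/live/<domain>/fullchain.pem`, as used in the article) are mine.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes GNU date and openssl.

# cert_not_after FILE
# Prints the notAfter date of the first certificate in FILE (the leaf in a
# Let's Encrypt fullchain.pem), e.g. "Sep 23 02:30:00 2025 GMT".
# Fails (status 2) if openssl cannot read the file.
cert_not_after() {
    out=$(openssl x509 -noout -enddate -in "$1") || return 2
    printf '%s\n' "${out#notAfter=}"
}

# cert_days_left FILE
# Prints the whole days until expiry (negative once expired).
cert_days_left() {
    end=$(cert_not_after "$1") || return 2
    [ -n "$end" ] || return 2
    end_s=$(date -u -d "$end" +%s) || return 2
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# cert_needs_renewal FILE [DAYS]
# Returns 0 when fewer than DAYS (default 30, certbot's own renewal window)
# remain, 1 otherwise, 2 if the certificate could not be read.
cert_needs_renewal() {
    threshold=${2:-30}
    left=$(cert_days_left "$1") || return 2
    [ "$left" -lt "$threshold" ]
}

# check_live_cert DOMAIN
# Wrapper for the path layout used in the article; non-zero means the cron
# job has not renewed in time and needs a look.
check_live_cert() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    left=$(cert_days_left "$cert") || { echo "$1: cannot read $cert" >&2; return 2; }
    if cert_needs_renewal "$cert" 30; then
        echo "$1: $left days left, renewal is overdue" >&2
        return 1
    fi
    echo "$1: $left days left"
}
```

Run `check_live_cert your.domain.com` from cron a few hours after the renew job. Note that `certbot renew` only writes new files to /etc/letsencrypt/live: nginx keeps serving the certificate it loaded at startup until it is reloaded, so either append `&& service nginx reload` to the crontab command above or use certbot's `--deploy-hook` option to run the reload only when a certificate was actually renewed.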
https://www.cyberciti.biz/faq/linux-add-a-swap-file-howto/
You need to use the dd command to create a swap file. The mkswap command is used to set up a Linux swap area on a device or in a file.
Open a terminal window (select Applications > Accessories > Terminal) or login to remote server using the ssh client. Switch to the root user by typing su - (or sudo -s) and entering the root password, when prompted:
$ su -
OR
$ sudo -s
Type the following command to create a 512MB swap file (512 MB = 524288 blocks of 1024 bytes):
# dd if=/dev/zero of=/swapfile1 bs=1024 count=524288
Sample outputs:
524288+0 records in
524288+0 records out
536870912 bytes (537 MB) copied, 3.23347 s, 166 MB/s
Where,
Set up the correct file permissions for security reasons; enter:
# chown root:root /swapfile1
# chmod 0600 /swapfile1
A world-readable swap file is a huge local vulnerability, since swapped-out pages can contain passwords and keys. The above commands make sure only the root user can read and write the file.
Type the following command to set up a Linux swap area in a file:
# mkswap /swapfile1
Sample outputs:
Setting up swapspace version 1, size = 524284 KiB
no label, UUID=0e5e7c60-bbba-4089-a76c-2bb29c0f0839
Finally, activate /swapfile1 swap space immediately, enter:
# swapon /swapfile1
To activate /swapfile1 after a Linux system reboot, add an entry to the /etc/fstab file. Open this file using a text editor such as vi:
# vi /etc/fstab
Append the following line:
/swapfile1 none swap sw 0 0
Save and close the file. Next time Linux comes up after reboot, it enables the new swap file for you automatically.
Simply use the free command:
$ free -m
             total       used       free     shared    buffers     cached
Mem:          1876       1798         77          0        119       1440
-/+ buffers/cache:        237       1638
Swap:         4607          0       4607
Type the following swapon command:
# swapon -s
Sample outputs:
Filename                                Type            Size    Used    Priority
/dev/sda6                               partition       4194296 0       0
/swapfile1                              file            524280  0       -1
Another option is to view /proc/meminfo file:
$ less /proc/meminfo
$ grep -i --color swap /proc/meminfo
Sample outputs:
SwapCached:        30748 kB
SwapTotal:       6291448 kB
SwapFree:        6154008 kB
You can also use top command, atop command, and/or htop command to display information about swap usage:
# top
# atop
# htop
Sample outputs from a database server running on a CentOS Linux server:
  1  [||                 3.9%]   Tasks: 171, 106 thr; 1 running
  2  [                   0.0%]   Load average: 0.06 0.12 0.09
  3  [||                 2.0%]   Uptime: 22 days, 07:07:28
  4  [                   0.0%]
  5  [                   0.0%]
  6  [                   0.0%]
  7  [                   0.0%]
  8  [                   0.0%]
  Mem[||||||||||||||||||2112/11909MB]
  Swp[|                  134/6143MB]

  PID USER     PRI  NI  VIRT   RES   SHR S CPU% MEM%   TIME+  Command
 8523 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:00.00 /usr/libexec/mysq
 8524 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:02.74 /usr/libexec/mysq
 8525 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:16.17 /usr/libexec/mysq
 8526 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:06.33 /usr/libexec/mysq
 8528 mysql     20   0 4545M  414M  4816 S  0.0  3.5  4:02.14 /usr/libexec/mysq
 8529 mysql     20   0 4545M  414M  4816 S  0.0  3.5  5:22.00 /usr/libexec/mysq
 8530 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:04.63 /usr/libexec/mysq
 8531 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:50.95 /usr/libexec/mysq
 8532 mysql     20   0 4545M  414M  4816 S  0.0  3.5  0:08.10 /usr/libexec/mysq
 9359 mysql     20   0 4545M  414M  4816 S  0.0  3.5 22:53.28 /usr/libexec/mysq
You need to use the swapoff command:
# swapoff /swapfile1
# swapon -s
The syntax is:
# sysctl vm.swappiness=VALUE
# sysctl vm.swappiness=20
OR
# echo VALUE > /proc/sys/vm/swappiness
# echo 30 > /proc/sys/vm/swappiness
The value in the /proc/sys/vm/swappiness file controls how aggressively the kernel will swap memory pages. Higher values increase aggressiveness, lower values decrease it. The default value is 60. To make the change permanent, add the following line to /etc/sysctl.conf:
echo 'vm.swappiness=30' >> /etc/sysctl.conf
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
#net.ipv4.ip_conntrack_max = 65536
#net.ipv4.netfilter.ip_conntrack_max=65536
#net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
vm.swappiness=10
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
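Added example, not part of the notes: a POSIX shell function that compares a sysctl.conf-style file like the one above against the running kernel's values (a saved `sysctl -a` output, or any file in the same `key = value` format) and reports keys that are missing or differ. This is how to confirm that the settings actually took effect after `sysctl -p` and are still in place after a reboot. Function names and the sample data in the test are constructed.

```shell
#!/bin/sh
# Added example; not part of the original notes. Function names are assumptions.

# sysctl_normalize FILE
# Emits key=value lines: comments stripped, whitespace around '=' removed,
# runs of whitespace inside values (e.g. tcp_wmem's three numbers, which
# `sysctl -a` separates with tabs) collapsed to one space, blank lines dropped.
sysctl_normalize() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e 's/ *= */=/' \
        -e '/^$/d' "$1"
}

# sysctl_drift DESIRED CURRENT
# DESIRED: sysctl.conf-style file. CURRENT: a file holding `sysctl -a` output.
# Writes one DRIFT/MISSING line per mismatch to stderr and the mismatch count
# to stdout; returns 1 if there was any mismatch, 0 otherwise.
sysctl_drift() {
    desired=$1
    current=$2
    norm_cur=$(sysctl_normalize "$current")
    count=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        # exact key match (grep would treat the dots as wildcards)
        have=$(printf '%s\n' "$norm_cur" |
               awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)" >&2
            count=$((count + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key: have '$have', want '$want'" >&2
            count=$((count + 1))
        fi
    done <<EOF
$(sysctl_normalize "$desired")
EOF
    echo "$count"
    [ "$count" -eq 0 ]
}
```

Typical use: `sysctl -a 2>/dev/null > /tmp/sysctl.now && sysctl_drift /etc/sysctl.conf /tmp/sysctl.now`. A non-zero exit from a cron run is the signal that someone changed a value by hand with `sysctl -w` or that a later-loaded file under /etc/sysctl.d/ overrode the intended setting.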