新域网络技术论坛

Showing results for tags 'freebsd'.

Found 17 results

  1. A proxy, I want a proxy

     cd /usr/ports/www/squid
     make install clean
     # for authentication, select the mysql module
     cd /usr/ports/databases/p5-DBD-mysql/
     make install clean

     squid.conf:

     #
     # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
     #
     visible_hostname localhost
     # basic_db_auth looks the user up in MySQL over DBI; --plaintext means the
     # password column holds clear-text passwords, --persist keeps the database
     # connection open between lookups
     auth_param basic program /usr/local/libexec/squid/basic_db_auth \
         --dsn "DBI:mysql:host=localhost;port=3306;database=squid" \
         --user squid --password squid --plaintext --persist
     auth_param basic children 5
     auth_param basic realm Web-Proxy
     auth_param basic credentialsttl 1 minute
     auth_param basic casesensitive off
     acl db-auth proxy_auth REQUIRED
     http_access allow db-auth
     #http_port 3128
     # clients reach the proxy over TLS instead of plain port 3128
     https_port 443 cert=/etc/ssl/squid.crt key=/etc/ssl/squid.key
     # strip the headers that would reveal the client and the proxy to the origin server
     request_header_access Via deny all
     request_header_access X-Forwarded-For deny all
     request_header_access All allow all
     # and the headers that would reveal the origin server / cache to the client
     reply_header_access Server deny all
     reply_header_access X-Cache deny all
     reply_header_access X-Cache-Lookup deny all
     reply_header_access Warning deny all
     reply_header_access Expires deny all
     reply_header_access Cache-Control deny all
     reply_header_access age deny all

     # The certificate is best issued by a real CA, because the proxy has to be
     # accessed through a domain name that matches the certificate
     cd /etc/ssl
     # one step: key plus self-signed certificate
     openssl req -new -sha256 -keyout squid.key -nodes -x509 -days 3650 -out squid.crt
     # or in steps: CSR (the key lands in privkey.pem, passphrase-protected),
     # strip the passphrase, then self-sign
     openssl req -new -sha512 > squid.csr
     passphrase: qqbx.cn
     openssl rsa -in privkey.pem -out squid.key
     openssl x509 -in squid.csr -out squid.crt -req -signkey squid.key -days 3650
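The post runs basic_db_auth with --plaintext, so the MySQL table holds clear-text passwords. The following is an added example, not code from the post: a drop-in Squid basic-auth helper in Python that speaks the same helper protocol (one "username password" line in, one "OK"/"ERR" line out; it assumes Squid URL-encodes both fields as it does since 3.2) but checks salted PBKDF2 hashes, so a dump of the credential table does not yield passwords. The USERS dict stands in for the `passwd` table and is constructed for the example; hash_password() is what the account-creation side would store.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper checking salted PBKDF2 hashes instead of the
clear-text passwords that `basic_db_auth --plaintext` compares against.
Added example: the credential store below is constructed, not real."""
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed stand-in for the MySQL `passwd` table (user, password, enabled).
# Fixed salts are used only so the example is reproducible; production code
# lets hash_password() draw a random salt per account.
USERS = {
    "alice": {"password": hash_password("correct horse", b"\x01" * 16), "enabled": 1},
    "bob":   {"password": hash_password("hunter2", b"\x02" * 16), "enabled": 0},
}


def handle_line(line: str, users=USERS) -> str:
    """Answer one helper request. Unknown user, disabled account, wrong
    password and malformed input all get ERR; only a verified match gets OK."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return 'ERR message="malformed request"'
    user, password = (unquote(p) for p in parts)   # undo Squid's %XX encoding
    row = users.get(user)
    if row is None or not row["enabled"]:
        return "ERR"
    return "OK" if verify_password(password, row["password"]) else "ERR"


def main():
    # Squid keeps the helper running and sends one request per line.
    for line in sys.stdin:
        print(handle_line(line), flush=True)


if __name__ == "__main__":
    main()
```

Wire it in with `auth_param basic program /path/to/this_helper.py` in place of the basic_db_auth line; the rest of the post's auth_param and acl configuration stays the same. Because the helper answers per line, it can be exercised by hand with `printf 'alice correct%%20horse\n' | ./this_helper.py` before Squid ever sees it.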
  2. When using FreeBSD, git operations over SSH often took about 30 seconds before anything happened. Analysing with ssh -v ip showed it sitting at the DNS lookup waiting for a reply; the default timeout should be 30 seconds, so it waits 30 seconds at that step before carrying on with everything else, and that is what made it slow. Now that the cause is found, let's deal with it. First, when we connect to the git server we are the client, so sshd_config does not need touching.

     ee /etc/ssh/ssh_config
     # set the following parameter and that's it
     VerifyHostKeyDNS no

     This parameter means: do not verify the server through DNS. Once it is set, git operations are lightning fast again.
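Where the `VerifyHostKeyDNS no` line lands in ssh_config matters: ssh(1) uses the first value it obtains for an option, so a setting placed after a `Host` block that already sets it has no effect for hosts that block matches. The example below is added here and is not from the post; it resolves the effective value of an option for a hostname with those first-match semantics, over a constructed ssh_config (the hostnames and the contents of SAMPLE_CONFIG are made up for the example).

```python
"""Resolve the effective value of an ssh_config option for a host the way
ssh(1) does: first obtained value wins, Host patterns use '*' and '?' and a
leading '!' negates. Added example with a constructed ssh_config."""
import fnmatch
import re

# Constructed example file: the per-host block comes BEFORE the global one,
# so for git.internal.example the 'yes' is the value ssh actually uses.
SAMPLE_CONFIG = """\
# constructed example, not a real /etc/ssh/ssh_config
Host git.internal.example
    VerifyHostKeyDNS yes
Host *
    VerifyHostKeyDNS no
    ForwardAgent no
"""

_LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")   # 'Keyword value' or 'Keyword=value'


def host_matches(patterns: str, hostname: str) -> bool:
    """Match one Host line's pattern list. A negated pattern that matches
    makes the whole line not match, whatever the other patterns say."""
    matched = False
    for pat in patterns.replace(",", " ").split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(config_text: str, hostname: str, option: str):
    """Walk the file top to bottom and keep the first value of `option` that
    applies to `hostname`. Returns None when the file never sets it, in
    which case ssh falls back to its compiled-in default."""
    option = option.lower()
    active = True          # lines before the first Host/Match block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value, hostname)
            continue
        if key == "match":
            # Match criteria (exec, user, canonical, ...) need runtime data;
            # treated as non-matching in this offline check.
            active = False
            continue
        if active and key == option:
            return value
    return None


if __name__ == "__main__":
    for host in ("git.internal.example", "build.example"):
        print(host, "->", effective_option(SAMPLE_CONFIG, host, "VerifyHostKeyDNS"))
```

The fix that works for every host is to put `VerifyHostKeyDNS no` above any `Host` block, as the post does by editing the top of /etc/ssh/ssh_config. On the real machine the equivalent check is `ssh -G git.example.com | grep -i verifyhostkeydns`, which prints the option values ssh would actually use for that destination.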
  3. 有的时候我们在企业内部无法使用别名或者虚拟域名访问内部服务器,比如HTTP根据不同的主机头访问不同站点,所以只能够开设一堆的端口,非常不雅观。那我们在内网如何实现这些功能呢?非常简单自行架设一个DNS服务器,网络内部通过路由器将DNS服务器全部指向自行架设的DNS服务器上,然后我们需要维护的域名指向某个IP,就达到我们的目的了,如果将端口映射到外网,也能够提供DNS服务,想想那些恶心的DNS劫持,有了它之后基本都不会遇到(除非你设置的上级DNS服务器还是那些运营商的)。 言归正转,我们有FREEBSD,肯定想在它的基础上架设DNS服务器,FREEBSD下有个从20世纪80年代就开始使用的DNS服务器软件,目前已经是互联网上部署最多的DNS服务器了,目前版本为9.11。另外我想实现用数据库保存DNS解析记录,这样可以简单的实现web管理。 #选择相应模块安装bind911 cd /usr/ports/dns/bind911/ make install #安装数据库 cd /usr/ports/databases/postgresql10-server make install 创建数据库并设置好相应权限: ee /var/db/postgres/data96/pg_hba.conf #添加一行,允许管理员从任何IP用密码登录 host all webmaster 0.0.0.0/0 md5 ee /var/db/postgres/data96/postgresql.conf listen_addresses = '*' #允许数据库及BIND自动启动 ee /etc/rc.conf postgresql_enable="YES" named_enable="YES" #初始化postgres数据库 /usr/local/etc/rc.d/postgresql initdb #启动数据库 /usr/local/etc/rc.d/postgresql start #建立管理员帐号 createuser -P -d -s -U postgres webmaster 这是原始脚本,也可以使用下面导出的SQL文件 create database dns_dlz; create table dns_records( zone character varying(256), host character varying(256) NOT NULL default '@', ttl integer, view character varying(256), type character varying(256), mx_priority integer, data character varying(256), resp_person character varying(256), serial integer, refresh integer, retry integer, expire integer, minimum integer ); create INDEX dns_records_host_index on dns_records (host); create INDEX dns_records_type_index on dns_records ("type"); create INDEX dns_records_zone_index on dns_records ("zone"); # zone sample.com #soa 记录 insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'LOCAL', 'SOA', NULL, 'sample.com.', 'root.sample.com.', 2011083001, 28800, 14400, 86400, 86400); insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'ANY', 'SOA', NULL, 'sample.com.', 'root.sample.com.', 2011083001, 28800, 14400, 
86400, 86400); #dns 记录 insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'LOCAL', 'NS', NULL, 'ns1.sample.com.', NULL, 2011083001, 28800, 14400, 86400, 86400); insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'ANY', 'NS', NULL, 'ns1.sample.com.', NULL, 2011083001, 28800, 14400, 86400, 86400); #A记录 time.sample.com insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', 'time', 600, 'LOCAL', 'A', NULL, '10.0.0.8', NULL, 2011083001, 28800, 14400, 86400, 86400); insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', 'time', 600, 'ANY', 'A', NULL, '222.222.222.8', NULL, 2011083001, 28800, 14400, 86400, 86400); #A记录 ns1.sample.com insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', 'ns1', 600, 'LOCAL', 'A', NULL, '10.0.0.10', NULL, NULL, NULL, NULL, NULL, NULL); insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', 'ns1', 600, 'ANY', 'A', NULL, '222.222.222.10', NULL, NULL, NULL, NULL, NULL, NULL); #mx记录 insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'LOCAL', 'MX', 10, 'mail.sample.com.', NULL, NULL, NULL, NULL, NULL, NULL); insert into dns_records(zone, host, ttl, view, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum) values ('sample.com', '@', 600, 'ANY', 'MX', 10, 'mail.sample.com.', NULL, NULL, NULL, NULL, NULL, NULL); 其他域名的添加方式类似,将zone项替换为对于的域名即可 
/* Navicat PGSQL Data Transfer Source Server : PostgreSQL86 Source Server Version : 90605 Source Host : 192.168.1.86:5432 Source Database : dns_dlz Source Schema : public Target Server Type : PGSQL Target Server Version : 90605 File Encoding : 65001 Date: 2017-09-13 14:47:24 */ -- ---------------------------- -- Table structure for dns_records -- ---------------------------- DROP TABLE IF EXISTS "dns_records"; CREATE TABLE "dns_records" ( "zone" varchar(256) COLLATE "default", "host" varchar(256) COLLATE "default" DEFAULT '@'::character varying NOT NULL, "ttl" int4, "view" varchar(256) COLLATE "default", "type" varchar(256) COLLATE "default", "mx_priority" int4, "data" varchar(256) COLLATE "default", "resp_person" varchar(256) COLLATE "default", "serial" int4, "refresh" int4, "retry" int4, "expire" int4, "minimum" int4 ) WITH (OIDS=FALSE) ; -- ---------------------------- -- Records of dns_records -- ---------------------------- BEGIN; INSERT INTO "dns_records" VALUES ('sample.com', '*', '600', 'ANY', 'A', null, '58.210.147.58', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', '*', '600', 'LOCAL', 'A', null, '192.168.1.85', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', '@', '600', 'ANY', 'MX', '10', 'mail.sample.com.', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', '@', '600', 'ANY', 'NS', null, 'ns1.sample.com.', null, '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES ('sample.com', '@', '600', 'ANY', 'SOA', null, 'sample.com.', 'root.sample.com.', '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES ('sample.com', '@', '600', 'LOCAL', 'MX', '10', 'mail.sample.com.', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', '@', '600', 'LOCAL', 'NS', null, 'ns1.sample.com.', null, '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES 
('sample.com', '@', '600', 'LOCAL', 'SOA', null, 'sample.com.', 'root.sample.com.', '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES ('sample.com', 'mail', '600', 'ANY', 'A', null, '58.210.147.58', null, '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES ('sample.com', 'mail', '600', 'LOCAL', 'A', null, '192.168.1.86', null, '2011083001', '28800', '14400', '86400', '86400'); INSERT INTO "dns_records" VALUES ('sample.com', 'ns1', '600', 'ANY', 'A', null, '58.210.147.58', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', 'ns1', '600', 'LOCAL', 'A', null, '192.168.1.86', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', 'www', '600', 'ANY', 'A', null, '58.210.147.58', null, null, null, null, null, null); INSERT INTO "dns_records" VALUES ('sample.com', 'www', '600', 'LOCAL', 'A', null, '192.168.1.86', null, null, null, null, null, null); COMMIT; -- ---------------------------- -- Alter Sequences Owned By -- ---------------------------- -- ---------------------------- -- Indexes structure for table dns_records -- ---------------------------- CREATE INDEX "dns_records_host_index" ON "dns_records" USING btree ("host"); CREATE INDEX "dns_records_type_index" ON "dns_records" USING btree ("type"); CREATE INDEX "dns_records_zone_index" ON "dns_records" USING btree ("zone"); 修改几个配置文件: cd /usr/local/etc/namedb rndc-confgen >rndc.conf tail -n6 rndc.conf | head -n5 | sed -e s/#\//g >named.conf rm -f rndc.conf rndc-confgen -a -c rndc.key dnssec-keygen -a hmac-md5 -b 128 -n HOST local dnssec-keygen -a hmac-md5 -b 128 -n HOST any 以下几个示例配置文件: named.conf // $FreeBSD: head/dns/bind911/files/named.conf.in 443607 2017-06-14 22:54:43Z mat $ // // Refer to the named.conf(5) and named(8) man pages, and the documentation // in /usr/local/share/doc/bind for more details. 
// // If you are going to set up an authoritative server, make sure you // understand the hairy details of how DNS works. Even with // simple mistakes, you can break connectivity for affected parties, // or cause huge amounts of useless Internet traffic. options { // All file and path names are relative to the chroot directory, // if any, and should be fully qualified. directory "/usr/local/etc/namedb/working"; pid-file "/var/run/named/pid"; dump-file "/var/dump/named_dump.db"; statistics-file "/var/stats/named.stats"; // If named is being used only as a local resolver, this is a safe default. // For named to be accessible to the network, comment this option, specify // the proper IP address, or delete this option. #listen-on { 127.0.0.1; }; // If you have IPv6 enabled on this system, uncomment this option for // use as a local resolver. To give access to the network, specify // an IPv6 address, or the keyword "any". // listen-on-v6 { ::1; }; // These zones are already covered by the empty zones listed below. // If you remove the related empty zones below, comment these lines out. disable-empty-zone "255.255.255.255.IN-ADDR.ARPA"; disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; // If you've got a DNS server around at your upstream provider, enter // its IP address here, and enable the line below. This will make you // benefit from its cache, thus reduce overall DNS traffic in the Internet. forwarders { 223.5.5.5; 223.6.6.6; 8.8.8.8; }; // If the 'forwarders' clause is not empty the default is to 'forward first' // which will fall back to sending a query from your local server if the name // servers in 'forwarders' do not have the answer. 
Alternatively you can // force your name server to never initiate queries of its own by enabling the // following line: // forward only; // If you wish to have forwarding configured automatically based on // the entries in /etc/resolv.conf, uncomment the following line and // set named_auto_forward=yes in /etc/rc.conf. You can also enable // named_auto_forward_only (the effect of which is described above). // include "/usr/local/etc/namedb/auto_forward.conf"; /* Modern versions of BIND use a random UDP port for each outgoing query by default in order to dramatically reduce the possibility of cache poisoning. All users are strongly encouraged to utilize this feature, and to configure their firewalls to accommodate it. AS A LAST RESORT in order to get around a restrictive firewall policy you can try enabling the option below. Use of this option will significantly reduce your ability to withstand cache poisoning attacks, and should be avoided if at all possible. Replace NNNNN in the example with a number between 49160 and 65530. */ // query-source address * port NNNNN; }; // If you enable a local name server, don't forget to enter 127.0.0.1 // first in your /etc/resolv.conf so this server will be queried. // Also, make sure to enable it in /etc/rc.conf. // The traditional root hints mechanism. Use this, OR the slave zones below. //zone "." { type hint; file "/usr/local/etc/namedb/named.root"; }; /* Slaving the following zones from the root name servers has some significant advantages: 1. Faster local resolution for your users 2. No spurious traffic will be sent from your network to the roots 3. Greater resilience to any potential root server failure/DDoS On the other hand, this method requires more monitoring than the hints file to be sure that an unexpected failure mode has not incapacitated your server. Name servers that are serving a lot of clients will benefit more from this approach than individual hosts. Use with caution. 
To use this mechanism, uncomment the entries below, and comment the hint zone above. As documented at http://dns.icann.org/services/axfr/ these zones: "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others are available for AXFR from these servers on IPv4 and IPv6: xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org */ /* zone "." { type slave; file "/usr/local/etc/namedb/slave/root.slave"; masters { 192.0.32.132; // lax.xfr.dns.icann.org 2620:0:2d0:202::132; // lax.xfr.dns.icann.org 192.0.47.132; // iad.xfr.dns.icann.org 2620:0:2830:202::132; // iad.xfr.dns.icann.org }; notify no; }; zone "arpa" { type slave; file "/usr/local/etc/namedb/slave/arpa.slave"; masters { 192.0.32.132; // lax.xfr.dns.icann.org 2620:0:2d0:202::132; // lax.xfr.dns.icann.org 192.0.47.132; // iad.xfr.dns.icann.org 2620:0:2830:202::132; // iad.xfr.dns.icann.org }; notify no; }; zone "in-addr.arpa" { type slave; file "/usr/local/etc/namedb/slave/in-addr.arpa.slave"; masters { 192.0.32.132; // lax.xfr.dns.icann.org 2620:0:2d0:202::132; // lax.xfr.dns.icann.org 192.0.47.132; // iad.xfr.dns.icann.org 2620:0:2830:202::132; // iad.xfr.dns.icann.org }; notify no; }; zone "ip6.arpa" { type slave; file "/usr/local/etc/namedb/slave/ip6.arpa.slave"; masters { 192.0.32.132; // lax.xfr.dns.icann.org 2620:0:2d0:202::132; // lax.xfr.dns.icann.org 192.0.47.132; // iad.xfr.dns.icann.org 2620:0:2830:202::132; // iad.xfr.dns.icann.org }; notify no; }; */ /* Serving the following zones locally will prevent any queries for these zones leaving your network and going to the root name servers. This has two significant advantages: 1. Faster local resolution for your users 2. 
No spurious traffic will be sent from your network to the roots */ /* // RFCs 1912, 5735 and 6303 (and BCP 32 for localhost) zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; }; zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // RFC 1912-style zone for IPv6 localhost address (RFC 6303) zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; }; // "This" Network (RFCs 1912, 5735 and 6303) zone "0.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // Private Use Networks (RFCs 1918, 5735 and 6303) zone "10.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "28.172.in-addr.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // Shared Address Space (RFC 6598) zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone 
"81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; 
zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "124.100.in-addr.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // Link-local/APIPA (RFCs 3927, 5735 and 6303) zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IETF protocol assignments (RFCs 5735 and 5736) zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303) zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IPv6 Example Range for Documentation (RFCs 3849 and 6303) zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // Router Benchmark Testing (RFCs 2544 and 5735) zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IANA Reserved - Old Class E Space (RFC 5735) zone "240.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "241.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "242.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "243.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "244.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "245.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "246.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; 
zone "247.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "248.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "249.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "250.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "251.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "252.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "253.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "254.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IPv6 Unassigned Addresses (RFC 4291) zone "1.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "3.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "4.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "5.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "6.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "7.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "8.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "9.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "a.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "b.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "c.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "d.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "e.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "0.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "1.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "2.f.ip6.arpa" { 
type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "3.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "4.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "5.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "6.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "7.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "8.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "9.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "a.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "b.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "0.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "1.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "2.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "3.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "4.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "5.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "6.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "7.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IPv6 ULA (RFCs 4193 and 6303) zone "c.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "d.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IPv6 Link Local (RFCs 4291 and 6303) zone "8.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "9.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "a.e.f.ip6.arpa" { type master; file 
"/usr/local/etc/namedb/master/empty.db"; }; zone "b.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303) zone "c.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "d.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "e.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; zone "f.e.f.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; // IP6.INT is Deprecated (RFC 4159) zone "ip6.int" { type master; file "/usr/local/etc/namedb/master/empty.db"; }; */ // NB: Do not use the IP addresses below, they are faked, and only // serve demonstration/documentation purposes! // // Example slave zone config entries. It can be convenient to become // a slave at least for the zone your own domain is in. Ask // your network administrator for the IP address of the responsible // master name server. // // Do not forget to include the reverse lookup zone! // This is named after the first bytes of the IP address, in reverse // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6. // // Before starting to set up a master zone, make sure you fully // understand how DNS and BIND work. There are sometimes // non-obvious pitfalls. Setting up a slave zone is usually simpler. // // NB: Don't blindly enable the examples below. :-) Use actual names // and addresses instead. 
/* An example dynamic zone
key "exampleorgkey" {
	algorithm hmac-md5;
	secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "/usr/local/etc/namedb/dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
	type slave;
	file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/

include "/usr/local/etc/namedb/rndc.key";
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

key "any" {
	algorithm hmac-md5;
	secret "09o8VJg1+JLEKTD/QrSc5g==";
};
key "local" {
	algorithm hmac-md5;
	secret "8tS+9+4siNa0n8oTnuEFsQ==";
};

acl "dns_ip" {
	192.168.1.86;	#master
	#10.0.0.9;	#slave
};
acl "LOCAL" {
	192.168.1.0/24;
	192.168.2.0/24;
	192.168.10.0/24;
};

include "/usr/local/etc/namedb/local_acl.conf";
include "/usr/local/etc/namedb/any.conf";

#logging {
#	category edns-disabled { null; };
#	channel query_log {
#		file "/var/named/data/query.log" versions 3 size 20m;
#		severity info;
#		print-time yes;
#		print-category yes;
#	};
#	category queries {
#		query_log;
#	};
#};

local_acl.conf

#local network view
view "local" {
	#match-clients { key local; LOCAL; };	#for file-backed zones, master/slave sync
	match-clients { LOCAL; };		#for the database-backed setup, no sync needed
	allow-query-cache { LOCAL; };
	#allow-transfer { key local; };		#for file-backed zones, master/slave sync
	#server 10.0.0.9 { keys { local; }; };	#for file-backed zones, master/slave sync
	#allow recursive queries from internal addresses
	allow-recursion { 192.168.1.0/24; 127.0.0.1; };

	#------ file-backed zone configuration -----------
	# zone "sample.com" {
	#	type master;	#on the slave: type slave;
	#	file "/etc/named/sample.com.in.zone"
	#	# masters { 10.0.0.8; };	#slave configuration
	# };
	# zone "1.0.10.in-addr.arpa" {
	#	type master;	#on the slave: type slave;
	#	file "/etc/named/0.0.10.in-addr.arpa;
	#	# masters { 10.0.0.8; };	#slave configuration
	# };
	#------ file-backed zone configuration -----------

	#---dlz postgresql database configure----
	dlz "postgres zone" {
		database "postgres 1
		{host=localhost port=5432 dbname=dns_dlz user=postgres}
		{select zone from dns_records where zone = '$zone$' limit 1}
		{select ttl, type, mx_priority,
		 case when lower(type)='txt' then '\"' || data || '\"'
		      when lower(type)='soa' then data || ' ' || resp_person || ' ' || serial || ' ' || refresh || ' ' || retry || ' ' || expire || ' ' || minimum
		      else data end
		 from dns_records where zone = '$zone$' and lower(view)='local' and host = '$record$'}
		{}
		{select ttl, type, host, mx_priority,
		 case when lower(type)='txt' then '\"' || data || '\"' else data end,
		 resp_person, serial, refresh, retry, expire, minimum
		 from dns_records where zone = '$zone$'}";
	};
};

any.conf

view "any" {
	#match-clients { key local; ANY; };	#for file-backed zones, master/slave sync
	match-clients { ANY; };			#for the database-backed setup, no sync needed
	allow-query-cache { ANY; };
	#allow-transfer { key any; };		#for file-backed zones, master/slave sync
	#server 10.0.0.9 { keys { any; }; };	#for file-backed zones, master/slave sync
	allow-recursion { 127.0.0.1; 192.168.1.0/24; };

	#------ file-backed zone configuration -----------
	#zone "sample.com" {
	#	type master;
	#	file "/etc/named/sample.com.zone";
	#	# masters { 10.0.0.8; };	#slave configuration
	#};
	#zone "222.222.222.in-addr.arpa" {
	#	type master;	#on the slave: type slave;
	#	file "/etc/named/222.222.222.in-addr.arpa";
	#	# masters { 10.0.0.8; };	#slave configuration
	#};
	#------ file-backed zone configuration -----------

	#---dlz postgresql database configure----
	dlz "postgres zone" {
		database "postgres 1
		{host=localhost port=5432 dbname=dns_dlz user=postgres}
		{select zone from dns_records where zone = '$zone$' limit 1}
		{select ttl, type, mx_priority,
		 case when lower(type)='txt' then '\"' || data || '\"'
		      when lower(type)='soa' then data || ' ' || resp_person || ' ' || serial || ' ' || refresh || ' ' || retry || ' ' || expire || ' ' || minimum
		      else data end
		 from dns_records where zone = '$zone$' and lower(view)='any' and host = '$record$'}";
	};
	#---dlz postgresql database configure----
};

Because I am running FreeBSD 11.0, which does not support TCP_FASTOPEN, I also had to build a kernel before BIND could be used.

ee /etc/sysctl.conf
#add
net.inet.tcp.fastopen.enabled=1

cd /usr/src/sys/i386/conf
mkdir ~/kernels/
cp GENERIC TCPOPEN
mv TCPOPEN ~/kernels/TCPOPEN
ln -s ~/kernels/TCPOPEN
ee TCPOPEN
#append at the end
# TFO TCP Fast Open TCP_FASTOPEN
options TCP_RFC7413

cd /usr/src
make buildkernel KERNCONF=TCPOPEN
#install once the build has finished
make installkernel KERNCONF=TCPOPEN
#then reboot
shutdown -r now

After the reboot the services should work normally.
  4. I won't go over installing redis again; assume a working redis environment. Ports path: /usr/ports/databases/redis

Install ruby (needed when building the cluster):
cd /usr/ports/accessibility/rubygem-atk
make install clean

Install ruby-gems:
cd /usr/ports/devel/rubygem-gems
make install clean

Install ruby-redis:
gem install redis

A cluster requires more than 3 nodes; I configured five here. If more than half of the cluster's nodes go down, it can no longer serve normally.

Edit the configuration files:
cd /usr/local/etc
/usr/local/etc/rc.d/redis stop
cp redis.conf redis-6379.conf
cp redis.conf redis-6380.conf
cp redis.conf redis-6381.conf
cp redis.conf redis-6382.conf
cp redis.conf redis-6383.conf
chown redis redis-*.conf
ee redis-6379.conf

The main things to change are:
bind 0.0.0.0
port 6379			#change the port number in each file, 6379-6383
pidfile /var/run/redis/6379.pid
dbfilename dump-6379.rdb
cluster-enabled yes
cluster-config-file nodes-6379.conf

#change the startup parameters
ee /etc/rc.conf
redis_profiles="6379 6380 6381 6382 6383"

Then restart the service:
/usr/local/etc/rc.d/redis start

Build the cluster:
cd /usr/ports/databases/redis/work/redis-3.2.9/src
./redis-trib.rb create --replicas 1 127.0.0.1:6379 127.0.0.1:6380 127.0.0.1:6381 127.0.0.1:6382 127.0.0.1:6383
#type yes when prompted
If other machines need to reach the cluster, use the LAN IP in the addresses above.

Connection test:
redis-cli -h 192.168.1.86 -c -p 6379
set hello world
#output:
#-> Redirected to slot [8516] located at 192.168.1.86:6381
#OK
#success

Note: an access password cannot be set before the cluster is built; if you need authentication, set it on each node with the config command after the cluster exists:
config set masterauth password
config set requirepass password
config rewrite
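The per-node configuration step above, as an added example that is not part of the post: a function that derives one redis-<port>.conf from the stock redis.conf (dropping the directives it overrides instead of leaving duplicates), and a second one that prints the post-cluster-creation redis-cli commands from the note at the end, since those have to be run against every node and after requirepass is set the rewrite needs -a. The template path, output directory, bind address, password and port list are assumed arguments; the example binds to a private interface address rather than 0.0.0.0.

```shell
#!/bin/sh
# Added example, not from the post. gen_node_conf TEMPLATE OUTDIR BINDADDR PORT
# writes OUTDIR/redis-PORT.conf: every line of TEMPLATE except the directives
# we set ourselves, then the cluster settings the post lists for that node.
gen_node_conf() {
    out="$2/redis-$4.conf"
    grep -Ev '^(bind|port|pidfile|dbfilename|cluster-enabled|cluster-config-file)[[:space:]]' "$1" > "$out"
    cat >> "$out" <<EOF
bind $3
port $4
pidfile /var/run/redis/$4.pid
dbfilename dump-$4.rdb
cluster-enabled yes
cluster-config-file nodes-$4.conf
EOF
}

# password_cmds HOST PASSWORD PORT...: the commands from the post's note, one
# node at a time. The password can only be set once redis-trib has created the
# cluster; the same value must go on every node (masterauth is what replicas
# use to reach their master), and "config rewrite" needs -a because the
# connection it runs on is opened after requirepass took effect.
password_cmds() {
    host=$1; pw=$2; shift 2
    for p in "$@"; do
        printf 'redis-cli -h %s -p %s config set masterauth %s\n' "$host" "$p" "$pw"
        printf 'redis-cli -h %s -p %s config set requirepass %s\n' "$host" "$p" "$pw"
        printf 'redis-cli -h %s -p %s -a %s config rewrite\n' "$host" "$p" "$pw"
    done
}

# Usage (assumed paths):
#   for p in 6379 6380 6381 6382 6383; do gen_node_conf /usr/local/etc/redis.conf /usr/local/etc 192.168.1.86 $p; done
#   ... create the cluster with redis-trib.rb, then:
#   password_cmds 192.168.1.86 'long-random-secret' 6379 6380 6381 6382 6383 | sh
```

The generated files still need `chown redis` and the `redis_profiles` line in /etc/rc.conf exactly as in the post.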
  5. Long, long ago I ran the mail server on my own machines; under Windows I used Mdaemon, CmailServer and the like. I host less and less on Windows, and all my services now run on FreeBSD. Around 2011 I moved to QQ's domain mailbox and used it until recently. Now I find that Tencent's mail servers can't receive mail from abroad. No choice but to bring it back in house, I suppose?

I had used Postfix before; back then its spam handling was good, and the one regret was the lack of a nice webmail. Looking around now I settled on roundcube; I had planned on openwebmail, but its interface isn't pretty enough and CGI is a hassle to set up, whereas roundcube fits my habits perfectly: pure PHP, clean and good-looking. For now only the most basic functions; anti-spam, antivirus and so on will be tuned later. Let's get to work!

Postfix install: provides SMTP. Select all the mysql options; I'm going to authenticate against mysql.
cd /usr/ports/mail/postfix
make install clean

dovecot: provides POP3, IMAP and so on.
cd /usr/ports/mail/dovecot/
make install clean

Configure dovecot:
cp /usr/local/etc/dovecot/example-config/dovecot.conf /usr/local/etc/dovecot/
cp /usr/local/etc/dovecot/example-config/dovecot-sql.conf.ext /usr/local/etc/dovecot/
mkdir /usr/local/etc/dovecot/conf.d/
cp /usr/local/etc/dovecot/example-config/conf.d/* /usr/local/etc/dovecot/conf.d/

ee /usr/local/etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfix
default_pass_scheme = MD5
password_query = \
  SELECT username, domain, password \
  FROM users WHERE username = '%n' AND domain = '%d' AND active = 'Y'
user_query = \
  SELECT home, uid, gid \
  FROM users WHERE username = '%n' AND domain = '%d'
iterate_query = SELECT username AS user FROM users

Install postfixadmin:
cd /usr/ports/mail/postfixadmin
make install clean

Create the database and user:
# Create the database
CREATE DATABASE postfix;
# Create user and allow him to read from the mail database
GRANT SELECT ON postfix.* TO 'postfix'@'localhost' IDENTIFIED BY 'postfix';
FLUSH PRIVILEGES;

Set up postfixadmin's web path yourself and create the tables and initial data. It lives in:
/usr/local/www/postfixadmin

Create the mysql maps:

ee /usr/local/etc/postfix/mysql_virtual_alias_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address
additional_conditions = and active = '1'
#query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

ee /usr/local/etc/postfix/mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain
additional_conditions = and backupmx = '0' and active = '1'
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'

ee /usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
user = postfix
password = postfix
dbname = postfix
hosts = localhost
table = mailbox
select_field = quota
where_field = username
additional_conditions = and active = '1'
#query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

ee /usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
dbname = postfix
hosts = localhost
table = mailbox
select_field = CONCAT(domain,'/',maildir)
where_field = username
additional_conditions = and active = '1'
#query = SELECT CONCAT(domain,'/',maildir) FROM mailbox WHERE username='%s' AND active = '1'

Other configuration:
ee /usr/local/etc/postfix/master.cf
Append one line at the end:
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=postfix:postfix argv=/usr/local/libexec/dovecot/deliver -d $(recipient)

Generate the TLS certificate:
openssl req -new -outform PEM -out /usr/local/etc/postfix/smtpd.cert -newkey rsa:2048 -nodes -keyout /usr/local/etc/postfix/smtpd.key -keyform PEM -days 3650 -x509
chmod 640 /usr/local/etc/postfix/smtpd.key
chgrp postfix /usr/local/etc/postfix/smtpd.key
cd /usr/local/share/examples/dovecot
ee dovecot-openssl.cnf		#change what needs changing
sh mkcert.sh

Install roundcube:
cd /usr/ports/mail/roundcube
make install
Its directory is /usr/local/www/roundcube. After configuring, visit http://xxxx/installer/

Configure postfix. This is my current configuration; adjust it to your needs:
postconf -e 'virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf'
postconf -e 'virtual_mailbox_base = /var/spool/postfix'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf'
postconf -e 'virtual_uid_maps = static:125'
postconf -e 'virtual_gid_maps = static:125'
postconf -e 'virtual_transport = dovecot'
postconf -e 'local_transport = virtual'
postconf -e 'local_recipient_maps = $virtual_mailbox_maps'
postconf -e 'transport_maps = hash:/usr/local/etc/postfix/transport'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_helo_required = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client cblless.anti-spam.org.cn, reject_unauth_destination'
postconf -e 'smtpd_sasl_exceptions_networks = $mynetworks'
postconf -e 'smtpd_sasl_type = dovecot'
postconf -e 'smtpd_sasl_path = private/auth'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.key'
postconf -e 'smtpd_sasl_local_domain = $mydomain'
postconf -e 'smtpd_sasl_tls_security_options = $smtpd_sasl_security_options'
postconf -e 'strict_rfc821_envelopes = yes'
postconf -e 'disable_vrfy_command = yes'

The resulting settings (postconf -n):
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, $mydomain, localhost
mydomain = zomew.com
myhostname = mail.zomew.com
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /usr/local/etc/postfix/smtpd.cert
smtpd_tls_key_file = /usr/local/etc/postfix/smtpd.key
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /var/spool/postfix
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:125

Add the smtps port:
ee /usr/local/etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

dovecot configuration files: there is a lot to change. This is what dovecot -n shows:
# 2.2.18: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 10.2-RELEASE amd64 ufs
base_dir = /var/run/dovecot/
first_valid_uid = 125
last_valid_uid = 125
mail_location = maildir:/var/spool/postfix/%d/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

/usr/local/etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
base_dir = /var/run/dovecot/

/usr/local/etc/dovecot/dovecot-sql.conf.ext
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=postfix
default_pass_scheme = MD5-CRYPT
password_query = SELECT password FROM mailbox WHERE username = '%u'
user_query = SELECT maildir, 125 as uid, 125 as gid FROM mailbox WHERE username = '%u'
iterate_query = SELECT username AS user FROM mailbox

/usr/local/etc/dovecot/conf.d/

10-auth.conf
disable_plaintext_auth = yes
!include auth-sql.conf.ext

10-mail.conf
mail_location = maildir:/var/spool/postfix/%d/%u
first_valid_uid = 125
last_valid_uid = 125

10-master.conf
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
}

10-ssl.conf
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
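The four map files above are written in Postfix's older table/select_field/where_field/additional_conditions form, and each carries the single-statement `query =` equivalent as a comment. The conversion is mechanical, so here it is as an added example (not code from the post): a converter that reads a legacy map file, keeps the connection settings, and emits the `query =` line Postfix would build from it, refusing files that lack one of the three required fields. The input file is constructed for the test; paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. Reads a legacy-form mysql map .cf on stdin
# and writes the same map in "query =" form on stdout. Postfix expands the
# legacy fields as:
#   SELECT <select_field> FROM <table> WHERE <where_field> = '%s' <additional_conditions>
mysqlmap_to_query() {
    awk -v q="'" '
    # skip comments and blank lines
    /^[[:space:]]*(#|$)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        kv[key] = val
        # user/password/hosts/dbname and anything else pass through unchanged
        if (key != "table" && key != "select_field" && key != "where_field" && key != "additional_conditions")
            print key " = " val
    }
    END {
        if (!("table" in kv) || !("select_field" in kv) || !("where_field" in kv)) {
            print "error: table, select_field and where_field are all required" | "cat 1>&2"
            exit 1
        }
        query = "SELECT " kv["select_field"] " FROM " kv["table"] " WHERE " kv["where_field"] " = " q "%s" q
        if (("additional_conditions" in kv) && kv["additional_conditions"] != "")
            query = query " " kv["additional_conditions"]
        print "query = " query
    }'
}

# Usage (assumed path):
#   mysqlmap_to_query < /usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
```

Check the result with `postmap -q user@example.com proxy:mysql:/path/to/file.cf` before switching the live files over; the lookup should return exactly what the legacy file returned.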
  6. In a traditional network layout this situation comes up all the time: two different services live on two servers and both use port 80. From outside you can only reach one of them, or have to use other ports, which is inconvenient. Hence this idea: a single entry point that splits or balances the requests. I chose Nginx, which is relatively lightweight; if there are static pages it can also cache them directly to take load off the other servers. That is not covered here; adjust as needed.

First install nginx on the entry server; if there is a firewall or router, hand port 80 straight to it. Installation is simple, so I'll skip it and just post the configuration files.

/usr/local/etc/nginx/nginx.conf

#user  nobody;
user www www;
worker_processes  1;

error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    include /usr/local/etc/nginx/conf/reverse-proxy.conf;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    log_format resv '$HTTP_X_REAL_IP - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" $HTTP_X_Forwarded_For';

    access_log  logs/access.log  resv;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  on;

    client_max_body_size 50m;
    client_body_buffer_size 256k;      #max bytes of a client request body buffered by the proxy; can be understood as
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    proxy_connect_timeout 300s;        #timeout for nginx to connect to the backend (proxy connect timeout)
    proxy_read_timeout 300s;           #backend response time once connected (proxy receive timeout)
    proxy_send_timeout 300s;
    proxy_buffer_size 64k;             #buffer for the response headers the proxy (nginx) keeps for the client
    proxy_buffers 4 32k;               #proxy_buffers; if pages average under 32k, this setting
    proxy_busy_buffers_size 64k;       #buffer size under high load (proxy_buffers*2)
    proxy_temp_file_write_size 64k;    #set the temp file size; above this value, from upstrea
    proxy_ignore_client_abort on;      #do not let the proxy side close the connection on its own

    server {
        listen       80 default;
        server_name  localhost;
        charset utf-8;
        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/local/www/nginx;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}

/usr/local/etc/nginx/conf/reverse-proxy.conf

upstream zomew {
    server 192.168.1.81;
}

upstream temp {
    server 192.168.1.120;
}

server {
    listen 80;
    server_name t1.zomew.com;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://zomew$request_uri;
    }

    access_log logs/t1_access.log;
}

server {
    listen 80;
    server_name t2.zomew.com;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://temp;
    }

    access_log logs/t2_access.log;
}
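The front nginx above appends the connecting address to X-Forwarded-For with $proxy_add_x_forwarded_for, so on the backends (192.168.1.81 and 192.168.1.120) the header reads "whatever the client sent, client address". Anything the client put there itself is untrusted; only the hop added by our own proxy is reliable. As an added example, not code from the post, this is the selection rule a backend (or a log-analysis script fed the resv log format) should apply: walk the chain from the right, skip our own proxies, and take the first address that is not one of them. The trusted-proxy list and the sample header values are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. xff_client_ip XFF TRUSTED PEER
#   $1 = X-Forwarded-For value as received (may be empty)
#   $2 = space-separated addresses of our own proxies (the nginx front)
#   $3 = address of the TCP peer that delivered the request to us
# The peer is appended as the rightmost hop, since it is the one address
# that cannot be forged; hops are then examined right to left and the first
# one that is not a trusted proxy is the client. Everything to its left was
# supplied by the client and is ignored.
xff_client_ip() {
    printf '%s,%s\n' "$1" "$3" | awk -v trusted="$2" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) tp[t[i]] = 1 }
    {
        gsub(/[[:space:]]/, "")
        n = split($0, hop, ",")
        for (i = n; i >= 1; i--) {
            if (hop[i] == "") continue              # empty header or stray comma
            if (!(hop[i] in tp)) { print hop[i]; exit }
        }
        print hop[n]                                 # every hop was ours: use the peer
    }'
}

# Usage on a backend behind the front at 192.168.1.50 (assumed address):
#   xff_client_ip "$HTTP_X_FORWARDED_FOR" "192.168.1.50" "$REMOTE_ADDR"
```

If a client sends its own `X-Forwarded-For: 10.0.0.1`, the backend sees "10.0.0.1, 1.2.3.4" from the front and this rule still yields 1.2.3.4; logging `$HTTP_X_Forwarded_For` raw, as the resv format does, keeps the forged value in the log but does not make it the client address.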
  7. Database hot standby on two machines. It may be needed when balancing across two servers: a database kept on its own server or VM can suddenly become unreachable. This is only a test; if you can give the database a dedicated server or VM that is fine too, since mysql rarely goes down. The procedure is for reference only; FreeBSD 10.2 / MySQL 5.6.26.

First make sure both databases are identical, then do the following:
ee /usr/local/my.cnf
server-id=78		#must be unique
log_bin=mysql-bin	#change to the name you want; it must match the command below
binlog-do-db=test	#database to replicate

Do this on both servers and restart mysql:
service mysql-server restart

Add an account with the slave privilege; using root is not recommended:
grant replication slave on *.* to 'slave'@'%' identified by 'password';

Run the replication command:
change master to master_host='192.168.1.77', master_user='slave', master_password='password', master_log_file='mysql-bin.000001', master_log_pos=319;

Explanation:
  master_host: the master server's IP address
  master_user: the backup user created on the master
  master_password: that user's password
  master_log_file: the master's log name
  master_log_pos: the position in the master's log

Start the slave:
start slave;

Then make a change to a table and check whether the other database shows the same change; if it does, PASS. One more thing to watch out for: when I tested this I had cloned the VM directly, so both mysql instances had exactly the same ID. Edit /var/db/mysql/auto.cnf, change any one digit of the ID, save and restart mysql, otherwise you get:
Fatal error: The slave I/O thread stops because master and slave have equal MySQL server UUIDs; these UUIDs must be different for replication to work.

If you only need master-slave backup, you can turn off the standby-to-master replication settings.
  8. Once a FreeBSD install has been around for a long time, how do you update it? Reinstalling means far too much to reconfigure; with this command you can specify which version to upgrade to.
http://www.freebsd.org/doc/zh_CN/books/handbook/updating-upgrading-freebsdupdate.html

freebsd-update fetch install
freebsd-update -r 10.2-RELEASE upgrade
freebsd-update install		#first install pass (kernel), then reboot, as the handbook linked above describes
shutdown -r now
freebsd-update install		#second install pass (userland) after the reboot

http://kanjuku-tomato.blogspot.com/2014/01/freebsd-92-releasefreebsd-10-release.html
The install had problems; solved by following the steps on this Japanese blog. Why is there nothing like it in China? The gist: the original freebsd-update is broken, and after applying the two patches it works.
  9. The firewalls we normally use mostly work like this: the rules are set up, and then we wait for someone to analyse the logs by hand before updating them, so there is little timeliness and the system's security can't be ensured promptly. That is what prompted the idea of an active blocking function.

At present this system only runs on *NIX or *BSD systems with ipfw enabled; PHP and mysql are of course required. The program can also only be run from the command line as root, because IPFW needs root privileges to operate.

How it works: a program runs periodically to analyse the specified log files (several can be configured), picking out requests that are harmful to the system. Once a set threshold is reached, the IP is blocked temporarily (with the current settings that IP cannot access this server for the next 24 hours); if it is blocked repeatedly it is moved straight to the blacklist, which blocks it permanently. The details can be changed in config.php.

Some of the core files are posted below; the complete files are available for download at the bottom. This program is only meant to get the ball rolling; if there is a better approach we can discuss it and grow together. I'd be honoured if this tool helps a few people, and if there are any bugs, get in touch so we can improve it together.

Installation:
Note that this program is only for users with enough unix experience; I won't go into permissions.
1. At first there is no conn.php; run install.php once and the program generates conn.php.
2. Once conn.php exists, edit it, create the corresponding mysql database and user, and run install.php again.
3. Then edit config.php; the important part is to enter the full paths of the apache access logs to scan. The files in the shipped config are only for testing.
4. Add a crontab entry, as root, to run php firewall.php every 10 to 15 minutes; adjust the interval to your situation.
5. If there are IPs that should be whitelisted to avoid blocking them by mistake, add records to the whitelist table by hand.
6. IPs that should be blacklisted up front can likewise be added to the blacklist table by hand.

config.php

<?php
DEFINED('ROOT_DIR') || DEFINE('ROOT_DIR', dirname(__FILE__));
if (file_exists(ROOT_DIR.'/conn.php')) include_once(ROOT_DIR.'/conn.php');

class config {
    /**
     * Configuration file  Jamers 2015.1.5
     */
    static $dellogtime = -1;         // age after which block records are deleted (31*24*60*60); -1 = never delete
    static $blockvalue = 50;         // block threshold: rule hits per day
    static $step = 1;                // rule id step
    static $white_start = 1100;      // whitelist starting rule id
    static $white_set = 10;          // whitelist rule set
    static $black_start = 1500;      // blacklist starting rule id
    static $black_set = 11;          // blacklist rule set
    static $temp_start = 10000;      // temporary block starting rule id
    static $temp_set = 15;           // temporary block rule set
    static $temp_durt = array(0 => 1, 1 => 7, 2 => -1); // temporary block length in days per repeat; -1 = permanent
    static $ipfw = '/sbin/ipfw';     // full path to ipfw, otherwise it will not run from cron
    static $debug = false;           // debug flag
    static $debug_out = 'debug.txt'; // debug output file
    static $list = array(
        'data/bbs.zomew.net-access_log',
    ); // log files to scan
    static $filter = array(
        ' 404 ', '%20and%20', '%20or%20', '/**/or/**/', 'phpinfo.php', 'act=phpinfo', 'phpmyadmin',
        '%20union%20', 'select%20', '><script>', '=alert(',
    ); // strings that count as hits
    static $ignore = array(
        'robots.txt', 'google=',
    ); // strings to ignore, e.g. robots.txt
    // equivalent command: cat <file> | grep -i "19/Dec/2014" | grep -i " 404 \|phpinfo.php" | grep -vi "robots.txt"
}
?>

cls_firewall.php (core file)

<?php
DEFINED('ROOT_DIR') || DEFINE('ROOT_DIR', dirname(__FILE__));
include_once(ROOT_DIR.'/config.php');
include_once(ROOT_DIR.'/cls_mysql.php');

class cls_firewall {
    /**
     * IPFW firewall handler: block malicious visitors automatically based on the apache log
     *
     * Jamers 2015.1.5
     */
    public $vars = array();
    public $DB;
    public $step = 1;
    private $dt, $ipfw, $debug, $debug_out;
    private $filter, $ignore;
    private $type = array('white', 'black', 'temp');
    public $ids = array('white' => 1100, 'black' => 1500, 'temp' => 10000);
    public $sets = array('white' => 10, 'black' => 11, 'temp' => 15);
    public $qsql = array(
        'white' => 'select ip from whitelist;',
        'black' => 'select ip from blacklist;',
        'temp'  => 'select ip from blocked where stime+durt>=UNIX_TIMESTAMP()',
    );
    public $output;   // the generated commands
    private $support;

    function __construct() {
        $this->step = config::$step;
        $this->ids['white'] = config::$white_start;
        $this->ids['black'] = config::$black_start;
        $this->ids['temp'] = config::$temp_start;
        $this->sets['white'] = config::$white_set;
        $this->sets['black'] = config::$black_set;
        $this->sets['temp'] = config::$temp_set;
        $this->dt = config::$dellogtime;
        $this->ipfw = config::$ipfw;
        $this->debug = config::$debug;
        $this->debug_out = config::$debug_out;
        // grep alternation for the filter and ignore lists
        $this->filter = implode('\\|', config::$filter);
        $this->ignore = implode('\\|', config::$ignore);
        $this->checksystem();
    }

    private function checksystem() {
        // Only a unix command-line environment running as root is supported
        $res = array();
        $this->support = false;
        if (php_sapi_name() != 'cli') return false;
        @exec('/usr/bin/uname', $res);   // check that uname exists
        if ($this->debug) {
            $dd = var_export($res, true);
            $this->append($this->debug_out, '/usr/bin/uname'."\r\n".$dd."\r\n");
        }
        if (count($res) > 0) {
            $res = array();
            @exec('/usr/bin/whoami', $res);
            if ($this->debug) {
                $dd = var_export($res, true);
                $this->append($this->debug_out, '/usr/bin/whoami'."\r\n".$dd."\r\n");
            }
            if (isset($res[0]) && $res[0] == 'root') $this->support = true;
        }
        return $this->support;
    }

    function execute() {
        /**
         * Main entry: analyse the logs, build the firewall commands and run them
         */
        if (!$this->support) die('Your system cannot run this program: it needs a command-line shell and must be executed as root!'); // windows simply exits
        $this->loaddata();          // collect offending IPs from the log files
        $this->delete_old_data();   // delete expired records
        $t = $this->exec_filter();  // build and run the ipfw commands
        return date('Y-m-d H:i:s');
    }

    function init_DB() {
        $this->DB = new cls_mysql($this->vars['dbhost'], $this->vars['dbuser'], $this->vars['dbpass'], $this->vars['dbname']);
    }

    private function checklist($ip) {
        /**
         * Returns true if the IP is already on the whitelist or blacklist
         */
        $res = false;
        $sql = "select count(*) from ((select DISTINCT ip from whitelist) union (select DISTINCT ip from blacklist)) a where ip='{$ip}';";
        $rs = $this->DB->getOne($sql, MYSQL_NUM);
        if (intval($rs[0]) > 0) $res = true;
        return $res;
    }

    private function loaddata() {
        /**
         * Read the log files and record every source that crossed today's threshold
         */
        foreach (config::$list as $file) {
            $res = array();
            $dstr = date('d/M/Y');
            //$dstr = '19/Dec/2014'; // for debugging
            $p = '/^\s*(\d+)\s+([\d\.]+)$/';   // "count ip" lines from uniq -c
            $cmd = "/bin/cat {$file} | /usr/bin/grep -i '{$dstr}' | /usr/bin/grep -i '{$this->filter}' | /usr/bin/grep -vi '{$this->ignore}' | /usr/bin/awk '{print \$1}' | /usr/bin/sort | /usr/bin/uniq -c | /usr/bin/sort -nr ";
            if ($this->debug) $this->append($this->debug_out, $cmd);
            @exec($cmd, $res);
            if ($this->debug) {
                $dd = var_export($res, true);
                $this->append($this->debug_out, "\r\n".$dd."\r\n");
            }
            foreach ($res as $line) {
                if (!preg_match($p, $line, $t)) continue;           // only well-formed "count ip" lines
                if (intval($t[1]) < config::$blockvalue) continue;  // below the threshold
                // Threshold crossed: record it unless there is already a record for today.
                // (A blacklisted IP should not appear here at all, but check anyway.)
                $ip = trim($t[2]);
                $sql = "select count(id) from blocked where ip='{$ip}' and stime>UNIX_TIMESTAMP(DATE_FORMAT(now(),'%Y-%m-%d 0:0:0'))";
                $rs = $this->DB->getOne($sql, MYSQL_NUM);
                if ($rs[0] > 0) continue;                            // already recorded today
                if ($this->checklist($ip)) continue;                 // on the whitelist or blacklist
                // how many times was this IP blocked within the longest temporary window?
                $max = max(config::$temp_durt);
                $sql = "select count(id) from blocked where ip='{$ip}' and stime<UNIX_TIMESTAMP(DATE_FORMAT(now(),'%Y-%m-%d 0:0:0')) and stime>=UNIX_TIMESTAMP(DATE_FORMAT(DATE_SUB(now(),INTERVAL {$max} DAY),'%Y-%m-%d 0:0:0'))";
                $rs = $this->DB->getOne($sql, MYSQL_NUM);
                // the repeat count picks the duration; clamp it so the last entry is reused
                $cc = min(intval($rs[0]), count(config::$temp_durt) - 1);
                $ary = array('ip' => $ip, 'stime' => time());
                $ary['durt'] = config::$temp_durt[$cc];
                if ($ary['durt'] == -1) {
                    $this->DB->do_insert('blacklist', array('ip' => $ip, 'addtime' => time()));
                } else {
                    $ary['durt'] *= 24 * 60 * 60;
                    $this->DB->do_insert('blocked', $ary);
                }
            }
        }
    }

    private function delete_old_data() {
        /**
         * Delete expired records (originally 31 days)
         */
        if ($this->dt >= 0) {
            $sql = "delete from blocked where stime+durt+{$this->dt} < UNIX_TIMESTAMP();";
            $this->DB->execute($sql);
        }
    }

    private function buildall() {
        /**
         * Read all IPs from the database and return the IPFW commands
         */
        $res = '';
        foreach ($this->type as $v) {
            $res .= "{$this->ipfw} delete set {$this->sets[$v]};";   // flush the set before re-adding
            $res .= $this->buildrule($v);
        }
        $this->output = $res;
        return $res;
    }

    private function exec_filter($len = 1024) {
        // Run the generated commands in chunks of at most $len bytes, split on ';'
        if ($this->output == '') $this->buildall();
        if ($this->output == '') return 'NULL';
        $str = $this->output;
        $res = array();
        while (strlen($str) > 0) {
            if (strlen($str) <= $len) {
                $res[] = $str;
                @exec($str);
                $str = '';
            } else {
                $tmp = substr($str, 0, $len);
                $pos = strrpos($tmp, ';');
                $out = substr($tmp, 0, $pos + 1);
                $res[] = $out;
                @exec($out);
                $str = substr($str, $pos + 1);
            }
        }
        if ($this->debug) {
            $dd = var_export($res, true);
            $this->append($this->debug_out, "exec_filter\r\n".$dd."\r\n");
        }
        return $res;
    }

    private function buildrule($type) {
        /**
         * Generate the ipfw commands for one list type
         *
         * Jamers 2015.1.5
         */
        $res = '';
        if (!isset($this->qsql[$type])) return '';
        $rs = $this->DB->getAll($this->qsql[$type], MYSQL_NUM);
        if (!$rs) return '';
        $opt = strtolower($type) == 'white' ? 'allow' : 'deny';
        foreach ($rs as $v) {
            $res .= "{$this->ipfw} -q add {$this->ids[$type]} set {$this->sets[$type]} {$opt} ip from {$v[0]} to me;";
            $this->ids[$type] += $this->step;
        }
        return $res;
    }

    private function append($file, $str) {
        $fp = fopen($file, 'a');
        fwrite($fp, $str);
        fclose($fp);
    }
}
?>

firewall.php (main entry)

<?php
DEFINED('ROOT_DIR') || DEFINE('ROOT_DIR', dirname(__FILE__));
include_once(ROOT_DIR.'/cls_firewall.php');
$fw = new cls_firewall();
if (isset($INFO)) {        // $INFO comes from conn.php, generated by install.php
    $fw->vars = $INFO;
    $fw->init_DB();
} else {
    die('system config error!');
}
echo $fw->execute();
?>

firewall.rar
  10. It's been a while since the system was replaced, and I never got round to the firewall. Today I made the time to set it up and take security all the way.

FreeBSD didn't ship with ipfw by default in the past; if it weren't compiled in, my plan to use this firewall would have fallen through, because the server is co-located and rebuilding would have other knock-on effects. Fortunately FreeBSD 10.1 compiles ipfw support in by default. Enough talk, let's go!

Enable firewall support:
ee /etc/rc.conf
#add the following lines
firewall_enable="YES"			# enable the firewall
firewall_script="/etc/rc.firewall"	# the default firewall script
firewall_type="/etc/ipfw.conf"		# custom rule file
firewall_quiet="NO"			# whether to print the rules when the script loads. "NO" for now; once your rule set is final you can set it to "YES".
firewall_logging_enable="YES"		# enable firewall logging

Add logging:
ee /etc/syslog.conf
#add the following lines
!ipfw
*.*						/var/log/ipfw.log

Create the rule set. This is the most important step, so be careful and open every port you need, otherwise you may have to be at the server's console to fix the settings. Assume the server IP is 192.168.1.50; change it yourself.
ee /etc/ipfw.conf

##TCP
add 10000 allow tcp from any to 192.168.1.50 22 in			#allow SSH
add 10001 allow tcp from any to me dst-port 80 setup limit src-addr 50	#allow port 80 and limit each IP address to 50 concurrent connections
add 10002 allow tcp from any to 192.168.1.50 21 in			#allow FTP
add 10003 allow tcp from any to 192.168.1.50 3306 in			#allow mysql
##allow all outbound requests from the server
add 19000 allow ip from 192.168.1.50 to any out
##allow DNS replies in
add 20000 allow udp from any 53 to 192.168.1.50
##allow all outbound UDP
add 29000 allow udp from any to any out
##allow the server's outbound ICMP and the corresponding replies
add 39000 allow icmp from any to any icmptypes 8 out
add 39001 allow icmp from any to any icmptypes 0 in
add 39002 allow icmp from any to any icmptypes 11 in
##deny everything that matched no rule
add 60000 deny all from any to any

After configuring, reboot the server; apart from the ports opened explicitly nothing else can be reached, and ping gets no response either. Adjust the rules to your own needs.
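The same policy as the /etc/ipfw.conf above, as an added example that is not the post's own rule set: the inbound holes for replies are replaced by stateful rules. Rule 20000 above admits any UDP datagram whose source port is 53, which anyone on the Internet can send; `keep-state` on the outbound query plus a `check-state` at the top admits only the reply to a query this host actually sent, and the same applies to outbound TCP. A loopback rule is added because the deny-all at the end otherwise also blocks local connections to mysql. The server address and the TCP ports to expose are assumed arguments.

```shell
#!/bin/sh
# Added example, not from the post. ipfw_stateful_conf ADDRESS PORT...
# Prints an /etc/ipfw.conf with the post's policy, but reply traffic is let in
# by dynamic state instead of by source port.
ipfw_stateful_conf() {
    me=$1; shift
    printf '# generated; first match wins, keep the order\n'
    # dynamic rules created by keep-state below are matched here
    printf 'add 100 check-state\n'
    # local services (mysql on 127.0.0.1 etc.) must keep working
    printf 'add 200 allow ip from any to any via lo0\n'
    n=10000
    for port in "$@"; do
        # one inbound rule per exposed TCP port, each source limited to 50 connections
        printf 'add %d allow tcp from any to %s %s in setup limit src-addr 50\n' "$n" "$me" "$port"
        n=$((n + 1))
    done
    # outbound traffic from this host creates state; only the matching reply
    # comes back in, through check-state
    printf 'add 19000 allow tcp from %s to any out setup keep-state\n' "$me"
    printf 'add 20000 allow udp from %s to any 53 out keep-state\n' "$me"
    printf 'add 29000 allow udp from %s to any out keep-state\n' "$me"
    # ICMP as in the post: our echo requests out, replies and time-exceeded in
    printf 'add 39000 allow icmp from %s to any icmptypes 8 out\n' "$me"
    printf 'add 39001 allow icmp from any to any icmptypes 0 in\n'
    printf 'add 39002 allow icmp from any to any icmptypes 11 in\n'
    # log what is dropped so the ipfw.log from syslog.conf is actually useful
    printf 'add 60000 deny log all from any to any\n'
}

# Usage (assumed address and ports, mirroring the post):
#   ipfw_stateful_conf 192.168.1.50 22 80 21 3306 > /etc/ipfw.conf
```

Load it with `service ipfw restart` from the console, not over SSH, the first time; with `firewall_logging_enable="YES"` the denied packets then show up in /var/log/ipfw.log, where a missing port is easy to spot.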
  11. Posted on Baidu Space on 5 July 2014: http://hi.baidu.com/zomew/item/b8bc1b05c0ee8bd572e676ca

FreeBSD 10 was released in January 2014 and I hadn't looked at it until now; during a recent install I found a great many changes, noted here for reference!

The familiar sysinstall is gone, replaced by the two commands bsdinstall/bsdconfig.

Apache installed without trouble, but after installing PHP the old way, PHP files would not parse at all. After searching in many places I found that PHP's apache module has been split out; installing /usr/ports/www/mod_php55 fixed it.

Before FreeBSD 9 I used cvsup to update the ports tree; portsnap is much faster now: fetch/extract/update.

Upgrading ports is single-threaded by default, so slow it makes you want to die. Switch! axel /usr/ports/ftp/axel

The ee editor is now installed by default.

Notes:

axel
/usr/ports/ftp/axel/
ee /etc/make.conf
FETCH_CMD=axel
FETCH_BEFORE_ARGS=-n 10
FETCH_AFTER_ARGS=
DISABLE_SIZE=yes

apache
/usr/ports/www/apache24/

mysql
/usr/ports/databases/mysql56-server/

php
/usr/ports/lang/php55/

php-ext
/usr/ports/lang/php55-extensions/

mod_php
/usr/ports/www/mod_php55/

ftp
/usr/ports/ftp/pureftpd/

#SSHD allows key logins only
ee /etc/ssh/sshd_config
Protocol 2

# Authentication:
LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
UsePAM no
  12. FTP is widely used, and standard FTP is plaintext. Back in the days of hubs you could sniff in an Internet café and grab FTP accounts by the handful; now that switches have replaced them, other clients can no longer get at that data, but on a managed switch it is still possible, and if a malicious user gets hold of FTP credentials the damage can be considerable.

For those of us who value server security more than life itself, plaintext FTP is only for the LAN; FTP on the public Internet must use FTPS mode so the credentials cannot be sniffed. FTPS works fine in an ordinary network, but in a complex one you may not be able to connect to the FTP server at all. In my current environment I cannot open FTPS servers on the public Internet (the network has several layers, so the client cannot talk to the server directly on the data port), while in the equally router-based network at home FTPS works normally. So I can use FTPS at home, but what about at work? Not use FTP? Is that realistic? I'm at work up to 10 hours a day and have to use it. So my hopes rest on SFTP.

SFTP needs basically no configuration; FreeBSD has it enabled by default. What I'll cover here is the client setup.

At work I talk to the server in two ways: CuteFTP for moving lots of files, and UltraEdit for editing the web pages on the server.

First, we log in to ssh with a key; I'll skip that part. Note that the private key format used by UE and CuteFTP may not be supported if the key was generated on freebsd. If you already have a key, copy the openssh key file to windows, open PUTTYGEN.EXE (from the putty package), Conversions ==> Import key ==> pick your existing private key file ==> Conversions ==> Export OpenSSH key ==> save it, and the clients can use it.

The generated private key looks like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AD7A47C442FABADD

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END RSA PRIVATE KEY-----

Adding the FTP account in UltraEdit:
Protocol: SFTP
Server: xx.xx.xx
Port: 22
Username: the ssh user name
Password: the ssh user's password
Initial directory: the web root; mine is /usr/local/www/apache24/data/
Under SSH choose: password and public key
Point it at the generated private key file, save, and you can connect.

New SFTP connection in CuteFTP:
Fill in the fields; there is nothing special in the new-connection area.
Tools ==> Global Options ==> Security ==> SSH2 Security
Tick "use password authentication" and "use public key authentication"
Set the public and private key paths, PASS!
  13. SubVersioN (SVN below) is a version control tool: it lets you see when and where things were changed, and is used a great deal in software development. This is only a brief note on its features; to learn more, see http://baike.baidu.com/link?url=h9cklVJQSas0d9sy-RaBOPxPNusbEbGZHhuYptScomOl2_2TtmQk4qOr_E3WcF4WWCWGEcl41g5GdpFwFa7uiK

Of course it has its shortcomings: svn's authentication is actually plaintext, so if we put the server on the public Internet and then commit our updates, every commit risks the account being stolen. Source code is generally extremely important, and a leak would be disastrous. So we want a more secure way of working, hence this article. Everything here has been verified in practice on the following versions:

Server:
FreeBSD freebsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
subversion 1.8.10

Client:
putty 0.63
TortoiseSVN 1.8.8, Build 25755 - 64 Bit , 2014/08/10 14:44:06

First install subversion on the server; I used ports, no details needed.
cd /usr/ports/devel/subversion
make install

Once installed, create the account and directories:
pw groupadd svn
pw useradd -G svn svn
mkdir -p /home/svn/repos
chown -R svn:svn /home/svn
svnadmin create /home/svn/repos
chmod -R 777 /home/svn/repos

Edit the configuration files and start svnserve:
ee /home/svn/repos/conf/svnserve.conf
#edit the configuration
anon-access = none
auth-access = write
#########################
#this is only for temporarily testing direct svn connections; remove it when testing is done
password-db = passwd
#########################
authz-db = authz

ee /home/svn/repos/conf/authz
#edit the authorization information
[/]
jamers=rw	#jamers has read/write access
#########################################

ee /home/svn/repos/conf/passwd
#add the password under [users]
jamers = testtest
#########################################

ee /etc/rc.conf
#add the following
svnserve_enable="YES"
#the default data path is /home/svn/repos

#the SVN server can now be started
/usr/local/etc/rc.d/svnserve start

svnserve is now installed and by default reachable at svn://xx.xx.xx.xx, but svn authentication is normally transmitted in plaintext, which is very unsafe on a server.

When testing is done, comment out password-db = passwd in svnserve.conf and restart svnserve; the ordinary svn connection method then stops working.

Download putty: http://the.earth.li/~sgtatham/putty/latest/x86/putty.zip

mkdir ~/.ssh

Generate a private and public key with PUTTYGEN.EXE; when done, copy the text in the upper box into authorized_keys in the .ssh directory.
Save the private and public key for later.
Test whether the generated private key can log in to the system. Once that works, log out.

In the Windows SVN client set the ssh client; my value is: "E:\Program Files\TortoiseSVN\bin\TortoisePlink.exe"

Before connecting, start PAGEANT.EXE from the PuTTY package; if the private key is not loaded, import the matching key. The key must be loaded every time you need to connect to SVN.

Use this kind of URL:
svn+ssh://jamers@192.168.1.50:/home/svn/repos

This way the SVN password is never exposed, and we have our security.
14. Note: this script was run on an old version of FreeBSD, so I cannot guarantee it works on the current 10.1 release; that remains to be verified. Also, the paths are from the environment at that time; change them as needed if yours differ.

FreeBSD tips memo
2006-11-10, 14:50
A few small tricks used while managing the company network, noted here for reference.
Note: all paths below are those of Ports installations and may not match paths elsewhere.

Scheduled execution:
Code
ee /etc/crontab
#minute hour day month weekday
#(the system crontab /etc/crontab also takes a user field between the weekday and the command)
#run the given command every day at 00:00
0 0 * * * /home/jamers/backup/website/utfipb_db.sh
#run once every two hours
0 */2 * * * /home/jamers/backup/website/utfipb_fb.sh
#every two hours between 23:00 and 08:00, plus 08:00
0 23-7/2,8 * * * /home/jamers/backup/config/configbackup.sh

Database backup:
Code
#!/usr/local/bin/bash
#This is a ShellScript For Auto DB Backup
#Powered by aspbiz
#2004-09
#Setting
#Set the database name, database login, password, backup path, log path, data file location and backup method
#The default backup method is tar; mysqldump and mysqlhotcopy are also possible
#By default it logs in to mysql as root (empty password) and backs up to /root/dbxxxxx.tgz
DBName=utfipb
DBUser=root
DBPasswd=
BackupPath=/home/jamers/backup/website/
LogFile=/home/jamers/backup/website/db.log
DBPath=/var/db/mysql/
BackupMethod=mysqldump
#BackupMethod=mysqlhotcopy
#BackupMethod=tar
#Setting End

NewFile="$BackupPath"utfipb_$(date +%Y%m%d)_db.tgz
DumpName=utfipb_$(date +%Y%m%d)_db.sql
DumpFile="$BackupPath$DumpName"   #the dump is written inside BackupPath so that tar -C finds it (cron's working directory is not BackupPath)
OldFile="$BackupPath"utfipb_$(date -v -15d +%Y%m%d)_db.tgz

echo "-------------------------------------------" >> $LogFile
echo $(date +"%Y-%m-%d %H:%M:%S") >> $LogFile
echo "--------------------------" >> $LogFile

#Delete Old File
if [ -f "$OldFile" ]
then
  rm -f "$OldFile" >> $LogFile 2>&1
  echo "[$OldFile]Delete Old File Success!" >> $LogFile
else
  echo "[$OldFile]No Old Backup File!" >> $LogFile
fi

if [ -f "$NewFile" ]
then
  echo "[$NewFile]The Backup File is exists,Can't Backup!" >> $LogFile
else
  case $BackupMethod in
  mysqldump)
    #note: a password passed as -p$DBPasswd is visible to every local user in ps; a ~/.my.cnf readable only by this user avoids that
    if [ -z "$DBPasswd" ]
    then
      mysqldump -u $DBUser --opt $DBName > "$DumpFile"
    else
      mysqldump -u $DBUser -p$DBPasswd --opt $DBName > "$DumpFile"
    fi
    tar czvf "$NewFile" -C "$BackupPath" "$DumpName" >> $LogFile 2>&1
    echo "[$NewFile]Backup Success!" >> $LogFile
    rm -rf "$DumpFile"
    ;;
  mysqlhotcopy)
    rm -rf "$DumpFile"
    mkdir "$DumpFile"
    if [ -z "$DBPasswd" ]
    then
      mysqlhotcopy -u $DBUser $DBName "$DumpFile" >> $LogFile 2>&1
    else
      mysqlhotcopy -u $DBUser -p $DBPasswd $DBName "$DumpFile" >> $LogFile 2>&1
    fi
    #tar czvf $NewFile $DumpFile >> $LogFile 2>&1
    tar czvf "$NewFile" -C "$BackupPath" "$DumpName" >> $LogFile 2>&1
    echo "[$NewFile]Backup Success!" >> $LogFile
    rm -rf "$DumpFile"
    ;;
  *)
    #stop the server so the raw data files are consistent (FreeBSD ports rc script; the original used the Linux path /etc/init.d/mysqld)
    /usr/local/etc/rc.d/mysql-server stop >/dev/null 2>&1
    tar czvf "$NewFile" "$DBPath$DBName" >> $LogFile 2>&1
    /usr/local/etc/rc.d/mysql-server start >/dev/null 2>&1
    echo "[$NewFile]Backup Success!" >> $LogFile
    ;;
  esac
fi
echo "-------------------------------------------" >> $LogFile

Website backup:
Code
#!/usr/local/bin/bash
#This is a ShellScript For Auto WEBSITE Backup
#Powered by Jamers
#2006-11-10
#Setting
#Set the file list name
BackupPath=/home/jamers/backup/website/
LogFile=/home/jamers/backup/website/fb.log
WorkDir=/usr/local/www/apache22/data
#FullDir=/usr/local/www/apache22/data/ipb
#Setting End

NewFile="$BackupPath"utfipb_$(date +%Y%m%d).tgz
DumpFile="$BackupPath"utfipb_$(date +%Y%m%d).sql
OldFile="$BackupPath"utfipb_$(date -v -15d +%Y%m%d).tgz

echo "-------------------------------------------" >> $LogFile
echo $(date +"%Y-%m-%d %H:%M:%S") >> $LogFile
echo "-------------------------------------------" >> $LogFile

#Delete Old File
if [ -f "$OldFile" ]
then
  rm -f "$OldFile" >> $LogFile 2>&1
  echo "[$OldFile]Delete Old File Success!" >> $LogFile
else
  echo "[$OldFile]No Old Backup File!" >> $LogFile
fi

if [ -f "$NewFile" ]
then
  echo "[$NewFile]The Backup File is exists,Can't Backup!" >> $LogFile
else
  #archive only the ipb directory below WorkDir
  tar czvf "$NewFile" -C "$WorkDir" ipb >> $LogFile 2>&1
fi
echo "-------------------------------------------" >> $LogFile

FreeBSD configuration backup:
Code
#!/usr/local/bin/bash
#This is a ShellScript For Auto Config Backup
#Powered by Jamers
#2006-11-10
#Setting
#Set the file list name
BackupPath=/home/jamers/backup/config/
LogFile=/home/jamers/backup/config/backup.log
FileList=/home/jamers/backup/config/needlist
#Setting End

NewFile="$BackupPath"config$(date +%Y%m%d).tgz
DumpFile="$BackupPath"config$(date +%Y%m%d).sql
OldFile="$BackupPath"config$(date -v -15d +%Y%m%d).tgz

echo "-------------------------------------------" >> $LogFile
echo $(date +"%Y-%m-%d %H:%M:%S") >> $LogFile
echo "-------------------------------------------" >> $LogFile

#Delete Old File
if [ -f "$OldFile" ]
then
  rm -f "$OldFile" >> $LogFile 2>&1
  echo "[$OldFile]Delete Old File Success!" >> $LogFile
else
  echo "[$OldFile]No Old Backup File!" >> $LogFile
fi

if [ -f "$NewFile" ]
then
  echo "[$NewFile]The Backup File is exists,Can't Backup!" >> $LogFile
else
  #-T reads the list of paths to archive from FileList
  tar czvf "$NewFile" -T "$FileList" >> $LogFile 2>&1
fi
echo "-------------------------------------------" >> $LogFile

Continuing from above: needlist. Just write out the files that need backing up...
Code
/etc/rc.conf
/etc/csh.cshrc
/etc/csh.logout
/etc/passwd
/etc/group
/etc/pwd.db
/etc/resolv.conf
/etc/aliases
/etc/crontab
/usr/local/etc/php.conf
/usr/local/etc/php.ini
/usr/local/etc/clamd.conf
/usr/local/etc/pure-ftpd.conf
/etc/pureftpd-mysql.conf
/usr/local/www/postfixadmin/config.inc.php
/usr/local/etc/apache22/
/usr/local/etc/authlib/
/usr/local/etc/postfix/
/usr/local/etc/MailScanner/
/usr/local/etc/samba/
/usr/local/lib/sasl2/smtpd.conf
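An added example, not one of the scripts above: the backups above hold database dumps, the web tree and /etc/pwd.db, so the archives themselves are sensitive and are also the thing an intrusion responder will restore from. The routine below keeps the same shape (dated .tgz, refuse to overwrite, 15-day rotation) and adds what those scripts leave out: the archive is created with owner-only permissions, a SHA-256 checksum is stored beside it so a truncated or tampered archive is caught before a restore, and pruning removes the checksum with the archive. Directory names, the 15-day retention and the sample files are assumptions or constructed for the demo.

```shell
#!/bin/sh
# Added example, not one of the original scripts: a backup routine in the
# same spirit that (1) creates the archive with owner-only permissions,
# (2) stores a SHA-256 checksum next to it so a truncated or tampered
# archive is detected before anyone restores from it, and (3) prunes
# archives older than a retention period. Directory names and the 15-day
# retention are assumptions chosen to mirror the scripts above.

RETENTION_DAYS=15

# sha256_of FILE: portable SHA-256 (GNU sha256sum or BSD sha256)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    sha256 -q "$1"
  fi
}

# backup_dir SRC_PARENT NAME DEST
# Archive SRC_PARENT/NAME into DEST/NAME_YYYYMMDD.tgz and print the archive
# path. Refuses to overwrite an existing archive for the same day.
backup_dir() {
  src_parent=$1; name=$2; dest=$3
  archive="$dest/${name}_$(date +%Y%m%d).tgz"
  mkdir -p "$dest" || return 1
  if [ -e "$archive" ]; then
    echo "[$archive] already exists, refusing to overwrite" >&2
    return 1
  fi
  # umask 077 in a subshell: archive and checksum readable by owner only,
  # without changing the caller's umask
  ( umask 077 && tar czf "$archive" -C "$src_parent" "$name" \
      && sha256_of "$archive" > "$archive.sha256" ) || return 1
  printf '%s\n' "$archive"
}

# verify_archive ARCHIVE: succeed only if the stored checksum matches and
# the archive still lists cleanly.
verify_archive() {
  [ -f "$1.sha256" ] || return 1
  [ "$(cat "$1.sha256")" = "$(sha256_of "$1")" ] || return 1
  tar tzf "$1" >/dev/null 2>&1
}

# prune_old DEST NAME: remove archives and their checksums older than
# RETENTION_DAYS, printing what was removed.
prune_old() {
  find "$1" -name "${2}_*.tgz*" -mtime +"$RETENTION_DAYS" -print -exec rm -f {} \;
}

# Demo on a constructed directory tree.
work=$(mktemp -d)
mkdir -p "$work/src/ipb"
echo '<?php echo "demo"; ?>' > "$work/src/ipb/index.php"
archive=$(backup_dir "$work/src" ipb "$work/out")
verify_archive "$archive" && echo "backup verified: $archive"
prune_old "$work/out" ipb
rm -rf "$work"
```

The checksum file is written with the same restrictive mode as the archive; if it needs to be trusted after a compromise of the backup host, copy the .sha256 files to a separate location as well, since an attacker who can rewrite the archive can rewrite a checksum stored beside it.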
15. FreeBSD localization settings
ee ~/.cshrc
Add the following lines:
alias dir ls -alhG
alias cls clear
set prompt = "$user@`/bin/hostname -s` %/# "
setenv LANG zh_CN.GB2312
setenv LC_ALL zh_CN.GB2312
setenv LC_CTYPE zh_CN.GB2312
setenv LC_COLLATE zh_CN.GB2312
setenv LC_MESSAGES zh_CN.GB2312
setenv LC_MONETARY zh_CN.GB2312
setenv LC_NUMERIC zh_CN.GB2312
setenv LC_TIME zh_CN.GB2312
setenv CHARSET GB2312
setenv MM_CHARSET GB2312

Firewall rule setup
Configuring ipfw
For ordinary rules, use the command-line configuration mode.
ipfw command syntax: ipfw [-N] command [number] action [log] protocol address [other options]
For example:
# ipfw add allow tcp from any to 10.10.10.1 80   #allow the outside world to reach my web service
# ipfw add allow tcp from any to 10.10.10.1 21   #allow the outside world to reach my ftp service
# ipfw add allow tcp from any to 10.10.10.1 22   #allow the outside world to reach my ssh service
To use a rule set file instead, see below.
After the system boots we also need to configure rc.conf to run the firewall:
# ee /etc/rc.conf
Add the following:
gateway_enable="YES"                # enable the gateway
firewall_enable="YES"               # enable the firewall
firewall_script="/etc/rc.firewall"  # the default firewall script
firewall_type="/etc/ipfw.conf"      # custom firewall rule file
firewall_quiet="NO"                 # whether to display rule information when the script loads. "NO" for now; once your firewall rule set is finalized, set this to "YES".
firewall_logging_enable="YES"       # enable firewall logging
When that is done, edit /etc/syslog.conf:
# ee /etc/syslog.conf
Add the following lines:
!ipfw
*.*         /var/log/ipfw.log

Now for the most important part, editing the rule set:
# ee /etc/ipfw.conf
We add the following rules (note: 10.10.10.1 is our server's IP):
######### TCP ##########
#add 00001 deny log ip from any to any ipopt rr
#add 00002 deny log ip from any to any ipopt ts
#add 00003 deny log ip from any to any ipopt ssrr
#add 00004 deny log ip from any to any ipopt lsrr
#add 00005 deny tcp from any to any in tcpflags syn,fin
# These 5 lines filter various scan packets.
# Since by default we do not pass any packets at all, none of the deny rules are needed...
add 10000 allow tcp from 1.2.3.4 to 10.10.10.1 22 in   # open the SSH service
add 10001 allow tcp from any to 10.10.10.1 80 in   # open http to the whole Internet
add 10002 allow tcp from any to 10.10.10.1 21 in   # open ftp to the whole Internet
add 10003 allow tcp from any to 10.10.10.1 3306 in   # open mysql
# Open SSH only to the Internet host xx.xx.xx.xx, i.e. trust only that IP for SSH logins.
# If the IP you log in from is not fixed, use: add 10000 allow tcp from any to 10.10.10.1 22 in
add 10004 allow ip from 10.10.10.1 to any out   #all outgoing traffic is open
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
#These three together allow the internal network to reach the outside; if you do not want the server itself to make outbound TCP connections to the Internet, remove 19997 and 19998. (This does not affect access to the server from the Internet.)
########## UDP ##########
add 20001 allow udp from any 53 to 10.10.10.1   # allow replies from other DNS servers into this server, since it has to do DNS lookups itself
add 29999 allow udp from any to any out   # allow our own UDP packets out
########## ICMP #########
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11 in
#Allow us to ping other servers, and allow the internal network to do route tracing with the router command.
add 40000 deny ip from any to any   # catch-all deny ("ip" is the ipfw keyword for any protocol)

DNS server settings
/etc/resolv.conf
domain kingstate.com.ks
nameserver 61.177.7.1
nameserver 221.228.255.1
nameserver 192.168.72.8

HOSTS file settings
/etc/hosts
::1 localhost
127.0.0.1 localhost
192.168.72.254 freebsd
192.168.72.254 freebsd.
192.168.72.254 counsel
192.168.72.254 counsel.kingstate.com.ks
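An added example, not part of the post above: a rule file in the form used above ("add NNNN action proto from src to dst [port] [in|out]") is easy to lint before it is loaded from rc.conf. The script below flags inbound allow rules that expose a port from a watch list to "any" source (a database port reachable from the whole Internet is the usual finding) and confirms the file ends with a catch-all deny, which is what a default-deny rule set relies on. The watch list and the sample rule file are assumptions or constructed for the demo, modelled on the rules above.

```shell
#!/bin/sh
# Added example (not part of the original post): a lint pass over an ipfw
# rule file in the "add NNNN action proto from src to dst [port] [in|out]"
# form used above. It flags inbound allow rules that expose a watched port
# to "any" source and checks that the file ends with a catch-all deny. The
# port watch list and the sample rule file are assumptions / constructed
# for this demo.

WATCH_PORTS="22 3306"   # assumed: services that should never be open to the whole Internet

# write_sample_rules FILE: constructed rule set modelled on the one above
write_sample_rules() {
  cat > "$1" <<'EOF'
######### TCP ##########
add 10000 allow tcp from 1.2.3.4 to 10.10.10.1 22 in   # ssh from one trusted host
add 10001 allow tcp from any to 10.10.10.1 80 in       # http to everyone
add 10003 allow tcp from any to 10.10.10.1 3306 in     # mysql to everyone
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
########## UDP ##########
add 20001 allow udp from any 53 to 10.10.10.1
add 40000 deny ip from any to any
EOF
}

# find_exposed FILE: print "rule-number port" for each inbound allow rule
# whose source is "any" and whose destination port is on the watch list.
find_exposed() {
  awk -v watch="$WATCH_PORTS" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) ports[w[i]] = 1 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    # fields: 1=add 2=number 3=action 4=proto 5=from 6=src 7=to 8=dst 9=port ...
    $1 == "add" && $3 == "allow" && $6 == "any" && $7 == "to" && ($9 in ports) {
      print $2, $9
    }
  ' "$1"
}

# last_rule_is_deny FILE: succeed if the last "add" rule in the file is a deny.
last_rule_is_deny() {
  awk '$1 == "add" { last = $3 } END { if (last == "deny") exit 0; exit 1 }' "$1"
}

# Demo
rules=$(mktemp)
write_sample_rules "$rules"
echo "rules exposing watched ports to any source:"
find_exposed "$rules"                     # prints: 10003 3306
last_rule_is_deny "$rules" && echo "final rule is a catch-all deny"
rm -f "$rules"
```

The check is deliberately simple: it understands only the positional form shown above, so rules written with ipfw's "dst-port" or "me" keywords would need the field test extended before it is trusted on a larger rule set.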
16. Before 2007 I used FreeBSD in production for a while, directly in the live environment. I recently found some of the scripts I accumulated back then and am sharing them on the site, in case they are needed some day.
2006-11-11, 09:03
Samba notes:
With Samba as the primary domain controller, setting permissions from Windows clients:
net groupmap add rid=512 unixgroup="Domain Admins" ntgroup="Domain Admins"
net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
net groupmap add rid=514 unixgroup="Domain Guests" ntgroup="Domain Guests"
View the rights of a given account:
net -U jamers rpc rights list
2007-04-05, 09:16
Add user (for the lazy):
#!/usr/local/bin/bash
#usage: ./adduser username password "Name (PinYin)"
#-h 0 makes pw read the password from stdin, so it is not placed on the pw command line
echo "$2" | pw useradd "$1" -c "$3" -g users -s /bin/sh -m -h 0
#copy the disk quota settings of the template user "test"
edquota -p test "$1"
#-s makes smbpasswd read the new password (twice) from stdin
smbpasswd -a -s "$1" <<EOF
$2
$2
EOF
exit 0
Usage: ./adduser username password "Name (PinYin)"
17. Yesterday I switched the server's operating system to FreeBSD for better performance. A small problem came up during installation: everything was fine when testing in a virtual machine, but on the real server, after everything was configured, PHP pages would not run at all.
I added the following to Apache's httpd.conf:
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
Still no use. Then I tried the method from the older version, and it passed the test. What is going on?
AddType application/x-httpd-php .php
I never did find the cause; noting it here for reference.