Tuesday, August 30, 2016

Pac-Man eats apples

Computational thinking exercises
Please put your homework in the --Change password, profile picture-- folder

3 rows of 8 apples

Patrick Star walks

Trampoline

Friday, August 26, 2016

Slow

Wuci Junior High School website
National Teacher In-service Training Network

ajax.googleapis.com
fonts.googleapis.com

Tuesday, August 23, 2016

Solving the password-expiry problem for schools using the SFS3 LDAP module - 潘爸的喃喃自語

Because of the version upgrade, the student-affairs system now prompts users to change their password once it has been in use for 30 days.
Schools using LDAP, however, have to disable that page, so after logging in the user has no permission to access it
and is bounced back to the login screen, which makes users think the login failed.

Since LDAP is not an official module,
we have to help ourselves.
The fix is to add one line at the top of
/var/www/html/sfs3/modules/chpass/teach_cpass.php
:
<meta http-equiv="refresh" content="0;url=http://sfs3.??es.tc.edu.tw/sfs3/" />
But a single update will wipe that line out again,
so the file has to be protected from being overwritten.
Run this command:
chattr +i /var/www/html/sfs3/modules/chpass/teach_cpass.php


Because this file may occasionally be updated,
the flag has to be removed from time to time:

chattr -i /var/www/html/sfs3/modules/chpass/teach_cpass.php
After updating the student-affairs system, put the redirect line back in.
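The "put the redirect line back in" step after each SFS3 update, as an added Python helper that is not part of the original post: it prepends the post's meta refresh tag only when it is not already the first line, so it is safe to run repeatedly, and demo() exercises it on a constructed stand-in for teach_cpass.php. The hostnames in demo() are placeholders.

```python
"""Re-apply the SFS3 redirect line without duplicating it (added example).

Not part of the original post. The post's fix prepends a refresh tag to
teach_cpass.php and locks the file with chattr +i, so every SFS3 update means
chattr -i, update, then add the line again. ensure_redirect() makes that last
step safe to repeat; demo() runs it on a constructed stand-in file. Hostnames
below are placeholders (the post writes its own as sfs3.??es.tc.edu.tw).
"""
import tempfile
from pathlib import Path

META_PREFIX = '<meta http-equiv="refresh"'

def build_redirect(url: str) -> str:
    """Exactly the tag the post inserts, followed by a newline."""
    return f'{META_PREFIX} content="0;url={url}" />\n'

def ensure_redirect(path: Path, url: str) -> bool:
    """Make the refresh tag the first line of `path`.

    Returns True if the file was rewritten, False if it already began with the
    wanted tag. A stale tag for another URL is replaced, not stacked, so repeated
    runs (and hostname changes) always leave exactly one tag.
    """
    wanted = build_redirect(url)
    body = path.read_text(encoding="utf-8")
    if body.startswith(wanted):
        return False
    if body.startswith(META_PREFIX):
        _, _, body = body.partition("\n")   # drop the stale first line only
    path.write_text(wanted + body, encoding="utf-8")
    return True

def redirect_count(path: Path) -> int:
    """Number of refresh tags in the file; must be exactly 1 after patching."""
    return path.read_text(encoding="utf-8").count(META_PREFIX)

def demo() -> dict:
    """Patch twice with one URL, then once with a new hostname, and report."""
    php_body = "<?php\n// constructed stand-in for the SFS3 change-password page\n"
    target = Path(tempfile.mkdtemp()) / "teach_cpass.php"
    target.write_text(php_body, encoding="utf-8")
    first = ensure_redirect(target, "http://sfs3.school.invalid/sfs3/")
    second = ensure_redirect(target, "http://sfs3.school.invalid/sfs3/")
    moved = ensure_redirect(target, "http://sfs3.newhost.invalid/sfs3/")
    return {
        "first": first, "second": second, "moved": moved,
        "count": redirect_count(target),
        "body_kept": target.read_text(encoding="utf-8").endswith(php_body),
    }
```

The helper only edits the file contents; run chattr -i before and chattr +i after it, exactly as the post does.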

Monday, August 15, 2016

IPADDR=192.168.7.254--IPADDR=10.209.1.254--GATEWAY=163.17.209.254

IPADDR=192.168.7.254--GATEWAY=163.17.209.254


DEVICE=eth1
TYPE=Ethernet
UUID=9f069484-0db4-4838-9fd4-47cea6d639ff
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:20:F4:68
NETMASK=255.255.0.0
IPADDR=192.168.7.254
PREFIX=16
GATEWAY=163.17.209.254
DNS1=163.17.209.1
DOMAIN=wcjs.tc.edu.tw
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth1"


IPADDR=10.209.1.254--GATEWAY=163.17.209.254

DEVICE=eth2
HWADDR=00:0c:29:16:50:e4
TYPE=Ethernet
UUID=a6efb302-9a9f-45ed-a3ab-c2bcb68f667c
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
USERCTL=no
PEERDNS=yes
IPV6INIT=no
IPADDR=10.209.1.254
NETMASK=255.255.0.0
DNS2=163.17.40.1
GATEWAY=163.17.209.254
DNS1=163.17.209.1

Friday, August 12, 2016

[Linux] Installing LDAP Server 2.4 on CentOS 6


Recently, for a work assignment, I had to move the LDAP server from FreeBSD to CentOS, so here is a short note.
In principle, installing OpenLDAP on CentOS is very easy: just install it with YUM. My environment is as follows:
CentOS: 6. x86_64
OpenLDAP: 2.4.40
####################
yum install -y openldap-servers openldap-clients openldap-devel
/bin/cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG   -f 
#/bin/cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf   -f 
Copy the previous version's slapd.conf.obsolete
/bin/cp /163.17.209.1/etc/slapd.conf.obsolete  /etc/openldap/slapd.conf  -f
slappasswd
###################
/bin/cp /163.17.209.1/etc/openldap/slapd.conf  /etc/openldap/.  -f 
vim  /etc/openldap/slapd.conf
change root password
####################################
/bin/cp /163.17.209.1/etc/rsyslog.conf  /etc/.    -f
mkdir  /etc/openldap/ldif
/bin/cp /163.17.209.1/etc/openldap/ldif/base.ldif  /etc/openldap/ldif/.    -f 
vim  /etc/openldap/ldif/base.ldif
###########################################
rm -rf /etc/openldap/slapd.d/*
############ Build the directory structure ########################
slapadd -v -l /etc/openldap/ldif/base.ldif
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

systemctl start slapd.service 
systemctl status slapd.service
systemctl enable slapd.service

##############################################
ldapsearch -x -b "dc=wcjs,dc=tc,dc=edu,dc=tw"
############################################
rm -rf /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
############ Import data #### /home/lia/slapcat/y/20150301ldap.ldif ####################
slapadd -v -l /163.17.209.1/etc/ldap.ldif.1 
chown -R ldap:ldap /var/lib/ldap
systemctl restart slapd.service

firewall-cmd --add-service=ldap --permanent 
firewall-cmd --reload 
####################

Thursday, August 11, 2016

Configure DHCP ( Dynamic Host Configuration Protocol ) Server.

yum -y install dhcp

cp /163.17.209.1/etc/dhcp/dhcpd.conf /etc/dhcp/.

vim /etc/dhcp/dhcpd.conf

ddns-update-style none;
ignore client-updates;
option nis-domain  "wcjs.tc.edu.tw";
option routers     163.17.209.254;
option domain-name "w252.wcjs.tc.edu.tw";
option domain-name-servers 163.17.209.1, 168.95.1.1, 8.8.8.8;
option time-offset  -18000; # Eastern Standard Time
default-lease-time 28800;
max-lease-time 28800;
authoritative;
subnet 163.17.209.0 netmask 255.255.255.0 {
         range dynamic-bootp 163.17.209.75 163.17.209.200;
         host Epson6500 {
                 hardware ethernet 00:00:48:cc:9b:e5;
                 fixed-address 163.17.209.81;
         }
}


systemctl start dhcpd
systemctl status dhcpd
systemctl enable dhcpd 

firewall-cmd --add-service=dhcp --permanent 
firewall-cmd --reload 

CentOS 7.2 Proxy Server (Squid) installation and basic configuration (part 1)

yum -y install squid

cp /163.17.209.1/etc/squid/squid.conf /etc/squid/.

vim /etc/squid/squid.conf

# add follows to the end
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# do not display IP address
forwarded_for off


chown -R squid:squid /cache1

systemctl start squid 
systemctl status squid 
systemctl enable squid 

firewall-cmd --add-service=squid --permanent 
firewall-cmd --reload 

CentOS 6.8 Proxy Server (Squid) installation and basic configuration (part 1)

Web proxy server (Squid)
Just install it with yum.
Command:
yum install squid -y

/bin/cp /163.17.209.6/etc/squid/squid.conf /etc/squid/. -f 

chown -R squid:squid /cache1


service squid restart



Default config file path: /etc/squid/squid.conf
Default port: 3128 (can be changed)
Service start command: service squid start
Check that port 3128 is actually open
Command: netstat -antp
Some common basic settings
Edit /etc/squid/squid.conf
1. Enable the cache directory
The cache directory is squid's on-disk store. When a user requests a web page, squid saves the data into the cache directory. When a user connects to a site, squid first checks whether the cache directory already holds the same data; if it does, squid does not download another copy from the network but serves the cached data directly. If another user requests the same page and squid notices that the content has changed, it automatically downloads a fresh copy into the cache.
cache_dir ufs /var/spool/squid 100 16 256 (disabled by default; remove the # to enable it)
To set the cache to 2 GB:
cache_dir ufs /var/spool/squid 2000 16 256
2. Automatic cache cleanup
  • cache_swap_low 90
  • cache_swap_high 95
These settings mean that when disk usage reaches 95%, older cached data is deleted, and deletion stops once usage is back down to 90%.
3. Clearing the cache
  • Stop the squid service first -> service squid stop
  • Change to the cache directory: cd /var/spool/squid
  • Delete swap.state -> rm -rf /var/spool/squid/swap.state
  • Then restart the service -> service squid start
Squid ACL settings
Block a single IP (192.168.1.150) from connecting
acl  test  src  192.168.1.150/32
http_access deny test
Explanation:
test is a user-chosen name; the name on the two lines must match
Block an address range (192.168.1.150-192.168.1.200) from connecting
acl  test  src  192.168.1.150-192.168.1.200/32
http_access deny test
Block access to sites under a domain
acl  domain  dstdomain  .pchome.com.tw
http_access deny domain
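A checker for acl / http_access pairs like the ones above, as an added Python example that is not part of this note or of Squid. CONSTRUCTED_CONFIG is sample input in which an http_access line names an ACL that was never defined and a range has its ends typed in the wrong order; both are deliberate slips, and the second one shows why a mistyped range silently blocks nobody.

```python
"""Sanity-check Squid acl / http_access lines (added example, not Squid's code).
Only the syntax in this note is handled. It reports http_access lines naming an
undefined ACL (the "names must match" point) and src ranges typed start-above-end;
client_denied() mimics Squid: first match wins, and with no match the verdict is
the opposite of the last http_access action. CONSTRUCTED_CONFIG is sample input.
"""
import ipaddress

def parse_src(spec: str) -> tuple:
    """'a.b.c.d/mask' or 'a.b.c.d-w.x.y.z/mask' -> inclusive (low, high) ints."""
    addr, _, mask = spec.partition("/")
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{mask or 32}").netmask)
    lo, _, hi = addr.partition("-")
    low = int(ipaddress.IPv4Address(lo)) & netmask
    high = (int(ipaddress.IPv4Address(hi or lo)) & netmask) | (~netmask & 0xFFFFFFFF)
    return low, high

def check_config(text: str) -> tuple:
    """Return (acls, rules, problems) for a squid.conf fragment."""
    acls, rules, problems = {}, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if parts[:1] == ["acl"] and len(parts) >= 4:
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "src":
                low, high = parse_src(args[0])
                if low > high:
                    problems.append(f"acl {name}: range start is above end in {args[0]}")
            acls.setdefault(name, []).append((kind, args))
        elif parts[:1] == ["http_access"] and len(parts) == 3:
            action, name = parts[1], parts[2]
            if name not in acls:
                problems.append(f"http_access {action} {name}: ACL {name} is not defined")
            rules.append((action, name))
    return acls, rules, problems

def client_denied(acls: dict, rules: list, client_ip: str) -> bool:
    """True if client_ip is denied; only src ACLs can match an IP here."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, name in rules:
        for kind, args in acls.get(name, []):
            if kind == "src":
                low, high = parse_src(args[0])
                if low <= ip <= high:
                    return action == "deny"
    return bool(rules) and rules[-1][0] == "allow"  # no match: opposite of last rule

# Constructed sample: the note's snippets, a reversed range, a misspelled ACL name.
CONSTRUCTED_CONFIG = """acl  test  src  192.168.1.150/32
http_access deny test
acl  range  src  192.168.1.150-192.168.0.200/32
http_access deny range
http_access deny tset
"""
```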

正在停止 squid:2015/02/25 15:53:42| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
2015/02/25 15:53:42| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
................                                           [  確定  ]
正在啟動 squid:.                                          [  確定  ]

[root@w231 ~]#


Trying other mirror.
http://ftp.stu.edu.tw/Linux/CentOS/6/updates/x86_64/Packages/squid-3.1.10-22.el6_5.x86_64.rpm: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
ftp://ftp.free.fr/mirrors/ftp.centos.org/6/updates/x86_64/Packages/squid-3.1.10-22.el6_5.x86_64.rpm: [Errno 14] PYCURL ERROR 19 - "Given file does not exist"
Trying other mirror.
ftp://mirror.anl.gov/pub/centos/6/updates/x86_64/Packages/squid-3.1.10-22.el6_5.x86_64.rpm: [Errno 12] Timeout on ftp://mirror.anl.gov/pub/centos/6/updates/x86_64/Packages/squid-3.1.10-22.el6_5.x86_64.rpm: (28, 'connect() timed out!')
Trying other mirror.


Error Downloading Packages:
  7:squid-3.1.10-22.el6_5.x86_64: failure: Packages/squid-3.1.10-22.el6_5.x86_64.rpm from updates: [Errno 256] No more mirrors to try.

[root@www6 ~]# ^C

[root@www6 ~]#

Clear the download cache (/var/cache/yum)
yum clean all
###################


CentOS 6.8 hostname

vim /etc/sysconfig/network 
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns.wcjs.tc.edu.tw

Wednesday, August 10, 2016

firewalld

The sfs3 host stores all kinds of student data, so to protect that data carefully, let's go over firewalld.

Install firewalld

# yum install -y firewalld
Start the firewalld service:
# systemctl start firewalld
Start it at boot:
# systemctl enable firewalld

Check the firewall status:
# firewall-cmd --state

Firewall Zones

Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.).

To view the available zones
#firewall-cmd --get-zones

To view the default zone
#firewall-cmd --get-default-zone

Showing the currently allowed services and ports on your system. List all the allowed services:
#firewall-cmd --list-services

Working with Services

To view the predefined services:

#firewall-cmd --get-services

For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our "public" zone for this session by typing:
#firewall-cmd --zone=public --add-service=http

#firewall-cmd --zone=public --add-service=http  --permanent
#firewall-cmd --zone=public --remove-service=http  --permanent

Thus,
#firewall-cmd --permanent --zone=public --add-service=http
#firewall-cmd --permanent --zone=public --add-service=https
#firewall-cmd --reload

For sfs3
#firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.20.0/24" port protocol="tcp" port="80" accept'
#firewall-cmd --reload
#firewall-cmd --zone=public --list-all

remove
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.20.0/24" port protocol="tcp" port="80" accept'  --permanent
#firewall-cmd --zone=public --list-all


TCP Wrappers

Check whether sshd supports it:
#ldd /usr/sbin/sshd |grep wrap

Config files (editing either one is enough):
/etc/hosts.allow
/etc/hosts.deny

        sshd : 192.168.2.107 : deny
        sshd : 192.168.2. : allow
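The two hosts.allow lines above, evaluated with tcpd's lookup order, as an added Python example that is not part of the note or of the tcp_wrappers package. HOSTS_ALLOW is the note's pair of lines and HOSTS_DENY is a constructed catch-all; swapping the two allow-file lines is also tested, because the first matching line decides.

```python
"""Evaluate hosts.allow / hosts.deny rules the way tcpd does (added example).

This is not part of the note or of the tcp_wrappers package. It handles the
IPv4 pattern forms used here: ALL, a full address, a dotted prefix ending in
'.', and net/mask. Lookup order follows hosts_access(5): hosts.allow first,
then hosts.deny, first match wins, and a client matched by no rule is allowed.
An optional third field (allow/deny) overrides the file's own verdict, which is
why the note says either file alone is enough. Sample rule sets are constructed.
"""
import ipaddress

def pattern_matches(pattern: str, client_ip: str) -> bool:
    """Subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # '192.168.2.' matches 192.168.2.x
        return client_ip.startswith(pattern)
    if "/" in pattern:                          # '192.168.0.0/255.255.0.0' or CIDR
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(pattern, strict=False)
    return client_ip == pattern

def parse_rules(text: str) -> list:
    """'daemons : clients [: option]' lines -> [(daemons, clients, option)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def hosts_access(daemon: str, client_ip: str, hosts_allow: str, hosts_deny: str) -> bool:
    """True if tcpd would grant `daemon` to `client_ip` given both files' text."""
    for text, file_verdict in ((hosts_allow, True), (hosts_deny, False)):
        for daemons, clients, option in parse_rules(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if not any(pattern_matches(c, client_ip) for c in clients):
                continue
            if option in ("allow", "deny"):    # explicit option wins over the file
                return option == "allow"
            return file_verdict                # first match decides
    return True                                 # matched nowhere: access granted

# Constructed sample files. HOSTS_ALLOW is the note's two lines; HOSTS_DENY adds
# the usual catch-all so that hosts not named above are refused.
HOSTS_ALLOW = """sshd : 192.168.2.107 : deny
sshd : 192.168.2. : allow
"""
HOSTS_DENY = "sshd : ALL\n"
```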


Forgot the MariaDB password?

1. Stop the MariaDB service
# systemctl stop mariadb.service

2. Start safe mode
# mysqld_safe --skip-grant-tables &

3. Access the MySQL console and connect to the database:
# mysql -u root
>use mysql;

4. Create a new password for the root user, flush the new privileges, and exit the MySQL console like this:
> update user set password=PASSWORD("NEW_PASSWORD") where User='root';
> flush privileges;
> exit

Install php-ldap for sfs3

yum install -y php-ldap
systemctl restart httpd.service

6. Switching to the iptables service

On CentOS/RHEL 7, to use the iptables and ip6tables services instead of FirewallD, run the following commands as root to disable FirewallD first:

systemctl disable firewalld 

systemctl stop firewalld

Then install the iptables-services package by entering the following command as root:

The iptables-services package contains the iptables and ip6tables services. Then, as root, run the iptables and ip6tables commands:

systemctl start iptables 

systemctl start ip6tables 

systemctl enable iptables 

systemctl enable ip6tables

Original article: https://read01.com/QQ0R5.html

Tuesday, August 9, 2016

To-Enable-“setup”-command-in-CentOS-minimal-install.md

no “setup” command found in CentOS minimal install
In Minimum Install this will not get install
If we get below Error, we need to install some packages to get work with setup command
[root@masterdns ~] setup
-bash: setup: command not found
Here we can see how to install in minimal install
yum install setuptool -y
yum install system-config-network* -y
yum install system-config-firewall* -y
yum install system-config-securitylevel-tui -y
yum install system-config-keyboard -y
yum install ntsysv -y
Now we can use the setup utility. That's it.

Install sarg on ClearOS Version 6.x or Version 7.x for great proxy reports

Installation of SARG on ClearOS 6.x or ClearOS 7.x Reports for your web proxy i.e. squid...

First you need to understand this...
It is your responsibility to determine the suitability of any information
and/or software you receive from this site.If they happen to break
something, that's solely your own problem and you get to keep any and all
of the pieces :-) Also, as this program generates web pages, it is your
responsibility to validate the security of your web-site against attacks
etc. The rpm version below is current as of the time of writing.

The access security for the install below is more suitable if you use
static address(s) for your workstations that will be used to access the sarg
reports. A better alternative method may be available in the future for
using dynamic addresses...

A pre-requisite for this install is squid (web proxy) running, in use
generating records and the webserver (httpd/apache) running... If this is
NOT the case - then fix and come back later... Another pre-requisite is that
you are comfortable using the cli, familiar with rpms, repositories and
yum and lastly, editing configuration files.

1) Install SARG

Currently could find no rpm for ClearOS7, CentOS7 or rhel7 so have built one
using the latest source code from https://sourceforge.net/projects/sarg/

To get the rpm file we require wget, and for SARG a pre-requisite is gd.
If not already installed install them...

to check if wget installed...
# rpm -q wget

to check if gd installed...
# rpm -q gd

ClearOS 7.x to install wget and gd...

# yum install wget gd --enablerepo=clearos-centos,clearos-epel,clearos-centos-updates

ClearOS 6.x to install wget and gd...

# yum install wget gd --enablerepo=clearos*

Now download the rpm...

ClearOS Version 7.x
# wget http://danda.poweredbyclear.com/sarg7/sarg-2.3.10-3.v7.x86_64.rpm

ClearOS Version 6.x
# wget http://danda.poweredbyclear.com/kmod-clearos/sarg-2.3.10-3.v6.x86_64.rpm

# then install it...

ClearOS Version 7.x
# yum localinstall sarg-2.3.10-3.v7.x86_64.rpm

ClearOS Version 6.x
# yum localinstall sarg-2.3.10-3.v6.x86_64.rpm

If you are using ClearOS 6.x 32 bit then substitute "sarg-2.3.10-3.v6.i686.rpm"

2) Configure SARG

Edit "/etc/sarg/sarg.conf" and make changes as necessary, e.g.

search for "#date_format u" and change if necessary to your local
format e.g. "date_format e" for European (remove the comment or #).

That should do for now as the defaults are reasonable, but by all means
check them all for suitability :-) (especially if you have changed some
of the squid or httpd/apache defaults).

3) Fix problem sub-directory locations...

# mkdir /usr/share/sarg/
# ln -s /etc/sarg/fonts/ /usr/share/sarg/
# ln -s /etc/sarg/languages/ /usr/share/sarg/
# ln -s /etc/sarg/images/ /usr/share/sarg/

4) Now we check that we can generate a report

# sarg -x

We now need to allow access to the sarg pages from your workstation.

edit "/etc/httpd/conf.d/sarg.conf" and add the ip address(s) you will
use (quad decimal format is OK if you prefer that). Add extra lines 
for more workstations if required. An example :-


Alias /sarg /var/www/sarg

<Directory /var/www/sarg>
        DirectoryIndex index.html
        Order deny,allow
        Deny from all   
        Allow from 127.0.0.1
        Allow from ::1
#       Allow from your-workstation.com
        Allow from 192.168.2.28
        Allow from 192.168.1.17
        Allow from 192.168.3.27
</Directory>

Restart the webserver using the following command...

ClearOS 7.x
# systemctl restart httpd.service

ClearOS 6.x
# service httpd restart

Run the following to check the cron scripts, there should be no output on
the command line...

# /etc/cron.daily/sarg
# /etc/cron.weekly/sarg
# /etc/cron.monthly/sarg

5) Testing SARG - bliss :-) or despair :-( ?

Now go to http://your_webserver_ip/sarg and you should see the sarg home
page...

Click on "ONE-SHOT" and some data should appear, assuming squid has data
available, the rest will get populated as when the data from squid is 
created and the various cron jobs run to create the reports (daily, weekly
and monthly). Note these cron jobs to update the reports run during the early
hours of the morning, so if you shut off the server over-night you will need 
to make changes to ensure your reports are generated.

Access is limited to the name(s) or address(s) you enabled above. However,
if you use dynamic dhcp addresses, a different security method would be more
appropriate... This may be the subject of another "How-To" as and when time 
permits...

Good Luck!

Home Page for sarg - http://sarg.sourceforge.net/

see https://www.clearos.com/clearfoundation/social/community/install-sarg-on-clearos-version-6-x-or-version-7-x-for-great-proxy-reports#reply-121561
for Andy Godber's tip for SARG Realtime, and a few posts above for more details regarding the logs

yum install clamav-server

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y

sed -i -e 's/^Example/#Example/' /etc/clamd.d/scan.conf
sed -i -e 's/^Example/#Example/' /etc/freshclam.conf
vim /etc/clamd.d/clamd.conf

User clamscan
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

freshclam
freshclam
freshclam

vim /usr/lib/systemd/system/clam-freshclam.service

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target
[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
[Install]
WantedBy=multi-user.target

systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

ls -l /usr/lib/systemd/system/clam*
mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service
vim /usr/lib/systemd/system/clamd@scan.service -> in the line
.include /lib/systemd/system/clamd@.service
remove the @ (the unit file was renamed to clamd.service above)
vim /usr/lib/systemd/system/clamd.service

[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target
[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes
Restart = on-failure
PrivateTmp = true
[Install]
WantedBy=multi-user.target

systemctl enable clamd.service
systemctl start clamd.service
systemctl enable clamd@scan.service
systemctl start clamd@scan.service

setsebool -P antivirus_can_scan_system 1
setsebool -P clamd_use_jit 1