Earlier we went through the OS setup and basic software installation for the firewall and reverse proxy together, so now we can start on application configuration. The applications that need configuring are ufw, fail2ban and nginx.
Category: UNIX Admin
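Tutorial: Using a Pi as a Firewall and Reverse Proxy
I just saw a friend say that their NAS was hijacked by a hacker and the disk encrypted; the same unfortunate thing actually happened to me back in October 2019. As it happens, something useful came out of it, so I'll share my solution for everyone's reference: use a very simple Pi or Linux-based appliance as a firewall + reverse proxy to reduce the risk.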
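Rebuilding WordPress with Duplicator Pro – Part 2
I originally wanted to cover rebuilding WordPress with Duplicator Pro in a single article, but rebuilding the OS, the basic LAMP stack and MySQL already ran long, so in the end it is this article that covers the Duplicator Pro process.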
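Rebuilding WordPress with Duplicator Pro – Part 1
A week ago, through carelessness, I forgot while upgrading Ubuntu that doing a release upgrade over SSH is a medium-risk operation (even though nothing had gone wrong on any previous occasion), and the server instance ended up bricked because of a session timeout. After a lot of effort, the only option left was to rebuild the server instance and WordPress. Speaking of WordPress, luckily I had earlier bought Duplicator Pro for backups, and this time I used exactly that to rebuild my WordPress.
Live Streaming to YouTube through a Squid Proxy
Christmas is coming, and it so happens that my team has finished off everything on my plate, so I have quite a bit of free time. Yesterday I also went to Goldfish Street and bought four packs of things: aquatic plants, a pack of fish, a pack of snails and one crayfish (freshwater lobster). At lunch everyone suggested starting a 魚樂無窮 (fish tank) channel. So we set about trying live streaming with a USB webcam on the desktop version of YouTube, but... once again the corporate firewall blocked all the ports (proof that the infra team did their homework for me), so of course I had to leverage my Squid proxy.
How to ban spammers on Linux/Unix?
When reviewing syslog and mail.log you will often see a lot of spammers, and the most common observation is brute-force attacks. Of course, under normal circumstances a strong password policy makes it hard for a spammer to get in, but the better approach is a preventive control.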
    Dec 10 13:53:12 delta dovecot: auth-worker(9742): pam(sir@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
    Dec 10 13:53:14 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
    Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
    Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
    Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
    Dec 10 13:53:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Dec 10 13:54:05 delta dovecot: auth-worker(9742): pam(sistemas@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
    Dec 10 13:54:07 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
    Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
    Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
    Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
    Dec 10 13:54:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Dec 10 13:55:07 delta dovecot: auth-worker(9841): pam(six@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
    Dec 10 13:55:09 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
    Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
    Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
    Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
    Dec 10 13:55:51 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
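Stopping unnecessary Dovecot info logs
Those who run dovecot as imapd/popd on Linux/Unix may feel the same as I do: dovecot's info messages and logs are just too many and too annoying. So everyone is bound to ask: how can the unnecessary Dovecot info logs be stopped?
Common, very annoying info logs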
    Dec 10 09:50:20 sigma dovecot: imap(adrian): Logged out in=80 out=1262
    Dec 10 09:50:20 sigma dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=30133, secured, session=<rwUcvE+ZCrB/AAAB>
    Dec 10 09:50:20 sigma dovecot: imap(adrian): Logged out in=110 out=1282
    Dec 10 09:50:21 sigma dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=30134, secured, session=<BgYcvE+ZDLB/AAAB>
    Dec 10 09:50:21 sigma dovecot: imap(adrian): Logged out in=280 out=1227
    Dec 10 09:50:25 sigma dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=30136, secured, session=<PgFovE+ZDrB/AAAB>
    Dec 10 09:50:25 sigma dovecot: imap(adrian): Logged out in=28 out=769
    Dec 10 09:52:21 sigma dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=30141, secured, session=<dkNEw0+ZELB/AAAB>
    Dec 10 09:52:21 sigma dovecot: imap(adrian): Logged out in=89 out=882
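Setting up Greylisting on Postfix
The previous article briefly explained how to install Postfix as a mail server. A mail server receives email as well as sending it, and when your mail server keeps receiving junk/spam there are several ways to deal with it. Today's tutorial uses greylisting to solve the problem.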
Postgrey
Public Anti-Spam Blacklists
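Building Postfix + SPF + DKIM + DMARC
Because AlphaRacks.com, the VPS hosting provider I had used for several years, suddenly went out of business, I was forced to find a new hosting provider, and the part I least wanted to do was of course rebuilding the mail server. You could also use a Raspberry Pi or OrangePi, of course. The VPS provider this time is SnowVPS.com, and the OS chosen is of course Ubuntu 16.04. Since this starts from scratch, I am recording the installation procedure this time so that anyone who needs it can refer to it. The SMTP server installed is Postfix, with SPF added as an inbound/outbound filter, plus DKIM and DMARC for email authentication. I will also use greylisting to strengthen the spam filter.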
OrangePi Zero – Reverse Proxy
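Because 網上爬 really is rather slow, while 4G is fast but still has a usage cap (the plan I subscribe to is 50G on a 4.5G network), and because I want to make convenient use of system resources, I split my home network in two. For this project, I want to use an OrangePi Zero as a reverse proxy so that devices living on the 4G part of the network can get in and out of the internet through the fixed-fee 網上爬 link.
A dumb shell script
I haven't written a program in many years; today my hands were itching, so I'm trying something new.
I have a whole handful of zip files, and the sheer number is the problem: unzipping them on Windows would take forever and a lot of keystrokes, and in a batch file I can no longer use commands like pkzip -d… plus my batch-file skills are really on a par with the EDB Secretary's (no good). So I simply put all the zip files on a Raspberry Pi and wrote a shell script to knock them out.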
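    #!/bin/bash
    # Extract every .zip in the current directory into unzip/<archive name>/
    shopt -s nullglob                 # no matching files: the loop body is skipped
    for f in *.zip; do
        echo "$f"
        file=$(basename "$f")
        filename="${file%.*}"         # archive name without its extension
        # extension="${file##*.}"
        echo "mkdir: $filename"
        mkdir -p "unzip/$filename"    # -p also creates unzip/ if it is missing
        unzip "$f" -d "unzip/$filename"   # quoted so names with spaces work
    done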
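Roughly, the script scans all the zip files in the directory, creates a directory named after each zip file, and extracts all the files into that sub-directory.
For the file transfer I use WinSCP; it took less than three minutes to get it all done.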