Recently one of our servers was flagged by the security team for a Java deserialization vulnerability. The recommended fix was:
Upgrade Commons-Collections.jar to the latest version; official download:
http://commons.apache.org/proper/commons-collections/download_collections.cgi
Note: run the relevant functional tests after upgrading.
After checking the jar it turned out that the application on this server is not compatible with the latest version, so instead I used iptables to block access to the port from outside the machine:
# Generated by iptables-save v1.4.8 on Sat Jun 15 23:23:13 2013
*filter
:INPUT ACCEPT [35:6316]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:1648]
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT
COMMIT
# Completed on Sat Jun 15 23:23:13 2013

Load the rules with iptables-restore < rules.txt, then:

Start the firewall service at boot:
chkconfig iptables on

Persist the rules across reboots:
service iptables save
This writes the rules to /etc/sysconfig/iptables, which is read automatically on reboot.
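An added check, not part of the original post: a shell function that reads an iptables-save dump and verifies that a port really is restricted to localhost, including the rule order (a REJECT placed before the 127.0.0.1 ACCEPT would cut off the local application too). The filter only hides the port from the network; the deserialization endpoint itself is unchanged and still reachable from the box. The sample dumps below are constructed inline.

```shell
# Reads an iptables-save dump on stdin and checks that TCP port $1 is
# reachable only from 127.0.0.1. Exit status 0 = OK, 1 = problem found.
audit_port_rules() {
    awk -v port="$1" '
        /^-A INPUT / && $0 ~ ("--dport " port "( |$)") {
            n++
            if ($0 ~ /-j ACCEPT/ && $0 ~ /-s 127\.0\.0\.1(\/32)? /) {
                if (!blocked) lo_ok = 1      # localhost ACCEPT seen before the block rule
            } else if ($0 ~ /-j ACCEPT/ && $0 !~ /-s /) {
                open = 1                     # unconditional ACCEPT: port is open to all
            } else if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /-s /) {
                blocked = 1                  # catch-all block rule
            }
        }
        END {
            if (!n)       { print "FAIL: no INPUT rule for port " port ", port is open to all"; exit 1 }
            if (open)     { print "FAIL: unconditional ACCEPT for port " port; exit 1 }
            if (!blocked) { print "FAIL: no catch-all REJECT/DROP for port " port; exit 1 }
            if (!lo_ok)   { print "FAIL: localhost ACCEPT missing or placed after the REJECT"; exit 1 }
            print "OK: port " port " restricted to localhost"; exit 0
        }'
}

# Constructed sample dumps, same shape as the iptables-save output above.
good_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8080 -j REJECT' 'COMMIT'
}
# Same two rules in the wrong order: the REJECT matches first, so even
# local connections to 8080 are refused.
misordered_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 8080 -j REJECT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT' 'COMMIT'
}

good_rules | audit_port_rules 8080 || :         # OK: port 8080 restricted to localhost
misordered_rules | audit_port_rules 8080 || :   # FAIL: localhost ACCEPT missing or placed after the REJECT
```

On a live host run it as `iptables-save | audit_port_rules 8080`.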

Categories: Reflections Tags:

Recently an interface provided by the company IT department returned data that can only be parsed in a Windows environment, but all the servers in my department have already been migrated to Linux, so I took a spare Ubuntu server and ran Windows 2008 in VirtualBox on it.
Following Oracle VirtualBox's terminology, the Ubuntu system is the host and the Windows 2008 to be installed is the guest.
The host is:

Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

and the guest image is:

cn_windows_server_2008_r2_X64_standard_enterprise

Both systems are 64-bit.
First, on the host, add VirtualBox's public key for apt-secure:

wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

Then add the following line to /etc/apt/sources.list:

deb http://download.virtualbox.org/virtualbox/debian vivid contrib

Replace 'vivid' with 'utopic', 'trusty', 'raring', 'quantal', 'precise', 'lucid', 'jessie', 'wheezy' or 'squeeze' according to your distribution release. Mine is trusty, so the line becomes:

deb http://download.virtualbox.org/virtualbox/debian trusty contrib

Then install virtualbox-5.0:

sudo apt-get update
sudo apt-get install virtualbox-5.0

The installer registers the VirtualBox kernel modules with dkms so that they are rebuilt automatically when the kernel is updated. If dkms is not present, install it:
sudo apt-get install dkms
If you get the signature error “The following signatures were invalid: BADSIG …”, run:

# sudo -s -H
# apt-get clean
# rm /var/lib/apt/lists/*
# rm /var/lib/apt/lists/partial/*
# apt-get clean
# apt-get update

Once installed, since this is the server edition of Ubuntu, all VM operations (create, install, delete and so on) are done with the vboxmanage command-line tool.
Switch to root so that permissions are not an issue:
sudo su
Then create the virtual disk for the VM under the virtualboxHD directory; 50 GB is enough:

vboxmanage createhd --filename virtualboxHD/win2008server --size 50000

Then create a guest VM named win2008x64. The ostype is important and must match the guest; list the supported types with:

VBoxManage list ostypes

Creating the VM:

vboxmanage createvm --name='win2008x64' --ostype='Windows2008_64' --register

Give the guest 1 GB of memory:

vboxmanage modifyvm "win2008x64" --memory 1024

Create a storage controller and attach the new disk and the installation image to it:

vboxmanage storagectl "win2008x64" --name "IDE Controller" --add ide --bootable on
vboxmanage storageattach "win2008x64" --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium virtualboxHD/win2008server.vdi
vboxmanage storageattach "win2008x64" --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium Win2008_R2_x64fre_server_eval_zh-cn-GRMSXEVAL_CN_DVD.iso

Next, set the network type to bridged and configure the port used to control the guest (VRDE):

vboxmanage modifyvm "win2008x64" --nic1 bridged
vboxmanage modifyvm "win2008x64" --bridgeadapter1 eth0
vboxmanage modifyvm "win2008x64" --vrde on
vboxmanage modifyvm "win2008x64" --vrdeport 6000
vboxmanage modifyvm "win2008x64" --vrdeaddress 10.103.236.182

vrdeaddress here is the host's IP address.
Set VRDE authentication to external, using the simple authentication library:

vboxmanage modifyvm "win2008x64" --vrdeauthtype external
vboxmanage modifyvm "win2008x64" --vrdeauthlibrary VBoxAuthSimple

Then generate a password hash:

vboxmanage internalcommands passwordhash "密码"

Store the generated hash under a user name:

vboxmanage setextradata "win2008x64" "VBoxAuthSimple/users/用户名" "生成的密码"

Now the guest can be started:

vboxmanage startvm "win2008x64" --type headless

Open Remote Desktop (mstsc) on your own PC, log in with the user name and password just created and connect to 10.103.236.182:6000 to watch the guest's OS installation. At this point the installation failed with the error:
…cpu is not compatible with 64-bit mod
Back on the host command line, power off the guest:

vboxmanage controlvm "win2008x64" poweroff

Then change the CPU configuration so that it supports a 64-bit guest:

vboxmanage setextradata "win2008x64" VBoxInternal/CPUM/CMPXCHG16B 1

Starting the guest again gave the same error. The flags in /proc/cpuinfo included vmx, so the host CPU does support virtualization. After a long search on the VirtualBox site it turned out that VT-x also has to be enabled in the host's BIOS, so I went to the machine room, enabled the Intel Virtualization Technology option in the BIOS, restarted the guest and the installation succeeded.
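An added helper, not from the original post, for the trap hit above: /proc/cpuinfo keeps listing vmx even when VT-x is disabled in the BIOS, so the flag alone proves nothing. The deciding value is the IA32_FEATURE_CONTROL MSR (0x3a), which on a real host can be read with rdmsr from msr-tools (needs root and the msr kernel module). The function takes the flags line and the MSR value as strings so it can be exercised with constructed values.

```shell
# Decide whether Intel VT-x is usable, from two inputs:
#   $1: the "flags" line from /proc/cpuinfo
#   $2: IA32_FEATURE_CONTROL (MSR 0x3a) in hex, as `rdmsr 0x3a` prints it
# MSR bit 0 is the BIOS lock bit, bit 2 enables VMX outside SMX. Locked with
# bit 2 clear is the "disabled by BIOS" case from the post. If the lock bit is
# clear the hypervisor may set the enable bits itself, so VT-x is usable.
vtx_state() {
    flags="$1"; msr="$2"
    case " $flags " in
        *" vmx "*) ;;                       # CPUID advertises VT-x
        *) echo "unsupported"; return 2 ;;
    esac
    val=$(( 0x$msr ))
    lock=$(( val & 1 ))
    vmx_outside_smx=$(( (val >> 2) & 1 ))
    if [ "$lock" -eq 1 ] && [ "$vmx_outside_smx" -eq 0 ]; then
        echo "disabled-by-bios"; return 1
    fi
    echo "usable"; return 0
}

# Constructed flags line mirroring the host in the post (vmx present).
FLAGS_WITH_VMX="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush vmx smx est tm2 ssse3 cx16"

vtx_state "$FLAGS_WITH_VMX" 1 || :      # disabled-by-bios (locked, VMX bits clear)
vtx_state "$FLAGS_WITH_VMX" 5 || :      # usable (locked, VMX outside SMX enabled)
vtx_state "fpu vme de pse tsc" 5 || :   # unsupported (no vmx flag at all)
```

On a live host: `vtx_state "$(grep -m1 '^flags' /proc/cpuinfo)" "$(rdmsr 0x3a)"`.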

Next comes the guest's network configuration, which requires the guest to be powered off. Since there was no spare IP address, bridged mode was no longer an option and I switched to NAT.
The command for bridged mode:

VBoxManage modifyvm "win2008x64" --nic1 bridged --cableconnected1 on --nictype1 82540EM --bridgeadapter1 eth0 --intnet1 brigh1 --macaddress1 auto

The command to switch to NAT:

VBoxManage modifyvm "win2008x64" --nic1 nat

Then forward port 3389 to the host:

VBoxManage modifyvm "win2008x64" --natpf1 "guestrdp,tcp,,3389,,3389"

Now Remote Desktop on your own PC can connect to the guest directly through the host's IP.

That completes the configuration.


Installing openconnect on Mac OS

8,573 views / 2014.11.19 / 1:01 PM

A while ago I described how to connect to a Cisco VPN with openconnect on Mac OS, but many friends did not know how to install openconnect, so here is the procedure.
Download links:
Homebrew http://brew.sh/
VPNC http://www.infradead.org/openconnect/vpnc-script.html

Here is a high level set of steps to install and configure it for your use. As always, proceed at your own risk, make a backup, complete your last will and testament, and accept that your computer may overheat and fuse into a worthless pile of slag as a result of following these directions.

Installs

You’ll need openconnect and vpnc-script.

I used Homebrew to install openconnect.

$ brew install openconnect

The caveats for openconnect warn you that you’ll need the TUN/TAP kernel extensions. Get TUN/TAP from http://tuntaposx.sourceforge.net/download.html. After running the installer, run

$ cd /Library/Extensions
$ sudo kextload -v tun.kext

Download vpnc-script. I saved mine to /usr/local/bin/vpnc-script. Make sure the script is executable.

$ chmod +x /usr/local/bin/vpnc-script

Configuration

You can view the openconnect command options by running

$ sudo openconnect

Rather than enter the options each time you want to create a virtual private network, create an openconnect configuration file and put the configuration values you need there.

$ cd ~
$ touch .openconnect
$ vim .openconnect

Here is my .openconnect file:

authgroup=root
user=root
no-cert-check
script=/usr/local/bin/vpnc-script
background
passwd-on-stdin

Fill in your own authgroup and user information.

There is no configuration necessary for vpnc-script.
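An added example, not part of the original post: a small audit of an .openconnect file like the one above. It flags `no-cert-check`, which disables validation of the VPN gateway's certificate (pinning the gateway with openconnect's `servercert=` option is the safer setting), and a `script=` path that is missing or not executable, since openconnect runs that script as root. The sample configs are constructed in a temp directory; the hash in the pinned config is a placeholder.

```shell
# Audit an openconnect config file ($1). Exit 0 if clean, 1 if a problem is found.
audit_openconnect_conf() {
    conf="$1"; rc=0
    # Weak setting: gateway certificate is not verified at all unless it is pinned.
    if grep -qx 'no-cert-check' "$conf" && ! grep -q '^servercert=' "$conf"; then
        echo "WARN: no-cert-check without a servercert= pin: gateway certificate is not verified"
        rc=1
    fi
    # The script named here is executed as root at connect time.
    script=$(sed -n 's/^script=//p' "$conf")
    if [ -n "$script" ] && [ ! -x "$script" ]; then
        echo "WARN: script=$script is missing or not executable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample configs (same layout as the post's .openconnect).
tmp=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$tmp/vpnc-script"
chmod +x "$tmp/vpnc-script"
printf '%s\n' 'authgroup=root' 'user=root' 'no-cert-check' \
    "script=$tmp/vpnc-script" 'background' 'passwd-on-stdin' > "$tmp/weak.conf"
printf '%s\n' 'authgroup=root' 'user=root' 'servercert=HASH_PLACEHOLDER' \
    "script=$tmp/vpnc-script" 'background' 'passwd-on-stdin' > "$tmp/pinned.conf"

audit_openconnect_conf "$tmp/weak.conf" || :     # WARN: no-cert-check without a servercert= pin ...
audit_openconnect_conf "$tmp/pinned.conf" || :   # OK
```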

Running openconnect

With a configuration file in place, here’s how to start a VPN:

$ sudo openconnect --config ~/.openconnect https://your.vpn.url

If you don’t want to have to enter your local account password for the sudo command, you can add an exception for the openconnect command to /etc/sudoers, like so (keep in mind that openconnect runs the script it is given as root, so this exception removes the password prompt that otherwise stands between an admin-group session and root):

$ sudo visudo -f /etc/sudoers

And add this line to the file:

%admin ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

Finally, create an alias for the openconnect command above to make life easier.


function socket($host, $url, $content, $port = 80) {
    $data = "POST " . $url . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($content) . "\r\n";
    $data .= "Connection: close\r\n";  // without this the feof() loop below waits for the server's keep-alive timeout
    $data .= "\r\n";
    $data .= $content;                 // the body must be exactly Content-Length bytes, no trailing CRLF
    $sock = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$sock) {
        echo 'No response from ' . $host . ": $errstr ($errno)\n";
        return null;                   // bail out instead of writing to a failed handle
    }
    fwrite($sock, $data);
    $r = "";
    while (!feof($sock)) {
        $r .= fgets($sock, 1024);
    }
    fclose($sock);
    // crude extraction of the JSON object from the raw response (headers included)
    return preg_match("/(\{.+\})/", $r, $m) ? $m[1] : null;
}

function socket_by_curl($host, $url, $content, $port = 80) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://' . $host . $url);
    curl_setopt($ch, CURLOPT_PORT, $port);  // honour the $port parameter
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $r = curl_exec($ch);
    curl_close($ch);
    if ($r === false) {
        return null;                   // transport error
    }
    return preg_match("/(\{.+\})/", $r, $m) ? $m[1] : null;
}


Batch-extracting rar files into their own folders on Linux

5,341 views / 2014.01.12 / 10:10 PM

Anyone who has used WinRAR knows this: on Windows you select several archives, right-click, and get the option to extract each archive into a separate folder, which is very convenient for unpacking many files at once. On Linux the same thing can be done as follows:

for i in *.rar
do
    [ -e "$i" ] || continue    # no .rar files: the glob stays literal, skip it
    d="${i%.rar}"              # folder name = archive name without the extension
    mkdir -p "$d"
    unrar x "$i" "$d/"         # trailing slash marks the destination directory
done
