แสดงกระทู้

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - golfreeze

Pages: [1] 2 3 ... 72
1
===for centos , debian 11
cd /usr/local/directadmin/scripts/custom
wget https://raw.githubusercontent.com/poralix/directadmin-utils/master/php/php-extension.sh -O php-extension.sh
chmod 750 php-extension.sh
./php-extension.sh install redis

==for freebsd
cd /usr/local/directadmin/scripts/custom
wget https://raw.githubusercontent.com/poralix/directadmin-utils/master/php/php-extension.sh -O php-extension.sh
chmod 750 php-extension.sh

mkdir -p /usr/local/src
และแก้ไข #!/bin/bash -> #!/usr/local/bin/bash ใน php-extension.sh แล้วรัน
./php-extension.sh install redis

2
csf lfd stop alert email for nrpe on debian os directadmin
กรณีมีอีเมลส่งมาแจ้ง เยอะ alert สามารถแก้ไขเพื่อไม่ให้ส่ง email จาก service csf ที่เป้นหัวข้อ lfd ได้โดย

If debian enable “csf” need allow on csf.conf “TCP_in” and “TCP_out” and
Disable lfd for resource usage

Subject: lfd on packetlove.com: Excessive resource usage: nagios (494190 (Parent PID:494190))
From:  <root@packetlove.com>
Message-Id: <E1ne3x7-002N0R-7t@packetlove.com>
Date: Tue, 12 Apr 2022 07:00:13 +0700

Time:         Tue Apr 12 07:00:13 2022 +0700
Account:      nagios
Resource:     Process Time
Exceeded:     75567 > 1800 (seconds)
Executable:   /usr/local/nagios/bin/nrpe
Command Line: /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f
PID:          494190 (Parent PID:494190)
Killed:       No

--1649721613-eximdsn-849789542--

==แก้ไขเพื่อไม่ให้ส่ง email ได้โดย
vi /etc/csf/csf.pignore
user:nagios
exe:/usr/local/nagios/bin/nrpe
cmd:/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -f
==reload csf rule 1 รอบ
csf -r

3
วันนี้มีโจทย์ให้ทำ บน DirectAdmin ให้ uninstall pureftp และทำการ enable proftpd พร้อมกับ sFTP feature ขึ้นมา

==เริ่มด้วย stop pureftp first เพราะ default ลงมาเป็น pureftp
cd /usr/local/directadmin/custombuild
./build set pureftpd_uploadscan no

ทำการ build proftpd
# cd /usr/local/directadmin/custombuild
# ./build update
# ./build set ftpd proftpd
# mkdir -p custom/proftpd/conf (make a directory for custom ProFTPd config that adds mod_sftp)
# wget -O custom/proftpd/configure.proftpd http://files.directadmin.com/services/all/sftp/configure.proftpd.sftp
# wget -O custom/proftpd/conf/proftpd.conf http://files.directadmin.com/services/all/sftp/proftpd.conf
# chmod 755 custom/proftpd/configure.proftpd
# wget -O /etc/proftpd.sftp.conf http://files.directadmin.com/services/all/sftp/proftpd.sftp.conf
# mkdir /etc/proftpd.ssl
# cp /etc/ssh/ssh_host_rsa_key* /etc/proftpd.ssl
# chmod 400 /etc/proftpd.ssl/ssh_host_rsa_key
# cp /etc/proftpd.sftp.conf /etc/proftpd.sftp.conf_original

===Edit /etc/proftpd.sftp.conf ตรงส่วน SFTPHostKey ให้ไปชี้ /etc/proftpd.ssl/ssh_host_rsa_key แทน !!!! ไม่งั้นจะทำงาน sftp ไม่ได้ ===
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
# The SFTP configuration
# Port 23
Port 22 # Change to standard port now possible after moving SSH to 44
AuthUserFile /etc/proftpd.passwd
TransferLog /var/log/proftpd/xferlog.legacy
ExtendedLog /var/log/proftpd/75.126.244.2.bytes WRITE,READ userlog
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
# SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/proftpd.ssl/ssh_host_rsa_key # Change to use key pair copied to /etc/proftpd.ssl and given necessary rights (0400) for mod_sftp.c work.
SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys

หลังจากนั้นทำการ rebuild อีกรอบ
# cd /usr/local/directadmin/custombuild
# ./build proftpd
service proftpd restart

แล้วเทสกับ Filezilla ก็จะใช้งาน sFTP ได้ครับผม  :)

===recompile proftpd
https://forum.directadmin.com/threads/how-to-set-up-your-proftpd-ftp-server-to-support-the-secure-protocols-while-disabling-insecure-ftp.65025/
https://forum.directadmin.com/threads/proftpd-issue-with-sftp.63352/
https://docs.directadmin.com/other-hosting-services/ftp/general.html

4
upgrade mac-os แล้วทำการ copy text content on terminal ไม่ได้

คือหลังจากอัฟเกรด mac os จาก mojave-> montery แล้วทำการ copy text บน terminal ไม่ได้แก้ไขโดย ไปที่
Terminal -> View -> ติ๊กถูก Allow Mouse Reporting ออก 

 8)

5
ถ้าเจอปัญหาเรื่อง nagios check_ping: CRITICAL - Could not interpret output from ping command #46
sh-4.4# su - nagios
$ /bin/ping -n -U -w 30 -c 5 127.0.0.1
ping: socket: Address family not supported by protocol
$ /bin/ping -4 -n -U -w 30 -c 5 127.0.0.1
ping: socket: Operation not permitted


สามารถทำการแก้ไขได้โดย
sh-4.4# chmod +s /bin/ping
sh-4.4# su - nagios
$ /bin/ping -4 -n -U -w 30 -c 5 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.097 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.053 ms

==special thank : https://github.com/bodsch/docker-icinga2/issues/46

6
On CentOS8.x End of life , then if you running "yum update" will found error

Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist

So how to fixed

==change mirrorlist ==
sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-*
sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-Linux-*

== install centos-release-stream
sudo dnf install centos-release-stream -y
sudo dnf swap centos-{linux,stream}-repos -y
sudo dnf distro-sync -y

yum update
==finished ==
 ;)

Special Thank:
https://flutterq.com/failed-to-download-metadata-for-repo-appstream-cannot-prepare-internal-mirrorlist-no-urls-in-mirrorlist/

7
หลังจากทำการ extend disk ผ่าน vcenter ต้องทำการรัน eagerzeroedthick ด้วยสำหรับ disk ที่มีการ share กันระหว่าง clustering เนื่องจากมีการปรับค่ากลับไปเป็น lazy ในตอนแรกต้องทำกลับมาเป้น eagerzeroedthick
เปิด ssh service on esx-i แล้วใช้ putty login เข้าไปที่ console
 
vmkfstools --eagerzero /vmfs/volumes/myVMFS/VMName/disk.vmdk

รอการปรับ disk ระยะเวลาที่ใช้ประมาณ 30-60 นาทีสำหรับ 500GB ขึ้นอยู่กับขนาดที่ปรับ
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-60B9C89A-6638-43FA-A8E3-4DACAC85FC29.html

8
===install squid on ubuntu20.04
apt update
apt install squid
systemctl status squid.service
systemctl enable squid.service
vi /etc/squid/squid.conf

===start of squid.conf===
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
 # Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager
 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on "localhost" is a local user
 #http_access deny to_localhost
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 #
 include /etc/squid/conf.d/*
 ##allow user pass authen via proxy
 auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwords
 auth_param basic realm proxy
 acl authenticated proxy_auth REQUIRED
 ##add from golf ip whois current ip check via https://whatismyipaddress.com/
 acl localnet src 49.228.38.136
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 #http_access allow localnet
 #http_access allow localhost
 http_access allow authenticated
 # And finally deny all other access to this proxy
 http_access deny all
===end of squid.conf===

===after that last step need to install for htaccess password user
apt install apache2-utils
htpasswd -c /etc/squid/passwords axpkl2
systemctl restart squid.service
ufw allow 3128

=====Ip: 116.204.180.2
=====setup proxy user and password
htpasswd  /etc/squid/passwords axpkl3


==test from pc or Macbook (49.228.38.136)
curl -v -x http://axpkl2:pklpkl2@116.204.180.2:3128 http://www.google.com/

=====show log could connect via proxy normally
===tail -f /var/log/squid/access.log
==DENIED
1643733370.341      0 49.228.38.136 TCP_DENIED/407 4051 CONNECT www.google.com:443 axpkl HIER_NONE/- text/html
==CONNECTED
1643733378.519    291 49.228.38.136 TCP_TUNNEL/200 26450 CONNECT www.google.com:443 axpkl2 HIER_DIRECT/142.250.199.36

9
migrate and export redis on prem and restore to AWS elasticache

======Example: Redis Backup ==> https://www.w3resource.com/redis/redis-backup.php
The example given below creates the backup of the current database.
127.0.0.1:6379> SAVE
OK
This command will create the dump.rdb file in your redis directory.

Restore:
CONFIG GET
To restore redis data just move redis backup file (dump.rdb) into your redis directory and start the server. To get your redis directory use CONFIG command can be used. The CONFIG GET command is used to read the configuration parameters of a running Redis server.
127.0.0.1:6379> CONFIG get dir
1) “dir"
2) "/var/lib/redis/6379”
In the output of above command "/var/lib/redis/6379" is the directory, where redis server is installed.

==== restore .rdb to AWS elastic ache  https://github.com/leonchen83/redis-rdb-cli
apt-get install openjdk-8-jdk
wget https://github.com/leonchen83/redis-rdb-cli/releases/download/v0.7.4/redis-rdb-cli-release.zip
unzip redis-rdb-cli-release.zip
cd ./redis-rdb-cli/bin
./rmt -h

==connect via stunnel4 need to connect via stunnel
./rmt -s dump.rdb -m redis://172.31.20.105:6374 -r
get golf2
or
./rmt -s dump.rdb -m redis://172.31.20.105:6374 -t list -d 0
 \[    5 B|    3 B/s]

10
upgrade php7.4 on directadmin

==== upgrade PHP7.4
cd /usr/local/directadmin/custombuild
./build update
./build set php1_release 7.4
./build set php1_mode php-fpm

./build php n
./build rewrite_confs

===If found error
Libjpeg not found

==fixed by install libjpeg-devel on centos
yum install libjpeg-devel
yum -y install krb5-devel

==fixed by install libjpeg-devel on Debian
apt install libjpeg-dev
apt install krb5-dev

==fixed by install on freebsd [checking whether to build with LIBXML support... yes
checking for libxml-2.0 >= 2.7.6... no
configure: error: in `/usr/local/directadmin/custombuild/php-7.4.2':
configure: error: The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.]
=> fixed by
pkg install pkgconf krb5

===If found error
checking for icu-uc >= 50.1 icu-io icu-i18n… no
configure: error: Package requirements (icu-uc >= 50.1 icu-io icu-i18n) were not met:
Requested 'icu-uc >= 50.1' but version of icu-uc is 4.8.1.1

===fixed by re-build icu
./build update
./build icu
==start compile php again.
./build php n

==or build only 7.4
./build php_expert 7.4 php-fpm

11
เจอ error #1264 Out of range value adjusted for column 'ID' at row 1 ID บน board smf
แก้ไขโดย
alter table smf_ads change HITS HITS BIGINT NOT NULL default '0';

12
===== send syslog to sensor node.  [normally syslog send to master node only]
https://docs.securityonion.net/en/2.3/firewall.html?highlight=syslog#allow-hosts-to-send-syslog-to-a-sensor-node

==step1 run on master
so-firewall addhostgroup syslogtosensor1

==step2 run on master
so-firewall includehost syslogtosensor1 ipของsyslog-ngที่จะส่งไปsensor

==step3 run on master “sensor_heavynode.sls” => /opt/so/saltstack/local/pillar/minions/<HOSTNAME>_<ROLE>.sls
/opt/so/saltstack/local/pillar/minions/sensor_heavynode.sls
firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          syslogtosensor1:
            portgroups:
              - portgroups.syslog

==step4 run on master salt <HOSTNAME>_<ROLE> state.apply firewall
salt sensor_heavynode state.apply firewall

==step5 : run on sensor node
==check and view see connection establish for source_log send to sensor_ip
netstat -na | grep 514

13
all application on unix knowledges by golfreeze / pacemaker crm manual command
« on: สิงหาคม 16, 2021, 11:39:50 AM »
=====CRM manual  Putting cluster in maintenance mode for a maintenance activity on the SAP servers.
Many times there will be a need to do some kind of maintenance of a SAP server like OS patching, kernel upgrade, SID stacking etc.

In cases like these you might need to restart the servers but if the servers/nodes are in the cluster then the pacemaker will start migrating the services which can create a setback for the administrators. To avoid such scenarios we can simply put the cluster or a particular node in maintenance mode to avoid unwanted resource migrations.

There are three ways to achieve this depending on the situation.

Put the cluster in maintenance mode
crm configure property maintenance-mode="true"
Put the node in maintenance mode
crm node maintenance <node>
Put the node in standby mode
crm node standby <node>

==Once the activity is completed move the cluster or node out of maintenance using below commands.

Move the cluster out of maintenance
crm configure property maintenance-mode="false"
Move the node out of maintenance
crm node ready <node>
Move the node out of standby
crm node online <node>

====Most Important Commands for managing a pacemaker cluster

CRM monitoring commands-

-> crm status : Check the status of the cluster and its services.
-> crm_mon    : Live nonitoring of the cluster

CRM Node Commands

-> crm node show                : list the nodes in the cluster.
-> crm node standby <node name> : put a node on standby
-> crm node fence <node name>   : fence a particular node. (Restart)
-> crm node online <node name>  : bring a node online after standby.
-> crm node clearstate <node>   : clear a nodes state. (if in error)
-> crm node maintenance <node>  : put the node in maintenance mode. Will not affect the cluster services or resources
-> crm node ready <node>        : put the node out of maintenance

CRM Cluster Commands

-> crm cluster health           : Check the health of the cluster.
-> crm cluster start            : Start cluster services on the node.
-> crm cluster stop             : Stop cluster services on the node.
-> crm cluster restart          : Restart cluster services on the node.
-> crm cluster status           : Show cluster services on this node.

CRM Resource Commands

-> crm resource status <name>   : Check status of the resource
-> crm resource start <name>    : Start the resource.
-> crm resource stop  <name>    : Stop the resource.
-> crm resource cleanup <name>  : Cleanup the resource.(if in error)
-> crm resource migrate <name> <node> : Migrate the resource from this node to another.

==special thank you
https://www.linkedin.com/pulse/everything-you-need-know-sap-pacemaker-cluster-testing-robin-singh/

14
=== postgres force drop database
If found error :
 database "boss_v2" is being accessed by other users
 DETAIL:  There are 2 other sessions using the database.

==fixed by force drop
REVOKE CONNECT ON DATABASE boss_v2 FROM public;
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = 'bot’;
==and drop again
drop database boss_v2;

===when create found problem try to template0
CREATE DATABASE dbname TEMPLATE template1;
=If template1 is not available or corrupted, you can use template0 as last resort:
CREATE DATABASE dbname TEMPLATE template0;

ลองกันดูนะครับผม  8)

15
การมีระบบ SIEM ทำให้เราวิเคราะห์การโจมตีได้ก่อน บางทีจะมี log ที่เป็นลางบอกเหตุมาก่อน เมื่อเห็นทันและทำการยกระดับการป้องกันได้ทัน ปัญหาที่จะส่งผลกระทบขนาดใหญ่ และสามารถมีแนวทางการป้องกันที่ชัดเจน ก็ทำให้ความรุนแรงและผลกระทบทุเลาลงไปได้ครับ

=== Snort rule และระบบ Blueliv Threat Context สามารถจับพฤติกรรม ของ ransomware Avaddon ได้ก่อนจาก กลุ่ม ip ของ campaign นี้
ET TROJAN Win32/Avaddon Ransomware Style External IP Address Check

Pages: [1] 2 3 ... 72