2018 on Ricky

Avalon (The Resistance: Avalon)

Mon, 24 Dec 2018 13:22:33 +0800

Install Font Libraries and Chinese Fonts on Linux CentOS 7

Tue, 18 Dec 2018 22:13:40 +0800

Install Font Libraries and Chinese Fonts on Linux CentOS 7

yum -y install fontconfig

Now you can see the fonts and fontconfig directories under /usr/shared (they did not exist before).

Before that we need to create a directory. First create /usr/shared/fonts/chinese.

mkdir /usr/shared/fonts/chinese

Copy the fonts you need and upload them to /usr/shared/fonts/chinese. Here I use SimSun and HeiTi (used in reports). You will see files with ttf and ttc extensions.

What is the SHA256 that comes on the sshd entry in auth.log?

Mon, 17 Dec 2018 16:11:43 +0800

What is the SHA256 that comes on the sshd entry in auth.log?

ssh-keygen -lf .ssh/id_rsa.pub

cat .ssh/id_rsa.pub |
 awk '{ print $2 }' | # Only the actual key data without prefix or comments
 base64 -d | # decode as base64
 sha256sum | # SHA256 hash (returns hex)
 awk '{ print $1 }' | # only the hex data
 xxd -r -p | # hex to bytes
 base64 # encode as base64

What does `< <(command args)` mean in the shell?

Sat, 17 Nov 2018 22:29:23 +0800

What does < <(command args) mean in the shell?

 while IFS= read -r -d $'\0' file; do
 dosomethingwith "$file" # do something with each file
 done < <(find /bar -name *foo* -print0)

<() is called process substitution in the manual, and is similar to a pipe but passes an argument of the form /dev/fd/63 instead of using stdin.

< reads the input from a file named on command line.

Together, these two operators function exactly like a pipe, so it could be rewritten as

Netcat (Linux nc) Practical Examples for Network Admins

Fri, 09 Nov 2018 00:17:47 +0800

Netcat (Linux nc) Practical Examples for Network Admins

Send a test UDP packet to a remote server

This command sends a UDP test packet to the specified host and port. The -w1 option sets the timeout to 1 second.

echo -n "foo" | nc -u -w1 192.168.1.8 5000

Open a UDP port to receive data

nc -lu localhost 5000

Port scanning on a remote host

This command scans TCP ports in the ranges 1-1000 and 2000-3000 on the specified host to see which ports are open.

vimrc Configuration Guide

Sat, 03 Nov 2018 23:30:52 +0800

vimrc Configuration Guide
:set nu
- Show line numbers: useful for debugging.
:set ai
- Auto-indent: if the previous line has two tab widths, pressing Enter keeps those two tab widths on the next line.
:set cursorline
- Cursor line: underline the current line to help locate the cursor.
:set bg=light
- Color scheme for light backgrounds.
- The default assumes a light background (white, etc), but if your terminal background is dark purple, text may disappear (for example, comments in dark blue). Change this to :set bg=dark.
:set tabstop=4

Why do browser user-agent strings always include Mozilla/5.0?

Wed, 17 Oct 2018 12:03:04 +0800

Quick answer

Because website developers may output special features when they detect a browser (Mozilla in this case). When other browsers also support those good features, they try to mimic Mozilla so the site outputs the same content instead of a degraded version.

Simulate Network Anomalies with TC and Netem

Sat, 15 Sep 2018 16:17:26 +0800

Simulate Network Anomalies with TC and Netem

Netem and TC brief overview

Netem is a network emulation module provided by Linux 2.6 and later kernels. It can be used on a good LAN to simulate complex Internet transmission performance, such as low bandwidth, latency, packet loss, and so on. Many Linux distributions with kernel 2.6+ enable this module by default, such as Fedora, Ubuntu, Redhat, OpenSuse, CentOS, Debian, etc.

TC is a user-space tool in Linux, short for Traffic Control. TC controls the operating mode of the Netem module. In other words, to use Netem you need at least two conditions: the Netem module must be enabled in the kernel, and the corresponding user-space tool TC must be available.

Quagga Routing - Install, Configure and setup BGP

Tue, 14 Aug 2018 22:13:12 +0800

Quagga Routing - Install, Configure and setup BGP

Systemd Tutorial: Practical Part

Thu, 09 Aug 2018 13:53:32 +0800

Systemd Tutorial: Practical Part

$ systemctl cat sshd.service

[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
Type=simple
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

[Unit] Section: Startup Order and Dependencies

After field: if network.target or sshd-keygen.service needs to start, then sshd.service should start after them.

Correspondingly, the Before field defines which services sshd.service should start before.

Note that After and Before only involve startup order, not dependency relationships.

RAID10 Total Failure: Mirror Drives in the Same Group Failed Together

Wed, 01 Aug 2018 18:21:20 +0800

Applying HTTPS Certificates for CDN

Tue, 24 Jul 2018 18:35:39 +0800

Since we cannot upload files to the CDN server, we cannot use file validation to apply for HTTPS certificates. Fortunately, Let’s Encrypt supports the dns-01 challenge via DNS validation. We use Dehydrated with the CloudFlare hook to apply for HTTPS certificates.

# First clone the dehydrated repository

git clone https://github.com/lukas2511/dehydrated

# In the cloned dehydrated directory, create a config file. See the example config file:
# https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config
# Append Cloudflare info to the end of the config file

echo "export CF_EMAIL=user@example.com" >> config
echo "export CF_KEY=K9uX2HyUjeWg5AhAb" >> config

# Clone the Cloudflare hook
mkdir hooks
git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook hooks/cloudflare


# Install dependencies

pip install -r hooks/cloudflare/requirements-python-2.txt

# Create domains.txt, one domain per line

[root@db-slave01 dehydrated]# cat domains.txt
apk.kosungames.com
sp-res.kosungames.com
cpweb.kosungames.com

# Request HTTPS certificates

./dehydrated -c -k hooks/cloudflare/hook.py

# Use a Python script to upload the certificates. The script must be in the dehydrated directory.

#!/usr/bin/env python

from aliyunsdkcore import client
from aliyunsdkcdn.request.v20141111 import SetDomainServerCertificateRequest
import uuid


def upload(domain):
 cli = client.AcsClient("LTAI7zSXga2D", "ed03Mt9xcNkRgmadx0XtpyDje", "cn-hongkong")
 request = SetDomainServerCertificateRequest.SetDomainServerCertificateRequest()
 request.set_accept_format("json")
 request.set_DomainName(domain)
 request.set_CertName(domain + str(uuid.uuid1()))
 #request.set_CertName(domain)
 #certificate = open("certs/" + domain + "/fullchain.pem").read()
 certificate = open("certs/" + domain + "/cert.pem").read()
 with open("certs/" + domain + "/chain.pem") as f:
 f.readline()
 f.readline()
 chain = f.read()
 certificate += chain
 key = open("certs/" + domain + "/privkey.pem").read()
 request.set_ServerCertificateStatus('on')
 request.set_ServerCertificate(certificate)
 request.set_PrivateKey(key)

 result = cli.do_action_with_exception(request)

domain_file="domains.txt"
with open(domain_file) as f:
 for line in f:
 domain = line.split()[0]
 upload(domain)

Record Millisecond Precision in Nginx Access Logs

Tue, 24 Jul 2018 18:31:42 +0800

Nginx access logs can record millisecond timestamps, but they are milliseconds since EPOCH, for example 1503544071.865. Another variable, $time_local, records a second-level time format, for example 24/Aug/2017:11:07:51 +0800. Under heavy traffic, we need a millisecond-precision format like 24/Aug/2017:11:07:51.865 +0800. This can be done with Lua.

First, define a variable named time_millis in nginx.conf and initialize it to empty. This is similar to providing a fallback self-signed certificate when using auto-ssl.

HA command

Sat, 21 Jul 2018 14:45:29 +0800

load merge relative terminal
# On a brand-new device without HA enabled, you must define the cluster ID.
# Cluster ID must be unique and cannot duplicate other SRX, because HA creates a virtual MAC address and this ID affects it. Duplicates may cause MAC duplication and unexpected errors.
#
request system zeroize
# The following commands must be run in `>` mode.
set chassis cluster cluster-id <ID range 0~255> node 0 # This is on node 0
set chassis cluster cluster-id <ID range 0~255> node 1 # This is on node 1
# On the secondary node, run this command.
request chassis cluster configuration-synchronize
# After reboot, you will see Hold or standby; check whether the cluster is up.
show chassis cluster status
# This appears only after RETH interfaces are created; you must configure first.
show chassis cluster interfaces
# The following commands are run in config mode; build the config first.
---
# The backup-router is for the HA standby device management interface (fxp) so it can respond to routing; by default the standby does not enable the routing engine, so this is required.
set groups node0 system host-name SRX-node0
set groups node0 system backup-router 10.10.0.254
set groups node0 system backup-router destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.0.2/24
set groups node1 system host-name SRX-node1
set groups node1 system backup-router 10.10.0.254
set groups node1 system backup-router destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.0.3/24
set apply-groups "${node}"
set system time-zone Asia/Taipei
set chassis cluster control-link-recovery
set chassis cluster reth-count 10
set chassis cluster heartbeat-interval 2000
# It is recommended to enable IPv6 during setup using the following command, because enabling IPv6 later requires a reboot.
set security forwarding-options family inet6 mode flow-based
# Interface numbers vary by chassis model.
# The easiest way is to check how many slots the device has. For example, SRX550HM has expansion 0-8, so HA starts at 9, hence ge-9/x/x.
set chassis cluster redundancy-group 0 node 0 priority 150
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 0 interface-monitor ge-0/0/3 weight 150
set chassis cluster redundancy-group 0 interface-monitor ge-0/0/5 weight 150
set chassis cluster redundancy-group 0 interface-monitor ge-9/0/3 weight 100
set chassis cluster redundancy-group 0 interface-monitor ge-9/0/5 weight 100
set chassis cluster redundancy-group 1 node 0 priority 150
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 150
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 150
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 100
set chassis cluster redundancy-group 1 interface-monitor ge-9/0/5 weight 100
# This is the data sync setting for redundancy group 1; you must set it to enable the ge-0/0/2 heartbeat link.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-9/0/2
# Add interfaces to the reth group.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-9/0/3 gigether-options redundant-parent reth0
set interfaces ge-9/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-9/0/5 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
# You must add RETH to the data sync group, otherwise it will not work.
set interfaces reth0 redundant-ether-options redundancy-group 1
# Note: SRX uses LACP passive mode, but the switch must use LACP active mode.
set interfaces reth0 redundant-ether-options lacp passive
set interfaces reth0 redundant-ether-options lacp periodic slow
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 202.99.240.100/26

Fighting DDoS: nginx, iptables, and fail2ban

Fri, 20 Jul 2018 18:47:42 +0800

Fighting DDoS: nginx, iptables, and fail2ban

[Juniper Firewall] command

Wed, 27 Jun 2018 00:58:01 +0800

The following commands are run in operational mode, or use run show in configuration mode.

Show current firewall session count

show security flow session | match 10.22.12.104
show security flow session source-prefix 10.22.12.104

Clear current sessions

clear security flow session all

Query OID

show snmp mib walk decimal 1.3.6.1.2.1.2.2.1.2

Check current software version

show system software

Check system uptime

show system uptime

Check hardware cards and serial numbers

show chassis haredware

Check current hardware status

show chassis environment

Show routing table

Switch Firmware Update

Thu, 14 Jun 2018 12:28:29 +0800

Preparation:

Plug in the console.

Copy the update file to the USB drive.

Before starting, use show version to check the current version

Update SOP:

Insert the USB with the update file into the switch. The screen will show the detected device name.
Copy the update file from USB to the switch flash: copy usbflash0(device name):<update-file> flash:
1. Press Enter and confirm the file name, then press Enter again. A stream of ccccccccc means it is copying.
After it finishes, use dir flash to verify the update file exists.
conf t to enter config mode, then boot system flash:<update-file> to set the new IOS image.
exit config mode, then show boot to confirm the new IOS is selected.
write memory to apply settings to the running config.
Run reload.
It takes about 15-20 minutes. After it finishes, check the version to confirm the upgrade.

copy usbflash0:cat.bin flash:
copy usbflash0:cat.bin flash0-2:
software install file flash:cat.bin switch 1-2
software clean

Firewall Update

Tue, 12 Jun 2018 07:48:48 +0800

Preparation:

Plug in the console.

Copy the update file to the USB drive.

Before starting, use show version to check the current version

Update SOP:

start shell
su to root
Create a directory: mkdir /var/tmp/usb (name can be anything)
Insert the USB. Note the number after da, currently da1.
Mount it: mount -t msdos /dev/da1s1 /var/tmp/usb (if da0, then use da0s1, etc.)
After it finishes, cd /cf/var/tmp/usb/da2s1/ (usb)
1. ls (junos-srxsme-15.1X49-D120.3-domestic.tgz)
Switch the CLI to operational mode
1. request system software add /var/tmp/usb/da2s1/junos-srxsme-15.1X49-D120.3-domestic.tgz
request system reboot
show version

Best V2Ray One-Click Install & Management Script

Thu, 08 Feb 2018 10:56:54 +0800

How to Enable SNMP on a Switch

Sun, 04 Feb 2018 14:48:12 +0800

How to Enable SNMP on a Switch

Use snmp-server as the main command.

C3750(Config)#snmp-server community RO

This is the shared secret for SNMP communication. RO means Read Only (SNMP tools are not allowed to modify settings). RW means Read and Write (SNMP tools can modify settings).

C3750(config)#snmp-server group SNMP_ROA v3 priv match exact

SNMP group name: SNMP_ROA
Version: v3
Highest priv level

C3750(config)#snmp-server user cater SNMP_ROA v3 auth MD5 cisco12345 priv des56 test12345

A10

Wed, 10 Jan 2018 03:44:14 +0800

A10 Link Aggregation

802.3ad LACP

A10 trunk can config a maximnm of 16 LACP trunks per device.

interface ethernet 1
lacp trunk 1 mode active
lacp timeout long
!
interface ethernet 2
lacp trunk 1 mode active
lacp timeout long

Static Link Aggregation

None LACP.

Up to 8 static trunks.