Category archive: Server configuration

[Repost] How to setup the Ultimate IRC Server

Original link is: http://www.codeography.com/2012/09/23/howto-irc-server.html

While I like Campfire and HipChat and those other tools for
group collaboration there is just something nice about using an IRC
channel. Probably the most compelling reason is that I am going to have
my IRC client running anyway for other channels — so it would be nice
to just add a server and use the same client I am already using.

At Radius we had been using a public server for a little bit of
communication, but the conversations started becoming more technical
and I wasn't happy having things go through someone else's server, and be
unencrypted. So I decided to set up my own. I give you the ultimate IRC
setup:

The Ultimate IRC Server

The ultimate server consists of a few components:

  • The IRC server itself (ircd-hybrid)
  • an IRC bouncer (ZNC)
  • a way to tunnel port 443 to the bouncer
  • and maybe a bot that can post funny pictures of cats for you

I am using Ubuntu Server 12.04.1 LTS (ami-137bcf7a) running on a micro instance.

Install the IRC Server

sudo apt-get install ircd-hybrid
sudo vim /etc/ircd-hybrid/ircd.motd

Create the password required to be the Oper:

WARNING: Please do not mix up the mkpasswd program from /usr/sbin with this one. If you are root, typing mkpasswd will run that one instead and you will receive a strange error.

/usr/bin/mkpasswd super-secret

Edit the config file; it is well documented and there are plenty of
little tweaks you can make, but make a couple of small changes now:

sudo vim /etc/ircd-hybrid/ircd.conf

Comment out the host parameter in the listen section (about line 130 in the default Ubuntu config)

host = "127.0.0.1";

to be

#host = "127.0.0.1";

And increase the max_clients in the serverinfo section:

max_clients = 2;

to be

max_clients = 512;

This will open the server up to external connections (Note: make sure
you configure your instance to have these ports open, e.g. in EC2 you
will need to edit the security profile and open ports 443, 6664, and
6667), and allow more than 2 folks to connect from the same IP (which is
important since we will have everyone connect via ZNC running on this
machine).

Now restart the server

sudo /etc/init.d/ircd-hybrid restart

Now you should be able to fire up your favorite client and see if you
can get it to connect to the server. Once you have proven it works,
time to move onto the bouncer.

Install the IRC Bouncer

Originally I followed the guide from Dustin Davis but have a few tweaks:

sudo apt-get install znc
znc --makeconf

Follow the prompts to set up the server. I mostly chose the defaults, and enabled all the modules:

What port would you like ZNC to listen on? (1025 to 65535): 6664
Would you like ZNC to listen using SSL? (yes/no) [no]: yes
Would you like to create a new pem file now? (yes/no) [yes]: yes
Listen Host (Blank for all ips):
Number of lines to buffer per channel [50]: 1000
Would you like to keep buffers after replay? (yes/no) [no]: yes

Configure ZNC to use the brand new IRC server that we just installed:

IRC server (host only): 127.0.0.1
[127.0.0.1] Port (1 to 65535) [6667]: 6667
[127.0.0.1] Password (probably empty):
Does this server use SSL? (yes/no) [no]:
Would you like to add another server for this IRC network? (yes/no) [no]: no
Would you like to add a channel for ZNC to automatically join? (yes/no) [yes]: yes
Would you like to add another channel? (yes/no) [no]: no
Would you like to set up another user (e.g. for connecting to another network)? (yes/no) [no]: no
Launch ZNC now? (yes/no) [yes]: no

Now you can run ZNC as that user and verify it works, and make tweaks to the config.

vi .znc/configs/znc.conf

or with the webadmin module by pointing a browser to

https://yourhostname:6664

To verify that this works with your local client you should just have
to change the port from 6667 to 6664. If you want to compare settings
my initial config file looked something like this.

Make ZNC a system daemon

At the end of the config keep it running and connect to it from your
local IRC client to make sure things are working. Once you have proven
it works, it is time to set it up as a daemon that starts at boot. I used
Henner's guide when I first set this up.

killall znc # just to make sure

Create the user and group

sudo addgroup --system znc
sudo adduser --system --no-create-home --ingroup znc znc

Create the init script; I have the one I use up here:

sudo vim /etc/init.d/znc

It's pretty big, so you may want to curl it down (the file is root-owned, so write it through sudo):

curl https://gist.githubusercontent.com/csexton/3772971/raw/efbe88004be70cb7f157e30aa1183ea5867d8de6/gistfile1.sh | sudo tee /etc/init.d/znc > /dev/null

Copy over the ZNC config files to /etc, and update permissions (the chown needs root, so it is run through sudo):

sudo mkdir /etc/znc
sudo mv /home/$USER/.znc/* /etc/znc/
rm -R /home/$USER/.znc
sudo chown -R znc:znc /etc/znc
sudo chmod +x /etc/init.d/znc

Start ‘er up

sudo /etc/init.d/znc start

Setup port forwarding

Forward from 443 to 6664 to work around firewalls.

This step is not required if your network does not block the ports we
are using. But it is still nice to use in case you ever find yourself
on one. Also you would not want to do this on a server that is serving
webpages over https.

sudo apt-get install rinetd
sudo vim /etc/rinetd.conf

Edit that file to include a new forwarding rule

0.0.0.0 443 127.0.0.1 6664

Restart rinetd

sudo /etc/init.d/rinetd restart

If you enabled the webadmin module in ZNC you should now be able to point your browser to https://yourhostname and edit your ZNC config (and let folks edit their accounts, configure
modules and change passwords). Yes, ZNC uses the same port for IRC
connections and for the admin page.

Recap

Now you should have an IRC server running on port 6667, a bouncer
running on port 6664, and a tunnel for the bouncer from port 443.

I just used the web admin module to setup accounts for everyone on my
team. I wound up turning off external access to 6667 so that I didn’t
have to secure ircd, and everyone just goes through ZNC.

You might want to set up a bot to do your bidding; I use radbot. You should fork :-)

I run this on a micro instance on Amazon’s EC2, so it costs us about
$14/month — but given that I use the server for other things as well it
doesn’t really cost the full $14.

[Repost] Using Nginx and Nginx Plus to Defend Against DDoS Attacks

Reposted from: http://mp.weixin.qq.com/s?__biz=MzA3MzYwNjQ3NA==&mid=208998983&idx=1&sn=57c74bef6c19227660236fff74557c50&scene=5&srcid=101662lSEf1ZZiBlmMQCY3XS#rd

DDoS is an attack technique that bombards a target with a high volume of requests, exhausting the resources of the serving host so that it can no longer provide service.

Typically the attacker saturates the server with a large number of requests and connections, so that it can no longer accept new requests or becomes very slow.

0x01 Characteristics of application-layer DDoS attacks

Application-layer (layer 7 / HTTP-layer) DDoS attacks are usually launched by trojan programs (bots) and can be designed to exploit the weak points of the target system more effectively. For example, against a system that cannot handle many concurrent requests, simply opening a large number of connections and periodically sending a few packets to keep each session alive is enough to exhaust the system's resources so that it can accept no new connections, which achieves the DDoS goal. Other forms send large numbers of connection requests, or requests carrying large payloads. Because the attack is launched by trojans, the attacker can establish a huge number of connections and issue a huge number of requests in a very short time.

The following are some characteristics of DDoS attacks that we can use to defend against them (including but not limited to):

  • Attacks often originate from a relatively fixed set of IPs or IP ranges, each with a connection and request count far higher than a real user's. Note: this does not mean every such request represents a DDoS attack. In many NAT network architectures, many clients reach public resources through the gateway's IP address. Even so, their request and connection counts are still far below those of a DDoS attack.
  • Because the attack is launched by trojans and aims to overload the server, the request rate far exceeds what a normal person would generate.
  • The User-Agent is usually a non-standard value.
  • The Referer is sometimes a value that suggests an attack.

0x02 Using Nginx and Nginx Plus to defend against DDoS attacks

Given the characteristics above, Nginx and Nginx Plus have many features that can effectively mitigate DDoS attacks, working on two fronts: regulating inbound traffic and controlling the traffic proxied to the backend servers.

Limit the request rate

Keep the Nginx/Nginx Plus request rate within a reasonable range for a real user. For example, if you think a normal user requests the login page at most once every two seconds, you can configure Nginx to accept one request every two seconds from each client IP (roughly 30 requests per minute).

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

server {
    location /login.html {
        limit_req zone=one;
    }
}

The `limit_req_zone` directive sets up a shared memory zone named one that stores request state for a specific key, in this example the client IP ($binary_remote_addr). The `limit_req` directive in the location block references the one zone to limit access to /login.html.

Limit the number of connections

Keep the Nginx/Nginx Plus connection count within a reasonable range for a real user. For example, you can restrict each client IP to no more than 10 connections to /store.

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    location /store/ {
        limit_conn addr 10;
    }
}

The `limit_conn_zone` directive sets up a shared memory zone named addr that stores state for a specific key, in this example the client IP ($binary_remote_addr). The `limit_conn` directive in the location block references the addr zone to limit the maximum number of connections to /store/ to 10.

Close slow connections

Some DDoS attacks, such as Slowloris, work by opening many connections and periodically sending a little data to keep each session alive, typically at a slower cadence than a normal request. In this case we can defend by closing slow connections.

The `client_body_timeout` directive defines the timeout for reading the client request body, and `client_header_timeout` defines the timeout for reading the client request headers. Both default to 60s; we can set them to 5s with the following:

server {
    client_body_timeout 5s;
    client_header_timeout 5s;
}

Set up an IP blacklist

If you have determined that an attack comes from certain IP addresses, you can blacklist them so that Nginx no longer accepts their requests. For example, if you have determined that the attack comes from the range 123.123.123.1 to 123.123.123.16, you can configure:

location / {
    deny 123.123.123.0/28;
}

Or, if you have determined that the attack comes from the IPs 123.123.123.3, 123.123.123.5 and 123.123.123.7, you can configure:

location / {
    deny 123.123.123.3;
    deny 123.123.123.5;
    deny 123.123.123.7;
}

Set up an IP whitelist

If your site should only be accessible from specific IPs or IP ranges, you can combine the allow and deny directives so that only the addresses you specify may access it. For example, to allow only internal users on the 192.168.1.0 network:

location / {
    allow 192.168.1.0/24;
    deny all;
}

The deny directive rejects requests from every IP other than the range specified by allow.

Use caching to smooth traffic peaks

By enabling Nginx caching and setting specific cache parameters, you can absorb attack traffic and at the same time reduce request pressure on the backend servers. Some useful settings:

  • The updating parameter of `proxy_cache_use_stale` tells Nginx when to refresh a cached object. Only one refresh request goes to the backend; while the cached copy is valid, client requests for that object never reach the backend. When an attack consists of frequent requests for one file, caching greatly reduces the requests that reach the backend.
  • The key defined by the `proxy_cache_key` directive usually contains embedded variables (the default key $scheme$proxy_host$request_uri contains three). If the key includes the `$query_string` variable, attack requests with random query strings put an excessive caching burden on the Nginx proxy, so we generally recommend not including `$query_string`.

Block specific requests

Nginx and Nginx Plus can be configured to block certain types of requests:

  • Requests for a specific URL
  • Requests with an uncommon User-Agent
  • Requests whose Referer header contains a value suggesting an attack
  • Requests whose other headers contain a value suggesting an attack

For example, if you determine that the attack targets a specific URL, /foo.php, you can block requests to that page:

location /foo.php {
    deny all;
}

Or, if you determine that the attacking requests' User-Agent contains foo or bar, you can block those requests:

location / {
    if ($http_user_agent ~* foo|bar) {
        return 403;
    }
}

The `$http_name` variable references a request header, in this example the User-Agent header (`$http_user_agent`). The same approach can be applied to other HTTP headers to identify attacks.

Limit connections to the backend servers

A single Nginx/Nginx Plus instance can handle far more concurrent requests than a backend server. In Nginx Plus you can limit the number of connections to each backend server; for example, Nginx Plus can be configured to open no more than 200 connections to each server in the website upstream:

upstream website {
    server 192.168.100.1:80 max_conns=200;
    server 192.168.100.2:80 max_conns=200;
    queue 10 timeout=30s;
}

The `max_conns` parameter sets, per backend server, the maximum number of connections Nginx Plus may open to it. The `queue` directive sets the size of the queue used once every backend server has reached its limit, and the `timeout` parameter specifies how long a request stays in the queue.

Handle specific types of attacks

One kind of attack sends request headers containing especially large values, causing a buffer overflow on the server side. For defending against this type of attack with Nginx/Nginx Plus, see [Using NGINX and NGINX Plus to Protect Against CVE-2015-1635](http://nginx.com/blog/nginx-protect-cve-2015-1635/?_ga=1.14368116.2137319792.1439284699).

Tune Nginx performance

DDoS attacks usually bring high load; some tuning parameters can raise the processing capacity of Nginx/Nginx Plus so that it can withstand the attack. See [Tuning NGINX for Performance](http://nginx.com/blog/tuning-nginx/?_ga=1.48422373.2137319792.1439284699) for details.

0x03 Identifying DDoS attacks

So far we have focused on using Nginx/Nginx Plus to mitigate the impact of a DDoS attack. How can Nginx/Nginx Plus help us identify one? The `Nginx Plus Status module` provides detailed statistics on traffic to the backend servers that can be used to spot abnormal traffic. Nginx Plus provides a dashboard page of current status, and the same statistics can be retrieved via an API by custom or third-party systems, which can analyze historical trends to identify abnormal traffic and raise alerts.

0x04 Summary

Nginx and Nginx Plus can be a powerful means of defending against DDoS attacks, and Nginx Plus provides additional features to defend better and to identify an attack promptly when it occurs.

English original: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
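As an added example (not part of the original article or of Nginx), the following Python script applies the traffic characteristics from 0x01 to a few constructed nginx access-log lines in the combined format: it counts requests per client IP per minute, flags IPs that exceed a per-minute threshold, flags non-standard User-Agent values and suspicious Referer values, and renders nginx `deny` lines for the flagged IPs as in the blacklist step of 0x02. The threshold, the "known" User-Agent patterns and the Referer patterns are assumptions to be tuned against your own traffic baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed thresholds and patterns: tune them to your own traffic baseline.
MAX_REQ_PER_MIN = 30  # mirrors the article's rate=30r/m example
KNOWN_UA = re.compile(r"Mozilla/|curl/|Googlebot", re.I)
BAD_REFERER = re.compile(r"attack|ddos", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines, max_req_per_min=MAX_REQ_PER_MIN):
    """Return {ip: set(reasons)} for client IPs matching the 0x01 characteristics."""
    per_minute = defaultdict(Counter)  # ip -> Counter(minute bucket -> requests)
    flags = defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in combined format
        ip = rec["ip"]
        per_minute[ip][rec["time"].replace(second=0)] += 1
        if not KNOWN_UA.search(rec["ua"]):
            flags[ip].add("non-standard user-agent")
        if BAD_REFERER.search(rec["referer"]):
            flags[ip].add("suspicious referer")
    for ip, buckets in per_minute.items():
        if max(buckets.values()) > max_req_per_min:
            flags[ip].add("rate above %d/min" % max_req_per_min)
    return dict(flags)

def deny_directives(flags):
    """Render nginx deny lines for flagged IPs (the blacklist step in 0x02)."""
    return ["deny %s;" % ip for ip in sorted(flags)]

def sample_log():
    # Constructed: 40 hits in one minute from one IP, plus two ordinary requests.
    lines = ['203.0.113.9 - - [16/Oct/2015:10:00:%02d +0000] "GET /login.html HTTP/1.1" 200 512 "-" "python-requests/2.7"' % i for i in range(40)]
    lines.append('198.51.100.4 - - [16/Oct/2015:10:00:05 +0000] "GET /store/ HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"')
    lines.append('192.0.2.77 - - [16/Oct/2015:10:00:07 +0000] "GET /foo.php HTTP/1.1" 200 100 "http://ddos.example/" "Mozilla/5.0"')
    return lines
```

Feed it a real access.log (one line per list element) and review the reasons before turning the output into a deny list, since NAT gateways can legitimately exceed a naive per-IP threshold.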

Installing a StartSSL free SSL certificate in XAMPP Apache

Original link for this article: http://www.myhack58.com/Article/sort099/sort0100/2014/53529.htm

I could not find a comprehensive tutorial online on installing a StartSSL free SSL certificate in XAMPP Apache, so I am sharing one.

Although this article targets XAMPP Apache, it should apply to any Apache installation.

1. Apply for a free SSL certificate:

I applied for a free one-year SSL certificate from StartSSL:

https://www.startssl.com/

https://www.startssl.com/?app=12

Tutorials on applying for a StartSSL free SSL certificate:

http://blog.csdn.net/ruixue0117/Article/details/22201303

http://www.freehao123.com/startssl-ssl/

2. What you need once the certificate has been issued:

1. The key file: the long encrypted text StartSSL provides when you apply for the certificate; save it as server.key (it has to be decrypted before use);
2. The crt file: the long encoded text StartSSL provides when you apply; save it as server.crt;
3. sub.class1.server.ca.pem: StartSSL prompts you to download this once the crt has been issued;
4. ca.pem: StartSSL prompts you to download this once the crt has been issued;

3. Install the SSL certificate:

I did this on Linux XAMPP; the Windows version of XAMPP is similar.
1. Upload server.key via FTP or SFTP to overwrite XAMPP's existing "/opt/lampp/etc/ssl.key/server.key", and upload server.crt to overwrite XAMPP's existing "/opt/lampp/etc/ssl.crt/server.crt";
2. Decrypt the server.key file:
Run on the server:
# cd /opt/lampp/etc/ssl.key/
# openssl rsa -in server.key -out server_decrypted.key
Then enter the password you chose when applying for the SSL certificate to decrypt server.key.
3. Rename or delete server.key, then rename the server_decrypted.key produced in the previous step to server.key;
4. Upload sub.class1.server.ca.pem and ca.pem to the /opt/lampp/etc/ssl.crt/ directory;
5. Edit the /opt/lampp/etc/extra/httpd-ssl.conf configuration file, search for SSLCertificateChainFile and SSLCACertificateFile, add the following two lines under the corresponding entries and save:
SSLCertificateChainFile "/opt/lampp/etc/ssl.crt/sub.class1.server.ca.pem"
SSLCACertificateFile "/opt/lampp/etc/ssl.crt/ca.pem"
6. Restart Apache, or restart XAMPP directly:
/opt/lampp/xampp restart
7. Access your site over https.

4. Thanks also to the following two reference tutorials:

Installing a StartSSL free certificate under Apache

http://fengfan.blog.163.com/blog/static/13478622013713114942896/

http://blog.csdn.net/ruixue0117/Article/details/23923395