Monday, January 27, 2014
Manually configuring NTP on Windows Server 2008
1. Windows client-side settings
Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time
set Parameters\NtpServer to
IP,0x1
where IP is the address of the NTP server. The 0x1 flag (UseSpecialPollInterval) makes W32Time poll at the fixed interval given by SpecialPollInterval below instead of the interval negotiated with the server. On a domain-joined machine also set Parameters\Type to NTP; the default NT5DS keeps syncing from the domain hierarchy and ignores NtpServer.
Then, from an elevated cmd prompt, run
w32tm /config /update
and check the result with
w32tm /query /peers
The server should be listed as IP,0x1 with State: Active, and its Time Remaining is the time until the next poll. w32tm /resync forces a synchronization right away.
To change the polling interval, edit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
(REG_DWORD, in seconds) and run again
w32tm /config /update
Wednesday, January 22, 2014
CentOS 6 TCP/IP tuning sample
2016/08/17 UPDATE
Avoid enabling
net.ipv4.tcp_tw_recycle
net.ipv4.tcp_tw_reuse
With clients (or servers) behind NAT these settings cause packets to be dropped. tcp_tw_recycle is the dangerous one: it rejects SYNs whose TCP timestamp is lower than the last one seen from the same source address, and all hosts behind one NAT share that address, so one client can lock the others out. tcp_tw_reuse only affects outgoing connections and is the milder of the two. Both depend on net.ipv4.tcp_timestamps = 1 to do anything at all, and tcp_tw_recycle was removed from the kernel in Linux 4.12.
(In Wireshark this shows up as a handshake in which the SYN gets no SYN-ACK, followed by a burst of retransmitted SYNs flagged as TCP Retransmission.)
The sample below predates this update; leave those two lines out when applying it.
References:
http://www.cnxct.com/coping-with-the-tcp-time_wait-state-on-busy-linux-servers-in-chinese-and-dont-enable-tcp_tw_recycle/
Original article (English):
https://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
https://wiki.archlinux.org/index.php/sysctl
http://www.pagefault.info/?p=416
http://blog.sina.com.cn/s/blog_781b0c850100znjd.html
vim /etc/security/limits.conf
* soft nofile 32768
* hard nofile 65536
echo "net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_rmem = 4096 87380 524288
net.core.rmem_max = 1048576
net.core.wmem_max = 1048576
net.core.somaxconn = 2048
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
# net.ipv4.tcp_tw_reuse = 1     do not enable, see the 2016/08/17 update
net.ipv4.tcp_sack = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_timestamps = 0
# net.ipv4.tcp_tw_recycle = 1   do not enable, see the 2016/08/17 update" >> /etc/sysctl.conf
sysctl -p
Caveats: the echo appends, so running it twice leaves duplicate entries (sysctl applies them in order and the last one wins). tcp_window_scaling = 0 caps the advertised receive window at 65535 bytes, which makes the 524288-byte tcp_rmem maximum unreachable on high-latency links; tcp_timestamps = 0 disables PAWS and RTT sampling; tcp_sack = 0 slows recovery on lossy paths. These three come from the linked gist and only make sense for a busy server on a local, low-latency network.
https://gist.github.com/kfox/1942782
The sysctl.conf from that gist:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

# cf. http://www.psc.edu/networking/projects/tcptune/#Linux
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 16384
net.ipv4.neigh.default.gc_interval = 5
net.ipv4.neigh.default.base_reachable_time = 120
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.neigh.default.base_reachable_time = 120
net.ipv4.neigh.default.gc_stale_time = 120
net.core.netdev_max_backlog = 262144
#net.core.rmem_default = 16777216
net.core.rmem_max = 108544
net.core.somaxconn = 262144
net.core.wmem_max = 108544
net.netfilter.nf_conntrack_max = 10000000
net.netfilter.nf_conntrack_tcp_timeout_established = 40
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_sack = 0
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_wmem = 4096 16384 16777216
Notes on the gist: it turns tcp_syncookies off and tcp_tw_recycle on (see the update at the top of this post); it repeats base_reachable_time, gc_stale_time and tcp_max_syn_backlog (the later value, 262144, wins); and nf_conntrack_tcp_timeout_established = 40 drops the conntrack entry of any connection idle for more than 40 seconds, after which a stateful firewall rejects that connection's next packet. The rmem_max / wmem_max of 108544 only cap buffers that applications set explicitly with setsockopt; TCP autotuning is bounded by the tcp_rmem / tcp_wmem maximums instead.
Watch this for more insight: http://vimeo.com/70369211
Slides: http://cdn.oreillystatic.com/en/assets/1/event/94/Tuning%20TCP%20For%20The%20Web%20Presentation.pdf
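As an added check (example code written for this page, not from the original post or the linked gist), the script below parses a sysctl.conf-style file the way sysctl -p reads it, comments stripped and the last assignment of a key winning, and flags the settings discussed above: tcp_tw_recycle and tcp_tw_reuse turned on, timestamps, window scaling or syncookies turned off, and keys that appear more than once (the gist sets tcp_max_syn_backlog twice). The sample configuration it writes for a stand-alone run is constructed from the values on this page.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file for the
# TIME_WAIT / handshake settings discussed above. Values are read the way `sysctl -p`
# applies them: comments stripped, one "key = value" per line, the last assignment wins.
# Findings go to stdout; the function returns 1 when a RISK line was printed, 0 otherwise.

audit_sysctl_file() {
    awk '
    {
        sub(/#.*/, "")                          # drop comments
        eq = index($0, "=")
        if (eq == 0) next                       # blank or non key=value line
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key in v) dup[key]++                # repeated key: the last value wins
        v[key] = val
    }
    END {
        rc = 0
        if (v["net.ipv4.tcp_tw_recycle"] == "1") {
            print "RISK net.ipv4.tcp_tw_recycle=1: SYNs from clients behind NAT are dropped (removed in Linux 4.12)"
            rc = 1
        }
        if (v["net.ipv4.tcp_tw_reuse"] == "1")
            print "WARN net.ipv4.tcp_tw_reuse=1: reuses TIME_WAIT sockets for outgoing connections; needs tcp_timestamps=1"
        if (v["net.ipv4.tcp_timestamps"] == "0")
            print "WARN net.ipv4.tcp_timestamps=0: PAWS and RTT sampling disabled; tw_reuse/tw_recycle become no-ops"
        if (v["net.ipv4.tcp_window_scaling"] == "0")
            print "WARN net.ipv4.tcp_window_scaling=0: receive window capped at 65535 bytes"
        if (v["net.ipv4.tcp_syncookies"] == "0") {
            print "RISK net.ipv4.tcp_syncookies=0: no SYN-flood protection once the backlog fills"
            rc = 1
        }
        for (k in dup)
            print "INFO " k " is set " (dup[k] + 1) " times; the last value (" v[k] ") wins"
        exit rc
    }' "$1"
}

# Constructed sample: the settings from this post with both TIME_WAIT lines enabled
# and one key repeated, so every check above has something to report.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_sack = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 16384
EOF
}

# Stand-alone use: audit the file named on the command line, or the sample if none is given.
if [ "$#" -gt 0 ]; then
    audit_sysctl_file "$1" || echo "risky settings found (exit $?)"
else
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    audit_sysctl_file "$tmp" || echo "risky settings found (exit $?)"
    rm -f "$tmp"
fi
```

Run it as sh audit_sysctl.sh /etc/sysctl.conf before sysctl -p; to audit the values the kernel is actually using, dump them first with sysctl -a 2>/dev/null > /tmp/live.conf and audit that file, since sysctl -a prints the same key = value format.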
CentOS 6.4 php 5.4 ssh2.so error (/usr/lib64/php/modules/ssh2.so: undefined symbol: php_checkuid in Unknown on line 0)
After updating to PHP 5.4,
PHP can no longer load the ssh2.so module, and error_log shows
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/ssh2.so' - /usr/lib64/php/modules/ssh2.so: undefined symbol: php_checkuid in Unknown on line 0
Cause: the installed ssh2.so was built against the previous PHP. php_checkuid was part of safe_mode, which PHP 5.4 removed, so an extension that still references the symbol cannot be loaded. Rebuild the extension against the new PHP (php-devel and libssh2-devel must be installed).
Solution:
Download PECL ssh2 0.12 from http://pecl.php.net/get/ssh2 (the tarball is named ssh2-0.12.tgz), then
tar -zxvf ssh2-0.12.tgz
cd ssh2-0.12
/usr/bin/phpize
./configure --with-ssh2 --with-php-config=/usr/bin/php-config
make
make install
Make sure the module is still enabled (extension=ssh2.so in a file under /etc/php.d/), check with php -m | grep ssh2, then restart httpd.
Thursday, January 9, 2014
CentOS 6.4 OpenVPN Installation
Reference: http://jamyy.dyndns.org/blog/2013/09/5220.html (its walkthrough is reproduced further down)
easy-rsa has to be installed separately:
yum install easy-rsa
To let users log in with their system account and password instead of a client certificate, add to server.conf:
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
(login is the PAM service used to check the password. With client-cert-not-required, anyone holding ta.key and a valid system password can connect, so keep ta.key private and enforce strong passwords; OpenVPN 2.4 deprecates this directive in favour of verify-client-cert none.)
Only add
push "redirect-gateway def1 bypass-dhcp"
to server.conf if clients are supposed to reach the Internet through the VPN. The directive pushes a default-gateway route to the client, replacing the client's own default gateway, so a client that only needs the VPN for internal access would lose its normal LAN/Internet path.
If clients only need to reach the 192.168.1.0/24 network behind the server, add instead
push "route 192.168.1.0 255.255.255.0"
to server.conf, together with the firewall rules (see the iptables settings below), so that VPN clients can reach the other hosts on 192.168.1.0/24.
While editing easy-rsa's vars (see the key setup below), also set
export KEY_SIZE=2048
Note that build-dh then writes dh2048.pem instead of dh1024.pem, so the dh line in server.conf must point to the new file.
iptables settings (in /etc/sysconfig/iptables; the POSTROUTING rule belongs in the *nat table, the rest in *filter, and the REJECT must stay last in FORWARD):
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s <source addresses allowed to use the VPN> -p udp --dport 1194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Note that -A INPUT -i tun0 -j ACCEPT exposes every service on the server itself to VPN clients; restrict it to the needed ports if the clients are not fully trusted.
Other:
Allowing several devices to connect with the same certificate: uncomment duplicate-cn in server.conf (the sample server.conf's own comment on it is quoted at the end of this post). Every holder of that one key then has access, and revoking it cuts all of them off at once, so for anything beyond a personal setup issue one key per device with build-key-pass instead.
Goal: set up an OpenVPN server so that both PCs and Android devices can reach the Internet through it
Server: CentOS 6.4 x86_64, OpenVPN 2.2.2 (yum installed from RPMForge)
Client: Ubuntu / Linux Mint, Windows 7, Android 4.0 or later
Assumed network environment of the OpenVPN server
- LAN IP: 192.168.1.1
- LAN gateway: 192.168.1.254
- Internet IP: 123.123.123.123
OpenVPN server network setup
For TUN mode (all OpenVPN clients, Android devices included, can connect in TUN mode):
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# service iptables save
For TAP mode (VPN clients get an address in the same subnet as the server's LAN; Android devices cannot connect in TAP mode):
# yum install bridge-utils
# cd /etc/sysconfig/network-scripts
# vi ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0
# vi ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.1
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
# service network restart
OpenVPN server installation and configuration
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum --disablerepo=epel install openvpn
# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
# vi /etc/openvpn/server.conf
# TUN mode
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Notes:
- dev tun - run the OpenVPN server in TUN mode
- server 10.8.0.0 255.255.255.0 - the virtual subnet assigned to VPN clients
- push "redirect-gateway def1 bypass-dhcp" - send the VPN clients' Internet traffic through the VPN server
- dh /etc/openvpn/easy-rsa/keys/dh1024.pem - 1024-bit DH parameters are weak by current standards; with KEY_SIZE=2048 in vars, build-dh writes dh2048.pem and this line must point to that file
- tls-auth ta.key 0 - HMAC-authenticates every control-channel packet with the shared ta.key, so a peer without it cannot even start a TLS handshake (port scans and attacks on the TLS stack are dropped before they reach OpenSSL); clients use direction 1
- comp-lzo - must be set identically on server and clients; compressing VPN traffic has been discouraged since the VORACLE attack (2018), so leave it out on both sides unless it is really needed
Preparing the keys
# cp -R /usr/share/doc/openvpn-*/easy-rsa/2.0 /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x build-* clean-all pkitool whichopensslcnf
# vi vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="My Company, Inc."
export KEY_EMAIL="root@mycompany.com"
export KEY_CN=""
export KEY_NAME=""
export KEY_OU=""
export PKCS11_MODULE_PATH=""
export PKCS11_PIN=""
# source ./vars
# ./clean-all
(clean-all wipes the keys/ directory; run it only once when creating the PKI, since running it later destroys the CA and every certificate issued from it)
Generate the CA
# ./build-ca
Common Name: vpn.server.hostname
Press Enter to accept the defaults for the other fields, or fill them in freely.
** The Common Name does not have to be the real hostname; this field plays no part in authenticating VPN connections.
Generate the server key
# ./build-key-server server
Press Enter to accept the defaults (or fill in values) at every prompt.
Sign the certificate? [y/n] answer y
1 out of 1 certificate requests certified, commit? [y/n] answer y
Generate dh1024.pem (dh2048.pem if KEY_SIZE=2048 was set in vars)
# ./build-dh
Generate ta.key
# openvpn --genkey --secret keys/ta.key
Generate a client key
# ./build-key-pass client-test
Enter PEM pass phrase: enter the key passphrase
Verifying - Enter PEM pass phrase: enter it again to confirm
Press Enter to accept the defaults (or fill in values) for the remaining prompts.
Sign the certificate? [y/n] answer y
1 out of 1 certificate requests certified, commit? [y/n] answer y
** This passphrase is required on the client device every time it connects to the VPN.
Start the OpenVPN service
# service openvpn start
Start OpenVPN automatically at boot
# chkconfig openvpn on
OpenVPN client setup
Ubuntu & Linux Mint
$ mkdir ~/.openvpn
$ cd ~/.openvpn
Fetch ca.crt, ta.key, client-test.crt and client-test.key from the OpenVPN server and put them in ~/.openvpn (use a trusted channel such as scp; client-test.key is the client's private key and ta.key is shared by every peer, so keep both mode 600)
$ sudo apt-get install openvpn
$ cp /usr/share/openvpn/examples/sample-config-files/client.conf ./
$ vi client.conf
client
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client-test.crt
key client-test.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
(ns-cert-type server checks the nsCertType extension that easy-rsa's build-key-server puts into the server certificate, so a client cannot be lured into connecting to a peer that presents another client's certificate. Newer clients use remote-cert-tls server, which checks the extended key usage instead; ns-cert-type was removed in OpenVPN 2.5.)
$ sudo openvpn --config client.conf
Windows 7
- Download and install the OpenVPN Windows installer
- Accept the defaults and click Next throughout
- When asked "Would you like to install this device software?", answer "Install"
- Copy ca.crt, ta.key, client-test.crt and client-test.key from the OpenVPN server into C:\Program Files\OpenVPN\config
- Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config\
- Edit C:\Program Files\OpenVPN\config\client.ovpn as follows
client
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-test.crt
key client-test.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
- Run the OpenVPN GUI shortcut on the desktop as Administrator
- Double-click the OpenVPN icon in the taskbar to connect
Android (requires Android 4.0 or later)
- Search Google Play for openvpn connect, or install OpenVPN Connect from the web
- Copy ca.crt, ta.key, client-test.crt, client-test.key and client.ovpn (client.conf renamed) from the OpenVPN server into a directory on the phone. The client.conf template on the OpenVPN server is /usr/share/doc/openvpn-2.2.2/sample-config-files/client.conf; edit it first, rename it to client.ovpn, and then copy it to the Android device
- Run OpenVPN Connect, menu → Import → Import Profile from SD card → open the directory the files were copied into and select client.ovpn
- Enter the Private Key Password
- Tap Connect
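The four files copied to each client above can instead be delivered as one self-contained .ovpn profile, which OpenVPN Connect on Android imports directly and which saves the copying around on Windows. The script below is an added example written for this page (not from the original post or the OpenVPN project); it assumes an OpenVPN 2.1 or newer client, which is where inline <ca>/<cert>/<key>/<tls-auth> blocks and remote-cert-tls were introduced, and uses the server address 123.123.123.123 and port 1194 from the post. The certificate files it writes for its stand-alone run are constructed placeholders, not real PEM data.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): bundle the four
# client files into one self-contained .ovpn profile instead of shipping ca.crt, ta.key,
# <client>.crt and <client>.key separately. Assumes an OpenVPN 2.1 or newer client; the
# easy-rsa 2.0 [server] section sets extendedKeyUsage=serverAuth, which remote-cert-tls checks.

# Usage: build_inline_profile <client-name> <keys-dir> <server-address> [port] > client.ovpn
build_inline_profile() {
    name="$1"; dir="$2"; server="$3"; port="${4:-1194}"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# verifies the server certificate's extended key usage (serverAuth);
# this is the successor of "ns-cert-type server"
remote-cert-tls server
# tls-auth key direction: 1 on clients, 0 on the server (replaces "tls-auth ta.key 1")
key-direction 1
# must match the server; the server.conf in this post has comp-lzo
comp-lzo
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$name.crt")
</cert>
<key>
$(cat "$dir/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}

# Constructed placeholder files in the layout of easy-rsa's keys/ directory (not real PEM data),
# so the script can be run without a PKI.
write_sample_keys() {
    mkdir -p "$1"
    for f in ca.crt client-test.crt; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "constructed placeholder for $f" \
            '-----END CERTIFICATE-----' > "$1/$f"
    done
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'constructed placeholder' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/client-test.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'constructed placeholder' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Stand-alone use: build the profile for the arguments given, or a demo one from the placeholders.
if [ "$#" -ge 3 ]; then
    build_inline_profile "$@"
else
    tmp=$(mktemp -d)
    write_sample_keys "$tmp"
    build_inline_profile client-test "$tmp" 123.123.123.123
    rm -rf "$tmp"
fi
```

On the server, sh build_profile.sh client-UserA /etc/openvpn/easy-rsa/keys 123.123.123.123 > client-UserA.ovpn produces the file to hand to that user. It contains the client's private key (passphrase-protected by build-key-pass) and the shared ta.key, so chmod 600 it and deliver it over a trusted channel, never by plain e-mail.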
Generating new client keys on the OpenVPN server
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-pass client-UserA
# ./build-key-pass client-UserB
Revoking a client key on the OpenVPN server
# cd /etc/openvpn/easy-rsa
# source ./vars
# sh ./revoke-full client-test
# vi ../server.conf
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
# service openvpn restart
From then on a revocation takes effect immediately: go into /etc/openvpn/easy-rsa, source ./vars and run revoke-full on the key; server.conf needs no further editing and the openvpn service no restart, because OpenVPN rereads crl.pem on every new connection. revoke-full ends by running openssl verify against the revoked certificate and prints "error 23 at 0 depth lookup: certificate revoked"; that message is expected and confirms the revocation worked.
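As an added check (example written for this page, not part of the original post or of easy-rsa), the script below reads easy-rsa's keys/index.txt, the OpenSSL CA database that build-key-pass and revoke-full update, and reports which client certificates are still active, which are revoked and which have expired. The index.txt it writes for a stand-alone run is constructed to look like the one the procedure above would leave behind (serials and dates invented).

```shell
#!/bin/sh
# Added example (not from the original post): list who can still connect, from easy-rsa's
# keys/index.txt. That file is OpenSSL's CA database, one tab-separated line per certificate:
#   status  expiry  revocation-date  serial  filename  subject-DN
# status is V (valid), R (revoked) or E (expired); dates are YYMMDDHHMMSSZ. Dates are compared
# as strings, which is valid because the format is fixed-width and zero-padded.

# Usage: list_openvpn_certs keys/index.txt [now-as-YYMMDDHHMMSSZ]
list_openvpn_certs() {
    now="${2:-$(date -u +%y%m%d%H%M%SZ)}"
    awk -F '\t' -v now="$now" '
    NF >= 6 {
        cn = "(no CN)"
        if (match($6, /\/CN=[^\/]+/)) cn = substr($6, RSTART + 4, RLENGTH - 4)
        if ($1 == "R")                  print "REVOKED " $4 " " cn " (revoked " $3 ")"
        else if ($1 == "E" || $2 < now) print "EXPIRED " $4 " " cn " (expired " $2 ")"
        else                            print "ACTIVE  " $4 " " cn " (expires " $2 ")"
    }' "$1"
}

# Only the common names a client can still present: the ones the server accepts once
# crl-verify is configured and crl.pem is current.
active_cns() {
    list_openvpn_certs "$1" "$2" | awk '$1 == "ACTIVE" { print $3 }'
}

# Constructed sample index.txt in the layout easy-rsa 2.0 produces (serials and dates invented):
# the server cert, the revoked client-test, client-UserA, and a client-UserB that has expired.
write_sample_index() {
    dn='/C=TW/ST=Taiwan/L=Taipei/O=My Company, Inc.'
    printf 'V\t240101000000Z\t\t01\tunknown\t%s/CN=server/emailAddress=root@mycompany.com\n' "$dn" > "$1"
    printf 'R\t240101000000Z\t140110083000Z\t02\tunknown\t%s/CN=client-test/emailAddress=root@mycompany.com\n' "$dn" >> "$1"
    printf 'V\t240101000000Z\t\t03\tunknown\t%s/CN=client-UserA/emailAddress=root@mycompany.com\n' "$dn" >> "$1"
    printf 'V\t160101000000Z\t\t04\tunknown\t%s/CN=client-UserB/emailAddress=root@mycompany.com\n' "$dn" >> "$1"
}

# Stand-alone use: list the index given on the command line, or the sample as of 2017-01-01.
if [ "$#" -gt 0 ]; then
    list_openvpn_certs "$1" "$2"
else
    tmp=$(mktemp)
    write_sample_index "$tmp"
    list_openvpn_certs "$tmp" 170101000000Z
    rm -f "$tmp"
fi
```

Run sh list_certs.sh /etc/openvpn/easy-rsa/keys/index.txt after each revoke-full. If active_cns still lists a name that should no longer connect, the revocation has not been recorded; remember that crl-verify enforces keys/crl.pem, which revoke-full regenerates, so both the index and the CRL must reflect the change.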
Letting OpenVPN clients reach other LAN-to-LAN VPN networks behind the server
Suppose the server side also has a 192.168.2.0/24 network reached over a LAN-to-LAN VPN.
If a client's own network happens to be 192.168.2.0/24 as well and, once connected, it needs to reach the server-side 192.168.2.0/24,
then besides adjusting the client PC's routing table by hand, OpenVPN can be configured to change the route automatically on connect:
# vi /etc/openvpn/server.conf
push "route 192.168.2.0 255.255.255.0"
# service openvpn restart
Allowing several clients to connect with the same certificate (duplicate-cn): the comment in the sample server.conf reads
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn
With duplicate-cn, one leaked key gives every holder access and revoking it cuts all of them off at once; issuing one key per device with build-key-pass avoids both problems.