CentOS 7: changing the locale to zh_CN.UTF-8


Check the current environment

# localectl status

Get the list of locales that can be configured

# localectl list-locales | grep zh

Set the locale

# localectl set-locale LANG=zh_CN.utf8

Check the locale status

# localectl status

Reference: How to set up system locale on CentOS 7


CentOS 7: editing fstab to mount a disk automatically


Use blkid to get the UUID and filesystem type

# blkid /dev/sdd5
/dev/sdd5: UUID="43f2e872-45e4-4837-8214-7238cbb312c6" TYPE="xfs"

Edit /etc/fstab and add the following entry

UUID=43f2e872-45e4-4837-8214-7238cbb312c6 /opt xfs defaults 0 0

Building a bastion host on Linux


Reference: https://aws.amazon.com/cn/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/

Follow the original Amazon procedure step by step; note the parts in red, which fix a difference in how the script command is invoked.

# Create a new folder for the log files
mkdir /var/log/bastion

# Allow ec2-user only to access this folder and its content
chown ec2-user:ec2-user /var/log/bastion
chmod -R 770 /var/log/bastion
setfacl -Rdm other:0 /var/log/bastion

# Make OpenSSH execute a custom script on logins
echo -e "\nForceCommand /usr/bin/bastion/shell" >> /etc/ssh/sshd_config

# Block some SSH features that bastion host users could use to circumvent
# the solution
awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
awk '!/X11Forwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
echo "X11Forwarding no" >> /etc/ssh/sshd_config

mkdir /usr/bin/bastion

cat > /usr/bin/bastion/shell << 'EOF'

# Check that the SSH client did not supply a command
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then

# The format of log files is /var/log/bastion/YYYY-MM-DD_HH-MM-SS_user
LOG_FILE="`date --date="today" "+%Y-%m-%d_%H-%M-%S"`_`whoami`"
LOG_DIR="/var/log/bastion/"

# Print a welcome message
echo ""
echo "NOTE: This SSH session will be recorded"
echo "AUDIT KEY: $LOG_FILE"
echo ""

# I suffix the log file name with a random string. I explain why
# later on.
SUFFIX=`mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`

# Wrap an interactive shell into "script" to record the SSH session
script -qf -t $LOG_DIR$LOG_FILE$SUFFIX.time $LOG_DIR$LOG_FILE$SUFFIX.data -c /bin/bash

else

# The "script" program could be circumvented with some commands
# (e.g. bash, nc). Therefore, I intentionally prevent users
# from supplying commands.

echo "This bastion supports interactive sessions only. Do not supply a command"
exit 1

fi

EOF

# Make the custom script executable
chmod a+x /usr/bin/bastion/shell

# Bastion host users could overwrite and tamper with an existing log file
# using "script" if they knew the exact file name. I take several measures
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log
# files.
# This is done by changing the group owner of "script" and setting GID.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script

# 3. Prevent bastion host users from viewing processes owned by other
# users, because the log file name is one of the "script"
# execution parameters.
mount -o remount,rw,hidepid=2 /proc
awk '!/proc/' /etc/fstab > temp && mv temp /etc/fstab
echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab

# Restart the SSH service to apply /etc/ssh/sshd_config modifications.
service sshd restart


BadPaddingException when data RSA-encrypted on Android is decrypted on a Java server


Cause: the virtual machine used by Android (Dalvik) differs from Sun's standard JDK, and one of the differences is the default RSA implementation. When the Android side encrypts with Cipher.getInstance("RSA"), the provider in use is the Bouncy Castle security provider, whose default for "RSA" is the "RSA/None/NoPadding" algorithm; when the server (PC) side decrypts with Cipher.getInstance("RSA"), the Sun security provider is used, which implements "RSA/None/PKCS1Padding". The paddings do not match, so decryption fails.

Correct setup: Java server-side code

Cipher cipher = Cipher.getInstance("RSA");

Android-side code

Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding");
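As an added example (not code from the original post), the following Java program reproduces the mismatch on a standard JDK and shows the fix of naming the padding explicitly on both sides. It uses the Sun-style transformation names ("RSA/ECB/..."); "RSA/None/PKCS1Padding" in the post is the Bouncy Castle spelling of the same PKCS#1 v1.5 padding.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

public class RsaPaddingMismatch {

    // Encrypt with the transformation the sending side actually uses.
    static byte[] encrypt(String transformation, KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(plaintext);
    }

    // Decrypt with the transformation the receiving side actually uses.
    static byte[] decrypt(String transformation, KeyPair kp, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "hello".getBytes(StandardCharsets.UTF_8); // constructed sample input

        // Case 1: the situation in the post. The "Android" side produces a raw
        // (unpadded) RSA block; the server expects a PKCS#1 v1.5 block starting
        // with 0x00 0x02, finds leading zero bytes instead, and rejects it.
        byte[] raw = encrypt("RSA/ECB/NoPadding", kp, msg);
        try {
            decrypt("RSA/ECB/PKCS1Padding", kp, raw);
            System.out.println("unexpected: decryption succeeded");
        } catch (BadPaddingException e) {
            System.out.println("mismatch reproduced: " + e);
        }

        // Case 2: both sides name the same padding explicitly, so the
        // provider defaults no longer matter.
        byte[] ct = encrypt("RSA/ECB/PKCS1Padding", kp, msg);
        byte[] pt = decrypt("RSA/ECB/PKCS1Padding", kp, ct);
        System.out.println("explicit padding on both sides: " + new String(pt, StandardCharsets.UTF_8));
    }
}
```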

Fixing Cassandra nodes that keep reporting "received an invalid gossip generation"


For more than a month, a Cassandra node had been reporting "received an invalid gossip generation for peer xxx.xxx.xxx.xxx; local generation = 1414613355, received generation = 1450978722", and as a result tables could not be created.

I tried restarting the node that reported the problem, and then restarting every node in the cluster one by one, but neither resolved it.

Recently, through the article "Nodes showing DN in nodetool status with 'invalid gossip generation' warning in logs", I found the article "long-running cluster sees bad gossip generation when a node restarts", in which someone reported that restarting the entire cluster resolved the issue. That gave me the idea: I picked a quiet period for the business, stopped all nodes in the cluster, then started them again, and the problem was resolved.

I had been under a misconception that restarting the cluster meant restarting each node in turn; it actually means stopping all nodes in the cluster and then starting them again.