深海游弋的鱼 – 第 4 页

ubuntu 20.04配置rsync服务通过ssh同步

安装配置为数据同步进行准备

$ sudo apt-get install rsync

# ubuntu 16.04/18.04默认源中都存在rssh ,但是 ubuntu 20.04开始，已经没办法从系统源中安装了。
# 原因在于 rssh 存在安全漏洞，并且长时间没有修复，并且已经没人维护了，我们使用rrsync替代 

$ export RSH_RSYNC_USER=rsh_backup

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

# 如果需要备份/var/log 目录，建议把用户组设置成 adm 用户组，否则很多日志没办法读取
# sudo useradd -s "" $RSH_RSYNC_USER -g users -G adm
# 后期也可以通过 sudo usermod -g users -G adm $RSH_RSYNC_USER 更改用户组

# 不配置任何登陆默认shell，以便于 rrsync 接管
$ sudo useradd -s "" $RSH_RSYNC_USER

$ echo $RSH_RSYNC_USER:$RSH_RSYNC_USER_PASSWORD | sudo chpasswd

# 创建配置文件目录，增加配置信息
$ sudo mkdir /home/$RSH_RSYNC_USER

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER

$ sudo mkdir /home/$RSH_RSYNC_USER/.ssh

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh

$ sudo touch /home/$RSH_RSYNC_USER/.ssh/authorized_keys

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh/authorized_keys

# 配置许可访问的目录
$ echo 'command="/usr/bin/rrsync -ro /var/www /data/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding' | sudo tee /home/$RSH_RSYNC_USER/.ssh/authorized_keys

$ sudo apt-get install rsync

# ubuntu 16.04/18.04默认源中都存在rssh ,但是 ubuntu 20.04开始，已经没办法从系统源中安装了。

# 原因在于 rssh 存在安全漏洞，并且长时间没有修复，并且已经没人维护了，我们使用rrsync替代

$ export RSH_RSYNC_USER=rsh_backup

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

# 如果需要备份/var/log 目录，建议把用户组设置成 adm 用户组，否则很多日志没办法读取

# sudo useradd -s "" $RSH_RSYNC_USER -g users -G adm

# 后期也可以通过 sudo usermod -g users -G adm $RSH_RSYNC_USER 更改用户组

# 不配置任何登陆默认shell，以便于 rrsync 接管

$ sudo useradd -s "" $RSH_RSYNC_USER

$ echo $RSH_RSYNC_USER:$RSH_RSYNC_USER_PASSWORD | sudo chpasswd

# 创建配置文件目录，增加配置信息

$ sudo mkdir /home/$RSH_RSYNC_USER

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER

$ sudo mkdir /home/$RSH_RSYNC_USER/.ssh

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh

$ sudo touch /home/$RSH_RSYNC_USER/.ssh/authorized_keys

$ sudo chown -R $RSH_RSYNC_USER /home/$RSH_RSYNC_USER/.ssh/authorized_keys

# 配置许可访问的目录

$ echo 'command="/usr/bin/rrsync -ro /var/www /data/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding' | sudo tee /home/$RSH_RSYNC_USER/.ssh/authorized_keys

客户端同步,测试是否正常工作

$ export RSH_RSYNC_USER=rsh_backup 

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

$ export RSH_RSYNC_PORT=22

$ export REMOTE_SERVER=www.mobibrw.com

$ export SYNC_DIR=/var/www

# 测试是否可以正常工作，另一个方面是许可ssh的登录key否则我们后续没办法使用sshpass
# 可以使用 --exclude 参数忽略指定的目录,相对路径，不是绝对路径
$ sudo rsync -avzP --delete -e 'ssh -p $RSH_RSYNC_PORT' $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR

$ export RSH_RSYNC_USER=rsh_backup

$ export RSH_RSYNC_USER_PASSWORD=rsh_password

$ export RSH_RSYNC_PORT=22

$ export REMOTE_SERVER=www.mobibrw.com

$ export SYNC_DIR=/var/www

# 测试是否可以正常工作，另一个方面是许可ssh的登录key否则我们后续没办法使用sshpass

# 可以使用 --exclude 参数忽略指定的目录,相对路径，不是绝对路径

$ sudo rsync -avzP --delete -e 'ssh -p $RSH_RSYNC_PORT' $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR

转化为定时任务，自动同步

# 安装密码自动填写软件
$ sudo apt-get install sshpass

$ cd ~

$ touch backup_rsync.sh

$ chmod +x backup_rsync.sh

$ echo -e '#!'"/bin/bash\n" >> backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER=rsh_backup' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER_PASSWORD=rsh_password' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_PORT=22' backup_rsync.sh

$ sed -i '$a\export REMOTE_SERVER=www.mobibrw.com' backup_rsync.sh

# 此处注意最后的分隔符/如果没有这个分隔符，会导致目标目录多一个名为www的父目录
$ sed -i '$a\export SYNC_DIR=/var/www/' backup_rsync.sh

# 可以使用 --exclude 参数忽略指定的目录，相对路径，不是绝对路径
$ sed -i '$a\sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e \"ssh -p $RSH_RSYNC_PORT\" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR' backup_rsync.sh

# 打开计划任务的日志，默认不开
$ sudo sed -i -r "s/#cron\.\*[ \t]*\/var\/log\/cron.log/cron.*                         \/var\/log\/cron.log/g" /etc/rsyslog.d/50-default.conf

#write out current crontab
$ sudo crontab -l > addcron

#echo new cron into cron file ,每隔30分钟我们调度一次任务,前面是文件锁，防止并发冲突
#如果需要每小时执行一次，则修改为 "* */1 * * * flock ...."
#如果需要凌晨2点执行，则修改为 "* 2 * * * flock ...."
$ echo "30 * * * * flock -x -w 10 /dev/shm/backup_rsync_corn.lock -c \"bash `echo ~`/backup_rsync.sh\"" >> addcron

#install new cron file
$ sudo crontab addcron

$ rm addcron

$ sudo service cron restart

# 安装密码自动填写软件

$ sudo apt-get install sshpass

$ cd ~

$ touch backup_rsync.sh

$ chmod +x backup_rsync.sh

$ echo -e '#!'"/bin/bash\n" >> backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER=rsh_backup' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_USER_PASSWORD=rsh_password' backup_rsync.sh

$ sed -i '$a\export RSH_RSYNC_PORT=22' backup_rsync.sh

$ sed -i '$a\export REMOTE_SERVER=www.mobibrw.com' backup_rsync.sh

# 此处注意最后的分隔符/如果没有这个分隔符，会导致目标目录多一个名为www的父目录

$ sed -i '$a\export SYNC_DIR=/var/www/' backup_rsync.sh

# 可以使用 --exclude 参数忽略指定的目录，相对路径，不是绝对路径

$ sed -i '$a\sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e \"ssh -p $RSH_RSYNC_PORT\" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DIR $SYNC_DIR' backup_rsync.sh

# 打开计划任务的日志，默认不开

$ sudo sed -i -r "s/#cron\.\*[ \t]*\/var\/log\/cron.log/cron.* \/var\/log\/cron.log/g" /etc/rsyslog.d/50-default.conf

#write out current crontab

$ sudo crontab -l > addcron

#echo new cron into cron file ,每隔30分钟我们调度一次任务,前面是文件锁，防止并发冲突

#如果需要每小时执行一次，则修改为 "* */1 * * * flock ...."

#如果需要凌晨2点执行，则修改为 "* 2 * * * flock ...."

$ echo "30 * * * * flock -x -w 10 /dev/shm/backup_rsync_corn.lock -c \"bash `echo ~`/backup_rsync.sh\"" >> addcron

#install new cron file

$ sudo crontab addcron

$ rm addcron

$ sudo service cron restart

目前我的阿里云，腾讯云服务器之间的同步脚本如下：

#!/bin/bash

export RSH_RSYNC_USER=user
export RSH_RSYNC_USER_PASSWORD=password
export RSH_RSYNC_PORT=22
export REMOTE_SERVER=121.199.27.227

export SYNC_WWW_DIR=/var/www/

sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_WWW_DIR $SYNC_WWW_DIR --exclude "wordpress/wp-content/cache/" --exclude "wordpress/wp-content/plugins/crayon-syntax-highlighter/log.txt"

export SYNC_DATA_DIR=/data/
 
# 此处注意，如果使用 --exclude "/root/" 则忽略最顶部的root目录
# 如果使用 --exclude "root/" 则忽略所有路径中包含 root 的目录
# 主要 rsync 的 top-directroty 部分的规则
sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DATA_DIR $RSYNC_DATA_DIR --exclude "/root/"

#!/bin/bash

export RSH_RSYNC_USER=user

export RSH_RSYNC_USER_PASSWORD=password

export RSH_RSYNC_PORT=22

export REMOTE_SERVER=121.199.27.227

export SYNC_WWW_DIR=/var/www/

sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_WWW_DIR $SYNC_WWW_DIR --exclude "wordpress/wp-content/cache/" --exclude "wordpress/wp-content/plugins/crayon-syntax-highlighter/log.txt"

export SYNC_DATA_DIR=/data/

# 此处注意，如果使用 --exclude "/root/" 则忽略最顶部的root目录

# 如果使用 --exclude "root/" 则忽略所有路径中包含 root 的目录

# 主要 rsync 的 top-directroty 部分的规则

sshpass -p $RSH_RSYNC_USER_PASSWORD rsync -avzP --delete -e "ssh -p $RSH_RSYNC_PORT" $RSH_RSYNC_USER@$REMOTE_SERVER:$SYNC_DATA_DIR $RSYNC_DATA_DIR --exclude "/root/"

参考链接

Fix ufw service not loading after a reboot

I have a Ubuntu 18.04/20.04 server running ufw (Uncomplicated Firewall) and Docker. Docker relies on iptables-persistent, which is an interface to a much more powerful and complicated firewall that many people would rather avoid.

The problem here is that ufw and iptables-persistent are both ways for creating the same firewall. On my server, only one service would ever run at startup negating the other.

After a reboot ufw would always be disabled.

$ sudo ufw status

Status: inactive

$ sudo ufw status

Status: inactive

Even though the ufw service is enabled, if you look closely, the active service has exited.

$ sudo systemctl status ufw 

● ufw.service - Uncomplicated firewall
    Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
    Active: active (exited)

$ sudo systemctl status ufw

● ufw.service - Uncomplicated firewall

Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)

Active: active (exited)

If I check the server services, both ufw and netfilter-persistent are enabled. netfilter-persistent is a means for managing iptables on Debian and Ubuntu systems.

$ sudo service --status-all

 [ + ]  netfilter-persistent
 [ + ]  ufw

$ sudo service --status-all

[ + ] netfilter-persistent

[ + ] ufw

The fix is simple; we need to tell the operating system to load ufw after the netfilter-persistent.

Find and backup the ufw service.

$ ls -l /lib/systemd/system/ufw.service

-rw-r--r-- 1 root root  266 Aug 15  2017  ufw.service

$ ls -l /lib/systemd/system/ufw.service

-rw-r--r-- 1 root root 266 Aug 15 2017 ufw.service

$ cd /lib/systemd/system/

$ sudo cp ufw.service ufw.service.original

$ cd /lib/systemd/system/

$ sudo cp ufw.service ufw.service.original

$ cat /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

$ cat /lib/systemd/system/ufw.service

[Unit]

Description=Uncomplicated firewall

Documentation=man:ufw(8)

DefaultDependencies=no

Before=network.target

[Service]

Type=oneshot

RemainAfterExit=yes

ExecStart=/lib/ufw/ufw-init start quiet

ExecStop=/lib/ufw/ufw-init stop

[Install]

WantedBy=multi-user.target

Update and save the modified service by appending After=netfilter-persistent.service to the [Unit] block.

$ sudo nano /lib/systemd/system/ufw.service

1	$ sudo nano /lib/systemd/system/ufw.service

 [Unit]
 Description=Uncomplicated firewall
 Documentation=man:ufw(8)
 DefaultDependencies=no
 Before=network.target
 After=netfilter-persistent.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/lib/ufw/ufw-init start quiet
 ExecStop=/lib/ufw/ufw-init stop

 [Install]
 WantedBy=multi-user.target

[Unit]

Description=Uncomplicated firewall

Documentation=man:ufw(8)

DefaultDependencies=no

Before=network.target

After=netfilter-persistent.service

[Service]

Type=oneshot

RemainAfterExit=yes

ExecStart=/lib/ufw/ufw-init start quiet

ExecStop=/lib/ufw/ufw-init stop

[Install]

WantedBy=multi-user.target

Reboot and test.

$ sudo reboot

1	$ sudo reboot

$ sudo ufw status

Status: active
 To                         Action      From
 --                         ------      ----
 OpenSSH                    ALLOW       Anywhere
 Nginx Full                 ALLOW       Anywhere

$ sudo ufw status

Status: active

To Action From

-- ------ ----

OpenSSH ALLOW Anywhere

Nginx Full ALLOW Anywhere

参考链接

- Fix ufw service not loading after a reboot
- Ubuntu - ufw status shows inactive after reboot

How to Install and Configure Fail2ban on Ubuntu 20.04

Any service that is exposed to the Internet is at risk of malware attacks. For example, if you are running a service on a publicly available network, attackers can use brute-force attempts to sign in to your account.

Fail2ban is a tool that helps protect your Linux machine from brute-force and other automated attacks by monitoring the services logs for malicious activity. It uses regular expressions to scan log files. All entries matching the patterns are counted, and when their number reaches a certain predefined threshold, Fail2ban bans the offending IP using the system firewall for a specific length of time. When the ban period expires, the IP address is removed from the ban list.

This article describes how to install and configure Fail2ban on Ubuntu 20.04.

低于 ubuntu 20.04 的系统，可以参考 ubuntu 16.04防止SSH暴力登录攻击。

Installing Fail2ban on Ubuntu

The Fail2ban package is included in the default Ubuntu 20.04 repositories. To install it, enter the following command as root or user with sudo privileges :

$ sudo apt update

$ sudo apt install fail2ban

$ sudo apt update

$ sudo apt install fail2ban

Once the installation is completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:

$ sudo systemctl status fail2ban

1	$ sudo systemctl status fail2ban

The output will look like this:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago
       Docs: man:fail2ban(1)
   Main PID: 1251 (f2b/server)
      Tasks: 5 (limit: 1079)
     Memory: 13.8M
     CGroup: /system.slice/fail2ban.service
             └─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

● fail2ban.service - Fail2Ban Service

Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)

Active: active (running) since Wed 2020-08-19 06:16:29 UTC; 27s ago

Docs: man:fail2ban(1)

Main PID: 1251 (f2b/server)

Tasks: 5 (limit: 1079)

Memory: 13.8M

CGroup: /system.slice/fail2ban.service

└─1251 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

That’s it. At this point, you have Fail2Ban running on your Ubuntu server.

Fail2ban Configuration

The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files as they may be overwritten when the package is updated.

Fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local

For most users, the easiest way to configure Fail2ban is to copy the jail.conf to jail.local and modify the .local file. More advanced users can build a .localconfiguration file from scratch. The .local file doesn’t have to include all settings from the corresponding .conf file, only those you want to override.

Create a .local configuration file from the default jail.conf file:

$ sudo cp /etc/fail2ban/jail.{conf,local}

1	$ sudo cp /etc/fail2ban/jail.{conf,local}

To start configuring the Fail2ban server open, the jail.local file with your text editor :

$ sudo nano /etc/fail2ban/jail.local

1	$ sudo nano /etc/fail2ban/jail.local

The file includes comments describing what each configuration option does. In this example, we’ll change the basic settings.

Whitelist IP Addresses

IP addresses, IP ranges, or hosts that you want to exclude from banning can be added to the ignoreip directive. Here you should add your local PC IP address and all other machines that you want to whitelist.

Uncomment the line starting with ignoreip and add your IP addresses separated by space:

/etc/fail2ban/jail.local

ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

1	ignoreip = 127.0.0.1/8 ::1 123.123.123.123 192.168.1.0/24

Ban Settings

The values of bantime, findtime, and maxretry options define the ban time and ban conditions.

bantime is the duration for which the IP is banned. When no suffix is specified, it defaults to seconds. By default, the bantime value is set to 10 minutes. Generally, most users will want to set a longer ban time. Change the value to your liking:

/etc/fail2ban/jail.local

bantime = 1d

1	bantime = 1d

To permanently ban the IP use a negative number.

findtime is the duration between the number of failures before a ban is set. For example, if Fail2ban is set to ban an IP after five failures (maxretry, see below), those failures must occur within the findtime duration.

/etc/fail2ban/jail.local

# 这个时间段内超过规定次数会被ban掉
findtime = 10m

1 2	# 这个时间段内超过规定次数会被ban掉 findtime = 10m

maxretry is the number of failures before an IP is banned. The default value is set to five, which should be fine for most users.

/etc/fail2ban/jail.local

maxretry = 5

1	maxretry = 5

Email Notifications

Fail2ban can send email alerts when an IP has been banned. To receive emails, you need to have an SMTP installed on your server and change the default action, which only bans the IP to %(action_mw)s, as shown below:

/etc/fail2ban/jail.local

action = %(action_mw)s

1	action = %(action_mw)s

%(action_mw)s bans the offending IP and sends an email with a whois report. If you want to include the relevant logs in the email, set the action to %(action_mwl)s.

You can also adjust the sending and receiving email addresses:

/etc/fail2ban/jail.local

destemail = admin@linuxize.com 
sender = root@linuxize.com

1 2	destemail = admin@linuxize.com sender = root@linuxize.com

Fail2ban Jails

Fail2ban uses a concept of jails. A jail describes a service and includes filters and actions. Log entries matching the search pattern are counted, and when a predefined condition is met, the corresponding actions are executed.

Fail2ban ships with a number of jail for different services. You can also create your own jail configurations.

By default, only the ssh jail is enabled. To enable a jail, you need to add enabled = true after the jail title. The following example shows how to enable the proftpd jail:

/etc/fail2ban/jail.local

[proftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s

[proftpd]

port = ftp,ftp-data,ftps,ftps-data

logpath = %(proftpd_log)s

backend = %(proftpd_backend)s

The settings we discussed in the previous section, can be set per jail. Here is an example:

/etc/fail2ban/jail.local

[sshd]
enabled   = true
maxretry  = 3
findtime  = 1d
bantime   = 4w
ignoreip  = 127.0.0.1/8 23.34.45.56

[sshd]

enabled = true

maxretry = 3

findtime = 1d

bantime = 4w

ignoreip = 127.0.0.1/8 23.34.45.56

The filters are located in the /etc/fail2ban/filter.d directory, stored in a file with same name as the jail. If you have custom setup and experience with regular expressions you can fine tune the filters.

Each time you edit a configuration file, you need to restart the Fail2ban service for changes to take effect:

$ sudo systemctl restart fail2ban

1	$ sudo systemctl restart fail2ban

Fail2ban Client

Fail2ban ships with a command-line tool named fail2ban-client that you can use to interact with the Fail2ban service.

To view all available options, invoke the command with the -h option:

$ fail2ban-client -h

1	$ fail2ban-client -h

This tool can be used to ban/unban IP addresses, change settings, restart the service, and more. Here are a few examples:

Check the jail status:

$ sudo fail2ban-client status sshd

1

$ sudo fail2ban-client status sshd
Unban an IP:

$ sudo fail2ban-client set sshd unbanip 23.34.45.56

1

$ sudo fail2ban-client set sshd unbanip 23.34.45.56
Ban an IP:

$ sudo fail2ban-client set sshd banip 23.34.45.56

1

$ sudo fail2ban-client set sshd banip 23.34.45.56

Conclusion

We’ve shown you how to install and configure Fail2ban on Ubuntu 20.04.

For more information on this topic, visit the Fail2ban documentation .

If you have questions, feel free to leave a comment below.

注意：如果服务器上启用了 UFW 防火墙，则几乎必然出现 Fail2ban 无法阻止攻击者 IP 的情况。

尽管 Fail2ban 已经提示阻止用户访问。但是由于 iptables 的顺序问题，根本不起作用，依旧在 /var/log/auth.log 中观察到不断的访问尝试。

解决方法如下：

$ sudo vim /etc/fail2ban/jail.local

1	$ sudo vim /etc/fail2ban/jail.local

将

banaction = iptables-multiport
banaction_allports = iptables-allports

1 2	banaction = iptables-multiport banaction_allports = iptables-allports

更改为

banaction = ufw
banaction_allports = ufw

1 2	banaction = ufw banaction_allports = ufw

防火墙规则要求通过 UFW 进行设置。

重新载修改后的配置信息

$ sudo fail2ban-client reload

1	$ sudo fail2ban-client reload

默认情况下，执行如下命令后：

$ sudo systemctl enable ufw

$ sudo ufw enable

$ sudo systemctl enable ufw

$ sudo ufw enable

UFW 服务器应该随着服务器重启自动启动，但是却经常没有启动，尤其是 ubuntu 20.04 。

参考 Fix ufw service not loading after a reboot 调整。

默认情况下，Fail2ban的配置是没办法阻止用户名尝试的，因此，我们需要新增如下配置才能解决问题。

First, define the filter for invalid users in /etc/fail2ban/filter.d/sshd-invaliduser.conf:

[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
ignoreregex = 

[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in /etc/fail2ban/jail.local:

[sshd-invaliduser]
enabled = true
maxretry = 1
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[sshd-invaliduser]

enabled = true

maxretry = 1

port = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

默认情况下，Fail2ban的配置是没办法阻止root登陆尝试的，因此，我们需要新增如下配置才能解决问题。

[INCLUDES]
 
before = common.conf
 
[Definition]
 
_daemon = sshd
 
failregex = ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$
 
ignoreregex =
 
[Init]
 
maxlines = 10
 
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)spam_unix$sshd:auth$:\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$

ignoreregex =

[Init]

maxlines = 10

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

Then enable it in /etc/fail2ban/jail.local:

[sshd-ban-root]
enabled = true
maxretry = 1
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[sshd-ban-root]

enabled = true

maxretry = 1

port = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

移除被禁止访问的IP

我们自己操作的时候，可能会把自己给禁止访问，此时需要手工从禁止列表中移除某些特定的IP

$ sudo fail2ban-client unban xx.xx.xx.xx

1	$ sudo fail2ban-client unban xx.xx.xx.xx

参考链接

java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "".

ubuntu 18.04 .5 升级到 ubuntu 20.04.2 之后，发现 Tomcat 9.0.31 长时间没办法启动，观察日志，发现如下错误信息：

08-Feb-2021 22:09:23.792 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]
        org.apache.catalina.LifecycleException: Protocol handler start failed
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
        Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
                ... 12 more

08-Feb-2021 22:09:23.792 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]

org.apache.catalina.LifecycleException: Protocol handler start failed

at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)

at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)

at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)

at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)

at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)

at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)

at org.apache.catalina.startup.Catalina.start(Catalina.java:633)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)

at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)

... 12 more

这个是由于在升级系统的时候，选择保留老版本的配置文件，这样就导致，如果 Tomcat 配置了通过 AJP 方式与Apache通信的情况下，会报告上面的错误信息。

新增 secretRequired 的目的是为了解决 AJP 端口暴露在公网的情况下，存在 AJP File Read/Inclusion in Apache Tomcat (CVE-2020-1938) and Undertow (CVE-2020-1745) 漏洞，由于 Tomcat AJP 协议设计上存在缺陷，攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件，例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下，配合文件包含的利用还可以达到远程代码执行的危害。

连接方必须在连接的时候，传入正确的 secretRequired 才能与 Tomcat 通信，相当于通信需要的密码了。

网上很多人都是直接设置

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="" />

1	<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="" />

来解决问题的，也就是设置 secretRequired 为空字符，但是这样会导致攻击方不需要传递密码就可以通信了，因此诱发远程攻击漏洞。

正确的做法其实是不允许远程用户直接通过 Tomcat AJP 协议通信，也就是在设置绑定的 IP 地址为本地地址 127.0.0.1。如下：

<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" secretRequired=""/>

1	<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" secretRequired=""/>

参考链接

如何检查Linux中是否启用了USB3.0 UASP（USB附加SCSI协议）模式？

USB 3.0 在数据量较多且零碎传输时，效能的表现会较差，主要原因是在于传输技术所造成的状况。

USB 采用半双工传输模式与 BOT (Bluk Only Transfer) 传输协议，半双工传输模式就像是再讲对讲机一样，一方说完另一方才能继续对话，也就是说数据的传输方向仅有单向传输功能。

BOT 传输协议则是一种单线程的传输架构，这个架构就像马路上只能行使一台车子，不管路有多宽，都必须等待这量车子行驶过后下一部车子才能继续通行。

USB 的加速方式

提升为全双工模式

当 USB 升级到 USB 3.0 时，将原来的半双工传输模式，改为全双工模式，并且提升十倍的带宽，不过其架构还是在 BOT 之下。

BOT 加速模式

这个方式虽然还是在 BOT 的架构之下，但是是将原来在路上行使的轿车，换一台更大一点的公交车，将一次传送的数据量加大，就可以减少来回的次数，来达到加速的目的。

UASP 加速模式

BOT加速模式虽然可以有效的增加传输速度，不过还是没有在根本上解决无法多任务处理的问题，所以 USB-IF (USB Implementers Forum) 一个为开发 USB 规格的企业共同成立的非营利性机构，为了让传输效能更好，制定了UASP（USB Attached SCSI Protocol）传输架构，让 USB3.0 也能像 SCSI 传输协议的方式传输数据，不需等待上一笔数据传输完成后再进行传输数据的动作，并改善了在 CPU 的使用率、数据延迟及等待时间。

要达到 UASP 加速功能，请先确认您计算机端是否同样有支持 UASP 功能。
目前支持 UASP 的系统有 WIN 8 、Mac OS 8 & 9 ，除了以上系统，您也可以询问您购买的计算机公司，是否有提供相关的驱动程序。

继续阅读如何检查Linux中是否启用了USB3.0 UASP（USB附加SCSI协议）模式？

How to mount Virtualbox drive image(vdi) on Ubuntu 16.10/20.04

This tutorial will explain How to mount Virtualbox drive image(.vdi) on Ubuntu 16.10.First we need to install QEMU tools using the following command

sudo apt-get install qemu-kvm

Now we need to load the network block device (nbd) module using the following command

sudo modprobe nbd

run qemu-nbd, which is a user space loopback block device server for QEMU-supported disk images.

qemu-nbd -c /dev/nbd0 [vdi-file]

Note:- vdi-file :- Your vdi file location for example /home/test/ubuntu.vdi

Example

qemu-nbd -c /dev/nbd0 /home/test/ubuntu.vdi

You can check the partitions in the image using the following command

sudo fdisk -l /dev/nbd0

The above command will check the entire image as a block device named /dev/nbd0, and the partitions within it as subdevices. For example, the first partition in the image will appear as /dev/nbd0p1.

If you want to mount the first partition use the following command

sudo mount /dev/nbd0p1 /mnt

Now you can check all the contents of /mnt partition and copy all the required files.

After completing your work you can unmount the partition using the following command

sudo umount /mnt

Shutdown nbd services using the following command

sudo qemu-nbd -d /dev/nbd0

参考链接

ubuntu 20.04配置samba

$ sudo apt-get install libcanberra-gtk-module

$ sudo apt install avahi-daemon

$ sudo apt-get remove --purge samba

$ sudo apt-get install samba

$ sudo apt-get install libcanberra-gtk-module

$ sudo apt install avahi-daemon

$ sudo apt-get remove --purge samba

$ sudo apt-get install samba

编辑配置文件

$ sudo vim /etc/samba/smb.conf

1	$ sudo vim /etc/samba/smb.conf

文件尾部增加

[Movie]
   comment = Movie
   path = /mnt/data/Movie/ # 需要共享的目录位置
   browseable = yes # 是否可见
   read only = yes # 是否只读
   guest ok = yes # 登陆用户是否可访问
   valid users = user # 可访问的用户

[Movie]

comment = Movie

path = /mnt/data/Movie/ # 需要共享的目录位置

browseable = yes # 是否可见

read only = yes # 是否只读

guest ok = yes # 登陆用户是否可访问

valid users = user # 可访问的用户

重启服务

$ sudo service smbd restart

1	$ sudo service smbd restart

参考链接

ubuntu 18.04 Apache2启用HTTP/2

HTTP/2 可以让我们的应用更快、更简单、更稳定 – 这几词凑到一块是很罕见的！HTTP/2 将很多以前我们在应用中针对 HTTP/1.1 想出来的“歪招儿”一笔勾销，把解决那些问题的方案内置在了传输层中。不仅如此，它还为我们进一步优化应用和提升性能提供了全新的机会！

——《Web 性能权威指南》

Ubuntu18.04 官方源已经包含带有HTTP2模块的 Apache/2.4.29 ，所以我们可以很简单的启用 HTTP2。

$ sudo a2enmod http2

1	$ sudo a2enmod http2

首先启用 http2 模块，然后在虚拟主机的配置文件中或者在 Apache2 的全局配置文件中加入：

Protocols h2 http/1.1

1	Protocols h2 http/1.1

当客户端支持时优先使用 HTTP2 ，其次是 http/1.1，表明了一种优先顺序。

目前为止就已经启用完成了，但如果你是使用的 Apache2+PHP 架构的应用程序，由于 mpm_prefork 模块不支持 mod_http2，所以我们需要切换 mpm_prefork、mod_php 到 mpm_event 和 php-fpm 来解决这个问题。

# Install php-fpm and enable
$ sudo apt install php-fpm

$ sudo systemctl enable php7.2-fpm

# To enable PHP 7.2 FPM in Apache2
$ sudo a2enmod proxy_fcgi setenvif

$ sudo a2enconf php7.2-fpm

# First to disable PHP 7.2/ mpm_prefork to avoid conflicts,then enable.
$ sudo a2dismod php7.2 mpm_prefork

$ sudo a2enmod mpm_event

# Install php-fpm and enable

$ sudo apt install php-fpm

$ sudo systemctl enable php7.2-fpm

# To enable PHP 7.2 FPM in Apache2

$ sudo a2enmod proxy_fcgi setenvif

$ sudo a2enconf php7.2-fpm

# First to disable PHP 7.2/ mpm_prefork to avoid conflicts,then enable.

$ sudo a2dismod php7.2 mpm_prefork

$ sudo a2enmod mpm_event

继续阅读ubuntu 18.04 Apache2启用HTTP/2

ubuntu 20.04 & ubuntu18.04快速开启TCP BBR实现高效单边加速

Linux Kernel 内核升级到 4.9 及以上版本可以实现 BBR 加速，由于Ubuntu 18.04 默认的内核就是 4.15版本的内核，由于Ubuntu 20.04 默认的内核就是 5.4 版本的内核，并已经默认编译了 TCP BBR 模块，所以可以直接通过参数开启。

新的 TCP 拥塞控制算法 BBR (Bottleneck Bandwidth and RTT) 可以让服务器的带宽尽量跑慢，并且尽量不要有排队的情况，让网络服务更佳稳定和高效。

修改系统变量：

$ echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf 

$ echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf

$ echo 'net.core.default_qdisc=fq' | sudo tee -a /etc/sysctl.conf

$ echo 'net.ipv4.tcp_congestion_control=bbr' | sudo tee -a /etc/sysctl.conf

保存生效

$ sudo sysctl -p

1	$ sudo sysctl -p

执行

$ sysctl net.ipv4.tcp_available_congestion_control

1	$ sysctl net.ipv4.tcp_available_congestion_control

如果结果是这样

$ sysctl net.ipv4.tcp_available_congestion_control 
net.ipv4.tcp_available_congestion_control = bbr cubic reno

1 2	$ sysctl net.ipv4.tcp_available_congestion_control net.ipv4.tcp_available_congestion_control = bbr cubic reno

就开启了。执行 lsmod | grep bbr ，以检测 BBR 是否开启。

一般建议重启系统，重启后执行

$ sysctl net.ipv4.tcp_congestion_control 
net.ipv4.tcp_congestion_control = bbr

1 2	$ sysctl net.ipv4.tcp_congestion_control net.ipv4.tcp_congestion_control = bbr

参考链接

WOL网络唤醒在微星主板上开启(ubuntu 20.04/Windows 10双系统)

网络唤醒

微星H97I-AC的板子开启WOL网络唤醒

主板：微星 H97I-AC，集成 Realtek 千兆网卡,这个网卡自带网络唤醒功能，但是需要在操作系统中通过驱动开启这个功能，BIOS中无法直接开启。
操作系统：Windows 10/ubuntu 20.04双系统，双系统都需要进行配置，才能实现全部系统关机之后都能正常唤醒。

BIOS 设置

高级–整合周边设备–网卡ROM启动，设置为允许
高级–电源管理设置–Eup 2013，设置为禁止
高级–唤醒事件设置–PCIE设备唤醒，设置为允许

Windows 10 设置

控制面板–所有控制面板项–网络连接
在网卡适配器点击鼠标右键–属性，弹出的属性对话框中
选择网络选项卡–配置
选择高级选项卡，将关机网络唤醒设置为开启，将魔术封包唤醒设置为开启
电源管理选项卡，勾选下面三个选项，允许此设备唤醒计算机。

ubuntu 20.04设置

$ sudo apt-get install ethtool

$ sudo apt-get install vim

$ sudo vim /etc/systemd/system/wol.service

$ sudo apt-get install ethtool

$ sudo apt-get install vim

$ sudo vim /etc/systemd/system/wol.service

里面的内容如下：

[Unit]
Description=Configure Wake On LAN

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s eth0 wol g

# 如果有多张网卡
# ExecStart=/bin/bash -c '/sbin/ethtool -s enp5s0 wol g && /sbin/ethtool -s eth0 wol g'


[Install]
WantedBy=basic.target

[Unit]

Description=Configure Wake On LAN

[Service]

Type=oneshot

ExecStart=/sbin/ethtool -s eth0 wol g

# 如果有多张网卡

# ExecStart=/bin/bash -c '/sbin/ethtool -s enp5s0 wol g && /sbin/ethtool -s eth0 wol g'

[Install]

WantedBy=basic.target

上述配置是向驱动发送控制命令，启用网络唤醒功能。

启用服务

$ sudo systemctl daemon-reload

$ sudo systemctl enable wol.service

$ sudo systemctl start wol.service

$ sudo systemctl daemon-reload

$ sudo systemctl enable wol.service

$ sudo systemctl start wol.service

远程唤醒

$ sudo apt-get install wakeonlan -y

$ wakeonlan MAC

$ sudo apt-get install wakeonlan -y

$ wakeonlan MAC

也可尝试 etherwake

$ sudo apt-get install etherwake -y

$ etherwake MAC

# OpenWrt
# opkg install etherwake
# /usr/bin/etherwake -i br-lan MAC

$ sudo apt-get install etherwake -y

$ etherwake MAC

# OpenWrt

# opkg install etherwake

# /usr/bin/etherwake -i br-lan MAC

2026 年 1 月
一	二	三	四	五	六	日
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

安装配置为数据同步进行准备

客户端同步,测试是否正常工作

转化为定时任务，自动同步

参考链接

参考链接

Installing Fail2ban on Ubuntu

Fail2ban Configuration

Whitelist IP Addresses

Ban Settings

Email Notifications

Fail2ban Jails

Fail2ban Client

Conclusion

移除被禁止访问的IP

参考链接

参考链接

USB 的加速方式

提升为全双工模式

BOT 加速模式

UASP 加速模式

参考链接

参考链接

参考链接

网络唤醒

BIOS 设置

Windows 10 设置

ubuntu 20.04设置

远程唤醒

参考链接