月份: 2017 年 5 月

參考網頁：
Cacti 0.8.8b 安裝及設定Monitor & thold Plugin:::iThome Download-你要的軟體在這裡:::

1.0.x 版無法安裝，顯示 Plugin Not Compatible

Cacti monitor 下載網站：
http://docs.cacti.net/plugin:monitor#monitor
1. 下載 monitor plugin
# wget http://docs.cacti.net/_media/plugin:monitor-v1.3-1.tgz
2. 更改檔案名稱
# mv plugin:monitor-v1.3-1.tgz plugin_monitor-v1.3-1.tgz
3. 解壓縮
# tar xvzf plugin_monitor-v1.3-1.tgz -C /usr/share/cacti/plugins[@more@]
4. 登入 Cacti 後，選擇 Plugin Management

5. 選擇 Install Plugin

6. 選擇 Enable Plugin

7. 上方會出現 monitor 頁面

8. 選擇 Settings

9. 選擇 Misc 頁面

10. 進行設定

11. 觀看成果！

1. 安裝 epel 套件庫
# yum install epel-release
# yum update

2. 安裝 LAMP
# yum install httpd mariadb-server php php-mysql php-pear php-gd php-mbstring net-snmp net-snmp-utils rrdtool

3. 安裝 cacti
# yum install cacti[@more@]
4. 啟動相關服務並開機時啟動
# systemctl enable httpd.service
# systemctl enable mariadb.service
# systemctl start httpd.service
# systemctl start mariadb.service

5. 設定 MariaDB SQL Server
# /usr/bin/mysql_secure_installation

6. 建立資料庫並設定管理帳號及密碼
# /usr/bin/mysql -u root -p
MariaDB [(none)]> create database cacti;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on cacti.* to cacti@localhost identified by ‘password’;
Query OK, 0 rows affected (0.00 sec)

# For 1.0.x
MariaDB [(none)]> grant select on mysql.time_zone_name to cacti@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit

7. 匯入資料 版本會變動
# /usr/bin/mysql -u cacti -p cacti < /usr/share/doc/cacti-0.8.8h/cacti.sql
# /usr/bin/mysql -u cacti -p cacti < /usr/share/doc/cacti-1.0.4/cacti.sql

8. 修改 /etc/httpd/conf.d/cacti.conf 限制瀏覽的 IP 來源
# sed -i “/# httpd 2.4/attRequire ip 192.168.1.0/24” /etc/httpd/conf.d/cacti.conf
# cat /etc/httpd/conf.d/cacti.conf
Alias /cacti    /usr/share/cacti

<Directory /usr/share/cacti/>
        <IfModule mod_authz_core.c>
                # httpd 2.4
                Require ip 192.168.1.0/24
                Require host localhost
        </IfModule>
        <IfModule !mod_authz_core.c>
                # httpd 2.2
                Order deny,allow
                Deny from all
                Allow from localhost
        </IfModule>
</Directory>

9. 重新啟動 Web Server
# systemctl restart httpd.service

10. 修改 cacti 資料庫設定  /etc/cacti/db.php
# sed -i -e ‘s/database_username = “cactiuser”/database_username = “cacti”/’ -e ‘s/database_password = “cactiuser”/database_password = “password”/’ /etc/cacti/db.php
For 1.0.x
# sed -i -e “s/database_username = ‘cactiuser’/database_username = ‘cacti’/” -e “s/database_password = ‘cactiuser’/database_password = ‘password’/” /etc/cacti/db.php

11. 修改 cacti 工作排程設定 /etc/cron.d/cacti
# sed -i -e ‘s/^#//’ /etc/cron.d/cacti

12. 進行安裝設定 http://Server’IP/cacti

13.安裝過程 0.8.8 版本

預設帳號密碼：admin / admin

安裝完成！

1.0.x 版

解決 ERROR: Your Cacti database login account does not have access to the MySQL TimeZone database. Please provide the Cacti database account “select” access to the “time_zone_name” table in the “mysql” database, and populate MySQL’s TimeZone information before proceeding.

# /usr/bin/mysql_tzinfo_to_sql /usr/share/zoneinfo | /usr/bin/mysql -u root -p mysql
Enter password:

更改目錄擁有者及權限
# chown -R apache:apache /usr/share/cacti
# chmod -R 777 /usr/share/cacti/resource

進行安裝 http://Server’IP/cacti

有一些 Warn，先跳過

Next

程式路徑

目錄權限

安裝完成

預設帳號及密碼：admin / admin

重設密碼，密碼強度要求很高

按 Save 更改密碼

登入完成畫面

參考網頁：
CentOS 7 : Create SSL Certificates : Server World
CentOS 7 : OpenLDAP : LDAP over TLS : Server World

1. 切換目錄
# cd /etc/pki/tls/certs
2. 建立 server.key
# make server.key
umask 77 ;
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
…………….+++
…………………………………………………………+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying – Enter pass phrase:[@more@]
3. 去除密碼從 server.key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

4. 建立 server.csr
# make server.csr
umask 77 ;
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server’s hostname) []:xxxx.tces.ilc.edu.tw
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. 建立馮證
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=TW/ST=Yilan/L=TouCheng/O=Elementary School/OU=LDAP Server/CN=xxxx.tces.ilc.edu.tw
Getting Private key

6. 複製檔案到 /etc/openldap/certs 目錄
# cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs

7. 更改檔案擁有者及群組
# chown ldap:ldap /etc/openldap/certs/server.* /etc/openldap/certs/ca-bundle.crt

8. 建立 mod_ssl.ldif
# cat mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
–
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
–
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

9. 匯入
#  ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “cn=config”

10. 修改 /etc/sysconfig/slapd 加入 ldaps:///
# cp /etc/sysconfig/slapd /etc/sysconfig/slapd.$(date +%F)
# sed -i ‘/SLAPD_URLS/s@ldapi:/// ldap:///@ldapi:/// ldap:/// ldaps:///@’ /etc/sysconfig/slapd

11. 重新啟動 LDAP Server
# systemctl restart slapd.service

12. 檢查是否有正常執行
# netstat -antulp | egrep ‘389|636’
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1933/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1933/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      1933/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      1933/slapd

13. 防火牆設定
# firewall-cmd –permanent –add-service=ldap
# firewall-cmd –permanent –add-service=ldaps
# firewall-cmd –reload
或
# iptables -A INPUT -p tcp -s 192.168.1.0/24 –syn -m state –state NEW –dport 389 -j ACCEPT
# iptables -A INPUT -p tcp -s 192.168.1.0/24 –syn -m state –state NEW –dport 636 -j ACCEPT

為了安全的因素，LDAP 可以走 TLS/SSL 加密協定。
參考網頁：
Linux ． 無限: 在 CentOS7/RHEL7 上安裝設定 LDAP Server(一)

1. 安裝 openssl 套件
# yum install openssl

2. 修改 /etc/pki/tls/openssl.cnf
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = LDAP Server[@more@]
3. 製作金鑰
# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 3650
Generating a 2048 bit RSA private key
………+++
……………+++
writing new private key to ‘/etc/openldap/certs/priv.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [LDAP Server]:
Common Name (eg, your name or your server’s hostname) []:
Email Address []:

4. 改變目錄擁有者及群組和檔案權限
# chown -R ldap:ldap /etc/openldap/certs
# chmod 600 /etc/openldap/certs/priv.pem
# ls -l /etc/openldap/certs/*
-rw-r–r– 1 ldap ldap 65536 Mar  8 17:46 /etc/openldap/certs/cert8.db
-rw-r–r– 1 ldap ldap  1391 Mar 10 14:14 /etc/openldap/certs/cert.pem
-rw-r–r– 1 ldap ldap 16384 Mar  8 17:46 /etc/openldap/certs/key3.db
-r–r—– 1 ldap ldap    45 Dec  7 10:22 /etc/openldap/certs/password
-rw——- 1 ldap ldap  1704 Mar 10 14:14 /etc/openldap/certs/priv.pem
-rw-r–r– 1 ldap ldap 16384 Dec  7 10:22 /etc/openldap/certs/secmod.db

5. 建立 tlsc.ldif
# cat tlsc.ldif
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem

dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

6. 匯入
# /bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f tlsc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “cn=config”

modifying entry “cn=config”

7. 重新啟動 LDAP Server
# systemctl restart slapd.service

似乎沒有成功，嘗試其它方法！

直接下載最新版本安裝
Windows
x86
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/win32/zh-TW/Firefox%20Setup%2053.0.3.exe
ESR 52.1.2 版本
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/win32/zh-TW/Firefox%20Setup%2052.1.2esr.exe

x64
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/win64/zh-TW/Firefox%20Setup%2053.0.3.exe
ESR 52.1.2 版本
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/win64/zh-TW/Firefox%20Setup%2052.1.2esr.exe

Mac
http://ftp.mozilla.org/pub/firefox/releases/53.0.3/mac/zh-TW/Firefox%2053.0.3.dmg
ESR 52.1.2 版本
http://ftp.mozilla.org/pub/firefox/releases/52.1.2esr/mac/zh-TW/Firefox%2052.1.2esr.dmg

ss 的功能和 netstat 相近。
主要參數有：

[@more@]# ss -antulp
Netid State      Recv-Q Send-Q                                                          Local Address:Port                                                                         Peer Address:Port
udp   UNCONN     0      0                                                                           *:161                                                                                     *:*                   users:((“snmpd”,pid=52,fd=6))
tcp   LISTEN     0      128                                                                 127.0.0.1:199                                                                                     *:*                   users:((“snmpd”,pid=52,fd=7))
tcp   LISTEN     0      128                                                                         *:22                                                                                      *:*                   users:((“sshd”,pid=72,fd=3))
tcp   LISTEN     0      128                                                                        :::22                                                                                     :::*                   users:((“sshd”,pid=72,fd=4))

# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      52/snmpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      72/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      72/sshd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           52/snmpd

還是比較習慣使用 netstat

ip 指令和 ifconfig 的功能有些類似，但命令可以更加簡短

1. 列出所有網路介面 IP
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
112: eth0@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:5b:bb:11:35:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever[@more@]2. 單獨列出某一網路介面
# ip addr show eth0
# ip a s eth0
112: eth0@if113: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:5b:bc:14:35:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.17/24 brd 192.168.1.255 scope global eth0

3. 列出網路路由
# ip route
# ip r
default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.17

取出 IP
# ip a s eth0 | grep ‘inet ‘ | awk ‘{print $2}’ | awk -F’/’ ‘{print $1}’
192.168.1.17
# ip r | grep src | awk ‘{print $9}’
192.168.1.17

取出 mac address
# ip a s eth0 | grep ‘link/ether’ | awk ‘{print $2}’
9e:5b:bb:11:35:a7

nmcli 是 CentOS 7.x 預設的網路管理工具，不過之前一直習慣使用 ifconfig，所以並沒有特別去研究。
# which nmcli
/usr/bin/nmcli

如果找不到，請安裝 NetworkManager 套件
# yum install NetworkManager
# systemctl start NetworkManager.service

參考網頁：
2.3. 使用 NetworkManager 命令行工具 nmcli
RHEL / CentOS 7 網路管理工具 — nmcli – Linux 技術手札[@more@]1 顯示所有連線:
# nmcli connection show
# nmcli c s
NAME     UUID                                  TYPE            DEVICE
enp0s25  d28b1a52-51d3-482c-b36e-37b7b80d7ded  802-3-ethernet  enp0s25
enp1s0   6d31aafd-1033-4853-ba71-e062608189b0  802-3-ethernet  enp1s0
enp1s1   6af9cc1f-4fac-40e8-80e6-6bda5b66886b  802-3-ethernet  enp1s1

只顯示 active 的連線:
# nmcli connection show –active
# nmcli connection show -a
# nmcli c s -a
NAME     UUID                                  TYPE            DEVICE
enp0s25  d28b1a52-51d3-482c-b36e-37b7b80d7ded  802-3-ethernet  enp0s25
enp1s0   6d31aafd-1033-4853-ba71-e062608189b0  802-3-ethernet  enp1s0
enp1s1   6af9cc1f-4fac-40e8-80e6-6bda5b66886b  802-3-ethernet  enp1s1

顯示所有 NetworkManager 辨識到的裝置及它們目前的狀態:
# nmcli device status
# nmcli d s
DEVICE   TYPE      STATE      CONNECTION
enp0s25  ethernet  connected  enp0s25
enp1s0   ethernet  connected  enp1s0
enp1s1   ethernet  connected  enp1s1
lo       loopback  unmanaged  —

停用網卡:
# nmcli device disconnect enp1s1
# nmcli d d enp1s1
Device ‘enp1s1’ successfully disconnected.

啟用網卡:
# nmcli device connect enp1s1
# nmcli d c enp1s1
Device ‘enp1s1’ successfully activated with ‘6af9cc1f-4fac-40e8-80e6-6bda5b66886b’.

加入固定 IP:
# nmcli connection add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254
# nmcli con add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254
Connection ‘test-lab’ (‘6af9cc1f-4fac-40e8-80e6-6bda5b66886b) successfully added.
# nmcli con add type ethernet con-name test-lab ifname enp1s1 ip4 10.10.10.10/24 gw4 10.10.10.254 ip6 abbe::cafe gw6 2001:db8::1

設定使用的 Dns Servers:
# nmcli connection modify test-labipv4.dns “168.95.1.1 140.111.66.1 8.8.8.8”
# nmcli con mod test-lab ipv4.dns “168.95.1.1 140.111.66.1 8.8.8.8”
# nmcli con mod test-lab ipv6.dns “2001:b000:168::2 2001:288:a201::66:1 2001:4860:4860::8888”

啟動新連結線:
# nmcli connection up  test-lab ifname enp1s1
# nmcli con up  test-lab ifname enp1s1

diff 可以產生二個檔案之間的差異對照，然後利用 patch 來進行修正。

1.產生二個檔案間差異
-a 將所有檔案都視為文字檔
-u 輸出預設三行的相同文字行
-r 遞迴比較所有的子目錄
-N 將缺少的檔案視為空檔案
# diff -Naur server.conf.2017-02-20 server.conf > /root/server.diff

2. 將差異檔和待修正的檔案放在一起
# cp /etc/openvpn/server.conf.2017-02-20 /root/server.conf

3. 利用 patch 進行修正
# cd /root
# patch -i server.diff

4. 比較二者間是否有差異
# diff /root/server.conf /etc/openvpn/server.conf

如果執行完後沒有任何訊息，代表二個檔案完全相同

有一些 Linux 已經預設不能以 root 身份登入，或是不允許 root 以輸入密碼登入。
# grep RootLogin /etc/ssh/sshd_config
PermitRootLogin prohibit-password
或
PermitRootLogin without-password

如果還是習慣使用 root 身份登入，可以修改成
PermitRootLogin yes

重新啟動 SSH Server
# /etc/init.d/sshd restart
# systemctl restart sshd.service

或直接改用 SSH Key 的方式，來達成免密碼直接登入[@more@]Server A：192.168.1.10
Server B：192.168.1.101

1. 在 Server A 上執行
# ssh-keygen -t rsa

2. 產生的 key，id_rsa 私鑰 / id_rsa.pub 公鑰
# ls -l ~/.ssh/
-rw——- 1 root root 1675 Mar  9 19:17 id_rsa
-rw-r–r– 1 root root  390 Mar  9 19:17 id_rsa.pub
-rw-r–r– 1 root root 1330 Mar  9 14:41 known_hosts

3. 將公鑰複製到 Server B
# scp ~/.ssh/id_rsa.pub root@192.168.1.101:/root

4. 登入到 Server B，並將從 Server A 複製過來的 id_rsa 公鑰 附加入到 ~/.ssh/authorized_keys
# ssh root@192.168.1.101
# cat id_rsa >> ~/.ssh/authorized_keys
# rm -rf id_rsa

5. 更改權限
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys

6. 測試從 Server A 以 ssh 連線 Server B 是不是不用輸入密碼