A fairly complex ProFTPD configuration

Configuration file for ProFTPD 1.3.2e; version 1.3.3 requires a few changes.
ServerName                      "yaoge123 FTP Server"
ServerType                      standalone
DefaultServer                   on
ScoreboardFile                  /var/run/proftpd/proftpd.scoreboard
Port                            21
UseIPv6                         on
Umask                           022
MaxInstances                    100
MaxConnectionsPerHost           10
CommandBufferSize               512
UseReverseDNS                   off
IdentLookups                    off
ServerIdent                     on "Welcome to yaoge123 FTP Server"
User                            nobody
Group                           nogroup
DefaultRoot                     ~
AllowOverwrite                  off
requirevalidshell               off
AllowForeignAddress             on
AllowRetrieveRestart            on
DirFakeUser                     on yaoge123
DirFakeGroup                    on yaoge123
DirFakeMode                     0000
TimeoutLogin                    30
TimeoutIdle                     300
SystemLog                       /var/log/proftpd.log
TransferLog                     /var/log/xferlog
WtmpLog                         on

AdminControlsEngine             on
AdminControlsACLs               all allow user root

BanEngine                       on
BanControlsACLs                 all allow user root
BanOnEvent                      ClientConnectRate 10/00:01:00 01:00:00 "Stop connecting frequently"
BanTable                        /var/run/proftpd/ban.tab
BanLog                          /var/log/proftpd-ban.log
BanMessage                      "%a OR %u has been banned"

#AuthOrder mod_auth_file.c mod_sql.c mod_auth_unix.c
#AuthUserFile /usr/local/etc/proftpd/ftpd.passwd
#AuthGroupFile /usr/local/etc/proftpd/ftpd.group
AuthOrder mod_sql.c
SQLAuthenticate users
SQLAuthTypes crypt plaintext
SQLConnectInfo proftpd@localhost username password
SQLUserInfo users user password userid usergroupid homedir NULL
SQLLogFile /var/log/proftpd-sql.log

SQLLog PASS counter
SQLNamedQuery counter UPDATE "lastloginip='%a', lastlogin=now(), logincount=logincount+1 WHERE user='%u'" users
SQLLog EXIT time_logout
SQLNamedQuery time_logout UPDATE "lastlogout=now() WHERE user='%u'" users
SQLLog RETR,ERR_RETR download
SQLNamedQuery download UPDATE "downloadbytes=downloadbytes+%b, downloadfiles=downloadfiles+1 WHERE user='%u'" users
SQLLog STOR,ERR_STOR,APPE,ERR_APPE,STOU,ERR_STOU upload
SQLNamedQuery upload UPDATE "uploadbytes=uploadbytes+%b, uploadfiles=uploadfiles+1 WHERE user='%u'" users

SQLNamedQuery logincount SELECT "logincount from users where user='%u'"
SQLNamedQuery lastlogin SELECT "lastlogin from users where user='%u'"
SQLNamedQuery lastloginip SELECT "lastloginip from users where user='%u'"
SQLNamedQuery downloadbytes SELECT "ROUND(downloadbytes/1048576) from users where user='%u'"
SQLNamedQuery downloadfiles SELECT "downloadfiles from users where user='%u'"
SQLNamedQuery uploadbytes SELECT "ROUND(uploadbytes/1048576) from users where user='%u'"
SQLNamedQuery uploadfiles SELECT "uploadfiles from users where user='%u'"
SQLShowInfo PASS "230" "You've logged on %{logincount} times"
SQLShowInfo PASS "230" "*** Last login at %{lastlogin}"
SQLShowInfo PASS "230" "*** Last login from %{lastloginip}"
SQLShowInfo PASS "230" "*** Downloaded %{downloadbytes} MB in %{downloadfiles} files"
SQLShowInfo PASS "230" "*** Uploaded %{uploadbytes} MB in %{uploadfiles} files"

<Limit SITE_CHMOD>
  DenyAll
</Limit>

<Directory />
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit PROT>
    AllowAll
  </Limit>
</Directory>

TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /usr/local/etc/proftpd/ftpd.cert.pem
TLSRSACertificateKeyFile /usr/local/etc/proftpd/ftpd.key.pem
TLSCACertificateFile /usr/local/etc/proftpd/ftpdca.cert.pem
TLSVerifyClient off
TLSRenegotiate required off

<Anonymous /ftp/anonymous>
  User                          anonymous
  Group                         anonymous
  UserAlias                     guest anonymous
  MaxClients                    10
  MaxClientsPerHost             1
  TransferRate                  RETR 512

  <Limit LOGIN>
    Allow from 172.16.,172.20,172.21
    DenyAll
  </Limit>

  <Limit ALL>
    DenyAll
  </Limit>

  <Limit FEAT DIRS READ>
    AllowAll
  </Limit>
</Anonymous>

<IfUser OR friend1,friend2>
  <Directory /ftp/friend>
    <Limit FEAT DIRS READ>
      AllowAll
    </Limit>
  </Directory>
</IfUser>

<IfUser regex @yaoge123$>
  DisplayLogin .welcome.msg
  MaxHostsPerUser               1
  MaxClientsPerUser             3
  <Directory /ftp/yaoge123>
    HideFiles                  ^\.
    <Limit FEAT DIRS READ>
        AllowAll
    </Limit>
  </Directory>
</IfUser>

The users table in SQL:
CREATE TABLE `users` (
`user` varchar(50) NOT NULL default '',
`password` varchar(50) NOT NULL default '',
`username` varchar(50) NOT NULL default '',
`userid` int(10) unsigned NOT NULL default '10000',
`usergroupid` int(10) unsigned NOT NULL default '10000',
`lastloginip` varchar(22) NOT NULL default '',
`logincount` int(16) unsigned NOT NULL default '0',
`lastlogin` datetime NOT NULL default '0000-00-00 00:00:00',
`lastlogout` datetime NOT NULL default '0000-00-00 00:00:00',
`downloadbytes` bigint unsigned NOT NULL default '0',
`downloadfiles` int unsigned NOT NULL default '0',
`uploadbytes` bigint unsigned NOT NULL default '0',
`uploadfiles` int unsigned NOT NULL default '0',
`homedir` varchar(50) NOT NULL default '',
`mark` varchar(10) NOT NULL default '',
PRIMARY KEY (`userid`)
);
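To see what the SQLLog/SQLNamedQuery accounting in the configuration above actually accumulates, here is an added example (not ProFTPD's or mod_sql's own code) that replays a constructed FTP session against an in-memory SQLite copy of the users table. The schema is a simplified adaptation of the CREATE TABLE above (SQLite types, `user` as the key), the UPDATE and SELECT statements mirror the named queries, and `%u`, `%a` and `%b` are supplied as bound parameters rather than mod_sql's text substitution. The user name, client address and byte counts are constructed sample values.

```python
"""Model of the SQLLog / SQLNamedQuery accounting from the proftpd.conf above."""
import sqlite3

# Simplified SQLite adaptation of the page's `users` table (assumption: user is the key).
SCHEMA = """
CREATE TABLE users (
  user          TEXT    NOT NULL PRIMARY KEY,
  password      TEXT    NOT NULL DEFAULT '',
  userid        INTEGER NOT NULL DEFAULT 10000,
  usergroupid   INTEGER NOT NULL DEFAULT 10000,
  homedir       TEXT    NOT NULL DEFAULT '',
  lastloginip   TEXT    NOT NULL DEFAULT '',
  logincount    INTEGER NOT NULL DEFAULT 0,
  lastlogin     TEXT    NOT NULL DEFAULT '0000-00-00 00:00:00',
  lastlogout    TEXT    NOT NULL DEFAULT '0000-00-00 00:00:00',
  downloadbytes INTEGER NOT NULL DEFAULT 0,
  downloadfiles INTEGER NOT NULL DEFAULT 0,
  uploadbytes   INTEGER NOT NULL DEFAULT 0,
  uploadfiles   INTEGER NOT NULL DEFAULT 0
)
"""

# The four SQLNamedQuery UPDATEs, with %a / %b / %u as bound parameters.
NAMED_QUERIES = {
    "counter":     "UPDATE users SET lastloginip=:a, lastlogin=datetime('now'), "
                   "logincount=logincount+1 WHERE user=:u",
    "time_logout": "UPDATE users SET lastlogout=datetime('now') WHERE user=:u",
    "download":    "UPDATE users SET downloadbytes=downloadbytes+:b, "
                   "downloadfiles=downloadfiles+1 WHERE user=:u",
    "upload":      "UPDATE users SET uploadbytes=uploadbytes+:b, "
                   "uploadfiles=uploadfiles+1 WHERE user=:u",
}

# The SQLLog directives: FTP command -> named query (ERR_* variants count too).
SQLLOG = {
    "PASS": "counter",
    "EXIT": "time_logout",
    **dict.fromkeys(["RETR", "ERR_RETR"], "download"),
    **dict.fromkeys(["STOR", "ERR_STOR", "APPE", "ERR_APPE", "STOU", "ERR_STOU"], "upload"),
}


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_user(conn, user, homedir, userid=10000):
    conn.execute("INSERT INTO users (user, homedir, userid) VALUES (?, ?, ?)",
                 (user, homedir, userid))


def log_event(conn, command, user, client_ip="", nbytes=0) -> bool:
    """Run the named query bound to an FTP command; False if none is bound."""
    name = SQLLOG.get(command)
    if name is None:
        return False
    conn.execute(NAMED_QUERIES[name], {"u": user, "a": client_ip, "b": nbytes})
    return True


def show_info(conn, user) -> dict:
    """The values behind the SQLShowInfo '230' lines (MB = ROUND(bytes/1048576))."""
    row = conn.execute(
        "SELECT logincount, lastloginip, ROUND(downloadbytes/1048576.0), downloadfiles, "
        "ROUND(uploadbytes/1048576.0), uploadfiles FROM users WHERE user=?",
        (user,)).fetchone()
    keys = ("logincount", "lastloginip", "downloadbytes_mb",
            "downloadfiles", "uploadbytes_mb", "uploadfiles")
    return dict(zip(keys, (int(v) if isinstance(v, float) else v for v in row)))


def sample_session(conn) -> dict:
    """Constructed session: login, one full and one aborted download, one upload, logout."""
    add_user(conn, "alice@yaoge123", "/ftp/yaoge123")       # constructed user
    events = (("PASS", 0), ("RETR", 3 * 1048576), ("ERR_RETR", 1048576),
              ("STOR", 2 * 1048576), ("EXIT", 0))
    for command, nbytes in events:
        log_event(conn, command, "alice@yaoge123", "172.16.5.7", nbytes)
    return show_info(conn, "alice@yaoge123")


if __name__ == "__main__":
    print(sample_session(new_db()))
```

Note that the aborted transfer (ERR_RETR) still adds its partial byte count and increments downloadfiles, exactly as the SQLLog lines in the configuration specify; if you only want completed transfers counted, bind the named query to RETR alone.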

Configuring ProFTPD with SSL encryption

Download the script http://www.castaglia.org/openssl/contrib/cert-tool, edit the openssl path inside cert-tool, and use the script to have OpenSSL issue a self-signed certificate:
cert-tool --create-ca=serverca --signing-ca=self
cert-tool --create-cert=server --signing-ca=serverca.cert.pem --signing-key=serverca.key.pem

Edit proftpd.conf and add the TLS configuration:

TLSEngine on # enable TLS
TLSLog /var/log/proftpd-tls.log # TLS log
TLSProtocol SSLv23 # allow SSLv3 and TLSv1
TLSRSACertificateFile /usr/local/etc/server.cert.pem # certificate generated by cert-tool
TLSRSACertificateKeyFile /usr/local/etc/server.key.pem # key generated by cert-tool
TLSCACertificateFile /usr/local/etc/serverca.cert.pem # CA certificate generated by cert-tool
TLSVerifyClient off # do not verify client certificates; to enable client certificate verification, client certificates must be issued by the CA given in TLSCACertificateFile
TLSRenegotiate required off # do not require renegotiation

Also, encrypted transfers use the FTP command PROT; if you have denied ALL, you need to allow it explicitly:
<Limit ALL>
  DenyAll
</Limit>
<Limit PROT>
  AllowAll
</Limit>

Differences in Order between Apache and ProFTPD

Order Allow,Deny             Apache                ProFTPD
Only Allow matches           Allow                 Allow
Only Deny matches            Deny                  Deny
Nothing matches              Deny (default)        Allow (default)
Both Allow and Deny match    Deny (last match)     Allow (first match)

Order Deny,Allow             Apache                ProFTPD
Only Allow matches           Allow                 Allow
Only Deny matches            Deny                  Deny
Nothing matches              Allow (default)       Deny (default)
Both Allow and Deny match    Allow (last match)    Deny (first match)
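The two tables above are easy to misread, so here is an added example (not code from either project) that encodes both rule sets as functions and evaluates the `<Limit LOGIN>` block from the `<Anonymous>` section above (`Allow from 172.16.,172.20,172.21` followed by `DenyAll`, under ProFTPD's default `Order allow,deny`). The pattern matcher is a deliberate simplification: it understands `all` and dotted IPv4 prefixes such as `172.16.`, treating a pattern without a trailing dot as a prefix as well; real servers also accept CIDR ranges and hostnames. The client addresses are constructed sample values.

```python
"""Apache mod_access vs ProFTPD <Limit> Order semantics, side by side."""


def ip_matches(client_ip: str, patterns) -> bool:
    """True if client_ip matches any pattern in an Allow/Deny list.

    Simplified matcher (assumption): "all" or a dotted IPv4 prefix.
    """
    for pattern in patterns:
        p = pattern.strip().lower()
        if p == "all":
            return True
        prefix = p if p.endswith(".") else p + "."
        if client_ip == p or client_ip.startswith(prefix):
            return True
    return False


def apache_decision(order: str, allow, deny, client_ip: str) -> bool:
    """Apache 1.3 mod_access: the *last* matching directive wins and the
    default (nothing matched) is the second keyword of Order."""
    a = ip_matches(client_ip, allow)
    d = ip_matches(client_ip, deny)
    if order == "allow,deny":
        return a and not d          # default deny; Deny wins when both match
    if order == "deny,allow":
        return a or not d           # default allow; Allow wins when both match
    raise ValueError("order must be 'allow,deny' or 'deny,allow'")


def proftpd_decision(order: str, allow, deny, client_ip: str) -> bool:
    """ProFTPD <Limit>: the *first* matching directive wins and the default
    (nothing matched) is the first keyword of Order."""
    a = ip_matches(client_ip, allow)
    d = ip_matches(client_ip, deny)
    if order == "allow,deny":
        if a:
            return True
        if d:
            return False
        return True                 # default allow
    if order == "deny,allow":
        if d:
            return False
        if a:
            return True
        return False                # default deny
    raise ValueError("order must be 'allow,deny' or 'deny,allow'")


# The <Limit LOGIN> block of the <Anonymous> section in the configuration above:
#   Allow from 172.16.,172.20,172.21
#   DenyAll
ANON_LOGIN_ALLOW = ["172.16.", "172.20", "172.21"]
ANON_LOGIN_DENY = ["all"]


def compare(client_ip: str, order: str = "allow,deny") -> dict:
    """What each server would decide for the same Allow/Deny lines."""
    return {
        "apache": apache_decision(order, ANON_LOGIN_ALLOW, ANON_LOGIN_DENY, client_ip),
        "proftpd": proftpd_decision(order, ANON_LOGIN_ALLOW, ANON_LOGIN_DENY, client_ip),
    }


if __name__ == "__main__":
    for ip in ("172.16.5.7", "172.21.0.9", "10.0.0.1"):   # constructed clients
        print(ip, compare(ip))
```

The point the example makes concrete: a client from 172.16.5.7 matches both the Allow line and DenyAll, so ProFTPD (first match wins) lets it log in, whereas the same lines in Apache (last match wins) would deny everyone. Anyone porting access rules between the two servers should rerun this kind of check rather than copy the block verbatim.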

References:
http://httpd.apache.org/docs/1.3/mod/mod_access.html
http://www.proftpd.org/docs/directives/linked/config_ref_Order.html
http://www.proftpd.org/docs/howto/Limit.html

Notes after installing Tomcat on FreeBSD

Edit /usr/local/etc/rc.d/tomcat6
and add the following to java_command= to disable IPv6:
-Djava.net.preferIPv4Stack="true" \
-Djava.net.preferIPv4Address="true" \

Related version information:
Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8k DAV/2 PHP/5.2.12 with Suhosin-Patch mod_jk/1.2.30
javavmwrapper-2.3.4
diablo-jdk-1.6.0.07.02_8
jdk-1.6.0.3p4_14
tomcat-6.0.24
tomcat-native-1.1.20
mod_jk-ap2-1.2.30_1

Replacing disks to grow a ZFS RAIDZ pool on FreeBSD

Create a raidz1 ZFS pool:
test# zpool create zfspool raidz da1 da2 da3
test# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
zfspool 23.9G 192K 23.9G 0% ONLINE -
test# zpool status
pool: zfspool
state: ONLINE
scrub: none requested
config:

NAME STATE READ WRITE CKSUM
zfspool ONLINE 0 0 0
raidz1 ONLINE 0 0 0
da1 ONLINE 0 0 0
da2 ONLINE 0 0 0
da3 ONLINE 0 0 0

errors: No known data errors

Replace the original smaller da1, da2, da3 with the larger da4, da5, da6.

ZFS mirror upgrade/downgrade, disk replacement and online/offline growth on FreeBSD

Create a non-redundant ZFS pool:
test# zpool create zfspool da1
test# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
zfspool 7.94G 110K 7.94G 0% ONLINE -
test# zpool status
pool: zfspool
state: ONLINE
scrub: none requested
config:

NAME STATE READ WRITE CKSUM
zfspool ONLINE 0 0 0
da1 ONLINE 0 0 0

errors: No known data errors

Add a disk and upgrade to a two-way mirror:
test# zpool attach zfspool da1 da2
test# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
zfspool 7.94G 112K 7.94G 0% ONLINE -
test# zpool status
pool: zfspool
state: ONLINE
scrub: resilver completed with 0 errors on Tue Jul 21 21:24:27 2009
config:

NAME STATE READ WRITE CKSUM
zfspool ONLINE 0 0 0
mirror ONLINE 0 0 0
da1 ONLINE 0 0 0
da2 ONLINE 0 0 0

errors: No known data errors

To create a two-way mirror ZFS pool directly, use:
test# zpool create zfspool mirror da1 da2

Add another disk and upgrade to a three-way mirror.

Preparation before installing VMware Tools on openSUSE

openSUSE 11.2:
Install make, gcc, kernel-source, then run:
/usr/bin/vmware-config-tools.pl --clobber-kernel-modules=vmci --clobber-kernel-modules=vsock --clobber-kernel-modules=vmxnet3 --clobber-kernel-modules=pvscsi --clobber-kernel-modules=vmmemctl --clobber-kernel-modules=vmhgfs --clobber-kernel-modules=vmxnet --clobber-kernel-modules=vmblock

openSUSE 11.1:
Delete the files vmxnet.ko vmblock.ko vmmemctl.ko vmhgfs.ko vmci.ko vmsync.ko from /lib/modules/2.6.27.7-9-default/updates
Install make, gcc, kernel-source

openSUSE 10.3:
Install less, psmisc, make, gcc, kernel-source

Choosing a PT (private tracker) client on FreeBSD

The clients allowed on HDChina and HDBits are Azureus, BitTornado, KTorrent, rtorrent, Transmission and uTorrent. uTorrent needs Wine, and Azureus (Vuze) and KTorrent need X, so none of those are considered. HDChina does not accept BitTornado 0.3.18, and HDBits does not accept Transmission 1.61. In rtorrent every task that has not finished downloading must be re-hashed after a restart; Transmission does not have that problem, and it is also faster than rtorrent. Maybe uTorrent + Samba, then?

FreeBSD with VMware Tools cannot power off

After installing VMware Tools on FreeBSD, the guest can be shut down through VI, but the system stops at "The operating system has halted. Please press any key to reboot." and does not power off automatically. The fix is:
ee /usr/local/etc/rc.d/vmware-tools.sh
Search for vmware_start_guestd() and you will see:
vmware_start_guestd() {
cd "$vmdb_answer_SBINDIR" && "$vmdb_answer_SBINDIR"/vmware-guestd \
--background "$GUESTD_PID_FILE"
}

Add the parameter --halt-command "/sbin/shutdown -p now" to the vmware-guestd command, changing it to:
vmware_start_guestd() {
cd "$vmdb_answer_SBINDIR" && "$vmdb_answer_SBINDIR"/vmware-guestd \
--background "$GUESTD_PID_FILE" --halt-command "/sbin/shutdown -p now"
}

Save and exit. Run /usr/local/etc/rc.d/vmware-tools.sh restart to restart VMware Tools, and that is all.