2009-11-10

Locking MAC addresses on a switch port - port security

Check
#sh port-security

Enable locking
(config)#int f0/9
(config-if)#switchport port-security
(config-if)#switchport port-security mac-address sticky
(config-if)#switchport port-security violation restrict

Remove locking (save the config afterwards, otherwise the old sticky entries come back on reload)
(config-if)#no switchport port-security mac-address sticky
(config-if)#no switchport port-security

Re-learn immediately (after this the port only learns the first MAC it sees again, since the default maximum is 1)
#clear port-security sticky interface f0/9
(omit "interface f0/9" to clear the sticky addresses on every port)

--------------------Reference---------------------------
The Cisco Port Security feature mitigates MAC spoofing and MAC/CAM-table flooding attacks. By configuring Port Security you can control:
‧ the maximum number of MAC addresses allowed through a port
‧ which MAC addresses the port learns or allows
‧ what happens to MACs beyond the configured number

The MAC addresses a port learns or allows can be defined statically by hand, or learned automatically by the switch.
With dynamic learning the switch learns MACs on the port up to the configured count; the learned entries are lost when the switch reboots and are learned again.
The newer technique is Sticky Port Security: the switch writes the learned MAC addresses into the port configuration, so they survive a reboot (as long as the running config has been saved).

There are generally three ways to handle MACs beyond the configured number (details vary by switch model):
‧ Shutdown. Strongest protection, but in some situations it creates management trouble: the port goes err-disabled and stays down until someone recovers it.
‧ Protect. Drops the offending traffic silently, with no alert.
‧ Restrict. Drops the offending traffic and raises an alert (syslog message, SNMP trap, violation counter). Compared with the above it raises switch CPU utilisation somewhat but does not affect switch operation. This mode is recommended.

Configuration: accept only the MAC address of the first computer plugged into the port; the default maximum = 1
Switch#config terminal
Switch(config)#interface f0/9 enter the port to configure
Switch(config-if)#switchport mode access make it an access port (port security cannot be enabled on a port still in dynamic trunking mode)
Switch(config-if)#switchport port-security enable port security
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown }
//how the port handles a non-authorised computer:
| protect: drop the frames, no warning
| restrict: drop the frames, log a warning (syslog/SNMP trap) and increment the violation counter
| shutdown: put the port into err-disable state; unless an administrator re-enables it by hand (or errdisable recovery is configured) the port stays down
Configure port-security with a maximum of 2 MACs, the violation action, and automatic recovery
Cat4507(config)#int fastEthernet 3/48
Cat4507(config-if)#switchport port-security
Cat4507(config-if)#switchport port-security maximum 2
Cat4507(config-if)#switchport port-security violation shutdown
Cat4507(config-if)#exit
Cat4507(config)#errdisable recovery cause psecure-violation
Cat4507(config)#errdisable recovery interval 30

MACs learned through sticky port-security end up in the interface configuration like this
interface FastEthernet3/29
switchport mode access
switchport port-security
switchport port-security maximum 5
switchport port-security mac-address sticky
switchport port-security mac-address sticky 000b.db1d.6ccd
switchport port-security mac-address sticky 000b.db1d.6cce
switchport port-security mac-address sticky 000d.6078.2d95
switchport port-security mac-address sticky 000e.848e.ea01
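Once restrict mode is in place you want to know which ports are actually dropping frames. The following is an added check, not part of the original note: a POSIX shell/awk function that reads captured "show port-security" output (for example from a file or an ssh pipe) and lists every port whose SecurityViolation counter is non-zero. The sample output embedded below is constructed for illustration; the column layout follows the IOS table shown earlier, but the port names and counters are made up.

```shell
# Added example (not from the original note): list ports with port-security
# violations from the table printed by "show port-security".

psec_violations() {
    # Data rows start with an interface name (Fa0/9, Gi1/0/3, ...) and have
    # exactly five columns: Port MaxSecureAddr CurrentAddr SecurityViolation Action.
    # Header, separator and "Total ..." lines never match this shape.
    awk '$1 ~ /^(Fa|Gi|Te|Et)[0-9]/ && NF == 5 && $4 + 0 > 0 { print $1, $4, $5 }'
}

# Constructed sample of "show port-security" output (values are invented).
SAMPLE_SHOW_PORT_SECURITY='Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/9              1            1                  3         Restrict
     Fa0/10              2            2                  0         Shutdown
     Fa3/48              2            2                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144'

# Run the check on the sample. In real use pipe the captured output instead:
#   ssh admin@switch 'show port-security' | psec_violations
psec_violations_from_sample() {
    printf '%s\n' "$SAMPLE_SHOW_PORT_SECURITY" | psec_violations
}

psec_violations_from_sample
```

A port in shutdown mode with a non-zero counter has almost certainly been err-disabled; check it with "show interfaces status err-disabled" and decide whether to clear it or let the errdisable recovery timer do it.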
-----------------------------------------------------
Restricting a port so that only certain MACs may pass in or out
Switch(config)#mac access-list extended MAC20
Switch(config-ext-macl)#permit host 0011.5b18.a56f any
Switch(config-ext-macl)#permit any host 0011.5b18.a56f
Switch(config-ext-macl)#exit
Switch(config)#interface Fa0/2
Switch(config-if)#mac access-group MAC20 in
(The ACL ends with an implicit deny any any. Note that on several Catalyst platforms, e.g. the 3560/3750, a MAC ACL applied with mac access-group only filters non-IP frames and IP traffic is not matched at all; check the platform documentation before relying on it for IP hosts.)
-----------------------------------------------------

e.g. to block a particular attacker MAC xxxx.xxxx.xxxx
Ans: deny host xxxx.xxxx.xxxx any
permit any any



Binding a MAC address to an IP address
Principle:
Build a table of IP-to-MAC mappings in the switch. The IP and MAC seen on a port are matched against that table, and packets from that port that do not match are dropped.
In practice a static ARP entry only pins the mapping in the switch's own ARP cache, so it only affects traffic the switch itself routes or terminates (i.e. when the switch is the hosts' gateway); it does not inspect frames exchanged between two hosts in the same VLAN.

Implementation:
Switch#config terminal
Switch(config)#arp 1.1.1.1 0001.0001.1111 arpa

e.g.
to quickly block an existing IP 192.168.1.120
arp 192.168.1.120 0000.0000.0000 arpa


Configuring the aging time of secure MAC addresses
1) enter interface mode: interface <interface>
2) configure aging
switchport port-security aging time <minutes>
switchport port-security aging type {absolute | inactivity}
absolute: when the time has elapsed, the secure addresses on the port are removed unconditionally
inactivity: secure addresses that have seen no traffic within the time are removed

Main caveat for the IP/MAC binding above:
A MAC mapping must be created for every IP in the subnet; unused IPs can be mapped to 0000.0000.0000.
Otherwise the binding has no effect on IPs in the subnet for which no mapping was created.

2009-07-24

Setting up a UTF-8 environment for the FreeBSD remote console

http://toolbox.orzcorp.com/?p=8

proftpd big5

PS: If you want proftpd not to use Unicode, set the system locale to big5 before compiling, and remember not to pass --enable-nls to configure.
Edit /etc/sysconfig/i18n (that path is the Red Hat/CentOS locale file; on FreeBSD set LANG in ~/.cshrc or /etc/login.conf instead)
change LANG="zh_TW.UTF-8"
to LANG="zh_TW.BIG5" and reboot
Once compiled you can change it back XD
PS: Once switched to BIG5, avoid changing it again if you can; I have seen strange problems caused by client software.
This is useful for people who only use IE to open FTP (in short, everything uses non-Unicode, and it is the same whether you connect with SmartFTP or FileZilla, although FileZilla tries to handle UTF-8...).
Alternatively
set UseUTF8 off in proftpd.conf
In newer proftpd.conf (1.3.2rc1) the setting is UseEncoding off, or UseEncoding cp950 cp950
(not tested on the 1.3.2 final release)

ftp utf-8 big5

Windows Explorer on XP does not support UTF-8 filenames over FTP, only Big5,
so pure-ftpd.conf has to be adjusted to match.
compile with --with-rfc2640

FileSystemCharset big5
ClientCharset big5

The FTP client under Vista does support UTF-8 filenames

pureftpd anonymous delete resume rename file

OS: FreeBSD 6.1

To let pure-ftpd allow anonymous delete/resume/rename,
you must setenv before configure (add -DANON_CAN_RESUME as well if you want resume; the list of switches below has the full set):

setenv CPPFLAGS "-DANON_CAN_DELETE -DANON_CAN_RENAME"
cd /usr/ports/ftp/pure-ftpd
make install clean
and that is it.

setenv CFLAGS does not work.

Keep in mind that once anonymous users can delete or rename, anyone can destroy other people's uploads in that directory, so keep it isolated and backed up.



Hi again.

What follows is something extremely confidential, private, undocumented
and top secret. But as you subscribed to the shiny pureftpd-users
mailing-list, you need to know. Maybe this is dangerous. Maybe if
someone knows that you've read this, special agents will murder you.
So you're free to delete this message without any further reading now.

Still here? Are you sure?

Well...

Ok.

Apart from ./configure and run-time options, there are some
undocumented switches in Pure-FTPd. They are undocumented because they
were only designed for testing/debugging, or because they are uncommon
needs.

But if you are strong, you can play with these undocumented switches.

To enable them, you have to recompile pure-ftpd with something like
this:

env CFLAGS="$CFLAGS -DSTRICT_REST -DLOG_ANON_EMAIL" ./configure
make install-strip

Add as many -D as you want here.

Here's a list of these top secret features :

* ALWAYS_RESOLVE_IDS :
Always try to get full user names, even once chrooted. If you define
this, you can put a fake etc/passwd file (or similar, like pwd.db) in
a chrooted environment to get user names.

* ANON_CAN_CHANGE_PERMS :
Allow anonymous users to chmod files.

* ANON_CAN_DELETE :
Allow anonymous users to delete files.

* ANON_CAN_RENAME :
Allow anonymous users to rename files.

* ANON_CAN_RESUME :
Allow anonymous users to resume uploads.

* AUTORENAME_REVERSE_ORDER :
When autorename is enabled, put the unique id at the beginning of
file names, not at the end. Useful if you want to keep extensions.

* DEFAULT_TO_BINARY_TYPE :
Default to binary transfers even if 'bin' ('TYPE I') hasn't been
issued by the client.

* DISABLE_MKD_RMD :
People can't create/delete directories any more.

* DO_AUTHD_TIMEOUT :
Send an ALRM signal to an authentication module after 60 seconds.

* FANCY_LS_DIRECTORY_HEADERS :
Display 'ls' with multiple directories with lovely headers. This is how
the good old first releases of pure-ftpd were displaying things.
Unfortunately, it breaks parsing with some clients (like ncftp with a
recursive get). But I really feel nostalgic when I see these headers
again.

* LOG_ANON_EMAIL :
Log what anonymous users have entered in the 'password' field.
Except for SPAM, I don't see any reason why people would enable this.
So no, no, no, don't ask, it won't become a standard feature.

* NON_BLOCKING_DATA_SOCKET :
Create transfers socket with O_NONBLOCK.

* RFC_CONFORMANT_LINES :
Assumes that all clients will end their command lines with \r\n as
expected. Unfortunately, in real life, this is not always the case.

* RFC_CONFORMANT_PARSER :
Allows control characters and other horrible stuff in commands and
file names.

* SAVE_DESCRIPTORS :
Save file descriptors by closing/reopening the log after/before
every logged message. Slow, painful, and not chroot-friendly.

* SKIP_COMMAND_TRAILING_SPACES :
Trim spaces after commands, so that 'STOR xyz' is the same as 'STOR
xyz' . For brain damaged clients.

* SNPRINTF_IS_NOT_BUGGY :
Asserts that your snprintf() function works the ISO C99 way. Never
enable this on binary packages.

* STRICT_REST :
Disallow REST commands in ASCII mode (or at least: reply with an
error code).

* WITHOUT_PAM_SESSION :
Do PAM authentication, but don't open PAM sessions.


Have fun...

_______________________________________________
Pureftpd-users mailing list
Pureftpd-users@lists.sourceforge.net
https://lists.sourceforge.net/lists.../pureftpd-users

2009-07-16

ffdshow thumbnails rundll32 crash

Under Vista with K-Lite Codec Pack 5.0,
for some reason watching a certain recorded mpq file kept triggering a rundll32 DEP crash...
It turned out to be Explorer automatically generating thumbnails: the thumbnail handler (ffdshow's decoder, loaded in-process) faulted while parsing the file and DEP terminated rundll32. Since Explorer invokes that parser just by displaying the folder, a malformed media file reaches it without ever being opened, which is a good reason to disable thumbnail extraction for folders of untrusted downloads.

Setting the folder view option "Always show icons, never thumbnails" fixed it.
The drawback is that jpg files no longer get thumbnails either; you have to use preview or a program such as XnView.

Alternatively, you can stop thumbnails being generated for particular file extensions.

You can disable auto creation of thumbnails in Windows Explorer for video files per extension.
Just delete the following registry key:

HKEY_CLASSES_ROOT\[Extension]\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}

Replace [Extension] with the extension of your choice like:

.avi
.vob
.mpg
.mov
.wmv

If you at one point want it back again, just create the key again and reboot. And Vista will again happily suck all the power out of your computer when opening a folder with lots of video files...

2009-07-08

Finding the cvsup server with the fastest connection

cd /usr/ports/sysutils/fastest_cvsup

#make install clean #install
#rehash

#fastest_cvsup -c tw #finds the top three for you

-1st: cvsup?.tw.freebsd.org
-2nd: cvsup?.tw.freebsd.org
-3rd: cvsup?.tw.freebsd.org

2009-07-07

FreeBSD 7.2 ipnat ipfilter

With the newer releases you basically no longer need to rebuild the kernel; rebuilding the whole kernel for a little performance is a hassle, and CPUs are fast enough now.

rc.conf:
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="pppoe"

ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="NO"
ipmon_flags="-Ds"
(with ipmon_enable="NO" the "log" keyword in ipf rules goes nowhere; set it to "YES" if you want firewall hits to reach syslog)

/etc/ipf.rules

ipnat.rules
# active FTP needs the ftp proxy so data connections are translated too
map tun0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
# NAT everything else behind the PPPoE interface address (0/32), rewriting ports
map tun0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
# catch-all for protocols other than tcp/udp (e.g. icmp)
map tun0 192.168.2.0/24 -> 0/32

2009-07-02

FreeBSD 7.2 + Apache22 + PHP + mysql51

1. Fresh install of FreeBSD 7.2-RELEASE
install from ftp6.tw.freebsd.org

2. portsnap fetch extract

3. mysql51-server (takes a long time)
mkdir /usr/local/mysql
chown mysql:mysql /usr/local/mysql (user mysql, group mysql, as created by the port with pw)
optionally symlink /var/db/mysql to /usr/local/mysql with ln -s
make WITH_CHARSET=utf8 WITH_XCHARSET=all WITH_COLLATION=utf8_general_ci BUILD_OPTIMIZED=yes BUILD_STATIC=yes install clean

cp /usr/local/share/mysql/my-huge.cnf /var/db/mysql/my.cnf
ee my.cnf
[mysqld]
skip-name-resolve



4. install apache22 (takes a long time, with perl)
make config
BerkeleyDB (for subversion), mod_proxy (all)

/etc/newsyslog.conf
#newsyslog
/var/log/httpd-access.log 644 3 1 @T00 Z
/var/log/httpd-error.log 644 3 1 @T00 Z /var/run/httpd.pid


modify httpd.conf
#kenny
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps


5. install php5

6. install pure-ftpd

7. http://blog.cheyingwu.tw/index.php/2007/05/04/freebsd-utf8-env/
FreeBSD UTF-8 environment

FreeBSD 5.x and later already support i18n. Because of a problem with Japanese filenames over ftp I switched everything to utf-8; here is the whole process.

Change the csh login settings

#~/.cshrc
setenv LC_ALL zh_TW.UTF-8


Install convmv to convert big5 Chinese filenames

cd /usr/ports/converters/convmv
make install clean; rehash

Usage (run it once without --notest first: that is a dry run that only prints what would be renamed)

convmv -f big5 -t utf-8 -r --notest [filename or directory]

Convert file contents with iconv (write to a temporary file first; redirecting straight back onto the input file truncates it before iconv reads it)

iconv -f big5 -t utf-8 filename > filename.utf8 && mv filename.utf8 filename

Rebuild pure-ftpd with RFC 2640 support; add to the Makefile

--with-rfc2640

After building, edit pure-ftpd.conf

FileSystemCharset utf-8
ClientCharset big5

That completes the switch of FreeBSD to UTF-8

Further reading

兔耳八克斯 » FreeBSD remote console UTF-8 environment
MC104 :: View post - [Recommended] perl script for converting directory/file name encodings
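The iconv step above is the one that silently destroys data when done as "iconv ... file > file". The following is an added example, not part of the original note or of convmv/iconv themselves: a POSIX shell function that converts a file from Big5 to UTF-8 through a temporary file and only replaces the original when iconv exited successfully, so an invalid byte sequence leaves the file untouched. It assumes an iconv(1) with Big5 support (FreeBSD: converters/libiconv; glibc ships it); the sample files are constructed inline.

```shell
# Added example (not from the original note): safe in-place Big5 -> UTF-8
# conversion. Output goes to a temp file; the original is replaced only if
# iconv succeeded, so a bad input file is never truncated or half-converted.

big5_to_utf8() {
    f=$1
    tmp="$f.utf8.$$"
    if iconv -f big5 -t utf-8 "$f" > "$tmp"; then
        mv "$tmp" "$f"
    else
        rm -f "$tmp"
        echo "big5_to_utf8: $f left unchanged (invalid Big5 input?)" >&2
        return 1
    fi
}

# Constructed sample: the character 中 is A4A4 in Big5 and E4B8AD in UTF-8.
# Returns the hex bytes of the converted file (expected: e4b8ad0a).
demo_big5_to_utf8() {
    d=$(mktemp -d)
    printf '\244\244\n' > "$d/sample.txt"      # Big5 bytes for 中 plus newline
    big5_to_utf8 "$d/sample.txt" || return 1
    od -An -tx1 "$d/sample.txt" | tr -d ' \n'
    rm -r "$d"
}

# Constructed failure case: 0xFF is not a valid Big5 lead byte, so iconv
# fails and the original bytes (ff0a) must still be in place afterwards.
demo_invalid_input() {
    d=$(mktemp -d)
    printf '\377\n' > "$d/bad.txt"
    if big5_to_utf8 "$d/bad.txt" 2>/dev/null; then
        rm -r "$d"
        return 1                               # unexpected: conversion should fail
    fi
    od -An -tx1 "$d/bad.txt" | tr -d ' \n'
    rm -r "$d"
}
```

For a whole tree, combine it with find: find /path -type f -exec sh -c 'big5_to_utf8 "$1"' _ {} \; after sourcing the function, and convert filenames separately with convmv as shown above.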

8. install phpmyadmin (pulls in many miscellaneous ports, so it also takes a long time)
mysqladmin -u root password xxxxxx (change the root password)
modify httpd.conf
Alias /phpmyadmin/ "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
    Options none
    AllowOverride Limit
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.x (your own subnet)
</Directory>

http://x.x.x.x/phpmyadmin/setup
(remove or block the setup directory once configuration is finished; it should not stay reachable)

9. cd /usr/ports/devel/ruby-gems
# make install clean
remember to install ruby-iconv
otherwise rails fails with undefined method `camelize' for "app":String
cd /usr/ports/converters/ruby-iconv

2009-06-01

vim + Ruby on Rails

I recently installed Ruby on Rails on FreeBSD, so I installed Vim as well. Hmm, with Vim the code is indeed much clearer to read.

1. Install vim6+ruby; no X Windows, so pass -DWITHOUT_X11.

#cd /usr/ports/editors/vim/
#make -DWITHOUT_X11 install clean

2. Copy the Vim configuration file .vimrc into the user's home directory and add the Chinese-locale settings plus whatever else you need.

#cp /usr/local/share/vim/vim64/vimrc_example.vim ~/.vimrc
#vi ~/.vimrc

set guifontset=8x16,kc15f,-*-16-*-big5-0
set cindent
set enc=taiwan
set fileencoding=taiwan
set hls
set nocompatible
set sw=2
set background=dark
set nomodeline "keep modelines off: a file you open must not be able to change editor settings
syntax on
highlight Comment ctermfg=darkcyan "change the Comment colour
highlight Search term=reverse ctermbg=4 ctermfg=7

3. The original vi is still there; to use Vim just open files with vim.

Put rails.vim in /home/user/.vim/plugin/

2009-05-01

FreeBSD 7.0 initial environment setup

http://plog.longwin.com.tw/my_note-unix/2007/07/16/freebsd_initial_env_build_2007

cp /usr/share/examples/etc/make.conf /etc/
cp /usr/share/examples/cvsup/stable-supfile /etc/
cp /usr/share/examples/cvsup/ports-supfile /etc/
modify stable-supfile to use cvsup6.tw.freebsd.org
csup /etc/stable-supfile

For ports, portsnap is faster

For security patches to a -RELEASE, use freebsd-update
http://ohaha.ks.edu.tw/post/1/32
The freebsd-update(8) utility supports binary upgrades of i386 and amd64 systems running earlier FreeBSD releases. Systems running 7.0-RELEASE, 7.1-BETA, 7.1-BETA2, 7.1-RC1, or 7.1-RC2 can upgrade as follows:
# freebsd-update upgrade -r 7.1-RELEASE
During this process, FreeBSD Update may ask the user to help by merging some configuration files or by confirming that the automatically performed merging was done correctly.
# freebsd-update install
The system must be rebooted with the newly installed kernel before continuing.
# shutdown -r now
After rebooting, freebsd-update needs to be run again to install the new userland components, and the system needs to be rebooted again:
# freebsd-update install
# shutdown -r now
This installs the official pre-compiled binaries automatically

2009-04-30

cisco nat note

There are basically three kinds of NAT on a Cisco router, and from these three you can build several further techniques such as load balancing. The three basic NAT modes:

Static NAT: a fixed one-to-one mapping that assigns each internal private IP its own public IP. It still needs as many real external IPs as there are internal hosts, so it saves no addresses and is rarely used for that purpose (it remains the normal way to expose a single internal server).
Dynamic NAT: define one or more NAT pools, i.e. sets of public IPs available for translation, for the internal private IPs to use dynamically. For each private IP's connection the router hands out a public IP from the pool in turn; once the pool is exhausted further hosts cannot translate until an entry times out.

PAT (Port Address Translation): an enhanced form of NAT that lets many internal private IPs be translated onto a single public IP by rewriting source ports as well.
You can also overload the outside interface's own IP instead of a pool (ip nat inside source list 1 interface Serial0/0/0 overload).
Usable private IPs: RFC 1918 defines three blocks of private IPv4 addresses, which are normally used as the inside addresses for NAT. These addresses are not routed across the Internet.
Addr Range                       IP & mask                   
10.0.0.0 - 10.255.255.255        10.0.0.0/255.0.0.0          1 Class A
172.16.0.0 - 172.31.255.255      172.16.0.0/255.240.0.0      16 Class Bs
192.168.0.0 - 192.168.255.255    192.168.0.0/255.255.0.0     256 Class Cs
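The block most often mis-sized is 172.16.0.0/12, which covers second octets 16 through 31 and nothing else. The following is an added example, not part of the original note: a POSIX shell function that decides whether an IPv4 address falls inside one of the three RFC 1918 blocks using the mask arithmetic from the table rather than a string prefix, so that 172.32.x.x is correctly rejected. It is handy when auditing the "access-list 1" lines that feed a NAT pool, which should only ever match private space.

```shell
# Added example (not from the original note): RFC 1918 membership test.
# Returns 0 for a private address, 1 for a public one, 2 for malformed input.

is_rfc1918() {
    # Split a.b.c.d; a missing or extra octet leaves a field empty or dotted.
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 2 ;; esac
        [ "$o" -le 255 ] || return 2
    done
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    # 10.0.0.0/8: top 8 bits equal 10
    [ $(( n >> 24 )) -eq 10 ] && return 0
    # 172.16.0.0/12: top 12 bits equal 0xAC1 (172.16 >> 4) = 2753
    [ $(( n >> 20 )) -eq 2753 ] && return 0
    # 192.168.0.0/16: top 16 bits equal 0xC0A8 = 49320
    [ $(( n >> 16 )) -eq 49320 ] && return 0
    return 1
}

# Usage: print a verdict for each address given on the command line.
for ip in "$@"; do
    if is_rfc1918 "$ip"; then echo "$ip private"
    elif [ $? -eq 2 ]; then echo "$ip malformed"
    else echo "$ip public"
    fi
done
```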

Configuration examples:
1. Static NAT, a simple example: translate the inside address 192.168.1.100/24 to the outside address 200.1.1.2/24 (use an address other than the outside interface's own 200.1.1.1: a static mapping onto the interface address would also redirect traffic meant for the router itself)
Router1#conf t
Router1(config)#int S 0/0/0
Router1(config-if)#ip address 200.1.1.1 255.255.255.0
Router1(config-if)#ip nat outside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#int fa 0/1
Router1(config-if)#ip address 192.168.1.254 255.255.255.0
Router1(config-if)#ip nat inside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip nat inside source static 192.168.1.100 200.1.1.2

2. Dynamic NAT: define a pool (200.1.1.2~200.1.1.10)/24 for the inside network 192.168.1.0/24 (again leaving the interface address out of the pool; the access list must match the inside network configured on fa 0/1)
Router1#conf t
Router1(config)#int S 0/0/0
Router1(config-if)#ip address 200.1.1.1 255.255.255.0
Router1(config-if)#ip nat outside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#int fa 0/1
Router1(config-if)#ip address 192.168.1.254 255.255.255.0
Router1(config-if)#ip nat inside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip nat pool nat1 200.1.1.2 200.1.1.10 netmask 255.255.255.0
Router1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router1(config)#ip nat inside source list 1 pool nat1
Router1(config)#exit

3. PAT (Overload): only one IP (200.1.1.1)/24 provides NAT for the inside network 192.168.1.0/24
Router1#conf t
Router1(config)#int S 0/0/0
Router1(config-if)#ip address 200.1.1.1 255.255.255.0
Router1(config-if)#ip nat outside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#int fa 0/1
Router1(config-if)#ip address 192.168.1.254 255.255.255.0
Router1(config-if)#ip nat inside
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip nat pool nat1 200.1.1.1 200.1.1.1 netmask 255.255.255.0
Router1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Router1(config)#ip nat inside source list 1 pool nat1 overload
Router1(config)#exit

2009-04-29

How to make the XP desktop icon background transparent?

Right-click an empty area of the desktop and click "Properties / Desktop / Customize Desktop / Web" in turn. In the "Web pages" list untick every item, including "My Current Home Page" and any "http://..." entries (the "http://..." items are web pages or pictures added from the Internet; they are usually not needed and can all be deleted), and also untick "Lock desktop items" underneath. Click OK to finish, and the nice desktop icons are back.
