PiAPWorkingTips

Hide SSID

Configuration for hostapd:

# vim /etc/hostapd/hostapd.conf
...
ignore_broadcast_ssid=1
...
# systemctl restart hostapd

DHCP server

Changed from dnsmasq to isc-dhcp-server.

pdnsd changes

Install via:

# apt install pdnsd
When prompted, select Manual to configure the pdnsd server manually.

Configuration file changes (the resolvconf-generated server block; the ip line is commented out):

# Generated by resolvconf
server {
	label=resolvconf;
	#ip=192.168.1.117;
}

For the rest, refer to the previous article (written 2017-12-24).

redsocks changes

Change the redsocks configuration to listen to 0.0.0.0:12345:

redsocks {
        /* `local_ip' defaults to 127.0.0.1 for security reasons,
         * use 0.0.0.0 if you want to listen on every interface.
         * `local_*' are used as port to redirect to.
         */
        local_ip = 0.0.0.0;
        local_port = 12345;

        // `ip' and `port' are IP and tcp-port of proxy-server
        ip = 127.0.0.1;
        port = 1080;

        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;
}

Configuration for the iptables:

sudo iptables -t nat -N SHADOWSOCKS

# Note: replace $server_IP here with your own remote socks5 IP, i.e. your VPS IP, otherwise it will not work
sudo iptables -t nat -A SHADOWSOCKS -d xx.xx.xx.xxx  -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d xx.xx.xx.xxx -j RETURN

# Skip LAN and reserved addresses
sudo iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
sudo iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
#sudo iptables -t nat -A SHADOWSOCKS -m set --match-set chnroute dst -j RETURN

# Forward the remaining traffic to port 12345, i.e. redsocks
sudo iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
sudo iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
sudo iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS

Resulting rules as saved by xtables-save:

# Generated by xtables-save v1.8.2 on Thu Jun 30 14:34:24 2022
*filter
:INPUT ACCEPT [1455927:2412196175]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [927092:2335234307]
-A FORWARD -i wlan0 -j ACCEPT
-A FORWARD -o wlan0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
# Completed on Thu Jun 30 14:34:24 2022
# Generated by xtables-save v1.8.2 on Thu Jun 30 14:34:24 2022
*nat
:PREROUTING ACCEPT [4873:855180]
:INPUT ACCEPT [10699:685912]
:POSTROUTING ACCEPT [9810:590833]
:OUTPUT ACCEPT [14989:908253]
:SHADOWSOCKS - [0:0]
-A PREROUTING -p tcp -j SHADOWSOCKS
-A POSTROUTING -o eth0 -j MASQUERADE
-A SHADOWSOCKS -d xxx.xxx.xxx.xxx/32 -j RETURN
-A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
-A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
-A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
-A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
-A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
-A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
-A SHADOWSOCKS -d 1xx.xx.xxx.xxx/32 -j RETURN
-A SHADOWSOCKS -d 1xx.xx.xxx.xxx/32 -j RETURN
COMMIT
# Completed on Thu Jun 30 14:34:24 2022
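The chain above only works if every RETURN exemption sits ahead of the catch-all REDIRECT, because iptables stops at the first terminating target. The following script is an added example, not part of the original notes or of redsocks: it parses iptables-save/xtables-save output, reports rules in the SHADOWSOCKS chain that can never match because they come after the catch-all, checks that the reserved-range bypasses are present, and prints the chain in corrected order. The sample is constructed from the nat table listed above, with the proxy-server addresses kept as the placeholders the notes use.

```python
"""Audit rule ordering in a redsocks transparent-proxy chain (added example)."""
import shlex

# Targets that stop evaluation of the chain for a packet that matches.
TERMINATING = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE",
               "ACCEPT", "DROP", "REJECT", "RETURN"}

# Ranges that must bypass the proxy (local, private, link-local, multicast, reserved).
EXPECTED_BYPASS = {
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
}

# Constructed from the xtables-save listing in the notes; xxx.xxx.xxx.xxx and
# 1xx.xx.xxx.xxx stand in for the real proxy-server addresses.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:SHADOWSOCKS - [0:0]
-A PREROUTING -p tcp -j SHADOWSOCKS
-A POSTROUTING -o eth0 -j MASQUERADE
-A SHADOWSOCKS -d xxx.xxx.xxx.xxx/32 -j RETURN
-A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
-A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
-A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
-A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
-A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
-A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
-A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
-A SHADOWSOCKS -d 1xx.xx.xxx.xxx/32 -j RETURN
-A SHADOWSOCKS -d 1xx.xx.xxx.xxx/32 -j RETURN
COMMIT
"""


def _cidr(addr):
    """iptables-save prints hosts as /32; normalise bare IPs from hand-written scripts."""
    return addr if "/" in addr else addr + "/32"


def parse_chain(save_output, chain):
    """Return the rules appended to `chain`, in order, as small dicts."""
    rules = []
    prefix = "-A %s " % chain
    for line in save_output.splitlines():
        if not line.startswith(prefix):
            continue
        argv = shlex.split(line)[2:]  # drop "-A <chain>"
        rule = {"raw": line, "dst": None, "matches": 0, "target": None}
        i = 0
        while i < len(argv):
            opt = argv[i]
            if opt == "-j":
                rule["target"] = argv[i + 1]
                i += 2
            elif opt == "-d":
                rule["dst"] = _cidr(argv[i + 1])
                rule["matches"] += 1
                i += 2
            elif opt in ("-s", "-i", "-o", "-m", "--dport", "--sport"):
                rule["matches"] += 1  # any selector narrows the rule
                i += 2
            else:
                i += 1  # "-p tcp" is implied by the jump into the chain; ignore it
        rules.append(rule)
    return rules


def _is_catch_all(rule):
    return rule["target"] in TERMINATING and rule["matches"] == 0


def audit_chain(save_output, chain="SHADOWSOCKS"):
    """Report the catch-all rule, rules shadowed by it, and missing bypass ranges."""
    report = {"redirect": None, "unreachable": [], "missing_bypass": []}
    seen_bypass = set()
    for rule in parse_chain(save_output, chain):
        if report["redirect"] is not None:
            report["unreachable"].append(rule["raw"])  # after the catch-all: dead rule
            continue
        if rule["target"] == "RETURN" and rule["dst"]:
            seen_bypass.add(rule["dst"])
        if _is_catch_all(rule):
            report["redirect"] = rule["raw"]
    report["missing_bypass"] = sorted(EXPECTED_BYPASS - seen_bypass)
    return report


def reorder_chain(save_output, chain="SHADOWSOCKS"):
    """Return the chain's rule lines with every selective rule ahead of the catch-all."""
    rules = parse_chain(save_output, chain)
    selective = [r["raw"] for r in rules if not _is_catch_all(r)]
    catch_all = [r["raw"] for r in rules if _is_catch_all(r)]
    return selective + catch_all


if __name__ == "__main__":
    report = audit_chain(SAMPLE_NAT)
    print("catch-all rule :", report["redirect"])
    for raw in report["unreachable"]:
        print("UNREACHABLE    :", raw)
    print("missing bypass :", report["missing_bypass"] or "none")
    print("corrected order:")
    print("\n".join(reorder_chain(SAMPLE_NAT)))
```

Run against the listing from the notes, the two RETURN rules added after the REDIRECT are reported as unreachable; with the chain on the Pi the fix is simply to insert them (or re-run the whole script) so that they precede the REDIRECT line.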

WorkingTipsOnv2ray

Client

Install the v2rayA client on Arch Linux, then install xray via yay and remove all v2ray-related packages.

Refer to https://v2raya.org/docs/manual/use-other-core/ for switching v2rayA to xray-core.

Server

Install acme:

# curl  https://get.acme.sh | sh

Generate the certificate:

acme.sh --issue --server letsencrypt --test -d www.fuckgfwmother.cn -w /root/blog/html --keylength ec-256
acme.sh --set-default-ca --server letsencrypt
acme.sh --issue -d www.fuckgfwmother.cn -w /root/blog/html --keylength ec-256 --force

Then copy the certificate chain and key to /etc/xray:

# cp /root/.acme.sh/www.fuckgfwmother.cn_ecc/fullchain.cer /etc/xray/chain.crt
# cp /root/.acme.sh/www.fuckgfwmother.cn_ecc/www.fuckgfwmother.cn.key /etc/xray/key.key

Edit the config.json under the folder /etc/xray, then start the docker instance via:

$ docker run -d -p 443:443 --name xray --restart=always -v /etc/xray:/etc/xray teddysun/xray

Configuration

Configured as in the screenshot:

/images/2022_06_14_08_31_50_496x768.jpg

Now start it via sudo v2raya; after that the proxy can be used.

WorkingTipsForSG1ForOS

Create the disk via:

qemu-img create -f qcow2 -b /images/Centos1810Base.qcow2 sg1_openstack.qcow2

Create a VM using bridged networking and set its IP address to 192.168.89.25.
Upload the kernel and deployment files onto the server:

scp ./kernel_4.19.12-1.xxx_rpms.tar.gz SG1Deployment.tar.gz ctctest@192.168.89.25:~

Log in to 192.168.89.25 and install the kernel via:

# ./install_kernel.sh
# reboot

After reboot, check the kernel version.

SecurityEnhancement

Nessus remediation steps

1. SSH SHA-1 HMAC Algorithms Enabled

Issue:

/images/2022_05_24_08_58_34_930x453.jpg

Cause:
The sshd server has hmac-sha1 enabled; it has to be disabled in the sshd configuration file and the service restarted. Taking Ubuntu as an example, the remediation steps are:

List all supported MAC algorithms:

# sshd -T | grep macs
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Take the entries from the output above, drop hmac-sha1, and add them to the sshd configuration file:

# vim /etc/ssh/sshd_config
........
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
# systemctl restart ssh && systemctl restart sshd

After the restart, check that the MAC has been removed:

# sshd -T | grep macs
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

2. (MEDIUM) Unencrypted Telnet Server

Stop the xinetd service listening on port 23:

# sudo netstat -anp | grep 23
# sudo systemctl stop xinetd
# sudo systemctl disable xinetd
# sudo netstat -anp | grep 23

3. SSH Weak Key Exchange Algorithms Enabled

Info:

The following weak key exchange algorithms are enabled : 

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group1-sha1

Check and change the configuration:

# sshd -T | grep diffie
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# vim /etc/ssh/sshd_config
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Restart the sshd via systemctl restart sshd

4. SSH Server CBC Mode Ciphers Enabled

Check:

# sshd -T |grep ciphers
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

Change the configuration and restart:

# vim /etc/ssh/sshd_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
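The three findings above are all variations of one check: read the effective configuration from `sshd -T` and look for SHA-1 MACs, SHA-1 key-exchange methods and CBC ciphers. The script below is an added example, not part of the original notes or of Nessus: it parses `sshd -T` output, lists the weak entries per keyword, and prints the sshd_config line that keeps only the acceptable algorithms in their original order. The sample lines are constructed from the `sshd -T` output quoted above. Its policy is deliberately stricter than the two key-exchange names the scanner quoted, treating every SHA-1-based method as weak; note that on the macs line the notes put into sshd_config, hmac-sha1-etm@openssh.com is still a SHA-1 HMAC and is reported.

```python
"""Flag SHA-1 and CBC algorithms in `sshd -T` output (added example)."""

# Effective configuration as printed by `sshd -T` in the notes, before remediation.
SSHD_T_BEFORE = """\
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
"""

# The macs line the notes wrote into sshd_config: hmac-sha1 is gone, but the
# -etm variant is still built on SHA-1.
SSHD_T_AFTER_MACS = (
    "macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512"
)

ALGO_KEYWORDS = ("ciphers", "macs", "kexalgorithms")
DIRECTIVE = {"ciphers": "Ciphers", "macs": "MACs", "kexalgorithms": "KexAlgorithms"}


def parse_sshd_t(text):
    """Map each algorithm keyword in `sshd -T` output to its ordered list of names."""
    config = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ALGO_KEYWORDS:
            config[parts[0].lower()] = parts[1].split(",")
    return config


def is_weak(keyword, name):
    """Policy: CBC or RC4 ciphers, SHA-1/MD5 MACs and SHA-1 key exchange are weak."""
    n = name.lower()
    if keyword == "ciphers":
        return "cbc" in n or "arcfour" in n
    if keyword == "macs":
        return "sha1" in n or "md5" in n
    if keyword == "kexalgorithms":
        return "sha1" in n
    return False


def weak_algorithms(config):
    """Return {keyword: [weak names]} for parsed `sshd -T` output."""
    return {kw: [a for a in algs if is_weak(kw, a)] for kw, algs in config.items()}


def hardened_line(keyword, algorithms):
    """Build the sshd_config line that keeps only acceptable algorithms, order preserved."""
    kept = [a for a in algorithms if not is_weak(keyword, a)]
    return "%s %s" % (DIRECTIVE[keyword], ",".join(kept))


if __name__ == "__main__":
    # In practice: subprocess.run(["sshd", "-T"], capture_output=True, text=True).stdout
    config = parse_sshd_t(SSHD_T_BEFORE)
    for keyword, weak in weak_algorithms(config).items():
        print("%-14s weak: %s" % (keyword, ", ".join(weak) or "none"))
        print("   ", hardened_line(keyword, config[keyword]))
    print("after the notes' macs change:",
          weak_algorithms(parse_sshd_t(SSHD_T_AFTER_MACS))["macs"])
```

Because `sshd -T` prints the configuration as the daemon actually resolves it (including defaults), re-running the checker after `systemctl restart sshd` is the reliable confirmation, rather than re-reading sshd_config.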

Effect of the changes above (before remediation):

/images/2022_05_24_09_49_30_1323x496.jpg

After remediation:

WorkingTipsOnGuestVM

Add Channel

Add a channel named Channel spice:

/images/2022_05_23_10_02_46_551x307.jpg

Install Python 2 and make it the default python version:

# sudo apt-get install -y python2
# update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
update-alternatives: using /usr/bin/python2.7 to provide /usr/bin/python (python) in auto mode
# python
Python 2.7.18 (default, Mar 12 2022, 06:24:29) 
[GCC 11.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
# sudo apt-get install -y libevent-dev
# cd /usr/ && cp ./lib/aarch64-linux-gnu/libevent-2.1.so.7 ./lib/aarch64-linux-gnu/libevent-2.1.so.6