78 posts found by 自渡
2017-11-10
OpenVPN server startup script

This script is the official one shipped with the package; it lives at /etc/init.d/openvpn. Note: this article is for study and exchange only. The software is intended for operations use only; do not use it for any illegal business.

```sh
#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          OpenVPN
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      network-manager
# Should-Stop:       network-manager
# X-Start-Before:    $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive:     true
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: openvpn VPN service
# Description:       This script will start OpenVPN tunnels as specified
#                    in /etc/default/openvpn and /etc/openvpn/*.conf
### END INIT INFO

# Original version by Robert Leslie
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>

. /lib/lsb/init-functions

test $DEBIAN_SCRIPT_DEBUG && set -v -x

DAEMON=/usr/sbin/openvpn
DESC="virtual private network daemon"
CONFIG_DIR=/etc/openvpn
test -x $DAEMON || exit 0
test -d $CONFIG_DIR || exit 0

# Source defaults file; edit that file to configure this script.
AUTOSTART="all"
STATUSREFRESH=10
OMIT_SENDSIGS=0
if test -e /etc/default/openvpn ; then
  . /etc/default/openvpn
fi

start_vpn () {
    if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
      # daemon already given in config file
      DAEMONARG=
    else
      # need to daemonize
      DAEMONARG="--daemon ovpn-$NAME"
    fi

    if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then
      # status file already given in config file
      STATUSARG=""
    elif test $STATUSREFRESH -eq 0 ; then
      # default status file disabled in /etc/default/openvpn
      STATUSARG=""
    else
      # prepare default status file
      STATUSARG="--status /run/openvpn/$NAME.status $STATUSREFRESH"
    fi

    # tun using the "subnet" topology confuses the routing code that wrongly
    # emits ICMP redirects for client to client communications
    SAVED_DEFAULT_SEND_REDIRECTS=0
    if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.conf && \
       grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf ; then
        # When using "client-to-client", OpenVPN routes the traffic itself without
        # involving the TUN/TAP interface so no ICMP redirects are sent
        if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then
            sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null

            # Save the default value for send_redirects before disabling it
            # to make sure the tun device is created with send_redirects disabled
            SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects)
            if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
                sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null
            fi
        fi
    fi

    log_progress_msg "$NAME"
    STATUS=0

    start-stop-daemon --start --quiet --oknodo \
        --pidfile /run/openvpn/$NAME.pid \
        --exec $DAEMON -- $OPTARGS --writepid /run/openvpn/$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
        --config $CONFIG_DIR/$NAME.conf || STATUS=1

    [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /run/openvpn/$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid

    # Set the back the original default value of send_redirects if it was changed
    if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then
        sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null
    fi
}

stop_vpn () {
  start-stop-daemon --stop --quiet --oknodo \
      --pidfile $PIDFILE --exec $DAEMON --retry 5
  if [ "$?" -eq 0 ]; then
      rm -f $PIDFILE
      [ "$OMIT_SENDSIGS" -ne 1 ] || rm -f /run/sendsigs.omit.d/openvpn.$NAME.pid
      rm -f /run/openvpn/$NAME.status 2> /dev/null
  fi
}

case "$1" in
start)
  log_daemon_msg "Starting $DESC"

  # first create /run directory so it's present even
  # when no VPN are autostarted by this script, but later
  # by systemd openvpn@.service
  mkdir -p /run/openvpn
  # autostart VPNs
  if test -z "$2" ; then
    # check if automatic startup is disabled by AUTOSTART=none
    if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then
      log_warning_msg " Autostart disabled."
      exit 0
    fi
    if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
      # all VPNs shall be started automatically
      for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
        NAME=${CONFIG%%.conf}
        start_vpn
      done
    else
      # start only specified VPNs
      for NAME in $AUTOSTART ; do
        if test -e $CONFIG_DIR/$NAME.conf ; then
          start_vpn
        else
          log_failure_msg "No such VPN: $NAME"
          STATUS=1
        fi
      done
    fi
  #start VPNs from command line
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e $CONFIG_DIR/$1.conf ; then
        NAME=$1
        start_vpn
      else
        log_failure_msg " No such VPN: $1"
        STATUS=1
      fi
    done
  fi
  log_end_msg ${STATUS:-0}

  ;;
stop)
  log_daemon_msg "Stopping $DESC"

  if test -z "$2" ; then
    for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c14-`
      NAME=${NAME%%.pid}
      stop_vpn
      log_progress_msg "$NAME"
    done
  else
    while shift ; do
      [ -z "$1" ] && break
      if test -e /run/openvpn/$1.pid ; then
        PIDFILE=`ls /run/openvpn/$1.pid 2> /dev/null`
        NAME=`echo $PIDFILE | cut -c14-`
        NAME=${NAME%%.pid}
        stop_vpn
        log_progress_msg "$NAME"
      else
        log_failure_msg " (failure: No such VPN is running: $1)"
      fi
    done
  fi
  log_end_msg 0
  ;;
# Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'.
reload|force-reload)
  log_daemon_msg "Reloading $DESC"
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    # If openvpn is running under a different user than root we'll need to restart
    if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then
      stop_vpn
      start_vpn
      log_progress_msg "(restarted)"
    else
      kill -HUP `cat $PIDFILE` || true
      log_progress_msg "$NAME"
    fi
  done
  log_end_msg 0
  ;;
# Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'.
soft-restart)
  log_daemon_msg "$DESC sending SIGUSR1"
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    kill -USR1 `cat $PIDFILE` || true
    log_progress_msg "$NAME"
  done
  log_end_msg 0
  ;;
restart)
  shift
  $0 stop ${@}
  $0 start ${@}
  ;;
cond-restart)
  log_daemon_msg "Restarting $DESC."
  for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do
    NAME=`echo $PIDFILE | cut -c14-`
    NAME=${NAME%%.pid}
    stop_vpn
    start_vpn
  done
  log_end_msg 0
  ;;
status)
  GLOBAL_STATUS=0
  if test -z "$2" ; then
    # We want status for all defined VPNs.
    # Returns success if all autostarted VPNs are defined and running
    if test "x$AUTOSTART" = "xnone" ; then
      # Consider it a failure if AUTOSTART=none
      log_warning_msg "No VPN autostarted"
      GLOBAL_STATUS=1
    else
      if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        # Consider it a failure if one of the autostarted VPN is not defined
        for VPN in $AUTOSTART ; do
          if ! test -f $CONFIG_DIR/$VPN.conf ; then
            log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined"
            GLOBAL_STATUS=1
          fi
        done
      fi
    fi
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
      # Is it an autostarted VPN ?
      if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then
        AUTOVPN=1
      else
        if test "x$AUTOSTART" = "xnone" ; then
          AUTOVPN=0
        else
          AUTOVPN=0
          for VPN in $AUTOSTART; do
            if test "x$VPN" = "x$NAME" ; then
              AUTOVPN=1
            fi
          done
        fi
      fi
      if test "x$AUTOVPN" = "x1" ; then
        # If it is autostarted, then it contributes to global status
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true
      fi
    done
  else
    # We just want status for specified VPNs.
    # Returns success if all specified VPNs are defined and running
    while shift ; do
      [ -z "$1" ] && break
      NAME=$1
      if test -e $CONFIG_DIR/$NAME.conf ; then
        # Config exists
        status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1
      else
        # Config does not exist
        log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !"
        GLOBAL_STATUS=1
      fi
    done
  fi
  exit $GLOBAL_STATUS
  ;;
*)
  echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2
  exit 1
  ;;
esac

exit 0

# vim:set ai sts=2 sw=2 tw=0:
```
November 10, 2017 | 3,166 reads | 0 comments | 0 likes
2017-11-10
Allocating the remaining space on a Raspberry Pi SD card

Reference: http://www.cnblogs.com/dongruiha/p/6817384.html

Run `fdisk -l` as root. It shows that /dev/mmcblk0 is the SD card, 29.7 GB in total. Then allocate the unused space:

```sh
fdisk /dev/mmcblk0
```

In fdisk, press n to create a partition, then p to make it a primary partition, and give it partition number 3. For the start sector, take the End value fdisk shows for the existing mmcblk0p2 partition and add 1; for the End, press Enter to accept the default. Then press t to set the partition type to Linux (code 83), then w to save, and reboot.

After the reboot, format partition 3 and mount it:

```sh
mkfs -t ext3 /dev/mmcblk0p3
mkdir -p /media/mmcblk0p3
mount -t ext3 /dev/mmcblk0p3 /media/mmcblk0p3
```

To mount it at boot, open /etc/fstab with `nano /etc/fstab`, add the following line and save (the option keyword is `defaults`):

```
/dev/mmcblk0p3 /media/mmcblk0p3 ext3 defaults 0 1
```
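The same procedure as a non-interactive script, added here as an example; it is not code from the original post or its reference. It computes the new partition's start sector from the End value of the last existing partition exactly as the steps above do, but uses `sfdisk --append` and `partprobe` instead of the interactive fdisk session and a reboot. `DEV`, `NEWPART`, `MOUNTPOINT` and the `--apply` switch are assumptions, and the `fdisk -l` listing embedded below is constructed so that the dry run works without a card present.

```sh
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# SD card expansion. Reads the End sector of the last partition from a
# `fdisk -l` listing, starts the new partition at End+1 with type 83 (Linux),
# formats it as ext3 and appends an fstab entry using "defaults".
# DEV, NEWPART and MOUNTPOINT are assumed values; SAMPLE_FDISK is constructed.

DEV=/dev/mmcblk0
NEWPART=${DEV}p3
MOUNTPOINT=/media/mmcblk0p3

# Constructed sample of `fdisk -l /dev/mmcblk0` output for a 32 GB card.
SAMPLE_FDISK='Disk /dev/mmcblk0: 29.7 GiB, 31914983424 bytes, 62333952 sectors
Units: sectors of 1 * 512 = 512 bytes
Device         Boot  Start      End  Sectors  Size Id Type
/dev/mmcblk0p1        8192    93236    85045 41.5M  c W95 FAT32 (LBA)
/dev/mmcblk0p2       94208 15523839 15429632  7.4G 83 Linux'

# last_end_sector LISTING DEV: End sector of the last partition line whose
# device name starts with "${DEV}p". A "*" in the Boot column shifts the fields.
last_end_sector() {
  printf '%s\n' "$1" | awk -v prefix="${2}p" '
    index($1, prefix) == 1 { end = ($2 == "*") ? $4 : $3 }
    END { if (end != "") print end }'
}

# next_start_sector LISTING DEV: first free sector after the last partition
# (the "End value plus 1" from the post). Fails if no partition was found.
next_start_sector() {
  last=$(last_end_sector "$1" "$2")
  [ -n "$last" ] || return 1
  echo $((last + 1))
}

# sfdisk_script LISTING DEV: one sfdisk input line. Omitting "size=" takes all
# remaining space (fdisk's default End); type=83 is the Linux partition id.
sfdisk_script() {
  start=$(next_start_sector "$1" "$2") || return 1
  printf 'start=%s, type=83\n' "$start"
}

# fstab_line DEVICE MOUNTPOINT: the entry to append to /etc/fstab.
fstab_line() {
  printf '%s %s ext3 defaults 0 1\n' "$1" "$2"
}

# Only touch the real card when asked to; the default run is a dry run.
if [ "${1:-}" = "--apply" ]; then
  listing=$(fdisk -l "$DEV")
  sfdisk_script "$listing" "$DEV" | sfdisk --append "$DEV"
  partprobe "$DEV" 2>/dev/null || true      # re-read the table instead of rebooting
  mkfs -t ext3 "$NEWPART"
  mkdir -p "$MOUNTPOINT"
  grep -q "^$NEWPART " /etc/fstab || fstab_line "$NEWPART" "$MOUNTPOINT" >> /etc/fstab
  mount "$MOUNTPOINT"
else
  echo "Dry run against the constructed listing:"
  sfdisk_script "$SAMPLE_FDISK" "$DEV"
  fstab_line "$NEWPART" "$MOUNTPOINT"
fi
```

Run it without arguments to see the sfdisk line and fstab entry it would produce; run it as root with `--apply` to carry out the steps. The `grep -q` guard keeps a second run from duplicating the fstab entry.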
November 10, 2017 | 1,779 reads | 0 comments | 0 likes
2017-11-10
Some nmap usage notes

Common options:

- -sT / -sU: TCP connect scan / UDP scan
- -sS: TCP SYN scan; leaves no trace on the server side
- -p: port number or port range
- -O: detect the target host's operating system
- -sP: host discovery with a ping scan
- -PU: host discovery with a UDP ping
- -Pn: skip the ping; do not use ping to test whether the host is up
November 10, 2017 | 1,198 reads | 0 comments | 0 likes
2017-11-10
iptables application notes

```sh
iptables -F     # flush all rules
iptables -X     # delete user-defined chains
iptables -Z     # zero the packet and byte counters
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # allow all already-established inbound connections
iptables -A INPUT -i lo -j ACCEPT                                   # allow all traffic on the lo interface
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP                                    # drop all inbound TCP and UDP packets
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP             # stop the Internet from pinging this host
iptables -nL --line-number                                          # show the current rules with line numbers
iptables -D INPUT 1                                                 # delete rule 1 in the INPUT chain
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT  # insert this rule as line 1 of the INPUT chain
iptables -t nat -nL --line-number                                   # show the nat rules with line numbers
iptables -t nat -A POSTROUTING -s 172.31.0.0/16 -o eth0 -j MASQUERADE
    # NAT the 172.31.0.0/16 range behind eth0's IP address; common on VPN gateways
iptables -t nat -A PREROUTING -d 172.31.0.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.0.1:80
    # DNAT: redirect port 80 on 172.31.0.1 to port 80 on 10.10.0.1
```
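An added example that serves both the nmap notes and the iptables notes above; it is not code from either post. The iptables part applies the rules from the notes in an order that works without locking out administration (loopback and established traffic first, an explicit allow for SSH, then a logging rule ahead of the catch-all drops, with `-t nat` on the NAT rules). The second part is the check a defender wants against the "-sS leaves no trace" remark: a SYN scan sends one SYN per port, and each of those is a NEW packet to netfilter, so the LOG rule records every probe even though no connection completes; the awk summary counts distinct destination ports per source in those log lines. `WAN_IF`, `SSH_PORT`, the `fw-new:` log prefix, `SCAN_THRESHOLD` and the `--apply` switch are assumptions, and the kernel log lines in `SAMPLE_LOG` are constructed.

```sh
#!/bin/sh
# Added example (not from the original posts). Part 1: the page's INPUT rules
# in working order plus a rate-limited LOG rule for new inbound SYNs.
# Part 2: summarise those log lines per source address to spot port scans.
# WAN_IF, SSH_PORT, LOG_PREFIX and SCAN_THRESHOLD are assumed values.

WAN_IF=eth0
SSH_PORT=22
LOG_PREFIX="fw-new: "
SCAN_THRESHOLD=10   # distinct ports from one source that we report as a scan

# apply_rules: needs root; only run via --apply.
apply_rules() {
  iptables -F
  iptables -X
  iptables -Z
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Explicit allows must come before the drops, or the box is unreachable.
  iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
  iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
  # Log new connection attempts (rate-limited so a scan cannot flood syslog), then drop.
  iptables -A INPUT -p tcp --syn -m state --state NEW \
    -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "$LOG_PREFIX"
  iptables -A INPUT -p tcp -j DROP
  iptables -A INPUT -p udp -j DROP
  # NAT rules belong to the nat table; the page's values are kept.
  iptables -t nat -A POSTROUTING -s 172.31.0.0/16 -o "$WAN_IF" -j MASQUERADE
  iptables -t nat -A PREROUTING -d 172.31.0.1/32 -p tcp --dport 80 -j DNAT --to-destination 10.10.0.1:80
}

# Constructed kernel log lines in the shape the LOG target writes: one source
# probing ten ports (a scan), another making two attempts on port 22.
SAMPLE_LOG='Nov 10 12:00:01 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 10 12:00:01 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=22 SYN
Nov 10 12:00:01 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=23 SYN
Nov 10 12:00:01 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=25 SYN
Nov 10 12:00:02 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=80 SYN
Nov 10 12:00:02 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=110 SYN
Nov 10 12:00:02 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=143 SYN
Nov 10 12:00:02 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=443 SYN
Nov 10 12:00:03 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=445 SYN
Nov 10 12:00:03 gw kernel: fw-new: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 PROTO=TCP SPT=40001 DPT=3389 SYN
Nov 10 12:05:10 gw kernel: fw-new: IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51022 DPT=22 SYN
Nov 10 12:05:14 gw kernel: fw-new: IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51023 DPT=22 SYN'

# scan_sources LOG PREFIX THRESHOLD: print "SRC count" for every source that
# hit at least THRESHOLD distinct destination ports, highest count first.
scan_sources() {
  printf '%s\n' "$1" | awk -v prefix="$2" -v min="$3" '
    index($0, prefix) == 0 { next }
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "" || ((src, dpt) in seen)) next
      seen[src, dpt] = 1
      ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort -k2,2nr
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  echo "Sources hitting >= $SCAN_THRESHOLD distinct ports in the sample log:"
  scan_sources "$SAMPLE_LOG" "$LOG_PREFIX" "$SCAN_THRESHOLD"
fi
```

On a real gateway, feed `scan_sources` the output of `journalctl -k` or the contents of /var/log/kern.log instead of the constructed sample. The repeated attempts from 192.0.2.5 count as one port, so a brute-force attempt on a single service and a port sweep are reported differently.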
November 10, 2017 | 1,323 reads | 0 comments | 0 likes
2017-10-03
Blocking Telnet and SSH from the Internet on H3C routers with ACLs

H3C MSR-series routers allow telnet and web management from the Internet out of the box. After scanning most of the enterprise leased-line IP ranges, I found that most small and medium businesses using an H3C router as their edge gateway had not configured an ACL on it to block the remote-management ports. Since most carriers already block ports 80, 8080 and 445 upstream for IP ranges outside IDC data centres, all that remains is an ACL on the router that denies Telnet and SSH from the Internet, or allows them only from specified IPs. Most MSR models cannot configure ACLs from the web UI; it has to be done from the command line. Either of the two methods below blocks management from the Internet.

Method 1: assuming the administrators' VLAN is 172.31.255.0/24, the ACL is:

```
system-view
[H3C]acl num 2100
[H3C-acl-basic-2100]rule 10 permit source 172.31.255.0 0.0.0.255
[H3C-acl-basic-2100]rule 100 deny
[H3C-acl-basic-2100]quit
[H3C]user-interface vty 0 4
[H3C-ui-vty-0-4]acl 2100 inbound
[H3C-ui-vty-0-4]quit
```

This blocks telnet and ssh from the Internet, but a scan from outside still shows ports 22 and 23 as open, and the system logs a large number of failed logins from IPs all over the world.

Method 2: use an advanced ACL to block the requests from the Internet; assume the site's fixed public IP is 1.1.1.1:

```
system-view
[H3C]acl num 3100
[H3C-acl-adv-3100]rule 10 permit tcp source 172.31.255.0 0.0.0.255 destination-port eq 23
[H3C-acl-adv-3100]rule 11 permit tcp source 172.31.255.0 0.0.0.255 destination-port eq 22
[H3C-acl-adv-3100]rule 100 deny tcp destination 1.1.1.1 0 destination-port eq 23
[H3C-acl-adv-3100]rule 110 deny tcp destination 1.1.1.1 0 destination-port eq 22
[H3C-acl-adv-3100]quit
[H3C]interface g0/0          # assuming the WAN port is GE0/0
[H3C-GigabitEthernet0/0] acl 3100 inbound
[H3C-GigabitEthernet0/0]quit
[H3C]firewall enable
[H3C]save
```

Method 2, using the advanced ACL, blocks telnet and ssh requests from the Internet completely, so attackers cannot even see the ports in a scan.
October 3, 2017 | 4,791 reads | 0 comments | 0 likes