Wednesday, September 16, 2009

ssh host based authentication

Goal: rlogin-style, password-free login to specific hosts

1: ssh server: enable the HostbasedAuthentication feature on the ssh server (sshd_config).
2: ssh client: enable the HostbasedAuthentication and EnableSSHKeysign features on the ssh client (ssh_config).
3: add the rsa host key to /etc/ssh/ssh_known_hosts:
issue: ssh-keyscan -vt rsa remote_machine >> /etc/ssh/ssh_known_hosts
4: add the hosts that are permitted to use the HostbasedAuthentication method to log on to /etc/ssh/shosts.equiv (the +@name form denotes a netgroup; a single host is listed by its name):
issue: echo +@linuxbox >> /etc/ssh/shosts.equiv
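An added check, not part of the original post, that cross-references a shosts.equiv file against an ssh_known_hosts file: every host trusted for host-based login should have a pinned host key, and the SHA256 fingerprint it computes is the value to compare with ssh-keygen -lf output on that host itself, because ssh-keyscan records whatever key it is offered. Both file contents are constructed samples.

```python
import base64
import hashlib
SHOSTS_EQUIV = "linuxbox\n+@labnet\n-badbox\nbuildbox\n"   # constructed sample, not a real host
SSH_KNOWN_HOSTS = (
    "linuxbox,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7\n"   # constructed key blob
    "|1|c2FsdA==|aGFzaA== ssh-rsa AAAA\n"   # hashed entry, cannot be matched by name
)

def fingerprint(b64key):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, as printed by ssh-keygen -lf."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(b64key)).digest()).decode().rstrip("=")

def parse_shosts_equiv(text):
    """Split shosts.equiv into allowed hosts, denied hosts (-host) and netgroups (+@name)."""
    allowed, denied, netgroups = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split()[0]              # an optional second field names a user
        deny = entry.startswith("-")
        entry = entry.lstrip("+-")
        if entry.startswith("@"):
            netgroups.add(entry[1:])         # resolved through NIS, not checkable offline
        elif deny:
            denied.add(entry)
        else:
            allowed.add(entry)
    return allowed, denied, netgroups

def parse_known_hosts(text):
    """Map each plain host name or address to {keytype: fingerprint}; count hashed (|1|) entries."""
    keys, hashed = {}, 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].startswith("|1|"):
            hashed += 1
            continue
        for name in parts[0].split(","):
            keys.setdefault(name, {})[parts[1]] = fingerprint(parts[2])
    return keys, hashed

def audit(shosts_text, known_hosts_text):
    """Hosts trusted for host-based login that have no pinned key, plus netgroups to review by hand."""
    allowed, _denied, netgroups = parse_shosts_equiv(shosts_text)
    keys, hashed = parse_known_hosts(known_hosts_text)
    missing = sorted(host for host in allowed if host not in keys)
    return missing, sorted(netgroups), hashed
```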

Thursday, August 27, 2009

manage local GPO on remote machine

Open a remote machine's local GPO from the command line
gpedit.msc /gpcomputer: machine



Managing a remote machine's local GPO through an MMC snap-in

When the current user's rights are insufficient, use runas with an account whose name and password match a member of the remote machine's Administrators group, and start a cmd session from it.
Example: the remote machine to be managed is kido_client, the controlling machine is kido_controller.
kido is a member of the Administrators group on kido_client; the current user on kido_controller is kido_member.
Create an account named kido on kido_controller with the same password as kido on kido_client.
Then run: runas /user:kido cmd
Perform the remote management from the newly started cmd session.

Wednesday, August 5, 2009

default share permission change

For information-security reasons we do not want Everyone to appear in the default share permissions, so the system must be adjusted.
Registry location
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
"SrvsvcDefaultShareInfo"

Because this registry value is stored in an encoded form that is not easy to read, it has to be adjusted through Tweak UI.


Deployment afterwards
In an AD environment it can be installed through a GPO:
Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown)

regedit /s xxx.reg
In a workgroup environment it can be applied with psexec, wmi, reg add or powershell.


For Windows Vista and later
Once you apply a custom default share permission on such a system, other machines can no longer access either the root shares or the administrative shares until you apply the setup below.

reg add HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v Level2Compatibility /f /t REG_DWORD /d 1
Restart the Server service to apply the setting immediately:
net stop server /y
net start server /y

http://support.microsoft.com/kb/971277/en-us?sd=rss&spid=14019

The article below explains how to customize your default share permissions.
The permission settings of all your shares can be found under this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security\
Customize the permissions for a specific shared folder, then import that setting into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcDefaultShareInfo

http://www.sepago.de/d/helge/2010/07/23/how-to-modify-default-share-permissions-and-other-tweaks

Friday, July 31, 2009

group permission control via GPO

Managing client group membership with a GPO
1: Create a new GPO under the OU that contains the computer objects.
2: Under Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups, add an entry.

3-1: Add a policy (modify the group object's properties), e.g. replace the members of the local admin group -> add the group (named after the client-side group) -> add the desired members to that group.

3-2: Add a policy (modify the group object's properties), e.g. replace the members of the local Administrators group -> add the group (named after the domain group) -> add the domain members to that group.

Wednesday, July 29, 2009

forwarding through ssh tunnel

Topology:
A <-B-> C
B is the bridge; it can reach both A and C.
By default A and C cannot reach each other.
So we build a tunnel that lets data travel directly between A and C, instead of being staged on B and then copied on to C.

1: On endpoint A, create the tunnel: issue# ssh -T username@B -L local_port:C:port_number_of_c
Explanation: whatever is sent to local_port on the local machine is actually delivered to the specified port on C.
2: Transfer data with scp: issue# scp -P local_port file account_on_c@localhost:
Or with rsync's ssh option: issue# rsync -avz -e "ssh -p local_port" file account_on_c@localhost:

Note: the part that originally pointed at the remote server must be changed to localhost, because the tunnel you just built carries the data for you.

Wednesday, June 10, 2009

x11forwarding

Send the X display over an existing SSH channel

ssh -X -v username@server

Monday, June 8, 2009

Monitoring file-share access status

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Raise an event for every new SMB session (Win32_ServerConnection), polling every 10 seconds
Set colShare = objWMIService.ExecNotificationQuery("Select * From __InstanceCreationEvent Within 10 Where TargetInstance ISA 'Win32_ServerConnection'")

Do While True
    Set objShare = colShare.NextEvent
    ' Skip administrative shares (names ending in $)
    If Right(objShare.TargetInstance.ShareName, 1) <> "$" Then
        Wscript.Echo objShare.TargetInstance.ShareName
        Wscript.Echo objShare.TargetInstance.ComputerName
        Wscript.Echo objShare.TargetInstance.UserName
        Wscript.Echo objShare.TargetInstance.NumberOfFiles
        Wscript.Echo objShare.TargetInstance.ActiveTime
    End If
    ' ShareName, ComputerName and UserName together form the primary key;
    ' dump the record when no matching entry is found
Loop

Rebuilding users' local groups

This script can be run from AD to modify local group membership as required.

Set WshShell = WScript.CreateObject("WScript.Shell")
HostName = WshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set oADsSysInfo = CreateObject("ADSystemInfo")

'get domain dns name
'Set GroupSetup = objWMIService.ExecQuery("select Domain from Win32_ComputerSystem where PartOfDomain = True")
'For Each objGroupSetup in GroupSetup
'    LocalDomain = objGroupSetup.Domain
'Next

'convert domain from dns name (NetBIOS name looked up in the Winlogon DomainCache key)
'If Trim(LocalDomain) <> "" Then
'    RegKey = """HKLM\Software\Microsoft\Windows nt\CurrentVersion\Winlogon\DomainCache""|find/I """ & LocalDomain & """"
'    Result = WshShell.Exec("%ComSpec% /c reg query " & RegKey).StdOut.ReadAll
'    For Each tmp in Split(Result, vbCrLf)
'        If Trim(tmp) <> "" Then
'            Data = Split(Tmp, vbTab)
'            If UCase(Data(2)) = UCase(LocalDomain) Then
'                Domain = UCase(Trim(Data(0)))
'            End If
'        End If
'    Next
'End If
' ADSystemInfo returns the NetBIOS domain name directly, replacing the registry lookup above
Domain = oADsSysInfo.DomainShortName

' Resolve the (possibly renamed or localized) local Administrators group (S-1-5-32-544)
' and the Domain Admins group (RID 512) by SID rather than by name
Set colGroup = objWMIService.ExecQuery("select * from Win32_Group where ((SID = 'S-1-5-32-544') and (Domain = '" & HostName & "')) or ((SID like 'S-1-5-%-512') and (Domain = '" & Domain & "'))")
For Each objGroup in colGroup
    If UCase(objGroup.Domain) = UCase(HostName) Then
        LocalAdminGroup = objGroup.Name
    Else
        DomainAdminGroup = objGroup.Name
    End If
Next

' The built-in local Administrator account keeps RID 500 whatever it has been renamed to
Set colAccount = objWMIService.ExecQuery("select * from Win32_UserAccount where SID like 'S-1-5-%-500' and Domain = '" & HostName & "'")
For Each objAccount In colAccount
    LocalAdminUser = objAccount.Name
Next

'remove account from local administrators (uncomment to enforce)
'Set objGroup = GetObject("WinNT://" & HostName & "/" & LocalAdminGroup)
'Set memberlist = objGroup.Members
'For Each member In memberlist
'    Tmp = Split(member.Parent, "/")
'    If UCase(Tmp(UBound(Tmp))) = UCase(HostName) Then 'local account
'        If UCase(member.Name) <> UCase(LocalAdminUser) Then
'            objGroup.Remove(member.AdsPath)
'        End If
'    Else 'Domain Account
'        If UCase(member.AdsPath) <> UCase("WinNT://" & Domain & "/" & DomainAdminGroup) Then ' Keep domain admins in the local administrators group
'            objGroup.Remove(member.AdsPath)
'        End If
'    End If
'Next

'change local admin password (uncomment to enforce)
'Set objUser = GetObject("WinNT://" & HostName & "/" & LocalAdminUser)
'objUser.SetPassword("Password")

Windows default share permission setup

Registry location
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity
The content is stored in an encoded form, so it cannot be edited directly.
Use Tweak UI to change the default values, then export the key and re-import it into the target systems.
Note: because this is an HKLM-level key, an ordinary user cannot apply it; use a GPO startup script instead, or patch it with AutoHotkey.

Exchange mailbox usage monitoring notification

' Run on working days only (vbSunday = 1, vbSaturday = 7)
If Weekday(Date) < 2 OR Weekday(Date) > 6 Then
    Wscript.Quit
End If

ExChangeServer = "kido.idv.tw"
ExtremeSize = 50*1024    ' threshold in KB

Set objService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & ExChangeServer & "\root\MicrosoftExchangeV2")

Set colSettings = objService.ExecQuery("Select * from Exchange_Mailbox")
On Error Resume Next
For Each obj in colSettings
    If Instr(UCase(obj.MailboxDisplayName), "(NTCTX)") > 0 And CLng(obj.Size) > CLng(ExtremeSize) Then
        ' One table row per oversized mailbox (the HTML tags were lost in extraction and are reconstructed here)
        Result = Result & "<tr>" & vbCrLf &_
            "<td>" & obj.MailboxDisplayName & "</td>" & vbCrLf &_
            "<td>" & obj.Size & "</td>" & vbCrLf &_
            "<td>" & obj.TotalItems & "</td>" & vbCrLf &_
            "</tr>"
    End If
Next
If Result <> "" Then
    Mail "Mailbox healthy check!", RebuildMsg(Result)
End If

Function RebuildMsg(msg)
    ' Wrap the rows in an HTML document with a header row
    msg = "<html>" &_
        "<head>" & vbCrLf &_
        "</head>" & vbCrLf &_
        "<body>" & vbCrLf &_
        "<table border=""1"">" & vbCrLf &_
        "<tr><th>Emp Name</th><th>Mail Size (KB)</th><th>Mail Count</th></tr>" &_
        msg
    msg = msg & "</table></body></html>"
    RebuildMsg = msg
End Function

Sub Mail(Subject, Content)
    MailFrom = "kido@kido.idv.tw"
    MailTo = "kido@kido.idv.tw"
    MailCC = ""
    If Len(Content) = 0 Then
        Exit Sub
    End If
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = MailFrom
    objEmail.To = MailTo
    objEmail.Cc = MailCC
    objEmail.Subject = Subject
    objEmail.HTMLBody = Content
    ' sendusing = 2: deliver through the SMTP server named below
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = ExChangeServer
    objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
End Sub

Besides this method, PowerShell can do the same job; the function is identical, both use WMI to retrieve the Exchange values.

iptables setup

1: First flush all iptables rules, zero the counters and delete user-defined chains
iptables -F
iptables -Z
iptables -X
2: Check the existing policy chains
iptables -L
3: Define the rules and initialize the policy chains
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
4: Initialize local connections and enable the connection-tracking rule so remote adjustment stays possible
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
5: Allow inbound traffic from a network block
iptables -A INPUT -s NETWORKID/NETMASK -j ACCEPT
6: Write the settings back to the system
/etc/init.d/iptables save active

The saved iptables configuration lives at -> /etc/sysconfig/iptables

Sample:
# Generated by iptables-save v1.2.11 on Tue Sep 16 20:00:17 2008
*filter
:INPUT ACCEPT [3181787:4475034848]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1601837:84186272]
-A INPUT -s ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -d 192.168.0.51 -p tcp -m iprange --src-range 192.168.0.1-192.168.0.10 -m tcp --dport 5500 -j DROP
COMMIT
# Completed on Tue Sep 16 20:00:17 2008
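An added example, not from the original post: a small parser for the iptables-save format above that reports each chain's default policy and flags chains which accept by default and only carry DROP rules (a deny-list like the sample, as opposed to the -P INPUT DROP baseline in step 3). It accepts both the old "-s ! addr" negation used in the sample and the newer "! -s addr" form; every option is assumed to take exactly one value.

```python
SAMPLE = """\
*filter
:INPUT ACCEPT [3181787:4475034848]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1601837:84186272]
-A INPUT -s ! 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -d 192.168.0.51 -p tcp -m iprange --src-range 192.168.0.1-192.168.0.10 -m tcp --dport 5500 -j DROP
COMMIT
"""

def parse_rule(line):  # one "-A CHAIN ..." line; every option is assumed to take one value
    tokens, rule = line.split(), {"chain": None, "target": None, "match": {}, "negated": set()}
    i, negate = 0, False
    while i < len(tokens):
        if tokens[i] == "!":                     # new syntax: "! -s addr"
            negate, i = True, i + 1
            continue
        key = tokens[i].lstrip("-")
        if tokens[i + 1] == "!":                 # old syntax: "-s ! addr"
            negate, i = True, i + 1
        value, i = tokens[i + 1], i + 2
        if key == "A":
            rule["chain"] = value
        elif key == "j":
            rule["target"] = value
        elif key == "m":                         # match extensions can repeat (-m iprange -m tcp)
            rule["match"].setdefault("m", []).append(value)
        else:
            rule["match"][key] = value
        if negate:
            rule["negated"].add(key)
            negate = False
    return rule

def parse_iptables_save(text):  # {table: {"policy": {chain: policy}, "rules": [rule, ...]}}
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                                 # *filter
            table = tables.setdefault(line[1:].strip(), {"policy": {}, "rules": []})
        elif line.startswith(":") and table is not None:         # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A") and table is not None:
            table["rules"].append(parse_rule(line))
    return tables

def default_accept_chains(tables):  # ACCEPT-policy chains whose own rules only DROP/REJECT: a deny-list
    return [(name, chain) for name, table in tables.items() for chain, policy in table["policy"].items()
            if policy == "ACCEPT" and any(r["chain"] == chain for r in table["rules"])
            and {r["target"] for r in table["rules"] if r["chain"] == chain} <= {"DROP", "REJECT"}]
```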

Sunday, June 7, 2009

Sending an interactive job to a client

Normally, to run a script on a client it is enough to use Win32_Process from WMI.
If the script has to run interactively, it must be handled through Win32_ScheduledJob instead.
Alternatively, the ready-made Sysinternals tools can deploy it directly, which is even faster.

On Error Resume Next
RemoteHost = "kido"
SendSourceToRemote RemoteHost
InstallScheduleJob RemoteHost

' Copy writeEventLog.vbs from this script's own folder to the remote admin share C$
Sub SendSourceToRemote(RemoteHost)
    Set WshShell = CreateObject("WScript.Shell")
    ScriptPath = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
    SRCFile = ScriptPath & "writeEventLog.vbs"
    DestPath = "c$\"
    WshShell.Exec("cmd.exe /c xcopy " & SRCFile & " \\" & RemoteHost & "\" & DestPath & " /Y").StdOut.ReadAll
End Sub

' Schedule the copied script to run Delay minutes from the remote host's local time, with desktop interaction
Sub InstallScheduleJob(RemoteHost)
    Const Delay = 2
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate, authenticationLevel=pktPrivacy}!\\" & RemoteHost & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each obj in colItems
        LocalDateTime = obj.LocalDateTime          ' yyyymmddHHMMSS.mmmmmm+UUU
        CurrentTimeZone = obj.CurrentTimeZone      ' offset from UTC in minutes, e.g. 480
    Next
    CurrentTime = Mid(LocalDateTime, 9, 2) & ":" & Mid(LocalDateTime, 11, 2)
    ' Win32_ScheduledJob.StartTime needs the UTC offset with an explicit sign and three digits (+480, -420)
    If CurrentTimeZone < 0 Then Sign = "-" Else Sign = "+"
    TimeZone = Sign & Right("000" & Abs(CurrentTimeZone), 3)
    ScheduleTime = "********" & Replace(FormatDateTime(DateAdd("n", Delay, CurrentTime), 4), ":", "") & "00.000000" & TimeZone

    Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
    ' Create(Command, StartTime, RunRepeatedly, DaysOfWeek, DaysOfMonth, InteractWithDesktop, JobId)
    errcode = objNewJob.Create("c:\writeEventLog.vbs", ScheduleTime, False, 0, , True, JobID)
    WScript.Echo "Win32_ScheduledJob.Create returned " & errcode & " (job id " & JobID & ")"
End Sub

Friday, June 5, 2009

Viewing the graphical desktop of terminal 0 over VNC

Following an article by 門神 on the information-security forum, I planned to use VNC so that users can capture the screen of their own Linux machines.
Since my platforms are all Linux and vino-preferences always gave problems (many people have asked about it and I did not bother to find the root cause),
I ended up using the method below, which likewise lets a user send the screen over VNC to the terminal of another Linux machine.
1: If vino-preferences was running, stop it first
issue# gconftool-2 -s -t bool /desktop/gnome/remote_access/enabled false
2: Make sure a VNC password is set
issue# vncpasswd
3: Open the desktop connection channel
issue# x0vncserver PasswordFile=~/.vnc/passwd display=:0
4: Connect to the terminal through a VNC viewer (consider VNC over SSH to strengthen security)

Thursday, June 4, 2009

VNC server setup

issue # vncserver :1
Set the VNC password -> issue # vncpasswd
Connect to the VNC server through a VNC viewer

Change the VNC login screen: issue # vi ~/.vnc/xstartup
Follow the instructions in that file to perform the change on VNC

Note: when X is not shut down cleanly, login errors occur; the cached data under /tmp/ must be deleted before it works again.

VNC over SSH

If only two machines are involved, after the server enables VNC the client does the following:
ssh -N -T -L 9999:VNC_SERVER:VNC_PORT username@ssh_tunnel_machine
Once connected, push this command to the background: Ctrl+Z --> bg
Then start vncviewer: vncviewer 127.0.0.1:9999
username@ssh_tunnel_machine is the channel that performs the forwarding.
Assume the network layout is as follows:
A (LAN_IP) (WAN_IP) <-----> B (WAN_IP) (LAN_IP) C(LAN_IP)
If A is behind NAT, B is reachable over the network and C is not,
then A runs this command to initialize the forwarding tunnel: ssh -N -T -L 9999:C_LAN_IP:VNC_PORT username@B_WAN_IP
After that the client simply connects with vncviewer 127.0.0.1:9999
Note: because A builds the forwarding tunnel, 127.0.0.1 is used; if some other machine in between builds the SSH tunnel, then vncviewer's target should be the IP of the machine that established the tunnel and the port you assigned to it.

VNC session sharing

Purpose: allow several people to connect to one VNC session at the same time.
Example: the server opens one VNC session :1, and more than one client connects to it jointly.
Starting vncserver on the server side is skipped here; only the client side is described.
Just use the Shared option:
vncviewer Shared=1 server_ip:port
By default everyone can control the session; to make it read-only, add Viewonly:
vncviewer Shared=1 Viewonly=1 server_ip:port
If your machine runs N VNC sessions, the sessions operate independently and each one can be shared on its own.

Note: the VNC service does not depend on X, so it can be started in runlevel 3.

Monday, June 1, 2009

Extracting an rpm

Today I tried installing xv from a tarball and ran into quite a few problems, so in the end I decided to install it from an rpm.
But an rpm install is bound to a single machine, and I have to deploy to about 40 hosts, which is too labour-intensive; in addition, /usr/local/bin has already been exported to NFS space.
So I decided to retrieve the executables from the rpm and place them under /usr/local/bin for unified deployment.

Verify that the rpm works
1: After downloading the rpm file: issue# rpm -ivh xv-3.10a-13.i386.rpm
2: Try running xv: issue# xv
3: Check the rpm package: issue# rpm -qa | grep xv
4: Remove the rpm package: issue# rpm -e xv-3.10a-13
5: Extract the files: rpm2cpio xv-3.10a-13.i386.rpm | cpio -idmv
6: Pick out the relevant files

Wednesday, May 27, 2009

Linux display problems?

Normally, after Linux is installed it should automatically apply the correct display driver.
But sometimes, for special reasons, the display configuration does not work properly.
If you insist on running the graphical interface, try changing the display driver to vesa.

Under Linux there are by default more than five terminals,
and terminal 7 is reserved for X by default.
When the display is unusable, switch to another text-mode tty to fine-tune the configuration.
Switch ttys with Ctrl+Alt+Fn (F1, F2, ...).
Assuming you switched to tty1, log in and edit /etc/X11/xorg.conf,
change the Driver line to vesa, then restart the X server.
Newer distros generally use gdm to manage X by default,
so restarting gdm is enough to apply the change, instead of rebooting repeatedly to check whether it took effect.
issue # gdm-restart

Network interface problems

When running ping produces a sound and the ping output turns into "ping ?",
it means the outgoing network data is malformed.
The most common cause is a modified Winsock,
so it can be repaired by resetting Winsock:
issue # netsh winsock reset

Note: resetting Winsock may break some services that depend on the network, but basically I have not seen any major problems ^^"

Disable/enable wireless according to the wired connection state

Although the netsh help on Windows XP/2003 documents a disable option, in practice the disable parameter fails however it is set.
To solve this, the device has to be controlled through Microsoft's devcon.
On Error Resume Next
Set objShell = CreateObject("WScript.Shell")
' List devices whose description contains "wireless"; each line holds the hardware ID (PCI\VEN_...&DEV_...) and the name
Col_WirelessObj = Split(objShell.Exec("%ComSpec% /c devcon.exe find * |findstr /I wireless|findstr /I DEV").StdOut.ReadAll, VbCrLf)
If UBound(Col_WirelessObj) = 0 Then
    Wscript.Echo "Wireless device is not found"
    Wscript.Quit
Else
    ReDim DEVID_Wireless(0)
    ReDim Prod_Wireless(0)

    For index = 0 To (UBound(Col_WirelessObj) - 1)
        If Instr(Col_WirelessObj(index), "PCI") Then
            Buf = Split(Col_WirelessObj(index), "&")
            If UBound(Buf) = 6 Then
                DEVID_Wireless(UBound(DEVID_Wireless)) = Buf(1)                      ' DEV_xxxx part of the hardware ID
                Prod_Wireless(UBound(Prod_Wireless)) = Trim(Split(Buf(6), ":")(1))   ' device name after the colon
                ReDim Preserve DEVID_Wireless(UBound(DEVID_Wireless) + 1)
                ReDim Preserve Prod_Wireless(UBound(Prod_Wireless) + 1)
            End If
        End If
    Next
End If

' The (Security) privilege is required to read the System event log
Set objWMIService = GetObject("winmgmts:{(Security)}\\.\root\cimv2")

Set colEvent = objWMIService.ExecNotificationQuery("Select * from __InstanceCreationEvent within 60 Where TargetInstance ISA 'Win32_NTLogEvent' AND (TargetInstance.Logfile='System' AND (TargetInstance.EventCode=4 OR TargetInstance.EventCode=9))")
'EventCode 4 for LinkDown; 9 For LinkUp
Do
    Set CurrentEvent = colEvent.NextEvent
    If CurrentEvent.TargetInstance.EventCode = 4 Then
        ' Wired link went down: enable every wireless adapter found above
        For Index = 0 To (UBound(DevID_Wireless) - 1)
            Wscript.Echo "Enable " & Prod_Wireless(index)
            objShell.Exec("%ComSpec% /c devcon.exe enable *" & DEVID_Wireless(Index) & "*")
        Next
    Else
        ' Wired link is up: disable the wireless adapters
        For Index = 0 To (UBound(DevID_Wireless) - 1)
            Wscript.Echo "Disable " & Prod_Wireless(index)
            objShell.Exec("%ComSpec% /c devcon.exe disable *" & DEVID_Wireless(Index) & "*")
        Next
    End If
Loop

Hard disk disposal procedure

Even when a hard disk is damaged, the data can still be recovered with certain recovery software.
On Linux this can be handled with the shred command.
The usual default of 26 shred passes makes data recovery very unlikely; as I recall, the FBI seems able to recover sector data that was overwritten fewer than 10 times.
issue # shred -vfz -n 0 device_or_file

SATA hotplug

Confirm that the machine supports SATA hot-plugging
1: Verify that the SATA controller supports AHCI --> issue# lspci
2: Verify that the SATA controller chip is set to AHCI mode in the BIOS

Start using SATA hot-plugging
3: With the machine online, first connect one end of the SATA cable to the motherboard, then connect the other end to the disk
4: Power up the disk; the machine detects the new device

Avoiding power supply overload
5: Buy an eSATA bracket and connect the bracket's SATA connector to a SATA controller that supports AHCI
6: Buy an eSATA docking station and, before powering it on, connect its eSATA port to the eSATA bracket
7: Insert the disk, then switch on the docking station's power

Mount the disk on the system
8: Check where it was attached: issue # cat /proc/partitions

Removing the eSATA device
9: umount the partition; if the device is busy, fuser -k /mount_point
10: Flush the disk cache and detach the controller address: issue # echo "scsi remove-single-device host channel id lun" > /proc/scsi/scsi

tip: host and channel can be found in dmesg

Installing the nvidia driver on Linux

1: Go to the nvidia website and download the matching driver
2: Switch to runlevel 3 --> issue# init 3
3: Run the driver installer
4: Switch to runlevel 5 --> issue# init 5
5: Confirm that the display works properly

Troubleshooting
6: Check /var/log/Xorg.0.log and /var/log/messages
7: Check whether an IRQ conflict occurs (I hit an IRQ conflict on a Dell Precision T3400 with dual PCI-E x16)
8: Based on the analysis, adjust the conflicting IRQ or disable the conflicting device (I disabled the sound card in the BIOS because the log said the audio conflicted)