vpn时如何自动区分国内国外-chnroutes-autoddvpn

针对这个需求,有专门的开源项目 chnroutes

最起源的代码仓库:https://code.google.com/p/chnroutes/

1. 与这个最接近的github上的代码:

https://github.com/fivesheep/chnroutes

2. 还有一个差异比较大的,从时间上看是比较旧的,但需要比较代码才能知道哪个更合适

https://github.com/jimmyxu/chnroutes

3. 还有一个改进版,提供 go python 以及window界面版本,从其文档连接看是以 fivesheep 的版本为基线版本。

https://github.com/sabersalv/freedom-routes 

本文验证了pptp windows 环境下的功能,工作OK。

其中python 使用 2.7.10 版,请安装完整版,因为可能需要其他关联库。

脚本执行要使用管理员权限。

1,2,3生成的路由数据略有差异,经简单测试,以 baidu.com 和weibo.com 为test case, 似乎3的效果好些,但因每人宽带出口不同,不作为唯一结论,使用者请自行测试。

如果要让路由器实现上述功能,提供用户透明的vpn体验,也有相应的项目  https://code.google.com/p/autoddvpn/

pptp的安全风险

原文已经无法访问了,特意搬运过来,英文吃力的同学,可以用google翻译,当然你要会科  学  上  网

总结起来最终的要的亮点

  • 明文传输
  • 采用简单的用户名和密码验证,方法过于简单

原文:

http://pptpclient.sourceforge.net/protocol-security.phtml

PPTP Client

Protocol Security

References

by James Cameron

Summary

by Peter Mueller

PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn’t mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead.

(Posted on 2005-08-10 to the mailing list)


Why not use PPTP?

by James Cameron

The point to point tunneling protocol (PPTP) is not secure enough for some information security policies.

It’s the nature of the MSCHAP V2 authentication, how it can be broken trivially by capture of the datastream, and how MPPE depends on the MSCHAP tokens for cryptographic keys. MPPE is also only 128-bit, reasonably straightforward to attack, and the keys used at each end are the same, which lowers the effort required to succeed. The obvious lack of two-factor authentication, instead relying on a single username and password, is also a risk. The increasing use of domestic wireless systems makes information capture more likely.

However, that doesn’t mean people don’t accept the risks. There are many corporations and individuals using PPTP with full knowledge of these risks. Some use mitigating controls, and some don’t.

Many people seem to judge the security of a protocol by the availability of the implementation, the ease of installation, or the level of documentation on our web site. Improving the documentation is the purpose of this web site, and we aren’t doing that in order to say anything about the risks of the software! Any judgement of security should be rigorously applied to the design and implementation alone.

PPTP on Linux, and Microsoft’s PPTP, both implement fixes for vulnerabilities that were detected years ago in Microsoft’s PPTP. But there remain the design vulnerabilities that cannot be fixed without changing the design. The changes needed would break interoperability. We can’t change the Linux PPTP design, because it would stop working with Microsoft PPTP. They can’t change their design, because it would stop working with all the other components out there, such as Nortel and Cisco, embedded routers, ADSL modems and their own Windows installed base.

The only option then is to deprecate the product and promote the replacement. Microsoft promote something else. Our choice for Open Source systems is OpenVPN or IPsec.

Level of acceptance isn’t a good indicator of risk either. Some have said that the shipping of MSCHAP V2, MPPE and PPTP in Linux distributions is an indication of design security, but that’s not the reason. It’s for interoperability. As an example, see how Linux distributions still ship telnet, ftp, and rsh, even though these components are insecure because they reveal the password in cleartext in the network packets. The same can be said of many other components and packages.

Our recommendations are;

  1. do not implement PPTP between open source systems, because there’s no justification, better security can be had from OpenVPN or IPsec,
  2. do not implement PPTP servers unless the justification is that the clients must not have to install anything to get going (Microsoft PPTP is included already), and be aware of the risks of information interception,
  3. do not implement PPTP clients unless the justification is that the server only provides PPTP, and there’s nothing better that can be used, and again be aware of the risks of information interception.

(Posted on 2005-08-10 to the mailing list)

密码管理app体验

  1. CODE: 密码工具。进去后,每条密码是明文,特点是每条记录按用户名和密码分开存储显示     评价 :一般
  2. keeper:密码工具。记录是明文存储,支持  faastfill ,支持 keeper DNA    评价:中
  3. 隐私卫士:app隐私锁 评价:高
  4. 私密锁:app锁,评价:一般
  5. 应用程序锁:评价:一般
  6. 隐私应用锁:app锁。评价低
  7. 密码本:密码工具,每个字段分开存储。 评价 :中
  8. NS Wallet :分文件夹-item 对字段做了详细的分类。 :一般
  9. safeincloud :有详细的模板 ,支持云同步 评价:高
  10. SSE  功能强大,支持密码管理 ,文件本加密 ,文件加密  评价 :高
  11. password keepox: 简单的字段记录,支持同步到dropbox ,评价:低
  12. 秘密管理器:简单的字段记录:评价:极低
  13. sis密码管理:同上

nginx设置后端保持长连接

nginx 做反向代理分发时,为了提高效率,最好使用长连接,以下是nginx 支持的几种后端长连接配置方案:

Nginx从 1.1.4 开始,实现了对后端机器的长连接支持,这是一个激动人心的改进,这意味着 Nginx 与后端机器的通信效率更高,后端机器的负担更低。

例如,对一个没有长连接支持的后端机器,会出现大量TIME_WAIT 状态的连接,使用以下命令验证之:

netstat -n | grep TIME_WAIT

经过查阅官方文档,其目前已经实现了http, fastcgi, memcache 协议的长连接支持。而之前的版本中仅支持memcache 协议。

1. 启用到 memcache 服务器的长连接
在upstream 配置段中增加 keepalive N 指令即可:
upstream memcached_backend {

    server 127.0.0.1:11211;

    server 10.0.0.2:11211;

     keepalive 32;

}

server {

    …

    location /memcached/ {

        set $memcached_key $uri;

        memcached_pass memcached_backend;

    }

}

2.  启用fastcgi 长连接支持
除了需要在upstream 中配置 keepalive N 外,还需要在 location 中增加 fastcgi_keep_conn on;

upstream fastcgi_backend {

    server 127.0.0.1:9000;

     keepalive 8;

}

server {

    …

    location /fastcgi/ {

        fastcgi_pass fastcgi_backend;

         fastcgi_keep_conn on;

        …

    }

}

3.  启用对后端机器HTTP 长连接支持

upstream http_backend {

    server 127.0.0.1:8080;

    keepalive 16;

}

server {

    …

    location /http/ {

        proxy_pass http://http_backend;

        proxy_http_version 1.1;

        proxy_set_header Connection “”;

        …

    }

}

注意:需要设置nginx 代理请求的 http 协议版本号为 1.1,  以及清除掉 Connection 请求header,  官方文档描述:

For HTTP, the proxy_http_version directive should be set to “ 1.1 ”  and the “ Connection ”  header field should be cleared .

The connections parameter should be set low enough to allow upstream servers to process additional new incoming connections as well.

即是说:keepalive N 指令中 , N 的值应该尽可能设置小一些,以便后端机器可以同时接受新的连接。

Too many connections

在php的日志里我们看到了如下的告警日志:
mysql_connect(): Too many connections

查看默认参数:
mysql> show variables;

实时修改:
mysql> set global wait_timeout=10;
Query OK, 0 rows affected (0.01 sec)

mysql> set GLOBAL max_connections=1024;
Query OK, 0 rows affected (0.00 sec)

注意 interactive_timeout  和 wait_timeout,根据不同场景,修改不同的参数。

还可以修改 my.cnf , 然后 重启 mysqld 服务。

还需要关注查询慢的本质原因:

1)DB是innodb 还是myisam

2)  高频查询的表的index创建是否合理

3)业务的mysql 语句写的是否合理

如果以上还搞不定,就需要考虑 分库分表 , 加proxy 做集群来分流了。

如何使用ssh登录openshift

openshift是免费的云平台,适合搞个公司网站或者个人blog。最近想把博客从openshift上迁移出去,wordpress本身有插件可以导出文章内容。但是对应的附件和图片利用导入工具,会有导入不完整的问题,简单的办法就是用ssh访问,将整个 uploads文件下载下来。要支持ssh,openshift有一套安全机制。通过 rhc 上传key,实现无密码登录。

具体参考:

https://developers.openshift.com/en/getting-started-windows.html#client-tools

如果不使用git,可以跳过 git的步骤。

ruby是从 www.rubygems.org/gems/rhc  下载的,需要自己搞定 vpn的问题,否则提示ssl失败

rhc登陆openshift

安装rhc

可能出现的问题:

no such file dl/import

http://stackoverflow.com/questions/28896733/rhc-setup-gives-error-no-such-file-dl-import

中间会提示输入openshift的账号和密码,成功后,会在本地.ssh 目录生成公私钥。并提示上传服务器。

这里要关注 .ssh的路径,后面客户端登录时要用到

ssh登录

登录你的openshift账号,点击application ,进去就能看到详细的信息:

openshift信息

根据右侧的账号和地址 ,用ssh就可以登录了

登录时选择key:

ssh key

这样就直接登录进去了,可以进行相关资料的备份了

centos系统lnmp(nginx,mysql,php)环境搭建

新拿到vps,基本是裸机环境,如果要搞wordpress或者php后台,就需要php环境。

本来想手动安装,结果发现lnmp的一键脚本有更新。作者已经更新了1.2版本,基本都可以选择最新的版本了。http://lnmp.org/install.html

安装成功!

如果你担心以上脚本的安全性,也可以自己亲手安装官方的版本

  • 安装mysql
yum install -y mysql-server mysql mysql-deve

开机启动

chkconfig mysqld on

设置密码

mysqladmin -uroot password 'newpassword'
  • 安装nginx

设置 yum源

vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=

安装

yum install nginx

如果需要添加www 用户和组

groupadd -f www
useradd -g www www
  • 安装apache

安装apache 主要是因为wordpress的静态url路由需要相应的组件。

yum install httpd
chkconfig httpd on

 

 

 

 

关于IOS后台socket长连接的问题

1. 进程退到后体后,只有3-10的时间,如果没有进一步处理,处于功耗考虑,socket就会被系统关闭。 2. ios8后,允许后台,ios8之前的版本,只能通过设置后台模式 Required background modes来实现,但如果本身没有voip功能,苹果审查会遭拒。 ①打开info.plist,添加下面的键值对: Required background modes = App provides Voice over IP services ②配置XMPPStream的enableBackgroundingOnSocket属性为YES: _xmppStream.enableBackgroundingOnSocket = YES; 3. 参考 http://my.oschina.net/bankofchina/blog/281233 voip的方法,理论上定位消息也可以实现 4. 网上大段都是voip的例子,但按照苹果的审查规范,用voip实现后台keepalive 而没有实现voip是会被拒的。 综上所述,ios8以后,直接支持后台。ios8以前的,理论上gps位置信息也是可以在后台触发,从而通过策略实现长连接的,目前没有看到验证的例子,可以在这个方向下尝试下,毕竟所有的app都是需要位置服务器的,不属于伪造服务

c++编译工具链

1. gcc

yum -y install gcc automake autoconf libtool make

安装g++:

yum install gcc gcc-c++

2. protobuf

protobuf-2.4.1.tar.gz

./configure –prefix=/usr/local/protobuf
 make
 make check
 make install
sudo vim /etc/profile
 添加
export PATH=$PATH:/usr/local/protobuf/bin/
export PKG_CONFIG_PATH=/usr/local/protobuf/lib/pkgconfig/
保存执行
source /etc/profile

3. google 库文件,将google的库文件路径添加到gcc 编译路径

1).加到gcc的环境变量 C_INCLUDE_PATH, CPLUS_INCLUDE_PATH, OBJC_INCLUDE_PATH

2).放到系统默认目录
/usr/include
/usr/local/include

我们选择直接拷贝protobuf 生成的目录 includegoogle  到 /usr/local/include 下

4. zlib

编译时提示:”/usr/bin/ld: cannot find -lz”

解决:去lib64目录下看是有libz  相关库的,根据好使的环境比对,猜测是缺少特定的连接

# ln -s libz.so.1 libz.so

编译ok…

 

centos7配置samba

  1. 开放端口
    确认自己本地的iptable 或者firewalld,打开对应的端口。
    如果是阿里云,还要开启对应ecs的安全组端口配置。
    建议:
    UDP 137-138
    TCP:139 445
  2. 确认SELinux的相关权限设置
    在没搞明白之前,先关闭,等调试通了后再开启,根据相关的问题来配置。不建议粗暴的关闭。
  3. 安装 samba
yum install samba
systemctl enable smb
systemctl start smb
  1. 创建用户

– 创建用户组
groupadd dev
– 创建用户
useradd -g dev aaa
– 设置用户的密码
passwd aaa
– 将用户添加到samba账号中
smbpasswd -a aaa
5. 配置samba
/etc/samba/smb.conf
参考配置:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        map to guest = Bad User
        log file = /var/log/samba/log.%m
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[public]
        comment = Public Stuff
        path = /data/share
        public = yes
[dev]
        comment = developer
        path = /dev
        valid users = @dev
  1. 参考
    https://www.cnblogs.com/muscleape/p/6385583.html
    https://wiki.centos.org/HowTos/SetUpSamba