Rootop server operations and web architecture

2014-09-20
Posted by Venus

Tracing the real server IP behind a CDN

A site uses the 360网站宝 (360 Wangzhanbao) CDN. Once a site sits behind a CDN, learning the server's real IP is no longer easy: either social engineering or compromising the site. 360 itself provides security filtering and attack protection, so the break-in route is hard. On top of that the server is an Aliyun machine, and Aliyun has its own protection, 云盾 (Yundun).

I tried the Firefox Firebug plugin to see how many resources a page loads, hoping to find a subdomain that connects straight to the server. I clicked through many pages without finding anything usable.

Next thought: a CDN resolves different source regions to different addresses, so would a foreign source IP resolve to the real IP? I found a US server and resolved the domain from there: 61.160.224.237, which is a 360 CDN node in Jiangsu, still not the origin server.

That method is ruled out.

The site has an ICP filing, so I checked MIIT for useful information: entered the domain, queried, no IP information shown. Still nothing. The domain's whois shows its nameservers are 360's DNS servers directly.

360网站宝 console (screenshot)

With nothing else to go on, I dug up some of the webmaster's personal information through the site and placed him in Xiangtan County, Hunan; even his elementary school turned up. The server is on Aliyun, which has several regions in China, and people habitually pick the region closest to them (I am in Qingdao, so I would pick Qingdao). A webmaster in the south would likely put the site in Hangzhou or Shenzhen.

Aliyun console (screenshot)

Back to the webmaster's site: it runs WordPress. Look for the admin panel, usually wp-admin, and it turns out registration is open. That gives an angle. I registered a fresh 163 mailbox and submitted a registration on the site with it.

163 received the mail; its header (screenshot):

The server's real IP is in the mail header. 183.60.2.225 is the address of Tencent's mail server; the `received: from xxxx` line below it carries the originating IP, that is, the server's IP, which checks out as located in Hangzhou.

That is the real server IP: opening the site by IP works. Confirmed! You can also add an IP-to-domain mapping in the local hosts file and open the domain to see whether the site loads; that settles whether it is the real IP.

When a message is sent, the submitting client's IP is recorded in the message header as a Received line, so the sender's IP, here the web server's, can be read straight from the header. Each relay prepends its own Received line, so the originating host is the lowest Received line, not the topmost one. This only works when the site sends mail from the origin server itself; a site that relays through an external SMTP service shows that relay's address instead.
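The header check described above, as an added example that is not part of the original post: it pulls the originating host out of a mail header the way the post reads it by eye, and defines the curl equivalent of the hosts-file confirmation. The hostnames, addresses and message IDs are constructed (RFC 5737 documentation ranges), not the real header from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Each relay that handles a message
# prepends its own Received: line, so the topmost line is the last relay and
# the bottommost is the host that submitted the message (the web server, when
# WordPress sends mail itself). Sample header below is constructed.
SAMPLE_HEADERS='Return-Path: <wordpress@blog.example.com>
Received: from mx-relay.example.net (mx-relay.example.net [203.0.113.10])
        by mail.example.org with ESMTP id 7h3rxv9;
        Sat, 20 Sep 2014 10:00:02 +0800
Received: from blog.example.com (unknown [198.51.100.23])
        by mx-relay.example.net with ESMTP id 2k9pmq4;
        Sat, 20 Sep 2014 10:00:00 +0800
From: WordPress <wordpress@blog.example.com>
Subject: [Blog] Your username and password info'

# Print the IPv4 address of every "Received: from" hop, top to bottom.
received_hops() {
  printf '%s\n' "$1" \
    | grep -E '^Received: from' \
    | grep -Eo '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' \
    | tr -d '[]'
}

# The last hop listed is the earliest one in time: the originating host.
origin_ip_from_headers() {
  received_hops "$1" | tail -n 1
}

# Confirm a candidate origin without editing the hosts file: connect to the
# candidate IP but send the site's own Host header (curl --resolve), then
# compare status and body with what the CDN serves. Needs network access, so
# it is only defined here, not run.
verify_origin() {
  domain=$1; ip=$2
  curl -sS -o /dev/null -w '%{http_code}\n' \
       --resolve "${domain}:443:${ip}" "https://${domain}/"
}

origin_ip_from_headers "$SAMPLE_HEADERS"   # 198.51.100.23
```

Usage: paste the raw header (as shown by "view source" in the mailbox) into a file and run `origin_ip_from_headers "$(cat header.txt)"`, then `verify_origin www.example.com 198.51.100.23` against the candidate; a 200 with the site's own content, where the same request to a random IP fails, is the confirmation.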

That ends the trace.

2014-09-19
Posted by Venus

SlowHTTPTest, an application-layer slow DoS stress-testing tool

Source: http://www.freebuf.com/tools/40413.html

Note: this tool is for security testing and teaching only; illegal use is prohibited.

SlowHTTPTest is a configurable application-layer denial-of-service testing tool. It runs on Linux, OS X and Cygwin, and on the Windows command line, and lets security testers check how well a server copes with slow attacks.
The tool simulates low-bandwidth DoS attacks: Slowloris, slow HTTP POST, slow read through a pool of concurrent connections (relying on TCP persistence), and so on. Slow attacks work at the HTTP layer: carefully constructed requests are left incomplete or consumed slowly, so the server keeps each connection open waiting; once enough of its connection capacity is tied up, legitimate requests are denied.

Name

slowhttptest – Denial Of Service attacks simulator

Synopsis

slowhttptest [-H|B|R|X] [-g] [-a range start] [-b range limit] [-c number of connections] [-d all traffic directed through HTTP proxy at host:port] [-e probe traffic directed through HTTP proxy at host:port] [-i interval in seconds] [-k request multiply factor] [-l test duration in seconds] [-n slow read interval in seconds] [-o output file path and/or name] [-p timeout for probe connection in seconds] [-r connection per second] [-s value of Content-Length header] [-t HTTP verb] [-u absolute URL] [-v output verbosity level] [-w advertised window size range start] [-x max length of follow up data] [-y advertised window size range end] [-z slow read from receive buffer in bytes]

Description

slowhttptest implements the most common low-bandwidth Application Layer DoS attacks and produces CSV and HTML files with test statistics.

Currently supported attacks are:

• Slowloris
• Slow HTTP POST
• Apache Range Header
• Slow Read
The options are as follows:

-g  Forces slowhttptest to generate CSV and HTML files when the test finishes, with a timestamp in the filename.

-H  Starts slowhttptest in Slowloris mode, sending unfinished HTTP requests.

-B  Starts slowhttptest in Slow POST mode, sending unfinished HTTP message bodies.

-R  Starts slowhttptest in Range Header mode, sending malicious Range request header data.

-X  Starts slowhttptest in Slow Read mode, reading HTTP responses slowly.

-a start
Sets the start value of range-specifier for Range Header attack.

-b bytes
Sets the limit value of range-specifier for Range Header attack.

-c number of connections
Specifies the target number of connections to establish during the test.

-d HTTP proxy host:port
Specifies HTTP proxy server to connect to for all connections.

-e HTTP proxy host:port
Specifies HTTP proxy server to connect to for probe connections.

-i seconds
Specifies the interval between follow-up data for Slowloris and Slow POST tests.

-k pipeline factor
Specifies number of times the resource would be requested per socket in Slow Read test.

-l seconds
Specifies test duration in seconds.

-n seconds
Specifies the interval between read operations for Slow Read test.

-o file name
Specifies custom file name, effective with -g.

-p seconds
Specifies the interval to wait for an HTTP response on the probe connection before marking the server as DoSed.

-r connections per second
Specifies the connection rate.

-s bytes
Specifies the value of Content-Length header for Slow POST test.

-t HTTP verb
Specifies the verb to use in HTTP request.

-u URL
Specifies the URL.

-v level
Specifies the verbosity level of logging.

-w bytes
Specifies the start of the range the TCP advertised window size would be picked from in Slow Read test.

-x bytes
Specifies the maximum length of follow-up data for Slowloris and Slow POST tests.

-y bytes
Specifies the end of the range the TCP advertised window size would be picked from in Slow Read test.

-z bytes
Specifies the number of bytes to read from receive buffer with each read() operation.

Examples

Start a Slowloris test of host.example.com with 1000 connections, statistics go into my_header_stats, interval between follow-up headers is 10 seconds and connection rate is 200 connections per second:

$ slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -t GET -u https://host.example.com/index.html -x 24 -p 3

Start a Slow POST test of host.example.com with 3000 connections, statistics go into my_body_stats, interval between follow-up data is 110 seconds, connection rate is 200 connections per second, Content-Length header value is 8192, maximum length of follow-up data is a random value limited to 10 bytes, and the probe connection waits 3 seconds for an HTTP response before marking the server as DoSed:

$ slowhttptest -c 3000 -B -g -o my_body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://host.example.com/loginform.html -x 10 -p 3

Start a Range Header test of host.example.com with 1000 connections, using the HEAD verb and generating the HTTP header Range: 0-, x-1, x-2, x-3, … x-y, where x is 10 and y is 3000; connection rate is 500 connections per second:

$ slowhttptest -R -u http://host.example.com/ -t HEAD -c 1000 -a 10 -b 3000 -r 500

Start a Slow Read test of host.example.com with 8000 connections, no statistics generated, connection rate is 200 connections per second, TCP advertised window size is a random value between 512 and 1024, slowhttptest reads 32 bytes from each connection every 5 seconds, 3 requests are pipelined per connection, and the probe connection waits 3 seconds for an HTTP response before marking the server as DoSed:

$ slowhttptest -c 8000 -X -r 200 -w 512 -y 1024 -n 5 -z 32 -k 3 -u https://host.example.com/resources/index.html -p 3

Start a Slow Read test of host.example.com through the HTTP proxy server at 10.10.0.1:8080 with 8000 connections, no statistics generated, the remaining test values at their defaults. slowhttptest would most likely end up testing the HTTP proxy server itself rather than the target server, but that depends on the proxy implementation:

$ slowhttptest -d 10.10.0.1:8080 -c 8000 -X -u https://host.example.com/resources/index.html

Start a Slow Read test of host.example.com and direct only the probe traffic through the HTTP proxy server at 10.10.0.1:8080, with 8000 connections, no statistics generated, the remaining test values at their defaults. Using a separate channel for the probe connections helps ensure that slowhttptest reports valid availability statistics for the server under test:

$ slowhttptest -e 10.10.0.1:8080 -c 8000 -X -u https://host.example.com/resources/index.html

This is the original author's documentation, and it reads far better than the Chinese translations going around, whose parameter explanations are unreadable.

Attacking rootop (Slow Read mode, statistics written to slow_read_stats):
[root@Rootop ~]# slowhttptest -c 1000 -X -g -o slow_read_stats -r 500 -w 512 -y 1024 -n 5 -z 32 -k 3 -u https://www.rootop.org -p 3

The rootop server is not a powerful box: a single core and 512 MB of RAM. Load shot up instantly, the ESTABLISHED and TIME_WAIT connection counts kept climbing, and the site stopped loading.
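The socket-table check that shows the symptom just described, as an added example that is not part of the original post or of the slowhttptest project: it summarises connections per state for the attacked port and flags peers holding an unusual number of ESTABLISHED sockets, which is the signature of a Slowloris or Slow Read client. The table is a constructed `ss -tan`-style snapshot with documentation addresses; on a real server pipe in `ss -tan` itself.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the slowhttptest project.
# SAMPLE_SS is a constructed `ss -tan` snapshot; replace with "$(ss -tan)".
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:443                *:*
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51001
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51002
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51003
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51004
ESTAB      0      0      10.0.0.5:443         203.0.113.9:40001
TIME-WAIT  0      0      10.0.0.5:443         203.0.113.9:40002
TIME-WAIT  0      0      10.0.0.5:443         203.0.113.9:40003
ESTAB      0      0      10.0.0.5:22          203.0.113.50:55555'

# Sockets per state for one local port, printed as "STATE count". The post's
# symptom, ESTABLISHED and TIME_WAIT climbing while pages stop loading, is
# what this shows when sampled every few seconds during a test.
state_counts() {
  port=$1
  printf '%s\n' "$2" | awk -v p="$port" '
    NR > 1 { lp = $4; sub(/.*:/, "", lp); if (lp == p) c[$1]++ }
    END { for (s in c) printf "%s %d\n", s, c[s] }' | sort
}

# Peers holding more than $2 ESTAB sockets to the port. Slow-HTTP clients keep
# many long-lived connections open from a handful of addresses, which is
# exactly what a per-IP connection limit on the server is meant to cap.
top_estab_peers() {
  port=$1; threshold=$2
  printf '%s\n' "$3" | awk -v p="$port" -v t="$threshold" '
    NR > 1 && $1 == "ESTAB" {
      lp = $4; sub(/.*:/, "", lp); if (lp != p) next
      peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
    }
    END { for (h in c) if (c[h] > t) printf "%s %d\n", h, c[h] }' | sort -k2 -nr
}

state_counts 443 "$SAMPLE_SS"
top_estab_peers 443 3 "$SAMPLE_SS"   # 198.51.100.7 4
```

On the defending side, the usual countermeasures these counts point at are shorter header and body timeouts (for nginx, client_header_timeout, client_body_timeout and send_timeout; for Apache, mod_reqtimeout) and a per-address connection cap such as nginx's limit_conn, so that one peer cannot hold a thousand sockets the way the command above does.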

SlowHTTPTest running screen (screenshot):

2014-09-18
Posted by Venus

Setting up a PPTP VPN on CentOS with a single NIC, and fixing slow speeds

Environment: CentOS 6
Install:

[root@Rootop ~]# yum install -y pptpd

Configure:
Edit the config file:

[root@Rootop ~]# vi /etc/pptpd.conf #append these two lines: the server's tunnel IP and the client IP range
localip 192.168.100.100
remoteip 192.168.100.101-110

Edit the config file:

[root@Rootop ~]# vi /etc/ppp/options.pptpd #add the DNS servers pushed to clients
ms-dns 202.102.134.68
ms-dns 202.102.128.68

Edit the config file:

[root@Rootop ~]# vi /etc/ppp/chap-secrets #add an account
venus pptpd 123123 *

The four fields are username, server name, password and assigned IP (* means assign automatically from the remoteip range).

Edit the config file:

[root@Rootop ~]# vi /etc/sysctl.conf #enable IP forwarding
net.ipv4.ip_forward = 1

Run sysctl -p to apply it.

Add the iptables rules:

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 42.96.158.236
iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356

The first rule SNATs the 192.168.100.0/24 range (the addresses the clients receive) to the public IP so VPN clients can reach the internet.
The second fixes slow browsing through pptpd: the PPP interface MTU is small, so full-size segments would be fragmented or dropped; clamping the TCP MSS on forwarded SYNs makes both ends send segments that fit.

Finally, set up a VPN dial-up connection in Windows.
Background on the slow-speed problem: http://wdj01.blog.51cto.com/1059856/521113
One caveat: PPTP's MS-CHAPv2 authentication and MPPE encryption are broken, so treat this as a convenience tunnel for reaching the server, not as a confidential channel.

Appendix:
This server (an Aliyun machine) has two NICs, one on the internal network and one facing the internet. 1723 is the pptpd control port.
My iptables rules:

#!/bin/bash
# Flush all rules, counters and user chains, then start from the default
# policies: drop inbound, allow outbound and forwarded traffic.
iptables -F
iptables -Z
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT   # eth0 is the internal NIC: everything arriving on it is trusted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT   # PPTP control channel
iptables -A INPUT -p gre -j ACCEPT   # PPTP data channel (GRE, IP protocol 47); required unless the nf_conntrack_pptp helper is loaded and marks it RELATED
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 42.96.158.236   # NAT VPN clients out through the public IP
iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356   # clamp MSS so segments fit the PPP MTU

service iptables save
service iptables restart
exit

2014-09-17
Posted by Venus

Enabling Nginx directory listings

I keep a folder of software for people to download and want the directory listed whenever that path is visited, so everything is visible at a glance. The nginx configuration:

Add a location inside the server{} block of the virtual host config:

location /rs/ {
    autoindex on;               # enable the directory listing
    autoindex_exact_size off;   # show sizes in K/M/G instead of exact bytes (default on)
    autoindex_localtime on;     # show local time instead of GMT (default off)
}

/rs is the folder being shared; its full path is https://www.rootop.org/rs , and visiting it lists everything in the directory. Two things to keep in mind: a prefix location written as /rs without the trailing slash also matches any URI that merely starts with /rs, such as /rs2, so /rs/ keeps the listing confined to the shared folder; and autoindex exposes every file in that directory, stray backups included, so keep only files meant for download in it.

Result (screenshot):

If the folder contains Chinese filenames they may show up garbled, so set the default charset.

Add charset utf-8; to the server{} block of the virtual host config to make UTF-8 the default encoding.

Then reload nginx.

2014-09-16
Posted by Venus

Unable to load dynamic library '/usr/lib64/php/modules/pdo_mysql.so' - /usr/lib64/php/modules/pdo_mysql.so: undefined symbol: php_pdo_int64_to_str in Unknown on line 0

The error in the log:

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/pdo_mysql.so' - /usr/lib64/php/modules/pdo_mysql.so: undefined symbol: php_pdo_int64_to_str in Unknown on line 0

In other words, pdo_mysql.so cannot be loaded properly.

Fix:

Whoever set this machine up earlier installed PHP's pdo_mysql module and added a load directive to /etc/php.ini (the usual reflex being that extensions must be enabled by hand):

[pdo_mysql]
extension=/usr/lib64/php/modules/pdo_mysql.so

But when a PHP module is installed from a package, its config file is written to /etc/php.d/ automatically.

So no entry in php.ini is needed, and load order matters: PHP processes php.ini first, then the files in /etc/php.d/ in name order. The symbol php_pdo_int64_to_str is exported by pdo.so, so pdo_mysql.so only loads after pdo.so is in memory; the php.ini entry pulled pdo_mysql in before /etc/php.d/pdo.ini had been read, hence the undefined symbol. Comment out the pdo_mysql extension line in /etc/php.ini and let the file in /etc/php.d/ load it.
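A diagnostic for this class of problem, as an added example that is not part of the original post: it lists every extension= directive in the order PHP will process it (php.ini first, then the scan directory's *.ini files in name order) and flags modules requested more than once. The php.ini and php.d it scans are a constructed sandbox in a temporary directory, built to mirror the post's situation, not the real /etc files.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Paths under $sandbox are
# constructed; point the two functions at /etc/php.ini and /etc/php.d on a
# real system.

# Print "file<TAB>module" for each extension= directive, in PHP's load order.
extension_load_order() {
  ini=$1; scandir=$2
  for f in "$ini" "$scandir"/*.ini; do
    [ -f "$f" ] || continue
    # keep only "extension = [path/]name[.so]" lines (not extension_dir or
    # zend_extension), strip quotes, directory and .so suffix
    sed -n 's/^[[:space:]]*extension[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$f" \
      | sed 's#.*/##; s/\.so$//' \
      | while IFS= read -r mod; do printf '%s\t%s\n' "$f" "$mod"; done
  done
}

# Modules requested more than once. Each is loaded twice, and a copy listed
# in php.ini loads before anything in the scan dir, which is how pdo_mysql
# ends up loading before the pdo.so it depends on.
duplicate_extensions() {
  extension_load_order "$1" "$2" | cut -f2 | sort | uniq -d
}

sandbox=$(mktemp -d); trap 'rm -rf "$sandbox"' EXIT
mkdir -p "$sandbox/php.d"
cat > "$sandbox/php.ini" <<'EOF'
; constructed php.ini fragment mirroring the post
extension_dir = "/usr/lib64/php/modules"
[pdo_mysql]
extension=/usr/lib64/php/modules/pdo_mysql.so
EOF
printf 'extension=pdo.so\n'       > "$sandbox/php.d/pdo.ini"
printf 'extension=pdo_mysql.so\n' > "$sandbox/php.d/pdo_mysql.ini"
printf 'extension=mysql.so\n'     > "$sandbox/php.d/mysql.ini"

extension_load_order "$sandbox/php.ini" "$sandbox/php.d"
duplicate_extensions "$sandbox/php.ini" "$sandbox/php.d"   # pdo_mysql
```

After removing the duplicate, `php --ini` shows which files were actually read and `php -m` should list both PDO and pdo_mysql with no startup warning.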