寻觅生命中的那一片浅草......

文章带标签 Linux

syslog记录history历史记录

2011年01月6日 写评论 作者 夜行人

工作中可能会有无聊的黑客在你服务器上转悠,黑客智商都不错,所有离开的时候就会删除history记录。怎么办才能记录下用户的历史记录呢?
原理:将history记录到syslog上面,并实时的传送到了远端的日志集中服务器上。

方法:使用bash4.1的新功能:历史命令保存到syslog!然后使用syslog-ng构建集中型日志服务器收集主机日志。

1、下载bash:
#wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
#tar zxvf bash-4.1.tar.gz –C /tmp/bash-4.1
#cd /tmp/bash-4.1

2、修改源码

(根据个人需要,我只保留了pid,uid,sid等,参数请看目录下的shell.c中):
文件bashhist.c大约708行的位置开始,修改成以下一段:

syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, “HISTORY: PID=%d PPID=%d SID=%d User=%s CMD=%s”, getpid(), getppid(), getsid(getpid()), current_user.user_name, line);
else
{
strncpy (trunc, line, SYSLOG_MAXLEN);
trunc[SYSLOG_MAXLEN – 1] = ‘\0’;
syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, “HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s CMD=%s”, getpid(), getppid(), getsid(getpid()), current_user.user_name, trunc);
}
注:
ppid:跟踪sh切换后的用户
Sid: 跟踪 su 切换后的用户
第二段代表log长度超过600后使用的语句
修改config-top.h文件

/*#define SYSLOG_HISTORY*/
修改为
#define SYSLOG_HISTORY
编译安装
# ./configure –prefix=/usr/local/bash_4.1 && make && make install
修改用户配置:
将用户的bash换成现在的bash4.1
# vi /etc/passwd
dongwm:x:501:501::/home/dongwm:/usr/local/bash_4.1/bin/bash
这样日志就会记在/var/log/messages
结果类似这样:

Dec 23 17:40:28 server -bash: HISTORY: PID=4089 PPID=4088 SID=4089 User=dongwm CMD=exit
Dec 23 17:41:47 server -bash: HISTORY: PID=4282 PPID=4278 SID=4282 User=root CMD=exit
Dec 23 17:41:53 server -bash: HISTORY: PID=4321 PPID=4317 SID=4321 User=root CMD=ssh java00
Dec 23 17:44:09 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=vi Clean_javalog.sh
Dec 23 17:45:16 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=sh Clean_javalog.sh
Dec 23 17:45:30 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=cat /dev/shm/cleanJavaLog.log
Dec 23 17:46:08 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=vi Clean_javalog.sh
Dec 23 17:48:54 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=cat Clean_javalog.sh

……
在整个环境布置了记录功能,就能方便的查出来谁-在何时,用什么账号,做了什么操作…

3、主机syslog配置(添加日志服务器的地址)
# vi /etc/syslog.conf

在最后添加一列:
*.* @server.dongwm.com

4、搭建日志服务器
请参看:http://wenku.baidu.com/view/c3bb49c58bd63186bcebbc7a.html

转载自:http://salogs.com/2010/12/syslog%E8%AE%B0%E5%BD%95history%E5%8E%86%E5%8F%B2%E8%AE%B0%E5%BD%95/

Security

Python处理keepass导出的xml文件

2010年12月20日 写评论 作者 夜行人

用keepass管理密码
现在有员工需要将用户名和密码导出来
格式如下
username password

我觉得最难的地方是根据Value取出来的list中,有空值,如果是空值,取其值或者类型时,都会提示
“AttributeError: ‘NoneType’ object has no attribute ‘nodeType’”
可以加if i.firstChild is None:continue进行判断,如果是空值则跳出本次循环
if i.firstChild is None:continue这个是非常pythonic的写法哦

程序

[python]
#!/bin/env python
import sys
from xml.dom import minidom
if len(sys.argv[0:]) != 2:
print “./keepass.py your xml file’s path”
sys.exit()

list=[]
xmldoc = minidom.parse(sys.argv[1])
reflist = xmldoc.getElementsByTagName(‘Value’)
for i in reflist[::-1]:
if i.firstChild is None:continue
list.append(i.firstChild.nodeValue)

for j in range(0,len(list),3):
print list[j]+” “+list[j+2]

[/python]

输出结果
lisi BiPqIcbHVfUDxaONKjNV
zhangsan h5LGhEYc3OASZf1VcGbD

keepass.xml

[xml]



KeePass

2010-10-18T06:08:30Z

2010-10-18T06:08:30Z

2010-10-18T06:08:30Z
365
2010-11-12T05:41:29Z
-1
-1

False
False
True
False
False

True
c8kwCXpGOE+MBy1jzCOT/g==
2010-10-18T06:08:30Z
AAAAAAAAAAAAAAAAAAAAAA==
2010-10-18T06:08:30Z
NHp/A6+c1kqAdPJrncQ5mQ==
Vgbin7aoeEuGRJXKiJk47g==




NHp/A6+c1kqAdPJrncQ5mQ==
keepass

48

2010-12-20T13:00:58Z
2010-12-20T13:00:52Z
2010-12-20T13:01:06Z
2010-12-18T10:04:30Z
False
3
2010-12-20T13:00:52Z

True

null
null
NMjEkhZudUiMAnPQOYQa+Q==

NMjEkhZudUiMAnPQOYQa+Q==
0





2010-12-20T13:01:18Z
2010-12-20T13:01:07Z
2010-12-20T13:01:18Z
2010-12-18T10:04:30Z
False
1
2010-12-20T13:01:07Z


Notes



Password
h5LGhEYc3OASZf1VcGbD


Title
张三


URL



UserName
zhangsan


True
0




b3KWP7kC+UmZnnSA4d0byg==
0





2010-12-20T13:01:31Z
2010-12-20T13:01:22Z
2010-12-20T13:01:31Z
2010-12-18T10:04:30Z
False
1
2010-12-20T13:01:22Z


Notes



Password
BiPqIcbHVfUDxaONKjNV


Title
李四


URL



UserName
lisi


True
0






9LVoDcHI9UquYgzy1tRXzg==
2010-11-12T05:49:57Z


gimxTDSBBkWdSIFORZUx0w==
2010-11-12T05:50:02Z


7/7Rd5KBT0CyY9O9A2RDpA==
2010-11-12T05:50:05Z


tPT9aQPrNkOM2mmj6kP3CA==
2010-11-16T02:58:07Z


gN/uXsDF206oc1g783tsLQ==
2010-11-16T02:58:11Z


jMYxMK3iakOWgPJGVz9lSg==
2010-11-22T08:55:46Z


j8UaFYCZbE2drG+gNysIwg==
2010-11-26T08:30:23Z


13QkVRyovk+9TNqxneYO5w==
2010-11-26T08:33:04Z


1+DFhfzAYUmL74gsRFzZNw==
2010-12-20T12:41:13Z




[/xml]

Python

调查服务器响应时间的利器 tcprstat

2010年12月17日 写评论 作者 夜行人

我们在做服务器程序的时候,经常要知道一个请求的响应时间,借以优化或者定位问题。 通常的做法是在代码里面加入日志计算时间,这个方法有问题,时间不准确。因为数据从网卡到应用程序,从应用到网卡的时间没有被计算在内。 而且这个时间随着系统的负载有很大的变化。
那同学说,我wireshark, tcpdump抓包人肉统计不行吗。 可以的,只不过我会很同情你,此举需要耐心且不具可持续性。 所以我们希望有个工具能够最少费力的做这个事情。

这时候来自percona的tcprstat来救助了! 这个工具原本开发用来调查mysqld的性能问题,所以不要奇怪它的默认端口是3306, 但是我们可以用这个工具来调查典型的request->response类型的服务器。

什么是tcprstat:

tcprstat is a free, open-source TCP analysis tool that watches network traffic and computes the delay between requests and responses. From this it derives response-time statistics and prints them out. The output is similar to other Unix -stat tools such as vmstat, iostat, and mpstat. The tool can optionally watch traffic to only a specified port, which makes it practical for timing requests and responses to a single daemon process such as mysqld, httpd, memcached, or any of a variety of other server processes.

文档很详细: 请参考: http://www.percona.com/docs/wiki/tcprstat:start

不愿意编译的同学直接从这里下载64位系统的编译好的二进制: http://github.com/downloads/Lowercases/tcprstat/tcprstat-static.v0.3.1.x86_64

源码编译也挺容易的: 由于它自带libpcap包, 这个包有可能在configure的时候没认识好netlink, 只要把config.h里面的netlink那个define注释掉就好。

编译好了, 典型使用很简单:

# tcprstat -p 3306 -t 1 -n 5
timestamp count max min avg med stddev 95_max 95_avg 95_std 99_max 99_avg 99_std
1283261499 1870 559009 39 883 153 13306 1267 201 150 6792 323 685
1283261500 1865 25704 29 578 142 2755 889 175 107 23630 333 1331
1283261501 1887 26908 33 583 148 2761 714 176 94 23391 339 1340
1283261502 2015 304965 35 624 151 7204 564 171 79 8615 237 507
1283261503 1650 289087 35 462 146 7133 834 184 120 3565 244 358

但是这个tcprstat在bonding的网卡下有点问题:

# /sbin/ifconfig
bond0 Link encap:Ethernet HWaddr A4:BA:DB:28:B5:AB
inet addr:10.232.31.19 Bcast:10.232.31.255 Mask:255.255.255.0
inet6 addr: fe80::a6ba:dbff:fe28:b5ab/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:19451951688 errors:0 dropped:4512 overruns:0 frame:0
TX packets:26522074966 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6634368171533 (6.0 TiB) TX bytes:32576206882863 (29.6 TiB)

# tcprstat -p 3306 -t 1 -n 5
pcap: SIOCGIFFLAGS: bonding_masters: No such device

解决方案是:

# sudo tcprstat -p 3306 -t 1 -n 0 -l `/sbin/ifconfig | grep ‘addr:[^ ]\+’ -o | cut -f 2 -d : | xargs echo | sed -e ’s/ /,/g’`

在典型满负载的mysql服务器上抓包的开销是:

26163 root 18 0 104m 5304 4696 S 18.3 0.0 49:47.58 tcprstat

用IP方式,而不是网络接口方式搞定。

祝大家玩的开心。

转载自:http://rdc.taobao.com/blog/cs/?p=728

Linux下杀僵尸进程办法

2010年12月10日 写评论 作者 夜行人

1) 检查当前僵尸进程信息

# ps -ef | grep defunct | grep -v grep | wc -l

175

# top | head -2

top – 15:05:54 up 97 days, 23:49, 4 users, load average: 0.66, 0.45, 0.39

Tasks: 829 total, 1 running, 479 sleeping, 174 stopped, 175 zombie

# ps -ef | grep defunct | grep -v grep

2) 获得杀僵尸进程语句

# ps -ef | grep defunct | grep -v grep | awk ‘{print “kill -9 ” $2,$3}’

执行上面获得的语句即可, 使用信号量9, 僵尸进程数会大大减少.

3) 过一会儿检查当前僵尸进程信息

# ps -ef | grep defunct | grep -v grep | wc -l

125

# top | head -2

top – 15:29:26 up 98 days, 12 min, 7 users, load average: 0.27, 0.54, 0.56

Tasks: 632 total, 1 running, 381 sleeping, 125 stopped, 125 zombie

发现僵尸进程数减少了一些, 但还有不少啊.

4) 再次获得杀僵尸进程语句

# ps -ef | grep defunct | grep -v grep | awk ‘{print “kill -18 ” $3}’

执行上面获得的语句即可, 这次使用信号量18杀其父进程, 僵尸进程应该会全部消失.

5) 过一会儿再检查当前僵尸进程信息

# ps -ef | grep defunct | grep -v grep | wc -l

0

# top | head -2

top – 15:39:46 up 98 days, 23 min, 7 users, load average: 5.46, 2.20, 1.12

Tasks: 134 total, 1 running, 133 sleeping, 0 stopped, 0 zombie

6) 清除ZOMBIE(僵尸)进程原理

# kill -18 PPID

PPID是其父进程, 这个信号是告诉父进程, 该子进程已经死亡了, 请收回分配给他的资源. 如果还不行则看先看其父进程又无其他子进程, 如果有, 可能需要先kill其他子进程, 也就是兄弟进程.

方法是:

# kill -15 PID1 PID2

PID1,PID2是僵尸进程的父进程的其它子进程.

然后再kill父进程:

# kill -15 PPID

–End–

How to: Linux / UNIX Delete or Remove Files With Inode Number

2010年11月16日 写评论 作者 夜行人

An inode identifies the file and its attributes such as file size, owner, and so on. A unique inode number within the file system identifies each inode. But, why to delete file by an inode number? Sure, you can use rm command to delete file. Sometime accidentally you creates filename with control characters or characters which are unable to be input on a keyboard or special character such as ?, * ^ etc. Removing such special character filenames can be problem. Use following method to delete a file with strange characters in its name:

Please note that the procedure outlined below works with Solaris, FreeBSD, Linux, or any other Unixish oses out there:

Find out file inode
First find out file inode number with any one of the following command:

stat {file-name}

OR

ls -il {file-name}

Use find command to remove file:
Use find command as follows to find and remove a file:

find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.

Delete or remove files with inode number
Let us try to delete file using inode number.

(a) Create a hard to delete file name:
$ cd /tmp
$ touch “\+Xy \+\8”
$ ls
(b) Try to remove this file with rm command:
$ rm \+Xy \+\8

(c) Remove file by an inode number, but first find out the file inode number:
$ ls -ilOutput:

781956 drwx—— 3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx—— 2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x 1 viv viv 0 2006-01-27 15:05 mapping-viv
781939 drwx—— 2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx—— 2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx—— 2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r–r– 1 viv viv 0 2006-01-27 15:49 \+Xy \+\8Note: 782263 is inode number.

(d) Use find command to delete file by inode:
Find and remove file using find command, type the command as follows:
$ find . -inum 782263 -exec rm -i {} \;
Note you can also use add \ character before special character in filename to remove it directly so the command would be:
$ rm “\+Xy \+\8”
If you have file like name like name “2005/12/31” then no UNIX or Linux command can delete this file by name. Only method to delete such file is delete file by an inode number. Linux or UNIX never allows creating filename like 2005/12/31 but if you are using NFS from MAC OS or Windows then it is possible to create a such file.

转载自:http://www.cyberciti.biz/tips/delete-remove-files-with-inode-number.html

Security
Newer Entries
Older Entries
2024年四月
« 5月    
1234567
891011121314
15161718192021
22232425262728
2930