Tag: debian

  • debian apt-get update: public key error fix

    apt-get update fails with this kind of error:
    Reading package lists… Done
    W: There is no public key available for the following key IDs:
    7638D0442B90D010
    W: There is no public key available for the following key IDs:
    7638D0442B90D010
    W: There is no public key available for the following key IDs:
    9D6D8F6BC857C906

    Fix
    apt-get install debian-keyring debian-archive-keyring
    apt-get update

  • Blocking abusive IP addresses using IPTABLES Firewall in Debian

    In one of our previous articles we posted an instructional guide on how to secure your Debian/Ubuntu based VPS using IPTABLES/Netfilter.

    In the following article we are adding a blacklist to the firewall script which will allow you to block any abusive IP addresses or ranges of IPs in your Debian or Ubuntu based virtual server.

    What is iptables?

    It is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

    Before proceeding any further, make sure you read the article on how to secure/design the firewall in your Linux VPS. This includes:

    Flushing the old firewall rules
    Determining service ports
    Setting-up default policies
    Setting-up your firewall rules
    Saving your firewall rules
    BLOCKING IPs USING IPTABLES
    To block some abusive IP address or range of IPs, you can use the following iptables rules:
    ## iptables -I INPUT -s 1.2.3.4 -j DROP
    ## iptables -I INPUT -s 1.2.0.0/16 -j DROP

    CREATING THE BLACKLIST
    For better readability and maintenance, it is a good idea to keep all abusive IPs in one particular file, for example /etc/blacklist.ips. This way, you can add the IP addresses or subnets to this file (one IP or subnet per line) and use the fwall-rules script below to block anything listed in it.

    So, create or edit /usr/local/bin/fwall-rules and make it as follows:

    #!/bin/bash
    #
    # iptables firewall script
    # http://www.rosehosting.com
    #

    IPTABLES=/sbin/iptables
    BLACKLIST=/etc/blacklist.ips

    echo " * flushing old rules"
    ${IPTABLES} --flush
    ${IPTABLES} --delete-chain
    ${IPTABLES} --table nat --flush
    ${IPTABLES} --table nat --delete-chain

    echo " * setting default policies"
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT ACCEPT

    echo " * allowing loopback devices"
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT

    # drop "new" TCP connections that do not start with a SYN, then accept
    # everything that belongs to a connection we already know about
    ${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ## BLOCK ABUSING IPs HERE ##
    #echo " * BLACKLIST"
    #${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
    #${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

    echo " * allowing ssh on port 5622"
    ${IPTABLES} -A INPUT -p tcp --dport 5622 -m state --state NEW -j ACCEPT

    echo " * allowing ftp on port 21"
    ${IPTABLES} -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    echo " * allowing dns on port 53 udp"
    ${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

    echo " * allowing dns on port 53 tcp"
    ${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

    echo " * allowing http on port 80"
    ${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    echo " * allowing https on port 443"
    ${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

    echo " * allowing smtp on port 25"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

    echo " * allowing submission on port 587"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

    echo " * allowing imaps on port 993"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

    echo " * allowing pop3s on port 995"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

    echo " * allowing imap on port 143"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

    echo " * allowing pop3 on port 110"
    ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

    echo " * allowing ping responses"
    ${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

    # DROP everything else and Log it
    ${IPTABLES} -A INPUT -j LOG
    ${IPTABLES} -A INPUT -j DROP

    #
    # Block abusing IPs
    # from ${BLACKLIST}
    # (-I inserts at the top of INPUT, so these DROPs take precedence
    # over every ACCEPT added above)
    #
    if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
        echo " * BLOCKING ABUSIVE IPs"
        while read -r IP; do
            [[ -n "${IP}" ]] || continue
            ${IPTABLES} -I INPUT -s "${IP}" -j DROP
        done < "${BLACKLIST}"
    fi

    #
    # Save settings
    #
    echo " * SAVING RULES"
    if [[ -d /etc/network/if-pre-up.d ]]; then
        if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
            echo "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
            # restore from the same file this script saves to below
            echo "test -e /etc/fwall.rules && iptables-restore -c /etc/fwall.rules" >> /etc/network/if-pre-up.d/iptables
            chmod +x /etc/network/if-pre-up.d/iptables
        fi
    fi

    iptables-save -c > /etc/fwall.rules
    iptables-restore -c /etc/fwall.rules

    Make sure the script is executable by adding an 'x' bit to it:
    chmod +x /usr/local/bin/fwall-rules
    APPLYING THE RULES
    To apply the firewall rules and block the abusers, you need to just execute the fwall-rules script and that’s it.

    ## fwall-rules
    * flushing old rules
    * setting default policies
    * allowing loopback devices
    * allowing ssh on port 5622
    * allowing ftp on port 21
    * allowing dns on port 53 udp
    * allowing dns on port 53 tcp
    * allowing http on port 80
    * allowing https on port 443
    * allowing smtp on port 25
    * allowing submission on port 587
    * allowing imaps on port 993
    * allowing pop3s on port 995
    * allowing imap on port 143
    * allowing pop3 on port 110
    * allowing ping responses
    * BLOCKING ABUSIVE IPs
    * SAVING RULES
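    The loop in fwall-rules hands every line of /etc/blacklist.ips to iptables unchecked, so a typo or a stray word in that file makes iptables error out part-way through building the rule set, with whatever was loaded so far left in place. The functions below are an added example written for this page (they are not part of the RoseHosting script): they validate each entry as an IPv4 address or IPv4/prefix range, skip blank lines and # comments, and refuse the whole file if any entry is malformed. The function names, the file format handling and the dry-run default (printing the iptables commands instead of running them) are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original fwall-rules script.
# Validates /etc/blacklist.ips-style files before anything reaches iptables.

# Return 0 if $1 is a syntactically valid IPv4 address or IPv4/prefix range.
is_valid_ipv4_entry() {
    local entry="$1" addr prefix rest octet n=0
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" != "$entry" ] || prefix=32      # no "/": single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    rest=$addr
    while [ -n "$rest" ]; do
        case "$rest" in
            *.*) octet=${rest%%.*}; rest=${rest#*.}
                 [ -n "$rest" ] || return 1 ;;   # trailing dot
            *)   octet=$rest; rest='' ;;
        esac
        n=$((n + 1))
        # empty, non-numeric or zero-padded octets are rejected
        case "$octet" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Print the valid entries of a blacklist file, one per line. Blank lines and
# "#" comments are skipped; malformed lines go to stderr and the function
# returns 1 so the caller can abort instead of loading a partial list.
read_blacklist() {
    local file="$1" line status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if is_valid_ipv4_entry "$line"; then
            printf '%s\n' "$line"
        else
            printf 'blacklist: rejecting malformed entry: %s\n' "$line" >&2
            status=1
        fi
    done < "$file"
    return "$status"
}

# Insert a DROP rule for each validated entry. The second argument is the
# iptables command to run; it defaults to a dry run that only prints the rules.
apply_blacklist() {
    local file="$1" entries
    local iptables_cmd="${2:-echo /sbin/iptables}"
    entries=$(read_blacklist "$file") || return 1
    printf '%s\n' "$entries" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        # shellcheck disable=SC2086  # word-splitting of the command is intended
        $iptables_cmd -I INPUT -s "$ip" -j DROP || exit 1
    done
}

# Usage: apply_blacklist /etc/blacklist.ips                  (dry run, prints rules)
#        apply_blacklist /etc/blacklist.ips /sbin/iptables   (really inserts them)
```

    In fwall-rules the blacklist section would become `apply_blacklist "${BLACKLIST}" "${IPTABLES}" || exit 1`, so a bad file stops the script before the rule set is saved rather than after.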


  • How to mount Google Drive on debian

    apt-get install ocaml camlp4-extra
    git clone https://github.com/OCamlPro/opam.git
    cd opam
    ./configure
    make
    sudo make install

    apt-get install m4 libcurl4-gnutls-dev libfuse-dev libsqlite3-dev
    opam init   # if this fails, try: opam init https://opam.ocaml.org/1.1
    opam update
    opam install google-drive-ocamlfuse

    After the install succeeds, go to the Google Developers Console and create a Project
    https://console.developers.google.com/project
    In the project's API settings, enable the Drive API
    Create an OAuth client ID
    Create the project's Client ID
    Note down the two generated values (client ID and secret) for later use
    Go to /root/.opam/system/bin/ and bind the project
    cd /root/.opam/system/bin/
    ./google-drive-ocamlfuse -headless -label googledrive -id ##Client ID##.apps.googleusercontent.com -secret ##secret key##
    Running the command above returns an https URL. Paste it into a browser; a Google page asks whether to allow access to the project. Choose accept, note the code the browser page returns, paste it into the terminal and press Enter.
    Go to ~/.gdfuse/googledrive
    cd ~/.gdfuse/googledrive
    nano config
    Edit config and change the values, for example:
    verification_code= [key returned from browser]
    client_id= [eg. 123123231.apps.googleusercontent.com]
    client_secret= [eg. ASDQWEWGSD!$@#@#ASD]
    With the configuration done, mount the remote Google Drive storage at the local /googledrive

    mkdir /googledrive
    cd ~/.opam/system/bin
    ./google-drive-ocamlfuse -label googledrive /googledrive

  • debian gnome

    aptitude search gnome|grep

    gir1.2-gnomebluetooth-1.0 - Introspection data for GnomeBluetooth
    gir1.2-gnomekeyring-1.0 - GNOME keyring services library - introspec
    gnome - Full GNOME Desktop Environment, with extra
    gnome-accessibility-themes - Accessibility themes for the GNOME desktop
    gnome-applets - Various applets for the GNOME panel - bina
    gnome-applets-data - Various applets for the GNOME panel - data
    gnome-backgrounds - Set of backgrounds packaged with the GNOME
    gnome-bluetooth - GNOME Bluetooth tools
    gnome-brave-icon-theme - blue variation of the GNOME-Colors icon th
    gnome-cards-data - data files for the GNOME card games
    gnome-color-manager - Color management integration for the GNOME
    gnome-colors-common - common icons for all GNOME-Colors icon the
    gnome-common - common scripts and macros to develop with
    gnome-contacts - Contacts manager for GNOME
    gnome-control-center - utilities to configure the GNOME desktop
    gnome-control-center-data - configuration applets for GNOME - data fil
    gnome-core - GNOME Desktop Environment -- essential com
    gnome-desktop-data - Common files for GNOME desktop apps
    gnome-desktop-environment - The GNOME Desktop Environment - transition
    gnome-desktop3-data - Common files for GNOME desktop apps
    gnome-dictionary - GNOME dictionary application
    gnome-disk-utility - manage and configure disk drives and media
    gnome-doc-utils - collection of documentation utilities for
    gnome-documents - Document manager for GNOME
    gnome-font-viewer - font viewer for GNOME
    gnome-games - games for the GNOME desktop
    gnome-games-data - data files for the GNOME games
    gnome-games-extra-data - games for the GNOME desktop (extra artwork
    gnome-icon-theme - GNOME Desktop icon theme
    gnome-icon-theme-extras - GNOME Desktop icon theme (additional icons
    gnome-icon-theme-gartoon - Gartoon icon theme for GTK+ 2.x
    gnome-icon-theme-nuovo - Dropline Nuovo icon theme for GTK+ 2.x
    gnome-icon-theme-suede - Suede icon theme for GTK+ 2.x
    gnome-icon-theme-symbolic - GNOME desktop icon theme (symbolic icons)
    gnome-icon-theme-yasis - YASIS (Yet Another Scalable Icon Set)
    gnome-js-common - Common modules for GNOME JavaScript interp
    gnome-keyring - GNOME keyring services (daemon and tools)
    gnome-mag - a screen magnifier for the GNOME desktop
    gnome-media - GNOME media utilities
    gnome-media-common - GNOME media utilities - common files
    gnome-menus - GNOME implementation of the freedesktop me
    gnome-mime-data - base MIME and Application database for GNO
    gnome-nettool - network information tool for GNOME
    gnome-online-accounts - GNOME Online Accounts
    gnome-orca - Scriptable screen reader
    gnome-packagekit - Graphical distribution neutral software ma
    gnome-packagekit-data - Data files for graphical distribution neut
    gnome-panel - launcher and docking facility for GNOME
    gnome-panel-data - common files for the GNOME Panel
    gnome-power-manager - power management tool for the GNOME deskto
    gnome-rdp - remote desktop client for GNOME
    gnome-screensaver - GNOME screen saver and locker
    gnome-screenshot - screenshot application for GNOME
    gnome-search-tool - GNOME tool to search files
    gnome-session - GNOME Session Manager - GNOME 3 session
    gnome-session-bin - GNOME Session Manager - Minimal runtime
    gnome-session-canberra - GNOME session log in and log out sound eve
    gnome-session-common - GNOME Session Manager - common files
    gnome-session-fallback - GNOME Session Manager - GNOME fallback ses
    gnome-settings-daemon - daemon handling the GNOME session settings
    gnome-shell - graphical shell for the GNOME desktop
    gnome-shell-common - common files for the GNOME graphical shell
    gnome-shell-extensions - Extensions to extend functionality of GNOM
    gnome-sudoku - Sudoku puzzle game for GNOME
    gnome-sushi - sushi is a quick previewer for nautilus
    gnome-system-log - system log viewer for GNOME
    gnome-system-monitor - Process viewer and system resource monitor
    gnome-system-tools - Cross-platform configuration utilities for
    gnome-terminal - GNOME terminal emulator application
    gnome-terminal-data - Data files for the GNOME terminal emulator
    gnome-themes - official themes for the GNOME desktop
    gnome-themes-extras - extra themes for the GNOME desktop
    gnome-themes-standard - Standard GNOME themes
    gnome-themes-standard-data - Data files for GNOME standard themes
    gnome-tweak-tool - tool to adjust advanced configuration sett
    gnome-user-guide - GNOME user's guide
    gnome-user-share - User level public file sharing via WebDAV
    gnome-video-effects - GNOME Video Effects
    guile-gnome2-glib - Guile bindings for GLib
    guile-gnome2-gtk - Guile bindings for GTK+, libglade, Pango a
    libgnome-bluetooth10 - GNOME Bluetooth tools - support library
    libgnome-bluetooth7 - GNOME Bluetooth tools - support library
    libgnome-desktop-2-17 - Utility library for loading .desktop files
    libgnome-desktop-3-2 - Utility library for loading .desktop files
    libgnome-keyring-common - GNOME keyring services library - data file
    libgnome-keyring0 - GNOME keyring services library
    libgnome-keyring1.0-cil - CLI library to access the GNOME Keyring da
    libgnome-mag2 - screen magnification library for the GNOME
    libgnome-media-profiles-3.0-0 - GNOME Media Profiles library
    libgnome-media0 - runtime libraries for the GNOME media util
    libgnome-menu-3-0 - GNOME implementation of the freedesktop me
    libgnome-menu2 - GNOME implementation of the freedesktop me
    libgnome-speech7 - GNOME text-to-speech library
    libgnome-window-settings1 - Utility library for getting window manager
    libgnome2-0 - The GNOME library - runtime files
    libgnome2-canvas-perl - Perl interface to the GNOME canvas library
    libgnome2-common - The GNOME library - common files
    libgnome2-perl - Perl interface to the GNOME libraries
    libgnome2-vfs-perl - Perl interface to the 2.x series of the GN
    libgnomecanvas2-0 - powerful object-oriented display engine -
    libgnomecanvas2-common - powerful object-oriented display engine -
    libgnomekbd-common - GNOME library to manage keyboard configura
    libgnomekbd4 - GNOME library to manage keyboard configura
    libgnomekbd7 - GNOME library to manage keyboard configura
    libgnomeui-0 - GNOME user interface library - runtime fil
    libgnomeui-common - GNOME user interface library - common file
    libgnomevfs2-0 - GNOME Virtual File System (runtime librari
    libgnomevfs2-common - GNOME Virtual File System (common files)
    libgnomevfs2-extra - GNOME Virtual File System (extra modules)
    libpam-gnome-keyring - PAM module to unlock the GNOME keyring upo
    libreoffice-gnome - office productivity suite -- GNOME integra
    libsoup-gnome2.4-1 - HTTP library implementation in C -- GNOME
    network-manager-gnome - network management framework (GNOME fronte
    policykit-1-gnome - GNOME authentication agent for PolicyKit-1
    python-gnome2 - Python bindings for the GNOME desktop envi
    python-gnomedesktop - Python bindings for the GNOME desktop libr
    python-gnomekeyring - Python bindings for the GNOME keyring libr
    task-gnome-desktop - GNOME desktop environment
    vim-gnome - Vi IMproved - enhanced vi editor - with GN

  • Debian: dmesg output contains "Error: Driver 'pcspkr' is already registered, aborting..."

    Fix:

    aptitude install alsa-base

    echo blacklist snd-pcsp >> /etc/modprobe.d/alsa-base-blacklist.conf

    If alsa-base-blacklist.conf already contains blacklist snd-pcsp, the echo is not needed.

  • Could not load host key: /etc/ssh/ssh_host_ecdsa_key

    debian

    service ssh restart

    prints Could not load host key: /etc/ssh/ssh_host_ecdsa_key

    Fix:

    dpkg-reconfigure openssh-server

  • debian Shadowsocks Supervisor

    Run

    apt-get install python-pip python-m2crypto supervisor

    pip install shadowsocks

    Once the server side is installed, create a configuration file /etc/shadowsocks.json. Example:

    {
        "server":"服务器 IP 地址",
        "server_port":8388,
        "local_address": "127.0.0.1",
        "local_port":1080,
        "password":"mypassword",
        "timeout":300,
        "method":"aes-256-cfb",
        "fast_open": false,
        "workers": 1
    }

    Multi-user configuration file

    {
        "server":"your_server_ip",
        "local_address": "127.0.0.1",
        "local_port":1080,
        "port_password":{
            "8989":"password0",
            "9001":"password1",
            "9002":"password2",
            "9003":"password3",
            "9004":"password4"
        },
        "timeout":60,
        "method":"aes-256-cfb",
        "fast_open": false,
        "workers": 1
    }

    On the server, run ssserver -c /etc/shadowsocks.json and it is up.

    Locally, configure the shadowsocks-gui client mentioned above accordingly and run it.

    shadowsocks-gui download: http://sourceforge.net/projects/shadowsocksgui/files/dist/

    Finally set the browser proxy. For Chrome, SwitchySharp is recommended for switching proxy settings. Set the browser proxy to the following:

    Protocol: socks5
    Address: 127.0.0.1
    Port: the local_port you set

    To run it in the background, use supervisor; the supervisor configuration is as follows:

    After installing supervisor, create

    vi /etc/supervisor/conf.d/shadowsocks.conf

    with the following content:

    [program:shadowsocks]
    command=ssserver -c /etc/shadowsocks.json
    autorestart=true
    user=nobody

    If the port is < 1024, change user=nobody above to user=root. Save.

    Add a line at the end of /etc/default/supervisor:

    ulimit -n 51200

    Run

    service supervisor start

    supervisorctl reload

    and that's it.

    If you run into problems, check the log:

    supervisorctl tail -f shadowsocks stderr

    If you changed the shadowsocks config /etc/shadowsocks.json, restart shadowsocks:

    supervisorctl restart shadowsocks

    If you changed the Supervisor config files under /etc/supervisor/*, update the supervisor configuration:

    supervisorctl update

  • /bin/false and /usr/sbin/nologin

    To deny a system user login, set its shell to /usr/sbin/nologin or /bin/false

    # usermod -s /usr/sbin/nologin username        (-s is short for --shell)

    or

    # usermod -s /bin/false username

    /bin/false

    /bin/false does nothing but return an error status and exit immediately. With the user's shell set to /bin/false, the user cannot log in and gets no message at all.

    /usr/sbin/nologin

    nologin politely shows the user a message and refuses the login:

    This account is currently not available.

    Some software, for example some FTP servers, only lets a local (non-virtual) account use the FTP service if the user has a valid shell. In that case nologin makes the user unable to log in to the system while still able to use some system services such as FTP; /bin/false does not, which is one of the important differences between the two.

    /etc/nologin

    If the file /etc/nologin exists, the system only allows root to log in; all other users are refused and shown the contents of /etc/nologin.

    Locking a user account

    # passwd -l username        (-l is short for --lock)

    Unlocking a user account

    # passwd -u username        (-u is short for --unlock)

    Deleting a user's password

    # passwd -d username        (-d is short for --delete)
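    The distinction above is easy to lose track of across a whole /etc/passwd, so here is an added example (written for this page, not from the post) that audits passwd-format lines and reports which accounts can still open an interactive session and how the others are denied. The sample passwd lines are constructed, and the function names are my own. One detail the post does not mention but which matters for the audit: an empty shell field means login falls back to /bin/sh, so it is treated as a login-capable account here.

```shell
#!/bin/sh
# Added example: audit login shells in passwd-format data.

# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
ftpuser:x:1001:1001::/srv/ftp:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
svc:x:999:999::/nonexistent:/bin/sh
broken:x:998:998::/nonexistent:'

# Classify one shell path:
#   denied-silent  -> /bin/false: exits with an error, no message
#   denied-message -> nologin: prints "This account is currently not available."
#   empty          -> no shell set; login falls back to /bin/sh
#   login          -> anything else can start a session
shell_policy() {
    case "$1" in
        '')          echo empty ;;
        /bin/false)  echo denied-silent ;;
        */nologin)   echo denied-message ;;
        *)           echo login ;;
    esac
}

# Read passwd lines on stdin and print "user<TAB>policy<TAB>shell" per line.
audit_shells() {
    while IFS=: read -r user _ _ _ _ _ shell; do
        [ -n "$user" ] || continue
        printf '%s\t%s\t%s\n' "$user" "$(shell_policy "$shell")" "$shell"
    done
}

# Print only the accounts that can still get an interactive login.
login_capable() {
    audit_shells | awk -F '\t' '$2 == "login" || $2 == "empty" { print $1 }'
}

# Usage on a live system:  login_capable < /etc/passwd
# Usage on the sample:     printf '%s\n' "$SAMPLE_PASSWD" | audit_shells
```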


  • Setting up OpenVPN on Debian

    apt-get install openvpn
    cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
    cd /etc/openvpn/easy-rsa/2.0
    source vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-key client1
    ./build-dh
    Note: for all of the steps above, just press Enter at every prompt; where there is a Y/N choice, choose Y.

    OpenVPN needs the tun and iptables_nat modules, so first check whether your VPS supports them.
    After logging in to the VPS over SSH, enter
    cat /dev/net/tun
    If it returns: cat: /dev/net/tun: File descriptor in bad state, tun/tap is usable;
    if it returns: cat: /dev/net/tun: No such device or anything else, tun/tap is not configured correctly; open a ticket with your provider's support to have tun/tap enabled.
    apt-get install iptables # skip if already installed
    If your VPS is Xen or KVM, enter: (eth0 depends on the actual interface name; check with ifconfig)
    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
    If it is OpenVZ, enter: (11.22.33.44 is your VPS's IP)
    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 11.22.33.44
    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to 11.22.33.44   # use this form if the interface is venet0
    Edit /etc/sysctl.conf with vi and set net.ipv4.ip_forward=1, then apply it with sysctl -p
    Then use
    iptables -t nat -L
    to check the iptables NAT state; output similar to the following means forwarding is set up:
    target prot opt source destination
    SNAT all -- 10.0.0.0/8 anywhere to:11.22.33.44
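    The two prerequisite checks above (the cat probe of /dev/net/tun and the ip_forward sysctl) as functions, an added example written for this page rather than taken from the post. tun_status runs the same cat probe and maps its error text to usable/missing/unknown, forcing the C locale so the messages match regardless of LANG; ip_forward_enabled reads the sysctl file. Both take an optional path so they can be exercised on constructed input, and openvpn_prereqs combines them. The function names and the status words are my own.

```shell
#!/bin/sh
# Added example: automate the tun/tap and ip_forward prerequisite checks.

# Probe the tun device the same way the post does (cat it) and classify the
# error text. cat is expected to fail; its message is what we want.
#   usable  -> "File descriptor in bad state": node exists, module answers
#   missing -> "No such device" / "No such file or directory"
#   unknown -> anything else (e.g. permission denied, or a plain file)
tun_status() {
    local dev="${1:-/dev/net/tun}" msg
    msg=$(LC_ALL=C cat "$dev" 2>&1 >/dev/null || true)
    case "$msg" in
        *"File descriptor in bad state"*)                   echo usable ;;
        *"No such device"*|*"No such file or directory"*)   echo missing ;;
        *)                                                  echo unknown ;;
    esac
}

# Return 0 when IPv4 forwarding is on. The path defaults to the live sysctl
# file; pass another file to test against sample content.
ip_forward_enabled() {
    local f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Run both checks and report; returns 1 if either prerequisite is missing.
# Arguments (both optional): tun device path, ip_forward file path.
openvpn_prereqs() {
    local ok=0 t
    t=$(tun_status "$1")
    echo "tun/tap: $t"
    [ "$t" = usable ] || ok=1
    if ip_forward_enabled "$2"; then
        echo "ip_forward: enabled"
    else
        echo "ip_forward: disabled (set net.ipv4.ip_forward=1 in /etc/sysctl.conf and run sysctl -p)"
        ok=1
    fi
    return "$ok"
}

# Usage on a live VPS (as root): openvpn_prereqs
```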

    OpenVPN server configuration file
    dev tap
    proto tcp
    port 1194
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0
    persist-key
    persist-tun
    #status openvpn-status.log
    #verb 3
    client-to-client
    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 4.2.2.4"
    comp-lzo

    Restart: /etc/init.d/openvpn restart
    Using FTP, download the three files
    /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    /etc/openvpn/easy-rsa/2.0/keys/client1.crt
    /etc/openvpn/easy-rsa/2.0/keys/client1.key
    to your local machine and save them in OpenVPN's config directory, then add a client.ovpn client file with the following content:
    client
    dev tap
    proto tcp

    # The hostname/IP and port of the server.
    # CHANGE THIS TO YOUR VPS IP ADDRESS
    remote 11.22.33.44 1194

    resolv-retry infinite
    nobind

    persist-key
    persist-tun

    ca ca.crt
    cert client1.crt
    key client1.key

    comp-lzo
    verb 3

    Reboot the VPS and you should be able to connect.

    Summary:

    Problems you may run into at the end
    1. Wed Oct 13 21:57:57 2010 us=250000 TCP: connect to 2**.*3*.*1*.1**:23 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)

    Check dev: change dev tun to dev tap or vice versa and it works.

    2. You may be unable to connect, with ROUTE: route addition failed using CreateIpForwardEntry: 拒绝访问。 (access denied)
    This means the route could not be added: on Windows 7, route add and related route commands must be run as administrator; if OpenVPN is not run as administrator on Windows 7, the route command reports 请求的操作需要提升! (the requested operation requires elevation) when adding the route.
    Fix: change the compatibility settings of OpenVPN GUI



  • Installing the Java plugin for Google Chrome on Debian

    First download the matching Linux version of Java from the Java website. Download URL: http://www.java.com/zh_CN/download/manual.jsp?locale=zh_CN

    Then extract it with tar zxfv <file name> and remember the extraction directory, e.g. /usr/local/java/jre<version>/

    mkdir /opt/google/chrome/plugins/

    ln -s /usr/local/java/jre<version>/lib/i386/libnpjp.so /opt/google/chrome/plugins/

    In chrome://plugins/ you can see that the Java plugin is installed; reload Google Chrome and the Java plugin runs.