Archive for the 'Unix|Linux' Category

Sep 27 2008

Detailed explanation of important settings in the Linux sysctl.conf

Published by David under Unix|Linux

  net.ipv4.tcp_syncookies = 1
Enables SYN cookies. When the SYN wait queue overflows, cookies are used to handle the new requests, which defends against small-scale SYN flood attacks. Default is 0 (disabled);
  net.ipv4.tcp_tw_reuse = 1
Enables reuse. Allows TIME-WAIT sockets to be reused for new TCP connections. Default is 0 (disabled);
  net.ipv4.tcp_tw_recycle = 1
Enables fast recycling of TIME-WAIT sockets in TCP connections. Default is 0 (disabled).
  net.ipv4.tcp_fin_timeout = 30
If the socket is closed by the local side, this parameter decides how long it stays in the FIN-WAIT-2 state.
  net.ipv4.tcp_keepalive_time = 1200
How often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; changed to 20 minutes.
  net.ipv4.ip_local_port_range = 1024 65000
The port range used for outgoing connections. By default it is quite small: 32768 to 61000; changed to 1024 to 65000.
  net.ipv4.tcp_max_syn_backlog = 8192
The length of the SYN queue; default 1024. Raising it to 8192 accommodates more connections waiting to be established.
  net.ipv4.tcp_max_tw_buckets = 5000
The maximum number of TIME_WAIT sockets the system keeps at once. If this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning is printed. Default is 180000; changed to 5000. For servers such as Apache and Nginx, the parameters above already reduce the number of TIME_WAIT sockets well, but for Squid they have little effect. This parameter caps the number of TIME_WAIT sockets and prevents a Squid server from being dragged down by a flood of them.


Jul 23 2008

sysctl.conf optimization plan

Published by David under Unix|Linux

Reposted from CU
###################
All RFC-related options are enabled by default, so the online guides that add their own RFC support by hand can be thrown away :)
###############################

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
#############################
Through source routing, an attacker can try to reach internal IP addresses, including the RFC1918 addresses, so
rejecting source-routed packets prevents your internal network from being probed.
#################################

May 16 2008

[Repost] Clock in a Linux Guest Runs More Slowly or Quickly Than Real Time

Products

Published by David under Unix|Linux

VMware ACE

VMware ESX Server

VMware GSX Server

VMware Server

VMware Workstation

Details

Why does the clock in my Linux guest consistently run more slowly or more quickly than real world time?

Solution

Linux guest operating systems keep time by counting timer interrupts. Unpatched 2.4 and earlier kernels program the virtual system timer to request clock interrupts at 100Hz (100 interrupts per second). 2.6 kernels, on the other hand, request interrupts at 1000Hz — ten times as often. Some 2.4 kernels modified by distribution vendors to contain 2.6 features also request 1000Hz interrupts, or in some cases, interrupts at other rates, such as 512Hz.
Furthermore, an SMP-capable Linux kernel requests additional timer interrupts from the virtual local APIC timer. An SMP-capable kernel running on a one-CPU system generates twice as many total timer interrupts as the corresponding UP kernel, while such a kernel running on a two-CPU system requests three times as many. In general, an SMP-capable kernel running on N CPUs requests N+1 times as many interrupts per second as a UP kernel. For example, an unmodified 2.6 Linux kernel running on a two-CPU virtual machine requests a total of 3000 clock interrupts per second.
When a guest asks for more than 1000 clock interrupts per second, it can be difficult for the virtual machine to keep up, especially if other applications are running on the host at the same time. This can cause the clock in the guest operating system to fall so far behind real time that it is unable to catch up. The overhead of delivering so many virtual clock interrupts can also hurt guest performance and increase host CPU consumption.
It can also be difficult for the guest operating system to field 1000 clock interrupts per second. Even on real hardware, clock interrupts are sometimes lost because the operating system is busy for more than 1 millisecond and another clock interrupt comes in before the previous one was handled. Linux 2.6 contains code to detect such “lost ticks” and correct for them. Unfortunately, this code can trigger the correction spuriously in some cases, resulting in the Linux clock running more quickly than real time. This problem happens more often in a virtual machine than on real hardware, and can cause noticeable time gains. In some cases, the guest clock has been observed to run more than 10% more quickly than real time.

May 16 2008

ESX NTP: virtual machine time synchronization

Published by David under Unix|Linux

Here is my procedure on ESX 3.02; what you need to do is open port 161 on the firewall.
[root@esx02 root]#esxcfg-firewall --enableService ntpClient

[root@esx02 root]# vi /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict 127.0.0.1
restrict default kod nomodify notrap
server 0.vmware.pool.ntp.org
server 1.vmware.pool.ntp.org
server 2.vmware.pool.ntp.org
driftfile /var/lib/ntp/drift

# --- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

“/etc/ntp.conf” 83L, 2970C written
[root@esx02 root]# vi /etc/ntp/step-tickers
re.pool.ntp.org
1.vmware.pool.ntp.org
2.vmware.pool.ntp.org
“/etc/ntp/step-tickers” 4L, 61C written
[root@esx02 root]# vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
172.16.1.130 esx02.vmware.cn
0.vmware.pool.ntp.org
1.vmware.pool.ntp.org
2.vmware.pool.ntp.org

“/etc/hosts” 8L, 244C written
[root@esx02 root]# service ntpd restart
Shutting down ntpd: [ OK ]
ntpd: Synchronizing with time server: [ OK ]
Starting ntpd: [ OK ]
[root@esx02 root]#
Configure ESX to start the NTP service automatically at boot:

chkconfig --level 345 ntpd on

Sync the hardware clock to the system clock when ESX shuts down:

hwclock --systohc

Configuring VMware guests
Time synchronization in VMs is very important. An ordinary computer computes the system time from the clock interrupts (CLOCK INTERRUPT) or clock ticks (CLOCK TICK) supplied by its hardware. VMs running on ESX do not use the ESX hardware directly; their clock interrupts and clock ticks are provided by ESX's virtual hardware. When ESX is busy, it often cannot deliver clock interrupts and ticks to all VMs accurately and on time, so the VMs cannot compute an accurate time from these signals. That is why synchronization with a time source is needed.

A VM can choose to synchronize its time with the ESX server, or use the usual synchronization methods with another time source.

With VM-to-ESX time synchronization, ESX provides the time to the VM directly (instead of the VM computing the time itself from the clock interrupts and ticks described above). The VM must have VMware Tools installed; then, in the VMware Tools configuration, select: synchronize with ESX host. For a Windows VM, the Windows Time Service must be disabled, otherwise it will hold UDP port 123 and time synchronization with ESX will not work properly.

VM-to-ESX time synchronization only corrects the clock when the VM's time is >>behind<< ESX's!

If VM-to-ESX time synchronization is not used, the VM can synchronize with another NTP time source. Windows PCs/servers joined to a Windows AD domain synchronize with the PDC by default; the others need to be configured manually.

1. Windows OS: disable the clock synchronization feature, install VMware Tools, and turn synchronization on.
2. Linux OS: stop the ntpd service, install VMware Tools, and turn synchronization on, or edit the vmx file directly and add:
tools.syncTime = "TRUE"


May 12 2008

Installing and configuring the SNMP service on Linux

Published by David under Unix|Linux

1. Make sure the SNMP service is installed on this machine

[root@idc ~]# rpm -qa |grep snmp

net-snmp-libs-5.1.2-11.EL4.7

net-snmp-5.1.2-11.EL4.7

If it is not, insert the Linux installation disc and find the SNMP rpm package to install it, or search online for an rpm package that suits your Linux distribution.
On newer CentOS and Red Hat ES versions the installation may report a dependency error; in that case install lm_sensors-2.8.7-2.40.3.i386.rpm first, then install the net-snmp package.

2. Configure the snmpd.conf file

Edit snmpd.conf as follows

A. Change the default community string

com2sec notConfigUser default public

Change public to a string that only you know

B. Remove the leading # from the following line

#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc

C. Change the following line

access notConfigGroup "" any noauth exact systemview none none

to:

access notConfigGroup "" any noauth exact mib2 none none

3. Restart the snmpd service

#/etc/rc.d/init.d/snmpd restart

This completes the snmpd configuration

4. Make sure the Linux iptables firewall allows our traffic-monitoring server to reach UDP port 161

Use iptables -L -n to view the current iptables rules

Edit /etc/sysconfig/iptables to modify the iptables rules.

Add the snmpd service to autostart

chkconfig snmpd on

Use chkconfig --list |grep on to check whether it is already in the autostart group

If chkconfig --list |grep snmpd shows nothing, first add it with the following command

chkconfig --add snmpd
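As an added example (not part of the original post), this script checks an snmpd.conf against the three edits in step 2 above: the community string no longer being a well-known default, the mib2 view being uncommented, and the access line reading that view with no write view. The checker and both constructed samples are mine; the placeholder community string is not a real value.

```python
# Added example (not from the original post): check an snmpd.conf against the
# three edits the post describes (community string, mib2 view, access line).

WELL_KNOWN = {"public", "private"}


def active_directives(text):
    """Split snmpd.conf into token lists, dropping blank and '#' comment lines."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def audit_snmpd(text):
    """Return a list of problems; an empty list means all three edits are in place."""
    problems = []
    directives = active_directives(text)
    # Step B: the mib2 view must be uncommented before step C can reference it.
    views = {t[1] for t in directives if t[0] == "view" and len(t) >= 4}
    for t in directives:
        # Step A: com2sec <name> <source> <community>
        if t[0] == "com2sec" and len(t) >= 4 and t[3] in WELL_KNOWN:
            problems.append(f"com2sec {t[1]} still uses well-known community {t[3]!r}")
        # Step C: access <group> <ctx> <model> <level> <prefix> <read> <write> <notify>
        elif t[0] == "access" and len(t) >= 9:
            read_view, write_view = t[6], t[7]
            if read_view not in views:
                problems.append(f"access {t[1]} reads undefined view {read_view!r}")
            elif read_view != "mib2":
                problems.append(f"access {t[1]} reads {read_view!r}, not the mib2 view")
            if write_view != "none":
                problems.append(f"access {t[1]} grants write access via {write_view!r}")
    return problems


# Constructed samples: the stock file, and the same file after the post's edits.
BEFORE = """\
com2sec notConfigUser  default       public
group   notConfigGroup v1            notConfigUser
view    systemview    included   .1.3.6.1.2.1.1
#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
access  notConfigGroup ""      any       noauth    exact  systemview none none
"""
AFTER = (BEFORE.replace("public", "placeholder-community-string")
               .replace("#view mib2", "view mib2")
               .replace("exact  systemview", "exact  mib2"))

if __name__ == "__main__":
    print("before:", audit_snmpd(BEFORE))
    print("after: ", audit_snmpd(AFTER))
```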
