技术

SecureFX连接失败

by

连接linux主机A失败,返回

i Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,...
i Selected Kex Method =

连接linux主机B成功,返回

i Available Remote Kex Methods = curve25519-sha256@libssh.org,ecdh-sha2-nistp256,...
i Selected Kex Method = diffie-hellman-group14-sha1

原因是主机A中的OpenSSH升级了,可用以下命令确认

1

ssh -V

解决办法为,在/etc/ssh/sshd_config文件尾部加入

1
2
3

#Ciphers aes128-cbc
#MACs hmac-md5,hmac-sha1
KexAlgorithms diffie-hellman-group14-sha1

重启sshd

1

service sshd restart

refer to:
https://blog.csdn.net/lk_db/article/details/50964912

验证IPSec抗重放攻击

by

linux内核xfrm参数replay-window用于设定抗重放攻击效果。

replay-window为0表示不启用抗重放攻击,大于0时表示当前esp/ah包活动序列窗口大小,序号太旧的包因赶不上活动窗口而被丢弃或回复失败包。

在基于
StrongSwan PSK RSA
连通的环境下。

在C机器中编辑/etc/strongswan.d/charon.conf,更改replay-window值。
重启strongswan并启动连接后,可能通过命令

1

ip xfrm state

查看strongswan有没有将参数值设定到内核中。

在B机器中

1

apt install tcpreplay

在B机器中启动两个wireshark进程,分别抓包vmnet2和vmnet3。

当B和C中的strongswan都启动并连通后,在A中ping D的ip。

此时在B中抓vmnet3上的esp包,抓了几个后,点击对应wireshark窗口菜单

1

File/Export Specified Packet

将这些esp包保存为文件

1

/tmp/esp-b2c.pcapng

在A中停止ping D的ip。

在B的bash中执行

1

tcpreplay -i enp2s6 /tmp/esp-b2c.pcapng

其中enp2s6是网卡vmnet3对应的识别名。

可以看到,
当C中的replay-window参数设为0时,B中的vmnet2上会抓到模拟重放的icmp ping包,并且方向是10.2.0.10至10.1.0.10。
当C中的replay-window参数不为0时,B中的vmnet2上抓不到模拟重放的icmp ping包。
一旦重启B或C中的strongswan,使用旧的esp-b2c.pcapng文件重放时,不管C中的replay-window取何值,B中的vmnet2上都不会出现模拟重放包。

Strongswan中验证NATT

by

在基于
StrongSwan PSK RSA
连通的环境下。

四台虚拟机ABCD,三段Host Only虚拟网络vmnet2、vmnet3、vmnet4,DHCP都禁掉。

1
2
3
4
5
6
7
8
9
10

A
vmnet2: 10.1.0.10/24 gw 10.1.0.2
B
vmnet2: 10.1.0.2/24
vmnet3: 192.168.0.12/24  <--这里变了
C
vmnet3: 192.168.0.3/24
vmnet4: 10.2.0.2/24
D
vmnet4: 10.2.0.10/24 gw 10.2.0.2

在B的bash中执行

1
2

iptables -t nat -A POSTROUTING -s 192.168.0.12 -j SNAT --to-source 192.168.0.2
iptables -t nat -A PREROUTING -d 192.168.0.2 -j DNAT --to-destination 192.168.0.12

在B中用ifconfig命令查看vmnet3的hwaddr,比如为00:0c:29:5a:fc:8e。
在C的bash中执行

1

arp -s 192.168.0.2 00:0c:29:5a:fc:8e

修改B的ipsec.conf中指定conn下的left为192.168.0.12。
而仍将C的ipsec.conf中指定conn下的right设为192.168.0.2。

之后再重启BC中的strongswan并连接会看到第5条ISAKMP消息开始端口都走4500了。

gdb调试有管道的命令行

by

以pcre2调试为例

1
2
3
4
5
6
7
8
9

#!/bin/sh
 
cd `pwd`/installed/bin
 
mkfifo /tmp/pcre
echo "<h1>hello</h1>" > /tmp/pcre &
 
gdb ./pcre2grep -ex 'b main' -ex 'r -o "<.*>" < /tmp/pcre'
rm /tmp/pcre

refer to:
http://www.voidcn.com/article/p-migwptlv-bsq.html

apt testing source

by

/etc/apt/sources.list

1
2
3
4

deb http://http.us.debian.org/debian/ testing non-free contrib main
#deb http://http.us.debian.org/debian/ stable non-free contrib main
#deb http://http.us.debian.org/debian/ unstable non-free contrib main
#deb http://http.us.debian.org/debian/ wheezy non-free contrib main
1
2

#apt edit-sources
apt update

NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138

1
2

apt-key adv --keyserver keyserver.ubuntu.com --recv 04EE7237B7D453EC
apt-key adv --keyserver keyserver.ubuntu.com --recv 648ACFD622F3D138

ubuntu repo names

1
2
3

wheezy: debian 7.0
xenial: Ubuntu 16.04
focal: Ubuntu 20.04

refer to:
https://serverfault.com/questions/550855/how-to-add-debian-testing-repository-to-apt-get
https://yunwei365.blog.csdn.net/article/details/114930145

in gdb tui mode scroll the command window

by

Use cgdb instead.

Let GDBW denote the command window,
let SRCW denote the source window
let TTYW denote the input window.

Cgdb basic usage

1
2
3
4
5
6

ESC key in GDBW: switch to SRCW
i key in SRCW: switch to GDBW
T key in SRCW: switch on/off TTYW
PgUp/PgDn key in GDBW: scroll GDBW
PgUp/PgDn key in SRCW: scroll SRCW
-/= in SRCW: decrease/increase SRCW size

Patch: GDBW output is truncated.
cgdb/scroller.cpp:146
https://github.com/cgdb/cgdb/pull/269

refer to:
https://github.com/cgdb/cgdb/blob/master/doc/cgdb.texi

webrtc备忘录

by

名词

1
2
3
4
5
6
7

I帧: Intra-coded picture
P帧: Predictive-coded Picture
B帧: Bidirectionally predicted picture
GOP: Group of Pictures
IDR: Instantaneous Decoding Refresh
DTS: Decoding Time Stamp
PTS: Presentation Time Stamp

WebRTC 之视频捕获
https://hyjk2000.github.io/2015/04/21/webrtc-video-capture/
https://github.com/uxctx/DesktopLiveStreaming

so动态库只导出指定函数

by

retain_sym.txt

1
2

func1
func2

ver_script.txt

1
2
3
4
5
6
7

LIBA_1.1 {
	global:
		foo1;
		foo2;
	local:
		*;
};
1

ld -shared --retain-symbols-file=retain_sym.txt --version-script=ver_script.txt tst.o -o tst.so

refer to:
https://blog.csdn.net/chdhust/article/details/79356717
http://blog.sina.com.cn/s/blog_493667730100csde.html
http://www.gnu.org/software/gnulib/manual/html_node/LD-Version-Scripts.html

linux命令备忘录

by

名词

1
2
3
4
5

pie: position-independent executable
pic: position-independent code
aslr: address space layout randomization
got: global offset table
vdso: virtual dynamic shared object

Basic command

1
2
3
4
5
6
7
8
9
10
11
12
13

grep [OPTION]... PATTERNS [FILE]...
find [-H] [-L] [-P] [-Olevel] [-D debugopts] [path...] [expression]
find . -size +2G -exec du -sh {} \;
ps axl | grep VirtualBoxVM | grep -v grep | awk '{print $3};'
cat /etc/passwd | sort -k5,5 -t: | column -t -s:
while true; do echo sleep 1 sec; sleep 1; cat /home/work/aa.txt 2>/dev/null && echo ok && break; done
echo first | xargs -i echo {} second
 
cat /etc/shadow
sudo !!
 
cd other_dir
cd - # return back

swap文件

1
2
3
4

dd if=/dev/zero of=./swap_file bs=1G count=8
mkswap ./swap_file
swapon ./swap_file
swapoff ./swap_file

objcopy

1
2
3

objcopy -I binary -O elf32-i386 -B i386 test.jpg test.o
objdump -s -b binary test.o
readelf -s test.o

静态链编stdc++

1

-Bstatic -lstdc++ -Bdynamic

工具

1
2
3
4
5
6

systemtap
inotify-tools
windres
reptyr
nmcli
nmtui

自启动

1
2
3
4
5
6
7
8
9
10
11
12

#/lib/systemd/system/mytask.service
#ln -s /lib/systemd/system/mytask.service /etc/systemd/system/multi-user.target.wants/mytask.service
[Unit]
Description=mytask
After=network.target
 
[Service]
Type=simple
ExecStart=mytask.sh
 
[Install]
WantedBy=multi-user.target

ubuntu

1
2
3
4
5
6
7
8
9
10

#网络配置文件路径,默认DHCP的连接不会生成文件
/etc/NetworkManager/system-connections/
#run arm64 binary on x86
dpkg --add-architecture armhf && apt-get update && apt-get install libc6:armhf
cat /proc/sys/fs/binfmt_misc/
qemu-user -L /home/bamanzi/i386-libs ./prog
#disable background process
systemctl disable unattended-upgrades
ss -tap
pv -d <pid>

centos

1
2
3
4

#网络配置文件路径
/etc/sysconfig/network-scripts/ifcfg-
#compiz
https://spins.fedoraproject.org/mate-compiz/download/index.html

refer to:
http://blog.chinaunix.net/uid-28461677-id-5766451.html
https://blog.csdn.net/weixin_33842304/article/details/91443399
https://unix.stackexchange.com/questions/4034/how-can-i-disown-a-running-process-and-associate-it-to-a-new-screen-shell
https://blog.csdn.net/wuzhong8809/article/details/117450302
https://stackoverflow.com/questions/18312935/find-file-in-linux-then-report-the-size-of-file-searched
https://www.toutiao.com/a7073448755428688399/
https://www.likecs.com/show-695436.html

Optimizing the kernel for VMware

by 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

[*] 64-bit kernel (leave blank for x86)
 
General Setup --->
  [*] Optimize very unlikely/likely branches
 
Power management and ACPI options --->
  [*] ACPI (Advanced Configuration and Power Interface) Support --->
 
Processor type and features --->
  Processor Family (usually Core2/Newer Xeon)
 
Bus Options --->
  < > PCCard (PCMCIA/Cardbus) support
 
Networking support --->
  [ ] Amateur Radio support
  [ ] Wireless (only if you plan on using nat EXCLUSIVELY)
 
Device Drivers --->
  Generic Driver Options
    [*] Maintain a devtmpfs filesystem to mount at /dev
 
  Misc Devices --->
    [*] VMware Balloon Driver (manages memory between VM and host)
    [*] VMware VMCI Driver (Virtual Machine Communication Interface - low-latency access to host memory bus)
 
  SCSI device support --->
    [*] SCSI low-level drivers --->
      <*> VMware PVSCSI driver support (high throughput storage adapter)
 
  [*] Fusion MPT device support --->
    <*> Fusion MPT ScsiHost drivers for SPI
 
  [*] Network device support --->
    [*] Ethernet driver support --->
      (disable every driver but this)
      [*] AMD Devices
        <*> AMD PCNet32 PCI support
    [ ] Wireless LAN (ONLY if you disabled Wireless networking support above)
    < > VMware VMXNET3 ethernet driver (PCNet32 is more than enough for most use cases - enable this only if you have spare cpu cycles to burn)
 
  Graphics support --->
    <*> Direct Rendering Manager
    < > Intel 8xx/9xx/G3x/G4x/HD Graphics
    <*> DRM driver for VMware Virtual GPU
      [*] Enable framebuffer console support under vmwgfx by default
    <*> Support for frame buffer devices
 
    Console display driver support --->
      <*> Framebuffer Console support
 
  Sound card support --->
    <*> Advanced Linux Sound Architecture --->
      [*] PCI sound devices
        <*> (Creative) Ensoniq AudioPCI 1371/1373
        < > Intel HD Audio
 
  File systems --->
    (enable only those you anticipate using)
    <*> Second extended fs support
    <*> The Extended 4 (ext4) filesystem
    <*> XFS filesystem support
    <*> Btrfs filesystem Unstable disk format
 
    Pseudo filesystems --->
      [*] Tmpfs virtual memory file system support (former shm fs)
        [*] Tmpfs POSIX Access Control Lists

efi boot (uncertain, maybe need to ask pc maker for signing the kernel.)

1
2
3
4
5
6

Processor type and features --->
  [*] EFI runtime service support 
  [*]   EFI stub support
Firmware Drivers  --->
   EFI (Extensible Firmware Interface) Support  --->
       <*> EFI Variable Support via sysfs

device mapper

1
2
3

Device Drivers
	Multiple devices driver support (RAID and LVM)
		<M>   Device mapper support

refer to:
https://forums.gentoo.org/viewtopic-p-7332884.html
https://stackoverflow.com/questions/40344484/cant-load-self-compiled-linux-kernel