linux shell: kick users offline, kill or terminate unwanted tty/pts

How to kill or terminate unwanted tty/pts sessions in Linux?

Did you ever face this situation, a lot of terminal connections to your server?

Before starting, a brief word on TTY. The word tty stands for teletype terminal. Years ago, the user terminals connected to computers were electromechanical teleprinters or teletypewriters (TeleTYpewriter, TTY), and since then the name TTY has continued to be used for the text-only console. Here CryBit is going to explain the command-line options to kill unwanted, unused or idle ttys.

We need the PID (process ID) of that particular terminal (tty). First check the active connections to the server using the command “w”. Please see the sample output pasted below:

# w
 02:05:41 up 234 days, 23:46,  3 users,  load average: 1.47, 1.89, 1.98
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    w3-oc.lolipop-i   23:51   53:49   0.04s  0.04s -bash
root     pts/2    w3-oc.lolipop-i   01:11    0.00s  0.01s  0.01s w
root     pts/3    w3-oc.lolipop-i   01:12   53:32   0.00s  0.00s -bash

Here, you can see three tty connections to your server, pts/0, pts/2 and pts/3, where PTS stands for pseudo terminal. You can also see which processes are currently executing on those tty connections. This output does not show the process ID (PID) of those ttys.

We can use the ps command to find out the process ID. Here is the usage:

# ps -ft tty

Example

# ps -ft pts/0
UID          PID    PPID  C STIME TTY          TIME CMD
root      331857  331761  0 Oct09 pts/0    00:00:00 -bash

Here you get the user info and the process ID. Then use the kill command to terminate that tty connection.

# kill <PID>

For the above example

# kill 331857

If the process doesn’t terminate gracefully, as a last option you can kill it forcefully by sending a SIGKILL

# kill -9 <PID>

Another way: a single command to kill tty connections

You can also use the pkill command along with the switch “-t” to kill a tty connection forcefully. Please see the command pasted below:

# pkill -9 -t <tty>

Example

# pkill -9 -t pts/0

How to check which tty/pts session you are currently connected on?

Yup, before going with the kill command, you must know which tty/pts session is your own. This can be checked simply with the command ps or tty. See the usages pasted below:

Using ps

# ps
  PID TTY          TIME CMD
29849 pts/0    00:00:00 bash
29996 pts/0    00:00:00 ps

Using tty

# tty
/dev/pts/0

tty is the best command!!

That’s it!! Go ahead and kill _/\_
Thanks!
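
An added example, not part of the original article: the workflow above as a script that reads `w -h` output, converts the IDLE column to seconds and lists sessions idle past a threshold while skipping your own tty. The function names and sample lines are constructed for illustration, and it assumes the procps `w` column layout with a non-empty FROM field.

```shell
#!/bin/sh
# Added example. SAMPLE_W is constructed data in the layout of `w -h`
# (USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT); addresses are documentation IPs.
SAMPLE_W='root     pts/0    198.51.100.7     23:51   53:49   0.04s  0.04s -bash
root     pts/2    198.51.100.7     01:11    0.00s  0.01s  0.01s w
root     pts/3    198.51.100.7     01:12    2:10m  0.00s  0.00s -bash
alice    pts/4    198.51.100.9     Mon09    3days  0.00s  0.00s vim'

# Convert w's IDLE column to seconds. procps prints "12.34s" (seconds),
# "MM:SS", "HH:MMm" or "Ndays" depending on how long the tty has been idle.
idle_to_seconds() {
  printf '%s\n' "$1" | awk '
    /days$/ { sub(/days$/, ""); print $0 * 86400; next }
    /m$/    { sub(/m$/, ""); split($0, a, ":"); print a[1] * 3600 + a[2] * 60; next }
    /s$/    { sub(/s$/, ""); print int($0); next }
    /:/     { split($0, a, ":"); print a[1] * 60 + a[2]; next }
            { print 0 }'
}

# Read `w -h` lines on stdin; print "tty user idle_seconds" for sessions idle
# for at least $1 seconds. $2 is your own tty (output of `tty`) and is skipped.
idle_sessions() {
  threshold=$1
  own=${2#/dev/}
  while read -r user tty _from _login idle _rest; do
    [ -n "$idle" ] || continue
    [ "$tty" = "$own" ] && continue
    secs=$(idle_to_seconds "$idle")
    [ "$secs" -ge "$threshold" ] && echo "$tty $user $secs"
  done
  return 0
}

# Terminate one tty: SIGHUP first (interactive bash ignores SIGTERM), then
# SIGKILL only if processes are still attached after a short wait.
end_session() {
  pkill -HUP -t "$1" || return 0   # nothing attached to that tty
  sleep 2
  if pgrep -t "$1" >/dev/null; then pkill -KILL -t "$1"; fi
}

# Dry run on the sample: list what a 30-minute threshold would select.
idle_sessions 1800 /dev/pts/2 <<EOF
$SAMPLE_W
EOF
# Live use (as root):
# w -h | idle_sessions 1800 "$(tty)" | while read -r t _; do end_session "$t"; done
```

Review the dry-run list before piping it into end_session; `pkill -t` takes the terminal name without the /dev/ prefix, which is the form `w` prints.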

Recovering From a Kernel Panic Using a Custom ISO (Linux rescue)

https://www.vultr.com/docs/recovering-from-a-kernel-panic-using-a-custom-iso

There are times when we modify our kernels to optimize them, upgrade them, or tinker around with them. Unfortunately for Linux-based operating systems, this means that there is the possibility of kernel panics – the equivalent to a “blue screen of death” on Windows. It’s important that you know how to recover from these, as any KVM VPS (including Vultr) or dedicated server that you use has its own kernel.

For this article, I’ll explain how to recover from a kernel panic on a Vultr VPS. I will be using an ISO from the SystemRescueCd project.

Step 1: Finding the error

From the Vultr control panel, select your VPS and hit VNC console. Attempt to boot the server, and you’ll be able to see the error. Take note of this so that you can repair it.

Step 2: Mounting a custom ISO from the control panel

Click the “ISO” option, and input the SystemRescueCd ISO URL. You may visit the official site for newer images.

http://iweb.dl.sourceforge.net/project/systemrescuecd/sysresccd-x86/4.5.3/systemrescuecd-x86-4.5.3.iso


From there, head back to your VPS controls and click “Mount ISO”.

When you open the VNC console, you will be greeted with a pop-up screen. Press “Enter” on the first option, and your system will start up.


Step 3: Rescuing your kernel

Now that you have access to a shell prompt, create a directory to mount your VPS’s disk.

mkdir /rescuedisk

Now, mount the disk.

mount /dev/vda1 /rescuedisk

You now have access to your files. At this point, you can choose whether to copy your files to a remote server, or research the kernel panic’s message that you took note of earlier.

An example of a kernel panic issue would be a missing /etc/shadow file, or any missing system file. You could replace a missing file with a backup by copying over /etc/shadow- to /etc/shadow. For example:

cd /rescuedisk
cp etc/shadow- etc/shadow

Once you have finished fixing the issue, unmount the ISO from the Vultr control panel and reboot your VPS by typing reboot in the prompt. If your issue was fixed, then your VPS will boot normally.
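
An added example, not from the original article: the /etc/shadow restore above wrapped in a function that refuses to overwrite a live file, checks that the backup looks like a shadow file, and keeps its owner and mode. The function name restore_shadow is hypothetical; /rescuedisk is the mount point used above.

```shell
#!/bin/sh
# restore_shadow ROOT: restore ROOT/etc/shadow from ROOT/etc/shadow- only when
# the live file is missing or empty and the backup is well formed.
restore_shadow() {
  root=${1:-/rescuedisk}
  live="$root/etc/shadow"
  backup="$root/etc/shadow-"
  if [ -s "$live" ]; then
    echo "shadow present, not touching it"; return 1
  fi
  if [ ! -s "$backup" ]; then
    echo "no usable backup at $backup"; return 2
  fi
  # Every shadow(5) entry has exactly 9 colon-separated fields.
  if ! awk -F: 'NF != 9 { bad = 1 } END { exit bad + 0 }' "$backup"; then
    echo "backup is malformed, refusing to restore"; return 3
  fi
  # -p keeps the backup's owner, group and mode, so the password hashes
  # do not become world-readable under the rescue system's umask.
  cp -p "$backup" "$live" && echo "restored $live"
}

# Only acts when the rescue mount from the steps above is present.
if [ -d /rescuedisk/etc ]; then restore_shadow /rescuedisk || true; fi
```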

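(Repost) Installing an OS on the new ConoHa by uploading an ISO image through the API

After some tinkering, I (the original poster) have worked out how to upload an ISO through the API and install a system on the new ConoHa. Of course, most people will still use it to install Windows (Xunlei crystal miners, begone; Xunlei is such a rip-off and you still play along?).

This tutorial mainly uses the following APIs:

1. ISO upload API https://www.conoha.jp/docs/compute-iso-download-add.html

2. API for listing uploaded ISOs https://www.conoha.jp/docs/compute-iso-list-show.html

3. API for mounting an uploaded ISO https://www.conoha.jp/docs/compute-insert_iso_image.html

4. API for ejecting an ISO https://www.conoha.jp/docs/compute-eject_iso_image.html

5. Identity (authentication) API https://www.conoha.jp/docs/identity-post_tokens.html

6. API for viewing VPS details https://www.conoha.jp/docs/compute-get_vms_detail_specified.html

First, following the official documentation, I found that most operations do not use the API password from the ConoHa panel but an X-Auth-Token instead. After searching around, I found that the identity API has a call that generates one. The command is as follows: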

curl -i -X POST \
-H "Accept: application/json" \
-d '{
  "auth": {
    "passwordCredentials": {
      "username": "<API username>",
      "password": "<API user password (add one yourself in the panel)>"
    },
    "tenantId": "<tenant ID>"
  }
}' \
https://identity.tyo1.conoha.io/v2.0/tokens

This is the Tokyo API endpoint; for other regions, change the address following the same format.



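Running it returns a block of data. Pay attention to this part:

{
  "access": {
    "token": {
      "issued_at": "2015-05-19T07:08:21.927295",
      "expires": "2015-05-20T07:08:21Z",
      "id": "sample00d88246078f2bexample788f7",
          (rest omitted)

The id in this block is the X-Auth-Token, and the expires above it is its validity period. All subsequent operations use the X-Auth-Token.

Now we can start uploading the ISO. Note that because the official API system is not fully built out and its support for http links is incomplete, please use an ISO address in ftp format (the ISO must include the virtio drivers). The upload command is as follows: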

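curl -i -X POST \
-H 'Content-Type: application/json' \
-H "Accept: application/json" \
-H "X-Auth-Token: <your token; note the space before it>" \
-d '{
    "iso-image": {
        "url": "<ISO address in ftp format>"
    }
}' \
https://compute.tyo1.conoha.io/v2/<tenant ID>/iso-images

Likewise, this is the Tokyo API address; for other regions, change it following the same format.

After the command runs it returns data: the ISO address and your API information.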



Next we should check whether the ISO was uploaded successfully. The command is as follows:

curl -i -X GET \
-H 'Content-Type: application/json' \
-H "Accept: application/json" \
-H "X-Auth-Token: <your token; again with a space before it>" \
https://compute.tyo1.conoha.io/v2/<tenant ID>/iso-images

The returned data looks roughly like this:

{
  "iso-images": [
    {
      "url": "ftp://ftp.riken.jp/Linux/centos/6.6/isos/x86_64/CentOS-6.6-x86_64-minimal.iso",
      "path": "/mnt/isos/repos/tenant_iso_data/43b36734a9e541fd91a62fc63ee93fed/CentOS-6.6-x86_64-minimal.iso",
      "ctime": "Fri Oct 24 23:22:57 2014",
      "name": "CentOS-6.6-x86_64-minimal.iso",
      "size": 401604608
    },
    {
      "url": "http://ftp.riken.jp/Linux/centos/7/isos/x86_64/CentOS-7.0-1406-x86_64-Everything.iso",
      "path": "/mnt/isos/repos/tenant_iso_data/43b36734a9e541fd91a62fc63ee93fed/CentOS-7.0-1406-x86_64-Everything.iso",
      "ctime": "Sat Jul  5 07:16:46 2014",
      "name": "CentOS-7.0-1406-x86_64-Everything.iso",
      "size": 7062159360
    }
  ]
}

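An ISO that appears in this list was uploaded successfully. Mounting the image uses its path.

The mount command is as follows (prerequisites: create the VPS first, then shut it down, and in Panel → Server → VPS (don't actually expect an option named VPS) → VPS settings, change the console keyboard mapping to en-us):

curl -i -X POST \
-H "Accept: application/json" \
-H "X-Auth-Token: <your token>" \
-d '{"mountImage": "<path from the uploaded-ISO list above>"}' \
https://compute.tyo1.conoha.io/v2/<tenant ID>/servers/<VPS UUID>/action

The VPS UUID is shown in the VPS settings and in the page URL when you open VPS management.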



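Next, view the VPS details to confirm that the mount succeeded:

curl -i -X GET \
-H "Accept: application/json" \
-H "X-Auth-Token: <your token>" \
https://compute.tyo1.conoha.io/v2/<tenant ID>/servers/<UUID from the previous step>

Look through the returned information yourself; if it contains your ISO's path, the mount succeeded.

Then power the VPS on (the mount step above must be done while it is powered off, otherwise it fails).

Open VNC and reboot. You will be prompted to press any key to boot from the CD drive, and the rest needs no explanation. The only thing to watch out for is that the console keyboard mapping in the VPS settings must be changed to en-us (ignore this if your computer has a Japanese keyboard), otherwise all sorts of strange things happen.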



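By the way, please eject the ISO after the installation is finished; leaving it mounted does not seem to cause problems either. Run this while the VPS is powered off:

curl -i -X POST \
-H "Accept: application/json" \
-H "X-Auth-Token: <your token>" \
-d '{"unmountImage": ""}' \
https://compute.tyo1.conoha.io/v2/<tenant ID>/servers/<VPS UUID>/action

The response contains nothing of interest; ignore it.

That's it, end of tutorial.

(Don't ask me where to run these commands... any Linux machine with network access will do.)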

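Accessing a Raspberry Pi on an internal network from outside

How to conveniently control the Raspberry Pi at home from an outside network became a problem.

With a public VPS available as a relay to reach the Raspberry Pi, there are several options:

1. First choice: VPN

This is simple: set up a VPN on the VPS, then connect both the Raspberry Pi and the controlling machine to the VPN. The Raspberry Pi and the controlling machine are then on the same LAN and can connect directly over ssh.

2. SSH reverse tunnel

Run on the Raspberry Pi: ssh -NfR 80:127.0.0.1:80 [user]@[relay server public IP] -p [relay server ssh port]

On the relay server you can also set the GatewayPorts parameter to yes, so that the forwarded port listens on all interfaces rather than only on the relay's loopback address.

Reference: https://github.com/ma6174/blog/issues/7

Google search terms: 访问内网 树莓派 (access internal network, Raspberry Pi)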

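PuTTY / WinSCP: switching to root after login

Many Linux systems do not allow root login by default, so permission problems make operations a hassle.

In PuTTY you can switch to root with sudo -i or su - root.

WinSCP can actually do it too: http://winscp.net/eng/docs/faq_su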

 

 

Use sudo on Login

In some cases (with Unix/Linux server) you may be able to use sudo command straight after login to change a user, before file transfer session starts.

FTP protocol does not allow this.

The SFTP and SCP protocols allow for this, but the actual method is platform dependent.

With SFTP protocol, you can use SFTP server option on SFTP page of Advanced Site Settings dialog to execute SFTP binary under a different user. With OpenSSH server, you can specify:

sudo /bin/sftp-server

Note that the SFTP server binary may be located elsewhere (e.g. in /usr/lib/sftp-server, /usr/lib/openssh/sftp-server or /usr/libexec/openssh/sftp-server).

With SCP protocol, you can specify the following command as custom shell on the SCP/Shell page of Advanced Site Settings dialog:

sudo -s

Change default network name to old "eth0" on RHEL 7 / Fedora

 https://esuareznotes.wordpress.com/2014/07/11/change-default-network-name-to-old-eth0-on-rhel-7-fedora-19-above/

Red Hat Enterprise Linux 7 is based on Fedora 19 and the upstream 3.10 kernel.

Ever wanted to change back to the default network device name like "ethX"?

This is based on a VMware installation, where the default NIC name is "eno16777736".

# ip addr show

1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:92:78:40 brd ff:ff:ff:ff:ff:ff
inet XX.X.XX.XX/24 brd 10.0.10.255 scope global dynamic eno16777736
valid_lft 85931sec preferred_lft 85931sec
inet6 fe80::20c:29ff:fe92:7840/64 scope link
valid_lft forever preferred_lft forever

# vi /etc/default/grub

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.lvm.lv=rootvg/usrlv rd.lvm.lv=rootvg/swaplv crashkernel=auto vconsole.keymap=us rd.lvm.lv=rootvg/rootlv vconsole.font=latarcyrheb-sun16 rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

Look for the line "GRUB_CMDLINE_LINUX" and append the following: "net.ifnames=0 biosdevname=0"

It should look like this:
GRUB_CMDLINE_LINUX="rd.lvm.lv=rootvg/usrlv rd.lvm.lv=rootvg/swaplv crashkernel=auto vconsole.keymap=us rd.lvm.lv=rootvg/rootlv vconsole.font=latarcyrheb-sun16 rhgb quiet net.ifnames=0 biosdevname=0"

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file …
Found linux image: /boot/vmlinuz-3.10.0-121.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-121.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-df30d92ad3eb414583d85bb471003eb4
Found initrd image: /boot/initramfs-0-rescue-df30d92ad3eb414583d85bb471003eb4.img
done

If you did not set interface names during the installation, you also need to rename the interface configuration file /etc/sysconfig/network-scripts/ifcfg-*.

# mv /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ifcfg-eth0
# shutdown -r now

After system reboot

# ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:92:78:40 brd ff:ff:ff:ff:ff:ff
inet 10.0.10.77/24 brd 10.0.10.255 scope global dynamic eth0
valid_lft 86141sec preferred_lft 86141sec
inet6 fe80::20c:29ff:fe92:7840/64 scope link
valid_lft forever preferred_lft forever

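Testing network speed on Linux with speedtest-cli

On Windows we can conveniently open speedtest.net in a browser to test network speed. On a Linux system without a graphical interface, we can also run the test with a small script, speedtest-cli.

The script used in this article has been tested on CentOS 6, Debian 7 and Ubuntu 12.04/14.04; because these distributions all include Python 2.7.* by default, it is very convenient to use.

1. Download the script and make it executable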

wget -O speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli

curl -o speedtest-cli https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py
chmod +x speedtest-cli

2. How to run it

The default speed test only needs a single command:

./speedtest-cli

 

 

 

from http://ttt.tt/164/

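(Repost) DDoS deflate: defending against and mitigating DDoS attacks on Linux

Original: http://www.vpser.net/security/ddos-deflate.html

About DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track IP addresses that create a large number of network connections; when it detects a node exceeding the preset limit, it bans or blocks those IPs through APF or IPTABLES.

DDoS deflate official site: http://deflate.medialayer.com/

How do you confirm whether you are under a DDoS attack?

Run:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

After running it, the number of connections from each IP to the server is displayed.

The following is the result of my own test on a VPS: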

li88-99:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

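A few, a dozen or a few dozen connections per IP is still fairly normal; hundreds or thousands, as above, is definitely abnormal.

1. Install DDoS deflate

wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh    # set permissions
./install.sh             # run it

2. Configure DDoS deflate

Below is DDoS deflate's default configuration, located at /usr/local/ddos/ddos.conf: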

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # IP address whitelist
CRON="/etc/cron.d/ddos.cron"    # cron job that runs the script periodically
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1   # check interval, default 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150     # maximum connections; an IP exceeding this is blocked. The default is usually fine

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1        # use APF or iptables. iptables is recommended: change APF_BAN to 0

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to block IPs; the default is fine

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # send mail to this address when an IP is blocked; recommended, replace with your own mailbox

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600    # how long an IP stays banned, default 600 seconds; adjust as needed

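Users can modify the configuration file following the comments added to the default configuration above.

Look at line 117 of /usr/local/ddos/ddos.sh:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

Change it to the following:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST

If you like tinkering, you can test the effect with web stress-testing software. I believe DDoS deflate can still help your VPS or server withstand some DDoS attacks and give your website more protection.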
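
An added example, not DDoS deflate's own code: the per-IP count above rewritten so that header lines ("Address", "servers)") never reach the counter, and generalized beyond the page's pipeline to keep IPv6 peers intact, which `cut -d: -f1` truncates. The function names and the sample netstat lines are constructed for illustration; the ignore file mirrors the role of ignore.ip.list.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -ntu`; all addresses are
# documentation ranges, not real hosts.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:41000    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51003 ESTABLISHED
udp        0      0 192.0.2.10:123          203.0.113.9:123'

# count_peers: read `netstat -ntu` on stdin, print "count address" sorted by
# count. Header lines are dropped by requiring a tcp/udp protocol column, the
# port is stripped at the LAST colon (so IPv6 survives, unlike `cut -d: -f1`),
# and IPv4-mapped peers (::ffff:a.b.c.d) are folded into their IPv4 address.
count_peers() {
  awk '$1 ~ /^(tcp|udp)/ {
         peer = $5
         sub(/:[0-9*]+$/, "", peer)
         sub(/^::ffff:/, "", peer)
         n[peer]++
       }
       END { for (p in n) print n[p], p }' | LC_ALL=C sort -k1,1nr -k2,2
}

# over_limit LIMIT [IGNORE_FILE]: peers with at least LIMIT connections,
# minus addresses listed one per line in IGNORE_FILE (cf. ignore.ip.list).
over_limit() {
  count_peers | awk -v limit="$1" -v ignore="${2:-/dev/null}" '
    BEGIN { while ((getline ip < ignore) > 0) skip[ip] = 1 }
    $1 >= limit && !($2 in skip) { print $2 }'
}

# Demo on the constructed sample; live use: netstat -ntu | over_limit 150
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers
```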

tc: port-based traffic control

 

9.6. Classifying packets with filters

To determine which class shall process a packet, the so-called ‘classifier chain’ is called each time a choice needs to be made. This chain consists of all filters attached to the classful qdisc that needs to decide.

To reiterate the tree, which is not a tree:

                    root 1:
                      |
                    _1:1_
                   /  |  \
                  /   |   \
                 /    |    \
               10:   11:   12:
              /   \       /   \
           10:1  10:2   12:1  12:2

When enqueueing a packet, at each branch the filter chain is consulted for a relevant instruction. A typical setup might be to have a filter in 1:1 that directs a packet to 12: and a filter on 12: that sends the packet to 12:2.

You might also attach this latter rule to 1:1, but you can make efficiency gains by having more specific tests lower in the chain.

You can’t filter a packet ‘upwards’, by the way. Also, with HTB, you should attach all filters to the root!

And again – packets are only enqueued downwards! When they are dequeued, they go up again, where the interface lives. They do NOT fall off the end of the tree to the network adaptor!

9.6.1. Some simple filtering examples

As explained in the Classifier chapter, you can match on literally anything, using a very complicated syntax. To start, we will show how to do the obvious things, which luckily are quite easy.

Let’s say we have a PRIO qdisc called ’10:’ which contains three classes, and we want to assign all traffic from and to port 22 to the highest priority band, the filters would be:

 

# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip dport 22 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 1 u32 match \
  ip sport 80 0xffff flowid 10:1
# tc filter add dev eth0 protocol ip parent 10: prio 2 flowid 10:2

 

What does this say? It says: attach to eth0, node 10: a priority 1 u32 filter that matches on IP destination port 22 *exactly* and send it to band 10:1. And it then repeats the same for source port 80. The last command says that anything unmatched so far should go to band 10:2, the next-highest priority.

You need to add ‘eth0’, or whatever your interface is called, because each interface has a unique namespace of handles.

To select on an IP address, use this:

 

 

Continued at:

http://lartc.org/howto/lartc.qdisc.filters.html