| //wearversion | |
| //wearlog | |
| //wearvoiceinputenable | |
| //wearvoiceinputdisable | |
| //weargoogleapi | |
| //assert | |
| //pushassert | |
| //uplog | |
| //upcrash | |
| //switchnotificationstatus |
| #Read multiple keys from an authorized_keys file and print the finger print | |
| [root@server01 .ssh]# while read line; do ssh-keygen -l -f /dev/stdin <<< $line; done < authorized_keys | |
| 2048 87:7a:4d:70:d2:10:a4:4b:b7:e1:2b:7c:77:92:25:04 /dev/stdin (RSA) | |
| 2048 7d:f0:89:94:00:09:bc:70:46:59:8d:9a:70:3b:ac:70 /dev/stdin (RSA) | |
| 2048 61:63:ee:0d:f6:d2:d8:d6:ae:37:0c:35:ae:da:51:6a /dev/stdin (RSA) | |
| #read a key from authorized key file | |
| [root@server01 .ssh]# ssh-keygen -l -f authorized_keys | |
| 2048 87:7a:4d:70:d2:10:a4:4b:b7:e1:2b:7c:77:92:25:04 authorized_keys (RSA) |
由于路由管控系统的建立,实时动态黑洞路由已成为最有效的封锁手段,TCP连接重置和DNS污染成为次要手段,利用漏洞的穿墙方法已不再具有普遍意义。对此应对方法是多样化协议的VPN来抵抗识别。这里介绍一种太简单、有时很朴素的“穷人VPN”。
朴素VPN只需要一次内核配置(Linux内核),即可永久稳定运行,不需要任何用户态守护进程。所有流量转换和加密全部由内核完成,原生性能,开销几乎没有。静态配置,避免动态握手和参数协商产生指纹特征导致被识别。并且支持NAT,移动的内网用户可以使用此方法。支持广泛,基于L2TPv3标准,Linux内核3.2+都有支持,其他操作系统原则上也能支持。但有两个局限:需要root权限;一个隧道只支持一个用户。
朴素VPN利用UDP封装的静态L2TP隧道实现VPN,内核XFRM实现静态IPsec。实际上IP-in-IP隧道即可实现VPN,但是这种协议无法穿越NAT,因此必须利用UDP封装。内核3.18将支持Foo-over-UDP,在UDP里面直接封装IP,与静态的L2TP-over-UDP很类似。
| $ LD_PRELOAD=$PWD/sendmsg.so dig twitter.com @8.8.8.8 | |
| ;; Warning: Message parser reports malformed message packet. <-- malformed 因为把压缩指针当作域名一部分了 | |
| ;; Question section mismatch: got twitter.com/RESERVED0/CLASS256 | |
| ; <<>> DiG 9.9.5-3-Ubuntu <<>> twitter.com @8.8.8.8 | |
| ;; global options: +cmd | |
| ;; Got answer: | |
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44722 | |
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 |
| ---- | |
| Linux 基于策略的路由(Linux Policy Routing) | |
| Linux 有传统的基于数据包目的地址的路由算法,和新的基于策略的路由算法 | |
| 新算法优点:支持多个路由表,支持按数据报属性(源地址、目的地址、协议、端口、数据包大小、内容等)选择不同路由表 | |
| # 查看规则命令,后面可跟其它参数,默认为 show(list) 显示全部 | |
| ip rule |
| # | |
| # /etc/sysctl.conf - Configuration file for setting system variables | |
| # See /etc/sysctl.d/ for additonal system variables | |
| # See sysctl.conf (5) for information. | |
| # | |
| #kernel.domainname = example.com | |
| # Uncomment the following to stop low-level messages on console | |
| #kernel.printk = 3 4 1 3 |
| # Kernel sysctl configuration file for Red Hat Linux | |
| # | |
| # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and | |
| # sysctl.conf(5) for more details. | |
| # Turn on execshield | |
| # 0 completely disables ExecShield and Address Space Layout Randomization | |
| # 1 enables them ONLY if the application bits for these protections are set to “enable” | |
| # 2 enables them by default, except if the application bits are set to “disable” | |
| # 3 enables them always, whatever the application bits |
| #!/bin/sh | |
| ### | |
| # | |
| # Change Tor exit node | |
| # | |
| # Sometimes when using Tor you'd like to change the IP address that | |
| # servers see when you connect (that is, change your Tor exit node). | |
| # This happens automatically from time to time, but this shell script | |
| # lets you force it. | |
| # |
