Posts Tagged ‘ Linux

如何解決 TLS/SSL 使用了不安全的加密演算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160

弱點掃瞄

弱點: TLS Service Supports Weak Cipher Suite

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.

  • Severity: Medium
  • Risk: A TLS service was observed supporting weak cipher suites.
  • Recommendation: Disable the cipher suites listed in the evidence column of the measurement.

Read more

如何解決 SSH Server 使用了不安全的加密演算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160

弱點掃瞄

弱點 1: SSH Supports Weak Cipher

The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.

  • Severity: Medium
  • Risk: A weak cipher has been detected.
  • Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.

弱點 2: SSH Supports Weak MAC

The SSH server is configured to support MD5 algorithm. The cryptographic strength depends upon the size of the key and algorithm that is used. A Modern MAC algorithms such as SHA1 or SHA2 should be used instead.

  • Severity: Medium
  • Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
  • Recommendation: Configure the SSH server to disable the use of MD5.

Read more

如何解決 Web/Mail Server 使用了不安全的 SSL 通訊協定

弱點掃瞄

弱點: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.

  • Severity: High
  • Risk: A TLS service was observed supporting weak protocols.
  • Recommendation: Disable the protocols listed in the evidence column of the measurement.

Read more

如何自動將網站的 http:// 網址轉址為 https://

弱點掃瞄

弱點: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

  1. Open Wi-Fi Hotspots
  2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
  3. Malicious Wi-Fi access points
  4. Compromised switches and routers
  5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.

  • Severity: High
  • Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
  • Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.

Read more

[Android Auto]如何解決導航時 GPS 的訊號不良、訊號中斷問題

Android Auto 車機的 GPS 定位問題

我的車機是 Pioneer AVH-Z9250BT,手機是小米 12,我通常是使用無線的方式連接車機的 Android Auto

不過在車機上的 Android Auto 使用 Google Maps 導航時,偶爾會出現行車位置漂移、GPS 訊號中斷、正在搜尋 GPS 訊號,或無法顯示地圖...之類的問題! Android Auto 的 GPS 定位應該是來自手機,但是同一時間,如果我開啟手機上的導航王來查看,導航王的定位卻又無比正確!

原本以為是我我的車機太爛,或有相容性的問題,上網尋找答案,又發現很多網友有同樣的問題,其中也不乏一些百萬名車內建的車機! 幸好有找到解決方法!
Read more

CentOS 5/6 改為可用的 yum 套件庫來源 (2022)

若執行 yum 出現:

http://mirror.centos.org/centos/6/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
To address this issue please refer to the below knowledge base article

表示系統預設的 yum 套件庫可能已經不存在!

我們可以在 vault.centos.org 找到可用的套件庫來源:

  • vault.centos.org: http
  • archive.kernel.org: http - rsync (rsync://archive.kernel.org::centos-vault/)
  • linuxsoft.cern.ch: http - rsync (rsync://linuxsoft.cern.ch/centos-vault/)
  • mirror.nsc.liu: http - rsync (rsync://mirror.nsc.liu.se::centos-store/)

Read more

CentOS 安裝 xrdp (yum)

安裝流程

1. xrdp 是放在 EPEL 套件庫,所以我們要先安裝 EPEL。依據不同版本的 CentOS 請參考: CentOS 如何加入第三方 Yum 套件庫: EPEL
2. 安裝 xrdp 及 tigervnc server:

yum install xrdp tigervnc-server

3. 啟動 xrdp

service xrdp start

4. 加到開機自動執行

chkconfig xrdp on

PS. 只要啟動 xrdp 即可,tigervnc server 裝好後就不用理它了。

設定與登入

設定與登入的方式與之前的教學一樣,請自行參考。

參考網頁

  1. 安裝 xrdp v0.6.0 (原始檔)
  2. Linux 上的遠端桌面中繼程式: xrdp (v0.4.2)
  3. CentOS 如何加入第三方 Yum 套件庫: EPEL

Centos 6.x 如何停用 IPv6

為什麼要停用 IPv6?

  1. 不熟、抗拒學習
  2. IPv6 也要設 IP 反解 PTR
  3. Gmail 會擋沒有設 IPv6 反解的郵件

Read more

CentOS 如何加入第三方 Yum 套件庫: EPEL

EPEL 的全稱為「Extra Packages for Enterprise Linux」,是由 Fedora 社群打造,為 RHEL 及衍生發行版如 CentOS、Scientific Linux、Rocky Linux、Oracle Linux...等提供高品質套件庫的專案。裝了 EPEL 之後,等於添加了一個資源豐富的第三方套件庫。

Read more

[MySQL]資料庫的備份與還原

資料庫匯出/備份

1. 備份單一資料庫:

$ mysqldump -u Username -p --opt DatabaseName > Backup.sql

2. 僅備份特定資料庫下的資料表:

$ mysqldump -u Username -p --opt DatabaseName Table1 Table2... > Backup.sql

3. 僅匯出資料表結構:

$ mysqldump -u Username -p --opt --no-data DatabaseName > Backup.sql

4. 備份全部的資料庫:

$ mysqldump -u Username -p -A --opt > AllBackup.sql

mysql/mysqldump/mysqladmin 與「登入」有關的參數說明:

  • -u Username: 用來存取 mysql 資料表的用戶名稱。此參數可省略,若省略,則表示為目前登入 linux 的用戶名稱。
  • -p: 於執行時再詢問密碼。
  • -pPassword: 用來存取 mysql 資料表的密碼,-p 與 Password 的中間不可有空格。

資料庫匯入/還原

1. 建立資料庫,再從備份檔匯入單一資料庫:

$ mysqladmin -u Username -p create DatabaseName
$ mysql -u Username -p DatabaseName < Backup.sql

2. 從備份檔匯入全部的資料庫 (不需先建立資料庫):

$ mysql -u Username -p < AllBackup.sql

狀況處理:

狀況 1.

匯入資料庫時出現錯誤訊息: Unknown collation: 'utf8mb4_unicode_ci' Unknown collation: 'utf8mb4_unicode_520_ci'

說明:

MySQL 於 v5.5.3 版之後才有「utf8mb4」的編碼格式。原本 utf8 的最大編碼長度為 3bytes,而 utf8mb4 的最大編碼長度為 4bytes,因此它比 utf8 可以儲存更多的字元。但是以常用的文字來講,utf8 已經完全足夠使用了。若不昇級 MySQL Server,則只須將匯入的字元編碼格式改為原本的 utf8。

解決方法:

先將備份檔中的 utf8mb4 字串替換成 utf8: (以下的三行指令需依照順序執行)

$ sed -i 's/utf8mb4_unicode_ci/utf8_general_ci/g' Backup.sql
$ sed -i 's/utf8mb4_unicode_520_ci/utf8_general_ci/g' Backup.sql
$ sed -i 's/utf8mb4/utf8/g' Backup.sql

全部替換完再進行匯入:

$ mysql -u Username -p DatabaseName < Backup.sql

狀況 2.

以 mysqldump 匯出資料庫時出現錯誤訊息: Got error: 1044: Access denied for user 'backup'@'localhost' to database 'test' when using LOCK TABLES

說明:

這錯誤訊息已說明了用來執行 mysqldump 的帳號沒有「LOCK TABLES」權限! 通常用 root 帳號匯出資料庫不會發生這個問題,因為我們會給 root 所有的權限。然而我們在設定其它帳號時可能會忘了給它設定「LOCK TABLES」權限,而執行 mysqldump 至少需要「SELECT」與「LOCK TABLES」權限才行,最好再加上「SHOW VIEW」、「EVENT」與「TRIGGER」。

解決方法:

重新授予用戶權限:

grant SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER on *.* to 'backup'@'localhost' identified by '{Password}';
flush privileges;

狀況 3.

從 cpanel 下載的 MySQL 檔案格式為 *.gz,可以用 gunzip 解壓縮:

$ gunzip Backup.sql.gz

注意: 使用 gunzip 解壓縮後,原本的 *.gz 會被刪除!!若要保留舊檔,須改用下列指令:

 $ gunzip -c Backup.sql.gz > Backup.sql

資料庫離線備份/還原

MySQL 的資料庫放在 /var/lib/mysql 下,以資料庫的名稱做為目錄的名稱。直接將 /var/lib/mysql 下的資料庫目錄用 tar 指令個別壓縮起來即可做為備份。要還原再把檔案解壓縮回去。

要以這種方式執行備份與還原都必須先停止 MySQL 的服務:

$ service mysqld stop

參考網頁

return top