Posts Tagged ‘ Linux

如何解决 TLS/SSL 使用了不安全的加密算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160

弱点扫瞄

弱点: TLS Service Supports Weak Cipher Suite

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.

  • Severity: Medium
  • Risk: A TLS service was observed supporting weak cipher suites.
  • Recommendation: Disable the cipher suites listed in the evidence column of the measurement.

Read more

如何解决 SSH Server 使用了不安全的加密算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160

弱点扫瞄

弱点 1: SSH Supports Weak Cipher

The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.

  • Severity: Medium
  • Risk: A weak cipher has been detected.
  • Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.

弱点 2: SSH Supports Weak MAC

The SSH server is configured to support MD5 algorithm. The cryptographic strength depends upon the size of the key and algorithm that is used. A Modern MAC algorithms such as SHA1 or SHA2 should be used instead.

  • Severity: Medium
  • Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
  • Recommendation: Configure the SSH server to disable the use of MD5.

Read more

如何解决 Web/Mail Server 使用了不安全的 SSL 通讯协定

弱点扫瞄

弱点: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.

  • Severity: High
  • Risk: A TLS service was observed supporting weak protocols.
  • Recommendation: Disable the protocols listed in the evidence column of the measurement.

Read more

如何自动将网站的 http:// 网址转址为 https://

弱点扫瞄

弱点: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

  1. Open Wi-Fi Hotspots
  2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
  3. Malicious Wi-Fi access points
  4. Compromised switches and routers
  5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.

  • Severity: High
  • Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
  • Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.

Read more

[Android Auto]如何解决导航时 GPS 的讯号不良、讯号中断问题

Android Auto 车机的 GPS 定位问题

我的车机是 Pioneer AVH-Z9250BT,手机是小米 12,我通常是使用无线的方式连接车机的 Android Auto

不过在车机上的 Android Auto 使用 Google Maps 导航时,偶尔会出现行车位置漂移、GPS 讯号中断、正在搜寻 GPS 讯号,或无法显示地图...之类的问题! Android Auto 的 GPS 定位应该是来自手机,但是同一时间,如果我开启手机上的导航王来查看,导航王的定位却又无比正确!

原本以为是我我的车机太烂,或有相容性的问题,上网寻找答案,又发现很多网友有同样的问题,其中也不乏一些百万名车内建的车机! 幸好有找到解决方法!
Read more

CentOS 5/6 改为可用的 yum 套件库来源 (2022)

若执行 yum 出现:

http://mirror.centos.org/centos/6/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
To address this issue please refer to the below knowledge base article

表示系统默认的 yum 套件库可能已经不存在!

我们可以在 vault.centos.org 找到可用的套件库来源:

  • vault.centos.org: http
  • archive.kernel.org: http - rsync (rsync://archive.kernel.org::centos-vault/)
  • linuxsoft.cern.ch: http - rsync (rsync://linuxsoft.cern.ch/centos-vault/)
  • mirror.nsc.liu: http - rsync (rsync://mirror.nsc.liu.se::centos-store/)

Read more

CentOS 安装 xrdp (yum)

安装流程

1. xrdp 是放在 EPEL 套件库,所以我们要先安装 EPEL。依据不同版本的 CentOS 请参考: CentOS 如何加入第三方 Yum 套件库: EPEL
2. 安装 xrdp 及 tigervnc server:

yum install xrdp tigervnc-server

3. 启动 xrdp

service xrdp start

4. 加到开机自动执行

chkconfig xrdp on

PS. 只要启动 xrdp 即可,tigervnc server 装好后就不用理它了。

设定与登入

设定与登入的方式与之前的教学一样,请自行参考。

参考网页

  1. 安装 xrdp v0.6.0 (原始档)
  2. Linux 上的远端桌面中继程式: xrdp (v0.4.2)
  3. CentOS 如何加入第三方 Yum 套件库: EPEL

Centos 6.x 如何停用 IPv6

为什么要停用 IPv6?

  1. 不熟、抗拒学习
  2. IPv6 也要设 IP 反解 PTR
  3. Gmail 会挡没有设 IPv6 反解的邮件

Read more

CentOS 如何加入第三方 Yum 套件库: EPEL

EPEL 的全称为“Extra Packages for Enterprise Linux”,是由 Fedora 社群打造,为 RHEL 及衍生发行版如 CentOS、Scientific Linux、Rocky Linux、Oracle Linux...等提供高品质套件库的专案。装了 EPEL 之后,等于添加了一个资源丰富的第三方套件库。

Read more

[MySQL]数据库的备份与还原

数据库汇出/备份

1. 备份单一数据库:

$ mysqldump -u Username -p --opt DatabaseName > Backup.sql

2. 仅备份特定数据库下的资料表:

$ mysqldump -u Username -p --opt DatabaseName Table1 Table2... > Backup.sql

3. 仅汇出资料表结构:

$ mysqldump -u Username -p --opt --no-data DatabaseName > Backup.sql

4. 备份全部的数据库:

$ mysqldump -u Username -p -A --opt > AllBackup.sql

mysql/mysqldump/mysqladmin 与“登入”有关的参数说明:

  • -u Username: 用来存取 mysql 资料表的用户名称。此参数可省略,若省略,则表示为目前登入 linux 的用户名称。
  • -p: 于执行时再询问密码。
  • -pPassword: 用来存取 mysql 资料表的密码,-p 与 Password 的中间不可有空格。

数据库汇入/还原

1. 建立数据库,再从备份档汇入单一数据库:

$ mysqladmin -u Username -p create DatabaseName
$ mysql -u Username -p DatabaseName < Backup.sql

2. 从备份档汇入全部的数据库 (不需先建立数据库):

$ mysql -u Username -p < AllBackup.sql

状况处理:

状况 1.

汇入数据库时出现错误讯息: Unknown collation: 'utf8mb4_unicode_ci' Unknown collation: 'utf8mb4_unicode_520_ci'

说明:

MySQL 于 v5.5.3 版之后才有“utf8mb4”的编码格式。原本 utf8 的最大编码长度为 3bytes,而 utf8mb4 的最大编码长度为 4bytes,因此它比 utf8 可以储存更多的字符。但是以常用的文字来讲,utf8 已经完全足够使用了。若不升级 MySQL Server,则只须将汇入的字符编码格式改为原本的 utf8。

解决方法:

先将备份档中的 utf8mb4 字串替换成 utf8: (以下的三行指令需依照顺序执行)

$ sed -i 's/utf8mb4_unicode_ci/utf8_general_ci/g' Backup.sql
$ sed -i 's/utf8mb4_unicode_520_ci/utf8_general_ci/g' Backup.sql
$ sed -i 's/utf8mb4/utf8/g' Backup.sql

全部替换完再进行汇入:

$ mysql -u Username -p DatabaseName < Backup.sql

状况 2.

以 mysqldump 汇出数据库时出现错误讯息: Got error: 1044: Access denied for user 'backup'@'localhost' to database 'test' when using LOCK TABLES

说明:

这错误讯息已说明了用来执行 mysqldump 的帐号没有“LOCK TABLES”权限! 通常用 root 帐号汇出数据库不会发生这个问题,因为我们会给 root 所有的权限。然而我们在设定其它帐号时可能会忘了给它设定“LOCK TABLES”权限,而执行 mysqldump 至少需要“SELECT”与“LOCK TABLES”权限才行,最好再加上“SHOW VIEW”、“EVENT”与“TRIGGER”。

解决方法:

重新授予用户权限:

grant SELECT, LOCK TABLES, SHOW VIEW, EVENT, TRIGGER on *.* to 'backup'@'localhost' identified by '{Password}';
flush privileges;

状况 3.

从 cpanel 下载的 MySQL 档案格式为 *.gz,可以用 gunzip 解压缩:

$ gunzip Backup.sql.gz

注意: 使用 gunzip 解压缩后,原本的 *.gz 会被删除!!若要保留旧档,须改用下列指令:

 $ gunzip -c Backup.sql.gz > Backup.sql

数据库离线备份/还原

MySQL 的数据库放在 /var/lib/mysql 下,以数据库的名称做为目录的名称。直接将 /var/lib/mysql 下的数据库目录用 tar 指令个别压缩起来即可做为备份。要还原再把档案解压缩回去。

要以这种方式执行备份与还原都必须先停止 MySQL 的服务:

$ service mysqld stop

参考网页

return top