Archive for the ‘Server’ Category
How to fix TLS/SSL using insecure encryption algorithms: ARCFOUR, CBC, HMAC-MD5, HMAC-RIPEMD160
Vulnerability scan
Vulnerability: TLS Service Supports Weak Cipher Suite
Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.
- Severity: Medium
- Risk: A TLS service was observed supporting weak cipher suites.
- Recommendation: Disable the cipher suites listed in the evidence column of the measurement.
How to fix an SSH server using insecure encryption algorithms: ARCFOUR, CBC, HMAC-MD5, HMAC-RIPEMD160
Vulnerability scan
Vulnerability 1: SSH Supports Weak Cipher
The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.
- Severity: Medium
- Risk: A weak cipher has been detected.
- Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.
Vulnerability 2: SSH Supports Weak MAC
The SSH server is configured to support the MD5 algorithm. The cryptographic strength depends upon the size of the key and the algorithm that is used. Modern MAC algorithms such as SHA1 or SHA2 should be used instead.
- Severity: Medium
- Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
- Recommendation: Configure the SSH server to disable the use of MD5.
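The two SSH findings above both come down to the `Ciphers` and `MACs` lines in `sshd_config`. The following script is an added example, not code from the original post: it lints a constructed sample `sshd_config` for the algorithm families the scanner flags (arcfour, any `-cbc` cipher, `hmac-md5`, `hmac-ripemd160`), then writes a hardened copy that keeps only CTR/GCM ciphers and SHA-2 MACs, using OpenSSH's own algorithm names. The sample file path and its contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find the weak SSH ciphers and
# MACs named in the scan findings and emit hardened directives instead.
# The config below is a constructed sample, not a real server's file.

SAMPLE=/tmp/sshd_config.sample
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour256
MACs hmac-sha2-256,hmac-md5,hmac-ripemd160,hmac-sha1
EOF

# Print the weak algorithm names found on a Ciphers or MACs line, one per line.
# $1 = config file, $2 = directive name (Ciphers or MACs)
weak_algos() {
    awk -v key="$2" 'tolower($1)==tolower(key) {print $2}' "$1" \
      | tr ',' '\n' \
      | grep -E -i 'arcfour|-cbc$|md5|ripemd' || true
}

# Exit status 0 when neither directive lists a weak algorithm, 1 otherwise.
config_is_clean() {
    [ -z "$(weak_algos "$1" Ciphers)" ] && [ -z "$(weak_algos "$1" MACs)" ]
}

# Hardened directives: CTR/GCM ciphers only, SHA-2 MACs (encrypt-then-MAC
# variants first). These are the spellings OpenSSH accepts.
hardened_ciphers() {
    echo "Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
}
hardened_macs() {
    echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
}

# Write a hardened copy: drop the existing Ciphers/MACs lines, append new ones.
# $1 = source config, $2 = destination file
harden_config() {
    grep -v -E -i '^(Ciphers|MACs)[[:space:]]' "$1" > "$2"
    hardened_ciphers >> "$2"
    hardened_macs >> "$2"
}

echo "Weak ciphers in $SAMPLE:"; weak_algos "$SAMPLE" Ciphers
echo "Weak MACs in $SAMPLE:";    weak_algos "$SAMPLE" MACs
harden_config "$SAMPLE" /tmp/sshd_config.hardened
config_is_clean /tmp/sshd_config.hardened && echo "hardened copy lists no weak algorithm"
```

After replacing the two lines in the real `/etc/ssh/sshd_config`, run `sshd -t` to validate the syntax before restarting the service, and keep an existing session open while you reconnect so a typo cannot lock you out. Note that the lint treats `hmac-sha1` as acceptable because the finding text above names SHA1 as a modern alternative; a stricter policy would flag it too.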
How to fix a Web/Mail server using insecure SSL protocols
Vulnerability scan
Vulnerability: SSL/TLS Service Supports Weak Protocol
Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypts communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.
- Severity: High
- Risk: A TLS service was observed supporting weak protocols.
- Recommendation: Disable the protocols listed in the evidence column of the measurement.
How to automatically redirect a website's http:// URLs to https://
Vulnerability scan
弱點: Site does not enforce HTTPS
The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:
- Open Wi-Fi Hotspots
- WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
- Malicious Wi-Fi access points
- Compromised switches and routers
- ARP poisoning on the same wired network
It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site does not contain sensitive information, an attacker can still inject malicious content into a user's browser.
- Severity: High
- Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
- Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.
A summary of commonly used Windows commands
The executables for these commands are usually located in C:\Windows\System32\, and the commands can be run from any of these places:
- The "Run" item in the Start menu
- The Run dialog opened with Win + R
- The search box opened with Win + Q or Win + S
- The cmd command prompt
- The address bar of File Explorer
Changing the Windows hibernation settings so the computer does not hibernate automatically
After one Windows 10 update, my computer, which I had already configured not to shut down automatically, started entering hibernation! The cause seems to be that the time before hibernation was changed, yet the detailed "Hibernate" options are not easy to find in the Windows settings!
Windows really loves making trouble!
First, some background: the four options in the Windows 10 shutdown menu:
- Sleep (S3): writes the state of the desktop and applications to memory and keeps the computer powered on at very low power consumption, so that when it is woken it returns immediately to the state it was in before sleeping. Since Windows Vista, Sleep mode has replaced Standby mode.
- Hibernate (S4): writes the state of the desktop and applications to disk and then powers off the computer; on the next boot the computer restores the state it was in before hibernating. Booting from hibernation is slower than waking from sleep.
- Shut down (S5): closes all applications and powers off the computer; no state is saved automatically.
- Restart: closes all applications and restarts the computer and the operating system.
Switching CentOS 5/6 to a still-working yum repository source (2022)
If running yum produces:
http://mirror.centos.org/centos/6/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 404 Not Found"
Trying other mirror.
To address this issue please refer to the below knowledge base article
it means the system's default yum repository probably no longer exists!
We can find a working repository source at vault.centos.org:
Installing xrdp on CentOS (yum)
Installation steps
1. xrdp lives in the EPEL repository, so EPEL must be installed first. For your CentOS version, see: How to add the third-party yum repository EPEL to CentOS.
2. Install xrdp and the tigervnc server:
yum install xrdp tigervnc-server
3. Start xrdp
service xrdp start
4. Enable it to start automatically at boot
chkconfig xrdp on
P.S. Starting xrdp is enough; once tigervnc server is installed it can be left alone.
Configuration and login
Configuration and login work the same way as in the earlier tutorial; please refer to it.
Reference pages
Steps to migrate a Linode VPS to another data center (Add/Resize/Clone)
One of my Linode VPSes was blocked by the GFW for no apparent reason!! Helpless, and not wanting to replace the VPS, I could try changing its IP or migrating it to another data center.
In the past, both of these required submitting a ticket and having Linode support handle it, but support staff no longer seem to help with changing IPs!!
No matter: once we learn to use Linode's "Clone" feature, we can change the IP or migrate data centers ourselves.
Linode pricing
Before using the "Clone" feature, let's first understand the relevant Linode charges:
- Early Linode accounts paid by monthly plan + prepayment: buying one year gave a 10% discount and two years a 15% discount. If a VPS was deleted before the month was used up, the remaining time was refunded proportionally to your account. Downgrading a plan also refunded the difference. (Since 2019/04/01, all accounts have been forcibly converted to hourly + monthly billing.)
- Users who joined after 2014 pay by hourly usage + monthly billing.
- The smallest billing unit is the hour; even one second over counts as a full hour.
- Billing starts as soon as a VPS is "added", even if the VPS is not powered on.
- Enabling the "Backups" feature adds roughly 20~25% to the cost.
- During a "Clone", two VPSes are billed at the same time.
- Billing can be changed from "monthly" to "hourly", but there is no way to change from "hourly" back to "monthly".