phanx

 groupadd informix

 useradd -g informix informix

passwd informix

cp jdk-1_5_0_04-linux-i586.bin /usr/local

cd /usr/local

./jdk-1_5_0_04-linux-i586.bin

cd /usr/bin

ln –s /usr/local/ jdk1.5.0_04/bin/java java

 

export JAVA_HOME=/usr/local/jdk1.5.0_04

export INFORMIXDIR=/home/informix

tar xvf  ./informix-linux.tar –C ./informix

cd informix

./ids_install

 

 

 

 

          Initializing InstallShield Wizard……..

          Launching InstallShield Wizard……..

 

 

   1. Release Notes

   2. Installation Guide

   3. Begin Installation

 

Please select one of these options [3]

 

Beginning installation…

 

 

Press 1 for Next, 3 to Cancel or 4 to Redisplay [1]

 

Welcome to the InstallShield Wizard for IBM Informix Dynamic Server Bundle

 

The InstallShield Wizard will install IBM Informix Dynamic Server Bundle on

your computer.

To continue, choose Next.

 

 

 

 

 

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

Language not supported in console mode, will display in English

 

 

Software Licensing Agreement

Press Enter to display the license agreement on your screen. Please

read the agreement carefully before installing the Program. After

 reading the agreement, you will be given the opportunity to accept it

 or decline it. If you choose to decline the agreement, installation

 will not be completed and you will not be able to use the Program.

 

 1

     International Program License Agreement

     

     Part 1 - General Terms

     

     BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR USING

     THE PROGRAM YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU

      ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A

      COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT

      THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY,

      OR LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO

      THESE TERMS, 

    

 

    

- DO NOT DOWNLOAD, INSTALL, COPY, ACCESS, OR USE THE

      PROGRAM; AND

    

 

    

- PROMPTLY RETURN THE PROGRAM AND PROOF OF ENTITLEMENT TO

      THE PARTY FROM WHOM YOU ACQUIRED IT TO OBTAIN A REFUND OF

      THE AMOUNT YOU PAID. IF YOU DOWNLOADED THE PROGRAM, CONTACT

      THE PARTY FROM WHOM YOU ACQUIRED IT.

    

 

    

“IBM” is International Business Machines Corporation or one

      of its subsidiaries.

    

 

    

“License Information” (”LI”) is a document that provides

      information specific to a Program. The Program’s LI is

      available at http://www.ibm.com/software/sla/ . The LI may

      also be found in a file in the Program’s directory, by the

      use of a system command, or as a booklet which accompanies

      the Program.

    

 

 

Press Enter to continue viewing the license agreement, or, Enter 1 to

accept the agreement, 2 to decline it or 99 to go back to the previous

 screen.

 

1

 

按 1 到下一步, 3 取消 或者 4 重新显示 [1]

 

IBM Informix Dynamic Server Bundle Install Location

 

Please specify a directory or press Enter to accept the default directory.

 

Directory Name: [/home/informix]

 

Press 1 for Next, 3 to Cancel or 4 to Redisplay [1]

 

 

Searching for products available for install: this may take a few minutes.

 

Select the products you would like to install:

 

   To select/deselect a product or to change its setup type, type its number:

 

   Product                                          Setup Type

   ———————————————— ————————

    1. [ ] IBM Informix IConnect                                           

    2. [x] IBM Informix Client-SDK                   Typical

    3. [x] IBM Informix Dynamic Server               Typical

    4. [x] IBM Informix JDBC Driver                                         

 

   Other options:

 

    0. Continue installing

 

   Enter command [0]

 

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

Do you want to enable role separation?

 

[ ] 1 - Yes

[X] 2 - No

 

To select an item enter its number, or 0 when you are finished: [0]

 

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

Would you like to create an IDS demo instance?

 

[ ] 1 - Create Demo

[X] 2 - Do Not Create Demo

 

To select an item enter its number, or 0 when you are finished: [0]

 

 

The primary purpose of the demo instance is to ensure that the product is

properly installed and the hardware is configured to work with IDS.

This demo instance can be used as an actual production instance if properly

configured.

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]   

 

IBM Informix Dynamic Server Bundle will be installed in the following location:

 

/home/informix

 

with the following features:

 

IBM Informix Client-SDK

IBM Informix Dynamic Server

IBM Informix JDBC Driver

 

for a total size:

 

 51.6 MB

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

Creating uninstaller…

 

0 % complete

10 % complete

20 % complete

30 % complete

40 % complete

50 % complete

60 % complete

70 % complete

80 % complete

90 % complete

100 % complete

 

 

Installing IBM Informix JDBC Driver. Please wait…

 

 

Creating uninstaller…

 

 

Installing Message Files by RPM

 

 

Installing GLS Files by RPM

 

 

Installing IDS Files by RPM

 

 

Installing SDK Message Files by RPM

 

 

Installing SDK GLS Files by RPM

 

 

Installing SDK Files by RPM

 

 

Branding Files …

Installing directory .

Installing directory etc

Installing directory bin

Installing directory lib

Installing directory lib/client

Installing directory lib/client/csm

Installing directory lib/esql

Installing directory lib/dmi

Installing directory lib/c++

Installing directory lib/cli

Installing directory release

Installing directory release/en_us

Installing directory release/en_us/0333

Installing directory incl

Installing directory incl/esql

Installing directory incl/dmi

Installing directory incl/c++

Installing directory incl/cli

Installing directory demo

Installing directory demo/esqlc

Installing directory demo/c++

Installing directory demo/cli

Installing directory doc

Installing directory doc/gls_api

Installing directory doc/gls_api/en_us

Installing directory doc/gls_api/en_us/0333

 

IBM Informix Product:       IBM INFORMIX-Client SDK

Installation Directory: /home/informix

 

Performing root portion of installation of IBM INFORMIX-Client SDK…

 

 

Installation of IBM INFORMIX-Client SDK complete.

 

Installing directory etc

Installing directory gls

Installing directory gls/cm3

Installing directory gls/cv9

Installing directory gls/dll

Installing directory gls/etc

Installing directory gls/lc11

Installing directory gls/lc11/cs_cz

Installing directory gls/lc11/da_dk

Installing directory gls/lc11/de_at

Installing directory gls/lc11/de_ch

Installing directory gls/lc11/de_de

Installing directory gls/lc11/en_au

Installing directory gls/lc11/en_gb

Installing directory gls/lc11/en_us

Installing directory gls/lc11/es_es

Installing directory gls/lc11/fi_fi

Installing directory gls/lc11/fr_be

Installing directory gls/lc11/fr_ca

Installing directory gls/lc11/fr_ch

Installing directory gls/lc11/fr_fr

Installing directory gls/lc11/is_is

Installing directory gls/lc11/it_it

Installing directory gls/lc11/ja_jp

Installing directory gls/lc11/ko_kr

Installing directory gls/lc11/nl_be

Installing directory gls/lc11/nl_nl

Installing directory gls/lc11/no_no

Installing directory gls/lc11/os

Installing directory gls/lc11/pl_pl

Installing directory gls/lc11/pt_br

Installing directory gls/lc11/pt_pt

Installing directory gls/lc11/ru_ru

Installing directory gls/lc11/sk_sk

Installing directory gls/lc11/sv_se

Installing directory gls/lc11/th_th

Installing directory gls/lc11/zh_cn

Installing directory gls/lc11/zh_tw

 

IBM Informix Product:       Gls

Installation Directory: /home/informix

 

Performing root portion of installation of Gls…

 

 

Installation of Gls complete.

 

Installing directory etc

Installing directory msg

Installing directory msg/en_us

Installing directory msg/en_us/0333

 

IBM Informix Product:       messages

Installation Directory: /home/informix

 

Performing root portion of installation of messages…

 

 

Installation of messages complete.

 

 

 

Branding Installed Files …

 

Please read the information below.

 

Set required environment variables

        Set $INFORMIXDIR to the directory where the IDS server is installed.

        Set $PATH to include $INFORMIXDIR/bin

        Set $INFORMIXSERVER to the name of the database server

        Set $ONCONFIG to the name of the active onconfig configuration file.

        If using a sqlhosts file other than $INFORMIXDIR/etc/sqlhosts

                Set $INFORMIXSQLHOSTS

        If using a locale/language other than the default

                Set $CLIENT_LOCALE

                Set $DB_LOCALE

                Set $SERVER_LOCALE

                Set $DBLANG

Prepare connectivity files

        sqlhosts

        /etc/hosts

        /etc/services

Prepare configuration file

        Set DBSERVERNAME

        Set SERVERNUM

        Set ROOTNAME

 

Press ENTER to read the text [Type q to quit]

 

        Set ROOTPATH

        Set ROOTSIZE   

Initialize database server

        As informix or root, run oninit

        If initializing a new server for the FIRST time, run oninit -i

This will overwrite any existing data, so use caution on an exis

ting setup

 

 

For more information please refer to the IBM Informix Dynamic Server Getting

Started Guide

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

The InstallShield Wizard has successfully installed IBM Informix Dynamic Server

Bundle. Choose Next to continue the wizard.

 

Press 1 for Next, 2 for Previous, 3 to Cancel or 4 to Redisplay [1]

 

   1. Release Notes

   2. Quick Beginnings Guide

   3. Finish Installation

 

Please select one of these options [3]

 

Finishing Installation…

 

 

Press 3 to Finish or 4 to Redisplay [3]

vi /home/informix/.bash_profile

 

PATH=$PATH:$HOME/bin

INFORMIXDIR=/home/informix

INFORMIXTMP=/home/informix/tmp

INFORMIXSERVER=testsvr

ONCONFIG=onconfig

 

TERMCAP=$HOME/etc/termcap

export PATH INFORMIXDIR INFORMIXTMP INFORMIXSERVER ONCONFIG TERMCAP

cd /home/informix/etc

cp onconfig.std onconfig

cp sqlhosts.std sqlhosts

# Local services

informix         60000/tcp                       # Informix Server

vi /home/informix/etc/sqlhosts

#ServerName Connect           Hostname   ServicesName(对应/etc/services中)

testsvr          onsoctcp        localhost       informix

 

vi /home/informix/etc/onconfig

DBSERVERNAME    testsvr

 

TAPEDEV         /dev/null       # Tape device path

LTAPEDEV        /dev/null       # Log tape device path

 

 

将默认/usr/informix/ 替换为 /home/informix/

vi命令 1,$  s/\/usr\/informix\//\/home\/informix\//g

chmod o-r /home/informix/tmp

chmod o-x /home/informix/tmp

lvcreate –size 1G –name nwrootdbs datavg

lvcreate –size 512M –name nwphydbs datavg

lvcreate –size 512M –name nwlogdbs datavg

lvcreate –size 512M –name nwtmpdbs datavg

lvcreate –size 512M –name nwidxdbs datavg

lvcreate –size 1G –name nwdatadbs datavg

raw /dev/raw/raw1 /dev/datavg/nwrootdbs

raw /dev/raw/raw2 /dev/datavg/nwphydbs

raw /dev/raw/raw3 /dev/datavg/nwlogdbs

raw /dev/raw/raw4 /dev/datavg/nwtmpdbs

raw /dev/raw/raw5 /dev/datavg/nwidxdbs

raw /dev/raw/raw6 /dev/datavg/nwdatadbs

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”2″, RUN+=”/bin/raw /dev/raw/raw1 %M %m”

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”3″, RUN+=”/bin/raw /dev/raw/raw2 %M %m

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”4″, RUN+=”/bin/raw /dev/raw/raw3 %M %m”

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”5″, RUN+=”/bin/raw /dev/raw/raw4 %M %m”

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”6″, RUN+=”/bin/raw /dev/raw/raw5 %M %m”

ACTION==”add”, ENV{MAJOR}==”253″, ENV{MINOR}==”7″, RUN+=”/bin/raw /dev/raw/raw6 %M %m”

[root@localhost ~]# raw /dev/raw/raw1 /dev/datavg/nwrootdbs

/dev/raw/raw1:  bound to major 253, minor 2

/dev/raw/raw1 /dev/datavg/nwrootdbs

/dev/raw/raw2 /dev/datavg/nwphydbs

/dev/raw/raw3 /dev/datavg/nwlogdbs

/dev/raw/raw4 /dev/datavg/nwtmpdbs

/dev/raw/raw5 /dev/datavg/nwidxdbs

/dev/raw/raw6 /dev/datavg/nwdatadbs

chown informix:informix /dev/mapper/datavg-nw*

chmod 660 /dev/mapper/datavg-*nw

chown informix:informix /dev/raw/raw1

chown informix:informix /dev/raw/raw2

chown informix:informix /dev/raw/raw3

chown informix:informix /dev/raw/raw4

chown informix:informix /dev/raw/raw5

chown informix:informix /dev/raw/raw6

chmod 660 /dev/raw/raw1

chmod 660 /dev/raw/raw2

chmod 660 /dev/raw/raw3

chmod 660 /dev/raw/raw4

chmod 660 /dev/raw/raw5

chmod 660 /dev/raw/raw6

chown informix:informix /dev/raw/raw1

chown informix:informix /dev/raw/raw2

chown informix:informix /dev/raw/raw3

chown informix:informix /dev/raw/raw4

chown informix:informix /dev/raw/raw5

chown informix:informix /dev/raw/raw6

chmod 660 /dev/raw/raw1

chmod 660 /dev/raw/raw2

chmod 660 /dev/raw/raw3

chmod 660 /dev/raw/raw4

chmod 660 /dev/raw/raw5

chmod 660 /dev/raw/raw6

ln -s /dev/raw/raw1 /dev/datavg/rnwrootdbs

ln -s /dev/raw/raw2 /dev/datavg/rnwphydbs

ln -s /dev/raw/raw3 /dev/datavg/rnwlogdbs

ln -s /dev/raw/raw4 /dev/datavg/rnwtmpdbs

ln -s /dev/raw/raw5 /dev/datavg/rnwidxdbs

ln -s /dev/raw/raw6 /dev/datavg/rnwdatadbs

mkdir /home/informix/dbspaces

ln -s /dev/raw/raw1  rootdbschunks

ln -s /dev/raw/raw2  phydbschunks

ln -s /dev/raw/raw3  logdbschunks

ln -s /dev/raw/raw4  tmpdbschunks

ln -s /dev/raw/raw5  idxdbschunks

ln -s /dev/raw/raw6  datadbschunks

vi /home/informix/etc/onconfig

ROOTPATH        /home/informix/dbspaces/rootdbschunks

ROOTOFFSET       100

ROOTSIZE        1048476     #512M  1024*1024-OFFSET= 1048576

mkdir /home/informix/dbspaces

cat /dev/null > /home/informix/dbspaces/rootdbs

chown informix:informix /home/informix/dbspaces/rootdbs

chmod 660 /home/informix/dbspaces/rootdbs

vi /home/informix/etc/onconfig

ROOTPATH        /home/informix/dbspaces/rootdbs

ROOTOFFSET       0

ROOTSIZE        1048576     #1G  1024*1024-OFFSET= 1048576

alias oninitfirst=”oninit -iv”

oninitfirst

 

This action will initialize IBM Informix Dynamic Server;

any existing IBM Informix Dynamic Server databases will NOT be accessible -

Do you wish to continue (y/n)? y

 

Checking group membership to determine server run mode…succeeded

Reading configuration file ‘/home/informix/etc/onconfig’…succeeded

Creating /INFORMIXTMP/.infxdirs…succeeded

Creating infos file “/home/informix/etc/.infos.testsvr”…succeeded

Linking conf file “/home/informix/etc/.conf.testsvr”…succeeded

Writing to infos file…succeeded

Checking config parameters…Invalid value of DUMPDIR ‘/usr/informix/tmp’ in onconfig file. Setting it to default value

 ‘/home/informix/tmp’…succeeded

13:50:32  IBM Informix Dynamic Server Started.

Allocating and attaching to shared memory…succeeded

Creating resident pool 866 kbytes…succeeded

Allocating 18384 kbytes for buffer pool of 2K page size…succeeded

Initializing rhead structure…succeeded

 

Thu Dec 10 13:50:32 2009

 

13:50:32  Event alarms enabled.  ALARMPROG = ‘/usr/informix/etc/alarmprogram.sh’

Initializing ASF…succeeded

Initializing Dictionary Cache and SPL Routine Cache…13:50:32  Booting Language <c> from module <>

13:50:32  Loading Module <CNULL>

13:50:32  Booting Language <builtin> from module <>

13:50:32  Loading Module <BUILTINNULL>

succeeded

Bringing up ADM VP…succeeded

Creating VP classes…succeeded

Onlining 0 additional cpu vps…succeeded

Onlining 2 IO vps…succeeded

Initialization of Encryption…succeeded

Forking main_loop thread…succeeded

Initializing DR structures…13:50:37  DR: DRAUTO is 0 (Off)

succeeded

Forking 1 ’soctcp’ listener threads…13:50:37  Dynamically allocated new virtual shared memory segment (size 8192KB)

succeeded

13:50:37  IBM Informix Dynamic Server Version 10.00.UC3R1   Software Serial Number AAA#B000000

Starting tracing…succeeded

Initializing 1 flushers…succeeded

Initializing log/checkpoint information…succeeded

Opening primary chunks…succeeded

Opening mirror chunks…succeeded

Initializing dbspaces…succeeded

Validating chunks…succeeded

Creating database partition…succeeded

Initialize Async Log Flusher…succeeded

13:50:39  IBM Informix Dynamic Server Initialized — Complete Disk Initialized.

Forking btree cleaner…succeeded

Initializing DBSPACETEMP list…succeeded

Checking database partition index…succeeded

13:50:39  Checkpoint Completed:  duration was 0 seconds.

13:50:39  Checkpoint loguniq 1, logpos 0xd0, timestamp: 0×4f

 

13:50:39  Maximum server connections 0

Checking location of physical log…succeeded

Initializing dataskip structure…13:50:39  Dataskip is now OFF for all dbspaces

succeeded

Checking for temporary tables to drop…succeeded

Forking onmode_mon thread…succeeded

Verbose output complete: mode = 5

13:50:39  On-Line Mode

13:50:39  Building ’sysmaster’ database …

[informix@localhost ~]$ 13:50:40  Booting Language <spl> from module <>

13:50:40  Loading Module <SPLNULL>

13:50:40  Unloading Module <SPLNULL>

13:50:40  Logical Log 2 Complete, timestamp: 0×93ba.

13:50:40  Process exited with return code 127: /bin/sh /bin/sh -c /usr/informix/etc/alarmprogram.sh 2 23 “Logical Log 2 Complete, timestamp: 0×93ba.” “Logical Log 2 Com

13:50:41  Loading Module <SPLNULL>

13:50:42  ’sysmaster’ database built successfully.

13:50:42  ’sysutils’ database built successfully.

13:50:42  ’sysuser’ database built successfully.

13:50:42  Logical Log 3 Complete, timestamp: 0xe915.

13:50:42  Process exited with return code 127: /bin/sh /bin/sh -c /usr/informix/etc/alarmprogram.sh 2 23 “Logical Log 3 Complete, timestamp: 0xe915.” “Logical Log 3 Com

onspaces -c -d phydbs -p /home/informix/dbspaces/phydbschunks -o 100 -s 1048476

onspaces -c -d logdbs -p /home/informix/dbspaces/logdbschunks -o 100 -s 524188

onspaces -c -t -d tmpdbs -p /home/informix/dbspaces/tmpdbschunks -o 100 -s 524188

  onspaces -c -d idxdbs -p /home/informix/dbspaces/idxdbschunks -o 100 -s 524188

  onspaces -c -d datadbs -p /home/informix/dbspaces/datadbschunks -o 100 -s 1048476

onparams -a -d logdbs -s 15000

onparams -a -d logdbs -s 15000

onparams -a -d logdbs -s 15000

onmode -l

onmode -l

onmode -l

 

onmode -c

while true; do onparams -a -d logdbs -s 15000; done;

onparams -d -l 1

onparams -d -l 2

onparams -d -l 3

onmode -sy

onparams -p -s 1048476 -d phydbs

---

今日处理某客户一个网络故障。某个节点总是间歇性故障，重启设备又好了。

开始抓包发现有网络中有一半以上流量是目的地址为随机IP的445包。于是将发送源IP清理出来，断网隔离。

没想到过了几个小时又出毛病了。3550交换机不转发流量，抓包看就只有交换机自身产生的STP，DTP，Loop Detect这些数据。

这时候通过show mac-address-table发现某个端口下有大量伪造的MAC地址，当时就翻了有2000行，n屏都翻不完，放弃，估计CAM表是爆了。

于是在端口下做port-security限制MAC数量，然后清空CAM表。交换机还是不转发流量，估计已经软件已经有问题了，重启好了。

经过观察，故障解决了。

经过了解，判断可能是一台服务器中毒了，可惜没有条件去服务器上确认病毒的名字和类型。

引用一张Cisco上面的图：

FTP分为两种模式： 主动Active   被动 Passive

主动模式下是使用21作为控制， 20作为数据口。

首先是客户端通过大于1023的端口发起到服务器21端口的控制连接，信息交换完成后。服务器从20端口发起连接到客户端提供的接收端口。

这是传统意义上的FTP行为。

 

被动模式是使用21作为控制，然后服务器自动选择一个大于1023的端口作为数据。

首先是客户端通过大于1023的端口发起到服务器21端口的控制连接，信息交换完成后。服务器告诉客户端一个大于1023的端口作为数据口，

然后客户端再以另外一个大于1023的端口发起连接到服务器提供的数据端口进行数据传输。

 

目前大多数服务器都支持这种模式，而且大部分客户端都默认采用被动模式和服务器进行传输。

 

 

好了，当我们在内网有两台服务器FTP SEVER1和FTP SERVER2都需要被外网访问的时侯，我们会分别为这两个服务器做映射出去。

假定FTP SERVE1(10.0.0.100)占用公网IP(x.x.x.x)的21端口，FTP SERVER2(10.0.0.200)占用公网IP(x.x.x.x)的2211端口。那么我们就会这么写：

ip nat inside source static tcp 10.0.0.100 21 x.x.x.x 21 extendable

今天费劲周折，去电信换了一个号称无线Modem的东西。结果回来翻了半天说明书都没有看见在什么地方设置路由和NAT。

Google一番，发现这个玩意儿是电信定制过的。电信可以远程网管。。。给大家贴在机器上的实际上是个Viewer帐号，

真正的管理员帐号是 telecomadmin 密码是 nE7jA%5m

通过这个帐号登录进去以后就可以配置拨号和路由了。

点击“网络”，即可看到配置界面。

连接名称选“1_INTERNET_R_x_xx"

模式选"Route"

 "PPPoE"

勾上"PPPoE路由桥混合模式"

VPI用已有的

VCI用已有的

服务类型选"UBR Without PCR"

勾上"NAT"

用户名填入 拨号的用户名

密码填入对应的密码

服务名称 任意填

拨号方式 包月的就选 "自动连接"

服务模式选 "INTERNET"

然后保存，重启即可。

 

 

说明以下 VPI/VCI 号各个地方电信都不一样，一般来说领回来的机器上是默认设置好了的。

如果没有，可以参考http://www.chinadsl.net/bbs/thread-29151-1-1.html 全国ADSL宽带虚拟通道值 VPI、VCI值征集【电信、网通、铁通】

默认还有一个TR069连接，那是电信用来管理这个MODEM的连接，走的另外的VPI/VCI，用的DHCP方式得到地址。

可以把这个连接删了，这样电信就没有办法管理了，要不然你的telecomadmin的口令可能就被改了。

 

 

========phanx.com=========
Author:  phanx
Updated: 2008-12-18
=========================

 

今天居然有人SynFlood我的Web Server，无聊的人还真多。。。

偶然跑到Router上检查，居然发现有大量的NAT条目，一看端口很规律，都是去往Web Server的80的，而且源地址是同一个，源端口依次递增。

估计是TCP SynFlood了，不过幸好还不是超多。

 

于是使用2800自带的防止SynFlood DoS的功能TCP Intercept。

配置简单，立马见效，5 seconds 不Established，就向Server发送TCP RST了 。

 

ip tcp intercept list TCPINTERCEPT
ip tcp intercept connection-timeout 300

ip tcp intercept watch-timeout 5
ip tcp intercept mode watch

 

ip access-list extended TCPINTERCEPT
   permit tcp any host 188.8.8.8 eq 80

 

 

phanx_Router#sh tcp intercept con
Incomplete:
Client                Server                State    Create   Timeout  Mode
221.201.145.24:51247  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
221.201.145.24:51246  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
221.201.145.24:51245  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
221.201.145.24:51251  188.8.8.8:80        SYNSENT  00:00:03 00:00:01 W
221.201.145.24:51250  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
221.201.145.24:51249  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
221.201.145.24:51248  188.8.8.8:80        SYNSENT  00:00:04 00:00:00 W
         
Established:

 

 

phanx_Router#sh tcp intercept st
Watching new connections using access-list TCPINTERCEPT
11 incomplete, 0 established connections (total 11)
55 connection requests per minute

 

还好还好，不是动真格的。。。

 

---

以下是NAT记录。

phanx_Router#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1055    60.240.247.48:1055
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1060    60.240.247.48:1060
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1061    60.240.247.48:1061
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1094    60.240.247.48:1094
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:1116    60.240.247.48:1116
。

。

。

tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3688    60.240.247.48:3688
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3689    60.240.247.48:3689
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:3690    60.240.247.48:3690
。

。

。

tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:4887    60.240.247.48:4887
tcp 218.104.217.135:80    188.8.8.8:80        60.240.247.48:4993    60.240.247.48:4993
Pro Inside global         Inside local          Outside local         Outside global
tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:59779  94.240.224.240:59779
tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:60091  94.240.224.240:60091
tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:62937  94.240.224.240:62937
tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:64645  94.240.224.240:64645
tcp 218.104.217.135:80    188.8.8.8:80        94.240.224.240:65373  94.240.224.240:65373
tcp 218.104.217.135:80    188.8.8.8:80        121.229.68.69:1134    121.229.68.69:1134
tcp 218.104.217.135:80    188.8.8.8:80        123.115.1.69:7744     123.115.1.69:7744
tcp 218.104.217.135:80    188.8.8.8:80        123.115.1.69:8241     123.115.1.69:8241
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:18860  221.201.145.24:18860
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:18999  221.201.145.24:18999
。

。

。

。

。

。

tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40572  221.201.145.24:40572
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40573  221.201.145.24:40573
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40574  221.201.145.24:40574
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40575  221.201.145.24:40575
tcp 218.104.217.135:80    188.8.8.8:80        221.201.145.24:40576  221.201.145.24:40576
tcp 218.104.217.135:80    188.8.8.8:80        —                   —

 ========phanx.com=========
Author:  phanx
Updated: 2008-11-21
=========================

 

C:Documents and SettingsAdministrator>nslookup bbs.scu.edu.cn
Server:  68.128.128.61.cq.cq.cta.net.cn
Address:  61.128.128.68

Non-authoritative answer:
Name:    bbs.scu.edu.cn.huawei.com1
Address:  219.153.42.248

C:Documents and SettingsAdministrator>ping bbs.scu.edu.cn

Pinging bbs.scu.edu.cn [125.69.85.16] with 32 bytes of data:

Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
Reply from 125.69.85.16: bytes=32 time=8ms TTL=54

Ping statistics for 125.69.85.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 8ms, Average = 8ms

C:Documents and SettingsAdministrator>

 

用nslookup解析的时候为什么会多出一个 huawei.com1的后缀呢？

原来nslookup解析域名的时候会自动把domain附加在输入的名字后面

在nslookup中用set all检查参数

> set all
Default Server:  68.128.128.61.cq.cq.cta.net.cn
Address:  61.128.128.68

Set options:
  nodebug
  defname
  search
  recurse
  nod2
  novc
  noignoretc
  port=53
  type=A
  class=IN
  timeout=2
  retry=1
  root=A.ROOT-SERVERS.NET.
  domain=huawei.com1
  MSxfr
  IXFRversion=1
  srchlist=huawei.com1

>
原来附加了一个huawei.com1

修改一下set nosearch

然后再解析就对了

 

> bbs.scu.edu.cn
Server:  68.128.128.61.cq.cq.cta.net.cn
Address:  61.128.128.68

Non-authoritative answer:
Name:    bbs.scu.edu.cn
Address:  125.69.85.16

>

 

========phanx.com=========
Author:  phanx
Updated: 2008-11-13

                    2009-03-08
=========================

 

某用户需要用SPA-IPSEC-2G在7600上实现到n多节点的IPSec Site-to-Site VPN, 由于7600引擎上的以太口做子接口配合IPSEC SPA不支持CBWFQ,

故又弄了块SPA-5xGE-V2.

========phanx.com=========
Author:  phanx
Updated: 2008-11-13
=========================

 

一台2950出现大量的Port Manager Internal Software Error. LOG如下:

CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid
< PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 564: pm_vlan_get_vlan_data)

 -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar  1 08:06:02.052 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar  1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar  1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar  1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
-Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
*Mar  1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)

 

开始以为是软件BUG,遂即升级到最新的12.1(22)EA12,故障依旧.

后来,更换成一台2960,仍然报错.

 

检查STP.

 

========phanx.com=========
Author:  phanx
Updated: 2007-7-11
=========================

 

默认情况下，Cisco VPN Client软件在断线以后无法自动重连。某个地方,却需要自动重连功能.

search了一番guide.找到如下解决办法:

 

通过修改vpnclient.ini，可以实现断线后自动重连。

 

vpnclient.ini

在[Main]段上添加三句

AutoInitiationEnable=1       // 允许自动发起连接
AutoInitiationRetryInterval=1    // 自动发起连接重试间隔时间(单位分钟)
AutoInitiationList=XXXXX      // 自动连接配置段名称

XXXXX为自动连接的字段名
然后在[XXXXX]字段下写四句

[XXXXX]
Network=15.66.13.0            // 实际地址段
Subnet=255.255.255.252     // 实际掩码
ConnectionEntry=ATM1        // 需要连接的项目,对应VPN Client中建立的连接项目
Connect=1                        // 允许自动连接

 

修改后，VPN GUI界面在Options下也会多出一项Automatic VPN Initiation…