Answer to the question of network-transmitted Linux operation and maintenance plane (II.)

Title Source: http://2358205.blog.51cto.com/2348205/1688323

http://mofansheng.blog.51cto.com/8792265/1627907

Most of them do it themselves, part of the original post of the blogger's answer

1. Linux boot process

BIOS post →MBR boot → load grub→ load Linux kernel → run init process, read/etc/inittab→ execute/etc/rc.d/rc.sysinit script → Execute/etc/rc.d/rc script, run/etc/rc.d/ Script in Rcx.d, X represents the run level specified in Inittab → execute/etc/rc.d/rc.local script → start mingetty process, wait for user login

2, TCP three handshake, four wave

Description: SYN (synchronous establish online) ACK (acknowledgement acknowledgment) PSH (push transfer) FIN (finish end) RST (reset reset) URG (Urgent emergency)

Sequence number (sequential) Acknowledge number (confirmation)

The first handshake ———— when a connection is established, the client sends a SYN packet (SYN=J) to the server and enters the Syn_send state, waiting for the server to confirm;

The second handshake ———— the server receives the SYN packet, it must confirm the customer's SYN (ACK=J+1), and also send itself a SYN packet (syn=k), that is, the Syn+ack packet, when the server enters the SYN_RECV state;

The third handshake ———— the client receives the Syn+ack packet from the server, sends the acknowledgement packet ack (ACK=K+1) to the server, the packet is sent, the client and server enter the established state, and the client and the server begin to transfer the data.

First wave ———— the client sends a fin to turn off the client-to-server data transfer, and the client enters the fin_wait_1 state;

The second wave ———— the server receives fin, sends an ACK packet to the client, confirms that the sequence number is received sequence number +1 (same as SYN, one fin occupies a serial number), the server enters the close_wait state;

The third wave ———— the server sends a fin to shut down the server to the client's data transfer, the server enters the Last_ack state;

The fourth wave ———— the client receives fin, the client enters the TIME_WAIT state, then sends an ACK to the server, confirms that the serial number is received sequence number +1, the server enters closed state, completes four waves.

3, how to forward the local 80 port request to 8080 port, the current host IP is 192.168.16.1, where the local NIC Eth0

Iptables-t nat-a prerouting-o eth0-d 192.168.16.1-p tcp--dport 80-j REDIRECT--to-ports 8080

4, what is NAT, commonly divided into those kinds of, dnat and snat What is the difference, application cases have those?

NAT, network address translation, is the process of translating an IP address in the IP header into another IP address. Divided into Dnat (destination network address translation) and Snat (source network address translation)

Snat is mainly used for intranet hosts to access the extranet via routers or gateways.

Dnat mapping external address and port access to internal addresses and ports

5. What is the difference between packet filtering firewall and proxy application firewall, can you list several corresponding products?

Filter firewall work in the network layer, it only to the IP packet source address, destination address and corresponding port processing, so faster, can handle more concurrent connections, the disadvantage is that the application layer of attack powerless.

The proxy server firewall works at the application layer, which restores the received IP packets to high-level protocol communication data, such as HTTP connection information, so it can intercept attacks based on high-level protocols. The disadvantage is that the processing speed is slow and the number of concurrent numbers that can be processed is relatively small. Proxy server is the development direction of firewall technology, many vendors are improving processing speed and based on agent to develop more advanced protection function of firewall.

6, iptables whether to support time to control user behavior, such as please write specific steps.

Iptables is supported by Time control, the following excerpt from man Iptables:

EXAMPLES. To match on weekends, use:

-M Time--weekdays Sa,su

Or, to match (once) on a national holiday block:

-M time--datestart 2007-12-24--datestop 2007-12-27

Since the stop time is actually inclusive, you would need the following stop time to not match the first second

Of the New Day:

-M time--datestart 2007-01-01t17:00--datestop 2007-01-01t23:59:59

During Lunch Hour:

-M time--timestart--timestop 13:30

The fourth Friday in the month:

-M time--weekdays Fr--monthdays 22,23,24,25,26,27,28

7. Say a few Linux/unix releases you know.

Linux:rhel, CentOS, Fedora, SuSE, Debian, Ubuntu, etc.

Unix:freebsd, Solaris, AIX, Mac OS x, etc.

8. List Linux common packaging tools and write corresponding decompression parameters (at least three kinds)

Tar

Gzip

Bzip2

9, plan every Sunday early 8 o'clock the server periodically sends a message with the content: test. Sender: [Email protected] Recipient: [email protected], how to achieve?

Crontab-e

XX * * 7 echo "TEST" | /bin/mail-r [email protected]-s test [email protected] &>/dev/null

10, we all know that DNS uses both the TCP protocol and the UDP protocol, when the TCP protocol is used? When do I use the UDP protocol? Why are you designing this?

First look at the length limit for TCP and UDP delivery bytes: The maximum length of UDP packets is 512 bytes, while TCP allows messages longer than 512 bytes. When a DNS query exceeds 512 bytes, the protocol's TC flag appears with a delete flag, which is then sent using TCP. Typically, a traditional UDP message is generally no larger than 512 bytes.

TCP is used for zone transfer:

The secondary domain server queries the primary name server periodically (typically 3 hours) to see if the data is changed. If there is a change, a zone transfer is performed and the data is synchronized. Zone transfers will use TCP instead of UDP, because the amount of data that is transferred synchronously is much larger than the amount of data requested and answered, and TCP is a reliable connection that guarantees the accuracy of the data.

Use UDP for Domain name resolution:

The client queries the DNS server for domain names, and generally returns no more than 512 bytes, which can be transmitted with UDP. There is no TCP three handshake, so the DNS server loads less and responds faster. While it is theoretically possible for a client to specify TCP when querying to a DNS server, in fact, many DNS servers are configured to support only UDP query packets.

11, a EXT3 file partition, when using the Touch test.file command to create a new file times wrong, the error message is the prompt disk is full, but the use of df-h command to view the disk size, only used, 60% of the disk space, why this situation, say your reason.

Df-i Viewing inode usage

Usually the inode is full.

12, we all know that the FTP protocol has two modes of operation, say their approximate one workflow?

Active mode ftp:

Command connection: Client >1024 port, server 21 port

Data connection: Client >1024 port <-server 20 port

Passive mode ftp:

Command connection: Client >1024 port, server 21 port

Data connection: Client >1024 port, server >1024 port

Here is a brief summary of the pros and cons of active and passive ftp:

Active FTP is advantageous to the management of FTP server, but it is disadvantageous to the management of the client. Because the FTP server attempts to establish a connection to the client's high-level random port, the port is likely to be blocked by the client's firewall. Passive FTP is advantageous to the management of FTP client, but it is disadvantageous to server side management. Because the client is going to establish two connections to the server, one of them is connected to a high-level random port, and the port is likely to be blocked by the server-side firewall.

Workaround: Using passive mode, you can pin the port of the data connection (greater than 1024 less than 65535) and open the port on the server-side firewall

13. Write a shell script to transfer files larger than 100K in the current directory to the/tmp directory

Find. -size +100k xargs-i {} MV {}/tmp

14, Apache has several modes of work, respectively, the characteristics of the introduction, and explain under what circumstances the use of different working mode?

Apache has two main modes of operation: Prefork (pre-derivation, default installation mode) and worker (multi-threading module that supports mixed multithreaded multi-process, which can be specified as worker mode when compiling the parameter--with-mpm=worker)

Features of Prefork:

1. Prefork MPM uses multiple child processes, with only one thread per child process. Each process can only maintain one connection at a certain time. This mode reduces system overhead by eliminating the need to generate new processes when requests arrive.

2, can prevent accidental memory leaks, but this mode consumes more memory;

3, the number of child processes will be automatically reduced when the server load drops

Characteristics of the worker:

The worker MPM uses multiple child processes, each of which has multiple threads. Each thread can only maintain one connection at a certain time. In general, worker MPM is a good choice on a high-traffic HTTP server because the worker MPM uses much less memory than Prefork MPM. But the worker mpm is also imperfect, and if a thread crashes, the entire process will "die" along with any of its threads. Because threads share memory space, a program must be recognized by the system as "every thread is safe" when it runs.

15, write the shell script to get the ip/netmask of this machine.

Ifconfig | Awk-f "[:]+" ' nr==2 {print $4} '

16, briefly describe the principle of DDoS attacks, there is no solution? There, how to solve?

Distributed service denial of attack is to use a primary server to control the N-chickens to the target server reasonable resource requests, resulting in server resources exhausted and unable to perform normal service.

Several popular DDoS attack modes: Syn/ack flood attack, TCP full connection attack, CC attack (Encyclopedia: An attacker using a proxy server to generate a legitimate request to a compromised host, implementing DDoS, and masquerading as "CC" (Challengecollapsar). CC is mainly used to attack the page. )

A simple test: first, if the site is not open, you can try to use 3389 to connect the server to see, and then you can use the ping command to test, and then one way is to use Telnet to login 80 port to see if there will be a black screen. If none of these tests are connected, that means a DDoS attack.

Then if the other than the port 80 port connections are normal, the ping test is normal, but the 80 port is not accessible, and then see if IIS is normal, you can change the 80 port to other port testing, if the normal access, it is likely to be a CC attack.

Defending against DDoS attacks:

<1> to have sufficient network bandwidth and stable and secure room: choose good word of mouth, good service, good security protection room, network bandwidth directly determines the ability to resist attack.

<2> soft and hard equipment protection: hardware DDoS Firewall black hole, ice shield are good, software such as Web server have corresponding DDoS protection module, iptables, do single IP concurrency limit, traffic limit, SYN and some attack limit.

<3> site architecture optimization, to avoid the single point of service, clustering, redundancy, load balancing, caching technology.

Optimization of <4> Server system and deployment of security parameters

<5> using high-performance network equipment

17. How to view processes that occupy 80 ports and clean up the port process.

Lsof-i: 80

Pkill or Kill

18, how to view the current user's home directory is what?

Echo $HOME

19, if the setting Umask is 001, then the user defaults to create the directory and file permissions to look like?

Contents: 776 Files: 666

20, for security reasons, how to enable others to ping your online server.

There are several ways

Use ACL to block ICMP protocol on firewall or using iptables ICMP on server

or modify kernel parameters on the server: Echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

21, how to prevent others in front of the server by pressing the Ctrl+alt+del forcibly restart the system (hint, carefully see/ETC/INITTAB)

Vim/etc/init/control-alt-delete.conf

Exec/sbin/shutdown-r Now "Control-alt-delete pressed" This item # comment out, save exit;

On my test machine (CentOS 6.7) is turned off by default

22, when the server for heavy load operation, you do not want to have a regular user login up, what should you do? Do not cut the network cable.

Touch/etc/nologin

Create a Nologin file, this file is a special file, after the creation of all ordinary users can not log on, after the system maintenance to delete the file, the user can resume login, only the shell login user, the user itself shell for/sbin/nologin can not log into the shell, not be affected;

23, you create a new batch of users, for security reasons, require these users to log on the first time must change the password, how to implement?

view password and account expiration information:chage-l username

set the password to expire, user login must change password: chage-d0 username or PASSWD-E username

24, how to change all the files in a directory (without directory) permissions to 644?

Find./! -type d-exec chmod 644 \;

25, please realize the following requirements: Only allow the use of ordinary account login, and ordinary account login, you can not enter the password to sudo switch to the root account, root is not allowed to telnet.

Vim/etc/ssh/sshd_config

Permitrootlogin set to No, root login is not allowed

/etc/init.d/sshd Reload Reload sshd configuration file in effect

Visudo, add a line: User all= (Root) nopasswd:/bin/su

26, how to make the file can only write can not be deleted? How can I make a file unable to be deleted, renamed, linked, written, or added to the data?

Chattr +a can only add data to a file, not delete

Chattr +i files cannot be deleted, renamed, linked, and cannot be written or added

27. When using LS to view a directory or a file, what does the value of the second column mean? If the value of this column in a directory is 3, how is this 3 obtained?

The numeric value of the second column represents the number of hard links, and by default, a new directory contains a directory that points to itself. and the parent directory pointing to the top level of the directory "..", the value is 2, if you create a file and a directory in the new directory, then query again, you will find that the value becomes 3, and so on.

This article is from the "Progress a little every day" blog, be sure to keep this source http://yujia2016.blog.51cto.com/59379/1841122

Answer to the question of network-transmitted Linux operation and maintenance plane (II.)