I. Unified account management
1. LDAP
Centralized management of accounts and passwords across platforms, including but not limited to operating systems (Windows, Linux), sudo integration on Linux, system user groups, and per-host login restrictions. It integrates with Apache, HTTP, FTP, Samba, Zabbix, Jenkins and other services, and supports password policies (password strength, password expiry, forced password change, account lockout after too many failed attempts). Authentication is exposed through the PAM pluggable authentication module, and permissions can be set and partitioned separately for each platform.
2. JumpServer
An open-source bastion host (jump server) written in Python. It manages target hosts over the SSH protocol, so no agent has to be installed on the clients. At the time of writing the current version is in beta, so use it with caution in production. After trying the demo, my impression is that its unified account management is not yet mature.
3. NIS
Similar in purpose to LDAP. NIS is the older Sun protocol and sends account data, including password hashes, across the network without encryption, so LDAP over TLS is the better choice for new deployments.
II. Automated deployment
1. Fabric
Advantages: small, agentless, easy to learn and easy to use; it can handle simple server deployment tasks. Its feature set is limited, though, and after two days I switched to Ansible.
Disadvantage: interaction between the deployment host and the target servers is not very convenient.
2. Ansible
Advantages: agentless, runs over SSH, and initializing and extending newly provisioned machines works well. It has many features and covers day-to-day deployment needs out of the box: git checkout, archive packing and unpacking, file copying, yum installation and so on are core modules, and modules such as alternatives and xattr are included as well. In theory anything else can be done with the command and shell modules.
Disadvantage: it depends heavily on network reliability; on a flaky network it becomes painful.
SaltStack, Puppet, Chef and others are alternatives.
III. DNS
1. dnsmasq
Provides DNS caching, DNS redirection, record forwarding, reverse DNS resolution and a DHCP server, with simple configuration.
It can log queries, forward to multiple upstream DNS servers, and supports wildcard domain entries, so you no longer have to bulk-edit hosts files across machines.
2. pdnsd
Provides a caching DNS service.
Lets you choose the transport used toward upstream servers (TCP, UDP or both), configure multiple upstream servers with rules for when each is queried, and set how long cached records are retained.
3. namebench
A DNS benchmarking tool developed at Google that measures which resolvers respond fastest from your location.
IV. Stress testing
1. ApacheBench
Simulates many users concurrently requesting a URL.
Apache ships a program called ab, which opens many concurrent connections to a single URL to simulate many visitors accessing it at the same time.
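The following is an added example, not ab's code or anything from the original article: a minimal ApacheBench-style load generator written against the Python standard library. It starts a throwaway HTTP server on 127.0.0.1 so that it runs offline, fires a fixed number of GET requests through a pool of concurrent workers, and reports the figures ab prints: requests per second, failed requests, and latency percentiles. The server, URL and request counts are all assumptions made for the example.

```python
"""Added example: ApacheBench-style concurrent load test with a local test server.

Not ab's code. Everything here (the test server, the URL, the request and
concurrency counts) is constructed for the example so it runs offline.
"""
import http.server
import socketserver
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor


class _Handler(http.server.BaseHTTPRequestHandler):
    """Tiny target: answers every GET with 200 'ok'."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind a threaded HTTP server to an ephemeral port on loopback."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def percentile(sorted_vals, pct):
    """Nearest-rank percentile over an already sorted list."""
    idx = int(round(pct / 100 * (len(sorted_vals) - 1)))
    return sorted_vals[min(idx, len(sorted_vals) - 1)]


def bench(url, requests=200, concurrency=10, timeout=5.0):
    """Issue `requests` GETs with `concurrency` workers; return ab-like statistics."""

    def one(_):
        t0 = time.perf_counter()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                ok = r.status == 200
        except Exception:       # connection refused, timeout, non-HTTP error
            ok = False
        return ok, time.perf_counter() - t0

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(one, range(requests)))
    elapsed = time.perf_counter() - start
    latencies = sorted(dt for _, dt in results)
    return {
        "requests": requests,
        "concurrency": concurrency,
        "failed": sum(1 for ok, _ in results if not ok),
        "rps": requests / elapsed,
        "p50_ms": percentile(latencies, 50) * 1000,
        "p99_ms": percentile(latencies, 99) * 1000,
    }


if __name__ == "__main__":
    srv = start_server()
    stats = bench(f"http://127.0.0.1:{srv.server_address[1]}/")
    srv.shutdown()
    for key, value in stats.items():
        print(f"{key:>12}: {value:.2f}" if isinstance(value, float) else f"{key:>12}: {value}")
```

Like ab, this measures the client-observed latency of each request, so the reported numbers include the client's own overhead; point `bench` at a real URL to compare it with `ab -n 200 -c 10 URL`.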
2. tcpcopy, udpcopy
Copy live traffic from one machine to another for stress testing.
When stress testing comes up, most people think of ApacheBench first, but ab only simulates access, and simulated load often fails to predict the errors real production traffic will trigger. tcpcopy and udpcopy, tools developed in China, replay real online traffic against a test environment, which greatly reduces pre-launch risk. They can amplify or reduce the copied traffic by a configurable multiplier and rewrite the client source IP of the replayed traffic.
3. tcpburn
Similar to ApacheBench.
tcpburn is a tool developed by NetEase to simulate a very large number of concurrent users with few resources. Its goal is more realistic stress testing, in particular for network message push services, where traditional stress-testing tools fall short.
V. Security
1. PortSentry
Defends the host against port scans.
Features: it can return bogus routing information, redirecting all traffic from the scanner to a non-existent host;
it automatically adds hosts that scan the server to the TCP Wrappers /etc/hosts.deny file, and, through the netfilter mechanism and packet filters such as iptables or ipchains, drops all packets from those hosts;
it logs each event through syslog() and can even send a warning message back to the scanner.
2. fail2ban
Defends the host against SSH password brute forcing: it scans the authentication log and bans source IPs that fail repeatedly by inserting firewall rules.
For servers with high security requirements, the recommended defence against SSH brute force is to disable password login altogether and authenticate with keys, or keys plus a password.
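To make the banning rule concrete, here is an added example (not fail2ban's own code) that re-implements its core logic over a handful of constructed sshd log lines: a source IP is banned once it accumulates `maxretry` failures within a sliding window of `findtime` seconds, mirroring fail2ban's `maxretry` and `findtime` settings. The log lines, IP addresses and thresholds are all made up for the example; the iptables rules are only rendered as strings, never executed.

```python
"""Added example: fail2ban-style sliding-window banning over sshd log lines.

Not fail2ban's code. The sample log is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Matches the sshd failure lines fail2ban's sshd filter is built around.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp, year=2024):
    """syslog timestamps carry no year, so one is assumed (year rollover is ignored)."""
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures in findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                       # successes and unrelated lines are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue                       # already banned; nothing more to count
        window = recent[ip]
        window.append(t)
        while window and t - window[0] > findtime:
            window.popleft()               # expire failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = t
    return bans


def iptables_rules(bans):
    """Render the DROP rules fail2ban's iptables action would insert (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


# Constructed sample: one brute-forcer (5 failures in 4 seconds) and one user who
# mistypes twice, half an hour apart, then logs in with a key.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:03 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:00:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:01:00 host sshd[1006]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 10:30:00 host sshd[1007]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Mar  3 10:30:05 host sshd[1008]: Accepted publickey for alice from 198.51.100.9 port 40003 ssh2
""".splitlines()

if __name__ == "__main__":
    for rule in iptables_rules(find_bans(SAMPLE_LOG)):
        print(rule)
```

The sliding window is what keeps the legitimate user from being banned: her two failures are 29 minutes apart, so the first has expired by the time the second arrives. Shrinking `findtime` makes the filter more forgiving of slow typists and less effective against slow, patient brute forcing; that trade-off is the one fail2ban's own `findtime` and `maxretry` knobs control.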
3. Google Authenticator
Google's two-step verification can deliver verification codes by SMS or voice call; the Authenticator app instead generates the codes on Android, iPhone or BlackBerry devices.
Open-source software that generates one-time passwords according to open standards: the HMAC-based (HOTP) and time-based (TOTP) algorithms. Google also provides a PAM module for it, so it works with other tools that authenticate through PAM, such as OpenSSH.
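The following added example (not Google's code and not from the original article) implements the two open standards the app uses, HOTP from RFC 4226 and TOTP from RFC 6238, with the standard library only, plus the server-side check a PAM module has to perform: accept a code for the current 30-second step and one step on either side to absorb clock skew, but never accept the same step twice, so a code observed over the shoulder cannot be replayed. The secret and the expected values come from the RFC test vectors; the verifier class and its skew window are assumptions for the example.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-resistant verifier.

Not Google Authenticator's code. RFC test vectors are used as the sample secret.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def decode_base32(key):
    """Google Authenticator shows secrets as unpadded base32; restore padding and decode."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


class TotpVerifier:
    """Server side: accept the current step and `skew` steps either way, each only once."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1  # highest counter already consumed; blocks replays

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used, or older than something already used
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


# RFC 4226 / RFC 6238 test secret: the ASCII string "12345678901234567890".
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # same key as the app would display it

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))   # RFC 6238 vector for T=59: 94287082
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 1_000_000)
    print(v.verify(code, 1_000_000), v.verify(code, 1_000_000))  # True False
```

`hmac.compare_digest` keeps the comparison constant-time, and tracking the last accepted counter is what turns "time-based" into "one-time": without it, any code is good for the whole step plus the skew window.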
4. knockd
Worried about the server being compromised, but the IP you log in from keeps changing, or you log in from different places? Use knockd: configure a secret "knock" that only you know on the server, and it will open sesame for you.
knockd listens on specific ports; when a client hits the specified ports in the specified order with the specified protocol (TCP/UDP), it runs a configured command. That lets you do useful things such as dynamically adding an iptables rule to open the firewall for the knocking IP.
The knock client is also handy for testing network connectivity by sending packets: if you are unsure whether a port on a remote machine is reachable, listen on that port remotely with tcpdump and send packets to it with the knock client.
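To show what "the specified ports in the specified order" means in practice, here is an added example (not knockd's code) that replays a constructed stream of connection attempts against a configured knock sequence. It keeps per-source progress, resets on a wrong knock or when the sequence takes longer than the timeout, and records the command that would be run for each source that completes it. The sequence, timeout, command string and sample traffic are all assumptions for the example; the command is only rendered, never executed.

```python
"""Added example: port-knock sequence detection in the style of knockd.

Not knockd's code. Sequence, timeout, command and traffic are constructed.
"""
from dataclasses import dataclass

# Assumed configuration: three TCP knocks, completed within 5 seconds,
# then open SSH for the knocking IP (the command is only rendered here).
SEQUENCE = [("tcp", 7000), ("tcp", 8000), ("tcp", 9000)]
SEQ_TIMEOUT = 5
COMMAND = "iptables -I INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"


@dataclass
class Progress:
    index: int = 0        # next expected step of the sequence
    started: float = 0.0  # time of the first correct knock


class KnockDetector:
    def __init__(self, sequence=SEQUENCE, timeout=SEQ_TIMEOUT, command=COMMAND):
        self.sequence, self.timeout, self.command = sequence, timeout, command
        self.progress = {}  # ip -> Progress
        self.fired = []     # commands that would have run, in order

    def knock(self, ip, proto, port, t):
        """Feed one connection attempt; return True if it completed the sequence."""
        p = self.progress.get(ip, Progress())
        if p.index and t - p.started > self.timeout:
            p = Progress()                    # took too long: start over
        if (proto, port) == self.sequence[p.index]:
            if p.index == 0:
                p.started = t
            p.index += 1
        else:
            p = Progress()                    # wrong knock: reset ...
            if (proto, port) == self.sequence[0]:
                p.index, p.started = 1, t     # ... unless it starts a fresh attempt
        done = p.index == len(self.sequence)
        if done:
            self.fired.append(self.command.format(ip=ip))
            p = Progress()
        self.progress[ip] = p
        return done


def replay(events, **kwargs):
    """Run (ip, proto, port, t) events through a fresh detector; return fired commands."""
    det = KnockDetector(**kwargs)
    for ip, proto, port, t in events:
        det.knock(ip, proto, port, t)
    return det.fired


# Constructed traffic: a correct knocker, a knocker who finishes too late,
# and a sequential port scanner that happens to touch the knock ports.
EVENTS = [
    ("203.0.113.7", "tcp", 7000, 0.0), ("203.0.113.7", "tcp", 8000, 1.0),
    ("203.0.113.7", "tcp", 9000, 2.0),
    ("198.51.100.9", "tcp", 7000, 0.0), ("198.51.100.9", "tcp", 8000, 1.0),
    ("198.51.100.9", "tcp", 9000, 9.0),
    ("192.0.2.5", "tcp", 7000, 3.0), ("192.0.2.5", "tcp", 7001, 3.1),
    ("192.0.2.5", "tcp", 8000, 3.2), ("192.0.2.5", "tcp", 9000, 3.3),
]

if __name__ == "__main__":
    for cmd in replay(EVENTS):
        print(cmd)
```

The scanner case is why the reset on a wrong knock matters: a linear scan does hit 7000, 8000 and 9000 in order, but it also hits every port in between, and each of those breaks the sequence. Port knocking remains obscurity rather than authentication (anyone sniffing the path sees the sequence), so knockd should gate access to SSH, not replace SSH key authentication.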
VI. Virtualization
1. Vagrant
Do you set the virtual machine name every time you create a new VM, then the type, version, image, memory size, number of CPU cores, devices and so on, and then install the operating system?
With Vagrant, a single `vagrant up` in the terminal creates a pre-configured VM. It is a good choice both for your own testing and for giving developers a uniform development environment.
Fast creation of new virtual machines
Fast port-forwarding setup
Custom image (box) packaging (full image or incremental patch)
Basically all everyday configuration can be set up quickly
Commands that run automatically at boot
Write your own extensions
2. Docker
Is building a fresh environment every time a hassle? What about two programs that depend on different versions of the same runtime? Hard-code absolute paths in the program? Symlinks?
Docker solves this: package the image, push it to a registry, pull it down on the target machine, drop in the code, done.
VII. Log collection
1. ELK
We often need to analyse logs and alert on them. For Nginx logs, for example: count HTTP response codes, plot the geographic distribution of requesting IPs, or alert promptly when a keyword appears in the request body. ELK (Elasticsearch, Logstash, Kibana) makes all of this easy and can be combined with Zabbix and similar tools for alerting.
VIII. Monitoring
1. SmokePing
Choosing an IDC location is a headache: you don't know the network quality of a node and don't trust the supplier's numbers? Try SmokePing, which measures network quality from one or many locations to a node (including packet loss rate and latency).
Essential Linux operations tools: a complete collection