0

Как использовать SSH для форварда локальных и удаленных портов

Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively.

Local port forwarding forwards traffic coming to a local port to a specified remote port. For example, all traffic coming to port 1234 on the client could be forwarded to port 23 on the server (host).

Note: The value of localhost is resolved after the Secure Shell connection has been established — so when defining local forwarding (outgoing tunnels), localhost refers to the server (remote host computer) you have connected to.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port. For example, all traffic coming to port 1234 on the server (host) could be forwarded to port 23 on the client (localhost).

Local port forwarding

Accessing a service (in this example SSH port tcp/22, but it could be anything like a web server on tcp/80) on a machine at work (172.16.10.10) from your machine at home (192.168.10.10), simply by connecting to the server work.example.org at work :

$ ssh user@work.example.org -L 10000:172.16.10.10:22

We see the service is available on the loopback interface only, listening on port tcp/10000 :

$ netstat -tunelp | grep 10000

tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 1000 71679 12468/ssh

From your home machine, you should be able to connect to the machine at work :

$ ssh root@localhost -p 10000

Local port forward for anyone at home !

If you want other people on your home subnet to be able to reach the machine at work by SSH, add the option -g :

$ ssh user@work.example.org -L 10000:172.16.10.10:22 -g

We now see the service is available on all interfaces on your home computer, available for anyone to connect to on the local subnet :

$ netstat -tunelp | grep 10000

tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1000 72265 12543/ssh

Anyone on your local subnet should be able to connect to the machine at work by doing this :

$ ssh root@192.168.10.10 -p 10000

Remote port forwarding

Giving access to a service (SSH port tcp/22) on your home machine (192.168.10.10) to people at work

$ ssh user@work.example.org -R 10000:192.168.1.10:22

We see on our server at work (on the loopback interface on port tcp/10000) that we have access to our SSH server at home :

work.example.org$ netstat -tunelp | grep 10000

tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 0 73719534 3809/1

People logged in on the machine work.example.org now should be able to SSH into your home machine by doing :

work.example.org$ ssh user@localhost -p 10000

Remote port forwarding for anyone at work !

If you want everybody on the subnet at work to be able to SSH into your home machine, there’s no -g option for remote forward, so you need to change the SSH configuration of work.example.org, add to sshd_config :

GatewayPorts yes

Connect just as before :

home$ ssh user@work.example.org -R 10000:192.168.1.10:22

Now, it’s listening on all interfaces on the server at work :

work.example.org$ netstat -tunelp | grep 10000

tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 73721060 4426/1

Anyone at work can now connect to your home machine by SSH via the server :

anyone.example.org$ ssh anyone@work.example.org -p 10000

Notes

— You would need to log in as root if you want services to listen on a port < 1024.
— Don’t forget to open necessary ports on any firewall either at home or work.
— Unfortunately you can only forward services running on TCP, but there’s a way to forward UDP through SSH using netcat

0

Конфиг Nginx для закрытия сайта по тех причинам

Думаю все интуитивно понятно – закрываем сайт от всех кроме себя, чиним, открывам снова.

Не забудьте сделать красивую заставку и положить ее в корень сайта с именем 503.html.

# by rework.ws

server {
    listen 80;
    server_name www.site.ru;
    set $root_path  /var/www/ru_site;

    error_page 503 /503.html;
  
    location =/503.html {  
          root $root_path;
    }

location / {
    set $allow false;
    if ($http_x_forwarded_for ~ " ?111\.111\.111\.111$") {
    set $allow true;
      }
    if ($allow = false) {
    return 503;
      }

        root $root_path;
        proxy_set_header        Host      $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
    }

    location ~ /\.ht { deny  all; }
    location ~ /\.svn { deny  all; }

}
1

ПРОБРОС USB УСТРОЙСТВ В PROXMOX VE KVM

Весь интернет облазил в посках, а ответ оказался так близко – в man qm

VM CONFIGURATION
Each VM is identified by an unique ID (integer). Configuration for a VM is
stored at «/etc/qemu-server/ID.conf»

Currently, the following parameters are supported:

….

-usb[n] host=HOSTUSBDEVICE

Configure an USB device (n is 0 to 4). This can be used to
pass-through usb devices to the guest. HOSTUSBDEVICE syntax
is:

‘bus-port(.port)*’ (decimal numbers) or
‘vendor_id:product_id’ (hexadeciaml numbers)

You can use the ‘lsusb -t’ command to list existing usb
devices.

Note: This option allows direct access to host hardware. So it
is no longer possible to migrate such machines — use with
special care.

# lsusb
Bus 001 Device 004: ID 21dd:2112 Kingston Technology
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

В файле /etc/pve/qemu-server/ID.conf

строчку:
usb1:  host=21dd:2112

Перезагрузите виртуальную машину и USB девайс должен стать доступным.

0

Настройка самого быстрого зеркала Centos

Данный плагин предназначен для тестирования скорости до каждого зеркала с последующей сортировкой для использования в YUM. Он устанавливает соединение с каждым зеркалом, время соединения и затем сортирует на быстрые к медленным.

Если используется конфигурация по умолчанию, а так же если вы находитесь не за прокси сервером, то fastestmirror настоятельно рекомендуется (в CentOS 5.3 он установлен по умолчанию).

Чтобы воспользоваться данным плагином, вы должны включить использование плагинов в файле /etc/yum.conf, см. Yum плагины для деталей. Начиная с CentOS 5, плагины включены по умолчанию.

Вы можете установить fastestmirror плагин, используя следующую команду:

yum install yum-plugin-fastestmirror

Или с помощью следующей команды на CentOS 5:

yum install yum-fastestmirror 

После установки fastestmirror, убедитесь, что он включен. Отредактируйте файл /etc/yum/pluginconf.d/fastestmirror.conf и убедитесь, что он содержит следующие строки:

[main]
verbose = 0
socket_timeout = 3
enabled = 1
hostfilepath = /var/cache/yum/timedhosts.txt
maxhostfileage = 1

Чтобы исключить конкретное зеркало, TLD (домен верхнего уровня), или что-то между ними, добавте строку ‘exclude=‘ в /etc/yum/pluginconf.d/fastestmirror.conf:

[main]
...
exclude=.gov, facebook, myspace, junk-mirror.com

С protectbase и fastestmirror плагинами YUM вы получите быстрые обновления с максимальной защитой от случайного повреждения от сторонних репозиториев.

 

Взято от сюда: http://centos.name/?page/howto/FastestMirror/

0

Install a CentOS 6.x Appliance Template in Proxmox

It’s quite easy to install a CentOS 6.0 appliance (template).

  1. Download the precreated template from the OpenVZ site (http://wiki.openvz.org/Download/template/precreated/ ) and store it in the folder /var/lib/vz/template/cache/ of your Proxmox hostnode
  2. Rename the template to <OS>-<OSVERSION>-<NAME>_<VERSION>_<ARCH>.tar.gz to suit Proxmox’ naming convention.
    E.g. centos-6-x86.tar.gz —> centos-6-standard_6.0_i386.tar.gz
    or centos-6-x86_64.tar.gz —> centos-6-standard_6.0_amd64.tar.gz
  3. In the Proxmox Virtual Environment web administrator goto "Virtual Machines -> Create" and use your new template there

Source: http://forum.proxmox.com/archive/index.php/t-6676.html