Sharing

Friday, September 27, 2013

Generate hash value in /etc/shadow


/etc/shadow records each account's password hash. The first field is the user name and the second is the hash; the remaining colon-separated fields hold password-ageing data (days since the epoch of the last change, minimum and maximum age, warning period, inactivity period and expiry date).
echen:$6$D3PHrOW9$tyD6jY830eKaz8ctBXZznSZ8MVdMq.f6VPmFdFSKfy6zNqJtDgNsNWYc42RyAS2VmRBekWN4S1gALcZM9wNbi1:15975:0:99999:7:::

The $id$ prefix of the hash names the algorithm: $1$ is MD5, $5$ is SHA-256 and $6$ is SHA-512 (from man crypt):

$ man crypt
 ID  | Method
─────────────────────────────────────────────────────────
 1   | MD5
 2a  | Blowfish (not in mainline glibc; added in some Linux distributions)
 5   | SHA-256 (since glibc 2.7)
 6   | SHA-512 (since glibc 2.7)

The characters after that, up to the next $, are the salt: a random string stored in the clear next to the hash, D3PHrOW9 in this example (8 characters; SHA-crypt accepts up to 16). Everything after the salt's $ is the hash itself. For $5$ and $6$ the hash is not a single digest of salt plus password: glibc's SHA-crypt mixes password and salt into an initial digest and then re-hashes it 5000 times by default (a rounds=N$ element between the id and the salt changes that count), which is what makes guessing passwords from the hash expensive.
http://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/

The hash can be produced with the following command: -m selects the algorithm, then comes the password to hash (it is hashed, not encrypted), and finally the randomly generated salt. Note that a password given on the command line ends up in the shell history and is visible to other users in the process list; leave that argument out and mkpasswd prompts for it instead.
mkpasswd -m sha-512 MyPAsSwOrD $(openssl rand -base64 16 | tr -d '+=' | head -c 16)

A few ways to produce a random string for a salt or a password. A crypt salt may only use the characters a-z, A-Z, 0-9, '.' and '/', so the first two commands are fine for salts; the last one also emits punctuation and is meant for passwords, not salts.


$ apg -Mcln -a1 -m16
r9yyTyMgAY5M9Lwv
0yo8zsFRL3TSnPzK
ZwbnEPjmi3SBsa0e
6tiAxbCJWJPx2Z2X
VAulxq6hevbirzTs
jHCV7WBiA7CBVwrA

$ openssl rand -base64 16 | tr -d '+='
L6VYvmgovdLScofodk7DPg

$ </dev/urandom tr -dc '_A-Z-a-z-0-9!@#$%' | head -c16; echo ""
LmzB!j4#ah_p8lm7
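As an added example (not code from the post), here is the $6$ computation written out in pure Python, so that a hash like the one above can be checked offline without mkpasswd or crypt(3). It follows the SHA-crypt specification step by step and is checked against the specification's own test vector (password "Hello world!", salt "saltstring"). The function names are this example's own, and only $6$ is handled; for real verification use the system crypt(3) or a maintained library rather than this code.

```python
import hashlib
import hmac

# crypt(3)'s own 64-character alphabet, not the RFC 4648 one
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Encode the 24-bit value b2<<16 | b1<<8 | b0 as n characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) as glibc computes it; returns the string form used in /etc/shadow.

    `salt` is the bare salt (no rounds= element); the round count is passed separately.
    """
    salt = salt.split(b"$", 1)[0][:16]            # glibc stops at '$' and keeps at most 16 bytes
    rounds = max(1000, min(rounds, 999_999_999))  # glibc clamps the round count to this range
    pw_len, salt_len = len(password), len(salt)

    # B = SHA512(password || salt || password)
    b = hashlib.sha512(password + salt + password).digest()

    # A = SHA512(password || salt || B stretched to pw_len || B-or-password per bit of pw_len)
    a = hashlib.sha512(password + salt)
    a.update(b * (pw_len // 64) + b[: pw_len % 64])
    i = pw_len
    while i > 0:
        a.update(b if i & 1 else password)
        i >>= 1
    digest_a = a.digest()

    # P: pw_len bytes cut from SHA512(password repeated pw_len times)
    dp = hashlib.sha512(password * pw_len).digest()
    p = dp * (pw_len // 64) + dp[: pw_len % 64]
    # S: salt_len bytes cut from SHA512(salt repeated 16 + A[0] times)
    ds = hashlib.sha512(salt * (16 + digest_a[0])).digest()
    s = ds * (salt_len // 64) + ds[: salt_len % 64]

    # The slow part: `rounds` chained SHA-512 computations (5000 by default)
    c = digest_a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Emit the 64 digest bytes in glibc's fixed permutation: triples (0,21,42), (22,43,1), ...
    encoded = "".join(
        _b64_from_24bit(c[(22 * k) % 63], c[(21 + 22 * k) % 63], c[(42 + 22 * k) % 63], 4)
        for k in range(21)
    )
    encoded += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return prefix + salt.decode("ascii") + "$" + encoded


def parse_shadow_hash(field: str) -> dict:
    """Split a $id$[rounds=N$]salt$hash field into its parts."""
    if field.startswith(("!", "*")):
        raise ValueError("locked account or no password set; nothing to verify")
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a $id$salt$hash string")
    method, rest = parts[1], parts[2:]
    rounds = 5000
    if rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    return {"id": method, "rounds": rounds, "salt": rest[0], "hash": rest[1]}


def verify(field: str, password: str) -> bool:
    """Check a cleartext password against a $6$ field taken from /etc/shadow."""
    parts = parse_shadow_hash(field)
    if parts["id"] != "6":
        raise ValueError(f"method ${parts['id']}$ is not implemented here (only $6$)")
    computed = sha512_crypt(password.encode(), parts["salt"].encode(), parts["rounds"])
    # compare only the encoded digest, in constant time
    return hmac.compare_digest(computed.rsplit("$", 1)[1], parts["hash"])


if __name__ == "__main__":
    print(sha512_crypt(b"Hello world!", b"saltstring"))
```

Generating a hash and checking it with this code against the output of mkpasswd -m sha-512 for the same password and salt is the quickest way to convince yourself that the two agree; the cost of the 5000 rounds is also a useful reminder of why $6$ rather than $1$ is the sensible choice.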

Monday, September 16, 2013

Percona MySQL server tuning guide from webinar

When: Jul 24, 2013
Where: Percona MySQL Webinar
Presenter: Alexander Rubin, Principal Consultant


Tuning MySQL queries and indexes can significantly increase the performance of your application and decrease response times. In this webinar, Percona Principal Consultant Alexander Rubin will discuss advanced techniques for optimizing MySQL queries. Topics include:
1. GROUP BY and ORDER BY optimization
2. MySQL temporary tables and filesort
3. Using covered indexes to optimize your queries
4. Loose and tight index scans in MySQL

Recorded Video: https://www.youtube.com/watch?v=TPFibi2G_oo

Slides: http://www.percona.com/resources/technical-presentations/advanced-mysql-query-tuning-percona-mysql-webinar

Follow Q&A: http://www.mysqlperformanceblog.com/2013/08/02/advanced-mysql-query-tuning-webinar-followup-qa/

Scan SSL Cipher Suite

SSL Cipher Suite

TLS protocol 1.0 RFC
http://www.ietf.org/rfc/rfc2246.txt
TLS protocol 1.1 RFC
http://www.ietf.org/rfc/rfc4346.txt
TLS protocol 1.2 RFC
http://www.ietf.org/rfc/rfc5246.txt
Elliptic Curve Cryptography (ECC) Cipher Suites
http://www.ietf.org/rfc/rfc4492.txt
Complete list of cipher suite code points (IANA TLS parameters registry)
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml

Server Side SSL Cipher Suite


This site scans your server, grades its SSL configuration and lists the cipher suites it supports:
https://www.ssllabs.com/ssltest/index.html


On Linux there is also the sslscan tool (--no-failed hides the cipher suites the server rejected):
$ apt-get install sslscan
$ sslscan --no-failed www.google.com
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server www.google.com on port 443

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    TLSv1  128 bits  ECDHE-RSA-RC4-SHA

  SSL Certificate:
    Version: 2
    Serial Number: 5892482494032825274
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    Not valid before: Aug 29 12:35:17 2013 GMT
    Not valid after: Aug 29 12:35:17 2014 GMT
    Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Public-Key: (2048 bit)
      Modulus:
          00:8e:b7:62:be:81:a1:02:43:0b:5d:93:66:41:c3:
          69:c7:b1:8f:af:3f:cf:90:88:c3:fa:b6:1f:b7:dd:
          eb:c5:f4:11:e5:81:9f:01:66:3c:eb:c7:4c:16:b8:
          ab:2e:4f:00:1d:58:53:e0:48:55:0f:ef:5f:a9:2b:
          e0:e5:23:d1:52:f0:2b:3a:b7:19:92:f5:42:74:4b:
          7d:60:eb:95:f8:7c:68:c6:c4:66:ec:37:d8:1e:dd:
          0f:01:df:30:6e:c2:25:00:57:36:5e:2c:a5:fd:01:
          54:65:89:60:e8:ab:98:b6:4b:d6:44:0f:8f:f9:27:
          53:5f:51:d9:01:50:7b:aa:2d:0f:da:0d:8d:2a:d8:
          22:c8:a2:e8:77:16:db:fa:f7:0c:42:dd:af:77:3f:
          71:af:d2:92:c5:00:48:41:93:81:1e:61:0f:a8:6b:
          04:96:25:b4:70:2a:da:e6:4a:0d:23:fd:5c:72:0e:
          68:a6:1d:59:e4:78:31:07:c5:8a:9f:75:fd:9a:93:
          8b:70:ba:00:c5:47:c4:fa:2f:8a:14:bd:7b:c7:b4:
          3a:f2:45:d8:1d:6e:38:fd:27:81:15:8f:4c:96:aa:
          45:f8:7c:d6:f2:c0:d9:fc:17:b9:75:3d:14:66:71:
          8e:cf:d4:0b:cb:bf:e3:08:71:5d:88:fa:e5:53:3d:
          41:9f
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Subject Alternative Name: 
        DNS:www.google.com
      Authority Information Access: 
        CA Issuers - URI:http://pki.google.com/GIAG2.crt
        OCSP - URI:http://clients1.google.com/ocsp
      X509v3 Subject Key Identifier: 
        6B:36:89:3B:32:31:63:1B:D7:13:7E:07:BA:4B:3F:E9:27:E9:58:76
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Authority Key Identifier: 
        keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

      X509v3 Certificate Policies: 
        Policy: 1.3.6.1.4.1.11129.2.5.1

      X509v3 CRL Distribution Points: 

        Full Name:
          URI:http://pki.google.com/GIAG2.crl

  Verify Certificate:
    unable to get local issuer certificate

Two things stand out in this scan (September 2013): SSLv3 is still accepted, and the server's preferred cipher under both SSLv3 and TLSv1 is ECDHE-RSA-RC4-SHA; RC4 comes up again under Browser Config below. The closing "unable to get local issuer certificate" only means sslscan could not find the issuer (Google Internet Authority G2) in its local trust store and therefore could not validate the chain; it is not by itself evidence that the certificate is bad.


Client Side SSL Cipher Suite

To find out what the client side supports, see this Chromium thread:
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-reviews/Mvp-tGW2RaI


To test, I've been using Certicom's SECG ECC test server -  http://tls.secg.org/

The exact steps are:
1) Navigate to http://tls.secg.org/
2) Click "Connect Now"
3) Choose secp256p1 (the default)
4) Click Continue (link for 1 - 4: http://tls.secg.org/?action=go&ciphersuite=0&curve=23 )
5) Click "here" to continue ( link: https://tls.secg.org:40023/connect.php )
6) Observe under cipher suites, a list of cipher suites. Some numeric, some
string form. String forms are listed at http://www.iana.org/assignments/tls-parameters/tls-parameters.xml . Without any command line flags, see that TLS_RSA_WITH_RC4_128_MD5 (0x0004) and TLS_RSA_WITH_RC4_128_SHA (0x0005) appear in the list
7) Relaunch chrome with chrome --cipher-suite-blacklist="0x0004,0x0005"
8) Repeat steps 1-5.
9) Observe that neither TLS_RSA_WITH_RC4_128_MD5 nor TLS_RSA_WITH_RC4_128_SHA is listed.


Choose "Connect Now"


Choose the cipher suite to test



The final report also lists every cipher suite the client offered; check it for anything too weak.




Browser Config


RC4 is increasingly regarded as insecure (RFC 7465 later, in 2015, prohibited its use in TLS altogether). To harden the client side, tell the browser not to offer RC4 at all. The RC4 suites in the IANA registry include the following (the registry also has RC4 members in the anonymous-DH and PSK families):

TLS_RSA_WITH_RC4_128_MD5 = { 0x00, 0x04 }
TLS_RSA_WITH_RC4_128_SHA = { 0x00, 0x05 }
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = { 0xC0, 0x02 }
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = { 0xC0, 0x07 }
TLS_ECDH_RSA_WITH_RC4_128_SHA = { 0xC0, 0x0C }
TLS_ECDHE_RSA_WITH_RC4_128_SHA = { 0xC0, 0x11 }
TLS_ECDH_anon_WITH_RC4_128_SHA = { 0xC0, 0x16 }
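An added example, not from the post or the Chromium thread: what the SECG test page reports is the cipher_suites vector of the browser's ClientHello, so here is a minimal builder and parser for that message in Python, using the RC4 table above to flag the weak suites, plus a modelled --cipher-suite-blacklist filter. The sample offer list is constructed, not captured from a browser, and the function names are this example's own; a real ClientHello also carries extensions (SNI, supported curves), which come after the cipher suites and are not modelled here.

```python
import struct

# The RC4 suites listed above, keyed by IANA code point
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}
# A few AES/3DES suites (IANA names) so the constructed hello also offers something acceptable
OTHER_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
SUITE_NAMES = {**RC4_SUITES, **OTHER_SUITES}

# Constructed stand-in for a 2013 browser's preference list (not a capture): RC4 sits near the top
SAMPLE_OFFER = [0xC011, 0xC013, 0xC014, 0x0004, 0x0005, 0x002F, 0x0035, 0x000A]


def build_client_hello(suites, client_random=bytes(32)):
    """Build a minimal TLS 1.0 ClientHello record (RFC 2246 7.4.1.2): no session id, no extensions.

    A real client fills `client_random` with 32 fresh bytes; zeros are used here only for determinism.
    """
    body = struct.pack("!H", 0x0301) + client_random + b"\x00"   # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record: bytes):
    """Return the cipher-suite code points a ClientHello offers, in the client's preference order."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # skip the length-prefixed session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def audit_client_hello(record: bytes):
    """Report (all offered suites as names, the RC4 ones), as the SECG page does for a browser."""
    suites = parse_client_hello(record)
    offered = [SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites]
    rc4 = [RC4_SUITES[s] for s in suites if s in RC4_SUITES]
    return offered, rc4


def apply_blacklist(suites, blacklist):
    """Model of chrome --cipher-suite-blacklist: drop the listed code points, keep the order."""
    return [s for s in suites if s not in blacklist]


if __name__ == "__main__":
    hello = build_client_hello(SAMPLE_OFFER)
    offered, rc4 = audit_client_hello(hello)
    print("offered:", offered)
    print("RC4 suites:", rc4)
    hardened = build_client_hello(apply_blacklist(SAMPLE_OFFER, set(RC4_SUITES)))
    print("after blacklisting all RC4 suites:", audit_client_hello(hardened)[1])
```

The same parser can be pointed at a ClientHello captured with tcpdump (the first TLS record the browser sends) to see exactly what the about:config or --cipher-suite-blacklist change removed; blacklisting only 0x0004 and 0x0005, as in the Chromium thread, still leaves the ECDHE RC4 suite on offer, which is why the whole table above matters.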

Refer to this article to configure the browser:
http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html

I tried Google Chrome several times, following that method, but it had no effect; I suspect Google Chrome has removed this feature. Firefox has a UI for it and turning it off is easy; I tested with https://www.google.com.tw

Before the change the connection used RC4



Go to about:config and set every rc4 entry to false


Reconnect and the cipher is now AES


I hope Google Chrome gets this feature done soon, since most of the time I browse with it. Finally, IE users should follow the link to enable SSL Cipher Suite Order:

  1. Open your group policy editor by entering gpedit.msc at a command prompt.
  2. Choose Computer Configuration | Administrative Templates | Network | SSL Configuration Settings.
  3. There’s only one item here: SSL Cipher Suite Order. Open it.
  4. Select Enabled.



Saturday, September 7, 2013

Update BIOS and Firmware of DELL Server


Among the file formats Dell provides, one is Non-Packaged:
File Format: Non-Packaged Download File Download File
File Name: PE2950-020700C.exe
Description: This file format consists of a BIOS-executable file. To use it, download the file and copy it to a DOS-bootable USB flash drive, then boot the system to the USB flash drive and run the program.

What you need first is a DOS-bootable USB stick; see
http://pjack1981.blogspot.tw/2012/05/create-freedos-bootable-usb-stick.html

Then put the executable on the USB stick, boot from it, switch to C:\ and run it.

DRAC Upgrade

Taking this one as an example, the download includes a plain .img that can be applied through the existing DRAC:
http://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/poweredge-2950?driverId=D8GP9&osCode=LNUX&fileId=3009896401&languageCode=EN&categoryId=SM

File Format: Hard-Drive
File Name: f_drac5v165_A00.exe
Description: This file format consists of an archive of files that may be decompressed to a directory on the hard drive. The installation can then be done from that directory.

Unpacking it yields firmimg.d5; upload that through the DRAC's Firmware Update and you are done.



If the old DRAC is in bad shape and the update fails, fall back to the .BIN package and apply it with the method in the next section:

File Format: Update Package for Red Hat Linux
File Name: Systems-Management_Firmware_D8GP9_LN32_1.65_A00.BIN
Description: Dell Update Packages for Linux can be used as stand-alone applications that ensure that specific validation criteria are met, then apply an update.

BMC and other Firmware Upgrade

Bootable CentOS LiveCD

The approach follows this post; it is old but guaranteed to work:
http://www.niftiestsoftware.com/2012/05/20/upgrading-dell-esm-firmware-on-an-unsupported-os/

1. Download .BIN file

Taking this one as an example:
http://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/poweredge-2950?driverId=4NNNG&osCode=LNUX&fileId=3078114159&languageCode=EN&categoryId=ES

File Format: Update Package for Red Hat Linux
File Name: 2950_ESM_Firmware_4NNNG_LN32_2.50_A00.BIN
Description: Dell Update Packages for Linux can be used as stand-alone applications that ensure that specific validation criteria are met, then apply an update. For more

2. Select a bootable Live CD .iso file

http://linux.dell.com/files/openmanage-contributions/
Basically, anything that boots will do; I used OMSA_55 without problems. Once you have the .iso there are many ways to boot it: burn it to a disc, write it to a bootable USB stick, or mount it through the remote virtual optical drive. If the network is unreliable, write it to a bootable USB stick and put the .BIN from step 1 on it as well, so you can run it right after booting without transferring the .BIN over the network.

Bootable Firmware LiveCD

See this post:
http://en.community.dell.com/techcenter/b/techcenter/archive/2011/08/17/centos-based-livedvd-to-update-firmware-on-dell-servers.asp

From this page you can download the firmware upgrade LiveCD that Dell provides. It boots into a GUI that, besides finding automatically which firmware needs upgrading, also shows the overall hardware status; quite convenient, and a good option when the network is available.
http://linux.dell.com/files/openmanage-contributions/


DELL Repository Manager

See this post:
http://www.vmadmin.co.uk/component/content/article?id=332:dellbiosfirmwareupdaterepomanager

Install Dell's Repository Manager tool; it is Windows-only:
http://www.dell.com/support/drivers/us/en/555/DriverDetails?driverId=XV4NV
Once installed it can build an upgrade LiveCD .iso or an SUU (Server Update Utility). The former installs the firmware you selected automatically as soon as it boots; the latter runs inside the current OS but only supports the RedHat/CentOS family.

Other Reference

http://www.dell.com/support/Manuals/us/en/19/Product/dell-opnmang-srvr-admin-v7.1
http://en.community.dell.com/techcenter/systems-management/w/wiki/1764.openmanage-server-update-utility-suu.aspx



Friday, September 6, 2013

Fully Buffered DIMM, DDR2


Seeing DDR2 RAM still plugged into a server made my jaw drop; what antique is this? Looking it up, it turns out the machine can only take Fully Buffered DIMMs. First time I heard that DDR2 had this special variant for servers.

http://en.wikipedia.org/wiki/Fully_Buffered_DIMM
http://zh.wikipedia.org/wiki/FB-DIMM

And they are still expensive: a 4 GB module costs more than NT$5,000:
http://shop.transcend.com.tw/product/ItemDetail.asp?ItemID=TS512MFB72V6U-T

Amazon is a bit cheaper, but a pair still costs US$240:
http://www.amazon.com/Crucial-Technology-CT2CP51272AF80E-DIMM%C2%A0%C2%A0DDR2-PC2-6400/dp/B001O2JE96/ref=sr_1_15?s=electronics&ie=UTF8&qid=1378488632&sr=1-15


IDE/SATA/SAS Interface

Recommended reading

An introduction to the IDE, SATA and SAS interfaces and to recent enterprise hard-drive applications:

http://www.computerdiy.com.tw/all-articles/articles-hard-drive/2930-sas-sata

Monday, September 2, 2013

wa (Waiting for I/O) from top command is high


Ran into a machine that was very slow. top showed a heavy load, with wa as high as 96.9%, so it looked like an I/O problem.

wa is the share of time the CPU sat idle with an I/O request outstanding, so a value like this means the disk, not the CPU, is the bottleneck. Note the memory figures in the top output below as well: 1 GB of RAM, 2.2 GB of swap in use and only 22 MB of page cache. With that little cache, the 7.3 MB/s of reads on sda in the iostat output further down may well be swap-in rather than application I/O; vmstat 1 (the si/so columns) distinguishes the two, and iotop or pidstat -d 1 shows which processes are issuing the I/O.

$ top
top - 03:08:30 up 34 days, 15:48,  1 user,  load average: 41.70, 43.33, 43.77
Tasks: 323 total,   1 running, 322 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.4%us,  1.4%sy,  0.0%ni,  0.0%id, 96.9%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   1019112k total,   953076k used,    66036k free,     1092k buffers
Swap:  4111356k total,  2204620k used,  1906736k free,    22320k cached

http://serverfault.com/questions/155882/wa-waiting-for-i-o-from-top-command-is-big


$ iostat 1
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.03    0.00    1.03   97.94    0.00    0.00

Device:            tps    kB_read/s    kB_wrtn/s    kB_read    kB_wrtn
scd0              0.00         0.00         0.00          0          0
sda             493.81      7327.84       738.14       7108        716
sdb               0.00         0.00         0.00          0          0
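An added example, not from the post: iostat's tps and kB/s columns are simply differences between two reads of /proc/diskstats, and the same arithmetic yields await and %util (what iostat -x prints), which say directly whether the device is saturated. The two snapshots below are constructed, one second apart and shaped to reproduce the sda figures above, not copied from the machine in the post; the 11-field layout is the classic one from the kernel's Documentation/iostats.txt (newer kernels append discard and flush counters, which this parser ignores), and the function names are this example's own.

```python
# Field order of /proc/diskstats after "major minor name", per Documentation/iostats.txt
FIELDS = [
    "reads", "reads_merged", "sectors_read", "ms_reading",
    "writes", "writes_merged", "sectors_written", "ms_writing",
    "ios_in_progress", "ms_doing_io", "weighted_ms_doing_io",
]

# Two constructed snapshots one second apart (not taken from the machine in the post), shaped
# to reproduce the iostat figures above: ~494 tps and ~7.3 MB/s of reads on sda, sdb idle.
SNAPSHOT_T0 = """\
   8       0 sda 1000 0 100000 10000 500 0 2000 500 0 50000 60000
   8      16 sdb 10 0 80 5 20 0 160 10 0 15 15
  11       0 sr0 0 0 0 0 0 0 0 0 0 0 0
"""
SNAPSHOT_T1 = """\
   8       0 sda 1490 0 114656 18000 504 0 3476 520 3 50990 68000
   8      16 sdb 10 0 80 5 20 0 160 10 0 15 15
  11       0 sr0 0 0 0 0 0 0 0 0 0 0 0
"""


def parse_diskstats(text):
    """Map device name -> counters for every line that carries the 11 classic fields."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 14:          # partition lines on old kernels have fewer fields; skip them
            continue
        stats[parts[2]] = dict(zip(FIELDS, map(int, parts[3:14])))
    return stats


def disk_rates(before, after, interval_s):
    """Derive what iostat prints (tps, kB/s) plus await and %util from two snapshots."""
    rates = {}
    for dev, b in before.items():
        a = after.get(dev)
        if a is None:
            continue
        d = {k: a[k] - b[k] for k in FIELDS}
        ios = d["reads"] + d["writes"]
        rates[dev] = {
            "tps": ios / interval_s,
            "kB_read/s": d["sectors_read"] * 512 / 1024 / interval_s,    # sectors here are always 512 bytes
            "kB_wrtn/s": d["sectors_written"] * 512 / 1024 / interval_s,
            "await_ms": (d["ms_reading"] + d["ms_writing"]) / ios if ios else 0.0,
            "util_pct": min(100.0, d["ms_doing_io"] / (interval_s * 10.0)),  # ms busy per 1000 ms, as a percentage
        }
    return rates


def saturated_devices(rates, util_threshold=90.0):
    """Devices busy more than util_threshold % of the interval: the likely source of a high wa."""
    return sorted(dev for dev, r in rates.items() if r["util_pct"] >= util_threshold)


def sample_live(interval_s=1.0):
    """The same computation on the running machine (Linux only)."""
    import time
    with open("/proc/diskstats") as f:
        t0 = parse_diskstats(f.read())
    time.sleep(interval_s)
    with open("/proc/diskstats") as f:
        t1 = parse_diskstats(f.read())
    return disk_rates(t0, t1, interval_s)


if __name__ == "__main__":
    rates = disk_rates(parse_diskstats(SNAPSHOT_T0), parse_diskstats(SNAPSHOT_T1), 1.0)
    for dev, r in rates.items():
        print(dev, {k: round(v, 2) for k, v in r.items()})
    print("saturated:", saturated_devices(rates))
```

On the constructed data sda comes out at 494 tps, 7328 kB/s read and 99% utilisation with an average request time of about 16 ms, which is the picture a single spinning disk being hammered by swap-in and reads presents; sdb is idle. Running sample_live() on a machine showing the symptoms above gives the same breakdown without needing sysstat installed.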




Sunday, September 1, 2013

Software RAID mdadm



Get Volume List

$ mdadm --detail --scan
ARRAY /dev/md125 metadata=0.90 spares=1 UUID=ad192d4a:114eb1c4:7dadf8c1:9019de71
ARRAY /dev/md127 metadata=0.90 UUID=8b53927c:8e569dae:c589cde9:18eb45a5
ARRAY /dev/md126 metadata=0.90 UUID=ab76aade:4b9bd34d:c589cde9:18eb45a5

Get Volume Detail


$ mdadm --detail /dev/md125
/dev/md125:
        Version : 0.90
  Creation Time : Mon Jul 30 04:13:15 2012
     Raid Level : raid1
     Array Size : 29296576 (27.94 GiB 30.00 GB)
  Used Dev Size : 29296576 (27.94 GiB 30.00 GB)
   Raid Devices : 2
  Total Devices : 3
Preferred Minor : 125
    Persistence : Superblock is persistent

    Update Time : Mon Sep  2 04:12:09 2013
          State : clean 
 Active Devices : 2
Working Devices : 3
 Failed Devices : 0
  Spare Devices : 1

$ mdadm --detail /dev/md127
/dev/md127:
        Version : 0.90
  Creation Time : Wed Oct 17 15:43:53 2012
     Raid Level : raid6
     Array Size : 46884321792 (44712.37 GiB 48009.55 GB)
  Used Dev Size : 1953513408 (1863.02 GiB 2000.40 GB)
   Raid Devices : 26
  Total Devices : 26
Preferred Minor : 127
    Persistence : Superblock is persistent

    Update Time : Mon Sep  2 04:14:36 2013
          State : active, checking 
 Active Devices : 26
Working Devices : 26
 Failed Devices : 0
  Spare Devices : 0

         Layout : left-symmetric
     Chunk Size : 64K

   Check Status : 99% complete

           UUID : 8b53927c:8e569dae:c589cde9:18eb45a5 (local to host osdp-backup1.sjc1)
         Events : 0.120544

Get Checking Progress

$ cat /proc/mdstat 
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10] 
md126 : active raid1 sdb4[1] sda4[0]
      1922262976 blocks [2/2] [UU]
      
md127 : active raid6 sdc1[0] sdw1[20] sdac1[22] sdu1[18] sdm1[10] sdj1[7] sdl1[9] sdab1[25] sdg1[4] sdo1[12] sdt1[17] sdq1[14] sdr1[15] sdp1[13] sdn1[11] sdz1[23] sdv1[19] sde1[2] sds1[16] sdx1[21] sdd1[1] sdi1[6] sdaa1[24] sdf1[3] sdh1[5] sdk1[8]
      46884321792 blocks level 6, 64k chunk, algorithm 2 [26/26] [UUUUUUUUUUUUUUUUUUUUUUUUUU]
      [===================>.]  check = 99.6% (1945938304/1953513408) finish=118.6min speed=1064K/sec
      
md125 : active raid1 sda2[0] sdb2[1] sdaj1[2](S)
      29296576 blocks [2/2] [UU]
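An added example, not from the post: a small parser for /proc/mdstat of the kind a monitoring check would run, using the output above as its sample input plus a constructed degraded array to show what a failure looks like. The function names and the degraded sample are this example's own. In day-to-day operation mdadm --monitor (with MAILADDR set in mdadm.conf) does this alerting for you, and a check like the one in progress above is started by writing "check" to /sys/block/mdX/md/sync_action, which distributions schedule from cron.

```python
import re

# Copy of the /proc/mdstat shown above, used as sample input
MDSTAT_SAMPLE = """\
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md126 : active raid1 sdb4[1] sda4[0]
      1922262976 blocks [2/2] [UU]

md127 : active raid6 sdc1[0] sdw1[20] sdac1[22] sdu1[18] sdm1[10] sdj1[7] sdl1[9] sdab1[25] sdg1[4] sdo1[12] sdt1[17] sdq1[14] sdr1[15] sdp1[13] sdn1[11] sdz1[23] sdv1[19] sde1[2] sds1[16] sdx1[21] sdd1[1] sdi1[6] sdaa1[24] sdf1[3] sdh1[5] sdk1[8]
      46884321792 blocks level 6, 64k chunk, algorithm 2 [26/26] [UUUUUUUUUUUUUUUUUUUUUUUUUU]
      [===================>.]  check = 99.6% (1945938304/1953513408) finish=118.6min speed=1064K/sec

md125 : active raid1 sda2[0] sdb2[1] sdaj1[2](S)
      29296576 blocks [2/2] [UU]

unused devices: <none>
"""

# Constructed failure case (not from the post): one mirror member has been marked faulty
MDSTAT_DEGRADED = """\
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0](F)
      1000000 blocks [2/1] [_U]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+)(?: \([^)]*\))? (?:(raid\d+|linear|multipath) )?(.*)$")
MEMBER_RE = re.compile(r"(\S+?)\[(\d+)\](\([SFWR]\))?")   # sda4[0]; sdaj1[2](S) spare; sda1[0](F) faulty
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")    # [raid devices/working] [U = up, _ = missing]
PROGRESS_RE = re.compile(r"(resync|recovery|check|reshape) = +([\d.]+)%.*?finish=([\d.]+)min speed=(\d+)K/sec")


def parse_mdstat(text):
    """Return {array name: details} for every md device in a /proc/mdstat listing."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            current = arrays[name] = {"state": state, "level": level, "members": [], "spares": [], "failed": []}
            for dev, _slot, flag in MEMBER_RE.findall(members):
                {"(S)": current["spares"], "(F)": current["failed"]}.get(flag, current["members"]).append(dev)
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)
        if s:
            current.update(expected=int(s.group(1)), active=int(s.group(2)), map=s.group(3))
        p = PROGRESS_RE.search(line)
        if p:
            current.update(operation=p.group(1), percent=float(p.group(2)),
                           finish_min=float(p.group(3)), speed_kbs=int(p.group(4)))
    return arrays


def problems(arrays):
    """Findings a monitor would alert on; an empty list means every array is healthy."""
    found = []
    for name, a in arrays.items():
        if a["state"] != "active":
            found.append(f"{name}: state {a['state']}")
        if a.get("active", 0) < a.get("expected", 0) or "_" in a.get("map", ""):
            found.append(f"{name}: degraded, {a.get('active')}/{a.get('expected')} members [{a.get('map')}]")
        if a["failed"]:
            found.append(f"{name}: failed members {', '.join(a['failed'])}")
    return found


def operation_summary(arrays):
    """Progress of any running check/resync/recovery, keyed by array."""
    return {name: f"{a['operation']} {a['percent']}% ({a['finish_min']} min left)"
            for name, a in arrays.items() if "operation" in a}


if __name__ == "__main__":
    for sample in (MDSTAT_SAMPLE, MDSTAT_DEGRADED):
        parsed = parse_mdstat(sample)
        print("arrays:", list(parsed), "| problems:", problems(parsed), "| ops:", operation_summary(parsed))
```

Pointed at the real file (open("/proc/mdstat").read()) this gives the same picture as the three mdadm --detail calls above in one pass, which is convenient on a box with 26-disk arrays; the spare on md125 (sdaj1) is reported separately from the working members so that a spare silently consumed by a rebuild shows up as a change.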
      

Reference

Linux Man Page
Wiki
鳥哥的 Linux 私房菜 (VBird's Linux tutorials)