csgoserver: Counter Strike: Global Offensive Linux Server Manager

http://danielgibbs.co.uk/scripts/csgoserver/

About csgoserver

csgoserver is a command line tool for quick, simple deployment and management of a Counter Strike: Global Offensive Linux dedicated server.

Current Version: 251213

Main features

  • Server installer (SteamCMD)
  • Start/Stop/Restart server
  • Server updater (SteamCMD)
  • Server monitor (including email notification)
  • Server backup
  • Server console

Compatibility

The Linux Server Manager is tested to work on the following Linux systems.

  • Debian based distros (Ubuntu, Mint etc.)
  • Redhat based distros (CentOS, Fedora etc.)

The scripts are written in BASH and Python and would probably work with other distros.

Installation

The installer will automatically download and configure a Counter Strike: Global Offensive server.

Prerequisites

Before installing, please ensure you have all the dependencies required to run the script.

Ubuntu

Ubuntu 32-bit

apt-get install gdb mailutils postfix

Ubuntu 64-bit

apt-get install gdb mailutils postfix lib32gcc1

Debian

Debian 32-bit

apt-get install gdb mailutils postfix tmux ca-certificates

Debian 64-bit

dpkg --add-architecture i386
apt-get update
apt-get install gdb mailutils postfix tmux ca-certificates lib32gcc1

RHEL 6/CentOS 6

Note: EPEL repository or equivalent is required.
http://fedoraproject.org/wiki/EPEL

RHEL 6/CentOS 6 32-bit

yum install gdb mailx wget nano tmux

RHEL 6/CentOS 6 64-bit

yum install gdb mailx wget nano tmux glibc.i686 libstdc++.i686

Install

1. Create a user and login

adduser csgoserver
passwd csgoserver
su - csgoserver

2. Download the script

wget https://raw.github.com/dgibbs64/linuxgameservers/master/CounterStrikeGlobalOffensive/csgoserver

3. Make it executable

chmod +x csgoserver

4. Run the installer and follow the instructions

./csgoserver install

Usage

Running the server

Start the server

./csgoserver start

Stop the server

./csgoserver stop

Restart the server

./csgoserver restart

Updating the server

The server can be updated automatically using SteamCMD. The update option will stop the server, run the SteamCMD update and start the server again.

./csgoserver update

Monitoring the server

The script can monitor the server to ensure it is online. Should the server go offline, the monitor will attempt to start it again.

./csgoserver monitor

Note: see Automation on how to get monitor to run automatically.

Game Server Query Plugin

The Game Server Query plugin adds improved monitoring over the standard monitoring feature.

gsquery.py queries the server to see if it responds with its server details. If it fails to respond, the server will be restarted.

This is particularly useful if a server has locked up or frozen but the server instance/process is still running.

Install Game Server Query Plugin

Download gsquery.py to the same directory as the main script.

wget https://raw.github.com/dgibbs64/linuxgameservers/master/GameServerQuery/gsquery.py

Make it executable

chmod +x gsquery.py

To test that it works, run monitor and it will state that gsquery.py was detected.

Email notification

Monitoring can send you an email, should the server go offline, and report details of the issue. See example email below:

[Image: example notification email]

Enable email notification

nano csgoserver
# Notification Email
# (on|off)
emailnotification="on"
email="email@example.com"

Test email notification

You can test email notifications are working without restarting the server.

./csgoserver email-test

Debug mode

Use debug mode to help you if you are having issues with the server. Debug mode prints the server's output directly to your terminal, allowing you to diagnose any problems the server might be having.

./csgoserver debug

Server Details

If you need to get all main server details you can use the following command.
You will be given the following details if applicable to your server:

  • Server Name
  • Server Ports
  • Rcon Password
  • WebAdmin Username
  • WebAdmin Password

This can be very useful if you have forgotten your server's details.

./csgoserver details

Console mode

Console allows you to view the live console of a server as it is running and to enter commands into it.

./csgoserver console

To exit the console press “CTRL+b d”
Note: pressing “CTRL+c” will terminate the server

Backup

Backup will allow you to create a complete gzip archive of the whole server.

This is designed to allow you to back up before making changes to the server, just in case there is a problem.

Note: this is not designed to be an automated backup solution

./csgoserver backup

Automation

You can use cronjobs to automate the process of updating and monitoring the server. You can either run the cronjob as root or as the csgoserver user.

Server update

Update the server at 5am daily.

Root Cronjob

crontab -e
0       5       *       *       *  su - csgoserver -c '/home/csgoserver/csgoserver update' > /dev/null 2>&1

csgoserver Cronjob

crontab -e
0       5       *       *       *  /home/csgoserver/csgoserver update > /dev/null 2>&1

Server Monitor

Check every 5 minutes that the server is online.

Root Cronjob

crontab -e
*/5       *       *       *       *  su - csgoserver -c '/home/csgoserver/csgoserver monitor' > /dev/null 2>&1

csgoserver Cronjob

crontab -e
*/5       *       *       *       *  /home/csgoserver/csgoserver monitor > /dev/null 2>&1

Configuration

Start parameters

If you need to adjust the start parameters you can edit the ‘parms’ variable under ‘Start vars’ in the script.

parms="-game csgo -console -usercon +game_type 0 +game_mode 0 +mapgroup mg_bomb +map ${defaultmap}"

See this link for all available start parameters.
https://developer.valvesoftware.com/wiki/Command_Line_Options#Source_Dedicated_Server

Config File

The server has a default config file that will allow you to edit many different settings.

To find the config file use the details command.

./csgoserver details

Default ports

Gameport (Inbound): 27015 UDP
Source TV (Inbound): 27020 UDP
Client Port (Outbound): 27005 UDP

Should you need to change a port, edit the start variables and amend the port to meet your requirements.

port="27015"
sourcetvport="27020"
clientport="27005"

Multiple Servers

It is possible to run multiple server instances.

I recommend repeating the installation, but create a second user account and change the default ports.

Running as root

The script will not run as root and will error if you try. This is for security and to stop permissions issues. For example, if you run update as root any changed files are then owned by root. This means the csgoserver user will be unable to access the updated files causing the server to fail.

Useful Resources

Here are some useful resources that will help with management and configuration of your server.

Server wiki article: https://developer.valvesoftware.com/wiki/Counter-Strike:_Global_Offensive_Dedicated_Servers
CLI options wiki article: https://developer.valvesoftware.com/wiki/Command_Line_Options
SteamCMD wiki article: https://developer.valvesoftware.com/wiki/SteamCMD

Issues and troubleshooting

If you find a bug or have a suggestion, please submit a bug report on GitHub.

https://github.com/dgibbs64/linuxgameservers/issues

If you have a question about the server that is not related to the script, please check the game's official website.

http://steampowered.com

If you are having issues getting the script to work you probably haven’t followed the instructions correctly. If you are sure you have then please leave a comment below.

GitHub

This script is developed using GitHub; you can view the full project here:

https://github.com/dgibbs64/linuxgameservers

Further notes

This script is free to use and you are welcome to customise and change it. I hope the script makes it easier to manage a Counter Strike: Global Offensive server.

Donate

Found my work helpful? Show your appreciation. Please consider donating and help cover my server costs.

PayPal: me@danielgibbs.co.uk

Spread the Word

You can help by spreading the word by letting people know about this script.
Tell your friends, Tweet, Facebook, post on forums or write a blog post.

Also, I am interested to know if you are using this script; tweet me.

@dangibbsuk

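Installing PHP 5.4 on CentOS/RHEL 6.2 with YUM

This article applies to installing PHP 5.4 on all versions of CentOS 6 and Red Hat Enterprise Linux 6. I tested the installation on a 32-bit CentOS 6 system.

Source: PHP 5.4 on CentOS/RHEL 6.2 via Yum http://www.webtatic.com/packages/php54/

PHP 5.4 was released on 8 May 2012. Starting with PHP 5.4.0, PHP added some new features, such as:

  • Traits support
  • A simple built-in web server
  • Short array syntax
  • Array access directly on function return values
  • Final removal of magic methods and safe mode

You can see the changelog here.

Here we use the Webtatic EL6 YUM repository to install PHP 5.4. First, install the Webtatic EL6 YUM repository:

rpm -Uvh http://repo.webtatic.com/yum/el6/latest.rpm

Install PHP 5.4:

yum install php54w

If the installation fails, it is recommended that you uninstall the previous PHP first and then install again, using yum remove php php-*

List of bundled PHP extensions: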
Package Provides
php54w mod_php
php54w-bcmath
php54w-cli php-cgi, php-pcntl, php-readline
php54w-common php-api, php-bz2, php-calendar, php-ctype, php-curl, php-date, php-exif, php-fileinfo, php-ftp, php-gettext, php-gmp, php-hash, php-iconv, php-json, php-libxml, php-openssl, php-pcre, php-pecl-Fileinfo, php-pecl-phar, php-pecl-zip, php-reflection, php-session, php-shmop, php-simplexml, php-sockets, php-spl, php-tokenizer, php-zend-abi, php-zip, php-zlib
php54w-dba
php54w-devel
php54w-embedded php-embedded-devel
php54w-enchant
php54w-fpm
php54w-gd
php54w-imap
php54w-interbase php_database, php-firebird
php54w-intl
php54w-ldap
php54w-mbstring
php54w-mcrypt
php54w-mssql
php54w-mysql php-mysqli, php_database
php54w-odbc php-pdo_odbc, php_database
php54w-pdo
php54w-pgsql php-pdo_pgsql, php_database
php54w-process php-posix, php-sysvmsg, php-sysvsem, php-sysvshm
php54w-pspell
php54w-recode
php54w-snmp
php54w-soap
php54w-tidy
php54w-xml php-dom, php-domxml, php-wddx, php-xsl
php54w-xmlrpc
php54w-zts
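Since these are all the extensions Webtatic currently provides for PHP 5.3, PHP 5.4 gets the same set. Other extensions such as opcode caches are not available yet, but Webtatic will work to release them as soon as possible.

Notes

In the latest version, E_ALL in error_reporting now includes E_STRICT, so more warnings and error messages will appear. By default error_reporting is off, but if you upgraded from an older PHP version, php.ini may not have been updated and error_reporting may still be enabled.

Installing or upgrading to PHP 5.4 on CentOS 5

Because CentOS 5 is an outdated release that is used less and less, and porting PHP 5.4 to CentOS 5 would take a lot of work, it probably will not get done.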

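Linux host security checks

Check the distribution version; some versions may contain specific vulnerabilities.
/etc/debian_version
/etc/redhat-release
/etc/fedora-release
lsb_release -a # Ubuntu
Check the kernel version:
uname -a
Check the uptime; the uptime shows how long the kernel has gone without an upgrade.
uptime # check last kernel upgrade
Check the time zone:
cat /etc/timezone
Time service:
ps aux|grep ntp
Time service log:
ntpq -p -n
List the installed packages; you may find vulnerable versions:
dpkg -l

Find executables with the setuid bit set:
find / -perm -u+s 2>/dev/null
Login logging:
/etc/rsyslog.conf

View the network interfaces:
ip addr
Check whether DNS has been changed:
cat /etc/resolv.conf
View the hosts file:
cat /etc/hosts

TODO: export shell
Check the permissions of sensitive files:
/etc/shadow
/etc/shadow.backup
/etc/mysql/my.cnf
Backup files

Check applications that run with root privileges:
find / -perm -4000 -ls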

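Check the users:
cat /etc/passwd
Check whether any user's UID and GID are 0:0; 0:0 means the user is root after logging in.
Confirm that users who do not need to log in have /bin/false or /bin/nologin as their shell.

Check the shadow file:
cat /etc/shadow
Password hashes beginning with $ and $1$ are DES and MD5 hashes respectively and should be changed.
As an aside:
While checking a shadow file I came across this line: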

root:$6$BPoThzPl$2FDtPs0iYJfIBWVG1Z1BxuzSD7ZYTN.wdjkqyo7R0NlqgRiY9s0qsyQT1PhN.qfLYwYZglpzK72e4sU5Khr1B.:15664:0:99999:7:::

The corresponding username and password are root:toor
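
The account checks above can be run in one pass over copies of the two files. This is an added example, not part of the original article: the sample entries are constructed, the 1000 cut-off for system accounts is an assumption, and the scheme labels follow the $id$ prefixes used by crypt(3), where traditional DES hashes carry no prefix.

```python
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
WEAK = {"DES", "MD5"}
NOLOGIN = {"/bin/false", "/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin"}

def hash_scheme(field):
    """Classify the password field (second column) of a shadow entry."""
    if field == "":
        return "EMPTY"       # account needs no password
    if field[0] in "!*":
        return "LOCKED"      # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "UNKNOWN")
    # Traditional DES crypt has no $id$ prefix: 2 salt + 11 hash characters.
    return "DES" if len(field) == 13 else "UNKNOWN"

def audit_accounts(passwd_text, shadow_text, first_human_uid=1000):
    """Return (user, finding) pairs. first_human_uid is an assumed cut-off."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        scheme = hash_scheme(shadow.get(name, "*"))
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if scheme in WEAK:
            findings.append((name, f"weak {scheme} password hash"))
        if scheme == "EMPTY":
            findings.append((name, "empty password"))
        if 0 < uid < first_human_uid and shell not in NOLOGIN:
            findings.append((name, f"system account with login shell {shell}"))
    return findings

# Constructed sample data; the hash strings are placeholders, not real hashes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
mysql:x:105:110:MySQL Server:/var/lib/mysql:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:$6$CONSTRUCTED$placeholderhash:15664:0:99999:7:::
toor:$1$CONSTRUCTED$placeholderhash:15664:0:99999:7:::
www-data:*:15664:0:99999:7:::
mysql:!:15664:0:99999:7:::
alice:XXconstructed:15664:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{user}: {finding}")
```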

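Check the permissions of chown and chmod; ordinary users should not be able to access these two commands.

Check the sudo configuration file:
egrep -v '^#|^$' /etc/sudoers

View open ports and the processes that own them:
# lsof -i TCP -n -P
# lsof -i UDP -n -P

Disable remote root login over SSH:
echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
Force SSH to use the newer protocol version:
echo 'Protocol 2' >> /etc/ssh/sshd_config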
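
sshd keeps the first value it reads for each keyword, so a directive appended with >> is ignored when the file already sets that keyword earlier. The following check is an added example, not part of the original article; the sample configurations are constructed and the function names are illustrative.

```python
import re

ROOT_LOGIN_VALUES = {"yes", "no", "prohibit-password", "without-password",
                     "forced-commands-only"}
LINE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)")

def effective_options(config_text):
    """Return {keyword: value} for the global section; the first value wins."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        keyword, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        if keyword.lower() == "match":
            break  # Match blocks are conditional and not evaluated here
        effective.setdefault(keyword.lower(), value)  # keywords are case-insensitive
    return effective

def check_sshd(config_text):
    """Return a list of problems with the two settings discussed above."""
    eff = effective_options(config_text)
    problems = []
    root = eff.get("permitrootlogin")
    if root is None:
        problems.append("PermitRootLogin is not set; the built-in default applies")
    elif root.lower() not in ROOT_LOGIN_VALUES:
        problems.append(f"PermitRootLogin '{root}' is not a valid value")
    elif root.lower() != "no":
        problems.append(f"PermitRootLogin is '{root}', not 'no'")
    if eff.get("protocol", "2") != "2":
        problems.append(f"Protocol is '{eff['protocol']}', not '2'")
    return problems

# Constructed sample: the hardening lines were appended after existing settings.
APPENDED = """Port 22
Protocol 2,1
PermitRootLogin yes
# lines appended later with >>
PermitRootLogin no
Protocol 2
"""
# Constructed sample: the settings appear once, with the intended values.
HARDENED = """Port 22
Protocol 2
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("hardened", HARDENED)):
        print(name, check_sshd(text) or "ok")
```

After editing the real file, `sshd -t` checks it for unknown keywords and invalid values before the daemon is restarted.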

If remote access to MySQL is not needed, bind MySQL to 127.0.0.1:
cat /etc/mysql/my.cnf
[mysqld]
bind-address = 127.0.0.1

MySQL login:

mysql -u root # is there a host with no password?

Check the MySQL version:

select @@version;

View MySQL users and passwords:

select Host, User, Password from mysql.user;

View a MySQL password hash:

select password('admin');

Check MySQL file-write privileges:

SELECT user,file_priv FROM mysql.user WHERE FILE_PRIV='Y';

Check which user Apache runs as:
ps aux|grep apache
This can also be found in the Apache configuration files:

# cat /etc/apache2/envvars
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

Verify the file permissions under the website directory:

# ls -lR /var/www/
/var/www/wordpress/:
total 125
-rwxrwxrwx 1 www-data www-data 395 Jul 11 07:02 index.php
-rwxrwxrwx 1 www-data www-data 19929 Jul 11 07:02 license.txt

The file permissions in this example should be changed to -rwxr--r--

Stop Apache from disclosing its version in HTTP headers; this is the location of the setting on Debian:

# printf 'ServerTokens Prod\nServerSignature Off\n' >> /etc/apache2/conf.d/security

Disable directory listing:
cat /etc/apache2/sites-enabled/000-default

# Inside the site's <Directory> block; Indexes is left out of Options so directory listings are not generated
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
deny from all

PHP settings:
display_errors Off
error_reporting E_ALL
log_errors On
safe_mode On
Disable functions: eval, exec, passthru, shell_exec, system, proc_open, popen.
allow_url_ Off.

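8 simple ways to speed up WordPress

WordPress is a great open-source program; by a rough estimate, about 80% of the webmaster friends I know use WordPress. But great does not mean perfect: among these same friends, almost everyone complains that WordPress is too bloated and runs too inefficiently. Do you feel the same?

So in today's post I am sharing 8 tips to improve WordPress performance. If you apply these methods and find that they really help, please share this post with more people. And of course, out of respect for the work involved, please credit the source.

1. Use an efficient caching plugin

WordPress plugins are very useful. I recommend one caching plugin that improves page load time: W3 Total Cache. With this plugin I will not recommend any other caching plugin, because it has every feature the other caching plugins have, and it is very easy to install and use.

With this plugin your pages will load faster, because the main elements of the site are already cached.

2. Use a content delivery network (CDN)

Basically all the big websites you like use a CDN. Put simply, a CDN publishes the files on your site (CSS, JS, images and so on) to the network region closest to the user, so that users download from nearby, which speeds up the site. In China, ChinaCache is a relatively well-known CDN provider, though its prices are somewhat high; the major portals such as Tencent, Sina and NetEase all use ChinaCache. So wherever you are, these portals feel fast. Of course, for a small site the cost may be rather high.

So whether you are in the south, the north or North America, these portals feel fast when you visit them, and one of the main reasons is that the CDN is doing its job. Small websites generally cannot afford this service, so if it is a little slow, so be it; you can rent space in an interconnected 6-line data center (a 6-line data center is a backbone IDC data center with multi-line access including China Netcom, China Telecom, China Tietong, China Mobile, China Unicom and the education network, a high-speed facility that eliminates regional network bottlenecks and keeps Internet access unobstructed).

By the way, there is also a WordPress plugin called Free-CDN that claims to achieve a similar effect, although I have not tested it yet…

3. Image optimization matters

Yahoo! has an image optimization tool called Smush.it that can losslessly compress images as far as possible. However, unless you are extremely patient, compressing images one by one wastes too much time. Fortunately, there is a very capable WordPress plugin called WP-SmushIt, which can compress all the images on your site in one go, so there is no reason not to use it.

4. Optimize your WordPress database

You can use the WP-Optimize plugin to optimize your WordPress database (cleaning up spam, post revisions, drafts, tables and so on to free up space on your server and improve efficiency); there are also other plugins such as WP-CleanerDB-Manger.

5. Enable hotlink protection

Hotlinking is bandwidth theft. When other websites reference images on your site directly, it consumes your own server's resources and so affects how well your site runs; the better known your site is, the more people will hotlink your images. The solution is a ready-made WordPress plugin, Hotlink Protection. You can also achieve the same effect by rewriting the .htaccess file; readers who want to know more can ask their hosting provider how to set it up.

6. Add expiry times to files

File expiry time sounds mysterious, but it simply means using response headers to specify how long files of a given type are cached in the browser. Some files (for example background images referenced from style sheets and some decorative images) do not change much over a long period, so for such files we may as well set a longer cache time; the browser then does not need to download them from the server every time and reads them straight from its cache, which definitely improves load speed.

It is simple to do: just add the following code to the site's .htaccess file: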

  
ExpiresActive On
ExpiresDefault A600
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A604800
ExpiresByType text/css A604800
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType text/plain A86400
ExpiresByType application/x-shockwave-flash A2592000
ExpiresByType video/x-flv A2592000
ExpiresByType application/pdf A2592000
ExpiresByType text/html A600

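A brief explanation: text/css means style sheet files, text/plain means plain text files, and so on. A2592000 is the time this type of file is cached in the browser, in seconds. A day is 86400 seconds, so 2592000 means this type of file can be cached for 30 days.

If you do not modify your theme often, style sheet and JavaScript files can also be cached for around a week to a month. Do not set too long a cache time for text/html files, because they change frequently; refreshing once a day is necessary.

7. Add lazy loading to your images

Lazy loading means that while the user stays on the first screen, no images below the first screen are loaded; those images only start to load when the user scrolls down. This not only speeds up site loading but also saves bandwidth. To get this feature easily, install the jQuery Image Lazy Load plugin for WordPress.

8. Limit the number of stored post drafts

I usually save more than 10 drafts of a post, and WordPress stores every draft without limit. Once my post is published, why would I still need these stored drafts? That is why I use the Revision Control plugin to keep this draft content to a minimum. I usually set it to store only 2-3 drafts just in case, but the number stored is never too high; otherwise your WordPress backend will just fill up with this meaningless content and run less efficiently.

That's all for today's post. I hope it helps. These points are not only useful for WordPress; they work equally well for other open-source sites. :-)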

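Automatic import of local Group Policy and security policy

Yesterday I received a request: the company requires servers to have certain mandatory security policies deployed, and wanted a convenient way to deploy them on servers that are not joined to a domain.

First, extract from the policies to be deployed those items that can be implemented through Group Policy or security policy, as shown in the table (partial, for demonstration):

No. Requirement
1 "Password must meet complexity requirements": select "Enabled"
2 "Maximum password age": set to "90 days"
3 "Account lockout threshold": set to less than or equal to 6 attempts
4 "Force shutdown from a remote system": set to "assigned only to the Administrators group"
5 "Shut down the system": set to "assigned only to the Administrators group"
6 "Take ownership of files or other objects": set to "assigned only to the Administrators group"
7 Audit logon events: audit both success and failure.
8 "Audit policy change": audit both "Success" and "Failure"
9 "Audit object access": audit both "Success" and "Failure"
10 "Audit directory service access": audit both "Success" and "Failure"
11 "Audit directory service access": audit both "Success" and "Failure"
12 "Audit system events": audit both "Success" and "Failure"
13 "Audit account management": audit both "Success" and "Failure"
14 "Audit process tracking": audit "Failure"
15 "Microsoft network server": set "Amount of idle time required before suspending session" to 15 minutes.
16 Enable the screen saver, set the wait time to "5 minutes", and enable "On resume, password protect".
17 "Turn off Autoplay" on all drives

The first 15 items in the table are security policies, item 16 is a computer-configuration policy in Group Policy, and item 17 is a user-configuration policy. The following was analyzed and tested only on the Windows 2003 platform.

    I. Security policies can be deployed with the following steps:

:: On a test machine, first change the policies manually with gpedit.msc (the first 15 items in the table), then export the current policy with the following command

secedit /export /cfg sec.inf

:: Edit sec.inf in a text editor, removing everything that does not need adjusting and keeping only the policies to be customized

The inf file content for the 15 policies in the table is as follows: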

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 6
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
[Privilege Rights]
seremoteshutdownprivilege = *S-1-5-32-544
seshutdownprivilege = *S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544

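:: Generate an sdb file with the following command

secedit /configure /db  sec.sdb  /cfg sec.inf

:: Apply the customized policies to the target server with the following command. Do not use the /overwrite parameter, otherwise all policies other than the customized ones will be lost

secedit /configure /db sec.sdb

:: Refresh Group Policy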

gpupdate /force
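
Before the edited sec.inf is turned into sec.sdb and pushed to other servers, it can be checked against items 1-15 of the requirement table. The following check is an added example, not part of the original article: it takes the template as text (a real secedit export is UTF-16 and has to be decoded first), the sample template is constructed with three deviations, and the function names are illustrative.

```python
import configparser

ADMINS = "*S-1-5-32-544"  # well-known SID of the built-in Administrators group
AUTODISCONNECT = r"machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect"
AUDIT_BOTH = ("AuditSystemEvents", "AuditLogonEvents", "AuditObjectAccess",
              "AuditPolicyChange", "AuditAccountManage", "AuditDSAccess")
PRIVILEGES = ("seremoteshutdownprivilege", "seshutdownprivilege", "setakeownershipprivilege")
def _num(pred):
    return lambda v: v.strip().isdigit() and bool(pred(int(v)))
# Items 1-15 of the table. Audit values: 1 = success, 2 = failure, 3 = both.
RULES = {
    ("System Access", "PasswordComplexity"): _num(lambda n: n == 1),
    ("System Access", "MaximumPasswordAge"): _num(lambda n: n == 90),
    ("System Access", "LockoutBadCount"): _num(lambda n: 1 <= n <= 6),  # 0 = never lock out
    ("Event Audit", "AuditProcessTracking"): _num(lambda n: n & 2),
    ("Registry Values", AUTODISCONNECT): lambda v: v.replace(" ", "") == "4,15",
}
RULES.update({("Event Audit", k): _num(lambda n: n == 3) for k in AUDIT_BOTH})
RULES.update({("Privilege Rights", k):
              (lambda v: {s.strip() for s in v.split(",")} == {ADMINS}) for k in PRIVILEGES})

def check_template(inf_text):
    """Return the settings that are missing or do not meet the requirement."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(inf_text)
    failures = []
    for (section, key), ok in RULES.items():
        value = cp.get(section, key, fallback=None)
        if value is None or not ok(value):
            failures.append(f"[{section}] {key} = {value}")
    return failures

# Constructed template with three deviations from the table.
SAMPLE = r"""[System Access]
MaximumPasswordAge = 90
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 3
[Registry Values]
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
[Privilege Rights]
seremoteshutdownprivilege = *S-1-5-32-544
seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-545
setakeownershipprivilege = *S-1-5-32-544
"""
if __name__ == "__main__":
    print("\n".join(check_template(SAMPLE)))
```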

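    II. Applying the other Group Policy settings

I previously looked into applying Group Policy with the gpcvreg and gpscript command-line programs and wrote an AutoIt3 UDF for it, which comes in handy here.
Change policies 16 and 17 on the test machine with gpedit.msc and, without closing gpedit.msc, use regedit to look under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects; work out the corresponding settings and save them as .reg files.

machine.reg, disables Autoplay on all drives

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

user.reg, customizes the screen saver settings

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="300"
"SCRNSAVE.EXE"="scrnsave.scr"

III. Batch application script

With the sec.sdb, machine.reg and user.reg files in hand, and the poledit.au3 UDF I wrote earlier, the following script is all that is needed to apply the policies listed above automatically.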


#RequireAdmin
#NoTrayIcon
#include "PolEdit.au3"

If FileExists("sec.sdb") Then RunWait(@ComSpec & " /c " & "secedit /configure /db sec.sdb", @ScriptDir, @SW_HIDE)
_RegWriteToPol("machine.reg", "MACHINE", 1)
_RegWriteToPol("user.reg")
_gpupdate()