Posts in the Software category

Sep 19

I'll keep updating this record; my memory is too bad now that I'm getting old. :sad: :sad: :sad:

# Strengthen the random entropy pool
sudo apt install haveged

# Enable BBR
sudo nano /etc/sysctl.conf

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

sudo sysctl -p

# shadowsocks official tweak
sudo nano /etc/sysctl.conf

# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
net.ipv4.tcp_congestion_control = hybla

# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic

# for 4.9+
# net.ipv4.tcp_congestion_control = bbr

sudo vim /etc/security/limits.conf

* soft nofile 81920
* hard nofile 81920
www-data soft nofile 81920
www-data hard nofile 81920
root soft nofile 81920
root hard nofile 81920

sudo nano /etc/pam.d/common-session

session required pam_limits.so

# Give programs permission to listen on privileged (low) ports
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/sbin/overture
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/caddy

# Ubuntu: allow all inbound and outbound traffic
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F
sudo netfilter-persistent save
sudo systemctl restart netfilter-persistent

# Enable rc.local
sudo nano /etc/systemd/system/rc-local.service

[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target

printf '%s\n' '#!/bin/bash' 'exit 0' | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local
sudo systemctl enable rc-local
sudo systemctl start rc-local.service
sudo systemctl status rc-local.service

# Change DNS
sudo nano /etc/netplan/50-cloud-init.yaml

nameservers:
    addresses: [8.8.8.8, 8.8.4.4]    # Google; or use Cloudflare: [1.1.1.1, 1.0.0.1]

sudo netplan apply    (or, to see what goes wrong: sudo netplan --debug apply)


Sep 18

For how to apply, see: Apply for Oracle Cloud Always Free services + $300 trial credit. The SSH part of that article is wrong, though: when creating the instance you need to paste in the generated public key, and the private key is what you use to log in from the client.

Test result: availability is not great. :roll: :roll: :roll:

[Image: 2019-09-18_001233.jpg]


Sep 16

Maximum Wan->Lan throughput:

RT-N16 without bcm_nat ~100-120Mbps
RT-N16 with bcm_nat ~ 170Mbps
RT-N66U/AC66u without bcm_nat ~240Mbps
RT-N66U/AC66u with bcm_nat ~320Mbps
RT-N18u/AC56u/AC68u without CTF ~330Mbps
RT-N18u/AC56u/AC68u with CTF ~600Mbps
R7000 without CTF ~410Mbps
R7000 with CTF ~950Mbps

But if you load the CPU with any other services, throughput will be much lower. USB support is the most CPU-intensive service, and it is not just samba/ftp/torrents: if you keep syslog, the bandwidth monitor, etc. on a USB device, that also loads the CPU.


Sep 14

First look at this script:

#!/bin/bash
alias elog="logger -t $0 -s"
elog() {
    logger -t $0 -s "$@"
}
elog "hahahaha"
test123(){
    elog "i am in function!"
}
test123

After running it, you get:

elog: command not found

If you change it to #!/bin/sh there is no problem:

#!/bin/sh
alias elog="logger -t $0 -s"
elog() {
    logger -t $0 -s "$@"
}
elog "hahahaha"
test123(){
    elog "i am in function!"
}
test123

After executing:

<13>Sep 14 11:59:48 /root/init.d/testme: hahahaha
<13>Sep 14 11:59:48 /root/init.d/testme: i am in function!

Reference: Execute a passed alias inside a function?

Aliases are expanded when a command is read, not when it is executed. Therefore, an alias definition appearing on the same line as another command does not take effect until the next line of input is read. The commands following the alias definition on that line are not affected by the new alias. This behavior is also an issue when functions are executed. Aliases are expanded when a function definition is read, not when the function is executed, because a function definition is itself a compound command. As a consequence, aliases defined in a function are not available until after that function is executed. To be safe, always put alias definitions on a separate line, and do not use alias in compound commands.

Changed to the function form:

#!/bin/bash
elog() {
    logger -t $0 -s "$@"
}
elog "hahahaha"
test123(){
    elog "i am in function!"
}
test123

Works. :roll: :roll: :roll:

See also: The problem of alias not taking effect in a Linux environment
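To make the quoted rule concrete, here is an added example (not from the original post) that runs three tiny scripts under /bin/sh from Python: the alias defined on the same line as the function that uses it, the alias defined on its own line before the function is read, and a plain function wrapper. It assumes /bin/sh is a POSIX shell (dash, ash, or bash in POSIX mode) and uses echo in place of logger so it runs anywhere.

```python
"""Added example: alias expansion timing in /bin/sh, driven from Python."""
import subprocess

# Case A (constructed): alias and the function that uses it on ONE line.
# The alias is not in effect when the function body is parsed, so "greet"
# is an unknown command when f runs.
SAME_LINE = 'alias greet="echo hi"; f() { greet; }; f'

# Case B (constructed): alias on its own line BEFORE the function is read.
# A POSIX shell expands it while reading the definition of f.
SEPARATE_LINE = 'alias greet="echo hi"\nf() { greet; }\nf'

# Case C (constructed): a function instead of an alias. It is looked up when
# f executes, so neither ordering nor the shell flavour matters.
FUNCTION = 'greet() { echo hi; }; f() { greet; }; f'


def run_sh(script: str) -> bool:
    """Return True when the script printed 'hi', i.e. the wrapper resolved."""
    proc = subprocess.run(["/bin/sh", "-c", script],
                          capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip() == "hi"


def results() -> dict:
    """Run all three cases and report which wrapper style worked."""
    return {
        "same_line": run_sh(SAME_LINE),
        "separate_line": run_sh(SEPARATE_LINE),
        "function": run_sh(FUNCTION),
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name}: {'ok' if ok else 'command not found'}")
```

Only the function form works regardless of shell; that is why the fix above drops the alias entirely.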


Sep 13

Since 1.5rc4, Overture uses regular expressions by default to match the domain lists, and this directly causes a sharp performance drop for instances running on routers.

Take an Asus RT-AC68P as an example. With gfwlist and dnsmasq-china-list enabled and the default regex-list matcher:

"DomainFile": {
  "Primary": "/opt/etc/chinalist",
  "Alternative": "/opt/etc/gfwlist",
  "Matcher": "regex-list"
}

the query time for overseas sites jumps from a few hundred milliseconds (300~800 ms) to 1.2 seconds. Domestic sites are unaffected because the chinaroute IPNetworkFile rule is evaluated first.

Changing Matcher to "full-map", "suffix-tree" or "full-list" (performance impact increasing in that order) alleviates this for a single dig query, but under a DNSPerf stress test the drop compared with disabling DomainFile.Matcher is still drastic: Overture's queries per second fall from 300 to 40.

So when Overture 1.5rc4+ is used on a router purely for anti-poisoning, especially with many client devices, it is recommended to disable DomainFile.Matcher, i.e. point both files at an empty file. Example (empty is an empty text file):

"IPNetworkFile": {
  "Primary": "/opt/etc/chinaroute",
  "Alternative": "/opt/etc/empty"
},
"DomainFile": {
  "Primary": "/opt/etc/empty",
  "Alternative": "/opt/etc/empty",
  "Matcher": "full-map"
}

Added 2019-09-15: do not use the suffix-tree matcher for now, it has a bug! Whether or not the domain file is empty, it always queries the primary DNS!

https://github.com/shawn1m/overture/issues/172
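To show why the matcher choice matters so much on a router, here is an added example (not Overture's code) with two minimal matchers modelled on the names above: a suffix tree that stores domain labels right-to-left, and a regex list that compiles every line into a pattern. The domain list and queries are constructed sample data, not gfwlist or dnsmasq-china-list.

```python
"""Added example: suffix-tree versus regex-list domain matching."""
import re
import time

# Constructed sample list; real lists have tens of thousands of entries.
SAMPLE_LIST = ["google.com", "youtube.com", "example.org", "cdn.example.net"]


class SuffixTree:
    """Labels are stored right-to-left (com -> google), so a lookup walks at most
    one node per label of the query name, independent of the list size."""
    END = object()  # marker: a listed domain ends at this node

    def __init__(self, domains):
        self.root = {}
        for d in domains:
            node = self.root
            for label in reversed(d.lower().strip(".").split(".")):
                node = node.setdefault(label, {})
            node[self.END] = True

    def match(self, qname: str) -> bool:
        node = self.root
        for label in reversed(qname.lower().strip(".").split(".")):
            node = node.get(label)
            if node is None:
                return False
            if self.END in node:      # query is the domain or a subdomain of it
                return True
        return False


class RegexList:
    """Every line becomes a regex and every query is tried against every regex,
    so the cost per query grows linearly with the list size."""

    def __init__(self, domains):
        self.patterns = [re.compile(r"(^|\.)" + re.escape(d) + r"$") for d in domains]

    def match(self, qname: str) -> bool:
        q = qname.lower().strip(".")
        return any(p.search(q) for p in self.patterns)


def generate_list(n: int):
    """Constructed list of n distinct domains spread over 97 second-level names."""
    return [f"host{i}.example{i % 97}.com" for i in range(n)]


def time_matcher(matcher, queries) -> float:
    start = time.perf_counter()
    for q in queries:
        matcher.match(q)
    return time.perf_counter() - start


def compare(n_domains: int = 2000, n_queries: int = 200) -> dict:
    """Time both matchers on the same constructed list and queries."""
    domains = generate_list(n_domains)
    queries = [f"www.host{i}.example{i % 97}.com" for i in range(n_queries)]
    return {
        "suffix_tree_s": time_matcher(SuffixTree(domains), queries),
        "regex_list_s": time_matcher(RegexList(domains), queries),
    }


if __name__ == "__main__":
    print(compare())
```

Both matchers agree that "www.google.com" and "google.com" match "google.com" while "notgoogle.com" and "google.com.evil.net" do not; the difference is only in cost per query, which is what the DNSPerf numbers above reflect.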


Sep 09

With DNS set up correctly the speed is fine, even 8K plays; the CPU is now the bottleneck.

:oops: :oops: :oops:


Sep 02

After installing the recent KB4512941 update on Windows 10 1903 (build 18362.329), you will find after a reboot that SearchUI.exe uses 20%-30% CPU even when you do nothing. For a detailed analysis see:

Windows 10 1903 update 18362329 causes high cpu usage

Windows 10 v1903 update KB4512941 workaround for the cortana high cpu load issue

Workaround 1:

Open Registry Editor at

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search

Delete the BingSearchEnabled value, or set it to 1, then reboot.

This method enables Cortana's Bing search feature.

Workaround 2:

Download the attachment and run it; no reboot required.

Ugh. :roll: :roll: :roll:


Aug 29

For ECS (edns-client-subnet) support, DNSPai domestically and Google abroad have the best support, and Overture can send EDNS information upstream. Based on these points, you can build a CDN-friendly DNS server on a VPS (whether domestic or overseas).

Overseas VPS configuration example:

{
  "BindAddress": ":5353",
  "DebugHTTPAddress": "127.0.0.1:5555",
  "PrimaryDNS": [
    {
      "Name": "DNSPaiS",
      "Address": "218.30.118.6:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    },
    {
      "Name": "DNSPaiM",
      "Address": "101.226.4.6:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    }
  ],
  "AlternativeDNS": [
    {
      "Name": "GoogleM",
      "Address": "8.8.8.8:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 3,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    },
    {
      "Name": "GoogleS",
      "Address": "8.8.4.4:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 3,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    }
  ],
  "OnlyPrimaryDNS": false,
  "IPv6UseAlternativeDNS": false,
  "WhenPrimaryDNSAnswerNoneUse": "PrimaryDNS",
  "IPNetworkFile": {
    "Primary": "./cn.zone",
    "Alternative": "./ip_network_alternative_sample"
  },
  "DomainFile": {
    "Primary": "./domain_primary_sample",
    "Alternative": "./domain_alternative_sample",
    "Matcher": "regex-list"
  },
  "HostsFile": "./hosts_sample",
  "MinimumTTL": 0,
  "DomainTTLFile": "./domain_ttl_sample",
  "CacheSize": 10000,
  "RejectQType": [255]
}

Domestic / router configuration example (note the main difference from the overseas one: it uses Google's DNS-over-TLS, otherwise the answers get poisoned):

{
  "BindAddress": "0.0.0.0:5554",
  "DebugHTTPAddress": "0.0.0.0:8081",
  "PrimaryDNS": [
    {
      "Name": "DNSPaiS",
      "Address": "123.125.81.6:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 3,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    },
    {
      "Name": "DNSPaiM",
      "Address": "101.226.4.6:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 3,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    }
  ],
  "AlternativeDNS": [
    {
      "Name": "GoogleM",
      "Address": "dns.google:853@8.8.8.8",
      "Protocol": "tcp-tls",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    },
    {
      "Name": "GoogleS",
      "Address": "dns.google:853@8.8.4.4",
      "Protocol": "tcp-tls",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "223.73.56.110",
        "NoCookie": true
      }
    }
  ],
  "OnlyPrimaryDNS": false,
  "IPv6UseAlternativeDNS": false,
  "WhenPrimaryDNSAnswerNoneUse": "AlternativeDNS",
  "IPNetworkFile": {
    "Primary": "/opt/etc/cn.zone",
    "Alternative": "/opt/etc/empty"
  },
  "DomainFile": {
    "Primary": "/opt/etc/empty",
    "Alternative": "/opt/etc/empty"
  },
  "HostsFile": "",
  "MinimumTTL": 300,
  "DomainTTLFile": "/opt/etc/domain_ttl.txt",
  "CacheSize": 8192,
  "RejectQtype": [255]
}

:cool: :cool: :cool:
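What the "EDNSClientSubnet" settings above actually put on the wire is an EDNS0 OPT record carrying the ECS option from RFC 7871. The following is an added example (not Overture's code) that builds a DNS query with that option and parses it back out of a message. It reuses the ExternalIP 223.73.56.110 from the configs; the query name, transaction id and everything else are constructed. Note that the address is truncated to the source prefix length (a /24 here), which is what RFC 7871 recommends, but even a /24 still tells the upstream resolver which network the client sits on.

```python
"""Added example: build and parse an EDNS Client Subnet (RFC 7871) option."""
import ipaddress
import struct

OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type
ECS_OPTION_CODE = 8   # EDNS Client Subnet option code
FAMILY_IPV4 = 1
FAMILY_IPV6 = 2


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """ECS option: code, length, family, source prefix, scope prefix, address.
    The address is truncated to source_prefix bits, so a /24 never carries the host part."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr = network.network_address.packed[:(source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, 0) + addr  # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname: str, client_ip=None, source_prefix: int = 24, txid: int = 0x1234) -> bytes:
    """A-record query; with client_ip set, an OPT RR carrying ECS goes in the additional section."""
    arcount = 1 if client_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # type A, class IN
    if not client_ip:
        return header + question
    rdata = build_ecs_option(client_ip, source_prefix)
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_ecs(msg: bytes):
    """Return (family, source_prefix, scope_prefix, address) from the ECS option, or None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + length]
            pos += 4 + length
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack("!HBB", body[:4])
            full = 4 if family == FAMILY_IPV4 else 16
            address = str(ipaddress.ip_address(body[4:].ljust(full, b"\x00")))
            return family, src, scope, address
    return None


if __name__ == "__main__":
    pkt = build_query("www.example.com", "223.73.56.110", 24)
    print(parse_ecs(pkt))
```

A resolver that honours ECS answers with the CDN node nearest to 223.73.56.0/24 rather than to the VPS, which is the whole point of the setup; the same option is also why a DNS forwarder that sets ExternalIP should be reachable only by the clients it is meant for.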


Aug 28

BitTorrent downloads are hopeless on the China Mobile network, so I thought of using the China Telecom line as a proxy. I tried a lot of SOCKS5 server software, shadowsocks, 3proxy and more, and none of them supported udp:// tracker servers, so the speed never picked up. Dante finally solved it. See the screenshot below of Proxifier proxying qBittorrent as evidence:

Install Dante from source:

# cd /usr/src
# wget http://www.inet.no/dante/files/dante-1.4.2.tar.gz
# tar -zxf dante-1.4.2.tar.gz
# cd dante-1.4.2/
# apt-get install gcc make
# ./configure --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var --disable-client --without-libwrap --without-bsdauth --without-gssapi --without-krb5 --without-upnp --without-pam
# make && make install

Then check the installation:

# /usr/local/sbin/sockd -v
Dante v1.4.2. Copyright (c) 1997 - 2014 Inferno Nettverk A/S, Norway

Edit the configuration file:

# nano /etc/sockd.conf

Contents:

logoutput: /var/log/socks.log

internal: 0.0.0.0 port = 10086
external: eth0          # must match your outbound interface (br0, eth0, ppp0, ...); check with ifconfig

socksmethod: username   # authenticate with local Linux accounts; create a dedicated account that cannot SSH. SOCKS5 sends the username and password in clear text. Put "none" here if no authentication is wanted
user.privileged: root
user.notprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error connect disconnect
}

client block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error connect disconnect
}

socks block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

Start the server:

/usr/local/sbin/sockd -f /etc/sockd.conf -D

Then set up port forwarding on the router to expose port 10086. :mrgreen: :mrgreen: :mrgreen:
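Two SOCKS5 details decide whether this setup works and how exposed it is: the username/password sub-negotiation of RFC 1929, which is the clear-text exchange the config comment warns about, and the UDP ASSOCIATE datagram header of RFC 1928, which is what udp:// trackers need and what the other servers lacked. The following is an added example (not Dante's code) that encodes and decodes both frames; the credentials, tracker name and payload are constructed sample values.

```python
"""Added example: SOCKS5 username/password frame (RFC 1929) and UDP datagram header (RFC 1928)."""
import ipaddress
import struct


def build_userpass_auth(username: str, password: str) -> bytes:
    """VER=1, ULEN, UNAME, PLEN, PASSWD: no encryption, no hashing."""
    u, p = username.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def parse_userpass_auth(frame: bytes):
    """Return (username, password) exactly as anyone on the path can read them."""
    if frame[0] != 1:
        raise ValueError("unsupported auth sub-negotiation version")
    ulen = frame[1]
    user = frame[2:2 + ulen].decode()
    plen = frame[2 + ulen]
    pwd = frame[3 + ulen:3 + ulen + plen].decode()
    return user, pwd


def build_udp_datagram(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA, the header the client prepends
    to every datagram sent through a UDP ASSOCIATE relay."""
    try:
        addr = ipaddress.ip_address(dst_host)
        atyp_addr = (b"\x01" if addr.version == 4 else b"\x04") + addr.packed
    except ValueError:                       # not an IP literal: domain name form
        raw = dst_host.encode("ascii")
        atyp_addr = b"\x03" + bytes([len(raw)]) + raw
    return b"\x00\x00\x00" + atyp_addr + struct.pack("!H", dst_port) + payload


def parse_udp_datagram(dgram: bytes):
    """Return (host, port, payload); fragmentation (FRAG != 0) is rejected."""
    if dgram[2] != 0:
        raise ValueError("fragmented SOCKS5 UDP datagrams not supported")
    atyp = dgram[3]
    if atyp == 1:
        host, off = str(ipaddress.IPv4Address(dgram[4:8])), 8
    elif atyp == 4:
        host, off = str(ipaddress.IPv6Address(dgram[4:20])), 20
    elif atyp == 3:
        n = dgram[4]
        host, off = dgram[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("bad ATYP")
    port = struct.unpack("!H", dgram[off:off + 2])[0]
    return host, port, dgram[off + 2:]


if __name__ == "__main__":
    frame = build_userpass_auth("btuser", "s3cret")      # constructed credentials
    print(frame, parse_userpass_auth(frame))
    d = build_udp_datagram("tracker.example", 6969, b"hello")
    print(parse_udp_datagram(d))
```

Because the password is a plain substring of the first frame, anyone who can read the traffic to port 10086 has the account; limiting the port forward to the source addresses that need it, and keeping that account unable to log in over SSH as the config comment says, is what contains the damage.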


Aug 27

Hijacking port 53 is one thing, but they also cache wrong results for ages. Recording it here. The commented-out lines were wrong before and are fine now.

#SHIT CMCC
#server=/ikafan.com/127.0.0.1#5053
#server=/ikafan.com/211.136.17.107#53
#server=/ikafan.com/211.136.20.203#53
#ignore-address=42.236.6.20
server=/g.csdnimg.cn/127.0.0.1#5053

:evil: :evil: :evil:

