[Free VPS] Oracle Cloud Infrastructure (OCI) Tips and Tricks - NETSEC


Cybersecurity Memo

Saturday, January 16, 2021

Assorted notes and scripts collected while using Oracle Cloud Infrastructure (OCI).


Enable Root Account with Password Login

Before you click the Create button

When creating the instance, expand the advanced options.

[Screenshot: Oracle Cloud, logging in as root with a custom password]

Paste the following into the cloud-init script text box:

#!/bin/bash
# cloud-init runs this as root, so no sudo is needed.
# chpasswd reads user:password pairs from stdin
echo 'root:Password1234' | chpasswd
# allow root login and password authentication, whether or not the
# directive is currently commented out
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config
service sshd restart

[Screenshot: Oracle Cloud, logging in as root with a custom password]

Then click Create.

Once the instance is up you can log in as root with the password set in the script ("Password1234" in this example). Change it to something only you know before you paste the script into the cloud-init box: a root account with a guessable password, on a host whose default security list allows TCP 22 from 0.0.0.0/0, is exactly what SSH brute-force bots scan for. If you only need the password for the serial console, leave PermitRootLogin and PasswordAuthentication alone and keep logging in with your key pair. Newer Ubuntu images (22.04 and later) also ship a drop-in under /etc/ssh/sshd_config.d/ that sets PasswordAuthentication no and takes precedence over sshd_config, so look there if password login still fails.

After the instance has been created

If you already launched the instance and log in with your SSH key pair, this is how to enable password login and set a root password. Either edit /etc/ssh/sshd_config by hand:

vi /etc/ssh/sshd_config

PermitRootLogin yes          # allow root login
PasswordAuthentication yes   # allow password authentication

or let sed do it (the anchored ^#\? pattern is used on purpose: a bare .*PermitRootLogin.* also rewrites the comment line in Ubuntu's sshd_config that merely mentions the directive):

  • sudo -i
  • echo 'root:<YOUR PASSWORD>' | chpasswd
  • sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
  • sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config
  • service sshd restart

Keep the current session open and test the new login from a second terminal before you close it: a typo in sshd_config, or a drop-in file that overrides your change, otherwise locks you out of the instance.
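The same change as the one-liners above, written as a script I have added to this page (it is not from the original post): it edits sshd_config so that it works whether the directive is commented out, set to another value, or missing, leaves unrelated comment lines alone, reports drop-in files that would override the setting on newer images, and runs sshd -t before restarting so a bad config cannot lock you out. The sample sshd_config contents at the bottom are constructed to look like Ubuntu's defaults, and the MaxAuthTries setting is my addition, not something the page asks for.

```shell
#!/bin/sh
# Added example, not from the original post: change sshd_config directives
# idempotently and validate the result before restarting sshd.
# - handles a directive that is commented out, set to another value, or absent
# - leaves comment lines that merely mention the directive untouched (the
#   's/^.*PermitRootLogin.*/' one-liner would clobber Ubuntu's
#   '# the setting of "PermitRootLogin without-password"' comment)
# - warns about drop-in files, which win over sshd_config when included first
set -eu

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # rewrite only the first directive line (GNU sed 0,/re/ range)
        sed -i -E "0,/^[#[:space:]]*${key}([[:space:]]|$)/s/^[#[:space:]]*${key}([[:space:]]|$).*/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> value of the first active (uncommented) directive,
# which is the one sshd uses
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# dropin_overrides DIR KEY -> lists drop-in files that also set KEY (sshd keeps
# the first value it sees, and Ubuntu includes sshd_config.d/*.conf first)
dropin_overrides() {
    grep -lsE "^[[:space:]]*$2[[:space:]]" "$1"/*.conf || true
}

# enable_root_password_login: the page's procedure, with a config test before restart
enable_root_password_login() {
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin yes
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
    set_sshd_option /etc/ssh/sshd_config MaxAuthTries 3   # my addition: fewer guesses per connection
    dropin_overrides /etc/ssh/sshd_config.d PasswordAuthentication
    sshd -t && systemctl restart sshd   # never restart on a config sshd itself rejects
}

# demo on a constructed copy of Ubuntu's defaults (real run: enable_root_password_login as root)
tmp=$(mktemp)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' \
    '# the setting of "PermitRootLogin without-password".' \
    '#PasswordAuthentication yes' > "$tmp"
set_sshd_option "$tmp" PermitRootLogin yes
set_sshd_option "$tmp" PasswordAuthentication yes
set_sshd_option "$tmp" MaxAuthTries 3
cat "$tmp"
rm -f "$tmp"
```

Run enable_root_password_login as root on the instance; if dropin_overrides prints a file name, fix that file too, because its value is the one sshd will actually use.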

 

Performance Test

Every one of these benchmarks is a third-party script fetched from the internet and piped straight into bash as root, several of them over plain HTTP or through short redirect domains (git.io, bench.sh). They will tell you about the VPS, but whoever controls the URL, or the path to it, can run anything on your machine. Download the script, read it, and run it from disk rather than piping it, and keep them off instances that hold anything you care about.

SuperBench

  • wget -qO- git.io/superbench.sh | bash

LemonBench

  • wget -O- https://ilemonra.in/LemonBenchIntl | bash -s full

Bench.sh

  • wget -qO- bench.sh | bash

Speed test against the three Chinese carriers (China Telecom, China Unicom, China Mobile)

  • bash <(curl -Lso- http://yun.789888.xyz/speedtest.sh)

Streaming media region check

  • # option 1
  • bash <(curl -L -s https://raw.githubusercontent.com/lmc999/RegionRestrictionCheck/main/check.sh)
  • # option 2
  • bash <(curl -sSL "https://github.com/CoiaPrant/MediaUnlock_Test/raw/main/check.sh")

Return-route traceroute to the three Chinese carriers

  • # option 1
  • wget https://raw.githubusercontent.com/nanqinlang-script/testrace/master/testrace.sh
  • bash testrace.sh
  • # option 2
  • wget -qO- git.io/besttrace | bash
  • # option 3
  • curl http://tutu.ovh/bash/returnroute/test.sh | bash

VPS performance test (yabs)

  • curl -sL yabs.sh | bash



CentOS 7 Install BBR

BBR (Bottleneck Bandwidth and Round-trip propagation time) is a TCP congestion control algorithm from Google. Enabling it on a Linux host can noticeably improve throughput on lossy or long-haul links, which is why VPS users in and around China like it. By default Linux uses CUBIC, with Reno also available.

The two installer scripts below put a newer kernel on the box (from ELRepo on CentOS) and set the sysctl values for you. As with the benchmarks above, they run as root from a remote URL, and --no-check-certificate turns off the only check that the download came from the host you think it did; fetch the script, read it, and keep the checksum of the version you reviewed.

Option 1: chiakge's tcp.sh

1. Switch to root.
2. Rebuild grub.cfg:
   grub2-mkconfig -o /boot/grub2/grub.cfg
3. Run the script:
   wget -N --no-check-certificate "https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh" && chmod +x tcp.sh && ./tcp.sh

Notes: https://github.com/chiakge/Linux-NetSpeed

Option 2: teddysun's bbr.sh

On an Oracle Cloud VPS, run grub2-mkconfig -o /boot/grub2/grub.cfg first, then:

wget --no-check-certificate -O /opt/bbr.sh https://github.com/teddysun/across/raw/master/bbr.sh && chmod 755 /opt/bbr.sh && /opt/bbr.sh

If it is a GcoreLabs VPS and the script stops at "[Info] rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org", edit bbr.sh and replace www.elrepo.org with wc.ci; there are four occurrences in total. Alternatively, download these four files yourself and host them somewhere the VPS can reach:

https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
https://www.elrepo.org/elrepo-release-6-10.el6.elrepo.noarch.rpm
https://www.elrepo.org/elrepo-release-7.0-5.el7.elrepo.noarch.rpm
https://www.elrepo.org/elrepo-release-8.2-1.el8.elrepo.noarch.rpm

Verify

Run lsmod | grep bbr

If the output shows tcp_bbr, the module is loaded and BBR is active. (On a kernel that has BBR built in rather than as a module, lsmod shows nothing; check sysctl net.ipv4.tcp_congestion_control instead.)


Ubuntu 20.04 Install BBR

Requirements:

  • BBR requires Linux kernel version 4.9 or above. Since Ubuntu 20.04 comes with the 5.4.0 kernel, we can enable BBR right away.

Run the following command to check available congestion control algorithms,

sysctl net.ipv4.tcp_available_congestion_control

Output:

root@vps:~# sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = reno cubic

Run the below command to check the current congestion control algorithm used in your system,

sysctl net.ipv4.tcp_congestion_control

Output:

root@vps:~# sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = cubic


Enabling TCP BBR in Ubuntu

Open /etc/sysctl.conf to enable TCP BBR:

vi /etc/sysctl.conf

At the end of the config file, add the following lines.

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Save the file, and refresh your configuration by using this command,

sysctl -p

Output:

root@vps:~# sysctl -p
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Now, Verify if BBR is enabled in your system,

sysctl net.ipv4.tcp_congestion_control

Output:

root@vps:~# sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = bbr

Done!



VNC Connection for Oracle Cloud Platform

This uses the instance console connection from the OCI console, tunnelled through another Linux box (a CentOS VPS in this example) so that a VNC viewer elsewhere can reach it.

1. SSH into the VPS (here CentOS as root, working directory /root/, but any directory works).
2. Generate a key pair for the console connection: ssh-keygen <Enter>. Leaving the passphrase empty works but is less secure.
3. cat .ssh/id_rsa.pub and paste the contents of id_rsa.pub into the Oracle console when creating the console connection.
4. Copy the VNC connection parameters (Linux/Mac) from the Oracle console into myvnc.sh. The command has this form:
   ssh -o ProxyCommand='ssh -W %h:%p -p 443 [email protected]' -N -L localhost:5900:XXXXXX:5900 XXXXXX
5. Run ifconfig to find the VPS's local IP (10.0.3.5 here). In myvnc.sh change -L localhost:5900 to -L 10.0.3.5:9988 (if the VPS has its public IP directly on the interface rather than behind NAT, use 0.0.0.0; Alibaba Cloud and Tencent Cloud both use NAT, so there you must bind to the private IP).
6. Run sh myvnc.sh; you may have to answer yes to the host-key prompt and enter the passphrase of your key.
7. Open port 9988 in the VPS firewall.
8. From your own computer, point a VNC viewer at <VPS public IP>:9988.

Be clear about what step 5 does: the instance console is normally reachable only through the SSH tunnel tied to your key, and binding the forward to the VPS's address and opening 9988 hands that console to anyone who can reach the port. If you do this, restrict 9988 to your own source IP in the VPS firewall; better, skip steps 5 and 7, leave the forward on localhost, and forward port 5900 from your own computer to the VPS over SSH (ssh -L) so the viewer connects to localhost.

Notes: https://luotianyi.vc/4199.html

DD System into Oracle Cloud VM

Notes: on Oracle Cloud this only works from an Ubuntu instance.

Ubuntu environment preparation:
# Debian/Ubuntu:
apt-get update
apt-get install -y xz-utils openssl gawk file

Download the script and the image from one of moeclub.org's sharing posts:
sudo -i
wget --no-check-certificate -qO InstallNET.sh 'https://moeclub.org/attachment/LinuxShell/InstallNET.sh' && bash InstallNET.sh -dd 'https://api.moeclub.org/GoogleDrive/1NHKdm3xfQ3HySNCGvrzgdz7RMVCI1qGy'

After one or two minutes you will lose your SSH connection. Give the machine 5-10 minutes before you reboot the Ubuntu VM manually from the console. During the reboot the VM status becomes Stopping, stays there for 20-25 minutes, and then returns to Running.

By then the imaging and the reboots are complete and you can RDP to the VM's public IP on port 3389. Make sure you have added an ingress rule for TCP 3389 to the Network Security Group, and scope it to your own source IP rather than 0.0.0.0/0: a freshly installed Windows box with a published default password is a target the moment the port is reachable.

Default RDP account for the Windows 7 64-bit image at https://api.moeclub.org/GoogleDrive/1NHKdm3xfQ3HySNCGvrzgdz7RMVCI1qGy :

username : administrator
password : www.nat.ee

Change the password immediately after logging in, and preferably move RDP off port 3389 as well.

The system is a Chinese Windows 7 64-bit Ultimate edition; you will need to activate it yourself. Keep in mind what you are running: a disk image from a third party's Google Drive, written over the whole disk, with no way to verify what else is in it, on an operating system that has been out of support since January 2020.

After installation the default memory usage is around 366 MB and CPU usage under 1%.

Notes:
The same script can also reinstall Debian 9 64-bit:
bash <(wget --no-check-certificate -qO- 'https://moeclub.org/attachment/LinuxShell/InstallNET.sh') -d 9 -v 64 -a -firmware
default root password: MoeClub.org



Oracle Linux VPS Firewall Configuration and BBR

Two layers filter traffic to an OCI instance: the subnet's security list / NSG in the cloud, and the host firewall inside the image (iptables rules restored by netfilter-persistent on Ubuntu, firewalld on CentOS / Oracle Linux). Opening a port means opening it in both. Flushing the host firewall, as the "all ports" recipe below does, is popular because it makes the second layer go away; it also means the security list is the only thing left between the internet and every service you ever start on the box. Prefer the "one port" recipe.

~~~~~~~~~~~~~~~~For opening all ports~~~~~~~~~~~~~~~~~~~~

Ubuntu (especially ARM machines):

sudo iptables -P INPUT ACCEPT

sudo iptables -P FORWARD ACCEPT

sudo iptables -P OUTPUT ACCEPT

sudo iptables -F

sudo apt-get purge netfilter-persistent   # otherwise the image's saved rules come back at boot

CentOS:

sudo iptables -P INPUT ACCEPT

sudo iptables -P FORWARD ACCEPT

sudo iptables -P OUTPUT ACCEPT

sudo iptables -F

sudo systemctl disable --now firewalld   # CentOS has no netfilter-persistent; its rules come from firewalld

~~~~~~~~~~~~~~~~For opening one port~~~~~~~~~~~~~~~~~~~~

Ubuntu:

sudo ufw allow 443/tcp   # open TCP 443

sudo ufw allow 123/udp   # open UDP 123

sudo ufw reload          # reload the firewall so the rules take effect

ufw only changes anything if ufw itself is enabled (ufw status). On the OCI Ubuntu image the rule that rejects your port is the one netfilter-persistent restores from /etc/iptables/rules.v4, so check iptables -S INPUT and insert your ACCEPT above the REJECT rule there, then netfilter-persistent save.

CentOS:

sudo firewall-cmd --zone=public --permanent --add-port=443/tcp   # open TCP 443

sudo firewall-cmd --zone=public --permanent --add-port=123/udp   # open UDP 123

sudo firewall-cmd --reload                                        # reload the firewall so the rules take effect
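An added example (not from the original post) of the "one port" approach that keeps the image's default-deny host firewall instead of flushing it: it generates an iptables-restore ruleset containing only the ports you name, validates the port/protocol arguments, and leaves SSH reachable. It assumes the OCI Ubuntu image layout described above (rules kept by netfilter-persistent in /etc/iptables/rules.v4, REJECT as the last INPUT rule); the ports in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build a minimal default-deny
# INPUT chain for an OCI Ubuntu instance rather than "iptables -F".
set -eu

# valid_port_spec PORT/PROTO -> 0 for 1-65535 with tcp or udp
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    p=${1%/*}
    case "$p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; then return 0; fi
    return 1
}

# gen_rules_v4 PORT/PROTO ... -> iptables-restore text on stdout: loopback,
# established, ICMP and SSH allowed, then exactly the listed ports, then the
# same REJECT the image ships with
gen_rules_v4() {
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec (want e.g. 443/tcp)" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for spec in "$@"; do
        printf '%s\n' "-A INPUT -p ${spec#*/} --dport ${spec%/*} -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Apply and persist, as root (ports are placeholders):
#   gen_rules_v4 443/tcp 123/udp | iptables-restore && netfilter-persistent save
# Check what is live with: iptables -S INPUT

gen_rules_v4 443/tcp 123/udp
```

Because the ruleset is regenerated from the full list each time, adding a port later means rerunning it with the complete list; nothing is left to accumulate, and the REJECT always stays last.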

~~~~~~~~~~~~~~BBR (stock kernel module)~~~~~~~~~~~~~~~~~~~~~~

Ubuntu: enable it directly

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf

echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf

sysctl -p   # apply the settings

sysctl net.ipv4.tcp_available_congestion_control   # check whether the kernel offers bbr

net.ipv4.tcp_available_congestion_control = reno cubic bbr   # output like this means bbr is available

lsmod | grep bbr   # confirm the tcp_bbr module is loaded

CentOS: upgrade the kernel first

1. Check the current kernel

uname -r

2. Import the ELRepo signing key (yum checks the package signatures against it, which is the point of this step; do not skip it or work around it with --nogpgcheck)

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

3. Install the ELRepo repository package

yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm -y

4. List the kernels ELRepo provides

yum --disablerepo="*" --enablerepo="elrepo-kernel" list available

5. Install the kernel-ml kernel. This step can take a long time; be patient, it is not stuck.
kernel-lt: the long-term support kernel, 4.4.* at the time of writing.
kernel-ml: the mainline kernel, 5.2.* at the time of writing.

yum --disablerepo='*' --enablerepo=elrepo-kernel install kernel-ml -y

6. Make the new kernel the default boot entry (entry 0 is normally the newest kernel; grub2-editenv list shows what is selected)

grub2-set-default 0

7. Enable BBR

echo 'net.core.default_qdisc=fq' >> /etc/sysctl.conf

echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.conf

8. Reboot

reboot

9. Check that BBR is active

sysctl -n net.ipv4.tcp_congestion_control

lsmod | grep bbr
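The BBR steps in this section and in the Ubuntu 20.04 section above, as an added example (not from the original post): it checks the kernel version and the tcp_bbr availability that the one-liners take for granted, and writes the two sysctl settings to a drop-in file so that running it twice does not leave duplicate lines in /etc/sysctl.conf. The drop-in path /etc/sysctl.d/99-bbr.conf is my choice, not something the page specifies.

```shell
#!/bin/sh
# Added example, not from the original post: enable BBR with the checks the
# echo >> /etc/sysctl.conf one-liners skip.
set -eu

# kernel_supports_bbr VERSION -> 0 if VERSION (uname -r style) is 4.9 or newer
kernel_supports_bbr() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; then return 0; fi
    return 1
}

# write_bbr_sysctl FILE -> (re)writes a sysctl drop-in; running twice leaves one copy
write_bbr_sysctl() {
    printf 'net.core.default_qdisc = fq\nnet.ipv4.tcp_congestion_control = bbr\n' > "$1"
}

# bbr_available -> 0 if the running kernel offers bbr (module loaded or built in)
bbr_available() {
    modprobe tcp_bbr 2>/dev/null || true   # no-op when bbr is built in
    grep -qw bbr /proc/sys/net/ipv4/tcp_available_congestion_control
}

# enable_bbr: the whole procedure; run as root
enable_bbr() {
    if ! kernel_supports_bbr "$(uname -r)"; then
        echo "kernel $(uname -r) is older than 4.9: upgrade it first (ELRepo steps above)" >&2
        return 1
    fi
    if ! bbr_available; then
        echo "this kernel has no tcp_bbr: check its config" >&2
        return 1
    fi
    write_bbr_sysctl /etc/sysctl.d/99-bbr.conf
    sysctl --system >/dev/null           # loads /etc/sysctl.d/*.conf, unlike sysctl -p
    [ "$(sysctl -n net.ipv4.tcp_congestion_control)" = bbr ]
}

# non-root demo: only the kernel check on this machine
if kernel_supports_bbr "$(uname -r)"; then
    echo "kernel $(uname -r): new enough for BBR"
else
    echo "kernel $(uname -r): older than 4.9, upgrade first"
fi
```

enable_bbr returns non-zero if the running algorithm is still not bbr after the reload, which is the check step 9 above does by hand.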



Docker related

Docker - one-command install

  • Update, install wget and vim
  • apt-get update && apt-get install -y wget vim
  • # Outside China:
  • curl -sSL https://get.docker.com/ | sh
  • # Inside China:
  • curl -sSL https://get.daocloud.io/docker | sh

Both installers are again remote scripts run as root, and the daocloud one is a third-party mirror of Docker's. The route that involves no piping at all is Docker's apt repository with its signed packages.

Docker uninstall

  • sudo apt-get remove docker docker-engine
  • rm -fr /var/lib/docker/

Docker Compose - one-command install

  • # Outside China (1.24.1 was current at the time of writing; pick a current release):
  • sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  • sudo chmod +x /usr/local/bin/docker-compose
  • # Inside China (this is the v2 line, a different binary from 1.x):
  • curl -L https://get.daocloud.io/docker/compose/releases/download/v2.1.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
  • chmod +x /usr/local/bin/docker-compose

A binary dropped into /usr/local/bin and made executable is trusted by every user on the box. Compose releases on GitHub publish a .sha256 file next to each binary; compare it before chmod +x, and be doubly careful with the mirror, which is not the project's own host.
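Several things on this page (the benchmark scripts, the BBR installers, InstallNET.sh, the Docker and Compose installers) are fetched and executed without any check on what arrived. This added example (not from the original post or from any of those projects) is the download-then-verify wrapper to use instead: fetch over TLS with certificate checking, compare SHA-256 against a value obtained separately, and only then run or install the file. The URL and hash in the usage comment are placeholders, and the "hello" file at the end is constructed test data.

```shell
#!/bin/sh
# Added example, not from the original post: never run what you have not
# verified. Hashes come from the release page, a README, or your own notes
# from the first time you read the script; they never come from the same
# place as the download.
set -eu

# verify_sha256 FILE EXPECTED -> 0 if FILE hashes to EXPECTED (hex, either case)
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then return 0; fi
    echo "sha256 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST -> download with certificate checking
# (no -k / --no-check-certificate), verify, keep the file only if the hash matches
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp)
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage (placeholder URL and hash):
#   fetch_verified https://example.invalid/bbr.sh <sha256> /opt/bbr.sh \
#       && less /opt/bbr.sh && sh /opt/bbr.sh

# demo on constructed data: "hello\n" has a well-known SHA-256
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 && echo "checksum ok"
rm -f "$tmp"
```

--proto '=https' refuses to follow a redirect down to plain HTTP, which is what protects the git.io and bench.sh style short URLs above once they bounce to their real host.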



Operations After Logged Into VPS


Switch to root

sudo -i

1. Install dependencies

CentOS:

yum -y install wget
yum update -y && yum install curl -y

Ubuntu:

apt-get install wget
apt-get update -y && apt-get install curl -y

2. Set the root password

passwd   # change password

3. Enable SSH password login

vi /etc/ssh/sshd_config

CentOS

Press i to edit:

1. Change PermitRootLogin to yes

2. Change PasswordAuthentication to yes

Press Esc, then :wq to save and exit.

Ubuntu

Ubuntu's vi colour scheme makes the file almost unreadable (it feels deliberate). Deleting the leading # on a line makes it brighter; the lines to change are the same two as on CentOS.

3. Restart the sshd service

systemctl restart sshd.service

or

sudo service sshd restart

Done. From here on you can log in to the Oracle instance just like any ordinary VPS. Try it from a second terminal before you close the current session, so a mistake in sshd_config does not lock you out.

Oracle ships it this way for security reasons: key-only login, no root login and no SSH password login make the machine safer to a degree. If you care about your server's security, you can also reverse these steps.

4. Remove related programs

rpcbind

netstat -ntlp shows rpcbind listening on port 111. If that worries you, stop and disable it:

systemctl stop rpcbind
systemctl stop rpcbind.socket
systemctl disable rpcbind
systemctl disable rpcbind.socket

oracle-cloud-agent

Disable Oracle's official background monitoring agent (this also stops the agent's plugins, so the console loses the instance's metrics and the agent-driven features):

systemctl stop oracle-cloud-agent
systemctl disable oracle-cloud-agent
systemctl stop oracle-cloud-agent-updater
systemctl disable oracle-cloud-agent-updater

5. Firewall

Stop firewalld

systemctl stop firewalld.service

Keep firewalld from starting at boot

systemctl disable firewalld.service

After this only the subnet's security list / NSG filters inbound traffic to the instance.

6. Ubuntu

Open all ports

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

The Ubuntu image ships with iptables rules; remove them:

apt-get purge netfilter-persistent
reboot

Disable plugins

The Oracle Cloud Agent plugins shown in the console can all be turned off.

Tip: more details at https://blog.laoda.de/archives/oracle-always-free-vps


SL (Security List) vs NSG (Network Security Group)

Both are using Security Rules to control traffic at the packet level. These two features offer different ways to apply security rules to a set of virtual network interface cards (VNICs) in the virtual cloud network (VCN).
  • Security lists: The original virtual firewall feature from the Networking service.
  • Network security groups (NSGs): A subsequent feature designed for application components that have different security postures.
Security tool            Applies to                                          To enable                                     Limitations
Security lists           All VNICs in a subnet that uses that security list  Associate the security list with the subnet   Maximum five security lists per subnet
Network security groups  Chosen VNICs in the same VCN                        Add specific VNICs to the NSG                 Maximum five NSGs per VNIC


Comparing SL vs NSG


If you use both: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityrules.htm#use_both
You can use security lists alone, network security groups alone, or both together, depending on your security needs.

If you use both, the set of rules that applies to a given VNIC is the union of:

  • the security rules in the security lists associated with the VNIC's subnet
  • the security rules in all NSGs the VNIC belongs to

For example, if security list 1, security list 2, NSG A and NSG B all apply to VNIC1, the effective rule set is the union of those four sets, followed by an implicit deny-all for IPv4 and IPv6. Because it is a union, a permit anywhere wins: a tightly scoped NSG cannot narrow a broad rule in the subnet's security list, so the default security list's rule allowing TCP 22 from 0.0.0.0/0 still applies to a VNIC even if its NSG only allows your own IP. To actually restrict a VNIC, remove or tighten the permissive security-list rule as well, or put the subnet on an empty security list and do everything in NSGs.
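A small model of the union rule, added here as an example (not from the original post and not Oracle's code): two constructed rule tables stand in for the subnet's default security list and a tightly scoped NSG, and ingress_allowed walks the union the way the text describes, with the implicit deny at the end. It shows that the security list's world-open port 22 rule still lets a stranger in even though the NSG only allows one /24.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle: how OCI decides
# ingress for one VNIC. Rules from every security list on the subnet and
# every NSG the VNIC is in are unioned; first match allows, no match hits
# the implicit deny. Rule tables are constructed sample data.
set -eu

# One rule per line: "<source CIDR> <proto|all> <dest port|any>"
SL_DEFAULT='0.0.0.0/0 tcp 22
10.0.0.0/16 all any'                 # constructed: like the default security list plus VCN-internal allow
NSG_WEB='203.0.113.0/24 tcp 443'     # constructed: NSG that only admits one office /24

# ingress_allowed SRC_IP PROTO PORT RULESET... -> prints the verdict;
# returns 0 on allow, 1 on the implicit default deny
ingress_allowed() {
    src="$1"; proto="$2"; port="$3"; shift 3
    printf '%s\n' "$@" | awk -v ip="$src" -v proto="$proto" -v port="$port" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        function in_cidr(addr, cidr,  p, bits, div) {
            split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
            div = 2 ^ (32 - bits)
            return int(ip2n(addr) / div) == int(ip2n(p[1]) / div)
        }
        NF == 3 && in_cidr(ip, $1) && ($2 == "all" || $2 == proto) && ($3 == "any" || $3 == port) {
            print "allow  (" $0 ")"; found = 1; exit
        }
        END { if (!found) { print "deny   (implicit default deny)"; exit 1 } }'
}

# demo: the NSG only admits 203.0.113.0/24, yet 198.51.100.7 still reaches port 22
for probe in "198.51.100.7 tcp 22" "198.51.100.7 tcp 443" "203.0.113.9 tcp 443" "10.0.3.5 udp 123"; do
    set -- $probe
    printf '%-22s -> ' "$probe"
    ingress_allowed "$1" "$2" "$3" "$SL_DEFAULT" "$NSG_WEB" || true
done
```

Drop SL_DEFAULT from the call and only the /24 gets through on 443: that is the "empty security list, NSGs only" layout suggested above.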

