Given the following status quo:

The primary x.x.x.x is a great IP and has good connectivity all over the world, however their y.y.y.y secondary IP has a premium networking route to certain places in the world in addition. I’d like to have both IP working in the mean time make y.y.y.y the default IP. My operating system is CentOS 7.

I would like to achieve the goal of:
1. Add y.y.y.y to the system
2. Make y.y.y.y the default IP, if seen from outside world.
3. Keep the primary x.x.x.x IP available and connected just in case for failover.

So here is how I did it:

1. Copy from ifcfg-eth0 to ifcfg-eth0:1 and change ifcfg-eth0:1 file in /etc/sysconfig/network-scripts

BOOTPROTO=none
DEFROUTE=yes
DEVICE=eth0:1
GATEWAY=y.y.y.1
HWADDR=be:ef:be:ef:be:ef
IPADDR=y.y.y.y
IPV6INIT=no
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no

Here BOOTPROTO must be none, make sure you keep the MAC address the same as ifcfg-eth0 and replace the values I obfuscated.

2. Modify ifcfg-eth0 file with DEFROUTE=no
3. Add a static route to make sure. Create a file route-eth0 in /etc/sysconfig/network-scripts

default via y.y.y.1 dev eth0:1

4. Restart network service

systemctl restart network

5. Confirm your IP and route

# confirm IP:
ip a

# confirm route:
ip ro

And your VM’s default IP to the outside world should be y.y.y.y now.

I have been renting a dedicated server for a long time, on the server I have been hosting a few virtual servers to serve my needs. In order to bring up the performance a little bit, I decide to bring the CPU frequency in high ranges at all times.

The raw way is to put performance (should be defined in /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors) to /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor

Now if my server has 1 or 2 cores, I may just change the cpu0 and cpu1 values directly, but what if I have 32 cores or even more? Human errors will occur while scripting. We have command line tools to help us changing the governor instead, it is called cpupower.

All commands are run under root.

Install cpupower

On CentOS, cpupower is brought by kernel-tools package.

yum install kernel-tools -y

Turn on cpupower service

systemctl daemon-reload
systemctl enable cpupower
systemctl start cpupower

Now by your definition of the cpupower service, you may have already turned on performance mode, please check any of the scaling_governor file.

Make machine performant

cpupower frequency-set -g performance

You should be set. Check your CPU cores by watch -s 2 cat /proc/cpuinfo (control+c terminates watch)
Your CPU cores should be running at high frequency range at all times.

My primary OS is Fedora and right now I am using Fedora 27.

Strangely I failed to start mocp command once I installed moc, with a little searching, add ~/.moc/config file with the content:

TiMidity_Config = /etc/timidity.cfg

Make sure this config file has 600 permission or it will complain about insecure permission.

Then I would be able to use mocp in any directory.

MOC has Equalizer support, download the eqset from their official website and the presets to ~/.moc/eqsets

First, install RPMFusion repo on Fedora 23:

dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-23.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-23.noarch.rpm

Now install the necessary h264 packages:

dnf install gstreamer1-libav gstreamer1-vaapi gstreamer1-plugins-{good,good-extras,ugly} -y

Restart your browser.

sudo dnf install texlive-collection-fontsrecommended texlive-xetex texlive-latex texlive-titlesec 'tex(datetime.sty)' 'tex(eu1enc.def)' 'tex(polyglossia.sty)' 

rpm -e --nodeps sqlite

Then shit hit the fan.

When I then try to run rpm or dnf, both giving me errors.

dnf gave me:

Traceback (most recent call last):
  File "", line 1, in 
  File "/usr/lib64/python3.4/sqlite3/__init__.py", line 24, in 
    from dbapi2 import *
  File "/usr/lib64/python3.4/sqlite3/dbapi2.py", line 27, in 
    from _sqlite3 import *
ImportError: File not found

And RPM gave me this error:

error: Failed to initialize NSS library

So rpm and dnf could not install packages. With a little searching around, I eventually figure out a way.

Step 1: Download sqlite3 from https://www.sqlite.org/download.html
Download the autoconf version of sqlite3 source code.

Step 2: compile. You need gcc and other tools. You better have this before this incident!

./configure && make

Step 3: Install those libs to /usr/local/lib

make install

Step 4：Using DNF to install.

LD_LIBRARY_PATH=/usr/local/lib dnf --best install sqlite

Should work.

gdb a.out

Multi processes:

Then:

set follow-fork-mode child
set schedule-multiple on
set detach-on-fork off
b ##
r

## means a number, in this case, line number.

Switching between processes:

info inferiors
inferior #

In this case, # means process number.

Multi Threads:

info threads
thread #

Please consult the official docs for more features.

I use the built-in script provided from RHEL/CentOS to generate a private key. The location is under /etc/ssl/cert, by typing

make site.key

It will generate a private key. Its actual command is:

openssl genrsa -aes128 2048 

You can adjust the key size for your own needs, but at least 2048 is needed for a relatively secure certificate.

Then we make its CSR by typing:

make site.csr

The actual command is:

openssl req -new -key site.key -out site.csr -aes256

The name site must be the same as the key name for the script to work. You can now copy and paste the CSR to whoever your trusted SSL Certificate Provider to sign. It doesn’t matter who choose to sign it as long as your user and you trust it, therefore I used CACert.org

Before we do anything else, we need to generate a different DH param. Let’s cd into /etc/nginx/ssl (or whatever you prefer), and do the following command:

openssl dhparam -out dhparams.pem 2048

Now we generate a custom DH param for securer DH. In the configuration next, we will use it.

Next, we need to setup a website that runs on SSL. Choosing the cipher is the most important part that prevents most of the crackers cracking decipher your server’s communication. The httpd side of software I choose is nginx, I like its versatility and efficiency.

Inside the server block, we must have the following lines:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256: DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; # includeSubdomains only needed for the whole site encryption. You may or may not need it.

# The following settings only works with CA certified certs, not self-signed certs.
ssl_stapling on; 
resolver 8.8.8.8;
ssl_trusted_certificate /etc/nginx/ssl/root.crt; # Your CA Root cert.

The main purpose of Line 1 is to stop accepting requests from insecure protocols such as SSLv2, Line 2 restricts the cipher we will be using, and stop some insecure ciphers such as MD5 and RC4. If we add RC4 back on the list, we eliminate the chance to get BEAST attack, but will suffer RC4 attack. By removing RC4, some of the older browsers will not support visiting the website and possible to suffer BEAST attack. The future trend is, RC4 attack will get more sophisticated, and chance of BEAST attack will get smaller, I’d recommend to remove RC4 from the list.

Line 4 and 5 are for the SSL reuse, this can improve the performance. Line 6, 7, 8 are related to OCSP stapling, it enables the server to check the OCSP status, which can check the revocation of the certificates. The root.crt is the Class 1 PKI key of your CA.

Go to SSLLabs for a test, you might get an A+ if your signing authority is trusted!

Read more:
http://crypto.stackexchange.com/questions/8933/how-can-i-use-ssl-tls-with-perfect-forward-secrecy
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html
https://istlsfastyet.com/?utm_source=wmx_blog&utm_medium=referral&utm_campaign=tls_en_post
http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_RECORD_SIZE
https://gist.github.com/plentz/6737338
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
http://nginx.com/blog/nginx-poodle-ssl/
https://weakdh.org/sysadmin.html

Changelog:
2014.08.13 – Added 3DES back to cipher suites for Windows XP compability.
2014.10.17 – SSLv3 support is removed (POODLE). Strict Transport Security is added.
2015.03.03 – RC4 removed and banned.
2015.06.02 – Update DH strength

It doesn’t bother me too much, I still have my Linux as a guest VM on the second screen for transition. Now I need to study some PowerShell scripting.

Vim doesn’t support ps1 files for highlighting. So there is a plugin for that. (Check out its github page for installation)

I have linebreaks set up, I honour “80 chars per line” rule. I don’t think the nature of PowerShell honours that, at least not our internal scripts. Still I want to keep linebreaks in my vimrc, but to skip linebreaks for any ps1 files. A little bit of research and documentation lookup, add a line to my vimrc:

autocmd BufRead,BufNewFile *.ps1    set nolbr

It works perfectly.

Here is my personal .zshrc:

# Vim key binding
bindkey -v

# The important part.
export GROFF_NO_SGR=1

# PATH to current directory
export PATH=$PATH:.