Example Linux kernel boot parameters
See also:
Kernel boot parameter
cat /proc/cmdline
In case of problems
See:
noapic nolapic acpi=off nomodeset nodmraid
edd=on
Disable cloud-init
cloud-init=disabled
Disable the CPU mitigations to improve performance at the expense of security (kernel 5.1.13 and later)
mitigations=off
Before kernel 5.1.13
/etc/default/grub
GRUB_CMDLINE_LINUX="noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off tsx=on tsx_async_abort=off mitigations=off"
Retbleed
spectre_v2=ibrs retbleed=off
See https://access.redhat.com/solutions/retbleed
pnpbios=off noapic
Partially disables KPTI (Kernel page-table isolation)
KPTI was created to limit the impact of Meltdown
noibrs noibpb nopti #pti=off
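Added example, not part of the original notes: a POSIX sh audit that scans a kernel command line for the mitigation-weakening parameters listed above (mitigations=off, nopti/pti=off, noibrs/noibpb, the nospectre_*/l1tf/mds/tsx_async_abort settings, retbleed=off, dis_ucode_ldr, random.trust_cpu=on). The flagged list and the function names are assumptions for this page, not an exhaustive baseline.

```shell
#!/bin/sh
# Audit a kernel command line for boot parameters that weaken CPU-vulnerability
# mitigations or related protections. The flagged list is an assumption drawn
# from the parameters discussed on this page; extend it for your own baseline.
RISKY_PARAMS='mitigations=off nopti pti=off noibrs noibpb nospectre_v1 nospectre_v2
spectre_v2=off l1tf=off mds=off tsx_async_abort=off nospec_store_bypass_disable
no_stf_barrier retbleed=off dis_ucode_ldr random.trust_cpu=on'

# Print every flagged token of the command line given as $1, one per line.
list_risky_params() {
    for tok in $1; do
        for risky in $RISKY_PARAMS; do
            [ "$tok" = "$risky" ] && echo "$tok"
        done
    done
    return 0
}

# Print the number of flagged tokens in the command line given as $1.
count_risky_params() {
    n=0
    for tok in $(list_risky_params "$1"); do
        n=$((n + 1))
    done
    echo "$n"
}

# Audit the running kernel: reads the live command line from /proc/cmdline.
audit_running_kernel() {
    list_risky_params "$(cat /proc/cmdline)"
}
```

Source the file and call audit_running_kernel on a host to list which of these parameters it booted with; a non-empty result means the mitigations documented above are (partly) disabled.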
Other
pci=noaer pcie_aspm=off
Fix boot errors
Source : https://www.techradar.com/how-to/computing/how-to-fix-any-linux-problem-1322630
noapic
or
noapictimer, acpi=off
or
acpi=force irqpoll pci=nommconf pci=nomsi
splash=silent quiet showopts nvme_core.default_ps_max_latency_us=170000 crashkernel=192M,high crashkernel=72M,low intremap=no_x2apic_optout apic=verbose lapic irqfixup irqpoll i2c_i801.disable_features=0x10 hpet=disable initcall_blacklist=dw_i2c_init_driver nvme_core.default_ps_max_latency_us=200000 iwlmvm.power_scheme=1 iwlwifi.amsdu_size=3 lapic=notscdeadline acpi=rsdt pci=nocrs no_timer_check
Problem with an SSD: in the BIOS, set SATA to AHCI instead of RAID, or change RAID On to Disabled (Disabled: the SATA controllers are hidden).
nvme_load=YES
Debug
loglevel=7 systemd.log_level=debug
ignore_loglevel
Displays all messages. Can be changed dynamically.
Linux Crashes, Reboots, ACPI and APIC
Source : http://www.gilfether.com/linux-crashes-reboots-acpi-and-apic/357/
On single processor machines you can fully disable ACPI and APIC by passing kernel boot parameters:
noapic nolapic acpi=ht
On a dual core, quad core, or multiprocessor machine, you want to make sure you enable Local APIC. Local APIC has some kind of control over your Multiprocessor machine. If you shut off Local APIC on a multi-core or multiprocessor machine, you will only see one processor available. Use the following Kernel parameters:
noapic lapic acpi=ht
Oracle example
numa=off transparent_hugepage=never clocksource=tsc ipv6.disable=1 audit=1 audit_backlog_limit=8192
Examples
CloneZilla
linux /live/vmlinuz boot=live union=overlay username=user config components noswap edd=on nomodeset nodmraid noeject locales=en_US.UTF-8 keyboard-layouts=NONE ocs_live_run="ocs-live-restore" ocs_live_extra_param="-e1 auto -e2 -c -r -j2 -scr -p true restoredisk IMAGES sda sdb" ocs_live_batch=yes vga=788 ip= net.ifnames=0 quiet nosplash i915.blacklist=yes radeonhd.blacklist=yes nouveau.blacklist=yes vmwgfx.enable_fbdev=1
Other
xdriver=vesa fastboot
UEFI
video=efifb fbcon=rotate:1
Disables loading of the CPU microcode
dis_ucode_ldr
Slow boot caused by a lack of entropy
random.trust_cpu=on
See https://daniel-lange.com/archives/152-hello-buster.html
memmap=512M\$1024M
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet memmap=512M\\\$1024M"
Other
force_latency=cstate.id:1|3 force_latency=1
Example iptables init scripts
Note
iptables has now been replaced by nftables.
nft can be scripted from bash. See: https://gorbe.io/posts/coredns/install/
#!/bin/bash
# Site-local helper library (assumed to provide dieIfNotRoot and getPlateformBasename)
. $(dirname "$0")/lib/common.sh
dieIfNotRoot
IPTABLES=/sbin/iptables
pf=$(getPlateformBasename $HOSTNAME)

### BEGIN config ###
INTERFACE=eth0
VLAN='172\.16\.12\.'
REGEX_MACHINE='qua.*1|ftp1|gdp1'
### END config ###

check() {
  # Check that $INTERFACE is in the expected VLAN
  /sbin/ifconfig $INTERFACE |sed -n -e '2p'|tr -s ' ' ':'| cut -d':' -f4 |grep -e "$VLAN" >/dev/null
  if [ $? -ne 0 ]
  then
    echo "ERREUR. L'interface $INTERFACE n'est pas dans le VLAN $(echo $VLAN| sed -e 's!\\.!\.!g')"
    exit 10
  fi
  # iptables must be running
  /etc/init.d/iptables status >/dev/null
  if [ $? -ne 0 ]
  then
    echo "ERREUR. Le service iptables n'est pas demarre"
    exit 11
  fi
}

flush() {
  ## Flush $IPTABLES.
  $IPTABLES -F
  ## Delete all user-defined chains.
  $IPTABLES -X
  # Default policy (allow everything)
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
}

filter() {
  # Whitelist all production machines
  $IPTABLES -N WL_PROD
  for ip in $(grep -v -e '^#' /etc/hosts |egrep -i -e "$REGEX_MACHINE" |awk '{print $1}')
  do
    $IPTABLES -A INPUT -i $INTERFACE -s $ip -j WL_PROD
  done
  $IPTABLES -A WL_PROD -j ACCEPT
  # Allow all return packets (connection initiated from this server)
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # By default no internal access except from the explicitly allowed machines
  # (the regex backslashes are stripped from $VLAN to build the /24 network)
  $IPTABLES -A INPUT -i $INTERFACE -s $(echo $VLAN |tr -d '\\' |sed -e 's!$!0/24!') -j REJECT
}

case $1 in
  'start'|'restart')
    # check exits with 10 or 11 on failure, so flush/filter only run when it passed
    check
    flush
    filter
    ;;
  'stop')
    flush
    ;;
  *)
    echo "usage: $0 start|stop|restart"
    ;;
esac
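Added example, not part of the original notes: the filter() logic of the script above (whitelist the hosts selected from /etc/hosts by a name regex, accept return traffic, reject the rest of the VLAN) rewritten as an nftables ruleset generated from a shell script, which is the nft-from-bash approach the note above points to. The function names are hypothetical and the hosts-file sample used in the comments is constructed.

```shell
#!/bin/sh
# Generate an nftables ruleset equivalent to the iptables filter() above:
# whitelist hosts on one interface, accept return traffic, reject the rest of
# the VLAN. Function names are hypothetical (not from the original script).
# Apply the output with:  gen_nft_ruleset eth0 172.16.12.0/24 $ips | nft -f -

# Read hosts-file text on stdin and print the IPs of hosts whose name matches
# the regex in $1 (same selection as the iptables script: skip comment lines,
# match the regex case-insensitively, keep the first column).
whitelist_ips() {
    grep -v -e '^#' | grep -E -i -e "$1" | awk '{print $1}'
    return 0
}

# Print an nft script. $1 interface, $2 VLAN as CIDR, remaining args: IPs.
# With no IPs the whitelist rule is omitted, since "{ }" is a syntax error in nft.
gen_nft_ruleset() {
    iface=$1; vlan=$2; shift 2
    wl=''
    if [ $# -gt 0 ]; then
        ips=$(printf '%s, ' "$@")
        wl="        iifname \"$iface\" ip saddr { ${ips%, } } accept"
    fi
    # "table" followed by "delete table" makes a reload idempotent: the table
    # is created if missing, then dropped and recreated with the rules below.
    printf '%s\n' \
        'table inet filter' \
        'delete table inet filter' \
        'table inet filter {' \
        '    chain input {' \
        '        type filter hook input priority 0; policy accept;' \
        '        ct state established,related accept' \
        "$wl" \
        "        iifname \"$iface\" ip saddr $vlan reject" \
        '    }' \
        '}'
}
```

As with the iptables version, the input policy stays accept and only the VLAN is rejected, so hosts outside the VLAN (other interfaces, loopback) are unaffected.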
#!/bin/bash
set -e
PATH=$PATH:/sbin
# Assumes a single nameserver line in resolv.conf
SERVERDNS=$(cat /etc/resolv.conf |grep -e '^nameserver' |awk '{print $2}')
INTERFACE_OPEN=eth0
INTERFACE_SAFE=eth1
VLAN_OPEN='192\.168\.1\.'
VLAN_SAFE='10\.0\.2'
# Address of this server (parses French-locale ifconfig output; unused below)
IPSERVER=$(ifconfig eth0 |grep -e 'inet adr:' |tr -s ' ' ':' |cut -f 4 -d':')
IP_ZABBIX_SERVER="172.16.110.3"

# With set -e a failing pipeline would abort the script before the error
# message is printed, so the checks are written as "if ! ...".
if ! /sbin/ifconfig $INTERFACE_OPEN |sed -n -e '2p' |tr -s ' ' ':' | cut -d':' -f4 |grep -e "$VLAN_OPEN"
then
  echo "ERREUR. L'INTERFACE_OPEN eth0 n'est pas dans le VLAN $(echo $VLAN_OPEN| sed -e 's!\\.!\.!g')"
  exit 1
fi
# The original passed $VLAN_SAFE (a regex) as the interface name; it must be $INTERFACE_SAFE
if ! /sbin/ifconfig $INTERFACE_SAFE |sed -n -e '2p'|tr -s ' ' ':'| cut -d':' -f4 |grep -e "$VLAN_SAFE"
then
  echo "ERREUR. L'INTERFACE_SAFE eth1 n'est pas dans le VLAN $(echo $VLAN_SAFE| sed -e 's!\\.!\.!g')"
  exit 2
fi
if ! /etc/init.d/iptables status
then
  echo "ERREUR. Le service iptables n'est pas démarré"
  exit 3
fi
## Flush iptables.
iptables -F
## Delete all user-defined chains.
iptables -X
## Drop all incoming traffic.
iptables -P INPUT DROP
## Drop all outgoing traffic.
iptables -P OUTPUT DROP
## Drop forwarding.
iptables -P FORWARD DROP
## Let an open connection receive incoming traffic.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Let an open connection send outgoing traffic.
# SSH, NTP etc...
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
## Accept loopback on input.
iptables -I INPUT -i lo -j ACCEPT
# Everything allowed on eth1
iptables -I INPUT -i $INTERFACE_SAFE -j ACCEPT
# DNS ==> same for UDP
iptables -A OUTPUT -o $INTERFACE_OPEN -d $SERVERDNS -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INTERFACE_OPEN -d $SERVERDNS -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $INTERFACE_OPEN -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# SERVER SSH
iptables -A INPUT -i $INTERFACE_OPEN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# SERVER Zabbix agent
iptables -A INPUT -i $INTERFACE_OPEN -s $IP_ZABBIX_SERVER -p tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
# Restrict pings? http://www.oregontechsupport.com/articles/icmp.txt
# or allow ping in every direction (OUTPUT rules take -o, not -i)
iptables -A INPUT -i $INTERFACE_OPEN -p icmp -j ACCEPT
iptables -A OUTPUT -o $INTERFACE_OPEN -p icmp -j ACCEPT
case $HOSTNAME in
  *web*)
    echo "Machine WEB"
    # SERVER HTTP/HTTPS
    iptables -A INPUT -i $INTERFACE_OPEN -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i $INTERFACE_OPEN -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    # SERVER NFS
    #iptables -A INPUT -i $INTERFACE_OPEN -p tcp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    #iptables -A INPUT -i $INTERFACE_OPEN -p udp -s dev-ci1 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
  *app*)
    echo "Machine APP"
    ### iptables -A INPUT -i $INTERFACE_OPEN -s qua-web3 -p tcp --dport 9960 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
  *db*)
    echo "Machine DB"
    # SERVER Postgres
    iptables -A INPUT -i $INTERFACE_OPEN -s qua-app3 -p tcp --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
    ;;
esac
/usr/share/doc/openvpn/examples/sample-config-files/firewall.sh
#!/bin/sh
# A Sample OpenVPN-aware firewall.
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Check source address validity on packets going out to internet
# (current iptables requires the "!" before the option, not after it)
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
Source : http://www.linuxjournal.com/content/server-hardening?page=0,1
# make sure forwarding is off and clear everything
# also turn off ipv6 cause if you don't need it
# turn it off
sysctl net.ipv6.conf.all.disable_ipv6=1
sysctl net.ipv4.ip_forward=0
iptables -F
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# make the default: drop everything
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
# allow all in loopback
iptables -A INPUT -i lo -j ACCEPT
# allow related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ssh
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m multiport --dports ssh,http,https -j ACCEPT
# the source gives no -j target for this last rule: as written it only counts matching packets
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports http,https
Example Webalizer configuration
See http://doc.ubuntu-fr.org/webalizer
In the crontab:
sudo -u truc /usr/local/bin/webalizer -c /etc/webalizer.conf.truc
/etc/webalizer.conf.truc
LogFile /usr/local/apache/logs/truc-access_log
OutputDir /home/truc/www/stats
Incremental yes
HostName truc.com
PageType htm*
PageType cgi
PageType phtml
PageType php
PageType php3
PageType pl
PageType shtml
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.png
HideURL *.PNG
HideURL *.ra
SearchEngine yahoo.com p=
SearchEngine altavista.com q=
SearchEngine google.com q=
SearchEngine eureka.com q=
SearchEngine lycos.com query=
SearchEngine hotbot.com MT=
SearchEngine msn.com MT=
SearchEngine infoseek.com qt=
SearchEngine webcrawler searchText=
SearchEngine excite search=
SearchEngine netscape.com search=
SearchEngine mamma.com query=
SearchEngine alltheweb.com query=
SearchEngine northernlight.com qr=
Ethernet NIC drivers - network card not detected
dmesg
dmidecode
ip link
ls -l /sys/class/net/
Example: i219 card, e1000e driver
Solution
See:
apt install linux-headers-$(uname -r) linux-headers-amd64 dkms build-essential
wget https://github.com/kelebek333/e1000e-dkms/raw/master/e1000e-dkms_3.4.2.4_amd64.deb
dpkg -i e1000e-dkms_3.4.2.4_amd64.deb
