2025/02/06

How to let users watch a video without being able to download it

First, split the mp4 into segments:

ffmpeg -i abc.mp4 -codec: copy -start_number 0 -hls_time 15 -hls_list_size 0 -f hls abc.m3u8

After segmenting, move abc.mp4 out of the directory.


Create index.html:


<html>
<head>
  <link href="https://vjs.zencdn.net/8.16.1/video-js.css" rel="stylesheet" />

  <!-- If you'd like to support IE8 (for Video.js versions prior to v7) -->
  <!-- <script src="https://vjs.zencdn.net/ie8/1.1.2/videojs-ie8.min.js"></script> -->
</head>

<body>
  <video
    id="my-video"
    class="video-js"
    controls
    preload="auto"
    width="640"
    height="480"
    data-setup="{}"
  >
    <!-- The Video.js template's poster="MY_VIDEO_POSTER.jpg" attribute and its two
         <source> lines (MY_VIDEO.mp4 / MY_VIDEO.webm) have been removed. -->

    <!-- Put all the segment files produced in step 1 into the web server directory
         and change the URL below to match -->
    <source src='http://10.0.0.1/test/abc.m3u8' type="application/x-mpegURL">

    <p class="vjs-no-js">
      To view this video please enable JavaScript, and consider upgrading to a
      web browser that
      <a href="https://videojs.com/html5-video-support/" target="_blank"
        >supports HTML5 video</a
      >
    </p>
  </video>

  <script src="https://vjs.zencdn.net/8.16.1/video.min.js"></script>
</body>
</html>


Open it in a browser to watch.
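The three steps above as one script, added here as an example (not part of the original post): segment with ffmpeg, move the source mp4 out of the served directory, and then check that the published directory contains only the playlist and the segments it references. It assumes ffmpeg is on PATH; the directory names are placeholders. Worth keeping in mind: HLS removes the single downloadable file, but the playlist still lists every segment URL, so this deters casual saving rather than making the content undownloadable.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: hls_publish.sh SRC.mp4 WEBDIR ARCHIVEDIR

# Segment SRC into WEBDIR/<name>.m3u8 + .ts files (same ffmpeg options as the post),
# then move the original out of WEBDIR so the whole file is no longer served.
hls_publish() {
    src="$1"; webdir="$2"; archive="$3"
    base=$(basename "$src" .mp4)
    mkdir -p "$webdir" "$archive"
    ffmpeg -i "$src" -codec: copy -start_number 0 -hls_time 15 -hls_list_size 0 \
        -f hls "$webdir/$base.m3u8" || return 1
    mv "$src" "$archive/"
}

# Check a published directory: the playlist must exist, every segment it lists
# must exist, and no .mp4 may remain. Returns 0 when the layout is as expected.
hls_check_dir() {
    dir="$1"; playlist="$2"
    [ -f "$dir/$playlist" ] || { echo "missing playlist $playlist"; return 1; }
    rc=0
    # Non-comment, non-empty lines of an m3u8 are the segment URIs
    grep -v '^#' "$dir/$playlist" | grep -v '^$' | while read -r seg; do
        [ -f "$dir/$seg" ] || { echo "missing segment $seg"; exit 1; }
    done || rc=1
    for f in "$dir"/*.mp4; do
        [ -e "$f" ] && { echo "original still present: $f"; rc=1; }
    done
    return $rc
}

# Run the full procedure only when called with three arguments
if [ "$#" -eq 3 ]; then
    hls_publish "$1" "$2" "$3" && hls_check_dir "$2" "$(basename "$1" .mp4).m3u8"
fi
```

For the post's layout the call would be `sh hls_publish.sh abc.mp4 /var/www/html/test /srv/video-archive` (paths assumed); the check function can also be run on its own after a manual publish.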


2025/01/23

This ZAP vulnerability scan produced two Medium findings.


They were actually there last time too, but this time even Medium findings have to be dealt with.
It looks like both are CSP issues.
I changed it once before and the page layout broke.
Let's try handling it again this time.
Edit /etc/apache2/apache2.conf
and add the following block:

<IfModule mod_headers.c>

        Header set Content-Security-Policy "\
        default-src 'self';\
        img-src 'self' http://10.0.0.1 http://www.fcounter.net http://s11.flagcounter.com data:;\
        frame-src 'self' https://abc.com.tw https://www.youtube.com;\
        style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com;\
        script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.datatables.net 'unsafe-eval' 'unsafe-inline';\
        font-src 'self' https://cdnjs.cloudflare.com;\
        "

</IfModule>

The content needs to be adjusted to your own requirements.
Go through the pages one by one to see whether the formatting is broken or the layout is still normal.
You can open the browser's developer tools,
which will show what was blocked by CSP,
and then add those sources to the policy.
Asking https://www.perplexity.ai/ what needs to be added is faster:
just paste the console messages into the question.

Not hard, but it really takes a lot of time.
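Before reloading Apache it helps to know what a scanner will still say about the policy. The script below is an added example (not from the original post): it splits a Content-Security-Policy value into directives and reports the usual complaints. Run on the policy above it flags script-src 'unsafe-inline' and 'unsafe-eval' (which scanners such as ZAP typically still report even once the header is present, because they leave inline and eval'd script unblocked), style-src 'unsafe-inline', the http: sources that permit plaintext loads, and the directives the policy does not set. The EXAMPLE_POLICY constant is the post's own policy flattened onto one line; the findings wording is mine.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for a CSP value.

# The post's policy, flattened to a single line
EXAMPLE_POLICY="default-src 'self'; img-src 'self' http://10.0.0.1 http://www.fcounter.net http://s11.flagcounter.com data:; frame-src 'self' https://abc.com.tw https://www.youtube.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.datatables.net 'unsafe-eval' 'unsafe-inline'; font-src 'self' https://cdnjs.cloudflare.com;"

# csp_audit POLICY : print one line per finding; return 0 when clean, 1 otherwise.
csp_audit() {
    policy="$1"
    found=0
    # One "directive source source..." line per directive, whitespace collapsed
    directives=$(printf '%s' "$policy" | tr ';' '\n' | tr -s ' \t' ' ' \
        | sed 's/^ //; s/ $//' | grep -v '^$')

    # Inline allowances for the two directives where they matter most
    for d in script-src style-src; do
        srcs=$(printf '%s\n' "$directives" | awk -v d="$d" '$1==d {$1=""; print}')
        case " $srcs " in
            *"'unsafe-inline'"*) echo "$d allows 'unsafe-inline'"; found=1 ;;
        esac
    done

    # eval and wildcard sources only matter for script
    srcs=$(printf '%s\n' "$directives" | awk '$1=="script-src" {$1=""; print}')
    case " $srcs " in
        *"'unsafe-eval'"*) echo "script-src allows 'unsafe-eval'"; found=1 ;;
    esac
    case " $srcs " in
        *" * "*) echo "script-src uses a wildcard source"; found=1 ;;
    esac

    # object-src falls back to default-src; base-uri, frame-ancestors and
    # form-action do not fall back at all, so leaving them out means no restriction.
    for d in object-src base-uri frame-ancestors form-action; do
        printf '%s\n' "$directives" | awk -v d="$d" '$1==d {f=1} END {exit !f}' \
            || { echo "$d is not set"; found=1; }
    done

    # http: sources allow plaintext loads even on an https page
    printf '%s\n' "$directives" | grep -o 'http://[^ ]*' | sort -u | while read -r u; do
        echo "plaintext source $u"
    done
    printf '%s\n' "$directives" | grep -q 'http://' && found=1

    return $found
}

csp_audit "$EXAMPLE_POLICY" || echo "policy has findings (see above)"
```

When the policy is later tightened, the same function run on a policy without the unsafe keywords and with the extra directives set returns 0, which makes it usable as a pre-deploy check in a script.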

2025/01/16

Logged in to n8n today and saw an update notification.

Since previous upgrades had all gone fine, I didn't take a snapshot first.
After the upgrade the page came up blank,
so I had to roll back to the backup.
Will try again with the next version.

From now on, always take a snapshot before upgrading.

2025/01/14

Vulnerability scan time again.
Looked at the report yesterday;
there are two issues.

Vulnerability Detection Result
The remote SSH server supports the following weak KEX algorithm(s):
KEX algorithm | Reason
------------------------------------------------
diffie-hellman-group-exchange-sha1 | Using SHA-1


Vulnerability Detection Result
The remote SSH server supports the following weak client-to-server encryption algorithm(s):
aes128-cbc
aes256-cbc
The remote SSH server supports the following weak server-to-client encryption algorithm(s):
aes128-cbc
aes256-cbc


I thought editing /etc/ssh/sshd_config would be enough:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

Unexpectedly, the rescan showed the same result.

Because every full scan takes a long time,
I used nmap to scan just the ssh server:

nmap --script ssh2-enum-algos -sV -p 22   10.0.0.1


Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:47 CST
Nmap scan report for 10.0.0.1
Host is up (0.00079s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (12)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (7)
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes256-ctr
|       aes256-cbc
|       aes128-gcm@openssh.com
|       aes128-ctr
|       aes128-cbc
|   mac_algorithms: (8)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1
|       umac-128@openssh.com
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Sure enough, still no effect.
After searching for a long time, I finally found the solution.

First deal with
aes128-cbc
aes256-cbc

First create a file with the following content:

vi /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod

cipher = -AES-128-CBC -AES-256-CBC
ssh_cipher = -AES-128-CBC -AES-256-CBC


Update the crypto policy:

update-crypto-policies --set DEFAULT:DISABLE-CBC


Next, deal with

diffie-hellman-group-exchange-sha1


vi /etc/crypto-policies/back-ends/opensshserver.config

Delete the following text:

,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1



Restart sshd:

systemctl restart sshd


Run it again:
nmap --script ssh2-enum-algos -sV -p 22   10.0.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:59 CST
Nmap scan report for 10.0.0.1
Host is up (0.00077s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (5)
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes128-ctr
|   mac_algorithms: (8)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1
|       umac-128@openssh.com
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds


Everything is now fixed.
Rescanning showed no problems either.
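Why the sshd_config edit had no visible effect: on RHEL 8 derivatives such as AlmaLinux 8 (the OpenSSH 8.0 in the scan fits), the sshd unit reads /etc/crypto-policies/back-ends/opensshserver.config, which holds a CRYPTO_POLICY= line of -oCiphers/-oKexAlgorithms/... options, and passes it on sshd's command line; command-line options override sshd_config, so the lists have to change in the crypto-policy files as above. One caveat: update-crypto-policies regenerates that back-end file, so the hand edit to opensshserver.config should be re-checked after any future policy change. The script below is an added example, not from the post: it reads nmap --script ssh2-enum-algos output on stdin and prints the algorithms a scanner would flag, so a single host can be rechecked in seconds. It is stricter than the post's scanner in that it also reports the hmac-sha1 MACs and the ssh-rsa (SHA-1 signed) host key algorithm, both still present in the second scan above. The two samples are constructed in the shape of the captured output, not copies of it.

```shell
#!/bin/sh
# Added example, not from the original post: flag weak SSH algorithms in
# "nmap --script ssh2-enum-algos" output read from stdin.

# Constructed samples shaped like the nmap output above (shortened, not copies)
SAMPLE_BEFORE='| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms: (4)
|       aes256-gcm@openssh.com
|       aes256-ctr
|       aes256-cbc
|       aes128-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

SAMPLE_AFTER='| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (3)
|       rsa-sha2-512
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms: (2)
|       aes256-gcm@openssh.com
|       aes256-ctr
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com'

# ssh_weak_algos : prints "section: algorithm" per weak entry; exit 1 if any found.
ssh_weak_algos() {
    awk '
      # Section headers look like "|   kex_algorithms: (12)"
      $2 ~ /_algorithms:$/ { sec=$2; sub(/:$/, "", sec); next }
      # Entries look like "|       name" (last one "|_      name")
      ($1=="|" || $1=="|_") && sec!="" && NF==2 {
          a=$2; weak=0
          if (sec=="kex_algorithms" && a ~ /sha1$/) weak=1            # SHA-1 based KEX
          if (sec=="encryption_algorithms" && a ~ /(-cbc$|^3des|^arcfour|^blowfish)/) weak=1
          if (sec=="mac_algorithms" && a ~ /(hmac-sha1|hmac-md5|-96)/) weak=1
          if (sec=="server_host_key_algorithms" && (a=="ssh-rsa" || a=="ssh-dss")) weak=1
          if (weak) { print sec ": " a; n++ }
      }
      END { exit (n > 0 ? 1 : 0) }
    '
}

# Stand-alone demo on the constructed "before" sample
printf '%s\n' "$SAMPLE_BEFORE" | ssh_weak_algos || echo "weak algorithms found"
```

Against a live host: `nmap --script ssh2-enum-algos -sV -p 22 10.0.0.1 | ssh_weak_algos`; a non-zero exit means something is left to fix.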

2025/01/13

Since last night suricata's CPU usage has stayed above 98% and won't come down.
Looking at the log, there are a large number of truncated-packet entries:

Jan 13 04:30:33 suricata suricata[77297]: [1:2200003:2] SURICATA IPv4 truncated packet [Classification: Generic Protocol Command Decode] [Priority: 3] [**] [Raw pkt: C0 C5 20 6B A9 DA 00 60 E0 8A 76 E3 08 00 45 00 0A 8C 8F C5 00 0]

Jan 13 10:44:03 suricata suricata[78]: [1:2200013:2] SURICATA IPv6 truncated packet [Classification: Generic Protocol Command Decode] [Priority: 3] [**] [Raw pkt: C0 C5 20 6B A9 DA 00 60 E0 8A 76 E3 86 DD 60 81 56 A3 10 DC 06 3]

Pause these two detections first, in

/etc/suricata/rules/decoder-events.rules

and keep observing.
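A way to pause the two rules without deleting them, added here as an example (not from the original post): comment out the rule lines by sid so the change is visible in the file and easy to revert. The sample rules are constructed to look like decoder-events.rules entries, not copied from the real file; only the sids 2200003 and 2200013 come from the log lines above.

```shell
#!/bin/sh
# Added example, not from the original post: disable Suricata rules by sid.

# Constructed sample in the shape of decoder-events.rules (not the real file)
SAMPLE_RULES='alert pkthdr any any -> any any (msg:"SURICATA IPv4 truncated packet"; decode-event:ipv4.pkt_too_small; classtype:protocol-command-decode; sid:2200003; rev:2;)
alert pkthdr any any -> any any (msg:"SURICATA IPv4 invalid IP header"; decode-event:ipv4.hlen_too_small; classtype:protocol-command-decode; sid:2200004; rev:2;)
alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated packet"; decode-event:ipv6.pkt_too_small; classtype:protocol-command-decode; sid:2200013; rev:2;)'

# disable_sids FILE SID... : prefix "# " to every active rule whose sid is listed.
# Lines already commented out are skipped, so running it twice changes nothing.
disable_sids() {
    rules="$1"; shift
    for sid in "$@"; do
        sed "/^[^#].*sid:${sid};/s/^/# /" "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    done
}

# active_rules FILE : number of uncommented rule lines left in the file.
active_rules() {
    grep -c '^[^#]' "$1" || true
}

# Stand-alone demo on a temporary copy of the constructed sample
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
disable_sids "$tmp" 2200003 2200013
echo "active rules left: $(active_rules "$tmp")"
rm -f "$tmp"
```

On the real file: `disable_sids /etc/suricata/rules/decoder-events.rules 2200003 2200013`, then reload the ruleset (`suricatasc -c ruleset-reload-rules`) and watch whether the CPU comes back down.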

2025/01/10

Pull the CPU usage of all guests in PVE and send an alert when it exceeds the limit


#!/bin/bash

# Pull all cluster resources, keep the name / cpu / id columns, keep only LXC and
# QEMU guests, and strip the last four characters of each line
pvesh get /cluster/resources | awk '{print $2" "$33" "$8}' | grep -E "lxc|qemu" | sed 's/....$//' > /tmp/all_guest_cpu

# Keep the guests whose CPU value (third column) is above 80
awk '$3 > 80 {print $0}' /tmp/all_guest_cpu > /tmp/guest_cpu_high

# Only alert when at least one guest exceeded the threshold
if [ -s /tmp/guest_cpu_high ]; then

        sed -i '1i network guest cpu high' /tmp/guest_cpu_high
        sed -i '2i ==========' /tmp/guest_cpu_high
        cp /tmp/guest_cpu_high /tmp/guest_cpu_high_network
        # Upload a copy via FTP (user:pwd stand for the real credentials) and mail the report
        /usr/bin/lftp ftp://user:pwd@10.0.0.1 -e "put /tmp/guest_cpu_high_network; bye"
        mutt -s guest_cpu_high user@abc.com < /tmp/guest_cpu_high

fi
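The same check written against pvesh's JSON output instead of fixed awk column numbers, added here as an example (not the post's script). The fixed-column version breaks as soon as a guest name contains a space or the table layout changes, while `pvesh get /cluster/resources --type vm --output-format json` gives named fields (`cpu` is a fraction of the guest's allotted cores). It assumes a PVE node with jq installed; the FTP host, mail address and threshold are placeholders. One change from the post: the FTP password is not put in the lftp command line, where every local user can read it with ps and it lands in shell history; lftp reads ~/.netrc, so a mode-600 netrc entry for the host is assumed instead (the upload function is otherwise untested here).

```shell
#!/bin/sh
# Added example, not the post's own script: PVE guest CPU alert from JSON.

THRESHOLD=${THRESHOLD:-80}

# Constructed sample of collect_guest_cpu output ("vmid name cpu_percent")
SAMPLE_GUESTS='101 web 95
102 db 12
103 nas 81'

# collect_guest_cpu : "vmid name cpu_percent" for every running LXC/QEMU guest.
# Requires pvesh (a PVE node) and jq; not exercised by the tests below.
collect_guest_cpu() {
    pvesh get /cluster/resources --type vm --output-format json |
        jq -r '.[] | select(.status=="running") | "\(.vmid) \(.name) \(.cpu*100|floor)"'
}

# filter_high_cpu THRESHOLD : keep lines whose third column exceeds the threshold;
# exit status 1 when nothing exceeds it, so callers can skip the alert.
filter_high_cpu() {
    awk -v t="$1" '$3+0 > t+0 {print; n++} END {exit (n > 0 ? 0 : 1)}'
}

# build_report : the same header the post prepends, followed by the lines on stdin
build_report() {
    printf 'network guest cpu high\n==========\n'
    cat
}

# upload_report FILE HOST : credentials come from ~/.netrc (mode 600), not the URL
upload_report() {
    /usr/bin/lftp -e "put $1; bye" "ftp://$2"
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_GUESTS" | filter_high_cpu "$THRESHOLD" | build_report
```

On the node the pipeline becomes `collect_guest_cpu | filter_high_cpu "$THRESHOLD" | build_report > /tmp/guest_cpu_high && mutt -s guest_cpu_high user@abc.com < /tmp/guest_cpu_high` (addresses as in the post), with `upload_report /tmp/guest_cpu_high 10.0.0.1` added if the FTP copy is still wanted.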

2025/01/03

Today, after using tabby to ssh into AlmaLinux 8, typing Chinese in vi showed the following:

中�~V~G試�~\~K�~\~K

but cat displays it fine.

Searching around, the advice was to change the tabby config:

appearance:
  - Character encoding: utf-8

Changing it still didn't help.

The fix that finally worked was to first install vim on AlmaLinux 8:

dnf install vim

Create .vimrc in the home directory with the following content:

set encoding=utf-8
set fileencoding=utf-8

Set an alias:

echo "alias vi='vim'" >> ~/.bashrc

And then it works normally.