Just a very good video to learn about the foundations of Cloud Spanner:

https://www.youtube.com/watch?v=QPpSzxs_8bc

隨記

久違的看了一眼服務器的監控圖表,發現連接數異常的多(對比網站流量來說),奇怪的打開了 netstat / tcpdump,一臉 SYN_RECV。

雖然不至於造成 SYN FLOOD,直接把來源 IP 段 BAN 了了事。(然後換成一堆 AWS 的 IP 段發過來了,好傢伙…)

新部署:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds {value} --hitcount {value} --name "syn-fw" -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name "syn-fw"
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds {value} --hitcount {value} --name "syn-fw" -j LOG --log-prefix "[syn-fw] " --log-level 4


Refs:
https://serverfault.com/a/1033162
http://www.snowman.net/projects/ipt_recent/

  • Bonus:Fail2ban filter

  • [INCLUDES]
    before = common.conf


    [Definition]
    _daemon = kernel
    failregex = ^%(__prefix_line)s\[syn-fw\].*SRC=<HOST> DST=.*$
    ignoreregex =

    The new era

    # nginx -V
    nginx version: nginx/1.21.3
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
    built with OpenSSL 3.0.0 7 sep 2021
    TLS SNI support enabled
    configure arguments: --with-openssl=.../openssl-3.0.0 --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
    

    Took such a long time to compile though… 😅

    Safer everyday, just a memo

    早就應該給伺服器的數據庫備份加密了,現在終於加上了。

    Should have encrypted the database backup already, finally changed it.

    [crontab time] /usr/bin/tar czf - -C /etc/nginx . | /usr/local/bin/openssl enc -aes-256-cbc -pbkdf2 -k [password] > /backup/nginx.tar.gz.enc

    [crontab time] /usr/bin/mysqldump -u root --all-databases | /usr/local/bin/openssl enc -aes-256-cbc -pbkdf2 -k [password] > /backup/all-databases.sql.enc

    高效雲盤 & SSD 雲盤性能對比(使用 t6 實例)

    根據阿里雲官方塊存儲性能測試步驟(https://www.alibabacloud.com/help/zh/doc-detail/147897.htm)。

    系統:Alibaba Cloud Linux 3
    實例:ecs.t6-c1m1.large
    地域:新加坡

    高效雲盤 50 GB:(理論 2200 IOPS)

    隨機寫 IOPS: Jobs: 1 (f=1): [w(1)][100.0%][w=8768KiB/s][w=2192 IOPS][eta 00m:00s]
    隨機讀 IOPS: Jobs: 1 (f=0): [f(1)][100.0%][r=8668KiB/s][r=2167 IOPS][eta 00m:00s]
    順序寫吞吐量:Jobs: 1 (f=1): [W(1)][100.0%][w=106MiB/s][w=106 IOPS][eta 00m:00s]
    順序讀吞吐量:Jobs: 1 (f=1): [R(1)][100.0%][r=96.0MiB/s][r=96 IOPS][eta 00m:00s]
    隨機寫時延: Jobs: 1 (f=1): [w(1)][100.0%][w=8908KiB/s][w=2227 IOPS][eta 00m:00s]
    隨機讀時延: Jobs: 1 (f=1): [r(1)][100.0%][r=8816KiB/s][r=2204 IOPS][eta 00m:00s]

    SSD 雲盤 50 GB:(理論 3300 IOPS)

    隨機寫 IOPS: Jobs: 1 (f=1): [w(1)][100.0%][w=13.0MiB/s][w=3336 IOPS][eta 00m:00s]
    隨機讀 IOPS: Jobs: 1 (f=1): [r(1)][100.0%][r=13.0MiB/s][r=3336 IOPS][eta 00m:00s]
    順序寫吞吐量:Jobs: 1 (f=1): [W(1)][100.0%][w=105MiB/s][w=105 IOPS][eta 00m:00s]
    順序讀吞吐量:Jobs: 1 (f=1): [R(1)][100.0%][r=97.1MiB/s][r=97 IOPS][eta 00m:00s]
    隨機寫時延: Jobs: 1 (f=1): [w(1)][100.0%][w=13.0MiB/s][w=3333 IOPS][eta 00m:00s]
    隨機讀時延: Jobs: 1 (f=1): [r(1)][100.0%][r=13.0MiB/s][r=3336 IOPS][eta 00m:00s]

    Alibaba Cloud Anycast EIP is worse than its origin EIP

    I created an Alibaba Cloud Anycast EIP to see how big of an improvement it can have compared to my Singapore EIP. It is impressive to see how it has a negative impact on the global latency department.

    * Test result only applies to today at this moment. Origin server (SLB) in Singapore.

    Anycast EIP

    Using their own benchmark method from Tokyo server: (https://www.alibabacloud.com/help/doc-detail/171864.htm#title-mk4-1or-ni4)

    # curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "Anycast EIP"
    time_connect: 0.081
    time_starttransfer: 0.167
    time_total: 0.167

    Normal Singapore EIP

    # curl -o /dev/null -s -w "time_connect: %{time_connect}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" "Singapore EIP"
    time_connect: 0.076
    time_starttransfer: 0.152
    time_total: 0.153

    Utilize iptables to monitor traffic (by port|ip)

    # iptables -A INPUT -s 10.0.0.1
    # iptables -A OUTPUT -d 10.0.0.1
    # iptables -vnL
    Chain INPUT (policy ACCEPT 7967 packets, 4273K bytes)
     pkts bytes target     prot opt in     out     source               destination
    16572 4535K            all  --  *      *       10.0.0.1             0.0.0.0/0
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 8562 packets, 6767K bytes)
     pkts bytes target     prot opt in     out     source               destination
     2823 2974K            all  --  *      *       0.0.0.0/0            10.0.0.1
    # iptables -A INPUT -p tcp --dport 12000
    # iptables -A OUTPUT -p tcp --sport 12000
    # iptables -vnL
    Chain INPUT (policy ACCEPT 9806 packets, 5038K bytes)
     pkts bytes target     prot opt in     out     source               destination
     669K  184M            all  --  *      *       10.0.0.1             0.0.0.0/0
       50  3640            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12000
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 10285 packets, 7196K bytes)
     pkts bytes target     prot opt in     out     source               destination
     665K  687M            all  --  *      *       0.0.0.0/0            10.0.0.1
       10  1288            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:12000

    按照 iptables 的規則語法即可自由組合。需要特定時間的紀錄,用 crontab 導出 iptables -vnL 內容,iptables -D 刪除紀錄,再重新添加即可。

    Utilize crontab to run ssh command in tmux

    0 22 * * * /usr/bin/tmux new -d && /usr/bin/tmux send-keys -t 0 “vnstat -l” ENTER
    0 23 * * * /usr/bin/tmux send-keys -t 0 C-c

    Just for reference, please verify if the command fits your needs. Such as, if there are old tmux sessions in place, the new session number won’t be 0, you might want to specify session name with -s.