document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-28 23:20:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'LCTT/master'

Browse Source
This commit is contained in:
Xingyu Wang 2020-07-15 13:04:34 +08:00
commit fd1e9f1865
8 changed files with 623 additions and 499 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
translated/tech/20200701 Back up your phone-s storage with this Linux utility.md → published/20200701 Back up your phone-s storage with this Linux utility.md
View File

@ -1,39 +1,36 @@
[#]: collector: (lujun9972)
[#]: translator: (summer2233)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-12415-1.html)
[#]: subject: (Back up your phone's storage with this Linux utility)
[#]: via: (https://opensource.com/article/20/7/gphoto2-linux)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
使用 Linux 实用程序备份手机存储
使用 Linux 实用程序 gPhoto2 备份手机存储
======
尽情地拍照吧gphoto2 能够方便、快速地将照片从您的设备传输到 Linux 计算机上。
![A person looking at a phone][1]
移动设备的最大缺点之一就是其将数据从设备传输到计算机很困难。移动设备在这一缺点上有着悠久的历史。早期的移动设备,如 Pilot 和掌上电脑 PDA 设备,需要使用特殊的同步软件来传输数据(你必须小心翼翼地做这件事,因为你的设备可能会因为电池耗尽而导致数据永久丢失);旧版 iPod 只提供特定平台的界面。现代移动设备默认将您的数据发送到在线帐户,以便您可以在计算机上再次下载
> 尽情地拍照吧gphoto2 能够方便、快速地将照片从你的设备传输到 Linux 计算机上。
好消息——如果您正在运行 Linux您可以使用 `gphoto2` 命令与移动设备进行连接。`gphoto2` 最初是为了实现与数码相机通讯而开发的,那时的数码相机只有传统的相机功能,现在的 `gphoto2` 可以和许多不同种类的移动设备通讯。别让这个名字骗了你,它可以处理所有类型的文件,而不仅仅是照片。更棒的是,它可以编写脚本、很灵活、并且比大多数 GUI 界面功能强大得多。
![](https://img.linux.net.cn/data/attachment/album/202007/14/170729pzljppapojy44ro4.jpg)
如果您曾经为在计算机和移动设备之间同步数据而苦恼,请了解一下 `gphoto2`
移动设备的最大缺点之一就是其将数据从设备传输到计算机很困难。移动设备在这一缺点上有着悠久的历史。早期的移动设备,如 Pilot 和掌上电脑 PDA 设备,需要使用特殊的同步软件来传输数据(你必须小心翼翼地做这件事,因为你的设备可能会因为电池耗尽而导致数据永久丢失);旧版 iPod 只提供特定平台的界面。现代移动设备默认将你的数据发送到在线帐户,以便你可以在计算机上再次下载
好消息——如果你正在运行 Linux你可以使用 `gphoto2` 命令与移动设备进行连接。`gphoto2` 最初是作为一种与数码相机通信的方式而开发的,那时的数码相机只有传统的相机功能,现在的 `gphoto2` 可以和许多不同种类的移动设备通讯。别让这个名字骗了你,它可以处理所有类型的文件,而不仅仅是照片。更棒的是,它可以编写脚本、很灵活、并且比大多数 GUI 界面功能强大得多。
如果你曾经为在计算机和移动设备之间同步数据而苦恼,请了解一下 `gphoto2`
### 安装 gPhoto2
### Install gPhoto2
很可能您的 Linux 系统已经安装了 libgphoto2因为它是与移动设备连接的一个关键库但您可能还需要安装命令 `gphoto2`,该命令可以在您的存储库中。
很可能你的 Linux 系统已经安装了 libgphoto2因为它是与移动设备连接的一个关键库但你可能还需要安装命令 `gphoto2`,该命令可能在你的存储库中。
在 Fedora 或 RHEL 上:
```
$ sudo dnf install gphoto2
```
在 Debian 或 Ubuntu上
在 Debian 或 Ubuntu 上:
```
$ sudo apt install gphoto2
@ -41,15 +38,13 @@ $ sudo apt install gphoto2
### 验证兼容性
若要确认您的移动设备是否受支持,请使用 `--list-cameras`,通过管道传输到 `less`
若要确认你的移动设备是否受支持,请使用 `--list-cameras`,通过管道传输到 `less`
```
`$ gPhoto2 --list-cameras | less`
$ gPhoto2 --list-cameras | less
```
或者您可以通过管道把它传送到 `grep` 来搜索一个词。例如,如果您有三星 Galaxy则使用 `grep`,并通过选项 `-i` 关闭区分大小写:
或者你可以通过管道把它传送到 `grep` 来搜索一个词。例如,如果你有三星 Galaxy则使用 `grep`,并通过选项 `-i` 关闭区分大小写:
```
$ gphoto2 --list-cameras | grep -i galaxy
@ -58,34 +53,32 @@ $ gphoto2 --list-cameras | grep -i galaxy
  "Samsung Galaxy models Kies mode"
```
这证实了三星 Galaxy 设备支持通过 MTP 连接和同时连接 ADB、MTP。
这证实了三星 Galaxy 设备支持通过 MTP 连接和通过 ADB 连接 MTP。
如果您没有在列表中找到自己的移动设备,您仍然可以尝试使用 `gphoto2`,以防您的设备在列表中使用了不同的称呼。
如果你没有在列表中找到自己的移动设备,你仍然可以尝试使用 `gphoto2`,可能你的设备在列表中使用了不同的称呼。
### 查找移动设备
要使用 gPhoto2首先必须将移动设备插入计算机设置为 MTP 模式,并且授予计算机与它交互的权限。这通常需要在的移动设备上操作,往往是在屏幕上按下一个按钮,以允许其文件系统被刚刚连接的计算机访问。
要使用 gPhoto2首先必须将移动设备插入计算机设置为 MTP 模式,并且授予计算机与它交互的权限。这通常需要在的移动设备上操作,往往是在屏幕上按下一个按钮,以允许其文件系统被刚刚连接的计算机访问。
![Screenshot of allow access message][2]
如果您不授权电脑访问移动设备,那么 gPhoto2 可以检测到您的移动设备,但它不能与之交互。
要确保计算机检测到您连接的移动设备,请使用 `--auto-detect` 选项:
如果你不授权电脑访问移动设备,那么 gPhoto2 可以检测到你的移动设备,但它不能与之交互。
要确保计算机检测到你连接的移动设备,请使用 `--auto-detect` 选项:
```
$ gphoto2 --auto-detect
Model                       Port
\---------------------------------------
---------------------------------------
Samsung Galaxy models (MTP) usb:002,010
```
如果您的移动设备没有被检测到,请先检查数据线,然后检查您的设备是否配置为通过 MTP、ADB 或其它 gPhoto2 支持的协议连接,如 `--list-cameras` 所示。
如果你的移动设备没有被检测到,请先检查数据线,然后检查你的设备是否配置为通过 MTP、ADB 或其它 gPhoto2 支持的协议连接,如 `--list-cameras` 所示。
### 查询您的设备支持的特性
对于现代设备,通常有过多的潜在功能,但并非所有移动设备都支持这些功能。您可以用 `--abilities` 选项来确定自己的移动设备支持哪些功能。我觉得结果看起来直观。
### 查询你的设备支持的特性
对于现代设备,通常有过多的潜在功能,但并非所有移动设备都支持这些功能。你可以用 `--abilities` 选项来确定自己的移动设备支持哪些功能。我觉得结果看起来直观。
```
$ gphoto2 --abilities
@ -102,34 +95,32 @@ File upload support             : yes
如果只连接一个设备,那么不需要指定查询的设备。但是,如果连接了多个 gPhoto2 可以与之交互的设备,则可以通过端口、相机型号或 usbid 指定设备。
### 与您的移动设备交互
如果您的设备支持拍摄功能,则可以从计算机调用您的摄像头来获取媒体。例如,要拍摄照片:
### 与你的移动设备交互
如果你的设备支持拍摄功能,则可以从计算机调用你的摄像头来获取媒体。例如,要拍摄照片:
```
$ gphoto2 --capture-image
```
要拍摄照片并立即将其传输到连接的计算机:
```
$ gphoto2 --capture-image-and-download
```
您也可以录制视频和声音。如果连接了多个拍摄设备,可以按端口、相机型号或 usbid 指定要使用的设备:
你也可以录制视频和声音。如果连接了多个拍摄设备,可以按端口、相机型号或 usbid 指定要使用的设备:
```
$ gphoto2 --camera "Samsung Galaxy models (MTP)" \
\--capture-image-and-download
--capture-image-and-download
```
### 文件和文件夹
要想更加智能地管理移动设备上的文件,您需要了解 gPhoto2 连接的文件系统的结构。
您可以使用 `--get-folders` 选项查看可用文件夹:
要想更加智能地管理移动设备上的文件,你需要了解 gPhoto2 连接的文件系统的结构。
你可以使用 `--get-folders` 选项查看可用文件夹:
```
$ gphoto2 --list-folders
@ -140,53 +131,49 @@ There are 0 folders in folder '/store_00010001'.
There are 0 folders in folder '/store_00020002'.
```
每个文件夹代表设备上的一个存储单元。在本例中,`store_00010001` 是内部存储器,`store_00020002` 是 SD 卡,这可能与的设备的结构不同。
每个文件夹代表设备上的一个存储单元。在本例中,`store_00010001` 是内部存储器,`store_00020002` 是 SD 卡,这可能与的设备的结构不同。
### 获取文件
现在您知道了设备的文件夹布局,就可以从设备获取照片了。您可以使用许多不同的选项,具体取决于您想从设备中获取什么。
如果您知道绝对路径,则可以获取指定的文件:
现在你知道了设备的文件夹布局,就可以从设备获取照片了。你可以使用许多不同的选项,具体取决于你想从设备中获取什么。
如果你知道绝对路径,则可以获取指定的文件:
```
`$ gphoto2 --get-file IMG_0001.jpg --folder /store_00010001/myphotos`
$ gphoto2 --get-file IMG_0001.jpg --folder /store_00010001/myphotos
```
您可以同时获得所有的文件:
你可以同时获得所有的文件:
```
`$ gphoto2 --get-all-files --folder /store_00010001/myfiles`
$ gphoto2 --get-all-files --folder /store_00010001/myfiles
```
您可以只获取音频文件:
你可以只获取音频文件:
```
`gphoto2 --get-all-audio-data --folder /store_00010001/mysounds`
gphoto2 --get-all-audio-data --folder /store_00010001/mysounds
```
gPhoto2 还有其他的选择,其中大多数取决于你连接的设备和使用协议是否支持。
## 上传文件
现在您知道了潜在的目标文件夹,就可以将文件从计算机上传到您的设备。例如,假设有一个名为 `example.epub` 的文件在当前目录中,您可以使用 `--upload-file` 选项和 `--folder` 选项将文件发送到设备并指定要上传到的目录:
### 上传文件
现在你知道了潜在的目标文件夹,就可以将文件从计算机上传到你的设备。例如,假设有一个名为 `example.epub` 的文件在当前目录中,你可以使用 `--upload-file` 选项和 `--folder` 选项将文件发送到设备并指定要上传到的目录:
```
$ gphoto2 --upload file example.epub \
\--folder store_00010001
--folder store_00010001
```
如果您希望将多个文件上传到同一个位置,您可以在设备上创建一个目录:
如果你希望将多个文件上传到同一个位置,你可以在设备上创建一个目录:
```
$ gphoto2 --mkdir books \
\--folder store_00010001
--folder store_00010001
$ gphoto2 --upload-file *.epub \
\--folder store_00010001/books
--folder store_00010001/books
```
### 列出文件
@ -204,11 +191,11 @@ There is 1 file in folder '/store_00010001'
[...]
```
### 探索的使用方式
### 探索的使用方式
gPhoto2 的大部分功能取决于您的设备,因此不同用户的体验可能不尽相同。在`gphoto2 --help` 中列出了许多操作供您探索。使用gPhoto2再也不用费劲把文件从你的设备传输到电脑上了
gPhoto2 的大部分功能取决于你的设备,因此不同用户的体验可能不尽相同。在 `gphoto2 --help` 中列出了许多操作供你探索。使用gPhoto2再也不用费劲把文件从你的设备传输到电脑上了
这些开源图片库能够帮助组织文件,并让的图片看起来很棒。
这些开源图片库能够帮助组织文件,并让的图片看起来很棒。
--------------------------------------------------------------------------------
@ -217,7 +204,7 @@ via: https://opensource.com/article/20/7/gphoto2-linux
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[summer2233](https://github.com/summer2233)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

56
sources/talk/20200714 My Linux story- breaking language barriers with open source.md Normal file
View File

@ -0,0 +1,56 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (My Linux story: breaking language barriers with open source)
[#]: via: (https://opensource.com/article/20/7/linux-bengali)
[#]: author: (Dr Anirban Mitra https://opensource.com/users/mitradranirban)
My Linux story: breaking language barriers with open source
======
Open source projects can help change the world by removing barriers,
linguistic and otherwise.
![India on the globe][1]
My open source journey started rather late in comparison to many of my peers and colleagues.
I was pursuing a post-graduate degree in medicine in 2000 when I managed to fulfill a dream Id had since high school—to buy my own PC. Before that, my only exposure to computers was through occasional access in libraries or cyber cafés, which charged exorbitant prices for access at that time. So I saved up portions of my grad student stipend and managed to buy a Pentium III 550 Mhz with 128MB RAM, and as came standard in most computers in India at that time, a pirated version of Windows 98.
There was no Internet access in my hostel room. I had to go to the nearby cyber café, download software there, and then carry around dozens of floppy discs.
As happy as I was finally owning my own computer, it bothered me that I could not write in my mother tongue, Bangla. I came across resources provided by CDAC, a government agency that provided Indian language tools based on ISCII, an older national standard upon which the Unicode standard of Indic language was based. It was difficult to learn the keyboard layouts.
### My first contribution
Soon, I came across a software called [Yudit][2], which offered phonetic typing of Indic language using the standard QWERTY keyboard. It was with Yudit that I first came across terms like open source and free software, GNU, and Linux. Yudit allowed me to translate UI elements into Bengali too, and when I submitted the translations to the developer, he gladly incorporated them into the next version and credited me in the README of the software.
This was exciting for me, as I was seeing, for the very first time, an application user element in my mother tongue. Moreover, I had been able to contribute to the development of a software despite having almost zero knowledge of coding. I went on to create an ISCII-to-Unicode converter for Yudit, which can also be used for transliteration between various Indian languages. I also bought a Linux magazine that came with a free live CD of Knoppix, and thats how I got a feel for the Linux desktop.
Another issue I faced was the lack of availability of Unicode-compliant OpenType Bangla font. The font I used was shareware, and I was supposed to pay a license fee for it. I thought, “Why not try my hand at developing it myself?” In the process, I came in contact with Bangla speakers scattered worldwide who were trying to enable Bangla in the Linux operating system, via `bengalinux.org` (later renamed Ankur group).
I joined their mailing list, and we discussed among ourselves and the authorities the various flaws in the Unicode and OpenType specifications of Bangla, which were then corrected in due course. I contributed by converting legacy Bangla fonts into OpenType Unicode-compliant fonts, translating UI, and so on. That group also came out with the worlds first Live Linux CD with a Bangla user interface.
In 2003, I had moved to a place where I did not have access to the Internet; I could only connect to the group on Sundays when I came to Kolkata. By that time, Bangla localization of Linux had become a mainstream thing. Some of our volunteers joined Red Hat to work on translation and font development. I also became busy in my medical practice and had little time left for open source development.
Now, I feel more comfortable using Linux to do my daily work than any other operating system. I also feel proud to be associated with a project which allows people to communicate in their own language. It also brought computing power to a population who were for a long time considered to be on the other side of the “digital divide” because they did not speak English. Bangla is actually one of the most widely spoken languages in the world, and this project removed a major barrier to access for a large chunk of the global population.
### Joining open source
Joining in on the open source movement is easy. Take the initiative to do something that is useful to yourself, and then think about how it could be useful to others. The key is to keep it freely available, and it can add untold value to the world.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/7/linux-bengali
作者:[Dr Anirban Mitra][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/mitradranirban
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/india-globe-map.jpg?itok=6sSEL5iO (India on the globe)
[2]: http://www.yudit.org/

347
sources/tech/20200622 Protect your system with fail2ban and firewalld blacklists.md
View File

@ -1,347 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Protect your system with fail2ban and firewalld blacklists)
[#]: via: (https://fedoramagazine.org/protect-your-system-with-fail2ban-and-firewalld-blacklists/)
[#]: author: (hobbes1069 https://fedoramagazine.org/author/hobbes1069/)
Protect your system with fail2ban and firewalld blacklists
======
![][1]
If you run a server with a public-facing SSH access, you might have experienced malicious login attempts. This article shows how to use two utilities to keep the intruder out of our systems.
To protect against repeated ssh login attempts, well look at _fail2ban_. And if you dont travel much, and perhaps stay in one or two countries, you can configure _firewalld_ to only [allow access from the countries you choose][2].
First lets work through a little terminology for those not familiar with the various applications well need to make this work:
**fail2ban:** Daemon to ban hosts that cause multiple authentication errors.
fail2ban will monitor the SystemD journal to look for failed authentication attempts for whichever jails have been enabled. After the number of failed attempts specified it will add a firewall rule to block that specific IP address for an amount of time configured.
**firewalld:** A firewall daemon with D-Bus interface providing a dynamic firewall.
Unless youve manually decided to use traditional iptables, youre already using firewalld on all supported releases of Fedora and CentOS.
### Assumptions
* The host system has an internet connection and is either fully exposed directly, through a DMZ (both REALLY bad ideas unless you know what youre doing), or has a port being forwarded to it from a router.
* While most of this might apply to other systems, this article assumes a current version of Fedora (31 and up) or RHEL/CentOS 8. On CentOS you must enable the Fedora EPEL repo with sudo dnf install epel-release
### Install & Configuration
#### Fail2Ban
More than likely whichever FirewallD zone is set already allows SSH access but the sshd service itself is not enabled by default. To start it manually and without permanently enabling on boot:
```
$ sudo systemctl start sshd
```
Or to start and enable on boot:
```
$ sudo systemctl enable --now sshd
```
The next step is to install, configure, and enable fail2ban. As usual the install can be done from the command line:
```
$ sudo dnf install fail2ban
```
Once installed the next step is to configure a jail (a service you want to monitor and ban at whatever thresholds youve set). By default IPs are banned for 1 hour (which is not near long enough). The best practice is to override the system defaults using *.local files instead of directly modifying the *.config files. If we look at my jail.local we see:
```
# cat /etc/fail2ban/jail.local
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 1h
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
```
Turning this into plain language, after 5 attempts within the last hour the IP will be blocked for 1 day. Theres also options for increasing the ban time for IPs that get banned multiple times, but thats the subject for another article.
The next step is to configure a jail. In this tutorial sshd is shown but the steps are more or less the same for other services. Create a configuration file inside _/etc/fail2ban/jail.d_. Heres mine:
```
# cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
```
Its that simple! A lot of the configuration is already handled within the package built for Fedora (Hint: Im the current maintainer). Next enable and start the fail2ban service.
```
$ sudo systemctl enable --now fail2ban
```
Hopefully there were not any immediate errors, if not, check the status of fail2ban using the following command:
```
$ sudo systemctl status fail2ban
```
If it started without errors it should look something like this:
```
$ systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-06-16 07:57:40 CDT; 5s ago
Docs: man:fail2ban(1)
Process: 11230 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 11235 (f2b/server)
Tasks: 5 (limit: 4630)
Memory: 12.7M
CPU: 109ms
CGroup: /system.slice/fail2ban.service
└─11235 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
Jun 16 07:57:40 localhost.localdomain systemd[1]: Starting Fail2Ban Service…
Jun 16 07:57:40 localhost.localdomain systemd[1]: Started Fail2Ban Service.
Jun 16 07:57:41 localhost.localdomain fail2ban-server[11235]: Server ready
```
If recently started, fail2ban is unlikely to show anything interesting going on just yet but to check the status of fail2ban and make sure the jail is enabled enter:
```
$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
```
And the high level status of the sshd jail is shown. If multiple jails were enabled they would show up here.
To check the detailed status a jail, just add the jail to the previous command. Heres the output from my system which has been running for a while. I have removed the banned IPs from the output:
```
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 8
| |- Total failed: 4399
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 101
|- Total banned: 684
`- Banned IP list: ...
```
Monitoring the fail2ban log file for intrusion attempts can be achieved by “tailing” the log:
```
$ sudo tail -f /var/log/fail2ban.log
```
Tail is a nice little command line utility which by default shows the last 10 lines of a file. Adding the “-f” tells it to follow the file which is a great way to watch a file thats still being written to.
Since the output has real IPs in it, a sample wont be provided but its pretty human readable. The INFO lines will usually be attempts at a login. If enough attempts are made from a specific IP address you will see a NOTICE line showing an IP address was banned. After the ban time has been reached you will see an NOTICE unban line.
Lookout for several WARNING lines. Most often this happens when a ban is added but fail2ban finds the IP address already in its ban database, which means banning may not be working correctly. If recently installed the fail2ban package it should be setup for FirewallD rich rules. The package was only switched from “ipset” to “rich rules” as of _fail2ban-0.11.1-6_ so if you have an older install of fail2ban it may still be trying to use the ipset method which utilizes legacy iptables and is not very reliable.
#### FirewallD Configuration
##### Reactive or Proactive?
There are two strategies that can be used either separately or together. Reactive or proactive permanent blacklisting of individual IP address or subnets based on country of origin.
For the reactive approach once fail2ban has been running for a while its a good idea to take a look at how “bad is bad” by running _sudo fail2ban-client status sshd_ again. There most likely will be many banned IP addresses. Just pick one and try running _whois_ on it. There can be quite a bit of interesting information in the output but for this method, only the country of origin is of importance. To keep things simple, lets filter out everything but the country.
For this example a few well known domain names will be used:
```
$ whois google.com | grep -i country
Registrant Country: US
Admin Country: US
Tech Country: US
```
```
$ whois rpmfusion.org | grep -i country
Registrant Country: FR
```
```
$ whois aliexpress.com | grep -i country
Registrant Country: CN
```
The reason for the _grep -i_ is to make grep non-case sensitive while most entries use “Country”, some are in all lower case so this method matches regardless.
Now that the country of origin of an intrusion attempt is known the question is, “Does anyone from that country have a legitimate reason to connect to this computer?” If the answer is NO, then it should be acceptable to block the entire country.
Functionally the proactive approach it not very different from the reactive approach, however, there are countries from which intrusion attempts are very common. If the system neither resides in one of those countries, nor has any customers originating from them, then why not add them to the blacklist now rather than waiting?
##### Blacklisting Script and Configuration
So how do you do that? With FirewallD ipsets. I developed the following script to automate the process as much as possible:
```
#!/bin/bash
# Based on the below article
# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist
# Source the blacklisted countries from the configuration file
. /etc/blacklist-by-country
# Create a temporary working directory
ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
pushd $ipdeny_tmp_dir
# Download the latest network addresses by country file
curl -LO http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar xf all-zones.tar.gz
# For updates, remove the ipset blacklist and recreate
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
firewall-cmd -q --permanent --delete-ipset=blacklist
fi
# Create the ipset blacklist which accepts both IP addresses and networks
firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
--option=family=inet --option=hashsize=4096 --option=maxelem=200000 \
--set-description="An ipset list of networks or ips to be dropped."
# Add the address ranges by country per ipdeny.com to the blacklist
for country in $countries; do
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=./$country.zone && \
echo "Added $country to blacklist ipset."
done
# Block individual IPs if the configuration file exists and is not empty
if [ -s "/etc/blacklist-by-ip" ]; then
echo "Adding IPs blacklists."
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=/etc/blacklist-by-ip && \
echo "Added IPs to blacklist ipset."
fi
# Add the blacklist ipset to the drop zone if not already setup
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
echo "Blacklist already in firewalld drop zone."
else
echo "Adding ipset blacklist to firewalld drop zone."
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
fi
firewall-cmd -q --reload
popd
rm -rf $ipdeny_tmp_dir
```
This should be installed to _/usr/local/sbin_ and dont forget to make it executable!
```
$ sudo chmod +x /usr/local/sbin/firewalld-blacklist
```
Then create a configure file: _/etc/blacklist-by-country_:
```
# Which countries should be blocked?
# Use the two letter designation separated by a space.
countries=""
```
And another configuration file _/etc/blacklist-by-ip_, which is just one IP per line without any additional formatting.
For this example 10 random countries were selected from the ipdeny zones:
```
# ls | shuf -n 10 | sed "s/\.zone//g" | tr '\n' ' '
nl ee ie pk is sv na om gp bn
```
Now as long as at least one country has been added to the config file its ready to run!
```
$ sudo firewalld-blacklist
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 142 100 142 0 0 1014 0 --:--:-- --:--:-- --:--:-- 1014
100 662k 100 662k 0 0 989k 0 --:--:-- --:--:-- --:--:-- 989k
Added nl to blacklist ipset.
Added ee to blacklist ipset.
Added ie to blacklist ipset.
Added pk to blacklist ipset.
Added is to blacklist ipset.
Added sv to blacklist ipset.
Added na to blacklist ipset.
Added om to blacklist ipset.
Added gp to blacklist ipset.
Added bn to blacklist ipset.
Adding ipset blacklist to firewalld drop zone.
success
```
To verify that the firewalld blacklist was successful, check the drop zone and blacklist ipset:
```
$ sudo firewall-cmd --info-zone=drop
drop (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: ipset:blacklist
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --info-ipset=blacklist | less
blacklist
type: hash:net
options: family=inet hashsize=4096 maxelem=200000
entries:
```
The second command will output all of the subnets that were added based on the countries blocked and can be quite lengthy.
##### So now what do I do?
While it will be a good idea to monitor things more frequently at the beginning, over time the number of intrusion attempts should decline as the blacklist grows. Then the goal should be maintenance rather than active monitoring.
To this end I created a SystemD service file and timer so that on a monthly basis the by country subnets maintained by ipdeny are refreshed. In fact everything discussed here can be downloaded from my pagure.io project:
<https://pagure.io/firewalld-blacklist>
Arent you glad you read the whole article? Now just download the service file and timer to _/etc/systemd/system/_ and enable the timer:
```
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now firewalld-blacklist.timer
```
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/protect-your-system-with-fail2ban-and-firewalld-blacklists/
作者:[hobbes1069][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/hobbes1069/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2020/06/fail2ban-and-firewalld-816x345.png
[2]: https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist

89
sources/tech/20200709 What you need to know about automation testing in CI-CD.md
View File

@ -1,89 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (What you need to know about automation testing in CI/CD)
[#]: via: (https://opensource.com/article/20/7/automation-testing-cicd)
[#]: author: (Taz Brown https://opensource.com/users/heronthecli)
What you need to know about automation testing in CI/CD
======
Continuous integration and continuous delivery is powered by testing.
Here's how.
![Net catching 1s and 0s or data in the clouds][1]
> "If things seem under control, you're just not going fast enough." —Mario Andretti
Test automation means focusing continuously on detecting defects, errors, and bugs as early and quickly as possible in the software development process. This is done using tools that pursue quality as the highest value and are put in place to _ensure_ quality—not just pursue it.
One of the most compelling features of a continuous integration/continuous delivery (CI/CD) solution (also called a DevOps pipeline) is the opportunity to test more frequently without burdening developers or operators with more manual work. Let's talk about why that's important.
### Why automate testing in CI/CD?
Agile teams iterate faster to deliver software and customer satisfaction at higher rates, and these pressures can jeopardize quality. Global competition has created _low tolerance_ for defects while increasing pressure on agile teams for _faster iterations_ of software delivery. What's the industry solution to alleviate this pressure? [DevOps][2].
DevOps is a big idea with many definitions, but one technology that is consistently essential to DevOps success is CI/CD. Designing a continuous cycle of improvement through a pipeline of software development can lead to new opportunities for testing.
### What does this mean for testers?
For testers, this generally means they must:
* Test earlier and more often (with automation)
* Continue to test "real-world" workflows (automated and manual)
To be more specific, the role of testing in any form, whether it's run by the developers who write the code or designed by a team of quality assurance engineers, is to take advantage of the CI/CD infrastructure to increase quality while moving fast.
### What else do testers need to do?
To get more specific, testers are responsible for:
* Testing new and existing software applications
* Verifying and validating functionality by evaluating software against system requirements
* Utilizing automated-testing tools to develop and maintain reusable automated tests
* Collaborating with all members of the scrum team to understand the functionality being developed and the implementation's technical design to design and develop accurate, high-quality automated tests
* Analyzing documented user requirements and creating or assisting in designing test plans for moderately to highly complex software or IT systems
* Developing automated tests and working with the functional team to review and evaluate test scenarios
* Collaborating with the technical team to identify the proper approach to automating tests within the development environment
* Working with the team to understand and resolve software problems with automated tests, and responding to suggestions for modifications or enhancements
* Participating in backlog grooming, estimation, and other agile scrum ceremonies
* Assisting in defining standards and procedures to support testing activities and materials (e.g., scripts, configurations, utilities, tools, plans, and results)
Testing is a great deal of work, but it's an essential part of building software effectively.
### What kind of continuous testing is important?
There are many types of tests you can use. The different types aren't firm lines between disciplines; instead, they are different ways of expressing how to test. It is less important to compare the types of tests and more important to have coverage for each test type.
* **Functional testing:** Ensures that the software has the functionality in its requirements
* **Unit testing:** Independently tests smaller units/components of a software application to check their functionality
* **Load testing:** Tests the performance of the software application during heavy load or usage
* **Stress testing:** Determines the software application's breakpoint when under stress (maximum load)
* **Integration testing:** Tests a group of components that are combined or integrated to produce an output
* **Regression testing:** Tests the entire application's functionality when any component (no matter how small) has been modified
### Conclusion
Any software development process that includes continuous testing is on its way toward establishing a critical feedback loop to go fast and build effective software. Most importantly, the practice builds quality into the CI/CD pipeline and implies an understanding of the connection between increasing speed while reducing risk and waste in the software development lifecycle.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/7/automation-testing-cicd
作者:[Taz Brown][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/heronthecli
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/data_analytics_cloud.png?itok=eE4uIoaB (Net catching 1s and 0s or data in the clouds)
[2]: https://opensource.com/resources/devops

2
sources/tech/20200713 My feature-rich and minimal Linux terminal.md
View File

@ -1,5 +1,5 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )

90
sources/tech/20200714 5 things to look for in an open source alternative to SharePoint.md Normal file
View File

@ -0,0 +1,90 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (5 things to look for in an open source alternative to SharePoint)
[#]: via: (https://opensource.com/article/20/7/sharepoint-alternative)
[#]: author: (Will Kelly https://opensource.com/users/willkelly)
5 things to look for in an open source alternative to SharePoint
======
If you're considering an open source collaboration platform to meet your
remote workforce's needs, here are five things to keep in mind.
![Digital images of a computer desktop][1]
We're entering a collaboration platform renaissance as remote work becomes the norm for enterprises large and small. [Microsoft SharePoint][2]—a collaboration platform available on premises or in the cloud—is the de-facto standard for corporations and government agencies. However, SharePoint implementations are infamous for the [challenges][3] that prevent their completion. Combine those common speedbumps with shrinking IT budgets and rising collaboration requirements because of remote work, and open source alternatives to SharePoint become well worth a look.
Here are five things to consider in an open source alternative to SharePoint.
### Is it easy to install, set up, and use in the cloud?
Looking beyond installation and initial configuration, you want an open source alternative that's easy to set up. Treat open source collaboration tools as something you must take responsibility for, particularly in setup and user support, whether you have your IT department's approval or you're going shadow IT.
Chances are you'll be installing the platform in a public or private cloud space, so look for an open source collaboration platform that's cloud-friendly. For example, if your organization is running Amazon Web Services (AWS), you can install open source wikis, including [MediaWiki][4], [DokuWiki][5], and [TikiWiki][6], from the AWS Marketplace. After installing them, you can get an idea of how much using the platform will affect your organization's cloud bill.
### Is it friendly to end-users?
Show me a complex collaboration site, and I'll show you the developers and other staff who are doing their darndest to work around it. You don't want to make this mistake.
Keep it simple if you want to spin up an open source collaboration platform to replace or augment SharePoint for your remote workers. The easier the collaboration platform is for your users, the better chance you have of winning them over as allies.
With features like a Configure Sites wizard, TikiWiki is an example of an open source collaboration platform that's end-user friendly.
### Are the content-editing tools easy to use?
Editing options are a major benefit to the diverse communities of open source contributors building these technologies. MediaWiki is one example of how open source collaboration platforms approach authoring tools. The project has an [Editing team][7] that focuses just on editing and authoring tools. Some of its projects include [WikiEditor][8], [VisualEditor][9], and [CodeEditor][10] extensions. You're bound to find an editor that fits your users' workstyle.
This feature becomes especially important for developers, who have been known to rebel against SharePoint because it lacks Markdown support. Get feedback from your developers about their authoring needs. If Markdown is one of their requirements, make sure you choose an open source collaboration platform that supports it.
Also be sure to follow open source adoption best practices by ensuring the technology has an active community. For example, some DokuWiki editor plugins, such as [Ace Editor][11] and [Editor Plugin][12], haven't been updated in years.
### What kind of access control is available to protect content?
If you're dealing with project documentation or any type of sensitive corporate information, examine the access control options in any open source collaboration platform you're considering. Look for support for read-only pages and access-control lists (ACLs).
Open source wikis are open by default. That's not necessarily a bad thing, depending on your security posture. SharePoint permissions are a [known trouble spot][13], even in the eyes of SharePoint experts. In contrast, DokuWiki has a well-documented [ACL feature][14].
### Is it integration-friendly for your organization?
Even if you're moving to an open source collaboration platform as a last-minute replacement for an ailing SharePoint implementation, you can't ignore your integration requirements.
MediaWiki and TikiWiki use a MySQL backend. DokuWiki doesn't require a database; it uses plain text files. Databases can be an integration consideration, based on your team members' database chops.
Integration with an authentication backend such as LDAP will also be necessary for some organizations. Security and compliance people get worried about new platforms that aren't aligned with corporate standards. Users often resent having yet another password to remember.
### Deploy with care
Open source collaboration alternatives have a unique growth opportunity, as organizations find their once-ignored collaboration tools aren't serving their burgeoning remote workforces. Regardless of your goals, deploy your open source SharePoint alternative with care.
Have you moved to an open source collaboration platform to better serve your remote workers? If so, please share your experiences in the comments.
Sandstorm's Jade Wang shares some of her favorite open source web apps that are self-hosted...
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/7/sharepoint-alternative
作者:[Will Kelly][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/willkelly
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/computer_browser_web_desktop.png?itok=Bw8ykZMA (Digital images of a computer desktop)
[2]: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
[3]: https://sharepointmaven.com/sharepoint-implementation-failed/
[4]: https://www.mediawiki.org/wiki/MediaWiki
[5]: https://www.dokuwiki.org/
[6]: https://tiki.org/HomePage
[7]: https://www.mediawiki.org/wiki/Editing_team
[8]: https://www.mediawiki.org/wiki/Extension:WikiEditor
[9]: https://www.mediawiki.org/wiki/Extension:VisualEditor
[10]: https://www.mediawiki.org/wiki/Extension:CodeEditor
[11]: https://www.dokuwiki.org/plugin:aceeditor
[12]: https://www.dokuwiki.org/plugin:editor
[13]: https://www.varonis.com/blog/why-do-sharepoint-permissions-cause-so-much-trouble/
[14]: https://www.dokuwiki.org/acl

339
translated/tech/20200622 Protect your system with fail2ban and firewalld blacklists.md Normal file
View File

@ -0,0 +1,339 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: (wxy)
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Protect your system with fail2ban and firewalld blacklists)
[#]: via: (https://fedoramagazine.org/protect-your-system-with-fail2ban-and-firewalld-blacklists/)
[#]: author: (hobbes1069 https://fedoramagazine.org/author/hobbes1069/)
使用 fail2ban 和 FirewallD 黑名单保护你的系统
======
![][1]
如果你运行的服务器有面向公众的 SSH 访问,你可能遇到过恶意登录尝试。本文介绍了如何使用两个实用程序来防止入侵者进入我们的系统。
为了防止反复的 ssh 登录尝试,我们来看看 fail2ban。而且如果你不经常旅行基本上停留在一两个国家你可以将 FirewallD 配置为只允许[从你选择的国家访问][2]。
首先,让我们为不熟悉这些应用程序的人员介绍一些术语,以完成这项工作:
**fail2ban**一个守护进程用于禁止发生多次认证错误的主机。fail2ban 将监控 SystemD 日志,以查找对任何已启用的“<ruby>监狱<rt>jail</rt></ruby>”的失败的验证尝试。在达到指定失败次数后,它将添加一个防火墙规则,在配置的时间内阻止该特定 IP 地址。
**FirewallD**:一个带有 D-Bus 接口的防火墙守护进程,提供动态防火墙。除非你另行决定使用传统的 iptables否则你已经在所有支持的 Fedora 和 CentOS 上安装了 FirewallD。
### 假定前提
* 主机系统有一个互联网连接,并且要么是直接暴露在互联网上,要么是通过 DMZ这两个都是非常糟糕的想法除非你知道你在做什么要么是有一个端口从路由器转发过来。
* 虽然大部分的内容可能适用于其他系统,但本文假设当前系统是 Fedora31 及以上)或 RHEL/CentOS 8 版本。在 CentOS 上,你必须用 `sudo dnf install epel-release` 启用 Fedora EPEL 仓库。
### 安装与配置
#### Fail2Ban
很有可能已经有某个 Firewalld 区已经允许 SSH 访问,但 sshd 服务本身默认没有启用。要手动启动它,并且不在启动时永久启用它:
```
$ sudo systemctl start sshd
```
或者在系统启动时启用,并同时启动它:
```
$ sudo systemctl enable --now sshd
```
下一步就是安装、配置、启用 fail2ban。和往常一样安装可以通过命令行完成
```
$ sudo dnf install fail2ban
```
安装完毕后下一步就是配置“监狱”你要以设置的任何阈值监视并禁止的服务。默认情况下IP 会被禁止 1 小时(这其实不够长)。最好的做法是使用 `*.local` 文件覆盖系统默认值,而不是直接修改 `*.config` 文件。如果我们查看我的 `jail.local`,我们可以看到:
```
# cat /etc/fail2ban/jail.local
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 1d
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime = 1h
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
```
换成通俗的语言讲,就是在过去一小时内尝试 5 次后,该 IP 将被封禁 1 天。对于多次被封的 IP也可以选择增加封禁时间但这是另一篇文章的主题。
下一步是配置“监狱”。在本教程中显示的是 `sshd`,但其他服务的步骤大致相同。在 `/etc/fail2ban/jail.d` 中创建一个配置文件。这是我的文件:
```
# cat /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
```
就这么简单! 很多配置已经在为 Fedora 构建的软件包中处理了(提示:我是当前的维护者)。接下来启用并启动 fail2ban 服务:
```
$ sudo systemctl enable --now fail2ban
```
希望没有立即出错,如果没有,请使用下面的命令检查 fail2ban 的状态:
```
$ sudo systemctl status fail2ban
```
如果它没有错误地启动,应该是这样的:
```
$ systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-06-16 07:57:40 CDT; 5s ago
Docs: man:fail2ban(1)
Process: 11230 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 11235 (f2b/server)
Tasks: 5 (limit: 4630)
Memory: 12.7M
CPU: 109ms
CGroup: /system.slice/fail2ban.service
└─11235 /usr/bin/python3 -s /usr/bin/fail2ban-server -xf start
Jun 16 07:57:40 localhost.localdomain systemd[1]: Starting Fail2Ban Service…
Jun 16 07:57:40 localhost.localdomain systemd[1]: Started Fail2Ban Service.
Jun 16 07:57:41 localhost.localdomain fail2ban-server[11235]: Server ready
```
如果是刚刚启动的fail2ban 不太可能显示任何有意思的信息,但要检查 fail2ban 的状态,并确保“监狱”被启用,请输入:
```
$ sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: sshd
```
sshd “监狱”的上级状态也会显示出来。如果启用了多个“监狱”,它们会在这里显示出来。
要查看一个“监狱”的详细状态,只需在前面的命令中添加“监狱”名称。下面是我的系统的输出,它已经运行了一段时间。我已经从输出中删除了被禁止的 IP
```
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 8
| |- Total failed: 4399
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 101
|- Total banned: 684
`- Banned IP list: ...
```
监控 fail2ban 日志文件是否有入侵尝试,可以通过“尾随”日志来实现:
```
$ sudo tail -f /var/log/fail2ban.log
```
`tail` 是一个很好的命令行工具,默认情况下,它可以显示一个文件的最后 10 行。添加 `-f` 告诉它尾随文件,这是个观察一个仍在被写入的文件的很好方式。
由于输出的内容中有真实的 IP所以这里不会提供样本但它的可读性很高。`INFO` 行通常是登录的尝试。如果从一个特定的 IP 地址进行了足够多的尝试,你会看到一个 `NOTICE` 行显示一个 IP 地址被禁止。在达到禁止时间后,你会看到一个 `NOTICE` 解禁行。
注意几个警告行。最常见的情况是当添加了一个禁止后fail2ban 发现该 IP 地址已经在其禁止数据库中,这意味着禁止可能无法正常工作。如果是最近安装的 fail2ban 包,它应该被设置为 FirewallD 的富规则。这个包在 fail2ban-0.11.1-6 版本时从 ipset 方式切换到了富规则方式,所以如果你的 fail2ban 安装时间较早,它可能还在尝试使用 ipset 方式,这种方式使用的是传统的 iptables不是很可靠。
#### FirewallD 配置
##### 被动还是主动?
有两种策略可以分开或一起使用:**被动**地将单个 IP 地址或**主动**地根据来源国将子网永久列入黑名单。
对于被动方式,一旦 fail2ban 运行了一段时间,最好再运行 `sudo fail2ban-client status sshd` 来看看有哪些坏蛋。很可能会有很多被禁止的 IP 地址。选择一个,然后试着对它运行 `whois`。在输出结果中可能会有很多有趣的信息,但是对于这个方法来说,只有来源国是重要的。为了保持简单,让我们过滤掉除了国家以外的所有信息。
在这个例子中,我们将使用一些著名的域名:
```
$ whois google.com | grep -i country
Registrant Country: US
Admin Country: US
Tech Country: US
```
```
$ whois rpmfusion.org | grep -i country
Registrant Country: FR
```
```
$ whois aliexpress.com | grep -i country
Registrant Country: CN
```
使用 `grep -i` 的原因是为了使 `grep` 不区分大小写,而大多数条目都使用的是 “Country”而有些条目则是全小写的 “country”所以这种方法无论如何都能匹配。
现在知道了尝试入侵的来源国,问题是,“是否有来自这个国家的人有合法的理由连接到这台计算机?”如果答案是否定的,那么封锁整个国家应该是可以接受的。
从功能上看主动式方法它与被动式方法没有太大区别然而来自有些国家的入侵企图是非常普遍的。如果你的系统既不放在这些国家里也没有任何源自这些国家的客户那么为什么不现在就把它们加入黑名单而是等待呢LCTT 译注:我的经验是,动辄以国家的范畴而列入黑名单有些过于武断。建议可以将该 IP 所属的 WHOIS 网段放入到黑名单,因为这些网段往往具有相同的使用性质,如都用于用户接入或 IDC 托管,其安全状况也大致相同,因此,如果有来自该网段的某个 IP 的恶意尝试,可以预期该网段内的其它 IP 也可能被利用来做这样的尝试。)
##### 黑名单脚本和配置
那么如何做到这一点呢?用 FirewallD ipset。我开发了下面的脚本来尽可能地自动化这个过程
```
#!/bin/bash
# Based on the below article
# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist
# Source the blacklisted countries from the configuration file
. /etc/blacklist-by-country
# Create a temporary working directory
ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
pushd $ipdeny_tmp_dir
# Download the latest network addresses by country file
curl -LO http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar xf all-zones.tar.gz
# For updates, remove the ipset blacklist and recreate
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
firewall-cmd -q --permanent --delete-ipset=blacklist
fi
# Create the ipset blacklist which accepts both IP addresses and networks
firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
--option=family=inet --option=hashsize=4096 --option=maxelem=200000 \
--set-description="An ipset list of networks or ips to be dropped."
# Add the address ranges by country per ipdeny.com to the blacklist
for country in $countries; do
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=./$country.zone && \
echo "Added $country to blacklist ipset."
done
# Block individual IPs if the configuration file exists and is not empty
if [ -s "/etc/blacklist-by-ip" ]; then
echo "Adding IPs blacklists."
firewall-cmd -q --permanent --ipset=blacklist \
--add-entries-from-file=/etc/blacklist-by-ip && \
echo "Added IPs to blacklist ipset."
fi
# Add the blacklist ipset to the drop zone if not already setup
if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
echo "Blacklist already in firewalld drop zone."
else
echo "Adding ipset blacklist to firewalld drop zone."
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
fi
firewall-cmd -q --reload
popd
rm -rf $ipdeny_tmp_dir
```
这个应该安装到 `/usr/local/sbin`,不要忘了让它可执行!
```
$ sudo chmod +x /usr/local/sbin/firewalld-blacklist
```
然后创建一个配置文件 `/etc/blacklist-by-country`
```
# Which countries should be blocked?
# Use the two letter designation separated by a space.
countries=""
```
而另一个配置文件 `/etc/blacklist-by-ip`,每行只有一个 IP没有任何额外的格式化。
在这个例子中,从 ipdeny 的区文件中随机选择了 10 个国家:
```
# ls | shuf -n 10 | sed "s/\.zone//g" | tr '\n' ' '
nl ee ie pk is sv na om gp bn
```
现在只要在配置文件中加入至少一个国家,就可以运行了!
```
$ sudo firewalld-blacklist
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 142 100 142 0 0 1014 0 --:--:-- --:--:-- --:--:-- 1014
100 662k 100 662k 0 0 989k 0 --:--:-- --:--:-- --:--:-- 989k
Added nl to blacklist ipset.
Added ee to blacklist ipset.
Added ie to blacklist ipset.
Added pk to blacklist ipset.
Added is to blacklist ipset.
Added sv to blacklist ipset.
Added na to blacklist ipset.
Added om to blacklist ipset.
Added gp to blacklist ipset.
Added bn to blacklist ipset.
Adding ipset blacklist to firewalld drop zone.
success
```
要验证 FirewallD 黑名单是否成功,请检查 `drop` 区和 `blacklist` ipset。
```
$ sudo firewall-cmd --info-zone=drop
drop (active)
target: DROP
icmp-block-inversion: no
interfaces:
sources: ipset:blacklist
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --info-ipset=blacklist | less
blacklist
type: hash:net
options: family=inet hashsize=4096 maxelem=200000
entries:
```
第二条命令将输出所有的子网,这些子网是基于被封杀的国家而添加的,可能会相当长。
### 那么现在我该怎么做?
虽然在开始的时候,监控的频率会比较高,但随着时间的推移,入侵尝试的次数应该会随着黑名单的增加而减少。那么目标应该是维护而不是主动监控。
为此,我创建了一个 SystemD 服务文件和定时器,这样每月都会刷新由 ipdeny 维护的每个国家的子网。事实上,这里讨论的所有内容都可以从我的 [pagure.io](https://pagure.io/firewalld-blacklist) 项目中下载。
是不是很高兴你看完了整篇文章?现在只要把服务文件和定时器下载到 `/etc/systemd/system/`,并启用定时器就行了:
```
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now firewalld-blacklist.timer
```
--------------------------------------------------------------------------------
via: https://fedoramagazine.org/protect-your-system-with-fail2ban-and-firewalld-blacklists/
作者:[hobbes1069][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://fedoramagazine.org/author/hobbes1069/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2020/06/fail2ban-and-firewalld-816x345.png
[2]: https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist

88
translated/tech/20200709 What you need to know about automation testing in CI-CD.md Normal file
View File

@ -0,0 +1,88 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (What you need to know about automation testing in CI/CD)
[#]: via: (https://opensource.com/article/20/7/automation-testing-cicd)
[#]: author: (Taz Brown https://opensource.com/users/heronthecli)
你需要了解有关 CI/CD 中的自动化测试的知识
======
持续集成和持续交付是由测试提供支持。以下是如何做的。
![Net catching 1s and 0s or data in the clouds][1]
>“如果一切似乎都在控制之中,那么你就不会足够快。” —Mario Andretti
测试自动化意味着持续专注于在软件开发过程中尽早地检测到缺陷,错误和 bug。这是使用那些追求质量为最高价值的工具完成的它们旨在_确保_质量而不仅仅是追求。
持续集成/持续交付CI / CD解决方案也称为 DevOps 管道)最引人注目的功能之一是可以更频繁地进行测试,而又不会给开发人员或操作人员增加更多的手动工作。让我们谈谈为什么这很重要。
### 为什么要在 CI/CD 中自动化测试?
敏捷团队迭代速度更快以更高的速度交付软件和客户满意度而这些压力可能会损害质量。全球竞争制造了对缺陷_低容忍度_同时对敏捷团队软件交付_更快迭代_增加了压力。减轻压力的行业解决方案是什么 是 [DevOps][2]。
DevOps 是一个有很多定义的大创意,但是对 DevOps 成功至关重要的一项技术是 CI/CD。通过软件开发流程设计一个连续的改进周期可以带来新的测试机会。
### 这对测试人员意味着什么?
对于测试人员,这通常意味着他们必须:
* 更早且更频繁地进行测试(使用自动化)
* 持续测试“真实世界”的工作流(自动和手动)
更具体地说,任何形式的测试(无论是由编写代码的开发人员运行还是由质量保证工程师团队设计)的作用是利用 CI/CD 基础架构在快速推进的同时提高质量。
### 测试人员还需要做什么?
具体点说,测试人员负责:
* 测试新的和现有的软件应用
* 通过根据系统要求评估软件来验证功能
* 利用自动化测试工具来开发和维护可重复使用的自动化测试
* 与 scrum 团队的所有成员合作,了解正在开发的功能以及实施的技术设计,以设计和开发准确、高质量的自动化测试
* 分析记录的用户需求,并创建或协助设计针对中度到高度复杂的软件或 IT 系统的测试计划
* 开发自动化测试,并与职能团队一起审查和评估测试方案
* 与技术团队合作,确定在开发环境中自动化测试的正确方法
* 与团队合作,通过自动化测试来理解和解决软件问题,并回应有关修改或增强的建议
* 参与需求梳理,估算和其他敏捷 scrum 仪式
* 协助定义标准和流程以支持测试活动和材料(例如脚本、配置、程序、工具、划和结果)
测试是一项艰巨的工作,但这是有效构建软件的重要组成部分。
### 哪些持续测试很重要?
你可以使用多种测试。不同的类型并不是学科之间的界限。相反,它们是表示测试的不同方式。比较测试类型不太重要,而覆盖每种测试类型更重要。
* **功能测试:**确保软件具有其要求的功能
* **单元测试:**独立测试软件的较小单元/组件以检查其功能
* **负载测试:**在重负载或使用期间测试软件的性能
* **压力测试:**确定承受压力(最大负载)时软件的断点
* **集成测试:**测试组合或集成的一组组件的输出
* **回归测试:**当修改任意组件(无论多么小),测试整个应用的功能
### 总结
任何包含持续测试的软件开发过程都将朝着建立关键反馈环路的方向发展,以快速发展并构建有效的软件。最重要的是,该实践将质量内置到 CI/CD 管道中,并意味着了解在软件开发生命周期中提高速度同时减少风险和浪费之间的联系。
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/7/automation-testing-cicd
作者:[Taz Brown][a]
选题:[lujun9972][b]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/heronthecli
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/data_analytics_cloud.png?itok=eE4uIoaB (Net catching 1s and 0s or data in the clouds)
[2]: https://opensource.com/resources/devops