> 2021-08-31 information digest

### 5 Practices from Stoic Philosophy to Include in Your Morning Routine

origin: [5 Practices from Stoic Philosophy to Include in Your Morning Routine](https://medium.com/stoicism-philosophy-as-a-way-of-life/5-practices-from-stoic-philosophy-to-include-in-your-morning-routine-f2f91a962699)

The Stoic life was built around practices and habits that had one sole purpose — to continually become better human beings.

##### 1. Prepare for Adversity

When Marcus Aurelius awoke in the morning, he would **consider the day ahead** — the ways in which he would go about his day, how he would behave in accordance with the four virtues of Stoicism (wisdom, justice, courage, and temperance), the challenges he may face, and how he would work to overcome these.

We can use this practice to ready ourselves for any challenges the day may bring. **By rehearsing anything that might go wrong, or any events that could potentially derail us**, we can begin to prepare, either mentally or physically, to deal with them appropriately and to continue through our day unscathed.

Seneca further outlines this practice, explaining,

> “Cling tooth and nail to the following rule: Not to give in to adversity, never to trust prosperity, and always to take full note of fortune’s habit of behaving just as she pleases, treating her as if she were actually going to do everything it is in her power to do. *Whatever you have been expecting for some time comes as less of a shock.*”

##### 2. Plan for a Day Lived Well

The Stoics were passionate about leading meaningful and purposeful lives. Seneca reminds us,

> “It is not that we have a short time to live, but that we waste a lot of it.”

##### 3. Focus on Your Purpose

**The Stoics remained steadfast on their purpose in life.** We can see in Marcus Aurelius’ *Meditations* that he regularly reminded himself of his purpose.
This kept him focused on the task at hand and gave him the motivation to wake up in the morning:

> “Don’t you see the plants, the birds, the ants, the spiders, and the bees going about their individual tasks, putting the world in order, as best they can? And you’re not willing to do your job as a human being?”
>
> “At dawn, when you have trouble getting out of bed, tell yourself: “I have to go to work — as a human being. What do I have to complain of, if I’m going to do what I was born for — the things I was brought into the world to do? Or is this what I was created for? To huddle under the blankets and stay warm?”

###### What you can do

- Before entering into the new day, bring to mind your purpose and remind yourself of why you are here, and why you are rising from bed in the first place.
- It may be helpful to [articulate an intention](https://medium.com/change-your-mind/a-simple-practice-to-get-more-out-of-every-day-a92488c48255) for the day ahead to keep you focused on this purpose.
- Throughout the day, come back to your purpose or your intention to help keep yourself focused on the task at hand.

##### 4. Remind Yourself of the Dichotomy of Control

This is one of the core ideas of Stoicism. We either have control over something, or we don’t. Recognizing the difference between the two is imperative for a steady mind and a happy life. In our morning routines, we can remind ourselves of what we control, and in this way, not become upset by things we have no control over as we go about our days. Marcus Aurelius says,

> “You have power over your mind — not outside events. Realize this, and you will find strength.”

###### What you can do

- There is no point in wasting time or energy on things outside of your control. Focus your energy on the things you can control — your actions, your thoughts, your judgments.
- Consider the happenings of the day ahead and realize that you do not have control over most things.
This preparation and recognition will make it easier for you to let go of resistance to the things you don’t have control over — the traffic, your colleagues’ actions, the neighbor’s loud music.

##### 5. Remember Your Mortality

Another key idea of Stoicism — memento mori. Marcus Aurelius frequently reminded himself of his mortality:

> “You could leave life right now. Let that determine what you do and say and think.”

Living to see another day is never promised. We must always remember this. And although it may sound morbid, including this reflective practice in our morning routines will ensure that we live each day well. If tomorrow is not guaranteed, what must we do today to be content with what we have achieved in life thus far?

### Tor is a Great SysAdmin Tool

origin: [Tor is a Great SysAdmin Tool](https://www.jamieweb.net/blog/tor-is-a-great-sysadmin-tool/)

Tor is a fantastic networking and privacy technology that makes private and anonymous browsing available to millions. Despite this, it is unfortunately seen by some people as a system that solely exists to facilitate an illegal criminal underground.

##### Testing IP address based access rules

Using Tor and the Tor Browser, you can test your access rules from multiple arbitrary external IP addresses. You can also very easily reset your browser profile or build a new Tor circuit at any time, which makes it easy to create a fresh "identity" for testing without the risk of earlier tests influencing the results.

If you want to test a service that isn't web-based, you can use the torsocks wrapper to force any program's network connections to be routed through Tor. For example, to test an IP address based SSH access rule, you can route an SSH connection through Tor so that it originates from a new/unknown IP address.

```bash
$ torsocks ssh jamieweb.net
```

##### Testing Internally-Hosted Services From an External Perspective

If you are hosting certain network services internally/on-site, e.g. web servers or mail servers, it can often be a challenge to properly test these from an external/public-facing perspective.

It's very important that this testing is carried out, as network services will often have differing configurations or policies depending on where you are connecting from.
The lack of an easy way to perform this testing internally often leads to crude solutions involving personal devices or mobile data tethering, which are neither convenient nor reliable.

However, similarly to how IP address based access rules can be tested with Tor, you can also use Tor to access your internally-hosted services from an external perspective. This will allow you to carry out all required testing from your standard device.

```bash
$ torsocks curl https://www.jamieweb.net
```

Alternatively, if you don't want to use the `torsocks` wrapper, you can point cURL to the local SOCKS5 proxy directly, which runs on `127.0.0.1:9050`:

```bash
$ curl --socks5-hostname 127.0.0.1:9050 https://www.jamieweb.net
```

##### Making Reliable External DNS Lookups When Operating in a Split-Horizon DNS Environment

Most corporate networks operate a 'split-horizon' or 'split-brain' DNS setup, which is where a separate internally-hosted DNS server and associated zone is used to serve DNS requests that originate internally. The internal DNS server will often respond with 'internal' addresses, i.e. private or RFC1918 addresses, rather than 'external' public-facing addresses.

This is usually used in combination with a configured search domain or DNS scope, in order to allow internal services to be accessed via their direct hostname, without requiring the fully-qualified domain name (FQDN).

However, these split-horizon DNS setups can often pose a problem when you explicitly need a request to go to an external DNS server.
Some networks will forcefully route *all* DNS traffic to the internal DNS server, and others will even intercept and rewrite DNS responses at the network edge, e.g. using the DNS doctoring or DNS NAT rewriting features that are present in many commercial edge firewall products.

You can usually get around these issues by forcing your external DNS lookups to take place over TCP, i.e. using the `+tcp` option in DiG (also known as 'virtual circuit' mode), but this isn't always supported or available.

By routing your external DNS lookup over Tor, you can know for certain that the response hasn't been tampered with during the 'last mile' as it passes through your network edge:

```bash
$ torsocks dig +tcp @1.1.1.1 jamieweb.net
```

You'll need to use `+tcp` mode, as well as ensure that the request will be routed directly to the external DNS server, and not through a local caching resolver such as `dnsmasq`. This is because the Tor daemon will block requests to access local addresses such as `127.0.0.1`. If you do accidentally attempt to access a local address, Tor will display the following error:

```
WARNING torsocks[]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:192)
```

##### Bypassing Blocked Outbound Ports

In many corporate network environments, permitted outbound ports are limited in order to help ensure that all outbound traffic is tightly controlled, e.g. for the purposes of Data Loss Prevention (DLP).
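
The warning quoted in the DNS section above is torsocks refusing a local target, and the point of routing the lookup over Tor is to notice answers rewritten at the network edge. The following is an added example, not code from the original article: a small POSIX shell pre-flight for `torsocks dig` that first classifies the nameserver as loopback or RFC1918 space (my own assumption of what counts as "local"; the page does not spell out torsocks' exact rule) and then compares the A records from a direct `dig +tcp` with those from `torsocks dig +tcp`, flagging any mismatch. The dig output embedded below is constructed sample data using documentation addresses, and the `check_via_tor` wrapper assumes `dig`, `torsocks` and a running Tor daemon are available.

```bash
#!/bin/sh
# Added example (not from the original article): pre-flight checks for a DNS
# lookup routed through torsocks, plus a comparison of the direct answer with
# the answer seen through Tor. Only the live wrapper needs network access.

# Return 0 if the dotted-quad address is loopback (127/8) or RFC1918 space.
# Assumption: these are the ranges we treat as "local" before calling torsocks.
is_local_ip() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        127|10) return 0 ;;
        192)    [ "$2" -eq 168 ] && return 0 ;;
        172)    [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Print the A records from dig output (stdin), one per line, sorted.
# Answer lines look like "example.com.  300  IN  A  203.0.113.10";
# comment lines begin with ';' and are skipped.
extract_a_records() {
    awk '$1 !~ /^;/ && $4 == "A" { print $5 }' | sort -u
}

# Compare the A records of two dig outputs. Returns 0 if they agree.
compare_a_records() {
    direct=$(printf '%s\n' "$1" | extract_a_records | tr '\n' ' ')
    via_tor=$(printf '%s\n' "$2" | extract_a_records | tr '\n' ' ')
    if [ "$direct" = "$via_tor" ]; then
        echo "OK: A records agree: $direct"
        return 0
    fi
    echo "MISMATCH: direct [$direct] vs via Tor [$via_tor] - possible last-mile rewriting"
    return 1
}

# Live check: look NAME up at SERVER directly and through Tor, then compare.
# Refuses local servers up front, since torsocks would reject the connection.
check_via_tor() {
    name=$1
    server=${2:-1.1.1.1}
    if is_local_ip "$server"; then
        echo "refusing: $server is a local address, torsocks would reject it" >&2
        return 2
    fi
    direct=$(dig +tcp "@$server" "$name")
    via_tor=$(torsocks dig +tcp "@$server" "$name")
    compare_a_records "$direct" "$via_tor"
}

# Constructed sample dig output (documentation addresses, not real records).
SAMPLE_DIRECT='; <<>> DiG <<>> +tcp @1.1.1.1 example.com
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            300     IN      A       203.0.113.11
example.com.            300     IN      A       203.0.113.10

;; Query time: 20 msec'

SAMPLE_TOR='; <<>> DiG <<>> +tcp @1.1.1.1 example.com
;; ANSWER SECTION:
example.com.            300     IN      A       203.0.113.10
example.com.            300     IN      A       203.0.113.11'

# Constructed: the same name answered with an RFC1918 address, the shape of a
# response rewritten ("doctored") by an edge firewall.
SAMPLE_DOCTORED='; <<>> DiG <<>> +tcp @1.1.1.1 example.com
;; ANSWER SECTION:
example.com.            300     IN      A       10.0.0.5'

# Usage: sh dns_via_tor_check.sh jamieweb.net [server]
if [ $# -ge 1 ]; then
    check_via_tor "$@"
else
    # No arguments: demonstrate on the constructed samples.
    compare_a_records "$SAMPLE_DIRECT" "$SAMPLE_TOR"
    compare_a_records "$SAMPLE_DIRECT" "$SAMPLE_DOCTORED" || true
fi
```

Run without arguments it prints the two constructed comparisons; saved as, say, `dns_via_tor_check.sh`, `sh dns_via_tor_check.sh jamieweb.net` performs the live check against 1.1.1.1. Comparing the two paths is a stronger check than either lookup alone: the Tor path shows what the public resolver actually serves, so a difference points at rewriting between your host and the network edge.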

However, for people in technical roles, this can pose quite a challenge, as various legitimate services will inadvertently be blocked too, and exceptions can be difficult to implement on a per-user basis.

A common one that is often overlooked is the WHOIS protocol, which operates on TCP port 43.

Using the torsocks wrapper, you can route these requests through Tor in order to get around the blocked outbound port:

```bash
$ torsocks whois jamieweb.net
```

In some cases, firewalls performing Deep Packet Inspection (DPI) can also prevent certain connections to otherwise allowed ports. For example, a sysadmin using `openssl s_client` to retrieve a certificate from a web server may have their request blocked, as they aren't establishing a full HTTPS connection. However, by routing the request through Tor, the connection can be made successfully:

```bash
$ torsocks openssl s_client -connect jamieweb.net:443
```

##### Exposing Services When Behind NAT or CGNAT

There may be cases where you need to expose a locally running service to the internet, e.g. SSH or a web server. Unfortunately, this is often non-trivial due to NAT, and especially CGNAT (carrier-grade NAT).

One particular use case that I've worked on is accessing a 4G-connected device remotely using SSH. Because the majority of consumer data plans operate using CGNAT, you cannot just bind the service to your perceived public address and have it work, as there will potentially be hundreds of other customers sharing that same IP address. Multiple layers of NAT are often used too, which of course complicates things.

However, you can use Tor to expose your service via a Hidden Service, also known as a `.onion` site. This way, your service will be easily accessible over Tor no matter how many layers of NAT or filtering you are behind.

This can be achieved by adding a few lines to your `/etc/tor/torrc` configuration file:

```
HiddenServiceDir /var/lib/tor/my_service
HiddenServicePort 22 127.0.0.1:22
```

The `HiddenServiceDir` configuration specifies where your Hidden Service public/private keys will be stored. This should be an arbitrary directory in `/var/lib/tor/`. You should not create this yourself, as the Tor daemon will create it for you using the correct permissions.

The `HiddenServicePort` option is used to specify where incoming requests to a specific port will be forwarded to. In this case, requests to the Hidden Service on port `22` will be forwarded verbatim to `127.0.0.1:22`.

You can also optionally configure your Hidden Service in single-hop mode, which will allow it to connect to the Tor network using a single hop, rather than the usual three, potentially improving performance. **This will completely de-anonymise your Hidden Service, so DO NOT use single-hop mode if your own anonymity is important.** In most legitimate sysadmin use cases, single-hop mode is perfectly safe and acceptable.

You can enable single-hop mode by adding the following to your Hidden Service configuration:

```
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
```

However, running in single-hop mode will prevent your Tor daemon from being used as a client, as your connection to the Tor network is not anonymised. If a SOCKS port is configured in your `torrc` file, you'll also need to disable this:

```
SocksPort 0
```

Once you've finalised your Hidden Service configuration, save the `torrc` file and restart the Tor daemon:

```
sudo service tor restart
```

You can now view the `/var/lib/tor/my_service/hostname` file in order to identify the `.onion` address for your Hidden Service. This can be used from any other Tor-capable device anywhere in the world in order to directly access your locally-hosted service.
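
To tie the Hidden Service steps above together, here is an added example (not from the original article or from the Tor project): a POSIX shell script that lints a `torrc` for the rules just described, namely `HiddenServiceDir` under `/var/lib/tor/`, a well-formed `HiddenServicePort`, both single-hop options set together, and `SocksPort 0` whenever single-hop mode is on. It then checks that the generated hostname has the shape of a v3 `.onion` address (56 base32 characters; a fact about Tor v3 addresses rather than something stated in the article). The two sample configurations embedded in it are constructed, and the script and function names are mine.

```bash
#!/bin/sh
# Added example (not from the original article or the Tor project): lint a
# torrc Hidden Service configuration against the rules given above, and check
# the generated .onion hostname.

# Print the first value of OPTION in torrc FILE, skipping commented lines.
torrc_get() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# Check the Hidden Service settings in FILE. Prints findings and returns the
# number of problems found (0 means the configuration is consistent).
check_hidden_service_config() {
    cfg=$1
    problems=0

    dir=$(torrc_get "$cfg" HiddenServiceDir)
    case "$dir" in
        "") echo "PROBLEM: HiddenServiceDir is missing"; problems=$((problems + 1)) ;;
        /var/lib/tor/?*) ;;   # arbitrary directory under /var/lib/tor/, as advised
        *)  echo "PROBLEM: HiddenServiceDir '$dir' is not under /var/lib/tor/"; problems=$((problems + 1)) ;;
    esac

    # HiddenServicePort needs a virtual port and a host:port target.
    set -- $(awk '$1 !~ /^#/ && $1 == "HiddenServicePort" { print $2, $3; exit }' "$cfg")
    if [ $# -lt 2 ]; then
        echo "PROBLEM: HiddenServicePort should read like 'HiddenServicePort 22 127.0.0.1:22'"
        problems=$((problems + 1))
    else
        case "$2" in
            *:*) ;;
            *) echo "PROBLEM: HiddenServicePort target '$2' is not host:port"; problems=$((problems + 1)) ;;
        esac
    fi

    nonanon=$(torrc_get "$cfg" HiddenServiceNonAnonymousMode)
    singlehop=$(torrc_get "$cfg" HiddenServiceSingleHopMode)
    socks=$(torrc_get "$cfg" SocksPort)
    if [ "${nonanon:-0}" = 1 ] || [ "${singlehop:-0}" = 1 ]; then
        echo "NOTICE: single-hop mode requested; this Hidden Service will not be anonymous"
        if [ "${nonanon:-0}" != 1 ] || [ "${singlehop:-0}" != 1 ]; then
            echo "PROBLEM: HiddenServiceNonAnonymousMode and HiddenServiceSingleHopMode must both be 1"
            problems=$((problems + 1))
        fi
        # Single-hop mode rules out client use, so the SOCKS listener must be off.
        if [ "${socks:-unset}" != 0 ]; then
            echo "PROBLEM: SocksPort must be set to 0 in single-hop mode (found: ${socks:-unset})"
            problems=$((problems + 1))
        fi
    fi

    echo "$problems problem(s) in $cfg"
    return "$problems"
}

# A v3 .onion hostname is 56 base32 characters (a-z, 2-7) followed by ".onion".
validate_onion_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Read the hostname file Tor generates after the restart (root or the tor user
# is needed to read the directory) and confirm it looks like a v3 address.
read_onion_hostname() {
    file=${1:-/var/lib/tor/my_service/hostname}
    name=$(cat "$file") || return 1
    if validate_onion_hostname "$name"; then
        echo "$name"
    else
        echo "unexpected hostname format in $file: $name" >&2
        return 1
    fi
}

# Constructed sample configurations (not from any real deployment).
TORRC_SINGLE_HOP_OK='HiddenServiceDir /var/lib/tor/my_service
HiddenServicePort 22 127.0.0.1:22
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SocksPort 0'

# Half-applied single-hop mode: SingleHopMode missing, SocksPort left at default.
TORRC_SINGLE_HOP_BAD='HiddenServiceDir /var/lib/tor/my_service
HiddenServicePort 22 127.0.0.1:22
HiddenServiceNonAnonymousMode 1'

# Usage: sh hs_check.sh /etc/tor/torrc
if [ $# -ge 1 ]; then
    check_hidden_service_config "$1"
fi
```

The check is worth running before `sudo service tor restart`: a half-applied single-hop configuration is exactly the kind of mistake that shows up only as the daemon refusing to start, and the `SocksPort` test catches the client-mode conflict the article describes.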