今天周一，学生上课，开学了。早上7点多，路上就开始热闹起来了，有大人牵小孩走路的；有开摩托搭小孩的；也有开小车送小孩上学的。

图1：和中埂上，学生买好扫把、洗身桶等，返校

图2：学府花园附近，应该是二小学生，带小水桶在学校搞卫生后，返家

图3：东堤路上，学生带拖把回家

之前在Windows 2016和Windows 10的无人值守安装文件Unattend.xml里使用powershell.exe，直接这样写 powershell.exe 就可以了。但在Windows 2008 R2 SP1这样写，是不行的。一定要写powershell.exe的完整路径，即 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe。

以下是示例：

• 设置administrator密码
• 设置自动登录
• 在防火墙里允许远程桌面连接
• 将活动（插有网线）的网卡重命名（为iEthernet）
• 为名为iEthernet的网卡设置静态IP
• 为名为iEthernet的网卡设置DNS
• 不允许外网访问TCP 135，137，139和445端口

<file xml Unattend.xml>
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        </component>
        <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <fDenyTSConnections>false</fDenyTSConnections>
        </component>
        <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <UserAuthentication>0</UserAuthentication>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>007f:00000804</InputLocale>
            <SystemLocale>zh-CN</SystemLocale>
            <UILanguage>zh-CN</UILanguage>
            <UserLocale>zh-CN</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Password>
                    <Value>xinNIANhao2019</Value>
                    <PlainText>true</PlainText>
                </Password>
                    <Enabled>true</Enabled>
                    <LogonCount>2</LogonCount> 
                <Username>Administrator</Username>
            </AutoLogon>
            <FirstLogonCommands>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "$wmi = Get-WmiObject -Class Win32_NetworkAdapter -Filter "netconnectionstatus=2"; $wmi.NetConnectionID = 'iEthernet'; $wmi.Put()"</CommandLine>
                    <Description>rename nic name</Description>
                    <Order>1</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh interface ip set address name="iEthernet" static 144.172.126.32 255.255.255.0 144.172.126.1 1</CommandLine>
                    <Description>set static ip address</Description>
                    <Order>2</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh interface ip set dns name="iEthernet" static 8.8.8.8</CommandLine>
                    <Description>set dns server</Description>
                    <Order>3</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"</CommandLine>
                    <Description>Block_TCP-135</Description>
                    <Order>4</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=137 name="Block_TCP-137"</CommandLine>
                    <Description>Block_TCP-137</Description>
                    <Order>5</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=139 name="Block_TCP-139"</CommandLine>
                    <Description>Block_TCP-139</Description>
                    <Order>6</Order>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"</CommandLine>
                    <Description>Block_TCP-445</Description>
                    <Order>7</Order>
                </SynchronousCommand>               
                <SynchronousCommand wcm:action="add">
                    <CommandLine>netsh advfirewall firewall add rule dir=in action=allow protocol=TCP localport=3389 name="Allow_TCP-3389"</CommandLine>
                    <Description>Allow_TCP-3389</Description>
                    <Order>8</Order>
                </SynchronousCommand>                                                                                                  
            </FirstLogonCommands>          
            <UserAccounts>
                <AdministratorPassword>
                    <Value>xinNIANhao2019</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <SkipMachineOOBE>true</SkipMachineOOBE>
            </OOBE>
            <TimeZone>China Standard Time</TimeZone>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:d:/temp/install_windows server 2012 r2 serverdatacenter.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

图1：安装好系统后，可以查看 C:\Windows\panther\Unattend.xml 文件内容，回看设置

图2：C:\Windows\panther\UnattendGC\setupact.txt 可以查看无人值守安装准备内容

参考：

• https://social.technet.microsoft.com/Forums/windows/en-US/19e79485-a4ba-4305-a3ff-2c4f981ecdfd/trying-to-use-powershell-script-with-quotsynchronouscommandquot-section-in-unattend-file?forum=winserversetup
• https://blogs.technet.microsoft.com/heyscriptingguy/2014/01/14/renaming-network-adapters-by-using-powershell/

一用户收到BitNinJa.io发来的通知邮件，说扫了他们机子的445端口。觉得有些疑问，因为Windows 2008 R2 SP1的系统是昨天才安装的，一个晚上功夫，就收到端口扫描警告信了。

我想登录到测试机（一样的系统模板），无法成功远程桌面，但在ipmi里可以看到Windows正在运行。

图1：从ipmi登录到桌面，用 netstat 的命令查看，发现不少连接外网445端口的连接

图2：在任务管理器里查对应PID的异常进程，mssecsvc.exe，以系统用户运行

图3：查找进程所在的位置，文件的创建时间是前一天的18点左右

图4：程序是注册成Windows服务自动运行，无描述内容

图5：再查服务列表，又有一个异常的，Stuvwx，显示名称和描述是自动填写，无意义的

图6：再查进程，又有一个异常的，GoogleCdoeUpdate ，查看文件所在位置，创建时间是当天的凌晨4点41分，还有扫描IP的列表和结果

图7：在事件记录里，有当天凌晨4点41分开机的记录，Windows异常重启过

图8：安装系统时，是通过无人值守安装配置文件允许远程桌面连接的，不知道为什么会自动允许“DFS管理”（包括允许SMB）

图9：在Windows防火墙里取消勾选“DFS管理”后，用 netstat 查看，外网连接本地的445端口会中断

图10：无奈，重装系统容易些，重装好系统，阻止外网访问TCP 445端口，且马上进行Windows更新。Windows 2008 R2 Service Pack 1，产品周期，2011-02至2020-01。7年后的今天，累积了很多的Windows补丁

参考：https://support.microsoft.com/en-us/lifecycle/search?alpha=Windows%20Server%202008%20R2%20Service%20Pack%201

之前“51”网友推荐的活动，在华为云论坛上发测试帖，抽奖。被抽到“华为手环3”一只。多谢。

图1：通过邮政EMS寄来的

图2：一次性纸包装箱

图3：手环产品包装和清单

感谢昵昵。

环境：Debian 9

过程：

1.python -v # 查看默认的python版本，本例是 python2.7

2.pip install -U selenium # 安装 selenium

3.apt install xvfb # 如需运行firefox，需安装 xvfb

4.pip install PyVirtualDisplay # 如需运行firefox，还需安装 PyVirtualDisplay

5.wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - # 添加谷歌的安装源key

6.echo 'deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main' | tee /etc/apt/sources.list.d/google-chrome.list # 添加谷歌chrome安装源

7.apt updat && apt install google-chrome-stable # 安装 google-chrome-stable

8.mkdir /home/dev && cd /home/dev && wget https://chromedriver.storage.googleapis.com/2.39/chromedriver_linux64.zip # 下载 chromedriver，保存到 /home/dev 目录

9 unzip chromedriver_linux64.zip # 解压

10.vi test.py # 创建测试文件，内容如下，获取本博客首页的标题

from selenium import webdriver
# Option 1 - with ChromeOptions
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--headless')
chrome_options.add_argument('--no-sandbox') # required when running as root user. otherwise you would get no sandbox errors. 
driver = webdriver.Chrome(executable_path='/home/dev/chromedriver', chrome_options=chrome_options,
          service_args=['--verbose', '--log-path=/tmp/chromedriver.log'])
# Option 2 - with pyvirtualdisplay
# from pyvirtualdisplay import Display 
#display = Display(visible=0, size=(1024, 768)) 
# display.start() 
#driver = webdriver.Chrome(executable_path='/home/dev/chromedriver', 
#          service_args=['--verbose', '--log-path=/tmp/chromedriver.log'])
# Log path added via service_args to see errors if something goes wrong (always a good idea - many of the errors I encountered were described in the logs)
# And now you can add your website / app testing functionality: 
driver.get('https://liujia.anqun.org') 
print(driver.title)
# driver.click...

11.python test.py # 测试，能显示正确标题

参考：

• https://blog.testproject.io/2018/02/20/chrome-headless-selenium-python-linux-servers/
• https://askubuntu.com/questions/510056/how-to-install-google-chrome
• https://stackoverflow.com/questions/51686224/typeerror-urlopen-got-multiple-values-for-keyword-argument-body-while-execu
• https://github.com/python-telegram-bot/python-telegram-bot/issues/481