====== Linux Commands ======

This guide is designed to be a solution to frequently googled Linux information. It contains simplified commands for doing a series of tasks within a Linux/UNIX system. For extended information behind the commands themselves, please see the resource links below each category. Please note there may be references to information from a previous technology manager position; these references should be ignored.

//**Note**: Many of the commands listed here require sudo/root access in order to work.//

----

===== Keyboard Shortcuts =====

  CTRL + C          stop/kill a bad command
  CTRL + Z          pause/suspend a bad bash command (use "ps" and "kill" to kill)
  CTRL + U          erase what you were typing (when backspace/esc just prints special characters)
  CTRL + D          exit/logout
  CTRL + L          clear the terminal
  CTRL + ALT + Fn   switch screen (can switch between F1 to F6)
  CTRL + R          search bash/command history

===== System =====

==== General ====

  poweroff                     # shutdown a linux system (needs sudo/root access)
  reboot                       # reboot a linux system (needs sudo/root access)
  sudo !!                      # repeat previous command as sudo
  ssh SVR                      # connect to a remote server through current server
  ssh USR@SVR                  # connect to a remote server with USR username
  ssh SVR "command"            # connect to a remote server, run a command, then disconnect
  ssh-keygen                   # generate ssh public/private key pair
  ssh-copy-id USR@SVR          # push ssh public key to remote server SVR under user USR
  cat ~/.ssh/id_rsa.pub | ssh USR@SVR 'cat >> .ssh/authorized_keys'   # same as previous command
  screen                       # start a screen session
  screen -r                    # reconnect a screen session
                               # CTRL + A, then D to disconnect a screen session
  watch CMD                    # repeat CMD command every 2 seconds
  watch -d CMD                 # repeat CMD command every 2 seconds and highlight the differences
  watch -n 10 CMD              # repeat CMD command every 10 seconds
  watch "CMD; CMD2"            # repeat CMD and CMD2 every 2 seconds
  history                      # view command history
  history -c                   # clear entire command history
  history -d NUM               # delete command NUM from history (use "history" to get number)
  !NUM                         # run command NUM from history (use "history" to get number)
  ^STR^RPL                     # in previous command, replace STR with RPL, then run modified command
  uptime                       # view uptime since last reboot
  date                         # view current date
  timedatectl                  # view expanded time/date
  timedatectl list-timezones   # view all available timezones
  timedatectl set-timezone TZN # set timezone to TZN
  which CMD                    # find out the location of CMD command
  wall TXT                     # broadcast a message TXT to all connected users
  write USR                    # broadcast message to a specific user (type message, then press CTRL+D)
  echo TXT | write USR         # alternate way to broadcast message TXT to a specific user USR

==== Hardware Info ====

  cat /etc/issue               # get Linux distro version
  cat /etc/*release            # get more detailed info on Linux version
  lsb_release -a               # another way to get Linux distro info
  uname -r                     # get Linux kernel version
  rpm -qa kernel               # list all Linux kernels
  lscpu                        # get cpu info (model, speed, etc)
  cat /proc/cpuinfo            # get more detailed cpu info
  free -m                      # get memory info
  cat /proc/meminfo            # get memory info
  dmidecode --type memory      # get expanded memory info (how many slots, what's in each slot, etc)
  lshw -class memory           # another way to get expanded memory info
  lspci                        # list all pci devices
  lsusb                        # list all usb devices
  lsblk                        # list all block devices (hard drives, cdrom, etc)
  blkid                        # get the UUID for all block devices
  ethtool IFACE                # get hardware info on network interface IFACE (max speed, etc)
  dmidecode | less             # dump all hardware information (vendor, serial numbers, etc) -- press 'q' to exit
  lshw | less                  # another way to dump all hardware info

=== Memory ===

  swapoff -a -v                                    # turn swap file off (verbose)
  swapon -a -v                                     # turn swap file on (verbose)
  dd if=/dev/zero of=/SWAPFILE count=4096 bs=1MiB  # create a 4GB file called SWAPFILE
  chmod 600 /SWAPFILE                              # set proper permissions on file SWAPFILE
  mkswap /SWAPFILE                                 # convert file SWAPFILE to a swap file
  swapon /SWAPFILE                                 # add file SWAPFILE to the swap filesystem

=== GPU ===

  nvidia-smi             # NVIDIA System Management Interface program
  nvidia-smi -h          # show help and options
  nvidia-smi -L          # list all GPUs
  nvidia-smi -q          # GPU info, including serial number
  nvidia-smi topo -m     # get GPU topology (multi-gpu systems)
  nvidia-smi mig -lgip   # get available MIG modes

=== BMC/IPMI ===

  ipmitool -H IP -U USR -I lanplus CMD           # run command CMD for system IP with user USR (will ask for password)
  ipmitool -H IP -U USR -P PASS -I lanplus CMD   # same as previous, but use password PASS (non-interactive; PASS ends up in shell history and the process list)
  ipmitool -H IP -U USR -I lanplus lan print     # print BMC configuration
  ipmitool -H IP -U USR -I lanplus mc info       # get firmware information for BMC

==== Booting Up ====

  efibootmgr -v             # view current EFI boot entries
  efibootmgr -o 0000,0002   # change boot sequence to 0000, then 0002 (run prev command to make sense of this)
  efibootmgr -b 2 -B        # remove boot entry 0002

  # Disable/Enable the GUI/X11 in CentOS 7
  systemctl get-default                # get default runlevel
  systemctl list-units --type=target   # get list of valid runlevels
  systemctl set-default LVL.target     # change default runlevel to LVL

  # Install/Enable the GUI in AlmaLinux 8
  yum group list                           # show environment groups
  yum groupinstall "Server with GUI"       # install GUI
  systemctl set-default graphical.target   # set GUI as default (not needed if only remote GUI access is required)
  reboot                                   # reboot the system

  # Install Grub Customizer in Ubuntu -- For Changing Boot Order After Ubuntu is Installed
  sudo add-apt-repository ppa:danielrichter2007/grub-customizer
  sudo apt-get update
  sudo apt-get install grub-customizer

  grubby --default-kernel           # centos8: get full path of default boot kernel
  grubby --default-index            # centos8: get index of default boot kernel
  grubby --info=ALL                 # centos8: get info on all boot entries
  grubby --set-default-index=NUM    # centos8: set index NUM as default boot entry
  grubby --set-default=KRN          # centos8: set full path KRN as default boot entry
  awk -F\' '/menuentry / {print $2}' /boot/grub/grub.cfg   # ubuntu16: get all grub menu entries

Resources: [[http://askubuntu.com/questions/325048/cleaning-up-and-changing-the-efi-boot-order-permanently-using-eifbootmgr|Modify an EFI boot order using efibootmgr]], [[http://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order|How to Change GRUB Boot Order in Ubuntu]], [[https://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-booting-single.html|How to boot into Single User Mode in CentOS]], [[http://www.cyberciti.biz/faq/howto-set-date-time-from-linux-command-prompt/|Set Time and Date]], [[https://www.rackaid.com/blog/linux-screen-tutorial-and-how-to/|Screen How To Guide]], [[http://unix.stackexchange.com/questions/105026/boot-partition-is-almost-full-in-centos|Boot Partition is Full]], [[https://linuxconfig.org/how-to-install-gui-on-almalinux|Install GUI on AlmaLinux]]

==== Software & Updates ====

=== RHEL/CentOS ===

  yum update                      # patch system by applying all updates
  yum update PKG                  # update the package PKG
  yum update --exclude=PKG        # patch system, but exclude PKG (can also do wildcard: PKG*)
  yum update --disablerepo=REPO   # patch system, but temporarily disable repository REPO (see 'yum repolist' for valid entries)
  yum list updates                # show list of updated software (security fix)
  yum list installed              # list all installed packages
  yum list available              # list all available packages
  yum list PKG                    # search for package PKG
  yum list *PKG*                  # search for package with "PKG" in the name
  yum repolist                    # list all installed repositories
  yum install PKG1 PKG2           # install package PKG1 and PKG2 (PKG2 is optional, or you can add more)
  yum install PKG.rpm             # install local package PKG.rpm using YUM
  yum remove PKG1 PKG2            # uninstall package PKG1 and PKG2 (PKG2 is optional, or you can add more)
  yum whatprovides FILE           # display what package provides the file FILE
  yum provides FILE               # same as "yum whatprovides FILE"
  yum --enablerepo=extras install epel-release   # enables CentOS extra repos (used for installing open-vm-tools)
  package-cleanup --oldkernels --count=2         # delete old kernels except for the last 2

=== Debian/Ubuntu ===

  apt-get update               # get updated repositories for updating packages
  apt-get upgrade              # actually perform the upgrade
  apt list --installed         # list all installed packages
  apt search PKG               # find all available packages with keyword PKG
  apt-get install PKG          # install the package PKG
  apt-get remove PKG           # uninstall the package PKG, keep settings data
  apt-get remove --purge PKG   # uninstall the package PKG including settings data
  apt-mark hold PKG            # keep package PKG from updating when apt-get update/upgrade is run
  apt-mark unhold PKG          # un-holds the package; will now be updated with everything else

=== Convert from CentOS 8 to CentOS 8 Stream ===

  dnf install centos-release-stream -y         # install stream repository
  dnf swap centos-{linux,stream}-repos         # replace centos with centos-stream
  dnf install epel-release                     # install new epel
  dnf config-manager --set-enabled epel        # enable new epel
  dnf config-manager --set-enabled powertools  # enable powertools
  dnf distro-sync                              # sync and perform upgrade

Resources: [[http://www.cyberciti.biz/faq/rhel-centos-fedora-linux-yum-command-howto/|How To yum Command]], [[http://www.cyberciti.biz/howto/question/linux/apt-get-cheat-sheet.php|apt-get Cheat Sheet]], [[https://www.techrepublic.com/article/how-to-convert-centos-8-to-centos-8-stream/|Convert CentOS 8 to Stream]]

===== Users =====

==== General Info ====

  id -u USR                 # check if a user exists
  id USR                    # get extended info about USR
  who                       # see who is logged onto the system
  who -u                    # same as who, but also gives PID for users
  whoami                    # see who you are logged in as
  last                      # print login history of all users for the past month
  last -wad                 # print login history with sorted full user/domain, ip/dns
  last USR                  # print login history of USR for the past month
  lastb                     # print bad login history
  lastb -wad                # print bad login history with sorted full user/domain, ip/dns
  cut -d: -f1 /etc/passwd   # List All Users
  cut -d: -f1 /etc/group    # List All User Groups
  groups                    # List Current User Groups
  grep 'GRP' /etc/group     # List All Users In Group GRP
  getent passwd             # List All User Details
  listusers                 # List All Users -- Solaris/SunOS Only!

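The user listings above (''cut -d: -f1 /etc/passwd'', ''getent passwd'') can be taken one step further and checked for risky entries. The script below is an added example, not part of the original guide: it reads passwd-format lines and flags extra UID 0 accounts, empty password fields and duplicate UIDs. The function names and the sample data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit passwd(5)-format lines for risky account entries.
# Field layout: name:password:UID:GID:comment:home:shell

# Constructed sample data (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup admin:/home/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
svc-web:x:998:998::/var/www:/sbin/nologin
bob:x:1000:1002:Bob:/home/bob:/bin/bash
EOF
}

# audit_passwd: read passwd lines on stdin, print one "FINDING account" line per issue.
#   UID0            account other than root with UID 0 (full root privileges)
#   EMPTY_PASSWORD  password field is empty, so no password is required
#   DUPLICATE_UID   UID already used by an earlier account
#   MALFORMED       line does not have exactly 7 colon-separated fields
audit_passwd() {
    awk -F: '
        NF != 7                 { print "MALFORMED line " NR; next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 == ""                { print "EMPTY_PASSWORD " $1 }
        ($3 in seen)            { print "DUPLICATE_UID " $1 " (same as " seen[$3] ")" }
        !($3 in seen)           { seen[$3] = $1 }
    '
}

# login_accounts: names of accounts whose shell is not nologin/false.
login_accounts() {
    awk -F: 'NF == 7 && $7 !~ /\/(nologin|false)$/ { print $1 }'
}

# Demo on the constructed sample.
sample_passwd | audit_passwd
```

On a live system the same functions can be fed from ''getent passwd | audit_passwd''.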
==== Sudo/Administrator ====

  su          # promote yourself to super user
  su USR      # switch to user USR (must be root, does not require that user's password)
  sudo su     # same as above
  sudo su -   # same as above, but starts a login shell (loads root's environment instead of keeping yours)
  visudo      # open vi editor to modify sudo/admin access for users
              # To grant someone sudo access to a particular file/command, open sudoers via visudo and type
              # username ALL=/path/to/command.sh
  wall -n MSG                    # broadcast MSG to all users of the server
  wall -n < FILE                 # broadcast contents of FILE to all users of the server
  echo "TXT" | write USR XXX/N   # send TXT to the terminal of USR (use who to find the XXX/N part, e.g.: pts/1)

Resources: [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/2/html/Getting_Started_Guide/ch02s03.html|Configuring SUDO Access]], [[http://www.ab-weblog.com/en/creating-a-restricted-ssh-user-for-ssh-tunneling-only/|Creating a Restricted SSH User for SSH Tunneling Only]], [[https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=how%20to%20use%20visudo|How to Use VISUDO]], [[http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/|Understanding /etc/passwd File Format]], [[http://www.computerhope.com/unix/last.htm|Using LAST]]

==== Create/Modify/Delete ====

  useradd USR                             # create new user
  useradd -m USR                          # create new user, create home directory if none
  useradd -d DIR -s SHL -G GRP1,GRP2 USR  # create user USR, set home directory DIR, set login shell SHL, add to groups GRP1, GRP2
  userdel -r USR                          # delete user and remove user folder
  passwd USR                              # reset the password of a specific user
  passwd -l USR                           # lock a user acct from use
  passwd -u USR                           # unlock a user acct
  passwd -d root                          # delete password of root account
  groupadd GRP                            # create a group named GRP
  groupdel GRP                            # delete a group named GRP
  usermod -a -G GRP USR                   # add existing user USR to group GRP
  gpasswd -d USR GRP                      # remove user USR from group GRP
  usermod -c "INFO" USR                   # modify the comment INFO for user USR (name, email)
  usermod -s SHLL USR                     # modify user USR to use shell SHLL (e.g: "usermod -s /bin/bash username")

Resources: [[http://www.cyberciti.biz/faq/howto-add-new-linux-user-account/|How to Add New Linux User Account]], [[http://www.cyberciti.biz/faq/linux-remove-user-command/|Remove User Account in Linux]], [[https://www.tecmint.com/usermod-command-examples/|Usermod Examples]]

==== Permissions ====

  stat -c "%a %n" FILE     # get current file/directory permissions octal number for FILE
  chmod                    # change file/directory permissions
  chmod a+r FILE           # add READ permissions for ALL users for FILE
  chmod +x FILE            # add EXECUTE permissions for FILE (no class given: applies to all users, limited by umask)
                           # other options: a=all, u=owner, g=group, o=others, +x=add execute, -r=remove read, +w=add write
  chmod 644 FILE           # default permissions for files
  chmod 755 DIR            # default permissions for folders
  chown                    # change file/directory ownership
  chown USR DIR            # change DIR ownership to USR, keep original group
  chown USR:GRP FILE       # change FILE ownership to USR, change group ownership to GRP
  chown -R USR:GRP DIR     # recursively change DIR ownership to USR and GRP, also affects files
  find DIR -type d -exec chmod 755 {} \;   # set all folders in DIR to 755
  find DIR -type f -exec chmod 644 {} \;   # set all files in DIR to 644

==== SELinux ====

  getenforce               # get current SELinux mode
  setenforce 0             # set SELinux to Permissive mode (still reports, does not survive between reboots)
  setenforce 1             # set SELinux to Enforcing mode (default)
  getsebool BOOLEAN        # get value of SELinux boolean
  setsebool -P BOOLEAN VAL # set SELinux boolean to VAL (on/off) permanently
  restorecon -Rv DIR       # restore SELinux context for DIR (useful for apache/httpd "403 forbidden" errors)
  /etc/selinux/config      # selinux configuration (permanently set permissive or disable modes)

  # this is a more aggressive SELinux setter; it looks at logs and sets everything within the log to be permissible
  # useful when restorecon does not work, but turning off selinux does
  # (audit2allow -M also writes mypol.te, the readable rules; read it before loading the module)
  grep httpd /var/log/audit/audit.log | audit2allow -M mypol
  semodule -i mypol.pp

===== Processes =====

  top                  # see a list of running processes (like taskmon), also kill processes
  top -U USR           # see a list of running processes for USR
                       #   q   exit application
                       #   z   toggle color on/off
                       #   1   toggle individual cpu on/off
                       #   m   toggle memory info
                       #   W   save current display for future sessions
                       #   o   filter list (example: "PID=XXX" where XXX is a PID)
  w                    # show only the top part of "top"
  htop                 # more detailed version of top (must be installed)
  ps                   # see a list of processes on the system (simpler than top)
  ps -al               # see a more detailed list of processes
  ps -u USR            # see a list of running processes for USR
  iotop                # monitor disk IO per process (must be installed)
  jobs                 # see a list of running/paused jobs
  bg                   # continue a recently paused process in the background, shows job id when successful
  fg                   # bring the last backgrounded process to the foreground
  nice -NN CMD         # run command CMD with priority NN (default priority is 0)
  nice --NN CMD        # run command CMD with priority -NN (must be root)
  renice NN -p PID     # change priority of process PID to NN
  kill %###            # kill job with number ###, for when you stopped jobs with CTRL+Z
  kill -15 ###         # kill the process with PID ### (use first, less harsh)
  kill -9 ###          # kill the process with PID ### (use second, more harsh)
  killall -u USR       # kill all processes from a user (good for ending hanging login sessions)
  disown %###          # disown a process, process keeps running even on disconnect, NO WAY TO UNDO!

===== Services =====

  service SVC status         # check if a service is running -- older method (CentOS 6)
  service --status-all       # check status of all services -- older method (CentOS 6)
  chkconfig --list           # check service configuration -- older method (CentOS 6)
  systemctl enable SVC       # enable a service (start on boot)
  systemctl disable SVC      # disable a service
  systemctl start SVC        # start the service SVC
  systemctl stop SVC         # stop the service SVC
  systemctl restart SVC      # restart the service SVC
  systemctl status SVC       # check if a service is running
  systemctl status -l SVC    # same as above but gets status without truncation
  systemctl is-active SVC    # check if a service is active (running)
  systemctl list-unit-files  # check status of all services

===== Networking =====

==== General ====

  ping                                          # ping a computer
  ibping                                        # same as ping but for InfiniBand interfaces
  ifconfig                                      # show network configuration
  ifconfig -a | grep ether | awk '{print $2}'   # print all mac addresses for network interfaces
  ip addr show                                  # netplan: show network configuration
  ip addr show dev ETH                          # netplan: show specific network configuration for ETH
  ip route show                                 # netplan: get gateway
  ip link show dev ETH                          # netplan: see ETH network interface info
  cat /etc/resolv.conf                          # get dns
  netstat -tulpn | grep :###                    # find out what process is using port ###
  ss -tulpn | grep :###                         # same as previous line (ss replaces netstat)
  netstat -tulpn | grep LISTEN                  # find all ports currently in use
  iftop                                         # detailed CLI view of network traffic (must be installed)
  hostname                                      # view current hostname
  hostname NAME                                 # set hostname as NAME temporarily (goes away on reboot)
  hostnamectl set-hostname NAME                 # set hostname as NAME permanently

Resources: [[https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf|'ip' Command Cheat Sheet]]

==== Settings ====

  # To manually change your network settings using Netplan (Ubuntu 18+)...
  ip link                    # see all network interfaces and status
  nano /etc/netplan/*.yaml   # modify network configuration (* means file could be named anything)
  netplan apply              # reload network configuration

  # To manually change your network settings using the Network Manager GUI (CentOS 7+)...
  system-config-network             # configure all network settings in GUI window (need CentOS 7 w/ GUI)
  nmtui                             # configure network settings in a command line GUI
  nmtui edit IFACE                  # configure network settings for IFACE in a command line GUI
  systemctl restart network         # restart network interface (CentOS 7)
  systemctl restart NetworkManager  # restart network interface (CentOS 8)

  # To manually change your network settings using Network Manager (CentOS 7+)...
  nmcli d                                       # see all network interfaces and status
  nmcli c modify ETH ipv4.addresses IP/SUB      # set ETH interface to IP with SUB subnet (e.g.: 10.0.0.30/24)
  nmcli c modify ETH ipv4.gateway GATEIP        # set ETH interface to GATEIP gateway
  nmcli c modify ETH ipv4.dns "DNSIP1 DNSIP2"   # set ETH interface to DNS address DNSIP1, DNSIP2 optional
  nmcli c modify ETH ipv4.method manual         # set ETH interface to manual IP settings
  nmcli c modify ETH ipv4.method auto           # set ETH interface to DHCP
  nmcli c down ETH; nmcli c up ETH              # reload ETH interface and settings

  # To manually change your network settings without Network Manager (CentOS 6)...
  nano /etc/sysconfig/network-scripts/ifcfg-eth0   # Configure eth0 Interface
  nano /etc/sysconfig/network                      # Configure Default Gateway
  /etc/init.d/network restart                      # Restart Network Interface
  service network restart                          # Restart Network Interface
  nano /etc/resolv.conf                            # Configure DNS Server
  nano /etc/hosts                                  # Configure Hosts

Resources: [[https://www.server-world.info/en/note?os=CentOS_7&p=initial_conf&f=3|CentOS 7 Network Settings]], [[https://askubuntu.com/questions/464747/channel-bonding-modes|Channel bonding modes]], [[https://www.snel.com/support/how-to-set-up-lacp-bonding-on-ubuntu-18-04-with-netplan/|How to create a bond in Ubuntu]], [[https://linuxize.com/post/how-to-configure-static-ip-address-on-ubuntu-20-04/|Configure Static IP using Netplan]], [[https://urclouds.com/2019/03/22/how-to-configure-vlan-network-in-rhel-7-and-centos-7/|Configure VLAN in CentOS 7]]

==== Proxy ====

=== CentOS 8: Global Proxy ===

Create the file ''/etc/profile.d/proxy.sh'' with the following content:

  MY_PROXY_URL="<_PROXY_SERVER_>:3128"
  HTTP_PROXY=$MY_PROXY_URL
  HTTPS_PROXY=$MY_PROXY_URL
  FTP_PROXY=$MY_PROXY_URL
  http_proxy=$MY_PROXY_URL
  https_proxy=$MY_PROXY_URL
  ftp_proxy=$MY_PROXY_URL
  export HTTP_PROXY HTTPS_PROXY FTP_PROXY http_proxy https_proxy ftp_proxy

=== CentOS 8: DNF/YUM Proxy ===

DNF does not use the global proxy. Add the following line to the end of ''/etc/dnf/dnf.conf'' to enable a proxy for DNF only.

  proxy=<_PROXY_SERVER_>:3128

=== Docker Proxy ===

Docker does not use the global proxy. Create the file ''/etc/systemd/system/docker.service.d/http-proxy.conf'' with the following content:

  [Service]
  Environment="HTTP_PROXY=<_PROXY_SERVER_>:3128"
  Environment="HTTPS_PROXY=<_PROXY_SERVER_>:3128"

... then run the following commands:

  systemctl daemon-reload                       # reload service configuration
  systemctl restart docker                      # restart docker service
  systemctl show --property=Environment docker  # verify that environment variables are loaded

Resources: [[https://www.server-world.info/en/note?os=CentOS_8&p=squid&f=2|CentOS 8 Proxy Client]], [[https://docs.docker.com/config/daemon/systemd/#httphttps-proxy|Docker Proxy]]

==== File Transfer ====

  wget "http://remote.file"             # Download file from the internet to current directory
  wget -O FILE "http://remote.file/"    # Download file from the internet, rename file to FILE
  wget "http://remote.file/" -P DIR     # Download file from the internet to DIR directory
  scp FILE USR@SVR:                     # Upload file FILE to server SVR as user USR
  scp -r SRC USR@SVR:DEST               # Upload directory SRC to server SVR in directory DEST as user USR
  rsync -avu SRC USR@SVR:DEST           # Same as previous, but only send newer files
  source <(curl -s http://script.sh)    # Download script from internet, run script directly
  bash <(curl -s http://script.sh)      # Same as previous, but works on macOS/FreeBSD
  curl -L https://script.sh | bash      # Another method to do the same

==== Firewall ====

=== IPTables ===

  iptables -S   # see current iptables configuration
  iptables -L   # lists all rules for default tables only
  iptables -F   # flush all rules

=== FirewallD (CentOS) ===

  firewall-cmd --state                                        # check if firewall is running and active
  firewall-cmd --list-all                                     # show all open ports in each active zone
  firewall-cmd --get-active-zones                             # show all active zones
  firewall-cmd --get-services                                 # list all services
  firewall-cmd --zone=ZNE --add-service=SVC --permanent       # open service SVC in zone ZNE permanently
  firewall-cmd --zone=ZNE --add-port=XXX/tcp --permanent      # open tcp port XXX in zone ZNE permanently
  firewall-cmd --zone=ZNE --remove-port=XXX/tcp --permanent   # close tcp port XXX in zone ZNE permanently
  firewall-cmd --zone=drop --add-source=IP --permanent        # block IP from connecting (drops all packets)
  firewall-cmd --zone=drop --add-source=IP/SUB --permanent    # block subnet SUB from connecting
  firewall-cmd --zone=ZNE --list-sources --permanent          # list sources in zone ZNE
  firewall-cmd --zone=ZNE --add-source=IP --permanent         # whitelist IP in zone ZNE
  firewall-cmd --zone=ZNE --remove-source=IP --permanent      # remove IP from whitelist
  firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d IP/SUB -j REJECT      # block outgoing connection to IP
  firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 -d IP/SUB -j REJECT   # remove IP block rule
  firewall-cmd --direct --get-all-rules                       # view all direct rules
  firewall-cmd --reload                                       # reload firewall
  /etc/firewalld                                              # location of firewalld configuration (backup)
  /etc/firewalld/direct.xml                                   # location of firewalld direct rules

=== UncomplicatedFirewall (Ubuntu) ===

  ufw enable                          # enable firewall
  ufw disable                         # disable firewall
  ufw status verbose                  # get status, shows rules if firewall is enabled
  ufw status numbered                 # get status, show number for each firewall rule
  ufw allow PRT                       # open port PRT for all protocols
  ufw allow PRT/tcp                   # open port PRT for protocol TCP
  ufw allow SVC                       # open service SVC (http, https, ssh, ...)
  ufw allow PRT:RNG                   # open port range from PRT to RNG for all protocols
  ufw delete NUM                      # close port relating to rule NUM (see "ufw status numbered")
  ufw delete allow PRT                # close port PRT by removing allow rule for PRT
  ufw deny from IP                    # block ip address IP (or range IP/SUB)
  ufw allow from IP to any port PRT   # allow ip address IP to connect to port PRT
  ufw reload                          # reload firewall
  ufw reset                           # reset to factory settings

Resources: [[http://linux.die.net/man/8/ibping|IBPING Manual]], [[https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-files.html|Network Configuration]], [[http://www.cyberciti.biz/faq/unix-network-service-restart-stop/|Restart Network Service]], [[http://stackoverflow.com/questions/808560/how-to-detect-the-physical-connected-state-of-a-network-cable-connector|Detect Physical State of Connector]], [[http://stackoverflow.com/questions/24729024/centos-7-open-firewall-port|Open Firewall Port in CentOS 7]], [[http://www.server-world.info/en/note?os=CentOS_7&p=firewalld|Basic Operation of Firewalld]], [[https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos|Introduction to FirewallD on CentOS]], [[https://help.ubuntu.com/lts/serverguide/firewall.html|Ubuntu Firewall]], [[https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04|How To Set Up a Firewall with UFW]]

==== SSL/TLS ====

=== OpenSSL ===

  openssl genrsa -out KEY 2048                                # generate private key KEY
  openssl req -new -key KEY -out CSR                          # generate CSR (named CSR)
  openssl x509 -req -days 365 -in CSR -signkey KEY -out CRT   # generate self-signed cert CRT
  openssl x509 -enddate -noout -in CRT                        # get expiration date of certificate CRT
  /etc/pki/tls/certs/                                         # location of certificates (CRT)
  /etc/pki/tls/private/                                       # location of private key (KEY) and CSR
  /etc/ssl/certs/                                             # location of certificates (ubuntu)
  /etc/ssl/private/                                           # location of private key (ubuntu)

Resources: [[https://wiki.centos.org/HowTos/Https|Setup SSL with CentOS]]

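The File Transfer entries in this Networking section that feed a downloaded script straight into ''bash'' execute whatever the server returns at that moment. The script below is an added example, not part of the original guide: it saves the download to a file, compares it with a pinned SHA-256 digest and only then runs it. The function names and the stand-in installer script are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded script only after its SHA-256 matches a pinned value.
# Function names are illustrative; the demo uses a constructed local file, no network.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 3 on digest mismatch, otherwise the script's own exit status.
run_verified() {
    local file expected actual
    file=$1
    expected=$2
    shift 2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 3
    fi
    bash "$file" "$@"
}

# fetch_then_run URL EXPECTED_SHA256
# Downloads to a temp file (never into a pipe), HTTPS only, then verifies and runs.
fetch_then_run() {
    local url expected tmp rc
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        run_verified "$tmp" "$expected"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Offline demo with a constructed stand-in for a vendor install script.
demo() {
    local dir pinned
    dir=$(mktemp -d) || return 1
    printf 'echo "installer ran"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")        # in practice: the digest the vendor publishes
    run_verified "$dir/install.sh" "$pinned"     # digest matches, script runs
    printf 'echo "unexpected extra line"\n' >> "$dir/install.sh"   # content changed after pinning
    run_verified "$dir/install.sh" "$pinned" || echo "refused to run (exit $?)"
    rm -rf "$dir"
}

demo
```

The pinned digest has to come from a channel other than the download itself (release notes, a signed checksum file); a digest fetched from the same URL proves nothing.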
===== File Management ===== ==== Navigation ==== pwd # print the current working directory cd .. # go up a directory cd - # go to previous directory mkdir NAME # create a directory cp SRC DEST # copy a file/directory cp -R SRC DEST # copy a directory recursively cp -p SRC DEST # copy a file/directory, preserving its permissions, owner, etc mv SRC DEST # move/rename a file/directory rm SRC # delete a file/directory/symlink rmdir DIR # delete a directory (will fail if DIR is not empty) rm -rf SRC # delete entire directory recursively with no prompts (*DANGEROUS*) ln -s SRC LINK # make the symbolic link LINK pointing to SRC ==== File/Directory Sizes ==== ls -lh /DIR/ # list DIR info in human readable form ls -d PREFIX* # list all directories with PREFIX df -lh # check amount of filesystem in use in human readable form df -aTh # similar to above du -sh /DIR/ # check total size of directory, summarizes to just 1 line du -hsx /DIR/ | sort -rh | head -10 # get largest folders, sort by largest, show the top 10 for i in G M K; do du -hsx /DIR/ | grep [0-9]$i | sort -nr -k 1; done | head -n 11 # same as above (for when the prev command doesn't quite work) ==== Finding Files/Directories ==== find # find all files in current directory and subdirectories find DIR -name "FILE" # find all files matching FILE in DIR directory find / -name "FILE" -ls # find all files on ROOT matching FILE and show details find . 
-type f -mtime +30 # find all files in current directory older than 30 days locate FILE # find all files matching FILE; faster than find as it's database driven locate -r /FILE$ # find all files matching exact string FILE whereis BIN # find the path for the binary BIN (like program files) Resources: [[http://www.cyberciti.biz/faq/howto-find-a-directory-linux-command/|Find a Directory On Linux Based System]] === Directory Color Guide === {{::gnt32.png?nolink|}} ==== Filesystem ==== fdisk -l # list all connected partitions fdisk -l | grep '^Disk' # simpler view of previous command df -h # list partitions, mount points, and Avail/Used/Free space df -aTh # a more detailed version of the previous command df -h -x overlay # list partitions, but don't show overlay filesystems (i.e: docker, etc) nano /etc/fstab # Edit file table umount DIR # Unmount DIR mount -a # Remount all mount points listed in file table mount SRC MNT # Mount SRC at MNT: e.g: "mount /dev/sdc1 /student" mount -t FS -o loop SRC MNT # Mount disk image: e.g: "mount -t vfat -o loop floppy.img /mnt/floppy/" mount -t iso9660 -o loop SR MT # Mount CD/DVD image SR at mount point MT mount -o ro SRC MNT # mount SRC at MNT as read-only mount -t nfs SRC MNT # mount NFS mount SRC at MNT: e.g: "mount -t nfs csc-san3:/mnt/SAN3/BACKUP2 /storage/san3" cat /dev/sdb >/dev/sdc # copy entire contents of drive SDB to drive SDC (like dd but fast & efficient) fdisk /dev/sdXX # partition disk sdXX, n=create partition, w=write partition, q=quit w/o change mkfs.ext4 /dev/sdXX1 # format partition sdXX1 as EXT4 file system mke2fs -n /dev/sdXX # see all superblocks needed to repair filesystem on SDXX (eg: sda2, sdd1, etc) e2fsck -b 000 /dev/sda2 # repair a file system using the superblock 000 vgdisplay # view all volume groups lvdisplay # view all logical volumes (lvm) cfdisk # visual partition manager (useful for lvm in ubuntu 16) lvresize -l +100%FREE /dev/VGLG # resize logical volume to remaining physical free space (useful for 
ubuntu 18) resize2fs /dev/VGLG # resize underlying file system to new logical drive size (useful for ubuntu 18) fallocate -l SIZ FIL # create file FIL of blank size SIZ (e.g: 10G, 2G, 100M...), faster than dd Resources: [[http://www.cyberciti.biz/faq/linux-disk-format/|How to Format a Disk in Linux]], [[http://www.thegeekstuff.com/2013/01/mount-umount-examples/|Mount and Unmount Examples]], [[https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nfs-mount-on-centos-6|How To Setup NFS]], [[https://kb.vmware.com/s/article/1006371|Extend Logical Volume in RHEL VM]], [[http://www.geoffstratton.com/expand-hard-disk-ubuntu-lvm|Expand a Hard Disk with Ubuntu LVM]] ==== Archives (Zip/Tar) ==== tar -C DEST -zxvf SRC # decompress SRC file to DEST directory, filename e.g: grid-db.tar.gz tar -czvf DEST SRC # compress SRC file/dir to DEST file unzip FILE # decompress FILE to current directory unzip FILE -d DIR # decompress FILE to directory DIR zip FILE * # compress everything in current directory to FILE zip -r FILE * # compress everything in current directory INCLUDING subdirectories to FILE zip -ur FILE FILE2 # add FILE2 to the existing archive FILE zip FILE -@ < LIST # add each file listed in LIST (1 filename per line) to the archive FILE jar -vxf FILE.war # unzip FILE.war to current directory ==== RAID Management ==== mdadm --examine /dev/sdXX /dev/sdYY # check for existing RAID blocks on drives/partitions mdadm --create /dev/mdZZ --level=Y --raid-devices=N /dev/sdXX /dev/sdYY # creates a raid device mdZZ, with raid level Y, using N devices, etc # mdZZ: md0, md1... 
# Y: RAID Level (0, 1, 5, 6, 10) # N: Number of drives in array cat /proc/mdstat # get instantaneous status raid build mdadm --detail /dev/md0 # get status of raid array mdadm --detail --scan --verbose >> /etc/mdadm.conf # generate linux raid config Resources: [[https://www.tecmint.com/create-raid-5-in-linux/|Creating RAID 5 in Linux]], [[https://askubuntu.com/questions/1234949/install-ubuntu-20-04-focal-fossa-with-raid-1-on-two-devices|Configure RAID on Ubuntu 20 Installation]] ==== iSCSI Management ==== yum install iscsi-initiator-utils # install iscsi initiator, if not installed systemctl start iscsi # start iscsi systemctl stop iscsi # stop iscsi systemctl restart iscsi # restart iscsi systemctl status iscsi # get status of iscsi /etc/iscsi/iscsid.conf # iscsi configuration (set CHAP user/pass) iscsiadm -m discovery -t st -p IPADDR # discover iscsi targets on target IPADDR iscsiadm -m node --login # login to discovered iscsi targets iscsiadm -m session -o show # show currently connected iscsi targets cat /proc/partitions # confirm available partitions iscsiadm -m node -T TRGT -u -p IPADDR:3260 # log out of iscsi target TRGT located on IPADDR iscsiadm -m node -T TRGT -p IPADDR -o delete # delete discovered target TRGT located on IPADDR from memory iscsiadm -m node # show all discovered targets Resources: [[http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-iscsi-howto.html|Configure iSCSI on CentOS]], [[https://www.server-world.info/en/note?os=CentOS_7&p=iscsi&f=2|Configure iSCSI Initiator]] ==== Miscellaneous ==== lsof # list all open files lsof FILE # list all processes that opened FILE lsof /MNTPT # list all open files on MNTPT mountpoint lsof | grep ETC # list all open processes related to ETC rsync # see http://www.techonthenet.com/linux/commands/rsync.php rsync -avzP SRC DEST # copy SRC to DEST, archival mode, preserve permissions, owner, timestamps, etc. 
  # use when you want to do a dd/cat but operating with files instead of blocks/bytes
  /etc/skel/  # Anything that goes in here gets copied to a new user's directory

Resources: [[http://www.thegeekstuff.com/2012/08/lsof-command-examples/|LSOF Command Examples]], [[http://www.techonthenet.com/linux/commands/rsync.php|How to Use RSYNC]], [[https://blog.interlinked.org/tutorials/rsync_time_machine.html|RSYNC Backup Help]], [[http://www.mikerubel.org/computers/rsync_snapshots/|More RSYNC Backup Help]]

===== Text Editors & Text Manipulation =====

  vi FILE  # open a file to read
  vim FILE  # open a file to read in VIM (similar to VI, but advanced with colored text)
  # ESC [then] :q! [then] ENTER    exit without saving changes
  # ESC [then] :w [then] ENTER     save changes, leave vi running
  # ESC [then] :noh [then] ENTER   clear search highlighting
  # ESC [then] /STR [then] ENTER   search for STR in document
  # ESC [then] :## [then] ENTER    skip to line ## in document
  nano FILE  # open a file to read
  tail TXT  # view the last 10 lines of file TXT
  tail -f TXT  # view the last 10 lines of file TXT and keep showing any new lines (ctrl+c to exit)
  tail -20 TXT  # view last 20 lines of file TXT
  tail -20 -f TXT  # view last 20 lines of file TXT, keep showing any new lines (ctrl+c to exit)
  cat TXT  # print entire file TXT to screen
  cat -n TXT  # print entire file and show line numbers
  cat TXT | grep STR  # print only the lines containing string STR in entire file TXT
  grep STR FILE  # functionally the same as the previous command
  cat TXT | more  # print file TXT to screen, make it scrollable
  # ENTER        scroll by line
  # SPACE        scroll by page
  # CTRL+C       exit
  cat TXT | less  # print file TXT to screen, scroll forward and backward
  # ARROW-DOWN   scroll by line down
  # ARROW-UP     scroll by line up
  # SPACE        scroll down by page
  # q            exit
  cat TXT | cut -c1-80  # print file to screen, only show chars 1-80 (neat way to disable word wrap)
  sed "s/STR/RPL/" FILE  # substitute STR with RPL in FILE, do not modify file
  sed -i "s/STR/RPL/" FIL  # substitute STR with RPL in FIL, save changes to file
  sed -i "/STR/d" FILE  # delete lines containing STR from FILE, save changes to file
  diff FILE1 FILE2  # compare two files, FILE1 (<) and FILE2 (>)
  diff -c FILE1 FILE2  # same as above, but show more context around differences

Resources: [[https://docs.oracle.com/cd/E19683-01/806-7612/6jgfmsvqf/index.html|Basic vi Commands]]

===== Services & Applications =====

==== Apache/HTTPD ====

=== General ===

  yum install httpd mod_ssl  # install apache with ssl support (centos)
  apt install apache2  # install apache (ubuntu)
  a2enmod ssl  # (ubuntu) enable ssl mod (required for ssl)
  a2enmod headers  # (ubuntu) enable header mod (required for security hardening)
  systemctl start httpd.service  # start apache
  systemctl stop httpd.service  # stop apache
  systemctl restart httpd.service  # restart apache
  systemctl status httpd.service  # get status of service
  systemctl start apache2.service  # (ubuntu) start apache
  systemctl stop apache2.service  # (ubuntu) stop apache
  systemctl restart apache2.service  # (ubuntu) restart apache
  systemctl status apache2.service  # (ubuntu) get status of service
  /etc/httpd/conf/httpd.conf  # main configuration
  /etc/httpd/conf.d/ssl.conf  # ssl configuration (optional, has location of cert/key)
  /etc/httpd/conf.d/userdir.conf  # user folder configuration (optional)
  /etc/httpd/conf.d/vhosts.conf  # virtual hosts configuration (optional)
  /etc/httpd/conf.modules.d/90-alias.conf  # aliases configuration (optional)
  /etc/apache2/apache2.conf  # (ubuntu) main configuration
  /etc/apache2/sites-enabled/000-default.conf  # (ubuntu) default virtual host (also put ssl & force ssl here)
  /var/log/httpd/*  # all log files, including php logs
  apachectl configtest  # check apache configuration for errors
  chcon -R --type=httpd_sys_rw_content_t DIR  # enable DIR to host web pages with SELinux enabled (useful for userdir)

=== Security Hardening ===

Modify configuration file ''/etc/httpd/conf/httpd.conf'' (CentOS) or ''/etc/apache2/apache2.conf'' (Ubuntu)...

  # Modify line ~144 to disable indexes and symlinks
  Options -Indexes -FollowSymLinks
  
  # --- Place At End Of File ---
  # Web Server Security Hardening
  ServerSignature Off
  ServerTokens Prod
  TraceEnable off
  Header set X-Content-Type-Options nosniff
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Permitted-Cross-Domain-Policies "none"
  Header always append X-Frame-Options SAMEORIGIN
  Header set Referrer-Policy "no-referrer"
  Header set Content-Security-Policy "default-src 'unsafe-inline' *.<_COMPANY_TLD_>; script-src 'unsafe-inline' 'unsafe-eval' *.<_COMPANY_TLD_>; font-src 'self' data:; img-src 'self' data:;"
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  
  # Custom Error Pages
  ErrorDocument 404 /404.html
  ErrorDocument 403 /403.html
  
  # Force SSL
  ServerName __SERVER_HOSTNAME_HERE__
  RedirectMatch permanent ^/(.*)$ https://__SERVER_HOSTNAME_HERE__/$1
  
  # Force SSL (Alternative Method)
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

For CentOS, modify configuration file ''/etc/httpd/conf.d/ssl.conf''...

  # Modify relevant parts to the following (line ~54)
  SSLEngine on
  SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  SSLCertificateFile /path/to/ssl/certificate
  SSLCertificateKeyFile /path/to/ssl/key

For Ubuntu, modify configuration file ''/etc/apache2/sites-enabled/000-default.conf''...
  # --- Place At End Of File ---
  ServerName __SERVER_HOSTNAME_HERE__
  DocumentRoot /var/www/html
  SSLEngine on
  SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder on
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  SSLCertificateFile /path/to/ssl/certificate
  SSLCertificateKeyFile /path/to/ssl/key

Resources: [[http://www.cyberciti.biz/faq/howto-install-linux-apache-mariadb-php-lamp-stack-on-centos7-rhel7/|Install a LAMP Stack using CentOS 7]], [[https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04|Install a LAMP Stack using Ubuntu 20]], [[https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04|Configure SSL in Apache on Ubuntu 20]], [[https://www.if-not-true-then-false.com/2010/enable-apache-userdir-with-selinux-on-fedora-centos-red-hat-rhel/|Enable Per-User Directories]], [[https://content-security-policy.com/|Content Security Policy]], [[https://geekflare.com/http-header-implementation/|How to Implement Security HTTP Headers]]

==== PHP ====

=== Ubuntu 20: Install PHP ===

  apt install php libapache2-mod-php php-mysql  # install php

=== CentOS 8: Install PHP ===

  dnf install php php-cli php-gd php-curl php-mysqlnd php-ldap php-zip  # install php
  dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm  # add remi repo (for php >v7.2)
  dnf install dnf-utils  # install dnf utilities
  dnf module reset php  # reset php repo
  dnf module install php:remi-7.4  # enable remi repo for php 7 (v7.4)
  dnf module install php:remi-8.1  # enable remi repo for php 8 (v8.1)
  dnf install php php-cli php-gd php-curl php-mysqlnd php-ldap php-zip  # install php 7.4
  /etc/httpd/conf/httpd.conf  # Modify line ~167 to add index.php

=== CentOS 7: Upgrade to v7.x ===

  yum --enablerepo=extras install epel-release  # enable rhel epel
  yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm  # add remi repo
  yum-config-manager --enable remi-php74  # enable remi repo (php71, php72, php73, php74)
  yum install php php-cli php-gd php-curl php-mysql php-ldap php-zip  # install php
  /etc/httpd/conf/httpd.conf  # Modify line ~167 to add index.php

=== Security Hardening ===

Modify configuration file ''/etc/php.ini'' (CentOS) or ''/etc/php/7.4/apache2/php.ini'' (Ubuntu)...

  # Modify line ~375 and change expose_php from ON to OFF
  expose_php = Off

==== Postfix (Sendmail) ====

  systemctl start postfix.service  # start postfix
  systemctl stop postfix.service  # stop postfix
  systemctl restart postfix.service  # restart postfix
  systemctl status postfix.service  # get status of postfix service
  /etc/aliases  # email aliases file
  /etc/postfix/main.cf  # postfix configuration file
  /etc/postfix/master.cf  # postfix master configuration (enable amavisd/clamav here)
  /etc/postfix/header_checks  # block unapproved mail attachments
  /etc/postfix/client_checks  # block/allow senders by IP (smtpd_client_restrictions)
  /etc/postfix/sender_checks  # block/allow senders by email (smtpd_sender_restrictions)
  /etc/postfix/rbl_override  # whitelist servers from rbl checks (smtpd_relay_restrictions)
  newaliases  # rehash aliases file (required for postfix)
  postmap /etc/postfix/client_checks  # rehash client checks file (required)
  postmap /etc/postfix/sender_checks  # rehash sender checks file (required)
  postmap /etc/postfix/rbl_override  # rehash rbl override file (required)
  /var/log/maillog  # postfix log file (contains postgrey log as well)
  mail EMAIL < FILE  # send email to EMAIL, the body will be FILE
  mailq  # view the mail queue
  postfix flush  # flush the mail queue
  postsuper -d NUM  # delete message id NUM from the mail queue
  postsuper -d ALL  # remove all mail from the queue
  postsuper -d ALL deferred  # remove all deferred mail from the queue

=== Security Hardening ===

Modify configuration file ''/etc/postfix/main.cf''...
  relayhost = [<_COMPANY_EMAIL_SERVER_>]  # route all mail through mail server (e.g: 'mailhost.example.org')
  smtpd_client_restrictions = sleep 5  # rate limit outgoing mail

==== MySQL/MariaDB ====

  yum install mariadb-server mariadb  # install mysql
  curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup  # download mariadb repo (for mysql >v10.3)
  bash mariadb_repo_setup --mariadb-server-version=10.6  # set for v10.6
  dnf install boost-program-options  # install utilities
  dnf module reset mariadb  # reset mariadb repo
  dnf install mariadb-server mariadb-client mariadb-backup  # install mysql v10.6
  systemctl start mariadb.service  # start mariadb service
  systemctl stop mariadb.service  # stop mariadb service
  systemctl restart mariadb.service  # restart mariadb service
  systemctl status mariadb.service  # get status of mariadb service
  /usr/bin/mysql_secure_installation  # first run security hardening
  /usr/bin/mariadb-secure-installation  # same as above, for v10.6
  mysql --version  # test if mysql is installed and see what version is running
  mysql -u root -pPASS  # log into mysql as administrator/root
  mysqlcheck -c DATABASE -u root -pPASS  # check DATABASE for errors, PASS is for administrator/root
  mysqldump DATABASE > FILE  # backup DATABASE to file FILE
  mysql DATABASE < FILE  # restore DATABASE from file FILE
  mysqladmin -u root -pPASS password NEWPASS  # change root password from PASS to NEWPASS

=== SQL-Specific Commands ===

  source SRC.sql  -- run a set of sql commands stored in a file
  SHOW DATABASES;  -- show all databases
  CREATE DATABASE DB;  -- create a database
  DROP DATABASE DB;  -- delete a database
  USE DB;  -- select a database to view/edit
  SHOW TABLES;  -- show all tables in a database
  SET PASSWORD FOR 'user'@'localhost' = PASSWORD('mypass');  -- set USER password as MYPASS
  GRANT ALL ON DB.* to 'user'@'localhost' identified by 'pass';  -- grant USER access to DB with password PASS
  SELECT host, user, password FROM mysql.user;  -- list all users

Resources: [[http://geroldm.com/2012/10/migrate-mysql-databases-users-and-privileges-to-different-server/|Migrate MySQL User Privileges]]

==== Tomcat ====

  systemctl start tomcat.service  # start tomcat service
  systemctl stop tomcat.service  # stop tomcat service
  systemctl restart tomcat.service  # restart tomcat service
  systemctl status tomcat.service  # get status of tomcat service
  /opt/tomcat/conf/tomcat-users.xml  # users config file (web mgmt console user/pass goes here)
  /opt/tomcat/conf/server.xml  # server config file (per user folder listener goes here)
  /opt/tomcat/logs/  # log files

==== SSH/Secure Shell ====

=== General ===

  systemctl start sshd.service  # start ssh
  systemctl stop sshd.service  # stop ssh
  systemctl restart sshd.service  # restart ssh
  systemctl status sshd.service  # get status of ssh service
  /etc/ssh/sshd_config  # main configuration
  /etc/hosts.deny  # block specific IP/IP ranges from SSH (tcp wrappers)
  /etc/hosts.allow  # allow specific IP/IP ranges for SSH (tcp wrappers)
  /var/log/secure  # log file location (CentOS/RHEL)
  /var/log/auth.log  # log file location (Ubuntu/Debian)
  dnf install rsyslog  # Required to enable log location on RHEL 8+

=== Security Hardening ===

Modify configuration file ''/etc/ssh/sshd_config''...

  # Disable weak and deprecated ciphers
  Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
  KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,gss-gex-sha1-,gss-group14-sha1-
  MACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

For company-only access, run the following commands...
  # FirewallD (CentOS/RHEL)
  firewall-cmd --permanent --zone=internal --add-source=<_COMPANY_IP_RANGE_>
  firewall-cmd --permanent --zone=internal --add-source=10.0.0.0/8
  firewall-cmd --permanent --zone=public --remove-service=ssh
  firewall-cmd --reload; firewall-cmd --list-all
  
  # UncomplicatedFirewall (Ubuntu)
  ufw allow from <_COMPANY_IP_RANGE_> to any port 22
  ufw allow from 10.0.0.0/8 to any port 22
  ufw reload; ufw status

For non-company IP access, remove firewall commands and instead install Fail2Ban.

  # Remove Restrictions (FirewallD)
  firewall-cmd --permanent --zone=internal --remove-source=<_COMPANY_IP_RANGE_>
  firewall-cmd --permanent --zone=internal --remove-source=10.0.0.0/8
  firewall-cmd --permanent --zone=public --add-service=ssh
  firewall-cmd --reload; firewall-cmd --list-all
  
  # Remove Restrictions (UFW)
  ufw delete allow from <_COMPANY_IP_RANGE_> to any port 22
  ufw delete allow from 10.0.0.0/8 to any port 22
  ufw reload; ufw status

=== Log Analysis ===

Replace ''LOG'' with the appropriate log file for the Linux architecture

  # Total number of log entries for SSHD
  cat LOG | grep sshd | wc -l
  
  # Number of successful logins
  cat LOG | grep sshd | grep 'session opened' | wc -l
  
  # List IPs of successful logins
  cat LOG | grep -oE '.*Accepted password.*' | awk '{ print $11 }' | sort | uniq
  
  # Total number of port scan attempts (bad)
  cat LOG | grep -oE 'Received disconnect.*' | wc -l
  
  # Total number of IPs that did port scans (bad)
  cat LOG | grep -oE 'Received disconnect.*' | awk '{ print $4 }' | sort | uniq | wc -l
  
  # List IPs of port scanners, with number of attacks per IP
  cat LOG | grep -oE 'Received disconnect.*' | awk '{ print $4 }' | sort | uniq -c | sort -n
  
  # Total number of bad login attempts
  cat LOG | grep 'Invalid user' | wc -l
  
  # List usernames of bad login attempts, with number of attempts per username
  cat LOG | grep -oE 'Invalid user.*' | awk '{ print $3 }' | sort | uniq -c | sort -n

Resources: [[http://redgreenrepeat.com/2017/02/17/parsing-ssh-logs-basics/|Parsing SSH Logs]], [[https://unix.stackexchange.com/questions/406245/limit-ssh-access-to-specific-clients-by-ip-address|Limit SSH by IP Address]], [[http://www.programmersought.com/article/14691447370/;jsessionid=85E2EC0CEB779BA884E8DF8456C57A5A|Limit SSH without TCP Wrappers]]

==== Fail2Ban ====

  yum install fail2ban  # install fail2ban
  systemctl start fail2ban  # start fail2ban service
  systemctl stop fail2ban  # stop fail2ban service
  systemctl restart fail2ban  # restart fail2ban service
  systemctl status fail2ban  # get status of fail2ban service
  fail2ban-client status  # list active jails
  fail2ban-client status sshd  # view banned ips in sshd jail
  fail2ban-client set sshd banip IPADDR  # manually ban ip address IPADDR
  fail2ban-client set sshd unbanip IPADDR  # manually unban ip address IPADDR
  fail2ban-client unban --all  # unban all ips in all jails
  fail2ban-client -h  # show list of commands
  /etc/fail2ban/jail.conf  # default config
  /etc/fail2ban/jail.local  # custom config (overrides jail.conf, set ignored ips)
  /etc/fail2ban/jail.d/sshd.local  # sshd config (required to protect ssh)
  /etc/fail2ban/filter.d/f2b-loop.conf  # nested jail processor
  /var/log/fail2ban.log  # log of fail2ban activity (bans/unbans)

Resources: [[https://www.howtoforge.com/tutorial/how-to-install-fail2ban-on-centos/|Install Fail2Ban on CentOS]], [[https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/|Increased Ban Times for Repeat Offenders]]

==== CRON ====

  crontab -e  # edit current user crontab
  /etc/crontab  # location of system crontab
  /var/spool/cron/crontabs/  # location of user crontabs
  
  # Special Strings
  @reboot   /path/to/script  # Run once, at startup.
  @yearly   /path/to/script  # Run once a year........ "0 0 1 1 *"
  @annually /path/to/script  # (same as @yearly)
  @monthly  /path/to/script  # Run once a month....... "0 0 1 * *"
  @weekly   /path/to/script  # Run once a week........ "0 0 * * 0"
  @daily    /path/to/script  # Run once a day......... "0 0 * * *"
  @midnight /path/to/script  # (same as @daily)
  @hourly   /path/to/script  # Run once an hour....... "0 * * * *"

Resources: [[https://www.axllent.org/docs/view/crontab/|Using crontab on Linux]]

==== CylancePROTECT ====

=== General ===

  systemctl start cylancesvc  # start cylance service
  systemctl stop cylancesvc  # stop cylance service
  systemctl restart cylancesvc  # restart cylance service
  systemctl status cylancesvc  # get status of cylance service
  /opt/cylance/config_defaults.txt  # installation defaults (required)

=== Installation ===

  # First, create the installation defaults file: /opt/cylance/config_defaults.txt
  InstallToken=<_REDACTED_>
  SelfProtectionLevel=2
  LogLevel=2
  VenueZone=<_REDACTED_>
  UiMode=2
  
  # Install Dependencies on Ubuntu
  apt update
  apt install libxml2-utils make gcc bzip2 linux-headers-generic
  
  # Install Application on Ubuntu
  dpkg -i cylance-protect.1604.x86_64.deb
  
  # Install Dependencies + Application on CentOS 7
  yum install zlib CylancePROTECT.el7.rpm
  
  # Register Installation w/ Cylance Console
  /opt/cylance/desktop/cylance -r <_REDACTED_>

==== Active Directory ====

=== Join via 'Realm' ===

  # Install Required Dependencies (RHEL/CentOS)
  yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python
  
  # Install Required Dependencies (Debian/Ubuntu)
  apt -y install realmd oddjob oddjob-mkhomedir adcli samba-common-bin libnss-sss libpam-sss sssd sssd-tools packagekit
  
  # Join to Domain
  realm join --user=<_ADMIN_USER_>@<_USER_AD_DOMAIN_> <_AD_DOMAIN_SERVER_>
  realm list  # confirm proper join
  
  # Fix /etc/sssd/sssd.conf by uploading the correct copy
  /etc/sssd/sssd.conf  # upload correct copy
  systemctl restart sssd  # restart sssd service
  
  # Test access (should show AD groups)
  id <_AD_USER_>
  
  # Ubuntu Systems Only
  pam-auth-update  # make sure 'create home directory on login' is checked
  dpkg-reconfigure gdm3  # fix login loop issue for GUI

Resources: [[https://www.linuxtechi.com/integrate-rhel7-centos7-windows-active-directory/|Join CentOS 7 to AD]], [[https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/|Join Ubuntu 20 to AD]], [[https://letsfoss.com/ubuntu-login-loop-fix/|Ubuntu Login Loop Fix]]

=== Leave via 'Realm' ===

  # Leave the Domain
  realm leave <_AD_DOMAIN_> -U '<_USER_AD_DOMAIN_PREFIX_>\<_ADMIN_USER_>'

Resources: [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/realmd-ad-unenroll|Removing a System from a Domain]]

=== Restrict Access by AD Group ===

Modify ''/etc/sssd/sssd.conf'' with the following...

  [domain/<_AD_DOMAIN_>]
  access_provider = simple  # required
  simple_allow_groups = group1, group2  # group(s) to allow
  simple_deny_groups = group3  # group(s) to deny
  
  [domain/<_USER_AD_DOMAIN_>]
  access_provider = simple  # required
  simple_allow_users = user1, user2  # user(s) to allow [DOES NOT WORK, 1/25/23]
  simple_deny_users = user3  # user(s) to deny [DOES NOT WORK, 1/25/23]

**Note:** Because user specific allow/deny isn't working, it's best to use AD groups to allow/deny in the interim.

==== Qualys Cloud Agent ====

=== General ===

  systemctl start qualys-cloud-agent  # start qualys service
  systemctl stop qualys-cloud-agent  # stop qualys service
  systemctl restart qualys-cloud-agent  # restart qualys service
  systemctl status qualys-cloud-agent  # get status of qualys service

=== Installation ===

  # Install Application on Ubuntu
  apt update
  sudo dpkg --install QualysCloudAgent.deb
  sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=<_REDACTED_> CustomerId=<_REDACTED_>
  
  # Install Application on CentOS 7
  sudo rpm -ivh QualysCloudAgent.rpm
  sudo /usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=<_REDACTED_> CustomerId=<_REDACTED_>

==== ULimit ====

:!: This does not seem to work very well on RHEL/CentOS 7 systems. Please use cgroups instead.
  /etc/security/limits.conf  # adjust soft/hard limits for system resources

Resources: [[https://linux.die.net/man/5/limits.conf|limits.conf Manual]], [[https://access.redhat.com/solutions/61334|How to set ulimit values]]

==== XRDP ====

  # Install XRDP on CentOS 8 (Rocky/AlmaLinux/RHEL)
  dnf groupinstall "Server with GUI"  # install system GUI
  dnf install epel-release  # install pre-requisites
  dnf install xrdp  # install xrdp
  systemctl enable xrdp  # enable xrdp service
  systemctl start xrdp  # start xrdp service
  firewall-cmd --add-port=3389/tcp --permanent  # open firewall port for RDP (3389)
  firewall-cmd --reload  # reload firewall
  
  # Install XRDP on Ubuntu 20/22
  apt update  # update package manager
  apt install ubuntu-desktop  # install system GUI
  apt install xrdp  # install xrdp
  systemctl status xrdp  # check if xrdp service is running
  adduser xrdp ssl-cert  # add xrdp user to ssl-cert group
  ufw allow 3389; ufw reload; ufw status  # open firewall port for RDP (3389), reload

Resources: [[https://vitux.com/centos-desktop-rdp-xrdp/#:~:text=To%20connect%20through%20Centos%208,password%20and%20click%20on%20Ok.|CentOS 8 Remote GUI with RDP]], [[https://linuxize.com/post/how-to-install-xrdp-on-ubuntu-20-04/|Install XRDP on Ubuntu]]

==== Disk Quotas ====

  /dev/sdbX /DIR ext4 defaults,usrquota,grpquota 0 0  # edit /etc/fstab, add 'usrquota' & 'grpquota' to mount, reboot
  quotacheck -um /DIR  # create user quota config
  quotacheck -gm /DIR  # create group quota config
  quotaon -uv /DIR  # enable user quota
  quotaon -gv /DIR  # enable group quota
  quotaon -ap  # show on/off status
  edquota -u USR  # edit quota for user USR
  edquota -g GRP  # edit quota for group GRP
  repquota -asu  # show user quota report/status
  repquota -asg  # show group quota report/status

Resources: [[https://www.server-world.info/en/note?os=CentOS_6&p=quota|Set Disk Quota, EXT4]], [[https://www.server-world.info/en/note?os=CentOS_7&p=quota|Set Disk Quota, XFS]]

==== Docker ====

=== CentOS 7/8: Install Docker ===

  yum install -y yum-utils  # install utils
  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo  # install repo
  yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin  # install docker

Resources: [[https://docs.docker.com/engine/install/centos/|Install Docker on CentOS]]

=== General ===

  systemctl start docker  # start docker service
  systemctl stop docker  # stop docker service
  systemctl restart docker  # restart docker service
  systemctl status docker  # get status of docker service
  docker run hello-world  # test if docker is working
  docker compose up  # run all dockers listed in ./docker-compose.yml
  docker compose up -d  # same as previous but runs in the background
  docker compose down  # stop all dockers listed in ./docker-compose.yml
  docker ps -a  # see status of all containers, get container id
  docker stats  # show performance statistics of all containers
  docker stop MYAPP  # kill container MYAPP gracefully (can use id or name)
  docker compose pull  # pull updated containers (will recreate containers on next 'compose up')

==== CGroups ====

  # Install cgroups
  yum install libcgroup libcgroup-tools
  
  # Enable Services
  chkconfig cgconfig on
  chkconfig cgred on
  
  # Control Services
  systemctl status cgconfig  # service that does the actual controlling
  systemctl status cgred  # service that decides how to apply controls
  systemd-cgtop  # see which cgroups are running and their resources
  
  # Configure
  /etc/cgconfig.conf  # Default configuration - do not edit
  /etc/cgconfig.d/cpu_cap.conf  # Custom configuration (can be named anything)
  /etc/cgrules.conf  # Apply specific cgconfig rules to specific users/processes

Resources: [[https://www.redhat.com/en/blog/world-domination-cgroups-part-5-hand-rolling-your-own-cgroup|Hand rolling your own cgroup]]

==== GIT ====

  [working dir] -> git add -> [staging area] -> git commit -> [repository]
        |                            |                            |
        |                            |                         git log
        |                            |             (shows files tracked in repo)
        |                            |
        |                        git status
        |                 (shows what's in staging)
     git diff
  (shows changes between working & staging)

  git --version  # show current installed version of git
  git init  # create repo in current directory
  git add FILE  # add FILE to repo
  git commit -m "MSG"  # commit repo, add MSG as description
  git diff  # show differences since last commit
  git log  # see change log
  git status  # see status of files (between add and commit)
  git branch  # see branches
  git branch BRCH  # create branch named BRCH
  git checkout BRCH  # switch to branch BRCH
  git config --global user.name NAME  # set author name to NAME
  git config --global user.email EMAIL  # set author email to EMAIL
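
The SSH //Log Analysis// pipelines earlier on this page read the address or username from a fixed ''awk'' column, which shifts when the timestamp is a single ISO 8601 field, when the username is empty, or when the login used a key instead of a password. The script below is an added example, not part of the original guide; it anchors on the ''from ADDR port'' tokens instead and goes slightly beyond the page's pipelines by also covering publickey logins. The function names ''ssh_log_report'' and ''make_sample_log'' and every sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events without fixed awk columns.

# Constructed sample lines (documentation address ranges), mixing the classic
# syslog timestamp with a single-field ISO 8601 timestamp.
make_sample_log() {
cat <<'EOF'
Jan 25 10:01:02 web1 sshd[1001]: Invalid user admin from 203.0.113.7 port 40022
Jan 25 10:01:04 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 25 10:01:09 web1 sshd[1002]: Failed password for root from 203.0.113.7 port 40030 ssh2
Jan 25 10:02:11 web1 sshd[1003]: Invalid user  from 198.51.100.23 port 51234
Jan 25 10:03:00 web1 sshd[1004]: Accepted password for alice from 192.0.2.10 port 50111 ssh2
2023-01-25T10:04:00.123456+00:00 web1 sshd[1005]: Accepted publickey for bob from 192.0.2.11 port 50112 ssh2: ED25519 SHA256:CONSTRUCTED
2023-01-25T10:05:00.123456+00:00 web1 sshd[1006]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 25 10:06:00 web1 sshd[1007]: Received disconnect from 203.0.113.7 port 40030:11: Bye Bye [preauth]
Jan 25 10:07:00 web1 CRON[2000]: pam_unix(cron:session): session opened for user root
EOF
}

# usage: ssh_log_report failed|invalid|accepted LOGFILE
# Prints "COUNT KEY" lines, highest count first.
#   failed   -> KEY is the source address of "Failed password" lines
#   invalid  -> KEY is the username of "Invalid user" lines
#   accepted -> KEY is "USER ADDRESS METHOD" of successful logins
ssh_log_report() {
    awk -v mode="$1" '
        # Index of the source address: the field between "from" and "port".
        # Scanned right to left because the username is client-supplied text
        # that sshd logs before the real address.
        function ip_field(    i) {
            for (i = NF - 1; i > 1; i--)
                if ($(i - 1) == "from" && $(i + 1) == "port") return i
            return 0
        }
        $0 !~ / sshd\[[0-9]+\]: / { next }      # skip other daemons (cron, sudo, ...)
        { f = ip_field(); if (!f) next }        # skip sshd lines with no peer address
        mode == "failed" && /: Failed password for / { n[$f]++ }
        mode == "invalid" && /: Invalid user / {
            # An empty username leaves "user" directly before "from";
            # a fixed column would report the word "from" as the username.
            name = ($(f - 2) == "user" && $(f - 3) == "Invalid") ? "<empty>" : $(f - 2)
            n[name]++
        }
        mode == "accepted" && /: Accepted (password|publickey) for / {
            n[$(f - 2) " " $f " " $(f - 4)]++    # user, address, method
        }
        END { for (k in n) print n[k], k }
    ' "$2" | LC_ALL=C sort -k1,1nr -k2
}

# Demo run on the constructed sample.
sample=$(mktemp) && make_sample_log > "$sample"
for m in failed invalid accepted; do
    echo "== $m"
    ssh_log_report "$m" "$sample"
done
rm -f "$sample"
```

To use it on a live system, point it at ''/var/log/secure'' (CentOS/RHEL) or ''/var/log/auth.log'' (Ubuntu/Debian), for example ''ssh_log_report failed /var/log/secure''.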