Skip to content

Instantly share code, notes, and snippets.

@mbodo
Last active October 15, 2018 21:24
Show Gist options
  • Save mbodo/f55b38a1d54d278a82b8db7d1542ade2 to your computer and use it in GitHub Desktop.
Save mbodo/f55b38a1d54d278a82b8db7d1542ade2 to your computer and use it in GitHub Desktop.

LPI-1 102 Notices

Topic 105: Shells, Scripting and Data Management

Topic 106: User Interfaces and Desktops

Topic 107: Administrative Tasks

Topic 108: Essential System Services

Topic 109: Networking Fundamentals

Topic 110: Security

105.1 Customize and use the shell environment

  • Working with shell

    • ash, bash, csh, ksh, tcsh, zsh
    • shell for user is specified in /etc/passwd
    • special shells
      • /bin/false, returns non zero error code, block user to login
      • /sbin/nologin, blocks user to login, infor with message
  • Environment variables

    • variable in bash can be upper or lowercase, with letters, numbers, _
    • by convention
    • spaces could by escaped, e.g
      • FOO="BAR BAR"
      • FOO=BAR\ BAR
    • variable scope
      • gen.sh
        #!/bin/bash
        
        cat > gen_test.sh <<EOF
        #!/bin/bash
        
        echo "It's foo=\$FOO"
        
        exit 0
        EOF
        
        if [ -e gen_test.sh ]; then
          chmod -v 0755 gen_test.sh
        fi
        
        exit 0
        
      • get_test.sh
        #!/bin/bash
        
        echo "It's foo=$FOO"
        
        exit 0
        
      • get_test.sh command starts a child process
        FOO="bar"
        
        ./gen_test.sh
        
        $ It's foo=
        
      • export, marks variable to be available to child process
        export FOO="bar"
        
        ./gen_test.sh
        
        $ It's foo=bar
        
      • setting variables from child process, with source
        config.sh
        
        FOO="bar"
        
        #!/bin/bash
        
        source ./config.sh
        
        echo "It's foo=$FOO"
        
        exit 0
        
      • setting variables from child process, with period
        #!/bin/bash
        
        . ./config.sh
        
        echo "It's foo=$FOO"
        
        exit 0
        
      • setting, unsetting variables
        • unset
          FOO="bar"
          echo $FOO
          bar
          unset FOO
          echo $FOO
          
          
        • set, enable/disable shell features
          #!/bin/bash
          
          set -x
          
          FOO="bar"
          
          echo "It's foo=$FOO"
          
          set +x
          
          exit 0
          
          Output:
          
          + FOO=bar
          + echo 'It'\''s foo=bar'
          It's foo=bar
          + set +x
          
          set -x print each execution line in script until set +x, this disable the shell script debug
          
        • noclobber
          #!/bin/bash
          
          echo "first" > out.txt
          echo "second" > out.txt
          
          set -C
          
          echo "third" > out.txt
          
          set +C
          
          echo "fourth" > out.txt
          
          set -o noclobber
          
          echo "fifth" > out.txt
          
          set +o noclobber
          
          echo "sixth" > out.txt
          
          echo "Final output: \n"
          cat out.txt
          
          exit 0
          
        • set as possitional parameters
          set x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11
          echo $1
          x1
          echo ${11}
          x11
          
  • Subshell

    • call of subshell
      #!/bin/bash
      
      echo "Parent shell $BASH_SUBSHELL pid $$"
      FOO="bar"
      echo "Parent shell FOO: $FOO"
      
      echo "Executing subshell command: "
      (echo -n "Before FOO: $FOO ";FOO="baz";echo -n "| After FOO: $FOO "; echo -n "| Inside the subshell $BASH_SUBSHELL "; echo $$)
      echo "Parent shell FOO, after subshell command: $FOO"
        
      exit 0
      
    • env
      wipes environment first
        
      env -i 
        
      e.g
        
      env -i sh -c 'echo $PATH'
        
      Output:
      /usr/local/bin:/usr/bin
        
      env sh -c 'echo $PATH'
        
      Output:
      /usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/walrus/.local/bin:/home/walrus/bin
      
  • Global/User settings

    • Login shell, when login to system
      • /etc/profile
      • /etc.profile.d/ -~/.bash_profile, if not exists shell looks at ~/.bash_login, ~/.profile -convetion that inside a ~/.bash_profile a ~/.bashrc is source-d
    • Logout
      • ~/.bash_logout, use clean to wipeout screen
    • No-Login shell
      • when started terminal in graphical session, root call su some_user
      • only ~/.bashrc is source-d
      • after exit no ~/.bash_logout are source-d
    • PATH
      • series of directories separted by colon |:|
      • add instead of replacing
        export PATH=$HOME/bin:$PATH
        
      • expand implicit check for current directory
        export PATH=$PATH:. - little bit dangerous, possibly shadowing e.g /usr/bin/cat to /tmp/cat etc
        
    • alias
      ~/.bashrc
      
      alias ls="ls -lh"
      alias one="echo $1 $2 $$ $0"
      
      source ~/.bashrc
      
      one X1 X2
      
      Output:
      
      1928 -bash X1 X2 X3
      
    • functions
      function name() { commands }
      
    • PS1
      PS1='| \h@\u > \w |\$'
      
      \$ - effective UID is 0, than # else $
      

Links:

105.2 Customize or write simple scripts

  • Running script

    • #!/bin/bash
    • bash test.sh
  • Managing scripts

    • system wide /usr/local/bin
    • output of another command
      test.sh
      
      #!/bin/bash
      
      while true; do
        echo $'Going to sleep \n'
        sleep 60
        echo $'\nWake up \n'
      done
      
      ./test.sh
      
      get commad PID:
      
      with $()
      PID=$(ps -ef | grep -i --color "[t]est.sh" | head -n 1 | awk '{ print $2 }')
      
      echo $PID
      3356
      
      with ``
      PID_APS=`ps -ef | grep -i --color "[t]est.sh" | head -n 1 | awk '{ print $2 }'`
      
      echo $PID_APS
      3356
          
      kill -15 $PID
      
  • Shell scripts commands

    • Numeric expressions

      • math in shell, an expression must be inside $(()) parenthesis
        test.sh
        
        #!/bin/bash
        
        echo $((1 + 2))
        
        exit 0
        
        ./test.sh
        
        3
        
      • bash only works with integer, to interpret decimal positions bass heeds tool bc
        test.sh
        
        #!/bin/bash
        
        RADIUS=3
        
        echo "3.14 * $RADIUS ^ 2" | bc
        
        exit 0
        
        ./test.sh
        
        28.26
        
    • Conditionals

      test.sh
      
      if date; then
        echo "It's worked"
      elif date; then
        echo "It'works again"
      else
        echo "Not worked"
      
      exit 0
      
      ./test.sh
      It's worked
      
      Modify:
      
      if de; then
        echo "It's worked"
        
      ./test.sh
      It'works again
      
      Modify:
      
      if dte; then
        echo "It's worked"
      elif dte; then
        echo "It'works again"
      
      ./test.sh
      Not worked
      
    • Testing files

      test.sh
      
      #!/bin/bash
      
      if [[ -e ~/.bashrc ]]; then
        echo ".bashrc file exist"
      fi
      
      exit 0
      
      ./test.sh
      .bashrc file exist
      
      • Pitfalls
        Correct:
        if[[ -e ~/.bashrc ]]; then
        
        Wrong:
        if[[ -e ~/.bashrc ]]; then
        if [[-e ~/.bashrc ]]; then
        if [[ -e ~/.bashrc]]; then
        
    • Testing files

      test.sh
      
      #!/bin/bash
      
      if [[ -e ~/.bashrc ]]; then
        echo ".bashrc file exist"
      fi
      
    • Testing strings

      • z zero length string
      • n nonzero length string
        test.sh
        
        #!/bin/bash
        
        echo -n "How old are you: "
        read AGE
        
        if [[ -z $AGE ]]; then
          echo "You did't write your age"
        elif [[ -n $AGE ]]; then
          echo "Your age is $AGE"
        fi
        
        ./test.sh (test -z)
        
        How old are you: 
        You did't write your age
        
        ./test.sh (test -n)
        
        How old are you: 100
        Your age is 100
        
      • string equality is tested with single equals sign (=), not equal (!=)
        test.sh
        
        #!/bin/bash
        
        if [[ 'test.sh' = $(basename $0) ]]; then
          echo "It's our script: $(basename $0)"
        fi
        
    • Testing integers

      • eq,ne,ge,le,gt,lt
      # input is not checked, suppose it will be number
      echo -n "Write one number: "
      read NUMBER
      
      if [[ $NUMBER -eq 10 ]]; then
        echo "It's 10"
      elif [[ $NUMBER -ne 10 ]]; then
        echo "Not equal 10. It's $NUMBER"
      fi
      
      if [[ $NUMBER -ge 10 ]]; then
        echo "Greater or equal 10. It's $NUMBER"
      fi
      
      if [[ $NUMBER -le 10 ]]; then
        echo "Lower or equal 10. It's number $NUMBER"
      fi
      
      if [[ $NUMBER -gt 10 ]]; then
        echo "Greater than 10. It's number $NUMBER"
      elif [[ $NUMBER -lt 10 ]]; then
       echo "Lower then 10.  It's number $NUMBER"
      fi
      
      exit 0
      
    • Combining multiple tests

      • single bracket conditions AND (-a), OR (-o)
        test.sh
        
        #!/bin/bash
        
        NUMBER=10
        
        if [ $NUMBER -ge 10 -a -f ~/.bashrc ]; then
          echo "Single bracket AND condition is met."
        else
          echo "Single bracket AND condition is not met."
        fi
        
        NUMBER=0
        
        if [ $NUMBER -ge 10 -o -f ~/.bashrc ]; then
          echo "Single bracket OR condition is met."
        else
          echo "Single bracket OR condition is not met."
        fi
        
        exit 0
        
      • double bracket conditions AND (&&), OR (||)
        test.sh
        
        #!/bin/bash
        
        NUMBER=10
        
        if [[ $NUMBER -eq 10 && -f ~/.bashrc ]]; then
          echo "Double bracket condition is met."
        else
          echo "Double bracket condition is not met."
        fi
        
        exit 0
        
      • double bracket multiple conditions [[ COND1 && ( COND2 || COND3 ) ]]
        test.sh
        
        #!/bin/bash
        
        NUMBER=10
        SECOND=0
        
        if [[ ($NUMBER -ge 10 && $SECOND -eq 0) && -f ~/.bashrc ]]; then
          echo "Double bracket multiple condition is met."
        else
          echo "Double bracket multiple condition is not met."
        fi
        
        exit 0
        
    • Combining multiple tests

        • matches everything
      • statement is terminated with ;;
      • whole case with esac
      • after first match stops
      test.sh
      
      #!/bin/bash
      
      echo -n "Which distro you use: "
      read DIST
      
      case $DIST in:
        ubuntu | debian)
          echo "It's $DIST"
          ;;
        rhel | centos)
          echo "It's $DIST"
          ;;
        *)
          echo "Never heard about it"
       esac
      
    • Loops

      • for, for in list; do statement; done
        test.sh
        
        #!/bin/bash
        
        echo -n "Rename from:"
        read FROM
        
        echo -n "Rename to:"
        read TO
        
        for file in *.$FROM; do
          new_name=$(echo $file | sed "s/$FROM$/$TO/")
          echo "New name: $new_name"
        done
        
        exit 0
        
        ./test.sh
        Rename from: TXT
        Rename to: PDF
        
      • sequences
        seq 1 6
        1
        2
        3
        4
        5
        6
        
        seq 1 3 10
        1
        4
        7
        10
        
        seq -w 1 5 10
        01
        06
        - because of 10, with seq -w 1 2 9 it won't worked, it will be 1 3 5 7 9
        
        oneliner:
        for i in $(seq -w 1 10); do echo $i; done
        
      • while
        test.sh
        
        #!/bin/bash
        
        STOP=5
        COUNT=0
        
        while [[ $COUNT -lt $STOP ]]; do
          COUNT=$(( $COUNT + 1 ))
          echo "Actual: $COUNT"
        done
        
        exit 0
        
      • until, opposite to while or while [[ ! condition ]]; do statement; done
        test.sh
        
        #!/bin/bash
        
        if [[ -f ~/done.txt ]]; then
          rm -v ~/done.txt
        fi
        
        until [[ -f ~/done.txt ]]; do
          sleep 10
          set -x
          touch ~/done.txt
          set +x
        done
        
        exit 0
        
    • returning error code

      # successfull
      exit 0
        
      # error
      exit 1
      
    • arguments

      test.sh
      
      #!/bin/bash
      
      echo "Current number of arguments: $#"
      
      until [[ $# -eq 0 ]]; do
        echo "Arg: $1"
        echo "Before shift: $#"
        shift
        echo "After shift: $#"
      done
      
      exit 0
      
      ./test.sh one1 two2 three3 four4
      
    • exec

      • normaly when shell call another function a bash fork itself to parent(bash itself) and child process (identical copy of parent bash) child the executes ls command, replacing itsef with ls, parent(bash) waits until ls exits and returns a shell
      • exec call replace a current shell session in memory and after exec finish a control is returned to the shell called the script and not continue with next command in script (in e.g echo "Current shell after exec sleep 2 s") so echo "Current shell after exec sleep 2 s" call never happend
      test.sh
      
      #!/bin/bash
      
      echo "Current shell, exec to sleep"
      exec sleep 2
      echo "Current shell after exec sleep 2 s"
      
      exit 0
      

Links:

107.1 Manage user and group accounts and related system files

  • User Accounts

    • User ID (UID)

    • Group ID (GID)

    • kernel < 2.6 support up to 65,536 users and groups

    • kernel > 2.6 support up to 4,294,967,296 users and groups

    • association between UID and user /etc/passwd

    • association between GID and group /etc/group

    • to log user into system, user entry in /etc/passwd must exist

    • /etc/passwd

      • entries range 0..499
      • 0 root user
      • 1 bin user, sytem binaries, nonlogin accounts
      • 48 apache user
      • 99 nobody, annonymous access on FTP and HTTP servers, maps root to apttempt NFS access
      /etc/passwd
      
      tux:x:500:100:Tux penguin:/home/tux:/bin/bash
      
      tux         - user name, 8 or fewer characters, should be lowercase
      x           - mark that password ist stored in /etc/shadow
      500         - UID
      100         - primary group, all the file objects created by user will have this group
      Tux penguin - GECOS (GE Common Operating System), could be blank, comment or full name
      /home/tux   - absolute path to user home directory
      /bin/bash   - define login shell
      
    • getent - displays entries from databases supported by the Name Service Switch libraries, configured in /etc/nsswitch.conf

      /etc/nsswitch.conf
      
      passwd:   files nis
      shadow:   files nis
      
    • Special Login Files:

      • /bin/false - when user's shell set to (replace, /bin/bash for e.g), user cannot log in, system accounts
      • /etc/nonlogin - when user's shell set to, attempt to login generate, account is unavailable and exits with nonzero exit code
      • /etc/motd - displays the /etc/motd after successful login
      • .hushlogin - placed in user's home directory, changes the login process, e.g does not perform motd, last login info
      • /etc/login.defs - defines defaults for users created by useradd cmd, mail, password complexity, UID, GID min - max, .etc
      • /etc/securetty - specifies where the root user is allowed to log in (e.g tty1,tty2), if not exists root can log from any location
      • /etc/usertty - set parameters for login locations, days, times, systems to user can connect from, used only if no PAM
  • Group Accounts

    • Primary - appears in /etc/passwd file, user doesn't have to be listed as member in /etc/group, the GID in /etc/passed is complementary
    • Secondary - user's name appear as last field in /etc/group, user is a member of group, access to object which group owns
    • /etc/group ordinary GIDs:
      • 0 - root group
      • 1 - bin group, similar to bin user account
      • 100 - regular group, ownership to objects all regular useres should have
      • wheel - compatibility with BSD systems, used to create "administration group", for sudo usage
      users:x:100:tux,walrus
      
      users      - name, 8 characters and should be lowercase
      x          - like /etc/shadow, group passwords in /etc/gshadow
      100        - GID
      tux,walrus - secondaty group members, no spaces are allowed, comma(,) separated
      
    • UPG (user private group) - when no primary group is assigned to users during a account creation a primary group with same name and GID (equal to UID) is created, if the GID is not available a next incremented values is used, Red Hat base distro features, Debian base do not use this feature rather assign newly created user primary group to users(100)
    • chgrp - change a group of file
      chgrp staff /somefolder
      
      Change group of folder and subfiles to "staff"
      chgrp -hR staff /somefolder
      
    • newgrp - opens a new shell with temporary changed user primary group, user must by member of that group, exit exits temporary shell and assign the original primary group
      User tux:
      uid=500(tux) gid=500(tux) groups=100(users)  - (UPG, Red Hat see uid and gid)
      
      newgrp users
      uid=500(tux) gid=100(users) groups=100(users) - temporary switch GID
      
    • gpasswd - assign password to group, if password has been assigned, then newgrp require password, even user is a member of that group
  • Account add/modify/delete

    • useradd
      useradd tux
      
      - Red Hat based: create same name and group, create same UID and GID, assign GID as primary group, create /home/tux,
                       copy /etc/skel
      - Debian based: create user name, create UID, set GID to users (GID=100), no home dir
      
      to do the same in Debian based as in Red Hat:
      
      useradd -m -d /home/tux -k skel -g 100 -u 1025 tux
      
      - c GECOS, comment
      - d home-dir HOME_DIR
      - D useradd defaults (defined in /etc/default/useradd)
      - e sets account expiration date, after that date account is disabled
      - f num of days the password reach its max. life, user able to log in, but need to change password
      - g GID of user's primary group
      - G list of secondary groups
      - k skel SKEL_DIR (/etc/skell)
      - m create home
      - o non-uniqe UID
      - u UID user's id
      - s full path to user login shell
      
    • modify useradd defaults
      useradd -D -s /bin/zsh
      
      cat /etc/default/useradd
      ...
      SHELL=/bin/zsh
      
    • /etc/skel usetadd
      ls -la /etc/skel
      
      -rw-r--r--.  1 root root   18 Apr 10 20:53 .bash_logout
      -rw-r--r--.  1 root root  193 Apr 10 20:53 .bash_profile
      -rw-r--r--.  1 root root  231 Apr 10 20:53 .bashrc
      
      
      useradd -m tux
      
      ls -la /home/tux
      
      -rw-r--r--.  1 root root   18 Apr 10 20:53 .bash_logout
      -rw-r--r--.  1 root root  193 Apr 10 20:53 .bash_profile
      -rw-r--r--.  1 root root  231 Apr 10 20:53 .bashrc
      
      
    • customized skel template
      /etc/skel/custom
      |-.bashrc
      |-.bash_profile
      |-.bash_logout
      |- walrus.txt
       
      useradd -m -k /etc/skel/custom walrus
       
      ls -la /home/walrus
      -rw-r--r--. 1 walrus walrus  18 Sep 16 13:29 .bash_logout
      -rw-r--r--. 1 walrus walrus 193 Sep 16 13:29 .bash_profile
      -rw-r--r--. 1 walrus walrus 231 Sep 16 13:29 .bashrc
      -rw-r--r--. 1 walrus walrus   0 Sep 16 13:29 walrus.txt  
      
    • groupadd
      groupadd clerks
      
      cat /etc/group
      ...
      clerks:x:1002:
      
      - GID for user is next number after GID_MIN specified in /etc/login.defs
      
    • usermod
      • d change user's home directory, also ownership of the files located in new home have to be changed (e.g chown -R tux:users /home/new_tux)
      • g change primary group, changes which file objects the user has access to
      • G changes the user's secondary group e.g
        id walrus
        
        uid=1001(walrus) gid=1001(walrus) groups=1001(walrus)
        
        usermod -a -G users,clerks walrus
        
        id walrus
        
        uid=1001(walrus) gid=1001(walrus) groups=1001(walrus),100(users),1002(clerks)
        
      • u change's the user's uid, change automatically uid in user's home dir, but not the others, so old UID remain e.g
        as root:
        touch /opt/walrus_stamp.txt
        chown walrus:users /opt/walrus_stamp.txt
        
        ls -l /opt/walrus_stamp.txt
        -rw-r--r--. 1 walrus users 0 Sep 16 15:27 walrus_stamp.txt
        
        cat /etc/passwd
        ...
        walrus:x:1001:1001::/home/walrus:/bin/bash
        
        usermod -u 1003 walrus
        
        cat /etc/passwd
        ...
        walrus:x:1003:1001::/home/walrus:/bin/bash
        
        ls -la /home/walrus
        ...
        -rw-r--r--. 1 walrus walrus 0 Sep 16 13:29 walrus.txt
        
        ls -l /opt/walrus_stamp.txt
        -rw-r--r--. 1 1001 users 0 Sep 16 15:27 walrus_stamp.txt      
        
      • L lock the account, /etc/shadow prefixing the current encrypted password with !
      • U removes a lock on user's account
    • groupmod
      • change GID has a same effect as usermod -u, in this case a GID remain
    • userdel
      • Removes user without his home directory
        ls -la /home/walrus
        ...
        -rw-r--r--. 1 walrus walrus 0 Sep 16 13:29 walrus.txt
        
        userdel walrus
        
        ls -la /home/walrus
        ...
        -rw-r--r--. 1 1003 1001 0 Sep 16 13:29 walrus.txt
        
      • Removes user with his home directory
        userdel -r walrus
        
      • Currently logged user cannot be deleted, attempt to delete the account display a error message
        userdel: user walrus is currently used by process 190909
        
      • To delete currently logged user
        Lock the user first
        usermod -L walrus
        
        Kill user's login shell PID
        kill -9 190909
        
        Then delete the user
        userdel walrus
        
    • Recreate a user
      ls -la /home/walrus
      ...
      -rw-r--r--. 1 1003 1001 0 Sep 16 13:29 walrus.txt
      
      First recreate walrus group with GID 1001
      groupadd -g 1001 walrus
         
      Second user walrus with UID 1003
      useradd -u 1003 -g walrus -d /home/walrus walrus
         
      Note: Files from /etc/skel won't be copied
      
    • groupdel
      Before delete a group:
      1, find if group doesn't have secondary members
      2, isn't primary group for any user account
      3, find all the files/dirs owned by group and assign to another
      
      groupdel clerks
      
  • Shadow suite

    • /etc/passwd without shadow suite
      walrus:&ujw7w9:1003:1001::/home/walrus:/bin/bash
      
      &ujw7w9 - encrypted string
      
    • /etc/passwd with shadow suite
      walrus:x:1003:1001::/home/walrus:/bin/bash
      
      x - replaced encrypted string
      
    • passwords are stored in:
      • /etc/shadow
      walrus:&ujw7w9:17791:0:99999:7:30:17000:
      
      walrus  - login name
      &ujw7w9 - user's encrypted password
      17791   - last change, since January 1, 1970
      0       - minimum, days before password can by changed (0 - immediate)
      99999   - maximum, days before password must be changed (99999, efective 273 years)
      7       - warning, days before password expires due to maximum, with warning displayed
      30      - inactive, days after account expires due to maximum, but user can still log on and change password durin log in
      17000   - expiration date, since January 1, 1970 the date when account will expire
      
      • /etc/gshadow
    • shadow file permissions
      /etc/passwd
      RHEL - rw-r--r-- (644)
      Debian - rw-r--r-- (644)
      
      /etc/shadow
      RHEL - r-------- (400)
      Debian - rw-r----- (640)
      
  • Change password

    • for user itself
      passwd
      
    • as a root for user
      passwd walrus
      
    • d - disables users account, remove password
    • n - min. days password lifetime
    • x - max. days password lifetime
    • w - warning days before password expires
    • i - num. of days account inactive, before it's locked
    • S - shows password info
  • chage

    • m - min. num. of days, before user is able to change password again
    • M - max. num. of days, befor user must change a password
    • d - changed the last password changed value
    • E - expiration date, since January 1, 1970, account will be disabled YYYY-MM-DD
    • I - num. of days inactivity, after account is locked and must be reenabled by root, 0 disables this feature
    • W - mun. of days user must change password with displaying the warning message
  • ulimit user variables, changes are not pernamment, have to be in /etc/bashrc, or /etc/profile

    • c - lim. size core dump
    • d - lim. size user process data
    • f - lim. max. size of files created in shell
    • n - lim. number of open file descriptors
    • t - lim. CPU time for user
    • u - lim. num. of processes user can run
    • v - lim. max. amount of virtual memory
    • a - show limits (lim.)

107.2 Automate system administration tasks by scheduling jobs

  • Cron

    • Daemon crond
    • Job configurator crontab
    • to edit a crontab
      crontab -e
      
    • to display crontab for user
      crontab -l
      
    • to display user's crontab
      as root
      
      crontab -l -u walrus
      
    • crontab format, see crontab.guru
      1.2.3.4.5
      * * * * * command
      
      1. Minute          (0 - 59)
      2. Hour            (0 - 23)
      3. Day             (1 - 31)
      4. Month           (1 - 12)
      5. Day of the week (0 - 7 with 0 and 7 being Sunday)
      
      Special case, day and day of the week is defined (e.g 
      30 5 1 * 1 - job runs 5:30 on the first of the month (defined 3.-rd column) and every monday (defined last column)
      
      * * 1 * 1  - job runs at every minute on the day-of-month 1 and on Monday
      
    • crontab multiple matches
      0 0,12 * * *           - job will run at midnight and noon
      0 0,12 * jun,jul,aug * - job will run at midnight and noon during june, july, august
      
    • crontab with range values
      0 0,12 * jun-aug * - job will run at midnight and noon during june, july, august (same as above)
      5 16-19 * * 8      - job will run at 5 minutes past every hour from 16 through 19
      
    • step values
      * */2 * * *    - every two hours
      */30 * * * *   - every 30 minutes
      * 1-23/2 * * * - every odd numbers
      
    • crontab command format
      0 0 * * * /home/walrus/crotabtest.sh
      
      also valid shell code is accepted
      
      0 0 * * * if [[ -f /home/walrus/garbage.log ]]; then cat /dev/null > /home/walrus/garbage.log; fi
      
      this will clean up garbage.log without delete it
      
    • crontab PATH setup
      • cron doesn't run .bash_profile or .bashrc
        * * * * * env > /home/walrus/crontab.env
        
        cat /home/walrus/crontab.env
        XDG_SESSION_ID=33
        SHELL=/bin/sh
        USER=walrus
        PATH=/usr/bin:/bin
        PWD=/home/walrus
        LANG=en_US.UTF-8
        SHLVL=1
        HOME=/home/walrus
        LOGNAME=walrus
        XDG_RUNTIME_DIR=/run/user/1003
        _=/usr/bin/env
        
      • Avalable variable definitions in crontab
        PATH=/bin:/usr/bin:/usr/local/bin/:/home/walrus/bin
        [email protected]
        SHELL=/bin/zsh
        CRON_TZ="Europe/Berlin"
        * * * * * crontest.sh
        
    • crontab nicknames
      @reboot   - after reboot
      @yearly   - once year at midnight 1 January
      @annually - same @yearly
      @monthly  - midnight on the first of month
      @weekly   - once a week on Sunday at midnight
      @daily    - once a day at midnight
      @hourly   - once a hour, on the hour
        
      this equals:
      0 0 * * * /home/walrus/bin/crontest.sh
      @daily /home/walrus/bin/crontest.sh
      
    • crontab are stored in /var/spool/cron
      [root@localhost ~]# cat /var/spool/cron/walrus
      */2 * * * * /home/walrus/bin/crontest.sh
      
    • system crontabs sar
    • /etc/cron.d, integrating with package management
      • crontab entries per installed packages can be added and removed without affecting shared /etc/crontab
      • contain 6 columns, a column between schedule and command is a user name which should execute the job
        0 1 * * Sun root /usr/bin/connect-check
        
    • convenience crontabs, any of those crontabs garantees only that they will run as declared in crontab.*, but the hour, day .etc are not guaranteed, scripts are placed directly to directories, no need to edit crontab
      • /etc/cron.hourly
      • /etc/cron.daily
      • /etc/cron.weekly
      • /etc/cron.monthly
    • restricting access
      • /etc/cron.allow, /etc/cron.deny normal is have only one of those, otherwise it should lead to confusion
      • /etc/cron.allow - only users in that file cuold edit their own crontab
      • /etc/cron.deny - any user could edit his own crontab, unless is not presented in this file
      • if any of cron.deny, cron.allow exists, only root have an access
      • most linux distribution starts with /etc/cron.deny
  • Anacron

    • made to run jobs daily or less frequently, jobs where precise time doesn't matter
    • advantage over cron is it runs jobs that where scheduled to go when the server is off
    • focuses on when the last time job has been running
    • no command, only /etc/anacrontab
    • job only run under root user
    • max granularity is 1 day
    • can run as daemon, but run from cron itself to check processing jobs
      # /etc/anacrontab: configuration file for anacron
      
      # See anacron(8) and anacrontab(5) for details.
      
      SHELL=/bin/sh
      PATH=/sbin:/bin:/usr/sbin:/usr/bin
      MAILTO=root
      # the maximal random delay added to the base delay of the jobs
      RANDOM_DELAY=45
      # the jobs will be started during the following hours only
      START_HOURS_RANGE=3-22
      
      #period in days   delay in minutes   job-identifier   command
      1       5       cron.daily              nice run-parts /etc/cron.daily
      7       25      cron.weekly             nice run-parts /etc/cron.weekly
      @monthly 45     cron.monthly            nice run-parts /etc/cron.monthly
      
    • run-parts - tool which comes with cron to run each file in the given directory
  • at

    • designed run task once at specific time
    • task jobs are queued up in /var/spool/at as e.g. /var/spool/at/a0007837hjvet9
    • create at command
      at now + 1 min
      > wall "It's night" [Enter]
      > <EOT> [Ctrl + d]
      job 6 at Mon Sep 17 16:12:00 2018
      
      or
      
      echo 'wall "Hey is there a walrus?"' | at now + 1 min
      
    • midnight - 00:00
    • noon - 12:00
    • teatime - 16:00
    • time-of-day - 2:00 p.m or 5 a.m
    • date - 2 pm sep 17
    • now + time - now + 1 min
    • atq - list queued jobs in /var/spool/at
    • atrm - delete queued jobs
    • /etc/at.allow, /etc/at.deny same as cron
  • batch

    • extention of at command, share same man pages
    • used to run jobs not at specifics time but a threshold of system utilization
    • to determine the system utilization, it uses load average, e.g a w command (who)
      [root@localhost ~]# w
      07:43:00 up 2 min,  1 user,  load average: 0.01, 0.02, 0.01
      USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
      root     pts/0    gateway          07:40    4.00s  0.06s  0.04s w
      
                    1.    2.    3.
      load average: 0.01, 0.02, 0.01
      
      1. 1 minute sample
      2. 5 minute sample
      3. 15 minute sample
      
      1.,2.,3. represents the average number, of processes waiting to be run
      
      e.g system with 2 CPU, will high load when all of them are about 2.0
      
    • batch e.g
      /home/walrus/bin/walrustest.sh | batch
      job 18 at Tue Sep 18 08:12:00 2018
      
      atq - should dispaly a scheduled job in queue
      
      or
      
      batch
      at>echo "I am walrus"
      at>Ctrl+d
      job 19 at Tue Sep 18 08:13:00 2018
      
    • to configure utilization average atrun commad is provided (e.g for 1 CPU)
      atrun -l 0.6
      
    • batch jobs are spooled into /var/spool/at as e.g /var/spool/at/b000073639kew038

107.3 Localisation and internationalisation

  • Timezones
    • UTC (Universal Coordinated Time)
    • GMT (Greenwich Mean Time)
    • DST (Dailight saving time)
    • in Linux all timestamps are stored in UTC, system then adds or removes the time zone offset
    • unix store time as seconds since UTC of January 1, 1970
    • date
      Display UTC time:
      date -u
      
      Display custom date:
      date +"%Y-%m-%dT%H:%M:%z"
      
      %z - Time zone offset
      
    • Setting a Time Zones
      • configurations /usr/share/zoneinfo, e.g /usr/share/zoneinfo/Europe/Zurich
      • to change timezone
        ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
        
      • if user is unable to set timezone, it; spossible to override TZ enviroment variable
        export TZ=Europe/Zurich
        
        date +"%z"
        
        +0200
        
    • tzselect, tzconfig, dpkg-reconfigure tzdata
    • Character encoding
      • ASCII
      • ISO-8859
      • UCS-2 (2 byte)
      • UTF-16
      • UTF8, allow 1-6 bytes, 1 because of ASCII compatibility
    • Representing locales
      • language code (ISO 639)
      • country code (ISO 3166)
      • encoding
      locale -a | grep -i --color de_DE
      
      de_DE
      de_DE@euro
      de_DE.iso88591
      de_DE.iso885915@euro
      de_DE.utf8
      
      • fallback locales, C or 8-bit version of ASCII
    • Contents of locale
      • Addresses
      • Collation
      • Measurement
      • Messages
      • Monetary
      • Names
      • Numeric
      • Paper
      • Telephone
      • Time
      • distributed as separate packages to save space, generated through locale-gen
    • Use of locales in Linux
      • gettext library
      • LANGUAGE, when printing a messages
      • LC_ALL, highest priority, even other values are in variables, LC_ALL takes priority
      • LC_XXX, (mean LC_TIME, LC_NUMERIC .etc), could override some locale variable even, LANG contains other
        LANG=en_US.UTF-8
        LC_CTYPE="en_US.UTF-8"
        LC_NUMERIC="en_US.UTF-8"
        LC_TIME="en_US.UTF-8"
        LC_COLLATE="en_US.UTF-8"
        LC_MONETARY="en_US.UTF-8"
        LC_MESSAGES="en_US.UTF-8"
        LC_PAPER="en_US.UTF-8"
        LC_NAME="en_US.UTF-8"
        LC_ADDRESS="en_US.UTF-8"
        LC_TELEPHONE="en_US.UTF-8"
        LC_MEASUREMENT="en_US.UTF-8"
        LC_IDENTIFICATION="en_US.UTF-8"
        LC_ALL=
        
        export LANGUAGE=''
        export LC_MESSAGES=de_DE.utf8
        
        ls -l
        
        Output:
        insgesamt 0
        
    • Conver file encodings
      iconv -c -f ASCII -t UTF8 data.txt > utf8_data.txt
      

108.1 Maintain system time

  • Reasons
    • file timestamps
    • scheduled jobs
    • annotating log entries
    • current time (UTC to local)
    • cryptographic ops. token expiration
  • Clocks
    • hardware clock, separate chip a real-time clock
    • system clock, part of linux kernel (e.g timestamps)
    • driff
  • System clock
    show UTC time
    
    date -u
    
    show from epoch 1.1.1970
    
    date +%s
    
    minimum [MMDDhhmm[[CC]YY][.ss]]
    
    without year:
    
    date 09251030
    
    Tue Sep 25 10:28:00 CEST 2018
    
    with year:
    
    date 092510302014
    
    Thu Sep 25 10:30:00 CEST 2014
    
  • Hardware clock
    • RTC, real time clock on motherboard
    • hwclock, user should be root
      hwclock
      Tue 25 Sep 2018 11:07:56 AM CEST  -0.604595 seconds
      
      -0.604595 seconds - how long between the time the command was started and the clock was read, drift
      
    • /etc/adjtime, if not exists, the synchronization never happened
      0.838229 1537854497 0.000000
      1537854497
      # LOCAL
      UTC
      
      than, hwclock -u
      
    • synchronization
      Write sys. clock to hw. clock:
      
      hwclock -w | hwclock --systohc
      
      Write hw. clock to sys. clock:
      
      hwclock -s | hwclock --hctosys
      
  • NTP
    • Network Time Protocol
    • reference clocks
    • startum 1 servers
    • server that get time from startum 1 servers, called stratum 2 server
    • locally the server are stratum 3 or startum 4
    • nptdate, as a root user, one time synchronization
      ntpdate ntp1.some.net
      
    • aliases
      0.pool.ntp.org
      1.pool.ntp.org
      2.pool.ntp.org
      3.pool.ntp.org    
      
    • ntpd, continual synchronization
    • /etc/ntp.conf
    • if diff is greater then threshold (default 1000s), ntpd will exit and user adjust time manually with ntpdate
    • ntpq
      • peers
      • associations

108.2 System logging

  • syslog
    Severities:
    
    0 | emerg
    1 | alert
    2 | crit
    3 | err
    4 | warn, warning
    5 | notice
    6 | info
    7 | debug
    
    Facilities:
    kern
    user
    mail
    daemon
    auth
    syslog
    lpr
    cron
    authpriv
    local0-7
    
    • klogd, kernel logs, transfered to syslogd
    • /etc/syslog.conf
  • Logrotate

109.1 Fundamentals of internet protocols

  • IP Addresses

    • 32 bits, represented as 4 octets of 8 bits, separated with dot (.)
      192.168.10.100
      11000000.10101000.00001010.01100100
      
  • Networks and hosts

    • subnetting
  • Address classes ranges

    • A - 1-126, permits 16,777,214 host addresses, -2 ID and Broadcast (2^24 - 2)
      Low:  1   = 00000001
      High: 126 = 01111110
      
    • B - 128-191, permits 65,534 host addresses, -2 ID and Broadcast (2^16 -2)
      Low:  128 = 10000000
      High: 191 = 10111111
      
    • C - 192-223, permits 254 host addresses, 2,097,150 Class C networks
      Low:  192 = 11000000
      High: 223 = 11011111
      
    • D - 224-239, reserved for activities as multicast .etc
    • E - 240-254, reserverd for future use
    • 127.0.0.1 loopack, localhost networking
  • Network masks

    • A - 255.0.0.0 or /8, /8 is number of bit representing a network mask
    • B - 255.255.0.0 or /16
    • C - 255.255.255.0 or /24
    • CIDR - Classes Internet Domain Routing
    • default network masks
      11000000.10101000.00001010.00001010 IP
      11111111.11111111.11111111.00000000 Subnet mask
      
  • Gateway

    • e.g when route is not needed and it's possible to send packets directly to hosts
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         192.168.122.1   0.0.0.0         UG        0 0          0 eth0
      192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
      
      so
      
      192.168.122.5 
      
      11000000.10101000.01111010.00000101
      11111111.11111111.11111111.00000000
      
      match both:
      0.0.0.0 /0
      192.168.122.0 /24
      
      kernel choose one with higher network prefix, in this case 192.168.122.0 /24
      
    • e.g when route is needed, network mask doesn't match
      192.168.122.5 
                        |- not match
      11000000.10101000.01111010.00000101
      11111111.11111111.11111111.00000000
      
      192.168.123.5 
                        |- not match  
      11000000.10101000.01111011.00000101
      11111111.11111111.11111111.00000000
      
  • Broadcast address

    Address:           192.168.10.0
    Subnet mask:       255.255.255.0
    Broadcast address: 192.168.10.255
    
  • Custom network mask

  • Additional Protocols

    • IP - Internet Protocol, addressing and comunication between devices on network
    • TCP - Transmission Control Protocol, complemet to IP, focuses on transport of data packages, reliable, preforms error checking
    • UDP - User Datagram Protocol, complement to IP, focuses on transport of data packages, no error checking is performed
    • ICMP - Internet Control Message Protocol, allow network devices, the capability to send error messages. Other typical usage is to perform queries, through ping command if remote system is reachable
    • Common Ports
      • /etc/services
      • 0-1023 ports, well-known ports
      • 1024-49151 ports, registered ports, provided by IANA (Internet Assigned Numbers Authority)
      • 49152-65535 ports, dynamic ports, can't be reserved, use for any purpose
      • 143 - IMAP
      • 161 & 162 - SNMP
      • 389 - LDAP
      • 514 - SYSLOG
  • IPv6 Difference between IPv4:

    • IPv4 is 32-bit, has Dotted Decimal Notation, e.g 192.168.1.33
    • IPv6 is 128-bit has Hexadecimal Notation, e.g 2001:0db8:85a3:0000:0000:8a2e:0370:7334
    • Routing in IPv6 is more efficient
    • Security in IPv6 built in
    • Autoconfigure in IPv6 addresses are assigned dynamically, in IPv4 statically
    • Header in IPv6 more robust and require less processing overhead

109.2 Basic network configuration

  • Viewing IP Information

    • ifconfig
      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet 192.168.XXX.XXX  netmask 255.255.255.0  broadcast 192.168.XXX.255
          inet6 fe80::XXXX:XX:XXXX:XXXX  prefixlen 64  scopeid 0x20<link>
          ether 52:XX:00:XX:XX:XX  txqueuelen 1000  (Ethernet)
          RX packets 3251  bytes 215616 (210.5 KiB)
          RX errors 0  dropped 6  overruns 0  frame 0
          TX packets 424  bytes 37481 (36.6 KiB)
          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
      
      
      • ether - MAC (Media Access Control), 48bit hardware address
      • inet - address assignet to the interface
      • broadcast - broadcast address
      • netmask - network mas
      • RX recieve
      • TX transmit
      • ip *
      • to view all addresses
        ip addr show
        
        1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
         inet 127.0.0.1/8 scope host lo
         valid_lft forever preferred_lft forever
         inet6 ::1/128 scope host 
         valid_lft forever preferred_lft forever
        2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
         ...
        
      • to view only for requested device
        ip addr show dev eth0
        
        eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        ...
        
  • Inteface Configuration

    • Red Hat based (RHEL 6):

      • /etc/sysconfig/network-scripts
      • /etc/sysconfig/network-scripts/ifcfg-eth0
        Static example configuration IPv4:
        
        DEVICE=eth0
        ONBOOT=yes
        BOOTPROTO=static
        IPADDR=192.168.1.20
        NETMASK=255.255.255.0
        GATEWAY=192.168.1.1
        
        Static example configuration IPv6:
        
        IPV6INIT=yes
        IPV6ADDR      =3CAE:XXXX:XXXX:XXXX:XXXX:1111:8901:0002
        IPV6_DEFAULTGW=3CAE:XXXX:XXXX:XXXX:XXXX:1111:8901:0001
        
        DHCP example configuration IPv4:
        
        DEVICE=eth0
        ONBOOT=yes
        BOOTPROTO=dhcp
        
        DHCP example configuration IPv6:
        
        IPV6INIT=yes
        DHCPV6C=yes
        
      • Parameter BOOTPROTO, used as switch between, static or dhcp interface configuration
    • Debian based

      • /etc/network/interfaces
        # /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
        # The loopback interface# automatically added when upgrading
        auto lo eth0
        iface lo inet loopback
        iface eth0 inet static
                address 192.168.1.20
                netmask 255.255.255.0
                network 192.168.20.0
                broadcast 192.168.20.255
                gateway 192.168.20.2
        
    • Viewing and Configuring Gateway Addresses

      route
      netstat -r
      
      Output:
      
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         192.168.XXX.1   0.0.0.0         UG        0 0          0 eth0
      192.168.XXX.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
      
    • Configuring a Default Gateway

      • RHEL based, /etc/sysconfig/network, /etc/sysconfig/network-scripts/ifcfg-eth0
        GATEWAY=10.0.0.1
        
      • Debian based, uses /etc/network/interfaces to set individual interface gateway
      • route
        route add default gw 10.0.0.1
        
      • ip route
        ip route add default via 192.168.1.1 dev eth0
        
    • Local name configuration

      • /etc/hosts
      • /etc/resolve.conf
      • /etc/nsswitch.conf
      • Example:
        cat /etc/hosts
        
        127.0.0.1 localhost
        10.0.0.2  vm1
        
        Resolve request: 
            ping vm1
            
        1. /etc/nsswitch.conf 
           hosts: file dns nis
           
        2. /etc/hosts contains vm1, it matches entry 10.0.0.2
        
        Resolve request: 
            ping donkyekong.com
        
        1. /etc/nsswitch.conf 
           hosts: file dns nis
        2. /etc/hosts doesn't contains donkyekong.com
        3. None is found, /etc/nsswitch.conf is read again, next option is dns
        4. /etc/resolv.conf
           nameserver 10.0.0.1
           nameserver 10.0.1.1
           
           System tries to query each dns until IP is resolved, or no more entries remains
        5. If dns query is successful, system returns resolved IP to client
        6. If dns query fails, than NIS server is queried as a last line in /etc/nsswitch.conf 
        
      • /etc/hostname - fqdn (fully qualified domain name)
      • /etc/networks - Solaris
      • /etc/hosts.conf - similar to /etc/nsswitch.conf, order of resolution sources, /etc/nsswitch.conf overriden it
  • Network Configuration Utilities

    • ifconfig - set and display IP and network mask

      Setup eth0 'if' to communicate on 192.168.22.0 network
      IP: 192.168.33.50
      Netmask: 255.255.255.0
      
      ifconfig eth0 192.168.33.50 netmask 255.255.255.0 up
      
      ip equivalent:
      
      ip addr add 192.168.33.50/24 dev eth0
      ip link set eth0 up
      
    • ifup - bring interface up (e.g. /etc/sysconfig/network-scripts/ifup-eth)

    • ifdown - bring interface down

    • ip - replace multiple commands, like ifconfig, route .etc

    • route - sets host's routing and gateway info

      route ip to loopback device
      
      route add 10.xx.xx.xx lo
      
    • dhcpd, dhclient, pump - init, renew, release client's DHCP assigned address

      dhcpd - DHCP daemon, invoked from startup scripts,
              RHEL   - /etc/sysconfig/network-scripts/ifup-*
              Debian - /etc/network/interfaces
      
      to refresh, re-lease of client address, run
      
      dhcpd -k
      
      dhclient - get DHCP lease, /etc/dhclient.conf, dhclient.leases
      
      to get new lease, run
      
      dhclient
      
      to correctness of lease could be verified by ifconfig, ip command
      
    • host, getent, nslookup, dig - lookup DNS names

      hosts - performs only DNS lookups 
      
      host google.com
      google.com has address 216.xx.xxx.xx
      google.com has IPv6 address 2a00:xxx:xxxx:xxx::xxxx
      google.com mail is handled by 10 aaaa...
      google.com mail is handled by 50 bbbb...
      google.com mail is handled by 30 cccc...
      google.com mail is handled by 40 dddd...
      google.com mail is handled by 20 eeee...
      
      
      getent - /etc/nsswitch.conf, query what is configured in 'hosts:', when you need lookup to both '/etc/hosts', DNS
      
      to lookup for IPv4 and IPv6 address:
      
      getent ahost google.com
      
      172.xxx.xxx.xxx  STREAM google.com
      172.xxx.xxx.xxx  DGRAM  
      172.xxx.xxx.xxx  RAW    
      2a00:xxxx:xxxx:xxx::xxxx STREAM 
      2a00:xxxx:xxxx:xxx::xxxx DGRAM  
      2a00:xxxx:xxxx:xxx::xxxx RAW    
      
      dig - perform only DNS queries, type of records MX, SIG, A, ANY
      
      dig google.com A
      
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59387
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;google.com.                    IN      A
      
      ;; ANSWER SECTION:
      google.com.             291     IN      A       172.xxx.xx.xxx
      
      ;; Query time: 11 msec
      ;; SERVER: 192.xxx.xxx.xxx#53(192.xxx.xxx.xxx)
      ;; WHEN: Sat Sep 22 06:59:18 EDT 2018
      ;; MSG SIZE  rcvd: 55
      
      
    • hostname - view and set fqdn hosts name, (systemd hostnamectl)

      to view fully qualified domain name
      
      hostname --fqdn
      
      linked with:
      
      domainname
      dnsdomainname
      nisdomainname
      ypdomainname
      
    • netstat - networking stats, attached hosts/ports

      to view networking statistic:
      
      netstat -s
      Ip:
        11288 total packets received
        0 forwarded
        0 incoming packets discarded
        10722 incoming packets delivered
        ...
      
      to get a routing table:
      
      netstat -r
      
      Proto Recv-Q Send-Q Local Address           Foreign Address         State      
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
      tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
      
      Proto           - protocol
      Recv-Q          - bytes not yet recieved
      Send-Q          - bytes not yet acknowledged
      Local Address   - local machine addr,port
      Foreign Address - remote end connection
      State           - ESTABLISHED conn. recently active
                      - TIME_WAIT almost done processing packets
                      - LISTEN - socket is a service/daemon waiting for conn.
                      
      ss (socket statistic) replacement for netstat, 
         e.g (get enstablished IPv4 connections with pid(-p), -t (tcp/ip), -n(do not reslove addr))
      
      ss -4 -t -p -n state established
      
    • ping - check if host is alive, ICMP, -n (do not resolve hostnames)

    • ping6 - check if host is alive, IPv6

    • traceroute - determine routing paths to reach remote host, uses 3 UDP packets, first has TTL (Time To Live) 1, decremented when packet reach the first device, when packet TTL = 0, packet expire and the message is send to requester. Next 3 UDP packets with TTL = 2, ... etc - indicated problem or router is configured to note return ECHO_REQUEST

    • tracepath - same as traceroute, but traceroute can be used only by root, tracepath by all users

    • traceroute6, tracepath6 - for IPv6

    • tcpdump - capture packets from network

      capture ssh packets
      
      tcpdump -r tcpdump.out port 22
      
    • /proc/sys/net/ipv4/ip_forward - forwarding traffic betweend different if in system (or routing)

      enable forwarding temporary:
      
      echo 1 > /proc/sys/net/ipv4/ip-forward
      
      to control:
      
      sysctl -a --pattern "ip_forward"
      
      output:
      
      net.ipv4.ip_forward = 1
      

Links:

110.1 Perform security administration tasks

  • su,sudo

    • su
      • non-login, su
      • login, su -, su -l
    • sudo
      • edit sudo configuration with visudo
      • configuration file /etc/sudoers
      • to change editor from default vi to nano
        export EDITOR=nano
        
      • e.g /etc/sudoers
        a root access, defacto
        tux ALL=(ALL)  ALL 
        
        give a tux user rights to restart chronyd service
        tux ALL=(ALL)  systemctl restart chronyd
        
  • Providing services on demand

    • inetd, configuration file /etc/inted.conf
      Service Socket type  Protocol  Sig./Multi thread  User     Server Program       Server Argument
      ------------------------------------------------------------------------------------------
      ftp    |   stream  |   tcp   |     nowait        | root  |  /usr/sbin/in.ftpd  |   in.ftpd
      
      telnet  stream  tcp   nowait  root  /usr/sbin/in.telnetd  in.telnetd
      
    • xined
      • configuration file /etc/xinetd.conf
        defaults
        {        
                # limit nuber of daemon instances
                instances               = 60          
                log_type                = SYSLOG authpriv
                log_on_success          = HOST PID
                log_on_failure          = HOST
                # only allow 25 connection per second, more than maximum cause the service disable for 30s
                cps                     = 25 30
         }
         includedir /etc/xinetd.d       
        
      • include file /etc/xinted.d
        /etc/xinetd.d/telnet
        
        service telnet
        {
                # yes, disable connections
                # no, doesn't disable connections
                disable         = yes
                # port and service accept multiple connection
                flags           = REUSE
                # can also be dgram, raw, seqpacket
                socket_type     = stream
                # wait = yes, single threaded
                # wait = no, multi threaded
                wait            = no
                # user, group, restrict
                user            = root
                # path to daemon program
                server          = /usr/sbin/in.telnetd
                # also log_on_succes, add fwe options to log
                log_on_failure  += USERID
                # timeframe for service
                access_times     =  011:00-13:00
                # list of hostname, IP addresses .etc
                only_from        =  tux
        }
        
      • to enable service guarded by xinetd, chkonfig telnet on, this will change in /etc/xinetd.d/telnet, disable = yes to no
      • changes doesn't required restart of xinted service
      • manually changes to /etc/xinetd.d/telnet, require restarts of xinted daemon
      • to disable service from initiation from xinetd, chkconfig telnet off
      • inetd configuration changes to /etc/inetd.conf requires restart
      • xinetd configuration changes to /etc/xinetd.d files doesn't requires restart, but /etc/xinted.conf yes
  • TCP Wrappers

    • tcpd
    • libwrap.a
    • /etc/hosts.allow, /etc/hosts.deny
      daemons: hosts : option : option
      
      daemon,service 
      - ALL
      - service
      - daemon, daemon
      
      hosts
      - hostname
      - fqdn (e.g some.foo.com)
      - @group NIS
      - 10.1.1.0/255.255.255.0
      - /path/filename
      
    • TCPWrapper read order 1, /etc/hosts.allow, any match skips /etc/hosts.deny file 2, TCP Wrapper files are read each time a service is requested 3, Read is sequential, when there are conflicting entires, the first wins 4, Files hosts.* are read only if they exists, anyway garantie complete access for services
    • Format hosts.allow, hosts.deny 1, deny all by default, in hosts.deny ALL:ALL, specific hosts to hosts.allow 2, allow by default, hosts.allow not needed, banned hosts to hosts.deny 3, mix, both files
    • Using rule options
      service: bannedhost : severity auth.info
      
      • twist, use another program or action to response banned service, replace a curr. process
        /etc/hosts.deny
        
        in.fingerd: ALL : twist /bin/echo "Sorry, get out"
        
      • spawn, allow connect to service, but some action has to be taken, create achild process
        in.telnet: ALL : spawn /bin/echo 'date' from %h | mail tux
        
  • Find file by permissions

    • SUID
      we are looking for -rwsrwx---
      
      find . -perm /4000
      
    • SGID
      we are looking for -rwxrws---
      
      find . -perm /2000
      
    • SUID, SGID
      we are looking for -rwxrws---
      
      find . -perm /6000
      
    • Sticky bit
      find . -perm /1000
      
    • SUID, SGID, Sticky bit
      find . -perm /7000
      
  • GnuPG Keys

    • create keys
      gpg -gen-key
      
    • export the recipient key
      gpg -a -o pub_key_file --export 8i2WB27P
      
    • encrypt file
      gpg -e [email protected] file
      
    • both must be send, decrypted file and exported public key, so recipietn should import it
      gpg --import pub_key_file
      
      and then decrypt a file
      
    • key should be uploaded also from gpg key server
      gpg --keyserver server_URL --send-keys 8i2WB27P
      
    • recipient should then recieve keys
      gpg --recv-keys 8i2WB27P
      
    • then file could be decrypted
      gpg file.gpg
      
  • SSH

    • ssh, used for remote shell sessions
    • scp, remote copying
    • sshd, ssh daemon
    • ssh-agent, wrapper to user's session, provides authentication on request
    • ssh-add, loads a user's key into the ssh-agent
    • configuration files:
      • /etc/ssh/sshd_config - sshd daemon main configuration
      • /etc/ssh/ssh_host_[dr]sa_key - private keys, permission 600
      • /etc/ssh/ssh_host_[dr]sa_key.pub - public keys, permission 644
      • /etc/ssh/ssh_known_hosts - check a public key of hosts, connecting with ssh, permissions 644
      • ~/.ssh/known_hosts - uses's local file, connecting client gets public key of the remote server, permissions 644
      • ~/.ssh/authorized_keys - store for public keys in user's home directory for logging as this user from remote, permissions 600
    • login
      ssh -l tux server_remote
      
      -l to log as specific user, without it tries to log as local user
      
    • log for first time will add host's public key to ~/.ssh/known_hosts
    • scp
      from local:
      
      scp /path/tofile user@server:/path/on/server
      
      from server to server
      
      scp user1@server1:/path user2@server2:/path
      
    • X ssh client
      ssh -X X11 forwarding
      

Links:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment