Sysadmin stuff

Removing large amounts of files

https://unix.stackexchange.com/questions/167823/finds-exec-rm-vs-delete


Check week of the year


date --help

%U week number of year, with Sunday as first day of week (00..53)

%V ISO week number, with Monday as first day of week (01..53)

Add a file to fill disk

fallocate -l 50G file

Ubuntu set service to start at boot

update-rc.d nagios-nrpe-server defaults

Perform a full TCP/UDP nmap scan (takes a while):

nmap -n -PN -sT -sU -p- 192.168.0.1

Login to a site with curl:

curl --user name:password http://somesite.com -v

Find all folders except:

find . -maxdepth 1 -type d ! -name 'CEH*' ! -name 'EC*' ! -name 'CBT*' ! -name 'Cert*' ! -name '.*'

Dig to get all records:

dig yahoo.com ANY +noall +answer

yahoo.com. 1800 IN A 98.138.253.109
yahoo.com. 1800 IN A 206.190.36.45
yahoo.com. 1800 IN A 98.139.183.24
yahoo.com. 86400 IN NS ns6.yahoo.com.
yahoo.com. 86400 IN NS ns4.yahoo.com.
yahoo.com. 86400 IN NS ns2.yahoo.com.
yahoo.com. 86400 IN NS ns5.yahoo.com.
yahoo.com. 86400 IN NS ns3.yahoo.com.
yahoo.com. 86400 IN NS ns1.yahoo.com.
yahoo.com. 1800 IN SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2014070401 3600 300 1814400 600
yahoo.com. 1800 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com. 1800 IN MX 1 mta6.am0.yahoodns.net.
yahoo.com. 1800 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 1800 IN TXT "v=spf1 redirect=_spf.mail.yahoo.com"

Get an alert on user/root login

echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" support@domain.co.za

Mirror site

wget --mirror -p --convert-links -P ./<Local-Folder> website-url

wget -r -p -e robots=off www.domain.com (add -k to convert links)

Calculator

75% of 3750

echo "3750*.75" | bc

Get a MAC address over the network

nmap -v -O --osscan-guess 172.29.21.238 | grep MAC

Check for free IP addresses on a network

nmap -sP 172.29.21.1/24

Break out of stuck SSH shell

There is a way out that doesn’t require opening another terminal to kill the SSH client: press enter, tilde (~), and then period (.), typing each as a separate keystroke. This doesn’t appear to be a well-known feature (perhaps it’s just my poor luck in looking for it), but can be quite a time saver.

Simple tar commands

tar -zcvf me.tar.gz /etc/postfix/

If you wish to extract the files into a particular directory, for example /tmp, use the following:

$ tar -zxvf me.tar.gz -C /tmp

$ cd /tmp

$ ls -lah /tmp

Logrotate

Make sure vixie-cron is installed and started...

cat /etc/logrotate.d/postfix

/var/log/maillog {
    # daily
    size=900M
    rotate 10
    compress
    delaycompress
    notifempty
    create 640 root root
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

http://www.cyberciti.biz/faq/how-do-i-rotate-log-files/

To force a log rotation:

logrotate --force $CONFIG_FILE

SSH Tunnel

ssh -L 902:localhost:902 root@41.181.73.101

Simple Python webserver:

cd /home/somedir

python -m SimpleHTTPServer

Install packages from a file

for line in $(cat packs); do yum -y install $line; done

Checking your iso's

md5sum cs/CentOS-5.5-x86_64-bin-1of8.iso

And compare to the checksum text file

CentOS / RedHat syntax highlighting etc:

yum install vim-enhanced

echo alias vi=vim >> .bashrc

source .bashrc

Mounting a remote machine quickly:

aptitude search sshfs

aptitude install sshfs

sshfs openx.iol:/home/shares/allusers /mnt/share/

mount

ls /mnt/share/

fusermount -u /mnt/share/ (to unmount)

Create SSH key pair:

ssh-keygen -t rsa

cat .ssh/id_rsa.pub

Paste the public key into .ssh/authorized_keys2 on the other machine (vi .ssh/authorized_keys2)

Do on both machines

Show disk usage except a file pattern:

rsync -avP --exclude='dbsrv*' /data/MISC/MySQL/

(with a source and no destination rsync only lists the files and their sizes instead of copying)

Find and replace text in a file:

CLI:

sed -i 's/172.16.20.113/172.16.20.115/g' /etc/hosts

sed 's|/some/UNIX/path|/a/new/path|g' files

VIM:

:%s/172.16.20.113/172.16.20.115/g

Find large files:

yum install ncdu

or

du -sm -- * | sort -g

To exclude a folder:

# du -hd1 --exclude '/sftpdata' /

Find files older than 5 days and delete:

find /path/to/files* -mtime +5 -type f -exec rm {} \;

Find files newer than 5 days and rsync:

find /userdata/squirtle/e/Marketing/ -mtime -5 -type f -exec rsync -avP {} marketing/ \;

Find 1000 pics and copy to a folder:

find fullsize/ -type f | sort | head -1000 | while read -r file ; do cp -- "$file" /mnt/dropfolders/md/ ; done

Clear MBR:

dd if=/dev/zero of=/dev/hda bs=512 count=1

Clear last login / history

> /var/log/wtmp

history -c

Whenever you run the last command on your machine, it shows a list of a particular number of logins along with their IPs and timestamps. This command gets these values from the /var/log/wtmp file. The simplest way to remove the last login IP is to either empty this file or just remove it; it will be created automatically again.

The following command will empty this file:

> /var/log/wtmp

The following command will remove it:

rm -rf /var/log/wtmp

If clearing or removing the above file does not help, then check the /var/log/lastlog file. Clear its contents and you will no longer be able to see last login IP addresses.

Remount / in rw after a a rogue entry in fstab:

mount -n -o remount,rw /

Capture SMTP traffic in readable format:

tcpdump -vv -x -X -s 1500 -i eth1 'port 25'

    • -vv : More verbose output

    • -x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.

    • -X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.

    • -s 1500: Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.

    • -i eth1 : Monitor eth1 interface

Dump traffic from src on specific port

tcpdump -nnvvS -w <some_file> src <client ip> and dst port 80 and tcp

(-w must come before the filter expression, otherwise tcpdump tries to parse it as part of the filter)

Test firewall by flooding a box

hping3 --flood --faster <IP>

Disable PC speaker:

modprobe -r pcspkr

Add the line "blacklist pcspkr" to /etc/modprobe.d/blacklist

Find all email addresses on a Godaddy hosted server:

locate Maildir | grep mailnames | cut -d"/" -f5,6 | uniq > /tmp/addresses

Cat a file without its comment (#) and blank lines:

# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'

Cronjob to find and delete prf files:

30 6 * * * root find /shares/data/ -name 'prf*.tmp' -print0 | xargs -0 rm > /dev/null 2>&1

Delete all files older than 3 days

find . -type f -mtime +3 -exec rm {} \;

Create an ISO image from a CD

# dd if=/dev/cdrom of=/tmp/cdimg.iso

Check motherboard type

dmidecode | head -20

If you have too many files to remove, try this trick:

find . -type f -print0 | xargs -0 rm -v
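The "find files older than N days and delete", the prf*.tmp cron job and the "too many files to remove" one-liners above as one function, as an added example (not from the wiki page). It quotes the name pattern so the shell does not glob it, lets find hand the paths to rm with -exec ... {} + so names with spaces survive, and has a dry-run mode; the demo tree and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: the "find ... -mtime +N ... rm"
# one-liners as one function. Names with spaces survive because the pattern
# is quoted (the shell never globs it) and find hands the paths to rm itself
# with -exec ... {} + instead of piping them through xargs.
# purge_old DIR DAYS PATTERN [dry]: delete regular files under DIR whose name
# matches PATTERN and whose mtime is more than DAYS days old; prints how many
# files matched. With a 4th argument of "dry" it only counts.
purge_old() {
    dir=$1; days=$2; pattern=$3; mode=${4:-delete}
    [ -d "$dir" ] || { echo "purge_old: no such directory: $dir" >&2; return 1; }
    count=$(find "$dir" -type f -name "$pattern" -mtime +"$days" -print | wc -l)
    if [ "$mode" != dry ]; then
        find "$dir" -type f -name "$pattern" -mtime +"$days" -exec rm -f -- {} +
    fi
    echo "$((count))"   # $(( )) strips the padding some wc versions print
}

# demo_purge: constructed tree with an old prf*.tmp file (the only one that
# should go), a fresh prf*.tmp file and an old file with another name.
# Echoes "<matched in dry run> <files left afterwards>".
demo_purge() {
    d=$(mktemp -d)
    touch "$d/prf old.tmp" "$d/prf_fresh.tmp" "$d/keep me.txt"
    # Back-date two files to 1 Jan 2000 so they are well past 5 days old.
    touch -t 200001010000 "$d/prf old.tmp" "$d/keep me.txt"
    matched=$(purge_old "$d" 5 'prf*.tmp' dry)
    purge_old "$d" 5 'prf*.tmp' >/dev/null
    left=$(ls "$d" | wc -l)
    rm -rf "$d"
    echo "$matched $((left))"
}

demo_purge   # prints: 1 2
```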

Lock a user's password / account

usermod -L username

Permanently adding a static route

route add 196.44.1.33 gw 162.49.209.1

Put the route in /etc/sysconfig/static-routes or

Put the route in /etc/rc.local or

Put the route in /etc/sysconfig/network-scripts/ifup-routes

Detecting rootkits

http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-s...

Add your passphrase for future sessions

use ssh-add so you don't have to type it in every time

Mount a CD

insert the cdrom into the drive

Create a mountpoint called /mnt/cd or simply just use an existing mountpoint

mkdir /mnt/cd

mount -t iso9660 -o ro /dev/cdrom /mnt/cd/

Cat a field of a file

cut -d":" -f1 /etc/samba/smbpasswd

(this displays the first field of each line of that file, where the delimiter is a colon)

Shape traffic (upload) and prioritise eg 8001

iptables -t mangle -I PREROUTING -p tcp --dport 8001 -j TOS --set-tos Minimize-Delay

Give a user root access without a password

Add them to the wheel group

edit /etc/pam.d/su

remove the hash from the line: "auth sufficient..."

Getting a Dynamic MMap ran out of room when apt-get on Debian

Add the following line to either /etc/apt/apt.conf or /etc/apt/apt.conf.d/70debconf

APT::Cache-Limit "8388608";

Extract the contents of an RPM

rpm2cpio <package>.rpm | cpio -i [--make-directories]

How many mails has a user received today?

exigrep username /var/log/exim/main.log | grep 2007-05-21 | grep Complet | wc -l

Kernel Update (Centos)

yum update

rpm -qa | grep kernel

yum update kernel kernel-devel kernel-smp

# Check that grub will boot the new kernel:

vi /boot/grub/menu.lst

Crontabs

http://www.tech-geeks.org/contrib/mdrone/cron&crontab-howto.htm

1 of 3 31/07/2008 13:50

Sysadmin stuff - Confluence http://wiki.synaq.com/display/Technical/Sysadmin+st...

Use telnet to view mails waiting to be downloaded

-telnet localhost 110

-enter user and pass (USER name, then PASS password)

-list

-top 1 5 (to see the headers and the first 5 body lines of message 1)

-top 2 10 (to see the headers and the first 10 body lines of message 2)

-top 1 0 (to see only the headers of message 1); retr 1 retrieves the whole of message 1

Check for a mailing virus on a network

tcpdump -tnli eth0 not port ssh and not port smtp and not domain and not http and not https and not imap

Connect to Internet via another Linux machine

* On the other machine:

# service squid start

* On the local machine:

# ssh -L 3128:localhost:3128 root@

* Log in

* Then on the local machine in Firefox:

* Change the connection settings to:

* localhost:3128 - for all services

* And off you go connecting to the internet via the other Linux machine.

* This "host" machine can be ANY machine that has internet connectivity and with squid installed.

The following worked when connected to Nandos viewing the Nessus server web front end:

# ssh -L 8080:172.17.1.111:80 root@nanftp.nandocas.com

Then in your browser, set up connection: directly to internet.

Go to URL: http://localhost:8080

* It can also be done if IP tables are installed with IP & port forwarding.

Add more memory to WIKI JVM

* Log onto support

# vi /usr/local/src/confluence-2.2.9-std/bin/setenv.sh

* -Xms256m is the minimum memory to be used

* -Xmx384m is the maximum memory to be used

* Save the file.

# ps ax | grep java

* Kill the java process

# export JAVA_HOME=/usr/local/src/j2sdk1.4.2_13/

# /usr/local/src/confluence-2.2.9-std/bin/startup.sh

Using the Nokia N73 modem on Linux

http://users.utu.fi/tmwire/nokia_n73_linux.html

Verify NRPE connections

-check commands on target host in nrpe.cfg

-test from the monitor box like so:

/usr/local/groundwork/nagios/libexec/check_nrpe-nossl -t 25 -H 196.15.171.135 -c check_sxservices

Run a script in Debug mode http://www.cyberciti.biz/tips/debugging-shell-script.html

-bash -x script-name

Timestamp HISTORY command (only for bash 3 and above; check with rpm -q bash)

-vi /etc/bashrc

-append to the bottom: export HISTTIMEFORMAT="%h/%d - %H:%M:%S "

Wiki formatting

-Make sure that Main headers are h3. Header with a link in Contents and a link back to Contents and if applicable the customer area

-check this section for code formatting http://wiki.synaq.com/renderer/notationhelp.action?section=advanced

-sub headings should just be in bold

-code samples should be opened and closed with

You can't edit this wiki

On support.synaq

-ps aux | grep java

-kill the confluence java process

export JAVA_HOME=/usr/local/src/j2sdk1.4.2_13/

/usr/local/src/confluence-2.2.9-std/bin/startup.sh

Check squid

# telnet localhost 3128

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

GET http://www.google.co.za HTTP/1.0

enter twice

Set server to shutdown

-at 10pm Sat 12

>halt

>ctrl-D


-atq

-use atrm jobnumber to remove a job

-Remember to schedule downtime on Groundwork so notifications are not sent out

Debian / Ubuntu equivalent chkconfig

apt-get install sysv-rc-conf

sysv-rc-conf --list nrpe

(to see nrpe status)

sysv-rc-conf

(to start an ncurses type view of which services can be started etc)

Lost root passwd

-boot off a live CD (knoppix/ubuntu)

-open a terminal and mount / in /mnt/yourfolder

mkdir /mnt/recover

mount /dev/hda1 /mnt/recover (assuming / partition is on /dev/hda1)

chroot /mnt/recover /bin/bash to get a root shell and be operating on /

passwd to set the new pass

exit (to leave the chroot)

umount /mnt/recover

reboot

Check for duplicate files

find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 -d --all-repeated=separate | cut -c35- >/tmp/dupes.txt
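The duplicate-file one-liner above as a function, as an added example (not from the wiki page), using SHA-256 instead of MD5: the uniq -w width and the cut offset are tied to the digest length (32 for md5sum, 64 for sha256sum), which is the part people get wrong when swapping the hash. The demo tree, with a sub-directory and names containing spaces, is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: the duplicate-file one-liner with
# sha256sum. md5sum lines start with a 32-char digest (uniq -w32, cut -c35-);
# sha256sum lines with a 64-char digest (uniq -w64, cut -c67-), since the
# digest is followed by two spaces and then the path.
# find_dupes DIR: prints every file under DIR whose content is identical to
# another file under DIR; groups of identical files are separated by a blank line.
find_dupes() {
    find "$1" -type f -print0 | xargs -0 sha256sum \
        | sort | uniq -w64 --all-repeated=separate | cut -c67-
}

# count_dupe_files DIR: number of files that have at least one identical twin.
count_dupe_files() {
    n=$(find_dupes "$1" | grep -c . || true)
    echo "$((n))"
}

# demo_dupes: constructed tree with three copies of one file, two of another
# and one unique file. Echoes "<duplicate files> <duplicate groups>".
demo_dupes() {
    d=$(mktemp -d)
    mkdir "$d/sub dir"
    printf 'same content\n' > "$d/a.txt"
    printf 'same content\n' > "$d/sub dir/b.txt"
    printf 'same content\n' > "$d/c copy.txt"
    printf 'other\n' > "$d/x.bin"
    printf 'other\n' > "$d/sub dir/y.bin"
    printf 'unique\n' > "$d/z.txt"
    files=$(count_dupe_files "$d")
    # --all-repeated=separate puts one blank line between groups, none after
    # the last, so groups = blank lines + 1 when anything was found.
    blanks=$(find_dupes "$d" | grep -c '^$' || true)
    groups=$(( files > 0 ? blanks + 1 : 0 ))
    rm -rf "$d"
    echo "$files $groups"
}

demo_dupes   # prints: 5 2
```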

Check for files older that 5 years

find /share/data/ -mtime +1825 > /tmp/data_5yrs_old.txt

Check for and remove prf files:

find /shares/data/ -name 'prf*.tmp' -print0 | xargs -0 rm