Sysadmin stuff
Removing large amounts of files
https://unix.stackexchange.com/questions/167823/finds-exec-rm-vs-delete
Check week of the year
date --help
%U week number of year, with Sunday as first day of week (00..53)
%V ISO week number, with Monday as first day of week (01..53)
Add a file to fill disk
fallocate -l 50G file
Ubuntu set service to start at boot
update-rc.d nagios-nrpe-server defaults
Perform a full TCP/UDP nmap scan (takes a while):
nmap -n -PN -sT -sU -p- 192.168.0.1
Login to a site with curl:
curl --user name:password http://somesite.com -v
Find all folders except:
find . -maxdepth 1 -type d ! -name 'CEH*' ! -name 'EC*' ! -name 'CBT*' ! -name 'Cert*' ! -name '.*'
Dig to get all records:
dig yahoo.com ANY +noall +answer
yahoo.com. 1800 IN A 98.138.253.109
yahoo.com. 1800 IN A 206.190.36.45
yahoo.com. 1800 IN A 98.139.183.24
yahoo.com. 86400 IN NS ns6.yahoo.com.
yahoo.com. 86400 IN NS ns4.yahoo.com.
yahoo.com. 86400 IN NS ns2.yahoo.com.
yahoo.com. 86400 IN NS ns5.yahoo.com.
yahoo.com. 86400 IN NS ns3.yahoo.com.
yahoo.com. 86400 IN NS ns1.yahoo.com.
yahoo.com. 1800 IN SOA ns1.yahoo.com. hostmaster.yahoo-inc.com. 2014070401 3600 300 1814400 600
yahoo.com. 1800 IN MX 1 mta7.am0.yahoodns.net.
yahoo.com. 1800 IN MX 1 mta6.am0.yahoodns.net.
yahoo.com. 1800 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 1800 IN TXT "v=spf1 redirect=_spf.mail.yahoo.com"
Get an alert on user/root login
echo 'ALERT - Root Shell Access (ServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" support@domain.co.za
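The one-liner above pulls the source address out of every line of `who`, so on a box with several sessions the subject can name someone else's address, and a login from the console (no host in parentheses) produces an empty field. The script below is an added example, not part of the original wiki page: it picks the `who` line for the current tty, falls back to "local" when no host is present, and only then builds the subject and body. The server name, recipient and the sample `who` lines are constructed placeholders.

```sh
#!/bin/sh
# Added example: root-login alert built from the current session only.
# Drop the functions into /root/.bashrc and call send_root_alert at the end.

# login_source WHO_LINE: extract the "(host)" field from one line of `who`
# output; prints "local" when there is none (console logins have no host).
login_source() {
  case $1 in
    *\(*\)*) printf '%s\n' "$1" | sed 's/.*(\([^)]*\)).*/\1/' ;;
    *) echo local ;;
  esac
}

# session_line WHO_OUTPUT TTY: pick the who line belonging to TTY, so a
# multi-user host does not report another user's address in the alert.
session_line() {
  printf '%s\n' "$1" | awk -v tty="$2" '$2 == tty {print; exit}'
}

# alert_subject SERVERNAME SOURCE: the mail subject line.
alert_subject() {
  printf 'Alert: Root Access on %s from %s\n' "$1" "$2"
}

# send_root_alert SERVERNAME RECIPIENT: mail the alert for this session.
# SERVERNAME and RECIPIENT are placeholders supplied by the caller.
send_root_alert() {
  line=$(session_line "$(who)" "$(tty | sed 's#^/dev/##')")
  src=$(login_source "$line")
  printf 'ALERT - Root Shell Access (%s) on: %s\n%s\n' "$1" "$(date)" "$line" \
    | mail -s "$(alert_subject "$1" "$src")" "$2"
}

# Usage from root's .bashrc (placeholder values):
#   send_root_alert web01 support@example.invalid
```

The alert is detective, not preventive: whoever has the root shell can edit the .bashrc that sends it, so the mail only has value if it leaves the box before that happens and the relay's logs are kept elsewhere.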
Mirror site
wget --mirror -p --convert-links -P ./<Local-Folder> website-url
wget -r -p -e robots=off www.domain.com (add -k to convert links)
Calculator
75% of 3750
echo '3750*.75' | bc
Get a MAC address over the network
nmap -v -O --osscan-guess 172.29.21.238 | grep MAC
Check for free IP addresses on a network
nmap -sP 172.29.21.1/24
Break out of stuck SSH shell
There is a way out that doesn’t require opening another terminal to kill the SSH client: press enter, tilde (~), and then period (.), typing each as a separate keystroke. This doesn’t appear to be a well-known feature (perhaps it’s just my poor luck in looking for it), but can be quite a time saver.
Simple tar commands
tar -zcvf me.tar.gz /etc/postfix/
If you wish to extract the files into a particular directory, for example /tmp, use the following commands:
$ tar -zxvf me.tar.gz -C /tmp
$ cd /tmp
$ ls -lah /tmp
Logrotate
Make sure vixie-cron is installed and started...
cat /etc/logrotate.d/postfix
/var/log/maillog {
# daily
size=900M
rotate 10
compress
delaycompress
notifempty
create 640 root root
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
http://www.cyberciti.biz/faq/how-do-i-rotate-log-files/
To force a log rotation:
logrotate --force $CONFIG_FILE
SSH Tunnel
ssh -L 902:localhost:902 root@41.181.73.101
Simple Python webserver:
cd /home/somedir
python -m SimpleHTTPServer
Install packages from a file
for line in $(cat packs); do yum -y install $line; done
Checking your iso's
md5sum cs/CentOS-5.5-x86_64-bin-1of8.iso
And compare to the checksum text file
CentOS / RedHat syntax highlighting etc:
yum install vim-enhanced
echo alias vi=vim >> .bashrc
source .bashrc
Mounting a remote machine quickly:
aptitude search sshfs
aptitude install sshfs
sshfs openx.iol:/home/shares/allusers /mnt/share/
mount
ls /mnt/share/
fusermount -u /mnt/share/ (to unmount)
Create SSH key pair:
ssh-keygen -t rsa
cat .ssh/id_rsa.pub
vi .ssh/authorized_keys2 (on the other machine: paste the public key in here)
Do on both machines if both need to log in to each other
List files (rsync listing mode, source only) except a file pattern:
rsync -avP --exclude='dbsrv*' /data/MISC/MySQL/
Find and replace text in a file:
CLI:
sed -i 's/172.16.20.113/172.16.20.115/g' /etc/hosts
sed 's|/some/UNIX/path|/a/new/path|g' files
VIM:
%s/172.16.20.113/172.16.20.115/g
Find large files:
yum install ncdu
or
du -sm * | sort -g
To exclude a folder:
# du -hd1 --exclude '/sftpdata' /
Find files older than 5 days and delete:
find /path/to/files* -mtime +5 -type f -exec rm {} \;
Find files newer than 5 days and rsync:
find /userdata/squirtle/e/Marketing/ -mtime -5 -type f -exec rsync -avP {} marketing/ \;
Find 1000 pics and copy to a folder:
find fullsize/ -type f -print0 | xargs -0 ls | head -1000 | while read file ; do cp "$file" /mnt/dropfolders/md/ ; done
Clear MBR:
dd if=/dev/zero of=/dev/hda bs=512 count=1
Clear last login / history
> /var/log/wtmp
history -c
Whenever you run the last command on your machine, it shows a list of recent logins along with their IPs and timestamps. This command reads these values from the /var/log/wtmp file. The simplest way to remove the last login IP is to either empty this file or remove it; it will be created automatically again.
The following command will empty this file:
> /var/log/wtmp
The following command will remove it:
rm -rf /var/log/wtmp
If clearing or removing the above file does not help, check the /var/log/lastlog file. Clear its contents and you will no longer be able to see the last login IP addresses.
Remount / in rw after a a rogue entry in fstab:
mount -n -o remount,rw /
Capture SMTP traffic in readable format:
tcpdump -vv -x -X -s 1500 -i eth1 'port 25'
-vv : More verbose output
-x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.
-X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
-s 1500: Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
-i eth1 : Monitor eth1 interface
Dump traffic from src on specific port
tcpdump -nnvvS src <client ip> and dst port 80 and tcp -w <some_file>
Test firewall by flooding a box
hping3 --flood <IP>
Disable PC speaker:
modprobe -r pcspkr
Add the line "blacklist pcspkr" to /etc/modprobe.d/blacklist
Find all email addresses on a Godaddy hosted server:
locate Maildir | grep mailnames | cut -d"/" -f5,6 | uniq > /tmp/addresses
Cat a file with hashes:
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Cronjob to find and delete prf files:
30 6 * * * root find /shares/data/ -name 'prf*.tmp' -print0 | xargs -0 rm > /dev/null 2>&1
Delete all files older than 3 days
find . -type f -mtime +3 -exec rm {} \;
Create an ISO image from a CD
# dd if=/dev/cdrom of=/tmp/cdimg.iso
Check motherboard type
dmidecode | head -20
If you have too many files to remove, try this trick:
find . -type f -print0 | xargs -0 rm -v
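The age-based deletions above ("Find files older than 5 days and delete", "Delete all files older than 3 days") and the xargs trick for very large trees all run rm straight away, with no way to see what will go first. The script below is an added example rather than the wiki's own one-liner: one function that lists the matching files by default and only deletes when explicitly told to, uses -exec ... {} + so it copes with huge file counts and odd names, stays on one filesystem with -xdev, and refuses a non-numeric day count. The directory and the file names in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: dry-run by default purge of files older than N days.

# purge_older_than DIR DAYS [delete]
#   Without the third argument, print the files that would be removed.
#   With "delete", remove them in batches (-exec ... {} +), which handles
#   trees far too large for a plain "rm *" and names with spaces or newlines.
purge_older_than() {
  dir=$1; days=$2; mode=${3:-dry}
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  case $days in
    ''|*[!0-9]*) echo "days must be a non-negative integer: $days" >&2; return 2 ;;
  esac
  if [ "$mode" = delete ]; then
    # -xdev keeps find from crossing into other mounts (e.g. a bind-mounted
    # backup area); -f ignores files that vanished between find and rm.
    find "$dir" -xdev -type f -mtime +"$days" -exec rm -f -- {} +
  else
    find "$dir" -xdev -type f -mtime +"$days" -print
  fi
}

# count_older_than DIR DAYS: number of regular files older than DAYS days.
count_older_than() {
  find "$1" -xdev -type f -mtime +"$2" | wc -l | tr -d ' '
}

# Usage (placeholder path): review first, then delete.
#   purge_older_than /shares/data 5
#   purge_older_than /shares/data 5 delete
```

Note that -mtime +5 matches files whose age, rounded down to whole days, is greater than 5, so a file modified 5 days and 23 hours ago is kept; that is the same rule the original find commands follow.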
Lock a user's password / account
usermod -L username
Permanently adding a static route
route add 196.44.1.33 gw 162.49.209.1
Put the route in /etc/sysconfig/static-routes or
Put the route in /etc/rc.local or
Put the route in /etc/sysconfig/network-scripts/ifup-routes
Detecting rootkits
http://www.cyberciti.biz/faq/howto-check-linux-rootkist-with-detectors-s...
Add your passphrase for future sessions
use ssh-add so you don't have to type it in every time
Mount a CD
insert the cdrom into the drive
Create a mountpoint called /mnt/cd or simply just use an existing mountpoint
mkdir /mnt/cd
mount -t iso9660 -o ro /dev/cdrom /mnt/cd/
Cat a field of a file
cat /etc/samba/smbpasswd | cut -d":" -f1
(this will display the first field of that file, where the delimiter is a colon)
Shape traffic (upload) and prioritise eg 8001
iptables -t mangle -I PREROUTING -p tcp --dport 8001 -j TOS --set-tos Minimize-Delay
Issue a user root access without pass
Add them to the wheel group
edit /etc/pam.d/su
remove the hash from the line: "auth sufficient..."
Getting a Dynamic MMap ran out of room when apt-get on Debian
Add the following line to either /etc/apt/apt.conf or /etc/apt/apt.conf.d/70debconf
APT::Cache-Limit "8388608";
Extract the contents of an RPM
rpm2cpio package.rpm | cpio -i [--make-directories]
How many mails has a user received today?
exigrep username /var/log/exim/main.log | grep 2007-05-21 | grep Complet | wc -l
Kernel Update (Centos)
yum update
rpm -qa | grep kernel
yum update kernel kernel-devel kernel-smp
# Check that grub will boot the new kernel:
vi /boot/grub/menu.lst
Crontabs
http://www.tech-geeks.org/contrib/mdrone/cron&crontab-howto.htm
1 of 3 31/07/2008 13:50
Sysadmin stuff - Confluence http://wiki.synaq.com/display/Technical/Sysadmin+st...
Use telnet to view mails waiting to be downloaded
-telnet localhost 110
-enter user and pass
-list
-top 1 5 (to see the first 5 lines of message 1)
-top 2 10 (to see the first 10 lines of message 2)
-can also try retr eg retr 1 0 (to see the headers of message 1)
Check for a mailing virus on a network
tcpdump -tnli eth0 not port ssh and not port smtp and not port domain and not port http and not port https and not port imap
Connect to Internet via another Linux machine
* On the other machine:
# service squid start
* On the local machine:
# ssh -L 3128:localhost:3128 root@
* Log in
* Then on the local machine in Firefox:
* Change the connection settings to:
* localhost:3128 - for all services
* And off you go connecting to the internet via the other Linux machine.
* This "host" machine can be ANY machine that has internet connectivity and with squid installed.
The following worked when connected to Nandos viewing the Nessus server web front end:
# ssh -L 8080:172.17.1.111:80 root@nanftp.nandocas.com
Then in your browser, set up connection: directly to internet.
Got URL: http://localhost:8080
* It can also be done if IP tables are installed with IP & port forwarding.
Add more memory to WIKI JVM
* Log onto support
# vi /usr/local/src/confluence-2.2.9-std/bin/setenv.sh
* -Xms256m is the minimum memory to be used
* -Xmx384m is the maximum memory to be used
* Save the file.
# ps ax | grep java
* Kill the java process
# export JAVA_HOME=/usr/local/src/j2sdk1.4.2_13/
# /usr/local/src/confluence-2.2.9-std/bin/startup.sh
Using the Nokia N73 modem on Linux
http://users.utu.fi/tmwire/nokia_n73_linux.html
Verify NRPE connections
-check commands on target host in nrpe.cfg
-test from the monitor box like so:
/usr/local/groundwork/nagios/libexec/check_nrpe-nossl -t 25 -H 196.15.171.135 -c check_sxservices
Run a script in Debug mode http://www.cyberciti.biz/tips/debugging-shell-script.html
-bash -x script-name
Timestamp HISTORY command (only for bash 3 and above (rpm -q bash)
-vi /etc/bashrc
-append to the bottom: export HISTTIMEFORMAT="%h/%d - %H:%M:%S "
Wiki formatting
-Make sure that Main headers are h3. Header with a link in Contents and a link back to Contents and if applicable the customer area
-check this section for code formatting http://wiki.synaq.com/renderer/notationhelp.action?section=advanced
-sub headings should just be in bold
-code samples should opened and closed with
You can't edit this wiki
On support.synaq
-ps aux | grep java
-kill the confluence java process
export JAVA_HOME=/usr/local/src/j2sdk1.4.2_13/
/usr/local/src/confluence-2.2.9-std/bin/startup.sh
Check squid
# telnet localhost 3128
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET http://www.google.co.za HTTP/1.0
enter twice
Set server to shutdown
-at 10pm Sat 12
>halt
>ctrl-D
-atq
-use atrm jobnumber to remove a job
-Remember to schedule downtime on Groundwork so notifications are not sent out
Debian / Ubuntu equivalent chkconfig
apt-get install sysv-rc-conf
sysv-rc-conf --list nrpe
(to see nrpe status)
sysv-rc-conf
(to start an ncurses type view of which services can be started etc)
Lost root passwd
-boot off a live CD (knoppix/ubuntu)
-open a terminal and mount / in /mnt/yourfolder
mkdir /mnt/recover
mount /dev/hda1 /mnt/recover (assuming / partition is on /dev/hda1)
chroot /mnt/recover /bin/bash to get a root shell and be operating on /
passwd to set the new pass
umount /mnt/recover
reboot
Check for duplicate files
find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 -d --all-repeated=separate | cut -c35- >/tmp/dupes.txt
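The one-liner above keys on MD5 and on a fixed column width, which is fine for spotting accidental copies but is easy to fool: MD5 collisions are cheap to construct, so two deliberately different files can be reported as duplicates. The script below is an added example, not the wiki's command: it hashes with SHA-256 (falling back to shasum where sha256sum is absent), keeps hash and path tab-separated instead of relying on column positions, and prints only groups that repeat. The directory argument and the test files are constructed placeholders.

```sh
#!/bin/sh
# Added example: group duplicate files by SHA-256 under a directory.

# hash_file PATH: print the SHA-256 hex digest of one file.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | cut -c1-64
  else
    shasum -a 256 -- "$1" | cut -c1-64
  fi
}

# list_dupes DIR: print "hash<TAB>path" for every regular file whose digest
# occurs more than once, grouped by digest. Files with unique content are
# not printed at all.
list_dupes() {
  find "$1" -type f -print | while IFS= read -r f; do
    printf '%s\t%s\n' "$(hash_file "$f")" "$f"
  done | sort | awk '
    BEGIN { FS = "\t" }
    { n[$1]++; p[$1] = p[$1] $0 "\n" }
    END { for (h in n) if (n[h] > 1) printf "%s", p[h] }'
}

# dupe_group_count DIR: how many distinct contents appear more than once.
dupe_group_count() {
  list_dupes "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Usage (placeholder path):
#   list_dupes /shares/data > /tmp/dupes.txt
```

Paths containing a newline still break the line-oriented output; if those occur in the tree, switch to -print0 and a NUL-aware reader, as the original one-liner does for the md5sum stage.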
Check for files older that 5 years
find /share/data/ -mtime +1825 > /tmp/data_5yrs_old.txt
Check for and remove prf files:
find /shares/data/ -name 'prf*.tmp' -print0 | xargs -0 rm