Cheatsheet - User contributions [en]

Linux:Tools

2026-03-11T18:17:14Z

Patrick: /* Curl */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== Curl ===
<syntaxhighlight lang='bash'>
# Fetch the https://brammerloo.nl webpage
curl https://brammerloo.nl

# Set a max-timeout for fetching the webpage
curl --connect-timeout 5 https://brammerloo.nl
</syntaxhighlight>

Basic CURL call to an API fetch information:
<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "GET" 'https://mywebsite.brammerloo.nl/cluster/health' \
-H 'X-Requested-By: peach' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token
</syntaxhighlight>

Example of executing a CURL call with a graylog-structured JSON-payload

<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

payload='{
"queries": [{
"id": "?",
"timerange": {
"type": "keyword",
"keyword": "one day ago"
}
}
]
}'

curl -X "POST" "https://mywebsite.brammerloo.nl/api/search" \
-H 'X-Requested-By: roshani' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token \
-d "$payload"
</syntaxhighlight>

=== cron ===
Run tasks at specific intervals.

* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== screen ===
Create virtual sessions on the server you're connected to.

<syntaxhighlight lang="bash">
# List all current sessions
screen -list

# Create new session "mynewsession"
screen -S mynewsession

# Detach current session
CTRL + A + D

# Attach session "mynewssion"
screen -r mynewsession
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Linux:Tools

2026-02-23T19:11:08Z

Patrick: /* Curl */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== Curl ===
<syntaxhighlight lang='bash'>
# Fetch the https://brammerloo.nl webpage
curl https://brammerloo.nl

# Set a max-timeout for fetching the webpage
curl --connect-timeout 5 https://brammerloo.nl
</syntaxhighlight>

Basic CURL call to an API fetch information:
<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "GET" 'https://mywebsite.brammerloo.nl/cluster/health' \
-H 'X-Requested-By: peach' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token
</syntaxhighlight>

Example of executing a CURL call with a JSON-payload

<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "POST" "https://mywebsite.brammerloo.nl/api/search" \
-H 'X-Requested-By: roshani' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token \
-d "$curly"

curly='{
"queries": [{
"id": "?",
"timerange": {
"type": "keyword",
"keyword": "one day ago"
}
}
]
}'
</syntaxhighlight>

=== cron ===
Run tasks at specific intervals.

* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== screen ===
Create virtual sessions on the server you're connected to.

<syntaxhighlight lang="bash">
# List all current sessions
screen -list

# Create new session "mynewsession"
screen -S mynewsession

# Detach current session
CTRL + A + D

# Attach session "mynewssion"
screen -r mynewsession
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Windows

2026-02-18T10:18:27Z

Patrick: /* Processes */

[[Category:Cheatsheet]]

== Important applications ==
=== Desktop ===
'''SSH'''
* MobaxTerm - https://mobaxterm.mobatek.net/
* Putty & Puttygen - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

'''Code / Automation'''
* VSCodium
* Intellij Idea

'''Databases'''
* DBeaver

'''Windows management'''
* Windows Remote Desktop
* Windows Remote Server Administration Tools - https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools

'''Hypervisors'''
* Hyper-V
* VirtualBox
* VMWare Worststation

=== Server ===
* BgInfo - https://learn.microsoft.com/en-us/sysinternals/downloads/bginfo
* Process Monitor - https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

=== Processes ===
Open the "Run" program by pressing '''Windows key + R'''
<pre>
control Open the Control Panel
ncpa.cpl Network Control Panel
resmon Resource Monitor
sysdm.cpl System properties
devmgmt.msc Device Manager
services.msc Services
compmgmt.msc Computer management
wf.msc Advanced Windows Firewall
</pre>

== Powershell ==
=== Checks ===
==== Network ====
* https://azega.org/list-open-ports-using-powershell/

<syntaxhighlight lang='bash'>
# List open ports and related IP-addresses
Get-NetTCPConnection

# Test the network-connection to a specific IP and port
Test-NetConnection -ComputerName 192.168.200.20 -InformationLevel "Detailed" -Port 443

# List basic interface information
Get-NetAdapter

# List basic interface address information
Get-NetIPConfiguration

# "To show only the listening ports we need to filter for all items in the Listen state with the remote address of 0.0.0.0"
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")}

# "You can add additional fields like the process ID for each port. Changing the fields from the default requires selecting each one you want and then piping to ft (format-table)."
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")} | Select LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess | ft

# "This example will get the name of the process associated with each item."
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")} | select LocalAddress,LocalPort,RemoteAddress,RemotePort,State,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} | ft
</syntaxhighlight>

==== Active Directory ====
<syntaxhighlight lang='bash'>
# List available dcdiag commands
dcdiag /h

# Test all servers in this site
dcdiag /a

# Test all servers in the enterprise
dcdiag /e

# Test specific Active Directory components
dcdiag /test:connectivity
dcdiag /test:kccevent
dcdiag /test:topology
</syntaxhighlight>

===== Group Policy =====
<syntaxhighlight lang='bash'>
# Show currently applied Group Policy objects
gpresult /R
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang='bash'>
# Import users from file my-users.csv
csvde -i -f .\my-users.csv -v

# Import data from another AD using company-1.ldf
ldifde -v -i -f .\company-1.ldf

# Check for users that have been inactive for longer than 2 weeks
dsquery user -inactive 2

# Add user Kenpachi to the OU Captain, in the Seireitei.local domain, and add the description 'Strongest sword' to his account
dsadd user "CN=Kenpachi,ou=Captain,dc=Seireitei,dc=local" -desc "Strongest sword"

# Find all users that haven't changed their password in the last 10 days
dsquery user -stalepwd 10

## patienten5.csv
# GivenNAme,Surname,Name,SamAccountNAme,Description,Department,EmployeeID,Path,Enabled,Password,PasswordNeverExpires
# User,local1,Userlocal1,Userlocal1,Userlocal1,IT,189478,"OU=test,DC=BMC,DC=local",$True,a$$w0rd,$True
# User,local2,Userlocal2,Userlocal2,Userlocal2,IT,187516,"OU=test,DC=BMC,DC=local",$True,a$$w0rd,$True

# Import and create users Userlocal1 and Userlocal2 from the given .csv file, and populate certain fields with the given values
Import-Csv -Path .\patienten5.csv | New-ADUser

# Add various metadata values to the Kirby user, located in the Protagonists OU, existing in the Dreamland.local domain
dsmod user "CN=Kirby,ou=Protagonists,dc=Dreamland,dc=local" -office Skyborn -Title Hungry -dept Mental -webpg www.dreamland.local/Kirby -company Dreamland.local

# Find all users with the description 'Wrestler', and modify their manager to be 'Hulk Hogan' located in the Legendary OU in the WWE domain
dsquery user -desc Wrestler | dsmod user -mgr "cn=Hulk Hogan,OU=Legendary,DC=WWE,dc=local"

# Turn all disabled users within the WuTang folder into enabled users
dsquery user ou=WuTang,dc=Clan,dc=local -disabled -limit 0 | dsmod user -disabled no

# Create folder 2019 in the Students OU
New-ADOrganizationalUnit -Name "2019" -Description "The year 2019" -Path "OU=Students,DC=Rotterdam,DC=.nl
</syntaxhighlight>

==== Active Directory ====
<syntaxhighlight lang='bash'>
# Check what has yet to be replicated
repadmin /queue

# Perform a Consistency Check for the local server
repadmin /kcc

# Show basic replication information, neighbours, last attempts and their statuses
repadmin /showrepl

# Show statistical data concerning replication
repadmin /replsummary

# Replicate Active Directory changes/settings/configuration
repadmin /syncall
</syntaxhighlight>

===== Group Policy =====
<syntaxhighlight lang='bash'>
# Force a Group Policy update on the device you execute this on
gpupdate /force
</syntaxhighlight>

==== Firewall ====
<syntaxhighlight lang='bash'>
# Turn off your Firewall entirely
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled false
</syntaxhighlight>

== Command Prompt ==
=== Checks ===
==== Common ====
<syntaxhighlight lang='bash'>
# Open the System information window
msinfo32
</syntaxhighlight>

==== Network ====
<syntaxhighlight lang='bash'>
# List all available routes
route print

# List detailed Network information
ipconfig /all
</syntaxhighlight>

=== Commands ===
==== Common ====
<syntaxhighlight lang='bash'>
# Open Server Configuration menu for common configuration
sconfig

# Logout the current user
logoff

# Open User Management
lusrmgr.msc

# Add this machine (SRV01) to domain clinic.local, ask for a password prompt for the Administrator user password
NETDOM JOIN SRV01 /Domain:clinic.local /UserO:Administrator /PasswordO:* /SecurePasswordPrompt
</syntaxhighlight>

===== Shutdown or restart =====
<syntaxhighlight lang='bash'>
# Shutdown the computer
shutdown /s

# Restart the computer (60 seconds time-out)
shutdown /r

# Shutdown the computer in 200 seconds
shutdown /t 200

# Restart the computer right now
shutdown /r /t 0

# Abort a timed shutdown
shutdown /a
</syntaxhighlight>

===== Windows Update =====
https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing

<syntaxhighlight lang='bash'>
# For Windows Server Core, use the sconfig menu for easy Windows Update configuration
sconfig
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# Check current configured settings
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU /v

# Disable automatic updates
Net stop wuauserv
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU 1
Net start wuauserv

# Enable automatic updates
Net stop wuauserv
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU 4
Net start wuauserv

# Update and install updates
Wuauclt /detectnow
</syntaxhighlight>

===== License =====
<syntaxhighlight lang='bash'>
# For Windows Server Core, use the sconfig menu for easy license installation and activation
sconfig
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# Install a license key
slmgr.vbs /ipk ASDI1-POQW2-QOWE5-ASDP0-QWEI3

# Activate installed license key
slmgr.vbs /dli

# Verify active license
slmgr.vbs /dli
</syntaxhighlight>

==== Network ====
<syntaxhighlight lang='bash'>
# Add a route for a specific network
route add 192.168.15.0 mask 255.255.255.0 192.168.15.1

# Delete a route for a specific network
route delete 192.168.15.0 mask 255.255.255.0 192.168.15.1
</syntaxhighlight>

==== Firewall ====
<syntaxhighlight lang='bash'>
# Allow ICMPv4 communication inwards
netsh advfirewall firewall add rule name="ICMPv4 Allow" protocol="icmpv4:8,any" dir=in action=allow
</syntaxhighlight>

==== Shares ====
* https://www.windows-commandline.com/list-create-delete-network-shares/

<pre>
net share sharename=folderpath /grant:username,permissions
permission: Read, Change or Full
</pre>

<syntaxhighlight lang='bash'>
# Create the folder and share it with a user
mkdir C:\Shares\Users\Mike
net share MyShareName="C:\Shares\Users\Mike" /grant:"big.mike,FULL"

# Delete the share
net share MyShareName /DELETE

# Create a share but with multi-user access
net share Karel="C:\Shares\Users\Mike" /grant:"Big.Mike,FULL" /grant:"Big.John,READ" /grant:"Administrator,FULL"
</syntaxhighlight>

==== Sysprep ====
# Download and install updates;
# Restart;
# Repeat step 1 and 2 until no more updates are available;
# Optionally disable automatic updates;
# Set the proper timezone;
# Set proper keyboard/region format;
# Optionally activate your license;
# Optionally enable Remote Desktop - "Allow remote connections to this computer"
# Optionally take a snapshot before the sysprep;
# Perform a Sysprep (see commands below).

<syntaxhighlight lang='bash'>
# Sysprep
C:\Windows\System32\Sysprep\sysprep.exe /generalize /shutdown

# Sysprep using an unattend.xml
C:\Windows\System32\Sysprep\sysprep.exe /generalize /shutdown /unattend:C:\Windows\System32\Sysprep\unattended.xml
</syntaxhighlight>

Windows

2026-02-10T09:48:48Z

Patrick:

[[Category:Cheatsheet]]

== Important applications ==
=== Desktop ===
'''SSH'''
* MobaxTerm - https://mobaxterm.mobatek.net/
* Putty & Puttygen - https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

'''Code / Automation'''
* VSCodium
* Intellij Idea

'''Databases'''
* DBeaver

'''Windows management'''
* Windows Remote Desktop
* Windows Remote Server Administration Tools - https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools

'''Hypervisors'''
* Hyper-V
* VirtualBox
* VMWare Worststation

=== Server ===
* BgInfo - https://learn.microsoft.com/en-us/sysinternals/downloads/bginfo
* Process Monitor - https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

=== Processes ===
Open the "Run" program by pressing '''Windows key + R'''
<pre>
control Open the Control Panel
ncpa.cpl Network Control Panel
sysdm.cpl System properties
devmgmt.msc Device Manager
Services services.msc
compmgmt.msc Computer management
wf.msc Advanced Windows Firewall
</pre>

== Powershell ==
=== Checks ===
==== Network ====
* https://azega.org/list-open-ports-using-powershell/

<syntaxhighlight lang='bash'>
# List open ports and related IP-addresses
Get-NetTCPConnection

# Test the network-connection to a specific IP and port
Test-NetConnection -ComputerName 192.168.200.20 -InformationLevel "Detailed" -Port 443

# List basic interface information
Get-NetAdapter

# List basic interface address information
Get-NetIPConfiguration

# "To show only the listening ports we need to filter for all items in the Listen state with the remote address of 0.0.0.0"
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")}

# "You can add additional fields like the process ID for each port. Changing the fields from the default requires selecting each one you want and then piping to ft (format-table)."
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")} | Select LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess | ft

# "This example will get the name of the process associated with each item."
get-nettcpconnection | where {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")} | select LocalAddress,LocalPort,RemoteAddress,RemotePort,State,@{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} | ft
</syntaxhighlight>

==== Active Directory ====
<syntaxhighlight lang='bash'>
# List available dcdiag commands
dcdiag /h

# Test all servers in this site
dcdiag /a

# Test all servers in the enterprise
dcdiag /e

# Test specific Active Directory components
dcdiag /test:connectivity
dcdiag /test:kccevent
dcdiag /test:topology
</syntaxhighlight>

===== Group Policy =====
<syntaxhighlight lang='bash'>
# Show currently applied Group Policy objects
gpresult /R
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang='bash'>
# Import users from file my-users.csv
csvde -i -f .\my-users.csv -v

# Import data from another AD using company-1.ldf
ldifde -v -i -f .\company-1.ldf

# Check for users that have been inactive for longer than 2 weeks
dsquery user -inactive 2

# Add user Kenpachi to the OU Captain, in the Seireitei.local domain, and add the description 'Strongest sword' to his account
dsadd user "CN=Kenpachi,ou=Captain,dc=Seireitei,dc=local" -desc "Strongest sword"

# Find all users that haven't changed their password in the last 10 days
dsquery user -stalepwd 10

## patienten5.csv
# GivenNAme,Surname,Name,SamAccountNAme,Description,Department,EmployeeID,Path,Enabled,Password,PasswordNeverExpires
# User,local1,Userlocal1,Userlocal1,Userlocal1,IT,189478,"OU=test,DC=BMC,DC=local",$True,a$$w0rd,$True
# User,local2,Userlocal2,Userlocal2,Userlocal2,IT,187516,"OU=test,DC=BMC,DC=local",$True,a$$w0rd,$True

# Import and create users Userlocal1 and Userlocal2 from the given .csv file, and populate certain fields with the given values
Import-Csv -Path .\patienten5.csv | New-ADUser

# Add various metadata values to the Kirby user, located in the Protagonists OU, existing in the Dreamland.local domain
dsmod user "CN=Kirby,ou=Protagonists,dc=Dreamland,dc=local" -office Skyborn -Title Hungry -dept Mental -webpg www.dreamland.local/Kirby -company Dreamland.local

# Find all users with the description 'Wrestler', and modify their manager to be 'Hulk Hogan' located in the Legendary OU in the WWE domain
dsquery user -desc Wrestler | dsmod user -mgr "cn=Hulk Hogan,OU=Legendary,DC=WWE,dc=local"

# Turn all disabled users within the WuTang folder into enabled users
dsquery user ou=WuTang,dc=Clan,dc=local -disabled -limit 0 | dsmod user -disabled no

# Create folder 2019 in the Students OU
New-ADOrganizationalUnit -Name "2019" -Description "The year 2019" -Path "OU=Students,DC=Rotterdam,DC=.nl
</syntaxhighlight>

==== Active Directory ====
<syntaxhighlight lang='bash'>
# Check what has yet to be replicated
repadmin /queue

# Perform a Consistency Check for the local server
repadmin /kcc

# Show basic replication information, neighbours, last attempts and their statuses
repadmin /showrepl

# Show statistical data concerning replication
repadmin /replsummary

# Replicate Active Directory changes/settings/configuration
repadmin /syncall
</syntaxhighlight>

===== Group Policy =====
<syntaxhighlight lang='bash'>
# Force a Group Policy update on the device you execute this on
gpupdate /force
</syntaxhighlight>

==== Firewall ====
<syntaxhighlight lang='bash'>
# Turn off your Firewall entirely
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled false
</syntaxhighlight>

== Command Prompt ==
=== Checks ===
==== Common ====
<syntaxhighlight lang='bash'>
# Open the System information window
msinfo32
</syntaxhighlight>

==== Network ====
<syntaxhighlight lang='bash'>
# List all available routes
route print

# List detailed Network information
ipconfig /all
</syntaxhighlight>

=== Commands ===
==== Common ====
<syntaxhighlight lang='bash'>
# Open Server Configuration menu for common configuration
sconfig

# Logout the current user
logoff

# Open User Management
lusrmgr.msc

# Add this machine (SRV01) to domain clinic.local, ask for a password prompt for the Administrator user password
NETDOM JOIN SRV01 /Domain:clinic.local /UserO:Administrator /PasswordO:* /SecurePasswordPrompt
</syntaxhighlight>

===== Shutdown or restart =====
<syntaxhighlight lang='bash'>
# Shutdown the computer
shutdown /s

# Restart the computer (60 seconds time-out)
shutdown /r

# Shutdown the computer in 200 seconds
shutdown /t 200

# Restart the computer right now
shutdown /r /t 0

# Abort a timed shutdown
shutdown /a
</syntaxhighlight>

===== Windows Update =====
https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing

<syntaxhighlight lang='bash'>
# For Windows Server Core, use the sconfig menu for easy Windows Update configuration
sconfig
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# Check current configured settings
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU /v

# Disable automatic updates
Net stop wuauserv
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU 1
Net start wuauserv

# Enable automatic updates
Net stop wuauserv
%systemroot%\system32\Cscript %systemroot%\system32\scregedit.wsf /AU 4
Net start wuauserv

# Update and install updates
Wuauclt /detectnow
</syntaxhighlight>

===== License =====
<syntaxhighlight lang='bash'>
# For Windows Server Core, use the sconfig menu for easy license installation and activation
sconfig
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# Install a license key
slmgr.vbs /ipk ASDI1-POQW2-QOWE5-ASDP0-QWEI3

# Activate installed license key
slmgr.vbs /dli

# Verify active license
slmgr.vbs /dli
</syntaxhighlight>

==== Network ====
<syntaxhighlight lang='bash'>
# Add a route for a specific network
route add 192.168.15.0 mask 255.255.255.0 192.168.15.1

# Delete a route for a specific network
route delete 192.168.15.0 mask 255.255.255.0 192.168.15.1
</syntaxhighlight>

==== Firewall ====
<syntaxhighlight lang='bash'>
# Allow ICMPv4 communication inwards
netsh advfirewall firewall add rule name="ICMPv4 Allow" protocol="icmpv4:8,any" dir=in action=allow
</syntaxhighlight>

==== Shares ====
* https://www.windows-commandline.com/list-create-delete-network-shares/

<pre>
net share sharename=folderpath /grant:username,permissions
permission: Read, Change or Full
</pre>

<syntaxhighlight lang='bash'>
# Create the folder and share it with a user
mkdir C:\Shares\Users\Mike
net share MyShareName="C:\Shares\Users\Mike" /grant:"big.mike,FULL"

# Delete the share
net share MyShareName /DELETE

# Create a share but with multi-user access
net share Karel="C:\Shares\Users\Mike" /grant:"Big.Mike,FULL" /grant:"Big.John,READ" /grant:"Administrator,FULL"
</syntaxhighlight>

==== Sysprep ====
# Download and install updates;
# Restart;
# Repeat step 1 and 2 until no more updates are available;
# Optionally disable automatic updates;
# Set the proper timezone;
# Set proper keyboard/region format;
# Optionally activate your license;
# Optionally enable Remote Desktop - "Allow remote connections to this computer"
# Optionally take a snapshot before the sysprep;
# Perform a Sysprep (see commands below).

<syntaxhighlight lang='bash'>
# Sysprep
C:\Windows\System32\Sysprep\sysprep.exe /generalize /shutdown

# Sysprep using an unattend.xml
C:\Windows\System32\Sysprep\sysprep.exe /generalize /shutdown /unattend:C:\Windows\System32\Sysprep\unattended.xml
</syntaxhighlight>

Linux:Tools

2026-01-24T15:30:49Z

Patrick: /* rsync */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== Curl ===
Basic CURL call to fetch information from somewhere.

<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "GET" 'https://mywebsite.brammerloo.nl/cluster/health' \
-H 'X-Requested-By: peach' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token
</syntaxhighlight>

Example of executing a CURL call with a JSON-payload

<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "POST" "https://mywebsite.brammerloo.nl/api/search" \
-H 'X-Requested-By: roshani' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token \
-d "$curly"

curly='{
"queries": [{
"id": "?",
"timerange": {
"type": "keyword",
"keyword": "one day ago"
}
}
]
}'
</syntaxhighlight>

=== cron ===
Run tasks at specific intervals.

* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== screen ===
Create virtual sessions on the server you're connected to.

<syntaxhighlight lang="bash">
# List all current sessions
screen -list

# Create new session "mynewsession"
screen -S mynewsession

# Detach current session
CTRL + A + D

# Attach session "mynewssion"
screen -r mynewsession
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Linux:Scripts

2026-01-24T15:29:32Z

Patrick: /* Curl */

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Templates ==
=== #1 ===
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

=== #2 ===
Inspired by: https://stackoverflow.com/questions/16483119/an-example-of-how-to-use-getopts-in-bash

Dedicated usage/help function to catch faulty script usage. This template catches custom flags and save them as variables.
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
# We comment this because we explicitly check for variable existence later
#set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

# Basic help output
usage () {
echo ""
echo "Usage: ${0} -s something -o something-else
Examples:
${0} -s herp -o derp

This is the description of my script.
"
exit 0
echo ""
}

# Catch insufficent arguments and or help parameter, then run the usage function
if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -lt 2 ]] ; then
usage
fi

# Create options "s" and "o" and save them as variables "var1" and "var2" respectively
# Missing or wrong arguments will run the usage function
while getopts ":s:o:" arg; do
case "${arg}" in
s) var1=${OPTARG};;
o) var2=${OPTARG};;
*) usage ;;
esac
done

# Remove parsed parameters done by getopts, so that any remaining options can be interpreted as i.e. $1, $2, $3 etc
shift $((OPTIND-1))

# Check whether the filled arguments are not empty, set -o nounset was commented to make this work properly
# If the variables aren't filled, run the usage function
if [[ -z "${var1}" ]] || [[ -z "${var2}" ]]; then
usage
fi
</syntaxhighlight>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Testing - [[ ]] ====
<syntaxhighlight lang='bash'>
# Use the test functionality [[ ]] to compare values and types using expressions
man test

# Test whether the directory saved in the $MyDirectoryVariable variable exists
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-24T15:25:28Z

Patrick: /* Examples */

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Templates ==
=== #1 ===
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

=== #2 ===
Inspired by: https://stackoverflow.com/questions/16483119/an-example-of-how-to-use-getopts-in-bash

Dedicated usage/help function to catch faulty script usage. This template catches custom flags and save them as variables.
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
# We comment this because we explicitly check for variable existence later
#set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

# Basic help output
usage () {
echo ""
echo "Usage: ${0} -s something -o something-else
Examples:
${0} -s herp -o derp

This is the description of my script.
"
exit 0
echo ""
}

# Catch insufficent arguments and or help parameter, then run the usage function
if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -lt 2 ]] ; then
usage
fi

# Create options "s" and "o" and save them as variables "var1" and "var2" respectively
# Missing or wrong arguments will run the usage function
while getopts ":s:o:" arg; do
case "${arg}" in
s) var1=${OPTARG};;
o) var2=${OPTARG};;
*) usage ;;
esac
done

# Remove parsed parameters done by getopts, so that any remaining options can be interpreted as i.e. $1, $2, $3 etc
shift $((OPTIND-1))

# Check whether the filled arguments are not empty, set -o nounset was commented to make this work properly
# If the variables aren't filled, run the usage function
if [[ -z "${var1}" ]] || [[ -z "${var2}" ]]; then
usage
fi
</syntaxhighlight>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Testing - [[ ]] ====
<syntaxhighlight lang='bash'>
# Use the test functionality [[ ]] to compare values and types using expressions
man test

# Test whether the directory saved in the $MyDirectoryVariable variable exists
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

==== Curl ====
Example of executing a CURL call with a JSON-payload

<syntaxhighlight lang='bash'>
mytoken="supersecrettoken"

curl -X "POST" "https://mywebsite.brammerloo.nl" \
-H 'X-Requested-By: roshani' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--silent \
-u "${mytoken}":token \
-d "$curly"

curly='{
"queries": [{
"id": "?",
"timerange": {
"type": "keyword",
"keyword": "one day ago"
}
}
]
}'
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-24T15:20:46Z

Patrick: /* Testing - [[]] */

Linux:Scripts

2026-01-24T15:18:56Z

Patrick:

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Templates ==
=== #1 ===
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

=== #2 ===
Inspired by: https://stackoverflow.com/questions/16483119/an-example-of-how-to-use-getopts-in-bash

Dedicated usage/help function to catch faulty script usage. This template catches custom flags and save them as variables.
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
# We comment this because we explicitly check for variable existence later
#set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

# Basic help output
usage () {
echo ""
echo "Usage: ${0} -s something -o something-else
Examples:
${0} -s herp -o derp

This is the description of my script.
"
exit 0
echo ""
}

# Catch insufficent arguments and or help parameter, then run the usage function
if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -lt 2 ]] ; then
usage
fi

# Create options "s" and "o" and save them as variables "var1" and "var2" respectively
# Missing or wrong arguments will run the usage function
while getopts ":s:o:" arg; do
case "${arg}" in
s) var1=${OPTARG};;
o) var2=${OPTARG};;
*) usage ;;
esac
done

# Remove parsed parameters done by getopts, so that any remaining options can be interpreted as i.e. $1, $2, $3 etc
shift $((OPTIND-1))

# Check whether the filled arguments are not empty, set -o nounset was commented to make this work properly
# If the variables aren't filled, run the usage function
if [[ -z "${var1}" ]] || [[ -z "${var2}" ]]; then
usage
fi
</syntaxhighlight>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Testing - [[]] ====
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-24T15:17:50Z

Patrick: /* Template */

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Templates ==
=== #1 ===
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

=== #2 ===
Inspired by: https://stackoverflow.com/questions/16483119/an-example-of-how-to-use-getopts-in-bash

Dedicated usage/help function to catch faulty script usage. This template catches custom flags and save them as variables.
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
# We comment this because we explicitly check for variable existence later
#set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

# Basic help output
usage () {
echo ""
echo "Usage: ${0} -s something -o something-else
Examples:
${0} -s herp -o derp

This is the description of my script.
"
exit 0
echo ""
}

# Catch insufficent arguments and or help parameter, then run the usage function
if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -lt 2 ]] ; then
usage
fi

# Create options "s" and "o" and save them as variables "var1" and "var2" respectively
# Missing or wrong arguments will run the usage function
while getopts ":s:o:" arg; do
case "${arg}" in
s) var1=${OPTARG};;
o) var2=${OPTARG};;
*) usage ;;
esac
done

# Remove parsed parameters done by getopts, so that any remaining options can be interpreted as i.e. $1, $2, $3 etc
shift $((OPTIND-1))

# Check whether the filled arguments are not empty, set -o nounset was commented to make this work properly
# If the variables aren't filled, run the usage function
if [[ -z "${var1}" ]] || [[ -z "${var2}" ]]; then
usage
fi
</syntaxhighlight>

== Testing - [[]] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-24T15:17:30Z

Patrick: /* Template */

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Template ==
=== #1 ===
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

=== #2 ===
Inspired by: https://stackoverflow.com/questions/16483119/an-example-of-how-to-use-getopts-in-bash

Dedicated usage/help function to catch faulty script usage. This template catches custom flags and save them as variables.
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
# We comment this because we explicitly check for variable existence later
#set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

# Basic help output
usage () {
echo ""
echo "Usage: ${0} -s something -o something-else
Examples:
${0} -s herp -o derp

This is the description of my script.
"
exit 0
echo ""
}

# Catch insufficent arguments and or help parameter, then run the usage function
if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -lt 2 ]] ; then
usage
fi

# Create options "s" and "o" and save them as variables "var1" and "var2" respectively
# Missing or wrong arguments will run the usage function
while getopts ":s:o:" arg; do
case "${arg}" in
s) var1=${OPTARG};;
o) var2=${OPTARG};;
*) usage ;;
esac
done

# Remove parsed parameters done by getopts, so that any remaining options can be interpreted as i.e. $1, $2, $3 etc
shift $((OPTIND-1))

# Check whether the filled arguments are not empty, set -o nounset was commented to make this work properly
# If the variables aren't filled, run the usage function
if [[ -z "${var1}" ]] || [[ -z "${var2}" ]]; then
usage
fi
</syntaxhighlight>

== Testing - [[]] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-24T13:56:29Z

Patrick: /* Pointers */

[[Category:Cheatsheet]]

== Advice ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [[]] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Fortinet

2026-01-24T13:55:50Z

Patrick: /* Syslog */

[[Category:Cheatsheet|Cheatsheets]]

== Links ==
* https://docs.fortinet.com/product/fortigate/6.4
* https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/954635/getting-started
* https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/830108/ping-options-ping6-options

== CLI Configuration ==
'''Don't forget to enter the proper vDOM when applicable'''

=== DHCP server ===
'''edit 0''' will cause the first available ID to be assigned to this range.

<syntaxhighlight>
config system dhcp server
edit 0
set lease-time 86400
set default-gateway 192.168.20.1
set netmask 255.255.255.0
set interface "VDOM-LAN01"
config ip-range
edit 1
set start-ip 192.168.20.10
set end-ip 192.168.20.254
next
end
set dns-server1 192.168.20.2
set dns-server2 8.8.8.8
next
</syntaxhighlight>

== Checks ==
=== Common ===
<syntaxhighlight>
# Ping IP 8.8.8.8
execute ping 8.8.8.8

# Ping from a specific interface IP
execute ping-options source 10.0.25.1

# Ping for a certain amount of times
execute ping-options repeat-count

# Traceroute to IP 1.1.1.1
execute traceroute 1.1.1.1

# List all available interfaces
diagnose netlink interface list

# Show detailed interface statistics
diagnose netlink interface list name <INTERFACE>
</syntaxhighlight>

=== VPN ===
* https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495/ipsec-vpn-troubleshooting
* https://www.fortinetguru.com/2017/10/ipsec-phase-2-parameters/
* https://docs.fortinet.com/document/fortigate/6.2.11/cookbook/031670/ikev2-ipsec-site-to-site-vpn-to-an-aws-vpn-gateway

<syntaxhighlight>
# Show phase 1 configuration for a specific interface.
show vpn ipsec phase1-interface <PHASE1NAME>

# Ping for a certain amount
show vpn ipsec phase2-interface <PHASE2NAME>

# Show summary of VPN tunnel when within a vDom
get vpn ipsec tunnel summary

# Show detailed phase 1 information of a VPN.
diagnose vpn ike gateway list name <Phase1name>
</syntaxhighlight>

<syntaxhighlight>
# Enable VPN phase-1 debug mode and display logs in the console
diagnose vpn ike log filter name <phase1-name>
diagnose debug app ike -1
diagnose debug enable

# Disable debug mode
diagnose debug disable
</syntaxhighlight>

=== Syslog ===
<section begin="fortinetsyslog"/>

<syntaxhighlight>
# Test logging capability
diag log test
</syntaxhighlight>

==== Custom UDP Configuration ====
Example has Syslog traffic going over a VPN-interface and an IP-address specified that's allowed to travel over it.

<syntaxhighlight>
config log syslogd setting
set status enable
set server "192.168.77.88"
set port 1514
set source-ip "192.168.77.1"
set interface-select-method specify
set interface "My_VPN_interface"
end
</syntaxhighlight>

==== TCP Configuration ====
The set mode command support multiple RFC-compliant Syslog message structures.

<syntaxhighlight>
config log syslogd setting
set status enable
set server "logger.brammerloo.nl"
set mode reliable
set port 1515
end
</syntaxhighlight>

<section end="fortinetsyslog"/>

Fortinet

2026-01-24T13:51:31Z

Patrick: /* Syslog */

Linux:Network

2026-01-23T16:08:42Z

Patrick: /* Routes */

[[Category:Cheatsheet]]

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

== Checks ==
=== Common ===
<syntaxhighlight lang="bash">
# List route table
route -n

# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s

# List iptable rules (Nftables)
iptables -nvL

# List iptable rules (Legacy iptables)
iptables-legacy -nvL

# Test specific IP and port combination for connectivity
telnet 172.16.2.1 22

# Wireshark on a specific interface to a file, listening on a local port and for a remote IP
tshark -p -i bond0 -w file.pcap -f "port 443 and host 172.16.16.25"

# List available routers
ip netns

# Show interfaces with an IPv4 address
ip -4 a

# Show interfaces with an IPv6 address
ip -6 a
</syntaxhighlight>

=== nmcli ===
<syntaxhighlight lang='bash'>
# Show all active network connections
nmcli connection show

# Show connection information for interface ens5
nmcli connection show ens5

# Show active and unactive network connections
nmcli dev status
</syntaxhighlight>

== Common configuration ==
=== Routing ===
<syntaxhighlight lang="bash">
# Add a route for 192.168.7.0/24 via a specific IP and interface
ip route add 192.168.7.0/24 via 192.168.7.199 dev eth0

# Delete the route we added previously
ip route del 192.168.7.0/24 via 192.168.7.199 dev eth0
</syntaxhighlight>

=== nmcli ===
'''nmtui''' is a GUI-tool for managing NetworkManager connections.

<syntaxhighlight lang='bash'>
# Bring logical interface ens6 up
nmcli device up ens6

# Turn off DHCP
nmcli con mod ens6 ipv4.method manual
nmcli con mod ens6 connection.autoconnect yes

# Add an IP-address to interface ens6
nmcli connection modify ens6 ipv4.address "192.168.0.10/24"

# Add DNS-servers to interface ens6
nmcli connection modify ens6 ipv4.dns "8.8.8.8,1.1.1.1,196.168.0.1"

# Add a gateway to interface ens6
nmcli con mod ens6 ipv4.gateway "192.168.0.1"

# Add a default route to interface ens160
nmcli connection modify ens160 +ipv4.routes "0.0.0.0/0 192.168.3.100"

# Remove an IP-address from interface ens6
nmcli con mod ens6 -ipv4.addresses 192.168.0.11/24

# Apply changes to interface ens
nmcli device reapply ens6
</syntaxhighlight>

== Network ==
=== RHEL ===
==== Generic Interface ====
<code> BOOTPROTO=static </code> for static address </br>
<code> BOOTPROTO=dhcp </code> for DHCP

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens128
DEVICE=ens128
NAME=ens128
HWADDR=ab:cd:ef:gh:ij:kl
UUID=0a8d3485-d512-46da-8225-19f4721813c1
BOOTPROTO=static
STARTMODE=auto
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
</syntaxhighlight>

==== Generic VLAN Interface ====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-eno2.100
VLAN=yes
TYPE=Vlan
PHYSDEV=eno2
VLAN_ID=100
NAME=eno2.100
BOOTPROTO=static
HWADDR=ab:cd:ef:gh:ij:kl
IPADDR=192.168.100.217
NETMASK=255.255.255.0
STARTMODE=auto
UUID=689cff6f-c750-4db7-936c-234fb80b6018
GATEWAY=192.168.100.1
</syntaxhighlight>

==== VLAN Bond interface configuration ====
===== Virtual Bond Master =====
<syntaxhighlight lang='bash'>
BONDING_OPTS="mode=802.3ad miimon=100"
TYPE=Bond
BONDING_MASTER=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6INIT=no
NAME=bond0
UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
DEVICE=bond0
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
AUTOCONNECT_SLAVES=yes
MTU=1500
</syntaxhighlight>

===== Physical bond Slaves =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens1
TYPE=Ethernet
NAME=ens1
UUID=c6a4da43-b84a-44f4-b49f-4bdc717d4238
DEVICE=ens1
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens2
TYPE=Ethernet
NAME=ens2
UUID=ca09a126-a082-4620-a920-be45269e5d8a
DEVICE=ens2
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

===== VLAN 100 Interface =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-vlan-bond0.100
VLAN=yes
TYPE=Vlan
PHYSDEV=bond0
VLAN_ID=100
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.100.10
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=vlan-bond0.100
UUID=83b0e31c-9a9f-47da-9dc6-645796bc47aa
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
GATEWAY=192.168.100.1
</syntaxhighlight>

=== Ubuntu/Debian ===
==== Netplan ====
<syntaxhighlight lang='bash'>
# Apply the configuration, but if the dialogue is left unconfirmed, the configuration will be reverted.
netplan try

# Apply the configuration
netplan apply
</syntaxhighlight>

===== Generic DCHP interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
</syntaxhighlight>

Generic DHCP Interfaces, but while ignoring the routes for an Interface and disabling DHCP on the other.
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
dhcp4-overrides:
use-routes: false
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
ens5:
# Some info about the Interface/why does it exist
dhcp4: no
match:
macaddress: fa:16:cc:dd:ee
set-name: ens5
</syntaxhighlight>

===== Generic static interface =====
You may have to disable automatic network-configuration:
<syntaxhighlight lang='yaml'>
sudo bash -c 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens7:
addresses:
- 192.168.0.23/24
match:
macaddress: ab:cd:ef:gh:ij:kl
mtu: 1500
set-name: ens7
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
routes:
- to: default
via: 192.168.0.1
</syntaxhighlight>

===== VLAN Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno1: {}
vlans:
eno1.10:
id: 10
link: eno1
addresses: [192.168.1.1/24]
eno1.20:
id: 20
link: eno1
addresses: [192.168.2.1/24]
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.2.1
eno1.30:
id: 30
link: eno1
addresses: [192.168.3.1/24]
</syntaxhighlight>

===== Empty Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno2:
dhcp4: false
dhcp6: false
</syntaxhighlight>

==== Interface files ====
Classic <code>/etc/network/interfaces.d</code> files i.e. <code> /etc/network/interfaces.d/ens200.conf </code>
Otherwise use <code>/etc/network/interfaces </code>

===== Generic IPv4 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens160.conf
auto ens160
iface ens160 inet static
address 192.168.23.7
netmask 255.255.255.0
gateway 192.168.23.1
</syntaxhighlight>

===== Generic IPv6 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens3.conf
iface ens3 inet6 static
address abcd:defg:0:1234:5123:abcd:abcd:1234
netmask 48
gateway abcd:defg::1
</syntaxhighlight>

===== Bond =====
<syntaxhighlight lang='bash'>
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto bond0
iface bond0 inet static
address 192.168.39.245
gateway 192.168.39.254
network 255.255.255.0
bond-slaves eno1 eno2
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
</syntaxhighlight>

Linux:Network

2026-01-23T16:08:35Z

Patrick:

[[Category:Cheatsheet]]

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

== Checks ==
=== Common ===
<syntaxhighlight lang="bash">
# List route table
route -n

# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s

# List iptable rules (Nftables)
iptables -nvL

# List iptable rules (Legacy iptables)
iptables-legacy -nvL

# Test specific IP and port combination for connectivity
telnet 172.16.2.1 22

# Wireshark on a specific interface to a file, listening on a local port and for a remote IP
tshark -p -i bond0 -w file.pcap -f "port 443 and host 172.16.16.25"

# List available routers
ip netns

# Show interfaces with an IPv4 address
ip -4 a

# Show interfaces with an IPv6 address
ip -6 a
</syntaxhighlight>

=== nmcli ===
<syntaxhighlight lang='bash'>
# Show all active network connections
nmcli connection show

# Show connection information for interface ens5
nmcli connection show ens5

# Show active and unactive network connections
nmcli dev status
</syntaxhighlight>

== Common configuration ==
=== Routes ===
<syntaxhighlight lang="bash">
# Add a route for 192.168.7.0/24 via a specific IP and interface
ip route add 192.168.7.0/24 via 192.168.7.199 dev eth0

# Delete the route we added previously
ip route del 192.168.7.0/24 via 192.168.7.199 dev eth0
</syntaxhighlight>

=== nmcli ===
'''nmtui''' is a GUI-tool for managing NetworkManager connections.

<syntaxhighlight lang='bash'>
# Bring logical interface ens6 up
nmcli device up ens6

# Turn off DHCP
nmcli con mod ens6 ipv4.method manual
nmcli con mod ens6 connection.autoconnect yes

# Add an IP-address to interface ens6
nmcli connection modify ens6 ipv4.address "192.168.0.10/24"

# Add DNS-servers to interface ens6
nmcli connection modify ens6 ipv4.dns "8.8.8.8,1.1.1.1,196.168.0.1"

# Add a gateway to interface ens6
nmcli con mod ens6 ipv4.gateway "192.168.0.1"

# Add a default route to interface ens160
nmcli connection modify ens160 +ipv4.routes "0.0.0.0/0 192.168.3.100"

# Remove an IP-address from interface ens6
nmcli con mod ens6 -ipv4.addresses 192.168.0.11/24

# Apply changes to interface ens
nmcli device reapply ens6
</syntaxhighlight>

== Network ==
=== RHEL ===
==== Generic Interface ====
<code> BOOTPROTO=static </code> for static address </br>
<code> BOOTPROTO=dhcp </code> for DHCP

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens128
DEVICE=ens128
NAME=ens128
HWADDR=ab:cd:ef:gh:ij:kl
UUID=0a8d3485-d512-46da-8225-19f4721813c1
BOOTPROTO=static
STARTMODE=auto
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
</syntaxhighlight>

==== Generic VLAN Interface ====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-eno2.100
VLAN=yes
TYPE=Vlan
PHYSDEV=eno2
VLAN_ID=100
NAME=eno2.100
BOOTPROTO=static
HWADDR=ab:cd:ef:gh:ij:kl
IPADDR=192.168.100.217
NETMASK=255.255.255.0
STARTMODE=auto
UUID=689cff6f-c750-4db7-936c-234fb80b6018
GATEWAY=192.168.100.1
</syntaxhighlight>

==== VLAN Bond interface configuration ====
===== Virtual Bond Master =====
<syntaxhighlight lang='bash'>
BONDING_OPTS="mode=802.3ad miimon=100"
TYPE=Bond
BONDING_MASTER=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6INIT=no
NAME=bond0
UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
DEVICE=bond0
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
AUTOCONNECT_SLAVES=yes
MTU=1500
</syntaxhighlight>

===== Physical bond Slaves =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens1
TYPE=Ethernet
NAME=ens1
UUID=c6a4da43-b84a-44f4-b49f-4bdc717d4238
DEVICE=ens1
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens2
TYPE=Ethernet
NAME=ens2
UUID=ca09a126-a082-4620-a920-be45269e5d8a
DEVICE=ens2
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

===== VLAN 100 Interface =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-vlan-bond0.100
VLAN=yes
TYPE=Vlan
PHYSDEV=bond0
VLAN_ID=100
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.100.10
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=vlan-bond0.100
UUID=83b0e31c-9a9f-47da-9dc6-645796bc47aa
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
GATEWAY=192.168.100.1
</syntaxhighlight>

=== Ubuntu/Debian ===
==== Netplan ====
<syntaxhighlight lang='bash'>
# Apply the configuration, but if the dialogue is left unconfirmed, the configuration will be reverted.
netplan try

# Apply the configuration
netplan apply
</syntaxhighlight>

===== Generic DCHP interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
</syntaxhighlight>

Generic DHCP Interfaces, but while ignoring the routes for an Interface and disabling DHCP on the other.
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
dhcp4-overrides:
use-routes: false
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
ens5:
# Some info about the Interface/why does it exist
dhcp4: no
match:
macaddress: fa:16:cc:dd:ee
set-name: ens5
</syntaxhighlight>

===== Generic static interface =====
You may have to disable automatic network-configuration:
<syntaxhighlight lang='yaml'>
sudo bash -c 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens7:
addresses:
- 192.168.0.23/24
match:
macaddress: ab:cd:ef:gh:ij:kl
mtu: 1500
set-name: ens7
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
routes:
- to: default
via: 192.168.0.1
</syntaxhighlight>

===== VLAN Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno1: {}
vlans:
eno1.10:
id: 10
link: eno1
addresses: [192.168.1.1/24]
eno1.20:
id: 20
link: eno1
addresses: [192.168.2.1/24]
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.2.1
eno1.30:
id: 30
link: eno1
addresses: [192.168.3.1/24]
</syntaxhighlight>

===== Empty Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno2:
dhcp4: false
dhcp6: false
</syntaxhighlight>

==== Interface files ====
Classic <code>/etc/network/interfaces.d</code> files i.e. <code> /etc/network/interfaces.d/ens200.conf </code>
Otherwise use <code>/etc/network/interfaces </code>

===== Generic IPv4 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens160.conf
auto ens160
iface ens160 inet static
address 192.168.23.7
netmask 255.255.255.0
gateway 192.168.23.1
</syntaxhighlight>

===== Generic IPv6 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens3.conf
iface ens3 inet6 static
address abcd:defg:0:1234:5123:abcd:abcd:1234
netmask 48
gateway abcd:defg::1
</syntaxhighlight>

===== Bond =====
<syntaxhighlight lang='bash'>
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto bond0
iface bond0 inet static
address 192.168.39.245
gateway 192.168.39.254
network 255.255.255.0
bond-slaves eno1 eno2
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
</syntaxhighlight>

Linux:Network

2026-01-23T16:06:48Z

Patrick: /* Config changes */

[[Category:Cheatsheet]]

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

== Checks ==
=== Common ===
<syntaxhighlight lang="bash">
# List route table
route -n

# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s

# List iptable rules (Nftables)
iptables -nvL

# List iptable rules (Legacy iptables)
iptables-legacy -nvL

# Test specific IP and port combination for connectivity
telnet 172.16.2.1 22

# Wireshark on a specific interface to a file, listening on a local port and for a remote IP
tshark -p -i bond0 -w file.pcap -f "port 443 and host 172.16.16.25"

# List available routers
ip netns

# Show interfaces with an IPv4 address
ip -4 a

# Show interfaces with an IPv6 address
ip -6 a
</syntaxhighlight>

== Common configuration ==
=== Routes ===
<syntaxhighlight lang="bash">
# Add a route for 192.168.7.0/24 via a specific IP and interface
ip route add 192.168.7.0/24 via 192.168.7.199 dev eth0

# Delete the route we added previously
ip route del 192.168.7.0/24 via 192.168.7.199 dev eth0
</syntaxhighlight>

== Network ==
=== NetworkManager ===
'''nmtui''' is a GUI-tool for managing NetworkManager connections.

==== Checks ====
<syntaxhighlight lang='bash'>
# Show all active network connections
nmcli connection show

# Show connection information for interface ens5
nmcli connection show ens5

# Show active and unactive network connections
nmcli dev status
</syntaxhighlight>

==== nmcli ====
<syntaxhighlight lang='bash'>
# Bring logical interface ens6 up
nmcli device up ens6

# Turn off DHCP
nmcli con mod ens6 ipv4.method manual
nmcli con mod ens6 connection.autoconnect yes

# Add an IP-address to interface ens6
nmcli connection modify ens6 ipv4.address "192.168.0.10/24"

# Add DNS-servers to interface ens6
nmcli connection modify ens6 ipv4.dns "8.8.8.8,1.1.1.1,196.168.0.1"

# Add a gateway to interface ens6
nmcli con mod ens6 ipv4.gateway "192.168.0.1"

# Add a default route to interface ens160
nmcli connection modify ens160 +ipv4.routes "0.0.0.0/0 192.168.3.100"

# Remove an IP-address from interface ens6
nmcli con mod ens6 -ipv4.addresses 192.168.0.11/24

# Apply changes to interface ens
nmcli device reapply ens6
</syntaxhighlight>

=== RHEL ===
==== Generic Interface ====
<code> BOOTPROTO=static </code> for static address </br>
<code> BOOTPROTO=dhcp </code> for DHCP

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens128
DEVICE=ens128
NAME=ens128
HWADDR=ab:cd:ef:gh:ij:kl
UUID=0a8d3485-d512-46da-8225-19f4721813c1
BOOTPROTO=static
STARTMODE=auto
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
</syntaxhighlight>

==== Generic VLAN Interface ====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-eno2.100
VLAN=yes
TYPE=Vlan
PHYSDEV=eno2
VLAN_ID=100
NAME=eno2.100
BOOTPROTO=static
HWADDR=ab:cd:ef:gh:ij:kl
IPADDR=192.168.100.217
NETMASK=255.255.255.0
STARTMODE=auto
UUID=689cff6f-c750-4db7-936c-234fb80b6018
GATEWAY=192.168.100.1
</syntaxhighlight>

==== VLAN Bond interface configuration ====
===== Virtual Bond Master =====
<syntaxhighlight lang='bash'>
BONDING_OPTS="mode=802.3ad miimon=100"
TYPE=Bond
BONDING_MASTER=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6INIT=no
NAME=bond0
UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
DEVICE=bond0
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
AUTOCONNECT_SLAVES=yes
MTU=1500
</syntaxhighlight>

===== Physical bond Slaves =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens1
TYPE=Ethernet
NAME=ens1
UUID=c6a4da43-b84a-44f4-b49f-4bdc717d4238
DEVICE=ens1
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens2
TYPE=Ethernet
NAME=ens2
UUID=ca09a126-a082-4620-a920-be45269e5d8a
DEVICE=ens2
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

===== VLAN 100 Interface =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-vlan-bond0.100
VLAN=yes
TYPE=Vlan
PHYSDEV=bond0
VLAN_ID=100
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.100.10
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=vlan-bond0.100
UUID=83b0e31c-9a9f-47da-9dc6-645796bc47aa
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
GATEWAY=192.168.100.1
</syntaxhighlight>

=== Ubuntu/Debian ===
==== Netplan ====
<syntaxhighlight lang='bash'>
# Apply the configuration, but if the dialogue is left unconfirmed, the configuration will be reverted.
netplan try

# Apply the configuration
netplan apply
</syntaxhighlight>

===== Generic DCHP interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
</syntaxhighlight>

Generic DHCP Interfaces, but while ignoring the routes for an Interface and disabling DHCP on the other.
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
dhcp4-overrides:
use-routes: false
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
ens5:
# Some info about the Interface/why does it exist
dhcp4: no
match:
macaddress: fa:16:cc:dd:ee
set-name: ens5
</syntaxhighlight>

===== Generic static interface =====
You may have to disable automatic network-configuration:
<syntaxhighlight lang='yaml'>
sudo bash -c 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens7:
addresses:
- 192.168.0.23/24
match:
macaddress: ab:cd:ef:gh:ij:kl
mtu: 1500
set-name: ens7
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
routes:
- to: default
via: 192.168.0.1
</syntaxhighlight>

===== VLAN Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno1: {}
vlans:
eno1.10:
id: 10
link: eno1
addresses: [192.168.1.1/24]
eno1.20:
id: 20
link: eno1
addresses: [192.168.2.1/24]
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.2.1
eno1.30:
id: 30
link: eno1
addresses: [192.168.3.1/24]
</syntaxhighlight>

===== Empty Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno2:
dhcp4: false
dhcp6: false
</syntaxhighlight>

==== Interface files ====
Classic <code>/etc/network/interfaces.d</code> files i.e. <code> /etc/network/interfaces.d/ens200.conf </code>
Otherwise use <code>/etc/network/interfaces </code>

===== Generic IPv4 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens160.conf
auto ens160
iface ens160 inet static
address 192.168.23.7
netmask 255.255.255.0
gateway 192.168.23.1
</syntaxhighlight>

===== Generic IPv6 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens3.conf
iface ens3 inet6 static
address abcd:defg:0:1234:5123:abcd:abcd:1234
netmask 48
gateway abcd:defg::1
</syntaxhighlight>

===== Bond =====
<syntaxhighlight lang='bash'>
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto bond0
iface bond0 inet static
address 192.168.39.245
gateway 192.168.39.254
network 255.255.255.0
bond-slaves eno1 eno2
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
</syntaxhighlight>

Linux:Network

2026-01-23T16:06:16Z

Patrick: /* Common */

[[Category:Cheatsheet]]

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

== Checks ==
=== Common ===
<syntaxhighlight lang="bash">
# List route table
route -n

# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s

# List iptable rules (Nftables)
iptables -nvL

# List iptable rules (Legacy iptables)
iptables-legacy -nvL

# Test specific IP and port combination for connectivity
telnet 172.16.2.1 22

# Wireshark on a specific interface to a file, listening on a local port and for a remote IP
tshark -p -i bond0 -w file.pcap -f "port 443 and host 172.16.16.25"

# List available routers
ip netns

# Show interfaces with an IPv4 address
ip -4 a

# Show interfaces with an IPv6 address
ip -6 a
</syntaxhighlight>

=== Config changes ===
<syntaxhighlight lang="bash">
# Add a route for 192.168.7.0/24 via a specific IP and interface
ip route add 192.168.7.0/24 via 192.168.7.199 dev eth0

# Delete the route we added previously
ip route del 192.168.7.0/24 via 192.168.7.199 dev eth0
</syntaxhighlight>

== Network ==
=== NetworkManager ===
'''nmtui''' is a GUI-tool for managing NetworkManager connections.

==== Checks ====
<syntaxhighlight lang='bash'>
# Show all active network connections
nmcli connection show

# Show connection information for interface ens5
nmcli connection show ens5

# Show active and unactive network connections
nmcli dev status
</syntaxhighlight>

==== nmcli ====
<syntaxhighlight lang='bash'>
# Bring logical interface ens6 up
nmcli device up ens6

# Turn off DHCP
nmcli con mod ens6 ipv4.method manual
nmcli con mod ens6 connection.autoconnect yes

# Add an IP-address to interface ens6
nmcli connection modify ens6 ipv4.address "192.168.0.10/24"

# Add DNS-servers to interface ens6
nmcli connection modify ens6 ipv4.dns "8.8.8.8,1.1.1.1,196.168.0.1"

# Add a gateway to interface ens6
nmcli con mod ens6 ipv4.gateway "192.168.0.1"

# Add a default route to interface ens160
nmcli connection modify ens160 +ipv4.routes "0.0.0.0/0 192.168.3.100"

# Remove an IP-address from interface ens6
nmcli con mod ens6 -ipv4.addresses 192.168.0.11/24

# Apply changes to interface ens
nmcli device reapply ens6
</syntaxhighlight>

=== RHEL ===
==== Generic Interface ====
<code> BOOTPROTO=static </code> for static address </br>
<code> BOOTPROTO=dhcp </code> for DHCP

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens128
DEVICE=ens128
NAME=ens128
HWADDR=ab:cd:ef:gh:ij:kl
UUID=0a8d3485-d512-46da-8225-19f4721813c1
BOOTPROTO=static
STARTMODE=auto
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
</syntaxhighlight>

==== Generic VLAN Interface ====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-eno2.100
VLAN=yes
TYPE=Vlan
PHYSDEV=eno2
VLAN_ID=100
NAME=eno2.100
BOOTPROTO=static
HWADDR=ab:cd:ef:gh:ij:kl
IPADDR=192.168.100.217
NETMASK=255.255.255.0
STARTMODE=auto
UUID=689cff6f-c750-4db7-936c-234fb80b6018
GATEWAY=192.168.100.1
</syntaxhighlight>

==== VLAN Bond interface configuration ====
===== Virtual Bond Master =====
<syntaxhighlight lang='bash'>
BONDING_OPTS="mode=802.3ad miimon=100"
TYPE=Bond
BONDING_MASTER=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6INIT=no
NAME=bond0
UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
DEVICE=bond0
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
AUTOCONNECT_SLAVES=yes
MTU=1500
</syntaxhighlight>

===== Physical bond Slaves =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens1
TYPE=Ethernet
NAME=ens1
UUID=c6a4da43-b84a-44f4-b49f-4bdc717d4238
DEVICE=ens1
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens2
TYPE=Ethernet
NAME=ens2
UUID=ca09a126-a082-4620-a920-be45269e5d8a
DEVICE=ens2
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

===== VLAN 100 Interface =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-vlan-bond0.100
VLAN=yes
TYPE=Vlan
PHYSDEV=bond0
VLAN_ID=100
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.100.10
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=vlan-bond0.100
UUID=83b0e31c-9a9f-47da-9dc6-645796bc47aa
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
GATEWAY=192.168.100.1
</syntaxhighlight>

=== Ubuntu/Debian ===
==== Netplan ====
<syntaxhighlight lang='bash'>
# Apply the configuration, but if the dialogue is left unconfirmed, the configuration will be reverted.
netplan try

# Apply the configuration
netplan apply
</syntaxhighlight>

===== Generic DCHP interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
</syntaxhighlight>

Generic DHCP Interfaces, but while ignoring the routes for an Interface and disabling DHCP on the other.
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
dhcp4-overrides:
use-routes: false
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
ens5:
# Some info about the Interface/why does it exist
dhcp4: no
match:
macaddress: fa:16:cc:dd:ee
set-name: ens5
</syntaxhighlight>

===== Generic static interface =====
You may have to disable automatic network-configuration:
<syntaxhighlight lang='yaml'>
sudo bash -c 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens7:
addresses:
- 192.168.0.23/24
match:
macaddress: ab:cd:ef:gh:ij:kl
mtu: 1500
set-name: ens7
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
routes:
- to: default
via: 192.168.0.1
</syntaxhighlight>

===== VLAN Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno1: {}
vlans:
eno1.10:
id: 10
link: eno1
addresses: [192.168.1.1/24]
eno1.20:
id: 20
link: eno1
addresses: [192.168.2.1/24]
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.2.1
eno1.30:
id: 30
link: eno1
addresses: [192.168.3.1/24]
</syntaxhighlight>

===== Empty Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno2:
dhcp4: false
dhcp6: false
</syntaxhighlight>

==== Interface files ====
Classic <code>/etc/network/interfaces.d</code> files i.e. <code> /etc/network/interfaces.d/ens200.conf </code>
Otherwise use <code>/etc/network/interfaces </code>

===== Generic IPv4 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens160.conf
auto ens160
iface ens160 inet static
address 192.168.23.7
netmask 255.255.255.0
gateway 192.168.23.1
</syntaxhighlight>

===== Generic IPv6 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens3.conf
iface ens3 inet6 static
address abcd:defg:0:1234:5123:abcd:abcd:1234
netmask 48
gateway abcd:defg::1
</syntaxhighlight>

===== Bond =====
<syntaxhighlight lang='bash'>
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto bond0
iface bond0 inet static
address 192.168.39.245
gateway 192.168.39.254
network 255.255.255.0
bond-slaves eno1 eno2
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
</syntaxhighlight>

Linux:Scripts

2026-01-03T08:04:42Z

Patrick:

[[Category:Cheatsheet]]

== Pointers ==
* Lowercase or Camelcase only: all BASH variables are uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [[]] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T16:58:37Z

Patrick: /* Testing - [] */

[[Category:Cheatsheet]]

== Pointers ==
* Lowercase or and Upper+lowercase variables only - all BASH variables use uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [[]] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [[]] to compare values and types, using expressions
man test
[[ -d "$MyDirectoryVariable" ]]

# Combine testing with an if statement
if [[ $(echo "world") == "world" ]]; then
echo -e "all is bad in da world"
else
echo -e "all is good"
fi
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T16:55:54Z

Patrick: /* Testing - [] */

[[Category:Cheatsheet]]

== Pointers ==
* Lowercase or and Upper+lowercase variables only - all BASH variables use uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [] to compare values and types, using expressions
man test
if [ -d "$MyDirectoryVariable" ]
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If directory exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -d "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T15:08:59Z

Patrick:

[[Category:Cheatsheet]]

== Pointers ==
* Lowercase or and Upper+lowercase variables only - all BASH variables use uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [] to compare values and types, using expressions
man test
if [ -d "$MyDirectoryVariable" ]
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If file exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -f "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T15:08:50Z

Patrick:

[[Category:Cheatsheet]]

== Pointers ==
* Lowercaseor or and Upper+lowercase variables only - all BASH variables use uppercase, so don't get in their way!

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [] to compare values and types, using expressions
man test
if [ -d "$MyDirectoryVariable" ]
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If file exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -f "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T12:59:35Z

Patrick: /* Template */

[[Category:Cheatsheet]]

== Template ==
Script with a single passed variable, description and common exit-protocols.

<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [] to compare values and types, using expressions
man test
if [ -d "$MyDirectoryVariable" ]
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If file exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -f "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Scripts

2026-01-02T12:59:15Z

Patrick: /* Template */

[[Category:Cheatsheet]]

== Template ==
<syntaxhighlight lang='bash'>
#!/usr/bin/env bash

set -o errexit # Exit on error, do not continue running the script
set -o nounset # Trying to access a variable that has not been set generates an error
set -o pipefail # When a pipe fails generate an error

if [[ "${1-}" =~ ^-*h(elp)?$ ]] || [[ "$#" -eq 0 ]] ; then
echo ""
echo 'Usage: myscript.sh value1

This is the description of my script.
'
exit
echo ""
fi
</syntaxhighlight>

== Testing - [] ==
<syntaxhighlight lang='bash'>
# Use the test functionality [] to compare values and types, using expressions
man test
if [ -d "$MyDirectoryVariable" ]
</syntaxhighlight>

<pre>
https://stackoverflow.com/questions/638975/how-do-i-tell-if-a-file-does-not-exist-in-bash

FILE=/home/javier/wopper.txt
[ -b "$FILE" ] = Block special file
[ -c "$FILE" ] = Special character file
[ -d "$FILE" ] = If file exists
[ -e "$FILE" ] = Check for file existence, regardless of type (node, directory, socket, etc.)
[ -f "$FILE" ] = Check for regular file existence not a directory
[ -G "$FILE" ] = Check if file exists and is owned by effective group ID
[ -G "$FILE" ] = set-group-id - True if file exists and is set-group-id
[ -k "$FILE" ] = Sticky bit
[ -L "$FILE" ] = Symbolic link
[ -O "$FILE" ] = True if file exists and is owned by the effective user id
[ -r "$FILE" ] = Check if file is a readable
[ -S "$FILE" ] = Check if file is socket
[ -s "$FILE" ] = Check if file is nonzero size
[ -u "$FILE" ] = Check if file set-user-id bit is set
[ -w "$FILE" ] = Check if file is writable
[ -x "$FILE" ] = Check if file is executable

FOLDER=/home/javier/
[ -f "$FOLDER" ] = If directory exists
</pre>

== Common syntax ==
=== for ===
<syntaxhighlight lang='bash'>
# Execute a command for all objects within this folder and all subdirectories
for i in *; do du -h "$i" ; done

# Execute a command x amount of times based on $i
for((i=1;i<=5;++i)); do dd if=/dev/zero of=myshare/file-$i bs=1M count=1; done

# Shell script version - Execute a command x amount of times based on $i
for((i=1;i<=5;++i)) do
echo $i
done
</syntaxhighlight>

=== if ===
==== Examples ====
<syntaxhighlight lang='bash'>
FILE=~/todo.txt
if [ -f "$FILE" ]; then
cat "~/todo.txt"
else
echo "You don't have the file, so you should make it."
fi
</syntaxhighlight>

<syntaxhighlight lang='bash'>
USER=$(whoami)
FILE=~/todo.txt

if [ "$USER" != "root" -a -f "$FILE" ]; then
echo "You're a normal user, you do have the file and this is its output:"
cat "$FILE"
elif [ "$USER" != "root" -a ! -f "$FILE" ]; then
echo "You're a normal user, you don't have the file, so you should make it."
fi
</syntaxhighlight>

== Scripts ==
=== SSH ===
==== centos-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./centos-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
useradd -m ${USER} -G wheel

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

==== ubuntu-create-user.sh ====
<syntaxhighlight lang="bash">
#!/bin/bash
# Execute as root
# Usage: ./ubuntu-create-user.sh USER

USER="$1"

echo "Creating user ${USER}"
adduser ${USER} --disabled-password

echo "Adding ${USER} to the sudo group"
usermod -aG sudo ${USER}

echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/${USER}/.ssh

cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
# PUT ANY KEYS IN HERE
# KEY-1
# KEY-2
# KEY-3
EOF

chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys

# EOF
</syntaxhighlight>

=== Mail ===
==== Automatic sendmail ====
<syntaxhighlight lang="bash">
#!/bin/bash
#requires: date,sendmail
function fappend {
echo "$2">>$1;
}
YYYYMMDD=`date +%Y%m%d`

# CHANGE THESE
TOEMAIL="ADMINISTRATOR@MYDOMAIN.COM";
FREMAIL="FROMNOREPLY@MYDOMAIN.com";
SUBJECT="E-mail Subject";
MSGBODY=$(Command);

# DON'T CHANGE ANYTHING BELOW
TMP=`mktemp`

rm -rf $TMP;
fappend $TMP "From: $FREMAIL";
fappend $TMP "To: $TOEMAIL";
fappend $TMP "Reply-To: $FREMAIL";
fappend $TMP "Subject: $SUBJECT";
fappend $TMP "";
fappend $TMP "$MSGBODY";
fappend $TMP "";
fappend $TMP "";
cat $TMP|/usr/sbin/sendmail -t;
rm $TMP;
</syntaxhighlight>

Linux:Services

2025-11-20T15:18:02Z

Patrick: /* smbd / Samba / CIFS */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Write all local messages to a specific file
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
</syntaxhighlight>

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 but specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request DHCP addresses where applicable
dhclient

# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v

# Release a DHCP lease
dhclient -r
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Checks ====
<syntaxhighlight lang="bash">
# List available shares on an IP or host
smbclient -L //172.17.0.2

# Samba status checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-29T13:33:55Z

Patrick: /* dhclient */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Write all local messages to a specific file
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
</syntaxhighlight>

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 but specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request DHCP addresses where applicable
dhclient

# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v

# Release a DHCP lease
dhclient -r
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux

2025-10-28T15:39:32Z

Patrick: /* Create users and SSH access */

[[Category:Cheatsheet]]

This page is or will soon be an amalgamation of content from other pages
* [[Linux:Filesystems]]
* [[Linux:Services]]

* [[Linux:Bash]]
* [[Linux:Scripting]]
* [[Linux:Network]]
* [[Linux:Tools]]

== Basics ==
{{#lst:Linux:Bash|bashbasics}}

[[:Linux:Bash#Shortcuts]]

== Common checks ==
=== Monitoring ===
<syntaxhighlight lang="bash">
# See CPU + RAM usage, system stats and open processes
top

# Only list processes making active use of the CPU
top -i

# Only list processes making active use of the CPU, and include the entire command being instead of just the tool-name
top -ci

# Prettier version of top that can be customized
htop

# Reimagined version of top, includes network and disk usage by default
btop

# Reimagined version of top that shows DISK READ and WRITE
iotop

# List all running processes
ps aux
</syntaxhighlight>

=== Systemd ===
<syntaxhighlight lang="bash">
# Open journalctl at the beginning
journalctl -b

# Open journalctl at the end
journalctl -e

# Open journalctl but include service information
journalctl -x

# Show journalctl logs for the sshd service, starting from the end
journalctl -u sshd -e

# Output contents directly to the shell
journalctl --no-pager
</syntaxhighlight>

=== OS & Distribution ===
<syntaxhighlight lang="bash">
# Print OS and host information
hostnamectl

# Show OS and distribution information
cat /proc/version

# Show OS and distribution information
cat /etc/os-release

# Print distribution-specific information
lsb_release -a
</syntaxhighlight>

=== Hardware & kernel ===
<syntaxhighlight lang="bash">
# List installed kernel modules
lsmod

# Print Kernel messages
dmesg

# Print Kernel messages with humanized timestamps
dmesg -T

# SCSI hardware information
cat /proc/scsi/scsi

# Print hardware/BIOS information
dmidecode

# Print hardware/BIOS information of a specific type
dmidecode -t 1

# List all connected hardware
lshw

# List physical network hardware
lshw -short -class network

# List physical memory hardware
lshw -class memory

# Show PCI information
lspci

# Show verbose PCI information
lspci -v

# Show GPU info
lshw -C display

# List all block/filesystem devices
lsblk

# List block devices and partition tables
fdisk -l
</syntaxhighlight>

=== Pacemaker ===
<syntaxhighlight lang="bash">
# Show status of the pacemaker cluster
pcs cluster status

# Show status of the pacemaker service
pcs status

# Show configured pacemaker resources
pcs resource config

# Show a specific configured resource
pcs resource show ResourceNameHere
</syntaxhighlight>

== Services ==
{{#lst:Linux:Services#Services|linuxservices}}
[[:Linux:Services]]

== Filesystems ==
{{#lst:Linux:Filesystems|linuxfilesystems}}
[[:Linux:Filesystems]]

== User management ==
<syntaxhighlight lang="bash">
# Create the books group
groupadd books

# Make myrthe part of the "philosophy" and "books" groups
usermod myrthe -aG philosophy,books

# See the groups myrthe is part of
groups myrthe

# The owner gains full control, group and everyone may: read, write and execute
chmod 755 /home/ring/gollum.txt

# Make ballrog the owner of the /data/sf4/cup folder
chown ballrog:ballrog /data/sf4/cup

# Make all files located anywhere within the .ssh, owned by the stalin user and soviet group
chown -R stalin:soviet /home/stalin/.ssh

# Delete the simba user and include his home folder and mail spool
userdel -r simba
</syntaxhighlight>

=== Create users and SSH access ===
==== Useradd ====
===== Variant #1 - RHEL =====
<syntaxhighlight lang="bash">
USER="danielle"

# Create user with a home-folder and add him to the wheel group
useradd -m -G wheel --shell /bin/bash ${USER}

# Create an SSH folder
mkdir -p /home/${USER}/.ssh

# Add a public key
cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
ssh-ed25519 123980idfas89132hadsckjh871234
EOF

# Set proper permissions for the .ssh folder and authorized_keys
chown -R ${USER}:${USER} /home/${USER}/.ssh
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys
</syntaxhighlight>

===== Variant #2 - UBUNTU =====
<syntaxhighlight lang="bash">
USER="dylan"

# Create the admin group if it does not exist already
groupadd admin

# Create a group that is the same as the username
groupadd ${USER}

# Create user with a home-folder, set the primary group to his own group and add him to the admin group in addition, set default shell to /bin/bash
useradd -m -g ${USER} -G admin --shell /bin/bash ${USER}

# Create an SSH folder
mkdir -p /home/${USER}/.ssh

# Add the public key
cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
ssh-ed25519 AAAqhwekhakdhslsh8712398 keyname
EOF

# Set proper permissions for user and .ssh folder and authorized_keys
chown -R ${USER}:${USER} /home/${USER}/
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys
</syntaxhighlight>

===== Adduser variant - Ubuntu =====
Create regular user and configure/add SSH public key:
<syntaxhighlight lang="bash">
USER="dylan"

# Create user and homefolder with a disabled password
adduser --disabled-password ${USER}

# Give the user sudo rights, do mind that you disabled his password in the previous command
usermod -aG sudo ${USER}

# Create an SSH folder
mkdir -p /home/${USER}/.ssh

# Add a public key
cat << 'EOF' >> /home/${USER}/.ssh/authorized_keys
ssh-ed25519 123980idfas89132hadsckjh871234
EOF

# Set proper permissions for user and .ssh folder and authorized_keys
chown -R ${USER}:${USER} /home/${USER}/
chmod 700 /home/${USER}/.ssh
chmod 600 /home/${USER}/.ssh/authorized_keys
</syntaxhighlight>

==== Add Root user SSH keys ====
Add/configure SSH public key for root user, assuming no .ssh folder/file exists
<syntaxhighlight lang="bash">
# Add SSH-keys for root user
echo "Creating authorized keys file and setting rights for root user"
mkdir -p /root/.ssh

# Add the following SSH keys to root
cat << 'EOF' >> /root/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1askdjasdsadsad mykeyname
EOF

chown -R root:root /root/.ssh
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
</syntaxhighlight>

==== Add regular user SSH keys ====
Add/configure SSH public key for a regular user, assuming no .ssh folder/file exists
<syntaxhighlight lang="bash">
USER="greed"

# Add SSH-keys to the defined user
echo "Creating authorized keys file and settings rights for ${USER} user"
mkdir -p /home/$USER/.ssh

# Add normal user SSH keys
cat << 'EOF' >> /home/$USER/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1askdjasdsadsad mykeyname
EOF

chown -R ${USER}:${USER} /home/$USER/.ssh
chmod 700 /home/$USER/.ssh
chmod 600 /home/$USER/.ssh/authorized_keys
</syntaxhighlight>

=== Sudoers ===
* https://www.networkworld.com/article/3237946/building-command-groups-with-sudo.html

Concerns '''/etc/sudoers'''

<syntaxhighlight lang="bash">
# Allow user jabami to execute any command, without specifying a passwd
jabami ALL=(ALL) NOPASSWD: ALL

# Allow user "chris" to perform the 2 given commands with sudo, no password.
## Define user and associate the command group variable "UPDATE_CMDS"
chris ALL=(ALL) NOPASSWD: UPDATE_CMDS

## Define commands for the "UPDATE_CMDS" and "UPDATE_CMDS2" variables
Cmnd_Alias UPDATE_CMDS = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias UPDATE_CMDS2 = /usr/bin/apt-get update, /usr/bin/apt-get upgrade

# Allow members of the group "researchers" to perform the commands in "UPDATE_CMDS2" with sudo rights, no password.
## User alias specification
%researchers ALL=(ALL) NOPASSWD: UPDATE_CMDS2
</syntaxhighlight>

== Other ==
=== Performance tests ===
=== Network bandwidth & throughput ===
<syntaxhighlight lang="bash">
# Test bandwidth throughput with iperf
# Listen on server-A on port 5101
iperf3 -s -p 5101

# Connect to server-A from server-B
iperf3 -c 192.168.0.1 -p 5101
</syntaxhighlight>

=== Filesystem ===
<syntaxhighlight lang="bash">
# Testing disk/share throughput
# Create "testfile" of size 1710x1M in current folder
time dd if=/dev/zero of=testfile bs=1M count=1710

# Create "'testfile2" of size 5x1G in current folder
time dd if=/dev/zero of=testfile2 bs=1G count=5

# Show copy-time of "testfile" to disk or share
time cp testfile /mnt/btfrs/data/<LOCATION>/

# Methods of testing disk or share throughput
# show read-time from the mount to null
time cat /mnt/btfrs/data/<FILE> > /dev/null

# show copy-time from the mount to null
time dd if=/mnt/btfrs/data/<FILE> of=/dev/null bs=1M

# show copy-time from the mount to the current folder
time cp /mnt/btfrs/data/<FILE> .

# Copy one folder to another with rsync while showing progress
rsync -avhW --no-compress --progress <source>/ <destination>/
</syntaxhighlight>

=== Create different temp folder ===
<syntaxhighlight lang="bash">
# Create a temporary TMP folder
mkdir -p /scratch/tmp/

# Activate temporary TMP folder
export TMPDIR=/scratch/tmp
</syntaxhighlight>

== Links ==
* https://devhints.io/
* https://github.com/arm-on/linux-essentials
* https://thediligentdeveloper.com/30-interesting-shell-commands

Vrp

2025-10-07T10:22:04Z

Patrick: Redirected page to Huawei:VRP

#REDIRECT [[Huawei:VRP]]

Linux:Filesystems

2025-10-06T08:14:42Z

Patrick: /* RBD-NBD */

[[Category:Cheatsheet]]

== Filesystems ==
<section begin="linuxfilesystems"/>

<syntaxhighlight lang="bash">
# List clients connected to local mounts
showmount
</syntaxhighlight>

=== NFS ===
==== Checks ====
* https://www.ibm.com/docs/en/aix/7.2?topic=troubleshooting-identifying-nfs-problems

<syntaxhighlight lang="bash">
# NFS
nfsstat

# Detailed RPC and package information
nfsstat -o all

# Every RPC "program" is bound to a specific NFS version. Use NFS/CTDB logs in combination with the program ID to identify the failing component
rpcinfo -p
</syntaxhighlight>

==== Common ====
===== Exports =====
Use file /etc/exports to define exports to cliënts. </br>

<syntaxhighlight lang="bash">
# Create the folders before exporting them
mkdir -p /data/exports/customer1000/finance
mkdir -p /data/exports/customer1001/backup
</syntaxhighlight>

'''NFSv3''' example:
<syntaxhighlight lang="bash">
#////////////////////////////////////////////////////////////////////////////////////////////
# Customer1000
/data/exports/customer1000/finance 192.168.20.1(rw,no_root_squash,sync) 192.168.20.2(rw,sync)
#////////////////////////////////////////////////////////////////////////////////////////////
# Customer1001
/data/exports/customer1001/backup 192.168.30.1(rw,no_root_squash) 192.168.30.1(rw,no_root_squash,sync)
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload the NFS server to apply changes within /etc/exports
systemctl reload nfs-server
</syntaxhighlight>

===== Client mount =====
<syntaxhighlight lang="bash">
# Install NFS cliënt (Ubuntu)
apt install nfs-common

# Install NFS cliënt (RHEL)
yum install nfs-utils

# Mount NFS share located on server 192.168.20.1 on path /data/exports/customer1000/finance, to local server /mnt/nfs/
mount -v -t nfs 192.168.20.1:/data/exports/customer1000/finance /mnt/nfs/
</syntaxhighlight>

==== Optimizations ====
Change these values depending on your usage and the available resources on your server.

<syntaxhighlight lang="bash">
# /etc/sysctl.d/nfs-tuning.conf
net.core.rmem_max=1048576
net.core.rmem_default=1048576
net.core.wmem_max=1048576
net.core.wmem_default=1048576
net.ipv4.tcp_rmem=4096 1048576 134217728
net.ipv4.tcp_wmem=4096 1048576 134217728
vm.min_free_kbytes=8388608
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload above optimization
sysctl -p /etc/sysctl.d/nfs-tuning.conf
</syntaxhighlight>

Raise the number of NFS threads
<syntaxhighlight lang="bash">
# /etc/sysconfig/nfs

# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=16
RPCNFSDCOUNT=128
</syntaxhighlight>

Activate NFSD count on the fly
<syntaxhighlight lang="bash">
rpc.nfsd 64

# Check amount of threads
/proc/fs/nfsd/threads
</syntaxhighlight>

=== Ceph ===
* https://sabaini.at/pages/ceph-cheatsheet.html

==== Checks ====
<syntaxhighlight lang="bash">
# Display the running Ceph version
ceph -v

# Check the clusters' health and status
ceph -s

# Watch the clusters' health and status in real time
ceph -w

# Show detailed logs relating to cluster health
ceph health detail

# List configurations for a lot of stuff
cephadm ls

# List configurations for a lot of stuff
ceph config dump

# List all Ceph 'containers' and OSDs
ceph orch ls

# Lists all hosts, labels and basic host resource information
ceph orch host ls --detail

# List available storage devices
ceph orch device ls

# List all Ceph daemons
ceph orch ps

# List Ceph daemons of a specific type
ceph orch ps --daemon_type=mgr

# Show logs for a specific service
ceph orch ls --service_name osd.all-available-devices --format yaml

# Re-check the status of a host
ceph cephadm check-host storage-3

# Check the current number of operations on a primary Ceph node
ceph daemon /var/run/ceph/ceph-mds.xxxxxxxx.vxokby.asok dump_ops_in_flight
</syntaxhighlight>

'''OSDs'''
<syntaxhighlight lang="bash">
# List all pools
ceph osd lspools

# See the status of all OSDs
ceph osd stat

# List all OSDs
ceph osd tree

# List all OSDs and related information in detail
ceph osd df tree
</syntaxhighlight>

'''PGs'''
<syntaxhighlight lang="bash">
# List all Placement Groups
ceph pg dump

# Check the status of Ceph PGs
ceph pg stat
</syntaxhighlight>

'''Authentication'''
<syntaxhighlight lang="bash">
# List all created clients and their permissions
ceph auth ls

# List permissions for a specific client
ceph auth get client.cinder
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the Ceph shell (single cluster)
cephadm shell

# Enter the Ceph shell for a specific cluster
sudo /usr/sbin/cephadm shell --fsid asdjwqe-asjd324-asdki321-821asd-asd241-asdn1234- -c /etc/ceph/ceph.conf -k /etc/ceph/ceph.client.admin2.keyring

# Give node storage-4, which is already a cluster member, the admin tag
ceph orch host label add storage-4 _admin
</syntaxhighlight>

==== Installation (Quincy) ====
Using Cephadm: https://docs.ceph.com/en/quincy/cephadm/install/

===== Cephadm =====
<syntaxhighlight lang="bash">
# Create a folder for the cephadm tool
mkdir cephadm
cd cephadm/

# Download cephadm (Quincy)
curl --silent --remote-name --location https://github.com/ceph/ceph/raw/quincy/src/cephadm/cephadm
chmod +x cephadm

# Output help
./cephadm -h

# Install cephadm (Quincy) release
./cephadm add-repo --release quincy
./cephadm install

# Check if cephadm is properly installed
which cephadm
</syntaxhighlight>

===== Bootstrap =====
<syntaxhighlight lang="bash">
# Bootstrap node and install Ceph
cephadm bootstrap --mon-ip 192.168.100.11

# Check the status of the cluster
cephadm shell -- ceph -s
docker ps

## Optional
# Enter the Ceph shell (single cluster)
cephadm shell

# Exit the Ceph shell
exit

# Install common Ceph packages/tools
cephadm install ceph-common

# Display the Ceph version
ceph -v
</syntaxhighlight>

===== Add additional hosts =====
<syntaxhighlight lang="bash">
# On your bootstrapped node create a key for SSH-access to the other hosts.
ssh-keygen
cat .ssh/id_rsa.pub

# Add the newly generated key to the authorized_keys file for the relevant user, on the other hosts.

# Copy the Ceph clusters' public key to the other nodes
ssh-copy-id -f -i /etc/ceph/ceph.pub root@storage-2
ssh-copy-id -f -i /etc/ceph/ceph.pub root@storage-3

# Add the other nodes to the cluster, and assign them the admin role
ceph orch host add storage-2 10.4.20.2 _admin
ceph orch host add storage-3 10.4.20.3 _admin
</syntaxhighlight>

==== Configuration ====
===== OSD creation =====
* https://github.com/rook/rook/issues/7519
If you've installed ceph-osd on your host, this step will fail horribly with errors such as:
<syntaxhighlight lang="bash">
-1 bluestore(/var/lib/ceph/osd/ceph-1//block) _read_bdev_label failed to open /var/lib/ceph/osd/ceph-1//block: (13) Permission denied
-1 bdev(0x5571d5f69400 /var/lib/ceph/osd/ceph-1//block) open open got: (13) Permission denied
-1 OSD::mkfs: ObjectStore::mkfs failed with error (13) Permission denied
-1 ESC[0;31m ** ERROR: error creating empty object store in /var/lib/ceph/osd/ceph-0/: (13) Permission deniedESC[0m
OSD, will rollback changes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Configure all available storage to be used as OSD storage
ceph orch apply osd --all-available-devices

# Check for OSD problems
watch ceph -s
watch ceph osd tree
</syntaxhighlight>

==== Delete pool ====
<syntaxhighlight lang="bash">
# Set ability to remove pools to true
ceph config set mon mon_allow_pool_delete true

# Remove the pool
ceph osd pool rm tester tester --yes-i-really-really-mean-it

# Set ability to remove pools to false
ceph config set mon mon_allow_pool_delete false
</syntaxhighlight>

==== Upgrade ====
Make sure your cluster status is healthy first!

<syntaxhighlight lang="bash">
# Upgrade Ceph to a specific version
ceph orch upgrade start --ceph-version 17.2.0

# Check the status of the Ceph upgrade
ceph orch upgrade status

# Stop the Ceph upgrade
ceph orch upgrade stop
</syntaxhighlight>

==== Ceph client ====
===== Via Kernel =====
Mount a Ceph filesystem share using the kernel, Cephx and 3 mon hosts:
<syntaxhighlight lang="bash">
# Install common Ceph package for your distribution
apt-get install ceph-common

# Create and fill the ceph.conf file, mind the enter in the end
cat << 'EOF' >> /etc/ceph/ceph.conf
# minimal ceph.conf for 492f528f-90ae-49e0-b622-ae58b85e8cf0
[global]
fsid = 492f528f-90ae-49e0-b622-ae58b85e8cf0
mon_host = [v2:192.168.0.11:3300/0,v1:192.168.0.11:6789/0] [v2:192.168.0.12:3300/0,v1:192.168.0.12:6789/0] [v2:192.168.0.13:3300/0,v1:192.168.0.13:6789/0]
EOF

# Add the Cephx used by your user
cat << 'EOF' >> /etc/ceph/ceph.client.sofie.keyring
[client.sofie]
key = AIAOIWmaskjhqweASKhqwekjhASD==
EOF

# Mount your Ceph share by referring to the Ceph mons, the share on the Ceph mons, where you want to mount the share, and the userdata you use to connect to said share respectively.
mount -t ceph 192.168.0.11:6789,192.168:6789.0.12,192.168.0.13:6789:/shares/mycustomer/asd8asd8-as8d83-df4mjvjdf /mnt/ceph/mylocalsharelocation -o name=sofie
</syntaxhighlight>

===== Ceph-fuse =====
<syntaxhighlight lang="bash">
# Mount a Ceph filesystem using the ceph-fuse client
apt install ceph-fuse
mkdir myshare/

nano sofie.keyring
[client.sofie]
key = AQCHc7tlvEUqOBasjdHASJD9Lma84nASDJqwe==

nano ceph.conf
[client]
client quota = true
mon host = 192.168.10.1:6789, 192.168.10.2:6789, 192.168.10.3:6789

sudo ceph-fuse ~/myshare \
--id=sofie \
--conf=./ceph.conf \
--keyring=./sofie.keyring \
--client-mountpoint=/volumes/_nogroup/6e99687f-asd2-47b0-8ba1-asduoiqwe/12398asnjd-0126-4cb3-9242-asduio1q23

# Debugmode in case of shit
sudo ceph-fuse ~/myshare \
--id=sofie \
--conf=./ceph.conf \
--keyring=./sofie.keyring \
--client-mountpoint=/volumes/_nogroup/6e99687f-asd2-47b0-8ba1-asduoiqwe/12398asnjd-0126-4cb3-9242-asduio1q23 -d -o debug
</syntaxhighlight>

==== RBD-NBD ====
<syntaxhighlight lang="bash">
# List available volumes within the openstackvolumes pool
rbd ls openstackhdd

# List all available snapshots for object volume-asd9p12o3-90b2-1238-1209-as980d7213hs, which reside in pool openstackhdd
rbd snap ls openstackhdd/volume-asd9p12o3-90b2-1238-1209-as980d7213hs

# Map the volume-object to the local filesystem
rbd-nbd map openstackhdd/volume-asd9p12o3-90b2-1238-1209-as980d7213hs

# Map the volume-object as read-only to the local filesystem
rbd-nbd map --read-only openstackhdd/volume-asd9p12o3-90b2-1238-1209-as980d7213hs

# List currently mapped objects
rbd-nbd list-mapped

# Check what filesystem and partition the device contains
fdisk -l /dev/nbd1

# Mount the device to a local folder
mount /dev/nbd1p1 /mnt/storage

# Unmount the device from the local folder
umount /mnt/storage

# 2 methods to unmap
# Unmap the mapped object
rbd-nbd unmap /dev/nbd2

# Unmap the mapped object
rbd-nbd unmap volume-asd9p12o3-90b2-1238-1209-as980d7213hs
</syntaxhighlight>

==== Remove node ====
<syntaxhighlight lang="bash">
# Remove running daemons
ceph orch host drain storage-3

# Remove host from the cluster
ceph orch host rm storage-3

# In storage-3, restart the node
shutdown -r now
</syntaxhighlight>

===== Destroy node =====
'''Scorched earth''' </br>
Only execute if you want to '''annihilate''' your '''node and or cluster'''.

<syntaxhighlight lang="bash">
# Kill and destroy OSD 0
ceph osd down 0 && ceph osd destroy 0 --force

# Stop Ceph services
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mon.host-1.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@crash.host-1.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mgr.host-1.xmatqa.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mon.host-1.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@node-exporter.host-1.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn@prometheus.host-1.service
systemctl stop ceph-asd82asd-asd8-as92-a889-po89xc732cmn.target

# Disable Ceph services
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mon.host-1.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@crash.host-1.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mgr.host-1.xmatqa.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@mon.host-1.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@node-exporter.host-1.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn@prometheus.host-1.service
systemctl disable ceph-asd82asd-asd8-as92-a889-po89xc732cmn.target

# Destroy everything (packages, containers, configuration)
ceph-deploy uninstall host-1
ceph-deploy purge host-1
rm -rf /var/lib/ceph

# Check for failed services
systemctl | grep ceph

# Reset them so they disable properly
systemctl reset-failed ceph-asd82asd-asd8-as92-a889-po89xc732cmn@prometheus.host-1.service

# reboot
shutdown -r now
</syntaxhighlight>

=== BTRFS ===
* https://vitux.com/how-to-format-a-harddisk-partition-with-btrfs-on-ubuntu-20-04/

'''Using LVM'''

<syntaxhighlight lang="bash">
# Install LVM creation tools depending on your OS
yum install lvm2
apt install lvm2

# Check and note the disk you need
fdisk -l

# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb

# Create LVM
pvcreate /dev/vdb1
vgcreate vdb_vg /dev/vdb1
lvcreate -l 100%FREE -n btrfs vdb_vg

# Check
pvs
vgs

# Create the BTRFS filesystem
mkfs.btrfs /dev/vdb_vg/btrfs

# Create a folder for the BTRFS mount
mkdir -p /mnt/btrfs1

# Mount the BTRFS filesystem
mount -t btrfs /dev/vdb_vg/btrfs /mnt/btrfs1/

# Modify fstab so the filesystem get mounted automatically on boot
cat << 'EOF' >> /etc/fstab
/dev/mapper/vdb_vg-btrfs /mnt/btrfs1 btrfs defaults 0 0
EOF
</syntaxhighlight>

<section end="linuxfilesystems"/>

Linux:Services

2025-10-01T11:59:51Z

Patrick: /* Rainerscript */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Write all local messages to a specific file
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
</syntaxhighlight>

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 but specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:59:32Z

Patrick: /* Rainerscript */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Write all local messages to a specific file
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
</syntaxhighlight>

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 and specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:59:13Z

Patrick: /* Rainerscript */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Write all messages to
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
action(type="omfile" file="/var/log/isaidhey.txt")
</syntaxhighlight>

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to the target server
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 and specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:55:49Z

Patrick: /* Rainerscript */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

Send message to a syslog server using IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.* action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

Define a template aligned to IETF protocol 23 and specify a hostname to send as:
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send logs to target syslog server and port
*.* action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:55:04Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
*.* @10.77.0.1:514
</syntaxhighlight>

Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

Log to the local server with a static hostname, using a custom structure
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

An alternative to the contents above, specifying different/more fields
<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Send message to a syslog server using IETF protocol 23
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.* action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
# Define a template aligned to IETF protocol 23 and specify a hostname to send as:
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send logs to target syslog server and port
*.* action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:54:19Z

Patrick: /* rsyslog */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equl to TCP
*.* @10.77.0.1:514
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/61-qwe.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Send message to a syslog server using IETF protocol 23
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.* action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
# Define a template aligned to IETF protocol 23 and specify a hostname to send as:
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send logs to target syslog server and port
*.* action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:50:56Z

Patrick: /* rsyslog */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

==== Legacy ====
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equl to TCP
*.* @10.77.0.1:514
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Send message to a syslog server using IETF protocol 23
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.* action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
# Define a template aligned to IETF protocol 23 and specify a hostname to send as:
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send logs to target syslog server and port
*.* action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:48:15Z

Patrick: /* Rainerscript */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server
*.* @10.77.0.1
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Send message to a syslog server using IETF protocol 23
template(name="RSYSLOG_SyslogProtocol23Format" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

*.* action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp")
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
# Define a template aligned to IETF protocol 23 and specify a hostname to send as:
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# Send logs to target syslog server and port
*.* action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:25:42Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server
*.* @10.77.0.1
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:25:09Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server
*.* @10.77.0.1
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server, include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/62-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:24:47Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Send all logs to a rsyslog server
*.* @10.77.0.1
</syntaxhighlight>

<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server, include the priority number as first extra variable
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

*.* @10.77.0.1;custom_IETFprotocol_23
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Log to the local server with a static hostname, using a custom structure
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:12:16Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server, include the priority number as first extra variable
$template SendHostname, "<%pri%> %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Log to the local server with a static hostname, same structure as regular syslog
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# An alternative to the contents above, specifying different/more fields
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"

*.* /var/log/wazanda.txt;mynewtemplate
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T11:05:19Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server, include the priority number as first extra variable
$template SendHostname, "<%pri%> %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"

*.warning @10.77.0.1;SendHostname
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Log to the local server with a static hostname, same structure as regular syslog
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Services

2025-10-01T10:32:58Z

Patrick: /* Legacy */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server, include the priority number as first extra variable
$template SendHostname, "<%pri%> %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
$ActionForwardDefaultTemplate SendHostname

*.warning @10.77.0.1
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/60-asd.conf
# Log to the local server with a static hostname, same structure as regular syslog
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"

*.* /var/log/wewuzerrors.txt;NewHostname
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Tools

2025-09-30T07:42:58Z

Patrick: /* cron */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== cron ===
Run tasks at specific intervals.

* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== screen ===
Create virtual sessions on the server you're connected to.

<syntaxhighlight lang="bash">
# List all current sessions
screen -list

# Create new session "mynewsession"
screen -S mynewsession

# Detach current session
CTRL + A + D

# Attach session "mynewssion"
screen -r mynewsession
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Linux:Tools

2025-09-30T07:41:41Z

Patrick: /* ldapsearch */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== cron ===
* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Linux:Network

2025-09-25T12:55:33Z

Patrick: /* nmcli */

[[Category:Cheatsheet]]

* https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

== Checks ==
=== Common ===
<syntaxhighlight lang="bash">
# List route table
route -n

# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s

# List iptable rules (Nftables)
iptables -nvL

# List iptable rules (Legacy iptables)
iptables-legacy -nvL

# Test specific IP and port combination for connectivity
telnet 172.16.2.1 22

# Wireshark on a specific interface to a file, listening on a local port and for a remote IP
tshark -p -i bond0 -w file.pcap -f "port 443 and host 172.16.16.25"

# List available routers
ip netns

# Show interfaces with an IPv4 address
ip -4 a

# Show interfaces with an IPv6 address
ip -6 a
</syntaxhighlight>

== Network ==
=== NetworkManager ===
'''nmtui''' is a GUI-tool for managing NetworkManager connections.

==== Checks ====
<syntaxhighlight lang='bash'>
# Show all active network connections
nmcli connection show

# Show connection information for interface ens5
nmcli connection show ens5

# Show active and unactive network connections
nmcli dev status
</syntaxhighlight>

==== nmcli ====
<syntaxhighlight lang='bash'>
# Bring logical interface ens6 up
nmcli device up ens6

# Turn off DHCP
nmcli con mod ens6 ipv4.method manual
nmcli con mod ens6 connection.autoconnect yes

# Add an IP-address to interface ens6
nmcli connection modify ens6 ipv4.address "192.168.0.10/24"

# Add DNS-servers to interface ens6
nmcli connection modify ens6 ipv4.dns "8.8.8.8,1.1.1.1,196.168.0.1"

# Add a gateway to interface ens6
nmcli con mod ens6 ipv4.gateway "192.168.0.1"

# Add a default route to interface ens160
nmcli connection modify ens160 +ipv4.routes "0.0.0.0/0 192.168.3.100"

# Remove an IP-address from interface ens6
nmcli con mod ens6 -ipv4.addresses 192.168.0.11/24

# Apply changes to interface ens
nmcli device reapply ens6
</syntaxhighlight>

=== RHEL ===
==== Generic Interface ====
<code> BOOTPROTO=static </code> for static address </br>
<code> BOOTPROTO=dhcp </code> for DHCP

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens128
DEVICE=ens128
NAME=ens128
HWADDR=ab:cd:ef:gh:ij:kl
UUID=0a8d3485-d512-46da-8225-19f4721813c1
BOOTPROTO=static
STARTMODE=auto
ONBOOT=yes
IPADDR=192.168.10.2
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
</syntaxhighlight>

==== Generic VLAN Interface ====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-eno2.100
VLAN=yes
TYPE=Vlan
PHYSDEV=eno2
VLAN_ID=100
NAME=eno2.100
BOOTPROTO=static
HWADDR=ab:cd:ef:gh:ij:kl
IPADDR=192.168.100.217
NETMASK=255.255.255.0
STARTMODE=auto
UUID=689cff6f-c750-4db7-936c-234fb80b6018
GATEWAY=192.168.100.1
</syntaxhighlight>

==== VLAN Bond interface configuration ====
===== Virtual Bond Master =====
<syntaxhighlight lang='bash'>
BONDING_OPTS="mode=802.3ad miimon=100"
TYPE=Bond
BONDING_MASTER=yes
PROXY_METHOD=none
BROWSER_ONLY=no
IPV6INIT=no
NAME=bond0
UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
DEVICE=bond0
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
AUTOCONNECT_SLAVES=yes
MTU=1500
</syntaxhighlight>

===== Physical bond Slaves =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens1
TYPE=Ethernet
NAME=ens1
UUID=c6a4da43-b84a-44f4-b49f-4bdc717d4238
DEVICE=ens1
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-ens2
TYPE=Ethernet
NAME=ens2
UUID=ca09a126-a082-4620-a920-be45269e5d8a
DEVICE=ens2
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
MASTER_UUID=7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
MASTER=bond0
SLAVE=yes
</syntaxhighlight>

===== VLAN 100 Interface =====
<syntaxhighlight lang='bash'>
# /etc/sysconfig/network-scripts/ifcfg-vlan-bond0.100
VLAN=yes
TYPE=Vlan
PHYSDEV=bond0
VLAN_ID=100
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.100.10
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=vlan-bond0.100
UUID=83b0e31c-9a9f-47da-9dc6-645796bc47aa
ONBOOT=yes
AUTOCONNECT_PRIORITY=9
AUTOCONNECT_RETRIES=0
GATEWAY=192.168.100.1
</syntaxhighlight>

=== Ubuntu/Debian ===
==== Netplan ====
<syntaxhighlight lang='bash'>
# Apply the configuration, but if the dialogue is left unconfirmed, the configuration will be reverted.
netplan try

# Apply the configuration
netplan apply
</syntaxhighlight>

===== Generic DCHP interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
</syntaxhighlight>

Generic DHCP Interfaces, but while ignoring the routes for an Interface and disabling DHCP on the other.
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens4:
# Some info about the Interface/why does it exist
dhcp4: true
dhcp4-overrides:
use-routes: false
match:
macaddress: fa:16:3e:aa:bb:cc
set-name: ens4
ens5:
# Some info about the Interface/why does it exist
dhcp4: no
match:
macaddress: fa:16:cc:dd:ee
set-name: ens5
</syntaxhighlight>

===== Generic static interface =====
You may have to disable automatic network-configuration:
<syntaxhighlight lang='yaml'>
sudo bash -c 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
</syntaxhighlight>

<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
ens7:
addresses:
- 192.168.0.23/24
match:
macaddress: ab:cd:ef:gh:ij:kl
mtu: 1500
set-name: ens7
nameservers:
addresses: [1.1.1.1, 8.8.8.8]
routes:
- to: default
via: 192.168.0.1
</syntaxhighlight>

===== VLAN Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno1: {}
vlans:
eno1.10:
id: 10
link: eno1
addresses: [192.168.1.1/24]
eno1.20:
id: 20
link: eno1
addresses: [192.168.2.1/24]
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.2.1
eno1.30:
id: 30
link: eno1
addresses: [192.168.3.1/24]
</syntaxhighlight>

===== Empty Interface =====
<syntaxhighlight lang='yaml'>
network:
version: 2
ethernets:
eno2:
dhcp4: false
dhcp6: false
</syntaxhighlight>

==== Interface files ====
Classic <code>/etc/network/interfaces.d</code> files i.e. <code> /etc/network/interfaces.d/ens200.conf </code>
Otherwise use <code>/etc/network/interfaces </code>

===== Generic IPv4 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens160.conf
auto ens160
iface ens160 inet static
address 192.168.23.7
netmask 255.255.255.0
gateway 192.168.23.1
</syntaxhighlight>

===== Generic IPv6 =====
<syntaxhighlight lang='bash'>
# /etc/network/interfaces.d/ens3.conf
iface ens3 inet6 static
address abcd:defg:0:1234:5123:abcd:abcd:1234
netmask 48
gateway abcd:defg::1
</syntaxhighlight>

===== Bond =====
<syntaxhighlight lang='bash'>
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto bond0
iface bond0 inet static
address 192.168.39.245
gateway 192.168.39.254
network 255.255.255.0
bond-slaves eno1 eno2
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3
</syntaxhighlight>

Linux:Services

2025-09-25T12:28:32Z

Patrick: /* Checks */

[[Category:Cheatsheet|Cheatsheets]]

== Services ==
<section begin="linuxservices"/>

=== Common ===
==== systemctl ====
<syntaxhighlight lang="bash">
# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# List all failed services
systemctl --state=failed

# Reset the failed service "nginx"
systemctl reset-failed nginx

# View the status of the "nfs-server" service
systemctl status nfs-server

# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

# Check the logs for all failed services
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done
</syntaxhighlight>

=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>

=== SNMP ===
==== V3 client installation ====
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/

<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact Me <me@example.org>
agentaddress 192.168.0.10
</syntaxhighlight>

<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Test
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
</syntaxhighlight>

=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>

=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that show in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>

==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing

<syntaxhighlight lang="bash">
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
</syntaxhighlight>

<syntaxhighlight lang="bash">
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
</syntaxhighlight>

===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h

# Check the configuration file of the firewall for errors
firewall-cmd --check-config

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all services you can potentially enable
firewall-cmd --get-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns

# List all opened ports
firewall-cmd --list-ports

# List kernel ruleset generated for nftables(?)
nft list ruleset
</syntaxhighlight>

====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --add-port=2345/udp

# Add current configuration to configuration permanently
firewall-cmd –runtime-to-permanent
</syntaxhighlight>

'''DANGEROUS'''
<syntaxhighlight lang="bash">
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS
firewall-cmd --panic-on

# ACCEPT PACKETS AGAIN
firewall-cmd --panic-off
</syntaxhighlight>

==== CSF ====
ConfigServer Security and Firewall

===== General =====
* Common configuration: /etc/csf/csf.conf
* Blacklist: /etc/csf/csf.deny
* Whitelist: /etc/csf/csf.allow

===== Installation =====
From the official instructions: https://download.configserver.com/csf/install.txt

====== Prerequisites ======
<syntaxhighlight lang="bash">
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
</syntaxhighlight>

====== Install ======
<syntaxhighlight lang="bash">
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
</syntaxhighlight>

===== Checks =====
<syntaxhighlight lang="bash">
# Check the running status of csf
csf status
</syntaxhighlight>

===== Commands =====
<syntaxhighlight lang="bash">
# Commit config changes by restarting csf
csf -r
</syntaxhighlight>

===== csf.conf =====
Some common changes within the configuration file

<syntaxhighlight lang="bash">
# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
</syntaxhighlight>

===== Formatting =====
The varying styles of formatting used in allow.conf
<syntaxhighlight lang="bash">
# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol and IP
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443

# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server

# Allow sending queries to some DNS servers
tcp|out|s=53|d=8.8.8.8
udp|out|s=53|d=1.1.1.1
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
</syntaxhighlight>

=== rsyslog ===
<section begin="linuxsyslog"/>

==== Legacy ====
<syntaxhighlight lang="bash">
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server
$template SendHostname, "<%pri%> %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
$ActionForwardDefaultTemplate SendHostname

*.warning @10.77.0.1
</syntaxhighlight>

==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as:
template(name="SendHostname" type="string"
string="%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>

==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
</syntaxhighlight>

<section end="linuxsyslog"/>

=== named ===
==== Checks ====
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

==== Configuration ====
Basic configuration for the options field in '''/etc/named.conf'''
<syntaxhighlight lang="bash">
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};

recursion yes;
dnssec-validation no;

managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>

Zone defnitions: '''/etc/named.rfc1912.zones'''
<syntaxhighlight lang="bash">
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
</syntaxhighlight>

Zone file for Reverse lookup: '''/var/named/192.168.1.0'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
11 IN PTR node1.
21 IN PTR server1.
</syntaxhighlight>

Zone file for domain: '''/var/named/brammerloo.nl'''
<syntaxhighlight lang="bash">
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
</syntaxhighlight>

=== dhcpd ===
==== dhclient ====
<syntaxhighlight lang="bash">
# Request an IPv4 adres from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 adres from a DHCP server
dhclient -4 -v
</syntaxhighlight>

==== Configuration ====
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
</syntaxhighlight>

=== smbd / Samba / CIFS ===
https://linuxconfig.org/install-samba-on-redhat-8

==== Basic configuration ====
<syntaxhighlight lang="bash">
# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing
sudo mkdir /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
</syntaxhighlight>

<syntaxhighlight lang="bash">
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
security = user
map to guest = bad user
dns proxy = no

#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
</syntaxhighlight>

<pre>
user: samba-user
pass: <Whatever password you filled in with smbpasswd -a
</pre>

==== Checks ====
<syntaxhighlight lang="bash">
# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1
</syntaxhighlight>

=== Docker ===
==== Checks ====
<syntaxhighlight lang="bash">
# List Docker containers
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;
</syntaxhighlight>

=== PowerDNS ===
* https://doc.powerdns.com/authoritative/index.html
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html

==== Checks ====
<syntaxhighlight>
# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
</syntaxhighlight>

<syntaxhighlight>
# List available commands
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all domains in the primary zone
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

==== Commands ====
<syntaxhighlight>
# Activate TSIG key for domain "myexample.com" in the primary zone
pdnsutil " myexample.com transfer primary
</syntaxhighlight>

=== MAAS ===
==== Checks ====
<pre>
Logs in either place:
/var/log/maas/
/var/snap/maas/common/log
</pre>

<syntaxhighlight lang="bash">
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help
</syntaxhighlight>

<section end="linuxservices"/>

Linux:Tools

2025-09-23T13:01:50Z

Patrick: /* rclone */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== cron ===
* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but this this specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Installation ====
<syntaxhighlight lang='bash'>
# Install the latest version from the website
curl https://rclone.org/install.sh | sudo bash
</syntaxhighlight>

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide

Linux:Tools

2025-09-23T13:00:22Z

Patrick: /* Ubuntu Installation */

[[Category:Cheatsheet]]

== Commands ==
=== Quick access ===
<syntaxhighlight lang="bash">
# Scroll through a file with less
less -s myfile.txt

# Select line 5 from the output
cat example.txt | sel -e '5'

# Select lines from the output, starting from the top
cat example.txt | head -5

# Select lines from the output, starting from the bottom
cat example.txt | tail -5
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Display the full path of a file(assuming the syslog file is available in the current folder)
readlink -f syslog

# Unzip a file
gunzip /var/log/messages.2.gz
</syntaxhighlight>

=== Uncommon commands ===
* https://ngelinux.com/what-is-proc-sysrq-trigger-in-linux-and-how-to-use-sysrq-kernel-feature/

<syntaxhighlight lang="bash">
# CrASHing THIs SERVer, WiTH no SurVIvORS!
echo c > /proc/sysrq-trigger
</syntaxhighlight>

== Network ==
=== ping ===
Troubleshooting MTU: https://access.redhat.com/solutions/2440411

<syntaxhighlight lang="bash">
# Ping with an interval of 5 seconds
ping -i 5 192.168.0.1

# Ping 192.168.10.5 using a specific interface
ping -I bond0 192.168.10.5

# Ping 8.8.8.8 for 20 times
ping -c 20 8.8.8.8

# Ping google.com using IPv4
ping -4 google.com

# Ping google.com using IPv6
ping -6 google.com

# Ping using packets of size 264
ping -s 264 1.1.1.1

# Test an MTU-size of 9000 by sending non-fragmented packages of size 8972 (28 bytes left for the headers)
ping -M do -s 8972 192.168.77.88
</syntaxhighlight>

=== traceroute ===
Package '''mtr''' (My traceroute) is also very good

* https://web.archive.org/web/20110101100046/https://www.exit109.com/~jeremy/news/providers/traceroute.html
* [https://en.wikipedia.org/wiki/Traceroute UDP ports 33434 to 33534 are used by traceroute by default.]

<syntaxhighlight lang="bash">
# Show the traversed hops towards google.com using IPv4
traceroute -4 google.com

# Show the traversed hops towards google.com using IPv6
traceroute -6 google.com

# Does the same as "traceroute -6 google.com"
traceroute6 google.com

# Use ICMP for checking hops
traceroute -4 -I brammerloo.nl
</syntaxhighlight>

=== route ===
<syntaxhighlight lang="bash">
# List configured routes
route

# List routes but display IPs instead of hostnames
route -n

# Delete default route
ip route del 0.0.0.0/0 via 192.168.10.1 dev ens3

# Delete default route (explicit)
ip route del default via 192.168.0.1 dev eth0 proto static metric 100

# Add a default route via a specific IP and interface
ip route add default via 192.168.0.1 dev eth0 proto static metric 90

# Add route for a network via gateway on an interface
ip route add 10.0.100.0/24 via 10.0.100.254 dev ens5

# Add default route met een specifieke metric
ip route add default via 10.0.180.1 dev ens7 proto static metric 90
</syntaxhighlight>

=== netstat ===
<syntaxhighlight lang='bash'>
# Display network connections and current states
netstat

# Check listening ports, connected remote IPs, processes, states and more
netstat -taupen

# Check listening ports and IPs of the local server
netstat -tulpn

# List the routing table
netstat -r

# List verbose common TCP and ICMP information
netstat -s
</syntaxhighlight>

=== ss ===
Replacement for netstat
<syntaxhighlight lang='bash'>
# Check open ports, connected IPs, processes, states and more
ss -taupen
</syntaxhighlight>

=== tcpdump ===
<syntaxhighlight lang='bash'>
# Listen on interface eth0 for traffic coming from host 172.16.0.11
tcpdump -i eth0 host 172.16.0.11

# Listen on interface eno2 for traffic coming from host 172.16.1.20, going to port 443
tcpdump -i en02 host 172.16.1.20 port 443
</syntaxhighlight>

=== uuidgen ===
<syntaxhighlight lang="bash">
# Generate a unique UUID (for an interface)
uuidgen eth0
7bb91614-6ffe-4bdc-9b37-c6e9d37f6987
</syntaxhighlight>

=== ip ===
<syntaxhighlight lang="bash">
# Show network information
ip address
ip a

# Show all configured routes
ip r show

# Display statistics for all interfaces
ip -s link

# Display detailed statistics for all interfaces
ip -s -s link

# Execute the ifconfig command within a specific router
ip netns exec qrouter-asdwe49-as8d7-asd2-ert0-cvb7klj2 "ifconfig"
</syntaxhighlight>

=== DNS | dig & nslookup ===
* https://intodns.com/

<syntaxhighlight lang="bash">
# Lookup reverse DNS host information
dig -x 10.0.2.15

# Lookup the nameservers of google.com, by asking nameserver 1.1.1.1
dig google.com @1.1.1.1 NS

# Lookup reverse DNS host information
host 10.0.2.15

# Lookup DNS host information
nslookup 10.0.2.15

# Lookup host information for google.com while using DNS-server 8.8.8.8
nslookup google.com 8.8.8.8
</syntaxhighlight>

== Package managers ==
=== apt ===
<syntaxhighlight lang="bash">
# Check for updates
apt update

# List packages that can be upgraded
apt list --upgradable

# Installed available updates
apt upgrade

# List installed packages
apt list --installed

# List package details and description
apt show net-tools

# Search inside all package descriptions for your keyword
apt-cache search ssh
</syntaxhighlight>

=== rpm ===
<syntaxhighlight lang="bash">
# List all local RPM packages
rpm -qa

# Query for a specific installed rpm package
rpm -qi nginx
</syntaxhighlight>

=== yum ===
<syntaxhighlight lang="bash">
# Search for all available packages that include string "nginx"
yum search nginx

# Install the package named Nginx
yum install nginx

# List installed packages
yum list installed
</syntaxhighlight>

=== dnf ===
<syntaxhighlight lang="bash">
# Upgrade and install updates
dnf upgrade

# Remove the podman package
dnf remove podman

# Show information about the zlib package
dnf info zlib

# Show mandatory/optional/default packages within the Networking Tools group
dnf group info "Networking Tools"
</syntaxhighlight>

== Filesystem ==
=== fdisk ===
'''cfdisk''' is also nice

==== Checks ====
<syntaxhighlight lang="bash">
# Check your disks and partitions
fdisk -l

# Enter fdisk interactive mode
fdisk /dev/nvme0n2p1

# List available partition types
l
</syntaxhighlight>

==== Configuration ====
<syntaxhighlight lang="bash">
# Format /dev/vdb as BTRFS
echo -e "n\np\n1\n\n\nt\n8E\np\nw" | fdisk /dev/vdb
</syntaxhighlight>

== Other ==
=== man + mandb ===
<syntaxhighlight lang="bash">
# Open the manual for the man tool
man man

# Open the manual for the ls tool
man ls

# 'Update' mandb by purging and or processing manuals
mandb

# Purge everything and regenerate manuals
mandb --create
</syntaxhighlight>

=== ls ===
<syntaxhighlight lang="bash">
# List folders sorted by modified date
ls -trol

# List folder contents recursively
ls -alsR myfolder/

# List folder contents sorted by time, newest first and reverse order
ls -latr myfolder
</syntaxhighlight>

=== grep ===
<syntaxhighlight lang="bash">
# Search for any occurences of "inet_interface" in a file
grep inet_interface /etc/postfix/main.cf

# Search for pattern "audit" in file /var/log/syslog
grep -e "audit" /var/log/syslog

# Search for text "started" in everything in /var/log/, and list the filename for each occurence
grep -H "started" /var/log/*

# Search for any mention of "md" within a file, by piping to grep
cat /var/log/messages | grep md

# Search for any of text "test" within the /etc folder recursively, also shows filename by default
grep -r "test" /etc

# Recursively search for any mention of "audit" in each file within the specified directory, display linenumber and ignore low/upper case
grep -rni audit /var/log/
</syntaxhighlight>

=== lsof ===
<syntaxhighlight lang="bash">
# List what has files opened on the directory/mount
lsof /data/mount/lustre-01

# List processes listening on port 443
lsof -i :443
</syntaxhighlight>

=== awk ===
<syntaxhighlight lang="bash">
# List the first column of the output generated by docker ps
docker ps | awk '{print $1}'

# Print 9th column of folder contents
ll /mnt/btrfs/share1/ | awk '{print $9}'
</syntaxhighlight>

=== tar ===
<syntaxhighlight lang="bash">
# Compress the destination directory and keep the source path within the zipped file
tar -czvf name-of-archive.tar.gz /path/to/directory-or-file

# Compress the destination directory, but put the folder contents into the . within the zipped file
tar -czvf name-of-archive.tar.gz -C /path/to/directory-or-file .

# Extract a tar.gz file to the current folder
tar -xzvf name-of-archive.tar.gz
</syntaxhighlight>

=== find ===
<syntaxhighlight lang="bash">
# Basic find command
find / -name name-to-search-for

# Search the current folder for all files
find . -name \*

# Search the current folder for all files and count them
find . -name \* | wc -l

# Find all files with the SUID bit set
find / -name "*" -perm /u+s

# Find the current folder for files that were modified in the last 15 minutes
find . -mmin -15 -type f -name "*"

# Search for all modified files between 2023-01-01 and 2023-12-30
find /var/log/ -type f -name "*" -newermt 2023-01-01 ! -newermt 2023-12-30

# Search for all modified folders between 2022-01-01 and 2022-02-10, limited to a single folders' depth
find /data/research001/ -maxdepth 1 -type d -newermt 2022-01-01 ! -newermt 2022-02-10

# Search the current folder for all .log files and search & output any line containing string "error"
find . -name \*.log -exec grep -H error {} \;

# Screwing around
for i in $(find URL* -name "*.report" | sort); do echo "$i" && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE ; done
for i in $(find URL* -name "*.report"); do basename "$i" | sort && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find URL* -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep "*.report" | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE | awk '{print $2}'; done
ll URL* | awk '{print $9}' | grep .report | sort | for i in $(find * -name "*.report"); do basename "$i" && cat "$i" | grep TOTAL_SIZE

find URL1 -name \*.report -exec grep -H TOTAL_SIZE {} \; | LC_ALL=C awk -M 'BEGIN{FS=OFS="\t"} {printf("%s\t%.02f\n", $1, $2/(1024*1024*1024))}' | sed -e 's~^.*/~~' -e 's~\..*SIZE~~' | sort
</syntaxhighlight>

=== less ===
<pre>
25 = Go to line 25
g = Go to top of file
G = Go to bottom of file
/ = Activate search mode
/Error = Search for "Error"
n = Move to next search result
N = Move to previous search result
</pre>

<syntaxhighlight lang="bash">
# Don't wrap long lines to the current screen (move left or right to see non-truncated line)
less -S /var/log/syslog

# Output a file's contents and read it with less
cat /etc/snmpd/snmp.conf | less -S

# Number the lines when viewing
less -N /var/log/messages

# Open less at the first search result for "error". (Do not use space between the -p parameter and your search query)
less -p"Error" /var/log/messages
</syntaxhighlight>

=== ssh ===
* https://man.openbsd.org/ssh.1
* https://www.openssh.com/legacy.html

<syntaxhighlight lang="bash">
# Stolen from https://www.openssh.com/legacy.html
ssh -Q cipher # List supported ciphers
ssh -Q mac # List supported MACs
ssh -Q key # List supported public key types
ssh -Q kex # List supported key exchange algorithms
</syntaxhighlight>

<syntaxhighlight lang="bash">
# Connect to a server using a specific user
ssh mirelurk@192.168.0.1

# Connect to a server using a specific RSA private key
ssh 192.168.0.1 -i /home/john/.ssh/id_rsa_key-5

# Connect to a server using a specific SSH port
ssh 192.168.0.1 -p 1111

# Show verbose information when connecting to a server
ssh -v 192.168.0.1

# Connect using an ancient algorithm and keytype
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc admin@10.50.10.50

# Execute 'ls' on a remote server and output the result to your shell session
echo 'ls' | ssh -T user@10.0.20.75

# Execute a command on a remote server and output the result to a local file
echo 'ls' | ssh -T user@10.0.20.75 > <filename>.log

# Log in by providing a password in the CLI
sshpass 'MyPassword' ssh -XY root@10.100.25.1

# Copy a local file to another server
scp /home/root/myfiletocopy ubuntu@192.168.0.10:/home/ubuntu
</syntaxhighlight>

=== vim ===
<pre>
Esc Switches between input/command mode

o Create a new line below the current cursor position and switch to input mode
:wq Save (write) and quit the file
:q! Quit immediately without applying any changes

j Move the cursor one line downwards
</pre>

<syntaxhighlight lang="bash">
# Enter the Vim tutorial
vimtutor
</syntaxhighlight>

=== rsync ===
Also see rclone for enterprise storage enviroments.

<syntaxhighlight lang="bash">
# Copy contents of source /mnt/science/data/ to target /home/garyon/backup/science/ recursively
rsync -a /mnt/science/data/ /home/garyon/backup/science/

# Copy everything: symlinks, hardlinks, extended attributes, modified times, files, folders, etc
rsync -avHXS --progress /mnt/science/data/ /home/mayra/backup/science/

# Show progress during a transfer
rsync -avHXS --progress /mnt/science/data/ /home/stefanie/backup/science/

# rsync is additive by default
# After an initial rsync, delete files in the target that were deleted in the source
rsync --delete -avHXS /mnt/science/data/ /home/bob/backup/science/

# Sync using SSH
rsync -avrS --delete /data/cardio/ 192.168.0.15:/backup/cardio/

# Sync using a specific SSH port
rsync -avrS --rsh='ssh -p2020' --delete /data/science/ 192.168.0.20:/backup/science/
</syntaxhighlight>

=== cron ===
* https://crontab.guru/

<syntaxhighlight lang="bash">
# List cron jobs for the current user
crontab -l

# Modify cron jobs for the current user
crontab -eq

# Run the "ls" command every 5 minutes
*/5 * * * * ps aux
</syntaxhighlight>

=== ldapsearch ===
<pre>
DC = Domain Component
The values that identify the domain in which the object is located, may contain subdomains too i.e. "DC=customer,DC=amazon,DC=com"

OU = Organization Unit
A container/folder in which objects or users are stored. Actively used in Microsoft Active Directory's i.e. "OU=janitors,DC=customer,DC=amazon,DC=com"

CN = Canonical Name
The name of the group you're searching for or in i.e. "CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

UID = User Identifier
The unique identifier to find a user with, usually the username i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"

DN = Distinguished Name
The entire path to an object, consisting of a combination of above values, at least the DCs and a CN or UID, i.e. "uid=magicmike,CN=fullprivilege,OU=janitors,DC=customer,DC=amazon,DC=com"
</pre>

The following assumes domain "brammerloo.nl", based on usage for FreeIPA
<syntaxhighlight lang="bash">
# Search and show attributes for user tonberry in group users in group accounts in domain brammerloo.nl, using the admin user to authenticatie
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify LDAP-server ipa01.brammerloo.nl to send the query to
ldapsearch -W -H ldap://ipa01.brammerloo.nl -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but specify a specific port
ldapsearch -W -H ldap://ipa01.brammerloo.nl:389 -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Use the "elastic" user to query for attributes of the "elastic-users" group which itself is a member of the "groups" group
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=elastic,cn=users,cn=accounts,dc=brammerloo,dc=nl"

# Do the same as above, but this this specify you only want the member attribute
ldapsearch -W -b "cn=elastic-users,cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" member

# Show all groups of which tonberry is a member of by searching for the memberOf attribute
ldapsearch -W -b "uid=tonberry,cn=users,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl" memberOf

# List attributes for all groups in the group "groups"
ldapsearch -W -b "cn=groups,cn=accounts,dc=brammerloo,dc=nl" -D "uid=admin,cn=users,cn=accounts,dc=brammerloo,dc=nl"
</syntaxhighlight>

=== git ===
==== Checks ====
<syntaxhighlight lang="bash">
# List your current branch and situation
git status

# List all branches and your current one
git branch --all

# List all available tags
git tag

# List the current selected tag
git describe
git describe --tags

# Compare changes in the current working directory to the committed tree, and list what files have been changed
git diff-files

# Compare changes in the current working directory to the committed tree, and list what has changed
git diff-files -p

# Compare the committed tree to the current working directory, and list what has changed
git diff HEAD
</syntaxhighlight>

==== Common ====
<syntaxhighlight lang="bash">
# Create a folder and initialize it for use by git
mkdir gitrepo1; cd gitrepo1; git init

# Switch to another branch
git checkout stable/zed

# Switch to a specific tag
git checkout tags/14.11.0

# Fetch data from the current upstream branch
git pull

# Pull data from a specific branch
git pull origin unmaintained/yoga
</syntaxhighlight>

=== rclone ===
* https://rclone.org/

==== Configuration ====
Example configuration based on OpenStack swift. Config should be in the homefolder of your user .config/rclone/rclone.conf:
<syntaxhighlight lang='bash'>
[swift-ssd]
type = swift
user = patrick
key = <PASSWORD>
auth = https://openstack.brammerloo.nl:5000/v3
region = Rotterdam
domain = Default
tenant = patrickproject
</syntaxhighlight>

==== Commands ====
<syntaxhighlight lang='bash'>
# List all containers, buckets and or folders of container "swift-ssd"
rclone lsd "swift-ssd:"
20 2025-02-10 09:46:00 2 ssd-container
0 2025-02-10 09:46:00 1 swift-ssd
0 2025-02-10 09:46:00 1 swift-ssd2

rclone lsd "swift-ssd:ssd-container"
0 2025-02-10 09:48:02 -1 mystorage

# List contents, files, folders of bucket "ssd-container", within container "swift-ssd"
rclone ls "swift-ssd:ssd-container"

# List the contents of file "asd"
rclone cat "swift-ssd:ssd-container/asd"

# Mount an object storage to local folder /mnt/object-ssd/
rclone mount swift-ssd:ssd-container /mnt/object-ssd

# Synchronize a local folder to a destination folder inside a bucket, in interactive mode
rclone sync -i /etc/rsyslog.d swift-ssd:ssd-container/mystorage/
</syntaxhighlight>

=== mdtest ===
This chapter was mostly written and contributed by Ivo Palli.

==== General ====
mdtest is part of the ior performance test package.

==== RHEL Installation ====
<syntaxhighlight lang='bash'>
wget https://github.com/hpc/ior/releases/download/3.3.0/ior-3.3.0.tar.bz2
tar xjf ior-*.tar.bz2
cd ior-*/

yum install openmpi-devel environment-modules
# Relog your shell so 'module' is available
module load mpi
module list
./configure
make -j4
make install
</syntaxhighlight>

==== Ubuntu Installation ====
* https://gist.github.com/hokiegeek2/3057f8bb3beb519ae9b556e41824be30
* https://ior.readthedocs.io/en/latest/userDoc/install.html

<syntaxhighlight lang='bash'>
VERSION=4.0.0
wget https://github.com/hpc/ior/releases/download/$VERSION/ior-$VERSION.tar.gz
tar -xzvf ior-$VERSION.tar.gz
cd ior-$VERSION/

apt install libopenmpi-dev environment-modules openmpi-bin openmpi-common libgtk2.0-dev -y
./configure

make -j4
make install
</syntaxhighlight>

===== Usage =====
Note: Number of items should be a multiple of depth x branching factor
<syntaxhighlight lang='bash'>
module load mpi

# Run command "mdtest -n 2000 -z 5 -b 2 -d /mnt/ssd/" 10 times in a row
mpirun --oversubscribe --allow-run-as-root -n 10 mdtest -n 2000 -z 5 -b 2 -d /mnt/nfs
</syntaxhighlight>

===== Links =====
* https://github.com/hpc/ior
* https://www.glennklockwood.com/benchmarks/mdtest.html Guide