Linux:Services: Difference between revisions
(Created page with "Cheatsheets == MAAS == === Checks === <pre> Logs in either place: /var/log/maas/ /var/snap/maas/common/log </pre> <syntaxhighlight lang="bash"> # List status of MAAS services maas status # List MAAS commands maas --help # List available arguments for the init command maas init --help </syntaxhighlight> == Docker == === Checks === <syntaxhighlight lang="bash"> # List docker containers docker ps </syntaxhighlight> === Commands === <syntaxhigh...") |
| Line 1: | Line 1: | ||
[[Category:Cheatsheet|Cheatsheets]] | [[Category:Cheatsheet|Cheatsheets]] | ||
== MAAS == | == Services == | ||
=== Checks === | <section begin="linuxservices"/> | ||
=== Common === | |||
==== systemctl ==== | |||
<syntaxhighlight lang="bash"> | |||
# List all services that are running or exited | |||
systemctl | |||
# List all services, running or otherwise | |||
systemctl --all | |||
# List all failed services | |||
systemctl --state=failed | |||
# Reset the failed service "nginx" | |||
systemctl reset-failed nginx | |||
# View the status of the "nfs-server" service | |||
systemctl status nfs-server | |||
# Output the config file of "rsyslog" to the shell | |||
systemctl cat rsyslog | |||
# Restart the "sshd" service, terminating established connections and re-parsing the configuration | |||
systemctl restart sshd | |||
# Reload the "nginx" service so that it only re-parses the configuration | |||
systemctl reload nginx | |||
# Stop the "nfs-ganesha" service so that it stops being run | |||
systemctl stop nfs-ganesha | |||
# Start the "nfs-ganesha" service so that it starts being run again | |||
systemctl start nfs-ganesha | |||
# Disable the "mariadb" service so that it doesn't start after the next boot | |||
systemctl disable mariadb | |||
# Enable the "mariadb" service so that it starts after the next boot. | |||
systemctl enable mariadb | |||
# Check the logs for all failed services | |||
for i in $(systemctl --state=failed | head -n -4 | tail -n +2 | awk '{print $1}'); do systemctl --no-pager status "$i"; done | |||
</syntaxhighlight> | |||
=== NTP === | |||
==== Timedatectl ==== | |||
<syntaxhighlight lang="bash"> | |||
# Show the current status of timedatectl | |||
timedatectl | |||
# List available timezones | |||
timedatectl list-timezones | |||
# Set the timezone to Amsterdam | |||
timedatectl set-timezone Europe/Amsterdam | |||
# Show verbose sync information | |||
timedatectl timesync-status | |||
</syntaxhighlight> | |||
=== SNMP === | |||
==== V3 client installation ==== | |||
* https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/ | |||
<syntaxhighlight lang="bash"> | |||
apt install snmpd snmp libsnmp-dev | |||
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak | |||
systemctl stop snmpd | |||
net-snmp-create-v3-user -ro -X <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME> | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# /etc/snmp/snmpd.conf | |||
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack | |||
sysContact Me <me@example.org> | |||
agentaddress 192.168.0.10 | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
systemctl start snmpd | |||
systemctl enable snmpd | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# Test | |||
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head | |||
</syntaxhighlight> | |||
=== CTDB === | |||
==== Checks ==== | |||
<syntaxhighlight lang="bash"> | |||
# Verify CTDB cluster status | |||
ctdb status | |||
# Show the allocated IP addresses and to which nodes they're bound | |||
ctdb ip | |||
# See the status of all CTDB-scripts | |||
ctdb scriptstatus | |||
ctdb event status | |||
# Show the time of the last failover the duration it took to recover | |||
ctdb uptime | |||
# See various statistics and data | |||
ctdb statistics | |||
# Use the onnode command to execute a command on all cluster nodes | |||
onnode all ctdb status | |||
</syntaxhighlight> | |||
==== Commands ==== | |||
<syntaxhighlight lang="bash"> | |||
# Stop a ctdb cluster member | |||
ctdb stop | |||
# Start a stopped ctdb cluster member | |||
ctdb continue | |||
</syntaxhighlight> | |||
=== Firewalls === | |||
==== UFW ==== | |||
===== Checks ===== | |||
<syntaxhighlight lang="bash"> | |||
# Show summary of UFW status | |||
ufw status | |||
# Show verbose UFW status | |||
ufw status verbose | |||
# Show UFW rules numbered | |||
ufw status numbered | |||
</syntaxhighlight> | |||
===== Commands ===== | |||
<syntaxhighlight lang="bash"> | |||
# Allow access from a specific IP to a port and add a comment that show in the status | |||
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location' | |||
# Delete numbered Firewall rule 56 | |||
ufw delete 56 | |||
# Disable UFW logging (prevent syslog spam) | |||
ufw logging off | |||
# Set UFW logging back to the default | |||
ufw logging low | |||
</syntaxhighlight> | |||
==== Firewalld ==== | |||
===== SNMP access ===== | |||
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing | |||
<syntaxhighlight lang="bash"> | |||
# /etc/firewalld/services/snmp.xml | |||
<?xml version="1.0" encoding="utf-8"?> | |||
<service> | |||
<short>SNMP</short> | |||
<description>SNMP protocol</description> | |||
<port protocol="udp" port="161"/> | |||
</service> | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
firewall-cmd --reload | |||
firewall-cmd --zone=public --add-service snmp --permanent | |||
firewall-cmd --reload | |||
</syntaxhighlight> | |||
===== Firewall-cmd ===== | |||
====== Checks ====== | |||
<syntaxhighlight lang="bash"> | |||
# List all available commands | |||
firewall-cmd -h | |||
# Check the configuration file of the firewall for errors | |||
firewall-cmd --check-config | |||
# Display the current state of firewall-cmd (running/shutdown) | |||
firewall-cmd --state | |||
# Display all available zones | |||
firewall-cmd --get-zones | |||
# List all whitelisted services | |||
firewall-cmd --list-services | |||
# List all services you can potentially enable | |||
firewall-cmd --get-services | |||
# List all added or enabled services and ports in more detail | |||
firewall-cmd --list-all | |||
# List verbose information for all zones | |||
firewall-cmd --list-all-zones | |||
# List verbose information for the public zone | |||
firewall-cmd --list-all --zone=public | |||
# See what port(s) are associated with the dns service | |||
firewall-cmd --info-service dns | |||
# List all opened ports | |||
firewall-cmd --list-ports | |||
# List kernel ruleset generated for nftables(?) | |||
nft list ruleset | |||
</syntaxhighlight> | |||
====== Commands ====== | |||
<syntaxhighlight lang="bash"> | |||
# Reload the firewall | |||
firewall-cmd --reload | |||
# Whitelist the dns service, persistently even after reboot | |||
firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload | |||
# Whitelist the http service, persistently even after reboot | |||
firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload | |||
# Remove the http service from the whitelist | |||
firewall-cmd --remove-service=http | |||
# Add port 1234 (tcp) to the whitelist | |||
firewall-cmd --add-port=1234/tcp | |||
# Remove port 1234 (tcp) from the whitelist | |||
firewall-cmd --remove-port=1234/tcp | |||
# Add port 2345 (udp) to the whitelist in zone external | |||
firewall-cmd --zone=external --add-port=2345/udp | |||
# Remove port 2345 (udp) from the whitelist for zone external | |||
firewall-cmd --zone=external --add-port=2345/udp | |||
# Add current configuration to configuration permanently | |||
firewall-cmd –runtime-to-permanent | |||
</syntaxhighlight> | |||
'''DANGEROUS''' | |||
<syntaxhighlight lang="bash"> | |||
# SHUT IT DOWN DOC - DROP ALL PACKETS AND EXPIRE EXISTING CONNECTIONS | |||
firewall-cmd --panic-on | |||
# ACCEPT PACKETS AGAIN | |||
firewall-cmd --panic-off | |||
</syntaxhighlight> | |||
==== CSF ==== | |||
ConfigServer Security and Firewall | |||
===== General ===== | |||
* Common configuration: /etc/csf/csf.conf | |||
* Blacklist: /etc/csf/csf.deny | |||
* Whitelist: /etc/csf/csf.allow | |||
===== Installation ===== | |||
From the official instructions: https://download.configserver.com/csf/install.txt | |||
====== Prerequisites ====== | |||
<syntaxhighlight lang="bash"> | |||
Perl Modules | |||
============ | |||
While most should be installed on a standard perl installation the following | |||
may need to be installed manually: | |||
# On rpm based systems: | |||
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph | |||
# On APT based systems: | |||
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl | |||
</syntaxhighlight> | |||
====== Install ====== | |||
<syntaxhighlight lang="bash"> | |||
cd /usr/src | |||
rm -fv csf.tgz | |||
wget https://download.configserver.com/csf.tgz | |||
tar -xzf csf.tgz | |||
cd csf | |||
sh install.sh | |||
# Next, test whether you have the required iptables modules: | |||
perl /usr/local/csf/bin/csftest.pl | |||
# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors | |||
</syntaxhighlight> | |||
===== Checks ===== | |||
<syntaxhighlight lang="bash"> | |||
# Check the running status of csf | |||
csf status | |||
</syntaxhighlight> | |||
===== Commands ===== | |||
<syntaxhighlight lang="bash"> | |||
# Commit config changes by restarting csf | |||
csf -r | |||
</syntaxhighlight> | |||
===== csf.conf ===== | |||
Some common changes within the configuration file | |||
<syntaxhighlight lang="bash"> | |||
# Set testing to 0 when your CSF configuration is 'production' ready | |||
TESTING = "0" | |||
# Allow access to any service you're hosting locally, for example https | |||
TCP_IN = "443" | |||
UDP_IN = "" | |||
# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update | |||
TCP_OUT = "80,443" | |||
# Allow outgoing traceroute | |||
UDP_OUT = "33434:33523" | |||
# Allow your server to be pinged | |||
ICMP_IN = "0" | |||
</syntaxhighlight> | |||
===== Formatting ===== | |||
The varying styles of formatting used in allow.conf | |||
<syntaxhighlight lang="bash"> | |||
# Allow anything relating to the following IPs/ranges | |||
192.168.10.0/24 # Our application breaks without this range | |||
192.168.1.1 # Our gateway or something | |||
# Detailed entries based on Transport protocol, direction, Application protocol and IP | |||
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN | |||
udp:in:d=161:s=10.11.12.100 # SNMP Access | |||
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway | |||
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range | |||
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443 | |||
# Allow sending Syslog messages to our Syslog server | |||
udp|out|d=514|d=192.168.20.5 # UDP syslog server | |||
tcp|out|d=10514|d=192.168.20.5 # UDP syslog server | |||
# Allow sending queries to some DNS servers | |||
tcp|out|s=53|d=8.8.8.8 | |||
udp|out|s=53|d=1.1.1.1 | |||
udp|out|s=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server | |||
# Include an external configuration file | |||
Include /etc/csf/csf.custom-config | |||
</syntaxhighlight> | |||
=== rsyslog === | |||
<section begin="linuxsyslog"/> | |||
* https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names | |||
* https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates | |||
==== Legacy ==== | |||
Send all logs to a rsyslog server and specify a port, @ is equal to using UDP. @@ is equal to TCP | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf | |||
*.* @10.77.0.1:514 | |||
</syntaxhighlight> | |||
Custom template where hostname is defined, then sent to the syslog server - include the priority number as first extra variable | |||
<syntaxhighlight lang="bash"> | |||
#/etc/rsyslog.d/70-local-to-rsyslog-server.conf | |||
$template SendHostname, "%PRI%1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n" | |||
*.warning @10.77.0.1;SendHostname | |||
</syntaxhighlight> | |||
Send messages to a syslog server, using a template aligned to IETF protocol 23 | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/61-qwe.conf | |||
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format | |||
</syntaxhighlight> | |||
Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/60-asd.conf | |||
$template custom_IETFprotocol_23,"%PRI%1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" | |||
*.* @10.77.0.1;custom_IETFprotocol_23 | |||
</syntaxhighlight> | |||
Log to the local server with a static hostname, using a custom structure | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/62-asd.conf | |||
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n" | |||
*.* /var/log/wewuzerrors.txt;NewHostname | |||
</syntaxhighlight> | |||
An alternative to the contents above, specifying different/more fields | |||
<syntaxhighlight lang="bash"> | |||
## /etc/rsyslog.d/65-customtemplate.conf | |||
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template | |||
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n" | |||
*.* /var/log/wazanda.txt;mynewtemplate | |||
</syntaxhighlight> | |||
==== Rainerscript ==== | |||
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html | |||
Write all local messages to a specific file | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/60-asd.conf | |||
action(type="omfile" file="/var/log/isaidhey.txt") | |||
</syntaxhighlight> | |||
Send message to a syslog server using IETF protocol 23 | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf | |||
template(name="RSYSLOG_SyslogProtocol23Format" type="string" | |||
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n") | |||
# Send all logs to the target server | |||
action(type="omfwd" Target="192.168.5.21" Template="RSYSLOG_SyslogProtocol23Format" Port="514" Protocol="udp") | |||
</syntaxhighlight> | |||
Define a template aligned to IETF protocol 23 but specify a hostname to send as: | |||
<syntaxhighlight lang="bash"> | |||
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf | |||
template(name="SendHostname" type="string" | |||
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n") | |||
# Send all logs to target syslog server and port | |||
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp") | |||
</syntaxhighlight> | |||
==== Testing ==== | |||
<syntaxhighlight lang="bash"> | |||
# Use the logger tool to test syslog server reception | |||
logger -p local0.error 'Hello World!' | |||
</syntaxhighlight> | |||
<section end="linuxsyslog"/> | |||
=== named === | |||
==== Checks ==== | |||
<syntaxhighlight lang="bash"> | |||
# Perform a test load of all primary zones within named.conf, as the named user | |||
sudo -u named named-checkconf -z | |||
# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone | |||
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0 | |||
# Check zone file brammerloo.nl defined in the brammerloo.nl zone | |||
named-checkzone brammerloo.nl brammerloo.nl | |||
</syntaxhighlight> | |||
==== Configuration ==== | |||
Basic configuration for the options field in '''/etc/named.conf''' | |||
<syntaxhighlight lang="bash"> | |||
options { | |||
# Define on what IP to listen on, for port 53 | |||
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; }; | |||
directory "/var/named"; | |||
dump-file "/var/named/data/cache_dump.db"; | |||
statistics-file "/var/named/data/named_stats.txt"; | |||
memstatistics-file "/var/named/data/named_mem_stats.txt"; | |||
secroots-file "/var/named/data/named.secroots"; | |||
recursing-file "/var/named/data/named.recursing"; | |||
# Only allow DNS queries from specific local subnets | |||
# To allow from anything use: allow query { any; }; | |||
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; }; | |||
# If the server can't resolve an address locally, use the following DNS servers for help | |||
forwarders { | |||
8.8.8.8; | |||
1.1.1.1; | |||
}; | |||
recursion yes; | |||
dnssec-validation no; | |||
managed-keys-directory "/var/named/dynamic"; | |||
geoip-directory "/usr/share/GeoIP"; | |||
pid-file "/run/named/named.pid"; | |||
session-keyfile "/run/named/session.key"; | |||
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ | |||
include "/etc/crypto-policies/back-ends/bind.config"; | |||
}; | |||
</syntaxhighlight> | |||
Zone defnitions: '''/etc/named.rfc1912.zones''' | |||
<syntaxhighlight lang="bash"> | |||
# Define zones to listen for | |||
zone "brammerloo.nl" IN { | |||
type master; | |||
file "brammerloo.nl"; | |||
allow-update { none; }; | |||
}; | |||
zone "1.168.192.in-addr.arpa" IN { | |||
type master; | |||
file "192.168.1.0"; | |||
allow-update { none; }; | |||
}; | |||
</syntaxhighlight> | |||
Zone file for Reverse lookup: '''/var/named/192.168.1.0''' | |||
<syntaxhighlight lang="bash"> | |||
$TTL 300 | |||
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. ( | |||
2023101102 ; serial | |||
180 ; refresh | |||
60 ; retry | |||
108000 ; expire | |||
60 ) ; minimum | |||
IN NS ns1.brammerloo.nl. | |||
; PTR Records | |||
11 IN PTR node1. | |||
21 IN PTR server1. | |||
</syntaxhighlight> | |||
Zone file for domain: '''/var/named/brammerloo.nl''' | |||
<syntaxhighlight lang="bash"> | |||
$TTL 300 | |||
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. ( | |||
2023101306 ; serial | |||
180 ; refresh | |||
60 ; retry | |||
108000 ; expire | |||
60 ) ; minimum | |||
IN NS ns1.brammerloo.nl. | |||
@ IN A 192.168.1.6 ; domain brammerloo.nl is me! | |||
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain | |||
node1 IN A 192.168.78.31 ; Basic A-record | |||
www IN CNAME node1 ; Point my website to my node1 A-record | |||
</syntaxhighlight> | |||
=== dhcpd === | |||
==== dhclient ==== | |||
<syntaxhighlight lang="bash"> | |||
# Request DHCP addresses where applicable | |||
dhclient | |||
# Request an IPv4 adres from a DHCP server | |||
dhclient -4 | |||
# Show verbose information when requesting an IPv4 adres from a DHCP server | |||
dhclient -4 -v | |||
# Release a DHCP lease | |||
dhclient -r | |||
</syntaxhighlight> | |||
==== Configuration ==== | |||
Basic configuration options in the '''/etc/dhcp/dhcpd.conf''' file | |||
<syntaxhighlight lang="bash"> | |||
# Set the domain clients should use when resolving hostnames (equivalent to search domain) | |||
option domain-name "brammerloo.nl"; | |||
# Set the domain name servers for DHCP clients | |||
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8; | |||
default-lease-time 600; | |||
max-lease-time 7200; | |||
log-facility local7; | |||
# Best practice = define any connected subnets, but don't configure DHCP for them | |||
subnet 192.168.1.0 netmask 255.255.255.0 { | |||
} | |||
# Basic DHCP for a subnet configuration | |||
subnet 192.168.0.0 netmask 255.255.255.0 { | |||
range 192.168.0.100 192.168.0.150; | |||
option routers 192.168.0.1; | |||
} | |||
</syntaxhighlight> | |||
=== smbd / Samba / CIFS === | |||
https://linuxconfig.org/install-samba-on-redhat-8 | |||
==== Checks ==== | |||
<syntaxhighlight lang="bash"> | |||
# List available shares on an IP or host | |||
smbclient -L //172.17.0.2 | |||
# Samba status checks | |||
smbstatus | |||
smbstatus -S | |||
smbstatus -b | |||
# Samba set debug mode | |||
smbcontrol smbd debug 1 | |||
</syntaxhighlight> | |||
==== Basic configuration ==== | |||
<syntaxhighlight lang="bash"> | |||
# Install and enable | |||
dnf install samba samba-client | |||
systemctl enable --now {smb,nmb} | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# Create a client-user to authenticate with | |||
sudo useradd samba-user | |||
# Give the user a password to authenticate with | |||
sudo smbpasswd -a samba-user | |||
# Create a group to associate with the samba share | |||
sudo groupadd sambagroup | |||
# Add the user to the group we will be configuring for the share | |||
sudo usermod -a -G sambagroup samba-user | |||
# Create the folder we will be sharing | |||
sudo mkdir /var/shares/myshare | |||
# Apply proper permission | |||
sudo chown -R samba-user:sambagroup /var/shares/myshare/ | |||
sudo chmod -R 0770 /var/shares/myshare/ | |||
# Apply proper permission for SELinux | |||
sudo chcon -t samba_share_t /var/shares/myshare/ | |||
# Backup the default config | |||
cp /etc/samba/smb.conf /etc/samba/smb.conf~ | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# /etc/samba/smb.conf | |||
[global] | |||
workgroup = <DOMAIN-OR-WORKGROUP> | |||
server string = Samba Server %v | |||
netbios name = <SERVER-HOSTNAME> | |||
security = user | |||
map to guest = bad user | |||
dns proxy = no | |||
#==================== Share Definitions ====================== | |||
[share001] | |||
path = /var/shares/myshare | |||
valid users = @sambagroup | |||
guest ok = no | |||
writable = yes | |||
browsable = yes | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash"> | |||
# Reload Samba services | |||
systemctl reload {smb,nmb} | |||
# Mount in Windows | |||
\\<SERVER-IP>\share001 | |||
</syntaxhighlight> | |||
<pre> | |||
user: samba-user | |||
pass: <Whatever password you filled in with smbpasswd -a | |||
</pre> | |||
=== Docker === | |||
==== Checks ==== | |||
<syntaxhighlight lang="bash"> | |||
# List Docker containers | |||
docker ps | |||
# List all Docker container IDs | |||
docker ps -aq | |||
# List logs for container 987sdh3qrasdhj | |||
docker logs 987sdh3qrasdhj | |||
# List RAM/CPU usage for Docker container asdlkasd67k | |||
docker stats asdlkasd67k | |||
# Show verbose container information such as commands run, network, ID, etc | |||
docker inspect oiu2398sda87 | |||
</syntaxhighlight> | |||
==== Commands ==== | |||
<syntaxhighlight lang="bash"> | |||
# Enter the shell inside a docker container | |||
docker exec -ti a89sd98sa7d /bin/bash | |||
# Execute a command inside a container as a specific user, root in this case | |||
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log | |||
docker exec -u 0 -it as892asnj2as /bin/bash | |||
# Restart docker container yoga | |||
docker restart yoga | |||
# Restart the 3 given containers | |||
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098 | |||
# Start this container | |||
docker start as9823nzxc0 | |||
# Stop this container | |||
docker stop as9823nzxc0 | |||
# Restart all unhealthy Docker containers | |||
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done; | |||
</syntaxhighlight> | |||
=== PowerDNS === | |||
* https://doc.powerdns.com/authoritative/index.html | |||
* https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html | |||
* https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html | |||
==== Checks ==== | |||
<syntaxhighlight> | |||
# List commands | |||
pdns_server --help | |||
# Check config and parse for errors | |||
pdns_server --config=check | |||
</syntaxhighlight> | |||
<syntaxhighlight> | |||
# List available commands | |||
pdnsutil --help | |||
# Check config and parse for errors | |||
pdnsutil --config=check | |||
# List all available zones | |||
pdnsutil list-all-zones | |||
# List all domains in the primary zone | |||
pdnsutil list-all-zones primary | |||
# See zone information for a specific domain | |||
pdnsutil show-zone mydomain.com | |||
pdnsutil show-zone 77.5.10.in-addr.arpa | |||
# Check zone for errors | |||
pdnsutil check-zone mydomain.com | |||
# List all created TSIG keys | |||
pdnsutil list-tsig-keys | |||
</syntaxhighlight> | |||
==== Commands ==== | |||
<syntaxhighlight> | |||
# Activate TSIG key for domain "myexample.com" in the primary zone | |||
pdnsutil " myexample.com transfer primary | |||
</syntaxhighlight> | |||
=== MAAS === | |||
==== Checks ==== | |||
<pre> | <pre> | ||
Logs in either place: | Logs in either place: | ||
| Line 20: | Line 781: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<section end="linuxservices"/> | |||
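Review bot: The `net-snmp-create-v3-user` line in the new SNMP section passes `-X` twice and never `-A`, so no authentication passphrase is set and the second `-X` silently overrides the privacy passphrase; it should read `net-snmp-create-v3-user -ro -a SHA -A <AUTH-PASSWORD> -x AES -X <PRIV-PASSWORD> <USERNAME>` (the later `snmpwalk` test line already uses `-A`/`-X` correctly). Leaving `-A`/`-X` off makes the tool prompt for both passphrases, which keeps them out of shell history and the process list. Two similar slips in the Firewall-cmd commands block: the line commented "Remove port 2345 (udp) from the whitelist for zone external" repeats `firewall-cmd --zone=external --add-port=2345/udp` instead of `--remove-port=2345/udp`, and the closing `firewall-cmd –runtime-to-permanent` uses an en dash where two ASCII hyphens, `--runtime-to-permanent`, are required.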
< | |||
Latest revision as of 16:18, 20 November 2025
Services
Common
systemctl
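# List all services that are running or exited
systemctl
# List all services, running or otherwise
systemctl --all
# List all failed services
systemctl --state=failed
# Reset the failed service "nginx"
systemctl reset-failed nginx
# View the status of the "nfs-server" service
systemctl status nfs-server
# Output the config file of "rsyslog" to the shell
systemctl cat rsyslog
# Restart the "sshd" service: a full stop and start that re-reads the configuration
systemctl restart sshd
# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx
# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha
# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha
# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb
# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb
# Check the logs for all failed services.
# --plain and --no-legend drop the header, footer and bullet column, so the
# unit name is reliably the first field; the previous head/tail slicing broke
# as soon as the footer line count differed from what it assumed.
systemctl list-units --state=failed --plain --no-legend \
  | awk '{print $1}' \
  | while IFS= read -r unit; do
      systemctl --no-pager status "$unit"
    done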
NTP
Timedatectl
# Current time, timezone and sync state as reported by timedatectl
timedatectl
# Timezone names that set-timezone accepts
timedatectl list-timezones
# Switch this host to the Amsterdam timezone
timedatectl set-timezone Europe/Amsterdam
# Detailed time synchronisation information
timedatectl timesync-status
SNMP
V3 client installation
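# Install the daemon, the client tools and the development headers
apt install snmpd snmp libsnmp-dev
# Keep a copy of the shipped configuration before editing it
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
# snmpd has to be stopped while the USM user is created
systemctl stop snmpd
# Create a read-only SNMPv3 user. -a/-A select the authentication protocol and
# passphrase, -x/-X the privacy (encryption) protocol and passphrase. The
# original line passed -X twice and never -A, so no auth passphrase was set.
net-snmp-create-v3-user -ro -a SHA -A <AUTH-PASSWORD> -x AES -X <PRIV-PASSWORD> <USERNAME>
# Same, but without -A/-X the tool prompts for both passphrases, so they never
# end up in shell history or in the process list
net-snmp-create-v3-user -ro -a SHA -x AES <USERNAME>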
# /etc/snmp/snmpd.conf
# Free-form location string returned as sysLocation.0
sysLocation NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
# Contact returned as sysContact.0
sysContact Me <me@example.org>
# Bind the agent to this one address instead of every interface, so it is only
# reachable from the management network
agentaddress 192.168.0.10
# Make snmpd start at boot ...
systemctl enable snmpd
# ... and bring it up now, with the new v3 user in place
systemctl start snmpd
# Test: walk the local agent as the new v3 user with authentication and
# privacy (authPriv), showing only the first lines.
# Both passphrases are on the command line here, so they land in shell history
# and are visible to other local users via the process list while the walk
# runs; for routine use put them in ~/.snmp/snmp.conf instead
# (defSecurityName/defAuthPassphrase/defPrivPassphrase) and keep that file 0600.
snmpwalk -v3 -a SHA -A "AUTHENTICATION PASSWORD" -x AES -X "CRYPTO PASSWORD" -l authPriv -u "MYUSER" localhost | head
CTDB
Checks
# Overall health of the CTDB cluster
ctdb status
# Public IP addresses and the node each one is currently bound to
ctdb ip
# Status of the event scripts (old and new command forms)
ctdb scriptstatus
ctdb event status
# When the last recovery happened and how long it took
ctdb uptime
# Assorted counters and statistics
ctdb statistics
# onnode runs a command on every cluster node, here the status check
onnode all ctdb status
Commands
# Take this cluster member out of service (it stays a member, but stopped)
ctdb stop
# Put a stopped member back into service
ctdb continue
Firewalls
UFW
Checks
# One-line UFW state plus the rule list
ufw status
# Same, with logging level and default policies
ufw status verbose
# Rule list with the numbers that "ufw delete N" expects
ufw status numbered
Commands
# Permit one source address to reach TCP/22; the comment shows up in "ufw status"
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'
# Remove rule number 56 (re-run "ufw status numbered" first: numbers shift after every delete)
ufw delete 56
# Silence UFW logging (stops it flooding syslog)
ufw logging off
# Back to the default logging level
ufw logging low
Firewalld
SNMP access
# /etc/firewalld/services/snmp.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Custom firewalld service definition: a single UDP port, 161, for SNMP.
     Drop this file in /etc/firewalld/services/ and reload before referencing it. -->
<service>
<short>SNMP</short>
<description>SNMP protocol</description>
<port protocol="udp" port="161"/>
</service>
# Make firewalld pick up the new service definition file
firewall-cmd --reload
# Open it in the public zone and write that to the saved configuration
firewall-cmd --zone=public --add-service snmp --permanent
# Activate the saved configuration
firewall-cmd --reload
Firewall-cmd
Checks
# Usage and the full option list
firewall-cmd -h
# Syntax-check the on-disk configuration
firewall-cmd --check-config
# Is firewalld running or shut down?
firewall-cmd --state
# Zones that exist
firewall-cmd --get-zones
# Services allowed in the default zone
firewall-cmd --list-services
# Every service definition that could be allowed
firewall-cmd --get-services
# Full detail for the default zone (services, ports, sources, ...)
firewall-cmd --list-all
# Full detail for every zone
firewall-cmd --list-all-zones
# Full detail for the public zone only
firewall-cmd --list-all --zone=public
# Ports behind the dns service definition
firewall-cmd --info-service dns
# Ports opened directly (not via a service)
firewall-cmd --list-ports
# Ruleset the kernel actually has loaded (nftables backend; verify for your version)
nft list ruleset
Commands
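# All commands below assume a root shell, like the rest of this section
# Reload the firewall
firewall-cmd --reload
# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; firewall-cmd --runtime-to-permanent; firewall-cmd --reload
# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; firewall-cmd --runtime-to-permanent; firewall-cmd --reload
# Remove the http service from the whitelist
firewall-cmd --remove-service=http
# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp
# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp
# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp
# Remove port 2345 (udp) from the whitelist for zone external
# (the original repeated --add-port here, so the port was never removed)
firewall-cmd --zone=external --remove-port=2345/udp
# Save the current runtime configuration permanently. Two ASCII hyphens are
# required; the original used an en dash, which firewall-cmd does not accept.
firewall-cmd --runtime-to-permanent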
DANGEROUS
# Panic mode: drop every packet in and out and expire existing connections.
# Run it from a console; over SSH it also cuts your own session.
firewall-cmd --panic-on
# Leave panic mode and accept packets again
firewall-cmd --panic-off
CSF
ConfigServer Security and Firewall
General
- Common configuration: /etc/csf/csf.conf
- Blacklist: /etc/csf/csf.deny
- Whitelist: /etc/csf/csf.allow
Installation
From the official instructions: https://download.configserver.com/csf/install.txt
Prerequisites
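# Perl Modules
# ============
# While most should be installed on a standard perl installation the following
# may need to be installed manually (the lines above were bare prose inside a
# bash block; they are comments now so the snippet can be pasted as-is):
# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph
# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl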
Install
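# Fetch and unpack the installer; stop if a directory change fails rather than
# running the following commands somewhere unexpected
cd /usr/src || exit 1
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
# The archive is unpacked and run as root below without any checksum or
# signature check; compare it against a vendor-published checksum first, if one
# is available for this release
tar -xzf csf.tgz
cd csf || exit 1
sh install.sh
# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl
# Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors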
Checks
# Is csf running, and with which rules?
csf status
Commands
# Restart csf so edits to csf.conf / csf.allow / csf.deny take effect
csf -r
csf.conf
Some common changes within the configuration file
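# Set testing to 0 when your CSF configuration is 'production' ready.
# While testing is on, csf periodically clears its own rules so a mistake
# cannot lock you out for long; switch it off only once access is confirmed.
TESTING = "0"
# Allow access to any service you're hosting locally, for example https.
# If you administer the host over SSH, list that port here as well (e.g.
# "22,443") before TESTING goes to 0, or the next rule load cuts your session.
TCP_IN = "443"
UDP_IN = ""
# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443"
# Allow outgoing traceroute
UDP_OUT = "33434:33523"
# Allow your server to be pinged. ICMP_IN is a 1/0 switch; the original value
# "0" blocks incoming echo requests, which contradicts this comment.
ICMP_IN = "1"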
Formatting
The varying styles of formatting used in allow.conf
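# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something
# Detailed entries: transport|direction|port|address, where "s=" means source
# and "d=" means destination (the entries below use both ":" and "|" as separator)
tcp:in:d=22:s=7.7.7.7 # SSH access from our VPN
udp:in:d=161:s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1:/16 # IPV6 SSH access from our jumpgateway -- NOTE(review): "fe80::1:/16" is not a valid prefix, confirm the intended range
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range
tcp|out|d=80,443|d=1.2.3.4/32 # Allow outgoing HTTP/HTTPS access via port 80 and 443
# Allow sending Syslog messages to our Syslog server
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # TCP syslog server (the original comment said UDP)
# Allow sending queries to some DNS servers. Queries go *to* port 53, so the
# port must be "d=53"; the original "s=53" matched on the source port instead
# and would not have allowed outgoing queries.
tcp|out|d=53|d=8.8.8.8
udp|out|d=53|d=1.1.1.1
udp|out|d=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server
# Include an external configuration file
Include /etc/csf/csf.custom-config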
rsyslog
- https://www.rsyslog.com/doc/reference/templates/templates-reserved-names.html#ref-templates-reserved-names
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2-templates
Legacy
Send all logs to an rsyslog server on a specific port; a single @ means UDP, @@ means TCP
# /etc/rsyslog.d/75-local-to-rsyslog-server.conf
# Every facility and severity (*.*) forwarded over UDP (single @) to port 514.
# UDP forwarding is unauthenticated and unencrypted; messages can be lost or
# spoofed on the wire, so keep the path inside a trusted network.
*.* @10.77.0.1:514
Custom template with a fixed hostname, sent to the syslog server; the priority number is the first field
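#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# RFC 5424 wants the priority wrapped in angle brackets, "<PRI>1"; the original
# "%PRI%1" emitted it bare, which strict receivers may not parse as a PRI.
$template SendHostname, "<%PRI%>1 %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
# Forward warning and above over UDP (single @) using that template
*.warning @10.77.0.1;SendHostname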
Send messages to a syslog server, using a template aligned to IETF protocol 23
# /etc/rsyslog.d/61-qwe.conf
# Forward everything over UDP using rsyslog's built-in RFC 5424 template;
# no port given, so the default syslog port is used
*.* @10.77.0.1;RSYSLOG_SyslogProtocol23Format
Send messages to a syslog server, using a template aligned to IETF protocol 23, but specifying a custom hostname
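# /etc/rsyslog.d/60-asd.conf
# Same layout as the built-in protocol-23 template, but with a fixed hostname.
# The priority must be "<%PRI%>1" (RFC 5424 header); the original "%PRI%1"
# left out the angle brackets.
$template custom_IETFprotocol_23,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% prive.host.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
# Forward everything over UDP with that template
*.* @10.77.0.1;custom_IETFprotocol_23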
Log to a local file with a static hostname, using a custom template
# /etc/rsyslog.d/62-asd.conf
# Template with a fixed hostname in place of the local one
$template NewHostname, "%timestamp% tester.mydomain.nl %syslogtag% %msg%\n"
# Write everything to a local file using that template
*.* /var/log/wewuzerrors.txt;NewHostname
An alternative to the contents above, specifying different/more fields
## /etc/rsyslog.d/65-customtemplate.conf
# https://stackoverflow.com/questions/57890176/extending-rsyslogs-default-logging-template
# Adds the facility.severity pair (in text form) between the hostname and the tag
$template mynewtemplate,"%timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg%\n"
# Write everything to a local file using that template
*.* /var/log/wazanda.txt;mynewtemplate
Rainerscript
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html
Write all local messages to a specific file
# /etc/rsyslog.d/60-asd.conf
# Unconditional omfile action: every message reaching this file goes to the given path
action(type="omfile" file="/var/log/isaidhey.txt")
Send message to a syslog server using IETF protocol 23
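# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Names starting with "RSYSLOG_" are reserved for rsyslog's built-in templates,
# so the original definition re-used a reserved name. The layout below is the
# same as the built-in RSYSLOG_SyslogProtocol23Format (RFC 5424 header); it is
# kept under a local name so it can be adjusted.
template(name="LocalSyslogProtocol23Format" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
# Send all logs to the target server. Plain UDP is unauthenticated and
# unencrypted; omfwd also supports Protocol="tcp" and TLS via a stream driver.
action(type="omfwd" Target="192.168.5.21" Template="LocalSyslogProtocol23Format" Port="514" Protocol="udp")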
Define a template aligned to IETF protocol 23, but with a fixed hostname to send as:
# /etc/rsyslog.d/71-local-to-rsyslog-server.conf
template(name="SendHostname" type="string"
string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% myhost.mydomain.nl %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
# Send all logs to target syslog server and port
action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
Testing
# Send a test message with logger to confirm the syslog server receives it
logger -p local0.error 'Hello World!'
named
Checks
# Test-load every primary zone referenced in named.conf, running as the named user
sudo -u named named-checkconf -z
# Validate the zone file 192.168.77.0 for the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0
# Validate the zone file brammerloo.nl for the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
Configuration
Basic configuration for the options field in /etc/named.conf
options {
# Define on what IP to listen on, for port 53
listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
# Working directory; relative zone file names in the zone definitions are resolved against it
directory "/var/named";
# Locations for the cache dump, statistics and other runtime files
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
# Only allow DNS queries from specific local subnets
# To allow from anything use: allow-query { any; };
allow-query { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };
# If the server can't resolve an address locally, use the following DNS servers for help
forwarders {
8.8.8.8;
1.1.1.1;
};
# Recursion is on; the allow-query list above is what keeps this from being an open
# resolver, so keep it tight (allow-recursion can restrict recursive clients separately)
recursion yes;
# NOTE(review): this turns DNSSEC validation off, so answers relayed from the forwarders
# are accepted unvalidated; "auto" is the usual setting unless validation is known to break something
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
geoip-directory "/usr/share/GeoIP";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
Zone definitions: /etc/named.rfc1912.zones
# Define zones to listen for
zone "brammerloo.nl" IN {
type master;
file "brammerloo.nl";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0";
allow-update { none; };
};
Zone file for reverse lookup: /var/named/192.168.1.0
$TTL 300
; SOA: primary name server, admin mailbox (admin@brammerloo.nl), then the timers in seconds
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101102 ; serial - bump it on every edit so secondaries pick up the change
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
; PTR Records
; NOTE(review): "node1." and "server1." are absolute single-label names; a fully
; qualified target such as node1.brammerloo.nl. is probably what is intended
11 IN PTR node1.
21 IN PTR server1.
Zone file for domain: /var/named/brammerloo.nl
$TTL 300
@ IN SOA ns1.brammerloo.nl. admin.brammerloo.nl. (
2023101306 ; serial
180 ; refresh
60 ; retry
108000 ; expire
60 ) ; minimum
IN NS ns1.brammerloo.nl.
@ IN A 192.168.1.6 ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN A 192.168.78.31 ; FQDN for my domain
node1 IN A 192.168.78.31 ; Basic A-record
www IN CNAME node1 ; Point my website to my node1 A-record
dhcpd
dhclient
# Request DHCP leases on every interface where applicable
dhclient
# Request an IPv4 address from a DHCP server
dhclient -4
# Same, with verbose output while requesting the IPv4 address
dhclient -4 -v
# Release the current DHCP lease
dhclient -r
Configuration
Basic configuration options in the /etc/dhcp/dhcpd.conf file
# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";
# Set the domain name servers for DHCP clients
# NOTE(review): dhcpd resolves a hostname given here when it parses the config, so
# ns1.brammerloo.nl presumably has to be resolvable on the DHCP server itself — confirm
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;
# Lease lifetime in seconds: the default handed out, and the maximum a client may request
default-lease-time 600;
max-lease-time 7200;
# Send dhcpd's own log messages to the local7 syslog facility
log-facility local7;
# Best practice: declare every subnet the server is attached to, even those that
# should not get DHCP service - an empty subnet block does exactly that
subnet 192.168.1.0 netmask 255.255.255.0 {
}
# Basic DHCP for a subnet: hand out addresses from a pool and advertise the gateway
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.150;
option routers 192.168.0.1;
}
smbd / Samba / CIFS
https://linuxconfig.org/install-samba-on-redhat-8
Checks
# List the shares offered by an IP or host
smbclient -L //172.17.0.2
# Samba status checks: full overview, shares only (-S), brief output (-b)
smbstatus
smbstatus -S
smbstatus -b
# Set smbd's debug level to 1
smbcontrol smbd debug 1
Basic configuration
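# Install the Samba server and client packages, then enable and start the services
dnf install samba samba-client
systemctl enable --now {smb,nmb}
# Create the Linux user that clients will authenticate as
sudo useradd samba-user
# Set a Samba password for that user (smbpasswd keeps its own password database)
sudo smbpasswd -a samba-user
# Create the group that will be granted access to the share
sudo groupadd sambagroup
# Add the share user to that group
sudo usermod -a -G sambagroup samba-user
# Create the directory to share (-p also creates /var/shares if it does not exist yet)
sudo mkdir -p /var/shares/myshare
# Restrict the directory to the share user and group; 0770 gives other local users no access
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/
# Label the directory so SELinux lets smbd serve it
# NOTE(review): chcon does not survive a filesystem relabel; for a permanent label use
# semanage fcontext -a -t samba_share_t '/var/shares/myshare(/.*)?' followed by restorecon -Rv /var/shares/myshare
sudo chcon -t samba_share_t /var/shares/myshare/
# Keep a copy of the stock config before editing it
cp /etc/samba/smb.conf /etc/samba/smb.conf~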
# /etc/samba/smb.conf
[global]
workgroup = <DOMAIN-OR-WORKGROUP>
server string = Samba Server %v
netbios name = <SERVER-HOSTNAME>
# Authenticate by username/password against Samba's own password database
security = user
# Unknown usernames are mapped to the guest account; shares with guest ok = no still reject them
map to guest = bad user
dns proxy = no
#==================== Share Definitions ======================
[share001]
path = /var/shares/myshare
# Only members of the sambagroup group may open this share
valid users = @sambagroup
guest ok = no
writable = yes
browsable = yes
# Reload Samba services
systemctl reload {smb,nmb}
# Mount in Windows
\\<SERVER-IP>\share001
user: samba-user, pass: <whatever password you set with smbpasswd -a>
Docker
Checks
# List running Docker containers
docker ps
# List the IDs of all containers, running or not
docker ps -aq
# Show the logs of container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj
# Show live RAM/CPU usage of container asdlkasd67k
docker stats asdlkasd67k
# Show verbose container details (command, network, ID, etc.)
docker inspect oiu2398sda87
Commands
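# Open an interactive shell inside container a89sd98sa7d
docker exec -ti a89sd98sa7d /bin/bash
# Run a command inside a container as a specific user: root by name, or by UID 0
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash
# Restart the container named yoga
docker restart yoga
# Restart the three given containers in one call
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098
# Start this container
docker start as9823nzxc0
# Stop this container
docker stop as9823nzxc0
# Restart all unhealthy containers.
# Ask the daemon for the health state instead of grepping the human-readable
# `docker ps` table, which also matches containers or images whose name happens
# to contain "unhealthy" and depends on the column layout. If nothing is
# unhealthy the loop body simply never runs.
docker ps --filter health=unhealthy -q | while IFS= read -r id; do docker restart "$id"; done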
PowerDNS
- https://doc.powerdns.com/authoritative/index.html
- https://doc.powerdns.com/authoritative/manpages/pdns_server.1.html
- https://doc.powerdns.com/authoritative/manpages/pdnsutil.1.html
Checks
# List pdns_server options
pdns_server --help
# Check the server config and parse it for errors
pdns_server --config=check
# List pdnsutil commands
pdnsutil --help
# Check the config and parse it for errors
pdnsutil --config=check
# List every zone
pdnsutil list-all-zones
# List only the zones this server is primary for
pdnsutil list-all-zones primary
# Show zone details for a forward and a reverse zone
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa
# Check a zone for errors
pdnsutil check-zone mydomain.com
# List every TSIG key that has been created
pdnsutil list-tsig-keys
Commands
# Activate TSIG key for domain "myexample.com" in the primary zone pdnsutil " myexample.com transfer primary
MAAS
Checks
Logs are in one of these locations: /var/log/maas/ or /var/snap/maas/common/log
# Show the status of the MAAS services
maas status
# List MAAS commands
maas --help
# List the arguments accepted by the init command
maas init --help