Linux:Services

From Cheatsheet

[[Category:Cheatsheet|Cheatsheets]]
<section begin="linuxservices"/>
=== NTP ===
==== Timedatectl ====
<syntaxhighlight lang="bash">
# Show the current status of timedatectl
timedatectl
# List available timezones
timedatectl list-timezones
# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam
# Show verbose sync information
timedatectl timesync-status
</syntaxhighlight>
=== SNMPv3 client installation ===
https://kifarunix.com/quick-way-to-install-and-configure-snmp-on-ubuntu-20-04/
<syntaxhighlight lang="bash">
apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
# Create a read-only SNMPv3 user with SHA authentication (-a/-A) and AES privacy (-x/-X).
# snmpd must be stopped: the tool appends the createUser/rouser lines to the snmpd configuration.
net-snmp-create-v3-user -ro -a SHA -A <CRYPTO-PASSWORD> -x AES -X <PASSWORD> <USERNAME>
</syntaxhighlight>
<syntaxhighlight lang="bash">
# /etc/snmp/snmpd.conf
sysLocation    NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact    Me <me@example.org>
agentaddress  192.168.0.10
</syntaxhighlight>
<syntaxhighlight lang="bash">
systemctl start snmpd
systemctl enable snmpd
</syntaxhighlight>
<syntaxhighlight lang="bash">
# Test: walk the local agent as the new user, with authentication and privacy (authPriv)
snmpwalk -v3 -a SHA -A "CRYPTO" -x AES -X "PASSWORD" -l authPriv -u "USER" localhost | head
</syntaxhighlight>
=== CTDB ===
==== Checks ====
<syntaxhighlight lang="bash">
# Verify CTDB cluster status
ctdb status
# Show the allocated IP addresses and to which nodes they're bound
ctdb ip
# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status
# Show the time of the last failover and the duration it took to recover
ctdb uptime
# See various statistics and data
ctdb statistics
# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status
</syntaxhighlight>
==== Commands ====
<syntaxhighlight lang="bash">
# Stop a ctdb cluster member
ctdb stop
# Start a stopped ctdb cluster member
ctdb continue
</syntaxhighlight>
=== Firewalls ===
==== UFW ====
===== Checks =====
<syntaxhighlight lang="bash">
# Show summary of UFW status
ufw status
# Show verbose UFW status
ufw status verbose
# Show UFW rules numbered
ufw status numbered
</syntaxhighlight>
===== Commands =====
<syntaxhighlight lang="bash">
# Allow access from a specific IP to a port and add a comment that shows in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'
# Delete numbered firewall rule 56
ufw delete 56
# Disable UFW logging (prevents syslog spam, but you lose the record of blocked connections)
ufw logging off
# Set UFW logging back to the default
ufw logging low
</syntaxhighlight>
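The output of `ufw status numbered` is also the natural input for a quick exposure review. The script below is an added example, not part of the cheatsheet: it parses a constructed sample of that output (the column layout is assumed to match what ufw prints) and lists every ALLOW IN rule that is reachable from Anywhere on a port outside an expected public set, so that a rule such as SSH allowed from any source stands out for review.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ufw status numbered` output; not captured from a real host.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.253                 # Allow SSH access from XYZ location
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 161/udp                    ALLOW IN    192.168.0.0/24
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""


@dataclass
class Rule:
    number: int
    to: str          # destination column, e.g. "22/tcp" or "22/tcp (v6)"
    action: str      # ALLOW / DENY / REJECT / LIMIT
    direction: str   # IN / OUT / FWD
    source: str      # "From" column, e.g. "Anywhere" or "10.0.0.253"
    comment: str     # text after '#', set with `comment '...'` when the rule was added


# One numbered rule line; columns are separated by runs of two or more spaces.
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+"
    r"(?P<to>.+?)\s{2,}"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT|FWD))?\s{2,}"
    r"(?P<source>.+?)"
    r"(?:\s+#\s*(?P<comment>.*?))?\s*$"
)


def parse_ufw_status(text):
    """Return the numbered rules found in `ufw status numbered` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue  # header, blank or separator line
        rules.append(Rule(
            number=int(m["num"]),
            to=m["to"].strip(),
            action=m["action"],
            direction=m["direction"] or "IN",
            source=m["source"].strip(),
            comment=(m["comment"] or "").strip(),
        ))
    return rules


def port_of(to):
    """Strip the '(v6)' marker so IPv4 and IPv6 rules compare on the same port."""
    return to.replace("(v6)", "").strip()


def audit_open_ports(rules, public_ports=frozenset({"80/tcp", "443/tcp"})):
    """Return ALLOW IN rules open to Anywhere on ports that are not meant to be public."""
    findings = []
    for rule in rules:
        if rule.action != "ALLOW" or rule.direction != "IN":
            continue
        if not rule.source.startswith("Anywhere"):
            continue  # already restricted to a host or subnet
        if port_of(rule.to) in public_ports:
            continue
        findings.append(rule)
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in (`ufw status numbered | python3 ufw_audit.py`); otherwise the sample is used
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for rule in audit_open_ports(parse_ufw_status(text)):
        print(f"review rule [{rule.number}]: {rule.to} ALLOW IN from {rule.source} -> "
              f"consider `ufw delete {rule.number}` and re-adding it with a `from <subnet>` restriction")
```

On the sample, rules 2 and 5 (SSH from Anywhere over IPv4 and IPv6) are reported while rule 1, which carries the `from 10.0.0.253` restriction shown above, passes. Pass a different `public_ports` set to match what the host is actually meant to serve.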
==== Firewalld ====
===== SNMP access =====
* https://unix.stackexchange.com/questions/214388/how-to-let-the-firewall-of-rhel7-the-snmp-connection-passing
<syntaxhighlight lang="xml">
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/services/snmp.xml -->
<service>
  <short>SNMP</short>
  <description>SNMP protocol</description>
  <port protocol="udp" port="161"/>
</service>
</syntaxhighlight>
<syntaxhighlight lang="bash">
# Reload so firewalld picks up the new service definition, then allow it in the public zone
firewall-cmd --reload
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --reload
</syntaxhighlight>
===== Firewall-cmd =====
====== Checks ======
<syntaxhighlight lang="bash">
# List all available commands
firewall-cmd -h
# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state
# Display all available zones
firewall-cmd --get-zones
# List all whitelisted services
firewall-cmd --list-services
# List all added or enabled services and ports in more detail
firewall-cmd --list-all
# List verbose information for all zones
firewall-cmd --list-all-zones
# List verbose information for the public zone
firewall-cmd --list-all --zone=public
# See what port(s) are associated with the dns service
firewall-cmd --info-service dns
</syntaxhighlight>
====== Commands ======
<syntaxhighlight lang="bash">
# Reload the firewall
firewall-cmd --reload
# Whitelist the dns service, persistently even after reboot
sudo firewall-cmd --add-service=dns ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload
# Whitelist the http service, persistently even after reboot
sudo firewall-cmd --add-service=http ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload
# Whitelist the nfs service, persistently even after reboot
sudo firewall-cmd --add-service=nfs ; sudo firewall-cmd --runtime-to-permanent; firewall-cmd --reload
# Remove the http service from the whitelist
firewall-cmd --remove-service=http
# Add port 1234 (tcp) to the whitelist (runtime only; add --permanent or run --runtime-to-permanent to keep it)
firewall-cmd --add-port=1234/tcp
# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp
# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp
# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --remove-port=2345/udp
</syntaxhighlight>
=== rsyslog ===
<section begin="linuxsyslog"/>
==== Legacy ====
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a forwarding template that sends a fixed hostname (myhost.mydomain.nl) instead of the local one
$template SendHostname, "<%pri%>%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
$ActionForwardDefaultTemplate SendHostname
# Forward messages of severity warning and above to the syslog server (@ = UDP, @@ = TCP)
*.warning @10.77.0.1
</syntaxhighlight>
==== Rainerscript ====
Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html
<syntaxhighlight lang="bash">
# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template that sends a fixed hostname; <%pri%> carries facility and severity
# to the receiver (without it the server has to assume user.notice)
template(name="SendHostname" type="string"
string="<%pri%>%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)
# Forward messages of severity warning and above to the target syslog server and port over UDP
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")
</syntaxhighlight>
==== Testing ====
<syntaxhighlight lang="bash">
# Use the logger tool to test syslog server reception; local0.error is above the *.warning threshold, so it is forwarded
logger -p local0.error 'Hello World!'
</syntaxhighlight>
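To see what the forwarded datagrams look like on the receiving side, and why the PRI field in a forwarding template matters, here is an added Python example (not from the cheatsheet). It parses RFC 3164-style lines in the shape a `<%pri%>%timestamp% host tag msg` template produces, decodes PRI into facility and severity, emulates a `*.warning` selector, and can act as a throw-away UDP listener. The sample lines are constructed, and the listener address 127.0.0.1:5514 is an assumed test port.

```python
import re
import socket

# Facility and severity names by number, as in RFC 3164 / RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape produced by the SendHostname template: <PRI>TIMESTAMP HOST TAG: MSG (PRI optional).
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):\s*"
    r"(?P<msg>.*)$"
)

# Constructed sample datagrams, not captured from a real server.
SAMPLE_LINES = [
    "<131>Oct 20 14:39:01 myhost.mydomain.nl logger: Hello World!",                                   # local0.err
    "<38>Oct 20 14:39:05 myhost.mydomain.nl sshd[1234]: Accepted publickey for me from 10.0.0.253",  # auth.info
    "Oct 20 14:39:09 myhost.mydomain.nl cron[77]: sent by a template without <%pri%>",
]


def parse_syslog(line):
    """Parse one RFC 3164-style line into facility, severity and the message fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    if m["pri"] is None:
        pri, pri_present = 13, False        # RFC 3164 4.3.3: no PRI means assume user.notice
    else:
        pri, pri_present = int(m["pri"]), True
        if pri > 191:
            raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri >> 3],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri & 7],
        "pri_present": pri_present,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


def selector_matches(parsed, facility="*", severity="warning"):
    """Emulate an rsyslog selector such as '*.warning': the facility must match ('*' = any)
    and the message must be at least as urgent as the given severity (lower index = more urgent)."""
    if facility != "*" and parsed["facility"] != facility:
        return False
    return SEVERITIES.index(parsed["severity"]) <= SEVERITIES.index(severity)


def listen(bind="127.0.0.1", port=5514, count=1):
    """Hypothetical throw-away UDP receiver: return `count` parsed datagrams as (peer_ip, parsed)."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while len(received) < count:
            data, peer = sock.recvfrom(65535)
            received.append((peer[0], parse_syslog(data.decode("utf-8", "replace").rstrip("\n"))))
    return received


if __name__ == "__main__":
    import sys
    if "--listen" in sys.argv:
        for peer, parsed in listen():
            print(peer, parsed)
    else:
        for line in SAMPLE_LINES:
            parsed = parse_syslog(line)
            print(f"{parsed['facility']}.{parsed['severity']:<8} pri_present={parsed['pri_present']!s:<5} "
                  f"forwarded_by_*.warning={selector_matches(parsed)}  {parsed['msg']}")
```

Run it without arguments to see the three samples classified: only the local0.err line passes a `*.warning` selector, the auth.info line is below the threshold, and the line without PRI is treated as user.notice, so a template that omits `<%pri%>` silently demotes everything it forwards. To watch a real datagram, start `python3 syslog_check.py --listen` and send one from another shell with `logger --rfc3164 -n 127.0.0.1 -P 5514 -d -p local0.error 'Hello World!'`.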
<section end="linuxsyslog"/>


<section end="linuxservices"/>

Revision as of 14:39, 20 October 2023


== named ==
=== Checks ===
<syntaxhighlight lang="bash">
# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z
# Check the zone file 192.168.77.0 for the 77.168.192.in-addr.arpa zone
# (the file path is relative to the current directory, so run this from /var/named or give the full path)
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0
# Check the zone file brammerloo.nl for the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl
</syntaxhighlight>

=== Configuration ===
Basic configuration for the options block in /etc/named.conf:
<syntaxhighlight lang="bash">
options {
# Define on which IPs to listen, on port 53
        listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow queries from anywhere use: allow-query { any; };
        allow-query     { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve a name locally, forward the query to these DNS servers
        forwarders {
        8.8.8.8;
        1.1.1.1;
        };

# Recursion is enabled; without an explicit allow-recursion, the allow-query list above bounds who may recurse
        recursion yes;
# DNSSEC validation is switched off here; "auto" or "yes" makes named validate signed answers from the forwarders
        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
</syntaxhighlight>


Zone definitions: named.rfc1912.zones
<syntaxhighlight lang="bash">
# Define the zones this server is authoritative for (type master; newer BIND versions also accept type primary)
zone "brammerloo.nl" IN {
        type master;
        file "brammerloo.nl";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.0";
        allow-update { none; };
};
</syntaxhighlight>


Zone file for reverse lookup: /var/named/192.168.1.0
<syntaxhighlight lang="bash">
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101102 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
; PTR Records: the target must be a fully qualified name with a trailing dot,
; otherwise the origin (1.168.192.in-addr.arpa) is appended to it
11    IN   PTR   node1.brammerloo.nl.
21    IN   PTR   server1.brammerloo.nl.
</syntaxhighlight>


Zone file for domain: /var/named/brammerloo.nl
<syntaxhighlight lang="bash">
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101306 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
@                  IN      A     192.168.1.6   ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN      A     192.168.78.31 ; FQDN for my domain
node1              IN      A     192.168.78.31 ; Basic A-record
www                IN      CNAME node1         ; Point my website to my node1 A-record
</syntaxhighlight>
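An added example, not part of the cheatsheet: a small Python checker that parses the two zone files above (embedded below as constructed input, with the PTR targets written as fully qualified names) and reports where forward and reverse data disagree: A records inside 192.168.1.0/24 without a PTR, A records outside the network the reverse zone covers, PTRs naming a host that has no A record, and PTRs whose address differs from that host's A record. The parser handles only `$TTL`, `@`, owner inheritance, optional TTL/class, parenthesised SOA records and `;` comments, which is all these files use.

```python
import ipaddress

# Constructed input derived from the two zone files above (PTR targets written fully qualified).
FORWARD_ZONE = """\
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101306 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
@                  IN      A     192.168.1.6   ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN      A     192.168.78.31 ; FQDN for my domain
node1              IN      A     192.168.78.31 ; Basic A-record
www                IN      CNAME node1         ; Point my website to my node1 A-record
"""
REVERSE_ZONE = """\
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101102 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
; PTR Records
11    IN   PTR   node1.brammerloo.nl.
21    IN   PTR   server1.brammerloo.nl.
"""


def parse_zone(text, origin):
    """Minimal zone parser: $TTL, '@', blank owner = previous owner, optional TTL/class,
    ';' comments and parenthesised multi-line records. Returns (owner, type, rdata) tuples."""
    origin = origin.rstrip(".") + "."
    records, last_owner, buf, depth, inherit = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not buf:                               # first line of a record
            inherit = raw[0].isspace()            # leading blank: owner carries over
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                              # still inside ( ... )
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if fields[0].startswith("$"):
            continue                              # $TTL produces no record
        owner = last_owner if inherit else fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                         # optional TTL and class
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        last_owner = owner
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def ptr_owner_to_ip(owner):
    """'11.1.168.192.in-addr.arpa.' -> '192.168.1.11'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:4]))


def check_forward_reverse(forward_text, zone_name, reverse_text, reverse_zone, network):
    """Compare A records with PTR records; return a list of (kind, name, ip) findings."""
    net = ipaddress.ip_network(network)
    a_by_name = {}
    for owner, rtype, rdata in parse_zone(forward_text, zone_name):
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata[0])
    ptr_by_ip = {ptr_owner_to_ip(owner): rdata[0]
                 for owner, rtype, rdata in parse_zone(reverse_text, reverse_zone) if rtype == "PTR"}
    findings = []
    for name, ips in sorted(a_by_name.items()):
        for ip in sorted(ips):
            if ipaddress.ip_address(ip) not in net:
                findings.append(("outside-reverse-zone", name, ip))   # this reverse zone cannot hold its PTR
            elif ip not in ptr_by_ip:
                findings.append(("missing-ptr", name, ip))
            elif ptr_by_ip[ip] != name:
                findings.append(("ptr-mismatch", name, ip))
    for ip, target in sorted(ptr_by_ip.items()):
        if target not in a_by_name:
            findings.append(("ptr-without-a", target, ip))
        elif ip not in a_by_name[target]:
            findings.append(("ptr-points-elsewhere", target, ip))
    return findings


if __name__ == "__main__":
    for kind, name, ip in check_forward_reverse(FORWARD_ZONE, "brammerloo.nl",
                                                REVERSE_ZONE, "1.168.192.in-addr.arpa", "192.168.1.0/24"):
        print(f"{kind:<22} {name:<24} {ip}")
```

Run against the zone data above it reports five findings: brammerloo.nl (192.168.1.6) has no PTR, ns1 and node1 live in 192.168.78.0/24 which this reverse zone does not cover, the PTR for 192.168.1.11 names node1 whose A record points elsewhere, and the PTR for 192.168.1.21 names server1, which has no A record at all. `named-checkzone` accepts both files as syntactically valid, so this kind of cross-check is what catches stale reverse data.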

== dhcpd ==
=== dhclient ===
<syntaxhighlight lang="bash">
# Request an IPv4 address from a DHCP server
dhclient -4
# Show verbose information when requesting an IPv4 address from a DHCP server
dhclient -4 -v
</syntaxhighlight>

=== Configuration ===
Basic configuration options in the /etc/dhcp/dhcpd.conf file:
<syntaxhighlight lang="bash">
# Set the domain clients should use when resolving hostnames (equivalent to the search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice: declare every connected subnet, but leave the block empty for subnets that should
# get no DHCP (dhcpd otherwise ignores requests on an interface whose subnet is not declared)
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP configuration for a subnet
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.150;
  option routers 192.168.0.1;
}
</syntaxhighlight>

== Docker ==
=== Checks ===
<syntaxhighlight lang="bash">
# List running Docker containers
docker ps
# List all Docker container IDs
docker ps -aq
# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj
# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k
# Show verbose container information such as commands run, network, ID, etc.
docker inspect oiu2398sda87
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash
# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash
# Restart docker container yoga
docker restart yoga
# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098
# Start this container
docker start as9823nzxc0
# Stop this container
docker stop as9823nzxc0
# Restart all unhealthy Docker containers (the health filter avoids grepping the ps output)
for i in $(docker ps -q --filter health=unhealthy); do docker restart "$i"; done
</syntaxhighlight>

== PowerDNS ==
=== Checks ===
<syntaxhighlight lang="bash">
# List pdns_server options
pdns_server --help
# Check the server configuration and parse it for errors
pdns_server --config=check
# List available pdnsutil commands
pdnsutil --help
# Check config and parse for errors
pdnsutil --config=check
# List all available zones
pdnsutil list-all-zones
# List only the zones of kind primary
pdnsutil list-all-zones primary
# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa
# Check zone for errors
pdnsutil check-zone mydomain.com
# List all created TSIG keys
pdnsutil list-tsig-keys
</syntaxhighlight>

=== Commands ===
<syntaxhighlight lang="bash">
# Activate the TSIG key named "transfer" for the primary zone myexample.com
# (syntax: pdnsutil activate-tsig-key ZONE KEYNAME primary|secondary)
pdnsutil activate-tsig-key myexample.com transfer primary
</syntaxhighlight>

== MAAS ==
=== Checks ===
Logs are in one of these places, depending on whether MAAS was installed from a deb package or as a snap:
<syntaxhighlight lang="bash">
/var/log/maas/
/var/snap/maas/common/log
</syntaxhighlight>
<syntaxhighlight lang="bash">
# List status of MAAS services
maas status
# List MAAS commands
maas --help
# List available arguments for the init command
maas init --help
</syntaxhighlight>