Linux:Services: Difference between revisions

Revision as of 09:16, 8 December 2023


Services


Common

systemctl

# List all services that are running or exited
systemctl

# List all services, running or otherwise
systemctl --all

# View the status of the "nfs-server" service
systemctl status nfs-server

# Restart the "sshd" service, terminating established connections and re-parsing the configuration
systemctl restart sshd

# Reload the "nginx" service so that it only re-parses the configuration
systemctl reload nginx

# Stop the "nfs-ganesha" service so that it stops being run
systemctl stop nfs-ganesha

# Start the "nfs-ganesha" service so that it starts being run again
systemctl start nfs-ganesha

# Disable the "mariadb" service so that it doesn't start after the next boot
systemctl disable mariadb

# Enable the "mariadb" service so that it starts after the next boot.
systemctl enable mariadb

NTP

Timedatectl

# Show the current status of timedatectl
timedatectl

# List available timezones
timedatectl list-timezones

# Set the timezone to Amsterdam
timedatectl set-timezone Europe/Amsterdam

# Show verbose sync information
timedatectl timesync-status

SNMP

V3 client installation

apt install snmpd snmp libsnmp-dev
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
systemctl stop snmpd
# Create a read-only SNMPv3 user: -a/-A set the authentication protocol and password, -x/-X the privacy (encryption) protocol and password
net-snmp-create-v3-user -ro -A <CRYPTO-PASSWORD> -a SHA -X <PASSWORD> -x AES <USERNAME>
# /etc/snmp/snmpd.conf
sysLocation    NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
sysContact     Me <me@example.org>
agentaddress   192.168.0.10
systemctl start snmpd
systemctl enable snmpd
# Test
snmpwalk -v3 -a SHA -A "CRYPTO" -x AES -X "PASSWORD" -l authPriv -u "USER" localhost | head

CTDB

Checks

# Verify CTDB cluster status
ctdb status

# Show the allocated IP addresses and to which nodes they're bound
ctdb ip

# See the status of all CTDB-scripts
ctdb scriptstatus
ctdb event status

# Show the time of the last failover and the duration it took to recover
ctdb uptime

# See various statistics and data
ctdb statistics

# Use the onnode command to execute a command on all cluster nodes
onnode all ctdb status

Commands

# Stop a ctdb cluster member
ctdb stop

# Start a stopped ctdb cluster member
ctdb continue

Firewalls

UFW

Checks
# Show summary of UFW status
ufw status

# Show verbose UFW status
ufw status verbose

# Show UFW rules numbered
ufw status numbered
Commands
# Allow access from a specific IP to a port and add a comment that shows in the status
ufw allow from 10.0.0.253 to any port 22 proto tcp comment 'Allow SSH access from XYZ location'

# Delete numbered Firewall rule 56
ufw delete 56

# Disable UFW logging (prevent syslog spam)
ufw logging off

# Set UFW logging back to the default
ufw logging low

Firewalld

SNMP access
# /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SNMP</short>
  <description>SNMP protocol</description>
  <port protocol="udp" port="161"/>
</service>
firewall-cmd --reload
firewall-cmd --zone=public --add-service snmp --permanent
firewall-cmd --reload
Firewall-cmd
Checks
# List all available commands
firewall-cmd -h

# Display the current state of firewall-cmd (running/shutdown)
firewall-cmd --state

# Display all available zones
firewall-cmd --get-zones

# List all whitelisted services
firewall-cmd --list-services

# List all added or enabled services and ports in more detail
firewall-cmd --list-all

# List verbose information for all zones
firewall-cmd --list-all-zones

# List verbose information for the public zone
firewall-cmd --list-all --zone=public

# See what port(s) are associated with the dns service
firewall-cmd --info-service dns
Commands
# Reload the firewall
firewall-cmd --reload

# Whitelist the dns service, persistently even after reboot
firewall-cmd --add-service=dns ; firewall-cmd --runtime-to-permanent ; firewall-cmd --reload

# Whitelist the http service, persistently even after reboot
firewall-cmd --add-service=http ; firewall-cmd --runtime-to-permanent ; firewall-cmd --reload

# Remove the http service from the whitelist
firewall-cmd --remove-service=http

# Add port 1234 (tcp) to the whitelist
firewall-cmd --add-port=1234/tcp

# Remove port 1234 (tcp) from the whitelist
firewall-cmd --remove-port=1234/tcp

# Add port 2345 (udp) to the whitelist in zone external
firewall-cmd --zone=external --add-port=2345/udp

# Remove port 2345 (udp) from the whitelist for zone external
firewall-cmd --zone=external --remove-port=2345/udp

CSF

General

ConfigServer Security and Firewall

  • Common configuration: /etc/csf/csf.conf
  • Blacklist: /etc/csf/csf.deny
  • Whitelist: /etc/csf/csf.allow
Installation

From the official instructions: https://download.configserver.com/csf/install.txt

Prerequisites
Perl Modules
============
While most should be installed on a standard perl installation the following
may need to be installed manually:

# On rpm based systems:
yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch perl-GDGraph

# On APT based systems:
apt-get install libwww-perl liblwp-protocol-https-perl libgd-graph-perl
Install
cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

# Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

Don't worry if you cannot run all the features, so long as the script doesn't report any FATAL errors
Checks
# Check the running status of csf
csf status
Commands
# Commit config changes by restarting csf
csf -r
csf.conf

Some common changes within the configuration file

# Set testing to 0 when your CSF configuration is 'production' ready
TESTING = "0"

# Allow access to any service you're hosting locally, for example https
# (keep your SSH port in TCP_IN as well, or you lock yourself out once TESTING is set to "0")
TCP_IN = "443"
UDP_IN = ""

# Allow all outwards HTTP/HTTPS traffic so you can yum/apt update
TCP_OUT = "80,443" 

# Allow outgoing traceroute
UDP_OUT = "33434:33523"

# Allow your server to be pinged
ICMP_IN = "0"
Formatting

The varying styles of entries used in csf.allow

# Allow anything relating to the following IPs/ranges
192.168.10.0/24 # Our application breaks without this range
192.168.1.1 # Our gateway or something

# Detailed entries based on Transport protocol, direction, Application protocol (port) and IP, fields separated by "|"
tcp|in|d=22|s=7.7.7.7 # SSH access from our VPN
udp|in|d=161|s=10.11.12.100 # SNMP Access
tcp|in|d=22|s=fe80::1/16 # IPV6 SSH access from our jumpgateway
udp|in|d=3389|s=10.1.0.0/24 # RDP Access from our entire office range

# Allow sending Syslog messages to our Syslog server (d= is used for both the destination port and the destination IP)
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|d=10514|d=192.168.20.5 # TCP syslog server

# Allow sending queries to some DNS servers (outgoing queries go to destination port 53)
tcp|out|d=53|d=8.8.8.8
udp|out|d=53|d=1.1.1.1
udp|out|d=53|d=2606:4700:4700::1111 # Cloudflare IPv6 DNS Server

# Include an external configuration file
Include /etc/csf/csf.custom-config
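The advanced-filter lines are easy to get wrong by hand: a stray character in an IPv6 prefix, or s= where d= was meant, and CSF will either reject the line or allow something other than what you intended. The Python checker below is an added example, not part of CSF or of this cheatsheet; it assumes the layout documented in the csf.allow header (proto|in/out|s/d=port|s/d=ip) and additionally treats lo:hi port ranges as valid, which is an assumption about csf.allow rather than something it documents. Run it over a copy of the file before committing with csf -r.

```python
import ipaddress
import re

# Checker for entries in /etc/csf/csf.allow. Added example, not part of CSF;
# it assumes the format documented in the file header: proto|in/out|s/d=port|s/d=ip,
# and treats port ranges (lo:hi) as valid although csf.allow itself may not accept them.

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"in", "out"}

def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def parse_port(spec):
    """Return (lo, hi) for '22' or '33434:33523', or None if spec is not a port."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?", spec)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return (lo, hi) if 0 < lo <= hi <= 65535 else None

def parse_addr(spec):
    """Return an ip_network for a host or CIDR (v4 or v6), or None if malformed."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None

def check_entry(line):
    """Return a list of problems found in one csf.allow line; [] means it looks fine."""
    body = strip_comment(line)
    if not body or body.startswith("Include "):
        return []
    if "|" not in body:                       # plain IP or CIDR entry
        return [] if parse_addr(body) else [f"malformed address {body!r}"]
    fields = body.split("|")
    if len(fields) < 3:
        return [f"too few fields in {body!r}"]
    proto, direction, *filters = fields
    problems = []
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        problems.append(f"unknown direction {direction!r}")
    ports, addrs = {}, {}
    for f in filters:
        key, _, value = f.partition("=")
        if key not in ("s", "d") or not value:
            problems.append(f"expected s=... or d=..., got {f!r}")
            continue
        # CSF tells a port from an address by the value itself, so s=/d= may legitimately appear twice
        if parse_port(value):
            if key in ports:
                problems.append(f"{key}= port given twice")
            ports[key] = value
        elif parse_addr(value):
            if key in addrs:
                problems.append(f"{key}= address given twice")
            addrs[key] = value
        else:
            problems.append(f"{value!r} is neither a port nor an address")
    # Traffic we initiate (out) is identified by its destination port;
    # pinning the source port to a service port is almost always a typo.
    if direction == "out" and "s" in ports and "d" not in ports:
        problems.append("outbound rule fixes the source port; did you mean d=<port>?")
    return problems

def check_file(text):
    """Map line number -> problems for every offending line of a csf.allow body."""
    return {n: p for n, line in enumerate(text.splitlines(), 1) if (p := check_entry(line))}

# Constructed sample in the style of the entries above, with two deliberate mistakes.
SAMPLE_ALLOW = """\
192.168.10.0/24 # Our application breaks without this range
tcp|in|d=22|s=7.7.7.7 # SSH access from our VPN
tcp|in|d=22|s=fe80::1:/16 # stray colon before the prefix length
udp|out|d=514|d=192.168.20.5 # UDP syslog server
tcp|out|s=53|d=8.8.8.8 # source port where the destination port was meant
Include /etc/csf/csf.custom-config
"""

if __name__ == "__main__":
    for lineno, problems in check_file(SAMPLE_ALLOW).items():
        print(f"line {lineno}: {'; '.join(problems)}")
```

Pass the contents of your own csf.allow to check_file() instead of SAMPLE_ALLOW; a line number that comes back is one to look at before the next csf -r.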

rsyslog


Legacy

#/etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define the hostname to send to the syslog server
$template SendHostname, "<%pri%> %timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
$ActionForwardDefaultTemplate SendHostname

*.warning @10.77.0.1

Rainerscript

Rainerscript: https://rsyslog.readthedocs.io/en/latest/rainerscript/control_structures.html

# /etc/rsyslog.d/70-local-to-rsyslog-server.conf
# Define a template and specify a hostname to send as (the <%pri%> prefix carries facility and severity, as in the legacy template above)
template(name="SendHostname" type="string"
string="<%pri%>%timestamp% myhost.mydomain.nl %syslogtag% %msg%\n"
)

# Send logs to target syslog server and port
*.warning action(type="omfwd" Target="10.0.33.10" Template="SendHostname" Port="514" Protocol="udp")

Testing

# Use the logger tool to test syslog server reception
logger -p local0.error 'Hello World!'
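It is not obvious at first sight why a message logged at local0.error passes a *.warning selector, or what the forwarded line carries in its <PRI> prefix. The Python below is an added example, not from this page or from the rsyslog project: it computes the PRI for the logger test above, evaluates classic facility.level selectors, and parses a line rendered with the SendHostname template back into its parts. The sample line is constructed to match what that template would emit.

```python
import re

# Added example (not from the page or from rsyslog): the arithmetic behind the
# "*.warning" selector and the <PRI> that the SendHostname template sends.
# SAMPLE is constructed from the page's test (logger -p local0.error 'Hello World!').

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
SEVERITY_ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}

def severity_code(name):
    """Numeric severity, accepting the aliases logger(1) also accepts."""
    return SEVERITIES[SEVERITY_ALIASES.get(name, name)]

def pri(facility, severity):
    """PRI as RFC 3164 / RFC 5424 define it: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + severity_code(severity)

def matches_selector(selector, facility, severity):
    """Would a classic 'facility.level' selector such as '*.warning' forward this
    message? A level selects itself and everything more urgent (lower code)."""
    fac_part, level = selector.split(".", 1)
    if fac_part not in ("*", facility):
        return False
    return level == "*" or severity_code(severity) <= severity_code(level)

# <PRI> timestamp hostname syslogtag msg   (an optional space after <PRI> is tolerated)
FORWARD_RE = re.compile(r"^<(\d{1,3})>\s?(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")

def parse_forwarded(line):
    """Split a line produced by the SendHostname template back into its parts,
    decoding the PRI into facility and severity names. Returns None if it does not match."""
    m = FORWARD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    p = int(m.group(1))
    fac_code, sev_code = divmod(p, 8)
    fac_names = {c: n for n, c in FACILITIES.items()}
    sev_names = {c: n for n, c in SEVERITIES.items()}
    return {"pri": p,
            "facility": fac_names.get(fac_code, str(fac_code)),  # 12-15 have no common name
            "severity": sev_names[sev_code],
            "timestamp": m.group(2), "hostname": m.group(3),
            "tag": m.group(4), "msg": m.group(5)}

# Constructed: what the logger test above looks like after the SendHostname template.
SAMPLE = "<131> Dec  8 09:16:00 myhost.mydomain.nl root: Hello World!\n"
```

Feeding SAMPLE to parse_forwarded() gives facility local0 and severity err, and matches_selector("*.warning", "local0", "error") is true, which is why the test message shows up on the remote syslog server even though the selector names a less severe level.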


named

Checks

# Perform a test load of all primary zones within named.conf, as the named user
sudo -u named named-checkconf -z

# Check zone file 192.168.77.0 defined in the 77.168.192.in-addr.arpa zone
named-checkzone 77.168.192.in-addr.arpa 192.168.77.0

# Check zone file brammerloo.nl defined in the brammerloo.nl zone
named-checkzone brammerloo.nl brammerloo.nl

Configuration

Basic configuration for the options field in /etc/named.conf

options {
# Define on what IP to listen on, for port 53
        listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.1.1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";

# Only allow DNS queries from specific local subnets
# To allow from anything use: allow-query { any; };
        allow-query     { localhost; 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; };

# If the server can't resolve an address locally, use the following DNS servers for help
        forwarders {
        8.8.8.8;
        1.1.1.1;
        };

        recursion yes;
# Disables validation of DNSSEC-signed answers; the default "auto" validates against the built-in root trust anchor
        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};


Zone definitions: /etc/named.rfc1912.zones

# Define zones to listen for
zone "brammerloo.nl" IN {
        type master;
        file "brammerloo.nl";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.0";
        allow-update { none; };
};


Zone file for Reverse lookup: /var/named/192.168.1.0

$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101102 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
; PTR Records (targets are FQDNs with a trailing dot; a bare "node1." would name a top-level domain)
11    IN   PTR   node1.brammerloo.nl.
21    IN   PTR   server1.brammerloo.nl.


Zone file for domain: /var/named/brammerloo.nl

$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101306 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
@                  IN      A     192.168.1.6   ; domain brammerloo.nl is me!
ns1.brammerloo.nl. IN      A     192.168.78.31 ; FQDN for my domain
node1              IN      A     192.168.78.31 ; Basic A-record
www                IN      CNAME node1         ; Point my website to my node1 A-record
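named-checkzone validates one file at a time, so it cannot tell you that a PTR in the reverse zone points at a name whose A record holds a different address. The Python below is an added example, not part of BIND or of this cheatsheet: it parses a forward and a reverse zone in the style shown above, checks that SOA serials follow the YYYYMMDDnn convention the zone files use, and cross-checks every PTR against the forward zone's A records. Both zone texts are constructed samples (not the page's own files) and contain one deliberate mismatch for server1.

```python
import re
from datetime import datetime

# Added example, not part of BIND: cross-check a forward zone against its reverse
# zone. Every PTR must name a host whose A record carries the address the PTR
# encodes, and SOA serials must be YYYYMMDDnn. Both zone texts are constructed
# samples in this page's style, with one deliberate mismatch (server1: .22 vs .21).

FORWARD_ORIGIN = "brammerloo.nl."
FORWARD_ZONE = """\
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101306 ; serial
                                        180     ; refresh
                                        60      ; retry
                                        108000  ; expire
                                        60 )    ; minimum
    IN      NS      ns1.brammerloo.nl.
@                  IN      A     192.168.1.6
ns1.brammerloo.nl. IN      A     192.168.1.31
node1              IN      A     192.168.1.11
server1            IN      A     192.168.1.22  ; the reverse zone says .21
www                IN      CNAME node1
"""

REVERSE_ORIGIN = "1.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 300
@       IN SOA  ns1.brammerloo.nl. admin.brammerloo.nl. (
                                        2023101102 ; serial
                                        180 ; refresh
                                        60 ; retry
                                        108000 ; expire
                                        60 ) ; minimum
    IN      NS      ns1.brammerloo.nl.
11    IN   PTR   node1.brammerloo.nl.
21    IN   PTR   server1.brammerloo.nl.
"""

def fqdn(name, origin):
    """Expand a zone-file owner or target name relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def records(zone_text, origin):
    """Yield (owner, type, rdata_tokens). Comments are stripped, a parenthesised
    SOA is joined onto one line, and lines without a class field are skipped."""
    text = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    owner = origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():            # a non-blank first column names a new owner
            owner = tokens.pop(0)
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        yield fqdn(owner, origin), tokens[i + 1], tokens[i + 2:]

def check_serial(serial):
    """Return a problem string if serial is not a valid YYYYMMDDnn value, else None."""
    if not re.fullmatch(r"\d{10}", serial):
        return f"serial {serial} is not ten digits (YYYYMMDDnn)"
    try:
        datetime.strptime(serial[:8], "%Y%m%d")
    except ValueError:
        return f"serial {serial} does not begin with a valid date"
    return None

def ptr_to_ip(owner):
    """'11.1.168.192.in-addr.arpa.' -> '192.168.1.11' (IPv4 reverse zones only)."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"{owner} is not an IPv4 reverse name")
    return ".".join(reversed(labels[:-2]))

def cross_check(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems; an empty list means the two zones agree."""
    problems, a_records = [], {}
    for owner, rtype, rdata in records(fwd_text, fwd_origin):
        if rtype == "SOA" and (p := check_serial(rdata[2])):
            problems.append(f"{fwd_origin}: {p}")
        elif rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    for owner, rtype, rdata in records(rev_text, rev_origin):
        if rtype == "SOA" and (p := check_serial(rdata[2])):
            problems.append(f"{rev_origin}: {p}")
        elif rtype == "PTR":
            ip = ptr_to_ip(owner)
            target = fqdn(rdata[0], rev_origin)   # a relative target is relative to the REVERSE zone
            ips = a_records.get(target)
            if ips is None:
                problems.append(f"PTR for {ip} names {target}, which has no A record in {fwd_origin}")
            elif ip not in ips:
                problems.append(f"PTR for {ip} names {target}, but its A record(s) say {sorted(ips)}")
    return problems
```

Running cross_check(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN) reports the single server1 mismatch; a PTR written as a bare "node1." would be reported as having no A record, which is exactly the mistake the trailing-dot rule in zone files guards against.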

dhcpd

dhclient

# Request an IPv4 address from a DHCP server
dhclient -4

# Show verbose information when requesting an IPv4 address from a DHCP server
dhclient -4 -v

Configuration

Basic configuration options in the /etc/dhcp/dhcpd.conf file

# Set the domain clients should use when resolving hostnames (equivalent to search domain)
option domain-name "brammerloo.nl";

# Set the domain name servers for DHCP clients
option domain-name-servers ns1.brammerloo.nl, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# Best practice = define any connected subnets, but don't configure DHCP for them
subnet 192.168.1.0 netmask 255.255.255.0 {
}

# Basic DHCP for a subnet configuration
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.150;
  option routers 192.168.0.1;
}


smbd / Samba / CIFS

https://linuxconfig.org/install-samba-on-redhat-8

Basic configuration

# Install and enable
dnf install samba samba-client
systemctl enable --now {smb,nmb}


# Create a client-user to authenticate with
sudo useradd samba-user

# Give the user a password to authenticate with
sudo smbpasswd -a samba-user

# Create a group to associate with the samba share
sudo groupadd sambagroup

# Add the user to the group we will be configuring for the share
sudo usermod -a -G sambagroup samba-user

# Create the folder we will be sharing (-p also creates /var/shares if it does not exist yet)
sudo mkdir -p /var/shares/myshare

# Apply proper permission
sudo chown -R samba-user:sambagroup /var/shares/myshare/
sudo chmod -R 0770 /var/shares/myshare/

# Apply proper permission for SELinux (a chcon label is lost on relabel; use semanage fcontext plus restorecon to make it persistent)
sudo chcon -t samba_share_t /var/shares/myshare/

# Backup the default config
cp /etc/samba/smb.conf /etc/samba/smb.conf~
# /etc/samba/smb.conf
[global]
 workgroup = <DOMAIN-OR-WORKGROUP>
 server string = Samba Server %v
 netbios name = <SERVER-HOSTNAME>
 security = user
 map to guest = bad user
 dns proxy = no

#==================== Share Definitions ======================
[share001]
 path = /var/shares/myshare
 valid users = @sambagroup
 guest ok = no
 writable = yes
 browsable = yes
# Reload Samba services
systemctl reload {smb,nmb}

# Mount in Windows
\\<SERVER-IP>\share001
user: samba-user
pass: <whatever password you set with smbpasswd -a>

Checks

# Samba checks
smbstatus
smbstatus -S
smbstatus -b

# Samba set debug mode
smbcontrol smbd debug 1

Docker

Checks

# List Docker containers 
docker ps

# List all Docker container IDs
docker ps -aq

# List logs for container 987sdh3qrasdhj
docker logs 987sdh3qrasdhj

# List RAM/CPU usage for Docker container asdlkasd67k
docker stats asdlkasd67k

# Show verbose container information such as commands run, network, ID, etc
docker inspect oiu2398sda87

Commands

# Enter the shell inside a docker container
docker exec -ti a89sd98sa7d /bin/bash

# Execute a command inside a container as a specific user, root in this case
docker exec -it -u root asd87289hasdadz tail /var/log/nginx/access.log
docker exec -u 0 -it as892asnj2as /bin/bash

# Restart docker container yoga
docker restart yoga

# Restart the 3 given containers
docker restart 79f71c7f4d91 bbb3d3f5c3b1 b0a3204d4098

# Start this container
docker start as9823nzxc0

# Stop this container
docker stop as9823nzxc0

# Restart all unhealthy Docker containers
for i in $(docker ps | grep unhealthy | awk '{print $1}'); do docker restart "$i"; done;

PowerDNS

Checks

# List commands
pdns_server --help

# Check config and parse for errors
pdns_server --config=check
# List available commands 
pdnsutil --help

# Check config and parse for errors
pdnsutil --config=check

# List all available zones
pdnsutil list-all-zones

# List all zones of kind primary
pdnsutil list-all-zones primary

# See zone information for a specific domain
pdnsutil show-zone mydomain.com
pdnsutil show-zone 77.5.10.in-addr.arpa

# Check zone for errors
pdnsutil check-zone mydomain.com

# List all created TSIG keys
pdnsutil list-tsig-keys

Commands

# Activate the TSIG key named "transfer" for zone "myexample.com", on the primary side of the transfer
pdnsutil activate-tsig-key myexample.com transfer primary

MAAS

Checks

Logs are in one of these two locations:
/var/log/maas/
/var/snap/maas/common/log
# List status of MAAS services
maas status

# List MAAS commands
maas --help

# List available arguments for the init command
maas init --help