Tag Archives: command line

Atop – notes

atop -a | Display only active processes
atop -g | Display general process info
atop -m | Display memory usage info
atop -n | Display network usage info (the per-process network counters need the netatop kernel module)
atop -d | Display disk usage info

Alternatively you can just run atop and press the same letters inside it to switch between the views.

atop -r | read raw data.

With no file name this reads today's raw log, i.e. you start looking at the processes from the start of the day (00:00). -b sets the begin time and -e the end time of the window to replay.

atop -r -b 09:00    | read raw data from 09:00 today
atop -r y           | read raw data from yesterday
atop -r yy          | read raw data from the day before yesterday
atop -r y -b 09:00  | read raw data from 09:00 yesterday
atop -r yy -b 09:00 | read raw data from 09:00 the day before yesterday
atop -r <log>       | read data from a log stored in /var/log/atop (one atop_YYYYMMDD file per day, written by the atop daemon)
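As an added example (not part of the original notes): a small POSIX shell helper that resolves the y/yy shorthand, or an explicit YYYYMMDD date, to the raw log file the atop daemon writes, checks that the file is actually there, and replays a time window from it. The directory and the atop_YYYYMMDD file name are atop's defaults; the function and variable names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): resolve the shorthand that
# "atop -r" accepts (y = yesterday, yy = two days ago, ... or an explicit
# YYYYMMDD date) to the raw log file the atop daemon writes, check that it is
# there, and replay a time window from it. Directory and file name pattern
# are atop's defaults; the function and variable names are assumptions.
# Needs GNU date (-d).

ATOP_LOG_DIR=${ATOP_LOG_DIR:-/var/log/atop}

# atop_raw_file SPEC -> prints the raw log path for SPEC
# SPEC: "" (today), y / yy / yyy ... (one day back per y) or YYYYMMDD
atop_raw_file() {
    spec=$1
    case $spec in
        '')
            day=$(date +%Y%m%d) ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            day=$spec ;;
        *[!y]*)
            echo "atop_raw_file: unknown spec '$spec'" >&2; return 1 ;;
        *)
            back=${#spec}                       # number of y's = days back
            day=$(date -d "$back days ago" +%Y%m%d) ;;
    esac
    printf '%s/atop_%s\n' "$ATOP_LOG_DIR" "$day"
}

# atop_window SPEC BEGIN END [atop options] -> replay BEGIN..END (hh:mm)
# from the resolved file, e.g.  atop_window yy 09:00 10:00 -m
atop_window() {
    spec=$1; begin=$2; end=$3; shift 3
    file=$(atop_raw_file "$spec") || return 1
    if [ ! -r "$file" ]; then
        echo "no raw log for '$spec': $file (is the atop daemon running and logging?)" >&2
        return 1
    fi
    atop -r "$file" -b "$begin" -e "$end" "$@"
}

# Usage: atop_window yy 09:00 10:00 -d   (disk view, 09:00-10:00 two days ago)
```

The missing-file check is the part worth having: when the daemon was not running (or logrotate removed the file) a bare atop -r yy silently falls back to an error about the file, and the helper says which path it looked for.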


ftp/sftp – vsftpd

# VSFTPD chroot configuration

>> Create a no-shell user
useradd -d $HOME_PATH -s /sbin/nologin $FTPUSER && passwd $FTPUSER

!!!MAKE SURE TO CHMOD 755 the parent directory!!! (vsftpd has to traverse every directory above the user's home; the home itself must not be writable by the user once it becomes the chroot root, see the note on allow_writeable_chroot at the end of this section)

yum -y install vsftpd

chkconfig vsftpd on

sed -i -e 's/IPTABLES_MODULES=""/IPTABLES_MODULES="ip_conntrack_ftp"/g' /etc/sysconfig/iptables-config

modprobe ip_conntrack_ftp

(ip_conntrack_ftp is the name of the FTP connection-tracking helper on old kernels; on current ones it is nf_conntrack_ftp, so use that name in both commands if modprobe cannot find ip_conntrack_ftp.)

echo "rack" >> /etc/vsftpd/vsftpd.chroot_list   # accounts listed here are NOT chrooted (here the admin user "rack")

mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.ORIG

cat >/etc/vsftpd/vsftpd.conf <<EOF
# vsftpd.conf - PASSIVE
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=21
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_min_port=60000
pasv_max_port=65000

# Add in /etc/vsftpd/vsftpd.chroot_list who you do *NOT* want to be chrooted
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

# RackConnect
# pasv_enable=YES
# pasv_min_port=60000
# pasv_max_port=60100
# pasv_address=<publicRCip> (might not be required)

# Logging
xferlog_enable=YES
log_ftp_protocol=NO
syslog_enable=NO
vsftpd_log_file=/var/log/vsftpd.log
EOF

>> Comment out "auth required pam_shells.so" in /etc/pam.d/vsftpd: pam_shells rejects every account whose shell is not listed in /etc/shells, which is exactly the /sbin/nologin (or /bin/false) shell the FTP users were created with. Editing only the vsftpd PAM stack keeps that check in place for every other service:
sed -i 's/^\(auth.*required.*pam_shells\.so.*$\)/#\1/' /etc/pam.d/vsftpd

>> Enable firewall ports (in Rackconnect, open the same on the physical firewall):

iptables -I INPUT -p tcp --dport 21 -m comment --comment "FTP" -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 60000:65000 -m comment --comment "FTP passive mode ports" -j ACCEPT
/etc/init.d/iptables save

>> Restart the service
service vsftpd restart


If vsftpd refuses logins with "refusing to run with writable root inside chroot ()", the user's home (which is the chroot root) is writable by that user. vsftpd added this check because a user who can write the top of the jail can plant files and directories that the daemon or its libraries may trust once chrooted. The clean fix is to make the home root-owned and non-writable and give the user a writable subdirectory; the quick fix is the vsftpd 3.x option

allow_writeable_chroot=YES

(spelled "writeable"; the check is skipped, and the protection with it).

=======================================================

SFTP Jailed:
!!!! remember that the chroot directory (the user's home when ChrootDirectory is %h) and every directory above it must be owned by root and must not be writable by group or others, otherwise sshd refuses the login with "bad ownership or modes for chroot directory"

groupadd sftponly

>> 1 domain managed by 1 or more users:
    useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

>> 1 user managing multiple domains:
    useradd -d /var/www/vhosts -s /bin/false -G sftponly bob

SFTPUSER=bob
SFTPUSERPASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1)
echo "$SFTPUSERPASS" | passwd --stdin "$SFTPUSER" && printf '\nsftpuser: %s\npassword: %s\n' "$SFTPUSER" "$SFTPUSERPASS"   # passwd --stdin exists on RHEL/CentOS; elsewhere use chpasswd


>> /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

>> 1 domain managed by 1 or more users:
Match Group sftponly
   ChrootDirectory %h
   X11Forwarding no
   AllowTCPForwarding no
   ForceCommand internal-sftp

>> 1 user managing multiple domains:
Match Group sftponly
   ChrootDirectory /var/www/vhosts/%u
   X11Forwarding no
   AllowTCPForwarding no
   ForceCommand internal-sftp

sshd -t
service sshd restart 

>> Set correct permissions!!!
The directory named in ChrootDirectory and every directory above it must be owned by root and must not be writable by group or others, otherwise sshd logs "bad ownership or modes for chroot directory" and closes the session. The group-writable setgid mode therefore goes only on the directories below the chroot root, where the users upload:

chmod 755 /var/www/
chown root:root /var/www
chown -R root:sftponly /var/www/*
find /var/www/ -type d -exec chmod 2775 {} +
find /var/www/ -type f -exec chmod 644 {} +
chmod 755 /var/www/vhosts   # reset the chroot root itself (for the second layout: each /var/www/vhosts/<user>)


One-liners for automatic creation of usernames and passwords

Automatic creation of users/passwords (FTP)

Manually create list.txt with user:doc_root
e.g.:

mydomain.com:/var/www/vhost/mydomain.com
example.com:/var/www/vhost/example.com

Get commands to create FTP users (print first, review, then run them)

awk -F: '{print "useradd -d", $2, "-s /bin/false -c TICKET_NUMBER", $1}' list.txt

Get commands to set FTP permissions (if doc_root exists already)

awk -F: '{print "chown -R", $1, $2}' list.txt

 

Generate and assign random passwords to the users (passwd --stdin is RHEL/CentOS-specific, on Debian use chpasswd). pass.txt ends up holding the clear-text credentials, so create it under a restrictive umask and delete it once they have been handed over.

# umask 077 ; for USER in $(awk -F: '{print $1}' list.txt) ; do PASS=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1) ; echo "$PASS" | passwd --stdin "$USER" ; printf 'username: %s\npassword: %s\n\n' "$USER" "$PASS" | tee -a pass.txt ; done ; printf '\n========================\nHere the credentials:\n' ; cat pass.txt


Create a list of vhosts’ paths: vhosts.txt

Example with only .com domains:
/var/www/domain1.com
/var/www/domain2.com
/var/www/domain3.com

Use a sed regex to extract the vhost name and strip the remaining dots. The regex below is written for the .com-only list above: for /var/www/domain1.com the first sed leaves "domain1." and the second drops the dot, giving the user name domain1; for other TLDs adapt the "com" in the pattern.
This returns a list of PATH and VHOSTNAME, one pair per line. We will use VHOSTNAME as USER for that path.

while read -r i ; do printf '%s ' "$i" ; echo "$i" | sed 's/^.*www\/\(.*\)com.*$/\1/' | sed 's/\.//g' ; done < vhosts.txt >> list.txt

Print out the commands to run to add FTP users (no SSH)
Once you have checked the output, run these lines

awk '{print "useradd -d", $1, "-s /bin/false -c COMMENT_HERE", $2}' list.txt

(for sftp only):

awk '{print "useradd -d", $1, "-s /bin/false -G sftponly -c COMMENT_HERE", $2}' list.txt

This will print out the commands to run to assign user:apache_group to the vhosts' paths

awk '{print "chown -R", $2 ":www-data", $1}' list.txt

(for sftp only: the chroot root stays root-owned, only its content goes to the user)

awk '{print "chown root:root", $1}' list.txt
awk '{print "chown -R", $2 ":" $2, $1 "/*"}' list.txt

 

Set g+s on the vhosts so that files created inside them keep the directory's group (the setgid bit preserves the group, not the owner). list.txt holds "path user" pairs, so take only the first column:
[TO CHECK]

awk '{print "chmod g+s", $1}' list.txt

[THIS EXECUTES]

for i in $(awk '{print $1}' list.txt) ; do chmod g+s "$i" ; done

Create a list of user:password pairs using pwgen (the user is the second column of list.txt; the output file holds clear-text passwords, so run this under umask 077 and remove the file afterwards)

for u in $(awk '{print $2}' list.txt) ; do p=$(pwgen -s -B 16 1) ; echo "$u:$p" ; done > list_u_p.txt

Create a list of user:password pairs using openssl

for u in $(awk '{print $2}' list.txt) ; do p=$(openssl rand -base64 12) ; echo "$u:$p" ; done > list_u_p.txt


Apply these passwords automatically. list_u_p.txt is already in the user:password format that chpasswd reads; unlike piping two lines into passwd, which prompts on the terminal whenever one is attached, this works non-interactively on RHEL and Debian alike:

chpasswd < list_u_p.txt

Print output for reference

hostname ; awk -F: '{print "\nusername:", $1, "\npassword:", $2}' list_u_p.txt
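As an added example (not part of the original notes), the whole procedure above, from vhosts.txt to users, ownership, setgid and passwords, as one script that prints the commands for review and executes them only when --apply is given. It generalises the .com-only sed: the user name is the directory name with its last DNS label dropped and the remaining dots removed (domain1.com gives domain1, as above). The ftp branch produces the same useradd/chown commands as the user:doc_root one-liners in the first section. The group names sftponly and www-data, the credentials path, the use of chpasswd and all function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): the vhost -> FTP/SFTP user
# provisioning steps above as one script. It prints the commands for review
# and only executes them when --apply is given. Assumptions (mine, not the
# page's): vhosts.txt holds one document root per line, jailed SFTP users
# are in group "sftponly", the web server group is "www-data", and the
# user name is the directory name minus its last DNS label, dots removed.

# vhost_user PATH -> user name: /var/www/domain1.com -> domain1,
# /var/www/shop.example.org -> shopexample, /var/www/static -> static
vhost_user() {
    name=${1%/}             # drop a trailing slash
    name=${name##*/}        # basename
    case $name in
        *.*) name=${name%.*} ;;   # drop the last label (the TLD)
    esac
    printf '%s\n' "$name" | tr -d '.'
}

# gen_password -> 16 characters from the system RNG
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 12
    else
        tr -cd '[:alnum:]' < /dev/urandom | fold -w16 | head -n1
    fi
}

# provision_cmds MODE  (ftp|sftp), document roots on stdin -> commands on stdout
provision_cmds() {
    mode=$1
    case $mode in ftp|sftp) ;; *) echo "mode must be ftp or sftp" >&2; return 1 ;; esac
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        user=$(vhost_user "$path")
        if [ "$mode" = ftp ]; then
            echo "useradd -d '$path' -s /sbin/nologin -c 'vhost $user' '$user'"
            # home writable by the user: vsftpd then needs allow_writeable_chroot=YES
            echo "chown -R '$user:www-data' '$path'"
            echo "chmod g+s '$path'"      # new files inherit the web group
        else
            echo "useradd -d '$path' -s /sbin/nologin -G sftponly -c 'vhost $user' '$user'"
            # the chroot root must be root-owned and not group/world-writable
            echo "chown root:root '$path'"
            echo "chmod 755 '$path'"
            echo "chown -R '$user:$user' '$path'/*"
        fi
    done
}

# credentials_file LIST OUT -> writes user:password lines (chpasswd format);
# the file is created with mode 0600 because it holds clear-text passwords
credentials_file() {
    (
        umask 077
        while IFS= read -r path; do
            [ -n "$path" ] || continue
            printf '%s:%s\n' "$(vhost_user "$path")" "$(gen_password)"
        done < "$1" > "$2"
    )
}

# Usage: sh provision.sh ftp|sftp vhosts.txt [--apply]
if [ $# -ge 2 ]; then
    if [ "${3:-}" = --apply ]; then
        provision_cmds "$1" < "$2" | sh -e
        credentials_file "$2" /root/vhost_credentials.txt
        chpasswd < /root/vhost_credentials.txt
        echo "credentials in /root/vhost_credentials.txt (delete after handing over)"
    else
        provision_cmds "$1" < "$2"
    fi
fi
```

The dry run is the review step the notes ask for ("once checked the output, run these lines"); the credentials never go through the command line or a world-readable file, and chpasswd takes the user:password list directly, so nothing depends on a terminal.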

cat: create/write file


Create file without replacing variables:

cat <<'EOF' > /path/file
============================
My name is ${0}
I was input via user data
============================
EOF

If you check /path/file you will see exactly the content above: quoting the delimiter ('EOF') turns off parameter expansion, command substitution and backslash processing inside the here-document.
Create file REPLACING the variables while creating:

cat <<EOF > /path/file
============================
My name is ${0}
I was input via user data
============================
EOF

In this example ${0} is expanded while the file is created, so the file contains the name of the running shell or script (for example "-bash", or the script's path) instead of the literal ${0}. The unquoted form also runs any $(command) embedded in the text, so use the quoted delimiter whenever the content is not fully under your control (cloud-init user data, templates filled in from tickets, and the like).

GIT basic commands

List branches (the current one is marked with *) / create a new branch

git branch
git branch <name new branch>

Show changes after your last commit

git diff

Discard the uncommitted changes to a specific file and restore it to the state of the latest commit (the working copy is overwritten, there is no undo)

git checkout -- testfile

Delete branch

git branch -D <branch name>

Push a new branch to origin (my 'git space'); -u records origin as its upstream so later git pull/push work without arguments

git push -u origin <branch name>

Restore file from upstream

git checkout upstream/master -- <filename>

Commit changes in one single line

git commit -a -m "comment"

If you want to merge the recent changes committed on the master branch into your dev branch

git checkout dev        # gets you "on branch dev"
git fetch origin        # gets you up to date with origin
git merge origin/master

If you want to reset ALL from the version 'on the web' (this throws away every local commit and uncommitted change on that branch; commit or stash elsewhere first if anything must survive)

git fetch origin
git reset --hard origin/<branch>

Source: http://rogerdudler.github.io/git-guide/

Docker basic commands

Check containers

# docker ps -a

Connect to a container

# docker start <ID>
# docker attach <ID>

Exit from a container

-> type 'exit'. Note that attach connects you to the container's main process, so 'exit' ends that process and stops the container; press Ctrl-P Ctrl-Q instead to detach and leave it running, or open a separate shell with docker exec -it <ID> sh and exit that one freely.

Remove all of Docker containers:

docker stop $(docker ps -a -q)
docker rm $(docker ps -a -q)

Mac tricks – command line

Strange wake-ups of your Mac
To disable Bonjour advertisements (mDNSResponder – NoMulticastAdvertisements); note that on 10.11 and later System Integrity Protection refuses writes under /System, so this only works with SIP disabled or on older releases:

sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"

To re-enable Bonjour:

sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array "/usr/sbin/mDNSResponder" "-launchd"

Disable creation of .DS_Store metadata files on network volumes (the matching key for USB volumes is DSDontWriteUSBStores):

defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool true

Re-enable:

defaults write com.apple.desktopservices DSDontWriteNetworkStores -bool false

Save to Disk by Default and not on Cloud products

defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

Power off memory during standby
From the pmset man page: hibernatemode supports values of 0, 3, or 25. Whether or not a hibernation image gets written is also dependent on the values of standby and autopoweroff.

For example, on desktops that support standby a hibernation image will be written after the specified standbydelay time. To disable hibernation images completely, ensure hibernatemode, standby and autopoweroff are all set to 0.

hibernatemode = 0 by default on desktops. The system will not back memory up to persistent storage. The system must wake from the contents of memory; the system will lose context on power loss. This is, historically, plain old sleep.

hibernatemode = 3 by default on portables. The system will store a copy of memory to persistent storage (the disk), and will power memory during sleep. The system will wake from memory, unless a power loss forces it to restore from hibernate image.

hibernatemode = 25 is only settable via pmset. The system will store a copy of memory to persistent storage (the disk), and will remove power to memory. The system will restore from disk image. If you want "hibernation" – slower sleeps, slower wakes, and better battery life, you should use this setting.

It is suggested to power off memory at standby with the following command (the security gain is that RAM, and with it anything sensitive held there, is not kept powered while the machine sleeps; the price is the slower sleep and wake described above):

sudo pmset hibernatemode 25

Source: http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/