Skip to main content

Linux Commands: General Commands, System Configuration, Package Manager, Network & VLAN Configuration & Firewalls, SSH & Host Keys, Certificates, KVM & SQL

11912 words·
Linux Bash Commands
Table of Contents

Here is a list of useful Linux commands. Some of the commands are distribution specific, but most of them work regardless of the distribution.

General Commands
#

help & man
#

# Print the help documentation of a command
command --help

# Print the manual documentation of a command
man command

Terminal Commands
#

apt install bash-completion Install tab complete
Tab Tab Complete
Tab Tab List possible files or directories
clear Clear Terminal
Strg + l Clear Terminal
Strg + a Move curser to beginning of the line
Strg + e Move curser to end of the line
Alt + f Move one word forward
Alt + b Move one word backward
Strg + u Delete from cursor to beginning of the line
Strg + k Delete from cursor to end of the line
reset Reset stuck terminal / enter several times

Command in Background
#

Command & Run Command in Background
jobs List commands running in Background
fg Bring command in foreground
Strg + z Suspend command (in forground)
bg Bring suspended command in background

Miscellaneous Commands
#

& Run in background
&& Combine commands
!! Run last command again

Bash History
#

# List bash history: For current user
history

# Remove entry from history: Define entry number
history -d 1234
# Show Date (current session)
HISTTIMEFORMAT="%F "

# Show Date and Time (current session)
HISTTIMEFORMAT="%F %T "

# Show Date and Time (permanent)
echo 'HISTTIMEFORMAT="%F %T "' >>  ~/.bashrc

Disable Bash History recoring
#

# Temporarily turn off the recording of commands in the bash history
bash +o history

# Turn the recording of commands in the bash history back on
bash -o history

Record Shell
#

Save the shell inputs into a file.

script ~/session.log Record shell to session.log in Home dir
Strg + d Stop recording
cat ~/session.log List session.log

File History
#

stat filename Last modification date (filesystem may no save birth date)

Environment Variables
#

echo $SHELL Output actual shell
echo $HOME Output user directory
echo $HOSTNAME Output hostname
echo $LANG Output language
echo $PATH List colon seperated directories that are searched when a command is run

Redirect
#

> Redirect
>> Redirect and add
1> Redirect only output sent to standard output and not to the error message handler
2> Redirect only output sent to error message handler

Tmux
#

apt install tmux Install tmux
tmux Start nameless tmux session
Strg + b, d Detache from tmux session
Strg + b, q, y Quit tmux session
Strg + b, x, y Delete tmux session
tmux a Attach to last tmux session
tmux ls List tmux sessions
tmux new -s name Start named session
tmux attach -t name Attach to named session
tmux kill-session -t name Delete named session
tmux kill-server Delete all sessions

lsof
#

List Open Files
#

The following command will list files opened by processes belonging to a specific user:

# List all files currently open by specific user
sudo lsof -u username

# List all files currently open by specific user: Only regular files 
sudo lsof -u username | grep REG

List Open Network Connections
#

# List incoming and outgoing SSH connections: Default SSH port 22
lsof -i TCP:22

# List all network connections
sudo lsof -i

Files, Folder, Text & Editors
#

pwd Path of current directory
~ Shortcut for home-directory
- Previously used directory
. Currenty directory
./file Run file in current dir
../file Run file in parent dir

ls
#

ls -lah List files and folder
ls file* List only entries beginning with file
ls *.txt List only entries ending with .txt
-l long format: permissions, owner, group, size…
-a all files: include hidden
-h human: KB, MB, or GB format

touch
#

touch file1 Create file1 (empty)
touch file1 file2 Create file1 and file2

mkdir
#

mkdir dir1 Create dir1
mkdir dir1 dir2 Create dir1 and dir2
mkdir new\ dir Create “new dir”
mkdir -p /dir1/subdir1 Create subdir1 and dir1 if it does not yet exist

cp
#

cp file1 file2 dir1 Copy file1 and file2 into dir1
cp file1 ../ Copy file1 into one directory below
cp -r dir1 dir2 Copy dir1 with content into dir2
cp dir1/* dir2 Copy the content of dir1 into dir2
cp -p Keep permissions
cp -u Only newer files & files that don’t exist in destination

mv
#

mv file1 file2 Rename file1 to file2
mv file1 dir1 Move file1 into dir1
mv -v /dir1 /dir2 Move dir1 into dir2 (verbose output)

rm
#

rm file1 Remove file1
rm file1 file2 Remove file1 and file2
rm *.txt Remove all .txt file (wildcard)
rm -r dir1 Remove dir1 and it’s content
rm -rf * Remove all files and folder

Data Usage
#

du -sh /* List data usage
du -h / --max-depth=1 | sort -hr High to low / first level sub dirs
du -ah /* | sort -hr | head -n 10 High to low / include hidden files / 10 biggest entries
du -ah --exclude=/mnt /* | sort -hr | head -n 10 Exclude directory
df -h Disk space usage of file systems

diff
#

diff dir1 dir2 Compare directories
diff -r dir1 dir2 Compare directories with subdirectories

zip
#

# Compress and archive file
zip -r filezip file

# Compress and archive folder
zip -r folder.zip folder
# List files in archive
unzip -l file.zip

# List files in archive: More details
unzip -lv file.zip
# Unzip archive
unzip file.zip

gzip
#

gzip file Compress / create file.gz, orig gets deleted
gunzip file.gz Uncompress gz archive, .gz file gets deleted

tar
#

tar -cf file.tar path/to/dir Archive dir and content
tar -czvf file.tar.gz path/to/dir Archive and compress with gzip
-c Create new archive
-z Compress archive
-v Verbose: list files being processed
-f File
tar -xzf file.tar.gz Extract and uncompress files
mkdir folder Create folder for extraction
tar -xzf file.tar.gz -C folder Extract files into folder
tar -xzvf file.tar.gz --same-owner -C /path/ Extract & preserve ownership of files
-x Extraction

GPG Encryption
#

It’s necessary to provide pw for encryption and decryption
gpg --output filename.enc --symmetric --cipher-algo AES256 filename Encrypt file / create file.enc
gpg --output filename --decrypt filename.enc Decrypt file from file.enc

split
#

# Split file into 5MB parts
split -b 5MB filename.exe

# List files
ls

# Shell output:
filename.exe  xaa  xab  xac  xad

# Restore original file
cat  xaa  xab  xac  xad > file.exe
# Split file into 5MB parts: Add prefix to fileparts
split -b 5MB filename.exe 'part-'

# List files
ls

# Shell output:
filename.exe   part-aa  part-ab  part-ac  part-ad
# Split file into 10 pieces of equal size
split -n 10 filename.exe 'part-'

find
#

# Find files and folders: Current directory (and subdirectories)
find . -name docker-compose.yml

# Find files: Specific directory (/home)
find /home -name "docker-compose" -type f

# Find folders: Specific directory (/home)
find /home -name "folder" -type d

# Find symbolic link
find / -name "file" -type l


# Find (all) files: Filenames include "kernel"
find /var | grep kernel

# Find (all) files: Save output into file
find /var > var-files.txt

less
#

# Open file in less
less filename

# Displays line numbers alongside the text
less -N /var/log/syslog

# Pipe output to less
cat /var/log/syslog | less -N

# Quit less
q

Useful find and ls options
#

# List files modified in the last 30 days
find -mtime -30

# List files and folder with data usage
du --max-depth=1 -x -h

# List files with detailed timestamp
`ls -l --time-style="+%d %b %Y"`

# Save output to file
`ls -l --time-style="+%d %b %Y" > output.txt`

# List .log files with detailed timestamp
`find . -maxdepth 1 -type f -name "*.log" -exec ls -l --time-style="+%d %b %Y" {} \;`

# Copy .log files
`find . -type f -name "*.log" -exec cp {} /path/to/destination \;`
# Find files that contain specific text
find /opt/* -type f -iname "*" -exec grep -i -n "specific-text" {} +

grep
#

# Find word in file (Outputs whole line)
grep word file.txt
  • -i Igore uppercase & lowercase

  • -v Invert: List entries that do not match the searched pattern

# Find files that contain specific text
sudo grep -ri "specific-text" /opt/*

awk
#

ls -la | awk '{print $9, $5}' Filter specific columns

tree
#

sudo apt install tree Install tree
tree -dL 3 Show folder structure, e.g. 3 subfolders

word count
#

wc -w filename Count words in file
wc -l filename Count lines in file
ls /var | wc -w Count folder and files in directory
grep -o 'word' file | wc -w List how often word appears in file

Wildcards
#

* Matches any characters
? Matches any single character
[abc] Eighter a, b or c
Examples
Data??? “Data” followed by three characters
Log[0-9][0-9][0-9] “Log” followed by three numerals

which
#

# List the location of one or several executable files
which ls grep

# List all matching pathnames of each argument
which -a ls grep

Hard & Softlinks #

# Create hard link of file
ln file file_hardlink

# Create symbolic / soft link of file
ln -s file file_softlink

# -i parameter lists inode of file
ls -li

Hard Links Points to same Inode on the disk, behaves like two seperate files, but if an edit is made to the content of the file, both files change. If original file gets deleted, the hardlink is still valid.

Soft or Symbolic Links Points to the file it’s made of instead of the Inode on the disk. If original files gets deleted, the softlink points at nowhere.

realpath
#

# List the full path of a file: Syntax
realpath filename

# List the full path of a file: Example
realpath /etc/apache2/sites-enabled/000-default.conf

# Shell output:
/etc/apache2/sites-available/000-default.conf

File Owner: User & Group
#

Change Owner: User
chown newuser filename Set new owner
chown -R newuser foldername Set new owner recursive
Change Owner: Group
chgrp newgroup filename Set new group owner, user must belong to group. Use super user privileges to change the group to any group on the system
chown :newgroup filename Same function
chgrp -R newgroup foldername Set new group owner recursive
Change Owner: User & Group
chown user:group filename Set new owner
chown -R user:group foldername Set new owner recursive

File Permissions
#

Chmod: symbolic mode
chmod +x filename Make file executable
chmod g-w filename Remove write permission from group
chmod ug=rwx filename Change user and group permissions in single command
u User
g Group
o Others
a All
r Read
w Write
x Execute
+ Add Permission
- Remove permission
= Set as the only permission
Chmod: octal mode
chmod 777 filename All permissions: user,group & others
chmod 700 filename All permissions: user only
Octal Value Permission Meaning
0 - - - no permissions
1 - - x execute only
2 - w - Write only
3 - w x Write and execute
4 r - - read only
5 r - x read and execute
6 r w - read and write
7 r w x read, write, and execute

Echo Command
#

This command will write a line of text into a file. If the file already exists, the command will overwrite its contents with the new line of text.
echo "Line of text" > filename

Add another line of text to the file
echo "Another line of text" >> filename

Cat Command
#

The cat > filename command creates a file (if it does not exist) and writes (overwrites content if file already exists) into it from terminal.
Example:

cat > filename
enter your text
and use enter to create a paragraph
Strg + d Stop the cat command


cat filename List file content

Use the cat >> filename command to add more content to a file without overwriting already existing text. Again use Strg + d to stop the cat command.


cat logfile Show content of file
tail logfile Show last 10 lines of file
tail n -15 logfile Show last 15 lines of file
tail -f logfile Follow file (used for log files)
tail -f logfile & Follow file in background

Change Standard Editor
#

Change the standard editor
sudo update-alternatives --config editor

Change the standard editor (including crontab)
select-editor or manually change sudo vi ~/.selected_editor and set to SELECTED_EDITOR="/usr/bin/vim.basic"

VIM Commands
#

i Insert modus
Esc End insert modus
:q! Quit document without saving
:wq Quit and save document
(Quit insert modus first)
Search
/word + Enter Search forward in document
n Next occurrence
N Previous occurrence
?word + Enter Search backward in document
N Next occurrence
n Previous occurrence
Move
gg Jump to top of file
shift + g Jump to end of file
:3 :4 :5 Jumpt to row 3,4,5…
Edit
u Undo
yyp Duplicate row
dd Delete row
:%d Delete all text
2dd 3dd 4dd .. Delete several rows
End End Line Break

Nano Commands
#

Strg + x Exit Nano
n Don’t save

Not a Nano fan ;)

MD5 Checksum
#

# Calculate MD5 checksum
md5sum filename

System
#

OS & Kernel
#

# List Linux distribution
cat /etc/*-release

# List Kernel Version
uname -r

# Output how long the server is running
uptime

# Check for outdated processes
needrestart

CPU Information & Usage
#

# List CPU details
cat /proc/cpuinf

# List CPU details
lscpu
# Install sysstat
sudo apt install sysstat -y

# List CPU usage (all CPUs)
mpstat -P ALL

# List average CPU usage
mpstat | awk '/all/ {print 100 - $NF"%"}'

RAM & Swap Usage
#

# List RAM and Swap usage
free -h

# List total RAM on system
grep MemTotal /proc/meminfo

Disk
#

# List services reading / writing on disk
iotop

# Quit iotop
q

Hostname
#

# List Hostname
cat /etc/hostname

# Change Hostname
sudo hostnamectl set-hostname newname

# Also change here
/etc/hosts

Hardware details
#

dmidecode
#

Desktop Management Interface (DMI)

# List Hardware Specs, e.g Mainboard
sudo dmidecode

# List the valid types for dmidecode
sudo dmidecode --type

# List dmidecode details for bios
sudo dmidecode --type bios

# List dmidecode details for system
sudo dmidecode --type system

lshw
#

# Install lshw
sudo apt install lshw -y

# List system details
sudo lshw -c system

Date, Time & Timezone
#

Network Time Protocol (NTP) is a networking protocol for time synchronization between computer systems. It runs on port 123.

List & set Time & Date
#

# List system date and time
date

# List system date and time: 24-hour format
date +"%H:%M"
# Set system date
date -s "2023-05-28"

# Set system time
date -s "10:00:00"

# Set date & time
date -s "2023-05-28 10:00:00"

List & change Timezone
#

# List current timezone
timedatectl

# Check time & timezone
date
# List all available timezones
timedatectl list-timezones

# List timezones for europe
timedatectl list-timezones | grep Europe
# Change current timezone: To Vienna
sudo timedatectl set-timezone Europe/Vienna

NTP
#

Systemd-Timesyncd
#

Systemd-Timesyncd is used on Debian 12 and Ubuntu 22.

# Check status 
sudo systemctl status systemd-timesyncd

# Check status: More details
sudo timedatectl timesync-status 

Change time server:

# Open timesyncd.conf
sudo vi /etc/systemd/timesyncd.conf

# Define time server: For example "ntp.ubuntu.com"
[Time]
NTP=ntp.ubuntu.com
# Restart ystemd-timesyncd service
sudo systemctl restart systemd-timesyncd

Chrony
#

Chrony is used by RHEL Linux distributions

# Check status
sudo systemctl status chronyd

# List NTP source server
chronyc sources

# Compare "Ref time" and "System time"
chronyc tracking

Change time server:

# Open chrony.conf
sudo vi /etc/chrony.conf

# Restart service
sudo systemctl start chronyd

Setup Chrony NTP server
#

In this tutorial I’m using two Rocky Linux 9.3 servers. Server 1 “192.168.30.110” is the NTP server, server 2 “192.168.30.111” is the client.

Server 1 - NTP server:

# Allow the "192.168.30.0/24" network to sync the time
sudo tee --append /etc/chrony.conf << HERE
allow 192.168.30.0/24
HERE

# Restart service
sudo systemctl restart chronyd

Server 2 - NTP client:

# Uncomment defined servers or server pools:
sudo sed -i 's/server/#server/g' /etc/chrony.conf
sudo sed -i 's/pool/#pool/g' /etc/chrony.conf

# Define NTP server
sudo tee --append /etc/chrony.conf << HERE
server 192.168.30.110 iburst
allow 192.168.30.110
HERE

# Restart service
sudo systemctl restart chronyd

Check NTP Traffic
#

# Install tcpdump
sudo apt install tcpdump

# Check NTP traffic: Define ethernet port
sudo tcpdump port 123 -i ens33

Cron
#

User based Crons

# List Crontab from current user
crontab -l

# List Crontab from specific user
crontab -u username -l

# Edit Crontab from current user
crontab -e


# User specific Crontabs are located in the following directory
/var/spool/cron/crontabs

# For example: root
cat /var/spool/cron/crontabs/root

System based Crontab

# System Wide Crontab
cat /etc/crontab

# Individual cron files, often used by system packages like MDADM
cd /etc/cron.d/

# Other Cron directories
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/

Processes & Process IDs
#

List Processes
#

Process ID: pid
Parent Process ID: ppid

# List processes: Static
ps aux

# List processes: Real-time
top
# List processes: Real-time, modify / kill processes
htop

# Quit htop
q

List Processes: User Specific

# List processes: From specific user
ps -u username

# List processes: From specific user, format output
ps -u ubuntu -o pid,ppid,%cpu,%mem,command

Tree:

# Process trees
pstree

# Process trees with ID's
pstree -p

Search Processes
#

# Find ID of running process
pgrep processname

# Also search command line associated with process
pgrep -f processname

# Also works with running scripts
pgrep -f script.sh

Terminate Processes
#

# Terminate process: Define process ID
sudo kill ID
# Terminate process: Define process name
sudo pkill name

# Terminate process: Define process name, example "vi"
sudo pkill vi

# Terminate process: Owned by specific user
sudo pkill vi -u username
# Terminate all processes running under the specified username "username"
kill -9 $(lsof -t -u username)

Troubleshooting: Strace
#

# Trace system calls made by process: For example df -h (Check which mountpoint is stuck)
strace df -h

# Output summary instead of full output
strace -c df -h

# Save output to file
strace -o strace.txt df -h

# Trace already running process: Replace PID with process ID
strace -p PID

Ulimit
#

Ulimit is used to control the resources available to the shell and to processes started by it.

# Displays all the current ulimit settings
ulimit -a
# Set the maximum number of processes available to a single user
ulimit -u [number]

# Sets the maximum number of user processes to unlimited
ulimit -u unlimited

Systemd
#

Systemctl
#

Systemctl is a command-line utility that is used to control and manage systemd services and units.

# Enable service at boot
sudo systemctl enable servicename

# Disable service at boot
sudo systemctl disable servicename
# Start service
sudo systemctl start servicename

# Stop service
sudo systemctl stop servicename

# Restart service
sudo systemctl restart servicename

# Reload service without interrupting normal functionality
sudo systemctl reload servicename
# Service status
sudo systemctl status servicename

# View the systemd journal logs
journalctl -xeu servicename

Journalctl
#

# List all journal log entries: Starting at the oldest entry
journalctl

# List journal log entries from the current boot
journalctl -b

# List journal log entries from the current boot: Start with newest entry
journalctl -b -e
# List journal log entries: Kernel only
journalctl -k

# List journal log entries: Kernel only, from the current boot, start with newest entry
journalctl -k -b -e
# List journal log entries for unit / service
journalctl -u nginx

# List journal log entries for unit / service: Current boot
journalctl -b -u nginx.service

# List journal log entries for unit / service: Current boot, add explanatory text & start at end
journalctl -xeu servicename
# Move through journalctl: Line by line
arrow up / down

# Move through journalctl: A page at the time
bild(page) up / down

Systemd Units
#

# List services and units that are enabled to start at boot
sudo systemctl list-unit-files

# List currently loaded / active units: All currently loaded units that systemd has active or has attempted to start
sudo systemctl list-units

# List units the are active, inactive or in a failed state
sudo systemctl list-units --all
# List contents of a unit file
sudo systemctl cat nginx

# List dependency tree of a unit: Units systemd will attempt to activate when starting the unit
sudo systemctl list-dependencies nginx
# Modify unit file: Add snippet, changes are kept separate from the original file
sudo systemctl edit nginx

# Modify unit file: Edit entire file
sudo systemctl edit --full nginx

# Reload systemd after modifying a unit file
sudo systemctl daemon-reload

Systemd Targets
#

# List all active targets
sudo systemctl list-units --type=target

# List all available targets
sudo systemctl list-unit-files --type=target

Note: The combination of these active targets defines the current state of your system.

# List default target that the system is configured to use at boot
sudo systemctl get-default

# Set default target
sudo systemctl set-default target-name
# Swtich to different Target (Immediately)
sudo systemctl isolate target-name

Note: Services and units that are part of other active targets but not required by the new target will be stopped. The isolate command changes the current state of the system but does not alter the default target that the system boots into.

  • poweroff.target Runlevel 0: shutdown

  • rescue.target Runlevel 1: single-user mode: Minimal troubleshooting environment

  • emergency.target Even more minimal than rescue.target, for critical troubleshooting

  • multi-user.target Runlevel 3: multi-user mode without networking

  • graphical.target Runlevel 5: multi-user mode with networking


Masking and Unmasking
#

Masking and unmasking a service are operations that respectively disable and enable a service in a very specific way.

  • Masking

Masking a service means linking the service unit file to /dev/null, making it impossible to start the service, either manually or as part of the system startup process. It is typically used for services that should not be started accidentally.

  • Unmasking

Unmasking a service reverses the masking process. It removes the symlink to /dev/null and restores the service’s ability to be started manually or automatically.

  • Commands
# Mask service
sudo systemctl mask service_name.service

# Unmask service
sudo systemctl unmask service_name.service

Init.d
#

Commands
#

  • Disable service
# Disable service after boot
sudo update-rc.d servicename disable
  • Enable service
# Remove service from the system's startup sequence
sudo update-rc.d -f nginx remove

# Enable service after boot
sudo update-rc.d servicename defaults
  • Start, Stop & Restart
# Start service
sudo service servicename start

# Stop service
sudo service servicename stop

# Restart service
sudo service servicename restart

# Reload service
sudo service servicename reload
  • Status
# Service status
sudo service servicename status

Scripts
#

# Init.d scripts directory
/etc/init.d/
  • Start service directly from script
# Start service script
sudo /etc/init.d/servicename start

# Stop service script
sudo /etc/init.d/servicename stop

# Restart service script
sudo /etc/init.d/servicename restart

# Reload service script
sudo /etc/init.d/servicename reload

Runlevels
#

# Display the previous and current runlevel
runlevel

# Shell output:
N 2

Note: N (none) indicates the system did not change runlevels since it was booted.

# Change runlevel: Change to runlevel 1
sudo init 1

# or
telinit 1

Common runlevels:

  • 0 Shutdown
  • 1 Single-user mode
  • 3 Multi-user mode without networking
  • 5 Multi-user mode with networking
  • 6 Reboot

System Shutdown & Reboot
#

Needrestart
#

# Install needrestart
sudo apt install needrestart

# Check if a reboot is necessary
needrestart

Shutdown
#

# Shut down
sudo shutdown now

# Shut down: Older distributions
sudo shutdown -h now

# Systemctl command
sudo systemctl poweroff

Reboot
#

# Reboot
sudo shutdown now -r
# or
sudo reboot

# Cancel reboot
sudo shutdown -c


# Systemctl command
sudo systemctl reboot

Boot into Rescue Mode
#

sudo systemctl rescue

Motd
#

It’s a good practive to backup an existing script before modifying it.

cd /etc/update-motd.d Motd Scripts path
cp 00-header 01-header Backup script
sudo chmod -x script_name Disable script
sudo chmod +x script_name Enable script
sudo run-parts /etc/update-motd.d Run motd

If you want to print several lines of static text, it’s helpful to put the text in an external file and use the cat command to print it.

#!/bin/sh
printf "\n$(cat /etc/update-motd.d/mytext.asc)\n"

YaST (SUSE)
#

Yet another Setup Tool

# Open YaST GUI
sudo yast

SELinux
#

# Check status
sestatus
  • Passive Mode
# Enable SELinux passive mode: Log policy violations but don't enforce them
sudo setenforce 0

# Reenable SELinux back to enforcing mode
sudo setenforce 1
  • Disable / Enable SELinux
# Open SELinux configuration
sudo vi /etc/selinux/config

# Disable SELinux
SELINUX=disabled

# Enable SELinux
SELINUX=enforcing

# Reboot
sudo reboot

Kdump
#

Kdump provides a mechanism for capturing and saving kernel crash dumps when a system experiences a kernel panic or a critical system error.

Start & Enable
#

# Start Kdump
sudo systemctl start kdump

# Stop Kdump
sudo systemctl stop kdump

# Check status
sudo systemctl status kdump
# Enable service after boot
sudo systemctl enable kdump

# Disbale service after boot
sudo systemctl disable kdump

Configuration & Paths
#

# Kdump configuration
sudo vi /etc/kdump.conf
# Default default crash dump location
/var/crash

# Crash dump will be save into a sub directory with hostname and date:
/var/crash/127.0.0.1-2023-12-26-13:39:35

Kernel Panic
#

# Switch to root user
sudo su

# Intentionally initiate a kernel panic and capture a crash dump: For debugging and testing purposes
echo c > /proc/sysrq-trigger

Note: The system will go through a reboot process automatically.

View & Analyze Crash Dumps
#

# Install crash package
sudo dnf install crash

# Manual
crash -h

Note: Enterprise repositories are necessary to proceed with the analysation of crashdumps.


Package Manager
#

Dpkg (Debian package)
#

Dpkg is a package management command-line tool for Debian-based Linux distributions.

# List installed packages:
dpkg -l


# List details of specific package
dpkg -l | grep apache2

# Shell output:
rc  apache2                               2.4.52-1ubuntu4.7                       amd64        Apache HTTP Server

Desired Action: The action desired for the package, which is usually an installation or removal.

  • i “Install”
  • r “Remove”
  • p “Purge”

Package Status: The current status of the package, such as whether it’s installed, not installed, or in an error state.

  • i “Installed”
  • c “Config-files” (only the config files are present)
  • n “Not-installed”

APT (Advanced Package Tool)
#

Commands
#

# Update package index
sudo apt update

# List upgradeable packages
apt list --upgradable

# Upgrade installed packages
sudo apt upgrade

# Upgrade installed packages, dependencies & kernel: Install & remove packages
sudo apt dist-upgrade
# Install package
sudo apt install packagename

# Reinstall package
sudo apt install --reinstall packagename

# Remove package but not the data and configuration files
sudo apt remove packagename

# Remove software package and the related data and configuration files
sudo apt purge packagename

# Remove dependency packages that are not required any more
sudo apt autoremove

Note: The apt autoremove command will check for all packages that are marked as dependencies and no longer required / remove them.

# Package version, size, installed size, dependencies
sudo apt info packagename

# List package version in repository
sudo apt show packagename
# List of software repositories
sudo vi /etc/apt/sources.list
# Unattended upgrades configuration
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades

# Check configuration
sudo unattended-upgrade --dry-run

# Enable unattended-upgrades after reboot
sudo systemctl enable unattended-upgrades

# Start unattended-upgrades service
sudo systemctl start unattended-upgrades

Remove APT key
#

List APT GPG Keys:

# List GPG keys
sudo apt-key list

# Shell output:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2015-09-15 [SC]
      08B7 3419 AC32 B4E9 66C1  A330 E84A C2C0 460F 3994
uid           [ unknown] Ceph.com (release key) <security@ceph.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
uid           [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub   rsa4096 2018-09-17 [SC]
      F6EC B376 2474 EDA9 D21B  7022 8719 20D1 991B C93C
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>

Remove APT GPG Key:

Use the last eight characters of the fingerprint:

# Remove APT GPG key: For example Ceph key
sudo apt-key del 460F3994

Nala (Apt extension)
#

Nala is an alternative frontend to apt, that has some cool history features.

# Install Nala
sudo apt install nala -y

# Nala command overview
nala -h
# Find fastest mirror / update mirrors
sudo nala fetch

# Update package index
sudo nala update

# List upgradeable packages
nala list --upgradable

# Upgrade packages
sudo nala upgrade
# Install package 
sudo nala install packagename

# Remove package but not the data and configuration files
sudo nala remove packagename

# Remove software package and the related data and configuration files
sudo nala purge packagename

# Remove dependency packages that are not required any more
sudo nala autoremove
  • Nala History
# List recently run nala commands
nala history

# Shell outpuit:
ubuntu@ubuntu:~$ nala history
  ID    Command                                                                                                                             Date and Time              Altered    Requested-By
  1     install nginx                                                                                                                       2023-12-30 12:07:22 UTC         20    ubuntu (1000)
  2     upgrade cryptsetup cryptsetup-bin cryptsetup-initramfs libcryptsetup12 libssh-4 openssh-client openssh-server openssh-sftp-serv…    2023-12-30 12:11:54 UTC         14    ubuntu (1000)


# Details about a history event
nala history info 1

# Undo history element (upgrade / install)
sudo nala history undo 1

Snap
#

# Install snap
sudo apt install snapd

# Check snap version
snap --version
# Upgrade package
sudo snap refresh packagename

# Upgrade all installed snap packages
sudo refresh
# Install package
sudo snap install packagename

# Uninstall package
sudo snap remove packagename

# Info for snap package
sudo nap find packagename

# Find available packages to install
sudo snap find packagename
# List installed packages
snap list

# List installed and disabled packages
snap list --all

Flatpak
#

The primary use case for Flatpak is to distribute desktop applications.

  • Install Flatpak
# Update & upgrade
sudo apt update && sudo apt upgrade -y

# Install flatpak
sudo apt install flatpak -y

# Add the Flathub repository
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

# Optional: Reboot the system
sudo reboot

# Verify installation / check version
flatpak --version
  • Install Package
# Search for package
sudo flatpak search packagename

# Install package
flatpak install flathub application-id -y
# Start & run package
flatpak run <application-id>

Dnf / Yum
#

# Update package index
sudo dnf makecache

# List upgradeable packages
sudo dnf check-update
# or
sudo dnf list updates

# Upgrade packages
sudo dnf update

# Upgrade specific package
sudo dnf update httpd
# Install package
sudo dnf install packagename

# Uninstall package
sudo dnf remove packagename
# List enabled repositories
sudo dnf repolist

# List available repositories
sudo dnf repolist --all

# Enable repository
sudo dnf config-manager --enable reponame

# Disable repository
sudo dnf config-manager --disable reponame

# Add repository from URL
sudo dnf config-manager --add-repo="URL"

Release Upgrade
#

Install upgrades first.

# Upgrade to newer OS release 
sudo do-release-upgrade

Compiling From Source
#

Example htop
#

# Install prerequisites
sudo apt install unzip wget -y

# Change directory
cd /usr/local/src
  • Option 1: Download archive
# Download source code: tar or zip
wget https://github.com/htop-dev/htop/archive/refs/tags/3.3.0.zip

# Unpack: tar
tar -xvzf 3.3.0.tar.gz

# Unpack: zip
sudo unzip 3.3.0.zip
  • Option 2: git clone
# Download source code
git clone https://github.com/htop-dev/htop.git
  • Change directory
# Change owner
sudo chown -R `whoami`:`whoami` htop/

# Change directory
cd htop
  • Readme

The readme file should list the dependencies that are necessary to install, alternative the dependencies should also be available in the official documentation on the GitHub page: https://github.com/htop-dev/htop

# Open readme file
less README
  • Installation
# Install htop dependencies
sudo apt install libncursesw5-dev autotools-dev autoconf automake build-essential
# Compile the package from source
./autogen.sh && ./configure && make
# Install package: In "/usr/local" directory
sudo make install
  • Test installation
# Run htop
htop

Users
#

Create User
#

Debian / Ubuntu

# Create User
sudo adduser username

# Create User: Without PW
sudo adduser --disabled-password  username

RedHat / CentOS

# Create User: Without PW
sudo adduser username && sudo passwd -d username

Switch User
#

# Switch user
sudo su username

# Exit user session
exit

# Change password of actual user
passwd

# Output username
whoami

Delete User
#

  • Ubuntu
# Delete user without home directory
sudo deluser username

# Delete user and home directory
sudo deluser --remove-home username
  • CentOS
# Delete user without home directory
sudo userdel username

# Delete user and home directory
sudo userdel -r username

Block User
#

Passwd
#

# Lock / Deactivate User:
sudo passwd -l username

# Unlock / Reactivate
sudo passwd -u username

# Shell Output: (Lock and unlock)
passwd: password expiry information changed


#Check User Status:
passwd -S username
  • P or PS: password is set (user is unlocked)
  • L or LK: User is locked
  • N or NP: No password is needed by the user

Note: The locked user will still be able to log in via SSH keys (if login via SSH key is set).

Chage
#

# Expire account immediately
sudo chage -E 0 username

# Account never expires
sudo chage -E -1 username


# Display Current Expiry Information
sudo chage -l username

Sudo, Sudoers & Visudo
#

Overview
#

# Switch to sudo: Maintain current shell environment
su

# Switch to sudo: Invokes login shell 
su -

# Install Sudo (Debian)
apt install sudo

Sudoers File
#

# Edit sudoers file
sudo visudo

# Sudoers Path: Edit with visudo
/etc/sudoers

User specific Sudoers File
#

# Create a user specific sudoers file
vi /etc/sudoers.d/username

# Change permissions
chmod 440 /etc/sudoers.d/username

Sudoers Entry
#

# Run any command as any user, including root: Password required
username ALL=(ALL) ALL

# Run any command as any user, including root: No password required
username ALL=(ALL) NOPASSWD:ALL

Sudo sbin Path
#

# Open .bashrc of current user
cd && vi .bashrc

# Add "sbin" & "/usr/sbin" to search system administration utilities when using sudo
PATH=$PATH:/usr/sbin:/sbin

Combine sudo commands
#

# Run several Commands as sudo
sudo sh -c 'command1 && command2 >> file'

Groups & IDs
#

Groups
sudo groupadd groupname Create new group
sudo usermod -aG sudo username Add user to sudo group (Ubuntu)
sudo usermod -aG wheel username Add user to wheel group (Red Hat)
ID’s
id List user & group ID, and groups from actual user
id username List … from specific user
cat /etc/passwd User ID related data
vipw Used to modify passwd file!
Group ID’s
cat /etc/group Group related data
vigr Used to modigy group file!

SSH
#

Create SSH Key
#

# Create RSA Key: 4096 bit
ssh-keygen -t rsa -b 4096

# Create RSA Key: With comment
ssh-keygen -t rsa -b 4096 -C "user1"

# Create RSA Key: With custom file name
ssh-keygen -t rsa -b 4096 -f ~/.ssh/keyname

Open Connection
#

# Connect to Server
ssh user@IP

# Connect to Server: Custom port
ssh -p 2222 user@IP
# Connect to Server: Define specific SSH Key
ssh -i /path/to/private_key user@IP`

# Connect to Server: Verbose for debugging
ssh -v -i /path/to/private_key user@IP

# Connect to Server: Define Encryption Key
ssh -v -i /path/to/private_key -o PubkeyAcceptedKeyTypes=ssh-rsa user@IP

Connect without SSH Key
#

# Connect to a remote Server without SSH Key
ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no user@IP

Copy Key to Server
#

# Copy SSH Key to Server
ssh-copy-id -i ~/.ssh/keyename user@IP

Manually add Key & Permissions
#

# Create directory
mkdir ~/.ssh

# Change permission
chmod 700 ~/.ssh

# Manually add SSH Keys
vi .ssh/authorized_keys

# Change permission
chmod 600 ~/.ssh/authorized_keys


# Change permission of SSH Key (in case the key was copied)
chmod 400 ~/.ssh/keyname

Custom SSH Port for Host
#

To define a custom port for a specific server permanent, open the ~/.ssh/config file and ad the following entry:

# Define specific SSH port for host: Syntax
Host DNS or IP
  Port 2222

# Define specific SSH port for host: Example
Host 192.168.30.70
  Port 2222
# Define specific SSH port & oint to a specific SSH Key
Host DNS or IP
  Preferredauthentications publickey
  IdentityFile ~/.ssh/id_rsa
  Port 2222

Change Server SSH Port
#

Define a custom SSH port for a server:

# Open the SSH daemon configuration
sudo vi /etc/ssh/sshd_config

# Define the port
Port 2280
# Restart sshd service
sudo systemctl restart sshd

SSH Agent
#

eval `ssh-agent` Start SSH Agent
ssh-add Add key to the agent (go to .ssh directory)
ssh-add ~/.ssh/id_rsa Add specific key to agent
ssh-add -l list private keys currently accessible to the agent
ssh-add -D Delete all cached keys from agent

SSH Agent Autostart
#

The SSH Agent should start automatically, if not - for instance some centos server add the following script to .bashrc in your Home directory:

    # Check if SSH Agent is running
if [[ "$SSH_AUTH_SOCK" = "" ]]; then
    # Start SSH Agent
    exec ssh-agent bash
else
    # Add SSH Keys
    ssh-add
fi

Install OpenSSH
#

sudo apt update Update package manager
sudo apt install openssh-server Install SSH service
sudo systemctl enable ssh Enable SSH service (Should be auto on Ubuntu)
sudo systemctl start ssh Start SSH service
sudo systemctl status ssh Check SSH servis status

Allow SSH root login
#

Allow a SSH Connection with root user (not recommanded)

sudo vi /etc/ssh/sshd_config

# Allow SSH root login: Only Key Authentication 
PermitRootLogin prohibit-password

# Allow SSH root login: Allow Passowrd
PermitRootLogin yes

# Disable SSH root login
PermitRootLogin no

# Reload SSH Service
sudo systemctl reload ssh

Host Keys
#

When connecting via SSH, the server’s identity is verified using a “host key” to ensure that it’s the intended server and not a malicious one. The purpose is to protect against man-in-the-middle attacks. Upon the first connection, SSH prompts to accept the host key, and once accepted, this key is stored in the known_hosts file.

# Check known_hosts file
cat ~/.ssh/known_hosts

# Host keys directory
/etc/ssh

Note: There are typically several host keys, one for each cryptographic algorithm supported by the SSH server, such as RSA, ECDSA, and ED25519.

Rotate Host Keys
#

Optional: Backup the existing host keys

# Create backup directory
sudo mkdir /etc/ssh/backup_keys_$(date +%F)

# Backup the existing host keys
sudo cp /etc/ssh/ssh_host_* /etc/ssh/backup_keys_$(date +%F)/
  • Rotate Host Keys
# Remove the old host keys
sudo rm /etc/ssh/ssh_host_*

# Create new host keys: For all key types for which host keys do not already exist
sudo ssh-keygen -A

# Restart SSH service (Should not be necessary)
sudo systemctl restart ssh

Remove Host Key
#

  • Remove server host key from host

After the host key on a server (for example 192.168.30.60) was rotated, it is necessary to remove the host key on hosts that have already saved the host key of the server. Otherwise the following error appears:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Remove host key: Current user
ssh-keygen -R 192.168.30.60

# Remove host key: Specific user
ssh-keygen -f "/home/debian/.ssh/known_hosts" -R "192.168.30.60"

Jump Hosts
#

SSH jump hosts, also known as SSH bastion hosts or SSH gateways, are intermediary servers through which a user can connect to another server that is not directly accessible from the public network.

Command Line Method
#

# Connect to target host: Syntax
ssh -J jumpuser@jump-host targetuser@target-host

# Verbose Mode
ssh -v -J jumpuser@jump-host targetuser@target-host
# Connect to target host: Example
ssh -J debian@192.168.30.61 debian@192.168.30.62

# Shell output:
debian@192.168.30.61's password:
debian@192.168.30.62's password:

Regarding the server setup, the connection may prompts to accept host keys and also asks for a password.

Options:

  • -v Provides detailed output about the connection process

  • -J Specifies the jump host through which the SSH client will tunnel the connection to the target host


SSH Config File Method
#

vi ~/.ssh/config
# Define jump host
Host jump-host
  HostName 192.168.30.61
  User debian

# Define final target host using the jump host
Host target-host
  HostName 192.168.30.62
  User debian
  ProxyJump jump-host
# Connect to target host: The connection will automatically be routed through jump-host
ssh target-host

# Verbose Mode
ssh -v target-host

SOCKS Proxy
#

A SOCKS proxy using SSH is a feature that allows to securely tunnel internet traffic through a remote server.

In this example I have two debian servers, server 1 “192.168.30.60” will use server 2 “192.168.30.61” as proxy. To test the connection I’m running an apache server on port 80 on server 2.

Establish Socks Proxy
#

# Establish Socks Proxy connection: Permanent
ssh -fN -D 9999 debian@192.168.30.61

# Establish Socks Proxy connection: 2 minutes
ssh -f -D 9999 debian@192.168.30.61 sleep 120
# Test the connection
all_proxy="socks5://127.0.0.1:9999" curl 127.0.0.1:80

Options:

  • -f SSH in background

  • -N Instructs SSH not to execute a remote command

Terminate Socks Proxy
#

# List SSH processes
ps aux | grep ssh

# Shell output:
debian     22892  0.0  0.0  14284  5264 ?        Ss   20:00   0:00 ssh -f -D9999 debian@192.168.30.61 sleep 120

# Terminalte process
kill 22892

Firewall rules
#

UFW (Ubuntu)
sudo ufw status Firewall status
sudo ufw allow ssh Open ssh port
sudo ufw allow 22/tcp Allow port 22
Firewalld (CenOS)
sudo systemctl status firewalld Firewall status
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp Open SSH port
sudo firewall-cmd --reload Reload Firewalld

Troubleshooting
#

In case the SSH service runs on a different port then 22 use the following commands to check on which port the service runs:
sudo ss -tulpn | grep ssh or sudo netstat -ltnp | grep sshd on Debian based distributions.


KVM & QEMU
#

Setup
#

# Install cpu-checker / kvm-ok utility
sudo apt install cpu-checker -y

# check if KVM virtualization is supported
kvm-ok

# Shell output
INFO: /dev/kvm exists
KVM acceleration can be used
# Install packages
sudo apt install qemu-kvm virt-manager virtinst libvirt-clients bridge-utils libvirt-daemon-system -y

# Add user to groups
sudo usermod -aG libvirt ubuntu
sudo usermod -aG kvm ubuntu

Virt Manager
#

# Start Virt Manager
virt-manager

Start & Stop VMs
#

# List running VMs
virsh list

# List running & stopped VMs
virsh list --all

# Start VM
virsh start vmname

# Stop VM
virsh shutdown vmname

# Shutdown VM
virsh destroy vmname

VM Logs
#

# VM logs
cat /var/log/libvirt/qemu/vm-name.log

Define & Undefine VMs
#

# Define VM: Create VM from XML file
virsh define file.xml

# Undefine VM: XML file will not be deleted
virsh undefine vmname

Edit XML
#

# Edit undefined XML file
vi vmname.XML

# Edit defined XML file
virsh edit vmname

VM Details
#

# List VM details
virsh dominfo vmname

# List VM details: List XML details
virsh dumpxml vmname

# List VM details: Save XML details into file
virsh dumpxml vmname > filename.txt

Default Paths
#

# Default XML path
/etc/libvirt/qemu

# Default qcow2 path
/var/lib/libvirt/images/


# Grep for "source"
virsh dumpxml vmname | grep source

# Or grep for "qcow"
virsh dumpxml vmname | grep qcow

QCOW Size
#

# Open qcow dir
cd /path/to/qcow_files

# List reserved storage of qcow file
ls -alh

# List actual storage used for qcow file
du -alh

Expand & Shrink qcow file
#

# Expand qcow file (Stop VM first)
sudo qemu-img resize /path/to/vmname.qcow2 +10G

# Check disk size with fdisk
sudo fdisk -l /path/to/vmname.qcow2
# Shrink qcow file (Stop VM first): New size = 100G
qemu-img resize --shrink /path/to/vmname.qcow2 100G

# Note: the VM partition must first be shrinked from within the VM

Qemu-img: Qcow2 to vmdk convertion
#

Qemu-img is a cmd tool for convertig disk images.

# Convert qcow2 image to vmdk image
qemu-img convert -p -f qcow2 -O inputfile.qcow2 outputfile.vmdk
  • -p Show progress
  • -f Input format / file
  • -O Output format / file

Paths & Logs
#

Logs
/var/log/syslog Default Log location (Debian / Ubuntu)
/var/log/messages Default Log location (CentOS / Red Hat)
journalctl -f Follow syslog / messages
Strg + c Quit syslog / messages
journalctl --since=15:00 --until=16:00 Logs from specific time
journalctl -k --no-pager | head -n8 Last 10 lines from kernel log
grep CRON /var/log/syslog Grep from syslog e.g., CRON
/var/log/auth.log Login attempts, pw changes, user/group management
grep sudo /var/log/auth.log Sudo usage
/var/log/kern.log Hardware, driver, system error
System
who Users (with IP) currently logged in
last Login history
last | grep username Login history specific user
last reboot Reboot history
Script Paths
/etc/profile.d Scripts run for all users at login
~/.bashrc Runs at login (bash shell)
~/.profile Runs at login (other shells)

Networking
#

Ethernet Port Naming
#

Here’s what each part of “enp1s0f1” means:

  • en Stands for “Ethernet”
  • p1 Stands for “PCI bus 1”
  • s0 Indicates the device is in slot number 0 on that PCI bus
  • f1 This part of the name refers to the function number of the network interface. A single network card can provide multiple virtual network interfaces that share the same physical connection, and these are differentiated by their function numbers.

General Commands
#

# Help
ip help

Interfaces
#

# List interfaces: With IP Addresses
ip a
# List interfaces / colored output
ip -c a
# List interface: Only IPv4 Addresses
ip -c -4 a


# List interfaces: Show status up/down
ip link # or
ip link show

# Check specific interface status
ip link show eth0


# Set interface status: Up
ip link set dev eth0 up
ip link set dev eth0 down


# List physical interfaces
sudo lshw -class network


# List details of physical interface
sudo ethtool -k eth0

Manually assign IP
#

#  Assign IP address (till reboot)
ip addr add dev eth0 192.198.30.15/24

# Check IP for eth0 
ip addr list eth0

DHCP
#

# Release current DHCP lease
dhclient -r

# Request a new DHCP lease
dhclient

Routing
#

# List routing tables 
ip route show

# List specific routing table
sudo ip route show table 101


# Add entry to routing table: Set up Default Gateway
ip route add default via 192.168.0.1

# Add entry to routing table: Route IP range through specific interface
ip route add 192.0.2.0/24 via 192.168.0.2 dev eth1

ARP Tables
#

# Install package
apt install net-tools -y
# List ARP tables: Use DNS names
arp

# List ARP tables: Use IP
arp -n

Networkctl
#

# List all network interfaces and their status
networkctl

# List detailed information about interface
networkctl status br30

Netplan (Ubuntu)
#

# Path to Netplan Configuration Files
/etc/netplan/

# Default Configuration File
sudo vi /etc/netplan/00-installer-config.yaml

# Apply Netplan Changes (Reboot after severe changes)
sudo netplan apply

DHCP Configuration
#

network:
  ethernets:
    ens33:
      dhcp4: true
  version: 2

DHCP with Custom DNS
#

network:
  renderer: networkd
  ethernets:
    ens33:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false
      nameservers:
        addresses:
          - "1.1.1.1"
          - "8.8.8.8"
  version: 2

Static IPv4 Configuration
#

network:
  ethernets:
    eno1:
      addresses:
      - 192.168.10.80/24 # Define IPv4
      nameservers:
        addresses:
        - 1.1.1.1 # Primary DNS Server
        - 8.8.8.8 # Secondary DNS Server
        search: []
      routes:
      - to: default
        via: 192.168.10.1 # Default Gateway
  version: 2

VLAN Config Prerequisites
#

# Install VLAN package:  Necessary to create and manage VLANs in Ubuntu
sudo apt install vlan -y

# Load 8021q Kernel Module: Responsible for VLAN tagging in the Linux kernel
sudo modprobe 8021q

# Load Kernel Module: After reboot
echo "8021q" | sudo tee -a /etc/modules
# VLANs from switch
192.168.10.0/24 Untagged
192.168.30.0/24 Tagged
192.168.70.0/24 Tagged

VLAN DHCP Configuration
#

network:
  ethernets:
    eno1:
      addresses:
      - 192.168.10.80/24
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      routes:
      - to: default
        via: 192.168.10.1
  vlans:
    eno1.30: # VLAN 1
      id: 30
      link: eno1
      dhcp4: true
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
    eno1.70: # VLAN 2
      id: 70
      link: eno1
      dhcp4: true
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
  version: 2

VLAN Static IPv4 Configuration
#

network:
  ethernets:
    eno1:
      addresses:
      - 192.168.10.80/24
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
        search: []
      routes:
      - to: default
        via: 192.168.10.1
  vlans:
    eno1.30: # VLAN 1
      id: 30
      link: eno1
      addresses:
        - 192.168.30.80/24 # Define IP address
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
    eno1.70: # VLAN 2
      id: 70
      link: eno1
      addresses:
        - 192.168.70.80/24 # Define IP address
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
  version: 2

Check Interfaces

# List network interfaces with their IPv4 addresses
ip -4 a

# Shell output:
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    altname enp0s31f6
    inet 192.168.10.80/24 brd 192.168.10.255 scope global eno1
       valid_lft forever preferred_lft forever
4: eno1.30@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.30.80/24 brd 192.168.30.255 scope global eno1.30
       valid_lft forever preferred_lft forever
5: eno1.70@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.70.80/24 brd 192.168.70.255 scope global eno1.70
       valid_lft forever preferred_lft forever

VLAN Bridge without IP
#

Used for virtualization.

network:
  ethernets:
    eno1:
      addresses:
      - 192.168.10.80/24
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      routes:
      - to: default
        via: 192.168.10.1
  vlans:
    eno1.30: # VLAN 1
      id: 30
      link: eno1
    eno1.70: # VLAN 2
      id: 70
      link: eno1
  bridges:
    br30: # Bridge 1
      interfaces: [eno1.30]
      dhcp4: true
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      parameters:
        forward-delay: 0
        stp: true
    br70: # Bridge 2
      interfaces: [eno1.70]
      dhcp4: true
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      parameters:
        forward-delay: 0
        stp: true
  version: 2

VLAN Bridge with static IPv4
#

network:
  ethernets:
    eno1:
      addresses:
      - 192.168.10.80/24
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      routes:
      - to: default
        via: 192.168.10.1
  vlans:
    eno1.30: # VLAN 1
      id: 30
      link: eno1
    eno1.70: # VLAN 2
      id: 70
      link: eno1
  bridges:
    br30: # Bridge 1
      interfaces: [eno1.30]
      addresses:
        - 192.168.30.80/24 # Define IP address
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      parameters:
        forward-delay: 0
        stp: true
    br70: # Bridge 2
      interfaces: [eno1.70]
      addresses:
        - 192.168.70.80/24 # Define IP address
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
      parameters:
        forward-delay: 0
        stp: true
  version: 2

Interfaces (Debian)
#

Commands

# List all available Network Interfaces
ip link show

# Path to Network Configuration
vi /etc/network/interfaces

# Apply Changes to Network Interface
ifdown enp1s0 && ifup enp1s0

# Reinitialize network configuration (After fundamental changes)
systemctl restart networking

# Check status
systemctl status networking

# It's better to reboot after compley network changes!
reboot

Default Network Configuration:
#

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp2s0
iface enp2s0 inet dhcp

DHCP Configuration
#

# The primary network interface
auto enp2s0 # Auto up after boot
allow-hotplug enp2s0
iface enp2s0 inet dhcp

Static IPv4 Configuration
#

# The primary network interface
auto enp2s0
iface enp2s0 inet static
    address 192.168.30.10/24
    gateway 192.168.30.1 # Define gateway to WAN
    dns-nameservers 1.1.1.1 8.8.8.8 # Define DNS server

Add onother Interface
#

# The primary network interface
auto enp2s0
iface enp2s0 inet static
    address 192.168.70.20/24
    gateway 192.168.70.1

# Second network interface
auto enp1s0f1
iface enp1s0f1 inet static
    address 192.168.30.20/24

Bridge Prerequisites
#

# Install bridge-utils
sudo apt install bridge-utils

Bridge with DHCP
#

## DHCP ip config file for br0 ##
auto vmbr1
 
# Bridge setup
iface vmbr1 inet dhcp
    bridge_ports enp2s0

Bride with static IPv4
#

# The primary network interface
auto enp2s0
iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.30.10/24
        gateway 192.168.30.10
        bridge-ports enp1s0 # Define ports
        bridge-stp off # Panning Tree Protocol (STP) off
        bridge-fd 0 # Sets bridge forwarding delay to 0

Add another Bridge
#

# The primary network interface
auto enp2s0
iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.70.20/24
    gateway 192.168.70.1
    bridge_ports enp2s0
    bridge_stp off
    bridge_fd 0

# Second network interface
auto enp1s0f1
iface enp1s0f1 inet manual

auto vmbr1
iface vmbr1 inet static
    address 192.168.30.20/24
    bridge_ports enp1s0f1
    bridge_stp off
    bridge_fd 0

VLAN Prerequisites
#

# Install VLAN package
apt install vlan -y

# Load VLAN module & enable startup
modprobe 8021q && echo "8021q" >> /etc/modules
# Delete VLAN interface
ip link set eno1.50 down
ip link delete eno1.50

VLAN DHCP Configuration
#

# Default untagged network
auto eno1
iface eno1 inet static
    address 192.168.30.40/24
    gateway 192.168.30.1

# VLAN 1: (Tagged) DHCP
auto eno1.50
iface eno1.50 inet dhcp

# VLAN 2: (Tagged) DHCP
auto eno1.70
iface eno1.70 inet dhcp

VLAN Static IPv4 Configuration
#

# Default untagged network
auto eno1
iface eno1 inet static
    address 192.168.30.40/24
    gateway 192.168.30.1

# VLAN 1: (Tagged) Static IPv4
auto eno1.50
iface eno1.50 inet static
    address 192.168.50.40/24

# VLAN 2: (Tagged) Static IPv4
auto eno1.70
iface eno1.70 inet static
    address 192.168.70.40/24

Wicked (SUSE)
#

Tested on openSUSE 15.5

# Edit network configuration
sudo vi /etc/sysconfig/network/ifcfg-eth0

# Apply new configuration
sudo systemctl restart wicked
# Interface up
sudo wicked ifup eth0

# Interface down
sudo wicked ifdown eth0

# Interface status: All interfaces
sudo wicked ifstatus all

# Interface status: Specific interface
sudo wicked ifstatus eth0

# Shell output:
eth0            up
      link:     #2, state up, mtu 1500
      type:     ethernet, hwaddr 00:0c:29:36:84:e3
      config:   compat:suse:/etc/sysconfig/network/ifcfg-eth0 # Path to interface config
      leases:   ipv4 static granted
      addr:     ipv4 192.168.30.85/24 [static]

DHCP Configuration
#

BOOTPROTO='dhcp'
STARTMODE='auto'
ZONE=public

Static IPv4 Configuration
#

BOOTPROTO='static'
STARTMODE='auto'
ZONE=public
IPADDR='192.168.30.85'
NETMASK='255.255.255.0'
BROADCAST='192.168.30.255'
GATEWAY='192.168.30.1'

NMCLI (RHEL, SUSE)
#

Tested on Rocky Linux 9.2

Interface status
#

# List network interfaces / status
nmcli dev status

# Shell output:
DEVICE  TYPE      STATE                   CONNECTION
ens160  ethernet  connected               ens160
lo      loopback  connected (externally)  lo


# List inferface details (IP, Gateway,...): All interfaces
nmcli con show 

# List inferface details (IP, Gateway,...): Specific interface
nmcli con show ens160

Sart & Stop interface
#

  • Start & stop interface (connection-profile)
# Start interfaces
sudo nmcli con up id ens160

# Stop interfaces
sudo nmcli con down id ens160

Modify Interface
#

  • Modify interface (connection-profile)
# Set to static IPv4
sudo nmcli con modify ens160 ipv4.method manual
# Set to DHCP
sudo nmcli con modify ens160 ipv4.method auto


# Define IPv4 address
sudo nmcli con modify ens160 ipv4.address 192.168.30.85/24

# Define default gateway
sudo nmcli con mod ens160 ipv4.gateway 192.168.30.1

# Define DNS server
sudo nmcli con mod ens160 ipv4.dns "1.1.1.1 8.8.8.8"
# Set static IPv4 configuration: Define IPv4 address & gateway
nmcli con modify ens160 ipv4.method manual ipv4.address 192.168.30.85/24 ipv4.gateway 192.168.30.1

Add connection-profile

# Add Connection-Profile
nmcli con add con-name ens160-con2 type ethernet ifname ens160 ipv4.method auto

# Delete Connection-Profile
nmcli con del ens160-con2
# Enable Connection-Profile
nmcli con up id ens160

NetworkManager will deactivate the current active connection on the same interface, because each physical interface can have only one active NetworkManager connection at a time. Therefore, activating a new connection on an interface that already has an active connection will cause the current connection to be deactivated.

Connection directory

New connection profiles are save in the system-connections directory.

# Configuration directory
cd /etc/NetworkManager/system-connections/

# Open configuration: 
sudo vi /etc/NetworkManager/system-connections/ens160.nmconnection

Apply Changes
#

# Apply changes
sudo systemctl restart NetworkManager

# Alternative: Reboot to apply the settings
sudo reboot

VLAN
#

Tested on Raspberry Pi 5

# Create a VLAN interface eth0.99 on top of eth0 with VLAN ID 99
sudo nmcli con add type vlan con-name eth0.99 ifname eth0.99 dev eth0 id 99

# Configure the IP Address
sudo nmcli con mod eth0.99 ipv4.addresses 10.10.99.11/24 ipv4.gateway 10.10.99.1 ipv4.dns "1.1.1.1,8.8.8.8" ipv4.method manual

# Enable the interface
sudo nmcli con up eth0.99
# Delete VLAN interface
sudo nmcli connection delete eth0.99

NMTUI (RHEL, SUSE)
#

Tested on openSUSE 15.5

Install

# Install NetworkManager package
sudo zypper install NetworkManager-tui
# Status
sudo systemctl status NetworkManager

# Start NetworkManager
sudo systemctl start NetworkManager

# Enable NetworkManager
sudo systemctl enable NetworkManager


# Start network editor (GUI)
sudo nmtui

# Apply the new configuration
sudo service network restart
# Saved NetworkManager configuration
sudo vi /etc/NetworkManager/system-connections/eth0.nmconnection

DHCP Configuration
#

[connection]
id=eth0
uuid=6e19a7c4-bea3-4bc1-b9bd-bc2b0c1b8853
type=ethernet
autoconnect=false
interface-name=eth0
timestamp=1694360823

[ethernet]
mac-address=00:0C:29:36:84:E3

[ipv4]
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=link-local

[proxy]

Static IPv4 Configuration
#

[connection]
id=eth0
uuid=6e19a7c4-bea3-4bc1-b9bd-bc2b0c1b8853
type=ethernet
autoconnect=false
interface-name=eth0
timestamp=1694360823

[ethernet]
mac-address=00:0C:29:36:84:E3

[ipv4]
address1=192.168.30.85/24,192.168.30.1
dns=1.1.1.1;8.8.8.8;
method=manual

[ipv6]
addr-gen-mode=stable-privacy
method=link-local

[proxy]

DNS
#

Current DNS server
#

# Output current DNS server
cat /etc/resolv.conf

# Output current DNS server
resolvectl status

DNS Resolution
#

nslookup: (Bypasses the hosts file)

# Resolve DNS to IP
nslookup hostname.com

# Resolve DNS to IP: Define DNS server
nslookup hostname.com 192.168.70.1


# Resolve IP to DNS
nslookup IP

# Resolve IP to DNS: Define DNS server
nslookup IP 192.168.70.1

gtent: (Includes thehosts file)

# Verify the DNS resolution 
getent hosts hostname.com
# Test DNS resolution from specific DNS server: Define DNS server IP after the @
dig @192.168.70.1 example.com

Flush DNS
#

# Flush DNS resolver cache: Older version
sudo systemd-resolve --flush-caches

# Flush DNS resolver cache: Newer version
sudo resolvectl flush-caches

Useful tools
#

Traceroute
#

# Install traceroute package
sudo apt install inetutils-traceroute

# trace a route
traceroute 192.168.30.91

Netstat & lsof: Check Port Usage
#

# Install netstat
sudo apt install net-tools

# Display all the listening ports
sudo netstat -l -n -p


# Grap for specific port: For example 8086
sudo netstat -l -n -p | grep 8086

# List process that is using a port : For example 8086
sudo lsof -i :8086
  • -l Only listening sockets

  • -n Numerical IP addresses instead of resolving hostnames

  • -p Show the process ID and name to which each socket belongs


Nmap
#

(Only use in own network)
sudo apt install nmap Install nmap
nmap 192.168.30.1/24 Scan IP range for devices
Options
-A OS detection, version detection, script scanning & traceroute
-v Increase verbosity level
-vv Increase verbosity level
nmap -v -A 192.168.30.1/24 Example

Tcpdump
#

sudo apt install tcpdump Install tcpdump
tcpdump --help Help
tcpdump -i eth0 -v host 192.168.30.10 Traffic from or to IP
tcpdump -i eth0 -v src 192.168.30.10 Traffic from IP
tcpdump -i eth0 -v dst 192.168.30.10 Traffic to IP
tcpdump -i eth0 -v net 192.168.30.0/24 Traffic from or to CIDR Range
sudo tcpdump -i eth0 'tcp and net 192.168.30.0/24' Only TCP
sudo tcpdump -i eth0 'udp and net 192.168.30.0/24' Only UDP
tcpdump -i eth0 -v port 80 To port
tcpdump -i eth0 -v port 80 -w /file/path Write to file

Private IP Ranges
#

IP Range CIDR Type
10.0.0.0 - 10.255.255.255 10.0.0.0/8 Class A
172.16.0.0 - 172.31.255.255 172.16.0.0/12 Class B
192.168.0.0 - 192.168.255.255 192.168.0.0/16 Class C

Firewalls
#

UFW (Ubuntu)
#

man ufw Manual
ufw status Status
ufw enable Enable Firewall
ufw disable Disable Firewall
ufw reload Reload Firewall
ufw reset Reset to default / rules are backed up
Status & delte rules
ufw status verbose Status verbose
ufw status numbered List IDs of rules (to delete)
ufw delete ID Delte ufw entry
ufw show added Check added rules before starting firewall
Default
ufw default allow Default setting for whole traffic
ufw default deny Default setting for whole traffic
Allow / Deny Examples
ufw deny portnumber Deny port
ufw allow portnumber Allow tcp and udp to port, any address
ufw allow portnumber/tcp Allow tcp to port, any address
ufw allow 1050:5000/tcp Allow port range, tcp, any address
IP examples
ufw deny from 203.0.113.100 Deny all ports, specific IP
ufw allow from 192.168.30.150 Allow all ports, specific IP
ufw allow from 192.168.30.150 to any port 137 proto udp Allow port, specific IP
ufw allow from 192.168.30.0/24 Allow all ports for entire Subnet

Firewalld (RHEL, SUSE)
#

Tested on openSUSE 15.5

Start & Enable
#

# Start / Stop firewalld
sudo systemctl start firewalld
sudo systemctl stop firewalld

# Enable / disable startup
sudo systemctl enable firewalld
sudo systemctl disable firewalld

Check Status
#

# Systemd status
sudo systemctl status firewalld

# Status (Output: running / not running)
sudo firewall-cmd --state

Zones
#

# List active / running zones
sudo firewall-cmd --get-active-zones

# List default zones
sudo firewall-cmd --get-default-zone

# List all available zones
sudo firewall-cmd --get-zones


# Set default zone (public)
sudo firewall-cmd --set-default-zone=public

Add Network Interface to Zone
#

# Check network interface assignment
sudo firewall-cmd --get-active-zones

# Shell output:
docker # Zone name
  interfaces: br-11ed3a51c756 docker0 br-aa67244c4dde
# Add network interface to zone (ens33)
sudo firewall-cmd --zone=public --add-interface=ens33 --permanent

# Apply changes
sudo firewall-cmd --reload

# Verify  / check network interface assignment
sudo firewall-cmd --get-active-zones

# Shell output:
docker # Zone name
  interfaces: br-11ed3a51c756 docker0 br-aa67244c4dde
public # Zone name
  interfaces: ens33

Drop Zone
#

This sets the “drop” zone as the default zone for firewalld, but it does not change the settings of other zones.

# Block all incoming traffic by default
sudo firewall-cmd --set-default-zone=drop

# Apply changes
sudo firewall-cmd --reload

# Verify the settings
sudo firewall-cmd --get-default-zone

# Shell output:
drop

Services & Port Rules
#

# List the firewall rules from a "public" zone
sudo firewall-cmd --list-all --zone=public

# List the firewall rules for the "docker" zone
sudo firewall-cmd --list-all --zone=docker

Open a service:

# Add a service to a zone: Temporarily (immediately affects the runtime configuration but lost after reboot)
sudo firewall-cmd --zone=public --add-service=ssh
sudo firewall-cmd --zone=public --add-service=apache2
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=https

# Add a service to a zone: Permanent
sudo firewall-cmd --zone=public --add-service=ssh --permanent

# Remove a service from a zone: Permanent
sudo firewall-cmd --zone=public --remove-service=apache2 --permanent


# Apply the changes
sudo firewall-cmd --reload

Open a port:

# Open a port: Temporarily
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp

# Open a port: Permanently
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent

# Close a port: Temporarily
firewall-cmd --zone=public --remove-port=80/tcp
firewall-cmd --zone=public --remove-port=443/tcp

# Close a port: Permanently
firewall-cmd --zone=public --remove-port=80/tcp --permanent


# Apply the changes
sudo firewall-cmd --reload

Block specific port:

# Block port with a rich rule
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" drop' --permanent

# Apply the changes
sudo firewall-cmd --reload

# Verify the rules
sudo firewall-cmd --zone=public --list-rich-rules

# Shell output:
rule family="ipv4" port port="80" protocol="tcp" drop
# Remove the rich rule
sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" port port="80" protocol="tcp" drop' --permanent

Save Rules & Reload

# Save all changes in the current runtime firewall rules to the permanent configuration
sudo firewall-cmd --runtime-to-permanent


# Save / Reload: Apply changes while keeping current connections intact (actives permanent configuration) 
sudo firewall-cmd --reload

# Reload: Remove all runtime settings, including any active connections (remove temporary services and ports)
sudo firewall-cmd --complete-reload

Firewall Rules: Details
#

# List the firewall rules for the "docker" zone
sudo firewall-cmd --zone=public --list-all

# shell output:
docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-11ed3a51c756 br-aa67244c4dde docker0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  • target: ACCEPT Default action for the traffic (the traffic it will be allowed through) not explicitly matched by any other rule in this zone

  • interfaces Network interfaces assigned to this zone

  • forward: yes This allows forwarding of traffic between different network interfaces in this zone

  • masquerade: no Masquerading would hide the machine’s IP address behind the firewall when making outgoing connections.

Firewall Rules: Examples
#

Change the Target Policy to DROP or REJECT:

# To set the target to DROP (silently discards packets)
sudo firewall-cmd --zone=public --set-target=DROP --permanent

# To set the target to REJECT (actively refuse the connection with an error message)
sudo firewall-cmd --zone=public --set-target=REJECT --permanent

Open only specific ports: (80 and 443)

# Allow port 80 & 443
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

Apply the changes:

# Apply the changes
sudo firewall-cmd --reload
# Verify the rules
sudo firewall-cmd --zone=public --list-all

# Shell output:
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh
  ports: 80/tcp 443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:

Explanation
#

  • Runtime: Changes are temporary & removed when firewall restarts

  • Permanent: Changes are stored in configuration files


MySQL & MariaDB
#

Install SQL Server
#

  • MySQL
# Install MySQL server
sudo apt install mysql-server -y

# Check status
sudo systemctl status mysql
# Error log
sudo tail /var/log/mysql/error.log
  • MariaDB
# Install MariaDB server
sudo apt install mariadb-server -y

# Check status
sudo systemctl status mariadb
  • Secure Installation
# Run secure installation script
sudo mysql_secure_installation

Install SQL Client
#

  • Debian / Ubuntu
# Install mysql client
sudo apt install mysql-client -y
  • Alpine Linux
# Update package index
apk update

# Install mysql client
apk add mysql-client
# Check version
mysql --version

Connect to Server
#

# Connect to server: Localhost, define user (prompt for pw)
mysql -u root -p

# Connect to server: Define IP, port & user (prompt for pw)
mysql -h IP -P 3306 -u root -p

# Connect to server: Define IP, port & user (provide pw)
mysql -h IP -P 3306 -u root -psqlpassword


# Close the connection
exit
# or
quit

Users
#

# List all users
SELECT User, Host FROM mysql.user;

# Shell output:
+-------------+-----------+
| User        | Host      |
+-------------+-----------+
| root        | %         |


# List all hosts from which the specified user is allowed to connect
SELECT Host FROM mysql.user WHERE User='root';

# Shell output:
------+
| Host |
+------+
| %    |
+------+
# Create new user
CREATE USER 'newuser'@'%' IDENTIFIED by 'password';

# Grant all privileges on all tables in the DB
GRANT ALL PRIVILEGES ON dbname.* TO 'newuser'@'%';
# Change password
ALTER USER 'username'@'%' IDENTIFIED BY 'newpw';

Database & Tables
#

# List databases
SHOW DATABASES;

# Switch to a specific database
USE database_name;

# List tables in the current database
SHOW TABLES;
# Create dataabse
CREATE DATABASE database_name;

# Delete database
DROP DATABASE database_name;

Database Backup
#

  • Syntax
# SQLdump Syntax
mysqldump -h [server_ip] -P [port] -u [username] -p[password] [database_name] > [backup_file.sql]
  • Example: Bookstack DB
# Create Backup: Provide PW
mysqldump -h 172.19.0.2 -P 3306 -u root -prootpw bookstackapp > bookstackapp_backup.sql

# Create Backup: Prompt for PW (Recommended)
mysqldump -h 172.19.0.2 -P 3306 -u root -p bookstackapp > bookstackapp_backup.sql
# Shell output:
-- Warning: column statistics not supported by the server.

Note: This warning relates to the column statistics feature which is not supported by all versions of MySQL or MariaDB servers. It’s a relatively new feature and mainly affects how the optimizer chooses query plans. This warning is typically not a concern for a standard database backup and can be safely ignored for most use cases.

Restore Database
#

Create Database
#

# Log into the MySQL shell: Provide PW
mysql -h 172.19.0.2 -P 3306 -u root -prootpw

# Log into the MySQL shell: Prompts for PW (Recommended)
mysql -h 172.19.0.2 -P 3306 -u root -p

# Create database
CREATE DATABASE bookstackapp;

# Exit SQL client
EXIT;

Restore DB
#

  • Syntax
# Syntax
mysql -h [server_ip] -u [username] -p[password] [database_name] < [backup_file.sql]
  • Example: Bookstack DB
# Restore database from backup: Provide PW
mysql -h 172.19.0.2 -u root -prootpw bookstackapp < bookstackapp_backup.sql

# Create Backup: Prompt for PW (Recommended)
mysql -h 172.19.0.2 -u root -p bookstackapp < bookstackapp_backup.sql

PostgreSQL
#

Install SQL Server
#

# Install PostgreSQL
sudo apt install postgresql -y

# Check status
sudo systemctl status postgresql

Install SQL Client
#

# Update package index
sudo apt update

# Install PostgreSQL client
sudo apt install postgresql-client -y

Connect to Server
#

Note: The default superuser for PostgrSQL is postgres, the default database is postgres.

# Connect to SQL server: Localhost, define user
psql -U postgres

# Connect to SQL server: Localhost, define user & db
psql -U postgres db_name


# Connect to SQL server, define IP, port, user & db: Prompt for PW
psql -h 172.18.0.2 -p 5432 -U postgres postgres

# Connect to SQL server, define IP, port, user & db: Provide PW
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U postgres postgres


# Connect to SQL server: Dockerized, define user
docker exec -it -u postgres container-name psql


# Exit
\q

Users
#

# List all users
\du


# Create new user
CREATE ROLE username WITH LOGIN PASSWORD 'password';

# Grant all available privileges on a database(depending on permissions of user who runs command)
GRANT ALL PRIVILEGES ON DATABASE db-name TO user-name;

# Revoke all available privileges
REVOKE ALL PRIVILEGES ON DATABASE db-name FROM user-name;


# Delete user
DROP USER username;

Database & Tables
#

# Help
\?

# List all databases
\l

# Connect / switch to database
\c db-name

# List all tables
\dt
# Create database
CREATE DATABASE database_name;

# Delete database
DROP DATABASE database_name;

# Delete database: Terminate all connections to the database (PostgreSQL 13 & later)
DROP DATABASE database_name WITH (FORCE);

Terminate DB Connections
#

# Terminate all active connections to the specified database
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = 'database-name'
AND pid <> pg_backend_pid();

Replace database-name with the actual name of the database.

Database Backup
#

  • Syntax
# Local Syntax
pg_dump -U [username] [database_name] > [outputfile.sql]

# Syntax: Define IP & Port
pg_dump -h [server_ip] -p [port] -U [username] [database_name] > [outputfile.sql]
  • Example: Mattermost DB
# Create Backup: Provide PW
PGPASSWORD=postgres-pw pg_dump -h 172.18.0.2 -p 5432 -U mmuser mattermost > db-backup.sql

# Create Backup: Prompt for PW (Recommended)
pg_dump -h 172.18.0.2 -p 5432 -U mmuser mattermost > db-backup.sql

Custom Format
#

  • Syntax
# Syntax: Define IP & Port
pg_dump -h [server_ip] -p [port] -U [username] -F c [database_name] > [outputfile.dump]
  • Example: Mattermost
# Create Backup: Prompt for PW
pg_dump -h 172.18.0.2 -p 5432 -U mmuser -F c mattermost > cf-db-backup.sql
  • -F Specifies the format of the output file

  • c Custom format allows for features like partial restoration of specific database objects

Restore Database
#

Create Database
#

# Log into the PostgreSQL shell: Provide PW
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U mmuser postgres

# Log into the PostgreSQL shell: Prompt for PW (Recommended)
psql -h 172.18.0.2 -p 5432 -U mmuser postgres
# Create database
CREATE DATABASE mattermost;

# Exit
\q

Restore DB
#

  • Syntax
# Restore a database from a plain-text backup
psql -U [username] [database_name] < [backupfile.sql]

# Restore a database from a custom format backup
pg_restore -U [username] -d [database_name] [backupfile.dump]
  • Example: Mattermost
# Restore Database: Provide PW
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U mmuser mattermost < db-backup.sql

# Restore Database: Prompt for PW (Recommended)
psql -h 172.18.0.2 -p 5432 -U mmuser mattermost < db-backup.sql

Custom Format
#

  • Syntax
# Restore a database from a custom format backup
pg_restore -U [username] -d [database_name] [backupfile.dump]
  • Example: Mattermost
# Restore Database: Prompt for PW
pg_restore -h 172.18.0.2 -p 5432 -U mmuser -d mattermost < cf-db-backup.sql

SQL Commands
#

# List all rows and columns from table
SELECT * FROM table-name;

# List all rows and specific columns from table
SELECT id, username, password FROM table-name;


# List all rows and specific columns from table: WHERE (specific value)
SELECT id, username, password FROM table-name WHERE username = 'user1';

# List all rows and specific columns from table: WHERE (wildcard)
SELECT id, username, password FROM table-name WHERE username LIKE 'user%';


# Update  value `username` for table `table-name` in row `2`
UPDATE table-name SET username='new-value' where id=2;

LAMP & LEMP
#

LAMP Stack Packages
#

# Install Apache, MySQL server, PHP
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql -y
  • libapache2-mod-php Allows Apache to interpret and execute PHP files

  • php-mysql Allows PHP to communicate with MySQL databases


LEMP Stack Packages
#

# Install Nginx, MySQL server, PHP
sudo apt install nginx mysql-server php-fpm php-mysql -y
  • php-fpm FastCGI Process Manager: Nginx does not process PHP natively

  • php-mysql Allows PHP to communicate with MySQL databases

PHP
#

# check php version
php -v
# Find php.ini path: Command line
php --ini | grep 'Loaded Configuration File'

# Shell output:
Loaded Configuration File:         /etc/php/8.1/cli/php.ini
  • php.ini paths
# php.ini path: Command line (Settings in this file are optimized for CLI usage)
sudo vi /etc/php/8.1/cli/php.ini

# php.ini path: Apche
sudo vi /etc/php/8.1/apache2/php.ini

LDAP & LDAPS
#

Test Connection
#

# Check if port is open and accepting connections
telnet 192.168.70.2 636

# Shell output:
Trying 192.168.70.2...
Connected to 192.168.70.2.
Escape character is '^]'.
# Check SSL Certificate on Active Directory Server
openssl s_client -connect win2022-1.jklug.local:636


# Install LDAP-Utils package
sudo apt install ldap-utils

# Test Connection: Verbose Output
ldapsearch -H ldaps://win2022-1.jklug.local:636 -D "CN=Administrator,OU=Users,DC=jklug,DC=local" -W -d1

Certificates
#

Add Root Certificate
#

# Convert certificate from .cer to .crt
openssl x509 -inform PEM -in jklug-WIN2022-1-CA.cer -out jklug-WIN2022-1-CA.crt

# Copy .crt certificate in ca-certificates directory
sudo cp *.crt /usr/share/ca-certificates

# Install / uninstall certificate: Start wizard
sudo dpkg-reconfigure ca-certificates

# Check
ls -la /etc/ssl/certs | grep jklug.local

Certificate Details
#

# List certificate details: .crt, .cer, .pem
openssl x509 -text -noout -in jklug-WIN2022-1-CA.crt

# List certificate details: URL
echo | openssl s_client -connect jklug.work:443 | openssl x509 -noout -text


# List certificate expiration date
openssl x509 -enddate -noout -in jklug-WIN2022-1-CA.crt