Here is a list of useful Linux commands. Some of the commands are distribution specific, but most of them work regardless of the distribution.
General Commands #
help & man #
# Print the help documentation of a command
command --help
# Print the manual documentation of a command
man command
Terminal Commands #
apt install bash-completion |
Install tab complete |
Tab |
Tab Complete |
Tab Tab |
List possible files or directories |
clear |
Clear Terminal |
Strg (Ctrl) + l |
Clear Terminal |
Strg + a |
Move cursor to the beginning of the line |
Strg + e |
Move cursor to the end of the line |
Alt + f |
Move one word forward |
Alt + b |
Move one word backward |
Strg + u |
Delete from cursor to beginning of the line |
Strg + k |
Delete from cursor to end of the line |
reset |
Reset stuck terminal / enter several times |
Command in Background #
Command & |
Run Command in Background |
jobs |
List commands running in Background |
fg |
Bring command in foreground |
Strg + z |
Suspend command (in foreground) |
bg |
Bring suspended command in background |
Miscellaneous Commands #
& |
Run in background |
&& |
Combine commands |
!! |
Run last command again |
Bash History #
# List bash history: For current user
history
# Remove entry from history: Define entry number
history -d 1234
# Show Date (current session)
HISTTIMEFORMAT="%F "
# Show Date and Time (current session)
HISTTIMEFORMAT="%F %T "
# Show Date and Time (permanent)
echo 'HISTTIMEFORMAT="%F %T "' >> ~/.bashrc
Disable Bash History recording #
# Temporarily turn off the recording of commands in the bash history
bash +o history
# Turn the recording of commands in the bash history back on
bash -o history
Record Shell #
Save the shell inputs into a file.
script ~/session.log |
Record shell to session.log in Home dir |
Strg + d |
Stop recording |
cat ~/session.log |
List session.log |
File History #
stat filename |
Last modification date (the filesystem may not store the birth date) |
Environment Variables #
echo $SHELL |
Output actual shell |
echo $HOME |
Output user directory |
echo $HOSTNAME |
Output hostname |
echo $LANG |
Output language |
echo $PATH |
List colon-separated directories that are searched when a command is run |
Redirect #
> |
Redirect |
>> |
Redirect and add |
1> |
Redirect only standard output (stdout), not standard error (stderr) |
2> |
Redirect only standard error (stderr) |
Tmux #
apt install tmux |
Install tmux |
tmux |
Start nameless tmux session |
Strg + b , d |
Detach from tmux session |
Strg + b , q , y |
Quit tmux session |
Strg + b , x , y |
Delete tmux session |
tmux a |
Attach to last tmux session |
tmux ls |
List tmux sessions |
tmux new -s name |
Start named session |
tmux attach -t name |
Attach to named session |
tmux kill-session -t name |
Delete named session |
tmux kill-server |
Delete all sessions |
lsof #
List Open Files #
The following command will list files opened by processes belonging to a specific user:
# List all files currently open by specific user
sudo lsof -u username
# List all files currently open by specific user: Only regular files
sudo lsof -u username | grep REG
List Open Network Connections #
# List incoming and outgoing SSH connections: Default SSH port 22
lsof -i TCP:22
# List all network connections
sudo lsof -i
Files, Folder, Text & Editors #
pwd |
Path of current directory |
~ |
Shortcut for home-directory |
- |
Previously used directory |
. |
Current directory |
./file |
Run file in current dir |
../file |
Run file in parent dir |
ls #
ls -lah |
List files and folder |
ls file* |
List only entries beginning with file |
ls *.txt |
List only entries ending with .txt |
-l |
long format: permissions, owner, group, size… |
-a |
all files: include hidden |
-h |
human: KB, MB, or GB format |
touch #
touch file1 |
Create file1 (empty) |
touch file1 file2 |
Create file1 and file2 |
mkdir #
mkdir dir1 |
Create dir1 |
mkdir dir1 dir2 |
Create dir1 and dir2 |
mkdir new\ dir |
Create “new dir” |
mkdir -p /dir1/subdir1 |
Create subdir1 and dir1 if it does not yet exist |
cp #
cp file1 file2 dir1 |
Copy file1 and file2 into dir1 |
cp file1 ../ |
Copy file1 into the parent directory (one level up) |
cp -r dir1 dir2 |
Copy dir1 with content into dir2 |
cp dir1/* dir2 |
Copy the content of dir1 into dir2 |
cp -p … |
Keep permissions |
cp -u … |
Only newer files & files that don’t exist in destination |
mv #
mv file1 file2 |
Rename file1 to file2 |
mv file1 dir1 |
Move file1 into dir1 |
mv -v /dir1 /dir2 |
Move dir1 into dir2 (verbose output) |
rm #
rm file1 |
Remove file1 |
rm file1 file2 |
Remove file1 and file2 |
rm *.txt |
Remove all .txt files (wildcard) |
rm -r dir1 |
Remove dir1 and its content |
rm -rf * |
Remove all files and folders in the current directory |
Data Usage #
du -sh /* |
List data usage |
du -h / --max-depth=1 | sort -hr |
High to low / first level sub dirs |
du -ah /* | sort -hr | head -n 10 |
High to low / include hidden files / 10 biggest entries |
du -ah --exclude=/mnt /* | sort -hr | head -n 10 |
Exclude directory |
df -h |
Disk space usage of file systems |
diff #
diff dir1 dir2 |
Compare directories |
diff -r dir1 dir2 |
Compare directories with subdirectories |
zip #
# Compress and archive file
zip -r file.zip file
# Compress and archive folder
zip -r folder.zip folder
# List files in archive
unzip -l file.zip
# List files in archive: More details
unzip -lv file.zip
# Unzip archive
unzip file.zip
gzip #
gzip file |
Compress file into file.gz; the original file is deleted |
gunzip file.gz |
Uncompress gz archive, .gz file gets deleted |
tar #
tar -cf file.tar path/to/dir |
Archive dir and content |
tar -czvf file.tar.gz path/to/dir |
Archive and compress with gzip |
-c |
Create new archive |
-z |
Compress archive |
-v |
Verbose: list files being processed |
-f |
File |
tar -xzf file.tar.gz |
Extract and uncompress files |
mkdir folder |
Create folder for extraction |
tar -xzf file.tar.gz -C folder |
Extract files into folder |
tar -xzvf file.tar.gz --same-owner -C /path/ |
Extract & preserve ownership of files |
-x |
Extraction |
GPG Encryption #
A passphrase must be provided for both encryption and decryption | |
gpg --output filename.enc --symmetric --cipher-algo AES256 filename |
Encrypt file / create file.enc |
gpg --output filename --decrypt filename.enc |
Decrypt file from file.enc |
split #
# Split file into 5MB parts
split -b 5MB filename.exe
# List files
ls
# Shell output:
filename.exe xaa xab xac xad
# Restore original file
cat xaa xab xac xad > file.exe
# Split file into 5MB parts: Add prefix to fileparts
split -b 5MB filename.exe 'part-'
# List files
ls
# Shell output:
filename.exe part-aa part-ab part-ac part-ad
# Split file into 10 pieces of equal size
split -n 10 filename.exe 'part-'
find #
# Find files and folders: Current directory (and subdirectories)
find . -name docker-compose.yml
# Find files: Specific directory (/home)
find /home -name "docker-compose" -type f
# Find folders: Specific directory (/home)
find /home -name "folder" -type d
# Find symbolic link
find / -name "file" -type l
# Find (all) files: Filenames include "kernel"
find /var | grep kernel
# Find (all) files: Save output into file
find /var > var-files.txt
less #
# Open file in less
less filename
# Displays line numbers alongside the text
less -N /var/log/syslog
# Pipe output to less
cat /var/log/syslog | less -N
# Quit less
q
Useful find and ls options #
# List files modified in the last 30 days
find -mtime -30
# List files and folder with data usage
du --max-depth=1 -x -h
# List files with detailed timestamp
`ls -l --time-style="+%d %b %Y"`
# Save output to file
`ls -l --time-style="+%d %b %Y" > output.txt`
# List .log files with detailed timestamp
`find . -maxdepth 1 -type f -name "*.log" -exec ls -l --time-style="+%d %b %Y" {} \;`
# Copy .log files
`find . -type f -name "*.log" -exec cp {} /path/to/destination \;`
# Find files that contain specific text
find /opt/* -type f -iname "*" -exec grep -i -n "specific-text" {} +
grep #
# Find word in file (Outputs whole line)
grep word file.txt
-
-i
Ignore case (uppercase & lowercase) -
-v
Invert: List entries that do not match the searched pattern
# Find files that contain specific text
sudo grep -ri "specific-text" /opt/*
awk #
ls -la | awk '{print $9, $5}' |
Filter specific columns |
tree #
sudo apt install tree |
Install tree |
tree -dL 3 |
Show folder structure, e.g. 3 subfolders |
word count #
wc -w filename |
Count words in file |
wc -l filename |
Count lines in file |
ls /var | wc -w |
Count folder and files in directory |
grep -o 'word' file | wc -w |
List how often word appears in file |
Wildcards #
* |
Matches any characters |
? |
Matches any single character |
[abc] |
Either a, b or c |
Examples | |
Data??? |
“Data” followed by three characters |
Log[0-9][0-9][0-9] |
“Log” followed by three numerals |
which #
# List the location of one or several executable files
which ls grep
# List all matching pathnames of each argument
which -a ls grep
Hard & Softlinks #
# Create hard link of file
ln file file_hardlink
# Create symbolic / soft link of file
ln -s file file_softlink
# -i parameter lists inode of file
ls -li
Hard links point to the same inode on the disk. They behave like two separate files, but an edit made to the content of one is visible in both. If the original file gets deleted, the hard link is still valid.
Soft or symbolic links point to the path of the file they were created from instead of to the inode on the disk. If the original file gets deleted, the soft link is left dangling (it points to nothing).
realpath #
# List the full path of a file: Syntax
realpath filename
# List the full path of a file: Example
realpath /etc/apache2/sites-enabled/000-default.conf
# Shell output:
/etc/apache2/sites-available/000-default.conf
File Owner: User & Group #
Change Owner: User | |
chown newuser filename |
Set new owner |
chown -R newuser foldername |
Set new owner recursive |
Change Owner: Group | |
chgrp newgroup filename |
Set new group owner, user must belong to group. Use super user privileges to change the group to any group on the system |
chown :newgroup filename |
Same function |
chgrp -R newgroup foldername |
Set new group owner recursive |
Change Owner: User & Group | |
chown user:group filename |
Set new owner |
chown -R user:group foldername |
Set new owner recursive |
File Permissions #
Chmod: symbolic mode | |
chmod +x filename |
Make file executable |
chmod g-w filename |
Remove write permission from group |
chmod ug=rwx filename |
Change user and group permissions in single command |
u |
User |
g |
Group |
o |
Others |
a |
All |
r |
Read |
w |
Write |
x |
Execute |
+ |
Add Permission |
- |
Remove permission |
= |
Set as the only permission |
Chmod: octal mode | |
chmod 777 filename |
All permissions: user,group & others |
chmod 700 filename |
All permissions: user only |
Octal Value | Permission | Meaning |
0 |
- - - | no permissions |
1 |
- - x | execute only |
2 |
- w - | Write only |
3 |
- w x | Write and execute |
4 |
r - - | read only |
5 |
r - x | read and execute |
6 |
r w - | read and write |
7 |
r w x | read, write, and execute |
Echo Command #
This command will write a line of text into a file. If the file already exists,
the command will overwrite its contents with the new line of text.
echo "Line of text" > filename
Add another line of text to the file
echo "Another line of text" >> filename
Cat Command #
The cat > filename
command creates a file (if it does not exist) and writes (overwrites content if file already exists) into it from terminal.
Example:
cat > filename
enter your text
and use enter to create a paragraph
Strg + d
Stop the cat command
cat filename
List file content
Use the cat >> filename
command to add more content to a file without overwriting already existing text.
Again use Strg + d
to stop the cat command.
cat logfile |
Show content of file |
tail logfile |
Show last 10 lines of file |
tail -n 15 logfile |
Show last 15 lines of file |
tail -f logfile |
Follow file (used for log files) |
tail -f logfile & |
Follow file in background |
Change Standard Editor #
Change the standard editor
sudo update-alternatives --config editor
Change the standard editor (including crontab)
select-editor
or manually change sudo vi ~/.selected_editor
and
set to SELECTED_EDITOR="/usr/bin/vim.basic"
VIM Commands #
i |
Insert mode |
Esc |
End insert mode |
:q! |
Quit document without saving |
:wq |
Quit and save document |
(Quit insert mode first) | |
Search | |
/word + Enter |
Search forward in document |
n |
Next occurrence |
N |
Previous occurrence |
?word + Enter |
Search backward in document |
N |
Next occurrence |
n |
Previous occurrence |
Move | |
gg |
Jump to top of file |
shift + g |
Jump to end of file |
:3 :4 :5 |
Jump to row 3, 4, 5… |
Edit | |
u |
Undo |
yyp |
Duplicate row |
dd |
Delete row |
:%d |
Delete all text |
2dd 3dd 4dd .. |
Delete several rows |
End | End Line Break |
Nano Commands #
Strg + x |
Exit Nano |
n |
Don’t save |
Not a Nano fan ;)
MD5 Checksum #
# Calculate MD5 checksum
md5sum filename
System #
OS & Kernel #
# List Linux distribution
cat /etc/*-release
# List Kernel Version
uname -r
# Output how long the server is running
uptime
# Check for outdated processes
needrestart
CPU Information & Usage #
# List CPU details
cat /proc/cpuinfo
# List CPU details
lscpu
# Install sysstat
sudo apt install sysstat -y
# List CPU usage (all CPUs)
mpstat -P ALL
# List average CPU usage
mpstat | awk '/all/ {print 100 - $NF"%"}'
RAM & Swap Usage #
# List RAM and Swap usage
free -h
# List total RAM on system
grep MemTotal /proc/meminfo
Disk #
# List services reading / writing on disk
iotop
# Quit iotop
q
Hostname #
# List Hostname
cat /etc/hostname
# Change Hostname
sudo hostnamectl set-hostname newname
# Also change here
/etc/hosts
Hardware details #
dmidecode #
Desktop Management Interface (DMI)
# List Hardware Specs, e.g Mainboard
sudo dmidecode
# List the valid types for dmidecode
sudo dmidecode --type
# List dmidecode details for bios
sudo dmidecode --type bios
# List dmidecode details for system
sudo dmidecode --type system
lshw #
# Install lshw
sudo apt install lshw -y
# List system details
sudo lshw -c system
Date, Time & Timezone #
Network Time Protocol (NTP) is a networking protocol for time synchronization between computer systems. It runs on port 123.
List & set Time & Date #
# List system date and time
date
# List system date and time: 24-hour format
date +"%H:%M"
# Set system date
date -s "2023-05-28"
# Set system time
date -s "10:00:00"
# Set date & time
date -s "2023-05-28 10:00:00"
List & change Timezone #
# List current timezone
timedatectl
# Check time & timezone
date
# List all available timezones
timedatectl list-timezones
# List timezones for europe
timedatectl list-timezones | grep Europe
# Change current timezone: To Vienna
sudo timedatectl set-timezone Europe/Vienna
NTP #
Systemd-Timesyncd #
Systemd-Timesyncd is used on Debian 12 and Ubuntu 22.
# Check status
sudo systemctl status systemd-timesyncd
# Check status: More details
sudo timedatectl timesync-status
Change time server:
# Open timesyncd.conf
sudo vi /etc/systemd/timesyncd.conf
# Define time server: For example "ntp.ubuntu.com"
[Time]
NTP=ntp.ubuntu.com
# Restart systemd-timesyncd service
sudo systemctl restart systemd-timesyncd
Chrony #
Chrony is used by RHEL Linux distributions
# Check status
sudo systemctl status chronyd
# List NTP source server
chronyc sources
# Compare "Ref time" and "System time"
chronyc tracking
Change time server:
# Open chrony.conf
sudo vi /etc/chrony.conf
# Restart service
sudo systemctl start chronyd
Setup Chrony NTP server #
In this tutorial I’m using two Rocky Linux 9.3 servers. Server 1 “192.168.30.110” is the NTP server, server 2 “192.168.30.111” is the client.
Server 1 - NTP server:
# Allow the "192.168.30.0/24" network to sync the time
sudo tee --append /etc/chrony.conf << HERE
allow 192.168.30.0/24
HERE
# Restart service
sudo systemctl restart chronyd
Server 2 - NTP client:
# Comment out the predefined servers and server pools:
sudo sed -i 's/server/#server/g' /etc/chrony.conf
sudo sed -i 's/pool/#pool/g' /etc/chrony.conf
# Define NTP server
sudo tee --append /etc/chrony.conf << HERE
server 192.168.30.110 iburst
allow 192.168.30.110
HERE
# Restart service
sudo systemctl restart chronyd
Check NTP Traffic #
# Install tcpdump
sudo apt install tcpdump
# Check NTP traffic: Define ethernet port
sudo tcpdump port 123 -i ens33
Cron #
User based Crons
# List Crontab from current user
crontab -l
# List Crontab from specific user
crontab -u username -l
# Edit Crontab from current user
crontab -e
# User specific Crontabs are located in the following directory
/var/spool/cron/crontabs
# For example: root
cat /var/spool/cron/crontabs/root
System based Crontab
# System Wide Crontab
cat /etc/crontab
# Individual cron files, often used by system packages like MDADM
cd /etc/cron.d/
# Other Cron directories
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
Processes & Process IDs #
List Processes #
Process ID: pid
Parent Process ID: ppid
# List processes: Static
ps aux
# List processes: Real-time
top
# List processes: Real-time, modify / kill processes
htop
# Quit htop
q
List Processes: User Specific
# List processes: From specific user
ps -u username
# List processes: From specific user, format output
ps -u ubuntu -o pid,ppid,%cpu,%mem,command
Tree:
# Process trees
pstree
# Process trees with ID's
pstree -p
Search Processes #
# Find ID of running process
pgrep processname
# Also search command line associated with process
pgrep -f processname
# Also works with running scripts
pgrep -f script.sh
Terminate Processes #
# Terminate process: Define process ID
sudo kill ID
# Terminate process: Define process name
sudo pkill name
# Terminate process: Define process name, example "vi"
sudo pkill vi
# Terminate process: Owned by specific user
sudo pkill vi -u username
# Terminate all processes running under the specified username "username"
kill -9 $(lsof -t -u username)
Troubleshooting: Strace #
# Trace system calls made by process: For example df -h (Check which mountpoint is stuck)
strace df -h
# Output summary instead of full output
strace -c df -h
# Save output to file
strace -o strace.txt df -h
# Trace already running process: Replace PID with process ID
strace -p PID
Ulimit #
Ulimit is used to control the resources available to the shell and to processes started by it.
# Displays all the current ulimit settings
ulimit -a
# Set the maximum number of processes available to a single user
ulimit -u [number]
# Sets the maximum number of user processes to unlimited
ulimit -u unlimited
Systemd #
Systemctl #
Systemctl is a command-line utility that is used to control and manage systemd services and units.
# Enable service at boot
sudo systemctl enable servicename
# Disable service at boot
sudo systemctl disable servicename
# Start service
sudo systemctl start servicename
# Stop service
sudo systemctl stop servicename
# Restart service
sudo systemctl restart servicename
# Reload service without interrupting normal functionality
sudo systemctl reload servicename
# Service status
sudo systemctl status servicename
# View the systemd journal logs
journalctl -xeu servicename
Journalctl #
# List all journal log entries: Starting at the oldest entry
journalctl
# List journal log entries from the current boot
journalctl -b
# List journal log entries from the current boot: Start with newest entry
journalctl -b -e
# List journal log entries: Kernel only
journalctl -k
# List journal log entries: Kernel only, from the current boot, start with newest entry
journalctl -k -b -e
# List journal log entries for unit / service
journalctl -u nginx
# List journal log entries for unit / service: Current boot
journalctl -b -u nginx.service
# List journal log entries for unit / service: Current boot, add explanatory text & start at end
journalctl -xeu servicename
# Move through journalctl: Line by line
arrow up / down
# Move through journalctl: A page at a time
Page Up / Page Down
Systemd Units #
# List services and units that are enabled to start at boot
sudo systemctl list-unit-files
# List currently loaded / active units: All currently loaded units that systemd has active or has attempted to start
sudo systemctl list-units
# List units that are active, inactive or in a failed state
sudo systemctl list-units --all
# List contents of a unit file
sudo systemctl cat nginx
# List dependency tree of a unit: Units systemd will attempt to activate when starting the unit
sudo systemctl list-dependencies nginx
# Modify unit file: Add snippet, changes are kept separate from the original file
sudo systemctl edit nginx
# Modify unit file: Edit entire file
sudo systemctl edit --full nginx
# Reload systemd after modifying a unit file
sudo systemctl daemon-reload
Systemd Targets #
# List all active targets
sudo systemctl list-units --type=target
# List all available targets
sudo systemctl list-unit-files --type=target
Note: The combination of these active targets defines the current state of your system.
# List default target that the system is configured to use at boot
sudo systemctl get-default
# Set default target
sudo systemctl set-default target-name
# Switch to different Target (Immediately)
sudo systemctl isolate target-name
Note: Services and units that are part of other active targets but not required by the new target will be stopped. The isolate command changes the current state of the system but does not alter the default target that the system boots into.
-
poweroff.target
Runlevel 0: shutdown -
rescue.target
Runlevel 1: single-user mode: Minimal troubleshooting environment -
emergency.target
Even more minimal than rescue.target, for critical troubleshooting -
multi-user.target
Runlevel 3: multi-user mode without networking -
graphical.target
Runlevel 5: multi-user mode with networking
Masking and Unmasking #
Masking and unmasking a service are operations that respectively disable and enable a service in a very specific way.
- Masking
Masking a service means linking the service unit file to /dev/null, making it impossible to start the service, either manually or as part of the system startup process. It is typically used for services that should not be started accidentally.
- Unmasking
Unmasking a service reverses the masking process. It removes the symlink to /dev/null and restores the service’s ability to be started manually or automatically.
- Commands
# Mask service
sudo systemctl mask service_name.service
# Unmask service
sudo systemctl unmask service_name.service
Init.d #
Commands #
- Disable service
# Disable service after boot
sudo update-rc.d servicename disable
- Enable service
# Remove service from the system's startup sequence
sudo update-rc.d -f nginx remove
# Enable service after boot
sudo update-rc.d servicename defaults
- Start, Stop & Restart
# Start service
sudo service servicename start
# Stop service
sudo service servicename stop
# Restart service
sudo service servicename restart
# Reload service
sudo service servicename reload
- Status
# Service status
sudo service servicename status
Scripts #
# Init.d scripts directory
/etc/init.d/
- Start service directly from script
# Start service script
sudo /etc/init.d/servicename start
# Stop service script
sudo /etc/init.d/servicename stop
# Restart service script
sudo /etc/init.d/servicename restart
# Reload service script
sudo /etc/init.d/servicename reload
Runlevels #
# Display the previous and current runlevel
runlevel
# Shell output:
N 2
Note: N
(none) indicates the system did not change runlevels since it was booted.
# Change runlevel: Change to runlevel 1
sudo init 1
# or
telinit 1
Common runlevels:
0: Shutdown
1: Single-user mode
3: Multi-user mode without networking
5: Multi-user mode with networking
6: Reboot
System Shutdown & Reboot #
Needrestart #
# Install needrestart
sudo apt install needrestart
# Check if a reboot is necessary
needrestart
Shutdown #
# Shut down
sudo shutdown now
# Shut down: Older distributions
sudo shutdown -h now
# Systemctl command
sudo systemctl poweroff
Reboot #
# Reboot
sudo shutdown now -r
# or
sudo reboot
# Cancel reboot
sudo shutdown -c
# Systemctl command
sudo systemctl reboot
Boot into Rescue Mode #
sudo systemctl rescue
Motd #
It’s a good practice to back up an existing script before modifying it.
cd /etc/update-motd.d |
Motd Scripts path |
cp 00-header 01-header |
Backup script |
sudo chmod -x script_name |
Disable script |
sudo chmod +x script_name |
Enable script |
sudo run-parts /etc/update-motd.d |
Run motd |
If you want to print several lines of static text, it’s helpful to
put the text in an external file and use the cat
command to print it.
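#!/bin/sh
# Print the contents of mytext.asc framed by blank lines.
# The file content is passed as a printf argument, not as the format
# string, so any '%' or backslash sequences in the text are printed
# literally instead of being interpreted by printf.
printf '\n%s\n' "$(cat /etc/update-motd.d/mytext.asc)"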
YaST (SUSE) #
Yet another Setup Tool
# Open YaST GUI
sudo yast
SELinux #
# Check status
sestatus
- Passive Mode
# Enable SELinux passive mode: Log policy violations but don't enforce them
sudo setenforce 0
# Reenable SELinux back to enforcing mode
sudo setenforce 1
- Disable / Enable SELinux
# Open SELinux configuration
sudo vi /etc/selinux/config
# Disable SELinux
SELINUX=disabled
# Enable SELinux
SELINUX=enforcing
# Reboot
sudo reboot
Kdump #
Kdump provides a mechanism for capturing and saving kernel crash dumps when a system experiences a kernel panic or a critical system error.
Start & Enable #
# Start Kdump
sudo systemctl start kdump
# Stop Kdump
sudo systemctl stop kdump
# Check status
sudo systemctl status kdump
# Enable service after boot
sudo systemctl enable kdump
# Disable service after boot
sudo systemctl disable kdump
Configuration & Paths #
# Kdump configuration
sudo vi /etc/kdump.conf
# Default crash dump location
/var/crash
# Crash dump will be saved into a sub directory with hostname and date:
/var/crash/127.0.0.1-2023-12-26-13:39:35
Kernel Panic #
# Switch to root user
sudo su
# Intentionally initiate a kernel panic and capture a crash dump: For debugging and testing purposes
echo c > /proc/sysrq-trigger
Note: The system will go through a reboot process automatically.
View & Analyze Crash Dumps #
# Install crash package
sudo dnf install crash
# Manual
crash -h
Note: Enterprise repositories are necessary to proceed with the analysis of crash dumps.
Package Manager #
Dpkg (Debian package) #
Dpkg is a package management command-line tool for Debian-based Linux distributions.
# List installed packages:
dpkg -l
# List details of specific package
dpkg -l | grep apache2
# Shell output:
rc apache2 2.4.52-1ubuntu4.7 amd64 Apache HTTP Server
Desired Action: The action desired for the package, which is usually an installation or removal.
i: “Install”
r: “Remove”
p: “Purge”
Package Status: The current status of the package, such as whether it’s installed, not installed, or in an error state.
i: “Installed”
c: “Config-files” (only the config files are present)
n: “Not-installed”
APT (Advanced Package Tool) #
Commands #
# Update package index
sudo apt update
# List upgradeable packages
apt list --upgradable
# Upgrade installed packages
sudo apt upgrade
# Upgrade installed packages, dependencies & kernel: Install & remove packages
sudo apt dist-upgrade
# Install package
sudo apt install packagename
# Reinstall package
sudo apt install --reinstall packagename
# Remove package but not the data and configuration files
sudo apt remove packagename
# Remove software package and the related data and configuration files
sudo apt purge packagename
# Remove dependency packages that are not required any more
sudo apt autoremove
Note: The apt autoremove
command will check for all packages that are marked as dependencies and no
longer required / remove them.
# Package version, size, installed size, dependencies
sudo apt info packagename
# List package version in repository
sudo apt show packagename
# List of software repositories
sudo vi /etc/apt/sources.list
# Unattended upgrades configuration
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
# Check configuration
sudo unattended-upgrade --dry-run
# Enable unattended-upgrades after reboot
sudo systemctl enable unattended-upgrades
# Start unattended-upgrades service
sudo systemctl start unattended-upgrades
Remove APT key #
List APT GPG Keys:
# List GPG keys
sudo apt-key list
# Shell output:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa4096 2015-09-15 [SC]
08B7 3419 AC32 B4E9 66C1 A330 E84A C2C0 460F 3994
uid [ unknown] Ceph.com (release key) <security@ceph.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
------------------------------------------------------
pub rsa4096 2012-05-11 [SC]
8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
/etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
------------------------------------------------------
pub rsa4096 2018-09-17 [SC]
F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C
uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
Remove APT GPG Key:
Use the last eight characters of the fingerprint:
# Remove APT GPG key: For example Ceph key
sudo apt-key del 460F3994
Nala (Apt extension) #
Nala is an alternative frontend to apt, that has some cool history features.
# Install Nala
sudo apt install nala -y
# Nala command overview
nala -h
# Find fastest mirror / update mirrors
sudo nala fetch
# Update package index
sudo nala update
# List upgradeable packages
nala list --upgradable
# Upgrade packages
sudo nala upgrade
# Install package
sudo nala install packagename
# Remove package but not the data and configuration files
sudo nala remove packagename
# Remove software package and the related data and configuration files
sudo nala purge packagename
# Remove dependency packages that are not required any more
sudo nala autoremove
- Nala History
# List recently run nala commands
nala history
# Shell output:
ubuntu@ubuntu:~$ nala history
ID Command Date and Time Altered Requested-By
1 install nginx 2023-12-30 12:07:22 UTC 20 ubuntu (1000)
2 upgrade cryptsetup cryptsetup-bin cryptsetup-initramfs libcryptsetup12 libssh-4 openssh-client openssh-server openssh-sftp-serv… 2023-12-30 12:11:54 UTC 14 ubuntu (1000)
# Details about a history event
nala history info 1
# Undo history element (upgrade / install)
sudo nala history undo 1
Snap #
# Install snap
sudo apt install snapd
# Check snap version
snap --version
# Upgrade package
sudo snap refresh packagename
# Upgrade all installed snap packages
sudo snap refresh
# Install package
sudo snap install packagename
# Uninstall package
sudo snap remove packagename
# Info for snap package
sudo snap info packagename
# Find available packages to install
sudo snap find packagename
# List installed packages
snap list
# List installed and disabled packages
snap list --all
Flatpak #
The primary use case for Flatpak is to distribute desktop applications.
- Install Flatpak
# Update & upgrade
sudo apt update && sudo apt upgrade -y
# Install flatpak
sudo apt install flatpak -y
# Add the Flathub repository
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# Optional: Reboot the system
sudo reboot
# Verify installation / check version
flatpak --version
- Install Package
# Search for package
sudo flatpak search packagename
# Install package
flatpak install flathub application-id -y
# Start & run package
flatpak run <application-id>
Dnf / Yum #
# Update package index
sudo dnf makecache
# List upgradeable packages
sudo dnf check-update
# or
sudo dnf list updates
# Upgrade packages
sudo dnf update
# Upgrade specific package
sudo dnf update httpd
# Install package
sudo dnf install packagename
# Uninstall package
sudo dnf remove packagename
# List enabled repositories
sudo dnf repolist
# List available repositories
sudo dnf repolist --all
# Enable repository
sudo dnf config-manager --enable reponame
# Disable repository
sudo dnf config-manager --disable reponame
# Add repository from URL
sudo dnf config-manager --add-repo="URL"
Release Upgrade #
Install upgrades first.
# Upgrade to newer OS release
sudo do-release-upgrade
Compiling From Source #
Example htop #
# Install prerequisites
sudo apt install unzip wget -y
# Change directory
cd /usr/local/src
- Option 1: Download archive
# Download source code: tar or zip
wget https://github.com/htop-dev/htop/archive/refs/tags/3.3.0.zip
# Unpack: tar
tar -xvzf 3.3.0.tar.gz
# Unpack: zip
sudo unzip 3.3.0.zip
- Option 2: git clone
# Download source code
git clone https://github.com/htop-dev/htop.git
- Change directory
# Change owner
sudo chown -R `whoami`:`whoami` htop/
# Change directory
cd htop
- Readme
The readme file should list the dependencies that are necessary to install; alternatively, the dependencies should also
be available in the official documentation on the GitHub page: https://github.com/htop-dev/htop
# Open readme file
less README
- Installation
# Install htop dependencies
sudo apt install libncursesw5-dev autotools-dev autoconf automake build-essential
# Compile the package from source
./autogen.sh && ./configure && make
# Install package: In "/usr/local" directory
sudo make install
- Test installation
# Run htop
htop
Users #
Create User #
Debian / Ubuntu
# Create User
sudo adduser username
# Create User: Without PW
sudo adduser --disabled-password username
RedHat / CentOS
# Create User: Without PW (passwd -d removes the password entirely, leaving the account with an empty password rather than a disabled one)
sudo adduser username && sudo passwd -d username
Switch User #
# Switch user
sudo su username
# Exit user session
exit
# Change password of actual user
passwd
# Output username
whoami
Delete User #
- Ubuntu
# Delete user without home directory
sudo deluser username
# Delete user and home directory
sudo deluser --remove-home username
- CentOS
# Delete user without home directory
sudo userdel username
# Delete user and home directory
sudo userdel -r username
Block User #
Passwd #
# Lock / Deactivate User:
sudo passwd -l username
# Unlock / Reactivate
sudo passwd -u username
# Shell Output: (Lock and unlock)
passwd: password expiry information changed
#Check User Status:
passwd -S username
- P or PS: password is set (user is unlocked)
- L or LK: User is locked
- N or NP: No password is needed by the user
Note: A user locked with passwd -l will still be able to log in via SSH keys: the lock only invalidates the password hash ("!" prefix in /etc/shadow), and sshd with UsePAM yes (the Debian/Ubuntu default) does not treat that prefix as a lock. To block every login, including key-based ones, expire the account instead: sudo chage -E 0 username (see Chage below) - account expiry is enforced for all authentication methods.
Chage #
# Expire account immediately
sudo chage -E 0 username
# Account never expires
sudo chage -E -1 username
# Display Current Expiry Information
sudo chage -l username
Sudo, Sudoers & Visudo #
Overview #
# Switch to root (this is su, not sudo): asks for the ROOT password and keeps the current environment
su
# Switch to root: invokes a login shell with root's environment (use "sudo -i" instead on systems where the root password is disabled, e.g. Ubuntu)
su -
# Install Sudo (Debian)
apt install sudo
Sudoers File #
# Edit sudoers file
sudo visudo
# Sudoers Path: Edit with visudo
/etc/sudoers
User specific Sudoers File #
# Create a user specific sudoers file: always through visudo, which syntax-checks the file before saving - a broken file in /etc/sudoers.d breaks sudo for EVERY user. The file name must not contain a "." or end in "~", otherwise sudo ignores it.
sudo visudo -f /etc/sudoers.d/username
# Permissions: root-owned and 0440 (visudo normally leaves it that way; fix it if the file was copied in from elsewhere)
sudo chmod 440 /etc/sudoers.d/username
Sudoers Entry #
# Run any command as any user, including root: Password required
username ALL=(ALL) ALL
# Run any command as any user, including root: No password required. This is an unprotected root shell for that account - anything that can run code as the user (a stolen SSH key, a compromised service, a malicious script) is root too. Prefer listing specific commands, e.g. "username ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx"
username ALL=(ALL) NOPASSWD:ALL
Sudo sbin Path #
# Open .bashrc of current user
cd && vi .bashrc
# Add "/usr/sbin" & "/sbin" to the user's PATH so administration utilities (ip, ss, sshd, ...) are found without the full path. Note: this does not affect "sudo" when secure_path is set in /etc/sudoers (the Debian/Ubuntu default) - sudo then uses its own PATH.
PATH=$PATH:/usr/sbin:/sbin
Combine sudo commands #
# Run several Commands as sudo
sudo sh -c 'command1 && command2 >> file'
Groups & IDs #
Groups | |
sudo groupadd groupname |
Create new group |
sudo usermod -aG sudo username |
Add user to sudo group (Ubuntu) |
sudo usermod -aG wheel username |
Add user to wheel group (Red Hat) |
ID’s | |
id |
List user & group ID, and groups from actual user |
id username |
List … from specific user |
cat /etc/passwd |
User ID related data |
vipw |
Used to modify passwd file! |
Group ID’s | |
cat /etc/group |
Group related data |
vigr |
Used to modigy group file! |
SSH #
Create SSH Key #
# Create Ed25519 Key: preferred on current OpenSSH (small, fast, no key-size or hash choices to get wrong)
ssh-keygen -t ed25519 -C "user1"
# Create RSA Key: 4096 bit (only where the remote side does not accept Ed25519)
ssh-keygen -t rsa -b 4096
# Create RSA Key: With comment
ssh-keygen -t rsa -b 4096 -C "user1"
# Create RSA Key: With custom file name
ssh-keygen -t rsa -b 4096 -f ~/.ssh/keyname
Open Connection #
# Connect to Server
ssh user@IP
# Connect to Server: Custom port
ssh -p 2222 user@IP
# Connect to Server: Define specific SSH Key
ssh -i /path/to/private_key user@IP
# Connect to Server: Verbose for debugging
ssh -v -i /path/to/private_key user@IP
# Connect to Server: Force the legacy "ssh-rsa" (SHA-1) signature algorithm. Only for old servers that reject rsa-sha2-256/512; OpenSSH 8.8+ disables ssh-rsa by default because SHA-1 is no longer considered secure.
ssh -v -i /path/to/private_key -o PubkeyAcceptedKeyTypes=ssh-rsa user@IP
Connect without SSH Key #
# Connect to a remote Server without SSH Key
ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no user@IP
Copy Key to Server #
# Copy SSH Key to Server
ssh-copy-id -i ~/.ssh/keyname user@IP
Manually add Key & Permissions #
# Create directory
mkdir ~/.ssh
# Change permission
chmod 700 ~/.ssh
# Manually add SSH Keys
vi .ssh/authorized_keys
# Change permission
chmod 600 ~/.ssh/authorized_keys
# Change permission of SSH Key (in case the key was copied)
chmod 400 ~/.ssh/keyname
Custom SSH Port for Host #
To define a custom port for a specific server permanently, open the ~/.ssh/config file and add the following entry:
# Define specific SSH port for host: Syntax
Host DNS or IP
Port 2222
# Define specific SSH port for host: Example
Host 192.168.30.70
Port 2222
# Define specific SSH port & point to a specific SSH Key
Host DNS or IP
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa
Port 2222
Change Server SSH Port #
Define a custom SSH port for a server. Do this from a session you keep open, and allow the new port in the firewall (and in SELinux on RHEL: semanage port -a -t ssh_port_t -p tcp 2280) BEFORE restarting sshd, otherwise the restart locks you out:
# Open the SSH daemon configuration
sudo vi /etc/ssh/sshd_config
# Define the port
Port 2280
# Check the configuration before restarting (an invalid sshd_config makes the restart fail)
sudo sshd -t
# Restart sshd service, then test a NEW connection on the new port before closing the old session. On Ubuntu releases where sshd is socket-activated (ssh.socket), verify with "ss -tulpn | grep ssh" that the new port is actually listened on.
sudo systemctl restart sshd
SSH Agent #
eval "$(ssh-agent -s)" |
Start SSH Agent |
ssh-add |
Add key to the agent (go to .ssh directory) |
ssh-add ~/.ssh/id_rsa |
Add specific key to agent |
ssh-add -l |
list private keys currently accessible to the agent |
ssh-add -D |
Delete all cached keys from agent |
SSH Agent Autostart #
The SSH Agent should start automatically. If it does not (for instance on some CentOS servers), add the following snippet to .bashrc in your home directory:
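# Start an SSH Agent for interactive shells only.
# ~/.bashrc is also sourced for non-interactive sessions (ssh host command, scp):
# there the original "exec ssh-agent bash" replaced the command shell with an
# interactive bash and hung the session.
if [[ $- == *i* ]]; then
  # "ssh-add -l" exit status: 0 = agent reachable and holds keys,
  # 1 = agent reachable but empty, 2 = no agent reachable (SSH_AUTH_SOCK unset or stale)
  ssh-add -l >/dev/null 2>&1
  agent_state=$?
  if (( agent_state == 2 )); then
    # eval instead of exec: exports SSH_AUTH_SOCK / SSH_AGENT_PID into this shell
    # instead of starting a second bash that re-reads .bashrc
    eval "$(ssh-agent -s)" >/dev/null
    agent_state=1
  fi
  if (( agent_state == 1 )); then
    # Agent is empty: unlock the default keys. Security notes: this prompts for the
    # passphrase on every new shell; use "ssh-add -t 4h" to limit how long keys stay
    # unlocked, and drop the automatic ssh-add on hosts you reach with agent forwarding
    # (ssh -A) - SSH_AUTH_SOCK then points at the CLIENT's agent and the server's
    # keys would be added to it.
    ssh-add
  fi
  unset agent_state
fi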
Install OpenSSH #
sudo apt update |
Update package manager |
sudo apt install openssh-server |
Install SSH service |
sudo systemctl enable ssh |
Enable SSH service (Should be auto on Ubuntu) |
sudo systemctl start ssh |
Start SSH service |
sudo systemctl status ssh |
Check SSH servis status |
Allow SSH root login #
Allow a SSH Connection with root user (not recommended: log in as an unprivileged user and use sudo; if root login is unavoidable keep it at "prohibit-password" so only key authentication is accepted)
sudo vi /etc/ssh/sshd_config
# Allow SSH root login: Only Key Authentication
PermitRootLogin prohibit-password
# Allow SSH root login: Allow Passowrd
PermitRootLogin yes
# Disable SSH root login
PermitRootLogin no
# Reload SSH Service
sudo systemctl reload ssh
Host Keys #
When connecting via SSH, the server’s identity is verified using a “host key” to ensure that it’s the intended server and not a malicious one. The purpose is to protect against man-in-the-middle attacks. Upon the first connection, SSH prompts to accept the host key, and once accepted, this key is stored in the known_hosts file.
# Check known_hosts file
cat ~/.ssh/known_hosts
# Host keys directory
/etc/ssh
Note: There are typically several host keys, one for each cryptographic algorithm supported by the SSH server, such as RSA, ECDSA, and ED25519.
Rotate Host Keys #
Optional: Backup the existing host keys
# Create backup directory: root-only (mode 700), it will contain the private host keys
sudo mkdir -m 700 /etc/ssh/backup_keys_$(date +%F)
# Backup the existing host keys (-p keeps the 0600 mode of the private keys)
sudo cp -p /etc/ssh/ssh_host_* /etc/ssh/backup_keys_$(date +%F)/
- Rotate Host Keys
# Remove the old host keys
sudo rm /etc/ssh/ssh_host_*
# Create new host keys: For all key types for which host keys do not already exist
sudo ssh-keygen -A
# Restart SSH service so the running daemon loads the new keys (the listener reads the host keys at start-up; without a restart clients may still be offered the old ones)
sudo systemctl restart ssh
Remove Host Key #
- Remove server host key from host
After the host key on a server (for example 192.168.30.60) was rotated, it is necessary to remove the old host key on every client that has already saved it. Otherwise the following error appears. Only do this when you know the key was legitimately rotated: the same warning is exactly what a man-in-the-middle attack looks like. Compare the fingerprint printed in the warning with the server's own (run "ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub" on the server via the console or another trusted channel) before removing the entry.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Remove host key: Current user
ssh-keygen -R 192.168.30.60
# Remove host key: Specific user
ssh-keygen -f "/home/debian/.ssh/known_hosts" -R "192.168.30.60"
Jump Hosts #
SSH jump hosts, also known as SSH bastion hosts or SSH gateways, are intermediary servers through which a user can connect to another server that is not directly accessible from the public network. With -J / ProxyJump the connection to the target is tunnelled through the jump host end to end: the private key and the session contents stay on the client. Prefer it over agent forwarding (ssh -A), which lets a compromised jump host use your agent to authenticate as you.
Command Line Method #
# Connect to target host: Syntax
ssh -J jumpuser@jump-host targetuser@target-host
# Verbose Mode
ssh -v -J jumpuser@jump-host targetuser@target-host
# Connect to target host: Example
ssh -J debian@192.168.30.61 debian@192.168.30.62
# Shell output:
debian@192.168.30.61's password:
debian@192.168.30.62's password:
Depending on the server setup, the connection may prompt to accept the host keys of both hosts and ask for a password on each.
Options:
-
-v
Provides detailed output about the connection process -
-J
Specifies the jump host through which the SSH client will tunnel the connection to the target host
SSH Config File Method #
vi ~/.ssh/config
# Define jump host
Host jump-host
HostName 192.168.30.61
User debian
# Define final target host using the jump host
Host target-host
HostName 192.168.30.62
User debian
ProxyJump jump-host
# Connect to target host: The connection will automatically be routed through jump-host
ssh target-host
# Verbose Mode
ssh -v target-host
SOCKS Proxy #
A SOCKS proxy using SSH is a feature that allows to securely tunnel internet traffic through a remote server.
In this example I have two debian servers, server 1 “192.168.30.60” will use server 2 “192.168.30.61” as proxy. To test the connection I’m running an apache server on port 80 on server 2.
Establish Socks Proxy #
# Establish Socks Proxy connection: Runs in the background until the ssh process is killed. -D binds to 127.0.0.1 only, so other machines cannot use the tunnel (bind an address explicitly, e.g. -D 0.0.0.0:9999, only if you really want an open proxy on your LAN)
ssh -fN -D 9999 debian@192.168.30.61
# Establish Socks Proxy connection: 2 minutes
ssh -f -D 9999 debian@192.168.30.61 sleep 120
# Test the connection
all_proxy="socks5://127.0.0.1:9999" curl 127.0.0.1:80
Options:
-
-f
SSH in background -
-N
Instructs SSH not to execute a remote command
Terminate Socks Proxy #
# List SSH processes
ps aux | grep ssh
# Shell output:
debian 22892 0.0 0.0 14284 5264 ? Ss 20:00 0:00 ssh -f -D9999 debian@192.168.30.61 sleep 120
# Terminalte process
kill 22892
Firewall rules #
UFW (Ubuntu) | |
sudo ufw status |
Firewall status |
sudo ufw allow ssh |
Open ssh port |
sudo ufw allow 22/tcp |
Allow port 22 |
Firewalld (CenOS) | |
sudo systemctl status firewalld |
Firewall status |
sudo firewall-cmd --permanent --zone=public --add-service=ssh |
Open SSH port (the rule is permanent only; run --reload to activate it) |
sudo firewall-cmd --reload |
Reload Firewalld |
Troubleshooting #
In case the SSH service runs on a different port then 22 use the following commands to
check on which port the service runs:
sudo ss -tulpn | grep ssh
or sudo netstat -ltnp | grep sshd
on Debian based distributions.
KVM & QEMU #
Setup #
# Install cpu-checker / kvm-ok utility
sudo apt install cpu-checker -y
# check if KVM virtualization is supported
kvm-ok
# Shell output
INFO: /dev/kvm exists
KVM acceleration can be used
# Install packages
sudo apt install qemu-kvm virt-manager virtinst libvirt-clients bridge-utils libvirt-daemon-system -y
# Add user to groups (libvirt membership allows managing every VM on the host, including attaching host devices and disks - practically root-equivalent, give it to admins only)
sudo usermod -aG libvirt ubuntu
sudo usermod -aG kvm ubuntu
Virt Manager #
# Start Virt Manager
virt-manager
Start & Stop VMs #
# List running VMs
virsh list
# List running & stopped VMs
virsh list --all
# Start VM
virsh start vmname
# Stop VM: graceful ACPI shutdown (the guest decides when it powers off)
virsh shutdown vmname
# Force off VM: like pulling the power cord, may corrupt the guest file system - use only when shutdown hangs
virsh destroy vmname
VM Logs #
# VM logs
cat /var/log/libvirt/qemu/vm-name.log
Define & Undefine VMs #
# Define VM: Create VM from XML file
virsh define file.xml
# Undefine VM: XML file will not be deleted
virsh undefine vmname
Edit XML #
# Edit undefined XML file
vi vmname.XML
# Edit defined XML file
virsh edit vmname
VM Details #
# List VM details
virsh dominfo vmname
# List VM details: List XML details
virsh dumpxml vmname
# List VM details: Save XML details into file
virsh dumpxml vmname > filename.txt
Default Paths #
# Default XML path
/etc/libvirt/qemu
# Default qcow2 path
/var/lib/libvirt/images/
# Grep for "source"
virsh dumpxml vmname | grep source
# Or grep for "qcow"
virsh dumpxml vmname | grep qcow
QCOW Size #
# Open qcow dir
cd /path/to/qcow_files
# List reserved storage of qcow file
ls -alh
# List actual storage used for qcow file
du -alh
Expand & Shrink qcow file #
# Expand qcow file (Stop VM first)
sudo qemu-img resize /path/to/vmname.qcow2 +10G
# Check the image size: use qemu-img, fdisk cannot read a qcow2 container (it only sees the host file, not the guest partitions)
sudo qemu-img info /path/to/vmname.qcow2
# Shrink qcow file (Stop VM first): New size = 100G
qemu-img resize --shrink /path/to/vmname.qcow2 100G
# Note: the VM partition must first be shrinked from within the VM
Qemu-img: Qcow2 to vmdk convertion #
Qemu-img is a command-line tool for converting disk images.
# Convert qcow2 image to vmdk image (-f = input format, -O = output format, then input file and output file)
qemu-img convert -p -f qcow2 -O vmdk inputfile.qcow2 outputfile.vmdk
-p
Show progress
-f
Input format
-O
Output format
Paths & Logs #
Logs | |
/var/log/syslog |
Default Log location (Debian / Ubuntu) |
/var/log/messages |
Default Log location (CentOS / Red Hat) |
journalctl -f |
Follow syslog / messages |
Strg + c |
Quit syslog / messages |
journalctl --since=15:00 --until=16:00 |
Logs from specific time |
journalctl -k -n 10 --no-pager |
Last 10 lines from kernel log (head would show the FIRST lines) |
grep CRON /var/log/syslog |
Grep from syslog e.g., CRON |
/var/log/auth.log |
Login attempts, pw changes, user/group management |
grep sudo /var/log/auth.log |
Sudo usage |
/var/log/kern.log |
Hardware, driver, system error |
System | |
who |
Users (with IP) currently logged in |
last |
Login history |
last | grep username |
Login history specific user |
last reboot |
Reboot history |
Script Paths | |
/etc/profile.d |
Scripts run for all users at login |
~/.bashrc |
Runs for every interactive bash shell (not only at login; bash also sources it for non-interactive ssh command sessions) |
~/.profile |
Runs at login (login shells; bash reads it when ~/.bash_profile is absent) |
Networking #
Ethernet Port Naming #
Here’s what each part of “enp1s0f1” means:
en
Stands for “Ethernet”p1
Stands for “PCI bus 1”s0
Indicates the device is in slot number 0 on that PCI busf1
This part of the name refers to the function number of the network interface. A single network card can provide multiple virtual network interfaces that share the same physical connection, and these are differentiated by their function numbers.
General Commands #
# Help
ip help
Interfaces #
# List interfaces: With IP Addresses
ip a
# List interfaces / colored output
ip -c a
# List interface: Only IPv4 Addresses
ip -c -4 a
# List interfaces: Show status up/down
ip link # or
ip link show
# Check specific interface status
ip link show eth0
# Set interface status: Up
ip link set dev eth0 up
ip link set dev eth0 down
# List physical interfaces
sudo lshw -class network
# List details of physical interface
sudo ethtool -k eth0
Manually assign IP #
# Assign IP address (till reboot; root required)
sudo ip addr add dev eth0 192.168.30.15/24
# Check IP for eth0
ip addr list eth0
DHCP #
# Release current DHCP lease
dhclient -r
# Request a new DHCP lease
dhclient
Routing #
# List routing tables
ip route show
# List specific routing table
sudo ip route show table 101
# Add entry to routing table: Set up Default Gateway
ip route add default via 192.168.0.1
# Add entry to routing table: Route IP range through specific interface
ip route add 192.0.2.0/24 via 192.168.0.2 dev eth1
ARP Tables #
# Install package (arp is part of the legacy net-tools; "ip neigh show" from iproute2 does the same without an extra package)
sudo apt install net-tools -y
# List ARP tables: Use DNS names
arp
# List ARP tables: Use IP
arp -n
Networkctl #
# List all network interfaces and their status
networkctl
# List detailed information about interface
networkctl status br30
Netplan (Ubuntu) #
# Path to Netplan Configuration Files: keep them readable by root only (sudo chmod 600 /etc/netplan/*.yaml) - they can contain Wi-Fi passphrases, and recent netplan versions warn when the files are world-readable
/etc/netplan/
# Default Configuration File
sudo vi /etc/netplan/00-installer-config.yaml
# Apply Netplan Changes (Reboot after severe changes)
sudo netplan apply
DHCP Configuration #
network:
ethernets:
ens33:
dhcp4: true
version: 2
DHCP with Custom DNS #
network:
renderer: networkd
ethernets:
ens33:
dhcp4: true
dhcp4-overrides:
use-dns: false
nameservers:
addresses:
- "1.1.1.1"
- "8.8.8.8"
version: 2
Static IPv4 Configuration #
network:
ethernets:
eno1:
addresses:
- 192.168.10.80/24 # Define IPv4
nameservers:
addresses:
- 1.1.1.1 # Primary DNS Server
- 8.8.8.8 # Secondary DNS Server
search: []
routes:
- to: default
via: 192.168.10.1 # Default Gateway
version: 2
VLAN Config Prerequisites #
# Install VLAN package: Necessary to create and manage VLANs in Ubuntu
sudo apt install vlan -y
# Load 8021q Kernel Module: Responsible for VLAN tagging in the Linux kernel
sudo modprobe 8021q
# Load Kernel Module: After reboot
echo "8021q" | sudo tee -a /etc/modules
# VLANs from switch
192.168.10.0/24 Untagged
192.168.30.0/24 Tagged
192.168.70.0/24 Tagged
VLAN DHCP Configuration #
network:
ethernets:
eno1:
addresses:
- 192.168.10.80/24
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
routes:
- to: default
via: 192.168.10.1
vlans:
eno1.30: # VLAN 1
id: 30
link: eno1
dhcp4: true
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
eno1.70: # VLAN 2
id: 70
link: eno1
dhcp4: true
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
version: 2
VLAN Static IPv4 Configuration #
network:
ethernets:
eno1:
addresses:
- 192.168.10.80/24
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
search: []
routes:
- to: default
via: 192.168.10.1
vlans:
eno1.30: # VLAN 1
id: 30
link: eno1
addresses:
- 192.168.30.80/24 # Define IP address
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
eno1.70: # VLAN 2
id: 70
link: eno1
addresses:
- 192.168.70.80/24 # Define IP address
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
version: 2
Check Interfaces
# List network interfaces with their IPv4 addresses
ip -4 a
# Shell output:
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
altname enp0s31f6
inet 192.168.10.80/24 brd 192.168.10.255 scope global eno1
valid_lft forever preferred_lft forever
4: eno1.30@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.30.80/24 brd 192.168.30.255 scope global eno1.30
valid_lft forever preferred_lft forever
5: eno1.70@eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.70.80/24 brd 192.168.70.255 scope global eno1.70
valid_lft forever preferred_lft forever
VLAN Bridge without IP #
Used for virtualization.
network:
ethernets:
eno1:
addresses:
- 192.168.10.80/24
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
routes:
- to: default
via: 192.168.10.1
vlans:
eno1.30: # VLAN 1
id: 30
link: eno1
eno1.70: # VLAN 2
id: 70
link: eno1
bridges:
br30: # Bridge 1
interfaces: [eno1.30]
dhcp4: true
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
parameters:
forward-delay: 0
stp: true
br70: # Bridge 2
interfaces: [eno1.70]
dhcp4: true
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
parameters:
forward-delay: 0
stp: true
version: 2
VLAN Bridge with static IPv4 #
network:
ethernets:
eno1:
addresses:
- 192.168.10.80/24
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
routes:
- to: default
via: 192.168.10.1
vlans:
eno1.30: # VLAN 1
id: 30
link: eno1
eno1.70: # VLAN 2
id: 70
link: eno1
bridges:
br30: # Bridge 1
interfaces: [eno1.30]
addresses:
- 192.168.30.80/24 # Define IP address
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
parameters:
forward-delay: 0
stp: true
br70: # Bridge 2
interfaces: [eno1.70]
addresses:
- 192.168.70.80/24 # Define IP address
nameservers:
addresses:
- 1.1.1.1
- 8.8.8.8
parameters:
forward-delay: 0
stp: true
version: 2
Interfaces (Debian) #
Commands
# List all available Network Interfaces
ip link show
# Path to Network Configuration
vi /etc/network/interfaces
# Apply Changes to Network Interface
ifdown enp1s0 && ifup enp1s0
# Reinitialize network configuration (After fundamental changes)
systemctl restart networking
# Check status
systemctl status networking
# It's better to reboot after compley network changes!
reboot
Default Network Configuration: #
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug enp2s0
iface enp2s0 inet dhcp
DHCP Configuration #
# The primary network interface
auto enp2s0 # Auto up after boot
allow-hotplug enp2s0
iface enp2s0 inet dhcp
Static IPv4 Configuration #
# The primary network interface
auto enp2s0
iface enp2s0 inet static
address 192.168.30.10/24
gateway 192.168.30.1 # Define gateway to WAN
dns-nameservers 1.1.1.1 8.8.8.8 # Define DNS server
Add onother Interface #
# The primary network interface
auto enp2s0
iface enp2s0 inet static
address 192.168.70.20/24
gateway 192.168.70.1
# Second network interface
auto enp1s0f1
iface enp1s0f1 inet static
address 192.168.30.20/24
Bridge Prerequisites #
# Install bridge-utils
sudo apt install bridge-utils
Bridge with DHCP #
## DHCP ip config file for br0 ##
auto vmbr1
# Bridge setup
iface vmbr1 inet dhcp
bridge_ports enp2s0
Bride with static IPv4 #
# The primary network interface
auto enp2s0
iface enp2s0 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.30.10/24
gateway 192.168.30.1 # Gateway must be the router, not the bridge's own address
bridge-ports enp2s0 # Define ports (the interface set to "manual" above)
bridge-stp off # Spanning Tree Protocol (STP) off
bridge-fd 0 # Sets bridge forwarding delay to 0
Add another Bridge #
# The primary network interface
auto enp2s0
iface enp2s0 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.70.20/24
gateway 192.168.70.1
bridge_ports enp2s0
bridge_stp off
bridge_fd 0
# Second network interface
auto enp1s0f1
iface enp1s0f1 inet manual
auto vmbr1
iface vmbr1 inet static
address 192.168.30.20/24
bridge_ports enp1s0f1
bridge_stp off
bridge_fd 0
VLAN Prerequisites #
# Install VLAN package
apt install vlan -y
# Load VLAN module & enable startup
modprobe 8021q && echo "8021q" >> /etc/modules
# Delete VLAN interface
ip link set eno1.50 down
ip link delete eno1.50
VLAN DHCP Configuration #
# Default untagged network
auto eno1
iface eno1 inet static
address 192.168.30.40/24
gateway 192.168.30.1
# VLAN 1: (Tagged) DHCP
auto eno1.50
iface eno1.50 inet dhcp
# VLAN 2: (Tagged) DHCP
auto eno1.70
iface eno1.70 inet dhcp
VLAN Static IPv4 Configuration #
# Default untagged network
auto eno1
iface eno1 inet static
address 192.168.30.40/24
gateway 192.168.30.1
# VLAN 1: (Tagged) Static IPv4
auto eno1.50
iface eno1.50 inet static
address 192.168.50.40/24
# VLAN 2: (Tagged) Static IPv4
auto eno1.70
iface eno1.70 inet static
address 192.168.70.40/24
Wicked (SUSE) #
Tested on openSUSE 15.5
# Edit network configuration
sudo vi /etc/sysconfig/network/ifcfg-eth0
# Apply new configuration
sudo systemctl restart wicked
# Interface up
sudo wicked ifup eth0
# Interface down
sudo wicked ifdown eth0
# Interface status: All interfaces
sudo wicked ifstatus all
# Interface status: Specific interface
sudo wicked ifstatus eth0
# Shell output:
eth0 up
link: #2, state up, mtu 1500
type: ethernet, hwaddr 00:0c:29:36:84:e3
config: compat:suse:/etc/sysconfig/network/ifcfg-eth0 # Path to interface config
leases: ipv4 static granted
addr: ipv4 192.168.30.85/24 [static]
DHCP Configuration #
BOOTPROTO='dhcp'
STARTMODE='auto'
ZONE=public
Static IPv4 Configuration #
BOOTPROTO='static'
STARTMODE='auto'
ZONE=public
IPADDR='192.168.30.85'
NETMASK='255.255.255.0'
BROADCAST='192.168.30.255'
GATEWAY='192.168.30.1'
NMCLI (RHEL, SUSE) #
Tested on Rocky Linux 9.2
Interface status #
# List network interfaces / status
nmcli dev status
# Shell output:
DEVICE TYPE STATE CONNECTION
ens160 ethernet connected ens160
lo loopback connected (externally) lo
# List inferface details (IP, Gateway,...): All interfaces
nmcli con show
# List inferface details (IP, Gateway,...): Specific interface
nmcli con show ens160
Sart & Stop interface #
- Start & stop interface (connection-profile)
# Start interfaces
sudo nmcli con up id ens160
# Stop interfaces
sudo nmcli con down id ens160
Modify Interface #
- Modify interface (connection-profile)
# Set to static IPv4
sudo nmcli con modify ens160 ipv4.method manual
# Set to DHCP
sudo nmcli con modify ens160 ipv4.method auto
# Define IPv4 address
sudo nmcli con modify ens160 ipv4.address 192.168.30.85/24
# Define default gateway
sudo nmcli con mod ens160 ipv4.gateway 192.168.30.1
# Define DNS server
sudo nmcli con mod ens160 ipv4.dns "1.1.1.1 8.8.8.8"
# Set static IPv4 configuration: Define IPv4 address & gateway
nmcli con modify ens160 ipv4.method manual ipv4.address 192.168.30.85/24 ipv4.gateway 192.168.30.1
Add connection-profile
# Add Connection-Profile
nmcli con add con-name ens160-con2 type ethernet ifname ens160 ipv4.method auto
# Delete Connection-Profile
nmcli con del ens160-con2
# Enable Connection-Profile
nmcli con up id ens160
NetworkManager will deactivate the current active connection on the same interface, because each physical interface can have only one active NetworkManager connection at a time. Therefore, activating a new connection on an interface that already has an active connection will cause the current connection to be deactivated.
Connection directory
New connection profiles are save in the system-connections directory.
# Configuration directory
cd /etc/NetworkManager/system-connections/
# Open configuration:
sudo vi /etc/NetworkManager/system-connections/ens160.nmconnection
Apply Changes #
# Apply changes
sudo systemctl restart NetworkManager
# Alternative: Reboot to apply the settings
sudo reboot
VLAN #
Tested on Raspberry Pi 5
# Create a VLAN interface eth0.99 on top of eth0 with VLAN ID 99
sudo nmcli con add type vlan con-name eth0.99 ifname eth0.99 dev eth0 id 99
# Configure the IP Address
sudo nmcli con mod eth0.99 ipv4.addresses 10.10.99.11/24 ipv4.gateway 10.10.99.1 ipv4.dns "1.1.1.1,8.8.8.8" ipv4.method manual
# Enable the interface
sudo nmcli con up eth0.99
# Delete VLAN interface
sudo nmcli connection delete eth0.99
NMTUI (RHEL, SUSE) #
Tested on openSUSE 15.5
Install
# Install NetworkManager package
sudo zypper install NetworkManager-tui
# Status
sudo systemctl status NetworkManager
# Start NetworkManager
sudo systemctl start NetworkManager
# Enable NetworkManager
sudo systemctl enable NetworkManager
# Start network editor (GUI)
sudo nmtui
# Apply the new configuration
sudo service network restart
# Saved NetworkManager configuration (NetworkManager ignores keyfiles that are not owned by root with mode 0600; keep them that way, they may contain Wi-Fi or VPN secrets)
sudo vi /etc/NetworkManager/system-connections/eth0.nmconnection
DHCP Configuration #
[connection]
id=eth0
uuid=6e19a7c4-bea3-4bc1-b9bd-bc2b0c1b8853
type=ethernet
autoconnect=false
interface-name=eth0
timestamp=1694360823
[ethernet]
mac-address=00:0C:29:36:84:E3
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=link-local
[proxy]
Static IPv4 Configuration #
[connection]
id=eth0
uuid=6e19a7c4-bea3-4bc1-b9bd-bc2b0c1b8853
type=ethernet
autoconnect=false
interface-name=eth0
timestamp=1694360823
[ethernet]
mac-address=00:0C:29:36:84:E3
[ipv4]
address1=192.168.30.85/24,192.168.30.1
dns=1.1.1.1;8.8.8.8;
method=manual
[ipv6]
addr-gen-mode=stable-privacy
method=link-local
[proxy]
DNS #
Current DNS server #
# Output current DNS server
cat /etc/resolv.conf
# Output current DNS server
resolvectl status
DNS Resolution #
nslookup: (Bypasses the hosts file)
# Resolve DNS to IP
nslookup hostname.com
# Resolve DNS to IP: Define DNS server
nslookup hostname.com 192.168.70.1
# Resolve IP to DNS
nslookup IP
# Resolve IP to DNS: Define DNS server
nslookup IP 192.168.70.1
getent: (Includes the hosts file)
# Verify the DNS resolution
getent hosts hostname.com
# Test DNS resolution from specific DNS server: Define DNS server IP after the @
dig @192.168.70.1 example.com
Flush DNS #
# Flush DNS resolver cache: Older version
sudo systemd-resolve --flush-caches
# Flush DNS resolver cache: Newer version
sudo resolvectl flush-caches
Useful tools #
Traceroute #
# Install traceroute package
sudo apt install inetutils-traceroute
# trace a route
traceroute 192.168.30.91
Netstat & lsof: Check Port Usage #
# Install netstat (legacy net-tools; "sudo ss -tulpn" from iproute2 is preinstalled and shows the same information)
sudo apt install net-tools
# Display all the listening ports
sudo netstat -l -n -p
# Grep for specific port: For example 8086
sudo netstat -l -n -p | grep 8086
# List process that is using a port : For example 8086
sudo lsof -i :8086
-
-l
Only listening sockets -
-n
Numerical IP addresses instead of resolving hostnames -
-p
Show the process ID and name to which each socket belongs
Nmap #
(Only scan hosts and networks you own or are explicitly authorised to test - scanning third-party systems can be illegal and will trigger intrusion alerts) | |
sudo apt install nmap |
Install nmap |
nmap 192.168.30.1/24 |
Scan IP range for devices |
Options | |
-A |
OS detection, version detection, script scanning & traceroute |
-v |
Increase verbosity level |
-vv |
Increase verbosity level |
nmap -v -A 192.168.30.1/24 |
Example |
Tcpdump #
sudo apt install tcpdump |
Install tcpdump |
tcpdump --help |
Help |
tcpdump -i eth0 -v host 192.168.30.10 |
Traffic from or to IP |
tcpdump -i eth0 -v src 192.168.30.10 |
Traffic from IP |
tcpdump -i eth0 -v dst 192.168.30.10 |
Traffic to IP |
tcpdump -i eth0 -v net 192.168.30.0/24 |
Traffic from or to CIDR Range |
sudo tcpdump -i eth0 'tcp and net 192.168.30.0/24' |
Only TCP |
sudo tcpdump -i eth0 'udp and net 192.168.30.0/24' |
Only UDP |
tcpdump -i eth0 -v port 80 |
Port 80 as source or destination |
tcpdump -i eth0 -v port 80 -w /file/path |
Write raw packets to a pcap file (includes payloads, which may contain credentials - restrict access to the file) |
Private IP Ranges #
IP Range | CIDR | Type (RFC 1918 private ranges; the "class" names are the historical labels, not the actual block size) |
10.0.0.0 - 10.255.255.255 |
10.0.0.0/8 |
Class A |
172.16.0.0 - 172.31.255.255 |
172.16.0.0/12 |
Class B |
192.168.0.0 - 192.168.255.255 |
192.168.0.0/16 |
Class C |
Firewalls #
UFW (Ubuntu) #
man ufw |
Manual |
ufw status |
Status |
ufw enable |
Enable Firewall (the default incoming policy is deny: when working over SSH run "ufw allow ssh" first or the session is dropped) |
ufw disable |
Disable Firewall |
ufw reload |
Reload Firewall |
ufw reset |
Reset to default / rules are backed up |
Status & delte rules | |
ufw status verbose |
Status verbose |
ufw status numbered |
List IDs of rules (to delete) |
ufw delete ID |
Delte ufw entry |
ufw show added |
Check added rules before starting firewall |
Default | |
ufw default allow |
Default policy for incoming traffic: allow (add incoming/outgoing/routed to target a direction explicitly) |
ufw default deny |
Default policy for incoming traffic: deny (the safe default; then open only what is needed) |
Allow / Deny Examples | |
ufw deny portnumber |
Deny port |
ufw allow portnumber |
Allow tcp and udp to port, any address |
ufw allow portnumber/tcp |
Allow tcp to port, any address |
ufw allow 1050:5000/tcp |
Allow port range, tcp, any address |
IP examples | |
ufw deny from 203.0.113.100 |
Deny all ports, specific IP |
ufw allow from 192.168.30.150 |
Allow all ports, specific IP |
ufw allow from 192.168.30.150 to any port 137 proto udp |
Allow port, specific IP |
ufw allow from 192.168.30.0/24 |
Allow all ports for entire Subnet |
Firewalld (RHEL, SUSE) #
Tested on openSUSE 15.5
Start & Enable #
# Start / Stop firewalld
sudo systemctl start firewalld
sudo systemctl stop firewalld
# Enable / disable startup
sudo systemctl enable firewalld
sudo systemctl disable firewalld
Check Status #
# Systemd status
sudo systemctl status firewalld
# Status (Output: running / not running)
sudo firewall-cmd --state
Zones #
# List active / running zones
sudo firewall-cmd --get-active-zones
# List default zones
sudo firewall-cmd --get-default-zone
# List all available zones
sudo firewall-cmd --get-zones
# Set default zone (public)
sudo firewall-cmd --set-default-zone=public
Add Network Interface to Zone #
# Check network interface assignment
sudo firewall-cmd --get-active-zones
# Shell output:
docker # Zone name
interfaces: br-11ed3a51c756 docker0 br-aa67244c4dde
# Add network interface to zone (ens33)
sudo firewall-cmd --zone=public --add-interface=ens33 --permanent
# Apply changes
sudo firewall-cmd --reload
# Verify / check network interface assignment
sudo firewall-cmd --get-active-zones
# Shell output:
docker # Zone name
interfaces: br-11ed3a51c756 docker0 br-aa67244c4dde
public # Zone name
interfaces: ens33
Drop Zone #
This sets the “drop” zone as the default zone for firewalld, but it does not change the settings of other zones. The change applies to the runtime and permanent configuration at once and affects every interface that is not explicitly assigned to a zone - when working over SSH, make sure the interface you come in on is in a zone that allows ssh, or you lock yourself out.
# Block all incoming traffic by default
sudo firewall-cmd --set-default-zone=drop
# Apply changes
sudo firewall-cmd --reload
# Verify the settings
sudo firewall-cmd --get-default-zone
# Shell output:
drop
Services & Port Rules #
# List the firewall rules from a "public" zone
sudo firewall-cmd --list-all --zone=public
# List the firewall rules for the "docker" zone
sudo firewall-cmd --list-all --zone=docker
Open a service:
# Add a service to a zone: Temporarily (immediately affects the runtime configuration but lost after reboot)
sudo firewall-cmd --zone=public --add-service=ssh
# "apache2" is not a standard firewalld service definition: it exists on openSUSE (shipped with its apache2 package) but fails with INVALID_SERVICE elsewhere - use http/https below
sudo firewall-cmd --zone=public --add-service=apache2
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=https
# Add a service to a zone: Permanent
sudo firewall-cmd --zone=public --add-service=ssh --permanent
# Remove a service from a zone: Permanent
sudo firewall-cmd --zone=public --remove-service=apache2 --permanent
# Apply the changes
sudo firewall-cmd --reload
Open a port:
# Open a port: Temporarily
firewall-cmd --zone=public --add-port=80/tcp
firewall-cmd --zone=public --add-port=443/tcp
# Open a port: Permanently
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
# Close a port: Temporarily
firewall-cmd --zone=public --remove-port=80/tcp
firewall-cmd --zone=public --remove-port=443/tcp
# Close a port: Permanently
firewall-cmd --zone=public --remove-port=80/tcp --permanent
# Apply the changes
sudo firewall-cmd --reload
Block specific port:
# Block port with a rich rule
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" drop' --permanent
# Apply the changes
sudo firewall-cmd --reload
# Verify the rules
sudo firewall-cmd --zone=public --list-rich-rules
# Shell output:
rule family="ipv4" port port="80" protocol="tcp" drop
# Remove the rich rule
sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" port port="80" protocol="tcp" drop' --permanent
Save Rules & Reload
# Save all changes in the current runtime firewall rules to the permanent configuration
sudo firewall-cmd --runtime-to-permanent
# Save / Reload: Apply changes while keeping current connections intact (actives permanent configuration)
sudo firewall-cmd --reload
# Reload: Remove all runtime settings, including any active connections (remove temporary services and ports)
sudo firewall-cmd --complete-reload
Firewall Rules: Details #
# List the firewall rules for the "docker" zone (the output below is the docker zone; --zone=public would list the public zone)
sudo firewall-cmd --zone=docker --list-all
# shell output:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-11ed3a51c756 br-aa67244c4dde docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
-
target: ACCEPT
Default action for traffic not explicitly matched by any other rule in this zone (ACCEPT means everything not listed is allowed through - for an internet-facing zone the target should be default or DROP) -
interfaces
Network interfaces assigned to this zone -
forward: yes
This allows forwarding of traffic between different network interfaces in this zone -
masquerade: no
Masquerading would hide the machine’s IP address behind the firewall when making outgoing connections.
Firewall Rules: Examples #
Change the Target Policy to DROP
or REJECT
:
# To set the target to DROP (silently discards packets). Traffic for services/ports listed in the zone (ssh in the output below) is still accepted; check that ssh is present before reloading when working remotely.
sudo firewall-cmd --zone=public --set-target=DROP --permanent
# To set the target to REJECT (actively refuse the connection with an error message)
sudo firewall-cmd --zone=public --set-target=REJECT --permanent
Open only specific ports: (80 and 443)
# Allow port 80 & 443
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
Apply the changes:
# Apply the changes
sudo firewall-cmd --reload
# Verify the rules
sudo firewall-cmd --zone=public --list-all
# Shell output:
public (active)
target: DROP
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh
ports: 80/tcp 443/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
Explanation #
- Runtime: Changes are temporary & removed when the firewall restarts
- Permanent: Changes are stored in configuration files and only take effect after a reload
MySQL & MariaDB #
Install SQL Server #
- MySQL
# Install MySQL server
sudo apt install mysql-server -y
# Check status
sudo systemctl status mysql
# Error log
sudo tail /var/log/mysql/error.log
- MariaDB
# Install MariaDB server
sudo apt install mariadb-server -y
# Check status
sudo systemctl status mariadb
- Secure Installation
# Run secure installation script
sudo mysql_secure_installation
Install SQL Client #
- Debian / Ubuntu
# Install mysql client
sudo apt install mysql-client -y
- Alpine Linux
# Update package index
apk update
# Install mysql client
apk add mysql-client
# Check version
mysql --version
Connect to Server #
# Connect to server: Localhost, define user (prompt for pw)
mysql -u root -p
# Connect to server: Define IP, port & user (prompt for pw)
mysql -h IP -P 3306 -u root -p
# Connect to server: Define IP, port & user (provide pw on the command line; it is then visible in the process list and shell history)
mysql -h IP -P 3306 -u root -psqlpassword
# Close the connection
exit
# or
quit
Users #
# List all users
SELECT User, Host FROM mysql.user;
# Shell output:
+-------------+-----------+
| User | Host |
+-------------+-----------+
| root | % |
# List all hosts from which the specified user is allowed to connect
SELECT Host FROM mysql.user WHERE User='root';
# Shell output:
+------+
| Host |
+------+
| % |
+------+
# Create new user
CREATE USER 'newuser'@'%' IDENTIFIED by 'password';
# Grant all privileges on all tables in the database `dbname`
GRANT ALL PRIVILEGES ON dbname.* TO 'newuser'@'%';
# Change password
ALTER USER 'username'@'%' IDENTIFIED BY 'newpw';
Database & Tables #
# List databases
SHOW DATABASES;
# Switch to a specific database
USE database_name;
# List tables in the current database
SHOW TABLES;
# Create database
CREATE DATABASE database_name;
# Delete database
DROP DATABASE database_name;
Database Backup #
- Syntax
# SQLdump Syntax
mysqldump -h [server_ip] -P [port] -u [username] -p[password] [database_name] > [backup_file.sql]
- Example: Bookstack DB
# Create Backup: Provide PW on the command line (visible in the process list and shell history)
mysqldump -h 172.19.0.2 -P 3306 -u root -prootpw bookstackapp > bookstackapp_backup.sql
# Create Backup: Prompt for PW (Recommended)
mysqldump -h 172.19.0.2 -P 3306 -u root -p bookstackapp > bookstackapp_backup.sql
# Shell output:
-- Warning: column statistics not supported by the server.
Note: This warning relates to the column statistics feature, which is not supported by all versions of MySQL or MariaDB servers. It is a relatively new feature and mainly affects how the optimizer chooses query plans. The warning is typically not a concern for a standard database backup and can be safely ignored in most cases.
Restore Database #
Create Database #
# Log into the MySQL shell: Provide PW
mysql -h 172.19.0.2 -P 3306 -u root -prootpw
# Log into the MySQL shell: Prompts for PW (Recommended)
mysql -h 172.19.0.2 -P 3306 -u root -p
# Create database
CREATE DATABASE bookstackapp;
# Exit SQL client
EXIT;
Restore DB #
- Syntax
# Syntax
mysql -h [server_ip] -u [username] -p[password] [database_name] < [backup_file.sql]
- Example: Bookstack DB
# Restore database from backup: Provide PW
mysql -h 172.19.0.2 -u root -prootpw bookstackapp < bookstackapp_backup.sql
# Restore database from backup: Prompt for PW (Recommended)
mysql -h 172.19.0.2 -u root -p bookstackapp < bookstackapp_backup.sql
PostgreSQL #
Install SQL Server #
# Install PostgreSQL
sudo apt install postgresql -y
# Check status
sudo systemctl status postgresql
Install SQL Client #
# Update package index
sudo apt update
# Install PostgreSQL client
sudo apt install postgresql-client -y
Connect to Server #
Note: The default superuser for PostgreSQL is postgres, the default database is postgres.
# Connect to SQL server: Localhost, define user
psql -U postgres
# Connect to SQL server: Localhost, define user & db
psql -U postgres db_name
# Connect to SQL server, define IP, port, user & db: Prompt for PW
psql -h 172.18.0.2 -p 5432 -U postgres postgres
# Connect to SQL server, define IP, port, user & db: Provide PW via the PGPASSWORD environment variable (ends up in shell history; a ~/.pgpass file is the safer alternative)
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U postgres postgres
# Connect to SQL server: Dockerized, define user
docker exec -it -u postgres container-name psql
# Exit
\q
Users #
# List all users
\du
# Create new user
CREATE ROLE username WITH LOGIN PASSWORD 'password';
# Grant all available privileges on a database (which privileges can be granted depends on the permissions of the user running the command)
GRANT ALL PRIVILEGES ON DATABASE db-name TO user-name;
# Revoke all available privileges
REVOKE ALL PRIVILEGES ON DATABASE db-name FROM user-name;
# Delete user
DROP USER username;
Database & Tables #
# Help
\?
# List all databases
\l
# Connect / switch to database
\c db-name
# List all tables
\dt
# Create database
CREATE DATABASE database_name;
# Delete database
DROP DATABASE database_name;
# Delete database: Terminate all connections to the database (PostgreSQL 13 & later)
DROP DATABASE database_name WITH (FORCE);
Terminate DB Connections #
# Terminate all active connections to the specified database
SELECT pg_terminate_backend(pg_stat_activity.pid)
FROM pg_stat_activity
WHERE pg_stat_activity.datname = 'database-name'
AND pid <> pg_backend_pid();
Replace database-name with the actual name of the database.
Database Backup #
- Syntax
# Local Syntax
pg_dump -U [username] [database_name] > [outputfile.sql]
# Syntax: Define IP & Port
pg_dump -h [server_ip] -p [port] -U [username] [database_name] > [outputfile.sql]
- Example: Mattermost DB
# Create Backup: Provide PW
PGPASSWORD=postgres-pw pg_dump -h 172.18.0.2 -p 5432 -U mmuser mattermost > db-backup.sql
# Create Backup: Prompt for PW (Recommended)
pg_dump -h 172.18.0.2 -p 5432 -U mmuser mattermost > db-backup.sql
Custom Format #
- Syntax
# Syntax: Define IP & Port
pg_dump -h [server_ip] -p [port] -U [username] -F c [database_name] > [outputfile.dump]
- Example: Mattermost
# Create Backup: Prompt for PW
pg_dump -h 172.18.0.2 -p 5432 -U mmuser -F c mattermost > cf-db-backup.sql
- -F: Specifies the format of the output file
- c: Custom format, which allows features like partial restoration of specific database objects
Restore Database #
Create Database #
# Log into the PostgreSQL shell: Provide PW
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U mmuser postgres
# Log into the PostgreSQL shell: Prompt for PW (Recommended)
psql -h 172.18.0.2 -p 5432 -U mmuser postgres
# Create database
CREATE DATABASE mattermost;
# Exit
\q
Restore DB #
- Syntax
# Restore a database from a plain-text backup
psql -U [username] [database_name] < [backupfile.sql]
# Restore a database from a custom format backup
pg_restore -U [username] -d [database_name] [backupfile.dump]
- Example: Mattermost
# Restore Database: Provide PW
PGPASSWORD=postgres-pw psql -h 172.18.0.2 -p 5432 -U mmuser mattermost < db-backup.sql
# Restore Database: Prompt for PW (Recommended)
psql -h 172.18.0.2 -p 5432 -U mmuser mattermost < db-backup.sql
Custom Format #
- Syntax
# Restore a database from a custom format backup
pg_restore -U [username] -d [database_name] [backupfile.dump]
- Example: Mattermost
# Restore Database: Prompt for PW
pg_restore -h 172.18.0.2 -p 5432 -U mmuser -d mattermost < cf-db-backup.sql
SQL Commands #
# List all rows and columns from table
SELECT * FROM table-name;
# List all rows and specific columns from table
SELECT id, username, password FROM table-name;
# List all rows and specific columns from table: WHERE (specific value)
SELECT id, username, password FROM table-name WHERE username = 'user1';
# List all rows and specific columns from table: WHERE (wildcard)
SELECT id, username, password FROM table-name WHERE username LIKE 'user%';
# Update the value of `username` in table `table-name` for the row with id `2`
UPDATE table-name SET username='new-value' where id=2;
LAMP & LEMP #
LAMP Stack Packages #
# Install Apache, MySQL server, PHP
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql -y
- libapache2-mod-php: Allows Apache to interpret and execute PHP files
- php-mysql: Allows PHP to communicate with MySQL databases
LEMP Stack Packages #
# Install Nginx, MySQL server, PHP
sudo apt install nginx mysql-server php-fpm php-mysql -y
- php-fpm: FastCGI Process Manager; Nginx does not process PHP natively
- php-mysql: Allows PHP to communicate with MySQL databases
PHP #
# check php version
php -v
# Find php.ini path: Command line
php --ini | grep 'Loaded Configuration File'
# Shell output:
Loaded Configuration File: /etc/php/8.1/cli/php.ini
- php.ini paths
# php.ini path: Command line (Settings in this file are optimized for CLI usage)
sudo vi /etc/php/8.1/cli/php.ini
# php.ini path: Apache
sudo vi /etc/php/8.1/apache2/php.ini
LDAP & LDAPS #
Test Connection #
# Check if port is open and accepting connections
telnet 192.168.70.2 636
# Shell output:
Trying 192.168.70.2...
Connected to 192.168.70.2.
Escape character is '^]'.
# Check the TLS certificate presented by the Active Directory server
openssl s_client -connect win2022-1.jklug.local:636
# Install LDAP-Utils package
sudo apt install ldap-utils
# Test Connection: Verbose Output
ldapsearch -H ldaps://win2022-1.jklug.local:636 -D "CN=Administrator,OU=Users,DC=jklug,DC=local" -W -d1
Certificates #
Add Root Certificate #
# Convert certificate from .cer to .crt (assumes the .cer file is PEM-encoded; use -inform DER for a binary export)
openssl x509 -inform PEM -in jklug-WIN2022-1-CA.cer -out jklug-WIN2022-1-CA.crt
# Copy the .crt certificate into the ca-certificates directory
sudo cp *.crt /usr/share/ca-certificates
# Install / uninstall certificate: Start wizard
sudo dpkg-reconfigure ca-certificates
# Check that the certificate was installed
ls -la /etc/ssl/certs | grep jklug.local
Certificate Details #
# List certificate details: .crt, .cer, .pem
openssl x509 -text -noout -in jklug-WIN2022-1-CA.crt
# List certificate details: URL
echo | openssl s_client -connect jklug.work:443 | openssl x509 -noout -text
# List certificate expiration date
openssl x509 -enddate -noout -in jklug-WIN2022-1-CA.crt