SECURITY WARNING–EXTREMELY IMPORTANT PART OF LINUX CULTURE


As a general rule, we should not log into the terminal or console directly as “root.” The more secure way to do it is to log in as “thrasher” or “moleski” or some other username created the same way these two were.

To act as root (which is often necessary and very helpful), type su - and press enter. The computer will then ask you for the SuperUser (root) password:

$ su -
Enter password:

After you enter the correct root password, the last character in the command prompt will change from $ (ordinary user) to # (superuser). It's a small reminder that the commands you give when logged in as root can totally destroy the entire system.

handy linux commands

These commands are all meant to be used in the linux terminal (also known as the Console if you're using Slicehost).

Each line in this section is a single linux command.

linux commands are (sigh) case-sensitive. Or Case-SensiTive, if you prefer. :o(

command interpretaton
cat conf.d | more display contents of a file
cat /etc/passwd list all users on the system
cat /etc/passwd | cut -d: -f1 another method to show all users
cat /etc/group |cut -d: -f1 and show all groups
chmod 775 somefile change the permissions on one file
chmod 774 somefolder change permissions on a folder
chmod -R 644 somefolder change permissions on everything in a folder
chown owner.group somefile change ownership of a file
chown -R mysql.mysql /var/run/mysqld change ownership of a folder
chown -R mysql.mysql /var/lib/mysql
cp -a copy all files and folders?
cp -rf * destination-dir force copy of all files and directories to destination
cp -R dirtocopy/ newdir/ copy full directory
capital R is no different from “r”
cp -R dokuwiki/* test/ seemed to do what I wanted it to do
df -h view disk space
find / -perm 0777
find / -type f -perm 0777
find 777 files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -printfind directories with sticky bit set
ifconfig find out about IP address, etc.
grep Usually used as part of a command.
grep "(g)ets (re)gular ex(p)ressions.
It searches a text file and only returns
lines that match the pattern given.
Regular expressions are ridiculously powerful.
history
history -c
  • use up/down arrows to get back history lines
  • edit a line with home, end, DEL, BS
  • press enter when you think you've got it right
  • find out how to mark, copy, and paste to and
  • from command lines. It saves a world of hurt!
httpd The basic command that controls the Apache web (page) server.
ls -l list files with ownership and permissions shown
lsmod | less See what modules are loaded and active.
netstat look at ports
netstat -ln | grep mysql find the mysql socket
netstat -tap
netstat -an
netstat -an | grep LISTEN
netstat -lutwn will show all the listening internet ports.
nmap localhost another way of looking at the open ports.
printenv show environment variables
ps aux find out what processes are active
ps -ef same as ps aux
ps -ef | grep apache find out what apache processes are running
rm -rf somedirectory remove a directory and all its contents
rpm -qa | grep httpd find out what version of apache is installed
rpm -qa ask what packages are installed on the system; same as yum list installed
shutdown -r now reboots the computer NOW! reboot also works.
SIGHUP some kind of kill/restart signal …
su - log in as root user with root's environment loaded
uname -a show all system information–version of linux
uname -r show just the kernel ID
updatedb update database used by locate
yum tool to install, remove, reconfigure programs
yum list installed tells what yum has installed on the system
yum update updates all yum-managed packages
yum install httpd “Dear Yum, please install the Apache web server for us.”
“A rose by any other name …”
hostname
hostname –fqdn give fully qualified domain name
hostname show or set the system's host name
domainname show or set the system's NIS/YP domain name
dnsdomainname show the system's DNS domain name
nisdomainname show or set system's NIS/YP domain name
ypdomainname show or set the system's NIS/YP domain name

User management

adding ssh/sftp users

useradd -D
useradd -c "Firstname Lastname" -g apache username
useradd -c "Firstname Lastname" 

passwd username	# set password for username

cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4

Add users to a group

usermod -G username newgroup

Add tony to a secondary group, ftp.

usermod -a -G ftp tony

Change tony's primary group to www:

usermod -g www tony

Removing a user

userdel -r username

Finding files by user

find /var/www/html -user username

Show all users/groups

cat /etc/passwd |cut -d: -f1 | sort
cat /etc/group |cut -d: -f1 | sort

special users

No login, no home directory.

groupadd mailman
useradd -M -d /nohome -s /bin/false  -g mailman -c 'GNU Mailman' mailman
useradd -M -d /nohome -s /bin/false -c 'Dovecot user' dovecot

File management

Finding files by name

find / -name 'mypage.htm'
find / -name 'sess_*'
find / -name 'phpqmLDf7'
find /var/www/html -name '*bak'
find / -name up2*

Process management

Kill a process

1. ps aux | grep processname

	result: pidof processname

OR use "pidof processname"

"pidof" means "process ID of ..."

2. "kill processID#"

If the pidof is 2874, then:

	kill 2874

	kill -9 2874  # a more effective kill?

CHKCONFIG -- set things to be run on bootup

chkconfig --list			# find out what runs at various levels
chkconfig httpd --add	# put some new line in for httpd (Apache)
chkconfig --level 2345 httpd on		# run Apache at levels 2345

RPCbind

Maps the name of a service to a port number. Old, strange. Works on port 111.

rpcbind

rpcinfo

Edit text

The @#$%*&! vi editor

Start vi by giving it the name of a file that you intend to damage beyond repair.

vi /etc/system/most_important_system_file.conf

vi will then display the contents of the file.

Navigate with arrow keys. Then press i or a to insert or append at that spot.

i: insert at cursor

a: append at cursor

When you're done making a total hash out of the contents of the file, it's time to go back to command mode.

^[ means “press the escape key first, child”

^[ gets vi into command mode

^[ZZ # exit and write

^[:q! # exit and don't write

nano editor

To edit a file: nano filename

Look at the bottom of the screen. Read carefully. Obey instructions. Fare well!

end of line problems

Text file formats


End-of-line markers differ from system to system:

  Mac: $0D
linux: $0A
  DOS: $0D $0A

http://www.websiterepairguy.com/articles/os/crlf.html

tar files

tar -jxvf filename.tar.bz2 # BZ2 extract all folders and files
tar xvfz filename.tar.gz
tar xvfz filename.tgz
tar xvf filename.tar

Stop/Restart Terminal

  • CTRL-S stops all interaction with the terminal.
  • CTRL-Q (theoretically) restarts it.

CTRL-S in other contexts means “save”. When working in the linux shell, it means “screw up the poor luser who forgot where he was and what he was doing.”

Sticky bits

Linux permissions.

  • uid = user id
  • gid = group id
Generic Effect on files Effect on directories
0setuid, setgid, sticky bits are cleared
1sticky bit is setprotects against deletion of file
2setgid bit is setinherits rights of group on execution newly created files belong to group
3setgid and sticky bits are setinherits rights of groupnewly created files belong to group
4setuid bit is setinherits rights of user
5setuid and sticky bits are set
6setuid and setgid bits are setinherits rights of user and group newly created files belong to group
7setuid, setgid, sticky bits are setall effectsnewly created files belong to group


For example: chmod 7711 something-or-other

.htaccess

Create a password associated with somename for use with .htaccess:

htpasswd -c .htpasswd somename

port 5353

Test whether the port is open:

nmap -p 5353 -sU -P0 tighar.org

Drop ALL udp services:

iptables -A OUTPUT -s 173.45.236.139 -p udp -j DROP

To remove zeroconf, I added this line to /etc/sysconfig/network:

NOZEROCONF=yes

No joy. I used “yum remove avahi” to get rid of zeroconf altogether. It seems to have worked with no ill side effects.

Disable ICMP requests

The first line alone did not do it. Ping still worked. When I added the second line, I got the desired effect (I guess).

iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP

Enabling ICMP requests

-A INPUT -p icmp -m state --state NEW -j DROP 
-A INPUT -p icmp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p icmp -j DROP 
-A OUTPUT -p icmp -j DROP 

backup file extensions

.1
bak
copy
old
tmp
~1~
~

Protect a directory

"Password Protect Folder / Directory ...":

"Authentication, Authorization and Access Control"

Step 1 - Create .htaccess file in folder you want to protect, copy the code and paste the code below, and then set server path to the file

AuthUserFile /path/to/.htpasswd
AuthName "Restricted Area"
AuthType Basic
Require valid-user


Step 2 - Open Terminal, go to the directory you want to protect, and enter the following (changing the username to whatever you want). Enter the password upon prompting.

htpasswd -c .htpasswd username

APC cache

  • I had to use the beta version of APC in order to get it to work with PHP 5.3.
  • Specifying the location of the module helped. It wouldn't load otherwise:
;Add APC cache
extension=/opt/php5/include/php/ext/apc/apc.so
apc.enabled=1
apc.shm_size = 48
 
tighar/console.txt · Last modified: 2017/07/13 20:33 (external edit)
 
Recent changes RSS feed Creative Commons License Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki