**SECURITY WARNING--EXTREMELY IMPORTANT PART OF LINUX CULTURE**

----

As a general rule, we should not log into the terminal or console directly as "root." The more secure way to do it is to log in as "thrasher" or "moleski" or some other username created the same way these two were. To act as root (which is often necessary and very helpful), type ''su -'' and press Enter. The computer will then ask you for the SuperUser (root) password:

  $ su -
  Enter password:

After you enter the correct root password, the last character in the command prompt will change from **$** (ordinary user) to **#** (superuser). It's a small reminder that the commands you give when logged in as root can totally destroy the entire system.

====== handy linux commands ======

These commands are all meant to be used in the linux terminal (also known as the Console if you're using Slicehost). Each line in this section is a single linux command.

linux commands are (sigh) case-sensitive. Or %%Case-SensiTive%%, if you prefer. :o(

^ command ^ interpretation ^
|cat conf.d %%|%% more| display contents of a file|
|cat /etc/passwd| list all users on the system|
|cat /etc/passwd %%|%% cut -d: -f1| another method to show all users|
|cat /etc/group %%|%% cut -d: -f1 | and show all groups|
^ ^ ^
|chmod 775 somefile| change the permissions on one file|
|chmod 774 somefolder | change permissions on a folder|
|chmod -R 644 somefolder | change permissions on everything in a folder|
^ ^ ^
|chown owner.group somefile | change ownership of a file|
|chown -R mysql.mysql /var/run/mysqld| change ownership of a folder|
|chown -R mysql.mysql /var/lib/mysql| |
^ ^ ^
|cp -a |copy all files and folders?|
|cp -rf * destination-dir |force copy of all files and directories to destination|
|cp -R dirtocopy/ newdir/ |copy full directory\\ capital R is no different from "r"|
|cp -R dokuwiki/* test/ |seemed to do what I wanted it to do|
^ ^ ^
|df -h| view disk space|
^ ^ ^
|find / -perm 0777\\ find / -type f -perm 0777|find 777 files|
|find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print|find directories with sticky bit set|
^ ^ ^
|ifconfig | find out about IP address, etc.|
^ ^ ^
|grep | Usually used as part of a command.\\ grep "(g)ets (re)gular ex(p)ressions."\\ It searches a text file and only returns\\ lines that match the pattern given.\\ Regular expressions are ridiculously powerful.|
^ ^ ^
|history| |
|history -c| |
^ ^ ^
|httpd| The basic command that controls the Apache web (page) server.|
^ ^ ^
|ls -l| list files with ownership and permissions shown|
|lsmod %%|%% less| See what modules are loaded and active.|
^ ^ ^
|netstat| look at ports|
|netstat -ln %%|%% grep mysql | find the mysql socket|
|netstat -tap| |
|netstat -an| |
|netstat -an %%|%% grep LISTEN| |
|netstat -lutwn | will show all the listening internet ports.|
^ ^ ^
|nmap localhost| another way of looking at the open ports.|
^ ^ ^
|printenv | show environment variables|
^ ^ ^
|ps aux | find out what processes are active|
|ps -ef | same as ps aux|
|ps -ef %%|%% grep apache | find out what apache processes are running|
^ ^ ^
|rm -rf somedirectory| remove a directory and all its contents|
|rpm -qa %%|%% grep httpd | find out what version of apache is installed|
|rpm -qa |ask what packages are installed on the system; same as ''yum list installed''|
^ ^ ^
|shutdown -r now | reboots the computer NOW! ''reboot'' also works.|
|SIGHUP | some kind of kill/restart signal ...|
|su -| log in as root user with root's environment loaded|
^ ^ ^
|uname -a| show all system information--version of linux|
|uname -r| show just the kernel ID|
^ ^ ^
|updatedb | update database used by locate|
^ ^ ^
|yum| tool to install, remove, reconfigure programs|
|yum list installed | tells what yum has installed on the system|
|yum update| updates all yum-managed packages|
|yum install httpd| "Dear Yum, please install the Apache web server for us."|
^ ^ ^
^ ^ "A rose by any other name ..." ^
|hostname| |
|hostname --fqdn | give fully qualified domain name|
|hostname | show or set the system's host name|
|domainname | show or set the system's NIS/YP domain name|
|dnsdomainname | show the system's DNS domain name|
|nisdomainname | show or set system's NIS/YP domain name|
|ypdomainname | show or set the system's NIS/YP domain name|

====== User management ======

===== adding ssh/sftp users =====

  useradd -D                                          # show the defaults used for new accounts
  useradd -c "Firstname Lastname" -g apache username  # create user with primary group apache
  useradd -c "Firstname Lastname" username            # create user with the default group
  passwd username                                     # set password for username
  cat /dev/urandom| tr -dc 'a-zA-Z0-9' | fold -w 10| head -n 4   # four random 10-character passwords

===== Add users to a group =====

  * [[http://www.cyberciti.biz/faq/howto-linux-add-user-to-group/|How to add users to groups]]

  usermod -G newgroup username   # without -a this replaces the user's existing secondary groups

Add tony to a secondary group, ftp.

  usermod -a -G ftp tony

Change tony's primary group to www:

  usermod -g www tony

===== Removing a user =====

  userdel -r username

===== Finding files by user =====

  find /var/www/html -user username

===== Show all users/groups =====

  cat /etc/passwd |cut -d: -f1 | sort
  cat /etc/group |cut -d: -f1 | sort

===== special users =====

No login, no home directory.

  groupadd mailman
  useradd -M -d /nohome -s /bin/false -g mailman -c 'GNU Mailman' mailman
  useradd -M -d /nohome -s /bin/false -c 'Dovecot user' dovecot

====== File management ======

===== Finding files by name =====

  find / -name 'mypage.htm'
  find / -name 'sess_*'
  find / -name 'phpqmLDf7'
  find /var/www/html -name '*bak'
  find / -name 'up2*'

====== Process management ======

===== Kill a process =====

1. Find the process ID:

  ps aux | grep processname

Result: the process ID of processname. OR use "pidof processname"; "pidof" means "process ID of ..."

  pidof processname

2. "kill processID#". If the pidof is 2874, then:

  kill 2874
  kill -9 2874 # a more effective kill?
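The two kill commands above, combined into one function: try plain ''kill'' (SIGTERM) first and fall back to ''kill -9'' (SIGKILL) only if the process is still there after a grace period. This is an added example, not part of the original notes; ''is_running'', ''stop_pid'' and the 5-second default are assumptions, and the liveness check reads Linux's /proc.

```shell
#!/bin/sh
# Added example, not from the original page.
# is_running and stop_pid are hypothetical helper names; Linux /proc is assumed.

# True if PID exists and is not a zombie (a zombie has already exited and is
# only waiting to be reaped by its parent, so there is nothing left to kill).
is_running() {
    state=$(sed -n 's/^State:[[:space:]]*\(.\).*/\1/p' "/proc/$1/status" 2>/dev/null)
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# stop_pid PID [GRACE_SECONDS]
# Prints "terminated" if SIGTERM was enough, "killed" if SIGKILL was needed.
stop_pid() {
    pid=$1
    grace=${2:-5}
    waited=0

    is_running "$pid" || { echo "not running"; return 1; }

    # Plain "kill PID" sends SIGTERM: the program may catch it, flush its
    # files, remove its lock/PID files and exit cleanly.
    kill -TERM "$pid" 2>/dev/null || true

    while is_running "$pid"; do
        if [ "$waited" -ge "$grace" ]; then
            # "kill -9 PID" sends SIGKILL: it cannot be caught or ignored,
            # so the program gets no chance to clean up. Last resort only.
            kill -KILL "$pid" 2>/dev/null || true
            echo "killed"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "terminated"
}
```

Usage: ''stop_pid 2874'' or ''stop_pid 2874 10'' for a 10-second grace period.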
===== CHKCONFIG -- set things to be run on bootup =====

  chkconfig --list                  # find out what runs at various levels
  chkconfig httpd --add             # put some new line in for httpd (Apache)
  chkconfig --level 2345 httpd on   # run Apache at levels 2345

===== RPCbind =====

Maps the [[http://www.eits.uga.edu/wsg/sun/security/rpcbind.html|name of a service]] to a port number. Old, strange. Works on port 111.

  rpcbind
  rpcinfo

====== Edit text ======

===== The @#$%*&! vi editor =====

Start vi by giving it the name of a file that you intend to damage beyond repair.

  vi /etc/system/most_important_system_file.conf

vi will then display the contents of the file. Navigate with arrow keys. Then press //i// or //a// to insert or append at that spot.

  i: insert at cursor
  a: append at cursor

When you're done making a total hash out of the contents of the file, it's time to go back to command mode.

**^[** means "press the escape key first, child"

  * **^[** gets vi into command mode
  * **^[ZZ** # exit and write
  * **^[:q!** # exit and don't write

===== nano editor =====

To edit a file: ''nano filename''

Look at the bottom of the screen. Read carefully. Obey instructions. Fare well!

===== end of line problems =====

  Text file formats
  -----------------
  End-of-line markers differ from system to system:
  Mac:   $0D
  linux: $0A
  DOS:   $0D $0A

[[http://www.websiterepairguy.com/articles/os/crlf.html]]

====== tar files ======

  tar -jxvf filename.tar.bz2 # BZ2 extract all folders and files
  tar xvfz filename.tar.gz
  tar xvfz filename.tgz
  tar xvf filename.tar

====== Stop/Restart Terminal ======

  * CTRL-S stops all interaction with the terminal.
  * CTRL-Q (theoretically) restarts it.

CTRL-S in other contexts means "save". When working in the linux shell, it means "screw up the poor luser who forgot where he was and what he was doing."
====== Sticky bits ======

[[http://www.zzee.com/solutions/linux-permissions.shtml|Linux permissions.]]

  * uid = user id
  * gid = group id

^ ^ Generic ^ Effect on files ^ Effect on directories ^
|0|setuid, setgid, sticky bits are cleared| | |
|1|sticky bit is set|protects against deletion of file | |
|2|setgid bit is set|inherits rights of group on execution |newly created files belong to group|
|3|setgid and sticky bits are set|inherits rights of group|newly created files belong to group |
|4|setuid bit is set|inherits rights of user| |
|5|setuid and sticky bits are set| | |
|6|setuid and setgid bits are set|inherits rights of user and group |newly created files belong to group |
|7|setuid, setgid, sticky bits are set|all effects|newly created files belong to group |

For example: ''chmod 7711 something-or-other''

====== .htaccess ======

Create a password associated with somename for use with .htaccess:

  htpasswd -c .htpasswd somename   # -c creates the file and overwrites an existing .htpasswd

====== port 5353 ======

Test whether the port is open:

  nmap -p 5353 -sU -P0 tighar.org

Drop **ALL** udp services:

  iptables -A OUTPUT -s 173.45.236.139 -p udp -j DROP

To remove zeroconf, I added this line to /etc/sysconfig/network:

  NOZEROCONF=yes

No joy. I used "yum remove avahi" to get rid of zeroconf altogether. It seems to have worked with no ill side effects.

====== Disable ICMP requests ======

The first line alone did not do it. Ping still worked. When I added the second line, I got the desired effect (I guess).
  iptables -A INPUT -p icmp -j DROP
  iptables -A OUTPUT -p icmp -j DROP

===== Enabling ICMP requests =====

  -A INPUT -p icmp -m state --state NEW -j DROP
  -A INPUT -p icmp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
  -A INPUT -p icmp -j DROP
  -A OUTPUT -p icmp -j DROP

====== backup file extensions ======

  .1
  bak
  copy
  old
  tmp
  ~1~
  ~

====== Protect a directory ======

[[http://snipplr.com/view.php?codeview&id=3791|"Password Protect Folder / Directory ..."]]: [[http://httpd.apache.org/docs/2.0/howto/auth.html|"Authentication, Authorization and Access Control"]]

Step 1 - Create a .htaccess file in the folder you want to protect, paste in the code below, and then set the server path to the .htpasswd file.

  AuthUserFile /path/to/.htpasswd
  AuthName "Restricted Area"
  AuthType Basic
  Require valid-user

Step 2 - Open Terminal, go to the directory you want to protect, and enter the following (changing the username to whatever you want). Enter the password upon prompting.

  htpasswd -c .htpasswd username

====== APC cache ======

  * [[http://2bits.com/articles/installing-php-apc-gnulinux-centos-5.html#comment-1025|Answer 'yes' for apxs question.]] 'y' doesn't work.
  * I had to use the beta version of APC in order to get it to work with PHP 5.3.
  * Specifying the location of the module helped. It wouldn't load otherwise:

  ;Add APC cache
  extension=/opt/php5/include/php/ext/apc/apc.so
  apc.enabled=1
  apc.shm_size = 48
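Back to the ''find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \)'' row of the command table and the Sticky bits section: that predicate selects directories that are world-writable and do not have the sticky bit, which is the combination worth auditing for. The script below is an added example, not part of the original notes; it runs the same predicate on a constructed directory tree (all function names are hypothetical) and then adds the sticky bit to whatever it finds.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# List directories under $1 that any user can write to (-perm -0002 = o+w)
# and that do NOT have the sticky bit (! -perm -1000). In such a directory
# any account can delete or rename files that belong to someone else.
world_writable_no_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | sort
}

# Build a constructed sample tree with one directory per case; prints its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/private" "$root/shared_unsafe" "$root/shared_sticky" "$root/team"
    chmod 0755 "$root/private"        # not world-writable          -> not listed
    chmod 0777 "$root/shared_unsafe"  # o+w, no sticky bit          -> listed
    chmod 1777 "$root/shared_sticky"  # o+w with sticky, like /tmp  -> not listed
    chmod 2775 "$root/team"           # setgid, group-writable only -> not listed
    echo "$root"
}

# Remediate every finding by adding the sticky bit, leaving other bits as-is.
add_sticky_to_findings() {
    world_writable_no_sticky "$1" | while IFS= read -r dir; do
        chmod +t "$dir"
    done
}
```

On a real system, review the output of ''world_writable_no_sticky /'' before changing anything; some directories may need their write permission removed rather than a sticky bit added.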