Linux

    Secure

    1. Secure OpenSSH
    2. Configure Umask
    3. Auto security updates
    4. (optional) install and configure Fail2ban (if publicly exposed)

    OpenSSH

    • regenerate default keys
    • disable password authentication: PasswordAuthentication no. Be sure to add a key beforehand
    • change default port
    • AllowUsers user1 user2
    • restrict default ciphers
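
    An added example (not part of the original page): a POSIX sh audit of an sshd_config file against the checklist above. The function names and the sample configuration are constructed for illustration; on a live host, sshd -T prints the effective configuration, Include files included.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the checklist above.
# Assumptions: whitespace-separated "Keyword value" lines, no Include files.

# values FILE KEYWORD [all]: print the value(s) of KEYWORD in global scope.
# sshd keeps the first value it reads for most keywords; Port may repeat.
values() {
    awk -v key="$2" -v mode="${3:-first}" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # global scope ends at first Match
        tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, ""); print
            if (mode == "first") exit
        }' "$1"
}

# audit_sshd FILE: print one FAIL line per finding; exit status = finding count.
audit_sshd() {
    cfg=$1; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    v=$(values "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    # the OpenSSH default is "yes", so a missing line is a finding too
    [ "$v" = "no" ] || fail "PasswordAuthentication is '${v:-unset, default yes}'"
    ports=$(values "$cfg" Port all)
    { [ -n "$ports" ] && ! printf '%s\n' "$ports" | grep -qx 22; } ||
        fail "sshd listens on the default port 22"

    [ -n "$(values "$cfg" AllowUsers)" ] || fail "AllowUsers is not set"
    [ -n "$(values "$cfg" Ciphers)" ] || fail "Ciphers is not set (defaults in use)"
    return "$fails"
}

# Constructed sample: the second PasswordAuthentication line is ignored by sshd.
sample_config() {
    cat <<'EOF'
# constructed sshd_config, not from a real host
Port 2222
PasswordAuthentication yes
passwordauthentication no
Match User backup
    AllowUsers backup
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

    The sample reports three findings: the first PasswordAuthentication line wins, and an AllowUsers inside a Match block does not restrict logins globally.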

    Umask

    Configure default mask to 027

    /etc/login.defs:

    UMASK 027
    

    Distribution information (version)

    lsb_release -a

    If lsb_release is not available, especially in VMs/containers, you can check: cat /etc/issue or cat /proc/version

    Hardware information

    dmidecode # show all
    dmidecode -t 2 # Motherboard
    dmidecode -t 4 # CPU
    dmidecode -t 17 # Memory
    

    Looking for a command

    To find its path: whereis CMD

    To find a command with a keyword: apropos CMD

    Brief information about a command: whatis CMD

    Check if a program is installed (POSIX): command -v CMD

    Manually change a password

    (recommended) Mounted volume or Linux filesystem

    Use chroot /mnt/path if it's a mounted Linux volume. Then just run passwd <user>, and exit

    Hard way

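    Otherwise, edit /etc/shadow directly, generating the password hash with one of the following commands:

    # mkpasswd (reads the password from stdin)
    mkpasswd --method=SHA-512 --stdin
    
    # or with openssl (-6 selects SHA-512 crypt; omit the password argument to be prompted for it)
    openssl passwd -6 -salt xyz yourpass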
    

    source

    Command line

    overall-view

    Signals

    List Linux signals (SIGKILL, SIGTERM) and their corresponding numbers

    man 7 signal
    

    Erase all data on a device

    Overwrite the device with random data over multiple passes

    shred /dev/sdX
    

    If you do not have confidential data and it is not a hard drive, dd could be enough:

    dd if=/dev/zero of=/dev/sdX status=progress
    

    Note: erasing data on an SSD is a different process (source)

    Signal names and numbers (see Signals above): kill -l

    Check IO with devices

    iostat -x 1

    Note: iostat is provided by the sysstat package (source)

    Burn DVD ISO

    First find device: wodim --devices

    Then, two ways to do it:

    • wodim -v dev=/dev/DEVICE speed=10 -eject FILE.ISO
    • growisofs -dvd-compat -Z /dev/DEVICE=FILE.ISO

    Notes:

    • Sometimes writing directly to the device does not work; in that case use an alternative device name such as /dev/dvdrw so the drive is recognized.
    • In graphical mode you can use K3B

    Create specified size file

    dd if=/dev/zero of=output_file bs=1000 count=10
    

    Creates a file of 10 blocks of 1000 bytes, equivalent to 10 kB.

    Broken sudoers file

    pkexec visudo

    Date of file

    stat -c %y file.txt # %y = time of last modification; returns something like: 2004-02-20 14:10:37.000000000 -0500
    

    Note: %y for the year

    Check Battery

    upower -e
    #/org/freedesktop/UPower/devices/line_power_AC # result
    #/org/freedesktop/UPower/devices/battery_BAT0 # result
    #/org/freedesktop/UPower/devices/battery_BAT1 # result
    upower -i /org/freedesktop/UPower/devices/battery_BAT1 # check second battery
    

    Printers

    List installed printers

    lpstat -p | awk '{print $2}'
    

    To get the associated IP: lpoptions -p 'PRINTER_NAME' | awk '{for (i=1; i<=NF; i++) {if ($i ~ /device-uri/) {print $i}}}'

    Tips

    Intercept system calls and signals (interruptions)

    See strace

    Articles, tutorials