Linux
Table of contents
- Setup
- Tips & Tricks
- Security
- Recover
- KVM - Virtual Machines
Please note: I mainly use Ubuntu Server, so your mileage may vary with other distros.
Setup
- On a laptop: disable standby on lid close: in /etc/systemd/logind.conf, uncomment and change HandleLidSwitch=ignore
Setup SSH
- Config lives in /etc/ssh/sshd_config
- Deny root from logging in
PermitRootLogin no
- Only allow toto to log in
AllowUsers toto
- Restart the service
sudo systemctl restart ssh
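The two sshd_config settings above, as an added example that is not part of the original notes: a POSIX shell helper that sets a keyword idempotently (rewriting the commented default instead of appending a duplicate, since sshd applies the first occurrence of a keyword) plus a wrapper that validates the file with sshd -t before restarting. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes). set_sshd_option FILE KEY VALUE:
# rewrite the first "KEY ..." or "#KEY ..." line as "KEY VALUE", or append it.
# sshd applies the first occurrence of a keyword, so a leftover commented or
# duplicate line must not be left to shadow the intended value.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[# \t]*" key "([ \t]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective (first uncommented) value.
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd FILE USER: the two settings from the notes above.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
}

# apply_sshd_config FILE: sshd -t rejects a broken config before the restart,
# so a typo cannot lock you out of the box. Needs root and a real sshd.
apply_sshd_config() {
    sudo sshd -t -f "$1" && sudo systemctl restart ssh
}

# Usage on a live host:
#   harden_sshd /etc/ssh/sshd_config toto && apply_sshd_config /etc/ssh/sshd_config
```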
Connect to SSH via Cloudflare Tunnel
- In the Cloudflare Zero Trust dashboard
  - Set up an Access Application with an associated access rule
  - Set up an SSH Tunnel to the Linux server
- On the target client
  - Grab the latest release of cloudflared
  - Set up a local proxy connected to your hostname
cloudflared-windows-amd64.exe access ssh --hostname example.com --url localhost:1234
  - Connect with your favorite SSH client to USER@localhost:1234
Install Firewall
- A good tutorial here
- Install
sudo apt install ufw
- Configuration
  - Check status & list configuration
sudo ufw status
  - Set default incoming to deny, and default outgoing to allow, for instance
ufw default deny incoming
ufw default allow outgoing
  - Allow a port
sudo ufw allow PORT
  - Remove an allowance
sudo ufw delete allow PORT
  or, using the rule number from the numbered status
sudo ufw delete RULE_NUMBER
  - Rate limit a port (>6 connections within 30 sec)
sudo ufw limit PORT
  - PORT can be replaced with a known app like SSH or a specific protocol like PORT/tcp
- Enable
sudo ufw enable
  - On alpine
rc-update add ufw default
- Verify
  - Check added rules
sudo ufw show added
  - Check existing rules with numbers
sudo ufw status numbered
Install FTP server
sudo apt install vsftpd
- Edit configuration
sudo nano /etc/vsftpd.conf
- Open the port and restart the service
sudo ufw allow 21
sudo systemctl restart vsftpd
Cron - Job scheduler
- Edit cron of a user (-u to edit a specific user)
sudo crontab -e -u USER
- Check if the cron expression is correct: crontab guru
- Useful commands:
@reboot COMMAND
Cockpit - Remote administration of server
sudo apt-get install cockpit
and with cockpit-machines for KVM, cockpit-docker for Docker
sudo ufw allow 9090
sudo systemctl restart cockpit.socket
- If you cannot update packages, network manager may be in use; check with nmcli d
sudo systemctl disable network-manager.service
sudo systemctl stop network-manager.service
Advanced configuration
- See this guide to change the port. Create file and directory if needed.
- Configuration file is /etc/cockpit/cockpit.conf, not created by default - see reference
- Setup with Cloudflare Tunnel - Based on this blog post.
  - Setup a Let’s Encrypt certificate below
  - Setup a copy script - See example in Nextcloud
#!/bin/sh
# Copy the renewed Let's Encrypt certificate into Cockpit's certificate directory
set -e   # stop before restarting Cockpit if a copy or chown fails
FQDN="DOMAIN.COM"
echo "SSL certificates renewed"
cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/cockpit/ws-certs.d/$FQDN.crt
cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/cockpit/ws-certs.d/$FQDN.key
chown cockpit-ws:cockpit-ws /etc/cockpit/ws-certs.d/$FQDN.crt /etc/cockpit/ws-certs.d/$FQDN.key
echo "Restarting Cockpit"
systemctl restart cockpit
  - Setup /etc/cockpit/cockpit.conf
[WebService]
Origins = https://URL:PORT
#ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = false
[Session]
IdleTimeout = 10
- Setup Cloudflare Tunnel and Access
Install on VirtualBox
- Install the gcc make perl packages
- Install Guest addition
- Disable animations
gsettings set org.gnome.desktop.interface enable-animations false
- Allow user to access Shared Folder
sudo adduser $USER vboxsf
Tips & Tricks
- Date & Time
  - Check
timedatectl
  - Set the timezone
sudo timedatectl set-timezone TZ
Command-line kung-fu
- less to redirect output to a pager
- watch to run a command regularly and watch its output
- | grep x to pipe to grep, which selects the lines containing x
- clear to clear the command line
- Check this Ars introduction about redirection, grep, sed, awk.
Screen Terminal Multiplexer
- Start
screen
- List session IDs
screen -ls
- In a session - Hotkey CTRL+A then:
  - d: Detach
  - [: Copy mode
    - Page-Up to scroll up, Page-Down to scroll down
    - Space to start selection and Space again to stop it
  - ]: Paste mode
  - :sessionname <Your_session_name>: Rename
- Detach
screen -d session_ID
- Reattach
screen -r session_ID
Vi Text Editor
- Command mode: ESC, then all commands start with :
  - :w : save
  - :x : save and quit
  - :q : quit
  - :q! : quit and discard changes
- Text insert
  - i : insert before cursor
  - a : append after cursor
- Text delete
  - x : delete character to the right of the cursor
  - X : delete character to the left of the cursor
CPU & Processes
- Check system stats: htop for processes, nmon for the whole system
- Health
  - Check CPU frequency
cat /proc/cpuinfo
  - System information
dmidecode
Services with systemctl
- Service management
sudo systemctl restart SERVICE
sudo systemctl start SERVICE
sudo systemctl stop SERVICE
sudo systemctl kill SERVICE
- Service enable/disable
sudo systemctl enable SERVICE
sudo systemctl disable SERVICE
sudo systemctl is-enabled SERVICE
- Services mask/unmask
sudo systemctl unmask SERVICE
sudo systemctl mask SERVICE
- Service status
sudo systemctl list-timers
sudo systemctl status SERVICE
Disk & Data
- Check free disk space
df -h
- Tree of files & folders with the space taken
ncdu
- Check for partition corruption (run on an unmounted partition)
fsck /dev/sdaXX00
- Stop a disk
  - Unmount
sudo umount /dev/sdXX
  - Spin down
sudo hdparm -Y /dev/sdXX
- Erase a disk
sudo dd if=/dev/urandom of=/dev/sdXX bs=10M
- Source
View SMART disk data
- Install smartmontools
- View SMART data & status
sudo smartctl -i /dev/sdXX
- Find estimate & current SMART test
sudo smartctl -c /dev/sdXX
- Launch a test:
sudo smartctl -t short /dev/sdXX
  - Possible options instead of short: long, conveyance (after transport) for ATA disks
  - If the HDD goes to sleep (especially true for USB ones), keep it awake while the test runs with the following:
while true; do dd if=/dev/sdXX iflag=direct count=1 of=/dev/null; sleep 60; done
- Read the result
sudo smartctl -l selftest /dev/sdXX
Test read/write speed
- Write 256 MB to tempfile
sync; dd if=/dev/zero of=tempfile bs=1M count=256; sync
- Clear the cache
sudo /sbin/sysctl -w vm.drop_caches=3
- Read tempfile
dd if=tempfile of=/dev/null bs=1M count=256
Format & mount a USB stick
- Several options to see devices
  - Locate block devices
sudo blkid
  - List mounted block devices
sudo lsblk
  - Check where the USB stick is mounted
ls /dev
- Partition the stick
sudo fdisk /dev/sdXX
  - p to list existing partitions
  - g to create a new GPT partition table, or o for a DOS partition table
  - n to create a new partition
  - w to write to disk and exit
- Create an ext4 partition
sudo mkfs.ext4 /dev/sdXX00
- Create a directory that will host the partition
sudo mkdir /media/usbdrive
  - Choose /mnt for temporary mounts
  - Choose /media for automatic mounts
- Mount the USB key with access for all users
sudo mount /dev/sdXX00 /media/usbdrive -o umask=000
  - umask= is honoured by filesystems without Unix permissions (vfat, ntfs); ext4 rejects it as a mount option, so for ext4 set access with chown/chmod on the mounted directory instead
- Unmount
sudo umount /dev/sdXX00
- If you want to make it permanent
  - Edit /etc/fstab
sudo nano /etc/fstab
  - Add a line
/dev/sdXX00 /media/usbdrive ext4 defaults 0 0
  - (Check how fstab works here)
Files
- Zip the current directory
zip -r directoryname.zip ./
- Extract tarball and zip (x for extract, v for verbose, f for file)
tar -xvf file.tar.gz
- Find filename in the entire system (/) or the active folder (.), with sudo to avoid permission problems
find / -name filename
Virtual Systems: Mount QCoW2
- Install the required tool
sudo apt install libguestfs-tools
- Mount the image
sudo guestmount -a /var/lib/libvirt/images/IMAGE.qcow2 -m DEVICE --ro /mnt/FOLDER
  - DEVICE being the partition within this image. Make it bogus so a list will be shown
  - --ro if you only want read-only
- Unmount
sudo guestunmount /mnt
Network & Internet
- View current information (IP, netmask, …)
ifconfig
- Assign an IP to a network interface, for instance
sudo ifconfig wlan0 192.168.65.1 netmask 255.255.255.0 up
- Edit network configuration with netplan
/etc/netplan/00-installer-config.yaml
- Disable IPv6 - Source
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
- Check Wi-Fi adapter status
  - List status
rfkill list wlan
  - Unblock
rfkill unblock wlan
Set up Let’s Encrypt with Cloudflare DNS
- Source
- See this documentation on Cloudflare certbot
- cloudflare.ini can be placed in /etc/cloudflared
  - Define proper permission with chmod 400
- Steps
sudo snap install --classic certbot certbot-dns-cloudflare
  - You may need to proceed with additional commands as explained in the console
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d <EXAMPLE.COM>
- Automated renewal should be set up by the snap, check
systemctl list-timers
Users & Groups
- Users
  - Add a new user with a Home directory (-m)
useradd -m USERNAME
  - Define a password
passwd USERNAME
  - Get user PUID & GUID
id $user
- Groups
  - Add self to GROUP
usermod -a -G GROUP $USER
  - List all groups
cat /etc/group
- Setup SFTP without Shell: nice tutorial from Digital Ocean
OS-related
- Know which OS, flavor or version you are running
cat /etc/os-release
- Install fonts, check package fonts-liberation - can help you to fix "Fontconfig error: Cannot load default config file"
Hardware-related
- Sometimes reboot is not accessible … then use systemctl reboot
Power & Battery
- Check system temperature
sudo apt install lm-sensors
sudo /etc/init.d/kmod start
sensors
- Check status & stats about battery
  - List paths
upower -e
  - Get status
upower -i <path>
- Plan a reboot, for instance to restart at midnight:
shutdown -r 0:00
BIOS
- Check BIOS version
sudo dmidecode | less
Security
Source: OVH, DigitalOcean, DigitalOcean
- Change all account passwords
- Regarding SSH
- Regarding network
  - Configure firewall like ufw
  - Configure fail2ban
  - Configure an Intrusion Detection System - Example
- Disable unneeded services - Example, list sockets and the processes behind them with
sudo ss -atpu
- Implement unattended upgrades and livepatch - Example
- Regularly
  - Update software
  - Check logs
  - Check for malware - Example: maldet
  - Make backups
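The "Check logs" and fail2ban items above, as an added example that is not part of the original notes: a shell function that counts failed SSH logins per source address from sshd lines of the kind written to /var/log/auth.log, which is the signal fail2ban bans on. The sample log lines are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes). Constructed sshd log lines of
# the format found in /var/log/auth.log; addresses are documentation ranges.
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:20 host sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:01 host sshd[1210]: Accepted publickey for toto from 192.0.2.10 port 40112 ssh2
Mar  3 10:02:44 host sshd[1215]: Failed password for toto from 198.51.100.4 port 60001 ssh2
Mar  3 10:03:00 host sshd[1220]: Invalid user oracle from 203.0.113.7 port 51044'

# failed_by_source: read log lines on stdin, print "COUNT IP" per source,
# most frequent first. Counts "Failed password" and "Invalid user" events;
# successful logins ("Accepted ...") are ignored.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn -k1,1 -k2,2
}

# sources_over THRESHOLD: sources with at least THRESHOLD failures, one per
# line, i.e. what a fail2ban jail (default maxretry 5) would act on.
sources_over() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on a live host:  sudo cat /var/log/auth.log | failed_by_source
# Usage on the sample:   printf '%s\n' "$SAMPLE_AUTH_LOG" | sources_over 3
```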
Recover
Check logs
- System messages:
cat /var/log/messages | tail -n 50
Bootloader
Try Super Grub2 Disk
KVM - Virtual Machines
Setup KVM
Based on this great tutorial by OSTechnix.
- Install QEMU and some other libs
sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils
systemctl status libvirtd
  - must be enabled and started
- Configure network bridge
  - List existing networks, including virbr which is the preinstalled bridge
ip a
  - Disable netfilter on bridge
    - Create /etc/sysctl.d/bridge.conf and add the following
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0
    - Create /etc/udev/rules.d/99-bridge.rules and add
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"
  - Remove default KVM bridge
virsh net-destroy default
virsh net-undefine default
ip link
    - check that virbr interfaces are gone
  - Edit /etc/netplan/00-installer-config.yaml
    - Backup first
    - Add a new section under the defined interface - Careful about the indentation
network:
  ethernets:
    enp0sXYZ:
      #config
  bridges:
    br0:
      interfaces: [ enp0s3 ]
      addresses: [192.168.225.52/24]
      gateway4: 192.168.225.1
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]
      parameters:
        stp: true
        forward-delay: 4
      dhcp4: no
      dhcp6: no
  version: 2
    - Apply, then check with ip a and also brctl show br0
sudo netplan --debug apply
- Configure KVM to use this bridge
  - Edit host-bridge.xml somewhere and add:
<network>
  <name>host-bridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>
  - Define, start and autostart the network, then check
virsh net-define host-bridge.xml
virsh net-start host-bridge
virsh net-autostart host-bridge
virsh net-list --all
Manage VM
- Create a Virtual Machine
virt-install
- List VMs
sudo virsh list --all
- The following are virsh subcommands (sudo virsh …)
  - Status
start ID/Name
reboot ID/Name
suspend ID/Name
shutdown ID/Name
  - To edit a VM
edit ID/Name
  - To delete a VM
undefine ID/Name
sudo virsh destroy ID/Name