@Souldiv
Last active March 4, 2024 18:29
Linux and more

2. Common Linux commands

w - show who is logged on and what they are doing

22:40:33 up 45 min,  2 users,  load average: 0.00, 0.03, 0.00

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
souldiv  pts/1    -                21:55   45:11   0.00s  0.00s -bash
root     pts/3    -                22:34    6:07   0.00s  0.00s -bash

who - show who is logged on

souldiv  pts/1        2023-09-27 21:55
root     pts/3        2023-09-27 22:34

uptime - tell how long system has been running

su - start a shell (or, with -c, run a command) as a substitute user and group ID. Use su - (with the dash) to also get the target user's login environment.

2.1. UFW

Uncomplicated Firewall, a front end for the kernel packet filter (iptables/nftables). It works at the OS level, so on AWS it is a second layer beside security groups, which filter at the instance's network interface; both must allow a connection for it to succeed. Requires sudo.

2.1.1. Verify UFW Status

sudo ufw status

The output will indicate if your firewall is active or not.

2.1.2. Enable UFW

sudo ufw enable

Enabling applies the default policy (deny incoming, allow outgoing) plus any rules you have added. If you are connected over SSH, add an allow rule for SSH first (sudo ufw allow OpenSSH), otherwise enabling the firewall drops your own session. You'll see output like this:

Output
Firewall is active and enabled on system startup.

2.1.3. Disable UFW

sudo ufw disable

Be aware that this command will fully disable the firewall service on your system.

2.1.4. Block an IP address

sudo ufw deny from 203.0.113.100

In this example, from 203.0.113.100 specifies the source IP address to deny (203.0.113.0/24 is a documentation range; substitute the real address). ufw evaluates rules in order and the first match wins, so a deny rule appended after broad allow rules does not block traffic those rules already accept: add deny rules first, or place them at the top with ufw insert 1.

If you run sudo ufw status now, you’ll see the specified IP address listed as denied:

Output
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        203.0.113.100 

2.1.5. Block a subnet

If you need to block a full subnet, use the subnet in CIDR notation as the from parameter of ufw deny. This blocks every address in the example subnet 203.0.113.0/24:

sudo ufw deny from 203.0.113.0/24

2.1.6. Block Incoming Connections to a Network Interface

To block incoming connections from a specific IP address on a specific network interface, run the following, replacing the IP address with the one you want to block:

sudo ufw deny in on eth0 from 203.0.113.100

The in parameter tells ufw to apply the rule only for incoming connections, and the on eth0 parameter specifies that the rule applies only for the eth0 interface. This might be useful if you have a system with several network interfaces (including virtual ones) and you need to block external access to some of these interfaces, but not all.

2.1.7. Allow an IP address

sudo ufw allow from 203.0.113.101

2.1.8. Allow Incoming Connections to a Network Interface

sudo ufw allow in on eth0 from 203.0.113.102

The in parameter tells ufw to apply the rule only for incoming connections, and the on eth0 parameter specifies that the rule applies only for the eth0 interface.

If you run sudo ufw status now, you’ll see output similar to this:

Output
Status: active

To                         Action      From
--                         ------      ----
...         
Anywhere on eth0           ALLOW       203.0.113.102   

2.1.9. Delete UFW Rule

To delete a rule that you previously set up within UFW, use ufw delete followed by the rule (allow or deny) and the target specification. The following example would delete a rule previously set to allow all connections from an IP address of 203.0.113.101:

sudo ufw delete allow from 203.0.113.101

2.1.10. List Available Application Profiles

Upon installation, applications that rely on network communication typically install a UFW profile (under /etc/ufw/applications.d) that you can use to allow connections to them. Allowing a profile is the same as allowing its ports directly, with the advantage of a shortcut that hides the specific port numbers a service uses behind a readable service name. Since a profile can open more than one port, check what it contains with ufw app info before allowing it.

To list which profiles are currently available, run the following:

sudo ufw app list

2.1.11. Enable Application Profile

To enable a UFW application profile, run ufw allow followed by the name of the application profile you want to enable, which you can obtain with a sudo ufw app list command. In the following example, we’re enabling the OpenSSH profile, which will allow all incoming SSH connections on the default SSH port.

sudo ufw allow "OpenSSH"

2.1.12. Allow Nginx HTTP / HTTPS

Upon installation, the Nginx web server sets up a few different UFW profiles within the server. Once you have Nginx installed and enabled as a service, run the following command to identify which profiles are available:

sudo ufw app list | grep Nginx

Output
  Nginx Full
  Nginx HTTP
  Nginx HTTPS

To enable both HTTP and HTTPS traffic, choose Nginx Full. Otherwise, choose either Nginx HTTP to allow only HTTP or Nginx HTTPS to allow only HTTPS.

The following command will allow both HTTP and HTTPS traffic on the server (ports 80 and 443):

sudo ufw allow "Nginx Full"
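The commands in 2.1 are usually run together when a fresh server is brought up, and the order matters. The script below is an added example, not part of the gist, that strings them into a default-deny baseline. The admin network 203.0.113.0/24, the Nginx profile and port 22 are assumptions; UFW_DRY_RUN is a variable introduced here so the command sequence can be printed and reviewed on a machine without ufw or root.

```shell
#!/bin/sh
# Added example, not from the gist: a default-deny UFW baseline for a remote
# host, in the order that does not lock you out. UFW_DRY_RUN=1 echoes the ufw
# commands instead of running them, so the sequence can be reviewed (or tested)
# on a machine without ufw or root.

ufw_cmd() {
  if [ -n "${UFW_DRY_RUN:-}" ]; then
    echo "ufw $*"
  else
    sudo ufw "$@"
  fi
}

# $1 = network your admin connections come from (assumed; 203.0.113.0/24 is the
# RFC 5737 documentation range, replace it with your own).
ufw_baseline() {
  admin_net=${1:-203.0.113.0/24}
  ufw_cmd default deny incoming
  ufw_cmd default allow outgoing
  # SSH goes in BEFORE enable. "limit" allows the port but drops a source that
  # opens 6 or more connections in 30 seconds, which blunts password guessing.
  ufw_cmd limit from "$admin_net" to any port 22 proto tcp
  ufw_cmd allow "Nginx Full"
  # --force skips the "may disrupt existing ssh connections" confirmation.
  ufw_cmd --force enable
}

# Block one address on every port. Rules are matched first-match in order, so
# a deny appended after the allow rules above would never be reached for the
# allowed ports; insert it at position 1 instead (needs at least one rule).
ufw_block_ip() {
  ufw_cmd insert 1 deny from "$1"
}

# Show rules with their index; "ufw delete <n>" then removes one without
# retyping the exact rule text.
ufw_list() {
  ufw_cmd status numbered
}
```

Run ufw_baseline 198.51.100.0/24 as root on the host, or with UFW_DRY_RUN=1 anywhere to see the commands first. ufw_list prints rules with an index, and sudo ufw delete <index> then removes one without reproducing the exact rule text, which is easier than the delete-by-text form shown above.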

2.2. SSH

Secure Shell - used for establishing connection to a remote shell securely

2.2.1. basic information with SSH

SSH provides encrypted, authenticated remote shells and file transfer. Key-based login uses a key pair: the private key stays on your machine and must be kept secret (mode 600; it is your identity, so never copy it onto servers), while the public key is safe to share and is placed in ~/.ssh/authorized_keys on each server you want to reach. At login the server sends a challenge, the client signs it with the private key, and the server verifies the signature against the stored public key; the private key never leaves the client. The public key can be regenerated from the private key (ssh-keygen -y), but the private key cannot be recovered from the public one.

2.2.2. ssh-copy-id user@remote-server-ip

Appends your public key (the most recently modified ~/.ssh/id*.pub by default, or the file given with -i) to ~/.ssh/authorized_keys on the remote server, using password login for that one transfer. After this you can log in with the key.

2.2.3. ssh-keygen

ssh-keygen -t ed25519 -C "youremail@example.com"

Generates a new key pair with the chosen algorithm (ed25519 is the sensible default today: small keys, fast, no parameter choices to get wrong). -C sets a comment stored with the key to identify it; it is not part of the key material. You are prompted for a file name and a passphrase; use a passphrase for any key that lives on a workstation.
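An added example, not from the gist, covering the key lifecycle behind 2.2.1 to 2.2.3: generating a key, recomputing the public half from the private one, comparing fingerprints, and doing by hand what ssh-copy-id does on the remote side, with the permissions sshd insists on. It assumes OpenSSH's ssh-keygen is installed; file paths and the comment string are placeholders.

```shell
#!/bin/sh
# Added example, not from the gist: the key lifecycle behind ssh-keygen and
# ssh-copy-id, with the checks worth doing by hand. Assumes OpenSSH's
# ssh-keygen is installed; paths and the comment string are placeholders.

# Generate an ed25519 key pair. -N '' means no passphrase, which is only
# appropriate for automation keys; for a person's key use a passphrase and
# ssh-agent. -C is a free-text comment, it is not part of the key material.
make_key() {
  ssh-keygen -q -t ed25519 -f "$1" -N '' -C "$2"
  chmod 600 "$1"        # ssh refuses to use a private key readable by others
}

# The public half can always be recomputed from the private one (never the
# reverse), so a lost .pub file is not a reason to re-key.
derive_pub() {
  ssh-keygen -y -f "$1"
}

# SHA256 fingerprint of a public key, the value to compare out of band.
fingerprint() {
  ssh-keygen -l -f "$1" | awk '{print $2}'
}

# What ssh-copy-id does on the remote side: append the key to authorized_keys
# exactly once and set the modes sshd's StrictModes requires (~/.ssh 700,
# authorized_keys 600, neither group- nor world-writable).
install_pubkey() {
  pub=$1; sshdir=$2
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
  keymat=$(awk '{print $1" "$2}' "$pub")   # key type + base64, ignore comment
  if ! grep -qF "$keymat" "$sshdir/authorized_keys"; then
    cat "$pub" >> "$sshdir/authorized_keys"
  fi
}
```

Comparing fingerprint of the .pub file with the fingerprint of derive_pub's output is a quick way to confirm a public key really belongs to the private key you are about to install it for.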

2.3. netcat

Netcat is a utility that reads and writes data across TCP and UDP network connections. If you are responsible for network or system security it is essential that you understand its capabilities: it can act as a port scanner, a backdoor, a port redirector, a port listener and more.

2.3.1. port scanning with netcat

nc -v -w 2 -z <target_ip> <port/range of port>

-z connects without sending data (zero-I/O mode), -w 2 gives up on each port after two seconds, and -v reports the result for every port. A range is written as 20-80. This is a plain TCP connect scan, so the target logs it like any other connection.

2.3.2 connect to a port on localhost

nc localhost 30000

2.4. lsb_release

print distribution specific information (from the lsb-release package; if it is not installed, /etc/os-release carries the same information)

2.4.1. Check what linux version is running

lsb_release -a

2.5 nmap

2.5.1 Scan a network using nmap

Discover live hosts on an entire network with verbose output. -sn does host discovery only (a ping sweep) and skips the port scan:

nmap -sn 172.19.206.239/20 -vvvv

2.5.2 Scan a port on localhost

nmap -p 30000 localhost

2.5.3 Service scan using nmap

The -sV flag lets us do a service/version detection scan.

nmap -sV localhost -p 31000-32000

2.6 stdout, stdin, stderr

Every process starts with three open streams, identified by file descriptor numbers: stdin (0), stdout (1) and stderr (2). A file descriptor is a non-negative integer a process uses to refer to an open file or stream.

Use the redirection operator > to send stdout into a text file (creating it, or truncating it if it already exists):

echo Hello World > test.txt

Use >> to append instead of overwriting:

echo Hello World >> test.txt

Use < to feed a file into a command's stdin.

A plain > only redirects stdout; error messages still reach the terminal because they go to stderr. Put the descriptor number in front of the operator to redirect that stream, for example to discard errors (use a file name instead of /dev/null to keep them):

ls /fake/directory 2> /dev/null
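An added example, not from the gist, showing the three descriptors in action and the one thing that trips most people up: redirections are applied left to right, so > file 2>&1 and 2>&1 > file behave differently. noisy is a placeholder command defined here so the output is predictable.

```shell
#!/bin/sh
# Added example, not from the gist: what the three standard descriptors do and
# why the order of redirections matters. `noisy` stands in for any command that
# writes to both stdout (fd 1) and stderr (fd 2), like `ls /fake/directory .`.

noisy() {
  echo "normal output"          # fd 1
  echo "error output" >&2       # fd 2
}

# Keep the streams apart: stdout to one file, stderr to another.
split_streams() {
  noisy > "$1" 2> "$2"
}

# Send both to one file. Redirections are applied left to right: first fd 1 is
# pointed at the file, then "2>&1" makes fd 2 a copy of fd 1 (the file).
both_to_file() {
  noisy > "$1" 2>&1
}

# Same two redirections reversed. "2>&1" copies fd 1 while it still points at
# the terminal, and only then is fd 1 moved to the file, so the file gets
# stdout alone and the errors still reach the screen.
reversed_order() {
  noisy 2>&1 > "$1"
}

# fd 0: read lines from whatever stdin is connected to ("<" a file here).
count_stdin_lines() {
  n=0
  while IFS= read -r _line; do n=$((n + 1)); done
  echo "$n"
}

# ">" truncates, ">>" appends, which is why this leaves two lines in the file.
append_twice() {
  echo "first" > "$1"
  echo "second" >> "$1"
}
```

The reversed_order case is the classic mistake in cron jobs and log captures: the file looks complete but every error went to a terminal nobody was watching.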

2.7 find

Find regular files under the current directory that are exactly 1033 bytes (the c suffix means bytes) and not executable, then run file on each match (the + form batches the matches into one file invocation):

find . -type f -size 1033c ! -executable -exec file {} +

2.8 xxd: create or reverse a hexdump

xxd on a file prints a hexdump; -r reverses one back into the original bytes (a plain hexdump without offsets needs -r -p):

xxd -r <hexdump_file>

2.9 gzip bzip2 tar

The suffix rules differ: gzip -d refuses a file whose name lacks a known suffix (.gz, .tgz, .z and a few others), so rename it first or decompress from stdin with gzip -dc. bunzip2 decompresses any name but, when the suffix is not .bz2, writes the result to <name>.out. tar does not care about the suffix at all: it detects the format (and, with -xf, the compression) from the content. When a file's type is unknown, check it with file before picking a tool.

gzip -d data.gz

bunzip2 data.bin

tar -xf data.tar
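Because none of these tools needs or trusts the suffix in the same way, the practical approach to an unknown blob is to look at the bytes. The shell below is an added example, not from the gist: it classifies a file by its magic bytes (the same information xxd or file would show) and unwraps nested gzip/bzip2/xz/tar layers until it reaches plain data. It assumes each tar layer holds a single member and uses od and dd only, so it runs on a minimal system.

```shell
#!/bin/sh
# Added example, not from the gist: identify each layer of a nested archive by
# its magic bytes and unwrap it, ignoring file suffixes entirely. Assumes only
# gzip, bzip2, xz and tar layers, each holding a single member (the common
# CTF / "mystery blob" case). Uses od and dd so it does not need xxd or file.

# Print gzip, bzip2, xz, tar or data for the file in $1.
magic_type() {
  first4=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case $first4 in
    1f8b*)     echo gzip;  return ;;   # 1f 8b = gzip
    425a68*)   echo bzip2; return ;;   # "BZh"
    fd377a58*) echo xz;    return ;;   # fd 37 7a 58 5a 00
  esac
  # POSIX tar has no leading magic; the string "ustar" sits at byte offset 257.
  if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
    echo tar
  else
    echo data
  fi
}

# Unwrap $1 layer by layer into $2, printing the type of each layer removed.
# Stops at the first layer that is not a recognised container.
unpack_layers() {
  cp "$1" "$2"
  while :; do
    t=$(magic_type "$2")
    case $t in
      gzip)  gzip  -dc "$2" > "$2.next" ;;
      bzip2) bzip2 -dc "$2" > "$2.next" ;;
      xz)    xz    -dc "$2" > "$2.next" ;;
      tar)   tar -xOf "$2" > "$2.next" ;;   # -O: write the member to stdout
      *)     return 0 ;;
    esac
    echo "$t"
    mv "$2.next" "$2"
  done
}
```

Usage: unpack_layers mystery.bin ./payload prints one line per layer removed and leaves the innermost content in ./payload. Writing the decompressed output with -dc to a new file, rather than letting gzip pick a name, is what sidesteps the suffix requirement described above.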

3. permissions

$ ls -l

drwxr-xr-x. 4 root root    68 Jun 13 20:25 tuned
-rw-r--r--. 1 root root  4017 Feb 24  2022 vimrc

The first field of the ls -l output is a group of metadata that includes the permissions on each file. Here are the components of the vimrc listing:

  • File type: - (a regular file; d would be a directory, l a symbolic link)
  • Permission settings: rw-r--r--
  • Trailing dot (.): an SELinux security context is attached (a + in that position would mean an ACL or other extended attributes are present)
  • Hard link count: 1
  • User owner: root
  • Group owner: root

3.1. how to read permissions

This section is about the permission settings on a file. The interesting permissions from the vimrc listing are:

rw-r--r-- This string is actually an expression of three different sets of permissions:

  • rw-
  • r--
  • r--

The first set applies to the owner of the file, the second to the group that owns the file, and the third to everyone else ("others"). Every Linux file belongs to an owner and a group. Only one set applies to a given process: the owner set if its effective UID matches, otherwise the group set if one of its groups matches, otherwise the others set. When permissions are represented by letters like this, it is called symbolic mode.

3.2. Octal

When Linux file permissions are represented by numbers, it's called numeric mode. In numeric mode, a three-digit value represents the permissions (for example, 744). These are octal digits: the first is for the owner, the second for the group, and the third for other users. Each digit is the sum of the permissions it grants:

  • r (read): 4
  • w (write): 2
  • x (execute): 1

So rw-r--r-- is 644 and rwxr-xr-x is 755. A fourth, leading digit carries the special bits: setuid (4), setgid (2) and sticky (1); ls shows them as s or t in place of the x.
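As an added example, not part of the gist, the function below converts the symbolic string ls -l prints into the octal value chmod takes, going one step beyond the three digits above by handling the setuid, setgid and sticky bits as a leading fourth digit; the second function is the find query an auditor runs first to list world-writable and setuid/setgid files under a path.

```shell
#!/bin/sh
# Added example, not from the gist: convert the symbolic mode ls -l prints into
# the octal form chmod takes, and the find check an auditor runs first.
# Generalises the page's 3-digit example with a leading digit for the special
# bits (setuid 4, setgid 2, sticky 1), which ls shows as s/S and t/T.

# $1 = nine permission characters, e.g. rwxr-xr-x -> 0755, rwsr-xr-x -> 4755.
sym_to_octal() {
  s=$1; pos=0; v=0; special=0; digits=""
  [ "${#s}" -eq 9 ] || return 1
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}      # first character
    s=${s#?}             # the rest
    case $c in
      r)     v=$((v + 4)) ;;
      w)     v=$((v + 2)) ;;
      x|s|t) v=$((v + 1)) ;;   # lowercase s/t: special bit AND execute
      -|S|T) ;;                # uppercase S/T: special bit WITHOUT execute
      *)     return 1 ;;
    esac
    case $c in
      s|S) if [ "$pos" -lt 3 ]; then special=$((special + 4))
           elif [ "$pos" -lt 6 ]; then special=$((special + 2)); fi ;;
      t|T) if [ "$pos" -ge 6 ]; then special=$((special + 1)); fi ;;
    esac
    pos=$((pos + 1))
    if [ $((pos % 3)) -eq 0 ]; then digits="$digits$v"; v=0; fi
  done
  echo "$special$digits"
}

# Regular files under $1 that are world-writable or carry setuid/setgid.
# -perm -MODE matches when ALL of the given bits are set.
risky_files() {
  find "$1" -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
}
```

The output always has four digits (0644 rather than 644); chmod accepts both. A world-writable file in a system path, or a setuid binary nobody recognises, is what risky_files is meant to surface.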

4. Vim

4.1. configuration

create ~/.vimrc and put config for vim in there

4.2 Synchronous scroll bind

In each window that should scroll simultaneously, enter the command:

:set scrollbind

You can enter scb as an abbreviation for scrollbind, and the ! flag causes :set to toggle a boolean option:

:set scb!

5. Supervisor And Systemd

5.1. systemd

systemd is a system and service manager for Linux operating systems. It is designed to be backward compatible with SysV init scripts, and provides a number of features such as on-demand starting of daemons, system state snapshots, process tracking, and more.

5.1.1. Pros of systemd

  • Built-in with the OS: Since systemd is built into most modern Linux distributions, there are no additional dependencies required to manage services.
  • Ease of use: systemd is straightforward to use and manage. Your own processes are handled exactly like the system's services, so starting, stopping, enabling or disabling them uses the same systemctl commands.
  • No learning curve: If you’re already familiar with Linux, you’ll find managing processes with systemd to be intuitive.

5.1.2. Cons of systemd

  • Requires superuser privileges: managing system-wide units needs root (or a polkit grant). Per-user units under ~/.config/systemd/user can be managed with systemctl --user without root, but they only run while that user has a session unless lingering is enabled with loginctl enable-linger. This might not be ideal in environments where you want to limit the use of superuser privileges.
  • No web interface: Unlike Supervisor, systemd does not provide a web interface for managing processes.

5.1.3 list all units

list-units is a subcommand, not a flag (--list-units is not accepted). Add --type=service to show only services and --all to include inactive ones; listing does not need root.

systemctl list-units

5.1.4 check status of particular service

sudo systemctl status <service-name>
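A unit file is where systemd's process management becomes a security boundary. The unit below is an added example, not from the gist or any project: /usr/local/bin/example-app, the example user and /var/lib/example are placeholders. Beyond User=, the sandboxing directives drop capabilities, make the OS read-only for the process and filter syscalls; systemd-analyze security <unit> scores a unit's exposure and lists what each missing directive would fix.

```ini
[Unit]
Description=Example hardened service (added example, not from the gist)
After=network.target

[Service]
Type=simple
# Assumed binary and account: the service runs as its own unprivileged user.
ExecStart=/usr/local/bin/example-app
User=example
Group=example
Restart=on-failure
# Privilege boundaries: no setuid/capability gains, no capabilities at all.
NoNewPrivileges=yes
CapabilityBoundingSet=
# Filesystem view: read-only OS, private /tmp, no /home, one writable path.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/example
# Kernel and device surface.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
MemoryDenyWriteExecute=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target
```

Drop it in /etc/systemd/system/example.service, run systemctl daemon-reload, then systemd-analyze security example.service before enabling it. ReadWritePaths is the one line that usually needs adjusting: with ProtectSystem=strict everything not listed there is read-only to the service.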

5.2. supervisor

Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems. It provides a flexible and robust way of managing processes.

5.2.1. Pros of supervisor

  • User-level process management: With Supervisor, any user can manage processes, eliminating the need for superuser privileges.
  • Web interface: Supervisor provides a web interface for easy process management. This can be a significant advantage if you prefer a GUI over command-line interfaces.
  • Cross-distribution compatibility: Supervisor works on any Linux distribution, providing flexibility and preventing vendor lock-in.
  • Process grouping and priority setting: Supervisor offers more flexibility in managing processes, such as grouping related processes together and setting process priorities.

5.2.2. Cons of Supervisor

  • Additional dependency: Unlike systemd, Supervisor is not built into the operating system and needs to be installed separately.
  • Learning curve: if you're not familiar with Supervisor, there might be a learning curve to understand and use it effectively.

6. Special Files In Linux

6.1. /etc/hosts

Static hostname-to-address mappings, one per line (address, canonical name, aliases). It is consulted before DNS in the default /etc/nsswitch.conf order, which is why an unexpected entry here silently redirects a name; it is worth a look during incident response.

6.2. /etc/passwd

souldiv:x:1000:1000:,,,:/home/souldiv:/bin/bash

1:2:3:4:5:6:7
  1. Username: used when the user logs in; 1 to 32 characters.
  2. Password: an x means the password hash is stored in /etc/shadow (readable only by root). Use the passwd command to compute a hash from a typed password and store or update it in /etc/shadow. An empty field means no password is required, which is a finding.
  3. User ID (UID): every user has one. UID 0 is root, and any other account with UID 0 is root too, whatever its name. UIDs below 1000 are conventionally system and service accounts; regular users start at 1000 (UID_MIN in /etc/login.defs).
  4. Group ID (GID): the primary group, defined in /etc/group.
  5. User ID info (GECOS): a comment field for the user's full name, phone number and so on; the finger command reads it.
  6. Home directory: the absolute path of the directory the user lands in at login. If it does not exist, the user's directory becomes /.
  7. Command/shell: the absolute path of the program run at login, usually a shell such as /bin/bash. It does not have to be a shell: service accounts get /sbin/nologin (or /usr/sbin/nologin on Debian-based systems), which prints a message and closes the connection when someone tries to log in directly.
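An added example, not from the gist, that turns the field descriptions above into checks: it reads a passwd-format file with awk and flags extra UID 0 accounts, empty password fields, hashes left in passwd instead of shadow, and system accounts that still have a login shell. The sample lines in the test are constructed; point it at /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example, not from the gist: sanity checks over a passwd-format file
# using the seven fields described above. Run against /etc/passwd on a real
# host; the test feeds it constructed sample lines.

# $1 = passwd file. Prints one finding per line; prints nothing when clean.
audit_passwd() {
  awk -F: '
    /^$/ { next }
    NF != 7 { printf "malformed line %d: %s\n", NR, $0; next }
    $3 == 0 && $1 != "root" { printf "extra uid 0 account: %s\n", $1 }
    $2 == "" { printf "empty password field, no password required: %s\n", $1 }
    $2 != "x" && $2 != "" && $2 != "*" && $2 != "!" { printf "hash kept in passwd rather than shadow: %s\n", $1 }
    $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { printf "system account with a login shell: %s\n", $1 }
  ' "$1"
}

# Number of findings, handy as a one-line health check or cron alert.
audit_passwd_count() {
  audit_passwd "$1" | wc -l | tr -d ' '
}
```

The UID 0 check is the important one: a second root-equivalent account named innocuously is a classic persistence trick, and nothing about its name gives it away.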

7. Ansible Commands

7.1. ansible-doc

Used for looking up information on ansible modules and roles.

ansible-doc shell

7.2. ansible-playbook

Inventory file example: staging (INI format; YAML inventories are also supported)

[vm]
node1 ansible_host=172.30.14.44

[cloud]
ec2_ubuntu ansible_host=13.239.117.98

Command for running the playbook against the staging inventory but limited to the cloud group:

ansible-playbook -i staging -l cloud playbooks/example.yml --key-file <path-to-private-key>

-i selects the inventory file; -l limits the run to a group or host pattern (cloud or vm here); --key-file takes the SSH private key, not the public one.

8. Poetry

8.1. Create or init a poetry project

poetry new creates a new project directory with a pyproject.toml; poetry init takes no project name argument and instead interactively creates a pyproject.toml in the current directory.

poetry new <name-of-project>

8.2. add dependencies to project

poetry add <name-of-library>

8.3. remove dependencies from project

poetry remove <name-of-library>

8.4. list all envs for the current project

poetry env list

8.5. Start and exit a shell using poetry

Inside the project directory, run poetry shell to open a subshell with the virtualenv activated; run exit (or deactivate) to leave it. Poetry 2.x moved shell into a separate plugin (poetry-plugin-shell); without it, poetry env activate prints the activation command for your shell instead.

9. Teleport

9.1 Login to the cluster using tsh

tsh login --proxy=teleport.example.com --user=a-teleport-user

9.2 Teleport Ansible Guide

Create a file ansible.cfg:

[defaults]
host_key_checking = True
inventory=./hosts
remote_tmp=/tmp

[ssh_connection]
scp_if_ssh = True
ssh_args = -F ./ssh.cfg

create ssh config to use ansible over tsh

tsh config > ssh.cfg

Say you have an inventory called staging and want a group called teleport containing a host. The host is written as the Teleport node name followed by the cluster name, which is how the ssh.cfg generated by tsh config routes it:

Inside staging:

[teleport]  # group name
instance_host_name.cluster_name  # instance host name

10. AWS

10.1 STS

10.1.1 Get user identity

aws sts get-caller-identity

10.2 EC2

10.2.1 List all images owned by caller account

aws ec2 describe-images --owners self

10.2.2 Export a VM directly from AMI

--disk-image-format takes VHD (Hyper-V), VMDK (VMware) or RAW.

aws ec2 export-image --image-id ami-id --disk-image-format VMDK --s3-export-location S3Bucket=my-export-bucket,S3Prefix=exports/

See the AWS VM Import/Export documentation for details. The export needs the vmimport service role with access to the target bucket, and the bucket must be in the same Region as the AMI.

10.2.3 Check Exported Task Status

Use the ExportImageTaskId returned by the previous command (it starts with export-ami-).

aws ec2 describe-export-image-tasks --export-image-task-ids export-ami

Or Describe all export image tasks

aws ec2 describe-export-image-tasks

10.3 S3

10.3.1 List S3 buckets available to your account

aws s3 ls

10.3.2 Create presigned link for downloading bucket object

aws s3 presign s3://conductor-vms/vms/export.vhd

The URL works for anyone who holds it, without AWS credentials, until it expires (default 3600 seconds; set --expires-in). It is signed with the caller's credentials, so with temporary STS credentials it also stops working when that session expires. Treat the link as a secret while it is live.

11. WSL

11.1 Settings Configuration in WSL

The wsl.conf and .wslconfig files configure advanced settings, per distribution (wsl.conf, inside the distribution at /etc/wsl.conf) and globally across all WSL 2 distributions (.wslconfig, in your Windows user profile directory).

Learn more in Microsoft's WSL configuration documentation.

11.2 .wslconfig

References

  • Linux Journey: Linux tutorials for absolute beginners (linuxjourney.com)
  • OverTheWire wargames (overthewire.org)