@nicolasramy
Last active December 14, 2015 11:59
Tips for Debian System Administration - Installation, Configuration, Useful commands and Tools

IP Tables

Block IP

Block a specific IP

iptables -A INPUT -s 31.2.41.8 -j DROP

Block a range (31.2.41.*)

iptables -A INPUT -s 31.2.41.0/24 -j DROP

Block a range (31.2.*.*)

iptables -A INPUT -s 31.2.0.0/16 -j DROP

Block a range (31.*.*.*)

iptables -A INPUT -s 31.0.0.0/8 -j DROP

Unblock

iptables -D INPUT -s 1.2.3.4 -j DROP

List IP rules

iptables -L INPUT -v -n

iptables -L INPUT -v -n | less

Debian System Administration - Useful commands

APT-GET

apt-get is the command-line tool for handling packages, and may be considered the user's "back-end" to other tools using the APT library. Several "front-end" interfaces exist, such as dselect(1), aptitude(8), synaptic(8) and wajig(1).

Install

apt-get install <packageName>

Add key

cd /tmp
wget http://hostname/keyname.gpg
cat keyname.gpg | apt-key add -
apt-get update

TAR

Compress

tar -pczf [file_name].tar.gz [folder_or_file_name]

Uncompress

tar -xvzf [file_name].tar.gz

DPKG

List installed packages

dpkg --get-selections

Find if specific package is installed

dpkg --get-selections | grep [package_name]

Remove "deinstall" packages

dpkg --get-selections | grep deinstall | sed 's/deinstall/\lpurge/' | dpkg --set-selections; dpkg -Pa

Retrieve version of the current package

dpkg -s <package> | grep Version

APT

Show the installed and the remote version (install candidate) of a package.

apt-cache policy <package>

Xclip - Manage Clipboard from Terminal

Reads from standard in, or from one or more files, and makes the data available as an X selection for pasting into X applications. Prints current X selection to standard out.

Installation

apt-get install xclip

Send data to the primary selection

echo "Hello World" | xclip
echo "Hello World" | xclip -selection p

Send data to the clipboard selection

echo "Hello World" | xclip -selection c

Users

Add user

useradd {options} [username]
  options:
    -d : home dir
    -g : initial group
    -G : groups
    -p : password (already encrypted, as returned by crypt(3))
    -s : shell
    -M : do not create user's home directory

Add user without shell access

echo "/usr/sbin/nologin" >> /etc/shells
useradd -s /usr/sbin/nologin [username]

Add user with limited shell (rbash)

useradd -s /bin/rbash [username]

Edit user properties

usermod {options} [username]
  options:
    -d : home dir
    -g : initial group
    -G : groups
    -p : password (already encrypted, as returned by crypt(3))
    -s : shell
    -m : move the home directory content to the new location (only with -d)

Change user password

passwd [username]

Delete user

userdel {options} [username]
  options:
    -r : recursive home directory delete

List all users

cat /etc/passwd | cut -d: -f1

List all groups

cat /etc/group | cut -d: -f1

SSH

Generate key

# RSA
ssh-keygen -t rsa

# DSA (disabled by default since OpenSSH 7.0)
ssh-keygen -t dsa

Copy key to server on default port

# RSA
ssh-copy-id -i ~/.ssh/id_rsa.pub <username>@<hostname>

# DSA
ssh-copy-id -i ~/.ssh/id_dsa.pub <username>@<hostname>

Copy key to server on specific port

# RSA
ssh-copy-id -i ~/.ssh/id_rsa.pub "<username>@<hostname> -p <port_number>"

# DSA
ssh-copy-id -i ~/.ssh/id_dsa.pub "<username>@<hostname> -p <port_number>"

Copy key to server if authentication with password is denied

# RSA
ssh username@hostname "echo $(cat ~/.ssh/id_rsa.pub) >> .ssh/authorized_keys"

# DSA
ssh username@hostname "echo $(cat ~/.ssh/id_dsa.pub) >> .ssh/authorized_keys"

Enter the SSH passphrase only once

ssh-agent bash

This creates a new bash process that allows you to add private keys. When adding a new private key you will be prompted for the passphrase once and only once.

ssh-add ~/.ssh/id_rsa

DU

Summarize disk usage of each FILE, recursively for directories

Estimate file space usage of current directory

du -sh

Grep

grep searches the named input FILEs (or standard input if no files are named, or if a single hyphen-minus (-) is given as file name) for lines containing a match to the given PATTERN. By default, grep prints the matching lines.

In addition, three variant programs egrep, fgrep and rgrep are available. egrep is the same as grep -E. fgrep is the same as grep -F. rgrep is the same as grep -r. Direct invocation as either egrep or fgrep is deprecated, but is provided to allow historical applications that rely on them to run unmodified.

Find string in different files

grep -Hin {{needed}} ./*

chmod

Change the mode of each FILE to MODE

Default usage

chmod [OPTION]... MODE[,MODE]... FILE...

Recursively give directories read&execute privileges

find /path/to/base/dir -type d -exec chmod 755 {} +

Recursively give files read privileges

find /path/to/base/dir -type f -exec chmod 644 {} +

Other tools (doc in progress)

apt-get install mtr iotop siege nmap multitail

Debian System Administration - Configuration

Apache

httpd.conf

ServerName localhost

Vhosts

default

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName localhost

	DocumentRoot /var/www

	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>


	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Adminer

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName adminer.local

	DocumentRoot /var/www/webtools/adminer

	<Directory /var/www/webtools/adminer/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/webtools/adminer/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/webtools/adminer/access.log combined

</VirtualHost>

Magento

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName magento.gists.local

	DocumentRoot /var/www/workspace/gists/magento

	<Directory /var/www/workspace/gists/magento/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all

		SetEnv MAGE_IS_DEVELOPER_MODE "True"
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/workspace/gists/magento/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/workspace/gists/magento/access.log combined

</VirtualHost>

Magento + SSL support

Debian System Administration - Installation

First steps

After install

apt-get update
apt-get upgrade

Useful software to install

apt-get install vim
apt-get install htop
apt-get install iftop
apt-get install tree
apt-get install screen
apt-get install git

Can be run in one line

apt-get install vim htop iftop tree screen git

Add dotdeb repositories

Edit the sources.list file

vim /etc/apt/sources.list

Add this at the end of the file (for Debian Wheezy)

## Dotdeb repositories
deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all

Get the dotdeb key and start enjoying Dotdeb's repositories

cd /tmp
wget http://www.dotdeb.org/dotdeb.gpg
cat dotdeb.gpg | apt-key add -
apt-get update

If you need more information, take a look here
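
The key above is downloaded over plain HTTP and then trusted for every package from that repository; the same applies to the generic "Add key" steps under APT-GET. The following is an added example, not part of the original gist: it checks a key file's fingerprint against one obtained separately before the key is added. EXPECTED_FPR is a placeholder, the listing is constructed, and the function names are hypothetical.

```shell
# Placeholder: the fingerprint published by the repository owner, obtained
# over a channel other than the HTTP download itself.
EXPECTED_FPR="<fingerprint published by the repository>"

# Constructed `gpg --with-colons` listing of a key file (not a real key).
sample_listing() {
cat <<'EOF'
pub:-:4096:1:0123456789ABCDEF:1262304000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1262304000::0000::Example Repository <repo@example.org>:
sub:-:4096:1:FEDCBA9876543210:1262304000::::::e:
fpr:::::::::1111222233334444555566667777888899990000:
EOF
}

# Print the fingerprint of every primary key in a colon listing read from
# stdin. Subkey fingerprints (the "fpr" record after "sub") are skipped.
key_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and its
# fingerprint equals $1 (spaces and letter case in $1 are ignored).
# A file carrying an extra key fails, so nothing unexpected gets trusted.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(key_fingerprints)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Typical use (as root, with a GnuPG that supports --show-keys):
#   gpg --show-keys --with-colons dotdeb.gpg \
#       | fingerprint_matches "$EXPECTED_FPR" \
#       && apt-key add dotdeb.gpg && apt-get update
```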

Install Web Servers

Nginx

apt-get install nginx

Apache2

apt-get install apache2

Install Web Servers + PHP5

Nginx + PHP5-FPM

apt-get install nginx php5-common php5-curl php5-fpm php5-gd php5-imap php5-mcrypt php5-mysql php5-suhosin

Apache2 + PHP5 (mod_php5)

apt-get install apache2 libapache2-mod-php5 php5-common php5-curl php5-gd php5-imap php5-mcrypt php5-mysql php5-suhosin

Install Cache

PHP-APC

apt-get install php-apc

or

apt-get install php5-dev php-pear
pecl install apc

Install Database Servers

MySQL Server

apt-get install mysql-server

MariaDB - 10.0 Alpha

Update /etc/apt/sources.list

# MariaDB 10.0 repository list
deb http://ftp.igh.cnrs.fr/pub/mariadb/repo/10.0/debian squeeze main
deb-src http://ftp.igh.cnrs.fr/pub/mariadb/repo/10.0/debian squeeze main

Execute these commands

apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
apt-get update
apt-get install mariadb-server

MariaDB - 5.5 Stable

Update /etc/apt/sources.list

# MariaDB 5.5 repository list
deb http://ftp.igh.cnrs.fr/pub/mariadb/repo/5.5/debian squeeze main
deb-src http://ftp.igh.cnrs.fr/pub/mariadb/repo/5.5/debian squeeze main

Execute these commands

apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
apt-get update
apt-get install mariadb-server

CouchDB

apt-get install couchdb

Security

Fail2Ban

apt-get install fail2ban

To prevent brute-force SSH logins, update this file: /etc/fail2ban/jail.conf

# SSH
# 3 retries -> ban for 15 minutes
 
[ssh]
enabled = true
port = ssh
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3
bantime = 900
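
To see which addresses this jail would act on, the counting can be replayed over a log excerpt. This is an added example, not part of the original gist and not fail2ban's own code: it matches only "Failed password" lines, assumes a 600-second counting window (the page does not set findtime), and runs on a constructed auth.log sample with documentation addresses.

```shell
MAXRETRY=3     # maxretry from the [ssh] jail
FINDTIME=600   # assumption: counting window in seconds (not set on the page)

# Constructed auth.log excerpt (documentation addresses, not real traffic).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:09 host sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2
Mar  3 10:00:12 host sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:05:00 host sshd[1005]: Failed password for alice from 198.51.100.9 port 41000 ssh2
Mar  3 10:20:00 host sshd[1006]: Failed password for alice from 198.51.100.9 port 41001 ssh2
Mar  3 10:40:00 host sshd[1007]: Failed password for alice from 198.51.100.9 port 41002 ssh2
EOF
}

# Read auth.log lines on stdin and print each source address that reaches
# MAXRETRY failed logins within FINDTIME seconds (printed once per address).
would_ban() {
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
    / sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
        # The user name is remote-controlled text, so take the address from
        # the fixed tail "from <ip> port <n> ssh2", not from the first "from".
        ip = $(NF-3)
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]    # same-day timestamps assumed
        ts[ip, ++n[ip]] = now
        hits = 0
        for (k = n[ip]; k >= 1 && now - ts[ip, k] <= win; k--) hits++
        if (hits >= max && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Against the real log: would_ban < /var/log/auth.log
```

In the sample, 203.0.113.5 is reported after three failures in eleven seconds, while 198.51.100.9 is not, because its three failures are spread over more than the window.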

Mount

SSHFS

apt-get install sshfs

To mount a remote folder through SSH

sshfs server:/remote/folder/to/mount /local/mount/point -o nonempty

More information: http://manpages.ubuntu.com/manpages/karmic/en/man1/sshfs.1.html

Debian System Administration - Tools

Misc

  • htop
  • iotop
  • pidstat