moop's blog

SysAdmin & Security Unix Commands Vol 1.

Keywords: sysadmin security unix linux ubuntu

I don't anticipate a lot of traffic here, but I wanted to post a collection of some of my most used SysAdmin commands anyway -- if for no one else, at least I'll have a nice place to reference!

Get External IP command:

    $ curl

    On the job, for whatever reason, I find myself on different boxes all the time -- I end up using this more than I want to admit.

List all Packages (Ubuntu)

    $ dpkg --get-selections | grep -v deinstall

    A bit of a catch-all, but you can append another grep to whittle it down to what you are looking for.

Find Files - Older/Newer than Date

    $ find /path/to/dir -type f -mtime +100

    Change the +100 to the number of days you want -- i.e. finding all files older than 50 days:

    $ find /path/to/dir -type f -mtime +50

    Find Files - Newer than Date

    $ find /path/to/dir -type f -mtime -100

    Just put a '-' before the number of days instead of the '+'.

Compress Files by Date

    $ find /path/to/dir -mtime -30 -type f -print0 | cpio --create --null --format=ustar | gzip > myTarBall.tar.gz

    This will create a tarball of all the files newer than 30 days; cpio --format=ustar is the option that makes cpio write a tar archive.

    I believe it may take issue with super long file names, but I have not done extensive tests.

CPU Timing Breakdown

    $ mpstat -P ALL 1

    This command prints CPU time breakdowns per CPU, which can be used to check for an imbalance. A single hot CPU can be evidence of a single-threaded application.[2]

Finding Large Files & Directories

    While there are more native approaches, I really enjoy ncdu.

    So if you already do not have it installed:

    $ sudo apt-get install ncdu

    There is a bunch of stuff you can do,[3] but mainly I enjoy just going into the root of the directory structure I am curious about and typing:

    $ ncdu

Security Focused

DDoS Check (kinda)

    $ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    'Kinda' only because this just counts the current concurrent connections per remote IP.[1] That is, more often than not, a good indicator of a DDoS attack -- but certainly not the be-all and end-all.

    This will enable you to continuously monitor the connections as they happen:

    $ netstat -nputwc

    Drop the c if you just want a snapshot.

Add up all connections to your access log

    $ awk '{print $1}' access.log | sort | uniq -c | sort -n

    Without the count & tailed (I use it if I just want an exportable list of IPs):

    $ awk '{print $1}' access.log | sort | uniq -c | sort -n | awk '{print $NF}' | tail

    Mind you, this obviously isn't very practical for enterprise servers, but for smaller operations it can be a neat way to understand what is hitting your server a lot. Of course, these commands will need tweaking depending on the log format, but the foundation is there.
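
    Added example (not code from the original post): the netstat column-5 count and the access.log column-1 count above as one reusable shell function, plus a threshold filter for the 'kinda' DDoS check. It strips the last ':port' so IPv6 peers survive where `cut -d: -f1` would not, and runs against constructed netstat and access.log samples embedded in the block.

```shell
#!/bin/sh
# Added example, not code from the original post: the "count column 5 of
# netstat" and "count column 1 of access.log" pipelines as one reusable
# function, plus a threshold filter for the "kinda" DDoS check.

# count_ips FIELD: take column FIELD of every stdin line that contains a digit
# (this skips netstat's two header lines), strip a trailing ":port", and print
# "count ip" sorted by count, highest first. Removing the LAST ":port" rather
# than `cut -d: -f1` keeps IPv6 peers such as 2001:db8::1:55000 intact.
count_ips() {
    awk -v f="$1" '$f ~ /[0-9]/ { ip = $f; sub(/:[0-9]+$/, "", ip); print ip }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# over_threshold N: keep only the "count ip" lines whose count is >= N.
over_threshold() {
    awk -v n="$1" '$1 + 0 >= n + 0'
}

# Constructed sample of `netstat -ntu` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::1:55000       ESTABLISHED
EOF
}

# Constructed access.log sample (common log format, client IP in column 1).
sample_access_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2000:13:55:37 -0700] "GET /a HTTP/1.1" 200 100
203.0.113.9 - - [10/Oct/2000:13:55:38 -0700] "GET /b HTTP/1.1" 404 0
EOF
}

# Live usage:  netstat -ntu | count_ips 5 | over_threshold 50
#              count_ips 1 < access.log | head
```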

Ban IP

    $ iptables -A INPUT -s [IP-ADDRESS] -j DROP

    $ iptables -A OUTPUT -d [IP-ADDRESS] -j DROP

    The iptables method for banning IPs.

All CronJobs For All Users

    $ sed 's/^\([^:]*\):.*$/crontab -u \1 -l 2>\&1/' /etc/passwd | sh | grep -v "no crontab for"

    If someone asks me to inspect a suspect server, this is usually a great starting point. Most 'automated hacks' end up putting something in cron -- and even if they are better than that, you can't tell me you wouldn't at least check the cronjobs regardless.
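
    Added example, not the post's own command: running crontab -l per user only reports per-user crontabs, so this shell function also walks /etc/crontab, /etc/cron.d and the cron.hourly/daily/weekly/monthly directories. The paths are parameters (defaults are the usual Debian/Ubuntu locations) and a constructed sample tree is included so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original post. The crontab -l loop above
# only shows per-user crontabs; this also walks the system-wide locations.
# Paths are parameters so it can run against a test tree or a mounted image;
# the defaults are the usual Debian/Ubuntu locations.

# entries FILE LABEL: print the non-comment, non-blank lines of FILE, each prefixed with LABEL.
entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | sed "s|^|$2 |"
}

list_cron() {
    spool=${1:-/var/spool/cron/crontabs}   # one file per user, named after the user
    etc=${2:-/etc}
    for f in "$spool"/*; do
        if [ -f "$f" ]; then entries "$f" "user:$(basename "$f")"; fi
    done
    # /etc/crontab and /etc/cron.d/* carry a user column; a per-user loop never sees them
    for f in "$etc/crontab" "$etc"/cron.d/*; do
        if [ -f "$f" ]; then entries "$f" "file:$f"; fi
    done
    # the periodic directories hold scripts rather than crontab lines: list their names
    for d in "$etc"/cron.hourly "$etc"/cron.daily "$etc"/cron.weekly "$etc"/cron.monthly; do
        for s in "$d"/*; do
            if [ -f "$s" ]; then printf 'script:%s\n' "$s"; fi
        done
    done
    return 0
}

# Constructed sample tree (not a real host) so the function can be tried offline.
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/spool" "$t/etc/cron.d" "$t/etc/cron.daily"
    printf '# nightly backup\n0 2 * * * /usr/local/bin/backup.sh\n' > "$t/spool/root"
    printf '*/5 * * * * /tmp/.cache/update\n' > "$t/spool/www-data"   # constructed odd-looking entry
    printf 'SHELL=/bin/sh\n17 * * * * root run-parts /etc/cron.hourly\n' > "$t/etc/crontab"
    printf '@reboot nobody /tmp/.x\n' > "$t/etc/cron.d/zz-update"
    printf '#!/bin/sh\napt-get update\n' > "$t/etc/cron.daily/apt"
    echo "$t"
}

# Live usage (needs root to read the spool):  list_cron
# On the sample:  t=$(sample_tree); list_cron "$t/spool" "$t/etc"; rm -rf "$t"
```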

Enable Unattended Security Updates

    $ sudo dpkg-reconfigure --priority=low unattended-upgrades

    In addition, you can edit /etc/apt/apt.conf.d/50unattended-upgrades to set the types of updates, but unless you know what you are doing, I strongly suggest leaving it as security updates only -- lest you break your production server with incompatible updates!

Deleting History (including 'exit')

    $ cat /dev/null > ~/.bash_history && history -c && exit

    A couple of notes on this one: First, the /dev/null redirect is kind of unnecessary, but it doesn't hurt anything. Second, this only clears the current profile's history; it does not stop future logging and/or delete any other logs!

Shredding all files in directory

    $ sudo find /path/to -type f -exec shred {} \;

    It's super simple once you think about it -- but before knowing about adding -exec commands to find, you can find yourself wondering how to do a bunch of neat things.

Randomize MAC Address

    $ openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig [iface] ether

    This one might require some tweaking, but the idea is simple. If you don't know what I mean when I write [iface] it is the network interface you want to change the MAC on -- i.e. eth0.
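
    Added example, not the post's command: the tweak the random MAC usually needs. Six raw random bytes set the multicast bit (bit 0 of the first byte) half the time, and that address gets rejected; this version reads /dev/urandom instead of openssl rand and masks the first byte so the result is a unicast, locally administered MAC. The iproute2 line in the trailing comment is the Linux form, the post's ifconfig ... ether is the BSD/macOS spelling.

```shell
#!/bin/sh
# Added example, not code from the original post: a random MAC that a driver
# will actually accept. Six raw random bytes set the multicast bit (bit 0 of
# the first byte) half the time; a unicast, locally administered address needs
# that bit clear and bit 1 set, so the first byte is masked before use.

# mask_byte N: N (0-255) with bit 0 cleared and bit 1 set.
mask_byte() {
    echo $(( ($1 & 254) | 2 ))
}

# random_mac: print a unicast, locally administered MAC such as 4e:12:9a:00:7f:c3
# (reads /dev/urandom instead of the post's openssl rand; either source works).
random_mac() {
    # six random bytes as decimals; the unquoted expansion splits them into $1..$6
    set -- $(od -An -N6 -tu1 /dev/urandom)
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$(mask_byte "$1")" "$2" "$3" "$4" "$5" "$6"
}

# is_valid_mac MAC: succeeds only for lowercase aa:bb:cc:dd:ee:ff form whose
# first byte is unicast and locally administered (second hex digit 2, 6, a or e).
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f][26ae](:[0-9a-f]{2}){5}$'
}

# Applying it on Linux (iproute2; the post's "ifconfig IFACE ether" is the BSD/macOS form):
#   mac=$(random_mac) && sudo ip link set dev eth0 down \
#       && sudo ip link set dev eth0 address "$mac" && sudo ip link set dev eth0 up
```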

Clearly, that's a short, random, & not too advanced list. For now, I just wanted to post a small list of some simple commands I like & use often. More to come, but in the meantime I hope you can find this a little bit useful -- I might reorganize it in the future.

  1. mother fucking word-smith lyrical genius voice of a generation