Linux Administration 校時與時區設定 Tutorials How to Sync Linux Time With NTP Server - Make Tech Easier Chrony Built-in on CentOS/RedHat CHAPTER 18. CONFIGURING NTP USING THE CHRONY SUITE CentOS / RHEL 7 : Configuring NTP using chrony How do I check Linux system’s current NTP configuration Install yum install chrony Config: /etc/chrony.conf # NTP Public Servers for Taiwan server tw.pool.ntp.org server time.stdtime.gov.tw server clock.stdtime.gov.tw server jp.pool.ntp.org # Allow NTP client access from local network. #allow 192.168.0.0/16 Starting systemctl start chronyd Verify [root@localhost ~]# chronyc tracking Reference ID : 7A75FDF6 (static.home.twn.sciuridae.cloud) Stratum : 3 Ref time (UTC) : Sun Aug 16 03:35:36 2020 System time : 0.000073180 seconds slow of NTP time Last offset : -0.001259724 seconds RMS offset : 0.001259724 seconds Frequency : 21.057 ppm slow Residual freq : -0.000 ppm Skew : 28.166 ppm Root delay : 0.032856792 seconds Root dispersion : 0.002069760 seconds Update interval : 64.3 seconds Leap status : Normal <=== [root@tpemimtst99 ~]# timedatectl Local time: Tue 2021-05-25 09:09:09 CST Universal time: Tue 2021-05-25 01:09:09 UTC RTC time: Tue 2021-05-25 01:09:09 Time zone: Asia/Taipei (CST, +0800) System clock synchronized: yes <=== NTP service: active RTC in local TZ: no [root@tpemimtst99 ~]# chronyc sources 210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* 192.168.21.86 3 10 377 754 +1543ns[+4123ns] +/- 63ms systemd-timesyncd Build-in on Ubuntu Control your computer time and date with systemd Installation sudo apt install systemd-timesyncd The configuration file for systemd-timesyncd is /etc/systemd/timesyncd.conf . [Time] #NTP= #FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org #RootDistanceMaxSec=5 #PollIntervalMinSec=32 #PollIntervalMaxSec=2048 Specify the time server as follows NTP= Start timesync systemctl enable systemd-timesyncd.service systemctl start systemd-timesyncd.service timedatectl # See the information of the datetime sudo timedatectl Local time: Mon 2021-11-01 14:37:09 UTC Universal time: Mon 2021-11-01 14:37:09 UTC RTC time: Mon 2021-11-01 14:37:10 Time zone: UTC (UTC, +0000) System clock synchronized: yes NTP service: active <==== RTC in local TZ: no # List timezones supported sudo timedatectl list-timezones # Change the system’s timezone sudo timedatectl set-timezone Asia/Taipei # Check the status sudo timedatectl timesync-status Server: 91.189.91.157 (ntp.ubuntu.com) Poll interval: 17min 4s (min: 32s; max 34min 8s) Leap: normal Version: 4 Stratum: 2 Reference: 11FD227B Precision: 1us (-24) Root distance: 72.295ms (max: 5s) Offset: +5.311ms Delay: 67.290ms Jitter: 2.211ms Packet count: 6 Frequency: +17.421ppm ntpd Install # Ubuntu sudo apt install ntp vi /etc/ntp.conf #pool 0.ubuntu.pool.ntp.org iburst #pool 1.ubuntu.pool.ntp.org iburst #pool 2.ubuntu.pool.ntp.org iburst #pool 3.ubuntu.pool.ntp.org iburst # Use Ubuntu's ntp server as a fallback. #pool ntp.ubuntu.com # Added the local time server server 192.168.21.86 prefer iburst Restart the ntpd # Ubuntu 16.04 systemctl stop ntp systemctl start ntp # Check the timeserver ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== 0.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000 1.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000 2.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000 3.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.000 ntp.ubuntu.com .POOL. 16 p - 64 0 0.000 0.000 0.000 +eterna.binary.n 216.218.192.202 2 u 32 64 3 45.986 -0.081 0.021 +pacific.latt.ne 193.187.181.6 3 u 30 64 3 8.205 1.151 0.026 -mis.wci.com 216.218.192.202 2 u 32 64 3 37.928 4.692 0.176 -europa.ellipse. 209.180.247.49 2 u 31 64 3 51.792 4.175 0.027 #38.229.56.9 172.16.21.35 2 u 30 64 3 68.917 -4.451 0.190 #time.richiemcin 97.183.206.88 2 u 29 64 3 69.281 -3.073 0.248 *t1.time.gq1.yah 208.71.46.33 2 u 30 64 3 31.630 -0.081 0.011 -lofn.fancube.co 220.181.254.66 2 u 30 64 3 37.871 -1.088 0.009 #2606:6680:8:1:: 107.46.198.112 2 u 26 64 3 198.284 66.201 0.061 -titan.crash-ove 129.7.1.66 2 u 30 64 3 32.708 -1.474 0.200 -2620:1d5:100:43 47.187.174.51 2 u 29 64 3 70.418 0.592 0.197 2001:67c:1560:8 17.253.34.123 2 u 32 64 3 133.490 -2.818 0.030 #38.229.57.9 172.16.21.35 2 u 30 64 3 177.896 4.081 6.291 #ntp2i.versadns. 217.180.209.214 2 u 28 64 3 62.795 -2.897 0.017 -104.194.8.227 192.12.19.20 2 u 25 64 3 0.979 -0.737 0.029 -pacific.latt.ne 193.187.181.6 3 u 26 64 3 8.770 1.212 0.050 2001:67c:1560:8 17.253.34.123 2 u 33 64 3 133.602 -2.792 0.007 Change Timezone RedHat 7+ timedatectl timedatectl list-timezones timedatectl set-timezone Asia/Taipei CentOS 6 # List of timezone ls /usr/share/zoneinfo # Check the current timezone set cat /etc/sysconfig/clock Edit: /etc/sysconfig/clock ZONE="Asia/Taipei" UTC=true Localtime mv /etc/localtime /etc/localtime.bak ln -sf /usr/share/zoneinfo/Asia/Taipei /etc/localtime Debian 13 sudo timedatectl set-timezone Asia/Taipei Manually Set the date-time date -s "6 April 2023 15:11:00" 系統管理技巧 Home 目錄 完整複製 Home 目錄 由於 User 的 Home 目錄內有許多隱藏檔,若要完整複製它們,有兩個方法: 方法一:可以複製成一個新目錄 cd /home cp -a user1/ user1_new/ 方法二:複製到一個現有目錄內 cd /home cp -a user1/.[^.]* user1_new/ 手動建立一個新的 Home 目錄 sudo mkhomedir_helper bob 或 cp -r /etc/skel /home/bob chown -R bob.bob /home/bob chmod 0700 /home/bob 為什麼 /home 目錄權限有一個點 Answer: 有(點)的權限目錄表示有在 SELinux 監控清單,既使關閉了 SELinux ,權限也不會變更。 # ls -ld /home drwxr-xr-x. 2 root root 4096 Mar 28 2017 /home # ls -Zd /home drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home 多帳號共用目錄 在共用目錄下 share_test,群組 team 的所有帳號都可以互相編輯修改 groupadd team mkdir /worktmp/share_test chgrp team /worktmp/share_test chmod 2775 /worktmp/share_test usermod -aG team i04181 自訂 PATH PATH 新增一個客制 bin 目錄 ~/.bashrc : # Custom PATH case :$PATH: in *:/home/$USER/bin:*) ;; *) PATH=/home/$USER/bin:$PATH ;; esac [ -z "$(sed -n '\@/usr/local/bin@p' <<< $PATH)" ] && PATH=/usr/local/bin:$PATH Custom Prompt # Kali-like Custom PROMPT PS1="\[\033[38;5;209m\]┌──[\[\033[38;5;141m\]\u\[\033[38;5;209m\]@\[\033[38;5;105m\]\h\[\033[38;5;231m\]:\w\[\033[38;5;209m\]]\[\033[33m\]\$(GIT_PS1_SHOWUNTRACKEDFILES=1 GIT_PS1_SHOWDIRTYSTATE=1 __git_ps1)\[\033[00m\]\n\[\033[38;5;209m\]└─\\[\033[38;5;209m\]$\[\033[37m\] " Solution: __git_ps1 command not found curl -o ~/.git-prompt.sh https://raw.githubusercontent.com/git/git/master/contrib/completion/git-prompt.sh echo 'source ~/.git-prompt.sh' >> ~/.bashrc 清除 Zombie 程序(defunct) One may deal with zombie processes in any one of the following ways: Fix the parent process to make it execute wait(2) on child process exit Kill the parent process of the zombie Reboot system Ignore it 列出 zombie processes ps aux |grep "defunct" ps aux |grep Z # How many Zombie process running on your server ps aux | awk {'print $8'}|grep -c Z # List the PID of Zombie ps aux | awk '{ print $8 " " $2 }' | grep -w Z Kill zombie process # find the parent process list pstree -paul kill -9 RHEL Documents: What_is_a_zombie_(defunct)_process.pdf How_to_kill_Zombie_Defunct_process.pdf 資安 & Auditing 相關 # Parse /var/log/secure grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7- | sort | uniq -c # Login failed attempts lastb -F lastb -F Check Linux Login History #!/bin/bash #Filename: intruder_detect.sh #Description: Check Linux Login History AUTHLOG=/var/log/secure if [[ -n $1 ]]; then AUTHLOG=$1 echo Using Log file : $AUTHLOG fi # Collect the failed login attempts FAILED_LOG=/tmp/failed.$$.log egrep "Failed pass" $AUTHLOG > $FAILED_LOG # Collect the successful login attempts SUCCESS_LOG=/tmp/success.$$.log egrep "Accepted password|Accepted publickey|keyboard-interactive" $AUTHLOG > $SUCCESS_LOG # extract the users who failed failed_users=$(cat $FAILED_LOG | awk '{ print $(NF-5) }' | sort | uniq) # extract the users who successfully logged in success_users=$(cat $SUCCESS_LOG | awk '{ print $(NF-5) }' | sort | uniq) # extract the IP Addresses of successful and failed login attempts failed_ip_list="$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" $FAILED_LOG | sort | uniq)" success_ip_list="$(egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" $SUCCESS_LOG | sort | uniq)" # Print the heading printf "%-10s|%-10s|%-10s|%-15s|%-15s|%s\n" "Status" "User" "Attempts" "IP address" "Host" "Time range" # Loop through IPs and Users who failed. for ip in $failed_ip_list; do for user in $failed_users; do # Count failed login attempts by this user from this IP attempts=`grep $ip $FAILED_LOG | grep " $user " | wc -l` if [ $attempts -ne 0 ] then first_time=`grep $ip $FAILED_LOG | grep " $user " | head -1 | cut -c-16` time="$first_time" if [ $attempts -gt 1 ] then last_time=`grep $ip $FAILED_LOG | grep " $user " | tail -1 | cut -c-16` time="$first_time -> $last_time" fi HOST=$(host $ip 8.8.8.8 | tail -1 | awk '{ print $NF }' ) printf "%-10s|%-10s|%-10s|%-15s|%-15s|%-s\n" "Failed" "$user" "$attempts" "$ip" "$HOST" "$time"; fi done done for ip in $success_ip_list; do for user in $success_users; do # Count successful login attempts by this user from this IP attempts=`grep $ip $SUCCESS_LOG | grep " $user " | wc -l` if [ $attempts -ne 0 ] then first_time=`grep $ip $SUCCESS_LOG | grep " $user " | head -1 | cut -c-16` time="$first_time" if [ $attempts -gt 1 ] then last_time=`grep $ip $SUCCESS_LOG | grep " $user " | tail -1 | cut -c-16` time="$first_time -> $last_time" fi HOST=$(host $ip 8.8.8.8 | tail -1 | awk '{ print $NF }' ) printf "%-10s|%-10s|%-10s|%-15s|%-15s|%-s\n" "Success" "$user" "$attempts" "$ip" "$HOST" "$time"; fi done done rm -f $FAILED_LOG rm -f $SUCCESS_LOG System Audit # Install Audit yum install audit systemctl start auditd # Authentication Report # To get authentication report for all the attempts which was made aureport -au -i | more # To get authentication report for all the success attempts which was made aureport -au -i --success | more # To get authentication report for all the failed attempts which was made aureport -au -i --failed | more # To get success login information aureport -l --success | more # To get failed login information aureport -l --failed | more # To get success login summary report for all the success attempts which was made aureport -l --success --summary -i | more Check if a RHEL system is vulnerable to a specific CVE # rpm -q --changelog [package-name] | grep [CVE-NUMBER] rpm -q --changelog openssl | grep CVE-2021-3450 rpm -q --changelog openssl | grep CVE rpm -q --changelog openssl | grep CVE-2021 # Using yum command yum install yum-plugin-security yum update yum yum updateinfo info --cve CVE-2021-3445 Auditd AUDITD RECOMMENDED CONFIGURATION ON REDHAT OR CENTOS LINUX FOR SYSTEM AUDITING Linux 設定 pam_tty_audit 記錄 SSH 使用者操作指令教學與範例 Adultd:Linux 系統稽核工具使用教學與範例 The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa. Auditing tool for UNIX/Linux like - Lynis https://cisofy.com/   How to Do Security Auditing of Linux System Using Lynis Tool rsh rsh server # install on CentOS 6/7 yum install rsh-server # Startup the service on CentOS 6 chkconfig rsh on chkconfig rlogin on service xinetd reload # Startup the service on CentOS 7 systemctl start rsh.socket systemctl start rlogin.socket systemctl start rexec.socket systemctl enable rsh.socket systemctl enable rlogin.socket systemctl enable rexec.socket strace 程式除錯 # Trace the command strace df -h # Trace the process ID strace -p 33259 # Get Summary of Linux Process strace -c -p 3569 # Print Instruction Pointer During System Call strace -i df -h # Show Time of Day For Each Trace Output Line strace -t df -h # Print Command Time Spent in System Calls strace -T df -h # Trace Only Specific System Calls strace -e trace=write df -h strace -p 3569 -e poll 停用 suspend, hibernation # disable the following systemd targets sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target sudo systemctl restart systemd-logind.service # Then reboot the system and log in again # Verify if the changes have been effected using the command sudo systemctl status sleep.target suspend.target hibernate.target hybrid-sleep.target # To re-enable the suspend and hibernation modes, run the command sudo systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target To prevent the system from going into suspend state upon closing the lid, edit the /etc/systemd/logind.conf file. [Login] HandleLidSwitch=ignore HandleLidSwitchDocked=ignore 磁碟裝置與磁區 lsblk # Check the disks lsblk nvme0n1 259:0 0 465.8G 0 disk ├─nvme0n1p1 259:1 0 512M 0 part /boot/efi └─nvme0n1p2 259:2 0 465.3G 0 part / nvme1n1 259:3 0 953.9G 0 disk /media/alang/AlangsData # Check the disks for the details lsblk --fs NAME FSTYPE LABEL UUID MOUNTPOINT sda ├─sda1 xfs 7a72d0ab-c234-4ad6-82dd-aa53edff7c78 /boot └─sda2 LVM2_mem VqfMLI-x1MU-Ui0R-w2UI-3Qaq-na31-FoNKfL ├─rootvg-root xfs 18817b75-3bd9-4ea7-b1b8-1d71b790ac45 / ├─rootvg-swap swap efc1e891-3ad9-4f18-8f03-a0d70f26c181 [SWAP] └─rootvg-worktmp xfs 2be7fb38-c1cf-4ce0-b4ee-11975ef745b2 /worktmp sdb LVM2_mem kqHzI1-y8GI-SEkr-jhQn-BYAy-x2Tg-e1jdF3 ├─dbvg-db2_home xfs f333bfb2-7a82-4bbe-aa20-325efc2febf8 /db2_home ├─dbvg-db2_vol xfs 5702a9cd-a70e-4f48-9c5d-c29858dbaca2 /db2_vol └─dbvg-dbtmp xfs 9dcd5abd-ae6b-428b-b326-cf0c56d534a1 /dbtmp sr0 # List UUID of disk lsblk -l -o NAME,FSTYPE,MOUNTPOINT,UUID NAME FSTYPE MOUNTPOINT UUID sda sda1 ext4 /boot f830a3fa-1f94-42f4-9dca-5b5c077eab66 sda2 ext4 / dcbdf18c-2fb4-426c-9dac-d13a45b7ebba sda3 swap [SWAP] 6f40f01b-e9ed-4092-9c65-1445d92ec9da sda4 ext4 6df9a3a6-052e-41f3-b15a-cb258db0267f OVM_SYS_REPO_PART_3600508b1001cbe65c99583659f085b36 (dm-0) ext4 6df9a3a6-052e-41f3-b15a-cb258db0267f sr0 # Check the filesystem for the specified disk lsblk --fs /dev/sdb NAME FSTYPE LABEL UUID MOUNTPOINT sdb LVM2_mem kqHzI1-y8GI-SEkr-jhQn-BYAy-x2Tg-e1jdF3 ├─dbvg-db2_home xfs f333bfb2-7a82-4bbe-aa20-325efc2febf8 /db2_home ├─dbvg-db2_vol xfs 5702a9cd-a70e-4f48-9c5d-c29858dbaca2 /db2_vol └─dbvg-dbtmp xfs 9dcd5abd-ae6b-428b-b326-cf0c56d534a1 /dbtmp lshw sudo lshw -short -class disk,volume H/W path Device Class Description ==================================================================== /0/100/14/0/3/4/0.0.0 /dev/sda disk Mass-Storage /0/100/14/0/3/4/0.0.0/0 /dev/sda disk 抹除磁碟 wipefs -a / last # To check the last ten login attempts, you can pipe it with "head" last | head -n 10 # using complete usernames and hostnames last -w # find the device used by the user tty # To find the last login by date, last --since last --until last --since -2days # find the last bad login attempts sudo lastb tail -f -n 100 /var/log/auth.log | grep -i failed # find the last SSH logins tail -f -n 100 /var/log/auth.log | grep -i sshd sudo journalctl -r -u ssh | grep -i failed # find last login times for all users lastlog lastlog -u 檢測虛擬平台類型 dmidecode -s system-manufacturer systemd-detec-virt virt-what UEFI Firmware # Method 1: Using systemD systemctl reboot --firmware-setup # Method 2: From the GRUB Bootloader # Choose UEFI Firmware Settings from the GRUB menu instead of your Linux distro and press Enter. # Method 3: Using the GRUB Command Line # Press Esc in the GRUB menu to access the GRUB command-line interface (also known as GRUB shell). > fwsetup 硬體資訊 sudo lshw -short H/W path Device Class Description ==================================================================== system NUC8i7HVK /0 bus NUC8i7HVB /0/0 memory 64KiB BIOS /0/2f memory 16GiB System Memory /0/2f/0 memory 8GiB SODIMM DDR4 Synchronous Unbuffered (Unregistered) /0/2f/1 memory 8GiB SODIMM DDR4 Synchronous Unbuffered (Unregistered) /0/34 memory 256KiB L1 cache /0/35 memory 1MiB L2 cache /0/36 memory 8MiB L3 cache /0/37 processor Intel(R) Core(TM) i7-8809G CPU @ 3.10GHz /0/100 bridge Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRA /0/100/1 bridge Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe /0/100/1/0 /dev/fb0 display Polaris 22 [Radeon RX Vega M GH] /0/100/1/0.1 multimedia Advanced Micro Devices, Inc. [AMD/ATI] /0/100/1.1 bridge Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe /0/100/1.1/0 bus ASMedia Technology Inc. /0/100/1.1/0/0 usb3 bus xHCI Host Controller /0/100/1.1/0/1 usb4 bus xHCI Host Controller ... # sudo lshw -html > HardwareSummary.html Finding Number of Ram Slots sudo dmidecode -t memory sudo lshw -class memory 主機板型號 sudo dmidecode -t 1 sudo dmidecode -t 2 BIOS version sudo dmidecode -s bios-version Secure Boot Mode mokutil --sb-state More options sudo lshw -C