Unix Toolbox (enderunix.org/docs/unixtoolbox.pdf)
23 ONLINE HELP

23.1 Documentation
Linux Documentation            en.tldp.org
Linux Man Pages                www.linuxmanpages.com
Linux commands directory       www.oreillynet.com/linux/cmd
Linux doc man howtos           linux.die.net
FreeBSD Handbook               www.freebsd.org/handbook
FreeBSD Man Pages              www.freebsd.org/cgi/man.cgi
FreeBSD user wiki              www.freebsdwiki.net
Solaris Man Pages              docs.sun.com/app/docs/coll/40.10

23.2 Other Unix/Linux references
Rosetta Stone for Unix         bhami.com/rosetta.html (a Unix command translator)
Unix guide cross reference     unixguide.net/unixguide.shtml
Linux commands line list       www.linuxguide.it/commands_list.php
Short Linux reference          www.pixelbeat.org/cmdline.html
Little command line goodies    www.shell-fu.org

That's all folks!
This document "Unix Toolbox revision 13" is licensed under a Creative Commons Licence [Attribution - Share Alike]. © Colin Barschel 2007-2008. Some rights reserved.

— Online Help — 56
UNIX TOOLBOX

This document is a collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users. This is a practical guide with concise explanations, however the reader is supposed to know what s/he is doing.
1. System (p2)
2. Processes (p7)
3. File System (p9)
4. Network (p14)
5. SSH SCP (p22)
6. VPN with SSH (p25)
7. RSYNC (p27)
8. SUDO (p28)
9. Encrypt Files (p29)
10. Encrypt Partitions (p31)
11. SSL Certificates (p33)
12. CVS (p35)
13. SVN (p37)
14. Useful Commands (p39)
15. Install Software (p44)
16. Convert Media (p45)
17. Printing (p46)
18. Databases (p46)
19. Disk Quota (p48)
20. Shells (p49)
21. Scripting (p51)
22. Programming (p53)
23. Online Help (p56)
Unix Toolbox revision 13

The latest version of this document can be found at http://cb.vu/unixtoolbox.xhtml. Replace .xhtml on the link with .pdf for the PDF version and with .book.pdf for the booklet version. On a duplex printer the booklet will create a small book ready to bind. See also the about page. Error reports and comments are most welcome - c@cb.vu Colin Barschel.
1 SYSTEM
Hardware (p2) | Statistics (p2) | Users (p3) | Limits (p3) | Runlevels (p4) | root password (p5) | Compile kernel (p6)

Running kernel and system information
# uname -a                        # Get the kernel version (and BSD version)
# lsb_release -a                  # Full release info of any LSB distribution
# cat /etc/SuSE-release           # Get SuSE version
# cat /etc/debian_version         # Get Debian version
Use /etc/DISTR-release with DISTR= lsb (Ubuntu), redhat, gentoo, mandrake, sun (Solaris), and so on. See also /etc/issue.
# uptime                          # Show how long the system has been running + load
# hostname                        # system's host name
# hostname -i                     # Display the IP address of the host. (Linux only)
# man hier                        # Description of the file system hierarchy
# last reboot                     # Show system reboot history
1.1 Hardware Information
Kernel detected hardware
# dmesg                           # Detected hardware and boot messages
# lsdev                           # information about installed hardware
# dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8   # Read BIOS
                                  # (recent Linux kernels restrict /dev/mem; use dmidecode instead)
Linux
# cat /proc/cpuinfo               # CPU model
# cat /proc/meminfo               # Hardware memory
# grep MemTotal /proc/meminfo     # Display the physical memory
# watch -n1 'cat /proc/interrupts'  # Watch changeable interrupts continuously
# free -m                         # Used and free memory (-m for MB)
# cat /proc/devices               # Configured devices
# lspci -tv                       # Show PCI devices
# lsusb -tv                       # Show USB devices
# lshal                           # Show a list of all devices with their properties
# dmidecode                       # Show DMI/SMBIOS: hw info from the BIOS
FreeBSD
# sysctl hw.model                 # CPU model
# sysctl hw                       # Gives a lot of hardware information
# sysctl vm                       # Memory usage
# dmesg | grep "real mem"         # Hardware memory
# sysctl -a | grep mem            # Kernel memory settings and info
# sysctl dev                      # Configured devices
# pciconf -l -cv                  # Show PCI devices
# usbdevs -v                      # Show USB devices
# atacontrol list                 # Show ATA devices
# camcontrol devlist -v           # Show SCSI devices
1.2 Load, statistics and messages
The following commands are useful to find out what is going on on the system.
# top                             # display and update the top cpu processes
# mpstat 1                        # display processors related statistics
# vmstat 2                        # display virtual memory statistics
# iostat 2                        # display I/O statistics (2 s intervals)
# systat -vmstat 1                # BSD summary of system statistics (1 s intervals)
# systat -tcp 1                   # BSD tcp connections (try also -ip)
IPv4.cpp:
#include "IPv4.h"
#include <string>
#include <sstream>
using namespace std;                              // use the namespaces
using namespace GenericUtils;
IPv4::IPv4() {}                                   // default constructor/destructor
IPv4::~IPv4() {}
string IPv4::IPint_to_IPquad(unsigned long ip) {  // member implementation
    ostringstream ipstr;                          // use a stringstream
    ipstr << ((ip & 0xff000000) >> 24)            // Bitwise right shift
          << "." << ((ip & 0x00ff0000) >> 16)
          << "." << ((ip & 0x0000ff00) >> 8)
          << "." << ((ip & 0x000000ff));
    return ipstr.str();
}

The program simplecpp.cpp
#include "IPv4.h"
#include <iostream>
#include <string>
using namespace std;
int main (int argc, char* argv[]) {
    string ipstr;                                 // define variables
    unsigned long ipint = 1347861486;             // The IP in integer form
    GenericUtils::IPv4 iputils;                   // create an object of the class
    ipstr = iputils.IPint_to_IPquad(ipint);       // call the class member
    cout << ipint << " = " << ipstr << endl;      // print the result
    return 0;
}

Compile and execute with:
# g++ -c IPv4.cpp simplecpp.cpp                   # Compile in objects
# g++ IPv4.o simplecpp.o -o simplecpp.exe         # Link the objects to final executable
# ./simplecpp.exe
1347861486 = 80.86.187.238
Use ldd to check which libraries are used by the executable and where they are located. This command is also used to check if a shared library is missing or if the executable is static. Note that ldd may run the executable's dynamic loader to resolve the dependencies, so never run it on an untrusted binary; objdump -p file | grep NEEDED lists the required libraries without executing anything.
# ldd /sbin/ifconfig

22.5 Simple Makefile
The corresponding minimal Makefile for the multi-source program is shown below. The lines with instructions must begin with a tab! The back slash "\" can be used to cut long lines.
CC     = g++
CFLAGS = -O
TARGET = simplecpp
OBJS   = IPv4.o simplecpp.o

${TARGET}: ${OBJS}
	${CC} -o ${TARGET} ${CFLAGS} ${OBJS}

clean:
	rm -f ${TARGET} ${OBJS}
22.2 C example
A minimal C program simple.c:
#include <stdio.h>
int main(void) {
    int number = 42;
    printf("The answer is %i\n", number);
    return 0;
}
Compile with:
# gcc simple.c -o simple
# ./simple
The answer is 42

22.3 C++ basics
*pointer              // Object pointed to by pointer
&obj                  // Address of object obj
obj.x                 // Member x of class obj (object obj)
pobj->x               // Member x of class pointed to by pobj
                      // (*pobj).x and pobj->x are the same

22.4 C++ example
As a slightly more realistic program in C++, let's create a class in its own header (IPv4.h) and implementation (IPv4.cpp) and create a program which uses the class functionality. The class has a member to convert an IP address in integer format to the known quad format. This is a minimal C++ program with a class and multi-source compile.
IPv4 class IPv4.h:
#ifndef IPV4_H
#define IPV4_H
#include <string>
namespace GenericUtils {                          // create a namespace
class IPv4 {                                      // class definition
public:
    IPv4();
    ~IPv4();
    std::string IPint_to_IPquad(unsigned long ip); // member interface
};
}                                                 // namespace GenericUtils
#endif                                            // IPV4_H
# systat -netstat 1               # BSD active network connections
# systat -ifstat 1                # BSD network traffic through active interfaces
# systat -iostat 1                # BSD CPU and disk throughput
# tail -n 500 /var/log/messages   # Last 500 kernel/syslog messages
# tail /var/log/warn              # System warnings messages see syslog.conf

1.3 Users
# id                              # Show the active user id with login and group
# last                            # Show last logins on the system
# who                             # Show who is logged on the system
# groupadd admin                  # Add group "admin" and user colin (Linux/Solaris)
# useradd -c "Colin Barschel" -g admin -m colin
# usermod -a -G <group> <user>    # Add existing user to group (Debian)
# groupmod -A <user> <group>      # Add existing user to group (SuSE)
# userdel colin                   # Delete user colin (Linux/Solaris)
# adduser joe                     # FreeBSD add user joe (interactive)
# rmuser joe                      # FreeBSD delete user joe (interactive)
# pw groupadd admin               # Use pw on FreeBSD
# pw groupmod admin -m newmember  # Add a new member to a group
# pw useradd colin -c "Colin Barschel" -g admin -m -s /bin/tcsh
# pw userdel colin; pw groupdel admin
Password hashes (the "encrypted" password field) are stored in /etc/shadow for Linux and Solaris and in /etc/master.passwd on FreeBSD. If the master.passwd is modified manually (say to delete a password), run # pwd_mkdb -p master.passwd to rebuild the database. To temporarily prevent logins system wide (for all users but root) use nologin. The message in nologin will be displayed (might not work with ssh pre-shared keys).
# echo "Sorry no login now" > /etc/nologin       # (Linux)
# echo "Sorry no login now" > /var/run/nologin   # (FreeBSD)
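Since the password field is what decides whether an account can log in at all, it is worth auditing. The following POSIX sh functions are an added example, not part of the Unix Toolbox: they list accounts whose hash field is empty (no password needed), list locked accounts, and lock an account the way passwd -l does, by prefixing the hash with "!". The shadow entries are constructed placeholders written to a temporary file; the function names are assumptions and nothing touches the live /etc/shadow.

```sh
#!/bin/sh
# Added example (not part of the Unix Toolbox): audit a shadow-format file for
# accounts that need no password at all, list locked accounts, and lock one the
# way "passwd -l" does (prefix the hash with "!"). The sample entries below are
# constructed and live in a temporary file; nothing touches the real /etc/shadow.
# Field 2 of each line is the hash: empty = no password required,
# "!" or "*" prefix = locked/disabled, anything else = a password hash.

shadow_passwordless() {          # $1: shadow-format file; prints logins with an empty hash
    awk -F: '$2 == "" { print $1 }' "$1"
}

shadow_locked() {                # prints logins whose hash starts with "!" or "*"
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

shadow_lock() {                  # $1: file, $2: login; returns 1 if the login is absent
    grep -q "^$2:" "$1" || return 1
    tmp="$1.tmp.$$"
    awk -F: -v OFS=: -v user="$2" '
        $1 == user && $2 !~ /^!/ { $2 = "!" $2 }   # idempotent: never double-lock
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

make_sample_shadow() {           # constructed data, hashes are placeholders
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$saltsalt$placeholderhash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
colin:$6$xyz$anotherplaceholder:17000:0:99999:7:::
old:!$6$abc$lockedplaceholder:17000:0:99999:7:::
EOF
    echo "$f"
}

shadow_demo() {
    f=$(make_sample_shadow)
    echo "passwordless: $(shadow_passwordless "$f" | tr '\n' ' ')"
    echo "locked:       $(shadow_locked "$f" | tr '\n' ' ')"
    shadow_lock "$f" guest
    echo "after lock:   $(shadow_locked "$f" | tr '\n' ' ')"
    rm -f "$f"
}
shadow_demo
```

To run the same checks on a real system, point the functions at a root-readable copy of /etc/shadow (or /etc/master.passwd on FreeBSD, where the hash is also the second field); on FreeBSD, follow any edit with pwd_mkdb -p as described above.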
1.4 Limits
Some applications require higher limits on open files and sockets (like a proxy web server, database). The default limits are usually too low.
Linux
Per shell/script
The shell limits are governed by ulimit. The status is checked with ulimit -a. For example to change the open files limit from 1024 to 10240 do:
# ulimit -n 10240                 # This is only valid within the shell
The ulimit command can be used in a script to change the limits for the script only. A non-root shell can raise its soft limit only up to the hard limit (ulimit -Hn); only root can raise a hard limit, and lowering one cannot be undone within that shell.
Per user/process
Login users and applications can be configured in /etc/security/limits.conf. For example:
# cat /etc/security/limits.conf
*        hard    nproc   250     # Limit user processes
asterisk hard    nofile  409600  # Limit application open files
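Mistakes in limits.conf are silent: a hard value below its soft value means the soft one never takes effect (setrlimit(2) rejects a soft limit above the hard one), and without a hard nproc for the wildcard domain nothing but the kernel stands between a user and the fork bomb shown in section 21.5. The POSIX sh checks below are an added example, not part of the Unix Toolbox; they parse a constructed limits.conf written to a temporary file, and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the Unix Toolbox): sanity-check a limits.conf-style
# file before relying on it. The pam_limits(8) line format is
#   <domain> <type> <item> <value>     with type = soft | hard | -
# where "-" sets both. Two checks that bite in practice: a hard value below its
# soft value (setrlimit rejects soft > hard, so the soft value is lost), and a
# wildcard domain with no finite hard nproc (fork bombs are then kernel-bounded).
# Input is a constructed sample, not the live /etc/security/limits.conf.

# Strip comments and blank lines; expand type "-" into a soft and a hard line.
limits_normalize() {
    sed 's/#.*//' "$1" | awk 'NF == 4 {
        if ($2 == "-") { print $1, "soft", $3, $4; print $1, "hard", $3, $4 }
        else           { print $1, $2, $3, $4 }
    }'
}

# Print "<domain> <item>" for every pair whose hard value is below its soft value.
# "unlimited" is treated as larger than any number.
limits_hard_below_soft() {
    limits_normalize "$1" | awk '
        function num(v) { return v == "unlimited" ? 1e18 : v + 0 }
        $2 == "soft" { soft[$1 SUBSEP $3] = num($4) }
        $2 == "hard" { hard[$1 SUBSEP $3] = num($4) }
        END {
            for (k in hard) if ((k in soft) && hard[k] < soft[k]) {
                split(k, p, SUBSEP); print p[1], p[2]
            }
        }' | sort
}

# Return 0 if the wildcard domain "*" carries a finite hard nproc limit, else 1.
limits_wildcard_nproc_capped() {
    limits_normalize "$1" | awk '
        $1 == "*" && $2 == "hard" && $3 == "nproc" && $4 != "unlimited" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

make_sample_limits() {           # constructed sample, same layout as limits.conf
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample limits.conf
*        hard    nproc   250       # fork-bomb guard
asterisk hard    nofile  409600    # PBX needs many sockets
bob      soft    nofile  8192
bob      hard    nofile  4096      # lower than soft: the 8192 can never apply
www      -       nofile  65536
www      hard    core    0
EOF
    echo "$f"
}

limits_report() {
    f=$(make_sample_limits)
    echo "hard below soft: $(limits_hard_below_soft "$f" | tr '\n' ';')"
    if limits_wildcard_nproc_capped "$f"; then echo "wildcard nproc: capped"
    else echo "wildcard nproc: NOT capped"; fi
    rm -f "$f"
}
limits_report
```

Run the two check functions against the real /etc/security/limits.conf (and the files in /etc/security/limits.d/) after editing; remember that the values only apply to sessions opened through PAM after the change.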
System wide
Kernel limits are set with sysctl. Permanent limits are set in /etc/sysctl.conf.
# sysctl -a                       # View all system limits
# sysctl fs.file-max              # View max open files limit
# sysctl fs.file-max=102400       # Change max open files limit
# echo "1024 50000" > /proc/sys/net/ipv4/ip_local_port_range   # port range
# cat /etc/sysctl.conf
fs.file-max=102400                # Permanent entry in sysctl.conf
# cat /proc/sys/fs/file-nr        # How many file descriptors are in use
FreeBSD
Per shell/script
Use the command limits in csh or tcsh or as in Linux, use ulimit in an sh or bash shell.
Per user/process
The default limits on login are set in /etc/login.conf. An unlimited value is still limited by the system maximal value.
System wide
Kernel limits are also set with sysctl. Permanent limits are set in /etc/sysctl.conf or /boot/loader.conf. The syntax is the same as Linux but the keys are different.
# sysctl -a                       # View all system limits
# sysctl kern.maxfiles=XXXX       # maximum number of file descriptors
kern.ipc.nmbclusters=32768        # Permanent entry in /etc/sysctl.conf
kern.maxfiles=65536               # Typical values for Squid
kern.maxfilesperproc=32768
kern.ipc.somaxconn=8192           # TCP queue. Better for apache/sendmail
# sysctl kern.openfiles           # How many file descriptors are in use
# sysctl kern.ipc.numopensockets  # How many open sockets are in use
# sysctl -w net.inet.ip.portrange.last=50000   # Default is 1024-5000
# netstat -m                      # network memory buffers statistics
See The FreeBSD handbook Chapter 11 [1] for details.

Solaris
The following values in /etc/system will increase the maximum file descriptors per proc:
set rlim_fd_max = 4096            # Hard limit on file descriptors for a single proc
set rlim_fd_cur = 1024            # Soft limit on file descriptors for a single proc
1.5 Runlevels
Linux
Once booted, the kernel starts init which then starts rc which starts all scripts belonging to a runlevel. The scripts are stored in /etc/init.d and are linked into /etc/rc.d/rcN.d with N the runlevel number. The default runlevel is configured in /etc/inittab. It is usually 3 or 5:
# grep default: /etc/inittab
id:3:initdefault:
The actual runlevel (the list is shown below) can be changed with init. For example to go from 3 to 5:
# init 5                          # Enters runlevel 5
0   Shutdown and halt
1   Single-User mode (also S)
2   Multi-user without network
3   Multi-user with network
5   Multi-user with X
6   Reboot
Use chkconfig to configure the programs that will be started at boot in a runlevel.
# chkconfig --list                # List all init scripts
# chkconfig --list sshd           # Report the status of sshd

[1] http://www.freebsd.org/handbook/configtuning-kernel-limits.html
sed '/ *#/d; /^ *$/d'             # Remove comments and blank lines (deletes every line containing a #, not only comment lines)
sed 's/[ \t]*$//'                 # Remove trailing spaces (use tab as \t)
sed 's/^[ \t]*//;s/[ \t]*$//'     # Remove leading and trailing spaces
sed 's/[^*]/[&]/'                 # Enclose first char with [] top->[t]op
sed = file | sed 'N;s/\n/\t/' > file.num   # Number lines on a file

21.4 Regular Expressions
Some basic regular expressions useful for sed too. See Basic Regex Syntax [26] for a good primer.
[\^$.|?*+()     # special characters any other will match themselves
\               # escapes special characters and treat as literal
*               # repeat the previous item zero or more times
.               # single character except line break characters
.*              # match zero or more characters
^               # match at the start of a line/string
$               # match at the end of a line/string
.$              # match a single character at the end of line/string
^ $             # match line with a single space
^[A-Z]          # match any line beginning with any char from A to Z
21.5 Some useful commands
The following commands are useful to include in a script or as one liners.
sort -t. -k1,1n -k2,2n -k3,3n -k4,4n        # Sort IPv4 ip addresses
echo 'Test' | tr '[:lower:]' '[:upper:]'   # Case conversion
echo foo.bar | cut -d . -f 1                # Returns foo
PID=$(ps | grep script.sh | grep bin | awk '{print $1}')   # PID of a running script
PID=$(ps axww | grep [p]ing | awk '{print $1}')           # PID of ping (w/o grep pid)
IP=$(ifconfig $INTERFACE | sed '/.*inet addr:/!d;s///;s/ .*//')   # Linux
IP=$(ifconfig $INTERFACE | sed '/.*inet /!d;s///;s/ .*//')        # FreeBSD
if [ `diff file1 file2 | wc -l` != 0 ]; then [...] fi     # File changed?
# Create http passwd (copies the password hashes, so the output file must not be world readable)
cat /etc/master.passwd | grep -v root | grep -v \*: | awk -F":" \
  '{ printf("%s:%s\n", $1, $2) }' > /usr/local/etc/apache2/passwd
# Check user in passwd
testuser=$(cat /usr/local/etc/apache2/passwd | grep -v \
  root | grep -v \*: | awk -F":" '{ printf("%s\n", $1) }' | grep ^user$)
:(){ :|:& };:                               # bash fork bomb. Will kill your machine
tail -n +2 file > file2                     # remove the first line from file
I use this little trick to change the file extension for many files at once. For example from .cxx to .cpp. Test it first without the | sh at the end. You can also do this with the command rename if installed. Or with bash builtins. The two ls | sh forms execute the file names as shell code, so they break, or run unintended commands, on names containing spaces or shell metacharacters; the for loop with quoted "$i" is safe.
# ls *.cxx | awk -F. '{print "mv "$0" "$1".cpp"}' | sh
# ls *.c | sed "s/.*/cp & &.$(date "+%Y%m%d")/" | sh   # e.g. copy *.c to *.c.20080401
# rename .cxx .cpp *.cxx                               # Rename all .cxx to cpp
# for i in *.cxx; do mv "$i" "${i%%.cxx}.cpp"; done     # with bash builtins
22 PROGRAMMING

22.1 C basics
strcpy(newstr,str)                /* copy str to newstr (no bounds check: newstr must be large enough) */
expr1 ? expr2 : expr3             /* if (expr1) expr2 else expr3 */
x = (y > z) ? y : z;              /* if (y > z) x = y; else x = z; */
int a[]={0,1,2};                  /* Initialized array (or a[3]={0,1,2}; */
int a[2][3]={{1,2,3},{4,5,6}};    /* Array of array of ints */
int i = 12345;                    /* Convert int i to char str */
char str[10];
snprintf(str, sizeof str, "%d", i);   /* snprintf bounds the write to the buffer size */

[26] http://www.regular-expressions.info/reference.html
Constructs
for file in *                     # globbing, not `ls`: file names are not word-split
do
    echo "$file"
done

count=0
while [ $count -lt 5 ]; do
    echo $count
    sleep 1
    count=$(($count + 1))
done

myfunction() {
    find . -type f -name "*.$1" -print   # $1 is first argument of the function
}
myfunction "txt"

Generate a file
MYHOME=/home/colin
cat > testhome.sh << _EOF
# All of this goes into the file testhome.sh
if [ -d "$MYHOME" ] ; then
    echo $MYHOME exists
else
    echo $MYHOME does not exist
fi
_EOF
sh testhome.sh
21.2 Bourne script example
As a small example, the script used to create a PDF booklet from this xhtml document:
#!/bin/sh
# This script creates a book in pdf format ready to print on a duplex printer
if [ $# -ne 1 ]; then                     # Check the argument
    echo 1>&2 "Usage: $0 HtmlFile"
    exit 1                                # non zero exit if error
fi
file=$1                                   # Assign the filename
fname=${file%.*}                          # Get the name of the file only
fext=${file#*.}                           # Get the extension of the file
prince $file -o $fname.pdf                # from www.princexml.com
pdftops -paper A4 -noshrink $fname.pdf $fname.ps   # create postscript booklet
cat $fname.ps |psbook|psnup -Pa4 -2 |pstops -b "2:0,1U(21cm,29.7cm)" > $fname.book.ps
ps2pdf13 -sPAPERSIZE=a4 -sAutoRotatePages=None $fname.book.ps $fname.book.pdf   # use #a4 and #None on Windows!
exit 0                                    # exit 0 means successful
21.3 Some sed commands
Here is the one liner gold mine [24]. And a good introduction and tutorial to sed [25].
sed 's/string1/string2/g'                 # Replace string1 with string2
sed -i 's/wroong/wrong/g' *.txt           # Replace a recurring word with g
sed 's/\(.*\)1/\12/g'                     # Modify anystring1 to anystring2
sed '/<p>/,/<\/p>/d' t.xhtml              # Delete lines that start with <p>
                                          # and end with </p>

[24] http://student.northpark.edu/pemente/sed/sed1line.txt
[25] http://www.grymoire.com/Unix/Sed.html
# chkconfig sshd --level 35 on    # Configure sshd for levels 3 and 5
# chkconfig sshd off              # Disable sshd for all runlevels
Debian and Debian based distributions like Ubuntu or Knoppix use the command update-rc.d to manage the runlevels scripts. Default is to start in 2,3,4 and 5 and shutdown in 0,1 and 6.
# update-rc.d sshd defaults       # Activate sshd with the default runlevels
# update-rc.d sshd start 20 2 3 4 5 . stop 20 0 1 6 .   # With explicit arguments
# update-rc.d -f sshd remove      # Disable sshd for all runlevels
# shutdown -h now (or # poweroff) # Shutdown and halt the system
FreeBSD
The BSD boot approach is different from the SysV, there are no runlevels. The final boot state (single user, with or without X) is configured in /etc/ttys. All OS scripts are located in /etc/rc.d/ and in /usr/local/etc/rc.d/ for third-party applications. The activation of the service is configured in /etc/rc.conf and /etc/rc.conf.local. The default behavior is configured in /etc/defaults/rc.conf. The scripts respond at least to start|stop|status.
# /etc/rc.d/sshd status
sshd is running as pid 552.
# shutdown now                    # Go into single-user mode
# exit                            # Go back to multi-user mode
# shutdown -p now                 # Shutdown and halt the system
# shutdown -r now                 # Reboot
The process init can also be used to reach one of the following states level. For example # init 6 for reboot.
0   Halt and turn the power off (signal USR2)
1   Go to single-user mode (signal TERM)
6   Reboot the machine (signal INT)
c   Block further logins (signal TSTP)
q   Rescan the ttys(5) file (signal HUP)
1.6 Reset root password
Linux method 1
At the boot loader (lilo or grub), enter the following boot option:
init=/bin/sh
The kernel will mount the root partition and init will start the bourne shell instead of rc and then a runlevel. Use the command passwd at the prompt to change the password and then reboot. Forget the single user mode as you need the password for that. Note that anyone with access to the console can do the same, which is why a boot loader password and an encrypted root partition matter on exposed machines.
If, after booting, the root partition is mounted read only, remount it rw:
# mount -o remount,rw /
# passwd                          # or delete the root password (/etc/shadow)
# sync; mount -o remount,ro /     # sync before to remount read only
# reboot
FreeBSD method 1
On FreeBSD, boot in single user mode, remount / rw and use passwd. You can select the single user mode on the boot menu (option 4) which is displayed for 10 seconds at startup. The single user mode will give you a root shell on the / partition.
# mount -u /; mount -a            # will mount / rw
# passwd
# reboot
Unixes and FreeBSD and Linux method 2
Other Unixes might not let you get away with the simple init trick. The solution is to mount the root partition from an other OS (like a rescue CD) and change the password on the disk.
• Boot a live CD or installation CD into a rescue mode which will give you a shell.
• Find the root partition with fdisk e.g. fdisk /dev/sda
• Mount it and use chroot:
# mount -o rw /dev/ad4s3a /mnt
# chroot /mnt                     # chroot into /mnt
# passwd
# reboot
1.7 Kernel modules
Linux
# lsmod                           # List all modules loaded in the kernel
# modprobe isdn                   # To load a module (here isdn)
FreeBSD
# kldstat                         # List all modules loaded in the kernel
# kldload crypto                  # To load a module (here crypto)

1.8 Compile Kernel
Linux
# cd /usr/src/linux
# make mrproper                   # Clean everything, including config files (save .config first if oldconfig is to reuse it)
# make oldconfig                  # Reuse the old .config if existent
# make menuconfig                 # or xconfig (Qt) or gconfig (GTK)
# make                            # Create a compressed kernel image
# make modules                    # Compile the modules
# make modules_install            # Install the modules
# make install                    # Install the kernel
# reboot
FreeBSD
Optionally update the source tree (in /usr/src) with csup (as of FreeBSD 6.2 or later):
# csup <supfile>
I use the following supfile:
*default host=cvsup5.FreeBSD.org # www.freebsd.org/handbook/cvsup.html#CVSUP-MIRRORS
*default prefix=/usr
*default base=/var/db
*default release=cvs delete tag=RELENG_7
src-all
To modify and rebuild the kernel, copy the generic configuration file to a new name and edit it as needed (you can also edit the file GENERIC directly). To restart the build after an interruption, add the option NO_CLEAN=YES to the make command to avoid cleaning the objects already built.
# cd /usr/src/sys/i386/conf/
# cp GENERIC MYKERNEL
# cd /usr/src
# make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL
To rebuild the full OS:
# make buildworld                 # Build the full OS but not the kernel
# make buildkernel                # Use KERNCONF as above if appropriate
# Bindkey and colors
bindkey -e                        # Select Emacs bindings: use emacs keys to edit the command prompt
bindkey -k up history-search-backward    # Use up and down arrow to search
bindkey -k down history-search-forward
setenv CLICOLOR 1                 # Use colors (if possible)
setenv LSCOLORS ExGxFxdxCxDxDxBxBxExEx
The emacs mode enables to use the emacs keys shortcuts to modify the command prompt line. This is extremely useful (not only for emacs users). The most used commands are:
C-a   Move cursor to beginning of line
C-e   Move cursor to end of line
M-b   Move cursor back one word
M-f   Move cursor forward one word
M-d   Cut the next word
C-w   Cut the last word
C-u   Cut everything before the cursor
C-k   Cut everything after the cursor (rest of the line)
C-y   Paste the last thing to be cut (simply paste)
C-_   Undo
Note: C- = hold control, M- = hold meta (which is usually the alt or escape key).
21 SCRIPTING
Basics (p51) | Script example (p52) | sed (p52) | Regular Expressions (p53) | useful commands (p53)

The Bourne shell (/bin/sh) is present on all Unix installations and scripts written in this language are (quite) portable; man 1 sh is a good reference.

21.1 Basics
Variables and arguments
Assign with variable=value and get content with $variable
MESSAGE="Hello World"             # Assign a string
PI=3.1415                         # Assign a decimal number
N=8
TWON=`expr $N \* 2`               # Arithmetic expression (only integers); the * must be escaped or the shell globs it
TWON=$(($N * 2))                  # Other syntax
TWOPI=`echo "$PI * 2" | bc -l`    # Use bc for floating point operations
ZERO=`echo "c($PI/4)-sqrt(2)/2" | bc -l`
The command line arguments are
$0, $1, $2, ...                   # $0 is the command itself
$#                                # The number of arguments
$*                                # All arguments (also $@)
Special Variables
$$                                # The current process ID
$?                                # exit status of last command
command
if [ $? != 0 ]; then
    echo "command failed"
fi
mypath=`pwd`
mypath=${mypath}/file.txt
echo ${mypath##*/}                # Display the filename only
echo ${mypath%%.*}                # Full path without extension
var2=${var:=string}               # Use var if set, otherwise use string
                                  # assign string to var and then to var2.
sort    Sort alphabetically or numerically
uniq    Remove duplicate lines from a file
For example used all at once:
# ifconfig | sed 's/	/ /g' | cut -d" " -f1 | uniq | grep -E "[a-z0-9]+" | sort -r
# ifconfig | sed '/.*inet addr:/!d;s///;s/ .*//'|sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
The first character in the sed pattern is a tab. To write a tab on the console, use ctrl-v ctrl-tab.
20.1 bash
Redirects and pipes for bash and sh:
# cmd 1> file                     # Redirect stdout to file.
# cmd 2> file                     # Redirect stderr to file.
# cmd 1>> file                    # Redirect and append stdout to file.
# cmd &> file                     # Redirect both stdout and stderr to file.
# cmd >file 2>&1                  # Redirect stdout to file, then stderr to the same place (order matters)
# cmd1 | cmd2                     # pipe stdout to cmd2
# cmd1 2>&1 | cmd2                # pipe stdout and stderr to cmd2
Modify your configuration in ~/.bashrc (it can also be ~/.bash_profile). The following entries are useful, reload with ". .bashrc".
# in .bashrc
bind '"\e[A"':history-search-backward   # Use up and down arrow to search
bind '"\e[B"':history-search-forward    # the history. Invaluable!
set -o emacs                      # Set emacs mode in bash (see below)
bind 'set bell-style visible'     # Do not beep, inverse colors (readline setting, also valid in ~/.inputrc)
# Set a nice prompt like [user@host]/path/todir>
PS1="\[\033[1;30m\][\[\033[1;34m\]\u\[\033[1;30m\]"
PS1="$PS1@\[\033[0;33m\]\h\[\033[1;30m\]]\[\033[0;37m\]"
PS1="$PS1\w\[\033[1;30m\]>\[\033[0m\]"
# To check the currently active aliases, simply type alias
alias ls='ls -aF'                 # Append indicator (one of */=>@|)
alias ll='ls -aFls'               # Listing
alias la='ls -all'
alias ..='cd ..'
alias ...='cd ../..'
export HISTFILESIZE=5000          # Larger history
export CLICOLOR=1                 # Use colors (if possible)
export LSCOLORS=ExGxFxdxCxDxDxBxBxExEx

20.2 tcsh
Redirects and pipes for tcsh and csh (simple > and >> are the same as sh):
# cmd >& file                     # Redirect both stdout and stderr to file.
# cmd >>& file                    # Append both stdout and stderr to file.
# cmd1 | cmd2                     # pipe stdout to cmd2
# cmd1 |& cmd2                    # pipe stdout and stderr to cmd2
The settings for csh/tcsh are set in ~/.cshrc, reload with "source .cshrc". Examples:
# in .cshrc
alias ls 'ls -aF'
alias ll 'ls -aFls'
alias la 'ls -all'
alias .. 'cd ..'
alias ... 'cd ../..'
set prompt = "%B%n%b@%B%m%b%/> "  # like user@host/path/todir>
set history = 5000
set savehist = ( 6000 merge )
set autolist                      # Report possible completions with tab
set visiblebell                   # Do not beep, inverse colors
# make installkernel
# reboot
# mergemaster -p                  # Compares only files known to be essential
# make installworld
# mergemaster -i -U               # Update all configuration and other files
# reboot
For small changes in the source you can use NO_CLEAN=yes to avoid rebuilding the whole tree. But use with care.
# make buildworld NO_CLEAN=yes    # Don't delete the old objects
# make buildkernel KERNCONF=MYKERNEL NO_CLEAN=yes
2 PROCESSES
Listing (p7) | Priority (p7) | Background/Foreground (p8) | Top (p8) | Kill (p8)

2.1 Listing and PIDs
Each process has a unique number, the PID. A list of all running processes is retrieved with ps.
# ps -auxefw                      # Extensive list of all running process
However more typical usage is with a pipe or with pgrep:
# ps axww | grep cron
  586  ??  Is     0:01.48 /usr/sbin/cron -s
# ps aux | grep 'ss[h]'           # Find all ssh pids without the grep pid
# pgrep -l sshd                   # Find the PIDs of processes by (part of) name
# echo $$                         # The PID of your shell
# fuser -va 22/tcp                # List processes using port 22 (Linux)
# fuser -va /home                 # List processes accessing the /home partition
# strace df                       # Trace system calls and signals
# truss df                        # same as above on FreeBSD/Solaris/Unixware
# history | tail -50              # Display the last 50 used commands
2.2 Priority
Change the priority of a running process with renice. Negative numbers have a higher priority, the lowest is -20 and "nice" have a positive value. Only root can set a negative value or renice a process to a higher priority.
# renice -5 586                   # Stronger priority
586: old priority 0, new priority -5
Start the process with a defined priority with nice. Positive is "nice" or weak, negative is strong scheduling priority. Make sure you know if /usr/bin/nice or the shell built-in is used (check with # which nice).
# nice -n -5 top                  # Stronger priority (/usr/bin/nice)
# nice -n 5 top                   # Weaker priority (/usr/bin/nice)
# nice +5 top                     # tcsh builtin nice (same as above!)
While nice changes the CPU scheduler, another useful command ionice will schedule the disk IO. This is very useful for intensive IO applications which can bring a machine to its knees while still in a lower priority. The command is only available on Linux (AFAIK). You can select a class (idle - best effort - real time), the man page is short and well explained.
# ionice -c3 -p123                # set idle class for pid 123
# ionice -c2 -n0 firefox          # Run firefox with best effort and high priority
# ionice -c3 -p$$                 # Set the actual shell to idle priority
For example the last command is very useful to compile (or debug) a large project. Every command launched from this shell will have a lower priority and will not disturb the system. $$ is your shell pid (try echo $$).
2.3
Ba
ck
gro
un
d/
Fo
re
gro
un
d
When
sta
rted
from
ashell,
pro
cesses
can
be
bro
ught
inth
ebackgro
und
and
back
toth
efo
regro
und
with
[Ctrl]-[Z
](^
Z),
bg
andfg.
For
exam
ple
sta
rttw
opro
cesses,
brin
gth
em
inth
e
backgro
und, lis
t the p
rocesses w
ithjobs
and b
ring o
ne in
the fo
regro
und.
# ping cb.vu > ping.log
^Z
# ping is suspended (stopped) with [Ctrl]-[Z]
# bg
# put in background and continues running
# jobs -l
# List processes in background
[1] - 36232 Running ping cb.vu > ping.log
[2] + 36233 Suspended (tty output) top
# fg %2
# Bring process 2 back in foreground
Usenohup
tosta
rta
pro
cess
whic
hhas
tokeep
runnin
gw
hen
the
shell
isclo
sed
(imm
une
to
hangups).
# nohup ping -i 60 > ping.log &
2.4
To
p
The
pro
gra
mtop
dis
pla
ys
runnin
gin
form
atio
nof
pro
cesses.
The
pro
gra
mhtop
from
hto
p.s
ourc
efo
rge.n
et
isa
very
nic
ealte
rnativ
eand
am
ore
pow
erfu
lvers
ion
of
top.
Runs
on
Lin
ux
and F
reeBSD
(ports/sysutils/htop/).
# top
While top is running press the key h for a help overview. Useful keys are:
• u [user name]   To display only the processes belonging to the user. Use + or blank to see all users
• k [pid]   Kill the process with pid.
• 1   To display all processors statistics (Linux only)
• R   Toggle normal/reverse sort.
2.5 Signals/Kill
Terminate or send a signal with kill or killall.
# ping -i 60 cb.vu > ping.log &
[1] 4712
# kill -s TERM 4712
# same as kill -15 4712
# killall -1 httpd
# Kill HUP processes by exact name
# pkill -9 http
# Kill (KILL, -9) processes by (part of) name
# pkill -TERM -u www
# Kill TERM processes owned by www
# fuser -k -TERM -m /home
# Kill every process accessing /home (to umount)
Important signals are:
1 HUP (hang up)
2 INT (interrupt)
3 QUIT (quit)
9 KILL (non-catchable, non-ignorable kill)
15 TERM (software termination signal)
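The difference between TERM and KILL in the list above, shown as an added example that is not part of the Unix Toolbox: a child shell installs a trap for TERM and HUP and exits cleanly when one of them arrives, while KILL cannot be trapped, so the child simply dies and wait reports 128 plus the signal number. It assumes a POSIX sh with mktemp available; the temporary file is only used to capture the child's output.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox: a child shell traps TERM and HUP and
# exits cleanly when one arrives; KILL (9) cannot be trapped, so the child just dies.
# signal_outcome SIGNAME -> prints "caught" or "killed by signal N"
signal_outcome() {
    out=$(mktemp)
    # Child process: install the handler, then idle. Its output lands in $out.
    sh -c 'trap "echo caught; exit 0" TERM HUP; while :; do sleep 1; done' > "$out" &
    pid=$!
    sleep 1                        # let the child install its trap before we signal it
    kill -s "$1" "$pid"            # same form as "kill -s TERM 4712" above
    status=0
    wait "$pid" || status=$?       # 0 after the handler ran, 128+signal if it was killed
    if [ "$(cat "$out")" = caught ]; then
        echo caught
    else
        echo "killed by signal $((status - 128))"
    fi
    rm -f "$out"
}

# Stand-alone demonstration: TERM is handled, KILL is not.
for s in TERM KILL; do
    printf '%-4s -> %s\n' "$s" "$(signal_outcome "$s")"
done
```

The same trap/wait pattern is what daemons rely on to flush state on TERM, which is why TERM (the default of kill, killall and pkill) should be tried before resorting to -9.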
19.2 FreeBSD setup
The quota tools are part of the base system, however the kernel needs the option quota. If it is not there, add it and recompile the kernel.
options QUOTA
As with Linux, add the quota to the fstab options (userquota, not usrquota):
/dev/ad0s1d /home ufs rw,noatime,userquota 2 2
# mount /home
# To remount the partition
Enable disk quotas in /etc/rc.conf and start the quota.
# grep quotas /etc/rc.conf
enable_quotas="YES"
# turn on quotas on startup (or NO).
check_quotas="YES"
# Check quotas on startup (or NO).
# /etc/rc.d/quota start
19.3 Assign quota limits
The quotas are not limited per default (set to 0). The limits are set with edquota for single users. A quota can also be duplicated to many users. The file structure is different between the quota implementations, but the principle is the same: the values of blocks and inodes can be limited. Only change the values of soft and hard. If not specified, the blocks are 1k. The grace period is set with edquota -t. For example:
# edquota -u colin
Linux
Disk quotas for user colin (uid 1007):
Filesystem blocks soft hard inodes soft hard
/dev/sda8 108 1000 2000 1 0 0
FreeBSD
Quotas for user colin:
/home: kbytes in use: 504184, limits (soft = 700000, hard = 800000)
inodes in use: 1792, limits (soft = 0, hard = 0)
For many users
The command edquota -p is used to duplicate a quota to other users. For example to duplicate a reference quota to all users:
# edquota -p refuser `awk -F: '$3 > 499 {print $1}' /etc/passwd`
# edquota -p refuser user1 user2
# Duplicate to 2 users
Checks
Users can check their quota by simply typing quota (the file quota.user must be readable). Root can check all quotas.
# quota -u colin
# Check quota for a user
# repquota /home
# Full report for the partition for all users
20 SHELLS
Most Linux distributions use the bash shell while the BSDs use tcsh; the bourne shell is only used for scripts. Filters are very useful and can be piped:
grep   Pattern matching
sed    Search and Replace strings or characters
cut    Print specific columns from a marker
Backup and restore
Backup and restore a single database:
# mysqldump -u root -psecret --add-drop-database dbname > dbname_sql.dump
# mysql -u root -psecret -D dbname < dbname_sql.dump
Backup and restore all databases:
# mysqldump -u root -psecret --add-drop-database --all-databases > full.dump
# mysql -u root -psecret < full.dump
Here "secret" is the mysql root password; there is no space after -p. When the -p option is used alone (w/o password), the password is asked at the command prompt.
18.3 SQLite
SQLite [23] is a small, powerful, self-contained, serverless, zero-configuration SQL database.
Dump and restore
It can be useful to dump and restore an SQLite database. For example you can edit the dump file to change a column attribute or type and then restore the database. This is easier than messing with SQL commands. Use the command sqlite3 for a 3.x database.
# sqlite database.db .dump > dump.sql
# dump
# sqlite database.db < dump.sql
# restore
Convert 2.x to 3.x database
sqlite database_v2.db .dump | sqlite3 database_v3.db
19 DISK QUOTA
A disk quota allows to limit the amount of disk space and/or the number of files a user (or member of a group) can use. The quotas are allocated on a per-file system basis and are enforced by the kernel.
19.1 Linux setup
The quota tools package usually needs to be installed, it contains the command line tools. Activate the user quota in the fstab and remount the partition. If the partition is busy, either all locked files must be closed, or the system must be rebooted. Add usrquota to the fstab mount options, for example:
/dev/sda2 /home reiserfs rw,acl,user_xattr,usrquota 1 1
# mount -o remount /home
# mount
# Check if usrquota is active, otherwise reboot
Initialize the quota.user file with quotacheck.
# quotacheck -vum /home
# chmod 644 /home/aquota.user
# To let the users check their own quota
Activate the quota either with the provided script (e.g. /etc/init.d/quotad on SuSE) or with quotaon:
quotaon -vu /home
Check that the quota is active with:
quota -v
23. http://www.sqlite.org
3 FILE SYSTEM
Disk info (p9) | Boot (p9) | Disk usage (p9) | Opened files (p9) | Mount/remount (p10) | Mount SMB (p11) | Mount image (p12) | Burn ISO (p12) | Create image (p13) | Memory disk (p14) | Disk performance (p14)
3.1 Permissions
Change permission and ownership with chmod and chown. The default umask can be changed for all users in /etc/profile for Linux or /etc/login.conf for FreeBSD. The default umask is usually 022. The umask is subtracted from 777, thus umask 022 results in a permission of 755.
1 --x execute    # Mode 764 = exec/read/write | read/write | read
2 -w- write      # For:      |-- Owner --|    |- Group-|   |Oth|
4 r-- read
ugo=a            u=user, g=group, o=others, a=everyone
# chmod [OPTION] MODE[,MODE] FILE
# MODE is of the form [ugoa]*([-+=]([rwxXst]))
# chmod 640 /var/log/maillog
# Restrict the log -rw-r-----
# chmod u=rw,g=r,o= /var/log/maillog
# Same as above
# chmod -R o-r /home/*
# Recursive remove other readable for all users
# chmod u+s /path/to/prog
# Set SUID bit on executable (know what you do!)
# find / -perm -u+s -print
# Find all programs with the SUID bit
# chown user:group /path/to/file
# Change the user and group ownership of a file
# chgrp group /path/to/file
# Change the group ownership of a file
# chmod 640 `find ./ -type f -print`
# Change permissions to 640 for all files
# chmod 751 `find ./ -type d -print`
# Change permissions to 751 for all directories
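The umask arithmetic of this section, as an added example that is not part of the Unix Toolbox: the "subtract from 777" rule is really a bit mask (mode = default AND NOT umask), with 777 as the default for directories and 666 for files, so umask 022 gives 755 for a directory but 644 for a file. The block also renders an octal mode as the rwx string ls prints, and creates a real file under a chosen umask to confirm the computed value; it assumes a POSIX sh with mktemp, ls and cut available.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox. The "subtract from 777" rule is really a
# bit mask: mode = default & ~umask, with default 777 for directories and 666 for
# files (files never get execute bits at creation).
# umask_result UMASK KIND  (KIND = dir|file) -> resulting octal mode
umask_result() {
    default=0777
    [ "$2" = file ] && default=0666
    printf '%03o\n' $(( default & ~0$1 ))
}
# mode_to_rwx MODE -> the rwx string ls shows, e.g. 640 -> rw-r-----
mode_to_rwx() {
    m=$(( 0$1 ))
    s=""
    for pos in 6 3 0; do                 # owner, group, others
        bits=$(( (m >> pos) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && s="${s}r" || s="${s}-"
        [ $(( bits & 2 )) -ne 0 ] && s="${s}w" || s="${s}-"
        [ $(( bits & 1 )) -ne 0 ] && s="${s}x" || s="${s}-"
    done
    printf '%s\n' "$s"
}
# live_mode UMASK -> mode string of a file actually created under that umask
live_mode() {
    d=$(mktemp -d)
    ( umask "$1" && touch "$d/f" )        # subshell: the umask change stays local
    ls -l "$d/f" | cut -c2-10
    rm -r "$d"
}

printf 'umask 022: dir %s, file %s\n' "$(umask_result 022 dir)" "$(umask_result 022 file)"
printf 'umask 077: dir %s, file %s\n' "$(umask_result 077 dir)" "$(umask_result 077 file)"
printf 'mode 640 is %s; a file created under umask 022 is %s\n' \
    "$(mode_to_rwx 640)" "$(live_mode 022)"
```

A umask of 077 is the usual hardening choice for service accounts and home directories: every new file comes out 600 and every new directory 700, and chmod is then needed only to widen access deliberately.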
3.2 Disk information
# diskinfo -v /dev/ad2
# information about disk (sector/size) FreeBSD
# hdparm -I /dev/sda
# information about the IDE/ATA disk (Linux)
# fdisk /dev/ad2
# Display and manipulate the partition table
# smartctl -a /dev/ad2
# Display the disk SMART info
3.3 Boot
FreeBSD
To boot an old kernel if the new kernel doesn't boot, stop the boot during the countdown.
# unload
# load kernel.old
# boot
3.4 System mount points/Disk usage
# mount | column -t
# Show mounted file-systems on the system
# df
# display free disk space and mounted devices
# cat /proc/partitions
# Show all registered partitions (Linux)
Disk usage
# du -sh *
# Directory sizes as listing
# du -csh
# Total directory size of the current directory
# du -ks * | sort -n -r
# Sort everything by size in kilobytes
# ls -lSr
# Show files, biggest last
3.5 Who has which files opened
This is useful to find out which file is blocking a partition which has to be unmounted and gives a typical error of:
# umount /home/
umount: unmount of /home failed: Device busy
# umount impossible because a file is locking home
FreeBSD and most Unixes
# fstat -f /home
# for a mount point
# fstat -p PID
# for an application with PID
# fstat -u user
# for a user name
Find opened log file (or other opened files), say for Xorg:
# ps ax | grep Xorg | awk '{print $1}'
1252
# fstat -p 1252
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
root Xorg 1252 root / 2 drwxr-xr-x 512 r
root Xorg 1252 text /usr 216016 -rws--x--x 1679848 r
root Xorg 1252 0 /var 212042 -rw-r--r-- 56987 w
The file with inum 212042 is the only file in /var:
# find -x /var -inum 212042
/var/log/Xorg.0.log
Linux
Find opened files on a mount point with fuser or lsof:
# fuser -m /home
# List processes accessing /home
# lsof /home
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
tcsh 29029 eedcoba cwd DIR 0,18 12288 1048587 /home/eedcoba (guam:/home)
lsof 29140 eedcoba cwd DIR 0,18 12288 1048587 /home/eedcoba (guam:/home)
About an application:
ps ax | grep Xorg | awk '{print $1}'
3324
# lsof -p 3324
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Xorg 3324 root 0w REG 8,6 56296 12492 /var/log/Xorg.0.log
About a single file:
# lsof /var/log/Xorg.0.log
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Xorg 3324 root 0w REG 8,6 56296 12492 /var/log/Xorg.0.log
3.6 Mount/remount a file system
For example the cdrom. If listed in /etc/fstab:
# mount /cdrom
Or find the device in /dev/ or with dmesg
FreeBSD
# mount -v -t cd9660 /dev/cd0c /mnt
# cdrom
# mount_cd9660 /dev/wcd0c /cdrom
# other method
# mount -v -t msdos /dev/fd0c /mnt
# floppy
Entry in /etc/fstab:
# Device Mountpoint FStype Options Dump Pass#
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
To let users do it:
# sysctl vfs.usermount=1
# Or insert the line "vfs.usermount=1" in /etc/sysctl.conf
Grant remote access
The file $PGSQL_DATA_D/postgresql.conf specifies the address to bind to. Typically listen_addresses = '*' for Postgres 8.x. The file $PGSQL_DATA_D/pg_hba.conf defines the access control. Examples:
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
host bobdb bob 212.117.81.42 255.255.255.255 password
host all all 0.0.0.0/0 password
Backup and restore
The backups and restore are done with the user pgsql or postgres. Backup and restore a single database:
# pg_dump --clean dbname > dbname_sql.dump
# psql dbname < dbname_sql.dump
Backup and restore all databases (including users):
# pg_dumpall --clean > full.dump
# psql -f full.dump postgres
In this case the restore is started with the database postgres which is better when reloading an empty cluster.
18.2 MySQL
Change mysql root or username password
Method 1
# /etc/init.d/mysql stop
or
# killall mysqld
# mysqld --skip-grant-tables
# mysqladmin -u root password 'newpasswd'
# /etc/init.d/mysql start
Method 2
# mysql -u root mysql
mysql> UPDATE user SET PASSWORD=PASSWORD("newpassword") WHERE user='root';
# Use username instead of "root"
mysql> FLUSH PRIVILEGES;
mysql> quit
Create user and database
# mysql -u root mysql
mysql> CREATE DATABASE bobdb;
mysql> GRANT ALL ON *.* TO 'bob'@'%' IDENTIFIED BY 'pwd';
# Use localhost instead of % to restrict the network access
mysql> DROP DATABASE bobdb;
# Delete database
mysql> DROP USER bob;
# Delete user
mysql> DELETE FROM mysql.user WHERE user='bob' AND host='hostname';
# Alt. command
mysql> FLUSH PRIVILEGES;
Grant remote access
Remote access is typically permitted for a database, and not all databases. The file /etc/my.cnf contains the IP address to bind to. Typically comment the line bind-address = out.
# mysql -u root mysql
mysql> GRANT ALL ON bobdb.* TO bob@'xxx.xxx.xxx.xxx' IDENTIFIED BY 'PASSWORD';
mysql> REVOKE GRANT OPTION ON foo.* FROM bar@'xxx.xxx.xxx.xxx';
mysql> FLUSH PRIVILEGES;
# Use 'hostname' or also '%' for full access
# mencoder -o videoout.avi -oac mp3lame -ovc lavc -srate 11025 \
-channels 1 -af-adv force=1 -lameopts preset=medium -lavcopts \
vcodec=msmpeg4v2:vbitrate=600 -mc 0 vidoein.AVI
See sox for sound processing.
16.5 Copy an audio cd
The program cdparanoia [22] can save the audio tracks (FreeBSD port in audio/cdparanoia/), oggenc can encode in Ogg Vorbis format, lame converts to mp3.
# cdparanoia -B
# Copy the tracks to wav files in current dir
# lame -b 256 in.wav out.mp3
# Encode in mp3 256 kb/s
# for i in *.wav; do lame -b 256 $i `basename $i .wav`.mp3; done
# oggenc in.wav -b 256 out.ogg
# Encode in Ogg Vorbis 256 kb/s
17 PRINTING
17.1 Print with lpr
# lpr unixtoolbox.ps
# Print on default printer
# export PRINTER=hp4600
# Change the default printer
# lpr -Php4500 -#2 unixtoolbox.ps
# Use printer hp4500 and print 2 copies
# lpr -o Duplex=DuplexNoTumble ...
# Print duplex along the long side
# lpr -o PageSize=A4,Duplex=DuplexNoTumble ...
# lpq
# Check the queue on default printer
# lpq -l -Php4500
# Queue on printer hp4500 with verbose
# lprm -
# Remove all users jobs on default printer
# lprm -Php4500 3186
# Remove job 3186. Find job nbr with lpq
# lpc status
# List all available printers
# lpc status hp4500
# Check if printer is online and queue length
Some devices are not postscript and will garbage when fed with a pdf file. This might be solved with:
# gs -dSAFER -dNOPAUSE -sDEVICE=deskjet -sOutputFile=\|lpr file.pdf
18 DATABASES
18.1 PostgreSQL
Change root or a username password
# psql -d template1 -U pgsql
> alter user pgsql with password 'pgsql_password';
# Use username instead of "pgsql"
Create user and database
The commands createuser, dropuser, createdb and dropdb are convenient shortcuts equivalent to the SQL commands. The new user is bob with database bobdb; use as root with pgsql the database super user:
# createuser -U pgsql -P bob
# -P will ask for password
# createdb -U pgsql -O bob bobdb
# new bobdb is owned by bob
# dropdb bobdb
# Delete database bobdb
# dropuser bob
# Delete user bob
The general database authentication mechanism is configured in pg_hba.conf
22. http://xiph.org/paranoia/
Linux
# mount -t auto /dev/cdrom /mnt/cdrom
# typical cdrom mount command
# mount /dev/hdc -t iso9660 -r /cdrom
# typical IDE
# mount /dev/scd0 -t iso9660 -r /cdrom
# typical SCSI cdrom
# mount /dev/sdc0 -t ntfs-3g /windows
# typical SCSI
Entry in /etc/fstab:
/dev/cdrom /media/cdrom subfs noauto,fs=cdfss,ro,procuid,nosuid,nodev,exec 0 0
Mount a FreeBSD partition with Linux
Find the number of the partition containing it with fdisk; this is usually the root partition, but it could be another BSD slice too. If the FreeBSD has many slices, they are the ones not listed in the fdisk table, but visible in /dev/sda* or /dev/hda*.
# fdisk /dev/sda
# Find the FreeBSD partition
/dev/sda3 * 5357 7905 20474842+ a5 FreeBSD
# mount -t ufs -o ufstype=ufs2,ro /dev/sda3 /mnt
/dev/sda10 = /tmp; /dev/sda11 /usr
# The other slices
Remount
Remount a device without unmounting it. Necessary for fsck for example
# mount -o remount,ro /
# Linux
# mount -o ro /
# FreeBSD
Copy the raw data from a cdrom into an iso image:
# dd if=/dev/cd0c of=file.iso
3.7 Add swap on-the-fly
Suppose you need more swap (right now), say a 2GB file /swap2gb (Linux only).
# dd if=/dev/zero of=/swap2gb bs=1024k count=2000
# mkswap /swap2gb
# create the swap area
# swapon /swap2gb
# activate the swap. It now in use
# swapoff /swap2gb
# when done deactivate the swap
# rm /swap2gb
3.8 Mount an SMB share
Suppose we want to access the SMB share myshare on the computer smbserver, the address as typed on a Windows PC is \\smbserver\myshare\. We mount on /mnt/smbshare. Warning: cifs wants an IP or DNS name, not a Windows name.
Linux
# smbclient -U user -I 192.168.16.229 -L //smbshare/
# List the shares
# mount -t smbfs -o username=winuser //smbserver/myshare /mnt/smbshare
# mount -t cifs -o username=winuser,password=winpwd //192.168.16.229/myshare /mnt/share
Additionally with the package mount.cifs it is possible to store the credentials in a file, for example /home/user/.smb:
username=winuser
password=winpwd
And mount as follows:
# mount -t cifs -o credentials=/home/user/.smb //192.168.16.229/myshare /mnt/smbshare
FreeBSD
Use -I to give the IP (or DNS name); smbserver is the Windows name.
# smbutil view -I 192.168.16.229 //winuser@smbserver
# List the shares
# mount_smbfs -I 192.168.16.229 //winuser@smbserver/myshare /mnt/smbshare
3.9 Mount an image
Linux loop-back
# mount -t iso9660 -o loop file.iso /mnt
# Mount a CD image
# mount -t ext3 -o loop file.img /mnt
# Mount an image with ext3 fs
FreeBSD
With memory device (do # kldload md.ko if necessary):
# mdconfig -a -t vnode -f file.iso -u 0
# mount -t cd9660 /dev/md0 /mnt
# umount /mnt; mdconfig -d -u 0
# Cleanup the md device
Or with virtual node:
# vnconfig /dev/vn0c file.iso; mount -t cd9660 /dev/vn0c /mnt
# umount /mnt; vnconfig -u /dev/vn0c
# Cleanup the vn device
Solaris and FreeBSD with loop-back file interface or lofi:
# lofiadm -a file.iso
# mount -F hsfs -o ro /dev/lofi/1 /mnt
# umount /mnt; lofiadm -d /dev/lofi/1
# Cleanup the lofi device
3.10 Create and burn an ISO image
This will copy the cd or DVD sector for sector. Without conv=notrunc, the image will be smaller if there is less content on the cd. See below and the dd examples (page 41).
# dd if=/dev/hdc of=/tmp/mycd.iso bs=2048 conv=notrunc
Use mkisofs to create a CD/DVD image from files in a directory. To overcome the file names restrictions: -r enables the Rock Ridge extensions common to UNIX systems, -J enables Joliet extensions used by Microsoft systems. -L allows ISO9660 file names to begin with a period.
# mkisofs -J -L -r -V TITLE -o imagefile.iso /path/to/dir
On FreeBSD, mkisofs is found in the ports in sysutils/cdrtools.
Burn a CD/DVD ISO image
FreeBSD
FreeBSD does not enable DMA on ATAPI drives by default. DMA is enabled with the sysctl command and the arguments below, or with /boot/loader.conf with the following entries:
hw.ata.ata_dma="1"
hw.ata.atapi_dma="1"
Use burncd with an ATAPI device (burncd is part of the base system) and cdrecord (in sysutils/cdrtools) with a SCSI drive.
# burncd -f /dev/acd0 data imagefile.iso fixate
# For ATAPI drive
# cdrecord -scanbus
# To find the burner device (like 1,0,0)
# cdrecord dev=1,0,0 imagefile.iso
Linux
Also use cdrecord with Linux as described above. Additionally it is possible to use the native ATAPI interface which is found with:
# cdrecord dev=ATAPI -scanbus
# cd /usr/ports/net/rsync/
# Select the package to install
# make install distclean
# Install and cleanup (also see man ports)
# make package
# Make a binary package for the port
15.3 Library path
Due to complex dependencies and runtime linking, programs are difficult to copy to another system or distribution. However for small programs with few dependencies, the missing libraries can be copied over. The runtime libraries (and the missing ones) are checked with ldd and managed with ldconfig.
# ldd /usr/bin/rsync
# List all needed runtime libraries
# ldconfig -n /path/to/libs/
# Add a path to the shared libraries directories
# ldconfig -m /path/to/libs/
# FreeBSD
# LD_LIBRARY_PATH
# The variable set the link library path
16 CONVERT MEDIA
Sometimes one simply needs to convert a video, audio file or document to another format.
16.1 Text encoding
Text encoding can get totally wrong, especially when the language requires special characters like àäç. The command iconv can convert from one encoding to another.
# iconv -f <from_encoding> -t <to_encoding> <input_file>
# iconv -f ISO8859-1 -t UTF-8 file.input > file_utf8
# iconv -l
# List known coded character sets
Without the -f option, iconv will use the local char-set, which is usually fine if the document displays well.
16.2 Unix - DOS newlines
Convert DOS (CR/LF) to Unix (LF) newlines within a Unix shell. See also dos2unix and unix2dos if you have them.
# sed 's/.$//' dosfile.txt > unixfile.txt
Convert Unix to DOS newlines within a Windows environment. Use sed from mingw or cygwin.
# sed -n p unixfile.txt > dosfile.txt
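The two newline conversions above, as an added example that is not part of the Unix Toolbox. It shows the caveat of the sed 's/.$//' one-liner: it drops the last character of every line, so a file that mixes CRLF and LF endings (common after partial edits) loses real data, whereas tr -d '\r' removes only carriage returns and behaves the same with GNU and BSD tools. The Unix-to-DOS direction is done with awk so that it also works outside a Windows environment. The sample file is constructed inline; mktemp and od are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox. The one-liner sed 's/.$//' strips the last
# character of EVERY line, so a file that mixes CRLF and LF endings loses real data;
# tr -d '\r' removes only carriage returns and works with any sed/tr.
# All three filters read stdin and write stdout.
dos2unix_naive() { sed 's/.$//'; }                   # the toolbox command
dos2unix_safe()  { tr -d '\r'; }                      # drop CR wherever it sits
unix2dos_safe()  { awk '{ printf "%s\r\n", $0 }'; }   # add CR before every LF
# make_mixed_sample -> path of a constructed file: line 1 ends CRLF, line 2 ends LF only
make_mixed_sample() {
    f=$(mktemp)
    printf 'one\r\ntwo\n' > "$f"
    printf '%s\n' "$f"
}
# cr_count FILE -> how many carriage returns the file holds
cr_count() { printf '%d\n' $(( $(tr -cd '\r' < "$1" | wc -c) )); }

f=$(make_mixed_sample)
printf 'input:  '; od -c "$f" | head -n 1
printf 'naive:  '; dos2unix_naive < "$f" | od -c | head -n 1   # "two" became "tw"
printf 'safe:   '; dos2unix_safe  < "$f" | od -c | head -n 1
rm -f "$f"
```

When a converter is part of a deployment or ingest pipeline, treat the naive form as a silent data-corruption bug rather than a style issue: the output still looks like text and nothing fails.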
16.3 PDF to Jpeg and concatenate PDF files
Convert a PDF document with gs (GhostScript) to jpeg (or png) images for each page. Also much shorter with convert (from ImageMagick or GraphicsMagick).
# gs -dBATCH -dNOPAUSE -sDEVICE=jpeg -r150 -dTextAlphaBits=4 -dGraphicsAlphaBits=4 \
-dMaxStripSize=8192 -sOutputFile=unixtoolbox_%d.jpg unixtoolbox.pdf
# convert unixtoolbox.pdf unixtoolbox-%03d.png
# convert *.jpeg images.pdf
# Create a simple PDF with all pictures
Ghostscript can also concatenate multiple pdf files into a single one. This only works well if the PDF files are "well behaved".
# gs -q -sPAPERSIZE=a4 -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=all.pdf \
file1.pdf file2.pdf ...
# On Windows use '#' instead of '='
16.4 Convert video
Compress the Canon digicam video with an mpeg4 codec and repair the crappy sound.
Check file hashes with openssl. This is a nice alternative to the commands md5sum or sha1sum (FreeBSD uses md5 and sha1) which are not always installed.
# openssl md5 file.tar.gz
# Generate an md5 checksum from file
# openssl sha1 file.tar.gz
# Generate an sha1 checksum from file
# openssl rmd160 file.tar.gz
# Generate a RIPEMD-160 checksum from file
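Checking a file against an expected digest with whichever tool the host has, as an added example that is not part of the Unix Toolbox. It tries openssl first, as the text suggests, then falls back to sha256sum (GNU coreutils) or sha256 (FreeBSD base), and compares the result with an expected value. SHA-256 is used instead of MD5 or SHA-1, which are no longer collision resistant; mktemp is assumed, and the sample file is constructed inline.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox: verify a file against an expected digest
# with whatever tool is installed (openssl first, as the text suggests, then the
# coreutils or FreeBSD equivalents). SHA-256 is used instead of MD5/SHA-1, which are
# no longer collision resistant and should not back an integrity check.
# file_digest FILE -> lowercase hex SHA-256 of FILE
file_digest() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{ print $NF }'   # prints "SHA256(file)= <hex>"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'                # prints "<hex>  file"
    else
        sha256 -q "$1"                                     # FreeBSD base system
    fi
}
# verify_digest FILE EXPECTED -> exit 0 on match, 1 on mismatch (case-insensitive hex)
verify_digest() {
    actual=$(file_digest "$1")
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}
# make_sample -> path of a constructed file holding the three bytes "abc"
make_sample() { f=$(mktemp); printf 'abc' > "$f"; printf '%s\n' "$f"; }

f=$(make_sample)
printf '%s  %s\n' "$(file_digest "$f")" "$f"
# SHA-256("abc") is the standard test vector from FIPS 180
if verify_digest "$f" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "digest OK"
else
    echo "digest MISMATCH"
fi
rm -f "$f"
```

The expected value should come from a channel independent of the download itself (a signed release note, a package database), otherwise the check only proves the transfer was not corrupted.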
15 INSTALL SOFTWARE
15.1 List installed packages
# rpm -qa
# List installed packages (RH, SuSE, RPM based)
# dpkg -l
# Debian, Ubuntu
# pkg_info
# FreeBSD list all installed packages
# pkg_info -W smbd
# FreeBSD show which package smbd belongs to
# pkginfo
# Solaris
15.2 Add/remove software
Front ends: yast2/yast for SuSE, redhat-config-packages for Red Hat.
# rpm -i pkgname.rpm
# install the package (RH, SuSE, RPM based)
# rpm -e pkgname
# Remove package
Debian
# apt-get update
# First update the package lists
# apt-get install emacs
# Install the package emacs
# dpkg --remove emacs
# Remove the package emacs
# dpkg -S file
# find what package a file belongs to
Gentoo
Gentoo uses emerge as the heart of its "Portage" package management system.
# emerge --sync
# First sync the local portage tree
# emerge -u packagename
# Install or upgrade a package
# emerge -C packagename
# Remove the package
# revdep-rebuild
# Repair dependencies
Solaris
The <cdrom> path is usually /cdrom/cdrom0.
# pkgadd -d <cdrom>/Solaris_9/Product SUNWgtar
# pkgadd -d SUNWgtar
# Add downloaded package (bunzip2 first)
# pkgrm SUNWgtar
# Remove the package
FreeBSD
# pkg_add -r rsync
# Fetch and install rsync.
# pkg_delete /var/db/pkg/rsync-xx
# Delete the rsync package
Set where the packages are fetched from with the PACKAGESITE variable. For example:
# export PACKAGESITE=ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages/Latest/
# or ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
FreeBSD ports
The port tree /usr/ports/ is a collection of software ready to compile and install. The ports are updated with the program portsnap.
# portsnap fetch extract
# Create the tree when running the first time
# portsnap fetch update
# Update the port tree
And burn the CD/DVD as above.
dvd+rw-tools
The dvd+rw-tools package (FreeBSD: ports/sysutils/dvd+rw-tools) can do it all and includes growisofs to burn CDs or DVDs. The examples refer to the dvd device as /dev/dvd which could be a symlink to /dev/scd0 (typical scsi on Linux) or /dev/cd0 (typical FreeBSD) or /dev/rcd0c (typical NetBSD/OpenBSD character SCSI) or /dev/rdsk/c0t1d0s2 (Solaris example of a character SCSI/ATAPI CD-ROM device). There is a nice documentation with examples in the FreeBSD handbook chapter 18.7 [2].
# -dvd-compat closes the disk
# growisofs -dvd-compat -Z /dev/dvd=imagefile.iso
# Burn existing iso image
# growisofs -dvd-compat -Z /dev/dvd -J -R /p/to/data
# Burn directly
Convert a Nero .nrg file to .iso
Nero simply adds a 300Kb header to a normal iso image. This can be trimmed with dd.
# dd bs=1k if=imagefile.nrg of=imagefile.iso skip=300
Convert a bin/cue image to .iso
The little bchunk program [3] can do this. It is in the FreeBSD ports in sysutils/bchunk.
# bchunk imagefile.bin imagefile.cue imagefile.iso
3.11 Create a file based image
For example a partition of 1GB using the file /usr/vdisk.img. Here we use the vnode 0, but it could also be 1.
FreeBSD
# dd if=/dev/random of=/usr/vdisk.img bs=1K count=1M
# mdconfig -a -t vnode -f /usr/vdisk.img -u 0
# Creates device /dev/md0
# bsdlabel -w /dev/md0
# newfs /dev/md0c
# mount /dev/md0c /mnt
# umount /mnt; mdconfig -d -u 0; rm /usr/vdisk.img
# Cleanup the md device
The file based image can be automatically mounted during boot with an entry in /etc/rc.conf and /etc/fstab. Test your setup with # /etc/rc.d/mdconfig start (first delete the md0 device with # mdconfig -d -u 0). Note however that this automatic setup will only work if the file image is NOT on the root partition. The reason is that the /etc/rc.d/mdconfig script is executed very early during boot and the root partition is still read-only. Images located outside the root partition will be mounted later with the script /etc/rc.d/mdconfig2.
/boot/loader.conf:
md_load="YES"
/etc/rc.conf:
mdconfig_md0="-t vnode -f /usr/vdisk.img"
# /usr is not on the root partition
/etc/fstab: (The 0 0 at the end is important, it tells fsck to ignore this device, as it does not exist yet)
/dev/md0 /usr/vdisk ufs rw 0 0
It is also possible to increase the size of the image afterward, say for example 300 MB larger.
# umount /mnt; mdconfig -d -u 0
# dd if=/dev/zero bs=1m count=300 >> /usr/vdisk.img
# mdconfig -a -t vnode -f /usr/vdisk.img -u 0
2. http://www.freebsd.org/handbook/creating-dvds.html
3. http://freshmeat.net/projects/bchunk/
# growfs /dev/md0
# mount /dev/md0c /mnt
# File partition is now 300 MB larger
Linux
# dd if=/dev/zero of=/usr/vdisk.img bs=1024k count=1024
# mkfs.ext3 /usr/vdisk.img
# mount -o loop /usr/vdisk.img /mnt
# umount /mnt; rm /usr/vdisk.img
# Cleanup
Linux with losetup
/dev/zero is much faster than urandom, but less secure for encryption.
# dd if=/dev/urandom of=/usr/vdisk.img bs=1024k count=1024
# losetup /dev/loop0 /usr/vdisk.img
# Creates and associates /dev/loop0
# mkfs.ext3 /dev/loop0
# mount /dev/loop0 /mnt
# losetup -a
# Check used loops
# umount /mnt
# losetup -d /dev/loop0
# Detach
# rm /usr/vdisk.img
3.12 Create a memory file system
A memory based file system is very fast for heavy IO applications. How to create a 64 MB partition mounted on /memdisk:
FreeBSD
# mount_mfs -o rw -s 64M md /memdisk
# umount /memdisk; mdconfig -d -u 0
# Cleanup the md device
md /memdisk mfs rw,-s64M 0 0
# /etc/fstab entry
Linux
# mount -t tmpfs -osize=64m tmpfs /memdisk
3.13 Disk performance
Read and write a 1 GB file on partition ad4s3c (/home)
# time dd if=/dev/ad4s3c of=/dev/null bs=1024k count=1000
# time dd if=/dev/zero bs=1024k count=1000 of=/home/1Gb.file
# hdparm -tT /dev/hda
# Linux only
4 NETWORK
Routing (p15) | Additional IP (p15) | Change MAC (p16) | Ports (p16) | Firewall (p16) | IP Forward (p17) | NAT (p17) | DNS (p18) | DHCP (p19) | Traffic (p19) | QoS (p20) | NIS (p21) | Netcat (p22)
4.1 Debugging (See also Traffic analysis) (page 19)
Linux
# ethtool eth0
# Show the ethernet status (replaces mii-diag)
# ethtool -s eth0 speed 100 duplex full
# Force 100Mbit Full duplex
# ethtool -s eth0 autoneg off
# Disable auto negotiation
# ethtool -p eth1
# Blink the ethernet led - very useful when supported
# ip link show
# Display all interfaces on Linux (similar to ifconfig)
# ip link set eth0 up
# Bring device up (or down). Same as "ifconfig eth0 up"
• Ctrl-a a   to clear a missed Ctrl-a
• Ctrl-a Ctrl-d   to disconnect and leave the session running in the background
• Ctrl-a x   lock the screen terminal with a password
The screen session is terminated when the program within the running terminal is closed and you logout from the terminal.
14.7 Find
Some important options:
-x (on BSD) -xdev (on Linux)   Stay on the same file system (dev in fstab).
-exec cmd {} \;   Execute the command and replace {} with the full path
-iname   Like -name but is case insensitive
-ls   Display information about the file (like ls -la)
-size n   n is +-n (k M G T P)
-cmin n   File's status was last changed n minutes ago.
# find . -type f ! -perm -444
# Find files not readable by all
# find . -type d ! -perm -111
# Find dirs not accessible by all
# find /home/user/ -cmin 10 -print
# Files created or modified in the last 10 min.
# find . -name '*.[ch]' | xargs grep -E 'expr'
# Search 'expr' in this dir and below.
# find / -name "*.core" | xargs rm
# Find core dumps and delete them (also try core.*)
# find / -name "*.core" -print -exec rm {} \;
# Other syntax
# Find images and create an archive, iname is not case sensitive. -r for append
# find . \( -iname "*.png" -o -iname "*.jpg" \) -print -exec tar -rf images.tar {} \;
# find . -type f -name "*.txt" ! -name README.txt -print
# Exclude README.txt files
# find /var/ -size +10M -exec ls -lh {} \;
# Find large files > 10 MB
# find /var/ -size +10M -ls
# This is simpler
# find . -size +10M -size -50M -print
# find /usr/ports/ -name work -type d -print -exec rm -rf {} \;
# Clean the ports
# Find files with SUID; those file are vulnerable and must be kept secure
# find / -type f -user root -perm -4000 -exec ls -l {} \;
Be careful with xargs or exec as it might or might not honor quotings and can return wrong results when files or directories contain spaces. In doubt use "-print0 | xargs -0" instead of "| xargs". The option -print0 must be the last in the find command. See this nice mini tutorial for find [21].
# find . -type f | xargs ls -l
# Will not work with spaces in names
# find . -type f -print0 | xargs -0 ls -l
# Will work with spaces in names
# find . -type f -exec ls -l '{}' \;
# Or use quotes '{}' with -exec
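The three piping styles above compared on a directory containing a file name with a space, as an added example that is not part of the Unix Toolbox. Each style hands the names to printf, which prints one line per argument, so the line count shows how many arguments the command actually received: the plain pipe splits "a b.txt" into two bogus names, while -print0 | xargs -0 and -exec ... {} + pass the two real names. The sample directory is constructed inline; mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox: count how many names actually reach the
# command for the three find/xargs styles in the text, on a constructed directory
# with one file name containing a space.
# make_sample_dir -> path of a temp dir holding "c.txt" and "a b.txt"
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/c.txt" "$d/a b.txt"
    printf '%s\n' "$d"
}
# count_names STYLE DIR -> number of arguments handed to printf (one line per argument)
count_names() {
    case "$1" in
        naive)  find "$2" -type f | xargs printf '%s\n' ;;            # splits on the space
        print0) find "$2" -type f -print0 | xargs -0 printf '%s\n' ;; # NUL-separated names
        exec)   find "$2" -type f -exec printf '%s\n' {} + ;;         # no xargs at all
    esac | wc -l | tr -d ' '
}

d=$(make_sample_dir)
for style in naive print0 exec; do
    printf '%-7s %s names\n' "$style" "$(count_names "$style" "$d")"
done
rm -r "$d"
```

With a destructive command such as rm in place of printf, the naive style would act on names that never existed and skip the file it was meant to handle; an attacker-controlled file name with embedded newlines can likewise redirect such a loop, which is why the NUL-separated form is the one to script with.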
14.8 Miscellaneous
# which command
# Show full path name of command
# time command
# See how long a command takes to execute
# time cat
# Use time as stopwatch. Ctrl-c to stop
# set | grep $USER
# List the current environment
# cal -3
# Display a three month calendar
# date [-u|--utc|--universal] [MMDDhhmm[[CC]YY][.ss]]
# date 10022155
# Set date and time
# whatis grep
# Display a short info on the command or word
# whereis java
# Search path and standard directories for word
# setenv varname value
# Set env. variable varname to value (csh/tcsh)
# export varname="value"
# set env. variable varname to value (sh/ksh/bash)
# pwd
# Print working directory
# mkdir -p /path/to/dir
# no error if existing, make parent dirs as needed
# mkdir -p project/{bin,src,obj,doc/{html,man,pdf},debug/some/more/dirs}
# rmdir /path/to/dir
# Remove directory
# rm -rf /path/to/dir
# Remove directory and its content (force)
# cp -la /dir1 /dir2
# Archive and hard link files instead of copy
# cp -lpR /dir1 /dir2
# Same for FreeBSD
# cp unixtoolbox.xhtml{,.bak}
# Short way to copy the file with a new extension
# mv /dir1 /dir2
# Rename a directory
21. http://www.hccfl.edu/pollock/Unix/FindCmd.htm
content to a new disk. With the option noerror, dd will skip the bad sectors and write zeros instead, thus only the data contained in the bad sectors will be lost.
# dd if=/dev/hda of=/dev/null bs=1m
# Check for bad blocks
# dd bs=1k if=/dev/hda1 conv=sync,noerror,notrunc | gzip | ssh \
    root@fry 'dd of=hda1.gz bs=1k'
# Send to remote
# dd bs=1k if=/dev/hda1 conv=sync,noerror,notrunc of=hda1.img
# Store into an image
# mount -o loop /hda1.img /mnt
# Mount the image (page 13)
# rsync -ax /mnt/ /newdisk/
# Copy on a new disk
# dd if=/dev/hda of=/dev/hda
# Refresh the magnetic state
# The above is useful to refresh a disk. It is perfectly safe, but must be unmounted.
Delete
# dd if=/dev/zero of=/dev/hdc
# Delete full disk
# dd if=/dev/urandom of=/dev/hdc
# Delete full disk better
# Both are a single pass over the addressable sectors; sectors the drive has remapped are not touched, so for an SSD use the drive's own secure erase.
# kill -USR1 PID
# View dd progress (Linux)
# kill -INFO PID
# View dd progress (FreeBSD)
MBR tricks
The MBR contains the boot loader and the partition table and is 512 bytes small. The first 446 bytes are for the boot loader, bytes 446 to 509 hold the four 16-byte partition entries and bytes 510 to 511 the 0x55AA boot signature.
# dd if=/dev/sda of=/mbr_sda.bak bs=512 count=1
# Backup the full MBR
# dd if=/dev/zero of=/dev/sda bs=512 count=1
# Delete MBR and partition table
# dd if=/mbr_sda.bak of=/dev/sda bs=512 count=1
# Restore the full MBR
# dd if=/mbr_sda.bak of=/dev/sda bs=446 count=1
# Restore only the boot loader
# dd if=/mbr_sda.bak of=/dev/sda bs=1 count=64 skip=446 seek=446
# Restore partition table
This covers the first sector only: GRUB keeps its core image in the sectors after the MBR, and on a GPT disk the real partition table lives in the GPT header and entries behind the protective MBR (with a backup copy at the end of the disk), so back those up too.
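An added example (my own code, not from the Unix Toolbox) that puts a check in front of the restore commands above: it verifies the 0x55AA signature of a backup and decodes the four partition entries so you can see what you are about to write back. The test image, its partition layout and the function names are constructed for the example; the dd invocations work on a file or on a device.

```shell
# Return 0 if the image ends with the 0x55AA boot signature at bytes 510-511.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print "index boot type start_lba sectors" for every used entry of the four
# 16-byte partition entries at byte 446. Entry layout: boot flag, CHS start (3),
# type, CHS end (3), LBA start (4, little endian), size in sectors (4, LE).
mbr_partitions() {
    img=$1
    i=0
    while [ "$i" -lt 4 ]; do
        set -- $(dd if="$img" bs=1 skip=$((446 + i * 16)) count=16 2>/dev/null | od -An -v -tu1)
        if [ "$5" -ne 0 ]; then          # type 0 means unused entry
            start=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
            size=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
            printf '%d %02x %02x %d %d\n' "$i" "$1" "$5" "$start" "$size"
        fi
        i=$((i + 1))
    done
}

# Restore only the partition table (bytes 446-509) plus the signature (510-511)
# from BACKUP into TARGET, refusing a backup that lacks the signature.
restore_partition_table() {
    mbr_signature_ok "$1" || { echo "refusing: $1 carries no 0x55AA signature" >&2; return 1; }
    dd if="$1" of="$2" bs=1 count=66 skip=446 seek=446 conv=notrunc 2>/dev/null
}

# Constructed test image (hypothetical layout, not from a real disk): one
# bootable (0x80) Linux (0x83) partition, LBA start 2048, 204800 sectors.
make_test_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\040\003\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

Usage on a real backup: `mbr_partitions /mbr_sda.bak` before `restore_partition_table /mbr_sda.bak /dev/sda`; the 66-byte count restores the signature together with the table, which the 64-byte command above leaves alone.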
14.6 screen
Screen has two main functionalities:
• Run multiple terminal sessions within a single terminal.
• A started program is decoupled from the real terminal and can thus run in the background. The real terminal can be closed and reattached later.
Short start example
Start screen with:
# screen
Within the screen session we can start a long lasting program (like top). Detach the terminal and reattach the same terminal from an other machine (over ssh for example).
# top
Now detach with Ctrl-a Ctrl-d.
Reattach the terminal with
# screen -r
or better:
# screen -R -D
Attach here and now. In detail this means: If a session is running, then reattach. If necessary detach and logout remotely first. If it was not running create it and notify the user.
Screen commands (within screen)
All screen commands start with Ctrl-a.
• Ctrl-a ? help and summary of functions
• Ctrl-a c create a new window (terminal)
• Ctrl-a Ctrl-n and Ctrl-a Ctrl-p to switch to the next or previous window in the list, by number.
• Ctrl-a N where N is a number from 0 to 9, to switch to the corresponding window.
• Ctrl-a " to get a navigable list of running windows
# ip addr show
# Display all IP addresses on Linux (similar to ifconfig)
# ip neigh show
# Similar to arp -a
Other OSes
# ifconfig fxp0
# Check the "media" field on FreeBSD
# arp -a
# Check the router (or host) ARP entry (all OS)
# ping cb.vu
# The first thing to try...
# traceroute cb.vu
# Print the route path to destination
# ifconfig fxp0 media 100baseTX mediaopt full-duplex
# 100Mbit full duplex (FreeBSD)
# netstat -s
# System-wide statistics for each network protocol
Additional commands which are not always installed per default but easy to find:
# arping 192.168.16.254
# Ping on ethernet layer
# tcptraceroute -f 5 cb.vu
# uses tcp instead of icmp to trace through firewalls
4.2 Routing
Print routing table
# route -n
# Linux or use "ip route"
# netstat -rn
# Linux, BSD and UNIX
# route print
# Windows
Add and delete a route
FreeBSD
# route add 212.117.0.0/16 192.168.1.1
# route delete 212.117.0.0/16
# route add default 192.168.1.1
Add the route permanently in /etc/rc.conf
static_routes="myroute"
route_myroute="-net 212.117.0.0/16 192.168.1.1"
Linux
# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254
# ip route add 192.168.20.0/24 via 192.168.16.254
# same as above with ip route
# route add -net 192.168.20.0 netmask 255.255.255.0 dev eth0
# route add default gw 192.168.51.254
# ip route add default via 192.168.51.254 dev eth0
# same as above with ip route
# route delete -net 192.168.20.0 netmask 255.255.255.0
Solaris
# route add -net 192.168.20.0 -netmask 255.255.255.0 192.168.16.254
# route add default 192.168.51.254 1
# 1 = hops to the next gateway
# route change default 192.168.50.254 1
Permanent entries are set in /etc/defaultrouter.
Windows
# Route add 192.168.50.0 mask 255.255.255.0 192.168.51.253
# Route add 0.0.0.0 mask 0.0.0.0 192.168.51.254
Use add -p to make the route persistent.
4.3 Configure additional IP addresses
Linux
# ifconfig eth0 192.168.50.254 netmask 255.255.255.0
# First IP
# ifconfig eth0:0 192.168.51.254 netmask 255.255.255.0
# Second IP
— Network — 15
# ip addr add 192.168.50.254/24 dev eth0
# Equivalent ip commands
# ip addr add 192.168.51.254/24 dev eth0 label eth0:1
FreeBSD
# ifconfig fxp0 inet 192.168.50.254/24
# First IP
# ifconfig fxp0 alias 192.168.51.254 netmask 255.255.255.0
# Second IP
# ifconfig fxp0 -alias 192.168.51.254
# Remove second IP alias
Permanent entries in /etc/rc.conf
ifconfig_fxp0="inet 192.168.50.254 netmask 255.255.255.0"
ifconfig_fxp0_alias0="192.168.51.254 netmask 255.255.255.0"
Solaris
Check the settings with ifconfig -a
# ifconfig hme0 plumb
# Enable the network card
# ifconfig hme0 192.168.50.254 netmask 255.255.255.0 up
# First IP
# ifconfig hme0:1 192.168.51.254 netmask 255.255.255.0 up
# Second IP
4.4 Change MAC address
Normally you have to bring the interface down before the change. Don't tell me why you want to change the MAC address...
# ifconfig eth0 down
# ifconfig eth0 hw ether 00:01:02:03:04:05
# Linux
# ifconfig fxp0 link 00:01:02:03:04:05
# FreeBSD
# ifconfig hme0 ether 00:01:02:03:04:05
# Solaris
# sudo ifconfig en0 ether 00:01:02:03:04:05
# Mac OS X Tiger
# sudo ifconfig en0 lladdr 00:01:02:03:04:05
# Mac OS X Leopard
Many tools exist for Windows. For example etherchange [4]. Or look for "Mac Makeup", "smac".
4.5 Ports in use
Listening open ports:
# netstat -an | grep LISTEN
# lsof -i
# Linux list all Internet connections
# socklist
# Linux display list of open sockets
# sockstat -4
# FreeBSD application listing
# netstat -anp --udp --tcp | grep LISTEN
# Linux
# netstat -tup
# List active connections to/from system (Linux)
# netstat -tupl
# List listening ports from system (Linux)
# netstat -ano
# Windows
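An added example (not from the Unix Toolbox) for triaging the netstat output above on Linux: it classifies each listener by bind address, because a daemon bound to 127.0.0.1 is a different exposure than one bound to 0.0.0.0 or ::. The netstat sample lines are constructed for the example, the column layout assumed is that of netstat -tupln, and the function names are my own.

```shell
# Reads "netstat -tupln" lines on stdin, prints "scope proto port program"
# for every listening socket. scope is ALL (0.0.0.0 or ::), LOCAL (loopback)
# or IFACE (bound to one address).
classify_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # established tcp, not a listener
        $1 !~ /^(tcp|udp)/ { next }              # header lines, unix sockets
        {
            l = $4; n = split(l, a, ":"); port = a[n]
            addr = substr(l, 1, length(l) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")          scope = "ALL"
            else if (addr == "127.0.0.1" || addr == "::1") scope = "LOCAL"
            else                                           scope = "IFACE"
            prog = ($NF ~ /\//) ? $NF : "-"                 # "pid/program" or "-"
            sub(/^[0-9]+\//, "", prog)                      # drop the pid
            print scope, $1, port, prog
        }'
}

# Only the listeners reachable from the network.
exposed_listeners() {
    classify_listeners | awk '$1 != "LOCAL"'
}

# Constructed sample in "netstat -tupln" layout (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1203/mysqld
tcp        0      0 192.168.1.5:25          0.0.0.0:*               LISTEN      900/sendmail
tcp        0      0 192.168.1.5:22          192.168.1.9:51022       ESTABLISHED 2210/sshd: colin
tcp6       0      0 :::80                   :::*                    LISTEN      1550/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

sample_listeners() { printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners; }
sample_exposed()   { printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners; }
```

On a live host run `netstat -tupln | exposed_listeners` (as root, otherwise the program column is empty); every line that comes back is a service you should be able to name.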
4.6 Firewall
Check if a firewall is running (typical configuration only):
Linux
# iptables -L -n -v
# For status
Open the iptables firewall (this removes all filtering, so use it for troubleshooting only):
# iptables -P INPUT ACCEPT
# Open everything
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -Z
# Zero the packet and byte counters in all chains
# iptables -F
# Flush all chains
# iptables -X
# Delete all chains
4. http://ntsecurity.nu/toolbox/etherchange
Create
# cd /
# tar -cf home.tar home/
# archive the whole /home directory (c for create)
# tar -czf home.tgz home/
# same with zip compression
# tar -cjf home.tbz home/
# same with bzip2 compression
Only include one (or two) directories from a tree, but keep the relative structure. For example archive /usr/local/etc and /usr/local/www and the first directory in the archive should be local/.
# tar -C /usr -czf local.tgz local/etc local/www
# tar -C /usr -xzf local.tgz
# To untar the local dir into /usr
# cd /usr; tar -xzf local.tgz
# Is the same as above
Extract
# tar -tzf home.tgz
# look inside the archive without extracting (list)
# tar -xf home.tar
# extract the archive here (x for extract)
# tar -xzf home.tgz
# same with zip compression
# tar -xjf home.tbz
# same with bzip2 compression
# tar -xjf home.tbz home/colin/file.txt
# Restore a single file
More advanced
# tar c dir/ | gzip | ssh user@remote 'dd of=dir.tgz'
# arch dir/ and store remotely.
# tar cvf - `find . -print` > backup.tar
# arch the current directory.
# tar -cf - -C /etc . | tar xpf - -C /backup/etc
# Copy directories
# tar -cf - -C /etc . | ssh user@remote tar xpf - -C /backup/etc
# Remote copy.
# tar -czf home.tgz --exclude '*.o' --exclude 'tmp/' home/
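An added example (not from the Unix Toolbox) that turns the advice on absolute paths into a check before extraction: it lists the members of an archive that have an absolute path or a .. component, the two ways an archive writes outside the directory you extract into, and refuses to extract when it finds any. It works with GNU tar and bsdtar; the function names are assumptions.

```shell
# usage: unsafe_tar_entries ARCHIVE [listing flags such as -z or -j]
# Prints one line per suspicious member; prints nothing for a clean archive.
# Returns 2 when the archive cannot be listed at all.
unsafe_tar_entries() {
    archive=$1; shift
    tar -t "$@" -f "$archive" >/dev/null 2>&1 || return 2
    tar -t "$@" -f "$archive" | awk '
        /^\//               { print "absolute:   " $0; next }   # /etc/passwd ...
        /(^|\/)\.\.(\/|$)/  { print "parent-dir: " $0; next }   # ../x, a/../../x
    '
}

# usage: safe_untar ARCHIVE DESTDIR [flags]
# Extracts into DESTDIR only if unsafe_tar_entries found nothing.
safe_untar() {
    archive=$1; dest=$2; shift 2
    bad=$(unsafe_tar_entries "$archive" "$@") || return 2
    if [ -n "$bad" ]; then
        printf 'refusing to extract %s:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    tar -x "$@" -f "$archive" -C "$dest"
}
```

Modern GNU tar and bsdtar strip a leading / and reject .. on extraction by default, but older tars do not, and the listing tells you what the archive was built to do regardless of which tar you extract with.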
14.5 dd
The program dd (disk dump or destroy disk or see the meaning of dd) is used to copy partitions and disks and for other copy tricks. Typical usage:
# dd if=<source> of=<target> bs=<byte size> conv=<conversion>
Important conv options:
notrunc  do not truncate the output file, all zeros will be written as zeros.
noerror  continue after read errors (e.g. bad blocks)
sync  pad every input block with NULs to ibs-size
The default byte size is 512 (one block). The MBR, where the partition table is located, is on the first block; on disks partitioned the traditional way the first 63 blocks are empty (the first partition starts at sector 63), newer layouts start the first partition at sector 2048. Larger byte sizes are faster to copy but require also more memory.
Backup and restore
# dd if=/dev/hda of=/dev/hdc bs=16065b
# Copy disk to disk (same size)
# dd if=/dev/sda7 of=/home/root.img bs=4096 conv=notrunc,noerror
# Backup /
# dd if=/home/root.img of=/dev/sda7 bs=4096 conv=notrunc,noerror
# Restore /
# dd bs=1M if=/dev/ad4s3e | gzip -c > ad4s3e.gz
# Zip the backup
# gunzip -dc ad4s3e.gz | dd of=/dev/ad0s3e bs=1M
# Restore the zip
# dd bs=1M if=/dev/ad4s3e | gzip | ssh eedcoba@fry 'dd of=ad4s3e.gz'
# also remote
# gunzip -dc ad4s3e.gz | ssh eedcoba@host 'dd of=/dev/ad0s3e bs=1M'
# dd if=/dev/ad0 of=/dev/ad2 skip=1 seek=1 bs=4k conv=noerror
# Skip the first block (with bs=4k that is the first 8 sectors, not only the 512-byte MBR)
# This is necessary if the destination (ad2) is smaller.
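An added example (not from the Unix Toolbox) showing what conv=sync does to an image and how to verify a backup made with the commands above: the image is compared to its source by checksum, and any NUL padding that sync added to the last block is reported, since an image that is bigger than its source is the usual reason a checksum over the whole file does not match. The 1000-byte test source is constructed; the function names are assumptions.

```shell
# usage: image_and_verify SOURCE IMAGE BLOCKSIZE
# Images SOURCE with the recovery options, then prints EXACT, "PADDED n"
# (n bytes of NUL padding appended by conv=sync) or MISMATCH (return 1).
image_and_verify() {
    src=$1 img=$2 bs=$3
    dd if="$src" of="$img" bs="$bs" conv=sync,noerror 2>/dev/null
    src_size=$(wc -c < "$src" | tr -d ' ')
    img_size=$(wc -c < "$img" | tr -d ' ')
    src_sum=$(cksum < "$src" | cut -d' ' -f1)
    # compare only the first src_size bytes of the image: the rest is padding
    img_sum=$(head -c "$src_size" "$img" | cksum | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        echo MISMATCH; return 1
    elif [ "$img_size" -eq "$src_size" ]; then
        echo EXACT
    else
        echo "PADDED $((img_size - src_size))"
    fi
}

# Constructed 1000-byte source (hypothetical data, not a real partition):
# 100 zero-padded counters of 10 characters each.
make_test_source() {
    i=0
    while [ "$i" -lt 100 ]; do printf '%010d' "$i"; i=$((i + 1)); done > "$1"
}
```

A whole block device is a multiple of 512 bytes, so bs=512 or bs=1k never pads it; bs=1M does whenever the device size is not a multiple of 1 MiB, which is why the recover section below recommends a small block size.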
Recover
The command dd will read every single block of the partition, even the bad blocks. In case of problems it is better to use the option conv=sync,noerror so dd will skip the bad block and write zeros at the destination. Accordingly it is important to set the block size equal or smaller than the disk block size. A 1k size seems safe, set it with bs=1k. If a disk has bad sectors and the data should be recovered from a partition, create an image file with dd, mount the image and copy the
14.2 vi
Vi is present on ANY Linux/Unix installation (not gentoo?) and it is therefore useful to know some basic commands. There are two modes: command mode and insertion mode. The command mode is accessed with [ESC], the insertion mode with i. Use :help if you are lost. The editors nano and pico are usually available too and are easier (IMHO) to use.
Quit
:w newfilename  save the file to newfilename
:wq or :x  save and quit
:q!  quit without saving
Search and move
/string  Search forward for string
?string  Search back for string
n  Search for next instance of string
N  Search for previous instance of string
{  Move a paragraph back
}  Move a paragraph forward
1G  Move to the first line of the file
nG  Move to the nth line of the file
G  Move to the last line of the file
:%s/OLD/NEW/g  Search and replace every occurrence
Delete text
dd  delete current line
D  Delete to the end of the line
dw  Delete word
x  Delete character
u  Undo last
U  Undo all changes to current line
14.3 mail
The mail command is a basic application to read and send email, it is usually installed. To send an email simply type mail user@domain. The first line is the subject, then the content. Terminate and send the email with a single dot (.) in a new line. Example:
# mail [email protected]
Subject: Your text is full of typos
"For a moment, nothing happened. Then, after a second or so,
nothing continued to happen."
. EOT
This is also working with a pipe:
# echo "This is the mail body" | mail [email protected]
This is also a simple way to test the mail server.
14.4 tar
The command tar (tape archive) creates and extracts archives of files and directories. The archive .tar is uncompressed, a compressed archive has the extension .tgz or .tar.gz (zip) or .tbz (bzip2). Do not use absolute paths when creating an archive, you probably want to unpack it somewhere else. For the same reason list an archive you did not create yourself (tar -t) before extracting it: members with absolute paths or .. components can land outside the directory you extract into. Some typical commands are:
FreeBSD
# ipfw show
# For status
# ipfw list 65535
# if answer is "65535 deny ip from any to any" the fw is disabled
# sysctl net.inet.ip.fw.enable=0
# Disable
# sysctl net.inet.ip.fw.enable=1
# Enable
4.7 IP Forward for routing
Linux
Check and then enable IP forward with:
# cat /proc/sys/net/ipv4/ip_forward
# Check IP forward 0=off, 1=on
# echo 1 > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf with:
net.ipv4.ip_forward = 1
FreeBSD
Check and enable with:
# sysctl net.inet.ip.forwarding
# Check IP forward 0=off, 1=on
# sysctl net.inet.ip.forwarding=1
# sysctl net.inet.ip.fastforwarding=1
# For dedicated router or firewall
Permanent with entry in /etc/rc.conf:
gateway_enable="YES"
# Set to YES if this host will be a gateway.
Solaris
# ndd -set /dev/ip ip_forwarding 1
# Set IP forward 0=off, 1=on
4.8 NAT Network Address Translation
Linux
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# to activate NAT
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 20022 -j DNAT \
--to 192.168.16.44:22
# Port forward 20022 to internal IP port ssh
# iptables -t nat -A PREROUTING -p tcp -d 78.31.70.238 --dport 993:995 -j DNAT \
--to 192.168.16.254:993-995
# Port forward of range 993-995
# ip route flush cache
# iptables -L -t nat
# Check NAT status
Delete the port forward with -D instead of -A.
FreeBSD
# natd -s -m -u -dynamic -f /etc/natd.conf -n fxp0
Or edit /etc/rc.conf with:
firewall_enable="YES"
# Set to YES to enable firewall functionality
firewall_type="open"
# Firewall type (see /etc/rc.firewall)
natd_enable="YES"
# Enable natd (if firewall_enable == YES).
natd_interface="tun0"
# Public interface or IP address to use.
natd_flags="-s -m -u -dynamic -f /etc/natd.conf"
Port forward with:
# cat /etc/natd.conf
same_ports yes
use_sockets yes
unregistered_only
# redirect_port tcp insideIP:2300-2399 3300-3399
# port range
redirect_port udp 192.168.51.103:7777 7777
4.9 DNS
On Unix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf. The domain to which the host belongs is also stored in this file. A minimal configuration is:
nameserver 78.31.70.238
search sleepyowl.net intern.lab
domain sleepyowl.net
Check the system domain name with:
# hostname -d
# Same as dnsdomainname
Windows
On Windows the DNS are configured per interface. To display the configured DNS and to flush the DNS cache use:
# ipconfig /?
# Display help
# ipconfig /all
# See all information including DNS
# ipconfig /flushdns
# Flush the DNS cache
Forward queries
Dig is your friend to test the DNS settings. For example the public DNS server 213.133.105.2 ns.second-ns.de can be used for testing. See from which server the client receives the answer (simplified answer).
# dig sleepyowl.net
sleepyowl.net. 600 IN A 78.31.70.238
;; SERVER: 192.168.51.254#53(192.168.51.254)
The router 192.168.51.254 answered and the response is the A entry. Any entry can be queried and the DNS server can be selected with @:
# dig MX google.com
# dig @127.0.0.1 NS sun.com
# To test the local server
# dig @204.97.212.10 NS MX heise.de
# Query an external server
# dig AXFR @ns1.xname.org cb.vu
# Get the full zone (zone transfer); only works if the server allows transfers to your address, and a server that answers everybody leaks its whole zone
The program host is also powerful.
# host -t MX cb.vu
# Get the mail MX entry
# host -t NS -T sun.com
# Get the NS record over a TCP connection
# host -a sleepyowl.net
# Get everything
Reverse queries
Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:
# dig -x 78.31.70.238
# host 78.31.70.238
# nslookup 78.31.70.238
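An added example (not from the Unix Toolbox) that builds the in-addr.arpa name dig -x queries for you, with input validation, so a PTR lookup can be scripted or checked against a zone file by hand. It covers IPv4 only (IPv6 reverse names use the nibble form under ip6.arpa); the function names are assumptions.

```shell
# usage: ptr_name IPV4
# prints e.g. 238.70.31.78.in-addr.arpa. for 78.31.70.238; returns 1 on bad input
ptr_name() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # empty, non-digit, or stray dots
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs  # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    # the octets are reversed and the in-addr.arpa. suffix appended
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# usage: ptr_query IPV4 -> the explicit query that "dig -x IPV4" sends
ptr_query() {
    name=$(ptr_name "$1") || return 1
    printf 'dig +short PTR %s\n' "$name"
}
```

`dig -x 78.31.70.238` and `dig +short PTR 238.70.31.78.in-addr.arpa.` ask the same question; the explicit form is what you need when checking a reverse zone file or building the query with a tool that has no -x.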
/etc/hosts
Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve the hostname queries. The format is simple, for example:
78.31.70.238 sleepyowl.net sleepyowl
The priority between hosts and a dns query, that is the name resolution order, can be configured in /etc/nsswitch.conf AND /etc/host.conf. The file also exists on Windows, it is usually in:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Access control svn.acl example
# Default is read access. "* =" would be default no access
[/]
* = r
[groups]
project1-developers = joe, jack, jane
# Give write access to the developers
[project1:]
@project1-developers = rw
13.2 SVN commands and usage
See also the Subversion Quick Reference Card [19]. TortoiseSVN [20] is a nice Windows interface.
Import
A new project, that is a directory with some files, is imported into the repository with the import command. Import is also used to add a directory with its content to an existing project.
# svn help import
# Get help for any command
# Add a new directory (with content) into the src dir on project1
# svn import /project1/newdir http://host.url/svn/project1/trunk/src -m 'add newdir'
Typical SVN commands
# svn co http://host.url/svn/project1/trunk
# Checkout the most recent version
# Tags and branches are created by copying
# svn mkdir http://host.url/svn/project1/tags/
# Create the tags directory
# svn copy -m "Tag rc1 rel." http://host.url/svn/project1/trunk \
http://host.url/svn/project1/tags/1.0rc1
# svn status [--verbose]
# Check files status into working dir
# svn add src/file.h src/file.cpp
# Add two files
# svn commit -m 'Added new class file'
# Commit the changes with a message
# svn ls http://host.url/svn/project1/tags/
# List all tags
# svn move foo.c bar.c
# Move (rename) files
# svn delete some_old_file
# Delete files
14 USEFUL COMMANDS
less (p39) | vi (p40) | mail (p40) | tar (p40) | dd (p41) | screen (p42) | find (p43) | Miscellaneous (p43)
14.1 less
The less command displays a text document on the console. It is present on most installations.
# less unixtoolbox.xhtml
Some important commands are (^N stands for [control]-[N]):
h H  good help on display
f ^F ^V SPACE  Forward one window (or N lines).
b ^B ESC-v  Backward one window (or N lines).
F  Forward forever; like "tail -f".
/pattern  Search forward for (N-th) matching line.
?pattern  Search backward for (N-th) matching line.
n  Repeat previous search (for N-th occurrence).
N  Repeat previous search in reverse direction.
q  quit
19. http://www.cs.put.poznan.pl/csobaniec/Papers/svn-refcard
20. http://tortoisesvn.tigris.org
13.1 Server setup
The initiation of the repository is fairly simple (here for example /home/svn/ must exist):
# svnadmin create --fs-type fsfs /home/svn/project1
Now the access to the repository is made possible with:
• file:// Direct file system access with the svn client. This requires local permissions on the file system.
• svn:// or svn+ssh:// Remote access with the svnserve server (also over SSH). This requires local permissions on the file system.
• http:// Remote access with webdav using apache. No local users are necessary for this method.
Using the local file system, it is now possible to import and then check out an existing project. Unlike with CVS it is not necessary to cd into the project directory, simply give the full path:
# svn import /project1/ file:///home/svn/project1/trunk -m 'Initial import'
# svn checkout file:///home/svn/project1
The new directory "trunk" is only a convention, this is not required.
Remote access with ssh
No special setup is required to access the repository via ssh, simply replace file:// with svn+ssh://hostname. For example:
# svn checkout svn+ssh://hostname/home/svn/project1
As with the local file access, every user needs an ssh access to the server (with a local account) and also read/write access. This method might be suitable for a small group. All users could belong to a subversion group which owns the repository, for example:
# groupadd subversion
# groupmod -A user1 subversion
# chown -R root:subversion /home/svn
# chmod -R 770 /home/svn
Remote access with http (apache)
Remote access over http (https) is the only good solution for a larger user group. This method uses the apache authentication, not the local accounts. Use https: with Basic authentication the password travels only base64-encoded. This is a typical but small apache configuration:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# Only for access control
<Location /svn>
DAV svn
# any "/svn/foo" URL will map to a repository /home/svn/foo
SVNParentPath /home/svn
AuthType Basic
AuthName "Subversion repository"
AuthzSVNAccessFile /etc/apache2/svn.acl
AuthUserFile /etc/apache2/svn-passwd
Require valid-user
</Location>
The apache server needs full access to the repository:
# chown -R www:www /home/svn
Create a user with htpasswd2:
# htpasswd -c /etc/svn-passwd user1
# -c creates the file
18. http://svnbook.red-bean.com/en/1.4/
— SVN — 38
4.10 DHCP
Linux
Some distributions (SuSE) use dhcpcd as client. The default interface is eth0.
# dhcpcd -n eth0
# Trigger a renew (does not always work)
# dhcpcd -k eth0
# release and shutdown
The lease with the full information is stored in:
/var/lib/dhcpcd/dhcpcd-eth0.info
FreeBSD
FreeBSD (and Debian) uses dhclient. To configure an interface (for example bge0) run:
# dhclient bge0
The lease with the full information is stored in:
/var/db/dhclient.leases.bge0
Use /etc/dhclient.conf to prepend options or force different options:
# cat /etc/dhclient.conf
interface "rl0" {
prepend domain-name-servers 127.0.0.1;
default domain-name "sleepyowl.net";
supersede domain-name "sleepyowl.net";
}
Windows
The dhcp lease can be renewed with ipconfig:
# ipconfig /renew
# renew all adapters
# ipconfig /renew LAN
# renew the adapter named "LAN"
# ipconfig /release WLAN
# release the adapter named "WLAN"
Yes it is a good idea to rename your adapter with simple names!
4.11 Traffic analysis
Bmon [5] is a small console bandwidth monitor and can display the flow on different interfaces.
Sniff with tcpdump
# tcpdump -nl -i bge0 not port ssh and src \(192.168.16.121 or 192.168.16.54\)
# tcpdump -n -i eth1 net 192.168.16.121
# select to/from a single IP
# tcpdump -n -i eth1 net 192.168.16.0/24
# select traffic to/from a network
# tcpdump -l > dump && tail -f dump
# Buffered output
# tcpdump -i rl0 -w traffic.rl0
# Write traffic headers in binary file
# tcpdump -i rl0 -s 0 -w traffic.rl0
# Write traffic + payload in binary file
# tcpdump -r traffic.rl0
# Read from file (also for ethereal)
# tcpdump port 80
# The two classic commands
# tcpdump host google.com
# tcpdump -i eth0 -X port \(110 or 143\)
# Check if pop or imap is secure
# tcpdump -n -i eth0 icmp
# Only catch pings
# tcpdump -i eth0 -s 0 -A port 80 | grep GET
# -s 0 for full packet -A for ASCII
Additional important options:
-A  each packet in clear text (without header)
-X  packets in hex and ASCII
-l  Make stdout line buffered
5. http://people.suug.ch/~tgr/bmon/
-D  Print all interfaces available
On Windows use windump from www.winpcap.org. Use windump -D to list the interfaces.
Scan with nmap
Nmap [6] is a port scanner with OS detection, it is usually installed on most distributions and is also available for Windows. If you don't scan your servers, hackers do it for you...
# nmap cb.vu
# scans all reserved TCP ports on the host
# nmap -sP 192.168.16.0/24
# Find out which IP are used and by which host on 0/24
# nmap -sS -sV -O cb.vu
# Do a stealth SYN scan with version and OS detection
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 FreeBSD-20060930 (protocol 2.0)
25/tcp open smtp Sendmail smtpd 8.13.6/8.13.6
80/tcp open http Apache httpd 2.0.59 ((FreeBSD) DAV/2 PHP/4.
[...]
Running: FreeBSD 5.X
Uptime 33.120 days (since Fri Aug 31 11:41:04 2007)
Other non standard but useful tools are hping (www.hping.org) an IP packet assembler/analyzer and fping (fping.sourceforge.net). fping can check multiple hosts in a round-robin fashion.
4.12 Traffic control (QoS)
Traffic control manages the queuing, policing, scheduling, and other traffic parameters for a network. The following examples are simple practical uses of the Linux and FreeBSD capabilities to better use the available bandwidth.
Limit upload
DSL or cable modems have a long queue to improve the upload throughput. However filling the queue with a fast device (e.g. ethernet) will dramatically decrease the interactivity. It is therefore useful to limit the device upload rate to match the physical capacity of the modem, this should greatly improve the interactivity. Set to about 90% of the modem maximal (cable) speed.
Linux
For a 512 Kbit upload modem.
# tc qdisc add dev eth0 root tbf rate 480kbit latency 50ms burst 1540
# tc -s qdisc ls dev eth0
# Status
# tc qdisc del dev eth0 root
# Delete the queue
# tc qdisc change dev eth0 root tbf rate 220kbit latency 50ms burst 1540
FreeBSD
FreeBSD uses the dummynet traffic shaper which is configured with ipfw. Pipes are used to set limits on the bandwidth in units of [K|M]{bit/s|Byte/s}, 0 means unlimited bandwidth. Using the same pipe number will reconfigure it. For example limit the upload bandwidth to 500 Kbit.
# kldload dummynet
# load the module if necessary
# ipfw pipe 1 config bw 500Kbit/s
# create a pipe with limited bandwidth
# ipfw add pipe 1 ip from me to any
# divert the full upload into the pipe
Quality of service
Linux
Priority queuing with tc to optimize VoIP. See the full example on voip-info.org or www.howtoforge.com. Suppose VoIP uses udp on ports 10000:11024 and device eth0 (could also be ppp0 or so). The following commands define the QoS to three queues and force the VoIP traffic to queue 1 with QoS 0x1e (all bits set). The default traffic flows into queue 3 and QoS Minimize-Delay flows into queue 2.
6. http://insecure.org/nmap/
# ssh -L2401:localhost:2401 colin@cvs_server
# Connect directly to the CVS server. Or:
# ssh -L2401:cvs_server:2401 colin@gateway
# Use a gateway to reach the CVS
on shell 2:
# setenv CVSROOT :pserver:colin@localhost:/usr/local/cvs
# cvs login
Logging in to :pserver:colin@localhost:2401/usr/local/cvs
CVS password:
# cvs checkout MyProject/src
12.4 CVS commands and usage
Import
The import command is used to add a whole directory, it must be run from within the directory to be imported. Say the directory /devel/ contains all files and subdirectories to be imported. The directory name on the CVS (the module) will be called "myapp".
# cvs import [options] directory-name vendor-tag release-tag
# cd /devel
# Must be inside the project to import it
# cvs import myapp Company R1_0
# Release tag can be anything in one word
After a while a new directory "/devel/tools/" was added and it has to be imported too.
# cd /devel/tools
# cvs import myapp/tools Company R1_0
Checkout update add commit
# cvs co myapp/tools
# Will only checkout the directory tools
# cvs co -r R1_1 myapp
# Checkout myapp at release R1_1 (is sticky)
# cvs -q update -dP
# A typical CVS update (-d creates new directories, -P prunes empty ones)
# cvs update -A
# Reset any sticky tag (or date, option)
# cvs add newfile
# Add a new file
# cvs add -kb newfile
# Add a new binary file
# cvs commit file1 file2
# Commit the two files only
# cvs commit -m "message"
# Commit all changes done with a message
Create a patch
It is best to create and apply a patch from the working development directory related to the project, or from within the source directory.
# cd /devel/project
# diff -Naur olddir newdir > patchfile
# Create a patch from a directory or a file
# diff -Naur oldfile newfile > patchfile
Apply a patch
Sometimes it is necessary to strip a directory level from the patch, depending how it was created. In case of difficulties, simply look at the first lines of the patch and try -p0, -p1 or -p2.
# cd /devel/project
# patch --dry-run -p0 < patchfile
# Test the patch without applying it
# patch -p0 < patchfile
# patch -p1 < patchfile
# strip off the 1st level from the path
13 SVN
Server setup (p38) | SVN+SSH (p38) | SVN over http (p38) | SVN usage (p39)
Subversion (SVN) [17] is a version control system designed to be the successor of CVS (Concurrent Versions System). The concept is similar to CVS, but many shortcomings were improved. See also the SVN book [18].
17. http://subversion.tigris.org/
Separate authentication
It is possible to have cvs users which are not part of the OS (no local users). This is actually probably wanted too from the security point of view. Simply add a file named passwd (in the CVSROOT directory) containing the users login and password in the crypt format. This can be done with the apache htpasswd tool. Note: This passwd file is the only file which has to be edited directly in the CVSROOT directory. Also it won't be checked out. More info with htpasswd --help. Keep in mind that pserver only scrambles the password and sends everything else in clear text, so limit it to a trusted network or tunnel it over ssh (12.3), and that a password given with -b on the command line is visible in ps and in the shell history.
# htpasswd -cb passwd user1 password1
# -c creates the file
# htpasswd -b passwd user2 password2
Now add :cvs at the end of each line to tell the cvs server to change the user to cvs (or whatever your cvs server is running under). It looks like this:
# cat passwd
user1:xsFjhU22u8Fuo:cvs
user2:vnefJOsnnvToM:cvs
12.2 Test it
Test the login as normal user (for example here me)
# cvs -d :pserver:[email protected]:/usr/local/cvs login
Logging in to :pserver:[email protected]:2401/usr/local/cvs
CVS password:
CVSROOT variable
This is an environment variable used to specify the location of the repository we're doing operations on. For local use, it can be just set to the directory of the repository. For use over the network, the transport protocol must be specified. Set the CVSROOT variable with setenv CVSROOT string on a csh, tcsh shell, or with export CVSROOT=string on a sh, bash shell.
# setenv CVSROOT :pserver:<username>@<host>:/cvsdirectory
For example:
# setenv CVSROOT /usr/local/cvs
# Used locally only
# setenv CVSROOT :local:/usr/local/cvs
# Same as above
# setenv CVSROOT :ext:user@cvsserver:/usr/local/cvs
# Direct access with SSH
# setenv CVS_RSH ssh
# for the ext access
# setenv CVSROOT :pserver:[email protected]:/usr/local/cvs
# network with pserver
When the login succeeded one can import a new project into the repository: cd into your project root directory
cvs import <module name> <vendor tag> <initial tag>
cvs -d :pserver:[email protected]:/usr/local/cvs import MyProject MyCompany START
Where MyProject is the name of the new project in the repository (used later to checkout). Cvs will import the current directory content into the new project. To checkout:
# cvs -d :pserver:[email protected]:/usr/local/cvs checkout MyProject
or
# setenv CVSROOT :pserver:[email protected]:/usr/local/cvs
# cvs checkout MyProject
12.3 SSH tunneling for CVS
We need 2 shells for this. On the first shell we connect to the cvs server with ssh and port-forward the cvs connection. On the second shell we use the cvs normally as if it were running locally.
on shell 1:
— CVS — 36
# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
# tc qdisc add dev eth0 parent 1:1 handle 10: sfq
# tc qdisc add dev eth0 parent 1:2 handle 20: sfq
# tc qdisc add dev eth0 parent 1:3 handle 30: sfq
# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 \
match ip dport 10000 0x3C00 flowid 1:1
# use server port range
# tc filter add dev eth0 protocol ip parent 1: prio 1 u32 \
match ip dst 123.23.0.1 flowid 1:1
# or/and use server IP
Status and remove with
# tc -s qdisc ls dev eth0
# queue status
# tc qdisc del dev eth0 root
# delete all QoS
Calculate port range and mask
The tc filter defines the port range with a port and a mask which you have to calculate. A packet matches when (dport AND mask) equals (port AND mask), so one rule can only describe a block of 2^N ports that starts at a multiple of 2^N; for a 1024-port block the mask has to keep the upper bits, i.e. 0xFC00, and the block containing 10000 is then 9216-10239. The usual recipe (find the 2^N ending of the port range, deduce the range and convert to hex) gives the following for 10000 -> 11024, the range being 1024:
# 2^13 (8192) < 10000 < 2^14 (16384)
# ending is 2^14 = 16384
# echo "obase=16;(2^14)-1024" | bc
# mask is 0x3C00
Note that 0x3C00 leaves the two high bits unmasked: with the value 10000 (0x2710) the filter matches 9216-10239 and three more 1024-port blocks above it, not 10000-11024. A range that is not aligned this way needs several rules.
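An added example (not from the Unix Toolbox, nor from the referenced pages) that does the mask calculation properly for any port range: it splits the range into aligned power-of-two blocks, each expressible as one u32 value/mask pair, and prints the matching tc filter lines. The device, parent 1: and flowid 1:1 follow the setup above; the function names are assumptions.

```shell
# usage: port_range_rules FIRST LAST
# Prints "VALUE MASK" pairs in hex such that a port p is covered by exactly one
# pair, via (p & MASK) == (VALUE & MASK), iff FIRST <= p <= LAST.
# Greedy walk: from the current start take the largest block that is both
# aligned to its own size and still inside the range (the IP-range-to-CIDR idea).
port_range_rules() {
    lo=$1; hi=$2
    while [ "$lo" -le "$hi" ]; do
        size=1
        while [ $(( lo & (size * 2 - 1) )) -eq 0 ] && [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
            size=$(( size * 2 ))
        done
        printf '0x%04x 0x%04x\n' "$lo" $(( 0xffff & ~(size - 1) ))
        lo=$(( lo + size ))
    done
}

# usage: port_matches PORT FIRST LAST
# Returns 0 if PORT hits one of the generated rules (the kernel's test, done in sh).
port_matches() {
    p=$1
    port_range_rules "$2" "$3" | {
        while read -r val mask; do
            [ $(( p & mask )) -eq $(( val & mask )) ] && exit 0
        done
        exit 1
    }
}

# usage: tc_port_filters DEV FIRST LAST -> one tc filter line per block
tc_port_filters() {
    port_range_rules "$2" "$3" | while read -r val mask; do
        printf 'tc filter add dev %s protocol ip parent 1: prio 1 u32 match ip dport %s %s flowid 1:1\n' "$1" "$val" "$mask"
    done
}
```

`port_range_rules 10000 11024` yields eight rules (the range is not aligned at either end); `port_range_rules 1024 2047` yields the single pair 0x0400 0xfc00. tc accepts the hex values as written.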
FreeBSD
The max link bandwidth is 500Kbit/s and we define 3 queues with priority 100:10:1 for VoIP:ssh:all the rest.
# ipfw pipe 1 config bw 500Kbit/s
# ipfw queue 1 config pipe 1 weight 100
# ipfw queue 2 config pipe 1 weight 10
# ipfw queue 3 config pipe 1 weight 1
# ipfw add 10 queue 1 proto udp dst-port 10000-11024
# ipfw add 11 queue 1 proto udp dst-ip 123.23.0.1
# or/and use server IP
# ipfw add 20 queue 2 dst-port ssh
# ipfw add 30 queue 3 from me to any
# all the rest
Status and remove with
# ipfw list
# rules status
# ipfw pipe list
# pipe status
# ipfw flush
# deletes all rules but default
4.13 NIS Debugging
Some commands which should work on a well configured NIS client:
# ypwhich
# get the connected NIS server name
# domainname
# The NIS domain name as configured
# ypcat group
# should display the group from the NIS server
# cd /var/yp && make
# Rebuild the yp database
Is ypbind running?
# ps auxww | grep ypbind
/usr/sbin/ypbind -s -m -S servername1,servername2
# FreeBSD
/usr/sbin/ypbind
# Linux
# yppoll passwd.byname
Map passwd.byname has order number 1190635041. Mon Sep 24 13:57:21 2007
The master server is servername.domain.net.
Linux
# cat /etc/yp.conf
ypserver servername
domain domain.net broadcast
— Network — 21
4.14 Netcat
Netcat [7] (nc) is better known as the "network Swiss Army Knife"; it can manipulate, create or read/write TCP/IP connections. Here are some useful examples; there are many more on the net, for example on g-loaded.eu[...] [8] and here [9]. You might need to use the command netcat instead of nc. Also see the similar command socat.
File transfer
Copy a large folder over a raw tcp connection. The transfer is very quick (no protocol overhead) and you don't need to mess with NFS or SMB or FTP or so; simply make the file available on the server, and get it from the client. Here 192.168.1.1 is the server IP address.
server# tar -cf - -C VIDEO_TS . | nc -l -p 4444
# Serve tar folder on port 4444
client# nc 192.168.1.1 4444 | tar xpf - -C VIDEO_TS
# Pull the file on port 4444
server# cat largefile | nc -l 5678
# Serve a single file
client# nc 192.168.1.1 5678 > largefile
# Pull the single file
server# dd if=/dev/da0 | nc -l 4444
# Serve partition image
client# nc 192.168.1.1 4444 | dd of=/dev/da0
# Pull partition to clone
client# nc 192.168.1.1 4444 | dd of=da0.img
# Pull partition to file
Other hacks
Especially here, you must know what you are doing.
Remote shell
Option -e only on the Windows version? Or use nc 1.10.
# nc -lp 4444 -e /bin/bash
# Provide a remote shell (server backdoor)
# nc -lp 4444 -e cmd.exe
# remote shell for Windows
Emergency web server
Serve a single file on port 80 in a loop.
# while true; do nc -l -p 80 < unixtoolbox.xhtml; done
Chat
Alice and Bob can chat over a simple TCP socket. The text is transferred with the enter key.
alice# nc -lp 4444
bob# nc 192.168.1.1 4444
5 SSH SCP
Public key (p22) | Fingerprint (p23) | SCP (p23) | Tunneling (p24)
5.1 Public key authentication
Connect to a host without password using public key authentication. The idea is to append your public key to the authorized_keys2 file on the remote host. For this example let's connect host-client to host-server, the key is generated on the client.
• Use ssh-keygen to generate a key pair. ~/.ssh/id_dsa is the private key, ~/.ssh/id_dsa.pub is the public key.
• Copy only the public key to the server and append it to the file ~/.ssh/authorized_keys2 in your home on the server.
# ssh-keygen -t dsa -N ''
# cat ~/.ssh/id_dsa.pub | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2"
7. http://netcat.sourceforge.net
8. http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples
9. http://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks
— SSH SCP — 22
11.7 View certificate information
To view the certificate information simply do:
# openssl x509 -text -in servernamecert.pem
# View the certificate info
# openssl req -noout -text -in server.csr
# View the request info
# openssl s_client -connect cb.vu:443
# Check a web server certificate
12 CVS
Server setup (p35) | CVS test (p36) | SSH tunneling (p36) | CVS usage (p37)
12.1 Server setup
Initiate the CVS
Decide where the main repository will rest and create a root cvs. For example /usr/local/cvs (as root):
# mkdir -p /usr/local/cvs
# setenv CVSROOT /usr/local/cvs
# Set CVSROOT to the new location (local)
# cvs init
# Creates all internal CVS config files
# cd /root
# cvs checkout CVSROOT
# Checkout the config files to modify them
# cd CVSROOT
edit config ( fine as it is)
# cvs commit config
cat >> writers
# Create a writers file (optionally also readers)
colin
^D
# Use [Control][D] to quit the edit
# cvs add writers
# Add the file writers into the repository
# cvs edit checkoutlist
# cat >> checkoutlist
writers
^D
# Use [Control][D] to quit the edit
# cvs commit
# Commit all the configuration changes
Add a readers file if you want to differentiate read and write permissions.
Note: Do not (ever) edit files directly into the main cvs, but rather checkout the file, modify it and check it in. We did this with the file writers to define the write access.
There are three popular ways to access the CVS at this point. The first two don't need any further configuration. See the examples on CVSROOT below for how to use them:
• Direct local access to the file system. The user(s) need sufficient file permission to access the CVS directly and there is no further authentication in addition to the OS login. However this is only useful if the repository is local.
• Remote access with ssh with the ext protocol. Any user with an ssh shell account and read/write permissions on the CVS server can access the CVS directly with ext over ssh without any additional tunnel. There is no server process running on the CVS for this to work. The ssh login does the authentication.
• Remote access with pserver. This is the preferred use for a larger user base as the users are authenticated by the CVS pserver with a dedicated password database; there is therefore no need for local user accounts. This setup is explained below.
Network setup with inetd
The CVS can be run locally only if network access is not needed. For remote access, the daemon inetd can start the pserver with the following line in /etc/inetd.conf (/etc/xinetd.d/cvs on SuSE):
cvspserver stream tcp nowait cvs /usr/bin/cvs cvs \
--allow-root=/usr/local/cvs pserver
It is a good idea to block the cvs port from the Internet with the firewall and use an ssh tunnel to access the repository remotely.
— CVS — 35
# mkdir -p /usr/local/certs/CA
# cd /usr/local/certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial
# Only if serial does not exist
# touch index.txt
11.3 Create a certificate authority
If you do not have a certificate authority from a vendor, you'll have to create your own. This step is not necessary if one intends to use a vendor to sign the request. To make a certificate authority (CA):
# openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \
-keyout CA/private/cakey.pem -out CA/cacert.pem
11.4 Create a certificate signing request
To make a new certificate (for a server or web server for example), first create a request certificate with its private key. If your application does not support an encrypted private key (for example UW-IMAP does not), then disable encryption with -nodes.
# openssl req -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf
# openssl req -nodes -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf
# No encryption for the key
11.5 Sign the certificate
The certificate request has to be signed by the CA to be valid, this step is usually done by the vendor. Note: replace "servername" with the name of your server in the next commands.
# cat newreq.pem newkey.pem > new.pem
# openssl ca -policy policy_anything -out servernamecert.pem \
-config /etc/ssl/openssl.cnf -infiles new.pem
# mv newkey.pem servernamekey.pem
Now servernamekey.pem is the private key and servernamecert.pem is the server certificate.
11.6 Create united certificate
The IMAP server wants to have both private key and server certificate in the same file. And in general, this is also easier to handle, but the file has to be kept securely! Apache also can deal with it well. Create a file servername.pem containing both the certificate and key.
• Open the private key (servernamekey.pem) with a text editor and copy the private key into the "servername.pem" file.
• Do the same with the server certificate (servernamecert.pem). The final servername.pem file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx
-----END CERTIFICATE-----
What we have now in the directory /usr/local/certs/:
CA/private/cakey.pem (CA server private key)
CA/cacert.pem (CA server public key)
certs/servernamekey.pem (server private key)
certs/servernamecert.pem (server signed certificate)
certs/servername.pem (server certificate with private key)
Keep the private key secure!
— SSL Certificates — 34
Using the Windows client from ssh.com
The non commercial version of the ssh.com client can be downloaded from the main ftp site: ftp.ssh.com/pub/ssh/. Keys generated by the ssh.com client need to be converted for the OpenSSH server. This can be done with the ssh-keygen command.
• Create a key pair with the ssh.com client: Settings - User Authentication - Generate New....
• I use Key type DSA; key length 2048.
• Copy the public key generated by the ssh.com client to the server into the ~/.ssh folder.
• The keys are in C:\Documents and Settings\%USERNAME%\Application Data\SSH\UserKeys.
• Use the ssh-keygen command on the server to convert the key:
# cd ~/.ssh
# ssh-keygen -i -f keyfilename.pub >> authorized_keys2
Notice: We used a DSA key, RSA is also possible. The key is not protected by a password.
Using putty for Windows
Putty [10] is a simple and free ssh client for Windows.
• Create a key pair with the puTTYgen program.
• Save the public and private keys (for example into C:\Documents and Settings\%USERNAME%\.ssh).
• Copy the public key to the server into the ~/.ssh folder:
# scp .ssh/puttykey.pub [email protected]:.ssh/
• Use the ssh-keygen command on the server to convert the key for OpenSSH:
# cd ~/.ssh
# ssh-keygen -i -f puttykey.pub >> authorized_keys2
• Point the private key location in the putty settings: Connection - SSH - Auth
5.2 Check fingerprint
At the first login, ssh will ask if the unknown host with the fingerprint has to be stored in the known hosts. To avoid a man-in-the-middle attack the administrator of the server can send you the server fingerprint which is then compared on the first login. Use ssh-keygen -l to get the fingerprint (on the server):
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
# For RSA key
2048 61:33:be:9b:ae:6c:36:31:fd:83:98:b7:99:2d:9f:cd /etc/ssh/ssh_host_rsa_key.pub
# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
# For DSA key (default)
2048 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee /etc/ssh/ssh_host_dsa_key.pub
Now the client connecting to this server can verify that he is connecting to the right server:
# ssh linda
The authenticity of host 'linda (192.168.16.54)' can't be established.
DSA key fingerprint is 14:4a:aa:d9:73:25:46:6d:0a:48:35:c7:f4:16:d4:ee.
Are you sure you want to continue connecting (yes/no)? yes
5.3 Secure file transfer
Some simple commands:
# scp file.txt host-two:/tmp
# scp joe@host-two:/www/*.html /www/tmp
# scp -r joe@host-two:/www /www/tmp
In Konqueror or Midnight Commander it is possible to access a remote file system with the address fish://user@gate. However the implementation is very slow. Furthermore it is possible to mount a remote folder with sshfs, a file system client based on SCP. See fuse sshfs [11].
10. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
— SSH SCP — 23
5.4 Tunneling
SSH tunneling allows to forward or reverse forward a port over the SSH connection, thus securing the traffic and accessing ports which would otherwise be blocked. This only works with TCP. The general nomenclature for forward and reverse is (see also the ssh and NAT example):
# ssh -L localport:desthost:destport user@gate
# desthost as seen from the gate
# ssh -R destport:desthost:localport user@gate
# forwards your localport to destination
# ssh -X user@gate
# To force X forwarding
This will connect to gate and forward the localport to the host desthost:destport. Note desthost is the destination host as seen by the gate, so if the connection is to the gate, then desthost is localhost. More than one port forward is possible.
Direct forward on the gate
Let's say we want to access the CVS (port 2401) and http (port 80) which are running on the gate. This is the simplest example, desthost is thus localhost, and we use the port 8080 locally instead of 80 so we don't need to be root. Once the ssh session is open, both services are accessible on the local ports.
# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate
Netbios and remote desktop forward to a second server
Let's say a Windows smb server is behind the gate and is not running ssh. We need access to the smb share and also remote desktop to the server.
# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate
The smb share can now be accessed with \\127.0.0.1\, but only if the local share is disabled, because the local share is listening on port 139. It is possible to keep the local share enabled, for this we need to create a new virtual device with a new IP address for the tunnel, the smb share will be connected over this address. Furthermore the local RDP is already listening on 3389, so we choose 3388. For this example let's use a virtual IP of 10.1.1.1.
• With putty use Source port=10.1.1.1:139. It is possible to create multiple loop devices and tunnel. On Windows 2000, only putty worked for me. On Windows Vista also forward the port 445 in addition to the port 139. Also on Vista the patch KB942624 prevents port 445 from being forwarded, so I had to uninstall this patch in Vista.
• With the ssh.com client, disable "Allow local connections only". Since ssh.com will bind to all addresses, only a single share can be connected.
Now create the loopback interface with IP 10.1.1.1:
• # System->Control Panel->Add Hardware # Yes, Hardware is already connected # Add a new hardware device (at bottom).
• # Install the hardware that I manually select # Network adapters # Microsoft, Microsoft Loopback Adapter.
• Configure the IP address of the fake device to 10.1.1.1 mask 255.255.255.0, no gateway.
• advanced->WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.
• # Enable Client for Microsoft Networks. # Disable File and Printer Sharing for Microsoft Networks.
I HAD to reboot for this to work. Now connect to the smb share with \\10.1.1.1 and remote desktop to 10.1.1.1:3388.
Debug
If it is not working:
• Are the ports forwarded: netstat -an? Look at 0.0.0.0:139 or 10.1.1.1:139
• Does telnet 10.1.1.1 139 connect?
• You need the checkbox "Local ports accept connections from other hosts".
• Is "File and Printer Sharing for Microsoft Networks" disabled on the loopback interface?
11. http://fuse.sourceforge.net/sshfs.html
— SSH SCP — 24
/etc/fstab
The encrypted partition can be configured to be mounted with /etc/fstab. The password will be prompted for when booting. The following settings are required for this example:
# grep geli /etc/rc.conf
geli_devices="ad1"
geli_ad1_flags="-k /root/ad1.key"
# grep geli /etc/fstab
/dev/ad1.eli /home/private ufs rw 0 0
Use password only
It is more convenient to encrypt a USB stick or file based image with a passphrase only and no key. In this case it is not necessary to carry the additional key file around. The procedure is very much the same as above, simply without the key file. Let's encrypt a file based image /cryptedfile of 1 GB.
# dd if=/dev/zero of=/cryptedfile bs=1M count=1000
# 1 GB file
# mdconfig -at vnode -f /cryptedfile
# geli init /dev/md0
# encrypts with password only
# geli attach /dev/md0
# newfs -U -m 0 /dev/md0.eli
# mount /dev/md0.eli /mnt
# umount /dev/md0.eli
# geli detach md0.eli
It is now possible to mount this image on another system with the password only.
# mdconfig -at vnode -f /cryptedfile
# geli attach /dev/md0
# mount /dev/md0.eli /mnt
11 SSL CERTIFICATES
So called SSL/TLS certificates are cryptographic public key certificates and are composed of a public and a private key. The certificates are used to authenticate the endpoints and encrypt the data. They are used for example on a web server (https) or mail server (imaps).
11.1 Procedure
• We need a certificate authority to sign our certificate. This step is usually provided by a vendor like Thawte, Verisign, etc., however we can also create our own.
• Create a certificate signing request. This request is like an unsigned certificate (the public part) and already contains all necessary information. The certificate request is normally sent to the authority vendor for signing. This step also creates the private key on the local machine.
• Sign the certificate with the certificate authority.
• If necessary join the certificate and the key in a single file to be used by the application (web server, mail server etc.).
11.2 Configure OpenSSL
We use /usr/local/certs as directory for this example. Check or edit /etc/ssl/openssl.cnf according to your settings so you know where the files will be created. Here is the relevant part of openssl.cnf:
[ CA_default ]
dir = /usr/local/certs/CA       # Where everything is kept
certs = $dir/certs              # Where the issued certs are kept
crl_dir = $dir/crl              # Where the issued crl are kept
database = $dir/index.txt       # database index file.
Make sure the directories exist or create them.
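The procedure of 11.1, carried through the steps of 11.3 to 11.6 in a scratch directory, as an added example that is not part of the Unix Toolbox: it writes a minimal openssl.cnf with the [CA_default] keys shown above, creates the CA, the request and the united servername.pem, and verifies the signed certificate against the CA. The names "Example CA" and servername.example, the 730/365 day lifetimes and the use of -batch, -nodes and -subj for a non-interactive run are assumptions of this example.

```shell
# Added example (not from the Unix Toolbox): CA, request, signing and united
# file, all non-interactive, with a verification at the end.
set -e

# Usage: build_ca_and_cert WORKDIR  -> prints "OK" when the signed certificate
# chains to the CA and the united file holds both the key and the certificate.
build_ca_and_cert() {
    base=$1
    ca=$base/CA
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" "$base/certs"
    [ -f "$ca/serial" ] || echo "01" > "$ca/serial"    # only if serial does not exist
    touch "$ca/index.txt"

    # Same layout as the [CA_default] section on this page; $dir is expanded by openssl.
    cat > "$base/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

    # 11.3 create the CA: self-signed, 730 days; -nodes so no passphrase prompt in this run
    openssl req -new -x509 -days 730 -nodes -newkey rsa:2048 -config "$base/openssl.cnf" \
        -subj "/CN=Example CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    # 11.4 certificate signing request with its private key, unencrypted (-nodes)
    openssl req -nodes -new -newkey rsa:2048 -config "$base/openssl.cnf" \
        -subj "/CN=servername.example" -keyout "$base/certs/newkey.pem" \
        -out "$base/certs/newreq.pem" 2>/dev/null
    # 11.5 sign the request with the CA (-batch answers the y/n prompts)
    cat "$base/certs/newreq.pem" "$base/certs/newkey.pem" > "$base/certs/new.pem"
    openssl ca -batch -policy policy_anything -config "$base/openssl.cnf" \
        -out "$base/certs/servernamecert.pem" -infiles "$base/certs/new.pem" 2>/dev/null
    mv "$base/certs/newkey.pem" "$base/certs/servernamekey.pem"
    # 11.6 united file: private key followed by the certificate, readable by the owner only
    cat "$base/certs/servernamekey.pem" "$base/certs/servernamecert.pem" > "$base/certs/servername.pem"
    chmod 600 "$base/certs/servername.pem" "$base/certs/servernamekey.pem" "$ca/private/cakey.pem"

    # Verification: the certificate chains to the CA; the united file parses as key and certificate.
    openssl verify -CAfile "$ca/cacert.pem" "$base/certs/servernamecert.pem" >/dev/null 2>&1 \
        || { echo "FAIL"; return 1; }
    openssl pkey -in "$base/certs/servername.pem" -noout 2>/dev/null \
        || { echo "FAIL"; return 1; }
    openssl x509 -in "$base/certs/servername.pem" -noout -subject 2>/dev/null \
        | grep -q servername.example || { echo "FAIL"; return 1; }
    echo "OK"
}

# Run stand-alone: everything is created under a fresh temporary directory.
build_ca_and_cert "$(mktemp -d)"
```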
— SSL Certificates — 33
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt
# cryptsetup luksClose sdc1
# Detach the encrypted partition
Attach
# cryptsetup luksOpen /dev/sdc1 sdc1
# mount -t ext3 /dev/mapper/sdc1 /mnt
Detach
# umount /mnt
# cryptsetup luksClose sdc1
dm-crypt without LUKS
# cryptsetup -y create sdc1 /dev/sdc1
# or any other partition like /dev/loop0
# dmsetup ls
# check it, will display: sdc1 (254, 0)
# mkfs.ext3 /dev/mapper/sdc1
# This is done only the first time!
# mount -t ext3 /dev/mapper/sdc1 /mnt
# umount /mnt/
# cryptsetup remove sdc1
# Detach the encrypted partition
Do exactly the same (without the mkfs part!) to re-attach the partition. If the password is not correct, the mount command will fail. In this case simply remove the map sdc1 (cryptsetup remove sdc1) and create it again.
10.2 FreeBSD
The two popular FreeBSD disk encryption modules are gbde and geli. I now use geli because it is faster and also uses the crypto device for hardware acceleration. See the FreeBSD handbook Chapter 18.6 [16] for all the details. The geli module must be loaded or compiled into the kernel:
options GEOM_ELI
device crypto
# or as module:
# echo 'geom_eli_load="YES"' >> /boot/loader.conf
# or do: kldload geom_eli
Use password and key
I use those settings for a typical disk encryption, it uses a passphrase AND a key to encrypt the master key. That is, you need both the password and the generated key /root/ad1.key to attach the partition. The master key is stored inside the partition and is not visible. See below for a typical USB or file based image.
Create encrypted partition
# dd if=/dev/random of=/root/ad1.key bs=64 count=1
# this key encrypts the master key
# geli init -s 4096 -K /root/ad1.key /dev/ad1
# -s 8192 is also OK for disks
# geli attach -k /root/ad1.key /dev/ad1
# DO make a backup of /root/ad1.key
# dd if=/dev/random of=/dev/ad1.eli bs=1m
# Optional and takes a long time
# newfs /dev/ad1.eli
# Create file system
# mount /dev/ad1.eli /mnt
Attach
# geli attach -k /root/ad1.key /dev/ad1
# fsck -ny -t ffs /dev/ad1.eli
# In doubt check the file system
# mount /dev/ad1.eli /mnt
Detach
The detach procedure is done automatically on shutdown.
# umount /mnt
# geli detach /dev/ad1.eli
16. http://www.freebsd.org/handbook/disks-encrypting.html
— Encrypt Partitions — 32
Connect two clients behind NAT
Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination); both can login to the gate with ssh and are running Linux with sshd. You don't need root access anywhere as long as the ports on gate are above 1024. We use 2022 on gate. Also since the gate is used locally, the option GatewayPorts is not necessary. On client cliuser (from destination to gate):
# ssh -R 2022:localhost:22 user@gate
# forwards client 22 to gate:2022
On client cliadmin (from host to gate):
# ssh -L 3022:localhost:2022 admin@gate
# forwards client 3022 to gate:2022
Now the admin can connect directly to the client cliuser with:
# ssh -p 3022 admin@localhost
# local:3022 -> gate:2022 -> client:22
Connect to VNC behind NAT
Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT. On client cliwin to gate:
# ssh -R 15900:localhost:5900 user@gate
On client cliadmin (from host to gate):
# ssh -L 5900:localhost:15900 admin@gate
Now the admin can connect directly to the client VNC with:
# vncconnect -display :0 localhost
Dig a multi-hop ssh tunnel
Suppose you can not reach a server directly with ssh, but only via multiple intermediate hosts (for example because of routing issues). Sometimes it is still necessary to get a direct client-server connection, for example to copy files with scp, or forward other ports like smb or vnc. One way to do this is to chain tunnels together to forward a port to the server along the hops. This "carrier" port only reaches its final destination on the last connection to the server. Suppose we want to forward the ssh port from a client to a server over two hops. Once the tunnel is built, it is possible to connect to the server directly from the client (and also add another port forward).
Create tunnel in one shell: client -> host1 -> host2 -> server and dig tunnel 5678
client># ssh -L5678:localhost:5678 host1
# 5678 is an arbitrary port for the tunnel
host_1># ssh -L5678:localhost:5678 host2
# chain 5678 from host1 to host2
host_2># ssh -L5678:localhost:22 server
# end the tunnel on port 22 on the server
Use tunnel with another shell: client -> server using tunnel 5678
# ssh -p 5678 localhost
# connect directly from client to server
# scp -P 5678 myfile localhost:/tmp/
# or copy a file directly using the tunnel
# rsync -e 'ssh -p 5678' myfile localhost:/tmp/
# or rsync a file directly to the server
6 VPN WITH SSH
As of version 4.3, OpenSSH can use the tun/tap device to encrypt a tunnel. This is very similar to other TLS based VPN solutions like OpenVPN. One advantage with SSH is that there is no need to install and configure additional software. Additionally the tunnel uses the SSH authentication like pre shared keys. The drawback is that the encapsulation is done over TCP which might result in poor performance on a slow link. Also the tunnel is relying on a single (fragile) TCP connection. This technique is very useful for a quick IP based VPN setup. There is no limitation as with the single TCP port forward, all layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. In any case, the following options are needed in the sshd_config file:
— VPN with SSH — 25
PermitRootLogin yes
PermitTunnel yes
6.1 Single P2P connection
Here we are connecting two hosts, hclient and hserver, with a peer to peer tunnel. The connection is started from hclient to hserver and is done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 (client) and we create a device tun5 (this could also be another number). The procedure is very simple:
• Connect with SSH using the tunnel option -w
• Configure the IP addresses of the tunnel. Once on the server and once on the client.
Connect to the server
Connection started on the client and commands are executed on the server.
Server is on Linux
cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 netmask 255.255.255.252
# Executed on the server shell
Server is on FreeBSD
cli># ssh -w5:5 root@hserver
srv># ifconfig tun5 10.0.1.1 10.0.1.2
# Executed on the server shell
Configure the client
Commands executed on the client:
cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
# Client is on Linux
cli># ifconfig tun5 10.0.1.2 10.0.1.1
# Client is on FreeBSD
The two hosts are now connected and can transparently communicate with any layer 3/4 protocol using the tunnel IP addresses.
6.2 Connect two networks
In addition to the p2p setup above, it is more useful to connect two private networks with an SSH VPN using two gates. Suppose for the example, netA is 192.168.51.0/24 and netB 192.168.16.0/24. The procedure is similar as above, we only need to add the routing. NAT must be activated on the private interface only if the gates are not the same as the default gateway of their network.
192.168.51.0/24 (netA) | gateA <-> gateB | 192.168.16.0/24 (netB)
• Connect with SSH using the tunnel option -w.
• Configure the IP addresses of the tunnel. Once on the server and once on the client.
• Add the routing for the two networks.
• If necessary, activate NAT on the private interface of the gate.
The setup is started from gateA in netA.
Connect from gateA to gateB
Connection is started from gateA and commands are executed on gateB.
gateB is on Linux
gateA># ssh -w5:5 root@gateB
gateB># ifconfig tun5 10.0.1.1 netmask 255.255.255.252
# Executed on the gateB shell
gateB># route add -net 192.168.51.0 netmask 255.255.255.0 dev tun5
gateB># echo 1 > /proc/sys/net/ipv4/ip_forward
# Only needed if not default gw
gateB># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
— VPN with SSH — 26
# gpg -e -r 'Your Name' file
# Encrypt with your public key
# gpg -o file -d file.gpg
# Decrypt. Use -o or it goes to stdout
Encrypt - Decrypt with keys
First you need to export your public key for someone else to use it. And you need to import the public key, say from Alice, to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server. For example Alice exports her public key and you import it, you can then encrypt a file for her. That is, only Alice will be able to decrypt it.
# gpg -a -o alicekey.asc --export 'Alice'
# Alice exported her key in ascii file.
# gpg --send-keys --keyserver subkeys.pgp.net KEYID
# Alice put her key on a server.
# gpg --import alicekey.asc
# You import her key into your pubring.
# gpg --search-keys --keyserver subkeys.pgp.net 'Alice'
# or get her key from a server.
Once the keys are imported it is very easy to encrypt or decrypt a file:
# gpg -e -r 'Alice' file
# Encrypt the file for Alice.
# gpg -d file.gpg -o file
# Decrypt a file encrypted by Alice for you.
Key administration
# gpg --list-keys
# list public keys and see the KEYIDS
The KEYID follows the '/' e.g. for: pub 1024D/D12B77CE the KEYID is D12B77CE
# gpg --gen-revoke 'Your Name'
# generate revocation certificate
# gpg --list-secret-keys
# list private keys
# gpg --delete-keys NAME
# delete a public key from local key ring
# gpg --delete-secret-key NAME
# delete a secret key from local key ring
# gpg --fingerprint KEYID
# Show the fingerprint of the key
# gpg --edit-key KEYID
# Edit key (e.g sign or add/del email)
10 ENCRYPT PARTITIONS
Linux with LUKS (p31) | Linux dm-crypt only (p32) | FreeBSD GELI (p32) | FBSD pwd only (p33)
There are (many) other alternative methods to encrypt disks, I only show here the methods I know and use. Keep in mind that the security is only good as long as the OS has not been tampered with. An intruder could easily record the password from the keyboard events. Furthermore the data is freely accessible when the partition is attached and this will not prevent an intruder from having access to it in this state.
10.1 Linux
Those instructions use the Linux dm-crypt (device-mapper) facility available on the 2.6 kernel. In this example, let's encrypt the partition /dev/sdc1; it could however be any other partition or disk, or USB or a file based partition created with losetup. In this case we would use /dev/loop0. See file image partition. The device mapper uses labels to identify a partition. We use sdc1 in this example, but it could be any string.
dm-crypt with LUKS
LUKS with dm-crypt has better encryption and makes it possible to have multiple passphrases for the same partition or to change the password easily. To test if LUKS is available, simply type # cryptsetup --help; if nothing about LUKS shows up, use the instructions below "Without LUKS". First create a partition if necessary: fdisk /dev/sdc.
Create encrypted partition
# dd if=/dev/urandom of=/dev/sdc1
# Optional. For paranoids only (takes days)
# cryptsetup -y luksFormat /dev/sdc1
# This destroys any data on sdc1
# cryptsetup luksOpen /dev/sdc1 sdc1
# mkfs.ext3 /dev/mapper/sdc1
# create ext3 file system
— Encrypt Partitions — 31
tar zip and encrypt a whole directory
# tar -zcf - directory | openssl aes-128-cbc -salt -out directory.tar.gz.aes
# Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.gz.aes | tar -xz
# Decrypt
• Use -k mysecretpassword after aes-128-cbc to avoid the interactive password request. However note that this is highly insecure.
• Use aes-256-cbc instead of aes-128-cbc to get even stronger encryption. This also uses more CPU.
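The tar | openssl round trip above as two shell functions, an added example that is not part of the Unix Toolbox: the passphrase is read from an environment variable (openssl's -pass env:) instead of being passed with -k on the command line, -pbkdf2 is used for the key derivation (an OpenSSL 1.1.1 or later is assumed), and a second check confirms that a wrong passphrase is rejected; the directory content and the passphrase are constructed for the example.

```shell
# Added example (not from the Unix Toolbox): aes-256-cbc round trip of a tar
# archive with the passphrase kept out of the command line.
set -e

# Usage: AESPASS=... encrypt_dir DIRECTORY OUTFILE
encrypt_dir() {
    tar -zcf - "$1" | openssl aes-256-cbc -salt -pbkdf2 -pass env:AESPASS -out "$2"
}

# Usage: AESPASS=... decrypt_dir INFILE   (extracts into the current directory)
decrypt_dir() {
    openssl aes-256-cbc -d -salt -pbkdf2 -pass env:AESPASS -in "$1" | tar -xz
}

# Builds a small constructed directory and returns its encrypted archive path.
make_archive() {
    work=$1
    mkdir -p "$work/src/directory" "$work/dst"
    echo "constructed secret notes" > "$work/src/directory/notes.txt"
    (cd "$work/src" && AESPASS="correct horse battery staple" && export AESPASS \
        && encrypt_dir directory "$work/directory.tar.gz.aes")
    echo "$work/directory.tar.gz.aes"
}

# Encrypt, decrypt elsewhere and compare; prints "same" on success.
roundtrip_check() {
    work=$(mktemp -d)
    archive=$(make_archive "$work")
    (cd "$work/dst" && AESPASS="correct horse battery staple" && export AESPASS \
        && decrypt_dir "$archive")
    if cmp -s "$work/src/directory/notes.txt" "$work/dst/directory/notes.txt"; then
        echo same
    else
        echo different
    fi
}

# A wrong passphrase must not produce a readable archive; prints "rejected".
wrong_pass_check() {
    work=$(mktemp -d)
    archive=$(make_archive "$work")
    if (cd "$work/dst" && AESPASS="not the passphrase" && export AESPASS \
        && decrypt_dir "$archive") 2>/dev/null; then
        echo accepted
    else
        echo rejected
    fi
}

roundtrip_check
wrong_pass_check
```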
9.2 GPG
GnuPG is well known to encrypt and sign emails or any data. Furthermore gpg also provides an advanced key management system. This section only covers file encryption, not email usage, signing or the Web-Of-Trust. The simplest encryption is with a symmetric cipher. In this case the file is encrypted with a password and anyone who knows the password can decrypt it, thus the keys are not needed. Gpg adds an extension ".gpg" to the encrypted file names.
# gpg -c file
# Encrypt file with password
# gpg file.gpg
# Decrypt file (optionally -o otherfile)
Using keys
For more details see GPG Quick Start [13] and GPG/PGP Basics [14] and the gnupg documentation [15] among others. The private and public keys are the heart of asymmetric cryptography. What is important to remember:
• Your public key is used by others to encrypt files that only you as the receiver can decrypt (not even the one who encrypted the file can decrypt it). The public key is thus meant to be distributed.
•Your
private
key
isencry
pte
dw
ith
your
passphra
se
and
isused
todecry
pt
file
sw
hic
hw
ere
encry
pte
dw
ith
your
public
key.
The
private
key
must
be
kept
secu
re.
Als
oif
the
key o
r passphra
se is lost,
so a
re a
ll t
he files e
ncry
pte
d w
ith y
our
public k
ey.
•The k
ey files a
re c
alled k
eyrings a
s t
hey c
an c
onta
in m
ore
than o
ne k
ey.
First
genera
tea
key
pair.
The
defa
ults
are
fine,
how
ever
you
willhave
toente
rat
least
your
full
nam
eand
em
ail
and
optionally
acom
ment.
The
com
ment
isusefu
lto
cre
ate
more
than
one
key
with t
he s
am
e n
am
e a
nd e
mail.
Als
o y
ou s
hould
use a
"passphra
se",
not
a s
imple
passw
ord
.
# gpg --gen-key
# This can take a long time
The k
eys a
re s
tore
d in ~
/.gnupg/
on U
nix
, on W
indow
s t
hey a
re t
ypic
ally s
tore
d in
C:/
Docum
ents
and S
ett
ings/%
USERN
AM
E%
/Application D
ata
/gnupg/.
~/.gnupg/pubring.gpg
# Contains your public keys and all others imported
~/.gnupg/secring.gpg
# Can contain more than one private key
Short
rem
inder
on m
ost
used o
ptions:
-eencry
pt
data
-ddecry
pt
data
-rN
AM
E e
ncry
pt
for
recip
ient
NAM
E (
or
'Full N
am
e' or
'em
ail@
dom
ain
')-a
cre
ate
ascii a
rmore
d o
utp
ut
of a k
ey
-ouse a
s o
utp
ut
file
The
exam
ple
suse
'Your
Nam
e'and
'Alice'as
the
keys
are
refe
rred
toby
the
em
ail
or
full
nam
eor
part
ial
nam
e.
For
exam
ple
Ican
use
'Colin'
or
'c@
cb.v
u'
for
my
key
[Colin
Bars
chel
(cb.v
u)
<c@
cb.v
u>
].
En
cry
pt f
or p
erso
na
l u
se
on
ly
No n
eed t
o e
xport
/im
port
any k
ey for
this
. You h
ave b
oth
already.
13. http://www.madboa.com/geek/gpg-quickstart
14. http://aplawrence.com/Basics/gpg.html
15. http://gnupg.org/documentation
gateB is on FreeBSD
gateA># ssh -w5:5 root@gateB                   # Creates the tun5 devices
gateB># ifconfig tun5 10.0.1.1 10.0.1.2        # Executed on the gateB shell
gateB># route add 192.168.51.0/24 10.0.1.2
gateB># sysctl net.inet.ip.forwarding=1        # Only needed if not default gw
gateB># natd -s -m -u -dynamic -n fxp0         # see NAT (page 17)
gateA># sysctl net.inet.ip.fw.enable=1
Configure gateA
Commands executed on gateA:
gateA is on Linux
gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA># route add -net 192.168.16.0 netmask 255.255.255.0 dev tun5
gateA># echo 1 > /proc/sys/net/ipv4/ip_forward
gateA># iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
gateA is on FreeBSD
gateA># ifconfig tun5 10.0.1.2 10.0.1.1
gateA># route add 192.168.16.0/24 10.0.1.2
gateA># sysctl net.inet.ip.forwarding=1
gateA># natd -s -m -u -dynamic -n fxp0         # see NAT (page 17)
gateA># sysctl net.inet.ip.fw.enable=1
The two private networks are now transparently connected via the SSH VPN. The IP forward and NAT settings are only necessary if the gates are not the default gateways. In this case the clients would not know where to forward the response, and NAT must be activated.
7 RSYNC
Rsync can almost completely replace cp and scp; furthermore, interrupted transfers are efficiently restarted. A trailing slash (and the absence thereof) has different meanings, the man page is good... Here are some examples:
Copy the directories with full content:
# rsync -a /home/colin/ /backup/colin/
# rsync -a /var/ /var_bak/
# rsync -aR --delete-during /home/user/ /backup/       # use relative (see below)
Same as before but over the network and with compression. Rsync uses SSH for the transport by default and will use the ssh keys if they are set. Use ":" as with SCP. A typical remote copy:
# rsync -axSRzv /home/user/ user@server:/backup/user/
Exclude any directory tmp within /home/user/ and keep the relative folder hierarchy, that is the remote directory will have the structure /backup/home/user/. This is typically used for backups.
# rsync -azR --exclude /tmp/ /home/user/ user@server:/backup/
Use port 20022 for the ssh connection:
# rsync -az -e 'ssh -p 20022' /home/colin/ user@server:/backup/colin/
Using the rsync daemon (used with "::") is much faster, but not encrypted over ssh. The location of /backup is defined by the configuration in /etc/rsyncd.conf. The variable RSYNC_PASSWORD can be set to avoid the need to enter the password manually.
# rsync -axSRz /home/ ruser@hostname::rmodule/backup/
# rsync -axSRz ruser@hostname::rmodule/backup/ /home/   # To copy back
Some important options:
-a, --archive            archive mode; same as -rlptgoD (no -H)
-r, --recursive          recurse into directories
-R, --relative           use relative path names
-H, --hard-links         preserve hard links
-S, --sparse             handle sparse files efficiently
-x, --one-file-system    don't cross file system boundaries
--exclude=PATTERN        exclude files matching PATTERN
--delete-during          receiver deletes during xfer, not before
--delete-after           receiver deletes after transfer, not before
7.1 Rsync on Windows
Rsync is available for Windows through cygwin or as stand-alone packaged in cwrsync¹². This is very convenient for automated backups. Install one of them (not both) and add the path to the Windows system variables:
# Control Panel -> System -> tab Advanced, button Environment Variables.
Edit the "Path" system variable and add the full path to the installed rsync, e.g. C:\Program Files\cwRsync\bin or C:\cygwin\bin. This way the commands rsync and ssh are available in a Windows command shell.
Public key authentication
Rsync is automatically tunneled over SSH and thus uses the SSH authentication on the server. Automatic backups have to avoid user interaction; for this the SSH public key authentication can be used and the rsync command will run without a password. All the following commands are executed within a Windows console. In a console (Start -> Run -> cmd) create and upload the key as described in SSH, change "user" and "server" as appropriate. If the file authorized_keys2 does not exist yet, simply copy id_dsa.pub to authorized_keys2 and upload it.
# ssh-keygen -t dsa -N ''                          # Creates a public and a private key
# rsync user@server:.ssh/authorized_keys2 .        # Copy the file locally from the server
# cat id_dsa.pub >> authorized_keys2               # Or use an editor to add the key
# rsync authorized_keys2 user@server:.ssh/         # Copy the file back to the server
# del authorized_keys2                             # Remove the local copy
Now test it with (in one line):
rsync -rv "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" 'user@server:My\ Documents/'
Automatic backup
Use a batch file to automate the backup and add the file in the scheduled tasks (Programs -> Accessories -> System Tools -> Scheduled Tasks). For example create the file backup.bat and replace user@server.
@ECHO OFF
REM rsync the directory My Documents
SETLOCAL
SET CWRSYNCHOME=C:\PROGRAM FILES\CWRSYNC
SET CYGWIN=nontsec
SET CWOLDPATH=%PATH%
REM uncomment the next line when using cygwin
SET PATH=%CWRSYNCHOME%\BIN;%PATH%
echo Press Control-C to abort
rsync -av "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/" 'user@server:My\ Documents/'
pause
8 SUDO
Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi user environment with a mix of servers and workstations. Simply call the command with sudo:
# sudo /etc/init.d/dhcpd restart               # Run the rc script as root
# sudo -u sysadmin whoami                      # Run cmd as another user
12. http://sourceforge.net/projects/sereds
8.1 Configuration
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands                  # In /etc/sudoers
users       one or more users or %group (like %wheel) to gain the rights
hosts       list of hosts (or ALL)
runas       list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!
commands    list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as aliases, they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups. Here is a sudoers example:
# cat /etc/sudoers
# Host aliases are subnets or hostnames.
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
# User aliases are a list of users which can have the same rights
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
# Command aliases define the full path of a list of commands
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root    # Not root pwd!
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
# The actual rules
root,ADMINS ALL = (ALL) NOPASSWD: ALL            # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL              # Developers have full right on desktops
DEVEL DMZ = (ALL) NOPASSWD: DEBUG                # Developers can debug the DMZ servers.
# User sysadmin can mess around in the DMZ servers with some commands.
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL          # Can do anything outside the DMZ.
%dba ALL = (DBA) ALL                             # Group dba can run as database user.
# anyone can mount/unmount a cd-rom on the desktop machines
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
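Rules of the form "NOPASSWD: ALL", like the ADMINS and DEVEL lines in the example above, are the ones to review first when auditing a sudoers file. The script below is an added example, not part of the Unix Toolbox and not a sudo tool: a POSIX shell/awk check that parses the basic "users hosts = (runas) TAG: commands" form described in this section and prints "users@hosts" for every rule whose command list is ALL and whose tags include NOPASSWD. It assumes one rule per line, no backslash continuations and no #include directives; trailing "# comments" are stripped. The sample sudoers it reads is constructed here from the page's example. visudo -c -f FILE remains the syntax check; this script only flags policy.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox: list sudoers rules that grant
# ALL commands with the NOPASSWD tag. Assumes the basic rule syntax shown on
# this page, one rule per line, no continuations and no #include.

# sample_sudoers
# Prints a constructed sudoers file modelled on the example on this page.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Host_Alias DMZ = 212.118.81.40/28
Host_Alias DESKTOP = work1, work2
User_Alias ADMINS = colin, luca, admin
User_Alias DEVEL = joe, jack, julia
Runas_Alias DBA = oracle,pgsql
Cmnd_Alias SYSTEM = /sbin/reboot,/usr/bin/kill,/sbin/halt,/sbin/shutdown,/etc/init.d/
Cmnd_Alias PW = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
Cmnd_Alias DEBUG = /usr/sbin/tcpdump,/usr/bin/wireshark,/usr/bin/nmap
root,ADMINS ALL = (ALL) NOPASSWD: ALL      # ADMINS can do anything w/o a password.
DEVEL DESKTOP = (ALL) NOPASSWD: ALL
DEVEL DMZ = (ALL) NOPASSWD: DEBUG
sysadmin DMZ = (ALL) NOPASSWD: SYSTEM,PW,DEBUG
sysadmin ALL,!DMZ = (ALL) NOPASSWD: ALL
%dba ALL = (DBA) ALL
ALL DESKTOP = NOPASSWD: /sbin/mount /cdrom,/sbin/umount /cdrom
EOF
}

# audit_nopasswd_all [FILE]
# Reads a sudoers file (or stdin when no FILE is given) and prints
# "users@hosts" for every rule whose command list is ALL and whose tags
# include NOPASSWD (a later PASSWD tag cancels an earlier NOPASSWD).
audit_nopasswd_all() {
    awk '
        { sub(/[ \t]+#.*$/, "") }                      # drop trailing comments
        /^[ \t]*#/ { next }                             # comment lines
        /^[ \t]*$/ { next }                             # blank lines
        /^(User|Host|Runas|Cmnd)_Alias[ \t]/ { next }   # alias definitions
        /^Defaults/ { next }                            # Defaults lines
        index($0, "=") == 0 { next }                    # not a rule
        {
            eq    = index($0, "=")
            left  = substr($0, 1, eq - 1)               # "users hosts"
            right = substr($0, eq + 1)                  # "(runas) TAG: commands"
            split(left, l, " ")                         # l[1]=users, l[2]=hosts
            sub(/^[ \t]*\([^)]*\)/, "", right)          # strip the (runas) list
            nopw = 0
            while (match(right, /^[ \t]*[A-Z_]+:/)) {   # consume TAG: prefixes
                tag = substr(right, RSTART, RLENGTH)
                gsub(/[ \t:]/, "", tag)
                if (tag == "NOPASSWD") nopw = 1
                if (tag == "PASSWD")   nopw = 0
                right = substr(right, RSTART + RLENGTH)
            }
            sub(/^[ \t]+/, "", right)                   # trim the command list
            sub(/[ \t]+$/, "", right)
            if (nopw && right == "ALL") print l[1] "@" l[2]
        }' "$@"
}
```

Run "sample_sudoers | audit_nopasswd_all" for the demonstration, or "audit_nopasswd_all /etc/sudoers" as root on a real file. For the sample the output is three lines: root,ADMINS@ALL, DEVEL@DESKTOP and sysadmin@ALL,!DMZ; the DEVEL DMZ, sysadmin DMZ, %dba and mount rules are not reported because their command lists are restricted or a password is still required.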
9 ENCRYPT FILES
9.1 OpenSSL
A single file
Encrypt and decrypt:
# openssl aes-128-cbc -salt -in file -out file.aes
# openssl aes-128-cbc -d -salt -in file.aes -out file
Note that the file can of course be a tar archive.
tar and encrypt a whole directory
# tar -cf - directory | openssl aes-128-cbc -salt -out directory.tar.aes      # Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.aes | tar -x                 # Decrypt
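The tar + openssl commands on this page (the plain and the gzipped variant) ask for the password interactively, and the note about -k mysecretpassword warns that putting it on the command line is highly insecure: the arguments of a running process are visible to every local user through ps. The script below is an added example, not part of the Unix Toolbox: it performs the same directory round trip with the passphrase read from a file that only its owner can read ("-pass file:" of openssl enc), uses aes-256-cbc as the page suggests for stronger encryption, and adds PBKDF2 key derivation (the -pbkdf2 option of openssl enc, available since OpenSSL 1.1.1). All paths, file contents and the passphrase are constructed for the demonstration; "-pass file:" works equally with the aes-128-cbc commands shown above.

```shell
#!/bin/sh
# Added example, not from the Unix Toolbox: encrypt a whole directory with
# tar + openssl as on this page, but read the passphrase from a mode-600
# file with "-pass file:" instead of passing it with -k, which exposes it
# to every local user through the process list. Uses aes-256-cbc and PBKDF2
# key derivation (openssl enc -pbkdf2, OpenSSL 1.1.1 or later).
# All paths, contents and the passphrase below are constructed for the demo.

# encrypt_dir SRC_DIR PASSFILE OUT_FILE
# tar+gzip SRC_DIR by its base name (like "directory" on this page) and
# encrypt the stream into OUT_FILE.
encrypt_dir() {
    tar -C "$(dirname "$1")" -zcf - "$(basename "$1")" |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$2" -out "$3"
}

# decrypt_dir IN_FILE PASSFILE DEST_DIR
# Decrypt IN_FILE and unpack the archive below DEST_DIR.
decrypt_dir() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" |
        tar -xz -C "$3"
}

# encrypt_dir_roundtrip
# Builds a sample tree, encrypts it, decrypts it into another directory and
# compares both trees. Prints "roundtrip ok" and returns 0 on success.
encrypt_dir_roundtrip() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    mkdir -p "$work/src/directory/sub" "$work/restore" || return 1
    printf 'constructed sample data\n' > "$work/src/directory/a.txt"
    printf 'more constructed data\n'   > "$work/src/directory/sub/b.txt"

    # The passphrase lives in a file readable only by its owner (umask 077),
    # so it never appears in any process argument list.
    umask 077
    printf 'constructed-demo-passphrase\n' > "$work/pass"

    encrypt_dir "$work/src/directory" "$work/pass" "$work/directory.tar.gz.aes" || return 1

    # Sanity check: the plaintext must not be visible in the ciphertext.
    if grep -q 'constructed sample data' "$work/directory.tar.gz.aes"; then
        echo "plaintext leaked into ciphertext"
        return 1
    fi

    decrypt_dir "$work/directory.tar.gz.aes" "$work/pass" "$work/restore" || return 1
    diff -r "$work/src/directory" "$work/restore/directory" >/dev/null || return 1
    echo "roundtrip ok"
}
```

Source the file and call encrypt_dir_roundtrip for the self-test, or use encrypt_dir and decrypt_dir directly on a real directory with your own passphrase file. The -salt option is only needed on encryption; on decryption openssl reads the salt from the "Salted__" header it wrote, and -pbkdf2 must be given on both sides so that the same key is derived.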