Harnessing the Power of Linux
Linux is a powerful and stable platform that enables us to perform a variety of tasks, such as penetration testing, hosting, VPN management, and firewall configuration, which are not easily achievable on a Windows platform. In this article, I will highlight some of the most useful tools and commands you will need for managing servers or desktops effectively.
Linux offers several advantages over Windows that have made my life significantly easier:
- Stability and Performance: Linux is renowned for its stability and performance, especially when running server applications. This ensures minimal downtime and efficient resource usage.
- Security: Linux has robust security features, making it less vulnerable to malware and attacks. The open-source nature allows for quick patches and community-driven improvements.
- Flexibility and Customization: With Linux, you can customize nearly every aspect of the operating system to suit your needs, from the kernel to the desktop environment.
- Command Line Efficiency: The powerful command-line interface allows for efficient management of tasks, automation through scripting, and access to a wide range of utilities and tools.
- Cost-Effectiveness: Linux is free and open-source, reducing licensing costs and providing access to a plethora of free software and tools.
By leveraging these advantages I have greatly simplified the management of my servers and desktops, streamlining workflows and enhancing productivity.
Below, I will share some of the most useful commands to make your life easier:
Useful Commands Index:
- Packages and Installation
- Resources Monitor
- Logs
- Repair
- Tweaks and Information
- Networking
- Security
- Mail Exim
- Mysql
Good Linux Flavors:
- Linux Kodachi, a security distribution developed by EEDS.
- Other recommended security distributions: Tails, JonDo, Qubes-os, SubgraphOS, Whonix.
- CentOS is best used on servers for web hosting; EEDS uses CentOS 64-bit to host all its websites.
- Linux Mint is best used on desktops for daily tasks; if you need to replace Windows, go for it.
- Debian is best for VPS nodes where you have to host minor services such as VPN and proxy services.
- Kali, Matriux, Parrot, BlackArch, Weaknetlabs, Cyborghawk, Pentoo, Bugtraq and Samurai are best used for penetration testing; they ship most of the tools you need. Don’t miss the shygirl script, a cool add-on for Kali and Backtrack that we have written.
- Debian can also be used for hosting OS virtual images such as VMware and VirtualBox. If you need to combine both beauty and lightness, go for the Linux Mint Debian edition, which is based on Debian directly and not on Ubuntu.
- If you are looking for very light open-source network boot firmware with plenty of features, use iPXE.
Useful Packages:
For CentOS where you host websites, you will additionally need the following packages:
- htop to view system usage (CPU, RAM, etc.); better than the Linux top command.
- mytop to view MySQL database queries.
- CSF, a user-friendly and powerful firewall.
- CXS exploit scanner.
- ClamAV antivirus for Linux.
- cPanel, user-friendly OS management software.
Packages and Installation
To install cxs exploit scanner:
wget https://www.configserver.com/cp/cxs.html # Get the install script from http://www.configserver.com/cp/cxs.html
tar -xzf cxsinstaller.tgz
perl cxsinstaller.pl
rm -fv cxsinstaller.*
To install prm:
wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
tar xvfz prm-current.tar.gz
cd prm-*/
./install.sh
To install csf firewall:
wget http://www.configserver.com/cp/csf.html
tar -xzf csf.tgz
cd csf
sh install.sh
To install htop:
wget https://www.rpmfind.net/linux/rpm2html/search.php?query=htop # Find the matching htop rpm for your release
rpm -Uvh htop-1.0.3-1.el6.rf.x86_64.rpm
To remove rpm package htop as an example:
rpm -e htop
How to install Apache + PHP + Mysql on Ubuntu box:
sudo su
apt-get install apache2 -y
apt-get install php5 libapache2-mod-php5 -y
apt-get install mysql-server mysql-client -y
/etc/init.d/apache2 restart
sudo a2enmod ssl
sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
sudo /etc/init.d/apache2 restart
cd /var/www
Update Apache and PHP via SSH (cPanel):
/scripts/easyapache
To update Mysql:
/scripts/mysqlup
Force ftp to update via ssh if cpanel is installed:
/scripts/ftpup --force
Install ms fonts on Ubuntu or Linux Mint:
sudo apt-get install msttcorefonts
Updating Ubuntu:
# Update Ubuntu
apt-get update
apt-get upgrade
apt-get update && apt-get dist-upgrade
Update Backtrack:
# Update the Ubuntu base first
apt-get update
apt-get upgrade
apt-get update && apt-get dist-upgrade
msfupdate
apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler
Removing old kernels to have space for new kernel installations (/boot) – CentOS:
Recommended way:
#Edit /etc/yum.conf and set the following parameter
installonly_limit=2
yum install yum-utils
package-cleanup --oldkernels --count=2
# Done. This erases the old kernels cleanly and keeps just the last 2 of them for the next upgrades.
Old way:
uname -r
rpm -q kernel
rpm -e the-old-kernel #example : rpm -e kernel-2.6.32-279.el6.x86_64
yum update
#check if the new kernel is there:
cat /boot/grub/grub.conf
#reboot
shutdown -r now
Install FTP server (vsftpd) for Ubuntu:
sudo apt-get install vsftpd
nano /etc/vsftpd.conf
# uncomment the following:
write_enable=YES
chroot_local_user=YES
local_enable=YES
sudo service vsftpd restart
Install Webmin for Ubuntu:
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.650_all.deb
sudo dpkg -i webmin_1.650_all.deb
#access it via web browser
https://yourip:10000/
# If for some reason Webmin does not auto-start after a reboot, run this command to get it working again:
sudo /etc/init.d/webmin start
Install or upgrade OpenSSL on CentOS (compile from source):
wget http://www.openssl.org/source/openssl-1.0.0k.tar.gz
tar xvfz openssl-1.0.0k.tar.gz
cd openssl-1.0.0k
make clean
./config shared --prefix=/usr --openssldir=/usr/local/openssl
make && make test
make install
Install or upgrade OpenSSL on CentOS via yum:
sudo rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
yum --enablerepo=axivo update openssl
# or
yum --enablerepo=axivo install openssl
Uninstall a library in Linux (the opposite of make install):
make clean
make uninstall
Find if package is installed on Centos for example (openssl):
su -c 'yum list openssl'
rpm -qa | grep openssl
Install Apache + PHP + SSL on Debian and Ubuntu:
sudo apt-get install apache2 php5 openssl ssl-cert
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
Install live-helper (now live-build) on the Debian system to create fresh live images:
nano /etc/apt/sources.list
# Add the following
deb https://www.debian.org/CD/live/ wheezy-snapshots main contrib non-free
deb-src https://www.debian.org/CD/live/ wheezy-snapshots main contrib non-free
apt-get update
apt-get install live-build
mkdir /root/my-livecd
cd /root/my-livecd
lb clean
lb config --interactive shell # To disable interactive shell use lb config --interactive disabled
lb build
exit
# A file called binary-hybrid.iso will be on same folder
Create live image from current installation on Debian or Ubuntu:
wget -O - http://www.remastersys.com/debian/remastersys.gpg.key | apt-key add -
nano /etc/apt/sources.list
# Add the following:
deb http://www.remastersys.com/ wheezy main
deb-src http://www.remastersys.com/ wheezy main
# For Ubuntu use the following:
deb http://www.remastersys.com/ubuntu precise main
deb http://www.remastersys.com/ubuntu quantal main
sudo apt-get update
sudo apt-get install remastersys
# Usage sudo remastersys backup|clean|dist [cdfs|iso] [filename.iso]
# Config global settings
nano /etc/remastersys.conf
# To make a livecd/dvd backup and call the iso custom.iso with user personal folders:
sudo remastersys backup Debian-live-custom.iso
# or
sudo remastersys backup Ubuntu-live-custom.iso
# To clean up temporary files of remastersys
sudo remastersys clean
# To make a livecd/dvd backup and call the iso custom.iso without user personal folders:
sudo remastersys dist custom.iso
# To make a distributable livecd/dvd filesystem only
sudo remastersys dist cdfs
How to install ConfigServer ModSecurity Control:
wget http://download.configserver.com/cmc.tgz
tar -xzf cmc.tgz
cd cmc/
sh install.sh
How to install Comodo Web Application Firewall:
First you will need access from here.
wget https://waf.comodo.com/cpanel/cwaf_client_install.sh
sh cwaf_client_install.sh
To add Comodo Web Application Firewall to the cPanel ModSecurity™ Vendors you need to import the following file:
https://waf.comodo.com/doc/meta_comodo_apache.yaml
To check all ModSecurity™ Vendors installed by Cpanel:
cat /var/cpanel/modsec_cpanel_conf_datastore
If Apache won’t start due to errors in the CWAF rules, run the following:
/usr/local/cpanel/scripts/modsec_vendor update --auto
or if problem is not fixed:
rm -rf /var/cpanel/cwaf/rules/* /var/cpanel/cwaf/scripts/updater.pl
After upgrading WHM Perl gets updated and CWAF won’t start throwing the following error:
No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_cwaf.cgi): The subprocess reported error number 2 when it ended.
To solve it:
cp -avr /var/cpanel/cwaf/modules/CPAN/lib/* /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib
Install FFmpeg on CentOS:
nano /etc/yum.repos.d/atrpms.repo
# paste the following:
[atrpms]
name=Fedora Core $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
enabled=1
gpgcheck=1
# Then run:
yum update
yum install ffmpeg
# To check the version:
ffmpeg -version
To install Elasticsearch on CentOS:
cd ~
sudo yum update
su -c "yum install java-1.8.0-openjdk"
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.2.zip
unzip elasticsearch-1.7.2.zip
rm -f elasticsearch-1.7.2.zip
mv elasticsearch-* elasticsearch
sudo mv elasticsearch /usr/local/share
curl -L http://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master | tar -xz
mv *servicewrapper*/service /usr/local/share/elasticsearch/bin/
rm -Rf *servicewrapper*
sudo /usr/local/share/elasticsearch/bin/service/elasticsearch install
sudo /etc/init.d/elasticsearch start
# To test
curl http://localhost:9200
To check how many records have been stored to elasticsearch's search index:
curl -XGET 'http://localhost:9200/wcf/com_woltlab_wbb_post/_count?q=*'
To install ImageMagick:
yum install ImageMagick
To install RED5 server on a Debian node:
apt-get update
apt-get install red5-server
service red5-server start
# Ports that should be opened by now:
RTMP: 1935
Debug proxy: 1936
HTTP servlet: 5080
RTMPT: 8088
# Navigate to the following URL to verify it is there
http://fpus3.digi77.com:5080/
# Install Cometchat Whiteboard plugin
cd /usr/share/red5/webapps
wget http://www.cometchat.com/extra/ccred5whiteboard.tar.gz
tar -xzf ccred5whiteboard.tar.gz
mv ccred5whiteboard.tar.gz ccred5whiteboard.tar
tar xvf ccred5whiteboard.tar
# Install Cometchat Screenshare plugin
wget http://www.cometchat.com/extra/ccred5screenshare.tar.gz
tar -xzf ccred5screenshare.tar.gz
mv ccred5screenshare.tar.gz ccred5screenshare.tar
tar xvf ccred5screenshare.tar
rm -f ccred5whiteboard.tar
rm -f ccred5screenshare.tar
service red5-server restart
To disable ApacheBooster:
/scripts/manage_apacheboooster --disable
To enable ApacheBooster:
/scripts/manage_apacheboooster --enable
To update ApacheBooster:
/scripts/updateapachebooster
To install Let’s Encrypt plugin for SSL certificates and enable it on WHM Cpanel:
/scripts/install_lets_encrypt_autossl_provider
To disable and uninstall the Let’s Encrypt plugin, run the following command:
/usr/local/cpanel/scripts/uninstall_lets_encrypt_autossl_provider
Resources Monitor
Server resources like CPU and memory are sometimes overloaded; use the following to trace the reason:
top -c
htop
ps -eo pcpu,pid,user,args | sort -k1 -r | head -10
ps aux | grep php
If you have prm installed usage:
prm -t
prm -s
For Apache Web server resources you can use:
yum install apachetop
apachetop -f /var/log/apache2/access_log
To run shell script or php script on the background:
# First make sure /var/run/screen has mode 775:
chmod 775 /var/run/screen
# Then to run php script on background:
screen php searchindex.php #or just type screen then Enter and type your command
# To view the list of all screen processes:
screen -ls
# To detach the screen:
CTRL+A followed by d
# Or
screen -d SCREENID
# To attach the screen at anytime:
screen -r SCREENID
# To kill the screen
screen -X -S SCREENID quit
# Example:
screen -X -S 17285.pts-1.british quit
To avoid CTRL+D logging the user off while using screen:
IGNOREEOF=4
Here is another way but for my self I prefer screen:
# press Ctrl+Z to suspend the program
# list the current jobs
jobs
# resume the job that's next in the queue
fg
# resume job [number]
fg %[number]
# Push the next job in the queue into the background
bg
# Push the job [number] into the background
bg %[number]
# Kill the job numbered [number]
kill %[number]
# Send the signal [signal] to job number [number]
kill -[signal] %[number]
# disown the process (the terminal is no longer its owner), so the command stays alive even after closing the terminal.
disown %[number]
Or you can use nohup:
nohup ./yourscript &
# To send output to a file. Note that nohup does not automatically put the command in the background; this must be done explicitly with &.
nohup date > date.log &
How to install Sar (Sysstat) Performance Monitoring in Debian:
sudo apt-get install sysstat
# Set ENABLED="true"
nano /etc/default/sysstat
# Set interval from every 10 minutes to every 2 minutes.
nano /etc/cron.d/sysstat
# Change
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# To
*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
# Restart the service
service sysstat restart
# Usage Examples
# System CPU statistics 3 times (with 1 second interval)
sar 1 3
# Reports run queue and load average (sar -q)
sar -q
sar -q 1 3
# Overall I/O Activities (sar -b)
sar -b 1 3
# Individual Block Device I/O Activities (sar -d)
sar -d 1 1
#Report network statistics (sar -n)
sar -n ALL
sar -n DEV
sar -n IP
# CPU Usage of ALL CPUs (sar -u)
sar -u
sar -u ALL
# Memory Free and Used (sar -r)
sar -r 1 3
# CPU Usage of Individual CPU or Core (sar -P)
sar -P ALL 1 1
# Swap Space Used (sar -S)
sar -S 1 3
# Display context switch per second (sar -w)
sar -w 1 3
# Report Sar Data Using Start Time (sar -s)
sar -s
Logs
Monitor server logs:
tail -f /var/log/messages
For example only get logs related to digi77
tail -f /var/log/messages | grep digi77
Apache logs on Centos located in /etc/httpd/logs:
tail -f /etc/httpd/logs/error_log
tail -f /etc/httpd/logs/access_log
Combine Apache and server logs:
tail -f /usr/local/apache/logs/error_log /var/log/messages
Monitor all files downloads exe from digi77:
grep CustomLog /etc/httpd/conf/httpd.conf
tail -f /usr/local/apache/domlogs/digi77.com | grep .exe
Exclude the word “file does” example:
tail -f /etc/httpd/logs/error_log |grep -i -v "file does"
To disable logs in Apache, comment out (ErrorLog “logs/error_log”) in the httpd configuration file and restart Apache.
locate -s httpd.conf
If you have space problems because of Apache logs:
for i in /usr/local/apache/logs/* ; do cat /dev/null > $i ; done
for i in /usr/local/apache/domlogs/* ; do cat /dev/null > $i ; done
rm -f /usr/local/apache/logs/archive/*.gz
rm -f -r /usr/local/apache.backup
rm -f -r /usr/local/apache.backup_archive
Apache logs on Ubuntu:
tail -f /var/log/apache2/error.log
To prevent and stop the logs on CentOS box:
#login to the box
unset HISTFILE
cat > /var/log/lastlog
CTRL+D
cat > /var/log/utmp
CTRL+D
cat > /var/log/wtmp
CTRL+D
cat > /var/log/secure
CTRL+D
# Type your commands
exit
To find and shred all server logs (Be careful):
find /var/log -type f | xargs shred -v --remove
For my sql logs you have to change the config file:
locate -s my.cnf
nano /etc/my.cnf
Then add this to it:
[mysqld]
set-variable=long_query_time=3
slow_query_log_file=/var/log/mysql/log-slow-queries.log
log-error=/var/log/mysql/errors.log
Then you need to create some files:
mkdir /var/log/mysql
touch /var/log/mysql/log-slow-queries.log
touch /var/log/mysql/errors.log
chown mysql.mysql -R /var/log/mysql
Now you are ready to view the logs:
tail -f /var/log/mysql/log-slow-queries.log
tail -f /var/log/mysql/log-slow-queries.log /var/log/mysql/errors.log
To find and list huge files (over 1 GB) in general:
find . -size +1G -printf '%s %p\n'
To find and list huge error_log files (over 50 MB) along with the size they occupy:
find /home/*/public_html/ -type f -iname error_log -size +50M -exec du -sh {} \;
To find, list and DELETE! huge error_log files (over 50 MB):
find /home/*/public_html/ -type f -iname error_log -size +50M -exec rm -f {} \;
Repair
Repair Mysql tables:
myisamchk -r -t=/home/oman0/tmp *.MYI
myisamchk -m *.MYI
myisamchk -e *.MYI
myisamchk -e -r post.MYI
myisamchk -e -o post.MYI
myisamchk -A --auto-repair post.MYI
Or use:
mysql
use database_name;
repair table pm;
repair table pmreceipt;
repair table pmtext;
repair table post;
Rebuild Apache config file:
/scripts/rebuildhttpdconf
Repair Apache config file:
/usr/local/cpanel/bin/apache_conf_distiller --update
/usr/local/cpanel/bin/build_apache_conf
If you face a problem with yum on VPS node:
nano /etc/yum/pluginconf.d/fastestmirror.conf # set "enabled=0"
Fix Easyapache Timeout on connect:
nano /etc/hosts
# File should look like this:
127.0.0.1 localhost.localdomain localhost
216.185.115.91 saver.digi77.com saver
# or
127.0.0.1 localhost localhost4 localhost4.localdomain4
::1 localhost localhost6 localhost6.localdomain6
65.201.24.159 master.xxxx.gov.om master
/scripts/easyapache --build
Fix FastCGI Data Timeout Error (mod_fcgid read data timeout in 40 seconds):
nano /usr/local/apache/conf/includes/post_virtualhost_global.conf
# Add to the end of the file the following:
FcgidProcessLifeTime 8200
FcgidIOTimeout 8200
FcgidConnectTimeout 400
FcgidMaxRequestLen 1000000000
If Openssl causes errors while updating CENTOS update or upgrade use the following command:
yum update --exclude openssl* --skip-broken
If you can’t restore a user from a cPanel backup and you get one of these error messages:
“Cannot restore. That user already exists on this system”
“Sorry, a passwd entry for that username already exists”
/scripts/restorepkg --force username
# for example user oman0:
/scripts/restorepkg --force oman0
If Apache throws the following error:
“SecurityException in Application.cpp:188: Do not have root privileges. Executable not set-uid root?”
chmod +s /opt/suphp/sbin/suphp
Bash script to remove cpmove.psql folders from cPanel home user accounts:
# Write a short script cpremove.sh
nano cpremove.sh
# Paste the below
for user in `ls -A /var/cpanel/users`
do
rm -rf /home/$user/cpmove.psql*
done
# Run the script
. cpremove.sh
# Delete it
rm -f cpremove.sh
If a package is causing an error when running the yum command, for example OpenSSL, you have to exclude it as follows:
nano /etc/yum.conf
# Then add or extend the exclude line:
exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* ruby* spamassassin* squirrelmail* openssl*
Fix RPM Installation via WHM/Cpanel:
/usr/local/cpanel/scripts/check_cpanel_rpms --fix
To rebuild the RPM database via:
yum clean all
mkdir /root/old_rpm_dbs/
mv /var/lib/rpm/__db* /root/old_rpm_dbs/
rpm --rebuilddb
To clean up yum:
su -c 'yum clean headers'
su -c 'yum clean packages'
su -c 'yum clean metadata'
If one of the yum sources fails you will have to disable it:
Example “http://dl.atrpms.net/el6-x86_64/atrpms/stable/repodata/repomd.xml: [Errno 14] PYCURL ERROR 7 – “couldn’t connect to host”
cd /etc/yum.repos.d/
nano atrpms.repo
# Now set enabled from 1 to 0
yum update
Remove package without the dependencies:
rpm -e --nodeps packagename
Sometimes when you run a bash script via a cron job you get the error “sudo: sorry, you must have a tty to run sudo”; to solve it use the following:
nano /etc/sudoers
# Replace "Defaults requiretty" with:
Defaults !requiretty
Apache2 Configuration Files Location on Debian:
nano /etc/apache2/apache2.conf
# listening ports
nano /etc/apache2/ports.conf
Sometimes the system gives you a permission denied error on the .htaccess file, with a message that looks like this: “Permission denied: /var/www/abc/.htaccess pcfg_openfile: unable to check htaccess file” or “Server unable to read htaccess file, denying access to be safe”
To solve it do the following:
chmod 755 directory_containing_.htaccess -R
cd directory_containing_.htaccess
chmod 644 .htaccess
Another issue might occur when trying to protect a directory with a password, where WordPress always shows you a page not found error; all you have to do is add the following to the WordPress .htaccess:
ErrorDocument 401 default
Tweaks and Information
Get PHP version:
php -v
Get Mysql version:
mysql -V
Get Apache version:
httpd -v
Get Openssl version:
openssl version
Get php config file location:
php --ini
Get installed php modules:
php -m
Protecting upload folder:
chmod -R 775 uploads
Set write permission to a file:
chmod -R 0755 fp.php
To switch to the new user with users profile and variables:
su - username
To continue with the current profile and variables:
su username
Ask ClamAV to scan home for viruses then output the results to a file:
clamscan -r --bell -i /home/ > /home/digi77/www/v.txt
To change Linux default Editor:
export EDITOR=pico
export EDITOR=vi
export EDITOR=nano
or
export VISUAL=vi
export VISUAL=pico
export EDITOR=nano
To change file modification date:
touch -d '5 May 2013 10:22' sendmessage.php
To change the owner of a file or folder:
chown oman0.oman0 public_html/ -R
Change SSH port number:
nano /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart
If SSH is stuck and you can’t connect:
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
reboot
# Update client side hosts: ~/.ssh/known_hosts files
Change Ftp port number:
nano /etc/pure-ftpd.conf
To search in nano editor:
CTRL W
Copy file and replace original with no prompt:
yes | cp sendmessage.php /home/digi77/forum/
To edit cron jobs:
crontab -e
To list them:
crontab -l
Execute a cron job every 5 Minutes
*/5 * * * * bash /root/stat.sh > /var/www/myfile.html
Execute a cron job every 5 Days
0 0 */5 * * bash /root/stat.sh > /var/www/myfile.html
Cron job simplification:
+---------------- minute (0 - 59)
| +------------- hour (0 - 23)
| | +---------- day of month (1 - 31)
| | | +------- month (1 - 12)
| | | | +---- day of week (0 - 6) (Sunday=0 or 7)
| | | | |
* * * * * command to be executed
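As an added example (not from the original post), here is a small POSIX sh function that expands one crontab field into the exact values it matches, so an entry can be checked before it goes into a crontab or /etc/cron.d; the function names and sample specs are mine. It also shows why a day-of-month field of */5 fires on the 1st, 6th, ... 31st and then the 1st again, rather than at a strict five-day spacing.

```shell
#!/bin/sh
# Added example, not from the original post: expand a single crontab field
# into the concrete values it matches. Handles *, a-b, a,b,c and the /step
# suffix used in specs such as "5-55/10" and "*/2". The caller passes the
# field's allowed range (minute 0-59, hour 0-23, day of month 1-31, ...).
cron_expand() {
  spec=$1; lo=$2; hi=$3; out=""
  rest="$spec,"                      # trailing comma so the last item is consumed
  while [ -n "$rest" ]; do
    part=${rest%%,*}; rest=${rest#*,}
    step=1; range=$part
    case $part in
      */*) step=${part#*/}; range=${part%%/*} ;;   # "a-b/n" or "*/n"
    esac
    case $range in
      '*') a=$lo; b=$hi ;;                          # whole range
      *-*) a=${range%-*}; b=${range#*-} ;;          # explicit a-b
      *)   a=$range; b=$range ;;                    # single value
    esac
    # Reject empty or non-numeric pieces before using them in arithmetic tests.
    for n in "$a" "$b" "$step"; do
      case $n in ''|*[!0-9]*) echo "bad field: $part" >&2; return 1 ;; esac
    done
    # Reject out-of-bounds, reversed ranges and a zero step (which would never end).
    if [ "$a" -lt "$lo" ] || [ "$b" -gt "$hi" ] || [ "$a" -gt "$b" ] || [ "$step" -lt 1 ]; then
      echo "bad field: $part (allowed $lo-$hi)" >&2; return 1
    fi
    v=$a
    while [ "$v" -le "$b" ]; do out="$out $v"; v=$((v + step)); done
  done
  printf '%s\n' "${out# }"
}

# Convenience wrapper: how many times a minute-field spec fires per hour.
fires_per_hour() { cron_expand "$1" 0 59 | wc -w | tr -d ' '; }

# Example: the sysstat schedule from above, then the "every 5 days" day-of-month field.
cron_expand '5-55/10' 0 59      # 5 15 25 35 45 55
cron_expand '*/5' 1 31          # 1 6 11 16 21 26 31 (then the 1st again next month)
```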
To view day of the week:
echo $(( $(date -d "$1" +%w ) + 1 ))
To delete files older than a year:
find /home/digi77/www/uploads/ -name '*.*' -mtime +360 -exec rm {} \;
To delete files older than 2 days:
ls -t | sed -e '1,2d' | xargs rm
# Note: this keeps the 2 most recently modified entries and removes everything else regardless of age; for a true age cut-off use find with -mtime +2 as in the previous example.
To check disk health and folder sizes:
du -h --max-depth=1
View folder size in summary in MB:
du -s -m /home/digi77
Kill a process by its name (example process name is: cxs):
kill -9 `ps -ef | grep cxs | grep -v grep | awk '{print $2}'`
To extract .rar compressed files:
yum install rar unrar
unrar x -kb archive.rar
To compress and add folder to .tar and .gz file:
tar -cf thefile.tar /home
gzip -1 thefile.tar
To compress and add folder to tar then auto gzip it -z for backups:
tar -zcf theBackupFileofDigi77.tar /home/digi77
To extract from zip file:
unzip filename.zip
To extract from password protected zip file:
sudo unzip -P the_Password filename.zip
To add to a zip file:
zip -r thedes.zip thesourc.wav
Add the file to the same folder as in the original directory hierarchy:
zip -g xxx.mp3 folder/file
To extract from tar or .gz file:
tar -xvf thefile.tar
gunzip -c thefile.tar.gz | tar xvf -
How to install 7zip on Linux Centos:
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
# Check machine architecture:
uname -i
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -K rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm -i rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
yum -y install p7zip
On Debian or Ubuntu:
sudo apt-get install p7zip-full
To create an encrypted zip file with 7z archiver:
7za a -tzip -pMY_SECRET -mem=AES256 secure.zip doc.pdf doc2.pdf doc3.pdf
To uncompress a zip file that is encrypted with 7za command:
7za e secure.zip
To extract a password protected file on CentOS:
7za x thefile.zip -pThePassword
To extract a password protected file on Debian:
7z x thefile.zip -pThePassword
To set root email forward:
/root/.forward
To prevent Cpanel from restarting Apache and other services:
nano /etc/chkserv.d/chkservd.conf
Display list of updated software centOS:
yum list updates
Update CentOS:
yum update
Find out if httpd package is installed or not:
rpm -qa | grep httpd
yum list installed httpd
Update package httpd:
yum update httpd
Add Apache httpd to system start-up:
chkconfig --add httpd
chkconfig --level 235 httpd on
Check if on the list:
chkconfig --list httpd
Remove from the list:
chkconfig httpd off
chkconfig --del httpd
Or use:
sudo apt-get install sysv-rc-conf
sysv-rc-conf
Let apache2 start with OS boot Ubuntu:
sudo update-rc.d -f apache2 remove
sudo update-rc.d apache2 defaults
sudo service apache2 stop
sudo service apache2 start
Restart a service like ssh:
sudo service ssh restart
# or
sudo /etc/init.d/ssh restart
Clear temporary blocked ips from CSF firewall:
perl /etc/csf/csf.pl -tf # or csf -tf
Clear permanent blocked ips from CSF firewall:
perl /etc/csf/csf.pl -df # or csf -df
Disable CSF firewall:
csf -x # or enable it by: csf -e
Restart CSF firewall:
perl /etc/csf/csf.pl -r
FTP Passive Mode blocked by CSF firewall:
# PureFTPd
nano /etc/pure-ftpd.conf
# Set
PassivePortRange 32000 33000
# ProFTPd
nano /etc/proftpd/proftpd.conf
# Set
PassivePorts 32000 33000
# Change CSF settings
TCP_IN: 20,21,22,25,53,80,110,143,443,32000:33000
# Restart FTP + Restart CSF
Directory permission reference:
755 -- **ALL** Folders (Including those that script authors tell you to set 777)
644 -- Non Script Files (Images, Basic HTML, Templates, Etc)
600 -- PHP Scripts (*.php, *.php4, *.php5)
755 -- CGI and Shell Scripts (*.cgi, *.pl, *.pm, *.py, *.e, *.sh)
400 -- RARE When PHP scripts **DON'T** want to be writable
755 -- RARE PHP Scripts used under CLI as a shell script
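An added example (not from the original post): an audit function that reports every entry under a web root that deviates from the reference above, together with a constructed sample tree that contains two deliberate mistakes; the function names and the sample tree are assumptions of mine, and nothing is changed on disk, it only reports.

```shell
#!/bin/sh
# Added example, not from the original post. Lists entries under a web root
# that do not match the permission reference: directories that are not 755,
# PHP scripts that are neither 600 nor one of the two "rare" cases (400, 755),
# CGI/shell scripts that are not 755, and any other file that is not 644.
audit_perms() {
  root=$1
  {
    find "$root" -type d ! -perm 755
    find "$root" -type f \( -name '*.php' -o -name '*.php4' -o -name '*.php5' \) \
         ! -perm 600 ! -perm 400 ! -perm 755
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.pm' \
         -o -name '*.py' -o -name '*.sh' \) ! -perm 755
    find "$root" -type f ! -name '*.php' ! -name '*.php4' ! -name '*.php5' \
         ! -name '*.cgi' ! -name '*.pl' ! -name '*.pm' ! -name '*.py' ! -name '*.sh' \
         ! -perm 644
  } | sort
}

# Constructed sample tree (assumption: a throw-away directory from mktemp),
# seeded with two mistakes: a 777 uploads folder and a world-readable config.php.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir "$d/uploads" "$d/inc"
  : > "$d/index.php"; : > "$d/inc/config.php"; : > "$d/logo.png"; : > "$d/cron.sh"
  chmod 755 "$d" "$d/inc" "$d/cron.sh"
  chmod 777 "$d/uploads"          # world-writable: the case the reference warns about
  chmod 600 "$d/index.php"
  chmod 644 "$d/inc/config.php"   # readable by every local user; should be 600
  chmod 644 "$d/logo.png"
  printf '%s\n' "$d"
}

# Number of deviating entries under a root.
count_deviations() { audit_perms "$1" | wc -l | tr -d ' '; }
```

Run `audit_perms /home/user/public_html` against a real account to get the list of paths to fix; the sample tree exists only so the function can be exercised offline.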
Allow TLS via FTP (Proftp – Ubuntu ) and restrict access via TLS only:
mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 180 -nodes -out /etc/proftpd/ssl/ftp.cert.pem -keyout /etc/proftpd/ssl/ftp.key.pem
# uncomment the following line in the file /etc/proftpd/proftpd.conf
nano /etc/proftpd/proftpd.conf
Include /etc/proftpd/tls.conf
# add the following at the end of the file just before
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# SSLv23 lets the server negotiate any protocol version the library supports; on current builds restrict this to TLSv1.2 or newer
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/ftp.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/ftp.key.pem
TLSVerifyClient off
TLSRequired on
/etc/init.d/proftpd restart
Prevent script from running twice:
#!/bin/bash
(
  # Wait for lock on /var/lock/.myscript.exclusivelock (fd 200) for 10 seconds
  flock -x -w 10 200 || exit 1
  # Do stuff
  cd /home
  ./myscript
) 200>/var/lock/.myscript.exclusivelock
To know how long (execution time) your shell script took to execute:
#!/bin/bash
start=$(date +%s.%N)
# HERE Your CODE
end=$(date +%s.%N)
runtime=$(python -c "print(${end} - ${start})")
echo "Runtime was $runtime"
Compress http output using DEFLATE – gzip:
nano /usr/local/apache/conf/includes/post_virtualhost_global.conf
#Add to the end of the file the following:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
Get IP from file .eeds-xxxx:
cat .eeds-xxxx | cut -d : -f 1
Get process age for openvpn:
ps -eo pid,command,etime|grep 'openvpn --daemon --config'|cut -d / -f 2|sed 's/^ *//;s/ *$//'
Get Status from file in this format ip:status:country -> 69.55.49.223:[secure]:USA
cat .eeds-ipinfo|cut -d : -f 2|cut -d [ -f 2|cut -d ] -f 1
Get country from file in this format ip:status:country -> 69.55.49.223:[secure]:USA
geoiplookup `cat .eeds-xxxx|cut -d : -f 1`|cut -d : -f 2|cut -d , -f 2|sed 's/^ *//;s/ *$//'
Get Tor Ip then send to file:
curl --proxy socks5h://localhost:9050 -s -m 30 https://www.digi77.com/xx/xxx/xxxxx.php > .eeds-xxx
Get Dns Info from resolv.conf:
cat /etc/resolv.conf | grep Dnsused | cut -d : -f 2
cat /etc/resolv.conf | grep nameserver | cut -d r -f 3 | sed 's/^ *//;s/ *$//' | awk 'NR==1'
cat /etc/resolv.conf | grep nameserver | cut -d r -f 3 | sed 's/^ *//;s/ *$//' | awk 'NR==2'
In Debian in order to allow x86 32-bit applications to work on 64-bit OS installation:
sudo dpkg --add-architecture i386
sudo apt-get update
Delete GPA default expired keys on Debian:
truncate -s 0 ~/.gnupg/pubring.kbx
To check if your processors are 32-bit or 64-bit :
getconf LONG_BIT
To know the graphic card driver that is being used (VGA):
lspci |grep VGA
Change node time to GMT+4 Oman time:
cd /etc
ln -sf /usr/share/zoneinfo/Asia/Muscat localtime
Change node time to GMT+4 Moscow time:
rm /etc/localtime
cd /etc
ln -s /usr/share/zoneinfo/Europe/Moscow localtime
Or in Debian use:
sudo dpkg-reconfigure tzdata
Use ‘rdate’ or ‘ntpdate’ to synchronize your server time with a reference time. Make sure your firewall allows it or switch it off temporarily with csf -x.
service ntpd stop
ntpdate clock.redhat.com
service ntpd start
Set php time zone to GMT+4 – Debian:
php --ini
nano /etc/php5/cli/php.ini
date.timezone = "Asia/Muscat"
Disable script watch for cpanel:
/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::ChkServd
Enable script watch for cpanel
/usr/local/cpanel/bin/tailwatchd --enable=Cpanel::TailWatch::ChkServd
Enable all monitoring services for Cpanel:
whmapi1 enable_monitor_all_enabled_services
Get md5 of a file or list of files:
md5sum *.tar
Count the number of lines in a file:
wc -l myfile
# Use the following to get the number only
cat myfile | wc -l
Check if file /etc/passwd exists or not:
[ -f /etc/passwd ] && echo "File exists" || echo "File does not exist"
Check if file /etc/passwd exists or not in a shell script:
FILE='/etc/passwd'
if [ -f "$FILE" ]; then
    echo "File $FILE exists"
else
    echo "File $FILE does not exist"
fi
Redirect your webserver home page from HTTPS to HTTP (this is a downgrade that sends visitors' traffic in the clear; only use it if you really need a plain-HTTP home page):
RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !^/(.*)\.(css|png|js|jpe?g|gif|bmp)$
RewriteRule ^$ http://%{HTTP_HOST} [L,R]
Redirect your webserver home page from HTTP to HTTPS:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Email list clean-up – read a file line by line, ask sendmail to verify each address (-bv) and write the failures to a text file:
while read line; do sendmail -bv "$line"; done < emails.txt |grep failed > invalidemails.txt
Now grep the email addresses out of the failure lines with a regular expression:
grep -E -o "\b[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+\.[a-zA-Z0-9.-]+\b" invalidemails.txt > invalidemails2.txt
Find PHP root path of the current valuable folder for installations:
List directory and file structure:
tree -d /path
Networking
To Get your remote IP:
echo $SSH_CLIENT | awk '{ print $1}'
Get your local IP from eth0 (the "inet addr" form is the old net-tools output; newer ifconfig prints "inet " without "addr", and modern distros use ip addr instead):
/sbin/ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'
Function to get your local IP:
#!/bin/bash
function int-ip { /sbin/ifconfig $1 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'; }
IP_ADDR=$(int-ip eth0)
Function to get your local IP and allow traffic forwarding (SNAT forwarded traffic to that address):
#!/bin/bash
function int-ip { /sbin/ifconfig $1 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'; }
IP_ADDR=$(int-ip eth0)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $IP_ADDR
echo 1 > /proc/sys/net/ipv4/ip_forward
Resolve a domain name to an IP address:
sudo apt-get install dnsutils
dig +short google.com | awk 'NR==1'
Extract IPs from a file (sort -u keeps one copy of each address; uniq -u would instead keep only addresses that occur once and silently drop every repeated one):
grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' pentest.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
Commands you need to change the IP address or configure your network cards on CentOS:
nano /etc/sysconfig/network
nano /etc/resolv.conf
nano /etc/hosts
nano /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart
Get connections per local port number:
netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Get connections per remote IP (useful if you are facing a DDoS attack):
netstat -ntu | awk -F"[ :]+" 'NR>2{print $6}' | sort | uniq -c | sort -nr
# or
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
# or
netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
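The per-IP count above, as an added example that is not part of the original page: the same parsing turned into two shell functions, exercised on a constructed `netstat -ntu` snippet (not captured from a real host), with a threshold step that yields the addresses you would feed to `iptables -I INPUT -s IP -j DROP`.

```shell
#!/bin/sh
# Added example, not code from the original page. NETSTAT_SAMPLE is a constructed
# netstat -ntu output; on a live host pipe the real command into the functions.
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.20:55000        ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.20:55001       ESTABLISHED'

# conns_per_ip [LOCAL_PORT] : read netstat -ntu text on stdin and print "count ip"
# per remote IPv4 address, busiest first. With LOCAL_PORT set, only connections to
# that local port are counted (the DDoS-on-port-80 case). The two header lines are skipped.
conns_per_ip() {
  awk -v port="$1" '
    NR > 2 {
      n = split($4, l, ":"); lport = l[n]     # local side: the port is the last colon field
      split($5, r, ":")                       # remote side: IPv4 address is r[1]
      if (port == "" || lport == port) c[r[1]]++
    }
    END { for (ip in c) printf "%d %s\n", c[ip], ip }
  ' | sort -rn
}

# flag_sources THRESHOLD [LOCAL_PORT] : print only the IPs with at least THRESHOLD
# connections, i.e. the candidates for an iptables DROP rule.
flag_sources() {
  conns_per_ip "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample; on a live box use
# `netstat -ntu | conns_per_ip 80` and `netstat -ntu | flag_sources 50 80`.
echo "$NETSTAT_SAMPLE" | conns_per_ip 80
echo "$NETSTAT_SAMPLE" | flag_sources 3 80
```

The split on ":" assumes IPv4 addresses; `netstat -ntu` prints IPv6 peers with several colons, so add `-4` to netstat (or `-W` and a different split) before trusting the counts on a dual-stack host.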
Find applications with ports that they are using TCP:
netstat -tlnp
Find applications with ports that they are using TCP UDP:
lsof -i -P
Kill an application by the port it is using (example port: 51128; netstat -p only shows the owning PID when run as root):
kill -9 $(sudo netstat -anp | grep :51128 | awk '{print $7}' | cut -d '/' -f 1)
Installing and configuring ufw (Uncomplicated Firewall). First, ufw needs to be installed and enabled:
sudo apt-get install ufw
sudo ufw enable
To see the firewall status, enter:
sudo ufw status
To change the default policy so it accepts all incoming traffic (this turns the firewall into allow-all, so only do it on purpose; reset first, because reset would discard the default you just set):
sudo ufw status verbose
sudo ufw reset
sudo ufw default allow incoming
sudo ufw enable
To allow ufw to forward VPN traffic:
nano /etc/default/ufw # Set DEFAULT_FORWARD_POLICY="ACCEPT"
To close an open port:
sudo ufw deny 22
sudo ufw deny 80/tcp
To remove a rule, use delete followed by the rule:
sudo ufw delete deny 22
Allow specific ports (by service name or by number):
sudo ufw allow ssh
sudo ufw allow 22/tcp
sudo ufw allow www # or: sudo ufw allow 80/tcp
sudo ufw allow ftp # or: sudo ufw allow 21/tcp
It is also possible to allow access from specific hosts or networks to a port. The first example allows SSH from host 192.168.0.2 to any IP address on this host:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
sudo ufw allow proto tcp from 128.199.214.224 to 39.129.27.211 port 42121
sudo ufw allow from 192.168.255.255 # Allow all ports from 192.168.255.255
Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:
sudo ufw --dry-run allow http
To allow ports 1000 through 2000, use the command:
sudo ufw allow 1000:2000/tcp
ufw can be disabled by:
sudo ufw disable
To view the numbered format:
sudo ufw status numbered
Delete specific number:
sudo ufw delete 3
Reset Everything:
sudo ufw reset
Block IP address in Iptables:
sudo iptables -I INPUT -s 192.168.0.1 -j DROP
UnBlock IP address in Iptables:
sudo iptables -D INPUT -s 192.168.0.1 -j DROP
Flush all chains (removes every rule; with a DROP default policy this can lock you out of a remote box, so set the policies to ACCEPT first or have console access):
sudo iptables -F
Determine a rule’s line number:
sudo iptables -L --line-numbers
sudo iptables -L --line-numbers | grep 24.2x3.1x9.2xx # with a specific IP
Delete a rule by chain and number:
sudo iptables -D INPUT 7
List rules as tables:
sudo iptables -L
sudo iptables -L | grep 24.2x3.1x9.2xx # with a specific IP
Set static ip on Centos:
nano /etc/sysconfig/network
#Sample static ip configuration should look like this
NETWORKING=yes
HOSTNAME=server1.cyberciti.biz # set ur own
GATEWAY=192.168.1.254 # set ur own
nano /etc/sysconfig/network-scripts/ifcfg-eth0
#Sample static ip configuration should look like this
# Intel Corporation 82573E Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static # for dynamic ip set this to dhcp
DHCPCLASS=
HWADDR=00:30:48:56:A6:2E
IPADDR=192.168.1.10 # set ur own
NETMASK=255.255.255.0 # set ur own
ONBOOT=yes
nano /etc/resolv.conf
#Sample static ip configuration should look like this
search cyberciti.biz
nameserver 192.168.1.254
nameserver 8.8.8.8 # set ur own dns ips
nameserver 8.8.4.4 # set ur own dns ips
/etc/init.d/network restart
#or
service network restart
#To verify new static ip configuration for eth0, enter:
ifconfig eth0
route -n
ping 192.168.1.254
ping google.com
Get network driver support for a Debian live CD and make it connect on boot:
cd /root
wget http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/stable/current/firmware.zip
unzip firmware.zip
rm -f firmware-b43-installer_015-14.1_all.deb
rm -f firmware-b43legacy-installer_015-14.1_all.deb
rm -f amd64-microcode_1.20120910-2_i386.deb
rm -f intel-microcode_1.20130222.1_i386.deb
rm -f ixp4xx-microcode_2.4-3_armel.deb
rm -f prism2-usb-firmware-installer_0.2.9+dfsg-5_armel.deb
rm -f prism2-usb-firmware-installer_0.2.9+dfsg-5_armhf.deb
rm -f prism2-usb-firmware-installer_0.2.9+dfsg-5_i386.deb
rm -f prism2-usb-firmware-installer_0.2.9+dfsg-5_powerpc.deb
rm -f firmware-b43-lpphy-installer_015-14.1_all.deb
dpkg -i *.deb
rm -f *.deb
rm -f firmware.zip
nano /etc/network/interfaces
# Add the following (skip any interface that is already listed, to avoid duplicates):
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
allow-hotplug eth1
iface eth1 inet dhcp
allow-hotplug eth2
iface eth2 inet dhcp
allow-hotplug eth3
iface eth3 inet dhcp
# To test
/etc/init.d/networking restart
# Or get the drivers from the Debian non-free source
sudo nano /etc/apt/sources.list
deb http://ftp.nl.debian.org/debian stable main contrib non-free
sudo apt-get update
sudo apt-get install firmware-b43legacy-installer firmware-brcm80211 firmware-ivtv firmware-linux-free firmware-qlogic firmware-adi firmware-crystalhd firmware-iwlwifi firmware-linux-nonfree firmware-ralink firmware-atheros firmware-bnx2 firmware-intelwimax firmware-libertas firmware-myricom firmware-realtek firmware-b43-installer firmware-bnx2x firmware-ipw2x00 firmware-linux firmware-netxen
To forward all incoming traffic to digi77.com on port 80 to a remote website (google.com) on port 443 (the client still speaks plain HTTP to port 80 while the far end expects TLS, so match the remote port to what your clients actually send):
sudo apt-get install socat
socat TCP4-LISTEN:80,fork TCP4:google.com:443
# or use redir: if the local IP is 129.13.124.21, forward port 80 and port 8080 traffic to google.com on port 443 (two separate listeners, each in the background)
redir --laddr=129.13.124.21 --lport=80 --caddr=google.com --cport=443 &
redir --laddr=129.13.124.21 --lport=8080 --caddr=google.com --cport=443 &
# Or use iptables (the FORWARD chain must also accept the traffic if its policy is DROP):
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 173.194.37.37:443
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Add a bash file to allow incoming traffic to be forwarded to the internet, mostly used for VPN connections:
#!/bin/bash
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to 141.0.162.111 # On non-OpenVZ hosts change venet0 to eth0, and change the IP to your own public address
echo 1 > /proc/sys/net/ipv4/ip_forward
More tips on port forwarding: see here.
To monitor your bandwidth usage you can use tools such as iftop and vnstat.
To install:
sudo apt-get install iftop
sudo apt-get install vnstat
iftop usage:
iftop
# Sort by the 40s column, display ports and hide hostnames:
iftop -n -o 40s -P
vnstat usage (you can swap eth0 with venet0):
vnstat -i eth0 -h # -h hourly, -d daily, -m monthly
vnstat -i eth0 -d
vnstat -i eth0 -m
To block BitTorrent traffic on a VPS node using iptables (uncomment the rest only if you need them; string matching only catches unencrypted BitTorrent handshakes, clients with protocol encryption enabled pass through, and the generic strings such as "torrent" or "announce" will also drop legitimate traffic that happens to contain them):
iptables -N LOGDROP > /dev/null 2> /dev/null
iptables -F LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "LOGDROP "
iptables -A LOGDROP -j DROP
#iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j LOGDROP
iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string "peer_id=" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string ".torrent" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string "torrent" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string "announce" -j LOGDROP
#iptables -A FORWARD -m string --algo bm --string "info_hash" -j LOGDROP
#iptables -A FORWARD -m string --string "get_peers" --algo bm -j LOGDROP
#iptables -A FORWARD -m string --string "announce_peer" --algo bm -j LOGDROP
#iptables -A FORWARD -m string --string "find_node" --algo bm -j LOGDROP
Change the Apache webserver port number:
nano /etc/apache2/ports.conf
Listen 8010
To have Apache listen on two ports:
Listen 80
Listen 8010
To make the Apache server accept connections on two specified interfaces and port numbers, enter:
Listen 212.53.2.1:80
Listen 212.53.2.5:8010
To check whether a remote node is blocking a given port number (here 21, FTP):
nc -vv google.com 21
To split a file into smaller chunks of 100MB:
split --bytes 100M --numeric-suffixes --suffix-length=3 thebigfile.sql split-file
Find the word userOption51 in every file on the directory and return only file names -l:
grep -rl userOption51
For accelerated downloads, use axel instead of wget:
sudo apt-get install axel
# Limit speed (bytes per second)
axel -s 5242880 http://download.com/my.iso
# Limit the number of connections
axel -n 3 -s 5242880 http://download.com/my.iso
Security
Display connect time in hours (ac, like lastcomm below, needs process accounting enabled; package acct or psacct):
ac
Display list of last logged-in users:
last
Display list of bad last login attempts:
lastb
Display last time user logged in:
lastlog
Display the last commands executed, most recent first:
lastcomm
Display currently logged in users:
who
Display who is logged in and what they are doing:
w
List Linux users and hunt for suspicious accounts (grep 500* only matches "50" followed by zero or more zeros, so use the UID field instead; a UID of 0 on anything but root is the first thing to look for):
cat /etc/passwd | grep /home | cut -d: -f1
awk -F: '$3 >= 500 {print $1":"$3}' /etc/passwd # human accounts (first UID is 1000 on newer distros)
awk -F: '$3 == 0' /etc/passwd # every UID-0 account; only root should appear
cat /etc/passwd
cat /etc/sudoers
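The account checks above, as an added example that is not part of the original page: one function that audits a passwd file for rogue UID-0 accounts, duplicated UIDs and system-range accounts with an interactive shell. It runs here on a constructed sample file; the minimum human UID (1000 by default, 500 on older CentOS) is a parameter.

```shell
#!/bin/sh
# Added example, not code from the original page. PASSWD_SAMPLE is a constructed
# /etc/passwd with planted findings; on a real host call audit_passwd /etc/passwd.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1001:1001:service:/var/lib/svc:/bin/sh
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false'

# audit_passwd FILE [MINUID] : print one finding per line, sorted, tagged:
#   UID0    an account other than root with UID 0 (full root under another name)
#   DUPUID  accounts sharing a UID (one masquerades as the other in logs and ls output)
#   SHELL   a system-range UID (below MINUID, default 1000) with an interactive shell
audit_passwd() {
  awk -F: -v minuid="${2:-1000}" '
    /^#/ || NF < 7 { next }
    $3 == 0 && $1 != "root" { print "UID0 " $1 }
    $3 > 0 && $3 < minuid && $7 ~ /\/(ba|z|k)?sh$/ { print "SHELL " $1 " " $7 }
    { n[$3]++; names[$3] = (names[$3] == "" ? "" : names[$3] ",") $1 }
    END { for (u in n) if (n[u] > 1) print "DUPUID " u " " names[u] }
  ' "$1" | sort
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$PASSWD_SAMPLE" > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

Pair it with `awk -F: '$2 == ""' /etc/shadow` for empty password fields and a diff of `/etc/sudoers` plus `/etc/sudoers.d/` against a known-good copy; passwd alone does not show who can escalate.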
Another method: hunt for PHP web shells by their common signatures (-print0/-0 keeps paths with spaces intact):
find /home -name "*php*" -print0 | xargs -0 grep -F 'base64_decode($_POST["qer"]).";"); ?'
find /home -name "*php*" -print0 | xargs -0 grep -F 'c99sh'
find /home -name "*php*" -print0 | xargs -0 grep -F 'owned by uid'
find /home -name "*php*" -print0 | xargs -0 grep -F 'eval(gzinflate(base64_decode'
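The signature hunt above, as an added example that is not part of the original page: the same find-and-grep as a function driven by a signature list, run against constructed sample files in a temporary directory. The signature strings beyond the four on the page are common obfuscation and shell markers added here as examples; extend the list with what you see in your own incidents.

```shell
#!/bin/sh
# Added example, not code from the original page. Fixed-string signatures (grep -F,
# so '$', '(' and '[' stay literal); the sample files below are constructed fixtures.
WEBSHELL_SIGS='eval(gzinflate(base64_decode
eval(base64_decode(
base64_decode($_POST[
base64_decode($_REQUEST[
c99sh
r57shell
owned by uid
preg_replace("/.*/e"
passthru($_GET['

# hunt_webshells DIR : print every PHP-like file under DIR containing any signature,
# one path per line, sorted. find -exec ... {} + avoids the xargs pitfall of running
# grep on stdin when no file matches, and handles odd filenames.
hunt_webshells() {
  sigfile=$(mktemp)
  printf '%s\n' "$WEBSHELL_SIGS" > "$sigfile"
  find "$1" -type f \( -name '*.php*' -o -name '*.phtml' \) \
    -exec grep -lF -f "$sigfile" {} + 2>/dev/null | sort
  rm -f "$sigfile"
}

# make_sample_tree DIR : constructed fixture, not real site content.
make_sample_tree() {
  mkdir -p "$1/site/uploads" "$1/site/wp-content"
  printf '<?php echo "hello"; ?>\n' > "$1/site/index.php"
  printf '<?php eval(gzinflate(base64_decode("H4sI"))); ?>\n' > "$1/site/uploads/x.php"
  printf '<?php /* c99sh */ system($_GET["c"]); ?>\n' > "$1/site/wp-content/.cache.php"
  printf 'eval(base64_decode("..."))\n' > "$1/site/notes.txt"   # not PHP, must be ignored
}

# Stand-alone run: expect the two planted shells, not index.php or notes.txt.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
hunt_webshells "$tmp"
rm -rf "$tmp"
```

Hits are leads, not verdicts: legitimate plugins also call `base64_decode`, so read each flagged file, and compare file mtimes and ownership against the rest of the site, since a shell dropped through an upload form usually sits in a writable directory such as uploads/ or a cache folder.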
Add user fox as a member of the root group (this is group membership, not UID 0; for administrative rights give the user sudo instead):
useradd -G root fox
passwd fox
id fox
Delete the user along with the home folder:
userdel -r fox
View the root password hash (the first lines of /etc/shadow; the password itself cannot be read back from the hash):
head -10 /etc/shadow
Kick a user off an SSH session (find the sshd child that owns the pts, then kill it):
ps aux | grep sshd
ps aux | grep pts/1
kill -9 26882
If your server is under a DDoS attack on port 80, these commands are useful:
netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -f1 -d: | sort | uniq -c | sort -rn | head
netstat -s
Find who is using a specific port, e.g. 8443:
lsof -w -n -i tcp:8443
fuser -n tcp 8443
netstat -anp | grep :8443[[:blank:]]
Clean user and MySQL history (cat > file would sit waiting for terminal input; truncating with : > does it in one step):
: > ~/.bash_history
history -c
: > /root/.mysql_history
Get an email notification when root opens a shell over SSH; add this line to /root/.bashrc:
nano /root/.bashrc
echo 'ALERT - Root Shell Access (Your server Name) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" youremail@yourdomain.com
Add SSH keys to the server (one key per line):
nano /root/.ssh/authorized_keys # or /root/.ssh/authorized_keys2
Disable password logins once your SSH keys are in place (this turns off password authentication for every user; to restrict root specifically, also set PermitRootLogin prohibit-password):
nano /etc/ssh/sshd_config
# Add the following after "#PermitEmptyPasswords no":
PasswordAuthentication no
sudo service ssh restart
Mitigating the BEAST and POODLE attacks on TLS on CentOS: with these changes you will get grade A on SSL Labs (the detailed guide is here). Heartbleed is an OpenSSL bug rather than a configuration issue and is fixed by updating the openssl package.
Disable directory listing on your webserver; add this line at the beginning of the .htaccess file:
Options All -Indexes
Deny Baidu from accessing your site via .htaccess (the User-Agent is client-supplied, so this only stops bots that identify themselves):
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Baidu
RewriteRule ^.*$ http://127.0.0.1 [R,L]
BrowserMatchNoCase Baiduspider bad_bot
Deny from env=bad_bot
Protecting a directory with Apache and .htaccess:
htpasswd -c /etc/apache2/.htpasswd user1 # -c creates the file; omit it when adding further users
htpasswd /etc/apache2/.htpasswd user2
Create a .htaccess file in the folder you wish to protect:
AuthType Basic
AuthUserFile /etc/apache2/.htpasswd
AuthName "Enter password"
Require valid-user
Shred all files in a folder and its subfolders (shred only reliably overwrites data on filesystems that write in place; on journaled or copy-on-write filesystems and on SSDs old blocks can survive, so rely on full-disk encryption where that matters):
find -type f -execdir shred -v -u '{}' \;
rm -rf *
To check for the Bash ‘Shellshock’ vulnerability:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If it prints "vulnerable", update your system immediately. The response from a patched system looks like this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
To generate new PGP/GPG keys on a CentOS server:
# Make sure you choose a strong passphrase and a key length of 4096 bits
gpg --gen-key
To view private keys:
gpg -K
To view public keys:
gpg -k
To Export private key:
gpg --armor --export-secret-keys sales@digi77.com > private-key.asc
To Export public key:
gpg --armor --export sales@digi77.com > public-key.asc
More OpenPGP/GPG commands 1 , 2.
Hardening the SSH server (you will need a client that supports the ciphers and MACs below, such as Xshell or SecureCRT):
Delete all host keys:
ls -l /etc/ssh/
rm -f /etc/ssh/ssh_host_*_key*
ls -l /etc/ssh/
Generate a new RSA (4096) host key:
# Do not set a passphrase; sshd has to read the key unattended
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
You can import ssh_host_rsa_key into PuTTYgen, then export the PuTTY public key / private key and paste the public key into /root/.ssh/authorized_keys. Note that this reuses the host's private key as a login credential, so anyone who obtains the host key can log in as root; generating a separate user key pair on the client is the safer choice.
nano /root/.ssh/authorized_keys
– Change the default port to a higher number, e.g. 41221
nano /etc/ssh/sshd_config
Then:
Port 41221
– Comment out the dsa and ecdsa “HostKey” lines
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
– Change “PasswordAuthentication” to “no”
PasswordAuthentication no
– Paste the following at the end of the config file:
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 # PuTTY does not support hmac-sha2-512
# Newer CentOS releases (OpenSSH 7.6 and later) no longer ship hmac-ripemd160 and will throw an error on that line; check what your build supports with:
ssh -Q mac
# and use the encrypt-then-MAC variants instead:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Check the sshd config for errors before restarting
sshd -t
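A check for the hardening steps above, as an added example that is not part of the original page: a function that reads an sshd_config and reports each setting that contradicts them (port 22, root login, password authentication, dsa/ecdsa host keys, weak MACs/KEX/ciphers, missing KexAlgorithms). It is exercised on a constructed config; the weak-algorithm patterns are assumptions of this example, not a list from the page.

```shell
#!/bin/sh
# Added example, not code from the original page. SSHD_SAMPLE is a constructed
# sshd_config; on a real host run lint_sshd_config on /etc/ssh/sshd_config, or better
# on the output of `sshd -T`, which shows effective values with defaults filled in.
SSHD_SAMPLE='# constructed sample, not a real host config
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# lint_sshd_config FILE : one finding per line. Comments and blank lines are skipped,
# keywords are case-insensitive and, as in sshd, only the first occurrence of a
# keyword counts. Algorithm lists are matched as substrings (assumed weak markers).
lint_sshd_config() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    { key = tolower($1); val = tolower($2) }
    key == "port" && !seen[key]++ && val == "22"                   { print "WEAK Port 22 (move to a high port)" }
    key == "permitrootlogin" && !seen[key]++ && val == "yes"       { print "WEAK PermitRootLogin yes" }
    key == "passwordauthentication" && !seen[key]++ && val == "yes" { print "WEAK PasswordAuthentication yes" }
    key == "hostkey" && val ~ /_(dsa|ecdsa)_key$/                  { print "WEAK HostKey " $2 }
    key == "macs" && val ~ /(ripemd160|md5|sha1)/                  { print "WEAK MACs " $2 }
    key == "kexalgorithms" && val ~ /sha1/                         { print "WEAK KexAlgorithms " $2 }
    key == "ciphers" && val ~ /(cbc|arcfour|3des)/                 { print "WEAK Ciphers " $2 }
    { present[key] = 1 }
    END {
      if (!present["passwordauthentication"]) print "MISSING PasswordAuthentication (default is yes)"
      if (!present["kexalgorithms"]) print "MISSING KexAlgorithms (server default list applies)"
    }
  ' "$1"
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SSHD_SAMPLE" > "$tmp"
lint_sshd_config "$tmp"
rm -f "$tmp"
```

Run it before `sshd -t`: `sshd -t` only tells you the file parses, not that the policy is what you intended, and a Match block can override any of these keywords for particular users, which this flat check does not model.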
Mail Exim
Check mail logs:
tail -f /var/log/exim_mainlog
Exim mail queue cleaner (remove every message older than 172000 seconds, roughly two days):
exiqgrep -i -o 172000 | xargs exim -Mrm
exim -bp - shows mail queue
exim -M emailID - force delivery of one message
exim -Mvl messageID - View Log for message
exim -Mvb messageID - View Body for message
exim -Mvh messageID - View Header for message
exim -Mrm messageID - ReMove message (no errors sent)
exiqgrep -zi | xargs exim -Mrm - Remove all frozen mails in q
Exim mail queue run:
exim -q -v
Exim mail counter:
exim -bpc
To change the max load value of Exim:
# first locate exim.conf
locate exim.conf
nano exim.conf # change the max load value
Install sendmail on Ubuntu:
apt-get install sendmail
apt-get install bsd-mailx
How to extract a file attachment from an email file on Linux (.eml format):
Install uudeview:
# Debian or Ubuntu
sudo apt-get install uudeview
# CentOS
yum install uudeview
Run uudeview:
cd /home/oman0/mail/.hproxy@digi77_com/new # change this to your mailbox folder; it can be /new or /cur
uudeview -c -i * # -c deletes the email file when done, -i skips the encoding confirmation
uudeview -c -i mail-file-name
MySQL
Useful scripts to tune MySQL; let the server run for at least 48 hours before running them:
# Note: the binary log costs some write performance, but it is what replication and point-in-time recovery depend on; switch it off only on a stand-alone server whose backups you restore whole.
# First is ssh script:
wget https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh
sh tuning-primer.sh
# Second is Perl script:
wget http://mysqltuner.pl
mv index.html mysqltuner.pl
# or
wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
perl mysqltuner.pl
To prune MySQL bin logs (this statement has no effect if the server was not started with the --log-bin option to enable binary logging):
PURGE BINARY LOGS TO 'mysql-bin.000054';
Examples of how to change MySQL variable values without shutting down. Values set with set @@var apply to the current session only and set global ones last until restart; for permanent changes edit /etc/my.cnf:
select @@sql_log_bin;
set @@sql_log_bin=0;
select @@max_heap_table_size;
set @@max_heap_table_size=2147483648;
select @@tmp_table_size;
set @@tmp_table_size=2147483648;
set storage_engine=INNODB;
set global max_connections := 800;
set global max_allowed_packet=1073741824;
select @@key_buffer_size;
set global key_buffer_size=67108864;
select @@join_buffer_size;
set @@join_buffer_size=262144;
select @@query_cache_size;
set global query_cache_size=0;
select @@query_cache_limit;
set global query_cache_limit=1048576;
Check if a column in a MySQL table has duplicate values:
SELECT my_column, COUNT(*) as count FROM my_table GROUP BY my_column HAVING COUNT(*) > 1;
How to select records from the two tables wcf1_user_option_value and wcf1_user where wcf1_user.wbbPosts < 10 and the birth date in wcf1_user_option_value is not 0000-00-00:
SELECT * FROM wcf1_user_option_value JOIN wcf1_user ON wcf1_user_option_value.userid = wcf1_user.userid WHERE wcf1_user.wbbPosts < '10' and wcf1_user_option_value.userOption2 !='0000-00-00'
How to update a table based on information in another table, given that the tables are linked by a primary/foreign key:
UPDATE wcf1_user_option_value AS U1, wcf1_user AS U2 SET U1.userOption2 = '0000-00-00' WHERE U1.userid =U2.userid and U2.wbbPosts=127148
How to replace data in rows with a given word:
UPDATE wcf1_user SET `signature`=REPLACE(`signature`,'[size]','[/size]');
To increase the primary key id by given number:
update Table_name set id = id +844798 order by id desc;
To reset the primary key id to start from 1 (this drops and recreates the column, so the old ids are lost and any foreign keys pointing at them break):
ALTER TABLE Table_name DROP id;
ALTER TABLE Table_name ADD id BIGINT(200) NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (id);
To change the next increment number for primary key id:
Alter table Table_name AUTO_INCREMENT=1087063;
Convert your database from latin1_swedish_ci to utf8 (utf8_general_ci or utf8_unicode_ci):
# Export DB as Latin
mysqldump --opt -u DB_USER --password=DB_Password --default-character-set=latin1 --skip-extended-insert DB_NAME -r Exported_DB_NAME.sql
# Check the file encoding; it may be ASCII or Latin
file -ib Exported_DB_NAME.sql
# Now replace all words of latin1 to utf8
sed -e's/latin1/utf8/g' Exported_DB_NAME.sql > Exported_DB_NAME_sed.sql
# Get tools for conversion
yum install dejavu-sans-mono-fonts
yum install recode
# Prepare your OS for UTF8 you may need to do this every time before you run the converting tool
export LANG=en_US.utf8
# This tool won't work with Arabic
iconv -f ISO-8859-1 -t UTF-8 DB_NAME.sql > UTF8_DB.sql
# So we use this tool instead to convert the Latin encoded DB to UTF8
recode ms-arab Exported_DB_NAME_sed.sql
# Import your UTF8 DB
mysql -u DB_USER --password=DB_Password --default-character-set=utf8 DB_NAME < Exported_DB_NAME_sed.sql
Export a specific table:
mysqldump -u DB_USER --password=DB_Password --default-character-set=utf8 --skip-extended-insert DB_NAME Table_Name > Exported_DB_Table_NAME.sql
Export a specific table row by row (--skip-extended-insert writes one INSERT per row):
mysqldump --opt -u DB_USER --password=DB_Password --default-character-set=utf8 --skip-extended-insert DB_NAME Table_Name > Exported_DB_Table_NAME.sql
Restore specific table:
mysql -u DB_USER --password=DB_Password --default-character-set=utf8 DB_NAME < Exported_DB_Table_NAME.sql
Export and Compress the DB:
mysqldump -u DB_USER --password=DB_Password --default-character-set=utf8 --skip-extended-insert DB_NAME | gzip -9 > Exported_DB_NAME.gz
Export 100 rows only of the DB Table:
mysqldump -u DB_USER --opt --where="1 limit 100" --password=DB_Password --default-character-set=utf8 --skip-extended-insert DB_NAME Table_Name > Exported_DB_Table_NAME.sql
Restore a single table from a full mysqldump file (this sed range prints from the table's CREATE TABLE up to and including the next table's CREATE TABLE line, so trim that last line before loading; for the last table in the dump it prints through to the end of the file):
sed -n -e '/CREATE TABLE.*`mytable`/,/CREATE TABLE/p' mysql.dump > mytable.dump
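The single-table extraction above, as an added example that is not part of the original page: an awk version that starts at the table's own DROP TABLE/CREATE TABLE, matches the exact backquoted name (so `wcf1_user` does not also swallow `wcf1_user_option_value`), and stops before the next table or the dump's closing SET TIME_ZONE statement. It runs here on a constructed miniature dump.

```shell
#!/bin/sh
# Added example, not code from the original page. DUMP_SAMPLE is a constructed,
# cut-down mysqldump; pass a real dump path as the second argument on a real host.
DUMP_SAMPLE='-- MySQL dump 10.13
/*!40101 SET NAMES utf8 */;
DROP TABLE IF EXISTS `wcf1_user`;
CREATE TABLE `wcf1_user` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`userid`)
) ENGINE=InnoDB;
LOCK TABLES `wcf1_user` WRITE;
INSERT INTO `wcf1_user` VALUES (1);
INSERT INTO `wcf1_user` VALUES (2);
UNLOCK TABLES;
DROP TABLE IF EXISTS `wcf1_user_option_value`;
CREATE TABLE `wcf1_user_option_value` (
  `userid` int(11) NOT NULL
) ENGINE=InnoDB;
LOCK TABLES `wcf1_user_option_value` WRITE;
INSERT INTO `wcf1_user_option_value` VALUES (1);
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
-- Dump completed'

# extract_table TABLE [DUMPFILE] : print the DROP/CREATE/LOCK/INSERT block of TABLE
# only; reads stdin when no file is given. TABLE is used inside a regex, so keep it
# to a plain identifier.
extract_table() {
  awk -v t="$1" '
    $0 ~ ("^(DROP TABLE IF EXISTS|CREATE TABLE) `" t "`") { on = 1 }
    on && $0 ~ "^(DROP TABLE IF EXISTS|CREATE TABLE) `" && $0 !~ ("`" t "`") { exit }
    on && /^\/\*!40103 SET TIME_ZONE=@OLD_TIME_ZONE/ { exit }
    on { print }
  ' ${2:+"$2"}
}

# Stand-alone run on the constructed sample: only the wcf1_user block is printed.
echo "$DUMP_SAMPLE" | extract_table wcf1_user
```

Load the result with `mysql DB_NAME < table.sql` as usual; it carries its own DROP TABLE IF EXISTS, so the existing copy of that one table is replaced and nothing else in the database is touched.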
To change the MySQL data directory:
# Stop mysql
/etc/init.d/mysql stop
# Copy the mysql folder (-p preserves ownership and permissions)
cp -R -p /var/lib/mysql /home
# Create a temp folder and change its owner
mkdir /home/temp
chown mysql.mysql /home/temp
# Edit the mysql config file
nano /etc/my.cnf
[mysqld]
datadir=/home/mysql
tmpdir=/home/temp
# Start mysql
/etc/init.d/mysql restart
# If everything is ok, delete the original data directory
rm -fr /var/lib/mysql
To repair InnoDB tables on startup (add to my.cnf; start at 1 and only raise it if needed, since values of 4 and above can permanently corrupt the data files):
[mysqld]
innodb_force_recovery = 1
If MySQL refuses to start:
ps aux | grep mysql
sudo kill -9 2804 3009 # PIDs taken from the ps output
# Then start MySQL in safe mode:
sudo -u mysql mysqld_safe --log-error=/tmp/mysql.log
# Watch the log for errors
tail -f /tmp/mysql.log
To restore MySQL files, especially .ibd files for WordPress, make sure you do the following:
/etc/init.d/mysql stop
chmod 660 filename
chown mysql.mysql filename
/etc/init.d/mysql start
Stop mysql service:
/etc/init.d/mysql stop
Start mysql service:
/etc/init.d/mysql start
InnoDB maintains a cache memory, called the buffer pool. With the parameter innodb_buffer_pool_size you can define the size of this pool. The required size can be calculated with the following query:
SELECT CONCAT(ROUND(KBS/POWER(1024,
IF(PowerOf1024<0,0,IF(PowerOf1024>3,0,PowerOf1024)))+0.49999),
SUBSTR(' KMG',IF(PowerOf1024<0,0,
IF(PowerOf1024>3,0,PowerOf1024))+1,1)) recommended_innodb_buffer_pool_size
FROM (SELECT SUM(data_length+index_length) KBS FROM information_schema.tables
WHERE engine='InnoDB') A,
(SELECT 3 PowerOf1024) B;
PHP script that converts the DB, tables and columns to utf8_unicode_ci. It changes the charset and collation metadata only: data already stored is not re-encoded, and only future inserts use the new charset. Note that ALTER TABLE ... MODIFY with just the column type drops NOT NULL, DEFAULT and AUTO_INCREMENT attributes, so check the schema afterwards (ALTER TABLE ... CONVERT TO CHARACTER SET keeps them):
<?php
// The opening of this script was lost from the page; the connection settings,
// charset and collation below are placeholders to fill in. It uses the old mysql_*
// extension the original was written for (removed in PHP 7), so run it with PHP 5.
$host = 'localhost';
$user = 'DB_USER';
$password = 'DB_Password';
$database = 'DB_NAME';
$new_charset = 'utf8';
$new_collation = 'utf8_unicode_ci';

mysql_connect($host, $user, $password) or die(mysql_error());
mysql_select_db($database) or die(mysql_error());
mysql_query("ALTER DATABASE `$database` DEFAULT CHARACTER SET $new_charset COLLATE $new_collation");
print "Changed collation of DATABASE $database to $new_collation\n";
// Loop through all tables changing collation
$result = mysql_query('show tables');
while ($tables = mysql_fetch_array($result)) {
    $table = $tables[0];
    mysql_query("ALTER TABLE `$table` DEFAULT CHARACTER SET $new_charset COLLATE $new_collation");
    print "Changed collation of $table to $new_collation and charset of $new_charset\n";
    // loop through each column changing collation (only columns that have one, i.e. text types)
    $columns = mysql_query("SHOW FULL COLUMNS FROM `$table` where collation is not null");
    while ($cols = mysql_fetch_array($columns)) {
        $column = $cols[0];
        $type = $cols[1];
        mysql_query("ALTER TABLE `$table` MODIFY `$column` $type CHARACTER SET $new_charset COLLATE $new_collation");
        print "Changed collation of $table and $column to $new_collation and charset of $new_charset\n";
    }
    print "Changed collation of $table to $new_collation\n";
}
// double quotes so $database is interpolated
print "The collation of your database $database has been successfully changed!\n";
?>
# Put it on a file and run it like this on SSH
php latinToutf.php
Shell script to back up MySQL databases one by one, each into its own encrypted zip file:
#!/bin/bash
# Note: passwords passed on the command line (mysql --password=, 7za -p) are visible to
# every local user in `ps` while the command runs; on a shared host keep the DB
# credentials in ~/.my.cnf (mode 600) and drop the --user/--password options instead.
fulldate="`date`"
OUTPUT="/home/backup"
domanvalue="mysql"
echo "Backing up mysql folder at: /home/mysql " $fulldate
# MySQL User
USER='root'
# MySQL Password
PASSWORD='Your DB Password goes here'
start=$(date +%s.%N)
bakdate="`date +%y%m%d`"
cd "$OUTPUT" || exit 1
echo "Starting MySQL Backup"
echo `date`
# List databases, dropping the "Database" header line
databases=`mysql --user=$USER --password=$PASSWORD -e "SHOW DATABASES;" | tr -d "| " | grep -v Database`
for db in $databases; do
# Skip the schema databases and anything starting with an underscore
if [[ "$db" != "information_schema" ]] && [[ "$db" != "performance_schema" ]] && [[ "$db" != _* ]] ; then
echo "Dumping database: $db"
mysqldump --force --opt --user=$USER --password=$PASSWORD --databases $db > "$OUTPUT/$domanvalue-$bakdate-$db.sql"
# Zip with AES-256; the password is the only thing protecting the dump at rest
7za a -tzip -pYour7zippasswordgoeshere -mem=AES256 "$domanvalue-$bakdate-$db.zip" "$domanvalue-$bakdate-$db.sql"
rm -f "$OUTPUT/$domanvalue-$bakdate-$db.sql"
fi
done
echo "Finished MySQL Backup"