EK bio photo


Totally not a hacker

Email Twitter Github

Different Linux / Unix / IT tips, notes, howto part 3


Other parts

Part 1 Part 2 Part 3

Speed up MySQL Import


Coreutils List

curl 'http://www.gnu.org/software/coreutils/manual/coreutils.html' 2>/dev/null |grep 'h3 class' | grep 'class="command"' | sed 's/.*class="command">//' | sed 's|</span></samp>||' | sed 's|</h3>||' | grep ':' | sort

List all process swap space usage

for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done

Delete millions files from dir

# rm is fucked, this is ok =)
perl -e 'chdir "/tmp/1" or die; opendir D, "."; while ($n = readdir D) { unlink $n }'

Nice Diff

diff --side-by-side fileA.txt fileB.txt | pager

Run jobs with parallel

# apt-get install parallel
ls *.png | parallel -j4 convert {} {.}.jpg


ps alx | tail -n +2 | awk 'BEGIN{rss=0; vsz=0} {rss += $7; vsz+=$8} END{print rss, vsz;}'

Show ext4 fragmentation %

# be carefull!!
for D in $( mount | awk '$5~/ext4/ { print $1 }' ); do sudo fsck.ext4 -nvf ${D}; done
non-contiguous is a % of fragmentation

e4defrag /
e4defrag -c /

# fragmentation for file
filefrag -v /PATH/TO/FILE

Statistic of system resource

# apt-get install dstat
dstat -c --top-cpu -d --top-bio --top-latency

Tcpdump with SSH stream

# stream through SSH the tcpdump output and analyze it locally with Wireshark
mkfifo /tmp/wshark
ssh root@ip "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/wshark
wireshark -k -i /tmp/wshark

Linux Namespaces

Starting from kernel 2.6.24, Linux supports 6 different types of namespaces. Namespaces are useful in creating processes that are more isolated from the rest of the system, without needing to use full low level virtualization technology.

CLONE_NEWIPC: IPC Namespaces: SystemV IPC and POSIX Message Queues can be isolated.
CLONE_NEWPID: PID Namespaces: PIDs are isolated, meaning that a virtual PID inside of the namespace can conflict with a PID outside of the namespace. PIDs inside the namespace will be mapped to other PIDs outside of the namespace. The first PID inside the namespace will be ‘1’ which outside of the namespace is assigned to init
CLONE_NEWNET: Network Namespaces: Networking (/proc/net, IPs, interfaces and routes) are isolated. Services can be run on the same ports within namespaces, and “duplicate” virtual interfaces can be created.
CLONE_NEWNS: Mount Namespaces. We have the ability to isolate mount points as they appear to processes. Using mount namespaces, we can achieve similar functionality to chroot() however with improved security.
CLONE_NEWUTS: UTS Namespaces. This namespaces primary purpose is to isolate the hostname and NIS name.
CLONE_NEWUSER: User Namespaces. Here, user and group IDs are different inside and outside of namespaces and can be duplicated.

Show daemon list need to restart after update

sudo lsof / | grep DEL | cut -f1 -d' ' | sort -u

Increases TCPdump buffer

tcpdump -l -B 10000 host example.com

Get Firefox bookmarks

sqlite3 ~/.mozilla/firefox/*.[dD]efault/places.sqlite "SELECT strftime('%d.%m.%Y %H:%M:%S', dateAdded/1000000, 'unixepoch', 'localtime'),url FROM moz_places, moz_bookmarks WHERE moz_places.id = moz_bookmarks.fk ORDER BY dateAdded;"

SSL certs info

# show expire date of cert
openssl x509 -enddate -noout -in certnew.cer
# show all info of cert
openssl x509 -text -noout -in certnew.cer
# check that secret key (privkey.pem) is valid
openssl rsa -noout -text -in privkey.pem

Reset root password on RHEL7\CentOS7

grub linux16 to the end of the line add "rd.break  console=tty1"
switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot
sh-4.2# passwd root
sh-4.2# touch /.autorelabel

Blacklisting firewire in Linux

find /lib/modules/`uname -r` -name *firewire*
modinfo snd-firewire-lib
modinfo firewire-core
echo "blacklist firewire-core" > /etc/modprobe.d/blacklist-firewire.conf
modprobe --showconfig | grep blacklist #show blacklist modules
modprobe --showconfig | grep "^install" | grep "/bin"

Install Ubuntu OpenStack

sudo apt-add-repository -y ppa:cloud-installer/stable
sudo apt-get update
sudo apt-get install -y openstack
sudo openstack-install

Vagrant WinXP

# https://www.bram.us/2014/09/24/modern-ie-vagrant-boxes/
# http://aka.ms/vagrant-xp-ie6
vagrant box add winxpie6 http://aka.ms/vagrant-xp-ie6
vagrant init winxpie6
vagrant up

Simple Cut Video in linux

# cut video from 00:02:52 to 00:03:45
ffmpeg -i original.mp4 -ss 00:02:52 -t 00:03:45 -async 1 -strict -2 cut.mp4

How to clean TMP dir on boot


The port scan attack detector - PSAD

# http://cipherdyne.org/psad/
apt-get install psad

kern.info       |/var/lib/psad/psadfifo

/etc/init.d/sysklogd restart

/etc/init.d/psad restart

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

view port scan report
psad -S

SNMPTrap using


authCommunity log public

snmptrap -v 1 -c public . localhost 6 17 '' . s "Just a test"

Jun 23 12:14:47 linux snmptrapd[14221]: 2015-06-23 12:14:47 linux [] (via UDP: []:58914->[]) TRAP, SNMP v1, community public#012#011iso.3.6.1 Enterprise Specific Trap (17) Uptime: 1 day, 1:45:51.14#012#011iso.3.6.1 = STRING: "Just a test"

# tcpdump snmptraps
tcpdump -i eth1 -w test.log "udp and (src port 161 or 162)"
tcpdump -w troubleshoot.pcap -vv -A -T snmp "(dst port 162) or (src port 161) or (dst port 161)

Remove Postfix Resiver Header

# add to /etc/postfix/header_checks
/^Received:.*with ESMTP/              IGNORE

# add to /etc/postfix/main.cf
mime_header_checks = regexp:/etc/postfix/header_checks header_checks = regexp:/etc/postfix/header_checks
postmap /etc/postfix/header_checks
postfix reload

SSH key login only for one user

# add to /etc/ssh/sshd_config
Match user stew
PasswordAuthentication no


Match group dumbusers
PasswordAuthentication no

Revert Firefox to init state

open about:support and press <Refresh Firefox>

Limit MySQL and MongoDB mem usage with Cgroups

cgcreate -g memory:DBLimitedGroup
echo 16G > /sys/fs/cgroup/memory/DBLimitedGroup/memory.limit_in_bytes
sync; echo 3 > /proc/sys/vm/drop_caches
cgclassify -g memory:DBLimitedGroup `pidof mongod`
cgclassify -g memory:DBLimitedGroup `pidof mysqld_safe`

Strace using

# file activity common syscalls:
access ()
close (close file handle)
fchmod (change file permissions)
fchown (change file ownership)
fstat (retrieve details)
lseek (move through file)
open (open file for reading/writing)
read (read a piece of data)
statfs (retrieve file system related details)

$ strace php 2>&1 | grep php.ini
$ strace -e open php 2>&1 | grep php.ini
$ strace -e open,access 2>&1 | grep your-filename
$ strace -p PID
# strace -c -p PID

# the network common syscalls:
bind – link the process to a network port
listen – allow to receive incoming connections
socket – open a local or network socket
setsockopt – define options for an active socket

$ strace -e poll,select,connect,recvfrom,sendto nc www.news.com 80
$ strace -e trace=network

# memory common syscalls:

$ strace -e trace=memory

# useful options and examples:
-c – See what time is spend and where (combine with -S for sorting)
-f – Track process including forked child processes
-o my-process-trace.txt – Log strace output to a file
-p 1234 – Track a process by PID
-P /tmp – Track a process when interacting with a path
-T – Display syscall duration in the output

# track by specific syscall group:
-e trace=ipc – Track communication between processes (IPC)
-e trace=memory – Track memory syscalls
-e trace=network – Track memory syscalls
-e trace=process – Track process calls (like fork, exec)
-e trace=signal – Track process signal handling (like HUP, exit)
-e trace=file – Track file related syscalls

# trace multiple syscalls:
strace -e open,close

Linux System Errors Types

cat /usr/include/asm-generic/errno.h |grep "#"


# create rule: open
auditctl -a always,exit -F arch=b64 -F pid=8175 -S open -k cups-open-files
ausearch -k cups-open-files

# check which process is modifying a certain directory or file
auditctl -w /path/to/directory -p war
ausearch -f /path/to/directory

MySQL version from an FRM file

# MySQL version 5.5.32
$ hexdump -s 0x33 -n 2 -v -d 55_test.frm
0000033 50532
# MySQL version 5.1.73
$ hexdump -s 0x33 -n 2 -v -d 51_test.frm
0000033 50173

Check if a library is installed

$ ldconfig -p | grep libjpeg

FS in File

$ dd if=/dev/zero of=/tmp/disk-image count=20480
$ mkfs -t ext4 -q /tmp/disk-image
$ mkdir /virtual-fs
$ mount -o loop=/dev/loop0 /tmp/disk-image /virtual-fs
# add to /etc/fstab
/tmp/disk-image /virtual-fs ext4 rw,loop 0 0

Encrypt Tar with OpenSSL\GPG

# encrypt
$ gpg -c test.tar
$ tar -czv stuff|openssl des3 -salt -k secretpassword | dd of=stuff.des3
# decrypt
$ gpg test.tar.gpg
$ dd if=stuff.des3 |openssl des3 -d -k secretpassword|tar xz

Split big archive

split -b 700m archive.tar part
cat part* > archive.tar

Installed pkgs size

# freebsd

pkg_info -as | perl -pe '$/=")"; s/\n*Information for (.*?):[\n\s]*Package Size:[\n\s]*(\d+)\s*\(\s*1K\-blocks\s*\)/$2 - $1\n/;' | sort -nr | less

# ubuntu
dpkg-query -W --showformat='${Installed-Size} ${Package}\n' | sort -n

Compare 2 directory

diff -qr dir1 dir2

WGet ALL site

wget -m -k -nv -np -p --user-agent="Mozilla/5.0 (compatible; Konqueror/3.0.0/10; Linux)" http://www.rhd.ru/docs/manuals/enterprise/RHEL-5-Manual/Virtual-Server-Administration/

Mount with SSH

apt-get install sshfs
mkdir ~/music
sshfs <remote_ip>:/music ~/music/
fusermount -u ~/music/

Boot in DOS

apt-get install syslinux
cp /usr/share/syslinux/memdisk /boot
wget -O /boot/Dos6.22.img http://www.allbootdisks.com/downloads/Disks/MS-DOS_Boot_Disk_Download47/Diskette%20Images/Dos6.22.img
# add to /boot/grub/menu.lst
title MSDOS
root(hd0,0) # Номер диска изменить на нужный
kernel /memdisk
initrd /Dos6.22.img

Remove all tables from MySQL DB

mysql -u root -ppassword -Ddb-name -e 'show tables;' | grep -v 'Tables_in' > /tmp/tables_list
for table in `cat /tmp/tables_list`; do mysql -u root -ppassword -Ddb-name -e "drop table $table;" ; done

Resize jpg for web

for i in *.jpg; do convert -resize 640x480 -quality 85 $i small-$i.jpg; done

Postfix redirect outbound mail

# all outbound mail redirect to local <username>
$ postconf -e luser_relay=username
$ postmap /etc/postfix/transport
$ postconf -e transport_maps=hash:/etc/postfix/transport
# add to /etc/postfix/transport
localhost :
* local:username

RM: Argument list too long

find | xargs --no-run-if-empty -n 500 rm -f

Rootkits check

apt-get install rkhunter
rkhunter –-update
rkhunter –-check

Restore deleted files

lsof | grep storage.db
memcached 22073 memcachedb   15u      REG                8,1 88090279936   14221332 /path/memcachedb/storage.db (deleted)
find /path/memcachedb/ -inum 14221332 -exec cp {} /var/tmp/storage.db \;

Flush linux disk cache

sudo sh -c 'sync; echo 3 > /proc/sys/vm/drop_caches'
free && sync && echo 3 > /proc/sys/vm/drop_caches && free

Firewall-cmd open http port 80

# open
$ firewall-cmd --zone=public --add-port=80/tcp --permanent
$ firewall-cmd --reload
$ iptables-save | grep 80

# to block
$ firewall-cmd --zone=public --remove-port=80/tcp --permanent
$ firewall-cmd --reload


# install
$ $ sudo yum list audit audit-libs

# /etc/audit/auditd.conf
max_log_file = 30
max_log_file_action = ROTATE
sudo service auditd restart

# Generating Audit Reports
$ sudo aureport -x --summary
$ sudo aureport --failed
$ sudo aureport -f -i

# view the current set of audit rules
$ sudo auditctl -l
# current status of the audit system
$ sudo auditctl -s
# add rule fo file
$ auditctl -w path_to_file -p permissions -k key_name
$ sudo auditctl -w /etc/hosts -p wa -k hosts_file_change

# /etc/audit/rules.d/audit.rules
-w /etc/hosts -p wa -k hosts_file_change
$ sudo auditctl -l
# add rule for dir
$ sudo auditctl -w /etc/sysconfig/ -p rwa -k configaccess
$ sudo ausearch -k configaccess

# system call rules
$ auditctl -a action,filter -S system_call -F field=value -k key_name
$ sudo auditctl -a always,exit -F arch=b64 -F "auid>=1000" -S rename -S renameat -k rename
$ sudo auditctl -a always,exit -F arch=b64 -F auid=1001 -S open -k userfileaccess

# removing audit rules
$ sudo auditctl -W /etc/passwd -p wa -k passwdaccess

Create dark directory

# read file only if you know it name
mkdir darkroom
chmod a-r+x darkroom

File attributes Linux-Unix

# linux
chattr +i vip_file
lsattr vip_file
chattr +a vip_file

# freebsd
chflags schg vip_file
chflags noschg vip_file
ls -lo vip_file

# freebsd flags

Iptables to limit connections

# Interface id
# Http Port
# Max connection in seconds
# Max connections per IP
# Default action can be DROP or REJECT
$IPT -I INPUT -p tcp --dport ${HTTP_PORT} -i ${INET_IF} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${HTTP_PORT} -i ${INET_IF} -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}

# for test we can use
ab -c 100 -n 1000 http://ip.ad.dr.es/
iptables -vL

Reboot linux with kernel panic

# /etc/sysctl.conf
kernel.panic = 15
$ sysctl -p