The "Unix Toolbox" document collects short instructions on various aspects of working with Linux, FreeBSD and Solaris. The range of topics is very wide, from shell programming to encryption and setting up SSH tunnels.

This document is a collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users. This is a practical guide with concise explanations, however the reader is supposed to know what s/he is doing.

Unix Toolbox revision 11

The latest version of this document can be found at http://cb.vu/unixtoolbox.xhtml. Replace .xhtml on the link with .pdf for the PDF version and with .book.pdf for the booklet version. On a duplex printer the booklet will create a small book ready to bind. This XHTML page can be converted into a nice PDF document with a CSS3 compliant application (see the script example). Error reports and comments are most welcome - c@cb.vu Colin Barschel.

Running kernel and system information
# uname -a                 # Get the kernel version (and BSD version)
Use /etc/DISTR-release with DISTR= lsb (Ubuntu), redhat, gentoo, mandrake, sun (Solaris), and so on.
# uptime                   # Show how long the system has been running + load

Hardware information
Kernel detected hardware
# dmesg                    # Detected hardware and boot messages
Linux
# cat /proc/cpuinfo        # CPU model
FreeBSD
# sysctl hw.model          # CPU model

Load, statistics and messages
The following commands are useful to find out what is going on on the system.
# top                      # display and update the top cpu processes

Users
# id                       # Show the active user id with login and group
Encrypted passwords are stored in /etc/shadow for Linux and Solaris and /etc/master.passwd on FreeBSD. If the master.passwd is modified manually (say to delete a password), run
# pwd_mkdb -p master.passwd
to rebuild the database.
To temporarily prevent logins system wide (for all users but root) use nologin. The message in nologin will be displayed.
# echo "Sorry no login now" > /etc/nologin   # (Linux)

Limits
Some applications require higher limits on open files and sockets (like a proxy

Per shell/script
The shell limits are governed by ulimit. The status is checked:
# ulimit -n 10240          # This is only valid within the shell
The ulimit command can be used in a script to change the limits for the script only.

Per user/process
Login users and applications can be configured in /etc/security/limits.conf. For example:
# cat /etc/security/limits.conf

System wide
Kernel limits are set with sysctl. Permanent limits are set in /etc/sysctl.conf.
# sysctl -a                # View all system limits

FreeBSD
Per shell/script
Use the command limits in csh or tcsh or, as in Linux, use ulimit in an sh or bash shell. The default limits on login are set in /etc/login.conf. An unlimited value is still limited by the system maximal value.
Kernel limits are also set with sysctl. Permanent limits are set in /etc/sysctl.conf or /boot/loader.conf. The syntax is the same as Linux but the keys are different.
# sysctl -a                # View all system limits
See the FreeBSD handbook, Chapter 11 (http://www.freebsd.org/handbook/configtuning-kernel-limits.html) for details.

Solaris
The following values in /etc/system will increase the maximum file descriptors per proc:
set rlim_fd_max = 4096     # Hard limit on file descriptors for a single proc

Runlevels
Linux
Once booted, the kernel starts init which then starts rc which starts all scripts belonging to a runlevel. The scripts are stored in /etc/init.d and are linked into /etc/rc.d/rcN.d with N the runlevel number.
The default runlevel is configured in /etc/inittab. It is usually 3 or 5:
# grep default: /etc/inittab
The actual runlevel (the list is shown below) can be changed with init.
For example to go from 3 to 5:
# init 5                   # Enters runlevel 5
* 0   Shutdown and halt
* 1   Single-User mode (also S)
* 2   Multi-user without network
* 3   Multi-user with network
* 5   Multi-user with X
* 6   Reboot
Use chkconfig to configure the programs that will be started at boot in a runlevel.
# chkconfig --list         # List all init scripts
Debian and Debian based distributions like Ubuntu or Knoppix use the command update-rc.d to manage the runlevel scripts. Default is to start in 2,3,4 and 5 and shutdown in 0,1 and 6.
# update-rc.d sshd defaults   # Activate sshd with the default runlevels

FreeBSD
The BSD boot approach is different from the SysV one, there are no runlevels. The final boot state (single user, with or without X) is configured in /etc/ttys. All OS scripts are located in /etc/rc.d/ and in /usr/local/etc/rc.d/ for third-party applications. The activation of the service is configured in /etc/rc.conf and /etc/rc.conf.local. The default behavior is configured in /etc/defaults/rc.conf. The scripts respond at least to start|stop|status.
# /etc/rc.d/sshd status
The process init can also be used to reach one of the following state levels. For example # init 6 for reboot.
* 0   Halt and turn the power off (signal USR2)
* 1   Go to single-user mode (signal TERM)
* 6   Reboot the machine (signal INT)
* c   Block further logins (signal TSTP)
* q   Rescan the ttys(5) file (signal HUP)

Reset root password
Linux method 1
At the boot loader (lilo or grub), enter the following boot option:
init=/bin/sh
The kernel will mount the root partition and init will start the bourne shell. If, after booting, the root partition is mounted read only, remount it rw:
# mount -o remount,rw /

FreeBSD and Linux method 2
FreeBSD won't let you get away with the simple init trick. The solution is to mount the root partition from another OS (like a rescue CD) and change the password on the disk.
* Boot a live CD or installation CD into a rescue mode which will give you a shell.
* Find the root partition with fdisk e.g. fdisk /dev/sda
* Mount it and use chroot:
# mount -o rw /dev/ad4s3a /mnt
Alternatively on FreeBSD, boot in single user mode, remount / rw and use passwd.
# mount -u /; mount -a     # will mount / rw

Kernel modules
Linux
# lsmod                    # List all modules loaded in the kernel
FreeBSD
# kldstat                  # List all modules loaded in the kernel

Compile Kernel
Linux
# cd /usr/src/linux
FreeBSD
To modify and rebuild the kernel, copy the generic configuration file to a new name and edit it as needed. It is however also possible to edit the file GENERIC directly.
# cd /usr/src/sys/i386/conf/
To rebuild the full OS:
# make buildworld          # Build the full OS but not the kernel
For small changes in the source, sometimes the short version is enough:
# make kernel world        # Compile and install both kernel and OS

Processes
Listing | Priority | Background/Foreground | Top | Kill

Listing and PIDs
Each process has a unique number, the PID. A list of all running processes is retrieved with ps.
# ps -auxefw               # Extensive list of all running processes
However more typical usage is with a pipe or with pgrep:
# ps axww | grep cron

Priority
Change the priority of a running process with renice. Negative numbers have a higher priority, the lowest is -20 and "nice" processes have a positive value.
# renice -5 586            # Stronger priority
Start the process with a defined priority with nice. Positive is "nice" or weak, negative is strong scheduling priority. Make sure you know if /usr/bin/nice or the shell built-in is used (check with # which nice).
# nice -n -5 top           # Stronger priority (/usr/bin/nice)

Background/Foreground
When started from a shell, processes can be brought into the background and back to the foreground with [Ctrl]-[Z] (^Z), bg and fg. For example start two processes, bring them into the background, list the processes with jobs and bring one into the foreground.
# ping cb.vu > ping.log
Use nohup to start a process which has to keep running when the shell is closed (immune to hangups).
# nohup ping -i 60 > ping.log &

Top
The program top displays running information of processes.
# top
While top is running press the key h for a help overview. Useful keys are:
* u [user name]   To display only the processes belonging to the user. Use + or blank to see all users
* k [pid]         Kill the process with pid.
* 1               To display all processors statistics (Linux only)
* R               Toggle normal/reverse sort.

Signals/Kill
Terminate or send a signal with kill or killall.
# ping -i 60 cb.vu > ping.log &
Important signals are:
* 1    HUP (hang up)
* 2    INT (interrupt)
* 3    QUIT (quit)
* 9    KILL (non-catchable, non-ignorable kill)
* 15   TERM (software termination signal)

File System
Disk info | Boot | Disk usage | Opened files | Mount/remount | Mount SMB | Mount image | Burn ISO | Create image | Memory disk | Disk performance

Permissions
Change permission and ownership with chmod and chown. The default umask can be changed for all users in /etc/profile for Linux or /etc/login.conf for FreeBSD. The default umask is usually 022. The umask is subtracted from 777, thus umask 022 results in a permission of 755.
1 --x execute              # Mode 764 = exec/read/write | read/write | read
# chmod [OPTION] MODE[,MODE] FILE   # MODE is of the form [ugoa]*([-+=]([rwxXst]))

Disk information
# diskinfo -v /dev/ad2     # information about disk (sector/size) FreeBSD

Boot
FreeBSD
To boot an old kernel if the new kernel doesn't boot, stop the boot during the count down.
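The Permissions section above describes the umask as "subtracted from 777". The kernel actually clears the umask bits with a bitwise AND NOT, which agrees with subtraction for 022 but not for every mask (try 027 on a file created with 666). The following shell functions are an added example, not part of the Unix Toolbox, and take the base mode and umask as octal strings; the umask_check helper and its warning text are this example's own invention.

```shell
#!/bin/sh
# Added example (not from the Unix Toolbox): compute the mode that results
# from a umask. The kernel clears the umask bits with a bitwise AND NOT;
# plain octal subtraction only agrees when every masked bit is actually set.

# mode_after_umask BASE UMASK -> effective mode, all values octal
# (e.g. 777 022 -> 755, 666 022 -> 644)
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_by_subtraction BASE UMASK -> what naive octal subtraction would give
# (e.g. 666 027 -> 637, an invalid answer; the kernel gives 640)
mode_by_subtraction() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# umask_check UMASK: print the resulting directory (base 777) and file
# (base 666) modes and warn when group or other write bits stay enabled.
umask_check() {
    dir=$(mode_after_umask 777 "$1")
    file=$(mode_after_umask 666 "$1")
    printf 'umask %s: directories %s, files %s\n' "$1" "$dir" "$file"
    if [ $(( 0$1 & 022 )) -ne $(( 022 )) ]; then
        echo "warning: umask $1 leaves new files writable by group or others"
    fi
}

umask_check 022     # the usual default: 755 / 644
umask_check 027     # group read only, no access for others: 750 / 640
umask_check 000     # world-writable files: flagged by the warning
```

A quick way to see the difference between the two models is to compare mode_after_umask 666 027 (640) with mode_by_subtraction 666 027 (637): the second is not even a valid permission set.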
# unload

System mount points/Disk usage
# mount | column -t        # Show mounted file-systems on the system
Disk usage
# du -sh *                 # Directory sizes as listing

Who has which files opened
This is useful to find out which file is blocking a partition which has to be unmounted and gives a typical error of:
# umount /home/
FreeBSD and most Unixes
# fstat -f /home           # for a mount point
Find opened log file (or other opened files), say for Xorg:
# ps ax | grep Xorg | awk '{print $1}'
The file with inum 212042 is the only file in /var:
# find -x /var -inum 212042
Linux
Find opened files on a mount point with fuser or lsof:
# fuser -m /home           # List processes accessing /home
About an application:
ps ax | grep Xorg | awk '{print $1}'
About a single file:
# lsof /var/log/Xorg.0.log

Mount/remount a file system
For example the cdrom. If listed in /etc/fstab:
# mount /cdrom
Or find the device in /dev/ or with dmesg
# mount -v -t cd9660 /dev/cd0c /mnt   # cdrom
Entry in /etc/fstab:
# Device    Mountpoint    FStype    Options    Dump    Pass#
To let users do it:
# sysctl vfs.usermount=1   # Or insert the line "vfs.usermount=1" in /etc/sysctl.conf
Linux
# mount -t auto /dev/cdrom /mnt/cdrom   # typical cdrom mount command
Entry in /etc/fstab:
/dev/cdrom  /media/cdrom  subfs  noauto,fs=cdfss,ro,procuid,nosuid,nodev,exec 0 0

Mount a FreeBSD partition with Linux
Find the partition number with fdisk, this is usually the root partition, but it could be another BSD slice too. If the FreeBSD has many slices, they are the ones not listed in the fdisk table, but visible in /dev/sda* or /dev/hda*.
# fdisk /dev/sda           # Find the FreeBSD partition

Remount
Remount a device without unmounting it. Necessary for fsck for example
# mount -o remount,ro /    # Linux
Copy the raw data from a cdrom into an iso image:
# dd if=/dev/cd0c of=file.iso

Mount an SMB share
Suppose we want to access the SMB share myshare on the computer smbserver, the address as typed on a Windows PC is \\smbserver\myshare. We mount on /mnt/smbshare.
Warning: cifs wants an IP or DNS name, not a Windows name.
# smbclient -U user -I 192.168.16.229 -L //smbshare/   # List the shares
Additionally with the package mount.cifs it is possible to store the credentials in a file, for example /home/user/.smb:
username=winuser
And mount as follows:
# mount -t cifs -o credentials=/home/user/.smb //192.168.16.229/myshare /mnt/smbshare
FreeBSD
Use -I to give the IP (or DNS name); smbserver is the Windows name.
# smbutil view -I 192.168.16.229 //winuser@smbserver   # List the shares

Mount an image
Linux loop-back
# mount -t iso9660 -o loop file.iso /mnt   # Mount a CD image
FreeBSD
With memory device (do # kldload md.ko if necessary):
# mdconfig -a -t vnode -f file.iso -u 0
Or with virtual node:
# vnconfig /dev/vn0c file.iso; mount -t cd9660 /dev/vn0c /mnt
Solaris and FreeBSD with loop-back file interface or lofi:
# lofiadm -a file.iso

Create and burn an ISO image
This will copy the cd or DVD sector for sector. Without conv=notrunc, the image will be smaller if there is less content on the cd. See below and the dd examples.
# dd if=/dev/hdc of=/tmp/mycd.iso bs=2048 conv=notrunc
Use mkisofs to create a CD/DVD image from files in a directory. To overcome the file name restrictions: -r enables the Rock Ridge extensions common to UNIX systems, -J enables Joliet extensions used by Microsoft systems. -L allows ISO9660 filenames to begin with a period.
# mkisofs -J -L -r -V TITLE -o imagefile.iso /path/to/dir
On FreeBSD, mkisofs is found in the ports in sysutils/cdrtools.
FreeBSD
FreeBSD does not enable DMA on ATAPI drives by default. DMA is enabled with the sysctl command and the arguments below, or with /boot/loader.conf with the following entries:
hw.ata.ata_dma="1"
Use burncd with an ATAPI device (burncd is part of the base system) and cdrecord (in sysutils/cdrtools) with a SCSI drive.
# burncd -f /dev/acd0 data imagefile.iso fixate   # For ATAPI drive
Linux
Also use cdrecord with Linux as described above.
Additionally it is possible to use the native ATAPI interface which is found with:
# cdrecord dev=ATAPI -scanbus
And burn the CD/DVD as above.
Nero simply adds a 300Kb header to a normal iso image. This can be trimmed with dd.
# dd bs=1k if=imagefile.nrg of=imagefile.iso skip=300

Convert a bin/cue image to .iso
The little bchunk program (http://freshmeat.net/projects/bchunk/) can do this. It is in the FreeBSD ports in sysutils/bchunk.
# bchunk imagefile.bin imagefile.cue imagefile.iso

Create a file based image
For example a partition of 1GB using the file /usr/vdisk.img.
# dd if=/dev/random of=/usr/vdisk.img bs=1K count=1M
Linux
# dd if=/dev/zero of=/usr/vdisk.img bs=1024k count=1024
Linux with losetup
/dev/zero is much faster than urandom, but less secure for encryption.
# dd if=/dev/urandom of=/usr/vdisk.img bs=1024k count=1024

Create a memory file system
A memory based file system is very fast for heavy IO applications. How to create a 64 MB partition mounted on /memdisk:
# mount_mfs -o rw -s 64M md /memdisk
Linux
# mount -t tmpfs -osize=64m tmpfs /memdisk

Disk performance
Read and write a 1 GB file on partition ad4s3c (/home)
# time dd if=/dev/ad4s3c of=/dev/null bs=1024k count=1000

Network
Routing | Additional IP | Change MAC | Ports | Firewall | IP Forward | NAT | DNS | DHCP | Traffic | QoS | NIS

Debugging (See also Traffic analysis)
# mii-diag eth0            # Show the link status (Linux)

Routing
Print routing table
# route -n                 # Linux
Add and delete a route
FreeBSD
# route add 212.117.0.0/16 192.168.1.1
Add the route permanently in /etc/rc.conf
static_routes="myroute"
Linux
# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.16.254
Windows
# Route add 192.168.50.0 mask 255.255.255.0 192.168.51.253
Use add -p to make the route persistent.
Configure additional IP addresses
Linux
# ifconfig eth0 192.168.50.254 netmask 255.255.255.0   # First IP
FreeBSD
# ifconfig fxp0 inet 192.168.50.254/24   # First IP
Permanent entries in /etc/rc.conf
ifconfig_fxp0="inet 192.168.50.254 netmask 255.255.255.0"

Change MAC address
# ifconfig eth0 hw ether 00:01:02:03:04:05   # Linux

Ports in use
Listening open ports:
# netstat -an | grep LISTEN

Firewall
Check if a firewall is running (typical configuration only):
# iptables -L -n -v        # For status
FreeBSD
# ipfw show                # For status

IP Forward for routing
Linux
Check and then enable IP forward with:
# cat /proc/sys/net/ipv4/ip_forward   # Check IP forward 0=off, 1=on
or edit /etc/sysctl.conf with:
net.ipv4.ip_forward = 1
FreeBSD
Check and enable with:
# sysctl net.inet.ip.forwarding   # Check IP forward 0=off, 1=on

NAT Network Address Translation
Linux
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # to activate NAT
Delete the port forward with -D instead of -A.
FreeBSD
# natd -s -m -u -dynamic -f /etc/natd.conf -n fxp0
Port forward with:
# cat /etc/natd.conf

DNS
On Unix the DNS entries are valid for all interfaces and are stored in /etc/resolv.conf. The domain to which the host belongs is also stored in this file. A minimal configuration is:
nameserver 78.31.70.238
Check the system domain name with:
# hostname -d              # Same as dnsdomainname
Windows
On Windows the DNS are configured per interface. To display the configured DNS and to flush the DNS cache use:
# ipconfig /?              # Display help
Forward queries
Dig is your friend to test the DNS settings. For example the public DNS server 213.133.105.2 ns.second-ns.de can be used for testing. See from which server the client receives the answer (simplified answer).
# dig sleepyowl.net
The router 192.168.51.254 answered and the response is the A entry. Any entry can be queried and the DNS server can be selected with @:
# dig MX google.com
The program host is also powerful.
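The "Ports in use" check above (netstat -an | grep LISTEN) lists every listening socket, but what matters when reviewing a host is which of them are bound to all interfaces rather than to loopback. The script below is an added example, not part of the Unix Toolbox: it runs a small awk classifier over constructed sample output in the Linux netstat -an layout (the addresses and ports are invented for the example), and the listeners and count_exposed helpers are this example's own names.

```shell
#!/bin/sh
# Added example (not from the Unix Toolbox): classify LISTEN sockets from
# "netstat -an" output by the address they are bound to, so that services
# reachable from every interface stand out from loopback-only ones.
# SAMPLE_NETSTAT is constructed sample output in the Linux netstat format.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.16.5:80         0.0.0.0:*               LISTEN
tcp        0      0 192.168.16.5:22         192.168.16.121:51234    ESTABLISHED
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# listeners SCOPE: print "proto addr port" for LISTEN sockets. SCOPE is
# "exposed" (bound to 0.0.0.0 or ::), "local" (loopback), "interface"
# (one specific address) or "all" (default).
listeners() {
    scope=${1:-all}
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v scope="$scope" '
        $NF == "LISTEN" {
            n = split($4, p, ":")               # the port follows the last colon
            port = p[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::")        kind = "exposed"
            else if (addr == "127.0.0.1" || addr == "::1") kind = "local"
            else                                           kind = "interface"
            if (scope == "all" || scope == kind)
                print $1, addr, port
        }'
}

# count_exposed: number of LISTEN sockets reachable from any interface
count_exposed() {
    listeners exposed | wc -l | tr -d ' '
}

echo "Listening sockets bound to all interfaces:"
listeners exposed
echo "Loopback-only listeners:"
listeners local
```

To use it on a live system, replace the printf of SAMPLE_NETSTAT with netstat -an itself; the awk part only depends on the local address being in column 4 and the state in the last column, which holds for the Linux netstat layout shown. The ss tool on newer Linux prints a different layout and needs its own column mapping.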
# host -t MX cb.vu         # Get the mail MX entry
Reverse queries
Find the name belonging to an IP address (in-addr.arpa.). This can be done with dig, host and nslookup:
# dig -x 78.31.70.238
/etc/hosts
Single hosts can be configured in the file /etc/hosts instead of running named locally to resolve the hostname queries. The format is simple, for example:
78.31.70.238    sleepyowl.net    sleepyowl
The priority between hosts and a dns query, that is the name resolution order, can be configured in /etc/nsswitch.conf AND /etc/host.conf. The file also exists on Windows, it is usually in:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC

DHCP
Linux
Some distributions (SuSE) use dhcpcd as client. The default interface is eth0.
# dhcpcd -n eth0           # Trigger a renew
The lease with the full information is stored in:
/var/lib/dhcpcd/dhcpcd-eth0.info
FreeBSD
FreeBSD (and Debian) uses dhclient. To configure an interface (for example bge0) run:
# dhclient bge0
The lease with the full information is stored in:
/var/db/dhclient.leases.bge0
Use /etc/dhclient.conf to prepend options or force different options:
# cat /etc/dhclient.conf
Windows
The dhcp lease can be renewed with ipconfig:
# ipconfig /renew          # renew all adapters
Yes it is a good idea to rename your adapters with simple names!

Traffic analysis
Bmon (http://people.suug.ch/~tgr/bmon/) is a small console bandwidth monitor and can display the flow on different interfaces.
# tcpdump -nl -i bge0 not port ssh and src (192.168.16.121 or 192.168.16.54)
Additional important options:
* -A   Print each packet in clear text (without header)
* -X   Print packets in hex and ASCII
* -l   Make stdout line buffered
* -D   Print all interfaces available
On Windows use windump from www.winpcap.org. Use windump -D to list the interfaces.
Nmap (http://insecure.org/nmap/) is a port scanner with OS detection, it is usually installed on most distributions and is also available for Windows. If you don't scan your servers, hackers do it for you...
# nmap cb.vu               # scans all reserved TCP ports on the host

Traffic control (QoS)
Traffic control manages the queuing, policing, scheduling, and other traffic parameters for a network. The following examples are simple practical uses of the Linux and FreeBSD capabilities to better use the available bandwidth.
DSL or cable modems have a long queue to improve the upload throughput. However filling the queue with a fast device (e.g. ethernet) will dramatically decrease the interactivity. It is therefore useful to limit the device upload rate to match the physical capacity of the modem, this should greatly improve the interactivity. Set to about 90% of the modem maximal (cable) speed.
For a 512 Kbit upload modem:
# tc qdisc add dev eth0 root tbf rate 480kbit latency 50ms burst 1540
FreeBSD
FreeBSD uses the dummynet traffic shaper which is configured with ipfw. Pipes are used to set limits on the bandwidth in units of [K|M]{bit/s|Byte/s}, 0 means unlimited bandwidth. Using the same pipe number will reconfigure it. For example limit the upload bandwidth to 500 Kbit.
# kldload dummynet         # load the module if necessary

Quality of service
Linux
Priority queuing with tc to optimize VoIP. See the full example on voip-info.org or www.howtoforge.com. Suppose VoIP uses udp on ports 10000:11024 and device eth0 (could also be ppp0 or so). The following commands define the QoS to three queues and force the VoIP traffic to queue 1 with QoS 0x1e (all bits set). The default traffic flows into queue 3 and QoS Minimize-Delay flows into queue 2.
# tc qdisc add dev eth0 root handle 1: prio priomap 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 0
Status and remove with
# tc -s qdisc ls dev eth0  # queue status
Calculate port range and mask
The tc filter defines the port range with port and mask which you have to calculate. Find the 2^N ending of the port range, deduce the range and convert to HEX. This is your mask. Example for 10000 -> 11024, the range is 1024.
# 2^13 (8192)

Add Hardware # Yes, Hardware is already connected
* # Install the hardware that I manually select # Network adapters # Microsoft, Microsoft Loopback Adapter.
* Configure the IP address of the fake device to 10.1.1.1 mask 255.255.255.0, no gateway.
* advanced->WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.
* # Enable Client for Microsoft Networks. # Disable File and Printer Sharing for Microsoft Networks.
I HAD to reboot for this to work. Now connect to the smb share with \\10.1.1.1 and remote desktop to 10.1.1.1:3388. If it is not working:
* Are the ports forwarded: netstat -an? Look at 0.0.0.0:139 or 10.1.1.1:139
* Does telnet 10.1.1.1 139 connect?
* You need the checkbox "Local ports accept connections from other hosts".
* Is "File and Printer Sharing for Microsoft Networks" disabled on the loopback interface?

Connect two clients behind NAT
Suppose two clients are behind a NAT gateway and client cliadmin has to connect to client cliuser (the destination), both can login to the gate with ssh and are running Linux with sshd. You don't need root access anywhere as long as the ports on gate are above 1024. We use 2022 on gate. Also since the gate is used locally, the option GatewayPorts is not necessary.
On client cliuser (from destination to gate):
# ssh -R 2022:localhost:22 user@gate   # forwards client 22 to gate:2022
On client cliadmin (from host to gate):
# ssh -L 3022:localhost:2022 admin@gate   # forwards client 3022 to gate:2022
Now the admin can connect directly to the client cliuser with:
# ssh -p 3022 admin@localhost   # local:3022 -> gate:2022 -> client:22

Connect to VNC behind NAT
Suppose a Windows client with VNC listening on port 5900 has to be accessed from behind NAT.
# ssh -R 15900:localhost:5900 user@gate
On client cliadmin (from host to gate):
# ssh -L 5900:localhost:15900 admin@gate
Now the admin can connect directly to the client VNC with:
# vncconnect -display :0 localhost

VPN with SSH
As of version 4.3, OpenSSH can use the tun/tap device to encrypt a tunnel. This is very similar to other TLS based VPN solutions like OpenVPN. One advantage with SSH is that there is no need to install and configure additional software. Additionally the tunnel uses the SSH authentication like pre shared keys. The drawback is that the encapsulation is done over TCP which might result in poor performance on a slow link. Also the tunnel is relying on a single (fragile) TCP connection. This technique is very useful for a quick IP based VPN setup. There is no limitation as with the single TCP port forward, all layer 3/4 protocols like ICMP, TCP/UDP, etc. are forwarded over the VPN. In any case, the following options are needed in the sshd_conf file:
PermitRootLogin yes

Single P2P connection
Here we are connecting two hosts, hclient and hserver with a peer to peer tunnel. The connection is started from hclient to hserver and is done as root. The tunnel end points are 10.0.1.1 (server) and 10.0.1.2 (client) and we create a device tun5 (this could also be another number). The procedure is very simple:
* Connect with SSH using the tunnel option -w
* Configure the IP addresses of the tunnel. Once on the server and once on the client.
Connect to the server
Connection started on the client and commands are executed on the server.
cli># ssh -w5:5 root@hserver
Server is on FreeBSD
cli># ssh -w5:5 root@hserver
Configure the client
Commands executed on the client:
cli># ifconfig tun5 10.0.1.2 netmask 255.255.255.252   # Client is on Linux
The two hosts are now connected and can transparently communicate with any layer 3/4 protocol using the tunnel IP addresses.
Connect two networks
In addition to the p2p setup above, it is more useful to connect two private networks with an SSH VPN using two gates. Suppose for the example, netA is 192.168.51.0/24 and netB 192.168.16.0/24. The procedure is similar to the one above, we only need to add the routing. NAT must be activated on the private interface only if the gates are not the same as the default gateway of their network.
192.168.51.0/24 (netA)|gateA    gateB|192.168.16.0/24 (netB)
* Connect with SSH using the tunnel option -w.
* Configure the IP addresses of the tunnel. Once on the server and once on the client.
* Add the routing for the two networks.
* If necessary, activate NAT on the private interface of the gate.
The setup is started from gateA in netA.
Connection is started from gateA and commands are executed on gateB.
gateA># ssh -w5:5 root@gateB
gateB is on FreeBSD
gateA># ssh -w5:5 root@gateB   # Creates the tun5 devices
Configure gateA
Commands executed on gateA:
gateA># ifconfig tun5 10.0.1.2 netmask 255.255.255.252
gateA is on FreeBSD
gateA># ifconfig tun5 10.0.1.2 10.0.1.1
The two private networks are now transparently connected via the SSH VPN. The IP forward and NAT settings are only necessary if the gates are not the default gateways. In this case the clients would not know where to forward the response, and NAT must be activated.

RSYNC
Rsync can almost completely replace cp and scp, furthermore interrupted transfers are efficiently restarted. A trailing slash (and the absence thereof) has different meanings, the man page is good... Here some examples:
Copy the directories with full content:
# rsync -a /home/colin/ /backup/colin/
Same as before but over the network and with compression. Rsync uses SSH for the transport per default and will use the ssh keys if they are set. Use ":" as with SCP.
A typical remote copy:
# rsync -axSRzv /home/user/ user@server:/backup/user/
Exclude any directory tmp within /home/user/ and keep the relative folder hierarchy, that is the remote directory will have the structure /backup/home/user/. This is typically used for backups.
# rsync -azR --exclude /tmp/ /home/user/ user@server:/backup/
Use port 20022 for the ssh connection:
# rsync -az -e 'ssh -p 20022' /home/colin/ user@server:/backup/colin/
Using the rsync daemon (used with "::") is much faster, but not encrypted over ssh. The location of /backup is defined by the configuration in /etc/rsyncd.conf. The variable RSYNC_PASSWORD can be set to avoid the need to enter the password manually.
# rsync -axSRz /home/ ruser@hostname::rmodule/backup/
Some important options:
* -a, --archive           archive mode; same as -rlptgoD (no -H)
* -r, --recursive         recurse into directories
* -R, --relative          use relative path names
* -H, --hard-links        preserve hard links
* -S, --sparse            handle sparse files efficiently
* -x, --one-file-system   don't cross file system boundaries
* --exclude=PATTERN       exclude files matching PATTERN
* --delete-during         receiver deletes during xfer, not before
* --delete-after          receiver deletes after transfer, not before

Rsync on Windows
Rsync is available for Windows through cygwin or as stand-alone packaged in cwrsync (http://sourceforge.net/projects/sereds). This is very convenient for automated backups. Install one of them (not both) and add the path to the Windows system variables:
# Control Panel -> System -> tab Advanced, button Environment Variables.
Edit the "Path" system variable and add the full path to the installed rsync, e.g. C:\Program Files\cwRsync\bin or C:\cygwin\bin. This way the commands rsync and ssh are available in a Windows command shell.
Rsync is automatically tunneled over SSH and thus uses the SSH authentication on the server.
Automatic backups have to avoid user interaction, for this the SSH public key authentication can be used and the rsync command will run without a password. All the following commands are executed within a Windows console.
In a console (Start -> Run -> cmd) create and upload the key as described in SSH, change "user" and "server" as appropriate. If the file authorized_keys2 does not exist yet, simply copy id_dsa.pub to authorized_keys2 and upload it.
# ssh-keygen -t dsa -N ''  # Creates a public and a private key
Now test it with (in one line):
rsync -rv "/cygdrive/c/Documents and Settings/%USERNAME%/My Documents/"
Automatic backup
Use a batch file to automate the backup and add the file in the scheduled tasks (Programs -> Accessories -> System Tools -> Scheduled Tasks). For example create the file backup.bat and replace user@server.
@ECHO OFF

SUDO
Sudo is a standard way to give users some administrative rights without giving out the root password. Sudo is very useful in a multi user environment with a mix of servers and workstations. Simply call the command with sudo:
# sudo /etc/init.d/dhcpd restart   # Run the rc script as root
Configuration
Sudo is configured in /etc/sudoers and must only be edited with visudo. The basic syntax is (the lists are comma separated):
user hosts = (runas) commands   # In /etc/sudoers
* users      one or more users or %group (like %wheel) to gain the rights
* hosts      list of hosts (or ALL)
* runas      list of users (or ALL) that the command rule can be run as. It is enclosed in ( )!
* commands   list of commands (or ALL) that will be run as root or as (runas)
Additionally those keywords can be defined as aliases, they are called User_Alias, Host_Alias, Runas_Alias and Cmnd_Alias. This is useful for larger setups.
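Since visudo only checks that the syntax of /etc/sudoers is valid, reviewing which rules grant ALL commands is a separate step. The script below is an added example, not part of the Unix Toolbox or of sudo itself: it splits rules of the form "user hosts = (runas) commands" described above into their four fields with awk and flags every rule whose command list is ALL. The sudoers content is a constructed sample (users, hosts and aliases are invented), the functions sudoers_rules and sudoers_audit are this example's own names, and the script deliberately ignores the alias definition lines and the tags and options that real sudoers files can also carry.

```shell
#!/bin/sh
# Added example (not from the Unix Toolbox): split sudoers rules into
# user|hosts|runas|commands and flag rules that grant ALL commands.
# SAMPLE_SUDOERS is a constructed sample, not a real /etc/sudoers.

SAMPLE_SUDOERS='# constructed sample sudoers for the example
User_Alias  ADMINS = alice, bob
Cmnd_Alias  MOUNT = /bin/mount, /bin/umount
root        ALL = (ALL) ALL
%wheel      ALL = (ALL) ALL
ADMINS      dmz1, dmz2 = (root) /usr/bin/systemctl, /usr/bin/journalctl
%users      desktop = (root) MOUNT
carol       ALL = (www) /usr/bin/less'

# sudoers_rules: one line per rule, fields separated by "|":
# user|hosts|runas|commands. Comments, blank lines and alias definitions
# are skipped; a rule without "(runas)" runs as root (the sudo default).
sudoers_rules() {
    printf '%s\n' "$SAMPLE_SUDOERS" | awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        /^(User|Host|Runas|Cmnd)_Alias/ { next } # alias definitions are not rules
        {
            eq = index($0, "=")
            if (eq == 0) next
            lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            gsub(/^[ \t]+|[ \t]+$/, "", rhs)
            sp = match(lhs, /[ \t]/)            # first blank separates user from hosts
            user = substr(lhs, 1, sp - 1)
            hosts = substr(lhs, sp + 1); gsub(/^[ \t]+/, "", hosts)
            runas = "root"
            if (substr(rhs, 1, 1) == "(") {     # optional (runas) list
                cl = index(rhs, ")")
                runas = substr(rhs, 2, cl - 2)
                rhs = substr(rhs, cl + 1); gsub(/^[ \t]+/, "", rhs)
            }
            print user "|" hosts "|" runas "|" rhs
        }'
}

# sudoers_audit: report every rule whose command list is the keyword ALL,
# i.e. the user (or group) may run any command as the runas user.
sudoers_audit() {
    sudoers_rules | awk -F'|' '$4 == "ALL" {
        print $1 " on " $2 " can run ANY command as " $3
    }'
}

echo "Parsed rules:"
sudoers_rules
echo "Rules granting every command:"
sudoers_audit
```

On a real system the printf of SAMPLE_SUDOERS would be replaced by reading /etc/sudoers (and any files it includes) as root; the audit output is then a list of the accounts that are effectively equivalent to root.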
Here a sudoers example:
# cat /etc/sudoers
# User aliases are a list of users which can have the same rights
# Command aliases define the full path of a list of commands
# The actual rules
# User sysadmin can mess around in the DMZ servers with some commands.
# anyone can mount/unmount a cd-rom on the desktop machines

Encrypt Files
A single file
Encrypt and decrypt:
# openssl des -salt -in file -out file.des
Note that the file can of course be a tar archive.
tar and encrypt a whole directory
# tar -cf - directory | openssl des -salt -out directory.tar.des   # Encrypt
tar zip and encrypt a whole directory
# tar -zcf - directory | openssl des -salt -out directory.tar.gz.des   # Encrypt
* Use -k mysecretpassword after des to avoid the interactive password request. However note that this is highly insecure.
* Use des3 instead of des to get even stronger encryption (Triple-DES Cipher). This also uses more CPU.

Encrypt Partitions
Linux with LUKS | Linux dm-crypt only | FreeBSD GELI | FBSD pwd only
There are (many) other alternative methods to encrypt disks, I only show here the methods I know and use. Keep in mind that the security is only good as long as the OS has not been tampered with. An intruder could easily record the password from the keyboard events. Furthermore the data is freely accessible when the partition is attached, and encryption will not prevent an intruder from having access to it in this state.
Those instructions use the Linux dm-crypt (device-mapper) facility available on the 2.6 kernel. In this example, let's encrypt the partition /dev/sdc1, it could however be any other partition or disk, or USB or a file based partition created with losetup. In this case we would use /dev/loop0. See file image partition.
The device mapper uses labels to identify a partition. We use sdc1 in this example, but it could be any string. LUKS with dm-crypt has better encryption and makes it possible to have multiple passphrases for the same partition or to change the password easily.
To test if LUKS is available, simply type # cryptsetup --help; if nothing about LUKS shows up, use the instructions below Without LUKS. First create a partition if necessary: fdisk /dev/sdc.
# dd if=/dev/urandom of=/dev/sdc1   # Optional. For paranoids only (takes days)