Category: Linux

Linux commands #2 – some environment variables

Posted on | by johniax 

$BASH_VERSION                    # bash version
$EDITOR                          # default editor
$GROUPS                          # membership in groups
$HISTFILE                        # user shell`s history file
$HISTSIZE                        # how many commands can be stored in bash $HISTFILE
$HOME                            # home directory
$HOSTNAME                        # hostname
$LANG                            # locale for the shell
$LC_*                            # locale settings that override $LANG
$LC_ALL                          # 
$LD_LIBRARY_PATH                 # paths to search for libraries
$PATH                            # paths to search for commands, priority order
$PS1                             # 
$PS2                             # 
$PWD                             # users working directory
$SHLLVL                          # current shell level
$TZ                              # current time zone if different from system time zone
$UID                             # user id
$VISUAL                          #

Linux commands #1

Posted on | by johniax 

readlink /bin/sh           # to which shell points /bin/sh 
echo $SHELL                # current shell 
echo $BASH_VERSION         # bash version
uname                      # distribution
uname -r                   # kernel version
uname -a                   # detailed kernel information
echo hello you             # output some text 
echo \[some \'content\'\]  # escape special characters: *?[]'"\$;&()|^<>
 
pwd                        # current directory
cd ~                       # cd to home 
cd $HOME                   # cd to home 
cd -                       # cd to home and print home dir location
type echo                  # shell built in or external command

 

Git console / gitbash – basic console commands

Posted on | by johniax 
#show commit history
git log

#list files modified on a certain commit
git diff-tree --no-commit-id --name-only -r commit-hash

#list files modified within last 30 days
git diff --name-only "@{30 days ago}"

#list remote branches 
git fetch 
git branch -r 
git ls-remote --heads 
git remote show origin

git branch -vv # list local branches

git checkout -b BRANCHNAME # create a new branch and switch to it
git push --set-upstream origin BRANCHNAME # push your new branch to remote repo

git checkout BRANCHNAME    # switch to a branch BRANCHNAME
git push origin BRANCHNAME # push your branch to github

#merge master branch into feature branch
git checkout F1 # switch to branch F1
git merge master # merge from master branch

# completely remove all staged and unstaged changes to tracked files
git reset --hard

#config
git config --list
git config --global user.name "John Doe"
git config --global user.email johndoe@example.com

#if git is tracking files that should be ignored by .gitignore
git rm -r --cached .
git add .
git commit -m "fixed untracked files"

git branch -d branch_name    #delete local branch
git push origin --delete dev #delete remote branch

Oneliners

Posted on | by johniax 
#delete directories older than 20 days and not older than 365 days
find /home/username/backup/ -type d -mtime +20 -mtime -365 -exec rm -rf {} \;

#delete pdf files older than 6 days but not older than 365 days
find /home/username/public_html/storage/ -type f -mtime +6 -mtime -365 -name '*.pdf' -exec rm {} \

Setup OpenVPN server on Debian 9

Posted on | by johniax

1. Installing OpenVPN and EasyRSA

On the OpenVPN server: 

sudo apt update
sudo apt install openvpn -y

# Choose the newest release
wget -P ~/server https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
cd server
tar xvf EasyRSA-nix-3.0.5.tgz

On the CA server: 

# Choose the newest release
wget -P ~/ca https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
cd ca
tar xvf EasyRSA-nix-3.0.5.tgz
cd ca/EasyRSA-3.0.5/

2. Configure EasyRSA and build CA

On the CA server: 

cp vars.example vars

vi vars
# uncomment and fill in your information: 
set_var EASYRSA_REQ_COUNTRY    "LT"
set_var EASYRSA_REQ_PROVINCE   "Vilnius"
set_var EASYRSA_REQ_CITY       "Vilnius"
set_var EASYRSA_REQ_ORG        "Jonas"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "Organisational unit"

./easyrsa init-pki
./easyrsa build-ca nopass

3. Create the Server Certificate, Key, and Encryption Files

On the OpenVPN server: 

cd server/EasyRSA-3.0.5/
./easyrsa init-pki
./easyrsa gen-req server nopass
sudo cp pki/private/server.key /etc/openvpn/

# copy server.req file to CA server
mkdir ~/ca/tmp && cp pki/reqs/server.req ~/ca/tmp/

On the CA server: 

cd ~/ca/EasyRSA-3.0.5/
./easyrsa import-req ../tmp/server.req server
./easyrsa sign-req server server
mkdir ~/server/tmp && cp pki/issued/server.crt ../../server/tmp/
cp pki/ca.crt ../../server/tmp/

On the OpenVPN server: 

cd ~/server/EasyRSA-3.0.5/
sudo cp ../tmp/server.crt /etc/openvpn/
sudo cp ../tmp/ca.crt /etc/openvpn/
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/

4. Generate a Client Certificate and Key Pair

On the OpenVPN server: 

mkdir -p ~/server/client-configs/keys
chmod -R 700 ~/server/client-configs
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ~/server/client-configs/keys/

# copy client1.req file to CA server
cp pki/reqs/client1.req ../../ca/tmp/

On the CA server: 

cd ../../ca/EasyRSA-3.0.5/
./easyrsa import-req ../tmp/client1.req client1
./easyrsa sign-req client client1

#copy client1.crt file to OpenVPN server
cp pki/issued/client1.crt ../../server/tmp/

On the OpenVPN server: 

cd ~/server/EasyRSA-3.0.5/
cp ../tmp/client1.crt ~/server/client-configs/keys/
sudo cp ta.key ~/server/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/server/client-configs/keys/

5. Set up the OpenVPN service

On the OpenVPN server: 

cd
sudo gzip -d /etc/openvpn/server.conf.gz

sudo vi /etc/openvpn/server.conf

# uncomment this line: 
tls-auth ta.key 0 # This file is secret

#add this line bewlow: 
key-direction 0

# uncomment this line: 
cipher AES-256-CBC

# add this line below: 
auth SHA256

#change line
dh dh2048.pem 
#to line
dh dh.pem

# uncomment these two lines: 
user nobody
group nogroup

# push DNS Changes to Redirect All Traffic Through the VPN
# uncomment these lines: 
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

6. Adjust network accordingly

sudo vi /etc/sysctl.conf

# uncomment this line: 
net.ipv4.ip_forward=1

# read the file and apply changes to the current session
sudo sysctl -p

7. Enable the OpenVPN Sercice

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
ip addr show tun0
sudo systemctl enable openvpn@server

8. Forward all VPN client traffic through VPN server

# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything
iptables -A FORWARD -j ACCEPT

# Save iptables configuration
sudo iptables-save | sudo tee /etc/iptables/rules.active

sudo vi editor /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables/rules.active

sudo chmod +x /etc/network/if-pre-up.d/iptables

9. Create client configuration infrastructure

mkdir -p server/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/server/client-configs/base.conf

vi server/client-configs/base.conf

remote your_server_ip 1194
proto udp

# uncomment these lines for non-windows clients
user nobody
group nogroup

# comment out these lines
#ca ca.crt
#cert client.crt
#key client.key

# make sure these lines are
cipher AES-256-CBC
auth SHA256

# add these lines as well and uncomment if yout linux client has an /etc/openvpn/update-resolv-conf file
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
vi server/client-configs/make_config.sh

#!/bin/bash
# First argument: Client identifier

KEY_DIR=/home/jonas/server/client-configs/keys
OUTPUT_DIR=/home/jonas/server/client-configs/files
BASE_CONFIG=/home/jonas/server/client-configs/base.conf

cat ${BASE_CONFIG} \
    <(echo -e '') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '\n') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '\n') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '\n') \
    ${KEY_DIR}/ta.key \
    <(echo -e '') \
    > ${OUTPUT_DIR}/${1}.ovpn
chmod 700 ~/server/client-configs/make_config.sh

10. Generate client config file

cd ~/server/client-configs/
sudo ./make_config.sh client1
ls -al files/

11. Connect to OpenVPN server from Ubuntu 18

sudo apt install openvpn 
sudo openvpn --config client1.ovpn

Setting up fail2ban on debian 9

Posted on | by johniax 
sudo apt update
sudo apt install fail2ban -y
sudo vi /etc/fail2ban/jail.local
# -1 means forever
[DEFAULT]
ignoreip      = 127.0.0.1 11.22.33.44 55.66.77.88
bantime       = -1
findtime      = -1
maxentry      = 3
maxretry      = 3
sendername    = Fail2Ban
destemail     = root@localhost
mta           = sendmail
protocol      = tcp
chain         = INPUT
banaction     = iptables-multiport
action        = %(action_)s # without sending emails

# JAILS
[sshd]
enabled     = true
port        = ssh
filter      = sshd
logpath     = %(sshd_log)s
sudo systemctl enable fail2ban
sudo service fail2ban restart
sudo service fail2ban status
sudo fail2ban-client status
sudo tail -f /var/log/fail2ban.log

Setup Let’s Encrypt SSL certificate using certbot on debian 9

Posted on | by johniax

Install certbot

"echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee --append /etc/apt/sources.list
sudo apt-get update
sudo apt-get install python-certbot-apache -t stretch-backports

Setup certbot

# setup certificate for chosen websites, force http to https
sudo certbot --apache

Simulate certificate renewal

sudo certbot renew --dry-run

Check if certbot cron entry is created

tail -1 /etc/cron.d/certbot