Update all code blocks
This commit is contained in:
parent
5bd12c70c7
commit
1d67e73eff
14 changed files with 237 additions and 246 deletions
|
@ -6,7 +6,7 @@ hide:
|
|||
|
||||
[PDF version](CV.pdf)
|
||||
|
||||
```
|
||||
```console
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
@ WARNING: THIS RESUME IS SO GEEK!!!11 @
|
||||
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
|
|
|
@ -2,14 +2,14 @@
|
|||
|
||||
Upgrade from 8 to Stream.
|
||||
|
||||
```
|
||||
dnf install centos-release-stream && dnf update
|
||||
```console
|
||||
# dnf install centos-release-stream && dnf update
|
||||
```
|
||||
|
||||
Exclude path when unpacking package. Useful for unprivileged containers.
|
||||
|
||||
```console
|
||||
# dnf reinstall --downloadonly filesystem
|
||||
# find /var/cache -iname "*filesy*"
|
||||
# rpm -ivh --excludepath=/proc --excludepath=/sys /var/cache/dnf/baseos-504ddb1bf3482a98/packages/filesystem-3.8-3.el8.x86_64.rpm
|
||||
```
|
||||
dnf reinstall --downloadonly filesystem
|
||||
find /var/cache -iname "*filesy*"
|
||||
rpm -ivh --excludepath=/proc --excludepath=/sys /var/cache/dnf/baseos-504ddb1bf3482a98/packages/filesystem-3.8-3.el8.x86_64.rpm
|
||||
```
|
|
@ -1,31 +1,31 @@
|
|||
## Monitor mode
|
||||
For my RTL8188EUS:
|
||||
|
||||
```
|
||||
ip link set wlanX down
|
||||
iw dev wlanX set type monitor
|
||||
```console
|
||||
# ip link set wlanX down
|
||||
# iw dev wlanX set type monitor
|
||||
```
|
||||
|
||||
## Scan networks
|
||||
|
||||
All channels:
|
||||
```
|
||||
airodump-ng wlanX
|
||||
```console
|
||||
# airodump-ng wlanX
|
||||
```
|
||||
Specific channel:
|
||||
```
|
||||
airodump-ng -c 6 wlanX
|
||||
```console
|
||||
# airodump-ng -c 6 wlanX
|
||||
```
|
||||
|
||||
## Save a capture of chosen BSSID
|
||||
|
||||
```
|
||||
airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
|
||||
```console
|
||||
# airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
|
||||
```
|
||||
|
||||
You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
|
||||
```
|
||||
aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
|
||||
```console
|
||||
# aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
|
||||
```
|
||||
`-a` is access point
|
||||
`-c` is client
|
||||
|
@ -36,8 +36,8 @@ Then you should have an EAPOL/WPA handshake.
|
|||
|
||||
### For a 8 digits scheme
|
||||
|
||||
```
|
||||
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
|
||||
```console
|
||||
$ crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
|
||||
```
|
||||
|
||||
## Wireshark
|
||||
|
@ -46,8 +46,8 @@ PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
|
|||
|
||||
## PMKID method
|
||||
|
||||
```
|
||||
hcxdumptool -i wlanX -o PMKID --enable_status=1
|
||||
```console
|
||||
$ hcxdumptool -i wlanX -o PMKID --enable_status=1
|
||||
```
|
||||
|
||||
TODO...
|
||||
|
@ -56,8 +56,8 @@ TODO...
|
|||
|
||||
AP must have WPS enabled with a PIN. Not PBC, push button.
|
||||
|
||||
```
|
||||
reaver -i wlanX -b 00:23:B1:82:84:xx
|
||||
```console
|
||||
# reaver -i wlanX -b 00:23:B1:82:84:xx
|
||||
```
|
||||
|
||||
## Resources
|
||||
|
|
|
@ -1,17 +1,17 @@
|
|||
# Convert
|
||||
## Convert
|
||||
|
||||
# MKV to WebM
|
||||
### MKV to WebM
|
||||
|
||||
~~~
|
||||
```console
|
||||
$ ffmpeg -i input.mkv -c:v libvpx -qmin 0 -qmax 50 -crf 10 -b:v 2M -c:a libvorbis output.webm
|
||||
~~~
|
||||
|
||||
# Recording Screen
|
||||
|
||||
## Within a specified zone
|
||||
|
||||
```
|
||||
avconv -threads auto -f pulse -i bluez_sink.0C_E0_E4_81_2F_C1.monitor -ac 2 -f pulse -i alsa_input.usb-BLUE_MICROPHONE_Blue_Snowball_201306-00-Snowball.analog-mono -ac 1 -f x11grab -show_region 1 -s 1024x768 -i :0.0+112,111 -c:v libvpx -pre:v libvpx-720p -vsync cfr -r 15 -c:a libvorbis -q:a 6 -filter_complex amix=inputs=2 output.webm
|
||||
```
|
||||
|
||||
With sound from microphone and monitor of input.
|
||||
## Recording Screen
|
||||
|
||||
### Within a specified zone
|
||||
|
||||
```console
|
||||
$ avconv -threads auto -f pulse -i bluez_sink.0C_E0_E4_81_2F_C1.monitor -ac 2 -f pulse -i alsa_input.usb-BLUE_MICROPHONE_Blue_Snowball_201306-00-Snowball.analog-mono -ac 1 -f x11grab -show_region 1 -s 1024x768 -i :0.0+112,111 -c:v libvpx -pre:v libvpx-720p -vsync cfr -r 15 -c:a libvorbis -q:a 6 -filter_complex amix=inputs=2 output.webm
|
||||
```
|
||||
|
||||
With sound from microphone and monitor of input.
|
||||
|
|
|
@ -1,35 +1,35 @@
|
|||
# HowtoGPG
|
||||
|
||||
## Some commands:
|
||||
```
|
||||
gpg --card-status
|
||||
gpg --export-ssh-key keyID
|
||||
gpg --armor --export keyID > pubkey.asc
|
||||
```console
|
||||
$ gpg --card-status
|
||||
$ gpg --export-ssh-key keyID
|
||||
$ gpg --armor --export keyID > pubkey.asc
|
||||
```
|
||||
|
||||
## Use Nitrokey from new system:
|
||||
|
||||
```
|
||||
gpg --import pubkey.asc
|
||||
gpg --card-status
|
||||
```console
|
||||
$ gpg --import pubkey.asc
|
||||
$ gpg --card-status
|
||||
```
|
||||
|
||||
## Use GPG Agent as SSH Agent
|
||||
|
||||
```
|
||||
vim .gnupg/gpg-agent.conf
|
||||
```console
|
||||
$ vim .gnupg/gpg-agent.conf
|
||||
enable-ssh-support
|
||||
pinentry-program /usr/bin/pinentry-qt
|
||||
|
||||
systemctl --user enable --now /usr/lib/systemd/user/gpg-agent*
|
||||
$ systemctl --user enable --now /usr/lib/systemd/user/gpg-agent*
|
||||
|
||||
vim .bashrc
|
||||
$ vim .bashrc
|
||||
export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
|
||||
```
|
||||
|
||||
## Export your public key to your web server:
|
||||
|
||||
```
|
||||
```console
|
||||
$ mkdir openpgpkey
|
||||
$ gpg --list-options show-only-fpr-mbox -k keyID | /usr/lib/gnupg/gpg-wks-client -v --install-key
|
||||
```
|
||||
|
@ -43,22 +43,22 @@ My public key is available via: <https://openpgpkey.benpro.fr/.well-known/openpg
|
|||
|
||||
WKD mean Web Key Directory. Interesting website: <https://metacode.biz/openpgp/web-key-directory>
|
||||
|
||||
```
|
||||
gpg --locate-key user@example.com
|
||||
```console
|
||||
$ gpg --locate-key user@example.com
|
||||
```
|
||||
|
||||
### From keyserver
|
||||
|
||||
#### With keys.openpgp.org
|
||||
|
||||
```
|
||||
echo keyserver hkps://keys.openpgp.org >> ~/.gnupg/gpg.conf
|
||||
gpg --auto-key-locate keyserver --locate-keys user@example.com
|
||||
```console
|
||||
$ echo keyserver hkps://keys.openpgp.org >> ~/.gnupg/gpg.conf
|
||||
$ gpg --auto-key-locate keyserver --locate-keys user@example.com
|
||||
```
|
||||
|
||||
#### With sks-keyservers.net
|
||||
|
||||
```
|
||||
gpg --keyserver pool.sks-keyservers.net --recv-keys keyID
|
||||
```console
|
||||
$ gpg --keyserver pool.sks-keyservers.net --recv-keys keyID
|
||||
```
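Review bot: The ```console block at L478–L509 mixes shell commands with the contents of the files being edited, so `enable-ssh-support`, `pinentry-program /usr/bin/pinentry-qt` and the `export SSH_AUTH_SOCK=...` line render as command output of `vim`. Splitting it into a console fence for the commands and a separate untagged fence for each file (gpg-agent.conf, .bashrc) would keep prompt lines and file lines distinct. The example at L609 also still points at `pool.sks-keyservers.net`, a pool that its operators have since shut down, so the keys.openpgp.org example above it is the one readers should rely on.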
|
||||
|
||||
|
|
|
@ -1,28 +1,28 @@
|
|||
Some commands:
|
||||
|
||||
```
|
||||
lxc image alias list images:
|
||||
lxc info <name>
|
||||
lxc config edit <name>
|
||||
lxc config sonw <name>
|
||||
lxc exec <name> bash
|
||||
lxc config set <name> limits.memory 512MB
|
||||
lxc config set <name> limits.cpu 2
|
||||
lxc config device set <name> root size 20GB
|
||||
lxc launch images:debian/stretch/amd64 <name>
|
||||
lxc config set <name> environment.LC_ALL=en_US.UTF-8
|
||||
lxc list
|
||||
lxc storage volume list <storagename>
|
||||
# mode privileged
|
||||
lxc launch ubuntu:16.04 test -c security.privileged=true -c security.nesting=true
|
||||
lxc config device add test ssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22
|
||||
# Create a backups volume in the local (default) pool (ZFS) and use it for backups
|
||||
lxc storage volume create local backups
|
||||
lxc config set storage.backups_volume local/backups
|
||||
# Create a images volume in the local (default) pool (ZFS) and use it for images (containers images downloaded)
|
||||
lxc storage volume create local images
|
||||
lxc config set storage.images_volume local/images
|
||||
lxc config device add $containerName $deviceName disk source=/home/foo path=/home/foo
|
||||
```console
|
||||
$ lxc image alias list images:
|
||||
$ lxc info <name>
|
||||
$ lxc config edit <name>
|
||||
$ lxc config sonw <name>
|
||||
$ lxc exec <name> bash
|
||||
$ lxc config set <name> limits.memory 512MB
|
||||
$ lxc config set <name> limits.cpu 2
|
||||
$ lxc config device set <name> root size 20GB
|
||||
$ lxc launch images:debian/stretch/amd64 <name>
|
||||
$ lxc config set <name> environment.LC_ALL=en_US.UTF-8
|
||||
$ lxc list
|
||||
$ lxc storage volume list <storagename>
|
||||
$ #mode privileged
|
||||
$ lxc launch ubuntu:16.04 test -c security.privileged=true -c security.nesting=true
|
||||
$ lxc config device add test ssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22
|
||||
$ #Create a backups volume in the local (default) pool (ZFS) and use it for backups
|
||||
$ lxc storage volume create local backups
|
||||
$ lxc config set storage.backups_volume local/backups
|
||||
$ #Create a images volume in the local (default) pool (ZFS) and use it for images (containers images downloaded)
|
||||
$ lxc storage volume create local images
|
||||
$ lxc config set storage.images_volume local/images
|
||||
$ lxc config device add $containerName $deviceName disk source=/home/foo path=/home/foo
|
||||
```
|
||||
|
||||
Chemins :
|
||||
|
@ -41,7 +41,7 @@ dnsutils
|
|||
|
||||
N'est plus nécessaire sur les images récentes :
|
||||
|
||||
```
|
||||
```console
|
||||
# systemctl disable getty@tty{1..4}
|
||||
# reboot
|
||||
```
|
||||
|
@ -57,17 +57,16 @@ etckeeper
|
|||
vim
|
||||
```
|
||||
|
||||
```
|
||||
sed -i 's/^tty/# tty/g' /etc/inittab
|
||||
```console
|
||||
# sed -i 's/^tty/# tty/g' /etc/inittab
|
||||
|
||||
# clean messages
|
||||
# #clean messages
|
||||
rm /var/log/messages
|
||||
|
||||
```
|
||||
|
||||
Nginx :
|
||||
|
||||
```
|
||||
```nginx
|
||||
set_real_ip_from W.X.Y.Z;
|
||||
#real_ip_recursive on;
|
||||
real_ip_header X-Forwarded-For;
|
||||
|
@ -79,6 +78,6 @@ access_log /var/log/nginx/access.log custom;
|
|||
|
||||
Aller dans le namespace de LXD (snap0 pour faire des actions genre mount/umount :
|
||||
|
||||
```
|
||||
```console
|
||||
# nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
|
||||
```
|
||||
```
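Review bot: Comment lines converted to prompt form lost the space after the hash, so `$ #mode privileged` at L736, `$ #Create a backups volume…` at L745 and L754, and `# #clean messages` at L829 read as a doubled marker rather than a prompt followed by a comment; the same pattern recurs at L2092, L2118 and L2345. Either keep the original `# mode privileged` form without a prompt or write `$ # mode privileged`. In the same hunk, `rm /var/log/messages` at L832 is unchanged and is therefore the only line in that console block without the `# ` root prompt the surrounding lines received.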
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Thermal info:
|
||||
|
||||
```
|
||||
sudo powermetrics –s thermal
|
||||
sudo powermetrics -s thermal | grep -A2 -i thermal
|
||||
```console
|
||||
$ sudo powermetrics –s thermal
|
||||
$ sudo powermetrics -s thermal | grep -A2 -i thermal
|
||||
```
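Review bot: The first powermetrics line at L913 uses an en dash (`–s`) instead of a hyphen, so pasted as-is the option is not recognised, while the second line at L916 has the correct `-s`. Suggest `$ sudo powermetrics -s thermal`.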
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
title: Howto Serveur de mail sécurisé avec Mailcow et Scaleway
|
||||
categories: sysadmin mail
|
||||
---
|
||||
|
||||
???+ Danger
|
||||
|
||||
Documentation obsolète !
|
||||
|
||||
# Intro
|
||||
|
||||
Ce Howto explique comment monter un serveur de mail sécurisé en utilisant [Mailcow](https://github.com/andryyy/mailcow) et un serveur virtuel chez [Scaleway](https://www.scaleway.com/). L'introduction est à lire sur mon [blog](https://www.lekernelpanique.fr/2017/03/05/votre-propre-serveur-de-mail-securise-pour-3emois/).
|
||||
|
@ -15,7 +18,7 @@ La première étape consiste évidement à créer l'instance sur la console de S
|
|||
|
||||
L'image Debian de Scaleway n'étant pas « buildé » tous les jours, il se peut qu'il y ait quelques mises à jour à faire. On fait donc une upgrade.
|
||||
|
||||
```
|
||||
```console
|
||||
# apt update
|
||||
# apt upgrade
|
||||
```
|
||||
|
@ -26,7 +29,7 @@ Ce volume accueillera vos mails et journaux systèmes. Il est donc intéressant
|
|||
|
||||
Création du fichier image et montage sur `/dev/loop0`.
|
||||
|
||||
```
|
||||
```console
|
||||
# dd if=/dev/zero of=/var.img bs=1M count=35000
|
||||
# chmod 600 /var.img
|
||||
# losetup /dev/loop0 /var.img
|
||||
|
@ -34,7 +37,7 @@ Création du fichier image et montage sur `/dev/loop0`.
|
|||
|
||||
On en profite pour aussi créer une swap de 1G tant qu'à faire.
|
||||
|
||||
```
|
||||
```console
|
||||
# dd if=/dev/zero of=/swapfile.img bs=1M count=1000
|
||||
# chmod 600 /swapfile.img
|
||||
# mkswap -LSWAP
|
||||
|
@ -43,7 +46,7 @@ On en profite pour aussi créer une swap de 1G tant qu'à faire.
|
|||
|
||||
On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous aller devoir la taper à chaque démarrage dans la console de Scaleway. Pas très souvent si tout est stable ! :-)
|
||||
|
||||
```
|
||||
```console
|
||||
# apt install cryptsetup
|
||||
# cryptsetup luksFormat --hash sha256 --key-size=512 /dev/loop0
|
||||
# cryptsetup luksOpen /dev/loop0 crypted-var
|
||||
|
@ -51,7 +54,7 @@ On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous
|
|||
|
||||
On formate le tout en EXT4, on monte le volume, on stoppe les services qui utilisent actuellement `/var` et on rsync le tout.
|
||||
|
||||
```
|
||||
```console
|
||||
# mkfs.ext4 -LVAR /dev/mapper/crypted-var
|
||||
# mount /dev/mapper/crypted-var /mnt/
|
||||
# for pid in $(lsof | grep /var | tr -s '\t' ' ' | cut -d' ' -f2 | sort | uniq | grep -v "^1$"); do kill $pid; done
|
||||
|
@ -64,7 +67,7 @@ On indique le volume chiffré dans `crypttab` et le point de montage dans `fstab
|
|||
|
||||
> **Note** : On désactive `unattended-upgrades` qui va planter l'arrêt à cause du /var qui n'existe plus.
|
||||
|
||||
```
|
||||
```console
|
||||
# echo "crypted-var /var.img none luks" >> /etc/crypttab
|
||||
# echo "/dev/mapper/crypted-var /var ext4 defaults 0 2" >> /etc/fstab
|
||||
# systemctl disable unattended-upgrades.service
|
||||
|
@ -89,7 +92,7 @@ Au niveau de vos entrées DNS, il vous faudra un champ A et un MX. Plus de déta
|
|||
|
||||
On supprime exim4, car Mailcow utilise postfix.
|
||||
|
||||
```
|
||||
```console
|
||||
# apt purge exim4 exim4-base exim4-config exim4-daemon-light
|
||||
```
|
||||
|
||||
|
@ -97,7 +100,7 @@ On supprime exim4, car Mailcow utilise postfix.
|
|||
|
||||
Puis on télécharge le script d'installation, on édite la configuration et on lance l'installation.
|
||||
|
||||
```
|
||||
```console
|
||||
# wget -O - https://github.com/andryyy/mailcow/archive/v0.14.tar.gz | tar xfz -
|
||||
# cd mailcow-0.14
|
||||
# vim mailcow.config
|
||||
|
@ -107,7 +110,7 @@ Puis on télécharge le script d'installation, on édite la configuration et on
|
|||
|
||||
Laissez-vous guider par le script d'installation.
|
||||
|
||||
```
|
||||
```console
|
||||
# ./install.sh
|
||||
```
|
||||
|
||||
|
@ -125,7 +128,7 @@ Pour cela il faut mettre en place une `PKI` et émettre un certificat client. J'
|
|||
|
||||
## ShellPKI
|
||||
|
||||
```
|
||||
```console
|
||||
# cd /usr/local
|
||||
# git clone https://forge.evolix.org/shellpki.git
|
||||
# cd shellpki
|
||||
|
@ -137,20 +140,20 @@ Pour cela il faut mettre en place une `PKI` et émettre un certificat client. J'
|
|||
|
||||
Éditer `/etc/shellpki/openssl.cnf` et initialiser shellPKI. Le plus important est de remplir le « Common Name », par exemple `Myname Root Certificate`.
|
||||
|
||||
```
|
||||
```console
|
||||
# vim /etc/shellpki/openssl.cnf
|
||||
# ./shellpki.sh init
|
||||
```
|
||||
|
||||
On génère un certificat client (sans passphrase), soit un utilisateur par exemple. Il faudra choisir un « Common Name » du type `user@domain.tld`.
|
||||
|
||||
```
|
||||
```console
|
||||
# ./shellpki.sh create
|
||||
```
|
||||
|
||||
Puis on le convertit au format `PKCS#12` avec une passphrase d'export. Cette passphrase sera demandé à l'import dans un navigateur ou smartphone par exemple.
|
||||
|
||||
```
|
||||
```console
|
||||
# cd /etc/ssl/clients
|
||||
# openssl pkcs12 -export -in user@mail.domain.tld.crt -inkey user@mail.domain.tld.key -out user@mail.domain.tld.p12
|
||||
```
|
||||
|
@ -161,12 +164,12 @@ La dernière étape consiste à dire à dovecot et nginx qu'il est nécessaire d
|
|||
|
||||
## Nginx
|
||||
|
||||
```
|
||||
```nginx
|
||||
ssl_client_certificate /etc/shellpki/ca/cacert.pem;
|
||||
ssl_verify_client on;
|
||||
```
|
||||
|
||||
```
|
||||
```console
|
||||
# systemctl restart nginx
|
||||
```
|
||||
|
||||
|
@ -174,7 +177,7 @@ ssl_verify_client on;
|
|||
|
||||
> **Note** : Attention, si vous avez un webmail qui se connecte en local, imap non chiffré, l'activation de `auth_ssl_require_client_cert`, va imposer d'utiliser un certificat… Cassant votre webmail. Il n'y a pas à ce jour la possibilité d'activer `auth_ssl_require_client_cert` seulement pour imaps… Si vous utilisez un webmail, n'activez pas ceci sur dovecot.
|
||||
|
||||
```
|
||||
```dovecot
|
||||
# Client certificate
|
||||
ssl_ca = </etc/shellpki/ca/cacert.pem
|
||||
ssl_verify_client_cert = yes
|
||||
|
@ -187,7 +190,7 @@ protocol !smtp {
|
|||
}
|
||||
```
|
||||
|
||||
```
|
||||
```console
|
||||
# systemctl restart dovecot.service
|
||||
```
|
||||
|
||||
|
@ -197,8 +200,8 @@ Vous devez maintenant faire le nécessaire côté client (Thunderbird, K9-Mail
|
|||
|
||||
Voici une liste de tâches non exhaustives à faire de votre côté que je ne documente pas, non obligatoire mais conseillé…
|
||||
|
||||
- Monter un serveur de MX secondaire ;
|
||||
- Activer un pare-feu sur votre machine, par exemple `ufw` ;
|
||||
- Monitorer votre serveur ;
|
||||
- S'assurer du suivi des mises à jour ;
|
||||
- Faire des sauvegardes.
|
||||
- [ ] Monter un serveur de MX secondaire ;
|
||||
- [ ] Activer un pare-feu sur votre machine, par exemple `ufw` ;
|
||||
- [ ] Monitorer votre serveur ;
|
||||
- [ ] S'assurer du suivi des mises à jour ;
|
||||
- [ ] Faire des sauvegardes.
|
||||
|
|
|
@ -1,152 +1,152 @@
|
|||
Get Github or Gitlab user key:
|
||||
|
||||
```
|
||||
curl https://github.com/<username>.keys
|
||||
curl https://gitlab.com/<username>.keys
|
||||
```console
|
||||
$ curl https://github.com/<username>.keys
|
||||
$ curl https://gitlab.com/<username>.keys
|
||||
```
|
||||
|
||||
Enter a namespace, for example LXD (which is in a NS by Snap).
|
||||
|
||||
```
|
||||
nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
|
||||
```console
|
||||
$ nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
|
||||
```
|
||||
|
||||
SSH into a machine without checking host key. Useful when servers are in a rescue mode.
|
||||
|
||||
~~~
|
||||
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null"
|
||||
~~~
|
||||
```console
|
||||
$ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null"
|
||||
```
|
||||
|
||||
Certbot manual example.
|
||||
|
||||
~~~
|
||||
certbot certonly --non-interactive --webroot --webroot-path /var/www/html/ -d foo.bar -d www.foo.bar
|
||||
~~~
|
||||
```console
|
||||
# certbot certonly --non-interactive --webroot --webroot-path /var/www/html/ -d foo.bar -d www.foo.bar
|
||||
```
|
||||
|
||||
GPG-agent list SSH key and remove.
|
||||
|
||||
~~~
|
||||
```
|
||||
gpg-connect-agent
|
||||
KEYINFO --ssh-list --ssh-fpr
|
||||
DELETE_KEY $HASH
|
||||
~~~
|
||||
```
|
||||
|
||||
Show md5 fingerprint of SSH key.
|
||||
|
||||
~~~
|
||||
ssh-keygen -l -E md5 -f .ssh/key.pub
|
||||
~~~
|
||||
```console
|
||||
$ ssh-keygen -l -E md5 -f .ssh/key.pub
|
||||
```
|
||||
|
||||
Password recovery. At grub stage, press `e` to edit the kernel line and add `init=/bin/bash`. It will drop you in a shell before init system (systemd).
|
||||
|
||||
~~~
|
||||
mount -o remount,rw /
|
||||
passwd
|
||||
~~~
|
||||
```console
|
||||
# mount -o remount,rw /
|
||||
# passwd
|
||||
```
|
||||
Mount partitions on an image file using losetup.
|
||||
|
||||
~~~
|
||||
losetup -P -f --show my.img
|
||||
~~~
|
||||
```console
|
||||
# losetup -P -f --show my.img
|
||||
```
|
||||
|
||||
List all software installed from particular component (non-free, contrib)
|
||||
|
||||
~~~
|
||||
```console
|
||||
$ dpkg-query -W -f='${Section}\t${Package}\n' | grep ^non-free
|
||||
~~~
|
||||
```
|
||||
|
||||
Manually rotate a file without logrotate, with savelog(8).
|
||||
|
||||
~~~
|
||||
```console
|
||||
$ savelog
|
||||
~~~
|
||||
```
|
||||
|
||||
What processes uses swap?
|
||||
|
||||
~~~
|
||||
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
|
||||
~~~
|
||||
```console
|
||||
$ for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
|
||||
```
|
||||
|
||||
MySQL "fast" shutdown.
|
||||
|
||||
~~~
|
||||
```console
|
||||
> set global innodb_max_dirty_pages_pct = 0;
|
||||
$ mysqladmin ext -i10 | grep dirty
|
||||
~~~
|
||||
```
|
||||
|
||||
mkfs.ext4 for old systems in rescue mode (Debian Wheezy, …).
|
||||
|
||||
~~~
|
||||
mkfs.ext4 -O ^64bit,^metadata_csum
|
||||
~~~
|
||||
```console
|
||||
# mkfs.ext4 -O ^64bit,^metadata_csum
|
||||
```
|
||||
|
||||
Send a mail from queue.
|
||||
|
||||
```
|
||||
postcat -q ID > mail
|
||||
< mail sendmail -f FROM TO
|
||||
```console
|
||||
$ postcat -q ID > mail
|
||||
$ < mail sendmail -f FROM TO
|
||||
```
|
||||
|
||||
Python Simple HTTP Server (useful for Munin for example).
|
||||
|
||||
```
|
||||
cd /var/cache/munin/www
|
||||
python -m SimpleHTTPServer 8080
|
||||
```console
|
||||
$ cd /var/cache/munin/www
|
||||
$ python -m SimpleHTTPServer 8080
|
||||
```
|
||||
|
||||
Show custom certs (not a link) and expiration in `/etc/ssl/certs`.
|
||||
|
||||
```
|
||||
find /etc/ssl/certs/ -type f -print -exec openssl x509 -text -in {} \; | grep --color=auto -e etc -e CN= -e DNS: -e After;
|
||||
```console
|
||||
# find /etc/ssl/certs/ -type f -print -exec openssl x509 -text -in {} \; | grep --color=auto -e etc -e CN= -e DNS: -e After;
|
||||
```
|
||||
|
||||
Edit Bind DNS serial (needs modifications, not generic).
|
||||
|
||||
```
|
||||
sed -ri 's/^\s*[0-9]+\s*; serial/\t\t\t 2017041010\t ; serial/' db.*
|
||||
```console
|
||||
$ sed -ri 's/^\s*[0-9]+\s*; serial/\t\t\t 2017041010\t ; serial/' db.*
|
||||
```
|
||||
|
||||
After Debian/Ubuntu upgrade, merge local config files according to config files shipped in packages.
|
||||
|
||||
```
|
||||
for file in $(find /etc -iname '*.dpkg-dist'); do vimdiff ${file%%.dpkg-dist} $file; rm $file; done
|
||||
for file in $(find /etc -iname '*.dpkg-old'); do vimdiff ${file%%.dpkg-old} $file; rm $file; done
|
||||
for file in $(find /etc -iname '*.dpkg-new'); do vimdiff ${file%%.dpkg-new} $file; rm $file; done
|
||||
for file in $(find /etc -iname '*.ucf-dist'); do vimdiff ${file%%.ucf-dist} $file; rm $file; done
|
||||
for file in $(find /etc -iname '*.ucf-old'); do vimdiff ${file%%.ucf-old} $file; rm $file; done
|
||||
for file in $(find /etc -iname '*.ucf-new'); do vimdiff ${file%%.ucf-new} $file; rm $file; done
|
||||
```console
|
||||
# for file in $(find /etc -iname '*.dpkg-dist'); do vimdiff ${file%%.dpkg-dist} $file; rm $file; done
|
||||
# for file in $(find /etc -iname '*.dpkg-old'); do vimdiff ${file%%.dpkg-old} $file; rm $file; done
|
||||
# for file in $(find /etc -iname '*.dpkg-new'); do vimdiff ${file%%.dpkg-new} $file; rm $file; done
|
||||
# for file in $(find /etc -iname '*.ucf-dist'); do vimdiff ${file%%.ucf-dist} $file; rm $file; done
|
||||
# for file in $(find /etc -iname '*.ucf-old'); do vimdiff ${file%%.ucf-old} $file; rm $file; done
|
||||
# for file in $(find /etc -iname '*.ucf-new'); do vimdiff ${file%%.ucf-new} $file; rm $file; done
|
||||
```
|
||||
|
||||
Debug php with strace and php-cgi (especially useful for wp multisites).
|
||||
|
||||
```
|
||||
HTTP_HOST=www.site.com SCRIPT_FILENAME=index.php REDIRECT_STATUS=CGI SERVER_NAME=www.site.com strace -s 65535 -o /tmp/strace php-cgi -f index.php
|
||||
```console
|
||||
$ HTTP_HOST=www.site.com SCRIPT_FILENAME=index.php REDIRECT_STATUS=CGI SERVER_NAME=www.site.com strace -s 65535 -o /tmp/strace php-cgi -f index.php
|
||||
```
|
||||
|
||||
```ps``` with long user fields (here 20).
|
||||
`ps` with long user fields (here 20).
|
||||
|
||||
```
|
||||
ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm
|
||||
```console
|
||||
$ ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm
|
||||
```
|
||||
|
||||
WTF is happening in apache (or other)? Let's strace all apache processes.
|
||||
```
|
||||
```console
|
||||
# strace -p $(ps auwwwx | grep apache | tr -s '\t' ' ' | cut -d' ' -f2 | tr '\n' ' ' | sed 's/ / -p /g') 9999
|
||||
```
|
||||
|
||||
WTF is happening? Let's tail all logs.
|
||||
|
||||
```
|
||||
```console
|
||||
# tail -f $(lsof | grep -F .log | tr -s '\t' ' ' | cut -d' ' -f10 | sort | uniq | tr -s '\n' ' ')
|
||||
```
|
||||
|
||||
Search for suspects POST in apache.log (often attacks).
|
||||
```{.bash}
|
||||
grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u
|
||||
```console
|
||||
# grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u
|
||||
```
|
||||
|
||||
Check for crashed MySQL table in syslog and launch a repair.
|
||||
```{.bash}
|
||||
```bash
|
||||
#!/bin/bash
|
||||
tables=$(grep crashed /var/log/syslog | grep -Eo \'\./.*\' --color=auto | sed s#\'./## | sed s#\'## | uniq | tr -s '\n' ' ')
|
||||
for tableC in $tables; do
|
||||
|
@ -157,37 +157,36 @@ done
|
|||
```
|
||||
|
||||
Get the groups of an user and add another user into these groups.
|
||||
```{.bash}
|
||||
for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done
|
||||
```console
|
||||
# for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done
|
||||
```
|
||||
|
||||
Get the last acceded URLs in Squid Access list.
|
||||
```{.bash}
|
||||
tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq
|
||||
```console
|
||||
# tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq
|
||||
```
|
||||
|
||||
Migrate MySQL users.
|
||||
```{.bash}
|
||||
# SRC Server
|
||||
mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';"
|
||||
mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';"
|
||||
```console
|
||||
# #SRC Server
|
||||
# mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';"
|
||||
# mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';"
|
||||
|
||||
# DST Server
|
||||
scp server:/tmp/mysql_{db,user} /tmp
|
||||
chmod 664 /tmp/mysql_{db,user}
|
||||
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;"
|
||||
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;"
|
||||
# #DST Server
|
||||
# scp server:/tmp/mysql_{db,user} /tmp
|
||||
# chmod 664 /tmp/mysql_{db,user}
|
||||
# mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;"
|
||||
# mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;"
|
||||
```
|
||||
|
||||
Find userid of mails in mailq.
|
||||
```{.bash}
|
||||
for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done
|
||||
sort -n /tmp/userid | uniq
|
||||
```console
|
||||
$ for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done
|
||||
$ sort -n /tmp/userid | uniq
|
||||
```
|
||||
|
||||
Kill every MySQL SELECT older than X seconds – Original: https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
|
||||
```{.bash}
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
# From https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
|
||||
SEC=$1
|
||||
|
@ -210,10 +209,10 @@ abuse@<domain>, admin@<domain>, administrator@<domain>, contact@<domain>, info@<
|
|||
```
|
||||
|
||||
itk change rights.
|
||||
```{.bash}
|
||||
```console
|
||||
|
||||
find /tmp/ -user www-user.old -exec chown www-user:user {} \;
|
||||
find /tmp/ -user user.old -exec chown user:user {} \;
|
||||
# find /tmp/ -user www-user.old -exec chown www-user:user {} \;
|
||||
# find /tmp/ -user user.old -exec chown user:user {} \;
|
||||
|
||||
* Détecter les fichiers non lisibles par Apache (lecture sur le groupe) : find ./ -type f ! -perm /g=r -exec ls -l {} \;
|
||||
* Détecter les répertoires non lisibles par Apache (lecture/exécution sur le groupe) : find ./ -type d \( ! -perm /g=r -o ! -perm /g=x \) -exec ls -ld {} \;
|
||||
|
@ -222,16 +221,15 @@ find /tmp/ -user user.old -exec chown user:user {} \;
|
|||
```
|
||||
|
||||
Get useradd command for migrating account.
|
||||
```{.bash}
|
||||
|
||||
for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
|
||||
```console
|
||||
# for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
|
||||
|
||||
Output :
|
||||
useradd -m -s /bin/bash -u USERID -p 'USERPWD' username
|
||||
```
|
||||
|
||||
Find files newert than (mtime) a precise date, and execute an action.
|
||||
```{.bash}
|
||||
find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \;
|
||||
```bash
|
||||
# find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \;
|
||||
```
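Review bot: The find example at L2272–L2275 is fenced as ```bash while its only line starts with the `# ` root-prompt convention used everywhere else in this commit, so highlighters treat the whole command as a comment; the fence should be ```console like the neighbouring blocks. The gpg-connect-agent block at L1534–L1549 got a bare ``` fence instead of ```console and mixes a shell command with the agent's own protocol lines, so `$ gpg-connect-agent` followed by `> KEYINFO --ssh-list --ssh-fpr` and `> DELETE_KEY $HASH` would make the two levels visible. The mailq example at L2153/L2156 still appends to `tmp/userid` (relative) and reads from `/tmp/userid`, a mismatch the prompt update carried over unchanged.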
|
||||
|
||||
|
|
|
@ -1,27 +1,27 @@
|
|||
Some commands:
|
||||
|
||||
```console
|
||||
# apt install zfsutils-linux
|
||||
# zpool create local /dev/xxx
|
||||
# zpool list
|
||||
# zfs create local/home
|
||||
# zfs list
|
||||
# zfs set compression=lz4 local/home
|
||||
# zfs get compression
|
||||
# zfs get compressratio local/home
|
||||
# zfs set dedup=on local/home
|
||||
# zpool get dedupratio local
|
||||
# zfs set mountpoint=/home local/home
|
||||
# apt install nfs-kernel-server nfs-common
|
||||
# systemctl enable --now rpc-statd.service nfs-server.service
|
||||
# zfs set sharenfs="rw=@10.0.1.0/24" local/home
|
||||
# zfs share local/home
|
||||
# zfs get sharenfs
|
||||
# #Import pool after boot/cryptsetup Open
|
||||
# zpool import local
|
||||
# zfs snapshot local/containers/archive@backup
|
||||
# zfs list -t snapshot
|
||||
# zfs send local/containers/archive@backup | ssh zfs@10.0.1.1 sudo zfs recv local/lxd00/containers/archive
|
||||
# zfs destroy local/containers/archive@backup
|
||||
# zfs clone local/containers/archive@backup local/containers/archive-clone
|
||||
```
|
||||
apt install zfsutils-linux
|
||||
zpool create local /dev/xxx
|
||||
zpool list
|
||||
zfs create local/home
|
||||
zfs list
|
||||
zfs set compression=lz4 local/home
|
||||
zfs get compression
|
||||
zfs get compressratio local/home
|
||||
zfs set dedup=on local/home
|
||||
zpool get dedupratio local
|
||||
zfs set mountpoint=/home local/home
|
||||
apt install nfs-kernel-server nfs-common
|
||||
systemctl enable --now rpc-statd.service nfs-server.service
|
||||
zfs set sharenfs="rw=@10.0.1.0/24" local/home
|
||||
zfs share local/home
|
||||
zfs get sharenfs
|
||||
# Import pool after boot/cryptsetup Open
|
||||
zpool import local
|
||||
zfs snapshot local/containers/archive@backup
|
||||
zfs list -t snapshot
|
||||
zfs send local/containers/archive@backup | ssh zfs@10.0.1.1 sudo zfs recv local/lxd00/containers/archive
|
||||
zfs destroy local/containers/archive@backup
|
||||
zfs clone local/containers/archive@backup local/containers/archive-clone
|
||||
```
|
|
@ -1,8 +1,6 @@
|
|||
---
|
||||
format: Markdown
|
||||
toc: yes
|
||||
title: Backup Strategy
|
||||
...
|
||||
???+ Danger
|
||||
|
||||
Deprecated, todo...
|
||||
|
||||
# Servers
|
||||
|
||||
|
@ -37,4 +35,4 @@ $ adb shell 'dd if=/dev/block/mmcblk0' | lz4 > mmcblk0.img.lz4
|
|||
$ adb shell 'dd if=/dev/block/mmcblk1' | lz4 > mmcblk1.img.lz4
|
||||
```
|
||||
|
||||
Nextcloud is used for some data (photos, some synced folders) and all contacts, permanent synchronization.
|
||||
Nextcloud is used for some data (photos, some synced folders) and all contacts, permanent synchronization.
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
---
|
||||
title: Basic CPU Benchmark on GCP/Vultr/Hetzner/Scaleway
|
||||
...
|
||||
|
||||
*Updated whenever I can.*
|
||||
Encoding a 2h video (live concert from Japanese TV, MPEG-2, dark scene with grain) at 1280x720 resolution.
|
||||
|
||||
```
|
||||
HandBrakeCLI -i in.ts -o out.mp4 -f av_mp4 -O -e x264 --encoder-preset slow --encoder-tune grain --encoder-profile high --encoder-level auto -q 20 --vfr -E copy:aac -w 1280 -l 720 --decomb --detelecine --crop 0:0:0:0
|
||||
```console
|
||||
$ HandBrakeCLI -i in.ts -o out.mp4 -f av_mp4 -O -e x264 --encoder-preset slow --encoder-tune grain --encoder-profile high --encoder-level auto -q 20 --vfr -E copy:aac -w 1280 -l 720 --decomb --detelecine --crop 0:0:0:0
|
||||
```
|
||||
|
||||
- Scaleway bare-metal 8 CPU C2L:
|
||||
|
|
|
@ -1,13 +1,10 @@
|
|||
---
|
||||
format: Markdown
|
||||
toc: yes
|
||||
categories: Nihongo
|
||||
title: Mémo/Cours de Japonais 1ère année
|
||||
...
|
||||
---
|
||||
|
||||
# Deprecated
|
||||
???+ Danger
|
||||
|
||||
> **Note** : Je ne tiens plus à jour cette page.
|
||||
Obsolète ! Je ne tiens plus à jour cette page.
|
||||
|
||||
Cette page me sert de mémo pour mon apprentissage du Japonais (1ère année) et part du principe que les Hiragana et Katakana sont maîtrisés :) !
|
||||
(Ce mémo est inspiré de l'application [Human Japanese sur Android](https://play.google.com/store/apps/details?id=com.braksoftware.HumanJapanese&hl=fr) pour la structure et de mes cours à [Toulouse-Manga](http://toulousemanga.fr/les-cours-de-manga-a-toulouse/cours-de-japonais/)).
|
||||
|
@ -847,4 +844,4 @@ Kanji
|
|||
さん
|
||||
|
||||
...が わかります
|
||||
Comprendre ... (Qqch)
|
||||
Comprendre ... (Qqch)
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
## IP address in Japan with WG+Socks
|
||||
|
||||
```
|
||||
for i in {6..13}; do curl ipinfo.io/ip --socks5-host jp${i}-wg.socks5.mullvad.net:1080; curl ifconfig.co --socks5-host jp${i}-wg.socks5.mullvad.net:1080; done
|
||||
```console
|
||||
$ for i in {6..13}; do curl ipinfo.io/ip --socks5-host jp${i}-wg.socks5.mullvad.net:1080; curl ifconfig.co --socks5-host jp${i}-wg.socks5.mullvad.net:1080; done
|
||||
217.138.252.227
|
||||
2001:ac8:40:b6::a06d
|
||||
217.138.252.243
|
||||
|
@ -20,4 +20,4 @@ for i in {6..13}; do curl ipinfo.io/ip --socks5-host jp${i}-wg.socks5.mullvad.ne
|
|||
2001:ac8:40:bc::a12d
|
||||
91.193.7.83
|
||||
2001:ac8:40:bd::a13d
|
||||
```
|
||||
```
|
||||
|
|