Update all code blocks

This commit is contained in:
Benoit S 2021-02-20 15:06:15 +09:00
parent 5bd12c70c7
commit 1d67e73eff
14 changed files with 237 additions and 246 deletions

View file

@ -6,7 +6,7 @@ hide:
[PDF version](CV.pdf) [PDF version](CV.pdf)
``` ```console
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: THIS RESUME IS SO GEEK!!!11 @ @ WARNING: THIS RESUME IS SO GEEK!!!11 @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

View file

@ -2,14 +2,14 @@
Upgrade from 8 to Stream. Upgrade from 8 to Stream.
``` ```console
dnf install centos-release-stream && dnf update # dnf install centos-release-stream && dnf update
``` ```
Exclude path when unpacking package. Useful for unprivileged containers. Exclude path when unpacking package. Useful for unprivileged containers.
``` ```console
dnf reinstall --downloadonly filesystem # dnf reinstall --downloadonly filesystem
find /var/cache -iname "*filesy*" # find /var/cache -iname "*filesy*"
rpm -ivh --excludepath=/proc --excludepath=/sys /var/cache/dnf/baseos-504ddb1bf3482a98/packages/filesystem-3.8-3.el8.x86_64.rpm # rpm -ivh --excludepath=/proc --excludepath=/sys /var/cache/dnf/baseos-504ddb1bf3482a98/packages/filesystem-3.8-3.el8.x86_64.rpm
``` ```

View file

@ -1,31 +1,31 @@
## Monitor mode ## Monitor mode
For my RTL8188EUS: For my RTL8188EUS:
``` ```console
ip link set wlanX down # ip link set wlanX down
iw dev wlanX set type monitor # iw dev wlanX set type monitor
``` ```
## Scan networks ## Scan networks
All channels: All channels:
``` ```console
airodump-ng wlanX # airodump-ng wlanX
``` ```
Specific channel: Specific channel:
``` ```console
airodump-ng -c 6 wlanX # airodump-ng -c 6 wlanX
``` ```
## Save a capture of chosen BSSID ## Save a capture of chosen BSSID
``` ```console
airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX # airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
``` ```
You need to wait for a client to connect, or to deauth it and get the 4-way handshake. You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
``` ```console
aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX # aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
``` ```
`-a` is access point `-a` is access point
`-c` is client `-c` is client
@ -36,8 +36,8 @@ Then you should have an EAPOL/WPA handshake.
### For a 8 digits scheme ### For a 8 digits scheme
``` ```console
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap $ crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
``` ```
## Wireshark ## Wireshark
@ -46,8 +46,8 @@ PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
## PMKID method ## PMKID method
``` ```console
hcxdumptool -i wlanX -o PMKID --enable_status=1 $ hcxdumptool -i wlanX -o PMKID --enable_status=1
``` ```
TODO... TODO...
@ -56,8 +56,8 @@ TODO...
AP must have WPS enabled with a PIN. Not PBC, push button. AP must have WPS enabled with a PIN. Not PBC, push button.
``` ```console
reaver -i wlanX -b 00:23:B1:82:84:xx # reaver -i wlanX -b 00:23:B1:82:84:xx
``` ```
## Resources ## Resources

View file

@ -1,17 +1,17 @@
# Convert ## Convert
# MKV to WebM ### MKV to WebM
~~~ ```console
$ ffmpeg -i input.mkv -c:v libvpx -qmin 0 -qmax 50 -crf 10 -b:v 2M -c:a libvorbis output.webm $ ffmpeg -i input.mkv -c:v libvpx -qmin 0 -qmax 50 -crf 10 -b:v 2M -c:a libvorbis output.webm
~~~
# Recording Screen
## Within a specified zone
``` ```
avconv -threads auto -f pulse -i bluez_sink.0C_E0_E4_81_2F_C1.monitor -ac 2 -f pulse -i alsa_input.usb-BLUE_MICROPHONE_Blue_Snowball_201306-00-Snowball.analog-mono -ac 1 -f x11grab -show_region 1 -s 1024x768 -i :0.0+112,111 -c:v libvpx -pre:v libvpx-720p -vsync cfr -r 15 -c:a libvorbis -q:a 6 -filter_complex amix=inputs=2 output.webm
## Recording Screen
### Within a specified zone
```console
$ avconv -threads auto -f pulse -i bluez_sink.0C_E0_E4_81_2F_C1.monitor -ac 2 -f pulse -i alsa_input.usb-BLUE_MICROPHONE_Blue_Snowball_201306-00-Snowball.analog-mono -ac 1 -f x11grab -show_region 1 -s 1024x768 -i :0.0+112,111 -c:v libvpx -pre:v libvpx-720p -vsync cfr -r 15 -c:a libvorbis -q:a 6 -filter_complex amix=inputs=2 output.webm
``` ```
With sound from microphone and monitor of input. With sound from microphone and monitor of input.

View file

@ -1,35 +1,35 @@
# HowtoGPG # HowtoGPG
## Some commands: ## Some commands:
``` ```console
gpg --card-status $ gpg --card-status
gpg --export-ssh-key keyID $ gpg --export-ssh-key keyID
gpg --armor --export keyID > pubkey.asc $ gpg --armor --export keyID > pubkey.asc
``` ```
## Use Nitrokey from new system: ## Use Nitrokey from new system:
``` ```console
gpg --import pubkey.asc $ gpg --import pubkey.asc
gpg --card-status $ gpg --card-status
``` ```
## Use GPG Agent as SSH Agent ## Use GPG Agent as SSH Agent
``` ```console
vim .gnupg/gpg-agent.conf $ vim .gnupg/gpg-agent.conf
enable-ssh-support enable-ssh-support
pinentry-program /usr/bin/pinentry-qt pinentry-program /usr/bin/pinentry-qt
systemctl --user enable --now /usr/lib/systemd/user/gpg-agent* $ systemctl --user enable --now /usr/lib/systemd/user/gpg-agent*
vim .bashrc $ vim .bashrc
export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh" export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
``` ```
## Export your public key to your web server: ## Export your public key to your web server:
``` ```console
$ mkdir openpgpkey $ mkdir openpgpkey
$ gpg --list-options show-only-fpr-mbox -k keyID | /usr/lib/gnupg/gpg-wks-client -v --install-key $ gpg --list-options show-only-fpr-mbox -k keyID | /usr/lib/gnupg/gpg-wks-client -v --install-key
``` ```
@ -43,22 +43,22 @@ My public key is available via: <https://openpgpkey.benpro.fr/.well-known/openpg
WKD mean Web Key Directory. Interesting website: <https://metacode.biz/openpgp/web-key-directory> WKD mean Web Key Directory. Interesting website: <https://metacode.biz/openpgp/web-key-directory>
``` ```console
gpg --locate-key user@example.com $ gpg --locate-key user@example.com
``` ```
### From keyserver ### From keyserver
#### With keys.openpgp.org #### With keys.openpgp.org
``` ```console
echo keyserver hkps://keys.openpgp.org >> ~/.gnupg/gpg.conf $ echo keyserver hkps://keys.openpgp.org >> ~/.gnupg/gpg.conf
gpg --auto-key-locate keyserver --locate-keys user@example.com $ gpg --auto-key-locate keyserver --locate-keys user@example.com
``` ```
#### With sks-keyservers.net #### With sks-keyservers.net
``` ```console
gpg --keyserver pool.sks-keyservers.net --recv-keys keyID $ gpg --keyserver pool.sks-keyservers.net --recv-keys keyID
``` ```

View file

@ -1,28 +1,28 @@
Some commands: Some commands:
``` ```console
lxc image alias list images: $ lxc image alias list images:
lxc info <name> $ lxc info <name>
lxc config edit <name> $ lxc config edit <name>
lxc config sonw <name> $ lxc config sonw <name>
lxc exec <name> bash $ lxc exec <name> bash
lxc config set <name> limits.memory 512MB $ lxc config set <name> limits.memory 512MB
lxc config set <name> limits.cpu 2 $ lxc config set <name> limits.cpu 2
lxc config device set <name> root size 20GB $ lxc config device set <name> root size 20GB
lxc launch images:debian/stretch/amd64 <name> $ lxc launch images:debian/stretch/amd64 <name>
lxc config set <name> environment.LC_ALL=en_US.UTF-8 $ lxc config set <name> environment.LC_ALL=en_US.UTF-8
lxc list $ lxc list
lxc storage volume list <storagename> $ lxc storage volume list <storagename>
# mode privileged $ #mode privileged
lxc launch ubuntu:16.04 test -c security.privileged=true -c security.nesting=true $ lxc launch ubuntu:16.04 test -c security.privileged=true -c security.nesting=true
lxc config device add test ssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22 $ lxc config device add test ssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22
# Create a backups volume in the local (default) pool (ZFS) and use it for backups $ #Create a backups volume in the local (default) pool (ZFS) and use it for backups
lxc storage volume create local backups $ lxc storage volume create local backups
lxc config set storage.backups_volume local/backups $ lxc config set storage.backups_volume local/backups
# Create a images volume in the local (default) pool (ZFS) and use it for images (containers images downloaded) $ #Create a images volume in the local (default) pool (ZFS) and use it for images (containers images downloaded)
lxc storage volume create local images $ lxc storage volume create local images
lxc config set storage.images_volume local/images $ lxc config set storage.images_volume local/images
lxc config device add $containerName $deviceName disk source=/home/foo path=/home/foo $ lxc config device add $containerName $deviceName disk source=/home/foo path=/home/foo
``` ```
Chemins : Chemins :
@ -41,7 +41,7 @@ dnsutils
N'est plus nécessaire sur les images récentes : N'est plus nécessaire sur les images récentes :
``` ```console
# systemctl disable getty@tty{1..4} # systemctl disable getty@tty{1..4}
# reboot # reboot
``` ```
@ -57,17 +57,16 @@ etckeeper
vim vim
``` ```
``` ```console
sed -i 's/^tty/# tty/g' /etc/inittab # sed -i 's/^tty/# tty/g' /etc/inittab
# clean messages # #clean messages
rm /var/log/messages rm /var/log/messages
``` ```
Nginx : Nginx :
``` ```nginx
set_real_ip_from W.X.Y.Z; set_real_ip_from W.X.Y.Z;
#real_ip_recursive on; #real_ip_recursive on;
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
@ -79,6 +78,6 @@ access_log /var/log/nginx/access.log custom;
Aller dans le namespace de LXD (snap0 pour faire des actions genre mount/umount : Aller dans le namespace de LXD (snap0 pour faire des actions genre mount/umount :
``` ```console
# nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m # nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
``` ```

View file

@ -2,7 +2,7 @@
Thermal info: Thermal info:
``` ```console
sudo powermetrics s thermal $ sudo powermetrics s thermal
sudo powermetrics -s thermal | grep -A2 -i thermal $ sudo powermetrics -s thermal | grep -A2 -i thermal
``` ```

View file

@ -1,8 +1,11 @@
--- ---
title: Howto Serveur de mail sécurisé avec Mailcow et Scaleway title: Howto Serveur de mail sécurisé avec Mailcow et Scaleway
categories: sysadmin mail
--- ---
???+ Danger
Documentation obsolète !
# Intro # Intro
Ce Howto explique comment monter un serveur de mail sécurisé en utilisant [Mailcow](https://github.com/andryyy/mailcow) et un serveur virtuel chez [Scaleway](https://www.scaleway.com/). L'introduction est à lire sur mon [blog](https://www.lekernelpanique.fr/2017/03/05/votre-propre-serveur-de-mail-securise-pour-3emois/). Ce Howto explique comment monter un serveur de mail sécurisé en utilisant [Mailcow](https://github.com/andryyy/mailcow) et un serveur virtuel chez [Scaleway](https://www.scaleway.com/). L'introduction est à lire sur mon [blog](https://www.lekernelpanique.fr/2017/03/05/votre-propre-serveur-de-mail-securise-pour-3emois/).
@ -15,7 +18,7 @@ La première étape consiste évidement à créer l'instance sur la console de S
L'image Debian de Scaleway n'étant pas « buildé » tous les jours, il se peut qu'il y ait quelques mises à jour à faire. On fait donc une upgrade. L'image Debian de Scaleway n'étant pas « buildé » tous les jours, il se peut qu'il y ait quelques mises à jour à faire. On fait donc une upgrade.
``` ```console
# apt update # apt update
# apt upgrade # apt upgrade
``` ```
@ -26,7 +29,7 @@ Ce volume accueillera vos mails et journaux systèmes. Il est donc intéressant
Création du fichier image et montage sur `/dev/loop0`. Création du fichier image et montage sur `/dev/loop0`.
``` ```console
# dd if=/dev/zero of=/var.img bs=1M count=35000 # dd if=/dev/zero of=/var.img bs=1M count=35000
# chmod 600 /var.img # chmod 600 /var.img
# losetup /dev/loop0 /var.img # losetup /dev/loop0 /var.img
@ -34,7 +37,7 @@ Création du fichier image et montage sur `/dev/loop0`.
On en profite pour aussi créer une swap de 1G tant qu'à faire. On en profite pour aussi créer une swap de 1G tant qu'à faire.
``` ```console
# dd if=/dev/zero of=/swapfile.img bs=1M count=1000 # dd if=/dev/zero of=/swapfile.img bs=1M count=1000
# chmod 600 /swapfile.img # chmod 600 /swapfile.img
# mkswap -LSWAP # mkswap -LSWAP
@ -43,7 +46,7 @@ On en profite pour aussi créer une swap de 1G tant qu'à faire.
On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous aller devoir la taper à chaque démarrage dans la console de Scaleway. Pas très souvent si tout est stable ! :-) On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous aller devoir la taper à chaque démarrage dans la console de Scaleway. Pas très souvent si tout est stable ! :-)
``` ```console
# apt install cryptsetup # apt install cryptsetup
# cryptsetup luksFormat --hash sha256 --key-size=512 /dev/loop0 # cryptsetup luksFormat --hash sha256 --key-size=512 /dev/loop0
# cryptsetup luksOpen /dev/loop0 crypted-var # cryptsetup luksOpen /dev/loop0 crypted-var
@ -51,7 +54,7 @@ On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous
On formate le tout en EXT4, on monte le volume, on stoppe les services qui utilisent actuellement `/var` et on rsync le tout. On formate le tout en EXT4, on monte le volume, on stoppe les services qui utilisent actuellement `/var` et on rsync le tout.
``` ```console
# mkfs.ext4 -LVAR /dev/mapper/crypted-var # mkfs.ext4 -LVAR /dev/mapper/crypted-var
# mount /dev/mapper/crypted-var /mnt/ # mount /dev/mapper/crypted-var /mnt/
# for pid in $(lsof | grep /var | tr -s '\t' ' ' | cut -d' ' -f2 | sort | uniq | grep -v "^1$"); do kill $pid; done # for pid in $(lsof | grep /var | tr -s '\t' ' ' | cut -d' ' -f2 | sort | uniq | grep -v "^1$"); do kill $pid; done
@ -64,7 +67,7 @@ On indique le volume chiffré dans `crypttab` et le point de montage dans `fstab
> **Note** : On désactive `unattended-upgrades` qui va planter l'arrêt à cause du /var qui n'existe plus. > **Note** : On désactive `unattended-upgrades` qui va planter l'arrêt à cause du /var qui n'existe plus.
``` ```console
# echo "crypted-var /var.img none luks" >> /etc/crypttab # echo "crypted-var /var.img none luks" >> /etc/crypttab
# echo "/dev/mapper/crypted-var /var ext4 defaults 0 2" >> /etc/fstab # echo "/dev/mapper/crypted-var /var ext4 defaults 0 2" >> /etc/fstab
# systemctl disable unattended-upgrades.service # systemctl disable unattended-upgrades.service
@ -89,7 +92,7 @@ Au niveau de vos entrées DNS, il vous faudra un champ A et un MX. Plus de déta
On supprime exim4, car Mailcow utilise postfix. On supprime exim4, car Mailcow utilise postfix.
``` ```console
# apt purge exim4 exim4-base exim4-config exim4-daemon-light # apt purge exim4 exim4-base exim4-config exim4-daemon-light
``` ```
@ -97,7 +100,7 @@ On supprime exim4, car Mailcow utilise postfix.
Puis on télécharge le script d'installation, on édite la configuration et on lance l'installation. Puis on télécharge le script d'installation, on édite la configuration et on lance l'installation.
``` ```console
# wget -O - https://github.com/andryyy/mailcow/archive/v0.14.tar.gz | tar xfz - # wget -O - https://github.com/andryyy/mailcow/archive/v0.14.tar.gz | tar xfz -
# cd mailcow-0.14 # cd mailcow-0.14
# vim mailcow.config # vim mailcow.config
@ -107,7 +110,7 @@ Puis on télécharge le script d'installation, on édite la configuration et on
Laissez-vous guider par le script d'installation. Laissez-vous guider par le script d'installation.
``` ```console
# ./install.sh # ./install.sh
``` ```
@ -125,7 +128,7 @@ Pour cela il faut mettre en place une `PKI` et émettre un certificat client. J'
## ShellPKI ## ShellPKI
``` ```console
# cd /usr/local # cd /usr/local
# git clone https://forge.evolix.org/shellpki.git # git clone https://forge.evolix.org/shellpki.git
# cd shellpki # cd shellpki
@ -137,20 +140,20 @@ Pour cela il faut mettre en place une `PKI` et émettre un certificat client. J'
Éditer `/etc/shellpki/openssl.cnf` et initialiser shellPKI. Le plus important est de remplir le « Common Name », par exemple `Myname Root Certificate`. Éditer `/etc/shellpki/openssl.cnf` et initialiser shellPKI. Le plus important est de remplir le « Common Name », par exemple `Myname Root Certificate`.
``` ```console
# vim /etc/shellpki/openssl.cnf # vim /etc/shellpki/openssl.cnf
# ./shellpki.sh init # ./shellpki.sh init
``` ```
On génère un certificat client (sans passphrase), soit un utilisateur par exemple. Il faudra choisir un « Common Name » du type `user@domain.tld`. On génère un certificat client (sans passphrase), soit un utilisateur par exemple. Il faudra choisir un « Common Name » du type `user@domain.tld`.
``` ```console
# ./shellpki.sh create # ./shellpki.sh create
``` ```
Puis on le convertit au format `PKCS#12` avec une passphrase d'export. Cette passphrase sera demandé à l'import dans un navigateur ou smartphone par exemple. Puis on le convertit au format `PKCS#12` avec une passphrase d'export. Cette passphrase sera demandé à l'import dans un navigateur ou smartphone par exemple.
``` ```console
# cd /etc/ssl/clients # cd /etc/ssl/clients
# openssl pkcs12 -export -in user@mail.domain.tld.crt -inkey user@mail.domain.tld.key -out user@mail.domain.tld.p12 # openssl pkcs12 -export -in user@mail.domain.tld.crt -inkey user@mail.domain.tld.key -out user@mail.domain.tld.p12
``` ```
@ -161,12 +164,12 @@ La dernière étape consiste à dire à dovecot et nginx qu'il est nécessaire d
## Nginx ## Nginx
``` ```nginx
ssl_client_certificate /etc/shellpki/ca/cacert.pem; ssl_client_certificate /etc/shellpki/ca/cacert.pem;
ssl_verify_client on; ssl_verify_client on;
``` ```
``` ```console
# systemctl restart nginx # systemctl restart nginx
``` ```
@ -174,7 +177,7 @@ ssl_verify_client on;
> **Note** : Attention, si vous avez un webmail qui se connecte en local, imap non chiffré, l'activation de `auth_ssl_require_client_cert`, va imposer d'utiliser un certificat… Cassant votre webmail. Il n'y a pas à ce jour la possibilité d'activer `auth_ssl_require_client_cert` seulement pour imaps… Si vous utilisez un webmail, n'activez pas ceci sur dovecot. > **Note** : Attention, si vous avez un webmail qui se connecte en local, imap non chiffré, l'activation de `auth_ssl_require_client_cert`, va imposer d'utiliser un certificat… Cassant votre webmail. Il n'y a pas à ce jour la possibilité d'activer `auth_ssl_require_client_cert` seulement pour imaps… Si vous utilisez un webmail, n'activez pas ceci sur dovecot.
``` ```dovecot
# Client certificate # Client certificate
ssl_ca = </etc/shellpki/ca/cacert.pem ssl_ca = </etc/shellpki/ca/cacert.pem
ssl_verify_client_cert = yes ssl_verify_client_cert = yes
@ -187,7 +190,7 @@ protocol !smtp {
} }
``` ```
``` ```console
# systemctl restart dovecot.service # systemctl restart dovecot.service
``` ```
@ -197,8 +200,8 @@ Vous devez maintenant faire le nécessaire côté client (Thunderbird, K9-Mail
Voici une liste de tâches non exhaustives à faire de votre côté que je ne documente pas, non obligatoire mais conseillé… Voici une liste de tâches non exhaustives à faire de votre côté que je ne documente pas, non obligatoire mais conseillé…
- Monter un serveur de MX secondaire ; - [ ] Monter un serveur de MX secondaire ;
- Activer un pare-feu sur votre machine, par exemple `ufw` ; - [ ] Activer un pare-feu sur votre machine, par exemple `ufw` ;
- Monitorer votre serveur ; - [ ] Monitorer votre serveur ;
- S'assurer du suivi des mises à jour ; - [ ] S'assurer du suivi des mises à jour ;
- Faire des sauvegardes. - [ ] Faire des sauvegardes.

View file

@ -1,152 +1,152 @@
Get Github or Gitlab user key: Get Github or Gitlab user key:
``` ```console
curl https://github.com/<username>.keys $ curl https://github.com/<username>.keys
curl https://gitlab.com/<username>.keys $ curl https://gitlab.com/<username>.keys
``` ```
Enter a namespace, for example LXD (which is in a NS by Snap). Enter a namespace, for example LXD (which is in a NS by Snap).
``` ```console
nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m $ nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
``` ```
SSH into a machine without checking host key. Useful when servers are in a rescue mode. SSH into a machine without checking host key. Useful when servers are in a rescue mode.
~~~ ```console
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null" $ ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null"
~~~ ```
Certbot manual example. Certbot manual example.
~~~ ```console
certbot certonly --non-interactive --webroot --webroot-path /var/www/html/ -d foo.bar -d www.foo.bar # certbot certonly --non-interactive --webroot --webroot-path /var/www/html/ -d foo.bar -d www.foo.bar
~~~ ```
GPG-agent list SSH key and remove. GPG-agent list SSH key and remove.
~~~ ```
gpg-connect-agent gpg-connect-agent
KEYINFO --ssh-list --ssh-fpr KEYINFO --ssh-list --ssh-fpr
DELETE_KEY $HASH DELETE_KEY $HASH
~~~ ```
Show md5 fingerprint of SSH key. Show md5 fingerprint of SSH key.
~~~ ```console
ssh-keygen -l -E md5 -f .ssh/key.pub $ ssh-keygen -l -E md5 -f .ssh/key.pub
~~~ ```
Password recovery. At grub stage, press `e` to edit the kernel line and add `init=/bin/bash`. It will drop you in a shell before init system (systemd). Password recovery. At grub stage, press `e` to edit the kernel line and add `init=/bin/bash`. It will drop you in a shell before init system (systemd).
~~~ ```console
mount -o remount,rw / # mount -o remount,rw /
passwd # passwd
~~~ ```
Mount partitions on an image file using losetup. Mount partitions on an image file using losetup.
~~~ ```console
losetup -P -f --show my.img # losetup -P -f --show my.img
~~~ ```
List all software installed from particular component (non-free, contrib) List all software installed from particular component (non-free, contrib)
~~~ ```console
$ dpkg-query -W -f='${Section}\t${Package}\n' | grep ^non-free $ dpkg-query -W -f='${Section}\t${Package}\n' | grep ^non-free
~~~ ```
Manually rotate a file without logrotate, with savelog(8). Manually rotate a file without logrotate, with savelog(8).
~~~ ```console
$ savelog $ savelog
~~~ ```
What processes uses swap? What processes uses swap?
~~~ ```console
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less $ for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
~~~ ```
MySQL "fast" shutdown. MySQL "fast" shutdown.
~~~ ```console
> set global innodb_max_dirty_pages_pct = 0; > set global innodb_max_dirty_pages_pct = 0;
$ mysqladmin ext -i10 | grep dirty $ mysqladmin ext -i10 | grep dirty
~~~ ```
mkfs.ext4 for old systems in rescue mode (Debian Wheezy, …). mkfs.ext4 for old systems in rescue mode (Debian Wheezy, …).
~~~ ```console
mkfs.ext4 -O ^64bit,^metadata_csum # mkfs.ext4 -O ^64bit,^metadata_csum
~~~ ```
Send a mail from queue. Send a mail from queue.
``` ```console
postcat -q ID > mail $ postcat -q ID > mail
< mail sendmail -f FROM TO $ < mail sendmail -f FROM TO
``` ```
Python Simple HTTP Server (useful for Munin for example). Python Simple HTTP Server (useful for Munin for example).
``` ```console
cd /var/cache/munin/www $ cd /var/cache/munin/www
python -m SimpleHTTPServer 8080 $ python -m SimpleHTTPServer 8080
``` ```
Show custom certs (not a link) and expiration in `/etc/ssl/certs`. Show custom certs (not a link) and expiration in `/etc/ssl/certs`.
``` ```console
find /etc/ssl/certs/ -type f -print -exec openssl x509 -text -in {} \; | grep --color=auto -e etc -e CN= -e DNS: -e After; # find /etc/ssl/certs/ -type f -print -exec openssl x509 -text -in {} \; | grep --color=auto -e etc -e CN= -e DNS: -e After;
``` ```
Edit Bind DNS serial (needs modifications, not generic). Edit Bind DNS serial (needs modifications, not generic).
``` ```console
sed -ri 's/^\s*[0-9]+\s*; serial/\t\t\t 2017041010\t ; serial/' db.* $ sed -ri 's/^\s*[0-9]+\s*; serial/\t\t\t 2017041010\t ; serial/' db.*
``` ```
After Debian/Ubuntu upgrade, merge local config files according to config files shipped in packages. After Debian/Ubuntu upgrade, merge local config files according to config files shipped in packages.
``` ```console
for file in $(find /etc -iname '*.dpkg-dist'); do vimdiff ${file%%.dpkg-dist} $file; rm $file; done # for file in $(find /etc -iname '*.dpkg-dist'); do vimdiff ${file%%.dpkg-dist} $file; rm $file; done
for file in $(find /etc -iname '*.dpkg-old'); do vimdiff ${file%%.dpkg-old} $file; rm $file; done # for file in $(find /etc -iname '*.dpkg-old'); do vimdiff ${file%%.dpkg-old} $file; rm $file; done
for file in $(find /etc -iname '*.dpkg-new'); do vimdiff ${file%%.dpkg-new} $file; rm $file; done # for file in $(find /etc -iname '*.dpkg-new'); do vimdiff ${file%%.dpkg-new} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-dist'); do vimdiff ${file%%.ucf-dist} $file; rm $file; done # for file in $(find /etc -iname '*.ucf-dist'); do vimdiff ${file%%.ucf-dist} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-old'); do vimdiff ${file%%.ucf-old} $file; rm $file; done # for file in $(find /etc -iname '*.ucf-old'); do vimdiff ${file%%.ucf-old} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-new'); do vimdiff ${file%%.ucf-new} $file; rm $file; done # for file in $(find /etc -iname '*.ucf-new'); do vimdiff ${file%%.ucf-new} $file; rm $file; done
``` ```
Debug php with strace and php-cgi (especially useful for wp multisites). Debug php with strace and php-cgi (especially useful for wp multisites).
``` ```console
HTTP_HOST=www.site.com SCRIPT_FILENAME=index.php REDIRECT_STATUS=CGI SERVER_NAME=www.site.com strace -s 65535 -o /tmp/strace php-cgi -f index.php $ HTTP_HOST=www.site.com SCRIPT_FILENAME=index.php REDIRECT_STATUS=CGI SERVER_NAME=www.site.com strace -s 65535 -o /tmp/strace php-cgi -f index.php
``` ```
```ps``` with long user fields (here 20). `ps` with long user fields (here 20).
``` ```console
ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm $ ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm
``` ```
WTF is happening in apache (or other)? Let's strace all apache processes. WTF is happening in apache (or other)? Let's strace all apache processes.
``` ```console
# strace -p $(ps auwwwx | grep apache | tr -s '\t' ' ' | cut -d' ' -f2 | tr '\n' ' ' | sed 's/ / -p /g') 9999 # strace -p $(ps auwwwx | grep apache | tr -s '\t' ' ' | cut -d' ' -f2 | tr '\n' ' ' | sed 's/ / -p /g') 9999
``` ```
WTF is happening? Let's tail all logs. WTF is happening? Let's tail all logs.
``` ```console
# tail -f $(lsof | grep -F .log | tr -s '\t' ' ' | cut -d' ' -f10 | sort | uniq | tr -s '\n' ' ') # tail -f $(lsof | grep -F .log | tr -s '\t' ' ' | cut -d' ' -f10 | sort | uniq | tr -s '\n' ' ')
``` ```
Search for suspects POST in apache.log (often attacks). Search for suspects POST in apache.log (often attacks).
```{.bash} ```console
grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u # grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u
``` ```
Check for crashed MySQL table in syslog and launch a repair. Check for crashed MySQL table in syslog and launch a repair.
```{.bash} ```bash
#!/bin/bash #!/bin/bash
tables=$(grep crashed /var/log/syslog | grep -Eo \'\./.*\' --color=auto | sed s#\'./## | sed s#\'## | uniq | tr -s '\n' ' ') tables=$(grep crashed /var/log/syslog | grep -Eo \'\./.*\' --color=auto | sed s#\'./## | sed s#\'## | uniq | tr -s '\n' ' ')
for tableC in $tables; do for tableC in $tables; do
@ -157,37 +157,36 @@ done
``` ```
Get the groups of an user and add another user into these groups. Get the groups of an user and add another user into these groups.
```{.bash} ```console
for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done # for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done
``` ```
Get the last acceded URLs in Squid Access list. Get the last acceded URLs in Squid Access list.
```{.bash} ```console
tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq # tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq
``` ```
Migrate MySQL users. Migrate MySQL users.
```{.bash} ```console
# SRC Server # #SRC Server
mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';" # mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';"
mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';" # mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';"
# DST Server # #DST Server
scp server:/tmp/mysql_{db,user} /tmp # scp server:/tmp/mysql_{db,user} /tmp
chmod 664 /tmp/mysql_{db,user} # chmod 664 /tmp/mysql_{db,user}
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;" # mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;"
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;" # mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;"
``` ```
Find userid of mails in mailq. Find userid of mails in mailq.
```{.bash} ```console
for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done $ for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done
sort -n /tmp/userid | uniq $ sort -n /tmp/userid | uniq
``` ```
Kill every MySQL SELECT older than X seconds Original: https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/ Kill every MySQL SELECT older than X seconds Original: https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
```{.bash} ```bash
#!/bin/bash #!/bin/bash
# From https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/ # From https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
SEC=$1 SEC=$1
@ -210,10 +209,10 @@ abuse@<domain>, admin@<domain>, administrator@<domain>, contact@<domain>, info@<
``` ```
itk change rights. itk change rights.
```{.bash} ```console
find /tmp/ -user www-user.old -exec chown www-user:user {} \; # find /tmp/ -user www-user.old -exec chown www-user:user {} \;
find /tmp/ -user user.old -exec chown user:user {} \; # find /tmp/ -user user.old -exec chown user:user {} \;
* Détecter les fichiers non lisibles par Apache (lecture sur le groupe) : find ./ -type f ! -perm /g=r -exec ls -l {} \; * Détecter les fichiers non lisibles par Apache (lecture sur le groupe) : find ./ -type f ! -perm /g=r -exec ls -l {} \;
* Détecter les répertoires non lisibles par Apache (lecture/exécution sur le groupe) : find ./ -type d \( ! -perm /g=r -o ! -perm /g=x \) -exec ls -ld {} \; * Détecter les répertoires non lisibles par Apache (lecture/exécution sur le groupe) : find ./ -type d \( ! -perm /g=r -o ! -perm /g=x \) -exec ls -ld {} \;
@ -222,16 +221,15 @@ find /tmp/ -user user.old -exec chown user:user {} \;
``` ```
Get useradd command for migrating account. Get useradd command for migrating account.
```{.bash} ```console
# for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
Output : Output :
useradd -m -s /bin/bash -u USERID -p 'USERPWD' username useradd -m -s /bin/bash -u USERID -p 'USERPWD' username
``` ```
Find files newert than (mtime) a precise date, and execute an action. Find files newert than (mtime) a precise date, and execute an action.
```{.bash} ```bash
find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \; # find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \;
``` ```

View file

@ -1,27 +1,27 @@
Some commands: Some commands:
``` ```console
apt install zfsutils-linux # apt install zfsutils-linux
zpool create local /dev/xxx # zpool create local /dev/xxx
zpool list # zpool list
zfs create local/home # zfs create local/home
zfs list # zfs list
zfs set compression=lz4 local/home # zfs set compression=lz4 local/home
zfs get compression # zfs get compression
zfs get compressratio local/home # zfs get compressratio local/home
zfs set dedup=on local/home # zfs set dedup=on local/home
zpool get dedupratio local # zpool get dedupratio local
zfs set mountpoint=/home local/home # zfs set mountpoint=/home local/home
apt install nfs-kernel-server nfs-common # apt install nfs-kernel-server nfs-common
systemctl enable --now rpc-statd.service nfs-server.service # systemctl enable --now rpc-statd.service nfs-server.service
zfs set sharenfs="rw=@10.0.1.0/24" local/home # zfs set sharenfs="rw=@10.0.1.0/24" local/home
zfs share local/home # zfs share local/home
zfs get sharenfs # zfs get sharenfs
# Import pool after boot/cryptsetup Open # #Import pool after boot/cryptsetup Open
zpool import local # zpool import local
zfs snapshot local/containers/archive@backup # zfs snapshot local/containers/archive@backup
zfs list -t snapshot # zfs list -t snapshot
zfs send local/containers/archive@backup | ssh zfs@10.0.1.1 sudo zfs recv local/lxd00/containers/archive # zfs send local/containers/archive@backup | ssh zfs@10.0.1.1 sudo zfs recv local/lxd00/containers/archive
zfs destroy local/containers/archive@backup # zfs destroy local/containers/archive@backup
zfs clone local/containers/archive@backup local/containers/archive-clone # zfs clone local/containers/archive@backup local/containers/archive-clone
``` ```

View file

@ -1,8 +1,6 @@
--- ???+ Danger
format: Markdown
toc: yes Deprecated, todo...
title: Backup Strategy
...
# Servers # Servers

View file

@ -1,12 +1,8 @@
---
title: Basic CPU Benchmark on GCP/Vultr/Hetzner/Scaleway
...
*Updated whenever I can.* *Updated whenever I can.*
Encoding a 2h video (live concert from Japanese TV, MPEG-2, dark scene with grain) at 1280x720 resolution. Encoding a 2h video (live concert from Japanese TV, MPEG-2, dark scene with grain) at 1280x720 resolution.
``` ```console
HandBrakeCLI -i in.ts -o out.mp4 -f av_mp4 -O -e x264 --encoder-preset slow --encoder-tune grain --encoder-profile high --encoder-level auto -q 20 --vfr -E copy:aac -w 1280 -l 720 --decomb --detelecine --crop 0:0:0:0 $ HandBrakeCLI -i in.ts -o out.mp4 -f av_mp4 -O -e x264 --encoder-preset slow --encoder-tune grain --encoder-profile high --encoder-level auto -q 20 --vfr -E copy:aac -w 1280 -l 720 --decomb --detelecine --crop 0:0:0:0
``` ```
- Scaleway bare-metal 8 CPU C2L: - Scaleway bare-metal 8 CPU C2L:

View file

@ -1,13 +1,10 @@
--- ---
format: Markdown
toc: yes
categories: Nihongo
title: Mémo/Cours de Japonais 1ère année title: Mémo/Cours de Japonais 1ère année
... ---
# Deprecated ???+ Danger
> **Note** : Je ne tiens plus à jour cette page. Obsolète ! Je ne tiens plus à jour cette page.
Cette page me sert de mémo pour mon apprentissage du Japonais (1ère année) et part du principe que les Hiragana et Katakana sont maîtrisés :) ! Cette page me sert de mémo pour mon apprentissage du Japonais (1ère année) et part du principe que les Hiragana et Katakana sont maîtrisés :) !
(Ce mémo est inspiré de l'application [Human Japanese sur Android](https://play.google.com/store/apps/details?id=com.braksoftware.HumanJapanese&hl=fr) pour la structure et de mes cours à [Toulouse-Manga](http://toulousemanga.fr/les-cours-de-manga-a-toulouse/cours-de-japonais/)). (Ce mémo est inspiré de l'application [Human Japanese sur Android](https://play.google.com/store/apps/details?id=com.braksoftware.HumanJapanese&hl=fr) pour la structure et de mes cours à [Toulouse-Manga](http://toulousemanga.fr/les-cours-de-manga-a-toulouse/cours-de-japonais/)).

View file

@ -2,8 +2,8 @@
## IP address in Japan with WG+Socks ## IP address in Japan with WG+Socks
``` ```console
for i in {6..13}; do curl ipinfo.io/ip --socks5-host jp${i}-wg.socks5.mullvad.net:1080; curl ifconfig.co --socks5-host jp${i}-wg.socks5.mullvad.net:1080; done $ for i in {6..13}; do curl ipinfo.io/ip --socks5-host jp${i}-wg.socks5.mullvad.net:1080; curl ifconfig.co --socks5-host jp${i}-wg.socks5.mullvad.net:1080; done
217.138.252.227 217.138.252.227
2001:ac8:40:b6::a06d 2001:ac8:40:b6::a06d
217.138.252.243 217.138.252.243