From 2f82e250e3b406325358f3f7e9dcf8179a92c2e4 Mon Sep 17 00:00:00 2001
From: benoit
Date: Wed, 30 Dec 2015 10:06:53 +0100
Subject: [PATCH] Add tips

---
SysadminTips.page | 95 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 SysadminTips.page

diff --git a/SysadminTips.page b/SysadminTips.page
new file mode 100644
index 0000000..7082bff
--- /dev/null
+++ b/SysadminTips.page
@@ -0,0 +1,95 @@
+Search for suspects POST in apache.log (often attacks).
+```{.bash}
+grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u
+```
+
+Check for crashed MySQL table in syslog and launch a repair.
+```{.bash}
+#!/bin/bash
+tables=$(grep crashed /var/log/syslog | grep -Eo \'\./.*\' --color=auto | sed s#\'./## | sed s#\'## | uniq | tr -s '\n' ' ')
+for tableC in $tables; do
+ db=${tableC%/*}
+ table=${tableC#*/}
+ mysqlcheck --auto-repair --check $db $table
+done
+```
+
+Get the groups of an user and add another user into these groups.
+```{.bash}
+for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done
+```
+
+Get the last acceded URLs in Squid Access list.
+```{.bash}
+tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq
+```
+
+Migrate MySQL users.
+```{.bash}
+# SRC Server
+mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';"
+mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';"
+
+# DST Server
+scp server:/tmp/mysql_{db,user} /tmp
+chmod 664 /tmp/mysql_{db,user}
+mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;"
+mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;"
+```
+
+Find userid of mails in mailq.
+```{.bash}
+for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done
+sort -n /tmp/userid | uniq
+```
+
+Kill every MySQL SELECT older than X seconds – Original: https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
+```{.bash}
+
+#!/bin/bash
+# From https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
+SEC=$1
+IFS='|'
+if [[ $SEC -lt 1 ]]; then
+ echo "Usage: $0 SECONDS"
+ exit 1
+fi
+mysqladmin proc -v|grep Query|grep -Evi "delete|update|insert|alter table" |while read dummy qid qusr qhost qdb qstat qsec qstat2 query; do
+ if [ $qsec -gt $SEC ]; then
+ echo "Killing query $qid..."
+ mysqladmin kill $qid
+ fi
+done
+```
+
+List of contacts when sending a mail for technical purpose on a domain which doesn't announce their technical contacts in a whois.
+```
+abuse@, admin@, administrator@, contact@, info@, postmaster@, support@, webmaster@
+```
+
+itk change rights.
+```{.bash}
+
+find /tmp/ -user www-user.old -exec chown www-user:user {} \;
+find /tmp/ -user user.old -exec chown user:user {} \;
+
+* Détecter les fichiers non lisibles par Apache (lecture sur le groupe) : find ./ -type f ! -perm /g=r -exec ls -l {} \;
+* Détecter les répertoires non lisibles par Apache (lecture/exécution sur le groupe) : find ./ -type d \( ! -perm /g=r -o ! -perm /g=x \) -exec ls -ld {} \;
+* Détecter les fichiers/répertoires accessibles en écriture par Apache (écriture sur le groupe) : find ./ -perm /g=w
+* Détecter les fichiers/répertoires accessibles en écriture par tous : find ./ -perm -007 -o -type f -perm -006
+```
+
+Get useradd command for migrating account.
+```{.bash}
+
+for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
+
+Output :
+useradd -m -s /bin/bash -u USERID -p 'USERPWD' username
+```
+
+Find files newert than (mtime) a precise date, and execute an action.
+```{.bash}
+find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \;
+```
+
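Review bot: In the "Migrate MySQL users" block the rows of `mysql.user`, which carry the account password hashes, are dumped with `INTO OUTFILE` into the shared `/tmp` on the source host and then made group- and world-readable with `chmod 664` on the destination, so any local user on either host can read them for as long as the files exist; the "Get useradd command" block has the same exposure, since it prints the `/etc/shadow` hashes on stdout, where they also land in the shell history. A restricted mode and prompt cleanup limit that window, e.g. `chmod 600 /tmp/mysql_{db,user}` followed by `rm -f /tmp/mysql_{db,user}` once both `LOAD DATA INFILE` statements have run, and the same for the `/tmp/mysql_*` files left on the source. The crashed-table repair and the kill-query script also expand `$tables`, `$db $table`, `$qsec` and `$qid` unquoted, so a syslog line or process-list field containing whitespace or glob characters is word-split before it reaches `mysqlcheck` / `mysqladmin`; `mysqlcheck --auto-repair --check "$db" "$table"` and `if [ "$qsec" -gt "$SEC" ]; then` keep each value as one argument.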