
Command HISTORY in linux.

Linux No Comments »

history
history | less

history lists the commands entered in the current shell session, together with the lines bash loaded from the history file when the shell started. Pipe it through less when the list is long.

bash writes that list to ~/.bash_history when the shell exits (the path comes from the HISTFILE variable, the number of lines kept from HISTSIZE and HISTFILESIZE), so for root it is

/root/.bash_history

and for other users the equivalent file in their own home directory.

Keep in mind that a user who knows what they are doing can delete the history file, symlink it to /dev/null, unset HISTFILE, or set HISTSIZE=0 before doing anything interesting, and with HISTCONTROL=ignorespace a command typed with a leading space is never recorded at all. The history file is a convenience for the user, not an audit trail. A better way is to configure process and command auditing, as described in the next post:

http://niyashussain.com/2009/06/how-to-keep-a-detailed-audit-trail-of-what%E2%80%99s-being-done-on-your-linux-systems/
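As an added example (not part of the original post), here is a small sh script that checks for exactly the tricks mentioned above across every login account: it reads accounts in /etc/passwd format and reports whether each user's ~/.bash_history is missing, empty, or a symlink to /dev/null. It assumes bash with the default HISTFILE location and a readlink binary (coreutils or BSD); the passwd file it reads is whatever you pass it.

```shell
#!/bin/sh
# audit_history_file HOME_DIR
# Reports the state of HOME_DIR/.bash_history (the default bash HISTFILE):
#   DEVNULL          symlink to /dev/null, the classic way to "disable" history
#   SYMLINK:<target> symlink somewhere else (history lands in another file)
#   MISSING          no file at all (never written, or deleted)
#   EMPTY            present but zero bytes (truncated, or HISTSIZE=0)
#   OK:<n>           regular file with n lines
audit_history_file() {
    f="$1/.bash_history"
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case "$target" in
            /dev/null) echo DEVNULL ;;
            *)         echo "SYMLINK:$target" ;;
        esac
    elif [ ! -e "$f" ]; then
        echo MISSING
    elif [ ! -s "$f" ]; then
        echo EMPTY
    else
        echo "OK:$(wc -l < "$f" | tr -d ' ')"
    fi
}

# audit_passwd PASSWD_FILE
# For every account in passwd(5) format that has a real login shell,
# print "user<TAB>state". Accounts whose shell is nologin/false are skipped.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            ""|*/nologin|*/false) continue ;;
        esac
        printf '%s\t%s\n' "$user" "$(audit_history_file "$home")"
    done < "$1"
}

# Run as a script:  audit_history.sh /etc/passwd
# Anything other than OK deserves a look. OK only proves the file exists and
# has content, not that it is complete: HISTCONTROL and a leading space leave
# no trace, which is why process accounting (next post) is the real answer.
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

Run it from cron and diff the output against the previous run; a user whose file goes from OK to DEVNULL or MISSING between runs is the interesting case.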

How to keep a detailed audit trail of what’s being done on your Linux systems?


Intrusions come from authorized users (insiders) as well as unauthorized ones (outsiders). Experience shows that a disgruntled user can do real damage, especially with shell access. Some users are clever enough to remove their history file (such as ~/.bash_history), but you can still record every command they execute.

It is recommended that you log user activity with process accounting. Process accounting records every command executed on the system, who ran it, and the CPU time and memory it consumed, so the administrator can always find out which command was executed, by whom, and when. Note what it does not record: only the command name (the first 16 characters of the executable name, the kernel's ac_comm field) is kept, not the arguments, so it tells you that rm ran, not what it deleted.

The psacct package contains several utilities for monitoring process activity, including ac, lastcomm, accton and sa.

* The ac command displays statistics about how long users have been logged on.
* The lastcomm command displays information about previously executed commands.
* The accton command turns process accounting on or off.
* The sa command summarizes information about previously executed commands.

Task: Install psacct or acct package

Use up2date command if you are using RHEL ver 4.0 or less:
# up2date psacct
Use yum command if you are using CentOS/Fedora Linux / RHEL 5:
# yum install psacct
Use apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct OR # apt-get install acct

Task: Start psacct/acct service

On Ubuntu / Debian Linux the service is started by default, writing to /var/log/account/pacct. Under Red Hat / Fedora Core / CentOS you need to start the psacct service manually. Type the following two commands to create /var/account/pacct and start the service now and at boot:
# chkconfig psacct on
# /etc/init.d/psacct start

If you are using Suse Linux, the name of the service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start

On systemd-based releases (RHEL/CentOS 7 and later, current Fedora, Debian and Ubuntu) the same is done with systemctl enable --now psacct (acct on Debian/Ubuntu). Whichever way you start it, check afterwards that accounting is actually on: the pacct file should exist and grow as commands run, and lastcomm should show fresh entries. A stopped service or a full disk ends the trail, so keep the file on a partition with free space and rotate it.

Now let us see how to utilize these utilities to monitor user commands and time.
Task: Display statistics about users’ connect time

ac command prints out a report of connect time in hours based on the logins/logouts. A total is also printed out. If you type ac without any argument it will display total connect time:
$ ac
Output:

total       95.08

Display totals for each day rather than just one big total at the end:
$ ac -d
Output:

Nov  1  total        8.65
Nov  2  total        5.70
Nov  3  total       13.43
Nov  4  total        6.24
Nov  5  total       10.70
Nov  6  total        6.70
Nov  7  total       10.30
…..
..

Nov 12  total        3.42
Nov 13  total        4.55
Today   total        0.52

Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -p
Output:

vivek                             87.49
root                                 7.63
total       95.11

Task: find out information about previously executed user commands

Use the lastcomm command, which prints information about previously executed commands. You can search by user name, tty name, or command name.

Display commands executed by user vivek:
$ lastcomm vivek
Output:

userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
userhelper        S     vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
gcc                     vivek  pts/0      0.00 secs Mon Nov 13 23:45
which                   vivek  pts/0      0.00 secs Mon Nov 13 23:44
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
ls                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
vi                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
cat                     vivek  pts/0      0.00 secs Mon Nov 13 23:42
netstat                 vivek  pts/0      0.07 secs Mon Nov 13 23:42
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38

For each entry the following information is printed. Take the first output line as an example:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
Where,

* userhelper is the command name of the process (truncated to 16 characters)
* S and X are flags, as recorded by the system accounting routines. The flag column is blank when no flag applies. The meaning of each flag:
o S: the process used super-user privileges (for a non-root user this means a setuid program such as su, ping or userhelper)
o F: the process was created by a fork but did not exec a new program
o D: the process terminated with the generation of a core file
o X: the process was killed by a signal
* vivek is the name of the user who ran the process
* pts/0 is the terminal name
* 0.00 secs is the CPU time the process consumed (user plus system), not its wall-clock duration
* Mon Nov 13 23:58 is the timestamp of the accounting record

Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd
Output (of lastcomm rm):

rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                      vivek    pts/0      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29

Search the accounting logs by terminal name pts/1
$ lastcomm pts/1
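The S flag is the interesting one for an auditor: a non-root user whose command carries it ran a setuid program. As an added example (not from the original post), the following sh functions parse lastcomm output and pick those entries out, counting them per user and command; a second helper counts how often a given user ran a given command. The sample at the top is constructed from the listing above, not live data; pipe real lastcomm output in instead. The parser addresses fields from the right because the flag column is optional and may hold more than one letter.

```shell
#!/bin/sh
# Constructed sample in the layout lastcomm prints (lines taken from the
# listing above; not live data).
SAMPLE='userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
userhelper        S     vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
gcc                     vivek  pts/0      0.00 secs Mon Nov 13 23:45
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36'

# Field layout, counted from the right, is always
#   user tty cpu-seconds "secs" weekday month day HH:MM   (8 fields)
# so $1 is the command, $(NF-7) the user, and $2..$(NF-8) the flags (if any).

# privileged_by_user: reads lastcomm output on stdin and prints
# "user command count" for every S-flagged command run by a non-root user,
# i.e. every setuid program invocation, sorted.
privileged_by_user() {
    awk 'NF >= 9 {
        user = $(NF-7); cmd = $1; suid = 0
        for (i = 2; i <= NF-8; i++) if ($i == "S") suid = 1
        if (suid && user != "root") n[user " " cmd]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# count_runs CMD USER: how many records show USER running CMD (any flags)
count_runs() {
    awk -v c="$1" -v u="$2" 'NF >= 9 && $1 == c && $(NF-7) == u { n++ }
                             END { print n + 0 }'
}

# Demo on the embedded sample. With live data:  lastcomm | privileged_by_user
printf '%s\n' "$SAMPLE" | privileged_by_user
```

Because lastcomm only keeps the command name, the count of rm runs by root tells you something happened at 00:35-00:39, not what was removed; correlate the timestamps with the ac/last login records and with file mtimes on the affected directories.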
Task: Summarize accounting information

Use the sa command to print a summary of previously executed commands. In addition, it condenses this data into a summary file named savacct, which contains the number of times each command was called and the system resources used. The information can also be summarized per user; sa saves this information in a file named usracct.
# sa
Output:

579     222.81re       0.16cp     7220k
4       0.36re       0.12cp    31156k   up2date
8       0.02re       0.02cp    16976k   rpmq
8       0.01re       0.01cp     2148k   netstat
11       0.04re       0.00cp     8463k   grep
18     100.71re       0.00cp    11111k   ***other*
8       0.00re       0.00cp    14500k   troff
5      12.32re       0.00cp    10696k   smtpd
2       8.46re       0.00cp    13510k   bash
8       9.52re       0.00cp     1018k   less

The first line is the grand total over all commands. Take the second line as an example:
4 0.36re 0.12cp 31156k up2date
Where,

* 4 is the number of times the command was called
* 0.36re "real time" in wall clock minutes
* 0.12cp sum of system and user time in cpu minutes
* 31156k cpu-time averaged core usage, in 1k units
* up2date command name

Commands that were executed only once are lumped together in the ***other* line; use sa -a to list them individually.

Display output per-user:
# sa -u
Output:

root       0.00 cpu      595k mem accton
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12482k mem touch
root       0.00 cpu    13226k mem psacct
root       0.00 cpu      595k mem consoletype
root       0.00 cpu    13192k mem psacct           *
root       0.00 cpu    13226k mem psacct
root       0.00 cpu    12492k mem chkconfig
postfix    0.02 cpu    10696k mem smtpd
vivek      0.00 cpu    19328k mem userhelper
vivek      0.00 cpu    13018k mem id
vivek      0.00 cpu    13460k mem bash             *
lighttpd   0.00 cpu    48240k mem php              *

Display the number of processes and number of CPU minutes on a per-user basis
# sa -m
Output:

667     231.96re       0.17cp     7471k
root                                  544      51.61re       0.16cp     7174k
vivek                                 103      17.43re       0.01cp     8228k
postfix                                18     162.92re       0.00cp     7529k
lighttpd                                2       0.00re       0.00cp    48536k

Task: Find out who is eating CPU

By looking at the re, k and cp/cpu columns (see above for the output explanation) you can spot suspicious activity or the user or command that is eating up CPU. A sudden rise in CPU or memory usage for a command or user is a sign that something needs a closer look, whether a runaway job or a program nobody expected to be there.

Please note that the above commands and packages are also available on other UNIX-like operating systems such as Sun Solaris and the *BSDs.

How to Check CPU Speed in Linux


To check the CPU speed in Linux:

less /proc/cpuinfo
egrep 'GHz|MHz' /proc/cpuinfo

Check Available Memory Linux


To check available memory in Linux type the free -m command. free displays the total amount of free and used physical and swap memory in the system, as well as the buffers used by the kernel.

free -m
free -b
free -k

1. The -b switch displays the amount of memory in bytes
2. The -k switch (set by default) displays it in kilobytes
3. The -m switch displays it in megabytes
4. The -g switch displays it in gigabytes.

vmstat

Output

procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 0  0      0  63316 176624 1062340    0    0    25    18   39  592  5  1 94  0

1. swpd: the amount of virtual memory used.
2. free: the amount of idle memory.
3. buff: the amount of memory used as buffers.
4. cache: the amount of memory used as cache.

How to configure ssh keys on Linux


This document will guide you through configuring ssh keys on Linux. You normally need this kind of setup when scripts connect to a Linux server to do some sysadmin task without prompting for a username and password.

Make sure that ssh is installed on all the servers. Here is the output of rpm -qa from server1:

[root@server1 ~]# rpm -qa |grep ssh
openssh-clients-3.9p1-8.RHEL4.9
openssh-askpass-3.9p1-8.RHEL4.9
openssh-3.9p1-8.RHEL4.9
openssh-server-3.9p1-8.RHEL4.9
openssh-askpass-gnome-3.9p1-8.RHEL4.9
[root@server1 ~]#

Here is the output of rpm -qa from server2

[root@server2 ~]# rpm -qa | grep ssh
openssh-clients-3.9p1-8.RHEL4.9
openssh-askpass-3.9p1-8.RHEL4.9
openssh-3.9p1-8.RHEL4.9
openssh-server-3.9p1-8.RHEL4.9
openssh-askpass-gnome-3.9p1-8.RHEL4.9
[root@server2 ~]#

Now generate an ssh key on server1 using the following commands. This walkthrough uses DSA, which OpenSSH 7.0 and later no longer accept by default (ssh-dss is off the default key algorithm lists); on anything current use ssh-keygen -t ed25519 (or -t rsa -b 4096) instead and read id_ed25519 for id_dsa below. For an unattended script the key will have no passphrase, so the private key file is equivalent to the root password of server2: keep it mode 600 (ssh-keygen does this), keep it out of shared or plaintext backup locations, and consider restricting what it can do on server2 with the command= and from= options in authorized_keys.

[root@server1 ~]# ssh-keygen -t dsa (Press Enter)
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): (Enter passphrase if you want, otherwise just Enter)
Enter same passphrase again: (Enter Again)
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
1e:56:19:54:86:03:38:61:d5:1e:2c:c7:c3:11:bf:50 root@server1
[root@server1 ~]#

Now you need to copy /root/.ssh/id_dsa.pub from server1 into /root/.ssh/authorized_keys on server2. If that directory does not exist, create it with mode 700 (not 644: sshd refuses keys from a directory writable by anyone else, and a directory needs the execute bit to be entered at all) and keep authorized_keys at 600. Note that the scp below replaces any authorized_keys that already exists on server2; if other keys are already authorized there, append to the file (ssh-copy-id does this for you) instead of overwriting it.

[root@server1 ~]# scp /root/.ssh/id_dsa.pub server2:/root/.ssh/authorized_keys
The authenticity of host 'server2 (10.216.152.221)' can't be established.
RSA key fingerprint is c1:14:0b:ef:0d:c7:48:94:2e:e3:fc:62:9a:2c:e6:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2' (RSA) to the list of known hosts.
root@server2's password:
id_dsa.pub

Note: Here you need to give the root password of server2, since you are scping the file as root from server1. Once the key is in place it will not ask for the password again. Answering yes to the fingerprint prompt pins server2's host key in known_hosts; compare the fingerprint with one obtained out of band, otherwise every later key-based login is only as trustworthy as this first connection.

Now login to server2 and check for authorized_keys file in /root/.ssh directory.

[root@server2 .ssh]# pwd
/root/.ssh

[root@server2 .ssh]# ls -lrt
total 24
-rw-r--r--  1 root root 224 Jan 27 06:22 known_hosts
-rw-r--r--  1 root root 602 Jun 14 05:54 id_dsa.pub
-rw-r--r--  1 root root 602 Jun 14 07:28 authorized_keys
[root@server2 .ssh]#

Now login from server1 to server2 using ssh and it will not ask for any password.

[root@server1 ~]# ssh server2
Last login: Wed Jun 14 07:28:36 2006 from server2
[root@server2 ~]#

To achieve the same from server2 to server1, follow all the steps above on server2.
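Added example, not from the original post: an sh function that does what the scp step above does, but safely. It appends the key to authorized_keys instead of replacing the file, skips a key that is already there (comparing key material, so a changed comment is not a new key), and sets the modes sshd's StrictModes check requires. It assumes the standard one-line OpenSSH public key format and the usual ~/.ssh location; on server2 you would run it with the copied .pub file as the second argument.

```shell
#!/bin/sh
# install_pubkey HOME_DIR PUBKEY_FILE
# Adds the public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys the way
# ssh-copy-id does: append rather than overwrite, skip a key that is already
# present, and set the modes sshd expects (~/.ssh 700, authorized_keys 600).
install_pubkey() {
    home="$1"
    pub="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # An OpenSSH public key file is one line: "<type> <base64> [comment]".
    key=$(head -n 1 "$pub")
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "install_pubkey: $pub does not look like an OpenSSH public key" >&2
           return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Deduplicate on type + key material only; the comment is free text.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth" | grep -qxF "$keyid"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# key_count HOME_DIR -> number of authorized keys (non-empty, non-comment lines)
key_count() {
    grep -c '^[^#]' "$1/.ssh/authorized_keys"
}

# Run as a script:  install_pubkey.sh /root /tmp/id_ed25519.pub
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Keep key_count in a periodic check: on a server where only automation keys should be present, a count that goes up is worth an alert, since authorized_keys is a favourite place for an intruder to leave a backdoor.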

RPM quick, quick and quick


You can easily install an rpm file with rpm -ivh:

rpm -ivh file-package.name.rpm

Installing runs the package's %pre/%post scriptlets as root, so for a package that did not come from your distribution's repositories verify its signature first with rpm -K (rpm --checksig) against a key you have imported, and look inside it before installing.

To view rpm file contents:

rpm -qlp file-package.name.rpm

To get info about the rpm package itself:

rpm -qip file-package.name.rpm

To extract or open an rpm file in the current directory without installing it (and without running any scriptlets):

rpm2cpio file.rpm | cpio -idmv
ls

How to Display number of processors on linux servers?


It is very simple with the top command (press 1 to show each CPU). Another easy way:

grep -c processor /proc/cpuinfo

This counts logical processors (hyperthreads included); nproc usually reports the same number.

Centos deactivate firewall


/sbin/service iptables save
/sbin/service ip6tables save
/sbin/chkconfig iptables off
/sbin/chkconfig ip6tables off
/sbin/service iptables stop
/sbin/service ip6tables stop

save -> write the running rules to /etc/sysconfig/iptables (and ip6tables) so they can be restored later.
chkconfig off -> do not start the firewall at boot ("service iptables off" is not an action the init script knows; on/off is a chkconfig operation).
stop -> flush the rules and stop the firewall: the system now accepts every packet to every listening service.
iptables -> IPv4 firewall.
ip6tables -> IPv6 firewall.

Do this only on a host that is protected by some other filter, and turn it back on with chkconfig iptables on and service iptables start. On CentOS 7 and later the firewall is firewalld (systemctl disable --now firewalld) rather than the iptables service.

Echo Command in Linux


Here are some examples you may find interesting:

Display the message Welcome on screen:

echo 'Welcome'

Write the message File has been deleted to a file called /tmp/log.txt (overwriting it):

echo 'File has been deleted' > /tmp/log.txt

Append the message File has been deleted to /tmp/log.txt:

echo 'File has been deleted' >> /tmp/log.txt

echo "Today's date is $(date)"
echo "Today's date is $(date)" > /tmp/date.txt
man echo

#echo $PATH
#echo $HOSTNAME
#echo $HISTSIZE

Rename multipile files in Unix


Use the rename command. Be aware that two different, incompatible programs go by this name on Linux: the util-linux rename shipped with Red Hat, CentOS and Fedora takes a fixed string to replace, its replacement and a file list, while the Perl rename (prename) shipped with Debian and Ubuntu takes a Perl s/// expression. The FreeBSD port mentioned below is a third implementation, written in C, with extended regular expression support for searching and substituting pattern strings in filenames; it can rename, convert to lowercase/uppercase, and change the ownership of a large number of files.

Rename all *.c files as *.cpp (util-linux syntax; it replaces the first occurrence of .c in each name):

rename .c .cpp *.c

Check the file list with ls *.c before renaming in bulk: the util-linux version does not preview or ask for confirmation. Under UNIX / FreeBSD, use ports:

cd /usr/ports/sysutils/rename
make install clean

man rename

How to get the output of Mysql command in a text file.


Log in to the MySQL prompt and run:

mysql> select * from table INTO OUTFILE '/tmp/test.txt';

This creates test.txt in the /tmp directory. Two things to keep in mind: the file is written by the mysqld process on the database server host (not on the client), so the server needs write access to that directory and the file must not already exist, and the account needs the FILE privilege. That privilege is exactly what SQL-injection attackers use to drop web shells with INTO OUTFILE, so grant it only to accounts that need it and set secure_file_priv to restrict where the server may write. For a quick text copy on the client side, mysql -e 'select ...' dbname > /tmp/test.txt needs no special privilege.

How to take mysql dump without any data

MySql No Comments »

mysqldump -u root -p --no-data dbname > /tmp/db.sql

This dumps the table definitions without any rows and creates db.sql in /tmp. -p prompts for the password; do not put it on the command line, where it shows up in ps and in the shell history. The dump contains the full schema, so give the file a restrictive mode and remove it from /tmp when you are done with it.

How to know know Server CPU, Memory and OS version ?


I need to know the server CPU, memory and OS version on different Linux flavors. Here it goes.

CPU : cat /proc/cpuinfo
Memory : free -m or top
OS : cat /etc/redhat-release, /etc/debian_version, /etc/SuSE-release or /proc/version; on any recent distribution /etc/os-release works everywhere

But for OpenBSD use this:

dmesg | grep mem
dmesg | grep cpu
dmesg | grep version

How to prevent Iframe attack.

Cpanel No Comments »

Despite the title, the rule below does not look for iframes at all. It is a query-string blocklist aimed at SQL injection, which is one common way an attacker ends up writing a hidden iframe into your pages; iframes planted through stolen FTP/cPanel passwords or an unpatched CMS are untouched by it. Treat it as defence in depth next to parameterized queries and current software, not as the fix. Add these lines to .htaccess:

RewriteEngine On

RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]

The condition needs one of the listed delimiter characters (literal or percent-encoded, because mod_rewrite matches the query string as sent, without decoding it) followed anywhere later by one of the keywords, case-insensitively. Because set and cast are matched as substrings, a harmless query such as ?sort=name;offset=10 is blocked too, and a keyword with one percent-encoded letter slips through, so expect both false positives and bypasses.
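To see what the rule actually does and does not catch, here is the same condition as a POSIX extended regular expression in sh, with a few constructed query strings run through it (an added example, not part of the original post). It assumes only grep -E; the delimiter and keyword lists are copied from the RewriteCond above.

```shell
#!/bin/sh
# The RewriteCond pattern above as a POSIX ERE. mod_rewrite matches
# %{QUERY_STRING} as the client sent it, without URL-decoding, which is why
# the rule lists characters both literally and as %XX escapes.
DELIMS=';|<|>|'"'"'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00'
KEYWORDS='/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark'

# classify QUERY_STRING -> BLOCK if the rule would answer 403, else PASS
classify() {
    if printf '%s\n' "$1" | grep -Eiq "(${DELIMS}).*(${KEYWORDS})"; then
        echo BLOCK
    else
        echo PASS
    fi
}

# Constructed query strings (not captured traffic):
#   1. textbook injection, caught
#   2. the same with the quote encoded, still caught (%27 is in the list)
#   3. innocent query, passes (keyword "cast" present but no delimiter)
#   4. innocent query, blocked: ";" then "set" inside "offset" (false positive)
#   5. injection with one letter of each keyword percent-encoded: passes the
#      filter, yet the application decodes %55NION back to UNION (bypass)
for q in \
    "id=1' union select 1,2" \
    "id=1%27%20UNION%20SELECT%201" \
    "q=broadcast" \
    "sort=name;offset=10" \
    "id=1%27%20%55NION%20%53ELECT%201"
do
    printf '%-40s %s\n' "$q" "$(classify "$q")"
done
```

Cases 4 and 5 are the whole argument: a substring blocklist on the raw query string both breaks legitimate requests and fails open against trivial encoding, which is why the real fix lives in the application (prepared statements) and the rule is at best a speed bump.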
