LinuxCheatSheet

2018-01-14 18:07:19 [SSH] [VPN] Do you need a quick and dirty VPN? Do it with ssh!
Sometime you need to temporarly join two networks, and you already have an host that you can reach by ssh in one of the two. One lesser know option of ssh is the possibility to create a vpn between client and server using tun devices.
To do so, create a tun device on your client and assign an ip address, then create another on your server and assign an ip in the same subnet.
Then connect to your server with ssh -w x:y root@yourserver where x and y are respectively the tun device numbers of client and server interfaces (e.g. x = 1 if client have tun1 ). Please be sure to have PermitTunnel yes on your server before doing it.
Have a look at this small bash example script.
I found this feature useful for connecting two networks temporarly, for example to access the EC2 instances on a remote AWS VPC that doesn't have a public ip address for testing purposes.
Remember: this is quick and dirty. If you need to create a permanent tunnel, please evaluate IPsec or any better option.

If you like it, please vote for the channel or share it
https://tchannels.me/c/linuxcheatsheet
http://www.telegramitalia.it/linuxcheatsheet/

Bye
G. Aprire / Come

2018-01-13 03:51:17 [APACHE] [LOGGING] Modernize your Apache log!
Apache logging format is quite old, and it was good in 90's when you ran only one web server in a dedicated hosting.
Today a lot of application run on containers, and it is possible to still use Apache (maybe you ported a legacy app to docker, maybe you just feel comfortable with it). A good idea can be to have a log in JSON format. It is useful if you want to parse log later, or insert it in an Elastic Search for analysis.
In this case have a look to this example
You can adapt it to your Apache server or just test it with the official httpd docker app available at Docker Hub. After you run it, you can get the server logs with
[cheats@telegram ~]$ docker logs my-apache-app
{"remoteip":"172.17.0.1","identd":"-","remoteuser":"-","timestamp":"2018-01-13T00:30:13+0000","request":"GET / HTTP/1.1","status":"200","bytes":"35"}
[cheats@telegram ~]$

This is just an adaptation one to one of the common LogFormat. You can of course personalize the jsoncommon LogFormat in the httpd-json.conf file according to apache documentation to extend and personalize it to your needs.

If you like it, vote for the channel
https://tchannels.me/c/linuxcheatsheet
http://www.telegramitalia.it/linuxcheatsheet/

Bye
G. Aprire / Come

2018-01-10 19:28:48 [NGINX] Do you need to resize images on the fly on your web server? Try nginx image filter
With this module you will be able to resize images on the fly before serving them. For example you can use it to generate thumbnails for your site.
Have a look at this small configuration example nginx.conf. You can also manipulate the image with some simple filters, like rotate or transparency.
You can also take advantage of this module to create a frontend proxy that will resize images stored in another web server, for example you may have static images put into an AWS S3 bucket and use an EC2 instance with nginx to dynamically resize images (well, you can do it also with a lambda function, but that's another story).

I hope you found this useful! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye!
G. Aprire / Come

2018-01-09 00:11:50 [PERMISSIONS] Do you need to grant permission to a directory to multiple users in different groups? Try filesystem ACLs.
There are cases when normal UNIX filesystem permission are not enough granular to allow us setup a corrent grant.
For example you may have a directory that should be writable by your web server, and you want also to grant R/W permission to another user, maybe a batch job scheduled in cron, or by another process running as a different user. Or another example is when you have a Samba Server accessed by multiple users through a network, and you want to share a directory between users belonging to different groups.
With standard UNIX filesystem permissions all you can do is chmod 0777 dirname (or equivalent chmod ugo+rwx dirname) but doing it you are opening that directory to everyone can access the server, and this is something you should avoid. Instead of doing that, let mount your filesystem with acl option in fstab (ext4 and btrfs support this option).
Then use setfacl and getfacl commands (see man page) to setup additional permission on a directory or file. Look at getfacl.txt for a brief example.

I hope you found this useful! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye!
G. Aprire / Come

2018-01-07 17:04:48 [DOCKER] What about the networking in Docker using the default network type bridge?
If you are running multiple instances of Docker containers on the same server, you may need to know on which server network interface each container is attached.
When you run ifconfig on the host server you see a lot of interfaces called veth*. Those interfaces are mapped 1:1 to each Docker container in execution.
How to know which interface is bound to each container?
Let's say that
[cheats@telegram ~]$ docker ps
CONTAINER ID IMAGE
470f1bc223ff nginx:alpine
255b4a5bf2ed nginx:alpine
[cheats@telegram ~]$
(I shortened the output of docker ps to fit in a mobile phone)
And You also have
[cheats@telegram ~]$ ifconfig | grep ^veth | cut -d ":" -f 1
veth27478e0
vethcfb7e2d
[cheats@telegram ~]$
If You do
[cheats@telegram ~]$ docker exec -ti 470f1bc223ff cat /sys/class/net/eth0/iflink
12
[cheats@telegram ~]$
you will find the link number of the interface inside the container. To map it to the one running on the host, from the server running Docker, simply search for that number in the ifindex file of each interface
[cheats@telegram ~]$ grep -lxG 12 /sys/class/net/veth*/ifindex
/sys/class/net/vethcfb7e2d/ifindex
Now you discovered that your Docker container is attached to vethcfb7e2d. You can use this information for different purposes. I personally find it useful to do a tcpdump on that interface to be able to check the i/o traffic of a specific container (usually for debug).

I hope you found this useful! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye!
G. Aprire / Come

2018-01-07 01:14:34 [CURL] Are you scripting with curl and do you need to login to a website before doing some operation on a particular page?
You may need a mix of the following features of curl:
- UserAgent declaration. list of user agents
Some web sites won't allow you interaction or present a captcha if you don't set a common browser (e.g. firefox) UA
- Cookie management
You usually need to store and present the correct cookies to be logged to a page
- Content Type declaration
Normally when you do a POST with some data you must submit it as "x-www-form-urlencoded"

A typical curl usage can be
curl -A "UserAgent string foobar browser" -c /tmp/cookies.txt -L https://www.yourwebsite.com/login.php
curl will create a 'cookie-jar' at /tmp/cookies.txt where it stores all cookies received from the yourwebsite. Then you can use in your script a command like: curl -A "UserAgent string foobar browser" -c /tmp/cookies.txt -b /tmp/cookies.txt -L https://www.yourwebsite.com/anotherpage.php
to pass the cookies you saved on another page to have the correct interaction.
Last but not least consider using method POST to send login information to the page you want to interact with (i.e. login.php), like
curl -s -L -k -A "UserAgent string foobar browser" -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "variablename=variablevalue" -c /tmp/cookies.txt -b /tmp/cookies.txt https://www.yourwebsite.com/login.php
To get a list of valid variables in the web page you want to access, you may first attempt a manual login with Firefox, inspecting it with the Web Developers Tools (F12 key). Look at the 'Network' tab during a login and you can get a variable list and also retrieve a curl string to reproduce it.
Combining multiple curl in your script you can mimick a complete real login to a website and in most cases you will be able to automate your operations.

I hope you found this useful! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye!
G. Aprire / Come

2018-01-05 23:00:15 [MELTDOWN] Hi everyone, this is not a news channel, but it can be useful to have some tips on how to check if your Linux kernel has enabled KPTI feature against the Meltdown attack that everyone is talking about.
Use one of this methods:
1) [cheats@telegram ~]$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
it should return CONFIG_PAGE_TABLE_ISOLATION=y
2) [cheats@telegram ~]$ dmesg | grep 'page tables isolation'
should return Kernel/User page tables isolation: enabled
3) [cheats@telegram ~]$ dmesg | grep 'x86/pti'
should return x86/pti: Unmapping kernel while in userspace
4) [cheats@telegram ~]$ grep cpu_insecure /proc/cpuinfo
should return bugs : cpu_insecure

I was able to verify personally commands 1-3 on different servers with different linux versions (version 4 didn't work but it is reported to work on different websites).

If none of the above commands works please update your kernel. More information on Meltdown/Spectre: https://meltdownattack.com/

I hope you like it! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye
G. Aprire / Come

2018-01-05 17:06:20 [RATELIMITING] Do you expose an API through Nginx and you want to limit abuse or ratelimit it for of any reasons?
Try limit_req module http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
There is plenty of examples on how to implement it with $binary_remote_addr, that is, limit by remote IP address. This will equally distribute the traffic limit by incoming IP. But even more powerful is the possibility to replace $binary_remote_addr with virtually any variable that Nginx expose http://nginx.org/en/docs/varindex.html
I find especially useful to throttle by a particular HTTP header (look at var $http_ in doc), for example when the header exchanged with the application can identify an unique user, so that ratelimiting is splitted by user and not by remote ip address (that in some case, i.e. residential network connection, can be shared by more that one user).
It is very useful too when you combine ratelimiting with the URL of a login page to limit incoming password attempts (even before they are event sent to the underlying application, so preventing a bruteforce attack).
Check out the official documentation here: https://www.nginx.com/blog/rate-limiting-nginx/

I hope you like it! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye
G. Aprire / Come

2018-01-04 22:06:24 [COMPRESSION] File compression is one of the most common tasks done by many of us.
Different algorithms has been developed to do so, from the old good Zip to the modern 7zip/xz. One lesser know method is called Zstandard, and is available in main Linux distributions installing the zstd package.
It was developed by Facebook to be fast and to have a good compression ratio, you can find more information on their site: http://facebook.github.io/zstd/
If you want to use it with tar you can use the -I option to specify compression program:
tar -I zstd -cf archivename.tar.zst dir_to_compress/
I found it very useful in example when I have to compress huge log files, and move them across the Internet.

I hope you like it! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye
G. Aprire / Come

2018-01-03 17:35:41 [BROWSER CACHE] Modern browsers (and in particular Chrome family) cache a lot of informations.
Sometime you need a completely clean browser just to check that particular feature you deployed on a web site, and you can't delete cookies/cache from the browser you use for daily tasks. One method to do so is to enable 'privacy' mode in the browser, but this has some drawbacks because, at least with firefox, the privacy mode also enable options like 'do not track me'.
If you really want a disposable new browser, use:
chromium --user-data-dir=(temporary directory)
or
firefox -profile (temporary directory)
The below example script can launch both chromium and firefox with a clean profile and will destroy the temporary directory once you close it.
https://glot.io/snippets/ex0ogy9ymx

If you like it, please share my telegram channel: https://t.me/linuxcheatsheet
Bye
G. Aprire / Come