Sometimes you might need to add one or more lines of text to the top of an existing text file. Let ‘sed’ rescue you:
sed -i '1iSTUFF TO ADD' file.txtYou can add multiple lines (separated by \n) to multiple files at once:
sed -i '1iSTUFF TO ADD\nMORE STUFF' *.txtRight here:
/usr/lib/courier-imap/etc/...This proved to be useful in cleaning up a compromised site. List all the files created or modified within a certain time frame — in this case we are looking 30 days in the past:
find . -mtime -30 -type f -printIf you want to delete all files created/modified n days ago, you can do something like this:
find . -mtime -30 -type f -exec rm {} \;Or this:
find . -mtime -30 -type f -print0 | xargs -0 rmWhen cloning a Debian system, be sure to remove everything in:
/etc/udev/rules.d/*persistent-net.rulesThis will allow the new hardware to detect properly.
Normally you would use something like this:
du -k | sort -nr > sorted.txtBut the output is not pretty since we don’t like counting bytes. This will sort it in human readable format:
du -k | sort -nr | awk '
BEGIN {
split("KB,MB,GB,TB", Units, ",");
}
{
u = 1;
while ($1 >= 1024) {
$1 = $1 / 1024;
u += 1
}
$1 = sprintf("%.1f %s", $1, Units[u]);
print $0;
}
' > sorted.txtDetermine the nature of the attack (SYN, GET, ect):
netstat -nat | awk '{print $6}' | sort | uniq -cThe following will list all the IPs connecting to the server in order of most connections.
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1We can see which domains are most active (in the case of a GET style attack):
cd /usr/local/apache/domlogs/
ls -ltr |tail -50Then, we can see which IPs are active on a particular domain and take appropriate action (drop in firewall, ect):
cd /usr/local/apache/domlogs/
tail -f <domainname> | awk {'print $1'}If you are using a cpanel/WHM server then the MTA will be Exim by default.
Enable Mailheaders by running /scripts/easyapache script. After that, check the mail header using:
exim -Mvh <message id>From that you will able to find the source of spam.
Adaptec RAID cards have huge performance gains over other cards, but the management features in Linux stink. Really bad. If you don’t have a GUI installed, you cannot set up monitoring or alerts, but thankfully you can use a Windows machine to set this up remotely. Additionally, there are no .deb packages so we have to convert the .rpm to a .deb package.
Download the latest installer in RPM format:
sudo bash ### Dang it Debian! LOL
wget http://download.adaptec.com/raid/storage_manager/asm_linux_x64_v6_30_18507.rpm
Convert the .rpm to a .deb package and install it:
apt-get install alien
alien --scripts asm_linux_x64_v6_30_18507.rpm
dpkg -i storman_6.30-18508_amd64.deb
Start the ‘StorMan’ agent:
/usr/StorMan/StorMan.sh
Add the following to /etc/rc.local (before the ‘exit 0’ line) so it starts automatically as the included init script is broken miserably. Don’t forget the ampersand or else you’ll hang up the boot process:
/usr/StorMan/StorMan.sh &
Now you can remotely connect using a remote Windows or Linux GUI to check RAID status and set up email alerts. It’s painfully obvious Adaptec is catering to the Windows crowd on this one, but at least there’s a work around.
A very large disk array (hardware RAID) combined with LVM (Logical Volume Management) will give you a vast amount of flexibility. Without LVM, you’ll have to reboot the entire machine to realize the new space when adding RAID members. Using LVM, you can take advantage of OLE (On Line Expansion) and expand your existing volumes without rebooting. In this post, I discuss the creation of the initial VG (Volume Group), PV (Physical Volume) and LV (Logical Volume) which compose LVM. I’ll discuss OLE later in another post.
In this example, a large RAID array exists at /dev/sdb. There are no partitions on this disk; it is freshly created in the RAID card’s BIOS.
root@rj04:~# fdisk -l
...snip...
Disk /dev/sdb: 2977.4 GB, 2977474543616 bytes
255 heads, 63 sectors/track, 361990 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Disk /dev/sdb doesn't contain a valid partition table
1. Create a new PV (Physical Volume) on the new disk. This is the ‘top layer’ of LVM:
pvcreate /dev/hdb
2. Create a new VG (Volume Group) inside the new PV. This is the ‘middle layer’ of LVM:
vgcreate vg0 /dev/hdb
3. Create a new LV (full size). This is the ‘bottom layer’ of LVM where you can put your filesystems:
lvcreate -n lvol0 vg0 -L 2.70T
4. Create and format the filesystem. Remember to choose the correct block size (4k block size allows up to 8Tb size, which is enough for the max our array will expand to):
mkfs -t ext3 -m 0 -v -b 4096 /dev/vg0/lvol0
5. Add mount point, update fstab, and mount the new disk:
mkdir /data ## Create mount
echo "/dev/vg0/lvol0 /data ext3 defaults 0 2" >> /etc/fstab ## Make filesystem aware of the mount
mount /data ## Actually mount the disk
6. Verify your work:
root@rj04:~# df -h
Filesystem Size Used Avail Use% Mounted on
...snip...
/dev/mapper/vg0-lvol0
2.7T 202M 2.7T 1% /data
Absolutely essential in a shared hosting environment. This example is relevant to Apache 2.2.x.
#############
## Compile mod_ipconnlimit
cd /root
wget http://dominia.org/djao/limit/mod_limitipconn-0.23.tar.bz2
tar xjf mod_limitipconn-0.23.tar.bz2
cd mod_limitipconn-0.23
/usr/local/apache/bin/apxs -cia mod_limitipconn.c ### this needs to be redone after each apache recompile
## in WHM, add to apache Pre VirtualHost Include (all versions)
<IfModule mod_limitipconn.c>
# Set a server-wide limit of 10 simultaneous downloads per IP,
# except for image folders.
MaxConnPerIP 10
NoIPLimit image/*
NoIPLimit images/*
</IfModule>
##############