For Debian and CentOS
Table of contents:
- Interfaces
- Routing
- Firewall(iptables)
- IPs and Ports
- Services
- Users and Groups
- Package Management
- ipmitool
- Other system commands

INTERFACES

- Show physical (or virtualized) network cards:
    lspci | grep -i Ethernet

- Show interfaces:
    ip link
    ip addr             # To also show the IPs associated
    ip addr show eth0   # To only print the address of a certain interface
  If you do not see your interface in ip link, you can check for errors in dmesg.

- Check interface for link and speed:
    mii-tool eth0   # Requires root permissions
  Returns something like:
    eth0: negotiated 1000baseT-HD flow-control, link ok
  This translates to a Gigabit connection (1000baseT-HD) with a cable plugged in (link ok). You can also check for these values without root permissions by looking into:
    grep . /sys/class/net/eth0/{carrier,speed}
  If carrier is 1, then you have a cable plugged in. The speed might be 0 when it's unknown. operstate might also give you a hint if the cable is plugged in or not. You can also use ethtool for this (if you don't mind installing a new tool).

- Manage interface with the ip command:
    # Assign an IP to an interface:
    ip addr add 192.168.0.2/24 dev eth0
    # Delete an IP from an interface:
    ip address del 192.168.220.26/24 dev eth0
    # Bring the interface up & down
    ip link set ens3 down
    ip link set ens3 up

- Create VLAN:
  Make sure that the kernel module 8021q is loaded:
    modprobe 8021q
  Then create new VLAN interfaces by running:
    ip link add link eth0 name eth0.1 type vlan id 1
  Then you can simply use it as a normal interface.
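
The sysfs check from "Check interface for link and speed" above, wrapped in a function that also reads operstate and copes with unreadable or unknown values. This is an added example, not part of the original page; the function name link_state and its optional second argument (an alternative sysfs directory, useful for testing) are assumptions.

```shell
# link_state IFACE [SYSFS_NET_DIR]
# Prints one summary line; returns 0 if a link is detected, 1 if not
# (or unknown), 2 if the interface does not exist.
# Usage: link_state eth0
link_state() {
    iface=$1
    dir=${2:-/sys/class/net}/$iface
    if [ ! -d "$dir" ]; then
        echo "$iface: no such interface (check dmesg for driver errors)"
        return 2
    fi
    # Reading carrier or speed fails (EINVAL) while the interface is
    # administratively down, so a failed read is reported as "unknown".
    carrier=$(cat "$dir/carrier" 2>/dev/null) || carrier=unknown
    speed=$(cat "$dir/speed" 2>/dev/null) || speed=unknown
    operstate=$(cat "$dir/operstate" 2>/dev/null) || operstate=unknown
    # Drivers report 0 or -1 when the speed is not known.
    case $speed in
        unknown|0|-1) speed=unknown ;;
        *) speed="${speed}Mb/s" ;;
    esac
    case $carrier in
        1) link=up ;;
        0) link=down ;;
        *) link=unknown ;;
    esac
    echo "$iface: link=$link speed=$speed operstate=$operstate"
    [ "$link" = up ]
}
```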

ROUTING

- Show routing table:
    netstat -rn
  or
    ip route list
  or
    route -n   # Requires root

- List routing table entries for a specific table:
    ip route list table 200
  The default table name is main, but you can have more than one table. In this case the table name is "200". You can then use rules to specify which routing table should be applied.

- Add routing table entry:
  The following routing directive tells the kernel that every packet going to the 192.168.100.X network needs to be forwarded through the 10.9.8.1 gateway, via the tun1 device.
    route add -net 192.168.100.0 gw 10.9.8.1 netmask 255.255.255.0 dev tun1

- Remove routing table entry:
  To remove an entry (like the one above) you can run:
    route del -net 192.168.100.0 gw 10.9.8.1 netmask 255.255.255.0 dev tun1

- Show list of rules:
    ip rule list

- Add route to table:
  This adds a new routing instruction to table 200:
    ip route add default via 10.1.0.1 dev tun3 table 200
  To delete the routing instruction, simply replace add with delete. On OpenBSD you can use something like:
    route add -mpath default 192.168.122.1

- Add rule:
  This adds a new rule saying that traffic coming from 192.168.1.0/24 should be handled by the routing table with name "200":
    ip rule add from 192.168.1.0/24 table 200
  To delete the rule, simply replace add with delete.

FIREWALL (iptables)

- Show firewall rules:
    iptables -nvL --line-numbers
    iptables -nvL --line-numbers -t nat

- Delete firewall rule:
    iptables -D FORWARD 11   # Deletes rule 11 from the FORWARD chain

- Insert firewall rule at position (rules are applied in order):
    iptables -I INPUT 2 -s 202.54.1.2 -j DROP   # Inserts the rule at position 2

- Forward traffic from/to VPN tunnel:
    iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 10.9.8.0/24 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE

IPs and Ports

- List active internet connections (servers and established):
    netstat -atnp

- Check if someone is listening on port 25:
    netstat -atnp | grep -w 25

- Check if you can connect to 127.0.0.1/3306:
    timeout 1 bash -c "cat < /dev/null > /dev/tcp/127.0.0.1/3306" 2>/dev/null; echo $?
  An exit code of 0 means that it was able to connect, and 1 means that it could not connect in the given timeout of 1 second.

- Convert IP to domain and domain to IP:
    host 192.168.0.181                   # Converts this IP to a domain
    dig +short myserver.mydomain.ext     # Returns the list of IPs
    host -a myserver.mydomain.ext        # DNS records like NS, CNAME, TXT (and also A - IPv4 IPs)
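
grep -w 25 matches the word 25 anywhere on the line, so it also hits a PID or an address octet. The added example below (not from the original page) matches only the port in the Local Address column of netstat -atnp output for sockets in LISTEN state, and reports whether each listener is bound to all interfaces or to loopback. The function names and the sample lines are constructed for illustration.

```shell
# Constructed sample of `netstat -atnp` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      812/master
tcp        0      0 127.0.0.1:2525          0.0.0.0:*               LISTEN      25/smtp-test
tcp        0      0 192.0.2.10:22           198.51.100.25:51514     ESTABLISHED 1450/sshd: admin
tcp6       0      0 ::1:25                  :::*                    LISTEN      812/master
EOF
}

# listeners_on_port PORT
# Reads `netstat -atnp` output on stdin and prints, for every TCP socket in
# LISTEN state whose local port is exactly PORT: address, bind scope, PID/program.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is field 4; the port follows the last colon,
            # which also holds for IPv6 forms such as :::25 or ::1:25.
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::")
                scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback"
            else
                scope = "specific"
            print addr, scope, $7
        }'
}

# On a live system: netstat -atnp | listeners_on_port 25
```

On the constructed sample, grep -w 25 returns four lines while listeners_on_port 25 returns only the two real listeners.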

Services (daemons)

- List available services:
    # Debian
    ls -la /etc/init.d/
    # CentOS
    systemctl

- Status:
    # Should work on both Debian and CentOS
    service mysql status
    # Debian
    /etc/init.d/mysql status
    # CentOS
    systemctl status mysqld

- Start:
    # Should work on both Debian and CentOS
    service mysql start
    # Debian
    /etc/init.d/mysql start
    # CentOS
    systemctl start mysqld

- Stop:
    # Should work on both Debian and CentOS
    service mysql stop
    # Debian
    /etc/init.d/mysql stop
    # CentOS
    systemctl stop mysqld

- Restart:
    # Should work on both Debian and CentOS
    service mysql restart
    # Debian
    /etc/init.d/mysql restart
    # CentOS
    systemctl restart mysqld

- Enable (set to start at boot):
    # Debian
    update-rc.d mysql enable
    # CentOS
    systemctl enable mysqld
    # CentOS old
    chkconfig mysqld on
    # Arch (openrc) - adds to boot runlevel
    rc-update add docker boot

- Disable (prevent start at boot):
    # Debian
    update-rc.d mysql disable
    # CentOS
    systemctl disable mysqld
    # CentOS old
    chkconfig mysqld off
    # Arch (openrc) - removes from runlevel
    rc-update del docker boot

Users and groups

- To manage users on your system run:
    # 1. Adding a user:
    useradd user1
    # or this, in order to automatically create the home directory (usually in /home):
    useradd user1 -m
    # To also set bash as the shell for your new user, use:
    useradd user1 -m -s /bin/bash
    # Remove a user from the system:
    userdel user1
    # 2. Adding an existing user to a group:
    usermod -a -G developers samuel
    # Remove a user from a group:
    gpasswd -d samuel developers
    # Change the username:
    usermod -l newUserName1 user1
    # 3. Show the list of groups that a user is a member of:
    groups user1

- To manage groups on your system:
    # To list all available groups you can run:
    cut -d: -f1 /etc/group
    # To add a new group run:
    groupadd group1
    # To remove a group run:
    groupdel group1
    # To rename a group run:
    groupmod -n group1NewName group1

Package Management

Moved to: /kb/linux/software_packages

ipmitool

    # Open Serial Over LAN (SOL) mode
    ssh -t server1 IPMI_PASSWORD=s3cr3t ipmitool -H 192.168.0.7 -U admin -E -I lanplus sol activate
    # Set next boot flag, to boot into BIOS
    IPMI_PASSWORD=s3cr3t ipmitool -H 192.168.0.7 -U admin -E chassis bootdev bios
    # Reset the machine
    IPMI_PASSWORD=s3cr3t ipmitool -H 192.168.0.7 -U admin -E chassis power reset
    # Reset/reboot the BMC (IPMI device) if it is not stable.
    # It should stop replying to ping for a while.
    IPMI_PASSWORD=s3cr3t ipmitool -H 192.168.0.7 -U admin -E bmc reset cold

Other system commands

To see when the system was installed you can check when the / partition (filesystem) was created using (requires root):
    tune2fs -l $(df / | tail -n 1 | awk '{print $1}') | grep "Filesystem created:"

To set the hostname of a certain computer you can:
    # On CentOS:
    hostnamectl set-hostname blecs
    # On Debian:
    echo "blecs" > /etc/hostname
    /etc/init.d/hostname.sh stop
    /etc/init.d/hostname.sh start

Remember that you have to restart bash, in order to have it load