quickreference:unix

Differences

Old revision: quickreference:unix [2023/10/08 14:43] rodolico
New revision: quickreference:unix [2023/10/19 17:32] – [Rename Server] rodolico
Line 5: Line 5:
 ===== Systems Administration ===== ===== Systems Administration =====
  
-==== Rapidly wipe multiple hard drives ====+==== Partitioning large drives ====
  
-Nothing beats DBAN [https://dban.org/] in ease of use and feeling of good securityHoweverI recently had an issue where I had server with 7 slow hard disks containing data that really wasn't all that sensitive, so I simply wanted to put a bunch of zeros on itso I booted off of my SystemRescueCD thumbdrive [https://www.system-rescue.org/] and ran the following commands.+Drives greater than 2 Terabytes are not handled well by the standard //fdisk// application, so instead we use parted. Fun Fact!!! gparted is nice little GUI interface to thisButwe're dealing with command line stuff here. 
 + 
 +This assumes we have drive, sdg, that we want to set up with gpt and create one partition on. That partition will set up on optimal sector boundriesand use all of the space available.
  
 <code bash> <code bash>
 +# remove all old file system information. Not necessary, but I do it just because I can
 +wipefs -a /dev/sdg
 +# make this a gpt disk. Will wipe out any other partitioning scheme
 +parted /dev/sdg mklabel gpt
 +# make a new partition on optimal sector boundries. This is a primary partition, and starts
 +# at the beginning of the disk (0%) and goes to the end of the disk (100%)
 +# I put that in quotes as, from what I've read, the percent symbol does not work well
 +# within the bash command line
 +# note, we are not telling it what file system to use, so it defaults to Linux
 +parted -a optimal /dev/sdg mkpart primary '0%' '100%'
 +# display the information on the disk
 +parted /dev/sdg print
 +# format as ext4, no reserved space, and a disk label marked 'backup'
 +mkfs.ext4 -m0 -Lbackup /dev/sdg
 +
 +</code>
 +==== Rapidly wipe multiple hard drives ====
 +
 +Nothing beats DBAN [https://dban.org/] in ease of use and a feeling of good security. However, I recently had an issue where I had a server with 7 slow hard disks containing data that really wasn't all that sensitive, so I simply wanted to put a bunch of zeros on it, so I booted off of my SystemRescueCD thumbdrive [https://www.system-rescue.org/] and ran the following bash script. Should work in any shell which has the //for// command, however.
 +
 +<code bash wipedrives.sh>
 +#! /usr/bin/env bash
 +
 # for truly not sensitive information, this command wipes all the OS information # for truly not sensitive information, this command wipes all the OS information
-for drive in a b c d e f g do wipefs -a /dev/sd$drive done+for drive in a b c d e f g 
 +do 
 +   wipefs -a /dev/sd$drive 
 +done
 # but, to really remove in a way that takes tons of effort to recover, do this also # but, to really remove in a way that takes tons of effort to recover, do this also
-for drive in a b c d e f g ; do echo Cleaning sd%drive ;  dd if=/dev/zero | pv -petrs 580G | dd of=/dev/sd$drive done+for drive in a b c 
 +do 
 +   echo Cleaning sd%drive 
 +   dd if=/dev/zero | pv -petrs 580G | dd of=/dev/sd$drive 
 +done
 </code> </code>
  
-I then realized I had 7 drives which should be able to be accessed in parallel, and also the dd will wipe all the fs signatures anyway, so I changed my command to.+I had 7 drives to wipe, and this takes about 5 hours per drive, so a total of 35 hours. realized I could probably run all 7 processes in parallel since, on my system, the drive controller is a lot faster than any individual drive So I decided to use the //screen// command and see if I could make that work.
  
-<code bash> +<code bash wipedrives2.sh> 
-for drive in a b c d e f g do screen dd if=/dev/zero of=/dev/sd$drive status=progress ; done+#! /usr/bin/env bash 
 + 
 +for drive in a b c d e f g 
 +do 
 +   screen -dmS sd$drive bash -c "dd if=/dev/zero | pv -petrs 580G | dd of=/dev/sd$drive
 +done
 </code> </code>
  
-Note: have not done the parallel one yet. I'waiting for the previous command to finishwhich is estimated to take about 35 hours (5 hours per drive)I'll update this with the results of trying the parallel method when I do.+Basically, we're using a bash for loop to grab all the drive names (just used the last letter), running screen and immediately detaching the new process after telling it to run //bash -c// and the command after it in quotes (so it would not interpret the pipes in our current, non-screen shell). I'running this right nowand //pv// is predicting it will be done in 11.5 hours, or less than a third of the timeBUT, it is really heating up the office with 7 drives being continuously written to at the same time.
  
-Haven'done this yetThe +**Warning**: When SystemRescueCD boots, it tries to assemble any mdadm (software RAID) arrays, and since they are locked, //dd// and //wipefs// won'be able to write to them (maybe)In that case, do the following: 
 + 
 +<code bash> 
 +# find any mdadm volumes running on Linux 
 +cat /proc/mdstat 
 +# assuming it showed you md127 was running (normal) 
 +mdadm --stop /dev/md127 
 +# it should stop the MD array and make the individual drives accessible 
 +</code>
  
 ==== Check SSL Cert Expiration Date ==== ==== Check SSL Cert Expiration Date ====
  
-Ever wondered when your SMTP SSL Certificates are up for renewal? A quick and dirty way of doing it from the command line was shown at [https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628].+Ever wondered when your SMTP SSL Certificates are up for renewal? What DNS entries your certificates have? A quick and dirty way of doing it from the command line was shown at [https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628] and [https://stackoverflow.com/questions/13127352/how-to-check-subject-alternative-names-for-a-ssl-tls-certificate]
  
-Note: the discussion covered other things, and is well worth a 5 minute read.+Note: the discussions covered other things, and are well worth a 5 minute read. 
 + 
 +This is a quick and dirty that will get the certificate (and a lot of other stuff), but the certificate is in its MIME encoded format. 
 + 
 +<code bash> 
 +printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:25 -starttls smtp 
 +</code> 
 + 
 +This basically makes a connection to smtp.example.com on port 25, issuing a starttls, then sends the //quit// command which logs out. The openssl command retrieves the  the entire conversation, which includes the certificate, and displays it on the  
 + 
 +You can do the same thing for other ports, like 587 for submission. If you want to test the SSL port (465), just remove the //-starttls smtp// from the command: 
 + 
 +<code bash> 
 +printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:465 
 +</code> 
 + 
 +If you want to test an IMAP server, you need to send it a different logout (the first line). To log out of it, you need //a1 logout// followed by a line return, so 
 + 
 +<code bash> 
 +printf 'a1 logout\n' | \ 
 +openssl s_client -connect mail.example.com:143 -starttls imap 
 +</code> 
 + 
 +Again, connecting to imaps (port 993), you just don't do the starttls 
 + 
 +<code bash> 
 +printf 'a1 logout\n' | \ 
 +openssl s_client -connect mail.example.com:143 -starttls imap 
 +</code> 
 + 
 +And, finally, to look at a web site certificate, use port 443, and simply a line return, but you need to put in the server name on systems which have more than one web site (virtual hosting). Do that with the //-servername// flag. 
 +<code bash> 
 +printf "\n" | \ 
 +openssl s_client -showcerts -servername web.example.com -connect web.example.com:443 
 +</code> 
 + 
 +All the above is well and good, but it would be nice to decode the certificate, wouldn't it? Well, openssl has a command that will allow you to inspect a certificate using the //openssl x509// subcommand. For additional information, see //man openssl-x509//. We want the -noout flag to keep our dump clean (prevents the output of the encoded version of the certificate) 
 + 
 +=== Dump the certificate === 
 + 
 +Turning the certificate into something a human can read is done with the command //-text// flag, so let's pipe the output of the previous command to that. 
 + 
 +<code bash> 
 +printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
 +openssl x509 -text -noout 
 +</code> 
 + 
 +If you want to find what names the certificate is valid for, they are on a line which contains the text DNS, so grepping the output of the above will give you what you need without reading the whole thing. 
 + 
 +<code bash> 
 +printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
 +openssl x509 -text -noout | \ 
 +grep DNS 
 +</code> 
 + 
 +=== Get Dates === 
 + 
 +You could use //grep// to find the expiration date of a certificate 
 + 
 +<code bash> 
 +printf 'quit\n' | \ 
 +openssl s_client -connect smtp.example.com:25 -starttls smtp | \ 
 +openssl x509 -text -noout | \ 
 +grep 'Not After :' 
 +</code> 
 + 
 +But, the openssl x509 has a special flag for that, //-dates//, so it is simpler to write it as
  
 <code bash> <code bash>
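Review bot: in the new "Partitioning large drives" block, `mkfs.ext4 -m0 -Lbackup /dev/sdg` formats the whole disk rather than the partition that the preceding `mkpart` created, which overwrites the GPT label and partition table the block just built; the target should be the first partition, e.g. `mkfs.ext4 -m0 -L backup /dev/sdg1`, and the comment could tell the reader to confirm the partition number from the `parted /dev/sdg print` output first. Other problems in this hunk: the `wipedrives2.sh` line `screen -dmS sd$drive bash -c "dd if=/dev/zero | pv -petrs 580G | dd of=/dev/sd$drive` has no closing double quote, so bash will reject the script; `echo Cleaning sd%drive` should be `sd$drive`; the second loop in `wipedrives.sh` runs over `a b c` while the `wipefs` loop covers `a b c d e f g`, so four of the seven drives would be signature-wiped but never zeroed, and the text should say so if that is intended; the imaps example under "connecting to imaps (port 993), you just don't do the starttls" repeats the port-143 `-starttls imap` command instead of `openssl s_client -connect mail.example.com:993` with no `-starttls`; and the sentence "The openssl command retrieves the the entire conversation ... displays it on the" has a doubled "the" and is cut off. Minor: `pv -petrs 580G` hardcodes the size, so the ETA is only right for drives of exactly that size; `blockdev --getsize64 /dev/sd$drive` would give the per-drive value.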
Line 38: Line 153:
 </code> </code>
  
 +=== Other ===
 +
 +Again, //man openssl-x509// gives you more than I'm showing here under the Display Options section, but just a brief list of some interesting flags.
 +-serial - the serial number of the certificate
 +-subject - Subject Name
 +-issuer - Issuer Name
 +-startdate - beginning date of certificate (notBefore)
 +-enddate - expiry date of certificate (notAfter)
 ==== Rename Server ==== ==== Rename Server ====
  
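Review bot: the flag list added under "=== Other ===" is plain text lines, while the rest of the page uses `  * ` bullets for lists (see the reference list at the bottom), so it renders as a single run-on paragraph in DokuWiki; format the five `-serial` ... `-enddate` entries as bullets. It would also help to repeat that these display flags should be combined with `-noout`, as the text above states, otherwise each command also prints the PEM body.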
Line 50: Line 173:
 <code bash> <code bash>
 # change the host name, and the postfix name if that is installed # change the host name, and the postfix name if that is installed
-sed -i.old 's/oldname/newname/g' /etc/hostname /etc/hosts /etc/mailname /etc/postfix/main.cf+sed -i.old 's/oldname/newname/g' 
 +   /etc/hostname 
 +   /etc/hosts 
 +   /etc/mailname 
 +   /etc/postfix/main.cf 
 +   /etc/camp/sysinfo-client/sysinfo-client.yaml \ 
 +   /etc/msmtprc
 /etc/init.d/hostname.sh start /etc/init.d/hostname.sh start
 # update the aliases, if they exist # update the aliases, if they exist
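Review bot: the reworked `sed -i.old 's/oldname/newname/g'` command is split across seven lines but only `/etc/camp/sysinfo-client/sysinfo-client.yaml \` carries a line continuation, so the shell runs `sed` with no file arguments (it will sit reading stdin) and then tries to execute `/etc/hostname`, `/etc/hosts`, `/etc/mailname` and `/etc/postfix/main.cf` as commands; every line except the last needs a trailing `\`. Also worth a sentence in the text: `s/oldname/newname/g` is an unanchored substring match applied to all of these files, so a short old hostname can rewrite unrelated entries in `/etc/hosts` or `main.cf`; the `.old` backups from `-i.old` are the way to check and revert.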
Line 370: Line 499:
   * https://docs.nextcloud.com/server/18/user_manual/files/access_webdav.html   * https://docs.nextcloud.com/server/18/user_manual/files/access_webdav.html
   * https://www.cyberciti.biz/faq/create-a-freebsd-swap-file/   * https://www.cyberciti.biz/faq/create-a-freebsd-swap-file/
 +  * https://www.mybluelinux.com/test-imap-with-telnet/
 +  * https://serverfault.com/questions/131627/how-to-inspect-remote-smtp-servers-tls-certificate#131628]
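Review bot: the added serverfault reference ends with a stray `]`, which DokuWiki will treat as part of the bare URL and produce a broken link; drop the bracket. This URL is also already given inline in the "Check SSL Cert Expiration Date" section, so the stackoverflow link cited next to it there should probably be listed here as well for consistency.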
  
quickreference/unix.txt · Last modified: 2024/03/04 15:54 by rodolico