Colorize terminal output and log files with CCZE

CCZE is a fast log colorizer written in C, intended as a replacement for other terminal colorizers such as colorize (written in Perl) and grc/grcat (written in Python). CCZE is much faster than its predecessors and comes with twenty preset profiles for things like exim, fetchmail, apache, postfix, php and syslog log files. CCZE can also colorize your terminal input if you add the -A parameter.

Usage

ccze /var/log/foobar.log

As usual you can pipe the output into more (or less 😉):

ccze /var/log/foobar.log | more

For less, don’t forget to add the -R option so that ANSI color sequences are interpreted:

tail -n 50 /var/log/foobar.log | ccze -A | less -R

Increase the maximum number of file descriptors

List the maximum number of open file descriptors

You can use the following command:

# sysctl fs.file-max

Or

# cat /proc/sys/fs/file-max

Increase the file-max value

# sysctl -w fs.file-max=100000

To make the change permanent:

# vi /etc/sysctl.conf
fs.file-max = 100000

Don’t forget to run sysctl -p to reload the settings file.

User-level FD limits

Besides the system-wide maximum, there are also two limits (hard and soft) per user account. You can check these values with ulimit like this:

# ulimit -Hn
# ulimit -Sn

You can override these values for a specific user if needed in the /etc/security/limits.conf file. To list the processes holding the most file descriptors, use this snippet:

lsof +c 15 | awk '{printf("%15s  (%s)\n", $1, $2)}' | sort | uniq -c | sort -rn

Restrict SSH login to a single command

One of OpenSSH’s coolest features is the ability to force a command for a given SSH key. You can use this to create limited access for demos, monitoring tools, administration tasks and backup processes.

Command without arguments

This is the simplest case: you want to restrict the user to a single command without any arguments. This is achieved with the command= option in the authorized_keys file, like this:

command="/usr/bin/command",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB...YrAFnVw== foobar_public_key

Note that in addition to enforcing the command, I also disabled terminal allocation and a number of advanced SSH features, such as TCP and X11 forwarding.

Command with fixed arguments

Same as before, just put the complete command line in the command= block. For example with rsync:

command="rsync --server --delete -logDtpre.iLsf . ~/foobar",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB...YrAFnVw== foobar_public_key

Or if you use rsync in daemon mode:

command="rsync --server --daemon .",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB...YrAFnVw== foobar_public_key

Command with arbitrary arguments

Authorizing arbitrary arguments is a little more complicated. This is where the environment variable $SSH_ORIGINAL_COMMAND comes in. When a forced command is in effect, OpenSSH stores the command the user originally requested in this variable. By forcing the user into a custom shell script that parses the content of $SSH_ORIGINAL_COMMAND, you can authorize a specific command with arbitrary arguments:

#!/bin/sh
# /usr/local/bin/limitssh.sh

# Split the requested command line into words, without globbing.
set -f
set -- $SSH_ORIGINAL_COMMAND
set +f

# Only the expected program name is accepted as the first word;
# anything else ends the session.
case "$1" in
  /usr/bin/command)
    shift
    ;;
  *)
    exit 1
    ;;
esac

# Run the allowed program with the remaining words as its arguments.
exec /usr/bin/command "$@"

Then modify your authorized_keys file like this:

command="/usr/local/bin/limitssh.sh $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB...YrAFnVw== foobar_public_key

It is important to be aware of potential security issues here, such as the user escaping to a shell prompt from the allowed command. Therefore I recommend that you always disable the user terminal (no-pty option) and never use this technique with complex commands like rsync.

Multiple commands

You can modify the script to authorize multiple commands instead of one. Keep in mind that this solution is a bit of a patch-up job and you should really consider using a more robust restricted shell instead:

#!/bin/sh
# /usr/local/bin/limitssh.sh

# Match the whole requested command line, so that multi-word entries
# such as "apache stop" can be recognized.
case "$SSH_ORIGINAL_COMMAND" in
	"ps")
		ps -ef
		;;
	"vmstat")
		vmstat 1 100
		;;
	"apache stop")
		/etc/init.d/apache2 stop
		;;
	"apache start")
		/etc/init.d/apache2 start
		;;
	*)
		exit 1
		;;
esac
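
A stricter version of the wrapper, as an added example that is not part of the original post: it matches the whole command line, allowlists the characters of every user-supplied argument, rejects leading dashes and dots, and logs rejected requests with logger so they can be monitored. The command names, the /srv/backup path and the tar invocation are hypothetical.

```shell
#!/bin/sh
# Added example (not the page's script): a stricter forced-command wrapper.
# Hypothetical policy: the key may run "status" (no arguments) or
# "backup <name>", where <name> is a plain file name under /srv/backup.

# validate_arg: accept only a conservative character set and reject names
# that start with "." (hidden files, "..") or "-" (would be parsed as an option).
validate_arg() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*|.*|-*) return 1 ;;
  esac
  return 0
}

# dispatch STRING: map an SSH_ORIGINAL_COMMAND value to the argv to execute.
# Prints the argv on success and returns 1 on anything else. Every word in
# the output has passed validation, so re-splitting it later is safe.
dispatch() {
  set -f                       # no globbing while splitting the user string
  set -- $1
  set +f
  case "$1" in
    status)
      [ $# -eq 1 ] || return 1
      echo "/usr/bin/uptime" ;;
    backup)
      [ $# -eq 2 ] || return 1
      validate_arg "$2" || return 1
      echo "/bin/tar -czf - -C /srv/backup $2" ;;
    *)
      return 1 ;;
  esac
}

# Act as the forced command only when sshd supplied the original command,
# so the file can also be sourced for testing without executing anything.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if argv=$(dispatch "$SSH_ORIGINAL_COMMAND"); then
    set -f; set -- $argv; set +f
    exec "$@"
  fi
  # Log the rejection for monitoring; the client address comes from sshd.
  logger -p auth.warning -t limitssh "rejected command from ${SSH_CLIENT%% *}" 2>/dev/null
  exit 1
fi
```

Reference it from authorized_keys as command="/usr/local/bin/limitssh.sh" together with the same no-pty and no-*-forwarding options as above.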

[Bash] Bash history tips

Changing bash history length

To increase the length of your command history, simply redefine the HISTFILESIZE variable in your .bash_profile. For example:

HISTFILESIZE=2000

will quadruple the default value.

Checking bash history

Everybody knows the standard history command, but did you know that this command can take options?

For example, to display only the last 5 commands:

history 5

To write the current history list to a file:

history -w /tmp/foobar.txt

There are a ton of other options for modifying or filtering the output, built into the history command.

Disable bash history

Setting the HISTFILESIZE variable to zero will disable the bash history file completely. Having the history file disabled does not affect command recall within the current session.

Executing commands from bash history

Just give the command number. For example, for the 51st command:

!51

For the last command use the shortcut: !!.

Dealing with multiple bash sessions

By default, bash writes its history at the end of each session, overwriting the existing file with an updated version. This means that if you are logged in with multiple sessions, only the last one to exit will have its history saved.

To bypass this limitation you can add the following to your .bashrc:

shopt -s histappend

Unlimited bash history

Beware: an unlimited bash history can slow down your session.
If you want an unlimited bash history you can modify your .bash_profile like this:

# Unlimited bash history setting
# http://stackoverflow.com/questions/9457233/unlimited-bash-history
export HISTFILESIZE=
export HISTSIZE=
export HISTTIMEFORMAT="[%F %T] "
# Change the file location because certain bash sessions truncate .bash_history file upon close.
export HISTFILE=~/.bash_unlimited_history

What is the difference between HISTSIZE and HISTFILESIZE?

HISTSIZE is the number of lines or commands that are stored in memory in a history list while your bash session is ongoing.

HISTFILESIZE is the number of lines or commands that are allowed in the history file when a session starts, and that are written to the history file at the end of your bash session.

Saidar – an ncurses tool for viewing system statistics

saidar is a curses-based tool for viewing the system statistics available through libstatgrab. As libstatgrab provides an abstraction layer for retrieving this information, saidar can be used on multiple operating systems (Solaris 2.x, GNU/Linux, FreeBSD, NetBSD, OpenBSD, HP-UX).

Statistics include CPU, processes, load, memory, swap, network I/O, disk I/O and file system information. To launch saidar, simply type its name:

# saidar

The refresh delay is 3 seconds by default and can be changed using the -d parameter. You can also add color to the output using the -c option.

[Redhat] chkconfig

The chkconfig utility is a command-line tool for Red Hat and Red Hat-based distributions that allows you to specify in which runlevels a selected service starts, and to list all available services along with their current settings.

List all services

To display a list of the services from the /etc/rc.d/init.d/ directory and of the services controlled by xinetd, type either chkconfig --list or chkconfig with no additional arguments.

Enabling or disabling a given service

# chkconfig <service_name> <on|off>

For example, to enable postfix:

# chkconfig postfix on

By default chkconfig uses the header of the init script to determine in which runlevels the script should be enabled or disabled.

You can override this behavior with the --level option. For instance, to enable the abrtd service in runlevels 3 and 5:

# chkconfig abrtd on --level 35

Do not use the --level option for services managed by xinetd.

Add a ‘custom’ service

You must add a chkconfig header line to your init script. For example:

# chkconfig: 2345 90 60

The first argument lists the runlevels in which to start the service. The second argument is the startup priority and the third the stop priority.

After that, add the init script:

chkconfig --add <my_script>
chkconfig <my_script> on

Check TCP/UDP port with netcat

netcat, usually abbreviated nc, is a network tool that reads and writes data across network connections using the TCP or UDP protocol. It’s a feature-rich tool that every admin should know.

Check TCP port

nc -zv 192.168.0.10 80
Connection to 192.168.0.10 80 port [tcp/http] succeeded!

Check UDP port

nc -zuv 192.168.0.10 123
Connection to 192.168.0.10 123 port [udp/ntp] succeeded!

Note that, contrary to TCP, UDP is a connectionless protocol. In theory, if a UDP port is formally “closed” (for example via an iptables REJECT rule), the destination host should respond with an ICMP Port Unreachable packet. But a lot of firewalls simply drop the probe silently, resulting in a false ‘succeeded’ result.

Scan a range of ports

To find all the open ports in a given range:

nc -zv 192.168.0.10 1-500 2>&1 | grep succeeded
Connection to 192.168.0.10 21 port [tcp/ftp] succeeded!
Connection to 192.168.0.10 22 port [tcp/ssh] succeeded!
Connection to 192.168.0.10 80 port [tcp/http] succeeded!

To run a pseudo-server on a given port:

nc -l -p 3873

Reverse SSH tunnel

Have you ever wanted to SSH to a host that sits behind a firewall doing NAT?
That’s possible with some trickery via a reverse SSH tunnel.

First, ask the NATed host’s administrator to SSH to our public-host relay server like this:

ssh -R 2222:localhost:22 user@<public-host>

This command opens port 2222 on the public host and redirects it to port 22 of the NATed host.

Then we simply connect to the public host as usual:

ssh user@<public-host>

and from there enter the SSH tunnel:

ssh localhost -p 2222

Make a file immutable

Native Linux filesystems (like ext2/3/4) have a pretty cool feature: file attributes. These attributes give you some control over how the kernel treats a particular file. The commands chattr and lsattr allow you to change and check these attributes.

One attribute that can be a life saver for system administrators is the ‘immutable’ one. When flagged ‘immutable’, no one, not even root, can change the file. This allows you to prevent any accidental modification. For example, let’s say we want to prevent any change to the /etc/shadow file:

# chattr +i /etc/shadow

When modifications are required, we simply remove the flag:

# chattr -i /etc/shadow

There are a lot of other attributes to play with. Check the chattr man page for more details on them.

IPMI on dedibox server

Check if your hardware is compatible

Most mid-range and all high-end models are IPMI compatible. To check whether your server is, log into the dedibox website, then: Quick access -> Server selection -> Hardware -> IPMI information and configuration. If the hardware is compatible, an IP is already assigned to the IPMI controller.

Under Access list -> Add IP address you can modify the IPs authorized to connect to the IPMI controller. The modification isn’t taken into account immediately, so you may have to wait a couple of hours.

Dedibox configuration

Under Debian the ipmitool package provides the appropriate modules and tools to send and receive IPMI commands. But before using it you have to load two kernel modules:

# modprobe ipmi_si
# modprobe ipmi_devintf

Don’t forget to add them to the /etc/modules file.

Then you must create an IPMI user:

# ipmitool -U root user set name 8 foobar
# ipmitool -U root user set password 8 foofoo
# ipmitool -U root user enable 8

Test your setup

You can check your setup using a simple status command:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis status

Serial Over Lan

SOL is a useful feature that gives you access to the server’s serial port over its IPMI network address. If you configure the server OS to run a tty on this physical interface, you can do a lot of interesting things, like gathering data to troubleshoot a crashed server or watching the server boot process live.

First modify the grub settings file /boot/grub/menu.lst and add these lines BEFORE the “AUTOMAGIC KERNELS LIST” section:

serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=15 serial console

Then replace the line

# defoptions=quiet

by

# defoptions=quiet console=tty0 console=ttyS0,9600n8

Don’t forget to run update-grub to apply the modifications.
Then modify the /etc/inittab file to add the serial interface to the getty entries:

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

Reboot the server. Now that you have a working tty on the serial port you can enable SOL like this:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX sol activate

Useful IPMI commands

Here is a short list of some of the most useful IPMI commands:

– Do a complete electrical reset (power off, wait, then power on):

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis power cycle

– Do a hardware power reset:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis power reset

– Do an ACPI reset:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis power soft

– Shutdown the server:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis power off

– Start the server:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis power on

– Get the server status:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis status

– Run a hardware self-check:

# ipmitool -I lanplus -U foobar -P foofoo -H XX.XX.XX.XX chassis selftest

Further Reading and sources