connect to wifi using terminal in ubuntu

1.Create file and add wifi name and creds (vi /etc/wpa_supplicant.conf)

# The passphrase is stored here in clear text: keep this file owned by root
# and readable only by root (mode 600).
# wpa_passphrase can generate a network block that holds the derived hex psk
# instead of the quoted passphrase.
network={
    ssid="ssid_name"
    psk="password"
}

2.Connect

# -B: run in the background, -i: wireless interface, -c: config file,
# -D: driver backend. wext is the legacy Wireless Extensions backend; on
# current kernels nl80211 is the usual choice (check what the adapter supports).
sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext
# Request an address over DHCP once the association is up.
sudo dhclient wlan0

More : https://askubuntu.com/questions/138472/how-do-i-connect-to-a-wpa-wifi-network-using-the-command-line

https://askubuntu.com/questions/294257/connect-to-wifi-network-through-ubuntu-terminal

sftp setup to restrict user to some /path

WHY?
– Secure access
– Secure path

# /sbin/nologin as login shell: the account cannot open an interactive shell.
adduser kool -s /sbin/nologin

#edit /etc/ssh/sshd_config and ADD

# Replace any existing "Subsystem sftp ..." line rather than adding a second one.
# Check the file with "sshd -t" before restarting sshd.
Subsystem sftp internal-sftp
# A Match block applies to every following line until the next Match or the
# end of the file, so keep it at the bottom of sshd_config.
   Match User kool
   # The chroot directory and every directory above it must be owned by root
   # and not writable by group or others, or sshd refuses the session.
   ChrootDirectory /opt/dir1/dir2
   # Always run the in-process SFTP server, whatever command the client asks for.
   ForceCommand internal-sftp
   # No forwarding, so the account cannot be used as a tunnel into the network.
   X11Forwarding no
   AllowTcpForwarding no


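# sshd checks only the chroot directory and its parent directories: each must
# be owned by root and not writable by group or others. No -R here: a recursive
# chown/chmod would take ownership of existing user data and mark every file
# world-readable and executable.
chown root:root /opt/dir1/dir2
chmod 755 /opt/dir1/dir2

# The user cannot write to the chroot root itself, so give them a private,
# writable directory inside it.
chown kool:kool /opt/dir1/dir2/kool
chmod 700 /opt/dir1/dir2/kool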

install openvas in centos8

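# NOTE(review): this turns SELinux off for the whole host, not only for OpenVAS.
# Confirm the installer really needs it; SELINUX=permissive keeps the denial
# log while you find out. The pattern is anchored so that only the SELINUX=
# setting is rewritten, not the explanatory comments in the file.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

reboot

dnf update

yum config-manager --set-enabled PowerTools
yum install epel-release

# The installer runs as root, so save it and read it before executing it
# instead of piping the download straight into sh. The URL is plain HTTP,
# which gives no integrity protection in transit; use an HTTPS source if the
# vendor provides one.
wget -q -O atomic-installer.sh http://www.atomicorp.com/installers/atomic
less atomic-installer.sh
sh atomic-installer.sh

yum install openvas

openvas-setup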

More : https://github.com/Atomicorp/gvm

  • Cronjob to update CVE database
# Daily feed refresh at 01:10, 02:10 and 03:10 (NVT, SCAP and CERT data).
# Only stdout is discarded; stderr is still handed to cron's mail. Read it:
# a sync that fails unnoticed leaves the scanner working from stale data.
10 1 * * * /usr/sbin/greenbone-nvt-sync > /dev/null
10 2 * * * /usr/sbin/greenbone-scapdata-sync > /dev/null
10 3 * * * /usr/sbin/greenbone-certdata-sync > /dev/null

Openvas API:


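# A password given with --gmp-password is visible in the process list and is
# saved in shell history. Leaving the option out should make gvm-cli prompt
# for it instead (confirm for your gvm-tools version).
gvm-cli --gmp-username USERNAME --gmp-password PASSWORD socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_tasks/>"

# The version query is sent here without credentials.
gvm-cli socket --sockpath /var/run/gvm/gvmd.sock --xml "<get_version/>"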

iptables port allow/block

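# Block port 8080.
# -A appends to the end of INPUT and the first matching rule wins: if an
# earlier rule already accepts this traffic, the DROP is never reached. Use
# "iptables -I INPUT 1 ..." to place the rule first.
iptables -A INPUT -p tcp --dport 8080 -j DROP

# Allow port 8080. Delete the DROP rule above first, otherwise it still
# matches before this appended ACCEPT.
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

# Delete a rule by repeating its exact specification with -D.
iptables -D INPUT -p tcp --dport 8080 -j DROP

# Delete a rule by line number: list INPUT with numbers, then pass the number
# shown for the rule (1 is only an example).
iptables -L INPUT -n --line-numbers
iptables -D INPUT 1

# List rules.
iptables -S
# Lists the chain named TCP; this fails unless such a user-defined chain exists.
iptables -S TCP
iptables -L INPUT
iptables -L INPUT -v

# Save the running rules so that they survive a reboot.
# NOTE(review): on CentOS this presumably needs the iptables-services package.
service iptables save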

Pod affinity, readiness, liveness in kubernetes

why:

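pod affinity: attracts pods with a matching label (the manifest below uses nodeAffinity, which places the pod only on nodes that carry the matching label).
readiness : checks that the pod is ready before any traffic is sent to it
liveness : checks that the container is still healthy; it is restarted when the check keeps failing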

# Show every node together with its current labels.
kubectl get nodes --show-labels

# General form.
kubectl label nodes <node-name> <label-key>=<label-value>

# disk=ssd is the label that the nodeAffinity rule in the Deployment selects on.
kubectl label nodes lp-knode-02 disk=ssd
kubectl label nodes lp-knode-02 nodename=lp-knode-02
# Single-replica httpd Deployment that is scheduled only onto nodes labelled
# disk=ssd and that defines a liveness and a readiness probe.
# NOTE(review): no securityContext is set, so the container runs with the
# image's default user and capabilities; confirm that is acceptable.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-affinity-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd-affinity
  template:
    metadata:
      name: httpd-affinity-deployment
      labels:
        app: httpd-affinity
        env: prod
    spec:
      affinity:
        nodeAffinity:
          # Hard requirement at scheduling time: the pod stays Pending when no
          # node carries disk=ssd. Pods already running are not evicted if the
          # label is removed later.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: disk
                operator: In
                values:
                - ssd
      containers:        
      - name: httpd-node-affinity
        # NOTE(review): no tag, so this resolves to httpd:latest, and with
        # IfNotPresent each node keeps whatever copy it pulled first. Pin a
        # version or digest so every node runs the same, reviewed image.
        image: httpd
        imagePullPolicy: IfNotPresent
        # Requests equal limits for both CPU and memory.
        resources:
          requests:
            memory: "256Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "100m"
        ports:
        - name: httpd-port
          containerPort: 80
        # HTTP GET /index.html on port 80 every 10s, starting 10s after the
        # container starts; the container is restarted after 3 failures in a row.
        livenessProbe:
          httpGet:
            path: /index.html
            port: 80
            httpHeaders:
            - name: Custom-Header
              value: custom1
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
        # The pod is marked ready, and so receives Service traffic, only while
        # this command exits 0.
        readinessProbe:
          exec:
            command:
            - cat
            - /usr/local/apache2/htdocs/index.html
          initialDelaySeconds: 10
          periodSeconds: 10

More :
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/

Special File Permissions in linux setuid, setgid, sticky bit

setuid permission:

When a program with the setuid permission is executed, it runs as the owner of that program.

-rwsr-xr-x. 1 root root 27856 Aug  9  2019 /usr/bin/passwd

Because passwd has setuid set, a normal user can change their own password.

# Symbolic form: set the setuid bit, so the file executes as its owner.
# Every setuid-root binary is a privilege-escalation surface: keep the list
# short and audit it, e.g. find / -xdev -type f -perm -4000
chmod u+s  file_name 

# Octal form: leading 4 = setuid; 750 = rwx for owner, r-x for group, nothing
# for others.
chmod 4750   file_name

setgid permission:

When a program with the setgid permission is executed, it runs with the group owner of that program.

-r-xr-sr-x. 1 root tty 15344 Jun 10  2014 /usr/bin/wall

Because wall has setgid enabled, it runs with all the permissions that the group tty has.

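# Symbolic form: g+s sets the setgid bit (u+g would only copy the group's
# permission bits to the owner).
chmod g+s  file_name
# Octal form: leading 2 = setgid. Group execute has to be set as well;
# without it ls shows a capital S and the bit has no effect when the file runs.
chmod 2750   file_name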

Sticky bit:

When the sticky bit is set on a directory, a file in it can only be deleted by the owner of the file, the owner of the directory, or root.

drwxrwxrwt.  16 root root 4096 Oct 10 10:10 tmp

The /tmp directory on every Linux system has the sticky bit enabled.

chmod +t /tmp

NOTE: A capital S or T is displayed when the corresponding execute permission is not set on that file

Install Linkerd in kubernetes

-Install linkerd

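# Save the installer and read it before running it, rather than piping the
# download straight into sh.
curl -sSfL https://run.linkerd.io/install -o linkerd-install.sh
less linkerd-install.sh
sh linkerd-install.sh
export PATH=$PATH:$HOME/.linkerd2/bin
# Single quotes keep $PATH and $HOME unexpanded in the file, and >> appends:
# a single > would replace the whole of ~/.bashrc with this one line.
echo 'export PATH=$PATH:$HOME/.linkerd2/bin' >> ~/.bashrc
linkerd version
linkerd check --pre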

-Install linkerd on kubernetes

# Render the control-plane manifests and apply them to the cluster that the
# current kubectl context points at.
linkerd install | kubectl apply -f -

#It will take some time to apply

# List the control-plane deployments in the linkerd namespace.
kubectl -n linkerd get deploy

– Linkerd dashboard

Update the linkerd-web deployment and add your host IP (e.g. 192.168.0.183) to the -enforced-host argument:

 # Excerpt of the linkerd-web container arguments.
 containers:
      - args:
        - -api-addr=linkerd-controller-api.linkerd.svc.cluster.local:8085
        - -grafana-addr=linkerd-grafana.linkerd.svc.cluster.local:3000
        - -controller-namespace=linkerd
        - -log-level=info
        # Regex of Host header values the dashboard accepts (protection against
        # DNS rebinding). Keep it anchored with ^...$ and add only the exact
        # addresses that are needed, with dots escaped.
        - -enforced-host=^(192\.168\.0\.183|localhost|127\.0\.0\.1|linkerd-web\.linkerd\.svc\.cluster\.local|linkerd-web\.linkerd\.svc|\[::1\])(:\d+)?$

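– Update the Linkerd web service to type NodePort. This publishes the dashboard, which has no authentication of its own, on every node's address, so limit who can reach that port (firewall or NetworkPolicy).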

  • Inject linkerd
# Inject all the deployments in the namespace of the current kubectl context
# (default unless the context sets another one; no -n is given).
kubectl get deploy -o yaml | linkerd inject - | kubectl apply -f -

adds a linkerd.io/inject: enabled annotation