will.brien + sysadmin   442

Compliance Forge
We take care of the tedious and time-consuming work that is associated with writing comprehensive cybersecurity documentation. By doing this, we offer a unique service to businesses - we can provide you with semi-customized IT security documentation, based on industry-recognized leading practices that include ISO, NIST, OWASP, CSA and others. This allows you to quickly obtain professionally-written IT security documentation and you have the ability to edit this documentation for your specific needs, since it comes in Microsoft Office formats. This is beyond buying an "IT security policy template" online - these products allow you to have the same level of professional quality documentation that you would expect from hiring an IT security consultant to write it for you. Please take a few minutes and look at the examples to see for yourself!

Our comprehensive written information security documentation includes the policies and standards that businesses need to meet common information security requirements, such as PCI DSS, HIPAA, FACTA, GLBA, as well as unique requirements like FedRAMP and NIST 800-171 compliance. We've been doing this since 2005, so we have a long track record of successfully writing IT security policies and other compliance-related documentation, such as risk assessments, vulnerability assessments and audit templates. Everything we do centers around providing your company a solid set of cybersecurity policies and standards to use as a foundation to build from!
sysadmin  documentation  reference  work  government 
17 days ago by will.brien
find - Finding all large files in the root filesystem - Unix & Linux Stack Exchange
The following command not only finds you the top 50 largest files (>100M) on your filesystem, but also sorts (GNU sort) by the biggest:

find / -xdev -type f -size +100M -exec du -sh {} ';' | sort -rh | head -n50

-xdev Don't descend directories on other filesystems.

On BSD find use -x which is equivalent to the deprecated -xdev primary.

For all files and directories, it's even easier:

du -ahx / | sort -rh | head -20

(the -x flag is what's required to constrain du to a single filesystem)

If you're not using GNU sort (from coreutils), use it without -h:

du -ax / | sort -rn | head -20

For the current directory only (for quicker results), replace / with "."
cli  linux  sysadmin  reference 
december 2017 by will.brien
Quad 9 | Internet Security and Privacy in a Few Easy Steps
Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.

Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 will check the site against the IBM X-Force threat intelligence database of over 40 billion analyzed web pages and images. Quad9 also taps feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike.

Performance: Quad9 systems are distributed worldwide in more than 70 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution. These systems are distributed worldwide, not just in high-population areas, meaning users in less well-served areas can see significant improvements in speed on DNS lookups. The systems are “anycast” meaning that queries will automatically be routed to the closest operational system.

Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS.

IP: 9.9.9.9
dns  sysadmin  security 
november 2017 by will.brien
Stop error 0x109: CRITICAL_STRUCTURE_CORRUPTION on a VMWare virtual machine
On a Windows Server Virtual Machine that is running VMWare ESXi 5.0.x, you receive a "CRITICAL_STRUCTURE_CORRUPTION" Stop error code that begins as follows:

Bugcheck code 00000109
Arguments a3a01f58`92797517 b3b72bde`e4f976b6 00000000`c0000103 00000000`00000007

Cause

This problem occurs because the system detects a Critical MSR modification, and then it crashes.

Resolution

To resolve this problem, go to the following VMWare website:

Windows 8.1/Windows Server 2012 virtual machines fail with a blue screen and report the error: CRITICAL_STRUCTURE_CORRUPTION (2060019)

This is a known issue that affects ESXi 5.0.x. For more information, contact VMWare.

To work around this issue, manually create a CPUID mask for the affected virtual machines. To do this, follow these steps:

Turn off the virtual machine.
Right-click the virtual machine, and then click Edit Settings.
Click the Options tab.
Under Advanced, click CPUID Mask.
Click Advanced.
In the Register column, locate the edx register under Level 80000001.
In the Value field, enter the following character string exactly:

----:0---:----:----:----:----:----:----
Click OK two times.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
vmware  windows  virtualisation  work  sysadmin 
october 2017 by will.brien
Cocktail - A perfect mixture for macOS
Cocktail is a general purpose utility for macOS that lets you clean, repair and optimize your Mac. It is a powerful digital toolset that helps hundreds of thousands of Mac users around the world get the most out of their computers every day.

The application serves up a perfect mix of maintenance tools and tweaks, all accessible through a clean and easy to use interface. Cocktail's features are arranged into five categories that help you manage various aspects of your computer. It also comes with an automatic Pilot mode that allows you to simply press a button and relax, knowing that Cocktail will take care of the rest.

Cocktail is installed at more than 250 000 computers world wide. The largest part being private individuals, but Cocktail can also be found at large international companies, educational institutions or newspapers.
mac  software  sysadmin 
october 2017 by will.brien
postfix: aliases will be ignored - Server Fault
Instead, you probably want to use the virtual maps.

As root (or sudo)

In /etc/postfix/virtual (or where virtual is)

root hostmaster@my.domain

In main.cf

virtual_maps = hash:/etc/postfix/virtual

or (modern versions of postfix)

virtual_alias_maps = hash:/etc/postfix/virtual

after the virtual map has been modified

# postmap /etc/postfix/virtual
# postfix reload

Beware that all mail for "root" will be redirected to "hostmaster@my.domain".
postfix  mail  cli  linux  debian  sysadmin  reference 
october 2017 by will.brien
ForwardMX
ForwardMX is a simple but powerful email forwarding service helping you to receive all your emails to a central inbox fast & simple by changing the MX records for your Domain.
email  sysadmin  <todo> 
september 2017 by will.brien
python - Upgrading all packages with pip - Stack Overflow
To upgrade all local packages; you could use pip-review:

$ pip install pip-review
$ pip-review --local --interactive

pip-review is a fork of pip-tools. See pip-tools issue mentioned by @knedlsepp. pip-review package works but pip-tools package no longer works.
python  pip  sysadmin  cli  linux 
september 2017 by will.brien
ssh - Converting keys between openssl and openssh - Information Security Stack Exchange
If you just want to share the private key, the OpenSSL key generated by your example command is stored in private.pem, and it should already be in PEM format compatible with (recent) OpenSSH. To extract an OpenSSH compatible public key from it, you can just run:

ssh-keygen -f private.pem -y > private.pub
ssh  cli  sysadmin  aws  linux 
september 2017 by will.brien
Securing Windows Workstations: Developing a Secure Baseline – Active Directory Security
Securing Windows Workstation:

Deploying Free/Near-Free Microsoft Tools to Improve Windows Security
Deploy Microsoft AppLocker to lock down what can run on the system.

Deploy current version of EMET with recommended software settings.

Deploy LAPS to manage the local Administrator (RID 500) password.
Force Group Policy to reapply settings during “refresh”
Disable Windows Legacy & Typically Unused Features

Disable Net Session Enumeration (NetCease)

Disable WPAD
Disable LLMNR

Disable Windows Browser Protocol

Disable NetBIOS

Disable Windows Scripting Host (WSH) & Control Scripting File Extensions

Deploy security back-port patch (KB2871997).

Prevent local Administrator (RID 500) accounts from authenticating over the network

Ensure WDigest is disabled
Remove SMB v1 support

Windows 10 & Windows 2016

Windows 10 & 2016 System Image Configuration
Block Untrusted Fonts
Enable Credential Guard
Configure Device Guard
Application Security Settings

Disable Microsoft Office Macros

Disable Microsoft Office OLE
Additional Group Policy Security Settings
Configure Lanman Authentication to a secure setting
Configure restrictions for unauthenticated RPC clients
Configure NTLM session security
security  windows  sysadmin  work  grouppolicy  @read 
september 2017 by will.brien
DevOps Topologies
Type 3: Ops as Infrastructure-as-a-Service

For organisations with a fairly traditional IT Operations department which cannot or will not change rapidly [enough], and for organisations who run all their applications in the public cloud (Amazon EC2, Rackspace, Azure, etc.), it probably helps to treat Operations as a team who simply provides the elastic infrastructure on which applications are deployed and run; the internal Ops team is thus directly equivalent to Amazon EC2, or Infrastructure-as-a-Service.

A team (perhaps a virtual team) within Dev then acts as a source of expertise about operational features, metrics, monitoring, server provisioning, etc., and probably does most of the communication with the IaaS team. This team is still a Dev team, however, following standard practices like TDD, CI, iterative development, coaching, etc.

The IaaS topology trades some potential effectiveness (losing direct collaboration with Ops people) for easier implementation, possibly deriving value more quickly than by trying for Type 1 (Dev and Ops Collaboration) which could be attempted at a later date.
Type 3

Type 3 suitability: organisations with several different products and services, with a traditional Ops department, or whose applications run entirely in the public cloud.

Potential effectiveness: MEDIUM
devops  programming  work  sysadmin  @read 
september 2017 by will.brien
Home · jay0lee/GAM Wiki · GitHub
GAM is a command line tool that allows administrators to manage many aspects of their Google Apps Account. This page provides simple instructions for downloading, installing and starting to use GAM.

GAM requires Google Apps Business, Education, Partner or Government Edition. Google Apps Free Edition has limited API support and not all GAM commands work.

While many GAM functions do not require domain administrative privileges, the setup does.
google  sysadmin  windows  documentation 
september 2017 by will.brien
GoAccess - Visual Web Log Analyzer
GoAccess was designed to be a fast, terminal-based log analyzer. Its core idea is to quickly analyze and view web server statistics in real time without needing to use your browser (great if you want to do a quick analysis of your access log via SSH, or if you simply love working in the terminal).

While the terminal output is the default output, it has the capability to generate a complete real-time HTML report (great for analytics, monitoring and data visualization), as well as a JSON, and CSV report.
logs  apache  sysadmin  software  linux  debian 
july 2017 by will.brien
Best Practices for Securing Active Directory | Microsoft Docs
This document provides a practitioner's perspective and contains a set of practical techniques to help IT executives protect an enterprise Active Directory environment. Active Directory plays a critical role in the IT infrastructure, and ensures the harmony and security of different network resources in a global, interconnected environment. The methods discussed are based largely on the Microsoft Information Security and Risk Management (ISRM) organization's experience, which is accountable for protecting the assets of Microsoft IT and other Microsoft Business Divisions, in addition to advising a selected number of Microsoft Global 500 customers.
activedirectory  security  windows  sysadmin  microsoft 
july 2017 by will.brien
Footgun Prevention with AWS VPC Subnetting and Addressing
In AWS, where you don’t have to worry about broadcast domains and all that crap, you do networking differently. For a start, when you create your VPC, you don’t carefully size it for what you need right now (your Wordpress on EC2 tutorial, for example): you size it so that you avoid problems in the future. That means: going big! Cloud networks are, in this way, totally different to non-cloud networks.
aws  networking  reference  tutorials  sysadmin 
july 2017 by will.brien
Running commands - Ansible Tips and Tricks
Limit to one or more hosts

This is required when one wants to run a playbook against a host group, but only against one or more members of that group.

Limit to one host

ansible-playbook playbooks/PLAYBOOK_NAME.yml --limit "host1"

Limit to multiple hosts

ansible-playbook playbooks/PLAYBOOK_NAME.yml --limit "host1,host2"

Negated limit. NOTE: Single quotes MUST be used to prevent bash interpolation.

ansible-playbook playbooks/PLAYBOOK_NAME.yml --limit 'all:!host1'

Limit to host group

ansible-playbook playbooks/PLAYBOOK_NAME.yml --limit 'group1'

Limiting Tasks with Tags

Limit to all tags matching install

ansible-playbook playbooks/PLAYBOOK_NAME.yml --tags 'install'
ansible  documentation  reference  cli  sysadmin  python 
june 2017 by will.brien
Duply (simple duplicity) - duply
duply is a frontend for the mighty duplicity magic. duplicity is a python based shell application that makes encrypted incremental backups to remote storages. Different backends like ftp, sftp, imap, s3 and others are supported. See duplicity manpage for a complete list of backends and features.

duply simplifies running duplicity with cron or on command line by:

keeping recurring settings in profiles per backup job
automated import/export of keys between profile and keyring
enabling batch operations eg. backup_verify_purge
executing pre/post scripts
precondition checking for flawless duplicity operation

Since version 1.5.0 all duplicity backends are supported. Hence the name changed from ftplicity to duply.
duplicity  backup  cli  linux  aws  sysadmin  python 
june 2017 by will.brien
GitHub - petemcw/ansible-role-logwatch: Logwatch Role for Ansible
This role installs Logwatch which is an application that helps with simple log management by daily analyzing and reporting a short digest from activities taking place on your server.
ansible  cli  debian  linux  ssh  sysadmin  logs  logwatch 
june 2017 by will.brien
Securing a Server with Ansible
A while back, Bryan Kennedy wrote a post describing how he spends the first 5 minutes configuring and securing a new linux server. He runs through the list of commands and configuration settings that address things like:

secure passwords
automatic updates
basic intrusion detection
public key authentication
firewall settings
log monitoring

There were a couple of blog posts in response that took this one step further and demonstrated how to accomplish the same things in a more automated fashion using Ansible. Things move pretty fast and I found both posts were a little outdated. So this post continues the tradition and automates the process using an Ansible playbook. It takes care of the basic things described in these posts with a couple of additions and enhancements.
ansible  cli  sysadmin  linux  security  firewall  logwatch 
june 2017 by will.brien
GitHub - berzerk0/Probable-Wordlists: Wordlists sorted by probability originally created for password generation and testing
While I was able to locate a few Password Wordlists that were sorted by popularity, the vast majority of lists, especially the larger lists, were sorted alphabetically. This seems like a major practicality flaw! If we assume that the most common password is password, (which is actually the 2nd most common, after 123456) and we are performing a dictionary attack using an English dictionary, we are going to have to slog from aardvark through passover to get to password. I don't know off the top of my head just how common "aardvark" is as a password - but we could be wasting a lot of time by not starting with the most common password on our list!

I went to SecLists, Weakpass, and Hashes.org and downloaded nearly every single Wordlist containing real passwords I could find. These lists were huge, and I ended up with over 80 GB actual, human-generated and used passwords. These were split up among over 350 files of varying length, sorting scheme, character encoding, origin and other properties. I sorted these files, removed duplicates from within the files themselves, and prepared to join them all together.

Some of these lists were composed of the other lists, and some were exact duplicates. I took care to remove any exact duplicate files - we didn't need to have any avoidable false positives. If a password was found across multiple files, I considered this to be an approximation of its popularity. If an entry was found in 5 files, it wasn't too popular. If an entry could be found in 300 files, it was very popular. Using Unix commands, I concatenated all the files into one giant file representing keys to over 4 billion secret areas on the web, and sorted them by number of appearances in the single file. From this, I was able to create a large wordlist sorted by popularity, not the alphabet.
security  sysadmin  cli  wordlists 
june 2017 by will.brien
Tutorial: Create your own automated backup scripts in Linux with S3
As a software development company, we are often tasked to create backup scripts to ensure data is recoverable in case of catastrophic failure. I’m sharing below the basic script that we use for some clients that require an automated daily backup script in Linux and Amazon S3. This script supports backup of files and database into a local storage and transfer the backup files to Amazon S3.
aws  backup  cli  linux  sysadmin 
june 2017 by will.brien
GitHub - open-guides/og-aws: 📙 Amazon Web Services — a practical guide
A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date.

This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively.
<todo>  amazon  web  sysadmin  reference 
june 2017 by will.brien
GitHub - kamranahmedse/developer-roadmap: Roadmap to becoming a web developer in 2017
Below you find a set of charts demonstrating the paths that you can take and the technologies that you would want to adopt in order to become a frontend, backend or a devops. I made these charts for an old professor of mine who wanted something to share with his college students to give them a perspective.
web  sysadmin  reference  devops 
june 2017 by will.brien
Cheat-Sheets — Malware Archaeology
In looking into compromised systems, often what is needed by incident responders and investigators is not enabled or configured when it comes to logging. To help get system logs properly Enabled and Configured, below are some cheat sheets to help you do logging well and so the needed data we all need is there when we look.
windows  sysadmin  security  reference  powershell  logs 
june 2017 by will.brien
How to convert existing non-empty directory into a Git working directory and push files to a remote repository - Stack Overflow
Given you've set up a git daemon on <url> and an empty repository:

cd <localdir>
git init
git add .
git commit -m 'message'
git remote add origin <url>
git push -u origin master
git  cli  linux  reference  sysadmin  work 
june 2017 by will.brien
How to Secure Postfix Using Let's Encrypt - UpCloud
Once you have finished the process, the certificates will be stored under /etc/letsencrypt/live/<your.domain>/. You can add your new certificates to the Postfix configuration using the two commands below. Replace the <your.domain> with your email server’s domain name.

sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/<your.domain>/fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/<your.domain>/privkey.pem'

With the certificate installed, you can configure the rest of the email server.
letsencrypt  postfix  cli  sysadmin  email  encryption  <github> 
june 2017 by will.brien
Install Dropbox In An Entirely Text-Based Linux Environment - The Unofficial Dropbox Wiki
dropboxd will create a ~/Dropbox folder and start synchronizing it after this step! Go to the URL given; you should see a success message at the top of your screen.

NOTE: If you want to change the account it is linked to, unlink it from the first account, then kill the running dropbox process, start it up again (with “~/.dropbox-dist/dropboxd &”) and obtain the new host_id with dbreadconfig.py. If you don’t restart the dropbox client, it will give the same host_id (which for some reason caused me to be unable to change the account it is linked to).
linux  dropbox  cli  documentation  sysadmin 
june 2017 by will.brien
Ansible Galaxy | geerlingguy.certbot
Installs and configures Certbot (for Let's Encrypt).
Requirements

If installing from source, Git is required. You can install Git using the geerlingguy.git role.
ansible  cli  debian  linux  letsencrypt  encryption  ssh  sysadmin 
may 2017 by will.brien
How to find and check my IP address
Whoer.net is a service aimed at verifying the information your computer sends to the web.

It is perfect for checking proxy or socks servers, providing information about your VPN server and scanning black lists for your IP address. The service shows whether your computer enables Flash and Java, as well as its language and system settings, OS and web-browser, define the DNS etc.

The main and the most powerful side of our service is the interactive checking by Java, Flash and WebRTC, allowing to detect the actual system settings and its weaknesses, which can be used by third-party resources to find out the information about your computer.

For your convenience, we have set up two versions of our website: light and extended (for displaying additional information).
vpn  privacy  security  reference  sysadmin  networking 
may 2017 by will.brien
How do I install cygwin components from the command line? - Stack Overflow
Cygwin’s setup.exe

It also has a command line mode. Moreover, it allows you to upgrade all installed packages at once (as apt-get upgrade does on Debian based Linux).

Example use:

setup-x86_64.exe -q --packages=bash,vim

You can create an alias for easier use, for example:

alias cyg-get="/cygdrive/d/path/to/cygwin/setup-x86_64.exe -q -P"

Then you can, for example, install Vim package with:

cyg-get vim
windows  cli  cygwin  sysadmin 
may 2017 by will.brien
Ansible Galaxy | tersmitten.postfix
Set up a postfix server in Debian-like systems.
ansible  postfix  cli  debian  linux  ssh  sysadmin 
may 2017 by will.brien
Ansible Galaxy | geerlingguy.php
Installs PHP on RedHat/CentOS and Debian/Ubuntu servers.
ansible  linux  debian  sysadmin  cli  ssh  php 
may 2017 by will.brien
Ansible Galaxy | geerlingguy.mysql
Installs and configures MySQL or MariaDB server on RHEL/CentOS or Debian/Ubuntu servers.
ansible  linux  debian  sysadmin  cli  ssh  mysql 
may 2017 by will.brien
GitHub - geerlingguy/ansible-role-apache: Ansible Role - Apache 2.x.
An Ansible Role that installs Apache 2.x on RHEL/CentOS, Debian/Ubuntu, SLES and Solaris.
ansible  linux  debian  sysadmin  cli  ssh  apache 
may 2017 by will.brien
GitHub - debops/ansible-fail2ban: Install and configure fail2ban service
fail2ban is a service which parses specified log files and can perform configured actions when a given regexp is found. It's usually used to ban offending IP addresses using iptables rules (only IPv4 connections are supported at the moment).
ansible  linux  debian  sysadmin  cli  ssh  security 
may 2017 by will.brien
Your Debian-based data center in a box
A collection of Ansible playbooks, scalable from one container to an entire data center.
ansible  linux  debian  sysadmin  cli  ssh 
may 2017 by will.brien
Ansible Galaxy | geerlingguy.firewall
Installs an iptables-based firewall for Linux. Supports both IPv4 (iptables) and IPv6 (ip6tables).

This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of iptables and/or firewalls in general, this role should be a good starting point for a secure system firewall.

After the role is run, a firewall init service will be available on the server. You can use service firewall [start|stop|restart|status] to control the firewall.
ansible  linux  debian  sysadmin  cli  ssh  security  iptables 
may 2017 by will.brien
Ansible Galaxy | geerlingguy.repo-dotdeb
ansible-galaxy install geerlingguy.repo-dotdeb
ansible  cli  debian  linux  php  ssh  sysadmin  apt 
may 2017 by will.brien
WSUS Offline Automation
The following scripts and utilities will streamline the automation of pushing out Windows Updates to several machines at once without an internet connection using WSUS Offline.
windows  wsus  sysadmin  scripts  work  microsoft 
may 2017 by will.brien
Adamj Clean-WSUS - Script Center - Spiceworks
This is the last WSUS Script you will ever need. It has the capacity to remove all drivers from the database, remove declined updates, decline superseded updates, run the SQL database maintenance, remove synchronization logs, and finally run the server cleanup wizard.
windows  sysadmin  work  documentation 
april 2017 by will.brien
WeTransfer
WeTransfer is the simplest way to send your files around the world. Last year, our users sent 10 billion files through our service. Founded in 2009, our team is based in the Netherlands and the US.
storage  email  sysadmin  work 
march 2017 by will.brien
DietPi - Lightweight justice for your SBC
DietPi is an extremely lightweight Debian Jessie OS. With images starting at 400MB, that's 3x lighter than 'Raspbian Lite'.
linux  raspberrypi  os  debian  iso  sysadmin 
march 2017 by will.brien
Synergy - Mouse and keyboard sharing software
Synergy combines your desktop devices together in to one cohesive experience. It's software for sharing your mouse and keyboard between multiple computers on your desk. It works on Windows, Mac OS X and Linux.
software  windows  mac  linux  kvm  sysadmin 
november 2016 by will.brien
Ransomware Prevention Kit
In 2013 we created the first set of Group Policies to combat Cryptolocker. Since then we’ve continued to expand and improve our IT Best Practices approach to Ransomware Prevention. It now includes documents, policies, recovery keys, and instruction sets for other tools native to Windows Server and Desktop OS’s. We also include suggestions of how you can modernize your network configuration best practices and build a great solution for your clients.
sysadmin  windows  grouppolicy  reference  software  <todo> 
july 2016 by will.brien
Penetration Testing Tools Cheat Sheet
enum4linux -a target-ip

Do Everything, runs all options (find windows client domain / workgroup) apart from dictionary based share name guessing
<todo>  security  tools  reference  cli  linux  windows  samba  sysadmin  work 
july 2016 by will.brien
GitHub - chassing/linux-sysadmin-interview-questions: Collection of linux sysadmin/devop interview questions
DevOps Questions:

Can you describe your workflow when you create a script?
What is GIT?
What is a dynamically/statically linked file?
What does "configure && make && make install" do?
What is puppet/chef/ansible used for?
What is Nagios/Zenoss/NewRelic used for?
What is the difference between Containers and VMs?
How do you create a new postgres user?
What is a virtual IP address? What is a cluster?
How do you print all strings of printable characters present in a file?
How do you find shared library dependencies?
What is Automake and Autoconf?
./configure shows an error that libfoobar is missing on your system, how could you fix this, what could be wrong?
What are the Advantages/disadvantages of script vs compiled program?
What's the relationship between continuous delivery and DevOps?
What are the important aspects of a system of continuous integration and deployment?
devops  sysadmin  linux 
may 2016 by will.brien
GitHub - trick77/ipset-blacklist: A script to ban large numbers of IP addresses published in blacklists.
A tiny Bash shell script which uses ipset and iptables to ban a large number of IP addresses published in IP blacklists. ipset uses a hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!) faster than thousands of sequentially parsed iptables ban rules.
security  firewall  iptables  debian  sysadmin 
april 2016 by will.brien
DigitalLlama.net: Allow non admin users to connect with OpenVPN client
This guide was written based on a Windows 8.1 Pro laptop - it should also apply to Windows 7 but some of the screens might be slightly different. It was based partly on the more advanced solution at http://community.openvpn.net/openvpn/wiki/Nonprivileged - that will automatically do all the above for any user that logs on so is great for a machine many users could use, or an auto deployment system. As a one off for a single user it is more complicated than required though and the 3 steps above have the same end result.
vpn  work  windows  sysadmin 
november 2015 by will.brien
xhaus.com: HTTP header check
Your browser software transmitted the following HTTP headers
http  logs  proxy  testing  sysadmin  reference  work 
june 2015 by will.brien
Evolution of a Web Developer: From PHP Newbie To Python Ninja
Some of you may have come out of the womb hacking shell scripts to disable that Internet-enabled baby video surveillance monitor that your parents used to watch what you're doing on their iPad in the kitchen (visualize eTrade baby hacking away on a terminal app on his Android phone). But, I suspect most of us started more modestly than that and moved up the learning curve (some faster than others). The following is a somewhat fictional, somewhat true recollection.
sysadmin  reference  humour  php  python  lists  <todo> 
april 2015 by will.brien
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To enable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
windows  sysadmin  samba  networking  reference 
november 2014 by will.brien
John Resig - Keeping Passwords in Source Control
It has to deal with the eternal question: How do you store sensitive configuration options (such as usernames, passwords, etc.) in source control? Typically what I’ve done is to just punt on the problem entirely. I create a dummy configuration file, such as conf/sample-settings.json which has the basic structure but none of the details filled out. For example:

conf/sample-settings.json

// Copy to conf/settings.json
// and fill these in with your login details!
{
"db": {
"username": "",
"password": ""
}
}

If someone else needed the details I would just email it to them, or some such (not ideal). Especially when it came time to add additional information to the file or make other changes.

The technique I picked up from Craig was to, instead, keep an encrypted version of the configuration file in source control and then provide a means through which the user can encrypt and decrypt that data.

In this case you can still have a dummy config file, if you wish.
git  programming  security  sysadmin  devops  <todo> 
november 2014 by will.brien
Remove old versions of Java via msiexec script
JAVA Uninstall and cleanup script for through Java 1.7.u11 with install of Java 1.7.u11 x86 and X64 in Mixed Environment
Calls removal of Java Autoupdate after install
Skips Removal of versions of Java 1.6.x if SAS is detected
These can be removed if your environment does not use SAS or uses built in Java for SAS
Requires x86 and x64 JRE Executables and x86 MSI files to install x86 Java on x64
MSI files can be located in
C:\Documents and Settings\<install user>\Application Data\Sun\Java\<version> or
C:\Users\<install user>\Appdata\locallow\Sun\Java\<Version>
after install to a workstation preferably 32-bit
written for use in SCCM 2007, but will likely work elsewhere
Written by David Nelson, Computer Professional, CSBS Computing, University of Utah
2012-2013
sysadmin  scripts  cli  windows  java 
april 2014 by will.brien
Hardware Lister (lshw)
lshw (Hardware Lister) is a small tool to provide detailed information on the hardware configuration of the machine. It can report exact memory configuration, firmware version, mainboard configuration, CPU version and speed, cache configuration, bus speed, etc. on DMI-capable x86 or EFI (IA-64) systems and on some PowerPC machines (PowerMac G4 is known to work).
linux  sysadmin  tools  hardware 
january 2014 by will.brien
OSSEC | Home | Open Source SECurity
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.

Check out OSSEC features and how it works for more information about how OSSEC can help you solve your host-based security problems.
linux  software  sysadmin  security  macintosh  logs  opensource 
october 2013 by will.brien
PRISM Break: software and service alternatives to help increase your privacy
In almost all cases, only free software is allowed to be featured on PRISM Break. The only exception is when free software offers no viable alternative to proprietary software. "Web search" is the only category with this exception currently.

Quality over quantity. PRISM Break strives to promote the best open source applications. Ease of use, stability, and performance matter. This is the first time many people are looking to leave their proprietary walled gardens. Let's make it a good experience for them. If you're writing a privacy-minded FOSS app, please finish it before asking PRISM Break to promote it.
software  security  sysadmin  privacy  internet  reference  networking  linux 
september 2013 by will.brien
Apaxy: A simple, customisable Apache directory theme
Apaxy is a customisable theme built to enhance the experience of browsing web directories. It uses the mod_autoindex Apache module—and some CSS—to override the default style of a directory listing.
apache  htaccess  css  sysadmin 
december 2012 by will.brien
SystemRescueCd
SystemRescueCd is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administrating or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the hard disk partitions. It comes with a lot of linux software such as system tools (parted, partimage, fstools, ...) and basic tools (editors, midnight commander, network tools). It can be used for both Linux and windows computers, and on desktops as well as servers. This rescue system requires no installation as it can be booted from a CD/DVD drive or USB stick, but it can be installed on the hard disk if you wish. The kernel supports all important file systems (ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, ntfs), as well as network filesystems (samba and nfs).
linux  usb  sysadmin  utilities  work 
december 2012 by will.brien
Start Windows Explorer In The C Drive
Since the first days Windows Explorer appeared, the list of switches reproduced below has been floating around the internet. I'm not sure who was the first to assemble the list but here it is in its entirety. Play around with it and see if one of the views is what you're seeking. Just copy and paste the bold text into the Target line on the Property Sheet of Windows Explorer. If it's not what you expected you can always switch back to the default view by using C:\WINDOWS\explorer.exe in the Target line.

"My Computer" highlighted in left side with all drives visible but not expanded and C: highlighted in right side: %SystemRoot%\explorer.exe /e,/select,c:

Desktop highlighted and nothing expanded: %SystemRoot%\explorer.exe /e,/n,/select,/root,c:

All drives visible and the system drive highlighted and expanded in full screen: %SystemRoot%\explorer.exe /e,/select

All drives visible and the system drive expanded in small screen: %SystemRoot%\explorer.exe /e,/select,%systemroot%

Only Windows Directory visible highlighted and expanded: %SystemRoot%\explorer.exe /e,/root,%systemroot%

All drives visible but only C: highlighted and expanded: %SystemRoot%\explorer.exe /e,c:

Nothing expanded and My Computer highlighted in right side: %SystemRoot%\explorer.exe /n,/e,/select,

Opens the Windows folder as a folder: %SystemRoot%\explorer.exe %systemroot%

Opens as "My Computer": %SystemRoot%\explorer.exe %systemroot%,

This opens the Desktop folder with "My Computer" highlighted: %SystemRoot%\explorer.exe %systemroot%,/select,

"Desktop" highlighted in the left side and no drives visible:
%systemroot%\explorer.exe /e,/root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D},/select

"My Computer" highlighted in left side and all drives visible but none expanded:
%systemroot%\explorer.exe /e,/root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

"Desktop" in left side highlighted and "My Computer" highlighted in right side and no drives visible:
%systemroot%\explorer.exe /e,/select,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
windows  faq  sysadmin  work  reference 
december 2012 by will.brien
IPTraf - An IP Network Monitor
IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
linux  cli  sysadmin  networking  tools  work 
december 2012 by will.brien
Tor and HTTPS
Click the "Tor" button to see what data is visible to eavesdroppers when you're using Tor. The button will turn green to indicate that Tor is on.

Click the "HTTPS" button to see what data is visible to eavesdroppers when you're using HTTPS. The button will turn green to indicate that HTTPS is on.

When both buttons are green, you see the data that is visible to eavesdroppers when you are using both tools.

When both buttons are grey, you see the data that is visible to eavesdroppers when you don't use either tool.

Potentially visible data includes: the site you are visiting (SITE.COM), your username and password (USER/PW), the data you are transmitting (DATA), your IP address (LOCATION), and whether or not you are using Tor (TOR).
tor  ssl  https  encryption  privacy  eff  reference  security  wireless  sysadmin 
november 2012 by will.brien
Scunthorpe problem - Wikipedia, the free encyclopedia
The Scunthorpe problem occurs when a spam filter or search engine blocks e-mails or search results because their text contains a string of letters that are shared with an obscene word. While computers can easily identify strings of text within a document, broad blocking rules may result in false positives, causing innocent phrases to be blocked.
spam  filtering  email  wikipedia  reference  sysadmin  work 
november 2012 by will.brien
CIPB - Create Country ACL
To create your Access Control Lists select a country or countries, choose the format of your list and click create. Your results will appear in this column.

Select Format:
CIDR Netmask IP Range
.htaccess Deny .htaccess Allow
Decimal/CIDR Cisco ACL PeerGuardian2
Web.config deny Web.config allow
iptables  reference  lists  work  sysadmin  security  networking  linux  htaccess  cisco  bittorrent 
november 2012 by will.brien
Rufus - Create bootable USB drives
Rufus is a small utility that helps format and create bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc.

It can be especially useful for cases where:

you need to create USB installation media from bootable ISOs (Windows, Linux, etc.)
you need to work on a system that doesn't have an OS installed
you need to flash a BIOS or other firmware from DOS
you want to run a low-level utility

Despite its small size, Rufus provides everything you need!
windows  software  sysadmin  iso 
november 2012 by will.brien
pfSense Open Source Firewall Distribution - Home
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices.
networking  iptables  firewall  sysadmin  router  security 
november 2012 by will.brien
How to configure versioning of your /etc directory with Etckeeper
Keeping a version history of your configuration files is every administrator’s dream. Knowing that you have a complete history of all of your configuration files makes it really easy for system administrators to sleep well at night knowing that if anything goes wrong, they can simply roll back their configuration to an earlier date.

This is all possible with a program called EtcKeeper. EtcKeeper is a revision control system for your /etc directory using bzr, git, hg, or darcs as a back-end. EtcKeeper will allow you to make commits, like any other revision system, that will keep a version history of all your changes to the /etc directory. If configured correctly, you can also use EtcKeeper to check who made configuration changes and at what time, which can be useful for troubleshooting and auditing purposes.

In this article, I am going to show you how you can install and configure EtcKeeper to put your configuration files under version control.
linux  cli  sysadmin  centos  debian  ubuntu  versioncontrol  work  tutorials 
october 2012 by will.brien
Improving your resolv.conf file - Curator
The resolver can load up to 3 name servers. If your server needs to find the mx record of gmail.com, it will first need to resolve gmail.com locally.

using a resolver from resolv.conf

dig @8.8.8.8 gmail.com -t mx +short

result: alt1.gmail-smtp-in.l.google.com
connect to alt1.gmail-smtp-in.l.google.com

dig @8.8.4.4 alt1.gmail-smtp-in.l.google.com +short

result: 209.85.227.27
connect to 209.85.227.27:25

Optimized resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 4.2.2.2
options rotate
options timeout:1
linux  cli  dns  sysadmin  networking  reference  work 
october 2012 by will.brien
Automatic creation of user folders for home, roaming profile and redirected folders.
Hi Rob here again. Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME% in the user’s home folder attribute when you create the user’s account.

We will also make use of the “$” symbol in the share name; which makes the share hidden from anyone who attempts to list the shares on the file server via computer browsing.
windows  sysadmin  faq  reference  activedirectory 
september 2012 by will.brien
Cisco 7940 & 7960 IP Phones - How To Upgrade
This How-To summarises our experiences in upgrading 7940G and 7960G to function as SIP phones with trixbox®. These phones are originally supplied with Cisco Call Manager (CCM) firmware.
cisco  sip  voip  telephony  reference  sysadmin  work  tftp  centos 
september 2012 by will.brien
HeidiSQL - MySQL made easy
HeidiSQL is a lightweight, Windows based interface for managing MySQL and Microsoft SQL databases. It enables you to browse and edit data, create and edit tables, views, procedures, triggers and scheduled events. Also, you can export structure and data either to SQL file, clipboard or to other servers.
mysql  software  windows  database  sysadmin  work 
september 2012 by will.brien
JavaRa | SingularLabs
JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE). Simply select “Check for Updates” or “Remove Older Version” to begin. JavaRa is free under the GNU GPL version two.

(JavaRa.exe /CLEAN /PURGE /SILENT)
software  java  security  windows  sysadmin  utilities 
september 2012 by will.brien
Open Source Tripwire® | Free System Administration software downloads at SourceForge.net
"Open Source Tripwire® software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000."
linux  cli  security  sysadmin  software  opensource 
august 2012 by will.brien
Remote Uninstall of Symantec Endpoint Protection 11 with CleanWipe – Concentris Blog
Symantec Endpoint Protection 11 has got to be one of the worst anti-virus products ever produced. Not only is it a resource hog, but it also will fill your entire hard drive with virus definition updates. I recently switched a client from SEP 11 to Kaspersky, a much better product IMO, and needed to remotely uninstall SEP 11. I wrote a batch file to accomplish the removal of SEP. There are several things you need to make the batch file work:

pstools from Microsoft – psexec is what we’ll be using
Windows 2003 Resource Kit Tools – we’ll be using robocopy
CleanWipe from Symantec – you’ll need to call Symantec support for this one

There may be other ways of getting CleanWipe, but I wouldn’t know about them.
antivirus  sysadmin  windows  tutorials  work 
august 2012 by will.brien
Certificates
To set up a secure server using public-key cryptography, in most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server. Alternatively, you can create your own self-signed certificate.
linux  debian  ubuntu  security  sysadmin  apache  http  web  networking  work 
august 2012 by will.brien
Answer : Export/Import package list from YUM?
List everything installed using rpm so you can copy/paste it into yum on another system:

rpm -qa --qf "%{NAME} "
linux  centos  redhat  cli  sysadmin  reference  work 
july 2012 by will.brien
Living with HTTPS
In order to stop SSL stripping, we need to make HTTPS the only protocol. We can't do that for the whole Internet, but we can do it site-by-site with HTTP Strict Transport Security (HSTS).

HSTS tells browsers to always make requests over HTTPS to HSTS sites. Sites become HSTS either by being built into the browser, or by advertising a header:

Strict-Transport-Security: max-age=8640000; includeSubDomains

The header is in force for the given number of seconds and may also apply to all subdomains. The header must be received over a clean HTTPS connection.

Once the browser knows that a site is HTTPS only, the user typing mail.google.com is safe: the initial request uses HTTPS and there's no hole for an attacker to exploit.
http  security  tutorials  web  sysadmin  wordpress  apache 
july 2012 by will.brien
Going Colo (Pinboard Blog)
I had a short list of requirements when I started looking for colocation:

A quarter rack of space.
100 Mbps dedicated. I wanted to avoid having to monitor and throttle my own Internet use. A capped, dedicated link meant one less thing to configure.
Round-the-clock physical access to my stuff, so I could fix and tinker as necessary.
Somewhere reachable by car within a few hours.
Low seismic risk.

Unfortunately, it's not possible to get #2, #4 and #5 at the same time in California. The only place where data centers will not plummet into the sea when the Big One hits is Sacramento, and bandwidth prices there are extremely high, on the order of $20/Mbps.

So I decided to eat it, seismically speaking. I would try to mitigate the risk by hosting in two locations, each within driving distance from home. I reasoned that the risk of an earthquake big enough to affect two data centers was negligible compared to the risk of general equipment failure, so it was better to host somewhere shaky but reachable.
hardware  diy  reference  sysadmin  networking  pinboard 
june 2012 by will.brien