"A great Admin doesn't need to know everything, but they should be able to come up with amazing solutions to impossible projects." - cwheeler33 (ServerFault)
"My skills are making things work, not knowing a billion facts. [...] If I need to fix a system I’ll identify the problem, check the logs and look up the errors. If I need to implement a solution I’ll research the right solution, implement and document it, then later on only really have a general idea of how it works unless I interact with it frequently... it’s why it’s documented." - Sparcrypt (Reddit)
ℹ️ This project contains examples of test questions and answers that can be used during an interview or exam for positions such as *nix System Administrator.
🚥 If you find a question which doesn't make sense, or one of the answers doesn't seem right; please make a pull request! Feedback and advice is welcome.
- Introduction
- Simple Questions - 11 questions.
- General Knowledge
- Junior Sysadmin - 51 questions.
- Regular Sysadmin - 73 questions.
- Senior Sysadmin - 78 questions.
- Secret Knowledge
- Guru Sysadmin - 12 questions.
- What did you learn this week?
- What excites or interests you about the Sysadmin world?
- What is a recent technical challenge you experienced and how did you solve it?
- Tell me about the last major project you finished.
- Do you contribute to any open source projects?
- Describe the setup of your homelab.
- What personal achievement are you most proud of?
- Tell me about the biggest mistake you've made.
- Tell me about your favorite UNIX-like system.
- Tell me about how you manage your knowledge database (e.g. wikis).
- What news sources do you check daily? (Sysadmin or security-related)
Give some examples of Linux distribution names.
- Red Hat Enterprise Linux
- Fedora
- CentOS
- Debian
- Ubuntu
- SUSE Linux Enterprise Server (SLES)
- SUSE Linux Enterprise Desktop (SLED)
- Slackware
What are the differences between Unix, Linux, BSD and GNU?
GNU isn't really an OS by itself. It is a project, and a licensing philosophy, that set out to build a free Unix-like system and, along the way, produced free reimplementations of the standard Unix userland: the shell, coreutils, the compiler toolchain, the C library and so on. GNU/Linux is the combination of those tools with the Linux kernel to form a complete OS; the GNU project's own kernel, Hurd, exists but is rarely used.
Unix and BSD are the older branches of the family. Unix proper (System V and its descendants such as Solaris, AIX and HP-UX) is mostly closed source, and there are as many flavours of it as there are Linux distributions. BSD began as a Unix derivative at Berkeley; since the 1990s it has been fully open source (FreeBSD, OpenBSD, NetBSD), and its permissive licence allows commercial reuse with far fewer restrictions than the GPL.
Linux is the newest of the four. Strictly speaking it is "just a kernel"; in practice it is thought of as a full OS when combined with the GNU tools and several other core components.
The main differences between them are their ideals and governance rather than their interfaces. All of them are POSIX systems, so for day-to-day administration they are largely interchangeable; they solve the same problems in somewhat different ways, and other than ideals and how they implement the POSIX standards there is little difference.
For more detail, read a brief history of the creation of GNU, open source, Linux, BSD and UNIX. Each account is slanted towards its own ideas, but together they give a good picture of the differences.
What is a CLI?
CLI is an acronym for Command Line Interface or Command Language Interpreter. The command line is one of the most powerful ways to control your system/computer.
In Linux, CLI is the interface by which a user can type commands for the system to execute. The CLI is very powerful, but is not very error-tolerant.
What is your favourite shell and why?
BASH is my favorite. It’s really a preferential kind of thing, where I love the syntax and it just "clicks" for me. The input/output redirection syntax (`>>`, `<<`, `2>&1`, `2>`, `1>`, etc.) is similar to C++ which makes it easier for me to recognize.
I also like the ZSH shell, because it is much more customizable than BASH. It has the Oh-My-Zsh framework, powerful context-based tab completion, pattern matching/globbing on steroids, loadable modules and more.
How do you get a list of logged-in users?
For a summary of logged-in users, including each login of a username, the terminal they are attached to, the date/time they logged in and, for remote sessions, the host they are connecting from, enter:
# Reads /var/run/utmp (current sessions); pass /var/log/wtmp as an argument to see past ones.
who
For extensive information, including username, terminal, source IP address, login time, idle time, process CPU cycles, job CPU cycles and the currently running command, enter:
# Reads /var/run/utmp plus per-process data from /proc.
w
To display the most recent logins, logouts and reboots, enter:
# Reads /var/log/wtmp.
last
Keep in mind that utmp and wtmp are ordinary files writable by root, so an intruder who has gained root can scrub their own session out of them. When investigating, cross-check against the SSH daemon's entries in `/var/log/auth.log` or `/var/log/secure` (or the journal), and ideally against logs shipped to a remote host.
How do you run commands in the background?
You can run a command in the background by appending `&` after it. For example, to download something in the background:
wget https://url-to-download.com/download.tar.gz &
When you run the above command you get the following output:
[1] 2203
Here 1 is the job number and 2203 is the PID of the job.
You can see the jobs running in the background with:
jobs
Since the shell prints the PID when the job starts (it is also available as `$!`), you can kill a background job with:
kill PID
Replace PID with the PID of the job, or use the job number instead: `kill %1`. If you have only one job running you can bring it to the foreground with:
fg
If you have multiple jobs running in the background, bring a specific one to the foreground with:
fg %#
Replace `#` with the job number, e.g. `fg %1`. The reverse works too: Ctrl+Z suspends the foreground job and `bg` resumes it in the background. A job started this way still belongs to your terminal session and is sent SIGHUP when you log out, so for work that must survive the logout use `nohup command &`, `disown`, or a terminal multiplexer such as tmux or screen.
What does it mean when the effective user is "root", but the real user ID is still your name?
The real user ID is who you really are (the user who owns the process), and the effective user ID is what the operating system looks at to make a decision whether or not you are allowed to do something (most of the time, there are some exceptions).
When you log in, the login shell sets both the real and effective user ID to the same value (your real user id) as supplied by the password file.
If, for instance, you execute a setuid program, which besides running as another user (e.g. root) is also supposed to do something on your behalf:
After the exec, the process has your real user ID (since you own it) and the effective user ID of the file's owner (for example root), because the binary is setuid.
Let's use the case of `passwd`:
-rwsr-xr-x 1 root root 45396 may 25 2012 /usr/bin/passwd
When user2 wants to change their password, they execute `/usr/bin/passwd`.
The RUID will be user2 but the EUID of that process will be root.
user2 can use passwd only to change their own password, because internally passwd checks the RUID (getuid()) and, if it is not root, limits its actions to the real user's own entry.
It is necessary that the EUID becomes root in the case of passwd because the process needs to write to `/etc/passwd` and/or `/etc/shadow`.
Every setuid-root binary is therefore code that unprivileged users can run with root's effective privileges, and a bug in any of them is a local privilege-escalation path. Keep the set small and known: `find / -perm -4000 -type f 2>/dev/null` lists them. The kernel ignores the setuid bit on file systems mounted `nosuid` and on interpreted scripts.
Another admin is running all commands as root. Why is this a bad idea?
Running everything as root is a bad idea because:
- Mistakes: nothing stops a careless command (an `rm -rf` with a mistyped path, a typo in a system config file) from taking the whole system with it. With `sudo`, the password prompt is a pause that gives you a moment to check what you are about to do, and ordinary commands simply cannot damage system files.
- Security: an attacker who does not know the admin account name has to guess both a username and a password; a usable `root` login hands them half of that pair, and it is the account every brute-force bot tries first. `sudo` also logs which user ran which command, which is lost when everyone shares root.
- You don't really need it: if you have several commands to run as root and are tired of re-entering your password after `sudo` has timed out, `sudo -i` gives you a root login shell. To run a pipeline as root use `sudo sh -c "command1 | command2"`, because `sudo command1 | command2` elevates only the first command.
- You can always use the recovery console: it lets you recover from a major mistake or fix a problem caused by an application you had to run with `sudo`. Ubuntu leaves the root account locked, so its recovery mode drops straight into a root shell; setting a root password makes recovery mode ask for it, which makes physical access a little harder to abuse (a bootloader password and disk encryption do the rest).
Which command is used to review boot messages?
`dmesg` is used to review boot messages. It displays the system messages held in the kernel ring buffer, so run immediately after booting it shows the kernel's boot messages (`dmesg -T` adds human-readable timestamps). A ring buffer has a fixed size and new data overwrites the oldest, so on a busy system early messages scroll out; on systemd hosts `journalctl -k` shows the same kernel messages, and `journalctl -k -b -1` those of the previous boot if the journal is persistent. Note that `kernel.dmesg_restrict=1` limits `dmesg` to root, a sensible default since the kernel addresses and hardware details it contains are useful to an attacker.
What is the swap space?
Swap space is used when physical memory (RAM) is full. If the system needs more memory and RAM is exhausted, inactive pages are moved out to the swap space. While swap can help machines with a small amount of RAM, it is not a replacement for more RAM: it lives on disk, which is orders of magnitude slower than memory. Because pages swapped out may contain passwords or keys, encrypt swap (or disable it) on hosts that handle secrets; `free` and `swapon --show` tell you whether any is in use.
How to check memory stats and CPU stats?
You'd use `top`/`htop` for both. `free` shows physical and swap memory, and `vmstat` reports virtual memory, paging and CPU statistics over an interval. With `sar` (from the sysstat package, which is often not installed by default) we can see CPU utilisation and other historical stats; `mpstat` and `/proc/meminfo` are also useful.
What is load average?
Linux load averages are "system load averages" that show the running thread (task) demand on the system as an average number of running plus waiting threads. This measures demand, which can be greater than what the system is currently processing. Most tools show three averages, for 1, 5, and 15 minutes.
Some interpretations:
- If the averages are 0.0, then your system is idle.
- If the 1 minute average is higher than the 5 or 15 minute averages, then load is increasing.
- If the 1 minute average is lower than the 5 or 15 minute averages, then load is decreasing.
- If they are higher than your CPU count, then you might have a performance problem (it depends). On Linux the figure also counts tasks in uninterruptible sleep (state D, usually waiting on I/O), so a high load average does not necessarily mean the CPUs are saturated; check `vmstat` or `top` to see whether the time goes to user/system CPU or to I/O wait.
How to create partition and filesystem?
- `fdisk`, `gdisk` or `parted` (GUI: `gparted`) - create a partition table and partitions
- `mkfs` (e.g. `mkfs.ext4 /dev/sdb1`) - create a new filesystem on the partition
Then mount it and, for a permanent mount, add a line to `/etc/fstab`, preferably referencing the filesystem by UUID (see `blkid`).
Where journaling is dedicated?
Journaling file systems keep a dedicated area on disk, the journal, where pending metadata (and optionally data) changes are written before they are applied to the main file system structures. After a crash the journal is replayed or discarded, so the file system comes back consistent without a full fsck and the chance of corruption is much lower.
What are the kinds of permissions under Unix-like?
- Read: users can read a file's contents, or list a directory's entries
- Write: users may modify a file, or create, delete and rename entries in a directory (deleting a file needs write permission on its directory, not on the file itself)
- Execute: users may run the file, or traverse the directory (enter it and open entries by name, even without permission to list it)
Where is password file located in Linux?
Linux stores account information in `/etc/passwd`, which is world-readable, and the password hashes in `/etc/shadow`, which only root (and the shadow group) can read. The hashes are salted, and the algorithm (traditionally md5crypt or sha512crypt, yescrypt on current Debian and Fedora) is configured in `/etc/login.defs` or the PAM stack and differs between distributions; a `$6$` prefix in the hash field means sha512crypt, `$y$` yescrypt.
How do you change directory and subdirectory with file permissions in Linux/UNIX?
To change all the directories, e.g. to 755 (drwxr-xr-x):
find /opt/data -type d -exec chmod 755 {} \;
To change all the files, e.g. to 644 (-rw-r--r--):
find /opt/data -type f -exec chmod 644 {} \;
Using `find` with `-type` avoids the usual trap of `chmod -R 755`, which also marks every regular file executable. With GNU find, ending the command with `{} +` instead of `{} \;` passes many paths to each chmod and runs far fewer processes.
What is redirection?
Redirection is how the shell connects a command's standard streams (stdin 0, stdout 1, stderr 2) to files or to other commands instead of the terminal: `>` sends output to a file (truncating it), `>>` appends, `<` reads input from a file, `2>` redirects errors, `2>&1` merges stderr into stdout, and a pipe `|` feeds one command's output into the next command's input.
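The operators above (and the ones listed in the shell answer earlier: `>>`, `<<`, `2>&1`) in working form, as an added example that is not part of the original page. The `noisy` command and the file contents are constructed for the demonstration; the point it makes that the page does not spell out is that redirections are applied left to right, so the order of `2>&1` matters.

```shell
#!/bin/sh
# Added example (not from the original page). Redirections are processed left to
# right, and "2>&1" copies wherever fd 1 points *at that moment*, so order matters.

# A constructed command that writes one line to each stream.
noisy() {
    echo "normal output"
    echo "error output" >&2
}

# Correct: point stdout at the file first, then make stderr a copy of stdout.
# Both lines land in the file; nothing reaches the caller.
both_to_file() {
    noisy >"$1" 2>&1
}

# Wrong order: stderr is copied onto the *original* stdout before stdout is
# redirected, so the error still escapes to the caller and only stdout is filed.
stderr_leaks() {
    noisy 2>&1 >"$1"
}

# ">>" appends instead of truncating: use it for logs you must not clobber.
append_line() {
    printf '%s\n' "$2" >>"$1"
}

# "<<" (here-document) feeds inline text as stdin. Quoting the delimiter ('EOF')
# keeps $variables literal, which is what you want when writing config files.
write_config() {
    cat >"$1" <<'EOF'
listen = 127.0.0.1
log_file = $HOME/app.log
EOF
}

# Lines in a file, stripped of the leading spaces some wc builds print.
line_count() {
    wc -l <"$1" | tr -d ' '
}

# Classic idiom: discard stdout and pipe only stderr into a filter. The pipe is
# set up first, so "2>&1" points stderr at the pipe and ">/dev/null" then
# diverts stdout away from it.
count_errors_from() {
    noisy 2>&1 >/dev/null | grep -c error
}
```

Try `stderr_leaks /tmp/out.txt` at an interactive prompt: "error output" appears on the terminal while only "normal output" ends up in the file.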
What is grep command?
`grep` searches its input (files, or the output of another command) for lines matching a pattern, a fixed string or a regular expression, and prints them, highlighting the match on a terminal. It is the everyday tool for searching log files, filtering process lists (`ps aux | grep nginx`) and so on; `-i` ignores case, `-r` recurses into directories, `-v` inverts the match and `-E` enables extended regular expressions.
Explain file content commands along with the description.
- head: to check the starting of a file.
- tail: to check the ending of the file. It is the reverse of head command.
- cat: used to view, create, concatenate the files.
- more: used to display the text in the terminal window in pager form.
- less: a pager like more that also allows moving backwards, searching, and scrolling one line at a time, without loading the whole file first.
Explain SIGHUP, SIGINT, SIGKILL and SIGTERM Posix signals.
- SIGHUP - the SIGHUP signal is sent to a process when its controlling terminal is closed. It was originally designed to notify the process of a serial line drop (a hangup). Many daemons will reload their configuration files and reopen their logfiles instead of exiting when receiving this signal.
- SIGINT - the SIGINT signal is sent to a process by its controlling terminal when a user wishes to interrupt the process. This is typically initiated by pressing Ctrl+C, but on some systems, the "delete" character or "break" key can be used.
- SIGKILL - the SIGKILL signal is sent to a process to cause it to terminate immediately (kill). In contrast to SIGTERM and SIGINT, this signal cannot be caught or ignored, and the receiving process cannot perform any clean-up upon receiving this signal.
- SIGTERM - the SIGTERM signal is sent to a process to request its termination. Unlike the SIGKILL signal, it can be caught and interpreted or ignored by the process. This allows the process to perform nice termination releasing resources and saving state if appropriate. SIGINT is nearly identical to SIGTERM.
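The background-job and signal behaviour described in the two answers above, as an added example that is not part of the original page. In a script there is no interactive job table (`jobs`, `fg`, `%1` are not available), so background work is tracked by PID with `$!`, `kill` and `wait`. The `worker` and `stubborn_worker` functions are constructed stand-ins for a daemon that handles signals well and for one that hangs; the 0.5 s pause before signalling is there so the worker has installed its traps first.

```shell
#!/bin/sh
# Added example (not from the original page): job control by PID in a script,
# plus which POSIX signals a process can handle and which it cannot.

# A well-behaved worker: treats SIGHUP as "reload" instead of dying, exits
# cleanly on SIGTERM. No handler for SIGKILL can exist: it cannot be trapped.
worker() {
    trap ':' HUP              # reload configuration here instead of exiting
    trap 'exit 0' TERM        # clean shutdown
    while :; do sleep 0.2; done
}

# A hung worker that ignores SIGTERM, so only SIGKILL will end it.
stubborn_worker() {
    trap '' TERM HUP
    while :; do sleep 0.2; done
}

# Stop a background job by PID: ask with SIGTERM, allow $2 seconds of grace,
# then SIGKILL it. Prints the exit status collected by wait: 0 after a clean
# exit, 128+15=143 if TERM itself was fatal, 128+9=137 if KILL was needed.
stop_job() {
    pid=$1 grace=${2:-5}
    kill -TERM "$pid" 2>/dev/null || return 1
    # Watchdog: fires SIGKILL if the job is still around after the grace period.
    ( sleep "$grace"; kill -KILL "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?           # wait reaps the child and returns its status
    kill "$watchdog" 2>/dev/null || :  # job is gone; the watchdog is no longer needed
    wait "$watchdog" 2>/dev/null || :
    echo "$status"
}

# Scenario 1: a cooperative job, stopped by SIGTERM alone.
graceful_stop() {
    worker &
    pid=$!
    sleep 0.5
    stop_job "$pid" 5
}

# Scenario 2: a hung job, which only the SIGKILL watchdog can end.
forced_stop() {
    stubborn_worker &
    pid=$!
    sleep 0.5
    stop_job "$pid" 1
}
```

`graceful_stop` prints 0 and `forced_stop` prints 137, the 128+signal convention the shell uses for a child killed by a signal; a supervisor or init script that checks those codes can tell a clean shutdown from a kill.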
What is the difference between `rm` and `rm -rf`?
`rm` removes files; `-rf` adds two options:
- `-r` remove directories and their contents recursively
- `-f` ignore nonexistent files and arguments, never prompt
Together they delete whatever the argument expands to without asking, so be careful with variables: `rm -rf "$dir"/` with an empty `$dir` becomes `rm -rf /`. GNU rm refuses the bare `/` by default (`--preserve-root`), but not `/*`.
How do you list contents of archive.tgz and extract only one file?
tar tf archive.tgz
tar xf archive.tgz filename
How to sync two local directories?
To sync the contents of dir1 to dir2 on the same system, type:
rsync -av --progress --delete dir1/ dir2
- `-a, --archive` - archive mode: recurse and preserve permissions, ownership, timestamps, symlinks and devices
- `--delete` - delete files from the destination that no longer exist in the source
- `-v, --verbose` - verbose mode (increase verbosity)
- `--progress` - show progress during transfer
The trailing slash on `dir1/` means "the contents of dir1"; without it rsync would create `dir2/dir1`. Because `--delete` removes data, run with `-n` (`--dry-run`) first to see what would change.
How to quickly backup a file?
cp filename{,.orig}
How to find all files larger than 20M?
find / -type f -size +20M
Why do we use `sudo su -` and not just `sudo su`?
`su -` invokes a login shell after switching the user. A login shell resets most environment variables (HOME, PATH and so on) and reads root's own profile, providing a clean base.
`su` just switches the user, providing a normal shell with an environment nearly the same as the old user's, including that user's PATH; if that PATH starts with a user-writable directory, a trojaned binary placed there can end up running as root. `sudo -i` gives the same clean login shell with sudo's own logging and is usually the better choice.
How to find files that have been modified on your system in the past 60 minutes?
find / -mmin -60 -type f
What are the main reasons for keeping old log files?
They are essential for investigating problems and incidents on the system. Intrusions are often discovered weeks or months after they begin, so older logs are what lets you establish when and how an attacker got in and what they touched; retention is also frequently a compliance requirement. Rotate and compress old logs rather than deleting them, and ship copies to a separate log host so that an attacker who gains root cannot erase the evidence.
What is an incremental backup?
An incremental backup copies only the files that have changed since the previous backup (full or incremental), so each run is small and fast, but a restore must replay the full backup and every incremental in order. A differential backup instead copies everything changed since the last full backup, trading more space per run for a two-step restore. Whatever the scheme, a backup that has never been test-restored is an untested backup.
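The `tar` listing and single-file extraction from the archive question above, followed by a simple incremental backup of the kind described here, as an added example that is not part of the original page. The directory tree, file contents and archive names are constructed in a scratch directory; the incremental step uses a timestamp marker file and `find -newer` rather than any particular backup tool.

```shell
#!/bin/sh
# Added example (not from the original page). Full archive, listing, single-file
# extraction, then an incremental backup driven by a timestamp marker.

# Build a constructed scratch tree and print its path.
make_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/out"
    printf 'version = 1\n' >"$work/src/etc/app.conf"
    printf 'hello\n' >"$work/src/readme.txt"
    echo "$work"
}

# Full backup of src/, then a marker whose mtime records when it was taken.
full_backup() {
    tar czf "$1/full.tgz" -C "$1/src" .
    touch "$1/full.stamp"
}

# List members without extracting. Always do this before unpacking an archive
# you did not create, to spot absolute paths or ".." components.
list_members() {
    tar tzf "$1"
}

# Extract one member (archive path, exactly as the listing prints it) into a dir.
extract_one() {
    tar xzf "$1" -C "$2" "$3"
}

# Incremental backup: only regular files modified after the marker.
incremental_backup() {
    ( cd "$1/src" && find . -type f -newer "$1/full.stamp" -print \
        | tar czf "$1/incr.tgz" -T - )
}

# Run the whole sequence and print a one-line summary:
# "<regular files in full>|<content of the extracted file>|<members in incremental>"
demo() {
    work=$(make_tree)
    full_backup "$work"
    regular=$(list_members "$work/full.tgz" | grep -c -v '/$')
    extract_one "$work/full.tgz" "$work/out" ./etc/app.conf
    extracted=$(cat "$work/out/etc/app.conf")
    sleep 1                                    # guarantee a later mtime
    printf 'version = 2\n' >"$work/src/etc/app.conf"
    incremental_backup "$work"
    changed=$(list_members "$work/incr.tgz")
    rm -rf "$work"
    echo "$regular|$extracted|$changed"
}
```

Restoring means unpacking `full.tgz` and then `incr.tgz` on top of it, in that order; with several incrementals the marker would be refreshed after each run so that every archive holds only what changed since the one before.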
What is RAID? What is RAID0, RAID1, RAID5, RAID6, RAID10?
RAID (Redundant Array of Independent, originally Inexpensive, Disks) combines several physical disks into one logical device to increase the performance and/or reliability of data storage. It protects against disk failure, not against deletion, ransomware or a failed controller, so it is not a backup.
- RAID0: Also known as disk striping, is a technique that breaks up a file and spreads the data across all the disk drives in a RAID group. There are no safeguards against failure.
- RAID1: A popular disk subsystem that increases safety by writing the same data on two drives. Called "mirroring," RAID 1 does not increase write performance, but read performance may equal up to the sum of each disks' performance. However, if one drive fails, the second drive is used, and the failed drive is manually replaced. After replacement, the RAID controller duplicates the contents of the working drive onto the new one.
- RAID5: It is disk subsystem that increases safety by computing parity data and increasing speed by interleaving data across three or more drives (striping). Upon failure of a single drive, subsequent reads can be calculated from the distributed parity such that no data is lost.
- RAID6: RAID 6 extends RAID 5 by adding a second parity block. It requires a minimum of four disks and can survive the loss of any two disks at once. RAID 6 has no read penalty, but writes are slower because two parity blocks must be computed and written.
- RAID10: Also known as RAID 1+0, is a RAID configuration that combines disk mirroring and disk striping to protect data. It requires a minimum of four disks, and stripes data across mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved. If two disks in the same mirrored pair fail, all data will be lost because there is no parity in the striped sets.
How is a user’s default group determined? How would you change it?
useradd -m -g initial_group username
-g/--gid: defines the group name or number of the user's initial login group. If specified, the group name must exist; if a group number is provided, it must refer to an already existing group. If not specified, the behaviour of useradd will depend on the USERGROUPS_ENAB variable contained in /etc/login.defs. The default behaviour (USERGROUPS_ENAB yes) is to create a group with the same name as the username, with GID equal to UID.
Why would you want to mount servers in a rack?
- Protecting Hardware
- Organized Workspace
- Better Power Management
- Cleaner Environment
According to an HTTP monitor, a website is down. You're able to telnet to the port, so how do you resolve it?
A successful connection to the port tells me the network path, the firewall and the listening socket are fine, so the fault is higher up the stack. I would first reproduce the monitor's request with `curl -v` to see what the server actually returns (a 5xx, a hang, a TLS or certificate error, a redirect loop), then ssh to the server and read the web server's error log and the application's own log, check that the backends it depends on (application server, database, cache) are reachable, and look for resource exhaustion: a full disk, exhausted worker processes or connection pools, file-descriptor limits, an expired certificate. Having found the cause, fix it, confirm the monitor recovers, and write up what happened.
What are the default ports used for SMTP, FTP, DNS, DHCP and SSH protocols?
SERVICE | PORT |
---|---|
SMTP | 25/TCP (587/TCP for authenticated submission, 465/TCP for implicit TLS) |
FTP | 21/TCP for the control connection, 20/TCP for data in active mode |
DNS | 53/UDP and 53/TCP |
DHCP | 67/UDP for the DHCP server, 68/UDP for the DHCP client |
SSH | 22/TCP |
What happens when you type api.example.com in your browser and press return?
The browser first checks its own DNS cache. On a miss it asks the OS resolver, which checks its cache and `/etc/hosts` (in the order set by the `hosts:` line of `/etc/nsswitch.conf`), then queries the name servers listed in `/etc/resolv.conf`, usually handed out by DHCP and pointing at the router or the ISP's resolver. That recursive resolver returns a cached answer or walks the hierarchy (root, `.com`, `example.com`) to find the A/AAAA record for `api.example.com`. With an address in hand the browser opens a TCP connection to port 443 (or 80), negotiates TLS and validates the server certificate against the requested hostname, sends an HTTP request carrying a `Host: api.example.com` header, and renders whatever comes back. Each of those steps (DNS, TCP, TLS, HTTP) is a place where "the site is down" can be narrowed to.
How to check default route and routing table?
Using `ip route show` (or the older `route -n` / `netstat -nr` from the deprecated net-tools package) we can see the default route and the routing table; `ip route get 8.8.8.8` shows which route and interface a specific destination would use.
What is the difference between 127.0.0.1 and localhost?
The practical difference is that `localhost` still has to be resolved somewhere, while `127.0.0.1` does not.
If you use `127.0.0.1`, sensible software turns it straight into an address: `getaddrinfo` recognises dotted-quad (and IPv6) literals and performs no lookup at all.
Otherwise the name has to be resolved, and there is no guarantee that the hosts file is consulted first, or at all: on glibc systems the `hosts:` line in `/etc/nsswitch.conf` decides the order, so `localhost` could in principle resolve to something other than the loopback address. Modern hosts files also map `localhost` to `::1`, so a client may try IPv6 first and fail against a service bound only to `127.0.0.1`; bind to both addresses or connect by the literal to avoid that.
Some client libraries, MySQL's being the well-known case, treat the hostname `localhost` specially: on Unix it means "connect over the Unix domain socket", which is slightly faster because there is no TCP/IP overhead, while `127.0.0.1` forces TCP/IP; on Windows `localhost` always means TCP/IP.
How to resolve a domain name using an external DNS server with CLI commands?
# with host command:
host domain.com 8.8.8.8
# with dig command:
dig @9.9.9.9 google.com
# with nslookup command:
nslookup domain.com 8.8.8.8
How to test port connectivity with `telnet` or `nc`?
# with telnet command:
telnet code42.example.com 5432
# with nc (netcat) command:
nc -vz code42.example.com 5432
Why should you avoid telnet to administer a system remotely?
Telnet has no encryption: every byte, including the username and password typed at login, crosses the network in cleartext, so anyone who can sniff the path (a compromised host on the same segment, a rogue access point, a tapped link) captures working credentials in seconds. It also does not authenticate the server, so a man-in-the-middle can impersonate it. Use SSH, which encrypts the session and verifies the host key, and disable the telnet service entirely.
What is the difference between `wget` and `curl`?
wget's major strong side compared to curl is recursive downloading (mirroring a site and following its links), and it is a command-line tool only. curl is built on libcurl, which other programs embed; it speaks many more protocols (FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, POP3, IMAP, SMTP, RTMP, RTSP and more), supports uploads and arbitrary request methods and headers, and writes to stdout by default, which makes it the usual choice for scripting and for debugging APIs (`curl -v`). Both verify TLS certificates by default; resist the habit of `curl -k` or `wget --no-check-certificate` to make an error go away.
How do SSH keys work?
SSH stands for Secure Shell. It is an encrypted protocol for logging into a remote machine and running commands there. The machine you connect to runs an SSH daemon (sshd) that listens on a network port (22 by default), authenticates connection requests and spawns a shell or command for the user; the machine you connect from runs an SSH client. Key-based authentication uses an asymmetric key pair: the private key stays on the client (ideally protected by a passphrase and loaded into ssh-agent), and the public key is appended to `~/.ssh/authorized_keys` of the target account on the server. At login the server sends a challenge that the client signs with its private key; the server verifies the signature against the stored public key, so no password crosses the wire and the private key never leaves the client. The server proves its own identity with its host key, which the client records in `~/.ssh/known_hosts` on first contact and checks on every later connection to detect a man-in-the-middle.
What is a packet filter and how does it work?
Packet filtering is a firewall technique that controls network access by inspecting incoming and outgoing packets and allowing or dropping them based on source and destination IP addresses, protocol and ports. A stateless filter judges each packet on its own; a stateful filter (iptables/nftables with connection tracking, pf on BSD) remembers established connections, so replies to permitted outbound traffic are admitted automatically and everything unsolicited can be dropped by default.
What is a proxy and how does it work?
A proxy server is a dedicated computer or a software system that acts as an intermediary between a client, such as a user's computer, and the server from which the client is requesting a service. A forward proxy sits in front of clients (caching, filtering, hiding internal addresses); a reverse proxy such as nginx or HAProxy sits in front of servers, terminating TLS, load-balancing and shielding the backends from direct exposure.
What is the difference between a router and a gateway? What is the default gateway?
Routers and Gateways are used to regulate network traffic between two or more separate networks. Gateways regulate traffic between two dissimilar networks, while routers regulate traffic between similar networks.
A default gateway serves as an access point or IP router that a networked computer uses to send information to a computer in another network or the internet. Default simply means that this gateway is used by default, unless an application specifies another gateway.
A gateway is a node (router) in a computer network, a key stopping point for data on its way to or from other networks. Thanks to gateways, we are able to communicate and send data back and forth.
Explain the function of each of the following DNS records: SOA, PTR, A, MX, and CNAME.
DNS records map names to addresses and other data and tell resolvers how to handle a domain. The types found in nearly every zone are A, AAAA, CNAME, MX, PTR, NS, SOA, SRV, TXT and NAPTR.
- SOA - Start Of Authority: one per zone; names the primary name server and the admin mailbox and carries the serial number plus the refresh, retry, expire and negative-caching TTL values that secondary servers use.
- A - Address record: maps a hostname to an IPv4 address.
- AAAA - maps a hostname to an IPv6 address.
- CNAME - Canonical Name: an alias that points at another name (the alias itself may carry no other record types).
- MX - Mail eXchanger: the hosts that accept mail for the domain, each with a priority.
- NS - Name Server: the authoritative servers for the zone.
- PTR - Pointer: the reverse mapping from an address (in in-addr.arpa or ip6.arpa) back to a name, used for reverse lookups.
What is the smallest IPv4 subnet mask that can be applied to a network containing up to 30 devices?
A subnet that must hold up to 30 devices needs 30 host addresses plus the network and broadcast addresses, 32 in total, which is 2^5; that leaves 27 bits for the network part, so the smallest mask is /27, or 255.255.255.224. For comparison, a standard /24 for end users gives 254 usable addresses and a /30 for point-to-point links gives 2.
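The subnet arithmetic above, generalised from the /27-for-30-hosts case to any host count and prefix length, as an added example that is not part of the original page. It uses only POSIX shell arithmetic; the `/31` point-to-point exception of RFC 3021 is deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the original page): subnet sizing in plain shell.

# Smallest prefix length whose block fits N hosts plus the network and broadcast
# addresses. 30 hosts need 32 addresses -> /27; 31 hosts already need 64 -> /26.
prefix_for_hosts() {
    need=$(( $1 + 2 ))
    bits=0
    while [ $(( 1 << bits )) -lt "$need" ]; do
        bits=$(( bits + 1 ))
    done
    echo $(( 32 - bits ))
}

# Dotted-quad mask for a prefix length: the top P bits of a 32-bit word set.
mask_for_prefix() {
    p=$1
    if [ "$p" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    fi
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# Usable host addresses in a block, by the classic rule (minus network and
# broadcast). RFC 3021 lets a /31 carry two hosts on point-to-point links;
# that special case is not handled here.
usable_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# One-line plan: "30 hosts -> /27 255.255.255.224 (30 usable)"
plan_subnet() {
    p=$(prefix_for_hosts "$1")
    echo "$1 hosts -> /$p $(mask_for_prefix "$p") ($(usable_hosts "$p") usable)"
}
```

`plan_subnet 31` answers /26 rather than /27, which is the off-by-one that catches people who forget the two reserved addresses.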
Various response codes from a web application?
- 1xx - Informational responses - communicates transfer protocol-level information
- 2xx - Success - indicates that the client’s request was accepted successfully
- 3xx - Redirection - indicates that the client must take some additional action in order to complete their request
- 4xx - Client side error - this category of error status codes points the finger at clients
- 5xx - Server side error - the server takes responsibility for these error status codes
What is Version Control?
It is a system that records changes to a file or set of files over time so that you can recall specific versions later. Version control systems typically have a shared repository to which teammates commit their changes.
Version control allows you to:
- revert files back to a previous state
- revert the entire project back to a previous state
- compare changes over time
- see who last modified something that might be causing a problem
- who introduced an issue and when
Explain some basic Git commands?
git init
- create a new local repositorygit commit -m "message"
- commit changes to headgit status
- list the files you've added withgit add
and also commit any files you've changed since thengit push origin master
- send changes to the master branch of your remote repository
What is a Security Misconfiguration?
Security misconfiguration is the vulnerability that arises when a device, application or network is set up in a way an attacker can take advantage of: default or weak credentials left on device and service accounts, unnecessary services or open ports, directory listing or debug modes left enabled, verbose error pages that leak stack traces, overly permissive cloud storage buckets or file permissions, and missing security headers or patches. It is one of the OWASP Top 10 categories (A05:2021).
Explain Linux Boot Sequence.
BIOS/UEFI: the firmware runs its power-on self test, initialises the hardware, then finds and executes the bootloader. Legacy BIOS loads the first sector of the boot disk (the MBR); UEFI loads an `.efi` binary from the EFI System Partition and, with Secure Boot enabled, verifies its signature first.
MBR: the Master Boot Record holds the first stage of the bootloader and the legacy partition table; it loads the rest of GRUB.
GRUB: the GRand Unified Bootloader reads its configuration, lets you choose a kernel if several are installed, and loads that kernel and its initramfs into memory.
Kernel: the kernel initialises drivers, mounts the initramfs and then the real root file system, and executes PID 1, `/sbin/init`, which on most current distributions is systemd.
Init: SysV init reads `/etc/inittab` to determine the default runlevel (0-6); systemd instead activates the default target, e.g. `multi-user.target` or `graphical.target`.
Runlevel/target programs: the services configured for that runlevel or target are started and login prompts appear.
What is this UID 0 `toor` account? Have I been compromised?
`toor` is an "alternative" superuser account, where toor is root spelled backwards. It is intended to be used with a non-standard shell so the default shell for root does not need to change.
This matters because shells that are not part of the base system, but are instead installed from ports or packages, land in `/usr/local/bin`, which by default resides on a different file system. If root's shell is located in `/usr/local/bin` and the file system containing it is not mounted, root will not be able to log in to fix a problem and will have to reboot into single-user mode and type the path to a working shell.
Some people use toor for day-to-day root tasks with a non-standard shell, leaving root, with a standard shell, for single-user mode or emergencies. By default nobody can log in as toor because it has no password, so log in as root and set one before using it.
That is the FreeBSD case. On Linux, which ships no toor account, any second UID 0 entry in `/etc/passwd` is a classic sign of a backdoor: list them with `awk -F: '$3 == 0' /etc/passwd` and treat anything other than root as a compromise until proven otherwise.
What is the name and path of the main system log?
On RHEL-family systems the main system log is `/var/log/messages`; Debian and Ubuntu use `/var/log/syslog`, and systemd-based distributions additionally (or instead) keep a binary journal read with `journalctl`. This is the general-purpose syslog file: it contains messages from most system services and daemons, non-kernel boot issues, and the kernel messages that also appear in `dmesg` (the kernel ring buffer written during boot). Authentication events go to a separate file, `/var/log/auth.log` or `/var/log/secure` depending on the distribution.
Explain the `/proc` filesystem.
`/proc` is a virtual file system that provides detailed information about the kernel, hardware and running processes.
Since `/proc` contains virtual files, it is called a virtual file system. These files have unusual qualities: most are listed as zero bytes in size, and their contents are generated by the kernel at the moment they are read.
Virtual files such as `/proc/interrupts`, `/proc/meminfo`, `/proc/mounts` and `/proc/partitions` provide an up-to-the-moment glimpse of the system's hardware. Others, such as the `/proc/filesystems` file and the `/proc/sys/` directory, provide system configuration information and interfaces (`/proc/sys` is what `sysctl` reads and writes), and each `/proc/<pid>/` directory exposes one process: its command line, environment, open file descriptors, memory maps and more.
Why is a load of 1.00 not ideal on a single-core machine?
The problem with a load of 1.00 is that you have no headroom. In practice, many sysadmins draw the line at 0.70 per core:
- The "need to look into it" rule of thumb: 0.70. If your load average stays above 0.70, investigate before things get worse.
- The "fix this now" rule of thumb: 1.00. If your load average stays above 1.00, find the problem and fix it now. Otherwise you will be woken up in the middle of the night, and it will not be fun.
- The "serious trouble" rule of thumb: 5.00. If your load average is above 5.00, your box is either hanging or slowing way down, and this will (inexplicably) happen at the worst possible time, like the middle of the night or while you are presenting at a conference. Don't let it get there.
On a multi-core machine, divide the load average by the number of cores before applying these numbers.
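The load-average interpretation from the earlier "What is load average?" answer and the per-core thresholds above, combined in one function, as an added example that is not part of the original page. It reads the `/proc/loadavg` format (`1min 5min 15min running/total lastpid`); the sample lines in the test are constructed, and `nproc`, `ps` and `awk` are the standard GNU/procps tools.

```shell
#!/bin/sh
# Added example (not from the original page): interpret a loadavg line against
# the CPU count, applying the 0.70 (look) / 1.00 (fix now) thresholds per core.

# $1: a /proc/loadavg line, $2: number of CPUs.
# Prints "<trend> <verdict> <1-minute load per CPU>".
interpret_load() {
    printf '%s\n' "$1" | awk -v ncpu="$2" '{
        one = $1 + 0; five = $2 + 0; fifteen = $3 + 0
        if (one == 0 && five == 0 && fifteen == 0)       trend = "idle"
        else if (one > five && one > fifteen)            trend = "increasing"
        else if (one < five && one < fifteen)            trend = "decreasing"
        else                                             trend = "steady"
        per_cpu = one / ncpu
        if (per_cpu >= 1.0)       verdict = "fix-now"
        else if (per_cpu >= 0.7)  verdict = "investigate"
        else                      verdict = "ok"
        printf "%s %s %.2f\n", trend, verdict, per_cpu
    }'
}

# Live check on this host.
check_this_host() {
    interpret_load "$(cat /proc/loadavg)" "$(nproc)"
}

# On Linux both runnable (R) and uninterruptible-sleep (D) tasks count towards
# the load average, so list both: a pile of D-state processes means the load is
# I/O wait, not CPU.
contributing_tasks() {
    ps -eo stat=,pid=,comm= | awk '$1 ~ /^[RD]/'
}
```

Run `check_this_host` when a box feels slow, then `contributing_tasks` to see whether the load is CPU-bound work or processes stuck waiting on disk or network storage.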
How the Linux kernel creates, manages and deletes the processes in the system? *
To be completed.
How would you recognize a process that is hogging resources?
`top` works reasonably well, as long as you look at the right numbers. Sort keys in procps `top` (uppercase matters):
- `M` sorts by resident memory usage (%MEM)
- `P` sorts by current CPU usage (the default)
- `T` sorts by cumulative CPU time (TIME+)
- `?` or `h` displays help for all interactive commands
Non-interactively, `ps aux --sort=-%cpu | head` (or `--sort=-%mem`) gives the same ranking in a script, and `iotop` or `pidstat -d` shows who is hogging disk I/O rather than CPU. This is the information you need when working out why a machine is slow and deciding what to kill or uninstall.
What is umask? How to set it permanently for a user?
On Linux and other Unix-like operating systems, new files are created with a default set of permissions. Specifically, a new file's permissions may be restricted in a specific way by applying a permissions "mask" called the umask. The umask command is used to set this mask, or to show you its current value.
To change it permanently (e.g. to `umask 022`), add the `umask` line to the startup file your shell reads at login:
- ~/.profile
- ~/.bashrc
- ~/.zshrc
- ~/.cshrc
System-wide defaults live in `/etc/profile` (or `UMASK` in `/etc/login.defs` where pam_umask is used), and services started by systemd take theirs from `UMask=` in the unit file.
Explain the differences among the following umask values: 000, 002, 022, 027, 077 and 277.
Umask | File result | Directory result |
---|---|---|
000 | 666 rw- rw- rw- | 777 rwx rwx rwx |
002 | 664 rw- rw- r-- | 775 rwx rwx r-x |
022 | 644 rw- r-- r-- | 755 rwx r-x r-x |
027 | 640 rw- r-- --- | 750 rwx r-x --- |
077 | 600 rw- --- --- | 700 rwx --- --- |
277 | 400 r-- --- --- | 500 r-x --- --- |
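The table above reproduced by arithmetic and then checked against files actually created under each umask, as an added example that is not part of the original page. New files start from 666 and new directories from 777, and the umask clears bits; `stat -c %a` (GNU coreutils) reports the octal mode the kernel assigned. The scratch directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): umask arithmetic and a live check.

# Mode a new file (base 666) or directory (base 777) receives under umask $1.
mode_from_umask() {
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: mode_from_umask UMASK file|dir" >&2; return 1 ;;
    esac
    # A leading 0 makes the shell read the value as octal; ~ flips the mask and
    # & clears the masked bits. %03o prints the result back in octal.
    printf '%03o\n' $(( base & ~0$1 ))
}

# Create a file and a directory under umask $1 in a scratch directory and report
# the modes the kernel actually assigned, as "<file> <dir>".
observed_modes() {
    work=$(mktemp -d)
    (
        umask "$1"           # umask is per process: the subshell keeps it local
        : >"$work/f"
        mkdir "$work/d"
        echo "$(stat -c %a "$work/f") $(stat -c %a "$work/d")"
    )
    rm -rf "$work"
}

# Print the "umask file dir" table for any list of umasks.
umask_table() {
    for m in "$@"; do
        printf '%s %s %s\n' "$m" "$(mode_from_umask "$m" file)" "$(mode_from_umask "$m" dir)"
    done
}
```

`umask_table 000 002 022 027 077 277` prints the table; `observed_modes 027` should agree with the 027 row, and if it does not, something between the shell and the file system (a default ACL, for instance) is changing the result.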
What are symbolic links?
A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows or a Macintosh alias. Unlike a hard link, a symbolic link does not contain the data in the target file. It simply points to another entry somewhere in the file system.
List out the differences between softlink and hardlink?
a) A hard link is a second directory entry for the same inode: both names are equal, the data persists until the last link is removed, and `ls -l` shows the link count. Hard links cannot span file systems and, on Linux, cannot be created for directories, only for files.
b) A soft link (symbolic link, symlink) is a separate small file whose content is a path. It can point to a directory, to another file system or to a target that does not exist yet, and it becomes dangling if the target is removed or renamed. Because the kernel follows symlinks transparently, a symlink planted in a world-writable directory can redirect a privileged program's write; `fs.protected_symlinks=1`, the default on modern Linux, blocks following them in sticky world-writable directories when the owners differ.
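The observable differences listed above, demonstrated in a scratch directory, as an added example that is not part of the original page. The file names and contents are constructed; `stat -c %i` and `%h` (GNU coreutils) print the inode number and link count.

```shell
#!/bin/sh
# Added example (not from the original page): what distinguishes a hard link
# from a symlink once you look at inodes and remove the original name.

# Prints "<inode comparison> <link count> <read via hard link> <read via symlink> <dir hardlink>"
link_demo() {
    work=$(mktemp -d)
    printf 'payload\n' >"$work/original"
    mkdir "$work/subdir"

    ln    "$work/original" "$work/hard"    # second name for the same inode
    ln -s original         "$work/soft"    # a small file whose content is a path

    # Both names resolve to one inode, whose link count is now 2.
    same=$([ "$(stat -c %i "$work/original")" = "$(stat -c %i "$work/hard")" ] && echo same || echo different)
    nlink=$(stat -c %h "$work/original")

    # Hard-linking a directory is refused: it would create cycles in the tree.
    dirlink=$(ln "$work/subdir" "$work/dirlink" 2>/dev/null && echo allowed || echo refused)

    # Remove the original name: the data survives through the hard link, while
    # the symlink now points at nothing and is "dangling".
    rm "$work/original"
    via_hard=$(cat "$work/hard")
    via_soft=$(cat "$work/soft" 2>/dev/null || echo dangling)

    rm -rf "$work"
    echo "$same $nlink $via_hard $via_soft $dirlink"
}
```

The hard-link half is also why `fs.protected_hardlinks=1` exists: without it, a user could hard-link a root-owned file into a directory a privileged process later writes to, and keep a copy of data that was "deleted".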
What is the sticky-bit?
The sticky bit (mode `1000`, shown as `t` in the permission string) is set on shared, world-writable directories such as `/tmp` (mode `1777`). In such a directory only the owner of a file, the owner of the directory, or root may delete or rename that file, even though everyone may create files there. On regular files modern Linux ignores the bit (historically it kept a program's text resident in swap). Set it with `chmod +t dir` or `chmod 1777 dir`.
How to change the default run level in Linux?
On SysV init systems, edit `/etc/inittab` and change the `initdefault` entry (`id:5:initdefault:`). `init 3` (or `telinit 3`) switches to runlevel 3 temporarily, until the next boot. On systemd systems runlevels are replaced by targets: `systemctl set-default multi-user.target` changes the default and `systemctl isolate multi-user.target` switches immediately.
What steps will be taken by init when you run telinit 1
from run level 3? What will be the final result of this? *
To be completed.
I have forgotten the root password! What do I do in BSD?
Restart the system and type `boot -s` at the `Boot:` prompt to enter single-user mode.
At the question about the shell to use, hit Enter, which gives you a `#` prompt.
Enter `mount -urw /` to remount the root file system read/write, then run `mount -a` to mount the remaining file systems.
Run `passwd root` to set a new root password, then `exit` to continue booting.
Note that this works for anyone with console access. To make FreeBSD demand the root password before handing out a single-user shell, mark the console `insecure` in `/etc/ttys`.
How to add & change the kernel parameters?
Kernel parameters are exposed through sysctl. Edit `/etc/sysctl.conf` (or drop a file into `/etc/sysctl.d/` on modern Linux distributions), save it and run `sysctl -p` (or `sysctl --system` to load all the drop-in files); the values take effect immediately, without a reboot, and are reapplied at boot. `sysctl -w key=value` changes a parameter at runtime only, and `sysctl key` reads the current value (on Linux the same values are readable under `/proc/sys/`).
What is the difference between ext2, ext3 and ext4 file systems?
ext2
- ext2 stands for second extended file system.
- ext2 has no journaling feature, so an unclean shutdown requires a full `fsck`.
- on flash and USB drives ext2 used to be recommended, as it avoids the write overhead of journaling.
- maximum individual file size is 16 GB to 2 TB, depending on block size.
- overall ext2 file system size is 2 TB to 32 TB, depending on block size.
ext3
- ext3 stands for third extended file system.
- starting from Linux kernel 2.4.15 ext3 was available.
- the main benefit of ext3 is journaling, which makes recovery after a crash fast and consistent.
- maximum individual file size is 16 GB to 2 TB, depending on block size.
- overall ext3 file system size is 2 TB to 32 TB, depending on block size.
- you can convert an ext2 file system to ext3 in place (`tune2fs -j`, without backup/restore).
ext4
- ext4 stands for fourth extended file system.
- starting from Linux kernel 2.6.19 ext4 was available (as ext4dev; marked stable in 2.6.28).
- supports huge individual file sizes and overall file system sizes.
- maximum individual file size is 16 GB to 16 TB.
- overall maximum ext4 file system size is 1 EB (exabyte). 1 EB = 1024 PB (petabyte). 1 PB = 1024 TB (terabyte).
- a directory can contain a maximum of 64,000 subdirectories (as opposed to 32,000 in ext3).
- you can mount an existing ext3 file system as ext4 (without having to upgrade it).
- several other new features are introduced in ext4: extents, multiblock allocation, delayed allocation, journal checksums, fast fsck, etc.
- in ext4 you also have the option of turning the journaling feature off.
Explain three types of journaling in ext3/ext4.
There are three journaling modes, selected with the `data=` mount option:
- `data=journal`: both metadata and file contents are written to the journal before being committed to the main filesystem. Safest, slowest (everything is written twice).
- `data=ordered`: only metadata is journaled, but the data blocks are forced to disk before the metadata that references them is committed, so a crash cannot leave a file pointing at stale blocks (possibly somebody else's old data). This is the default.
- `data=writeback`: only metadata is journaled and no ordering is enforced between data and metadata, so after a crash a recently written file may contain garbage or old data from other files. Fastest, least safe.
What is an inode?
An inode is a data structure on a filesystem on Linux and other Unix-like operating systems that stores all the information about a file except its name and its actual data. A data structure is a way of storing data so that it can be used efficiently.
A Unix file is "stored" in two different parts of the disk - the data blocks and the inodes. (I won't get into superblocks and other esoteric information.) The data blocks contain the "contents" of the file. The information about the file is stored elsewhere - in the inode.
How to increase the size of LVM partition?
Use the `lvextend` command to resize the logical volume:
- extending the size by 500MB:
`lvextend -L +500M /dev/vgroup/lvolume`
- extending by all available free space:
`lvextend -l +100%FREE /dev/vgroup/lvolume`
and `resize2fs` or `xfs_growfs` to grow the filesystem inside it:
- for ext filesystems:
`resize2fs /dev/vgroup/lvolume`
- for xfs filesystems (takes the mount point, not the device):
`xfs_growfs mountpoint_for_/dev/vgroup/lvolume`
`lvextend -r` (`--resizefs`) does both steps in one command. Check the result with `lvs` and `df -h`.
Describe a process to create partition, lvm partition and filesystem.
- Create a partition (or skip this and give the whole disk to LVM):
`fdisk /dev/sdb`
- Create LVM (physical volume, volume group, logical volume):
`pvcreate /dev/sdb1`
`vgcreate vg0 /dev/sdb1`
`lvcreate --name datastore --size 50G vg0`
- Create a filesystem (`/dev/mapper/vg0-datastore` and `/dev/vg0/datastore` are the same device):
`mkfs -t xfs /dev/mapper/vg0-datastore`
Then mount it and add an `/etc/fstab` entry, preferably by UUID (`blkid`), with `nosuid,nodev` if the volume only holds data.
What is the advantage of executing the running processes in the background? How can you do that?
The most significant advantage of running a process in the background is that the shell is free for other work while it runs, so several long jobs can proceed at once. Append `&` to the command to start it in the background; `jobs`, `fg` and `bg` manage it afterwards. A background job still belongs to the shell's session and receives SIGHUP when the terminal closes, so use `nohup command &`, `setsid`, `disown`, or a terminal multiplexer such as `tmux` or `screen` for anything that must outlive the login.
What is a zombie/defunct process?
A zombie (defunct) process is one that has completed execution (via the `exit` system call) but still has an entry in the process table, because its parent has not yet collected its exit status with `wait`. It holds no memory or CPU, only the table slot; `ps` shows it in state `Z` with `<defunct>`.
What if `kill -9` does not work?
`kill -9` (SIGKILL) always works, provided you have the permission to kill the process: either the process belongs to your user (its real or saved user ID matches yours, which is not the case for a setuid program you started), or you are root. There is one exception: even root cannot send a fatal signal to PID 1 (the init process).
However `kill -9` is not guaranteed to work immediately. All signals, including SIGKILL, are delivered asynchronously: the kernel may take its time to deliver them. Usually this takes at most a few microseconds, just the time it takes for the target to get a time slice. If the target has blocked the signal, the signal is queued until the target unblocks it.
Normally, processes cannot block SIGKILL. But kernel code can, and processes execute kernel code when they call system calls.
A process blocked in a system call is in uninterruptible sleep. The `ps` or `top` command will (on most unices) show it in state `D`.
A classical case of long uninterruptible sleep is a process accessing files over NFS when the server is not responding. Modern implementations tend not to impose uninterruptible sleep forever: under Linux the historic `intr` mount option is ignored since kernel 2.6.25 because signals, SIGKILL in particular, can now interrupt most NFS waits, and a `soft` mount makes the operation fail after a timeout instead of hanging.
You may sometimes see entries marked `Z` (or `H` under Linux) in the `ps` or `top` output. These are technically not processes: they are zombie processes, nothing more than an entry in the process table, kept around so that the parent process can be notified of the death of its child. Sending them SIGKILL does nothing, since there is nothing left to kill. They go away when the parent process pays attention (calls `wait`) or dies, at which point init adopts and reaps them; to get rid of a zombie, deal with its parent.
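As an added example (not code from the original page), the following shell snippet creates a zombie on purpose and inspects it: a helper shell backgrounds a short-lived child, then replaces itself with `sleep`, which never calls `wait()`, so the exited child stays in the process table. The snippet then shows that SIGKILL has no effect on the zombie and that killing the parent is what makes it go away. It only needs `sh`, `sleep` and `ps`.

```shell
#!/usr/bin/env bash
# Added example: make a zombie, read its ps state, and remove it via its parent.

# Prints "<child-pid> <parent-pid>". The inner sh forks `sleep 0.2`, records the
# child's pid in the file passed as $0, then exec()s into `sleep 30`. sleep has
# no SIGCHLD handler and never waits, so once the child exits it is a zombie.
spawn_zombie() {
    pidfile=$(mktemp) || return 1
    sh -c 'sleep 0.2 & echo $! > "$0"; exec sleep 30' "$pidfile" &
    parent=$!
    sleep 0.8                   # by now the child has exited and the parent is sleep 30
    child=$(cat "$pidfile"); rm -f "$pidfile"
    echo "$child $parent"
}

# ps state letters for <pid> ("Z" for a zombie), or "gone" if no such process.
proc_state() {
    st=$(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ')
    printf '%s\n' "${st:-gone}"
}

# Prints "<state> <state after kill -9 on the zombie> <state after killing the parent>".
zombie_demo() {
    set -- $(spawn_zombie)      # $1 = child (zombie), $2 = parent
    before=$(proc_state "$1")
    kill -9 "$1" 2>/dev/null || true   # delivered, but there is nothing left to kill
    still=$(proc_state "$1")
    kill "$2" 2>/dev/null || true      # kill the parent: init adopts and reaps the zombie
    wait "$2" 2>/dev/null || true
    sleep 0.3
    echo "$before $still $(proc_state "$1")"
}

zombie_demo
```

The first two fields come back as `Z` (possibly `Z+` on a terminal); the third is `gone` on a normal system. In a container whose PID 1 does not reap orphans (a plain application used as the entrypoint), the third field stays `Z`, which is exactly why such containers accumulate zombies and why a minimal init such as `tini` or `--init` is used.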
What is the strace command in Linux?
`strace` is a command-line tool for debugging and troubleshooting programs on Linux. It attaches to a process (or starts one) with `ptrace` and records every system call the process makes, with arguments and return values, and every signal it receives, e.g. `strace -f -e trace=openat,connect -p PID`. On hardened systems attaching to an unrelated process may be refused by `kernel.yama.ptrace_scope`.
Which hashing algorithms are supported in the passwd/shadow file?
Password hashes live in `/etc/shadow` (the `/etc/passwd` password field only holds an `x`), and the scheme is identified by the `$id$` prefix of the hash as produced by `crypt(3)`: `$1$` MD5, `$2a$`/`$2b$`/`$2y$` bcrypt (Blowfish-based), `$5$` SHA-256, `$6$` SHA-512, and on systems with libxcrypt `$7$` scrypt and `$y$` yescrypt. A hash with no prefix is the traditional 13-character DES crypt. Which scheme new passwords get is set by `ENCRYPT_METHOD` in `/etc/login.defs` (or the `pam_unix` options); DES and MD5 should not be used any more, and an audit should look for them.
What is key-based authentication? Explain.
Key-based authentication is an alternative to password authentication. Instead of sending a secret that the server must store and compare, the client proves possession of a private key by signing a challenge, and the server checks the signature against the matching public key it holds (for SSH, in `~/.ssh/authorized_keys`). The private key never leaves the client, so nothing reusable crosses the wire and a compromised server learns nothing that lets it log in elsewhere; protect the private key with a passphrase or keep it on a hardware token.
Which utility is used to automate rotation of a log?
`logrotate` automates rotation of log files. It allows automatic rotation, compression, removal and mailing of log files, driven by `/etc/logrotate.conf` and the per-service snippets in `/etc/logrotate.d/`, and is usually run daily from cron or a systemd timer.
What is the use of ulimit in Unix-like systems?
Most UNIX-like operating systems, including Linux and BSD, provide ways to limit and control the usage of system resources such as processes and threads, open files, memory and core-file size on a per-process and per-user basis (the `setrlimit` resource limits). `ulimit` is the shell built-in that reads and sets them for the current shell and everything it starts. These limits keep a single user or a runaway process from exhausting the system, e.g. `ulimit -u` against a fork bomb.
What are soft limits and hard limits?
The hard limit is the ceiling: a process can lower it, but only root (CAP_SYS_RESOURCE) can raise it. The soft limit is the value actually enforced; a user can move it freely between zero and the hard limit in times of needing more resources, but cannot set it higher than the hard limit. Per-user defaults are set in `/etc/security/limits.conf` (and `/etc/security/limits.d/`) and applied at login by `pam_limits`; systemd services ignore that file and take `LimitNOFILE=` and friends from their unit instead.
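The following is an added example (not from the original page) that exercises the soft/hard rules on the open-files limit (`ulimit -n`). Each probe runs in a subshell so the caller's own limits are untouched. The numbers 64 and 128 are arbitrary values chosen for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: soft vs hard resource limits, probed in subshells.

# Lower the soft limit, then raise it back up to the hard limit (both allowed).
# Prints "<soft while lowered> <soft after restoring>".
lower_soft_limit() {
    (
        hard=$(ulimit -Hn)
        ulimit -Sn 64 || exit 1
        lowered=$(ulimit -Sn)
        ulimit -Sn "$hard" || exit 1        # up to, but not beyond, the hard limit
        echo "$lowered $(ulimit -Sn)"
    )
}

# Try to push the soft limit one past the hard limit. Prints "denied" for an
# unprivileged process; root (CAP_SYS_RESOURCE) is allowed to do this.
raise_above_hard() {
    (
        hard=$(ulimit -Hn)
        if ulimit -Sn $(( hard + 1 )) 2>/dev/null; then echo allowed; else echo denied; fi
    )
}

# Lowering the hard limit is a one-way door for an unprivileged process:
# after "ulimit -n 128" (sets soft and hard) the hard limit cannot go back up.
lower_hard_limit_is_one_way() {
    (
        ulimit -n 128 || exit 1
        if ulimit -Hn 256 2>/dev/null; then echo raised; else echo "stuck_at_$(ulimit -Hn)"; fi
    )
}

echo "soft lowered/restored: $(lower_soft_limit)"
echo "soft above hard:       $(raise_above_hard)"
echo "hard after lowering:   $(lower_hard_limit_is_one_way)"
```

This is why a hardening wrapper drops the hard limit before `exec`ing the real program: the child, and anything it spawns, can never get it back. Note that a process that is already running keeps the limits it started with; editing `limits.conf` only affects new logins.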
What is the difference between Cron and Anacron?
- one of the main differences between cron and anacron is that cron assumes the system runs continuously (24x7): a job whose time passes while the machine is off is simply skipped. Anacron is designed for systems that are not running continuously (laptops, desktops): it records when each job last ran and catches up on missed jobs after boot.
- cron jobs can run as often as every minute, whereas anacron jobs have a granularity of days (daily, weekly, monthly).
- any normal user can schedule cron jobs with `crontab -e`, but anacron jobs (`/etc/anacrontab`) can be scheduled only by the superuser.
- cron should be used when a job must run at a specific time; anacron when it only matters that the job runs roughly once per period, whenever the machine happens to be up.
Create a file with 100 lines with random values.
For example (32 alphanumeric characters per line):
`LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 100 > /path/to/file`
`LC_ALL=C` keeps `tr` working on raw bytes in a UTF-8 locale, and reading `/dev/urandom` directly avoids the needless `cat`.
How to run a script as another user without a password?
For example, add a rule with `visudo`:
`user1 ALL=(user2) NOPASSWD: /opt/scripts/bin/generate.sh`
The command path must be absolute. Then call `sudo -u user2 /opt/scripts/bin/generate.sh` from a user1 shell.
Make sure `/opt/scripts/bin/generate.sh` and its directory are writable only by root (or user2), never by user1: whoever can edit that file can run arbitrary commands as user2 without a password. The same goes for anything the script sources or executes by relative path, so set `PATH` explicitly inside it.
How to check if running as root in a bash script?
In a bash script, you have several ways to check if the running user is root.
As a warning, do not check if a user is root by using the root username. Nothing guarantees that the user with ID 0 is called root. It's a very strong convention that is broadly followed, but anybody could rename the superuser to another name.
I think the best way when using bash is to use `$EUID`, because `$UID` could be changed and not reflect the real user running the script (in a plain POSIX `sh` script use `[ "$(id -u)" -eq 0 ]` instead).
if (( $EUID != 0 )); then
echo "Please run as root" >&2
exit 1
fi
Is there a way to redirect output to a file and have it display on stdout?
The command you want is named `tee`:
`foo | tee output.file`
For example, if you only care about stdout:
`ls -a | tee output.file`
If you want to include stderr, do:
`program [arguments...] 2>&1 | tee outfile`
`2>&1` redirects channel 2 (stderr) into channel 1 (stdout), so that both streams go through the pipe to `tee`, which writes them to the terminal and to the given output file.
Furthermore, if you want to append to the log file instead of overwriting it, use `tee -a`:
`program [arguments...] 2>&1 | tee -a outfile`
Note that the pipeline's exit status is that of `tee`, not of `program`; in bash use `set -o pipefail` if the script must notice that `program` failed.
What is the preferred Bash shebang?
You should use `#!/usr/bin/env bash` for portability: different *nixes put bash in different places, and `/usr/bin/env` runs the first `bash` found on the `PATH`. The flip side is that the interpreter then depends on the caller's `PATH`; for scripts run from cron, from sudo rules, or anywhere an attacker might influence the environment, a fixed absolute path such as `#!/bin/bash` is the safer choice.
What is a root certificate and an intermediate certificate?
A "root" authority is a certificate issuer that relying parties choose to trust explicitly (it is shipped in the OS or browser trust store). Its certificate is self-signed and its key is very highly protected, usually kept offline. An intermediate authority is a certificate issuer whose own certificate has been issued by a root or by another higher-level intermediate; it does the day-to-day signing so the root key is rarely used.
Should the root certificate go on the server?
No. The server should send its own (leaf) certificate followed by the intermediate certificate(s) needed to chain up to a root. The self-signed root itself serves no purpose (clients ignore it because they already have their own copy, or do not trust it at all) and only makes the TLS handshake larger and slower. What does break things is a missing intermediate: many clients then fail with an "unknown issuer" error, and the site only appears to work from browsers that happened to cache that intermediate earlier.
If the client does not have the root in its trust store, it will not trust the web site, and there is no way to work around that from the server side. Having the web server send the root certificate will not help: the root has to come from a trusted third party (in most cases the browser or OS vendor).
How to reload PostgreSQL after configuration changes?
Solution 1:
`systemctl reload postgresql`
Solution 2 (as the postgres user; `pg_ctl` needs the data directory via `-D` or `PGDATA`):
`su - postgres -c "/usr/bin/pg_ctl reload -D /path/to/data"`
Solution 3 (from an SQL session as a superuser):
`SELECT pg_reload_conf();`
A reload re-reads `postgresql.conf` and `pg_hba.conf`, so access-control changes take effect immediately. Parameters that require a restart (e.g. `listen_addresses`) are not applied by a reload; `SELECT name FROM pg_settings WHERE pending_restart;` lists them.
How to restore a config file in Debian GNU/Linux?
Reinstalling the package with `--force-confmiss` recreates any missing configuration files, e.g. `/etc/mysql/my.cnf` in your case:
`dpkg -i --force-confmiss mysql-common.deb`
or through apt: `apt-get install --reinstall -o Dpkg::Options::="--force-confmiss" mysql-common`. Review the recreated file before restarting the service: it is the package default, not your previously tuned copy.
How to reload the shell without exiting?
The best way is `exec $SHELL -l`, which replaces the current shell process with a fresh login shell (re-reading the profile files) while keeping the same terminal and PID.
How to exit without saving shell history?
Either kill the shell before it gets a chance to write the file: `kill -9 $$`
or, more cleanly, tell it there is no history file and exit normally: `unset HISTFILE && exit`
Both only affect the lines of the current session that have not been written yet; anything already in `~/.bash_history` stays there.
How do I find all files containing a specific string?
For example, a fixed string (no regex) recursively from the current directory:
`grep -rF "string" .`
or with a regular expression:
`grep -insr "pattern" .`
- `-i` ignore case distinctions in both the pattern and the input files
- `-n` prefix each line of output with the 1-based line number within its input file
- `-s` suppress error messages about nonexistent or unreadable files
- `-r` read all files under each directory, recursively
- `-F` (what the deprecated `fgrep` did) treat the pattern as a fixed string
Add `-l` to print only the file names.
How to find out the dynamic libraries an executable loads when run?
You can do this with the `ldd` command:
`ldd /bin/ls`
Be aware that `ldd` works by running the program's dynamic loader with tracing enabled, so it can end up executing code from the binary; never run it on an untrusted file. `objdump -p /path/to/binary | grep NEEDED` or `readelf -d` list the declared dependencies without executing anything.
Configure a virtual interface on your workstation. *
To be completed.
Load balancing can dramatically impact server performance. Discuss several load balancing mechanisms. *
To be completed.
Server A can't talk to Server B. Describe possible reasons in a few steps.
To troubleshoot communication problems between servers, it is best to follow the TCP/IP stack layer by layer:
- Application layer: are the services up and running on both servers? Are they correctly configured (e.g. bound to the correct IP and port; check `ss -tlnp`)? Do application and system logs show meaningful errors? Does name resolution return the address you expect?
- Transport layer: is the port reachable from A (`nc -vz B port`, or `telnet B port`)? A connection that is refused means the host answered but nothing listens; one that times out usually means a firewall is dropping it.
- Network layer: is there a firewall on the network or on the OS (`iptables -L -n`, `nft list ruleset`) blocking the traffic? Is the IP stack correctly configured (addresses, routes, DNS)? Does `ping` work, and does `traceroute` or `mtr` show where packets stop? Are switches and routers working (check the ARP table!)?
- Physical layer: are the servers connected to a network (link up in `ip link`)? Are packets being lost (interface error counters)?
List examples of network troubleshooting tools that can degrade during DNS issues. *
To be completed.
Why won’t the hostnames resolve on your server? Resolve this problem. *
To be completed.
What is handshake mechanism and why do we need 3 way handshake?
Handshaking begins when one device sends a message to another device indicating that it wants to establish a communications channel. The two devices then send several messages back and forth that enable them to agree on a communications protocol.
A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (SYN, SYN-ACK, ACK) packets before actual data communication begins.
Why is UDP faster than TCP?
UDP is faster than TCP because it does less: there is no three-way handshake before data flows, no acknowledgement packets, no retransmission of lost datagrams, no in-order delivery and no flow or congestion control, so the sender can push a continuous stream of datagrams. TCP acknowledges data and limits how much can be in flight, calculated from the window size and the round-trip time (RTT), which costs latency and throughput in exchange for reliability.
What is NAT? What is it used for?
It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into routable addresses before packets are forwarded to another network.
Workstations or other computers requiring special access from outside the network can be assigned specific external IPs or ports using NAT, allowing them to communicate with computers and applications that require a unique public IP address. NAT is often described as a security feature because it hides internal addresses and, in its usual stateful form, drops unsolicited inbound packets, but it is not a firewall: filtering policy still has to be written explicitly, and NAT does nothing about outbound connections, IPv6, or traffic you have port-forwarded.
What's the purpose of Spanning Tree?
This protocol operates at layer 2 of the OSI model with the purpose of preventing loops on the network. Without STP, a redundant switch deployment would create broadcast storms that cripple even the most robust networks. There are several iterations based on the original IEEE 802.1D standard; each operates slightly different than the others while largely accomplishing the same loop-free goal.
How to check which ports are listening on my Linux server?
Use one of:
- `ss -tulpn` (listening TCP and UDP sockets with the owning process)
- `lsof -i -P -n`
- `netstat -atn` for TCP, `netstat -aun` for UDP, or `netstat -tulpn` for both with process names (`netstat` is deprecated in favour of `ss` on current Linux)
Anything listening on `0.0.0.0` or `::` is reachable from every interface; services that only need local access should bind to `127.0.0.1`.
How to get the fingerprint of an SSH key?
`ssh-keygen -lf ~/.ssh/id_rsa.pub` (works on the private key file too). Add `-E md5` to get the legacy colon-separated MD5 form that older tools still display. Compare the result with what the server shows on first connection before accepting a host key.
How to send an HTTP request using Telnet?
For example (plain HTTP only; for HTTPS use `openssl s_client -connect example.com:443` and type the same request):
telnet example.com 80
Trying 192.168.252.10...
Connected to example.com.
Escape character is '^]'.
GET /questions HTTP/1.0
Host: example.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
...
How to allow traffic to/from a specific IP with iptables?
For example:
`/sbin/iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT`
`/sbin/iptables -A OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT`
`-A` appends to the end of the chain, so an earlier `DROP` or `REJECT` rule still wins; use `-I INPUT 1 ...` to insert at the top. Rules set this way are lost at reboot unless saved (`iptables-save`, `netfilter-persistent`, or the distribution's equivalent).
How to block abusive IP addresses with `pf` in OpenBSD?
The best way to do this is to define a table and create a rule to block the hosts, in `pf.conf`:
table <badhosts> persist
block on fxp0 from <badhosts> to any
Then load the ruleset (`pfctl -f /etc/pf.conf`) and dynamically add/delete IP addresses from the table without touching the rules again:
`pfctl -t badhosts -T add 1.2.3.4`
`pfctl -t badhosts -T delete 1.2.3.4`
`pfctl -t badhosts -T show` lists the current contents; `persist` keeps the table alive even when it is empty.
How to disable cache for a specific domain in Varnish?
For example (the request's Host header is `req.http.host`, and the dots in the regex are escaped so they do not match any character):
sub vcl_recv {
# dont cache foo.com or bar.com - optional www
if (req.http.host ~ "^(www\.)?(foo|bar)\.com$") {
return(pass);
}
# cache foobar.com - optional www
if (req.http.host ~ "^(www\.)?foobar\.com$") {
return(hash);
}
}
Anchoring with `^` and `$` keeps names such as `notfoo.com` or `foo.com.example.net` from matching the rule.
Analyse web server log and show only 5xx HTTP codes.
`tail -n 100 -f /path/to/logfile | grep -E '" 5[0-9]{2} '`
The pattern anchors on the status field that follows the quoted request line, so a URL that merely contains `500` does not match; the original `grep "HTTP/[1-2].[0-1]\" [5]"` works too but misses `HTTP/3` requests. `awk '$9 ~ /^5/'` is the equivalent for the common log format, where the status is the ninth whitespace-separated field.
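As an added example (not part of the original page), the snippet below goes a step further than the one-liner: it extracts the status and request path from combined-format access-log lines and reports the 5xx responses grouped by status and path, which is what you want when deciding whether a burst of errors is one broken endpoint or the whole backend. The five log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: 5xx responses in an access log, by status code and path.

# Constructed sample in Apache/nginx combined format (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.88"
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 502 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "POST /api/login HTTP/1.1" 502 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /report?id=5 HTTP/2.0" 503 0 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /500-page HTTP/1.1" 200 1500 "-" "curl/7.88"
EOF

# Print the raw 5xx lines from <logfile>. Only the status field right after the
# closing quote of the request is inspected, so "/500-page" is not a hit.
server_errors() {
    awk '$0 ~ /" 5[0-9][0-9] / { print }' "$1"
}

# Print "count status path" for every 5xx, most frequent first. Splitting on
# the double quote gives $2 = request line and $3 = " status bytes ".
server_error_summary() {
    awk -F'"' '{
        split($2, r, " ")                   # r[2] = path
        split($3, s, " ")                   # s[1] = status code
        if (s[1] ~ /^5[0-9][0-9]$/) c[s[1] " " r[2]]++
    }
    END { for (k in c) print c[k], k }' "$1" | sort -rn
}

echo "--- 5xx lines"
server_errors "$SAMPLE_LOG"
echo "--- by status and path"
server_error_summary "$SAMPLE_LOG"
```

For a live view replace the file argument with process substitution or pipe `tail -f` into the same awk; on a busy site add a time-bucket (the `$4` field) to the key to see whether the errors are a spike or a constant background rate.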
A developer uses a private key on the server to deploy an app through ssh. Why is this incorrect behaviour and what is the better (but not ideal) solution in such situations?
You have the private key for your personal account. The server needs only your public key, so that it can verify that whoever connects holds the matching private key.
The whole point of private keys is that they are private, meaning only you have your private key. If someone takes over your private key (by reading it off the deployment server, for instance), they can impersonate you any time they want, against every host that trusts that key.
A better solution is SSH agent forwarding. In essence, you create a `~/.ssh/config` file if it doesn't exist, then add the host (either domain name or IP address) with `ForwardAgent yes`. Example:
Host git.example.com
User john
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa.git.example.com
ForwardAgent yes
Your remote server must allow SSH agent forwarding on inbound connections (`AllowAgentForwarding yes` in `sshd_config`, which is the default) and your local `ssh-agent` must be running with the key loaded.
Forwarding an ssh agent carries its own security risk. Anyone with root on the remote machine (or running as your user there) can talk to the forwarded agent socket and use your keys. However, this is better than storing keys on remote machines: the attacker can only use the agent connection, not the key itself, and only while you're logged in. If you store the key on the remote machine, they can make a copy of it and use it whenever they want.
Two mitigations: add keys with `ssh-add -c` so the agent asks for confirmation on every signature, and forward the agent only to hosts you trust. The ideal solution is not to forward at all: give the deployment job its own deploy key (or a short-lived certificate) with the minimum rights it needs, or use `ProxyJump` so that authentication always terminates on your workstation.
If you use ssh keys, remember to set a passphrase, which is strongly recommended to reduce the risk of keys accidentally leaking.
Useful resources:
What is the difference between CORS and CSPs?
CORS (Cross-Origin Resource Sharing) allows the Same Origin Policy to be relaxed for a domain.
E.g. normally, if the user logs into both example.com and example.org, the Same Origin Policy prevents JavaScript on example.com from making an AJAX request to example.org/current_user/full_user_details and reading the response.
This is the default policy of the web and prevents the user's data from being leaked when logged into multiple sites at the same time.
With CORS, example.org can set a policy (the response header `Access-Control-Allow-Origin: https://example.com`) saying it allows the origin https://example.com to read responses made by AJAX. This would be done if both example.com and example.org are run by the same company and data sharing between the origins is to be allowed in the user's browser. It is enforced by the browser only: the request still reaches the server, and a non-browser client ignores CORS entirely, so it is not an access control on the server side. The classic misconfiguration is reflecting any `Origin` back together with `Access-Control-Allow-Credentials: true`, which hands every site the user's authenticated data.
CSPs (Content Security Policies) on the other hand set a policy for what content may run on the current site: for example whether JavaScript can be executed inline, or which domains `.js` files can be loaded from (`Content-Security-Policy: script-src 'self' https://cdn.example.com`). This acts as another line of defence against XSS attacks, where the attacker tries to inject script into the HTML page. Normally output would be encoded, but say the developer had forgotten on only one output field; because the policy prevents inline script from executing, the attack is thwarted.
Explain four types of responses from a firewall when scanning with Nmap.
Nmap reports a port in one of these states (plus the combined `open|filtered` and `closed|filtered` when it cannot tell two apart):
- Open: an application accepted the connection (a SYN probe got a SYN/ACK back). Behind a firewall usually only a few ports are open.
- Closed: the host answered, but nothing is listening (a RST came back). The port is reachable, so the firewall is not blocking it.
- Filtered: no answer or an ICMP unreachable came back, so Nmap cannot tell whether the port is open; a firewall is dropping the probes.
- Unfiltered: the port is reachable (an ACK scan got a RST), but Nmap cannot tell whether it is open or closed; a SYN scan of those ports resolves it.
Which are the top DevOps tools? Which tools have you worked on?
The most popular DevOps tools are mentioned below:
- Git : Version Control System tool
- Jenkins : Continuous Integration tool
- Selenium : Continuous Testing tool
- Puppet, Chef, Ansible : Configuration Management and Deployment tools
- Nagios : Continuous Monitoring tool
- Docker : Containerization tool
How do all these tools work together?
A typical flow looks like this:
- Developers write the code, and the source is managed by a version control system such as Git.
- Developers push their changes to the Git repository, where every change is committed and reviewed.
- Jenkins pulls the code from the repository using the Git plugin and builds it using tools like Ant or Maven.
- Configuration management tools like Puppet deploy and provision the test environment, and Jenkins releases the build there, where it is tested with tools like Selenium.
- Once the code is tested, Jenkins sends it for deployment to the production servers (which are also provisioned and maintained by tools like Puppet).
- After deployment it is continuously monitored by tools like Nagios.
- Docker containers provide reproducible test environments for the build.
What are playbooks in Ansible?
Playbooks are Ansible’s configuration, deployment, and orchestration language.
They can describe a policy you want your remote systems to enforce, or a set of steps in a general IT process. Playbooks are designed to be human-readable and are developed in a basic text language.
At a basic level, playbooks can be used to manage configurations of and deployments to remote machines.
What is NRPE (Nagios Remote Plugin Executor) in Nagios?
The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines.
Since these private resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Linux/Unix machines. Because it executes commands on every monitored host, restrict it to the monitoring server with `allowed_hosts` (or a firewall rule on port 5666) and leave `dont_blame_nrpe=0` so remote command arguments are refused.
What is the difference between Active and Passive check in Nagios?
The major difference between Active and Passive checks is that Active checks are initiated and performed by Nagios, while passive checks are performed by external applications.
Passive checks are useful for monitoring services that are:
- asynchronous in nature and cannot be monitored effectively by polling their status on a regularly scheduled basis.
- located behind a firewall and cannot be checked actively from the monitoring host.
The main features of Actives checks are as follows:
- active checks are initiated by the Nagios process.
- active checks are run on a regularly scheduled basis.
How to `git clone` including submodules?
For example:
# With -j8 - fetch submodules in parallel
git clone --recurse-submodules -j8 https://github.com/foo/bar.git
# For already cloned repos or older Git versions
git clone https://github.com/foo/bar.git
cd bar
git submodule update --init --recursive
Prefer `https://` or `ssh://` URLs: the `git://` protocol is unauthenticated and unencrypted, so anyone on the path can serve you modified code.
What is XSS, how will you mitigate it?
Cross-Site Scripting is a vulnerability in web applications where attacker-controlled input is reflected or stored and then rendered into a page without proper encoding, so the browser executes it as script in the context of the site and the victim's session (stealing cookies or tokens, performing actions as the user). Reflected, stored and DOM-based XSS differ in where the untrusted data comes from and where it is inserted.
Countermeasures: contextual output encoding (HTML, attribute, JavaScript, URL) of everything untrusted at the point it is inserted, templating engines that escape by default, input validation as a secondary control, a Content Security Policy that disallows inline script, and `HttpOnly` cookies to limit what a successful injection can steal.
HIDS vs NIDS and which one is better and why?
HIDS is a host intrusion detection system and NIDS is a network intrusion detection system. Both look for the same kinds of attacks; the difference is placement and visibility. HIDS is installed on each host and sees local events: file integrity, logs, process activity, and traffic after it has been decrypted on the host. NIDS sits on the network and sees everything crossing a segment, but is blind inside encrypted sessions and to what happens on the host. For an enterprise, NIDS is often preferred as the first step because one sensor covers many hosts, whereas HIDS must be deployed and managed on every host and consumes its CPU; in practice mature programmes run both, because they catch different things.
What is compliance?
Abiding by a set of standards set by a government/Independent party/organisation. E.g. An industry which stores, processes or transmits Payment related information needs to be complied with PCI DSS (Payment card Industry Data Security Standard). Other compliance examples can be an organisation complying with its own policies.
What is a WAF and what are its types?
WAF stands for web application firewall. It inspects HTTP(S) traffic at layer 7 and filters malicious requests (SQL injection, XSS and path traversal patterns, bad bots) before they reach the application. It can be deployed as a dedicated appliance, as a module on the web server itself (e.g. ModSecurity), or as a cloud/CDN-based service in front of the site. A WAF is a compensating control, not a replacement for fixing the application.
Explain the current architecture you’re responsible for and point out where it’s scalable or fault-tolerant. *
To be completed.
Tell me how code gets deployed in your current production. *
To be completed.
What are the different types of Kernels? Explain.
- Microkernel: This type of kernel only manages CPU, memory, and IPC. This kind of kernel provides portability, small memory footprint and also security.
- Monolithic Kernel: Linux is a monolithic kernel. So, this type of kernel provides file management, system server calls, also manages CPU, IPC as well as device drivers. It provides easier access to the process to communicate and as there is not any queue for processor time, so processes react faster.
- Hybrid Kernel: In this type of kernels, programmers can select what they want to run in user mode and what in supervisor mode. So, this kernel provides more flexibility than any other kernel but it can have some latency problems.
What is LD_LIBRARY_PATH?
The environment variable `LD_LIBRARY_PATH` is a colon-separated list of directories where the dynamic linker searches for shared libraries first, before the standard set of directories; this is useful when debugging a new library or using a non-standard library for special purposes. Because it lets a caller substitute any library a program loads, the loader ignores it (and the other `LD_*` variables) for set-user-ID and set-group-ID executables, and `sudo` strips it from the environment by default.
How are shadow passwords enabled in Linux?
The `pwconv` command enables shadow passwords, which improve system security: it creates `/etc/shadow`, moves the password hashes there, and replaces each password field in `/etc/passwd` with an `x`. `/etc/passwd` has to be world-readable (every program that maps UIDs to names needs it), whereas `/etc/shadow` is readable only by root, so the hashes are no longer exposed to offline cracking by every local user. `pwunconv` reverses the change.
Explain all the fields in the `/etc/passwd` file.
Each line holds one account with seven colon-separated fields, e.g. `smith:x:1001:1001:John Smith:/home/smith:/bin/bash`:
- Username: the login name, 1 to 32 characters.
- Password: historically the password hash; nowadays an `x`, meaning the hash is stored in `/etc/shadow`. An empty field means no password is required, which is a finding in any audit.
- User ID (UID): the numeric ID given to every user. UID 0 is the superuser regardless of the name; any second account with UID 0 is root under another name.
- Group ID (GID): the numeric ID of the user's primary group; the group's name and members are stored in `/etc/group`.
- User ID info (GECOS): a comment field for the full name, contact number, etc.
- Home directory: the directory the user lands in after login, e.g. `/home/smith`.
- Command/shell: the program started at login, e.g. `/bin/bash`; `/usr/sbin/nologin` or `/bin/false` disables interactive login.
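The following shell snippet is an added example (not code from the original page) that turns the field descriptions above, and the list of hash schemes from the `passwd`/`shadow` question earlier, into the checks an auditor runs: extra UID-0 accounts, accounts whose password is still in `passwd` itself, empty password fields, and weak hash types. The `passwd` and `shadow` lines are constructed samples, including a deliberately suspicious `toor` account; point the functions at the real files to audit a host.

```shell
#!/usr/bin/env bash
# Added example: audit checks over passwd/shadow-style data.

# Constructed sample data (not from a real system).
PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abc$hash:1001:1001::/home/legacy:/bin/sh
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$hashhash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
toor:$1$saltsalt$hashhash:19500:0:99999:7:::
alice:$y$j9T$saltsalt$hashhash:19500:0:99999:7:::
legacy::19500:0:99999:7:::
EOF

# Every login with UID 0 other than "root" (field 3 is the UID).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwd entries whose password field is not the "x" (or "*") placeholder:
# a hash in world-readable passwd, or an empty field meaning no password.
passwd_with_hash() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Name the crypt(3) scheme from the $id$ prefix of one hash string.
hash_algo() {
    case $1 in
        '')       echo empty ;;        # no password: login may be allowed with none
        '*'|'!'*) echo locked ;;
        '$1$'*)   echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        '$7$'*)   echo scrypt ;;
        '$y$'*)   echo yescrypt ;;
        '$'*)     echo unknown ;;
        *)        echo des ;;          # 13-character traditional DES, no prefix
    esac
}

# "user algo" for every shadow line.
shadow_report() {
    while IFS=: read -r user hash _; do
        echo "$user $(hash_algo "$hash")"
    done < "$1"
}

# Users whose hash is empty, DES or MD5: the ones to force a password change on.
weak_hashes() {
    shadow_report "$1" | awk '$2 == "empty" || $2 == "des" || $2 == "md5" { print $1 }'
}

echo "extra UID 0 accounts:   $(uid0_accounts "$PASSWD_SAMPLE" | tr '\n' ' ')"
echo "hash/empty in passwd:   $(passwd_with_hash "$PASSWD_SAMPLE" | tr '\n' ' ')"
echo "weak or empty hashes:   $(weak_hashes "$SHADOW_SAMPLE" | tr '\n' ' ')"
shadow_report "$SHADOW_SAMPLE"
```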
What principles to follow for successful system performance tuning? *
To be completed.
Describe start-up configuration files and directory in BSD systems.
In BSD the primary start-up configuration file is `/etc/defaults/rc.conf`, which holds the defaults; the system start-up script `/etc/rc` and the per-service scripts in `/etc/rc.d/` source it.
Do not edit it. If you want to add other programs to system start-up, put your overrides (e.g. `sshd_enable="YES"`) in `/etc/rc.conf`, which is read afterwards and takes precedence over `/etc/defaults/rc.conf`; on FreeBSD `sysrc sshd_enable=YES` writes that line for you.
What does sar provide and where are its logs stored?
`sar` collects, reports and saves system activity information. The default form of the `sar` command (the CPU utilization report) is often one of the first facilities run to begin a system activity investigation, because it covers the major system resources. If CPU utilization is near 100 percent (user + nice + system), the workload sampled is CPU-bound.
By default the log files are stored at `/var/log/sa/sadd` (`/var/log/sysstat/sadd` on Debian and Ubuntu), where dd is the day of the month; `sar -f /var/log/sa/sa15` reads a particular day.
How to scan newly assigned LUNs on a Linux box without rebooting?
Run `echo "- - -" > /sys/class/scsi_host/hostX/scan` for each host adapter (the three dashes are wildcards for channel, target and LUN), or use `rescan-scsi-bus.sh` from the sg3_utils package. Then check with `lsblk` or `dmesg` that the new devices appeared.
Explain the system calls used for process management.
There are several system calls used in Linux for process management:
- `fork()`: creates a new process by duplicating the calling one.
- `exec()` (`execve` and its wrappers): replaces the current process image with a new program.
- `wait()` / `waitpid()`: makes the parent wait for a child to change state and collects its exit status (reaping it, so it does not stay a zombie).
- `exit()`: terminates the calling process.
- `getpid()`: returns the unique process ID of the caller.
- `getppid()`: returns the parent's process ID.
- `nice()`: changes the scheduling priority (niceness) of the calling process.
Can’t mount the root file system. Why? *
To be completed.
What is the purpose of a process’s effective UID? *
To be completed.
Explain interrupts and interrupt handlers in Linux.
An interrupt is a signal from hardware (or a software exception) that makes the processor suspend the code it is running and jump to a kernel routine that handles the event; when that routine completes, execution returns to the interrupted task.
An interrupt handler, also called an Interrupt Service Routine (ISR), is the function the kernel registers (with `request_irq()`) for a specific interrupt line. It has to match a fixed prototype so the kernel can pass it the IRQ number and the device data, it must be short and must not sleep; longer work is deferred to a "bottom half" (softirqs, tasklets, work queues or threaded handlers).
How could you modify a text file without invoking a text editor?
For example:
`cat > filename` - overwrite the file with whatever is typed until Ctrl-D
`cat >> filename` - append to the file
Or with a here-document (quoting the delimiter stops the shell from expanding `$variables` and backticks in the body):
cat > filename <<'__EOF__'
data data data
__EOF__
`sed -i 's/old/new/' filename` edits in place, and `printf '%s\n' "line" >> filename` appends a single line.
What fields are stored in an inode?
Within a POSIX system, a file has the following attributes which may be retrieved by the stat system call:
- Device ID (this identifies the device containing the file; that is, the scope of uniqueness of the file serial number) and the file serial number (the inode number)
- The file mode which determines the file type and how the file's owner, its group, and others can access the file
- A link count telling how many hard links point to the inode
- The User ID of the file's owner
- The Group ID of the file
- The device ID of the file if it is a device file.
- The size of the file in bytes
- Timestamps telling when the inode itself was last modified (ctime, inode change time), the file content last modified (mtime, modification time), and last accessed (atime, access time)
- The preferred I/O block size
- The number of blocks allocated to this file
What is Pluggable Authentication Modules (PAM)? Explain.
It provides a layer between applications and the actual authentication mechanism. It is a library of loadable modules which are called by the application for authentication, and it also lets the administrator control when and how a user can log in. Applications such as login, sshd, sudo and su are configured per service in the directory `/etc/pam.d/` or in the single file `/etc/pam.conf`, where stacks of `auth`, `account`, `password` and `session` modules are listed with control flags (`required`, `requisite`, `sufficient`, `optional`). A mistake here can lock everyone out or let everyone in, so test changes from a second session before logging out.
How do you run a command every time a file is modified?
For example, with `inotifywait` from inotify-tools:
while inotifywait -e close_write filename ; do
echo "changed" >> /var/log/changed
done
`close_write` fires once when a writer closes the file, which avoids running on every partial write. Editors that save via a temporary file and `rename()` replace the inode, so a watch on `filename` itself stops firing after the first save; watch the directory with `-e close_write,moved_to` and filter on the file name in that case.
What is the Superblock?
A superblock is a record of the characteristics of a filesystem, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups.
What is the use of SUID?
An `s` in the owner's execute position (e.g. `-rwsr-xr-x`) means the set-user-ID (SUID) bit is set; the same bit in the group position is SGID. The kernel runs an executable with the SUID bit set under the effective user ID (that is, the privileges) of the file's owner, not of the user who launched it; this is how `passwd` can write to `/etc/shadow`. Every SUID-root binary is a privilege boundary, so keep the list short and audited (`find / -perm -4000 -type f 2>/dev/null`) and mount untrusted filesystems with `nosuid`.
What does a kill
command do?
In Unix and Unix-like operating systems, kill is a command used to send a signal to a process. By default, the message sent is the termination signal, which requests that the process exit. But kill is something of a misnomer; the signal sent may have nothing to do with process killing.
Describe exceptions for which the use of SIGKILL is insufficient.
- Zombie processes cannot be killed since they are already dead and waiting for their parent processes to reap them.
- Processes that are in the blocked state will not die until they wake up again.
- The init process is special: It does not get signals that it does not want to handle, and thus it can ignore SIGKILL. An exception from this exception is while init is ptraced on Linux.
- An uninterruptibly sleeping process may not terminate (and free its resources) even when sent SIGKILL. This is one of the few cases in which a UNIX system may have to be rebooted to solve a temporary software problem.
Present and explain the correct process path using the `kill` command.
Speaking of killing processes, never use `kill -9`/SIGKILL unless absolutely necessary. This kill is brute force: the process gets no chance to run its cleanup code, so locks, temporary files and unflushed buffers can be left behind.
Always try to use the following simple procedure:
- first, send the SIGTERM (`kill -15`) signal, which tells the process to shut down and is generally accepted as the signal to use when shutting down cleanly (but remember that this signal can be caught and ignored)
- next, try sending the SIGHUP (`kill -1`) signal, which is commonly used to tell a process to shut down and restart; this signal can also be caught and ignored by a process
The vast majority of the time, this is all you need, and it is much cleaner.
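As an added example (not code from the original page), the procedure above turned into a reusable shell function: SIGTERM first, a polling grace period, and SIGKILL only when the process has not gone away. SIGHUP is left out because many daemons treat it as "reload configuration" rather than "exit". The function name, its return codes and the constructed target processes in the usage comment are this example's own choices; the `/proc/PID/stat` check is Linux-specific and is skipped where `/proc` is absent.

```shell
# is_alive PID: true while the process exists and is not a zombie.
is_alive() {
  kill -0 "$1" 2>/dev/null || return 1
  # kill -0 also succeeds for a zombie, so on Linux read the state letter
  # (third field of /proc/PID/stat; Z = zombie, D = uninterruptible sleep).
  if [ -r "/proc/$1/stat" ]; then
    state=$(sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
    [ "$state" != "Z" ] || return 1
  fi
  return 0
}

# graceful_kill PID [GRACE_SECONDS]  (grace defaults to 5)
# returns 0 - exited after SIGTERM
#         1 - ignored/outlived SIGTERM, removed with SIGKILL
#         2 - no such process
#         3 - still present after SIGKILL (zombie, D state, not ours)
graceful_kill() {
  pid=$1
  grace=${2:-5}
  is_alive "$pid" || return 2

  # Step 1: SIGTERM. A well-behaved daemon runs its shutdown handler
  # (flush buffers, remove pid/lock files) and exits on its own.
  kill -TERM "$pid" 2>/dev/null || true
  i=0
  while [ "$i" -lt "$grace" ]; do
    is_alive "$pid" || return 0
    sleep 1
    i=$((i + 1))
  done

  # Step 2: the process caught or ignored SIGTERM, or is still shutting
  # down. SIGKILL cannot be caught, so none of its cleanup code will run.
  kill -KILL "$pid" 2>/dev/null || true
  sleep 1
  if is_alive "$pid"; then
    return 3
  fi
  return 1
}

# Usage (constructed targets):
#   sleep 60 & graceful_kill $! 3          -> returns 0 (sleep honours SIGTERM)
#   sh -c 'trap "" TERM; while :; do sleep 1; done' & graceful_kill $! 2
#                                          -> returns 1 (SIGTERM ignored, SIGKILL needed)
```

Run it against a pid you own; for system daemons prefer the service manager's stop command, which applies the same escalation with the daemon's configured timeout.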
What do the `getfacl` and `setfacl` commands do?
The command `setfacl` refers to Set File Access Control Lists and `getfacl` refers to Get File Access Control Lists. Each file and directory in a Linux filesystem is created with a specific set of file permissions for its access. In order to know the access permissions of a file or directory we use `getfacl`; to change them we use `setfacl`.
What is a file descriptor in Linux?
In Unix and related computer operating systems, a file descriptor (FD, less frequently fildes) is an abstract indicator (handle) used to access a file or other input/output resource, such as a pipe or network socket. File descriptors form part of the POSIX application programming interface.
What is an open file table?
The process table entry (aka process control block) contains a table, the file descriptor table that gives the mapping between the descriptor the process uses to refer to a file connection and the data structure inside the kernel that represents the actual file connection.
What's the difference between `/sbin/nologin`, `/bin/false` and `/bin/true`?
When `/sbin/nologin` is set as the shell, if a user with that shell logs in, they'll get a polite message saying 'This account is currently not available.'
`/bin/false` is just a binary that immediately exits, returning false, when it's called, so when someone who has false as their shell logs in, they're immediately logged out when false exits. Setting the shell to `/bin/true` has the same effect of not allowing someone to log in, but false is probably used as a convention over true since it's much better at conveying the concept that the person doesn't have a shell.
nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that; but both nologin and false will have the same end result of someone not having a shell and not being able to ssh in.
What is the meaning of the error `maxproc limit exceeded by uid %i ...` in FreeBSD?
The FreeBSD kernel will only allow a certain number of processes to exist at one time. The number is based on the `kern.maxusers` variable.
`kern.maxusers` also affects various other in-kernel limits, such as network buffers. If the machine is heavily loaded, increase `kern.maxusers`. This will increase these other system limits in addition to the maximum number of processes.
To adjust the `kern.maxusers` value, see the File/Process Limits section of the Handbook. While that section refers to open files, the same limits apply to processes.
If the machine is lightly loaded but running a very large number of processes, adjust the `kern.maxproc` tunable by defining it in `/boot/loader.conf`.
How to read a file line by line and assign each line to a variable?
For example:
```bash
while IFS='' read -r line || [[ -n "$line" ]] ; do
  echo "Text read from file: $line"
done < "/path/to/filename"
```
Explanation:
- `IFS=''` (or `IFS=`) prevents leading/trailing whitespace from being trimmed.
- `-r` prevents backslash escapes from being interpreted.
- `|| [[ -n $line ]]` prevents the last line from being ignored if it doesn't end with a `\n` (since `read` returns a non-zero exit code when it encounters EOF).
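The three safeguards are easiest to appreciate side by side with the naive `while read line` loop. The following is an added example, not code from the original page: it builds a small file (constructed here, in a temp location from `mktemp`) with an indented line, a line containing backslashes and a final line with no trailing newline, then counts and returns lines with both loop forms. Function names are this example's own.

```shell
# Constructed input: three lines, the third without a terminating newline.
make_sample_file() {
  f=$(mktemp) || return 1
  printf '  indented line\n' > "$f"
  printf 'path C:\\temp\\new\n' >> "$f"
  printf 'last line without newline' >> "$f"
  printf '%s\n' "$f"
}

# Naive loop: IFS trims whitespace, backslashes are interpreted, and the
# final unterminated line is silently dropped because read returns non-zero.
count_lines_naive() {
  n=0
  while read line; do n=$((n + 1)); done < "$1"
  echo "$n"
}

# Robust loop from the answer: every line is seen exactly as stored.
count_lines_robust() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do n=$((n + 1)); done < "$1"
  echo "$n"
}

# What each form hands you for the first (indented) and second (backslash) line.
first_line_naive()   { read line < "$1"; printf '%s\n' "$line"; }
first_line_robust()  { IFS= read -r line < "$1"; printf '%s\n' "$line"; }
second_line_naive()  { { read line; read line; } < "$1"; printf '%s\n' "$line"; }
second_line_robust() { { IFS= read -r line; IFS= read -r line; } < "$1"; printf '%s\n' "$line"; }

# Usage:
#   f=$(make_sample_file)
#   count_lines_naive "$f"; count_lines_robust "$f"    # 2 vs 3
#   second_line_naive "$f"                              # path C:tempnew
#   second_line_robust "$f"                             # path C:\temp\new
#   rm -f "$f"
```

The dropped last line is the one that bites in practice: a config file saved by an editor that does not add a final newline loses its last entry without any error.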
How to rebuild the Initial Ramdisk Image in Debian/CentOS?
Debian GNU/Linux:
```bash
update-initramfs -u -k all
update-grub
```
CentOS Linux:
```bash
dracut -f
grub2-mkconfig -o /boot/grub2/grub.cfg
```
What does "CPU jumps" mean?
An OS is a very busy thing, particularly so when you have it doing something (and even when you aren't). And when we are looking at an active enterprise environment, something is always going on.
Most of this activity is "bursty", meaning processes are typically quiescent with short periods of intense activity. This is certainly true of any type of network-based activity (e.g. processing PHP requests), but also applies to OS maintenance (e.g. file system maintenance, page reclamation, disk I/O requests).
If you take a situation where you have a lot of such bursty processes, you get a very irregular and spiky CPU usage plot.
As "500 - Internal Server Error" says, the high number of context switches are going to make the situation even worse.
How does `strace` connect to an already running process?
`strace -p <PID>` - attaches strace to a running process.
`strace -e trace=read,write -p <PID>` - with this you can also trace a process/program for an event, like read and write (in this example). So here it will print all such events that include read and write system calls by the process.
Other such examples:
- `-e trace=network` - trace all the network related system calls.
- `-e trace=signal` - trace all signal related system calls.
- `-e trace=ipc` - trace all IPC related system calls.
- `-e trace=desc` - trace all file descriptor related system calls.
- `-e trace=memory` - trace all memory mapping related system calls.
How to remove all files except some from a directory?
Solution 1 - with extglob:
```bash
shopt -s extglob
rm !(textfile.txt|backup.tar.gz|script.php|database.sql|info.txt)
```
Solution 2 - with find:
```bash
find . -type f -not -name '*txt' -print0 | xargs -0 rm --
```
How to check if a string contains a substring in Bash?
You can use * (wildcards) outside a case statement, too, if you use double brackets:
```bash
string='some text'
if [[ $string = *"My long"* ]] ; then
  true
fi
```
How to redirect stderr and stdout to different files in the same line?
Just add them in one line: `command 2>> error 1>> output`.
However, note that `>>` is for appending if the file already has data, whereas `>` will overwrite any existing data in the file.
So, `command 2> error 1> output` if you do not want to append.
Just for completion's sake, you can write `1>` as just `>` since the default file descriptor is stdout, so `1>` and `>` are the same thing.
So, `command 2> error 1> output` becomes `command 2> error > output`.
How to remove leading whitespace from each line in a file?
Warning: this will overwrite the original file:
```bash
sed -i "s/^[ \t]*//" filename
```
or (the `+` quantifier needs extended regex, hence `-E`):
```bash
sed -E 's/^[ \t]+//' < input > output
```
How to enforce authorization methods in SSH?
Force login with a password:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@remote_host
Force login using the key:
ssh -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes -i id_rsa user@remote_host
Getting a `Too many open files` error from Postgres. How to resolve it?
Fix the issue by reducing `max_files_per_process`, e.g. to 200 from the default of 1000. This parameter lives in the `postgresql.conf` file and sets the maximum number of simultaneously open files allowed to each server subprocess.
People usually start by editing the `/etc/security/limits.conf` file, but forget that this file only applies to sessions that pass through the PAM stack (interactive logins); a database server started by the init system does not pick up those limits.
In what circumstances can `df` and `du` disagree on available disk space? How do you solve it?
Solution 1:
Check for files located under mount points. Frequently, if you mount a directory (say a sambafs) onto a filesystem that already had files or directories under it, you lose the ability to see those files, but they're still consuming space on the underlying disk.
I've had file copies while in single user mode dump files into directories that I couldn't see except in single user mode (due to other directory systems being mounted on top of them).
Solution 2:
On the other hand, `df -h` and `du -sh` could be mismatched by about 50% of the hard disk size. This was caused by e.g. apache (httpd) keeping large log files open after they had been deleted from disk, so the blocks were never released.
This was tracked down by running `lsof | grep "/var" | grep deleted`, where `/var` was the partition I needed to clean up.
The output showed lines like this:
httpd 32617 nobody 106w REG 9,4 1835222944 688166 /var/log/apache/awstats_log (deleted)
The situation was then resolved by restarting apache (`service httpd restart`), which closed the descriptors on the deleted files and freed the disk space.
What is the difference between encryption and hashing?
Hashing is a form of cryptographic security which differs from encryption. Whereas encryption is a two-step, reversible process used to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-length value, or hash.
How to log all commands run by root on production servers?
`auditd` is the correct tool for the job here:
- Add these 2 lines to `/etc/audit/audit.rules`:
```
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve
```
These will track all commands run by root (euid=0). Why two rules? The execve syscall must be tracked in both 32 and 64 bit code.
- To get rid of `auid=4294967295` messages in logs, add `audit=1` to the kernel's cmdline (by editing `/etc/default/grub`).
- Place the line `session required pam_loginuid.so` in all PAM config files that are relevant to login (`/etc/pam.d/{login,kdm,sshd}`), but not in the files that are relevant to su or sudo. This will allow auditd to get the calling user's uid correctly when calling sudo or su.
Restart your system now.
Let's login and run some commands:
```
$ id -u
1000
$ sudo ls /
bin boot data dev etc home initrd.img initrd.img.old lib lib32 lib64 lost+found media mnt opt proc root run sbin scratch seLinux srv sys tmp usr var vmlinuz vmlinuz.old
$ sudo su -
# ls /etc
[...]
```
Now read `/var/log/audit/audit.log` to see what has been logged.
How to prevent `dd` from freezing the system?
Try using ionice:
```bash
ionice -c3 dd if=/dev/zero of=z
```
This starts the `dd` process with the "idle" IO priority: it only gets disk time when no other process has used disk IO for a certain amount of time.
Of course this can still flood the buffer cache and cause freezes while the system flushes out the cache to disk. There are tunables under `/proc/sys/vm/` to influence this, particularly the dirty_* entries.
How to limit processes to not exceed more than X% of CPU usage?
- nice/renice: nice is a great tool for 'one off' tweaks to a system:
```bash
nice COMMAND
```
- cpulimit: use cpulimit if you need to run a CPU intensive job and having free CPU time is essential for the responsiveness of a system:
```bash
cpulimit -l 50 COMMAND
```
- cgroups: cgroups apply limits to a set of processes, rather than to just one:
```bash
cgcreate -g cpu:/cpulimited
cgset -r cpu.shares=512 cpulimited
cgexec -g cpu:cpulimited COMMAND_1
cgexec -g cpu:cpulimited COMMAND_2
cgexec -g cpu:cpulimited COMMAND_3
```
Note that `cpu.shares` is a relative weight that only matters when the CPU is contended; for a hard ceiling use the `cpu.cfs_quota_us`/`cpu.cfs_period_us` pair (cgroup v1) instead.
How to mount a temporary RAM partition?
# -t - filesystem type
# -o - mount options
mount -t tmpfs tmpfs /mnt -o size=64M
How to kill a process that is locking a file?
fuser -k filename
How to restore permissions for `/bin/chmod`?
```bash
# 1: cp keeps the destination's mode, so copy any executable first and then overwrite its contents with chmod
cp /bin/ls chmod.01
cp /bin/chmod chmod.01
./chmod.01 700 /bin/chmod
# 2:
/bin/busybox chmod 0700 /bin/chmod
# 3:
setfacl --set u::rwx,g::---,o::--- /bin/chmod
# 4: run the binary through the dynamic loader directly
/usr/lib/ld*.so /bin/chmod 0700 /bin/chmod
```
`grub>` vs `grub-rescue>`. Explain.
- `grub>` - this is the mode GRUB enters when it finds everything it needs to run the system, including the configuration file. In this mode we have access to most (if not all) modules and commands. This mode can be called from the menu by pressing the 'c' key.
- `grub-rescue>` - this is the mode GRUB falls back to when it is unable to find its own directory (especially the directory with modules and additional commands, e.g. `/boot/grub/i386-pc`), when its contents are damaged, or when no normal module is found; it contains only basic commands.
How to check whether the private key and the certificate match?
```bash
(openssl rsa -noout -modulus -in private.key | openssl md5 ; openssl x509 -noout -modulus -in certificate.crt | openssl md5) | uniq
```
If the two digests match, `uniq` prints a single line; two lines mean the key does not belong to the certificate. This compares the RSA modulus, so it applies to RSA keys only.
How to create a user without the useradd command in Linux?
- Add an entry with the user details in `/etc/passwd`:
```
# username:password:UID:GID:Comments:Home_Directory:Login Shell
user:x:501:501:test user:/home/user:/bin/bash
```
- You will have to create a group with the same name in `/etc/group`:
```
user:x:501:
```
- Assign a password to the user:
```bash
passwd user
```
How to profile an app in a Linux environment?
Ideally, I need an app that will attach to a process and log periodic snapshots of: memory usage, number of threads, CPU usage.
- You can use `top` in batch mode. It runs in batch mode either until it is killed or until N iterations are done:
```bash
top -b -p `pidof a.out`
```
or
```bash
top -b -p `pidof a.out` -n 100
```
- You can use ps (for instance in a shell script):
```bash
ps --format pid,pcpu,cputime,etime,size,vsz,cmd -p `pidof a.out`
```
I need some means of recording the performance of an application on a Linux machine.
- To record performance data:
perf record -p `pidof a.out`
or to record for 10 secs:
perf record -p `pidof a.out` sleep 10
or to record with a call graph (-g):
perf record -g -p `pidof a.out`
- To analyze the recorded data
perf report --stdio
perf report --stdio --sort=dso -g none
perf report --stdio -g none
perf report --stdio -g
This is an example of profiling a test program
- I run my test program (c++):
./my_test 100000000
- Then I record performance data of a running process:
perf record -g -p `pidof my_test` -o ./my_test.perf.data sleep 30
- Then I analyze load per module:
perf report --stdio -g none --sort comm,dso -i ./my_test.perf.data
# Overhead Command Shared Object
# ........ ....... ............................
#
70.06% my_test my_test
28.33% my_test libtcmalloc_minimal.so.0.1.0
1.61% my_test [kernel.kallsyms]
- Then load per function is analyzed:
perf report --stdio -g none -i ./my_test.perf.data | c++filt
# Overhead Command Shared Object Symbol
# ........ ....... ............................ ...........................
#
29.30% my_test my_test [.] f2(long)
29.14% my_test my_test [.] f1(long)
15.17% my_test libtcmalloc_minimal.so.0.1.0 [.] operator new(unsigned long)
13.16% my_test libtcmalloc_minimal.so.0.1.0 [.] operator delete(void*)
9.44% my_test my_test [.] process_request(long)
1.01% my_test my_test [.] operator delete(void*)@plt
0.97% my_test my_test [.] operator new(unsigned long)@plt
0.20% my_test my_test [.] main
0.19% my_test [kernel.kallsyms] [k] apic_timer_interrupt
0.16% my_test [kernel.kallsyms] [k] _spin_lock
0.13% my_test [kernel.kallsyms] [k] native_write_msr_safe
...
- Then call chains are analyzed:
perf report --stdio -g graph -i ./my_test.perf.data | c++filt
# Overhead Command Shared Object Symbol
# ........ ....... ............................ ...........................
#
29.30% my_test my_test [.] f2(long)
|
--- f2(long)
|
--29.01%-- process_request(long)
main
__libc_start_main
29.14% my_test my_test [.] f1(long)
|
--- f1(long)
|
|--15.05%-- process_request(long)
| main
| __libc_start_main
|
--13.79%-- f2(long)
process_request(long)
main
__libc_start_main
...
So at this point you know where your program spends time.
Another simple way to profile an app is to use the `pstack` utility or `lsstack`.
Another tool is Valgrind. So this is what I recommend. Run the program first:
valgrind --tool=callgrind --dump-instr=yes -v --instr-atstart=no ./binary > tmp
Now when it works and we want to start profiling we should run in another window:
callgrind_control -i on
This turns profiling on. To turn it off and stop whole task we might use:
callgrind_control -k
Now we have some files named callgrind.out.* in current directory. To see profiling results use:
kcachegrind callgrind.out.*
I recommend in next window to click on "Self" column header, otherwise it shows that "main()" is most time consuming task.
What is the easiest, safest and most portable way to remove a directory entry named `-rf`?
They're effective but not optimally portable:
rm -- -fr
perl -le 'unlink("-fr");'
People who go on about shell command line quoting and character escaping are almost as dangerous as those who simply don't even recognize why a file name like that poses any problem at all.
The most portable solution:
rm ./-fr
Write a simple bash script (or pair of scripts) to backup and restore your system. *
To be completed.
Create SPF records for your site to help control spam. *
To be completed.
What is the difference between an authoritative and a nonauthoritative answer to a DNS query? *
To be completed.
Explore the current MTA configuration at your site. What are some of the special features of the MTA that are in use? *
To be completed.
Use tcpdump to capture FTP traffic for both active and passive FTP sessions.
tcpdump '(port ftp or ftp-data)'
Does having Varnish in front of your website/app mean you don't need to care about load balancing or redundancy?
It depends. Varnish is a cache server, so its purpose is to cache content and to act as a reverse proxy, to speed up retrieval of data and to lessen the load on the web server. Varnish can also be configured as a load balancer for multiple web servers, but if we use just one Varnish server, this will become a single point of failure in our infrastructure.
A better solution to ensure load balancing or redundancy is a cluster of at least two Varnish instances, in active-active or active-passive mode.
What are hits, misses, and hit-for-pass in Varnish Cache?
A hit is a request which is successfully served from the cache, a miss is a request that goes through the cache but finds an empty cache and therefore has to be fetched from the origin, the hit-for-pass comes in when Varnish Cache realizes that one of the objects it has requested is uncachable and will result in a pass.
What's a reasonable TTL for cached content given the following parameters? *
To be completed.
How do you kill a program using one port in Linux?
To list any process listening to the port 8080:
lsof -i:8080
To kill any process listening to the port 8080:
kill $(lsof -t -i:8080)
or more violently:
kill -9 $(lsof -t -i:8080)
How to test connection with OpenSSL to remote host (with and without SNI)?
With OpenSSL:
# Testing connection to remote host (with SNI support)
echo | openssl s_client -showcerts -servername google.com -connect google.com:443
# Testing connection to remote host (without SNI support)
echo | openssl s_client -connect google.com:443 -showcerts
With GnuTLS:
# Testing connection to remote host (with SNI support)
gnutls-cli -p 443 google.com
# Testing connection to remote host (without SNI support)
gnutls-cli --disable-sni -p 443 google.com
How are cookies passed in the HTTP protocol?
The server sends the following in its response header to set a cookie field:
Set-Cookie:name=value
If there is a cookie set, then the browser sends the following in its request header:
Cookie:name=value
What is the proper way to test NFS performance?
The best benchmark is always "the application(s) that you normally use". The load on an NFS system when you have 20 people simultaneously compiling a Linux kernel is completely different from a bunch of people logging in at the same time or the accounts used as "home directories for the local web-server".
But we have some good tools for testing this.
- Bonnie++ - a classical performance evaluation tool. The main program tests database type access to a single file (or a set of files if you wish to test more than 1G of storage), and it tests creation, reading, and deleting of small files which can simulate the usage of programs such as Squid, INN, or Maildir format email.
- DBench - was written to allow independent developers to debug and test SAMBA. It is heavily inspired by the original SAMBA tool.
- IOZone - performance test suite. POSIX and 64 bit compliant. This test is the file system test from the L.S.E. Main features: POSIX async I/O, Mmap() file I/O, normal file I/O, single stream measurement, multiple stream measurement, distributed file server measurements (cluster), POSIX pthreads, multi-process measurement, selectable measurements with fsync, O_SYNC, latency plots.
How to run `scp` with a second remote host?
With ssh:
ssh user1@remote1 'ssh user2@remote2 "cat file"' > file
With tar (with compression):
ssh user1@remote1 'ssh user2@remote2 "cd path2; tar cj file"' | tar xj
With ssh and port forwarding tunnel:
# First, open the tunnel
ssh -L 1234:remote2:22 -p 45678 user1@remote1
# Then, use the tunnel to copy the file directly from remote2
scp -P 1234 user2@localhost:file .
How can you reduce load time of a dynamic website?
- webpage optimization
- cached web pages
- quality web hosting
- compressed text files
- apache/nginx tuning
Explain difference between HTTP 1.1 and HTTP 2.0.
HTTP/2 supports queries multiplexing, headers compression, priority and more intelligent packet streaming management. This results in reduced latency and accelerates content download on modern web pages.
Key differences with HTTP/1.1:
- it is binary, instead of textual
- fully multiplexed, instead of ordered and blocking
- can therefore use one connection for parallelism
- uses header compression to reduce overhead
- allows servers to “push” responses proactively into client caches
What's the difference between `Cache-Control: max-age=0` and `no-cache`?
When sent by the origin server:
`max-age=0` simply tells caches (and user agents) the response is stale from the get-go and so they SHOULD revalidate the response (e.g. with the `If-Modified-Since` or `If-None-Match` header) before using a cached copy, whereas `no-cache` tells them they MUST revalidate before using a cached copy.
In other words, caches may sometimes choose to use a stale response (although I believe they have to then add a Warning header), but `no-cache` says they're not allowed to use a stale response no matter what. Maybe you'd want the SHOULD-revalidate behavior when baseball stats are generated in a page, but you'd want the MUST-revalidate behavior when you've generated the response to an e-commerce purchase.
When sent by the user agent:
If a user agent sends a request with `Cache-Control: max-age=0` (aka "end-to-end revalidation"), then each cache along the way will revalidate its cache entry (e.g. with the `If-Modified-Since` or `If-None-Match` header) all the way to the origin server. If the reply is then 304 (Not Modified), the cached entity can be used.
On the other hand, sending a request with `Cache-Control: no-cache` (aka "end-to-end reload") doesn't revalidate, and the server MUST NOT use a cached copy when responding.
What are the security risks of setting `Access-Control-Allow-Origin`?
By responding with `Access-Control-Allow-Origin: *`, the requested resource allows sharing with every origin. This basically means that any site can send an XHR request to your site and access the server's response, which would not be the case if you hadn't implemented this CORS response.
So any site can make a request to your site on behalf of their visitors and process its response. If you have something implemented like an authentication or authorization scheme that is based on something that is automatically provided by the browser (cookies, cookie-based sessions, etc.), the requests triggered by the third-party sites will use them too. Note that browsers refuse to expose a credentialed response when the header is the literal `*`; the cookie scenario arises when the server reflects the requesting `Origin` value back, typically together with `Access-Control-Allow-Credentials: true`.
Create a single-use TCP or UDP proxy with Netcat.
### TCP -> TCP
nc -l -p 2000 -c "nc [ip|hostname] 3000"
### TCP -> UDP
nc -l -p 2000 -c "nc -u [ip|hostname] 3000"
### UDP -> UDP
nc -l -u -p 2000 -c "nc -u [ip|hostname] 3000"
### UDP -> TCP
nc -l -u -p 2000 -c "nc [ip|hostname] 3000"
Note: the `-c` (run a shell command) option exists in GNU/traditional netcat and in Nmap's ncat; the OpenBSD netcat shipped by many distributions does not provide it.
Explain 3 techniques for Avoiding Firewalls with Nmap.
- Use Decoy addresses
# Generates a random number of decoys.
nmap -D RND:10 [target]
# Manually specify the IP addresses of the decoys.
nmap -D decoy1,decoy2,decoy3
In this type of scan you can instruct Nmap to spoof packets from other hosts. In the firewall logs there will be not only our IP address but also the IP addresses of the decoys, so it will be much harder to determine from which system the scan started.
- Source port number specification
nmap --source-port 53 [target]
A common error that many administrators make when configuring firewalls is to set up a rule to allow all incoming traffic that comes from a specific port number. The `--source-port` option of Nmap can be used to exploit this misconfiguration. Common ports that you can use for this type of scan are: 20, 53 and 67.
- Append Random Data
nmap --data-length 25 [target]
Many firewalls inspect packets by looking at their size in order to identify a potential port scan. This is because many scanners send packets that have a specific size. In order to avoid that kind of detection you can use the `--data-length` option to add additional data and to send packets with a different size than the default.
- TCP ACK Scan
nmap -sA [target]
It is always good to send the ACK packets rather than the SYN packets because if there is any active firewall working on the remote computer then because of the ACK packets the firewall cannot create the log, since firewalls treat ACK packet as the response of the SYN packet.
What does tcpdump do? How to capture only incoming traffic to your interface?
`tcpdump` is a powerful and widely used command-line packet sniffer/analyzer used to capture or filter TCP/IP packets received or transferred over a network on a specific interface.
`tcpdump` puts your network card into promiscuous mode, which basically tells it to accept every packet it receives. It allows the user to see all traffic being passed over the network. Wireshark uses pcap to capture packets.
If you want to view only packets that come to your interface you should use:
- `-Q in` - for the Linux `tcpdump` version
- `-D in` - for the BSD `tcpdump` version
Both params set the send/receive direction for which packets should be captured.
```bash
tcpdump -nei eth0 -Q in host 192.168.252.125 and port 8080
```
Explain how flap detection works in Nagios.
Flapping occurs when a service or host changes state too frequently; this causes a lot of problem and recovery notifications.
Once you have defined flapping, explain how Nagios detects it. Whenever Nagios checks the status of a host or service, it will check to see if it has started or stopped flapping.
Nagios follows the procedure given below to do that:
- storing the results of the last 21 checks of the host or service
- analyzing the historical check results and determining where state changes/transitions occur
- using the state transitions to determine a percent state change value (a measure of change) for the host or service
- comparing the percent state change value against low and high flapping thresholds
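As an added example (not code from the original page or from Nagios), the four steps above reduced to two shell functions working on a constructed history of check results (0 = OK, 1 = non-OK): one computes the percent state change over 21 results, the other applies the low/high thresholds with hysteresis (flapping starts only above the high threshold and stops only below the low one). Nagios additionally weights recent transitions more heavily than old ones; that refinement is left out here, and the 5% / 20% thresholds in the usage lines are example values, not the ones from your configuration.

```shell
# state_change_percent "<space-separated states>": percent of consecutive
# check pairs whose state differs. With 21 results there are 20 pairs.
state_change_percent() {
  printf '%s\n' "$1" | awk '{
    changes = 0
    for (i = 2; i <= NF; i++) if ($i != $(i - 1)) changes++
    pct = (NF > 1) ? 100 * changes / (NF - 1) : 0
    printf "%.1f\n", pct
  }'
}

# flap_verdict PERCENT LOW HIGH CURRENTLY_FLAPPING -> prints 1 or 0.
# A value between LOW and HIGH keeps the previous state, which is what
# stops a host hovering around one threshold from generating a new
# "flapping started/stopped" notification on every check.
flap_verdict() {
  awk -v p="$1" -v low="$2" -v high="$3" -v cur="$4" 'BEGIN {
    if (cur == 1 && p < low) cur = 0
    else if (cur == 0 && p > high) cur = 1
    print cur
  }'
}

# Usage (constructed histories):
#   state_change_percent "0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0"   # 100.0
#   state_change_percent "0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1"   # 5.0 (one real outage)
#   flap_verdict 100.0 5 20 0   # 1: starts flapping
#   flap_verdict 10.0 5 20 1    # 1: between thresholds, stays flapping
#   flap_verdict 4.0 5 20 1     # 0: dropped below the low threshold
```

The second usage line is the case the thresholds exist for: a single genuine outage produces one transition and should not be mistaken for flapping.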
What are the advantages that Containerization provides over Virtualization?
Below are the advantages of containerization over virtualization:
- containers provide real-time provisioning and scalability but VMs provide slow provisioning
- containers are lightweight when compared to VMs
- VMs have limited performance when compared to containers
- containers have better resource utilization compared to VMs
What is OWASP Application Security Verification Standard? Explain in a few points. *
To be completed.
What is CSRF?
Cross Site Request Forgery is a web application vulnerability in which the server does not check whether the request came from a trusted client or not. The request is just processed directly. It can be further followed by the ways to detect this, examples and countermeasures.
What is the difference between policies, processes and guidelines?
A security policy defines the security objectives and the security framework of an organisation. A process is a detailed step-by-step how-to document that specifies the exact actions necessary to implement an important security mechanism. Guidelines are recommendations which can be customised and used in the creation of procedures.
What is a false positive and false negative in case of IDS?
When the device generates an alert for an intrusion which has actually not happened, this is a false positive; if the device has not generated any alert and the intrusion has actually happened, this is a false negative.
5 quick points on Web server hardening?
Web server hardening is filtering of unnecessary services running on various ports and removal of default test scripts from the servers. Although web server hardening is a lot more than this and usually organisations have a customised checklist for hardening the servers. Any server getting created has to be hardened and hardening has to be re-confirmed on a yearly basis. Even the hardening checklist has to be reviewed on a yearly basis for new add-ons.
Example:
- if machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened
- create a separate partition with the `nodev`, `nosuid`, and `noexec` options set for `/tmp`
- create separate partitions for `/var`, `/var/log`, `/var/log/audit`, and `/home`
- enable randomized virtual memory region placement
- remove legacy services (e.g., telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server).
- limit connections to services running on the host to authorized users of the service via firewalls and other access control technologies
- disable source routed packet acceptance
- enable TCP/SYN cookies
- disable SSH root login
- install and configure AIDE
- install and configure OSSEC HIDS
- configure SELinux
- all administrator or root access must be logged
- integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested
- set password creation requirements
Why do we need the `mktemp` command? Present an example of use.
`mktemp` randomizes the name. It is very important from the security point of view.
Just imagine that you do something like:
```bash
echo "random_string" > /tmp/temp-file
```
in your root-running script. And someone (who has read your script) does:
```bash
ln -s /etc/passwd /tmp/temp-file
```
The `mktemp` command could help you in this situation:
```bash
TEMP=$(mktemp /tmp/temp-file.XXXXXXXX)
echo "random_string" > "${TEMP}"
```
Now this `ln -s /etc/passwd` attack will not work.
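To make the difference observable without touching `/tmp` or `/etc/passwd`, here is an added example (not code from the original page) that stages the scenario in a throwaway directory: a `victim` file stands in for `/etc/passwd` and a symlink is pre-planted at the predictable name. The fixed-name writer follows the link; the `mktemp` writer does not, and it adds two habits worth pairing with `mktemp`: `set -o noclobber` so a plain `>` refuses to truncate any path that already exists, and a cleanup `trap`. Directory layout and function names are this example's own.

```shell
# Stage the scenario in a private directory (all paths constructed here).
setup_sandbox() {
  d=$(mktemp -d) || return 1
  printf 'original contents\n' > "$d/victim"     # stands in for /etc/passwd
  ln -s "$d/victim" "$d/temp-file"               # link planted at the predictable name
  printf '%s\n' "$d"
}

# The unsafe pattern from the question: the name is fixed, so the write
# follows whatever was planted there and clobbers the victim.
write_fixed_name() {
  echo "random_string" > "$1/temp-file"
}

# The safe pattern. Runs in a subshell so noclobber and the trap stay local.
# Prints the temp file's content as read back, then the trap removes it.
write_with_mktemp() (
  dir=$1
  set -o noclobber
  # mktemp creates a new file (mode 0600) under a random name; a link
  # planted in advance cannot guess it.
  tmp=$(mktemp "$dir/temp-file.XXXXXXXX") || exit 1
  trap 'rm -f "$tmp"' EXIT
  # With noclobber, an accidental write to the predictable name fails
  # instead of following the planted link.
  if echo "random_string" 2>/dev/null > "$dir/temp-file"; then
    exit 2
  fi
  # '>|' is the explicit override, used only for the file mktemp just made.
  echo "random_string" >| "$tmp" || exit 1
  cat "$tmp"
)

# Usage:
#   d=$(setup_sandbox)
#   write_fixed_name "$d";  cat "$d/victim"     # victim now reads random_string
#   write_with_mktemp "$d"                      # prints random_string, victim untouched
#   rm -rf "$d"
```

`mktemp -d` plus a `trap ... EXIT` is the same idea for scripts that need several scratch files: create one private directory and put everything under it.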
Use the sysfs virtual filesystem to test the connection on all interfaces (without loopback).
For example:
```bash
#!/usr/bin/bash
state=0
for iface in /sys/class/net/* ; do
  iface=${iface##*/}
  [[ $iface == lo ]] && continue
  # carrier is unreadable (EINVAL) while the interface is administratively down
  if [[ $(cat /sys/class/net/$iface/carrier 2>/dev/null) = 1 ]] ; then state=1 ; fi
done
if [[ $state -eq 0 ]] ; then echo "no connection" >&2 ; exit 1 ; fi
```
Explain the Varnish Cache SHM log (backend polling mechanism).
Every poll is recorded in the shared memory log as follows:
0 Backend_health - b0 Still healthy 4--X-S-RH 9 8 10 0.029291 0.030875 HTTP/1.1 200 Ok
The fields are:
- 0 - Constant
- Backend_health - Log record tag
- '-' client/backend indication (XXX: wrong! should be 'b')
- b0 - Name of backend (XXX: needs qualifier)
- two words indicating state:
- "Still healthy"
- "Still sick"
- "Back healthy"
- "Went sick"
Notice that the second word indicates present state, and the first word == "Still" indicates unchanged state.
- 4--X-S-RH - Flags indicating how the latest poll went
- 4 - IPv4 connection established
- 6 - IPv6 connection established
- x - Request transmit failed
- X - Request transmit succeeded
- s - TCP socket shutdown failed
- S - TCP socket shutdown succeeded
- r - Read response failed
- R - Read response succeeded
- H - Happy with result
- 9 - Number of good polls in the last .window polls
- 8 - .threshold (see above)
- 10 - .window (see above)
- 0.029291 - Response time this poll or zero if it failed
- 0.030875 - Exponential average (r=4) of responsetime for good polls.
- HTTP/1.1 200 Ok - The HTTP response from the backend.
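As an added example (not code from the original page or from Varnish), a small decoder for records of this form: it splits the line at the positions listed above, expands the flag string letter by letter and reports whether the good-poll count meets the threshold. `VARNISH_HEALTHY_LINE` is the sample from the answer; `VARNISH_SICK_LINE` is constructed to show a poll whose request transmit failed (no HTTP status at the end).

```shell
VARNISH_HEALTHY_LINE='0 Backend_health - b0 Still healthy 4--X-S-RH 9 8 10 0.029291 0.030875 HTTP/1.1 200 Ok'
VARNISH_SICK_LINE='0 Backend_health - b0 Went sick 4--x------ 2 8 10 0.000000 0.030875'

# decode_backend_health "<record>": prints a summary line, the decoded
# flags, and threshold_met=yes|no (good polls in the window >= .threshold).
decode_backend_health() {
  printf '%s\n' "$1" | awk '
    $2 != "Backend_health" { print "not a Backend_health record"; exit 1 }
    {
      backend = $4; state = $5 " " $6; flags = $7
      good = $8; threshold = $9; window = $10; rtt = $11; avg = $12
      # Anything after field 12 is the HTTP status line (absent on failed polls).
      http = ""
      for (i = 13; i <= NF; i++) http = http (i > 13 ? " " : "") $i

      meaning["4"] = "IPv4 connection established"
      meaning["6"] = "IPv6 connection established"
      meaning["x"] = "request transmit failed"
      meaning["X"] = "request transmit succeeded"
      meaning["s"] = "TCP socket shutdown failed"
      meaning["S"] = "TCP socket shutdown succeeded"
      meaning["r"] = "read response failed"
      meaning["R"] = "read response succeeded"
      meaning["H"] = "happy with result"

      printf "backend=%s state=\"%s\" good=%s/%s threshold=%s rtt=%s avg=%s", backend, state, good, window, threshold, rtt, avg
      if (http != "") printf " http=\"%s\"", http
      printf "\n"

      # Flags are positional; "-" marks a step that was not reached.
      printf "flags:"
      for (i = 1; i <= length(flags); i++) {
        c = substr(flags, i, 1)
        if (c != "-") printf " %s;", meaning[c]
      }
      printf "\n"
      printf "threshold_met=%s\n", (good + 0 >= threshold + 0) ? "yes" : "no"
    }
  '
}

# Usage:
#   decode_backend_health "$VARNISH_HEALTHY_LINE"
#   decode_backend_health "$VARNISH_SICK_LINE"
#   varnishlog -g raw -i Backend_health | while read -r l; do decode_backend_health "$l"; done
```

The last usage line assumes `varnishlog` output in this raw format; on a real system the record may carry extra leading fields, so check one line by hand before piping.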
How to rewrite POST data with payload in Nginx?
You just need to write an Nginx rewrite rule with HTTP status code 307 or 308:
```nginx
location / {
  proxy_pass http://localhost:80;
  client_max_body_size 10m;
}
location /api {
  # HTTP 307 only for POST method.
  if ($request_method = POST) {
    return 307 https://api.example.com$request_uri;
  }
  # You can keep this for non-POST requests.
  rewrite ^ https://api.example.com$request_uri permanent;
  client_max_body_size 10m;
}
```
HTTP status code 307 or 308 should be used instead of 301 because a 301 changes the request method from POST to GET (and drops the body), while 307 and 308 preserve the method and the payload.
Developer reports a problem with connectivity to the remote service. Use `/dev` for troubleshooting.

```bash
# <host> - set remote host
# <port> - set destination port
# /dev/tcp/<host>/<port> is a bash pseudo-device, not a real file: it only works inside bash.
# 1
timeout 1 bash -c "</dev/tcp/<host>/<port>" >/dev/null 2>&1 ; echo $?
# 2
timeout 1 bash -c 'cat < /dev/null > /dev/tcp/<host>/<port>' ; echo $?
# 3
bash -c 'exec 3<>/dev/tcp/<host>/<port>' >/dev/null 2>&1 ; echo $?
```

An exit status of 0 means the TCP connection was established, 124 means `timeout` expired before the connection completed, and any other value means the connection was refused or the host name did not resolve.
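The same probe wrapped so it reports a classification instead of a bare `$?`, as an added example that is not part of the original page. It assumes bash and GNU coreutils `timeout` are installed; the function name `tcp_probe` is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): wrap the /dev/tcp probe in a
# function that prints open|closed|timeout and returns 0 only for "open".
# Assumes bash (for /dev/tcp) and coreutils `timeout` are available.

# Usage: tcp_probe <host> <port> [seconds]
tcp_probe() {
    host=$1; port=$2; secs=${3:-1}
    # Run the probe in a child bash so a hang is bounded by `timeout`.
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    rc=$?
    case $rc in
        0)   echo open ;;
        124) echo timeout ;;      # coreutils timeout reports expiry as 124
        *)   echo closed ;;       # refused, unreachable, or name resolution failed
    esac
    [ "$rc" -eq 0 ]
}
```

"timeout" versus "closed" is the useful distinction when triaging a developer's report: a refused connection means the packet reached a host with nothing listening (or a firewall that rejects), while a timeout usually means a silent drop on the path or a host that does not exist.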
Useful resources:
How do I measure request and response times at once using cURL?

cURL supports formatted output for the details of the request (see the cURL manpage for details, under `-w, --write-out <format>`). For our purposes we'll focus just on the timing details that are provided.

- Create a new file, `curl-format.txt`, and paste in:

```
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_appconnect: %{time_appconnect}\n
time_pretransfer: %{time_pretransfer}\n
time_redirect: %{time_redirect}\n
time_starttransfer: %{time_starttransfer}\n
----------\n
time_total: %{time_total}\n
```

- Make a request:

```bash
curl -w "@curl-format.txt" -o /dev/null -s "http://example.com/"
```

What this does:

- `-w "@curl-format.txt"` - tells cURL to use our format file
- `-o /dev/null` - redirects the output of the request to /dev/null
- `-s` - tells cURL not to show a progress meter
- `http://example.com/` is the URL we are requesting. Use quotes, particularly if your URL has "&" query string parameters.
Is there a way to allow multiple cross-domains using the Access-Control-Allow-Origin header in Nginx?

To match a list of domains and subdomains, this regex makes it easy to work with fonts:

```nginx
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
  if ( $http_origin ~* (https?://(.+\.)?(domain1|domain2|domain3)\.(?:me|co|com)$) ) {
    add_header "Access-Control-Allow-Origin" "$http_origin";
  }
}
```

A slightly more elaborate configuration:

```nginx
location / {
  if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
    set $cors "true";
  }

  # Nginx doesn't support nested If statements. This is where things get slightly nasty.
  # Determine the HTTP request method used
  if ($request_method = 'GET') {
    set $cors "${cors}get";
  }
  if ($request_method = 'POST') {
    set $cors "${cors}post";
  }

  if ($cors = "true") {
    # Catch all in case there's a request method we're not dealing with properly
    add_header 'Access-Control-Allow-Origin' "$http_origin";
  }

  if ($cors = "trueget") {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
  }

  if ($cors = "truepost") {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
  }
}
```

Because these blocks reflect `$http_origin` back to the client, and the second one also sends `Access-Control-Allow-Credentials: true`, the pattern must be anchored at both ends (`^` ... `$`) with the dots escaped; an unanchored pattern would also accept a look-alike host that merely contains the trusted domain name.
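A way to exercise the allow-list regex before deploying it, as an added example that is not part of the original page: the strict pattern mirrors the anchored Nginx `if` above, and a deliberately loose variant without the `$` anchor shows what slips through. The domain names and Origin values are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): test Origin values against an
# anchored allow-list regex of the same shape as the Nginx "if" above, and
# against an unanchored variant, to show why anchoring matters.

STRICT_RE='^https?://([^/]+\.)*(domainone|domaintwo)\.com$'
LOOSE_RE='https?://(.+\.)?(domainone|domaintwo)\.com'   # no ^/$ anchors: counter-example only

# origin_allowed <origin> [regex]: 0 if the origin matches the (default strict) regex.
# -i mirrors the case-insensitive ~* operator used in the Nginx config.
origin_allowed() {
    printf '%s\n' "$1" | grep -Eqi "${2:-$STRICT_RE}"
}

# Print "<origin> allow|deny" per argument using the strict regex.
cors_report() {
    for o in "$@"; do
        if origin_allowed "$o"; then printf '%s allow\n' "$o"; else printf '%s deny\n' "$o"; fi
    done
}
```

Run `cors_report` over the Origin values seen in your access logs to confirm that only the hosts you own are reflected; anything that shows up as `allow` and is not yours means the pattern needs tightening.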
Explain `:(){ :|:& };:` and how to stop this code if you are already logged into a system?

It's a fork bomb.

- `:()` - this defines the function. `:` is the function name and the empty parentheses show that it will not accept any arguments
- `{ }` - these characters show the beginning and end of the function definition
- `:|:` - it loads a copy of the function `:` into memory and pipes its output to another copy of the `:` function, which also has to be loaded into memory
- `&` - this makes the process a background process, so that the child processes will not get killed even though the parent gets auto-killed
- `:` - the final `:` executes the function, and hence the chain reaction begins

The best way to protect a multi-user system is to use PAM to limit the number of processes a user can run. We know the biggest problem with a fork bomb is the fact that it takes up so many processes.

So we have two ways of attempting to fix this, if you are already logged into the system:

- execute a SIGSTOP command to stop the processes:

```bash
killall -STOP -u user1
```

- if you can't run it at the command line you will have to use `exec` to force it to run (because the process table is full and no new process can be forked):

```bash
exec killall -STOP -u user1
```

With fork bombs your best method is preventing them from becoming too big of an issue in the first place.
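The PAM limit the answer refers to is configured in `/etc/security/limits.conf`, which `pam_limits` applies when a session opens. As an added example, not from the original page, with `user1`, the group name and the numbers as placeholders:

```text
# /etc/security/limits.conf - added example, values are placeholders
# <domain>  <type>  <item>  <value>
# soft: the limit in effect at login, which the user may raise up to the hard limit
user1       soft    nproc   500
# hard: the ceiling on simultaneous processes; fork() fails with EAGAIN above it
user1       hard    nproc   1000
# a group-wide ceiling, applied to every member of the group
@students   hard    nproc   200
```

The limit only takes effect for sessions opened after the change (existing shells keep their old `ulimit -u`), so verify it from a fresh login with `ulimit -u`.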
How to recover a deleted file held open by Apache?

If a file has been deleted but is still open, that means the file still exists in the filesystem (it has an inode) but has a hard link count of 0. Since there is no link to the file, you cannot open it by name. There is no facility to open a file by inode either.

Linux exposes open files through special symbolic links under `/proc`. These links are called `/proc/12345/fd/42` where 12345 is the PID of a process and 42 is the number of a file descriptor in that process. A program running as the same user as that process can access the file (the read/write/execute permissions are the same as you had when the file was deleted).

The name under which the file was opened is still visible in the target of the symbolic link: if the file was `/var/log/apache/foo.log`, then the target of the link is `/var/log/apache/foo.log (deleted)`.

Thus you can recover the content of an open deleted file given the PID of a process that has it open and the descriptor that it's opened on like this:

```bash
recover_open_deleted_file () {
  old_name=$(readlink "$1")
  case "$old_name" in
    *' (deleted)')
      old_name=${old_name%' (deleted)'}
      if [ -e "$old_name" ]; then
        # A new file already exists under the original name: recover next to it.
        new_name=$(TMPDIR=${old_name%/*} mktemp)
        echo "$old_name has been replaced, recovering content to $new_name"
      else
        new_name="$old_name"
      fi
      cat <"$1" >"$new_name";;
    *) echo "File is not deleted, doing nothing";;
  esac
}
recover_open_deleted_file "/proc/$pid/fd/$fd"
```

If you only know the process ID but not the descriptor, you can recover all files with:

```bash
for x in /proc/$pid/fd/* ; do
  recover_open_deleted_file "$x"
done
```

If you don't know the process ID either, you can search among all processes:

```bash
for x in /proc/[1-9]*/fd/* ; do
  case $(readlink "$x") in
    /var/log/apache/*) recover_open_deleted_file "$x";;
  esac
done
```

You can also obtain this list by parsing the output of lsof, but it isn't simpler, more reliable or more portable (this is Linux-specific anyhow).
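The whole situation reproduced end to end in a scratch directory, as an added example that is not part of the original page: the shell itself plays the role of Apache by holding the file open on descriptor 3, the file is unlinked, and the content is recovered through `/proc/<pid>/fd` and compared with the original. Linux only; the file name and content are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): hold a file open, delete it, then
# recover it through /proc/<pid>/fd as described above. Linux only.

# Copy the content behind descriptor $2 of process $1 into file $3, but only
# if the /proc link reports the original path as "(deleted)".
recover_fd() {
    target=$(readlink "/proc/$1/fd/$2") || return 1
    case "$target" in
        *' (deleted)') cat < "/proc/$1/fd/$2" > "$3" ;;
        *) echo "fd $2 of pid $1 is not a deleted file: $target" >&2; return 1 ;;
    esac
}

# Full scenario; returns 0 when the recovered copy matches the original content.
recover_demo() {
    dir=$(mktemp -d)
    printf 'line one\nline two\n' > "$dir/foo.log"
    exec 3< "$dir/foo.log"      # this shell now plays Apache holding the log open
    rm "$dir/foo.log"           # link count drops to 0; the inode lives on behind fd 3
    recover_fd "$$" 3 "$dir/recovered.log"
    rc=$?
    exec 3<&-                   # release the descriptor; the inode is now really gone
    if [ "$rc" -eq 0 ] && [ "$(cat "$dir/recovered.log")" = "$(printf 'line one\nline two\n')" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Opening `/proc/<pid>/fd/<n>` creates a new open file description, so the copy always starts at offset 0 regardless of where the holding process has read or written to; that is what makes `cat` on the link a faithful recovery rather than a tail.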
How to install Linux on a disk from, and in place of, another Linux that is already running?

It is possible that the question should be: "System installation from the level of, and in place of, an already running other system".

On the example of the Debian GNU/Linux distribution.

- Create a working directory and download the system using the debootstrap tool.

```bash
_working_directory="/mnt/system"
mkdir $_working_directory
debootstrap --verbose --arch amd64 {wheezy|jessie} $_working_directory http://ftp.en.debian.org/debian
```

- Mount the sub-systems: `proc`, `sys`, `dev` and `dev/pts`.

```bash
for i in proc sys dev dev/pts ; do mount -o bind /$i $_working_directory/$i ; done
```

- Copy the system backup for restore.

```bash
cp system_backup_22012015.tgz $_working_directory/mnt
```

However, it is better not to waste space and do it in a different way (assuming that the copy is in `/mnt/backup`):

```bash
_backup_directory="${_working_directory}/mnt/backup"
mkdir $_backup_directory && mount --bind /mnt/backup $_backup_directory
```

- Chroot into the "new" system.

```bash
chroot $_working_directory /bin/bash
```

- Update the information about mounted devices.

```bash
grep -v rootfs /proc/mounts > /etc/mtab
```

- In the "new" system, the next thing to do is mount the disk on which the "old" system is located (e.g. `/dev/sda1`).

```bash
_working_directory="/mnt/old_system"
_backup_directory="/mnt/backup"
mkdir $_working_directory && mount /dev/sda1 $_working_directory
```

- Remove all files of the old system (the loop works on the current directory, so change into the mounted old root first).

```bash
cd $_working_directory
for i in $(ls | awk '!(/proc/ || /dev/ || /sys/ || /mnt/)') ; do rm -fr $i ; done
```

- The next step is to restore the system from the backup.

```bash
tar xzvpf $_backup_directory/system_backup_22012015.tgz -C $_working_directory
```

- Mount `proc`, `sys`, `dev` and `dev/pts` in the new working directory.

```bash
for i in proc sys dev dev/pts ; do mount -o bind /$i $_working_directory/$i ; done
```

- Install and update the grub configuration.

```bash
chroot $_working_directory /bin/bash -c "grub-install --no-floppy --root-directory=/ /dev/sda"
chroot $_working_directory /bin/bash -c "update-grub"
```

- Unmount the `proc`, `sys`, `dev` and `dev/pts` filesystems.

```bash
cd
grep $_working_directory /proc/mounts | cut -f2 -d " " | sort -r | xargs umount -n
```

None of the available commands, i.e. `halt`, `shutdown` or `reboot`, will work. You need to reload the system configuration; to do this, use the magic SysRq interface (without the `b` option):

```bash
echo 1 > /proc/sys/kernel/sysrq
echo reisu > /proc/sysrq-trigger
```

Of course, it is recommended to fully restart the machine in order to completely load the current system. To do this:

```bash
sync ; reboot -f
```
How does the OOM killer decide which process to kill first? How to control this?

Major distribution kernels set the default value of `/proc/sys/vm/overcommit_memory` to zero, which means that processes can request more memory than is currently free in the system.

If memory is exhaustively used up by processes, to the extent that it can threaten the stability of the system, then the OOM killer comes into the picture.

NOTE: It is the task of the OOM Killer to continue killing processes until enough memory is freed for the smooth functioning of the rest of the processes that the kernel is attempting to run.

The OOM Killer has to select the best process(es) to kill. "Best" here refers to the process which will free up the maximum memory upon being killed and is also the least important to the system.

The primary goal is to kill the least number of processes, minimizing the damage done while at the same time maximizing the amount of memory freed.

To facilitate this, the kernel maintains an `oom_score` for each of the processes. You can see the `oom_score` of each process in the /proc filesystem under the pid directory:

```bash
cat /proc/10292/oom_score
```

The higher the value of `oom_score` of any process, the higher is its likelihood of getting killed by the OOM Killer in an out-of-memory situation.

If you want to create a special control group containing the list of processes which should be the first to receive the OOM killer's attention, create a directory under `/mnt/oom-killer` to represent it:

```bash
mkdir lambs
```

Set `oom.priority` to a value high enough:

```bash
echo 256 > /mnt/oom-killer/lambs/oom.priority
```

`oom.priority` is a 64-bit unsigned integer, and can have a maximum value an unsigned 64-bit number can hold. While scanning for the process to be killed, the OOM-killer selects a process from the list of tasks with the highest `oom.priority` value.

Add the PID of the process to be added to the list of tasks:

```bash
echo <pid> > /mnt/oom-killer/lambs/tasks
```

To create a list of processes which will not be killed by the OOM-killer, make a directory to contain the processes:

```bash
mkdir invincibles
```

Setting `oom.priority` to zero excludes all the processes in this cgroup from the list of target processes to be killed.

```bash
echo 0 > /mnt/oom-killer/invincibles/oom.priority
```

To add more processes to this group, add the pid of the task to the list of tasks in the invincibles group:

```bash
echo <pid> > /mnt/oom-killer/invincibles/tasks
```
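Besides the cgroup knob described above, every current mainline kernel exposes a per-process control, `/proc/<pid>/oom_score_adj` (range -1000 to 1000; -1000 makes the process ineligible, 1000 makes it the first candidate), which goes beyond the text. As an added example that is not part of the original page, these helpers read `oom_score`, validate and set `oom_score_adj`, and list the likeliest victims; the function names are constructed. Linux only.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): inspect and adjust the OOM killer's
# view of a process via /proc/<pid>/oom_score and /proc/<pid>/oom_score_adj.
# Raising oom_score_adj needs no privilege; lowering it below its current value
# requires CAP_SYS_RESOURCE (root), so an unprivileged run can only raise it.

# Print the current badness score of pid $1 (higher = more likely to be killed).
oom_score_of() {
    cat "/proc/$1/oom_score"
}

# Set oom_score_adj of pid $1 to $2 (-1000 .. 1000) and echo the value read back.
set_oom_score_adj() {
    case "$2" in
        -1000|-[0-9]|-[0-9][0-9]|-[0-9][0-9][0-9]|[0-9]|[0-9][0-9]|[0-9][0-9][0-9]|1000) ;;
        *) echo "oom_score_adj must be in -1000..1000, got '$2'" >&2; return 2 ;;
    esac
    printf '%s\n' "$2" > "/proc/$1/oom_score_adj" || return 1
    cat "/proc/$1/oom_score_adj"
}

# List the top $1 (default 5) processes by oom_score: "score pid command".
oom_candidates() {
    for p in /proc/[0-9]*; do
        [ -r "$p/oom_score" ] || continue
        printf '%s %s %s\n' "$(cat "$p/oom_score" 2>/dev/null)" "${p#/proc/}" \
            "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | cut -c1-60)"
    done | sort -rn | head -n "${1:-5}"
}
```

The usual pattern is to pin a critical daemon (a database, sshd) at -1000 from its service definition, which on systemd hosts is the `OOMScoreAdjust=` unit setting, and to leave everything else at 0 rather than hand-tuning scores.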
What are salted hashes? Generate the password with salt for the `/etc/shadow` file.

Salt at its most fundamental level is random data. When a properly protected password system receives a new password, it will create a new random salt value, hash the password together with that salt, and then store the salt and hash as a combined value in its database. This helps defend against dictionary attacks and precomputed-hash (rainbow table) attacks.

For example, if a user uses the same password on two different systems that use the same hashing algorithm, they could end up with the same hash value. However, if even one of the systems salts its hashes, the values will be different.

The encrypted passwords in the `/etc/shadow` file are stored in the following format:

```
$ID$SALT$ENCRYPTED
```

`$ID` indicates the type of hash, `$SALT` is a random (up to 16 characters) string and `$ENCRYPTED` is the password's hash.

| Hash Type | ID | Hash Length |
|---|---|---|
| MD5 | $1 | 22 characters |
| SHA-256 | $5 | 43 characters |
| SHA-512 | $6 | 86 characters |

Use the commands below from the Linux shell to generate a hashed password for `/etc/shadow` with a random salt. They use Python 3 and draw the salt from the `crypt` alphabet (`./0-9A-Za-z`) with the `secrets` module; note that the `crypt` module is deprecated since Python 3.11 and removed in 3.13, and that `$1` (MD5) is kept only for completeness, since `$6` is what current systems use.

- Generate MD5 password hash

```bash
python3 -c "import secrets,string,crypt; salt=''.join(secrets.choice(string.ascii_letters+string.digits+'./') for _ in range(8)); print(crypt.crypt('MySecretPassword', '\$1\$%s\$' % salt))"
```

- Generate SHA-256 password hash

```bash
python3 -c "import secrets,string,crypt; salt=''.join(secrets.choice(string.ascii_letters+string.digits+'./') for _ in range(8)); print(crypt.crypt('MySecretPassword', '\$5\$%s\$' % salt))"
```

- Generate SHA-512 password hash

```bash
python3 -c "import secrets,string,crypt; salt=''.join(secrets.choice(string.ascii_letters+string.digits+'./') for _ in range(8)); print(crypt.crypt('MySecretPassword', '\$6\$%s\$' % salt))"
```
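The same thing without Python, as an added example that is not part of the original page: a 16-character salt from `/dev/urandom` restricted to the crypt alphabet, `openssl passwd -6` (available since OpenSSL 1.1.1) to produce the `$6$` string, and a shape check that confirms the salt is embedded and the hash part has the 86 characters the table above lists for SHA-512. `MySecretPassword` and the fixed salt used in the test are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): generate a SHA-512 ($6$) shadow
# hash with a random 16-character salt using openssl (1.1.1 or newer).

# Print a random salt of $1 (default 16) characters from the crypt alphabet [./0-9A-Za-z].
gen_salt() {
    LC_ALL=C tr -dc './0-9A-Za-z' < /dev/urandom | head -c "${1:-16}"
}

# shadow_hash <password> [salt]: print the "$6$<salt>$<hash>" string for /etc/shadow.
# A fixed salt is accepted only so results can be reproduced; normally omit it.
shadow_hash() {
    salt=${2:-$(gen_salt 16)}
    openssl passwd -6 -salt "$salt" "$1"
}

# Sanity check of a produced hash: "$6$" prefix, a salt field, and an 86-character hash part.
verify_shape() {
    case "$1" in
        '$6$'*'$'*) ;;
        *) return 1 ;;
    esac
    hash_part=${1##*\$}
    [ "${#hash_part}" -eq 86 ]
}
```

Put the resulting string straight into the second field of the user's `/etc/shadow` line (or feed it to `usermod -p`); never pass the clear-text password on a shared command line on a multi-user host, since it is visible in `ps` while `openssl` runs, so prefer `openssl passwd -6 -stdin` there.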