Changes

From SME Server
1,680 bytes added ,  16:10, 5 August 2021
Line 2: Line 2:  
==SME Server locale==
 
==SME Server locale==
 
By default the sme server 8 locale is ISO-8859-1ldapsear
 
By default the sme server 8 locale is ISO-8859-1ldapsear
 +
 +
 +
==ACL==
 +
 +
===See ACL===
 +
getfacl /path/2/files/or/folders
 +
 +
===set ACL===
 +
setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders
 +
 +
-R : recursive<br />
 +
 +
-P : physical, follow symlinks
    
==Apache Related Commands==
 
==Apache Related Commands==
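Review bot: the option description `-P : physical, follow symlinks` in the 'set ACL' block is backwards. setfacl's `-P`/`--physical` does a physical walk and does not follow symbolic links (it also skips symlink arguments); following them is `-L`/`--logical`. Suggest `-P : physical, do not follow symlinks`. The example also grants the apache user recursive `rwX` on the whole tree plus a matching default ACL (`d:u:apache:rwX`, which applies to directories so new files inherit it), so a sentence telling readers to point this only at the directories the web server really has to write into would keep them from widening what the web server process can modify. The `getfacl` and `setfacl` lines are not indented, so they render as ordinary text rather than preformatted like the other commands on the page.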
Line 18: Line 31:  
or  
 
or  
 
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
 +
 +
=====SME10=====
 +
How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.
 +
 +
# systemctl start httpd-e-smith.service
 +
# systemctl restart httpd-e-smith.service
 +
# systemctl stop httpd-e-smith.service
 +
# systemctl reload httpd-e-smith.service
 +
# systemctl status httpd-e-smith.service
    
====Enable AllowOverride All/None====
 
====Enable AllowOverride All/None====
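Review bot: the five `# systemctl ...` lines sit at column 0, and in MediaWiki a line that begins with `#` renders as a numbered-list item, so the root-prompt `#` disappears and the commands become a list. Indent them with a leading space, as the `sv t /service/httpd-e-smith` line above is, or wrap them in `<syntaxhighlight lang="bash">`. The heading `=====SME10=====` is level 5 directly under the level-2 `==Apache Related Commands==`; the SME10 heading added further down in this same revision is `====SME10====`, so using the same level here keeps the table of contents consistent. The lead sentence is a question and should end with a question mark.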
Line 92: Line 114:  
  signal-event ibay-modify ibayname
 
  signal-event ibay-modify ibayname
   −
  AllowUrlfOpen : enabled/disabled
+
  AllowUrlFopen : enabled/disabled
 
  MemoryLimit : set a M as unit, eg 64M
 
  MemoryLimit : set a M as unit, eg 64M
 
  UpMaxFileSize : set a M as unit, eg 64M
 
  UpMaxFileSize : set a M as unit, eg 64M
 
  PostMaxSize : set a M as unit, eg 64M
 
  PostMaxSize : set a M as unit, eg 64M
 
  MaxExecTime: unlimited or set time in second without units, eg 60
 
  MaxExecTime: unlimited or set time in second without units, eg 60
      
====PHPinfo====
 
====PHPinfo====
Line 200: Line 221:  
  signal-event post-upgrade
 
  signal-event post-upgrade
 
  signal-event reboot
 
  signal-event reboot
 +
alternately
 +
config show modSSL
 +
config delprop modSSL crt key CertificateChainFile
 +
signal-event ssl-update
    
==Command-Line Quick Reference Guide==
 
==Command-Line Quick Reference Guide==
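Review bot: the three lines after 'alternately' (which should read 'alternatively') need a sentence saying what they do and when to use them instead of the `signal-event post-upgrade` / `signal-event reboot` pair above: `config show modSSL` displays the current certificate settings, `config delprop modSSL crt key CertificateChainFile` removes the three custom-certificate properties, and `signal-event ssl-update` then regenerates the SSL configuration without a reboot. Readers should be told to note the values shown by `config show modSSL` before deleting them, since `delprop` cannot be undone. The three lines are also unindented, so they will not render preformatted like the surrounding commands.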
Line 216: Line 241:  
|-
 
|-
 
| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache
 
| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache
 +
|-
 +
| httpd -t -D DUMP_MODULES || display all loaded modules of apache
 
|-
 
|-
 
| mysql -v || mysql version
 
| mysql -v || mysql version
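Review bot: `httpd -t -D DUMP_MODULES` is correct; `httpd -M` is the shorter equivalent and could be mentioned in the same cell. In the unchanged context row below, `mysql -v` does not print the version: `-v` is `--verbose`, the version is printed by `mysql -V` (or `--version`), so that cell should be corrected while the table is being edited.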
Line 238: Line 265:  
|-
 
|-
 
| ps -AH || report process status
 
| ps -AH || report process status
 +
|-
 +
| ps fax || display processes by tree with their pid
 
|-
 
|-
 
| top || shows processes
 
| top || shows processes
Line 262: Line 291:  
|-
 
|-
 
| grep -nsri server-manager.jpg  /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
 
| grep -nsri server-manager.jpg  /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
 +
|-
 +
| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
 
|-
 
|-
 
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
 
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
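Review bot: the pattern in `grep -P '^www |apache' /etc/group` will not match the www group: /etc/group fields are colon-separated (`www:x:...`), so `^www ` with a trailing space matches nothing, while `apache` matches anywhere in a line, including a member list. Suggest `grep -E '^(www|apache):' /etc/group`; `-E` is enough for a plain alternation, `-P` is not needed. The description should read 'lines starting with www or apache in /etc/group'.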
Line 276: Line 307:  
|-
 
|-
 
| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt
 
| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt
 +
|-
 +
| sed -n '/^www/p' /etc/group || print all line starting by www in the file /etc/group
 
|-
 
|-
 
| watch mysqladmin process || shows the mysql processes running
 
| watch mysqladmin process || shows the mysql processes running
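Review bot: the description on the new row should read 'print all lines starting with www in /etc/group'. In the unchanged context row above, `sed '/abba/Id' file.txt` is described as case sensitive, but the `I` modifier on the address makes the match case-insensitive in GNU sed; either drop the `I` or change the description to 'case insensitive'.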
Line 288: Line 321:  
|-
 
|-
 
| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
 
| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
 +
|-
 +
| clamdtop || clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.
 
|}
 
|}
   Line 352: Line 387:  
  # perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
 
  # perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
 
  EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
 
  EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
 +
alternatively, and only for SME9 or greater, you can use
 +
# ip addr
 +
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
 +
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 +
    inet 127.0.0.1/8 scope host lo
 +
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
 +
    link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
 +
    inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
 +
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
 +
    link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
 +
    inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0
    
====find files by their size====
 
====find files by their size====
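Review bot: `# ip addr` at column 0 renders as a numbered-list item in MediaWiki; indent it with a space like the `# perl -Mesmith::ethernet ...` line above, and indent the sample output the same way so it stays preformatted. In the sample output `inet 11.22.22.44/XY brd 11.22.33.255` is inconsistent: the broadcast address does not belong to an 11.22.22.x address and `XY` is not a prefix length, so a reader cannot relate the two; use a documentation range with a real prefix, e.g. `inet 192.0.2.44/24 brd 192.0.2.255`. `ip` also prints MAC addresses in lower case, so `AA:BB:CC:DD:EE:FF` should be `aa:bb:cc:dd:ee:ff` to look like real output.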
Line 362: Line 408:  
  ‘M’    for Megabytes (units of 1048576 bytes)
 
  ‘M’    for Megabytes (units of 1048576 bytes)
 
  ‘G’    for Gigabytes (units of 1073741824 bytes)
 
  ‘G’    for Gigabytes (units of 1073741824 bytes)
 +
 +
====reduce root's user reserved space====
 +
as a default, 5% of the disk space is allocated to root user
 +
 +
you can reduce the allocated space to 1% with (for LVM)
 +
 +
tune2fs -m 1 /dev/mapper/main-root
 +
 +
if you're not using LVM, use
 +
 +
df -h
 +
 +
to see where / is mounted
    
====find files by the Name====
 
====find files by the Name====
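Review bot: 'as a default, 5% of the disk space is allocated to root user' is imprecise; `tune2fs -m` sets the percentage of filesystem blocks reserved for root (the reserved-blocks percentage), not space allocated to a user. That reserve is what lets root-owned daemons (logging, mail delivery) keep writing after ordinary users have filled the filesystem, so lowering it to 1% on `/` trades that safety margin for space, and the section should say so. `tune2fs` only applies to ext2/3/4 filesystems, which is worth stating. For the non-LVM case, `df -h /` or `findmnt /` shows the device backing `/` more directly than a full `df -h` listing. The command lines are unindented and will not render preformatted.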
Line 413: Line 472:     
the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.
 
the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.
 +
 +
====Find open ports====
 +
 +
* netstat
 +
# netstat -anp|grep 5232
 +
tcp        0      0 192.168.12.233:5232        0.0.0.0:*                  LISTEN      2028/python
 +
 +
* nmap
 +
nmap can specify if a port is closed or not
 +
yum install nmap
 +
nmap localhost -p 5232
    
===Raid===
 
===Raid===
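Review bot: `# netstat -anp|grep 5232` at column 0 renders as a numbered-list item in MediaWiki; indent it. `-a` lists every socket and `grep 5232` matches the digits anywhere in the line (a PID or a remote port too), so for 'find open ports' the listening-only form `netstat -ltunp | grep ':5232 '` is more accurate; on SME10, which is systemd based, net-tools may not be present and `ss -ltunp` is the current equivalent. 'nmap can specify if a port is closed or not' should read 'nmap reports whether a port is open, closed or filtered', and `nmap localhost -p 5232` only probes the loopback address, so a service bound to the LAN address as in the netstat sample (`192.168.12.233:5232`) has to be checked against that address. The sample netstat line also shows a python process, which is worth a word: `-p` needs root to show the owning process.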
Line 432: Line 502:  
when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'
 
when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'
 
  mdadm --grow /dev/md0 --force --raid-devices=1
 
  mdadm --grow /dev/md0 --force --raid-devices=1
 +
mdadm --grow /dev/md1 --force --raid-devices=1
    
===RPM's===
 
===RPM's===
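Review bot: the added `mdadm --grow /dev/md1 --force --raid-devices=1` is not indented, so it renders as normal text rather than preformatted like the `/dev/md0` line above it. The text should also say why there are now two commands: each existing array needs shrinking, and `cat /proc/mdstat` (the source of the 'U_' state mentioned above) shows which md devices the install created before the reader runs either command.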
Line 491: Line 562:  
|-
 
|-
 
| yum remove <packagename> || removes packagename
 
| yum remove <packagename> || removes packagename
 +
|-
 +
| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 +
|-
 +
| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
 
|-
 
|-
 
| yum list updates || list updates to any installed package
 
| yum list updates || list updates to any installed package
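Review bot: 'it's Transaction ID' should be 'its Transaction ID'. 'Removes all packages from a specific Transaction ID' understates `yum history undo`: it reverses the whole transaction, removing packages that were installed and reinstalling ones that were removed, so 'Reverts a transaction (undoes its installs, removals and updates)' is more accurate.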
Line 553: Line 628:  
===namingContexts===
 
===namingContexts===
 
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
 
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
+
  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''
 
or you can do
 
or you can do
 
  ldapsearch -x -h localhost -s base |grep 'dn'
 
  ldapsearch -x -h localhost -s base |grep 'dn'
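Review bot: the change appends `''` to `ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''`; a bare `''` opens italics in wiki markup and is not part of the command (the empty base is already given by `-b ''`), so this looks like a paste error and should be reverted. The sentence above runs two clauses together ('...to see our directory information you can display...'); split it after 'information'.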
Line 574: Line 649:     
===Bind with a specific user on LDAP===
 
===Bind with a specific user on LDAP===
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the ''''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
+
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
      Line 583: Line 658:     
===Check a specific  user in LDAP catalogue===
 
===Check a specific  user in LDAP catalogue===
display informations on the user requested. Find the ''''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
+
display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]
    
'''for sme9'''
 
'''for sme9'''
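Review bot: 'display informations on the user requested' should be 'display information on the requested user' ('information' has no plural).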
Line 612: Line 687:  
==Log==
 
==Log==
 
===Parse Log files to search for errors===
 
===Parse Log files to search for errors===
When you want to test the SME Product it can be useful to see what it occurs
+
When you want to test the SME Product it can be useful to see what it occurs.
 
This CL can help you, but you should read the entire log
 
This CL can help you, but you should read the entire log
 
  grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
 
  grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
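Review bot: 'see what it occurs' should be 'see what occurs'; 'This CL' should be spelled out as 'this command line' since the abbreviation is not used elsewhere on the page.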
Line 622: Line 697:  
{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}
 
{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}
    +
=== '''Parse log for hack / phishing for missing files''' ===
 +
<syntaxhighlight lang="bash">
 +
EXTIP=`curl -s ifconfig.me/ip`
 +
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
 +
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
 +
</syntaxhighlight>
 
* verbose output
 
* verbose output
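Review bot: `EXTIP=`curl -s ifconfig.me/ip`` takes the unvalidated reply of an external web service and interpolates it straight into the `sed -e "s#$EXTIP#\<IP\>#g"` expression. If curl fails or has no network, `EXTIP` is empty and the substitution becomes `s##\<IP\>#g`, which GNU sed rejects with 'no previous regular expression', so guard it, e.g. `EXTIP=$(curl -s ifconfig.me/ip); [ -n "$EXTIP" ] || exit 1`, or take the address from the server's own configuration instead of a third party. The dots in the address are unescaped regex metacharacters, which is harmless here but worth a comment. The heading `=== '''Parse log for hack / phishing for missing files''' ===` puts bold markup inside a heading, which no other heading on the page does; 'hack / phishing' could also be stated more precisely as 'probes for files that do not exist'. Finally `$(...)` is preferable to backticks in a `bash` block.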
   Line 672: Line 753:  
  db spamassassin setprop wbl.global user@domain3.com White
 
  db spamassassin setprop wbl.global user@domain3.com White
 
  db spamassassin setprop wbl.global spammer@spamdomain.com Black
 
  db spamassassin setprop wbl.global spammer@spamdomain.com Black
 +
 
expland template and save the configuration to the database
 
expland template and save the configuration to the database
  expand-template /etc/mail/spamassassin/local.cf
+
  signal-event email-update
svc -t /service/spamd
      
You can view the lists with this command:
 
You can view the lists with this command:
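Review bot: 'expland template' should read 'expand the template'. Replacing `svc -t /service/spamd` with `signal-event email-update` is the right call for SME9 (runit, no daemontools `svc`), but if the email-update event already expands /etc/mail/spamassassin/local.cf the preceding `expand-template` line is redundant and should be dropped; otherwise add a sentence explaining why both are needed.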
Line 715: Line 796:  
  mysql
 
  mysql
 
  create database '''databasename''';
 
  create database '''databasename''';
  grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';
+
  grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';
 
  flush privileges;
 
  flush privileges;
 
  exit
 
  exit
Line 722: Line 803:     
  mysql -e "create database '''databasename''';"
 
  mysql -e "create database '''databasename''';"
  mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by ''''password'''';"
+
  mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"
 
  mysql -e "flush privileges;"
 
  mysql -e "flush privileges;"
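Review bot: the `<nowiki/>` fix is fine, but the `mysql -e "grant all privileges on ... identified by 'password';"` form puts the password on the command line, where it ends up in the shell history and is visible in the process list while it runs. Since the page documents the `history` command, add a sentence pointing readers to the interactive `mysql` form above for creating users, or to clearing the entry from the history afterwards.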
   Line 858: Line 939:       −
===Configure <b><u>PHP Basedir</u></B> Restriction per ibay===
+
===Configure <b><u>PHP Basedir</u></b> Restriction per ibay===
    
  db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
 
  db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
Line 899: Line 980:  
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]]<br />
 
Not secure. Instead use per ibay or directory.
 
Not secure. Instead use per ibay or directory.
 +
 +
==SAMBA==
 +
===shows samba mappings to nt groups===
 +
  net groupmap list
 +
===manage the SAM database(Database of Samba Users)===
 +
The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.
 +
pdbedit -u USER -v
 +
for example
 +
pdbedit -u stephane -v
 +
 +
===check an smb.conf configuration===
 +
testparm - check an smb.conf configuration file for internal correctness
 +
testparm -vs
 +
 +
===The Trust Relationship Failure===
 +
Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.
 +
 +
    The trust relationship between this workstation and the primary domain failed.
 +
 +
This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.
 +
 +
===enable samba audit logs for ibays===
 +
Samba audit logging can be enabled for ibays using db variables.
 +
 +
Samba activity is logged in /var/log/samba/samba_audit
 +
 +
To enable audit logging for an ibay named "fileshare":
 +
<nowiki>db accounts setprop fileshare Audit enabled
 +
signal-event ibay-modify fileshare</nowiki>
 +
 +
To enable audit logging for every ibay on your server:
 +
<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
 +
signal-event ibay-modify</nowiki>
 +
 +
The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit
    
==SME Server specific==
 
==SME Server specific==
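Review bot: the two `<nowiki>` blocks under 'enable samba audit logs for ibays' span two lines each without a leading space; `<nowiki>` only disables markup, it does not preserve line breaks, so `db accounts setprop fileshare Audit enabled` and `signal-event ibay-modify fileshare` will render as one run-on line (same for the `for ibay in ...` loop). Indent them with a space or use `<syntaxhighlight lang="bash">` as the log-parsing section does. The same inconsistency exists between `net groupmap list` (indented) and `pdbedit -u USER -v` / `testparm -vs` (not). In the loop, `grep \=ibay` matches `=ibay` anywhere in the `db accounts show` output, including property lines; anchoring it to the record line, `grep '=ibay$'`, is safer. 'mis-matched work-station' should be 'mismatched workstation', and the trust-relationship section would be more useful with the actual unjoin/rejoin steps or a link to them.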
Line 1,033: Line 1,149:     
=== General Service Handling ===
 
=== General Service Handling ===
 +
====SME9====
 
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]
 
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]
   Line 1,050: Line 1,167:  
{{tip box|you may use TAB to auto-complete your command line}}
 
{{tip box|you may use TAB to auto-complete your command line}}
   −
 
+
you have some shortcuts
 
+
down => 'd',
====Example====  
+
stop => 'd',
 +
up => 'u',
 +
start => 'u',
 +
restart => 't',
 +
sigterm => 't',
 +
adjust => 'h',
 +
reload => 'h',
 +
sighup => 'h',
 +
sigusr1 => '1',
 +
sigusr2 => '2',
 +
once => 'o',
 +
pause => 'p',
 +
alarm => 'a',
 +
interrupt => 'i',
 +
quit => 'q',
 +
kill => 'k',
 +
exit => 'x',
    
Restarting:
 
Restarting:
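Review bot: the block starting 'you have some shortcuts' lists the sv command aliases as Perl-hash lines (`down => 'd',` ...) at column 0, so in MediaWiki they will render as one paragraph; indent them, make them a two-column table like the quick reference, or a bullet list. The intro should also say what the mapping is: the long names on the left are accepted as synonyms for the one-letter `sv` commands on the right (so `sv restart` and `sv t` are equivalent here), and `restart`/`reload` map to signals (`t` = TERM, `h` = HUP), which is not the same as sv's own `restart`, which sends TERM and then waits up to seven seconds reporting status. The `====Example====` heading appears to be dropped in this hunk, leaving 'Restarting:' below without a heading.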
Line 1,058: Line 1,191:  
  sv t /service/httpd-e-smith
 
  sv t /service/httpd-e-smith
   −
===chkconfig and runlevel information===
+
====SME10====
[http://linuxcommand.org/man_pages/chkconfig8.html chkconfig] provides a  simple  command-line  tool  for  maintaining  the /etc/rc[0-6].d  directory  hierarchy by relieving system administrators of the task of directly manipulating the  numerous  symbolic  links  in those directories.
+
'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform
 
  −
You need to say to SME Server to add the script to each run level you have specified at the top of your init script( Default-Start: 2 3 4 5 and Default-Stop: 0 1 6 ). For Linux using rpm as centos or redhat, you can use
  −
 
  −
chkconfig YOUR_SERVICE_NAME --add
  −
 
  −
You can set the levels where the initscript has to start
  −
chkconfig YOUR_SERVICE_NAME --level 2345 on
  −
 
  −
If you want to see which runlevel your script will run in
  −
 
  −
chkconfig YOUR_SERVICE_NAME --list
  −
you can pipe the command
  −
chkconfig --list | egrep "nfs|rpc"
  −
 
  −
example :
  −
# chkconfig dhcp-dns --list
  −
dhcp-dns      0:arrêt 1:arrêt 2:marche 3:marche 4:marche 5:marche 6:arrêt
  −
 
  −
===allow a service to start for a particular time===
  −
{{Note box| '''If you want to start a service at boot time, a relevant page needs  [[Add_a_custom_service|also your attention ]]'''}}
  −
If your package implements a server or daemon, you will probably want it to be started automatically when the system boots. The SME Server boots in runlevel 7, so you can get an idea of the startup processes by listing the contents of /etc/rc.d/rc7.d.
  −
 
  −
These are similar to the init scripts you may be familiar with from other Linux systems, with one important difference. Instead of pointing to scripts within /etc/rc.d/init.d, all of those init entries are links to /etc/rc.d/init.d/e-smith-service. This is a wrapper which checks the configuration database to see if the service is supposed to be running and if so, starts the service from /etc/rc.d/init.d/whatever.
  −
 
  −
So for example, you might have:
  −
 
  −
S90squid -> /etc/rc.d/init.d/e-smith-service
  −
 
  −
The e-smith-service script looks up the name it was invoked with (S90squid), drops the prefix (leaving squid), checks the configuration database for the "squid" service, then if it's supposed to run, does:
  −
 
  −
/etc/rc.d/init.d/squid start
  −
 
  −
* with this way SME's knows how to/if start the service at startup
  −
 
  −
config set '''myapplicationname''' service status enabled
  −
 
  −
cd /etc/rc.d/init.d
  −
ln -s /path/to/myinitscript '''myapplicationname'''
  −
 
  −
'''We are creating a symlink of the original startup script with a new name (the point is that '''myapplicationname''' must be identical to the service name above)'''
  −
 
  −
cd /etc/rc7.d
  −
ln -s  /etc/rc.d/init.d/e-smith-service '''SXXmyapplicationname'''
  −
 
  −
we create a symlink to e-smith-service startup script with a name where: S tells SME to start XX are numbers
  −
 
  −
You can decide when to start the service '''myapplicationname''', but you should not start something that need the network before the network itself is up and running. Therefore you can see the content of /etc/rc7.d and see which scripts are needed to execute your new startup script
  −
 
  −
signal-event remoteaccess-update
  −
service '''myapplicationname''' start
  −
====Creating or deleting a service====
     −
*Creating and starting service
+
To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.
 +
# systemctl list-units --type=service
 +
OR
 +
# systemctl --type=service
   −
ln -f -s /etc/rc.d/init.d/e-smith-service /etc/rc7.d/S98popfile
  −
/sbin/e-smith/db configuration set popfile service status enabled
  −
/sbin/e-smith/signal-event remoteaccess-update
  −
service popfile start
     −
*Deleting and unregistering service
+
But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.
 +
# systemctl list-units --type=service --state=running
 +
OR
 +
# systemctl --type=service --state=running
   −
service popfile stop
  −
sleep 3
  −
rm -f /etc/rc7.d/S98popfile
  −
rm -f /etc/rc.d/init.d/popfile
  −
/sbin/e-smith/config delete popfile
  −
/sbin/e-smith/signal-event remoteaccess-update
     −
====Create a service with db command and set network access====
+
List all failed units.
[[DB_Variables_Configuration#Additional_information_on_customizing_iptables]]
+
# systemctl --failed
   −
Create a custom-named service definition in the configuration database.
     −
  db configuration set <servicename> service
+
Check whether a Unit or Service is running or not?.
 +
  # systemctl status httpd-e-smith
   −
Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.
     −
db configuration setprop <servicename> TCPPort <portnumber>
+
How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.
  db configuration setprop <servicename> TCPPorts <portnumbers> # Ranges of ports are defined with a : not a -
+
  # systemctl start httpd-e-smith.service
  db configuration setprop <servicename> UDPPort <portnumber>
+
  # systemctl restart httpd-e-smith.service
  db configuration setprop <servicename> UDPPorts <portnumbers> # Ranges of ports are defined with a : not a -
+
  # systemctl stop httpd-e-smith.service
  db configuration setprop <servicename> status enabled|disabled
+
  # systemctl reload httpd-e-smith.service
db configuration setprop <servicename> access public|private
+
  # systemctl status httpd-e-smith.service
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
  −
  db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24
      +
===Add a custom service===
   −
Effectuate the changes you have made
+
see this [[Add_a_custom_service |page]]
signal-event remoteaccess-update
      
==SSL==
 
==SSL==
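Review bot: the new SME10 text 'How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux' names httpd.service while every command uses httpd-e-smith.service; use the SME unit name in the sentence too. All `# systemctl ...` lines at column 0 will render as numbered-list items; indent them. 'To list all loaded services on your system (whether active; running, exited or failed, use the list-units subcommand' has an unclosed parenthesis and a stray semicolon. More importantly, this hunk appears to remove the 'Create a service with db command and set network access' section (`db configuration setprop <servicename> TCPPort/TCPPorts/UDPPort/UDPPorts/status/access/AllowHosts/DenyHosts` and the closing `signal-event remoteaccess-update`) together with the chkconfig material; those db settings drive SME's firewall rules and are not SysV-specific, so unless the linked Add_a_custom_service page already documents them, including the `:` range syntax and AllowHosts/DenyHosts, they should stay on this page.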
Line 1,162: Line 1,237:  
*on a remote host
 
*on a remote host
 
  openssl s_client -connect yourdomain:993
 
  openssl s_client -connect yourdomain:993
 +
 +
===SSL Signature algorithm===
 +
you can verify the algorithm signature of your certificate<br />
 +
 +
for example
 +
openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem
    
== SSH ==
 
== SSH ==
Line 1,232: Line 1,313:     
  https://localhost:9443/server-manager
 
  https://localhost:9443/server-manager
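Review bot: `openssl x509 -noout -text -in ...` dumps the whole certificate; since the section is about the signature algorithm, pipe it through `grep 'Signature Algorithm'` so the reader sees the relevant field (it appears twice, once in the certificate header and once before the signature value), and say what to look for, for example that it should not be sha1WithRSAEncryption, which browsers have rejected since 2017. The command line is also unindented, unlike the `openssl s_client` example above it.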
       
