Differences

gnulinux [2019/08/19 19:04]
dlicious Clarified some SSH relay internal documentation
gnulinux [2023/01/11 18:56] (current)
dlicious Added Firefox session recovery section
Line 1: Line 1:
 +===== Firefox session recovery =====
 +
 +If Firefox crashes and you lose all (or some of) your tabs/windows, this might get them back.
 +
 +  - Make a backup/tarball of ''~/.mozilla/firefox/<profile>/sessionstore-backups'' (do this immediately, you don't have to stop Firefox first)
 +  - Quit Firefox gracefully, so that it creates the file ''~/.mozilla/firefox/<profile>/sessionstore.jsonlz4''
 +  - Before starting Firefox back up again, find the file ''.../sessionstore-backups/previous.jsonlz4'' in your backup, and overwrite the existing ''sessionstore.jsonlz4'' file
 +  - When you start Firefox back up, hopefully your old session will be restored.  If that doesn't work, try all the other ''*.jsonlz4'' files (quit Firefox and overwrite the main ''sessionstore.jsonlz4'' file with each one, and start Firefox back up to test)
 +
 +===== Manual transactions in yum shell =====
 +
 +This is an alternate method of using YUM to add/remove packages.  You won't usually need to do this, but it can be very helpful in situations like this:
 +
 +  * You want to replace "package1" with "package2"
 +  * As soon as you try to remove "package1", YUM also wants to remove a bunch of other stuff that depends on "package1"
 +  * You know that "package2" also fulfills those dependencies
 +
 +First, create a file called ''yum-transaction.txt'' with the following contents (you can have as many "remove" and "install" lines as necessary, if the situation is more complex):
 +
 +<code>
 +remove package1
 +install package2
 +run
 +</code>
 +
 +Then, run the transaction like so (for testing):
 +
 +<code>
 +yum shell < yum-transaction.txt
 +</code>
 +
 +The command will run, evaluate the dependencies, and then automatically exit without doing anything when it hits the interactive prompt (it won't wait for you to answer, it'll just immediately act as if you'd responded "no").  If the result looks like what you want, run it like this to have yum automatically agree to the prompt and apply the changes:
 +
 +<code>
 +yum -y shell < yum-transaction.txt
 +</code>
 +
 +===== OpenSSL cheatsheet =====
 +
 +Generate a private key (''private-key.key''), CSR (''certificate-signing-request.csr''), and self-signed certificate (''self-signed-certificate.crt'') in one non-interactive command pipeline.
 +
 +**Note:** The SAN hostnames don't make it into the certificate with this method, although they //are// in the CSR.  I'm not sure why this is, but I guess it's because the second invocation of openssl that generates the (self-signed) certificate doesn't understand the x.509v3 extensions from the CSR.  The CSR //is// good to go to submit to a CA for signing, including the SAN hostnames.
 +
 +<code>
 +openssl req -subj "/C=US/ST=State/L=Locality/O=Organization/CN=www.example.com" -new -addext "subjectAltName=DNS:www.example.com,DNS:example.com,DNS:example.net" -newkey rsa:2048 -nodes -keyout private-key.key | tee certificate-signing-request.csr | openssl x509 -signkey private-key.key -req -days 365 -out self-signed-certificate.crt 
 +</code>
 +
 +Generate a CSR (''matching-certificate-signing-request.crt'') based on an existing certificate (''existing-certificate.crt'') and private key (''existing-private-key.key'') (this allows you to submit this CSR and get a new signed certificate from the CA that still matches your existing private key).
 +
 +<code>
 +openssl x509 -x509toreq -in existing-certificate.crt -out matching-certificate-signing-request.csr -signkey existing-private-key.key
 +</code>
 +
 +Compare certificates/CSRs/private keys to see if they match each other (run each file through its corresponding command and make sure the outputs match //exactly//).
 +
 +<code>
 +key_modulus=$(  openssl rsa  -modulus -noout -in private-key.key                 )
 +csr_modulus=$(  openssl req  -modulus -noout -in certificate-signing-request.csr )
 +cert_modulus=$( openssl x509 -modulus -noout -in certificate.crt                 )
 +
 +[ "${key_modulus}" = "${csr_modulus}"  ] || echo "Key/CSR mismatch"
 +[ "${key_modulus}" = "${cert_modulus}" ] || echo "Key/certificate mismatch"
 +[ "${csr_modulus}" = "${cert_modulus}" ] || echo "CSR/certificate mismatch"
 +</code>
 +
 +===== jq cheatsheet =====
 +
 +==== Print array keys/values ====
 +
 +Given the following JSON input:
 +
 +<code>
 +{
 +    "key1": "value1",
 +    "key2": "value2"
 +}
 +</code>
 +
 +...use the following jq script:
 +
 +<code>
 +jq '. | to_entries[] | "\(.key) : \(.value)"'
 +</code>
 +
 +...to produce this output:
 +
 +<code>
 +key1 : value1
 +key2 : value2
 +</code>
 +
 +===== tcpdump expression cheatsheet =====
 +
 +==== Show only SYN packets ====
 +
 +First, the common case: just show all SYN packets, in both directions.  The ''tcp &&'' at the beginning is conceptually redundant since you're checking for TCP flags which by definition won't exist in any other protocol, but perhaps telling the filter up front that you're only interested in TCP may allow it to optimize?
 +
 +<code>
 +tcpdump -i tun0 "tcp && tcp[tcpflags] == tcp-syn"
 +</code>
 +
 +Here's essentially the same thing with more filtering, as a quickstart to fiddle with when you need to narrow things down (high-traffic hosts, etc.).  In this case, we're only showing SYN packets that have a) a destination of ''10.9.8.7/32'' and b) a destination port of ''443'':
 +
 +<code>
 +tcpdump -i tun0 "tcp && tcp[tcpflags] == tcp-syn && dst net 10.9.8.7/32 && dst port 443"
 +</code>
 +
 +Finally, let's add to the previous query and also show any SYN packets to/from our local network in addition to the outgoing ones we're already showing:
 +
 +<code>
 +tcpdump -i tun0 "tcp && tcp[tcpflags] == tcp-syn && ( ( dst net 10.9.8.7/32 && dst port 443 ) || net 192.168.1.0/24 )"
 +</code>
 +
 +==== SSH connections on any port ====
 +
 +This expression shows SSH connections regardless of port; is that clever or what?  Credit to [[https://danielmiessler.com/study/tcpdump]] (which is a great tcpdump cheatsheet page).
 +
 +<code>
 +tcpdump -i tun0 "tcp[(tcp[12]>>2):4] = 0x5353482D"
 +</code>
 +
 +==== Using capture files ====
 +
 +You can capture network traffic to a file, then analyze the contents later without having to work with live traffic (this can be really helpful, for example, if you're not 100% sure what you're looking for but you have limited time to capture behaviour).
 +
 +To capture to a file instead of stdout, just add ''-w filename.pcap'' to the command line.  The ''.pcap'' extension isn't required, but it's the standard extension that indicates the file's contents (for example, Ethereal/Wireshark can also read/write these files).  For example, to simply capture all packet metadata to a file:
 +
 +<code>
 +tcpdump -i tun0 -w all-packets-tun0.pcap
 +</code>
 +
 +If you want to capture all the //data// as well, don't forget to add ''-s 0'' (be careful, this can lead to //huge// capture files on busy systems).  You can also add an optional expression so that only certain packets are captured, just like when you're processing live traffic:
 +
 +<code>
 +tcpdump -i tun0 -s 0 -w all-http-traffic-tun0.pcap "dst port 80"
 +</code>
 +
 +Analyzing from a capture file is exactly the same as analyzing live data, except that you add ''-r filename.pcap'' to the command line:
 +
 +<code>
 +## Dump everything in the capture file.
 +tcpdump -r all-http-traffic-tun0.pcap
 +
 +## This will show the same thing, since this expression was already used to
 +## filter the same thing at capture time.
 +tcpdump -r all-http-traffic-tun0.pcap "dst port 80"
 +
 +## This shows traffic to an HTTP service on example.com; it'll still only show
 +## destination port 80 because that's all that's in the capture file in the
 +## first place.
 +tcpdump -r all-http-traffic-tun0.pcap "dst host example.com"
 +</code>
 +
 +===== Vim cheatsheet =====
 +
 +==== Soft text wrap ====
 +
 +Normally Vim just wraps lines by just continuing the character stream onto the next line; with this, you can get it to actually soft-wrap on word boundaries.  This can make things a lot more ergonomic if you're editing text with long lines and you don't want to do a lot of horizontal scrolling or having words cut off in the middle.  This is basically just a TLDR version of this page: [[https://vim.fandom.com/wiki/Word_wrap_without_line_breaks]].
 +
 +<code>
 +:set wrap linebreak textwidth=0 wrapmargin=0
 +</code>
 +
 +===== CentOS multi-version package retention =====
 +
 +This is one way to free up some space in /boot if it's small and you're running out of space.
 +
 +<code>
 +## Change `installonly_limit` to 3
 +sed -ir -e 's/\(installonly_limit=\).*/\13/' /etc/yum.conf
 +
 +## Bring the current package installs in line (YUM will maintain it going forward)
 +package-cleanup --oldkernels --count=3
 +</code>
 +
 ===== Puppet runtime message triage ===== ===== Puppet runtime message triage =====
  
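Review bot: In the CentOS multi-version package retention block, ''sed -ir -e'' is not ''-i -r'': GNU sed takes the ''r'' as the backup suffix for ''-i'', so the edit still applies (the expression is basic-regex syntax anyway) but a stray ''/etc/yum.confr'' is left behind; use ''sed -i -e'' instead. In the OpenSSL comparison block, the three ''[ ... ] || echo'' checks print nothing when the values are equal, and that includes empty values from files that are missing or unreadable, so a failed read looks the same as a match; check that ''key_modulus'' is non-empty before comparing, and state that ''openssl rsa -modulus'' limits the check to RSA keys. In the tcpdump section, ''tcp[tcpflags] == tcp-syn'' matches only segments whose flags are exactly SYN, so SYN-ACK and SYNs that also carry ECE/CWR are skipped although the text says "all SYN packets, in both directions"; ''tcp[tcpflags] & tcp-syn != 0'' matches that wording. The edit summary names only the Firefox section, while this hunk adds six other sections.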
Line 102: Line 277:
  
 <code bash> <code bash>
-ssh srchost "du -file.gz"+ssh srchost "du --bytes file.gz"
 </code> </code>
  
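Review bot: The corrected ''du --bytes file.gz'' relies on the GNU coreutils long option, which reports apparent size in bytes rather than disk usage in blocks; a sentence saying so next to the command would tell readers why the byte count is wanted and that a non-GNU ''du'' on ''srchost'' will reject it. This fix is also not mentioned in the edit summary.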
gnulinux.1566259452.txt.gz · Last modified: 2019/08/19 19:04 by dlicious
 
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3