Difference between revisions of "Damme's linux stuff"

Latest revision as of 10:26, 28 February 2024

Profile.d/damme.sh

alias ls='ls --group-directories-first -hF --color=auto'
alias more='less'
alias nano='nano -w'
alias du='du -c -h'
alias diff='diff --color=auto'
alias grep='grep --color=auto -ni'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias free='free -h'
alias ip='ip -color=auto'
alias ll='ls -l'
alias la='ls -A'
alias l='ls -lrtha'

function cdl(){
  cd ""
  ls
}

function cdal(){
  cd ""
  ls -al
}

export LESS=-R
export LESS_TERMCAP_mb=$'\E[1;31m'     # begin blink
export LESS_TERMCAP_md=$'\E[1;36m'     # begin bold
export LESS_TERMCAP_me=$'\E[0m'        # reset bold/blink
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video
export LESS_TERMCAP_se=$'\E[0m'        # reset reverse video
export LESS_TERMCAP_us=$'\E[1;32m'     # begin underline
export LESS_TERMCAP_ue=$'\E[0m'        # reset underline

export EDITOR="nano"

export TERM='xterm-256color'
# if term == rxvt-unicode-256color && file not exists -> xterm-256color

_islinux=false
[[ "$(uname -s)" =~ Linux|GNU|GNU/* ]] && _islinux=true

_isarch=false
[[ -f /etc/arch-release ]] && _isarch=true

_isxrunning=false
[[ -n "$DISPLAY" ]] && _isxrunning=true

_isroot=false
[[ $UID -eq 0 ]] && _isroot=true

C=$(cat /etc/hostname | md5sum)
I="${C:0:1}"
H="${C:1:2}"
CSERV=$((0x${H}))

if [ $CSERV -lt 16 ] ; then
  CSERV=$(($CSERV+16))
fi

if [ $CSERV -gt 231 ] ; then
  CSERV=$(($CSERV-25))
fi

CSERV="$(tput setaf $CSERV)"
CNONE="$(tput sgr0)"
CROOT="$(tput setaf 48)"
if $_isroot; then
  CROOT="$(tput setaf 196)"
fi
CPATH="$(tput setaf 38)"

export PS1="[$CSERV\u@\h$CNONE]$CPATH\w$CROOT\$$CNONE "

[[ -f /bin/neofetch ]] && neofetch --disable packages gpu

Text manipulation

sed -e # Show result, Will not change anything

sed -i 's/[Search]/[Replace]/g' [File]
sed -i '/[row containing]/ s/$/ [append]/' [File] # append to end of line of search

SSH

SOCKS5 proxy

ssh -C -N -D [local port] [name]@[server]

Generate SSH keys

#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa
ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa

# if ~/.ssh/id_rsa.pub is missing!
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

# copy local 'id_rsa.pub' to remote host '~/.ssh/authorized_keys'
ssh-copy-id user@host

# Generate all keys for server
ssh-keygen -A

sshpiper auth process:

(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys]

pacman

pacman -F $filename # Search package including $filename
pacman -Qo $filename # Search package including $filename
pacman -Ss $package # Search $package
pacman -S $package # Install $package
pacman -R $package # Remove $package

# remove partial packages:
find /var/cache/pacman/pkg/ -iname "*.part" -delete

Filesystems and LVM

MDADM

Growing -> https://raid.wiki.kernel.org/index.php/Growing

LVM

lvcreate -L [SIZE]g -n [NAME] [VG] /dev/[PV]

lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data;
# writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails.

lvconvert --splitcache MyVolGroup/rootvol
lvconvert --uncache MyVolGroup/rootvol

lvresize --resizefs -L +XG vg/lv 

# Move LV Between physical drives in same VG - Can be done LIVE
# Create mirror
lvconvert -m 1 [LV] [NEW DEV] 
# wait for it to copy data (Check via lvs)
# Remove mirror
lvconvert -m 0 [LV] [OLD DEV] 

# Alt: pvmove -n [LV] [OLD DEV] [NEW DEV]

lvcreate --type thin-pool -n thin-pool -L size vg [pv?]

lvs -o +devices

lvremove [LVM]
# Logical volume [LVM] is used by another device.
kpartx -d /dev/mapper/[LVM]
#dmsetup ls
dmsetup remove [LVM]
lvremove [LVM]

fstab

/source /destination none defaults,bind 0 0

#check fstab:
mount -fav

Other

pv -s 20G < /dev/foo > /dev/baz

diskspd.exe –c50G -d300 -r -w40 -t8 -o32 -b64K -Sh -L E:\diskpsdtmp.dat > DiskSpeedResults.txt

Resue Data

https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html

BTRFS

# Resize BTRFS
btrfs filesystem resize max /path
btrfs device usage /path

Raid sas etc

# spin down sas
sdparm --readonly --command=stop /dev/xxx

# spin up sas
sdparm --command=start /dev/xxx

# check status, "Not ready" = not spinning, "Ready" = Spinning
sdparm --command=ready /dev/xxx

Low level format SATA

hdparm -I /dev/sda
# if frozen need to unfreeze
hdparm --user-master u --security-set-pass llformat /dev/sd_
hdparm --user-master u --security-erase llformat /dev/sd_

Docker

docker ps [-a/--all] # print (all) running containers
docker exec -it [container_id] /bin/bash # run shell in container#
docker update --cpuset-cpus="1-5" [container_id]

Reinstall Portainer

docker stop portainer
docker rm portainer
docker pull portainer/portainer-ce
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce

docker stop portainer && docker rm portainer && docker pull portainer/portainer-ce && docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce

Generate rsa keys for encrypted communication between

#server:
export PASS=SuperSecret
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix'
export DAYS=3650

openssl genrsa -aes256 -out ca-key.pem -passout pass:$PASS 4096
openssl req -new -x509 -days $DAYS -key ca-key.pem -sha256 -out ca.pem -passin pass:$PASS -subj $SUBJ

openssl genrsa -out server-key.pem 4096

#client:
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS

/etc/systemd/system/docker.service.d/execstart.conf

[Service]
ExecStart=
#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H fd:// -H tcp://0.0.0.0:2376

netcat

echo "test" | nc wiegert.link 12345 # client
nc -l 12345 -k # listener server, k = continuous

systemd

systemctl edit --full lvm2-lvmetad.service # edit service
systemctl edit lvm2-lvmetad.service # edit service override
systemctl daemon-reload # Reload systemd manager configuration

rsync

rsync -rav
rsync -ravHAX
rsync -avHAX --one-file-system

ZFS

ZFS Best practices

Other stuff

Fixperm on files (664) and folders (775):

find . -type d -exec chown root:share {} \; -exec chmod 775 {} \;
find . -type f -exec chown root:share {} \; -exec chmod 664 {} \;

docker + kvm + networking = :( https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network

pfsense port forwarding while not being default gw: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html#figure-manual-outbound-nat-local-device

smtprelay via gmail with postfix mailutils, s-nail https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/

Nut sending mails -> https://freekode.org/nut-sending-emails/

Secure rsync over SSH without shell access - https://lxadm.com/Secure_rsync_over_SSH_without_shell_access

ipv4=$(curl -s -X GET -4 https://ifconfig.co)
ipv6=$(curl -s -X GET -6 https://ifconfig.co)

Fail2ban

https://wiki.archlinux.org/index.php/Fail2ban

sudo pacman -Sy
sudo pacman --noconfirm -S fail2ban
sudo cat << EOF >> /etc/fail2ban/jail.local
[DEFAULT]
bantime = 5d

[sshd]
enabled = true
mode = aggressive
EOF
sudo systemctl enable fail2ban.service
sudo systemctl start fail2ban.service

# Fail2ban status
fail2ban-client status sshd

# Unban ip:
fail2ban-client set sshd unbanip 1.2.3.4

UDEV fun!

KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"

SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"

KERNEL=="ttyUSB*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="1a86", SYMLINK+="GSM-SIM800", MODE="0666"

# Reload and re-trigger udev rules without reboot
udevadm control --reload-rules && udevadm trigger

Wireshark

ssh user@remote "tcpdump -s0 -w - 'port 1234'" | wireshark -k -i -

# Filter macaddress beginning with:
(ether [0:4] & 0xffffff00 = 0x000c2200) or (ether [6:4] & 0xffffff00 = 0x000c2200)

# First / Last
eth.addr[0:3] == bc:05:43
eth.addr[4:2] == 28:06

Server Queen Specific changes

https://forums.servethehome.com/index.php?threads/flash-crossflash-dell-h330-raid-card-to-hba330-12gbps-hba-it-firmware.25498/#post-236242
DISABLE WATCHDOG! Server will reboot due to watchdog during reboot in filesystem tasks.. BAD!
Added "TimeoutSec=900" in [Service]-Section /etc/systemd/system/lvm2-lvmetad.service , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair.
~~Docker /etc/docker/daemon.json added "iptables": false.~~ Update: Use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead. Docker kills kvm bridges without it.
sysctl rules:

#/etc/sysctl.d/40-ipv6.conf:
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.nic0.disable_ipv6 = 1
...
net.ipv6.conf.nicN.disable_ipv6 = 1

Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network

udev rules:

# /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

# /etc/udev/rules.d/60-md-stripe-cache.rules
# Change stripe cache size to maximum, we got the ram! memory_consumed = system_page_size * nr_disks * stripe_cache_size
# https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="32768"

## TODO ? sudo blockdev --setra ?? -> https://unix.stackexchange.com/questions/71364/persistent-blockdev-setra-read-ahead-setting

# /etc/udev/rules.d/89-usb.rules
#ups and TI zigbee module fix:
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"

# /etc/udev/rules.d/99-bridge.rules
# reload sysctl if br_netfilter is loaded, wierd stuff happens otherwise.
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl --system"

# /usr/lib/udev/rules.d/11-dm-lvm.rules
# Create symlinks for top-level devices only.
## EDIT BY DAMME 2020-07-22 to populate partitions for libvirt
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", SYMLINK+="$env{DM_VG_NAME}/$env{DM_LV_NAME}"
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", RUN+="/sbin/kpartx -un /dev/%E{DM_VG_NAME}/%E{DM_LV_NAME}", GOTO="lvm_end"

New server thoughts

https://www.youtube.com/watch?v=MucGkPUMjNo Building a Power Efficient Home Server!

Difference between revisions of "Damme's linux stuff"

Latest revision as of 10:26, 28 February 2024

Contents

Profile.d/damme.sh

Text manipulation

SSH

SOCKS5 proxy

Generate SSH keys

pacman

Filesystems and LVM

MDADM

LVM

fstab

Other

Resue Data

BTRFS

Raid sas etc

Low level format SATA

Docker

/etc/systemd/system/docker.service.d/execstart.conf

netcat

systemd

rsync

ZFS

Other stuff

Fail2ban

UDEV fun!

Wireshark

Server Queen Specific changes

New server thoughts

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools

@@ Line 1: / Line 1: @@
 == Profile.d/damme.sh ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 alias ls='ls --group-directories-first -hF --color=auto'
 alias more='less'
@@ Line 79: / Line 79: @@
 == Text manipulation ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 sed -e # Show result, Will not change anything
@@ Line 89: / Line 89: @@
 === SOCKS5 proxy ===
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 ssh -C -N -D [local port] [name]@[server]
 </syntaxhighlight>
 === Generate SSH keys ===
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 #generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa
-ssh-keygen -N '' -f ~/.ssh/id_rsa
+ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa
 # if ~/.ssh/id_rsa.pub is missing!
@@ Line 109: / Line 109: @@
 sshpiper auth process:
-<syntaxhighlight lang="json">
+<syntaxhighlight lang="json" line="1">
 (client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys]
 </syntaxhighlight>
@@ Line 115: / Line 115: @@
 == pacman ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
-pacman -F $filename # Search package including $filename:
+pacman -F $filename # Search package including $filename
+pacman -Qo $filename # Search package including $filename
 pacman -Ss $package # Search $package
 pacman -S $package # Install $package
 pacman -R $package # Remove $package
+# remove partial packages:
+find /var/cache/pacman/pkg/ -iname "*.part" -delete
 </syntaxhighlight>
@@ Line 127: / Line 132: @@
 === LVM ===
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
+lvcreate -L [SIZE]g -n [NAME] [VG] /dev/[PV]
 lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast
 # writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data;
 # writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails.
-lvresize --resizefs vg/lv
+lvconvert --splitcache MyVolGroup/rootvol
+lvconvert --uncache MyVolGroup/rootvol
+lvresize --resizefs -L +XG vg/lv
+# Move LV Between physical drives in same VG - Can be done LIVE
+# Create mirror
+lvconvert -m 1 [LV] [NEW DEV]
+# wait for it to copy data (Check via lvs)
+# Remove mirror
+lvconvert -m 0 [LV] [OLD DEV]
+# Alt: pvmove -n [LV] [OLD DEV] [NEW DEV]
+lvcreate --type thin-pool -n thin-pool -L size vg [pv?]
+lvs -o +devices
+lvremove [LVM]
+# Logical volume [LVM] is used by another device.
+kpartx -d /dev/mapper/[LVM]
+#dmsetup ls
+dmsetup remove [LVM]
+lvremove [LVM]
 </syntaxhighlight>
+=== fstab ===
+<syntaxhighlight lang="bash" line="1">
+/source /destination none defaults,bind 0 0
+#check fstab:
+mount -fav
+</syntaxhighlight>
 === Other ===
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 pv -s 20G < /dev/foo > /dev/baz
+</syntaxhighlight>
+<syntaxhighlight lang="bash" line="1">
+diskspd.exe –c50G -d300 -r -w40 -t8 -o32 -b64K -Sh -L E:\diskpsdtmp.dat > DiskSpeedResults.txt
 </syntaxhighlight>
@@ Line 144: / Line 185: @@
 https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html
-== Raid sas etc ==
+=== BTRFS ===
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
+# Resize BTRFS
+btrfs filesystem resize max /path
+btrfs device usage /path
+</syntaxhighlight>
+=== Raid sas etc ===
+<syntaxhighlight lang="bash" line="1">
 # spin down sas
 sdparm --readonly --command=stop /dev/xxx
@@ Line 154: / Line 202: @@
 # check status, "Not ready" = not spinning, "Ready" = Spinning
 sdparm --command=ready /dev/xxx
+</syntaxhighlight>
+=== Low level format SATA ===
+<syntaxhighlight lang="bash" line="1">
+hdparm -I /dev/sda
+# if frozen need to unfreeze
+hdparm --user-master u --security-set-pass llformat /dev/sd_
+hdparm --user-master u --security-erase llformat /dev/sd_
 </syntaxhighlight>
 == Docker ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 docker ps [-a/--all] # print (all) running containers
 docker exec -it [container_id] /bin/bash # run shell in container#
+docker update --cpuset-cpus="1-5" [container_id]
 </syntaxhighlight>
 Reinstall Portainer
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 docker stop portainer
 docker rm portainer
 docker pull portainer/portainer-ce
 docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce
+docker stop portainer && docker rm portainer && docker pull portainer/portainer-ce && docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce
 </syntaxhighlight>
 Generate rsa keys for encrypted communication between
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
+#server:
 export PASS=SuperSecret
 export SUBJ='/C=SE/L=Skällinge/O=Unimatrix'
@@ Line 180: / Line 240: @@
 openssl genrsa -out server-key.pem 4096
+#client:
 openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr
@@ Line 187: / Line 249: @@
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS
-#client:
 openssl genrsa -out key.pem 4096
 openssl req -subj '/CN=client' -new -key key.pem -out client.csr
@@ Line 193: / Line 254: @@
 openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS
+</syntaxhighlight>
+== /etc/systemd/system/docker.service.d/execstart.conf ==
+<syntaxhighlight lang="bash" line="1">
+[Service]
+ExecStart=
+#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243
+ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H fd:// -H tcp://0.0.0.0:2376
 </syntaxhighlight>
 == netcat ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 echo "test" | nc wiegert.link 12345 # client
 nc -l 12345 -k # listener server, k = continuous
@@ Line 202: / Line 271: @@
 == systemd ==
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 systemctl edit --full lvm2-lvmetad.service # edit service
 systemctl edit lvm2-lvmetad.service # edit service override
 systemctl daemon-reload # Reload systemd manager configuration
 </syntaxhighlight>
+== rsync ==
+<syntaxhighlight lang="bash" line="1">
+rsync -rav
+rsync -ravHAX
+rsync -avHAX --one-file-system
+</syntaxhighlight>
+== ZFS ==
+[[ZFS Best practices]]
 == Other stuff ==
 Fixperm on files (664) and folders (775):
-<syntaxhighlight lang="bash">
+<syntaxhighlight lang="bash" line="1">
 find . -type d -exec chown root:share {} \; -exec chmod 775 {} \;
 find . -type f -exec chown root:share {} \; -exec chmod 664 {} \;
@@ Line 223: / Line 302: @@
 Nut sending mails -> https://freekode.org/nut-sending-emails/
-stop brute-force attacks -> https://wiki.archlinux.org/index.php/Fail2ban
+Secure rsync over SSH without shell access - https://lxadm.com/Secure_rsync_over_SSH_without_shell_access
+<syntaxhighlight lang="bash" line="1">
+ipv4=$(curl -s -X GET -4 https://ifconfig.co)
+ipv6=$(curl -s -X GET -6 https://ifconfig.co)
+</syntaxhighlight>
+== Fail2ban ==
+https://wiki.archlinux.org/index.php/Fail2ban
+<syntaxhighlight lang="bash" line="1">
+sudo pacman -Sy
+sudo pacman --noconfirm -S fail2ban
+sudo cat << EOF >> /etc/fail2ban/jail.local
+[DEFAULT]
+bantime = 5d
+[sshd]
+enabled = true
+mode = aggressive
+EOF
+sudo systemctl enable fail2ban.service
+sudo systemctl start fail2ban.service
+# Fail2ban status
+fail2ban-client status sshd
+# Unban ip:
+fail2ban-client set sshd unbanip 1.2.3.4
+</syntaxhighlight>
+== UDEV fun! ==
+<syntaxhighlight lang="c" line="1">
+KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
+KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"
+KERNEL=="ttyUSB*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="1a86", SYMLINK+="GSM-SIM800", MODE="0666"
+</syntaxhighlight>
+<syntaxhighlight lang="bash" line="1">
+# Reload and re-trigger udev rules without reboot
+udevadm control --reload-rules && udevadm trigger
+</syntaxhighlight>
+== Wireshark ==
+<syntaxhighlight lang="bash" line="1">
+ssh user@remote "tcpdump -s0 -w - 'port 1234'" | wireshark -k -i -
+# Filter macaddress beginning with:
+(ether [0:4] & 0xffffff00 = 0x000c2200) or (ether [6:4] & 0xffffff00 = 0x000c2200)
+# First / Last
+eth.addr[0:3] == bc:05:43
+eth.addr[4:2] == 28:06
+</syntaxhighlight>
 == Server Queen Specific changes ==
+* https://forums.servethehome.com/index.php?threads/flash-crossflash-dell-h330-raid-card-to-hba330-12gbps-hba-it-firmware.25498/#post-236242
 * DISABLE WATCHDOG! Server will reboot due to watchdog during reboot in filesystem tasks.. BAD!
 * Added "TimeoutSec=900" in [Service]-Section '''/etc/systemd/system/lvm2-lvmetad.service''' , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair.
 *  <del> Docker '''/etc/docker/daemon.json''' added "iptables": false.</del> Update: Use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead. Docker kills kvm bridges without it.
+* sysctl rules:
+<syntaxhighlight lang="c" line="1">
+#/etc/sysctl.d/40-ipv6.conf:
+# Disable IPv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.nic0.disable_ipv6 = 1
+...
+net.ipv6.conf.nicN.disable_ipv6 = 1
+</syntaxhighlight>
+* Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
 * udev rules:
-<syntaxhighlight lang="c">
+<syntaxhighlight lang="c" line="1">
 # /etc/sysctl.d/30-ipforward.conf
 net.ipv4.ip_forward=1
@@ Line 263: / Line 409: @@
 </syntaxhighlight>
-* Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
+== New server thoughts ==
+* https://www.youtube.com/watch?v=MucGkPUMjNo Building a Power Efficient Home Server!