docs(notes): expand storage, btrfs, linux, and ssh notes
btrfs.md:
- Add device scan (no-arg form) and device stats --reset / -z
- Add read-only mount, remount with performance/default options
- Add Degraded Mount and Missing Device Removal subsection
- Add stdbuf + zstd backgrounded defrag with log output
- Add RAID1 balance conversion
- Add ionice for scrub, watch scrub+device stats, watch scrub+temperatures
- Add Recovery → Filesystem Check (btrfs check, --force)
- Add Recovery → Diagnosis (journal by date, dmesg btrfs filter)

linux.md:
- Add CPU info commands (lscpu, /proc/cpuinfo, core count)
- Add GPU info (lspci | grep vga) and CPU scaling driver
- Add mount --bind and chroot with pseudo-fs setup
- Add update-initramfs -k all and -c -k $(uname -r) variants
- Add NFS section (showmount, exportfs)
- Add Network Diagnostics section (curl timing, high-freq ping, jumbo frame ping)
- Add journal date filtering and microcode grep to Diagnosis

ssh.md:
- Add Placeholders section
- Replace all hardcoded usernames, hostnames, IPs, and key paths with placeholders
- Add Skip Host Key Verification section (StrictHostKeyChecking, UserKnownHostsFile)

storage.md:
- Add lsblk -e 7 to exclude loop devices
- Add blkid <partition> variant
- Add cat /proc/mounts grep
- Add SMART filtered greps (Reallocated, Pending, UDMA_CRC, Load_Cycle_Count)
- Add drive temperature one-liner and watch loop
- Add Hardware Monitoring section (lm-sensors, sensors-detect, sensors)
- Add Kernel Messages section (dmesg tail, err/warn, -T, nvme, ata/scsi, I/O, ATA port mapping)
- Add strings on raw device to Hex Dump
This commit is contained in:
parent
cd4cf23f92
commit
89e4bd519a
162
notes/btrfs.md
@ -9,6 +9,7 @@
|
|||||||
- [Information on Filesystem](#information-on-filesystem)
|
- [Information on Filesystem](#information-on-filesystem)
|
||||||
- [Drive Manipulation](#drive-manipulation)
|
- [Drive Manipulation](#drive-manipulation)
|
||||||
- [Replace Drives](#replace-drives)
|
- [Replace Drives](#replace-drives)
|
||||||
|
- [Degraded Mount and Missing Device Removal](#degraded-mount-and-missing-device-removal)
|
||||||
- [Filesystem Manipulation](#filesystem-manipulation)
|
- [Filesystem Manipulation](#filesystem-manipulation)
|
||||||
- [Upgrading Btrfs Block Group Cache to V2](#upgrading-btrfs-block-group-cache-to-v2)
|
- [Upgrading Btrfs Block Group Cache to V2](#upgrading-btrfs-block-group-cache-to-v2)
|
||||||
- [Defrag](#defrag)
|
- [Defrag](#defrag)
|
||||||
@ -19,6 +20,8 @@
|
|||||||
- [Delete Snapshots](#delete-snapshots)
|
- [Delete Snapshots](#delete-snapshots)
|
||||||
- [Backup Procedures](#backup-procedures)
|
- [Backup Procedures](#backup-procedures)
|
||||||
- [Recovery](#recovery)
|
- [Recovery](#recovery)
|
||||||
|
- [Filesystem Check](#filesystem-check)
|
||||||
|
- [Diagnosis](#diagnosis)
|
||||||
|
|
||||||
## Placeholders
|
## Placeholders
|
||||||
|
|
||||||
@ -110,6 +113,7 @@ btrfs device usage <mountpoint>
|
|||||||
Scan all devices or a specific drive:
|
Scan all devices or a specific drive:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
btrfs device scan
|
||||||
btrfs device scan <device>
|
btrfs device scan <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -121,6 +125,17 @@ Read errors, write errors, flush errors, etc.:
|
|||||||
btrfs device stats <mountpoint>
|
btrfs device stats <mountpoint>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Reset Device Error Counters**
|
||||||
|
|
||||||
|
Reset all per-device error counters to zero after acknowledging them:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
btrfs device stats --reset <mountpoint>
|
||||||
|
btrfs device stats -z <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-z` / `--reset`: Zeroes the counters after printing. Useful after a known event you've already investigated.
|
||||||
|
|
||||||
**List BTRFS Subvolumes**
|
**List BTRFS Subvolumes**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
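Review bot: the `-z` / `--reset` bullet at the end of this hunk should tell the reader to keep the printed counters before they are zeroed, e.g. `btrfs device stats -z <mountpoint> >> /root/<date>-devstats.log`, because once reset the per-device history of read, write, flush and corruption errors is gone and can no longer be correlated with a later scrub result or a SMART change.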
@ -179,6 +194,28 @@ btrfs subvol list /
|
|||||||
mount -o subvolid=<subvolume-id> /dev/disk/by-uuid/<uuid> <mountpoint>
|
mount -o subvolid=<subvolume-id> /dev/disk/by-uuid/<uuid> <mountpoint>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Mount Read-Only**
|
||||||
|
|
||||||
|
Mount a partition in read-only mode, useful for forensics or recovery without risking further writes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -r <device> <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Remount with Performance Options**
|
||||||
|
|
||||||
|
Apply common performance mount options to a live filesystem without unmounting:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -o remount,noatime,compress=zstd:3,autodefrag,space_cache=v2 <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Remount with Default Options**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -o remount,defaults,noatime,compress=zstd:3 <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
**Add a New Drive**
|
**Add a New Drive**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
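Review bot: the `mount -r` in **Mount Read-Only** is not write-free for the forensics use the text names, because btrfs still replays the log tree on an `ro` mount; suggest `mount -o ro,nologreplay <device> <mountpoint>` (the `nologreplay` option must be combined with `ro`) when the point is to leave the device untouched. Also, the **Remount with Default Options** command passes `noatime,compress=zstd:3` on top of `defaults`, so either rename the heading or drop the extra options so that heading and command agree.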
@ -233,6 +270,33 @@ btrfs replace status -i <mountpoint>
|
|||||||
- Useful for both failing drive replacement and capacity upgrades.
|
- Useful for both failing drive replacement and capacity upgrades.
|
||||||
- Ensure the target drive has enough space to accommodate the source data.
|
- Ensure the target drive has enough space to accommodate the source data.
|
||||||
|
|
||||||
|
### Degraded Mount and Missing Device Removal
|
||||||
|
|
||||||
|
Use when a drive has failed and you need to access the filesystem with the remaining devices.
|
||||||
|
|
||||||
|
**Mount in degraded mode:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -o ro,degraded <device> <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Mount a specific subvolume in degraded mode:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount -t btrfs -o degraded,subvol=<subvolume>,noatime,compress=zstd:3 UUID=<uuid> <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Remove the missing device from the filesystem:**
|
||||||
|
|
||||||
|
Once mounted degraded, remove the placeholder for the missing drive:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
btrfs device remove missing <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
|
- This cleans up the missing device slot so the filesystem no longer expects it.
|
||||||
|
- Only safe to run if data is intact on the remaining devices (e.g., RAID1 with one drive).
|
||||||
|
|
||||||
## Filesystem Manipulation
|
## Filesystem Manipulation
|
||||||
|
|
||||||
### Upgrading Btrfs Block Group Cache to V2
|
### Upgrading Btrfs Block Group Cache to V2
|
||||||
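Review bot: the step under **Remove the missing device from the filesystem** cannot follow the first example as written, since `mount -o ro,degraded` gives a read-only filesystem and `btrfs device remove` needs a writable one; state that this step requires `rw,degraded`, or present the read-only degraded mount as the inspection step and the rw mount as the repair step. Worth adding to the bullets that when a replacement drive is available, `btrfs replace start <missing-devid> <new-device> <mountpoint>` keeps the redundancy instead of shrinking the device set, and that chunks written while degraded may be allocated with the `single` profile, so a balance with `-dconvert=raid1 -mconvert=raid1` may be needed once the array is whole again.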
@ -298,6 +362,8 @@ umount <mountpoint>
|
|||||||
|
|
||||||
### Defrag
|
### Defrag
|
||||||
|
|
||||||
|
**Standard recursive defrag with LZO compression:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
btrfs filesystem defrag -r -v -clzo <mountpoint>
|
btrfs filesystem defrag -r -v -clzo <mountpoint>
|
||||||
```
|
```
|
||||||
@ -306,6 +372,18 @@ btrfs filesystem defrag -r -v -clzo <mountpoint>
|
|||||||
- `-v`: Verbose.
|
- `-v`: Verbose.
|
||||||
- `-clzo`: Optional LZO compression to save space.
|
- `-clzo`: Optional LZO compression to save space.
|
||||||
|
|
||||||
|
**Recursive defrag with Zstd compression, logged to file:**
|
||||||
|
|
||||||
|
Runs in the background with unbuffered output so the log file updates in real time:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
stdbuf -oL btrfs filesystem defrag -r -v -czstd <mountpoint> > /root/<date>-defrag.log 2>&1 &
|
||||||
|
```
|
||||||
|
|
||||||
|
- `stdbuf -oL`: Forces line-buffered stdout so log entries appear immediately.
|
||||||
|
- `-czstd`: Zstd compression (better ratio than LZO, available since kernel 5.1).
|
||||||
|
- `&`: Runs in the background; use `tail -f /root/<date>-defrag.log` to monitor.
|
||||||
|
|
||||||
## Balances
|
## Balances
|
||||||
|
|
||||||
**Full balance on nearly empty block groups:**
|
**Full balance on nearly empty block groups:**
|
||||||
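Review bot: the `-czstd` bullet dates zstd support to kernel 5.1, but btrfs gained zstd compression in 4.14; 5.1 is when the `compress=zstd:N` level selection arrived. The log path `/root/<date>-defrag.log` puts a literal placeholder inside a command, so `/root/$(date +%F)-defrag.log` would make the line runnable as written. A caveat bullet is also missing: a recursive defrag unshares extents that are shared with existing snapshots, so on a filesystem with many snapshots the space usage can grow considerably.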
@ -351,6 +429,14 @@ btrfs balance start --bg --full-balance -dusage=0 -musage=0 <mountpoint>
|
|||||||
btrfs balance start --bg -dlimit=100 <mountpoint>
|
btrfs balance start --bg -dlimit=100 <mountpoint>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Convert to RAID1:**
|
||||||
|
|
||||||
|
Rebalances data and metadata to RAID1 profile. Use after adding a second drive or to switch from single to mirrored:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
btrfs balance start -mconvert=raid1 -dconvert=raid1 <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
**Cancel a balance:**
|
**Cancel a balance:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
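Review bot: the **Convert to RAID1** command has no `--bg`, unlike the other balance examples in this section, so it blocks the shell until the conversion finishes; either add `--bg` for consistency or say that it runs in the foreground. Suggest a bullet to verify with `btrfs filesystem df <mountpoint>` afterward that no `single` data or metadata chunks remain, since an interrupted convert leaves a mixed profile that still has unmirrored data.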
@ -367,7 +453,7 @@ btrfs balance status <mountpoint>
|
|||||||
|
|
||||||
**Start a scrub**
|
**Start a scrub**
|
||||||
|
|
||||||
The scrub operation verifies data integrity against checksums
|
The scrub operation verifies data integrity against checksums:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
btrfs scrub start <mountpoint>
|
btrfs scrub start <mountpoint>
|
||||||
@ -385,6 +471,37 @@ btrfs scrub status <mountpoint>
|
|||||||
btrfs scrub cancel <mountpoint>
|
btrfs scrub cancel <mountpoint>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Lower scrub I/O priority:**
|
||||||
|
|
||||||
|
Reduce the impact of a running scrub on system I/O by setting it to idle class:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ionice -c 3 -p $(pgrep btrfs-scrub)
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-c 3`: Idle class — only uses I/O when no other process needs it.
|
||||||
|
|
||||||
|
**Watch scrub status and device stats:**
|
||||||
|
|
||||||
|
Continuously display scrub progress and per-device error counters:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
watch -n 10 "btrfs scrub status <mountpoint>; echo ''; btrfs device stats <mountpoint>"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Watch scrub status and all drive temperatures:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
watch -n 5 "btrfs scrub status <mountpoint> && echo '' && \
|
||||||
|
smartctl --scan | awk '{print \$1}' | while read dev; do \
|
||||||
|
echo -n \"\$dev: \"; \
|
||||||
|
smartctl -A \$dev | grep -iE 'Temperature|Airflow_Temp' | awk '\
|
||||||
|
/Temperature_Celsius/ {print \$10 \"°C\"} \
|
||||||
|
/Airflow_Temperature_Cel/ {print \$10 \"°C\"} \
|
||||||
|
/Temperature:/ {print \$2 \"°C\"}' | head -n 1; \
|
||||||
|
done && echo '' && btrfs device stats <mountpoint>"
|
||||||
|
```
|
||||||
|
|
||||||
## Snapshots
|
## Snapshots
|
||||||
|
|
||||||
### Create Snapshots
|
### Create Snapshots
|
||||||
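Review bot: `ionice -c 3 -p $(pgrep btrfs-scrub)` under **Lower scrub I/O priority** is fragile: the process name may not match (the userspace command is `btrfs`, and on current kernels the scrub I/O is issued from kernel worker threads), and `pgrep` returning several PIDs breaks the `-p` argument. `btrfs scrub start -c 3 <mountpoint>` sets the idle class at start time through the tool's own `-c <ioprio_class>` / `-n <ioprio_classdata>` options and is the more reliable form. In the temperature `watch` loop, `smartctl -A` every 5 seconds will wake drives that are in standby; `smartctl -n standby -A \$dev` skips sleeping disks.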
@ -476,3 +593,46 @@ btrfs scrub cancel <mountpoint>
|
|||||||
```bash
|
```bash
|
||||||
btrfs restore -D <device>
|
btrfs restore -D <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Filesystem Check
|
||||||
|
|
||||||
|
Run offline consistency checks on an unmounted BTRFS filesystem.
|
||||||
|
|
||||||
|
**Check an unmounted filesystem:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
btrfs check <device>
|
||||||
|
```
|
||||||
|
|
||||||
|
- Must be run on an **unmounted** device. Running on a mounted filesystem risks corruption.
|
||||||
|
- Use the UUID path if needed: `/dev/disk/by-uuid/<uuid>`
|
||||||
|
|
||||||
|
**Force check (use with caution):**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
btrfs check --force <device>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `--force`: Bypasses the mount check. Only use this if you are certain the filesystem is not mounted and understand the risks.
|
||||||
|
|
||||||
|
### Diagnosis
|
||||||
|
|
||||||
|
Filter system logs and kernel messages to diagnose BTRFS-related events.
|
||||||
|
|
||||||
|
**Search journal logs by date range:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
journalctl --since "<date>" --until "<date>" | grep -i btrfs
|
||||||
|
```
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
journalctl --since "2026-01-01" --until "2026-01-02" | grep -i btrfs
|
||||||
|
```
|
||||||
|
|
||||||
|
**Search kernel ring buffer for BTRFS events:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i btrfs
|
||||||
|
```
|
||||||
|
|||||||
158
notes/linux.md
158
notes/linux.md
@ -14,6 +14,8 @@
|
|||||||
- [System Management](#system-management)
|
- [System Management](#system-management)
|
||||||
- [Change password of a tar/openssl archive](#change-password-of-a-taropenssl-archive)
|
- [Change password of a tar/openssl archive](#change-password-of-a-taropenssl-archive)
|
||||||
- [Verify two possibly identical folders recursively](#verify-two-possibly-identical-folders-recursively)
|
- [Verify two possibly identical folders recursively](#verify-two-possibly-identical-folders-recursively)
|
||||||
|
- [NFS](#nfs)
|
||||||
|
- [Network Diagnostics](#network-diagnostics)
|
||||||
- [Diagnosis](#diagnosis)
|
- [Diagnosis](#diagnosis)
|
||||||
- [Debian Upgrade Issues](#debian-upgrade-issues)
|
- [Debian Upgrade Issues](#debian-upgrade-issues)
|
||||||
- [Wayland Issues](#wayland-issues)
|
- [Wayland Issues](#wayland-issues)
|
||||||
@ -35,6 +37,32 @@ To gather detailed information about your hardware, use the following commands:
|
|||||||
- `dmidecode -t memory` for RAM details
|
- `dmidecode -t memory` for RAM details
|
||||||
- `dmidecode -t bios` for BIOS information
|
- `dmidecode -t bios` for BIOS information
|
||||||
|
|
||||||
|
**CPU information**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lscpu
|
||||||
|
cat /proc/cpuinfo
|
||||||
|
grep -c 'model name' /proc/cpuinfo
|
||||||
|
```
|
||||||
|
|
||||||
|
- `lscpu`: Structured summary of CPU architecture, cores, threads, and NUMA topology.
|
||||||
|
- `cat /proc/cpuinfo`: Raw per-core details including model name, flags, and frequencies.
|
||||||
|
- `grep -c 'model name'`: Quick count of logical CPU cores.
|
||||||
|
|
||||||
|
**GPU information**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lspci | grep -i vga
|
||||||
|
```
|
||||||
|
|
||||||
|
**CPU frequency scaling driver**
|
||||||
|
|
||||||
|
Check which driver is managing CPU frequency scaling (e.g., `intel_pstate`, `acpi-cpufreq`):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_driver
|
||||||
|
```
|
||||||
|
|
||||||
### Software Information
|
### Software Information
|
||||||
|
|
||||||
**Finding information on the Linux distribution**
|
**Finding information on the Linux distribution**
|
||||||
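Review bot: `lspci | grep -i vga` under **GPU information** misses GPUs that PCI classes as `3D controller` or `Display controller`, which is common for discrete and headless cards, so `lspci | grep -iE 'vga|3d|display'` is the safer filter. The `grep -c 'model name'` bullet calls the result logical cores; it counts logical CPUs (threads), and `nproc` gives the same number directly. The `scaling_driver` file is absent on many VMs and on hosts without cpufreq, so a bullet noting that a missing file is expected there would avoid confusion.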
@ -257,6 +285,60 @@ ln -s /usr/share/zoneinfo/<timezone> /etc/localtime
|
|||||||
systemctl list-units --type=service | grep <service-name>
|
systemctl list-units --type=service | grep <service-name>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Bind mount a directory**
|
||||||
|
|
||||||
|
Make a directory available at another path, useful during chroot recovery or container setup:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount --bind /dev /mnt/<newroot>/dev
|
||||||
|
```
|
||||||
|
|
||||||
|
**Chroot into another system**
|
||||||
|
|
||||||
|
Enter a mounted system's root as if it were the running OS. Useful for recovery, initramfs rebuilds, or bootloader fixes:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chroot /mnt/<newroot>
|
||||||
|
```
|
||||||
|
|
||||||
|
Typically preceded by binding the required pseudo-filesystems:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mount --bind /dev /mnt/<newroot>/dev
|
||||||
|
mount --bind /proc /mnt/<newroot>/proc
|
||||||
|
mount --bind /sys /mnt/<newroot>/sys
|
||||||
|
chroot /mnt/<newroot>
|
||||||
|
```
|
||||||
|
|
||||||
|
**Rebuild initramfs**
|
||||||
|
|
||||||
|
After kernel or driver changes, rebuild the initramfs and refresh the GRUB configuration:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
update-initramfs -u
|
||||||
|
update-initramfs -u -k all
|
||||||
|
```
|
||||||
|
|
||||||
|
- `update-initramfs -u`: Rebuilds the initramfs for the currently running kernel.
|
||||||
|
- `-k all`: Rebuilds for all installed kernels.
|
||||||
|
|
||||||
|
**Rebuild initramfs for a specific kernel version:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
update-initramfs -c -k $(uname -r)
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-c`: Create a new initramfs (instead of updating).
|
||||||
|
- `-k $(uname -r)`: Targets the currently running kernel version.
|
||||||
|
|
||||||
|
**Update GRUB:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
update-grub
|
||||||
|
```
|
||||||
|
|
||||||
|
- Scans for kernels and regenerates `/boot/grub/grub.cfg`.
|
||||||
|
|
||||||
### Change password of a tar/openssl archive
|
### Change password of a tar/openssl archive
|
||||||
|
|
||||||
**Decrypt the archive**
|
**Decrypt the archive**
|
||||||
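Review bot: the chroot preparation block binds only `/dev`, `/proc` and `/sys`; `update-initramfs` and `update-grub` inside the chroot also need `/dev/pts` and usually `/run` (and `/sys/firmware/efi/efivars` on UEFI systems), so suggest `mount --rbind /dev /mnt/<newroot>/dev` and `mount --bind /run /mnt/<newroot>/run`, or list the extra binds. The **Rebuild initramfs for a specific kernel version** example uses `$(uname -r)`, which inside a chroot reports the rescue or live kernel rather than the installed one; the bullet should say to substitute the target version (see `ls /lib/modules` in the chroot) when run this way.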
@ -336,6 +418,60 @@ for file1 in $(find "$dir1" -type f); do
|
|||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## NFS
|
||||||
|
|
||||||
|
**Show NFS exports from a server:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
showmount -e <hostname>
|
||||||
|
showmount -e localhost
|
||||||
|
```
|
||||||
|
|
||||||
|
**List active exports and their options on the server:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
exportfs -v
|
||||||
|
```
|
||||||
|
|
||||||
|
## Network Diagnostics
|
||||||
|
|
||||||
|
**Measure HTTP response timing:**
|
||||||
|
|
||||||
|
Breaks down the full request lifecycle — useful for diagnosing DNS, TLS, or TTFB issues:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -o /dev/null -s -w \
|
||||||
|
'Lookup: %{time_namelookup}s\nConnect: %{time_connect}s\nAppConnect: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n' \
|
||||||
|
https://<hostname>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `time_namelookup`: DNS resolution time.
|
||||||
|
- `time_connect`: TCP connection time.
|
||||||
|
- `time_appconnect`: TLS handshake time.
|
||||||
|
- `time_starttransfer`: Time to first byte (TTFB).
|
||||||
|
- `-o /dev/null`: Discards the response body.
|
||||||
|
|
||||||
|
**High-frequency ping:**
|
||||||
|
|
||||||
|
Flood-style ping to stress-test latency or detect intermittent packet loss:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ping -i 0.002 <host>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-i 0.002`: Send a packet every 2ms. Requires root.
|
||||||
|
|
||||||
|
**Jumbo frame ping:**
|
||||||
|
|
||||||
|
Test whether the network path supports large MTU frames (useful for diagnosing MTU mismatches):
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ping -s 1472 -i 0.01 <host>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-s 1472`: Payload size of 1472 bytes (1472 + 28-byte IP/ICMP header = 1500-byte MTU).
|
||||||
|
- Increase `-s` to test jumbo frames (e.g., `-s 8972` for 9000-byte MTU).
|
||||||
|
|
||||||
## Diagnosis
|
## Diagnosis
|
||||||
|
|
||||||
### Debian Upgrade Issues
|
### Debian Upgrade Issues
|
||||||
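Review bot: the **Jumbo frame ping** command lacks `-M do`, so the kernel fragments the oversized ICMP packet and the ping succeeds even on a 1500-byte path; `ping -M do -s 8972 <host>` is what actually tests the MTU, and the `-s 1472` arithmetic bullet holds for IPv4 only (IPv6 needs `-s 1452` for a 1500-byte MTU). `showmount -e` in the **NFS** section depends on rpcbind/mountd and returns nothing from NFSv4-only servers, which deserves a bullet so an empty list is not read as "no exports".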
@ -367,6 +503,28 @@ journalctl -b | grep -i "drm\|gpu\|display\|wayland\|monitor"
|
|||||||
journalctl -b | grep -i "gnome-shell"
|
journalctl -b | grep -i "gnome-shell"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Journal Filtering by Date and Keyword**
|
||||||
|
|
||||||
|
Search logs within a specific time window:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
journalctl --since "<date>" --until "<date>" | grep -i <keyword>
|
||||||
|
```
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
journalctl --since "2026-01-01" --until "2026-01-02" | grep -i btrfs
|
||||||
|
```
|
||||||
|
|
||||||
|
**Kernel microcode events:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
journalctl -k | grep -i "microcode"
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-k`: Show only kernel messages (equivalent to `dmesg` output via the journal).
|
||||||
|
|
||||||
## Fonts
|
## Fonts
|
||||||
|
|
||||||
**Download and Install Fonts**
|
**Download and Install Fonts**
|
||||||
|
|||||||
324
notes/ssh.md
324
notes/ssh.md
@ -4,7 +4,9 @@
|
|||||||
|
|
||||||
- [SSH](#ssh)
|
- [SSH](#ssh)
|
||||||
- [Table of Contents](#table-of-contents)
|
- [Table of Contents](#table-of-contents)
|
||||||
|
- [Placeholders](#placeholders)
|
||||||
- [Connect with specific key](#connect-with-specific-key)
|
- [Connect with specific key](#connect-with-specific-key)
|
||||||
|
- [Skip Host Key Verification](#skip-host-key-verification)
|
||||||
- [SSH Key Management](#ssh-key-management)
|
- [SSH Key Management](#ssh-key-management)
|
||||||
- [Verbose](#verbose)
|
- [Verbose](#verbose)
|
||||||
- [Enable root login](#enable-root-login)
|
- [Enable root login](#enable-root-login)
|
||||||
@ -16,93 +18,124 @@
|
|||||||
- [Change SSH Port](#change-ssh-port)
|
- [Change SSH Port](#change-ssh-port)
|
||||||
- [Restart ssh](#restart-ssh)
|
- [Restart ssh](#restart-ssh)
|
||||||
|
|
||||||
|
## Placeholders
|
||||||
|
|
||||||
|
Replace the placeholders below with the appropriate values for your setup:
|
||||||
|
|
||||||
|
- **Connection**
|
||||||
|
- Username: `<username>` (e.g., john)
|
||||||
|
- Hostname: `<hostname>` (e.g., server.example.com)
|
||||||
|
- IP address: `<ip>` (e.g., 192.168.1.100)
|
||||||
|
- SSH port: `<port>` (e.g., 2222)
|
||||||
|
- SSH key: `<keyfile>` (e.g., ~/.ssh/id_rsa)
|
||||||
|
- Key comment: `<key-comment>` (e.g., john@example.com)
|
||||||
|
- Host alias: `<alias>` (e.g., myserver)
|
||||||
|
|
||||||
|
- **Paths**
|
||||||
|
- Local file: `<local-path>` (e.g., /home/user/file.txt)
|
||||||
|
- Remote path: `<remote-path>` (e.g., /home/user/file.txt)
|
||||||
|
- Local script: `<script-path>` (e.g., /home/user/script.sh)
|
||||||
|
- Project name: `<project>` (e.g., myapp)
|
||||||
|
|
||||||
## Connect with specific key
|
## Connect with specific key
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -i /home/fabrice/.ssh/fabquenneville root@servername.fabq.ca
|
ssh -i <keyfile> root@<hostname>
|
||||||
ssh -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca
|
ssh -i <keyfile> <username>@<hostname>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Skip Host Key Verification
|
||||||
|
|
||||||
|
Useful for ephemeral machines, VMs, or hosts that are frequently rebuilt where saved known_hosts entries would cause conflicts:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null <username>@<hostname>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `StrictHostKeyChecking=no`: Automatically accepts new or changed host keys without prompting.
|
||||||
|
- `UserKnownHostsFile=/dev/null`: Discards the host key entirely — nothing is saved to `~/.ssh/known_hosts`.
|
||||||
|
- ⚠️ Do not use on untrusted networks — this disables MITM protection.
|
||||||
|
|
||||||
## SSH Key Management
|
## SSH Key Management
|
||||||
|
|
||||||
**Generate a new RSA SSH key pair with a 4096-bit key length**
|
**Generate a new RSA SSH key pair with a 4096-bit key length**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-keygen -t rsa -b 4096 -C "fabrice@fabq.ca" -f ~/.ssh/fabrice@fabq.ca
|
ssh-keygen -t rsa -b 4096 -C "<key-comment>" -f <keyfile>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `ssh-keygen -t rsa -b 4096`: This command generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security.
|
- `ssh-keygen -t rsa -b 4096`: Generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security.
|
||||||
- `-C "fabrice@fabq.ca"`: This option adds a comment to the key, usually the email address of the key owner.
|
- `-C "<key-comment>"`: Adds a comment to the key, usually the email address of the key owner.
|
||||||
- `-f ~/.ssh/fabrice@fabq.ca`: This specifies the filename for the private key; the public key will be saved with the same name but with a `.pub` extension.
|
- `-f <keyfile>`: Specifies the filename for the private key; the public key will be saved with the same name but with a `.pub` extension.
|
||||||
|
|
||||||
**Copy the generated SSH keys to the remote server**
|
**Copy the generated SSH keys to the remote server**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
scp ~/.ssh/fabrice@fabq.ca* fabrice@servername.fabq.ca:~/.ssh/
|
scp <keyfile>* <username>@<hostname>:~/.ssh/
|
||||||
```
|
```
|
||||||
|
|
||||||
- `scp ~/.ssh/fabrice@fabq.ca*`: This command securely copies both the private and public keys to the remote server.
|
- `scp <keyfile>*`: Securely copies both the private and public keys to the remote server.
|
||||||
- `fabrice@servername.fabq.ca:~/.ssh/`: Specifies the destination path on the remote server where the keys will be copied.
|
- `<username>@<hostname>:~/.ssh/`: Specifies the destination path on the remote server where the keys will be copied.
|
||||||
|
|
||||||
**Install the public key on the remote server for passwordless authentication**
|
**Install the public key on the remote server for passwordless authentication**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-copy-id fabrice@192.168.1.100
|
ssh-copy-id <username>@<ip>
|
||||||
ssh-copy-id fabrice@servername.fabq.ca
|
ssh-copy-id <username>@<hostname>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `ssh-copy-id "fabrice@servername.fabq.ca"`: This command installs the public key on the specified remote server, allowing for passwordless SSH login.
|
- `ssh-copy-id`: Installs the public key on the specified remote server, allowing for passwordless SSH login.
|
||||||
|
|
||||||
**Install the public key on multiple servers using specific private key**
|
**Install the public key on multiple servers using a specific private key**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-copy-id -i /home/fabrice/.ssh/fabquenneville root@192.168.1.100
|
ssh-copy-id -i <keyfile> root@<ip>
|
||||||
ssh-copy-id -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca
|
ssh-copy-id -i <keyfile> <username>@<hostname>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `ssh-copy-id -i /home/fabrice/.ssh/fabquenneville`: This specifies which private key to use for authentication when copying the public key.
|
- `-i <keyfile>`: Specifies which private key to use for authentication when copying the public key.
|
||||||
- `root@192.168.1.100` and `fabrice@servername.fabq.ca`: These commands install the public key on the respective remote servers, allowing for secure, passwordless access.
|
|
||||||
|
|
||||||
**Install the public key on the remote server for passwordless authentication manually**
|
**Install the public key on the remote server for passwordless authentication manually**
|
||||||
This process is useful when ssh-copy-id is unavailable, or when you want more granular control over the manual setup of passwordless SSH authentication. The ssh-copy-id tool automatically installs your public key on the remote machine, but if you prefer or need to do it manually, these are the steps:
|
|
||||||
|
|
||||||
1. Create the .ssh directory if it doesn't exist and set proper permissions
|
This process is useful when `ssh-copy-id` is unavailable, or when you want more granular control over the setup. Follow these steps on the remote server:
|
||||||
|
|
||||||
```bash
|
1. Create the `.ssh` directory if it doesn't exist and set proper permissions:
|
||||||
mkdir -p /home/fabrice/.ssh
|
|
||||||
chmod 700 /home/fabrice/.ssh
|
|
||||||
```
|
|
||||||
|
|
||||||
2. Open the authorized_keys file in an editor and paste the public key (usually from ~/.ssh/id_rsa.pub on the local machine)
|
```bash
|
||||||
|
mkdir -p /home/<username>/.ssh
|
||||||
|
chmod 700 /home/<username>/.ssh
|
||||||
|
```
|
||||||
|
|
||||||
```bash
|
2. Open the `authorized_keys` file and paste the public key (usually from `~/.ssh/id_rsa.pub` on the local machine):
|
||||||
nano /home/fabrice/.ssh/authorized_keys
|
|
||||||
```
|
|
||||||
|
|
||||||
3. Set the correct permissions for the authorized_keys file
|
```bash
|
||||||
|
nano /home/<username>/.ssh/authorized_keys
|
||||||
|
```
|
||||||
|
|
||||||
```bash
|
3. Set the correct permissions for the `authorized_keys` file:
|
||||||
chmod 600 /home/fabrice/.ssh/authorized_keys
|
|
||||||
```
|
|
||||||
|
|
||||||
4. Ensure the ownership of the .ssh directory and its contents is set to the correct user
|
```bash
|
||||||
|
chmod 600 /home/<username>/.ssh/authorized_keys
|
||||||
|
```
|
||||||
|
|
||||||
```bash
|
4. Ensure the ownership of the `.ssh` directory and its contents is set to the correct user:
|
||||||
chown -R fabrice:fabrice /home/fabrice/.ssh
|
|
||||||
```
|
```bash
|
||||||
|
chown -R <username>:<username> /home/<username>/.ssh
|
||||||
|
```
|
||||||
|
|
||||||
## Verbose
|
## Verbose
|
||||||
|
|
||||||
- Use the 'ssh' command with the '-v' option to enable verbose mode, which provides detailed information about the connection process.
|
Use the `-v` option to enable verbose mode, which provides detailed information about the connection process:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -i /home/fabrice/.ssh/fabquenneville -v root@servername.fabq.ca
|
ssh -i <keyfile> -v root@<hostname>
|
||||||
ssh -i /home/fabrice/.ssh/fabquenneville -v fabrice@servername.fabq.ca
|
ssh -i <keyfile> -v <username>@<hostname>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Enable root login
|
## Enable root login
|
||||||
|
|
||||||
- Modify the SSH configuration file to allow root login.
|
Modify the SSH configuration file to allow root login:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nano /etc/ssh/sshd_config
|
nano /etc/ssh/sshd_config
|
||||||
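Review bot: the scp line under **Copy the generated SSH keys to the remote server** (`scp <keyfile>* <username>@<hostname>:~/.ssh/`) sends the private key to the remote host; only `<keyfile>.pub` is needed there and the private key should stay on the client, so change the glob to `<keyfile>.pub` and fix the bullet that says it copies both keys. In **Skip Host Key Verification**, `StrictHostKeyChecking=accept-new` covers fresh ephemeral hosts without disabling changed-key detection, and for a rebuilt host that keeps its name `ssh-keygen -R <hostname>` removes only the stale entry; `UserKnownHostsFile=/dev/null` should be presented as the last resort for hosts whose key really does change every time. The key-generation example could offer `ssh-keygen -t ed25519` alongside RSA-4096, which is the current default recommendation.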
@ -123,284 +156,203 @@ PermitRootLogin yes
|
|||||||
firewall-cmd --permanent --zone=public --add-service=ssh
|
firewall-cmd --permanent --zone=public --add-service=ssh
|
||||||
```
|
```
|
||||||
|
|
||||||
- `firewall-cmd`: This is the command-line tool used to manage `firewalld`.
|
- `firewall-cmd`: The command-line tool used to manage `firewalld`.
|
||||||
- `--permanent`: This option ensures that the change persists across reboots.
|
- `--permanent`: Ensures that the change persists across reboots.
|
||||||
- `--zone=public`: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
|
- `--zone=public`: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
|
||||||
- `--add-service=ssh`: This adds the SSH service to the specified zone, allowing incoming SSH connections.
|
- `--add-service=ssh`: Adds the SSH service to the specified zone, allowing incoming SSH connections.
|
||||||
|
|
||||||
**Examples of configuring other Linux firewalls**
|
**Examples of configuring other Linux firewalls**
|
||||||
|
|
||||||
1. **Using UFW (Uncomplicated Firewall)**
|
1. **Using UFW (Uncomplicated Firewall)**
|
||||||
|
|
||||||
**Allow SSH traffic**
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ufw allow ssh
|
ufw allow ssh
|
||||||
```
|
```
|
||||||
|
|
||||||
- This command allows incoming SSH traffic through the firewall. UFW is designed to simplify the process of managing a firewall.
|
|
||||||
|
|
||||||
2. **Using iptables**
|
2. **Using iptables**
|
||||||
|
|
||||||
**Allow SSH traffic**
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
|
||||||
```
|
```
|
||||||
|
|
||||||
- `iptables`: This is a low-level tool for managing Linux firewalls.
|
|
||||||
- `-A INPUT`: Appends the rule to the INPUT chain.
|
- `-A INPUT`: Appends the rule to the INPUT chain.
|
||||||
- `-p tcp`: Specifies that this rule applies to TCP packets.
|
- `-p tcp --dport 22`: Matches TCP traffic on port 22.
|
||||||
- `--dport 22`: Indicates that this rule applies to traffic on port 22 (the default SSH port).
|
- `-j ACCEPT`: Accepts the specified traffic.
|
||||||
- `-j ACCEPT`: Instructs the firewall to accept the specified traffic.
|
|
||||||
|
|
||||||
3. **Using nftables**
|
3. **Using nftables**
|
||||||
|
|
||||||
**Allow SSH traffic**
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nft add rule ip filter input tcp dport 22 accept
|
nft add rule ip filter input tcp dport 22 accept
|
||||||
```
|
```
|
||||||
|
|
||||||
- `nft`: The command-line tool for interacting with the nftables framework.
|
|
||||||
- `add rule ip filter input`: Adds a new rule to the input chain of the filter table.
|
- `add rule ip filter input`: Adds a new rule to the input chain of the filter table.
|
||||||
- `tcp dport 22`: Matches TCP packets directed to port 22.
|
- `tcp dport 22`: Matches TCP packets directed to port 22.
|
||||||
- `accept`: Specifies that the matching packets should be accepted.
|
- `accept`: Accepts the matching packets.
|
||||||
|
|
||||||
**Note:** Be sure to reload or restart the firewall service after making changes to apply the new rules effectively.
|
**Note:** Reload or restart the firewall service after making changes to apply the new rules.
|
||||||
|
|
||||||
## SCP (Secure Copy Protocol)
|
## SCP (Secure Copy Protocol)
|
||||||
|
|
||||||
- The `scp` command is used to securely transfer files and directories between local and remote systems over SSH.
|
The `scp` command securely transfers files and directories between local and remote systems over SSH.
|
||||||
|
|
||||||
**Copy Local File to Remote Server**
|
**Copy a local file to a remote server:**
|
||||||
|
|
||||||
To copy a file from your local machine to a remote server, use the following syntax:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
scp /local/file/path fabrice@servername.fabq.ca:/remote/file/path
|
scp <local-path> <username>@<hostname>:<remote-path>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `/local/file/path`: Specify the path to the local file you want to copy.
|
**Copy a directory recursively:**
|
||||||
- `fabrice@servername.fabq.ca`: This is the user and remote server where the file will be copied.
|
|
||||||
- `/remote/file/path`: This is the destination path on the remote server.
|
|
||||||
|
|
||||||
**Copy a Directory**
|
|
||||||
|
|
||||||
To copy an entire directory, use the `-r` option, which stands for "recursive":
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
scp -r /home/fabrice/foldername/ root@servername.fabq.ca:/remote/parent/
|
scp -r <local-path>/ <username>@<hostname>:<remote-path>/
|
||||||
```
|
```
|
||||||
|
|
||||||
- `-r`: This option enables recursive copying of directories and their contents.
|
- `-r`: Enables recursive copying of directories and their contents.
|
||||||
- `/home/fabrice/foldername/`: The path to the local directory you wish to copy.
|
|
||||||
- `root@servername.fabq.ca:/remote/parent/`: The destination path on the remote server where the directory will be copied.
|
|
||||||
|
|
||||||
**Copy a Configuration File Using a Specific SSH Key**
|
**Copy a file using a specific SSH key:**
|
||||||
|
|
||||||
To copy a configuration file while specifying a particular SSH key for authentication, use the following command:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
scp -i /home/fabrice/.ssh/fabquenneville /mnt/workbench/webserver/projectname/config.ini fabrice@servername.fabq.ca:/mnt/workbench/projectname/
|
scp -i <keyfile> <local-path> <username>@<hostname>:<remote-path>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `-i /home/fabrice/.ssh/fabquenneville`: This option specifies the identity file (private key) for authentication.
|
- `-i <keyfile>`: Specifies the identity file (private key) for authentication.
|
||||||
- `/mnt/workbench/webserver/projectname/config.ini`: The path to the local configuration file being transferred.
|
|
||||||
- `fabrice@servername.fabq.ca`: The user and server to which the file is being copied.
|
|
||||||
- `/mnt/workbench/projectname/`: The destination path on the remote server where the file will be stored.
|
|
||||||
|
|
||||||
## Send Remote Commands
|
## Send Remote Commands
|
||||||
|
|
||||||
**Execute Commands Directly on a Remote Server**
|
**Run a local script on a remote server:**
|
||||||
|
|
||||||
You can use the `ssh` command to execute various commands on a remote server. Here are some examples:
|
|
||||||
|
|
||||||
**Run a Local Script on a Remote Server**
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh fabrice@servername.fabq.ca 'bash -s' < /local/path/to/script.sh
|
ssh <username>@<hostname> 'bash -s' < <script-path>
|
||||||
```
|
```
|
||||||
|
|
||||||
- This command will execute the local script located at `/local/path/to/script.sh` on the remote server.
|
|
||||||
|
|
||||||
**Remove a file:**
|
**Remove a file:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh fabrice@192.168.1.100 "rm /home/fabrice/filename.log"
|
ssh <username>@<ip> "rm <remote-path>"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Mount all filesystems:**
|
**Mount all filesystems:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh root@servername.fabq.ca "mount -a"
|
ssh root@<hostname> "mount -a"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Reboot the remote server:**
|
**Reboot the remote server:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh root@servername.fabq.ca "reboot -h now"
|
ssh root@<hostname> "reboot -h now"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Connect using a host key alias:**
|
**Connect using a host key alias:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -o "HostKeyAlias=servername" root@192.168.1.100
|
ssh -o "HostKeyAlias=<alias>" root@<ip>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Test Connection, Add Alias, and Update Known Hosts
|
## Test Connection, Add Alias, and Update Known Hosts
|
||||||
|
|
||||||
**Test Connection with Host Key Alias**
|
**Test connection with host key alias:**
|
||||||
|
|
||||||
Use the following commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the `known_hosts` file.
|
Commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the `known_hosts` file.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -o 'HostKeyAlias=servername.fabq.ca' fabrice@192.168.1.100
|
ssh -o 'HostKeyAlias=<hostname>' <username>@<ip>
|
||||||
ssh -o 'HostKeyAlias=servername' fabrice@192.168.1.100
|
ssh -o 'HostKeyAlias=<alias>' <username>@<ip>
|
||||||
```
|
```
|
||||||
|
|
||||||
**Test Host Identity without Authenticating**
|
**Test host identity without authenticating:**
|
||||||
|
|
||||||
To test the identity of a remote server without fully authenticating and to check connectivity, use the following command:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=servername' fabrice@192.168.1.100 /bin/true
|
ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=<alias>' <username>@<ip> /bin/true
|
||||||
```
|
```
|
||||||
|
|
||||||
- `-e none`: Disables encryption for this command, which is useful in specific testing scenarios.
|
- `-e none`: Disables escape character processing.
|
||||||
- `-o 'BatchMode=yes'`: Ensures that SSH does not prompt for user interaction, making it suitable for scripts.
|
- `-o 'BatchMode=yes'`: Suppresses all prompts, suitable for scripts.
|
||||||
- `/bin/true`: Executes a simple command that always returns success, confirming the connection without further actions.
|
- `/bin/true`: Simple command that always returns success, confirming the connection without further actions.
|
||||||
|
|
||||||
This command allows you to verify that you can connect to the server while avoiding any authentication prompts.
|
**Retrieve public SSH keys from a remote server:**
|
||||||
|
|
||||||
**Retrieve Public SSH Keys**
|
```bash
|
||||||
|
ssh-keyscan -H <hostname>
|
||||||
To retrieve the public SSH keys from a remote server, use the following command:
|
|
||||||
|
|
||||||
```
|
|
||||||
ssh-keyscan -H servername.fabq.ca
|
|
||||||
```
|
```
|
||||||
|
|
||||||
- This command fetches the public SSH keys from the specified server, allowing you to add them to your `known_hosts` file.
|
- Fetches the server's public SSH keys without establishing a full session. Used to pre-populate `known_hosts`.
|
||||||
- It does not establish a full SSH session and is primarily used for key retrieval, which helps ensure secure connections in future interactions.
|
|
||||||
|
|
||||||
By using both commands, you can test connectivity to a remote server and gather its public SSH keys for secure authentication later.
|
**Add an alias to SSH config for easy access:**
|
||||||
|
|
||||||
**Add Alias to SSH Config for Easy Access**
|
|
||||||
|
|
||||||
To simplify your SSH connections, you can create an alias for your SSH connections by editing the `~/.ssh/config` file:
|
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
Host servername
|
Host <alias>
|
||||||
HostName servername.fabq.ca
|
HostName <hostname>
|
||||||
User fabrice
|
User <username>
|
||||||
IdentityFile ~/.ssh/fabquenneville
|
IdentityFile <keyfile>
|
||||||
```
|
```
|
||||||
|
|
||||||
- `Host servername`: This defines the alias you will use for the SSH connection.
|
|
||||||
- `HostName servername.fabq.ca`: This is the actual hostname of the remote server.
|
|
||||||
- `User fabrice`: This specifies the user to log in as.
|
|
||||||
- `IdentityFile ~/.ssh/fabquenneville`: This indicates the SSH key file to use for authentication.
|
|
||||||
|
|
||||||
## Remove Offending SSH Keys
|
## Remove Offending SSH Keys
|
||||||
|
|
||||||
When you encounter an "offending key" warning when connecting to a server, you can remove the old key from the `known_hosts` file. This is necessary if the server's host key has changed.
|
When a server's host key has changed, remove the old entry from `known_hosts`.
|
||||||
|
|
||||||
**View Known Hosts**
|
**View known hosts:**
|
||||||
|
|
||||||
To view the contents of your `known_hosts` file, use:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cat ~/.ssh/known_hosts
|
cat ~/.ssh/known_hosts
|
||||||
```
|
```
|
||||||
|
|
||||||
**Edit Known Hosts Manually (Optional)**
|
**Edit known hosts manually:**
|
||||||
|
|
||||||
You can edit the `known_hosts` file manually if you prefer:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nano ~/.ssh/known_hosts
|
nano ~/.ssh/known_hosts
|
||||||
```
|
```
|
||||||
|
|
||||||
**Update Known Hosts File with SSH Key**
|
**Update known hosts with current server key:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-keyscan -H servername.fabq.ca >> ~/.ssh/known_hosts
|
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
|
||||||
```
|
```
|
||||||
|
|
||||||
- This command retrieves the public key of the specified server and appends it to your `known_hosts` file, allowing SSH to recognize the server during subsequent connections.
|
**Remove offending key by hostname or IP:**
|
||||||
|
|
||||||
**Remove Offending Key by Hostname**
|
|
||||||
|
|
||||||
You can use the `ssh-keygen` command to remove specific keys from your `known_hosts` file. Here are examples for different scenarios:
|
|
||||||
|
|
||||||
- To remove the offending key for a specific server:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-keygen -R "servername.fabq.ca"
|
ssh-keygen -R "<hostname>"
|
||||||
ssh-keygen -R "192.168.1.100"
|
ssh-keygen -R "<ip>"
|
||||||
```
|
```
|
||||||
|
|
||||||
- To specify the `known_hosts` file directly:
|
**Remove offending key specifying the known_hosts file:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh-keygen -f "/home/fabrice/.ssh/known_hosts" -R "servername.fabq.ca"
|
ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<hostname>"
|
||||||
ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.100"
|
ssh-keygen -f "/root/.ssh/known_hosts" -R "<ip>"
|
||||||
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "servername.fabq.ca"
|
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "<hostname>"
|
||||||
```
|
```
|
||||||
|
|
||||||
**Summary of Key Removal**
|
|
||||||
|
|
||||||
You can also use a shorthand command to remove the offending key without specifying the file:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
ssh-keygen -R servername.fabq.ca
|
|
||||||
```
|
|
||||||
|
|
||||||
This will automatically target the correct `known_hosts` file based on your user and system configuration.
|
|
||||||
|
|
||||||
## Change SSH Port
|
## Change SSH Port
|
||||||
|
|
||||||
To enhance security, you may want to change the default SSH port (22) to a custom port. Follow these steps:
|
**1. Edit the SSH configuration file:**
|
||||||
|
|
||||||
**1. Edit the SSH Configuration File**
|
|
||||||
|
|
||||||
Open the SSH daemon configuration file using a text editor:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nano /etc/ssh/sshd_config
|
nano /etc/ssh/sshd_config
|
||||||
```
|
```
|
||||||
|
|
||||||
Edit the following line to set a new port (e.g., port 2222):
|
Set the desired port:
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
Port 2222
|
Port <port>
|
||||||
```
|
```
|
||||||
|
|
||||||
- Locate the line that specifies the port (usually `#Port 22`) and change it to your desired port number (e.g., `Port 2222`).
|
**2. Create directory for systemd override:**
|
||||||
- Make sure to uncomment the line by removing the `#`.
|
|
||||||
|
|
||||||
**2. Create Directory for Systemd Override**
|
|
||||||
|
|
||||||
If you're using systemd, create a directory for the SSH socket override:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
mkdir -p /etc/systemd/system/ssh.socket.d
|
mkdir -p /etc/systemd/system/ssh.socket.d
|
||||||
```
|
```
|
||||||
|
|
||||||
**3. Create an Override Configuration File**
|
**3. Create the override configuration file:**
|
||||||
|
|
||||||
Create or edit the override configuration file for the SSH socket:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
nano /etc/systemd/system/ssh.socket.d/override.conf
|
nano /etc/systemd/system/ssh.socket.d/override.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
- Add the following lines to specify the custom port:
|
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
[Socket]
|
[Socket]
|
||||||
ListenPort=2222 # Replace with your desired port number
|
ListenPort=<port>
|
||||||
```
|
```
|
||||||
|
|
||||||
**4. (Optional) Edit the Sockets Target Configuration**
|
**4. (Optional) Edit the Sockets Target Configuration**
|
||||||
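Review bot: the closing note "Reload or restart the firewall service after making changes to apply the new rules" is wrong for two of the three examples in this hunk. `iptables -A INPUT -p tcp --dport 22 -j ACCEPT` and `nft add rule ip filter input tcp dport 22 accept` take effect immediately, and restarting `nftables.service` (or an iptables persistence service) reloads the on-disk ruleset and discards them. Say instead that `ufw allow ssh` is persistent on its own, while the iptables and nft rules must be saved (`iptables-save`, or `nft list ruleset > /etc/nftables.conf`) to survive a reload or reboot; the nft example also assumes a table `filter` with a chain `input` already exists. Two smaller points in the same hunk: `ssh root@<hostname> "reboot -h now"` mixes the `shutdown -h now` halt syntax with `reboot`; use `reboot` or `shutdown -r now` for the reboot the heading promises. And `ssh-keyscan -H <hostname>` under "Retrieve public SSH keys" trusts whatever answers on the network, so the text should tell the reader to compare the fingerprint (`ssh-keyscan <hostname> | ssh-keygen -lf -`) against one obtained out of band before treating the scanned key as the server's identity.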
@ -411,32 +363,20 @@ You may also want to edit the sockets target configuration to ensure it points t
|
|||||||
nano /etc/systemd/system/sockets.target.wants/ssh.socket
|
nano /etc/systemd/system/sockets.target.wants/ssh.socket
|
||||||
```
|
```
|
||||||
|
|
||||||
- Make any necessary adjustments based on your custom port.
|
**5. Restart the SSH service to apply the changes:**
|
||||||
|
|
||||||
**5. Restart the SSH service to apply the changes**
|
|
||||||
|
|
||||||
After making changes, restart the SSH service to apply the new configuration:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
systemctl restart sshd
|
systemctl restart sshd
|
||||||
```
|
```
|
||||||
|
|
||||||
**6. (Optional) Verify the New Port**
|
**6. Verify the new port:**
|
||||||
|
|
||||||
To verify that SSH is listening on the new port, you can use:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
netstat -tuln | grep LISTEN
|
netstat -tuln | grep LISTEN
|
||||||
```
|
```
|
||||||
|
|
||||||
This will display the ports currently being listened to, allowing you to confirm that your changes were successful.
|
|
||||||
|
|
||||||
## Restart ssh
|
## Restart ssh
|
||||||
|
|
||||||
**Restart the SSH service to apply changes**
|
|
||||||
|
|
||||||
To restart the SSH service, use the following command:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
systemctl restart sshd
|
systemctl restart sshd
|
||||||
```
|
```
|
||||||
|
|||||||
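Review bot: step 5 `systemctl restart sshd` does not pick up the `ListenPort=<port>` written to `/etc/systemd/system/ssh.socket.d/override.conf` in step 3; a drop-in under a `.socket` unit needs `systemctl daemon-reload` followed by a restart of `ssh.socket`, and on socket-activated installs the `Port` line in `sshd_config` is not what decides the listening port anyway. Step 5 should run both, and should say to open `<port>` in the firewall configured earlier on this page before restarting, otherwise a remote session is the last one you get. For step 6, `netstat` is not installed by default on current Debian/Ubuntu; `ss -tlnp | grep ssh` shows the same thing and also names the owning process. The optional step 4, `nano /etc/systemd/system/sockets.target.wants/ssh.socket`, normally edits a symlink to the packaged unit, which is overwritten on the next package upgrade; drop it now that the override directory exists.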
216
notes/storage.md
216
notes/storage.md
@ -11,10 +11,15 @@
|
|||||||
- [Inspect fstab](#inspect-fstab)
|
- [Inspect fstab](#inspect-fstab)
|
||||||
- [Find Device Path from UUID](#find-device-path-from-uuid)
|
- [Find Device Path from UUID](#find-device-path-from-uuid)
|
||||||
- [Power On Hours](#power-on-hours)
|
- [Power On Hours](#power-on-hours)
|
||||||
|
- [Swap](#swap)
|
||||||
- [Partitions and Filesystems](#partitions-and-filesystems)
|
- [Partitions and Filesystems](#partitions-and-filesystems)
|
||||||
|
- [TRIM](#trim)
|
||||||
- [Mounting](#mounting)
|
- [Mounting](#mounting)
|
||||||
- [SMART Diagnostics](#smart-diagnostics)
|
- [SMART Diagnostics](#smart-diagnostics)
|
||||||
|
- [Hardware Monitoring](#hardware-monitoring)
|
||||||
|
- [Kernel Messages](#kernel-messages)
|
||||||
- [Badblocks](#badblocks)
|
- [Badblocks](#badblocks)
|
||||||
|
- [Hex Dump](#hex-dump)
|
||||||
- [Cloning drives and images with dd](#cloning-drives-and-images-with-dd)
|
- [Cloning drives and images with dd](#cloning-drives-and-images-with-dd)
|
||||||
- [Benchmarking](#benchmarking)
|
- [Benchmarking](#benchmarking)
|
||||||
- [USB Devices](#usb-devices)
|
- [USB Devices](#usb-devices)
|
||||||
@ -57,6 +62,14 @@ lsblk -f
|
|||||||
|
|
||||||
- `-f`: Add filesystem type, label, and UUID to the tree.
|
- `-f`: Add filesystem type, label, and UUID to the tree.
|
||||||
|
|
||||||
|
**Exclude loop devices from the listing**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
lsblk -e 7
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-e 7`: Excludes device major number 7 (loop devices), keeping the output clean on systems with many snaps or loop mounts.
|
||||||
|
|
||||||
**Disk space usage for all mounted filesystems**
|
**Disk space usage for all mounted filesystems**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@ -92,6 +105,7 @@ Using `blkid`:
|
|||||||
```bash
|
```bash
|
||||||
blkid | grep <uuid>
|
blkid | grep <uuid>
|
||||||
blkid -U <uuid>
|
blkid -U <uuid>
|
||||||
|
blkid <partition>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Power On Hours
|
### Power On Hours
|
||||||
@ -100,6 +114,15 @@ Check power-on hours across multiple drives at once:
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
for dev in /dev/sd{a,b,c,d}; do echo -n "$dev: "; smartctl -a $dev | grep "Power_On_Hours"; done
|
for dev in /dev/sd{a,b,c,d}; do echo -n "$dev: "; smartctl -a $dev | grep "Power_On_Hours"; done
|
||||||
|
for dev in /dev/sd{a..d}; do echo -n "$dev: "; smartctl -a $dev | grep "Power_On_Hours"; done
|
||||||
|
```
|
||||||
|
|
||||||
|
### Swap
|
||||||
|
|
||||||
|
Check Swap currently used by the system:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
swapon --show
|
||||||
```
|
```
|
||||||
|
|
||||||
## Partitions and Filesystems
|
## Partitions and Filesystems
|
||||||
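Review bot: the `Power_On_Hours` grep in both loop variants only matches the ATA attribute table; for NVMe devices `smartctl -a` prints `Power On Hours:` with spaces, so those drives show an empty line. Use `grep -iE "power.on.hours"` and `-A` instead of `-a` (the attribute table is all that is needed), and quote `"$dev"`. The `{a..d}` form is cleaner than `{a,b,c,d}` but still hard-codes four drives; `smartctl --scan` gives the device list on any host.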
@ -116,6 +139,28 @@ fdisk -l <device>
|
|||||||
fsck <partition>
|
fsck <partition>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## TRIM
|
||||||
|
|
||||||
|
TRIM allows the OS to inform the drive which blocks are no longer in use, maintaining performance on SSDs and NVMe drives over time.
|
||||||
|
|
||||||
|
**Run TRIM once manually across all mounted filesystems:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
fstrim -av
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-a`: Run on all mounted filesystems that support TRIM.
|
||||||
|
- `-v`: Verbose — reports how much space was freed per filesystem.
|
||||||
|
|
||||||
|
**Enable the weekly TRIM timer:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
systemctl enable --now fstrim.timer
|
||||||
|
```
|
||||||
|
|
||||||
|
- Debian/Ubuntu run this weekly by default once enabled.
|
||||||
|
- Check timer status with `systemctl status fstrim.timer`.
|
||||||
|
|
||||||
## Mounting
|
## Mounting
|
||||||
|
|
||||||
**Validate all `fstab` entries**
|
**Validate all `fstab` entries**
|
||||||
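Review bot: `fstrim -av` silently skips a filesystem that sits on LUKS or LVM without discard passthrough, so the text should say that on encrypted volumes TRIM only works once discards are allowed (cryptsetup `--allow-discards`), and that doing so reveals which blocks of the encrypted device are unused; that trade-off belongs next to the `systemctl enable --now fstrim.timer` recommendation. Also, `-v` reports how much was discarded, not "freed": the space was already free, the drive is just being told about it.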
@ -141,6 +186,12 @@ findmnt <device>
|
|||||||
mount | grep <device>
|
mount | grep <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Check active mounts for a specific mountpoint:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cat /proc/mounts | grep <mountpoint>
|
||||||
|
```
|
||||||
|
|
||||||
**Apply fstab changes without rebooting**
|
**Apply fstab changes without rebooting**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
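Review bot: `cat /proc/mounts | grep <mountpoint>` matches substrings, so `grep /mnt/data` also reports `/mnt/data2` and `/mnt/data-old`; since the same section already uses `findmnt <device>`, `findmnt -M <mountpoint>` (exact mountpoint match) is the consistent choice, or at least anchor the pattern with surrounding spaces, `grep " <mountpoint> " /proc/mounts`, which also drops the needless `cat`.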
@ -168,6 +219,13 @@ smartctl -a <device>
|
|||||||
smartctl -i <device>
|
smartctl -i <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
for dev in /dev/sd[a-z] /dev/nvme[0-9]n[0-9]; do
|
||||||
|
echo "--- $dev ---"
|
||||||
|
smartctl -i $dev | grep -Ei "Model|Serial Number|Capacity"
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
**Run a short SMART test:**
|
**Run a short SMART test:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
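Review bot: `for dev in /dev/sd[a-z] /dev/nvme[0-9]n[0-9]` passes the literal string `/dev/nvme[0-9]n[0-9]` to `smartctl` on hosts with no NVMe drives (and likewise the `sd` glob on NVMe-only hosts), because bash leaves an unmatched glob as-is; either `shopt -s nullglob` first or iterate over `smartctl --scan | awk '{print $1}'`, and quote `"$dev"`.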
@ -192,6 +250,133 @@ smartctl -a <device>
|
|||||||
smartctl -A <device>
|
smartctl -A <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**Filter for key health attributes:**
|
||||||
|
|
||||||
|
Check the most important failure indicators in a single line:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
smartctl -A <device> | grep -E "Reallocated|Pending|UDMA_CRC"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Check multiple health attributes at once:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
smartctl -a <device> | grep -E "Power_On_Hours|Load_Cycle_Count|Reallocated_Sector_Ct"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Check temperatures across all drives:**
|
||||||
|
|
||||||
|
Scans all SMART-capable devices and prints their temperature:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
smartctl --scan | awk '{print $1}' | while read dev; do \
|
||||||
|
echo -n "$dev: "; \
|
||||||
|
smartctl -A $dev | grep -iE 'Temperature|Airflow_Temp' | awk '
|
||||||
|
/Temperature_Celsius/ {print $10 "°C"}
|
||||||
|
/Airflow_Temperature_Cel/ {print $10 "°C"}
|
||||||
|
/Temperature:/ {print $2 "°C"}
|
||||||
|
' | head -n 1; \
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
|
**Watch drive temperatures continuously:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
watch -n 5 "smartctl --scan | awk '{print \$1}' | while read dev; do \
|
||||||
|
echo -n \"\$dev: \"; \
|
||||||
|
smartctl -A \$dev | grep -iE 'Temperature|Airflow_Temp' | awk '\
|
||||||
|
/Temperature_Celsius/ {print \$10 \"°C\"} \
|
||||||
|
/Airflow_Temperature_Cel/ {print \$10 \"°C\"} \
|
||||||
|
/Temperature:/ {print \$2 \"°C\"}' | head -n 1; \
|
||||||
|
done"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Hardware Monitoring
|
||||||
|
|
||||||
|
**Install lm-sensors:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
apt install lm-sensors
|
||||||
|
```
|
||||||
|
|
||||||
|
**Detect available sensor chips:**
|
||||||
|
|
||||||
|
Run once after installation to probe for hardware sensors:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sensors-detect
|
||||||
|
```
|
||||||
|
|
||||||
|
**Display current sensor readings:**
|
||||||
|
|
||||||
|
Shows CPU, GPU, and motherboard temperatures, fan speeds, and voltages:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sensors
|
||||||
|
```
|
||||||
|
|
||||||
|
## Kernel Messages
|
||||||
|
|
||||||
|
**Tail the most recent kernel messages:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | tail -n 25
|
||||||
|
```
|
||||||
|
|
||||||
|
**Show only errors and warnings:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg --level=err,warn
|
||||||
|
```
|
||||||
|
|
||||||
|
**Show kernel messages with human-readable timestamps:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg -T
|
||||||
|
```
|
||||||
|
|
||||||
|
**Filter for NVMe events:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i nvme
|
||||||
|
dmesg -w | grep -i nvme
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-w`: Follow — print new messages as they arrive (like `tail -f`).
|
||||||
|
|
||||||
|
**Filter for ATA/SCSI/SATA/NVMe device events:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i -E 'scsi|ata|nvme|sata'
|
||||||
|
```
|
||||||
|
|
||||||
|
**Filter for I/O errors:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i "I/O error"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Filter for ATA/SCSI/SATA/NVMe device errors:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i -E 'scsi|ata|nvme|sata'
|
||||||
|
```
|
||||||
|
|
||||||
|
**Map ATA port number to block device name:**
|
||||||
|
|
||||||
|
When `dmesg` reports an error on e.g. `ata7` and you need to identify which physical drive that is:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ls -l /sys/class/block/ | grep ata<port-number>
|
||||||
|
dmesg -T | grep -iE "ata"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Filter for BTRFS events:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
dmesg | grep -i btrfs
|
||||||
|
```
|
||||||
|
|
||||||
## Badblocks
|
## Badblocks
|
||||||
|
|
||||||
**Read-only test:**
|
**Read-only test:**
|
||||||
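Review bot: the "Filter for ATA/SCSI/SATA/NVMe device errors" block is a verbatim duplicate of the "Filter for ATA/SCSI/SATA/NVMe device events" block a few lines above (same `dmesg | grep -i -E 'scsi|ata|nvme|sata'`); drop one. The pattern itself is noisy: `ata` also matches `sata` and `data`, so anchor it as `'scsi|\bata[0-9]|nvme'`, and the same goes for `ls -l /sys/class/block/ | grep ata<port-number>`, where `ata7` also matches `ata70` through `ata79` (use `grep -w ata<port-number>`). In both temperature loops, `smartctl --scan | awk '{print $1}'` throws away the `-d <type>` that `--scan` emits for each device; keep it with `while read dev _ type _; do smartctl -A -d "$type" "$dev"`, otherwise drives behind SAS/RAID controllers fail to read. Finally, `sensors-detect` is interactive and offers to write to `/etc/modules`; say so, since a reader following "Run once after installation" may not expect prompts.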
@ -221,6 +406,37 @@ Overwrites all data — use only on blank drives or drives to be deleted.
|
|||||||
badblocks -wsv <device>
|
badblocks -wsv <device>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Hex Dump
|
||||||
|
|
||||||
|
Inspect raw bytes on a device directly, useful for verifying partition tables, boot sectors, or investigating corruption.
|
||||||
|
|
||||||
|
**View the first 512 bytes (MBR / partition table):**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
hexdump -C -n 512 <device>
|
||||||
|
```
|
||||||
|
|
||||||
|
**View 1 MB of data starting at a specific offset:**
|
||||||
|
|
||||||
|
```bash
|
||||||
|
hexdump -C -s 1G -n 1M <device>
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-C`: Canonical format — hex on the left, ASCII on the right.
|
||||||
|
- `-n <length>`: Number of bytes to read.
|
||||||
|
- `-s <offset>`: Skip to this offset before reading.
|
||||||
|
|
||||||
|
**Extract readable strings from a raw device:**
|
||||||
|
|
||||||
|
Useful for locating file paths, filenames, or metadata remnants directly on a block device:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
strings <device> | grep -C 200 "<search-term>" > <output-file>.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
- `-C 200`: Show 200 lines of context around each match.
|
||||||
|
- Redirect to a file — output can be very large on multi-TB drives.
|
||||||
|
|
||||||
## Cloning drives and images with dd
|
## Cloning drives and images with dd
|
||||||
|
|
||||||
**Clone a drive or create an image:**
|
**Clone a drive or create an image:**
|
||||||
|
|||||||
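Review bot: "View the first 512 bytes (MBR / partition table)" undersells what `hexdump -C -n 512 <device>` shows on a GPT disk, which is only the protective MBR; the GPT header with its `EFI PART` signature starts at byte 512, so `hexdump -C -n 1024 <device>` (or `-s 512 -n 512`) is the check for modern disks. The `1G`/`1M` suffixes on `-s`/`-n` are a util-linux extension, worth a word since BSD hexdump rejects them. For `strings <device> | grep -C 200 "<search-term>" > <output-file>.txt`, `-C 200` is context in output lines of `strings`, not bytes, so 200 lines may be a few KB or several MB of disk; and because this reads unallocated space too, the output file will contain remnants of deleted files, so it should be written somewhere with restrictive permissions and never onto the device being examined.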