How To: List what Procs are using the Lib in Linux

LsOF

Find the Procs

After upgrading a package that provides a shared library used by many other processes (OpenSSL's libcrypto is the classic case), every process started before the upgrade keeps the old copy mapped in memory until it is restarted. Instead of rebooting the server for the new library to take effect, the affected processes can be restarted, or HUPed, individually. The first step is finding them.

Before we begin, lsof needs to be installed.
# RHEL / CentOS
~$ yum install lsof

# Debian / Ubuntu
~$ apt-get install lsof

In the following example, we list which processes are using the libcrypto library on Raspbian.
~$ lsof /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 551 root mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
ntpd 2321 ntp mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
sshd 6643 root mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
sshd 6649 meow mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0
openvpn 30044 nobody mem REG 179,2 1418532 10074 /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0

One caveat: lsof with a path argument matches by file, and a package upgrade normally unlinks the old library and installs a new inode at the same path. Processes that were started before the upgrade still map the old, now deleted file, so checking the new path can miss exactly the processes you care about. On Linux those stale mappings show up with a trailing "(deleted)" in /proc/PID/maps, and lsof lists them with DEL in the FD column; grepping for either is the reliable test.

Next, the affected processes can be restarted. A plain SIGHUP only helps when the daemon re-executes itself on that signal (sshd does; most daemons merely reload their configuration and keep the old library mapped), so prefer a full restart through the service manager:
~$ service [SERVICENAME] restart
~$ systemctl restart [SERVICENAME]
~$ kill -HUP 31337
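The check for stale, deleted library mappings described above, as an added example that is not part of the original post. It reads /proc/PID/maps directly rather than relying on lsof; the SAMPLE_MAPS lines are constructed here for demonstration, and reading other users' maps requires root.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still map
# a shared library whose file was replaced by a package upgrade. Such
# mappings appear in /proc/PID/maps with a trailing "(deleted)" (lsof shows
# them as FD type DEL). Needs a Linux /proc; other users' maps need root.

# Constructed sample in /proc/PID/maps format, used for the demo below:
# address perms offset dev inode path [(deleted)]
SAMPLE_MAPS='7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:02 10074 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a1c1c0000-7f3a1c1c4000 r--p 001bf000 08:02 10074 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f3a1c200000-7f3a1c260000 r-xp 00000000 08:02 10080 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c300000-7f3a1c301000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c401000 r-xp 00000000 08:02 2233 /tmp/old-helper.so (deleted)'

# parse_maps PATTERN
#   Reads maps-style lines on stdin and prints, once each, the paths of
#   mapped files that match PATTERN (an awk regex) and are marked "(deleted)".
#   Anonymous mappings have fewer fields and are skipped.
parse_maps() {
    awk -v pat="$1" '
        NF >= 7 && $6 ~ pat && $NF == "(deleted)" { print $6 }
    ' | sort -u
}

# stale_lib_procs PATTERN
#   Walks every process and prints "PID COMMAND PATH" for each deleted
#   library matching PATTERN that the process still has mapped.
stale_lib_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable unless root or own process
        pid=${maps#/proc/}; pid=${pid%/maps}
        parse_maps "$1" < "$maps" | while read -r path; do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Usage: ./stale-libs.sh libcrypto      (as root, right after the upgrade)
# Without an argument, run the parser over the constructed sample instead.
if [ $# -gt 0 ]; then
    stale_lib_procs "$1"
else
    printf '%s\n' "$SAMPLE_MAPS" | parse_maps libcrypto
fi
```

Each PID printed is a process to restart; an empty result after `stale_lib_procs libcrypto` means no running process is still on the old library.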

How To: Encrypt/Decrypt File with OpenSSL

Encryption/Decryption

Encrypt/Decrypt File

When the confidentiality of a file is critical, such as the private key belonging to an X.509 certificate or other sensitive documents, OpenSSL (or an equivalent tool) can be used to secure the file with strong encryption and, hopefully, a strong password. Be aware that openssl enc on its own gives confidentiality only: AES-CBC has no integrity protection, so a tampered ciphertext is not detected, and a wrong password typically ends in "bad decrypt" or garbage output rather than a clean error. If integrity also matters, add a MAC over the ciphertext or use a tool that provides authenticated encryption.

OpenSSL is generally available on all UNIX variants, can be downloaded as an executable for Windows, and its libcrypto library is linked into many other applications.

If you need help picking a strong password, I'd recommend StrongPasswordGenerator.Com. Never share the password with the receiving party over the same medium as the file transmission; send it out of band, over an SMS, a telephone call or similar.

In the following example, we take a file and encrypt it with AES-256-CBC, protecting it with a password and adding a random salt so that the same password does not produce the same key twice. The output goes to a newly created file. Two notes for current releases: -salt has been the default for years, and on OpenSSL 1.1.1 or newer you should also pass -pbkdf2 (optionally with -iter N), because the default key derivation is a single hash iteration over password and salt, which makes offline password guessing cheap. The passwords below are shown only for illustration; openssl does not echo them at the prompt.

~$ openssl enc -salt -aes-256-cbc -in TuxPics.tgz -out TuxPics.tgz.enc
enter aes-256-cbc encryption password: q55Tc9Hp68-Ry4d
Verifying - enter aes-256-cbc encryption password: q55Tc9Hp68-Ry4d

The content of TuxPics.tgz.enc looks like a random string of bytes to Eve while it is in transit on the open network.

In the next example, we do the reverse: decrypt the file using the same password and write the output to a new file (the > redirect overwrites the target, it does not append).

~$ openssl enc -aes-256-cbc -d -in TuxPics.tgz.enc > TuxPics.tgz
enter aes-256-cbc decryption password: q55Tc9Hp68-Ry4d

In case the file type is not obvious from the decryption result, the "file" command can be used when running Linux.

Example:
~$ file TuxPics.tgz
TuxPics.tgz: gzip compressed data
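The same encrypt/decrypt flow with the two weaknesses noted above addressed, as an added example that is not part of the original post: the key is derived with PBKDF2, and an HMAC-SHA256 tag over the ciphertext is verified before anything is decrypted, so a modified file is rejected instead of producing garbage. It assumes OpenSSL 1.1.1 or newer; the FILEPASS variable, ITER value, mac_key labelling and the .hmac sidecar file are conventions of this example, not of openssl.

```shell
#!/bin/sh
# Added example, not from the original post: password-based file encryption
# with openssl enc that (1) derives the key with PBKDF2 instead of the legacy
# single-pass KDF and (2) adds an HMAC-SHA256 tag so a modified ciphertext is
# rejected before it is ever fed to the decryptor (CBC alone has no integrity).
# Assumes OpenSSL 1.1.1 or newer. The passphrase comes from the FILEPASS
# environment variable so it never appears on the command line (visible in ps).
# ITER must be identical on both sides: openssl stores only the salt in the
# "Salted__" header, not the iteration count.

ITER=200000

# mac_key: a MAC key derived from the passphrase under a fixed label, so the
# encryption key (PBKDF2 of passphrase+salt) and the MAC key are distinct.
mac_key() {
    printf 'file-hmac-key:%s' "$FILEPASS" | openssl dgst -sha256 | sed 's/^.*= //'
}

# hmac_of FILE: hex HMAC-SHA256 of FILE under mac_key
hmac_of() {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(mac_key)" "$1" | sed 's/^.*= //'
}

# enc_file PLAINTEXT CIPHERTEXT: writes CIPHERTEXT and CIPHERTEXT.hmac
enc_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -pass env:FILEPASS -in "$1" -out "$2"
    hmac_of "$2" > "$2.hmac"
}

# dec_file CIPHERTEXT PLAINTEXT: verifies CIPHERTEXT.hmac first, then decrypts.
# Returns 1 without creating PLAINTEXT if the tag does not match.
dec_file() {
    expected=$(cat "$1.hmac")
    actual=$(hmac_of "$1")
    if [ "$expected" != "$actual" ]; then
        echo "$1: HMAC mismatch (file modified or wrong passphrase), refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass env:FILEPASS -in "$1" -out "$2"
}

# Usage:
#   FILEPASS='...' ./enc.sh enc TuxPics.tgz TuxPics.tgz.enc
#   FILEPASS='...' ./enc.sh dec TuxPics.tgz.enc TuxPics.tgz
case ${1:-} in
    enc) enc_file "$2" "$3" ;;
    dec) dec_file "$2" "$3" ;;
esac
```

Send the .hmac file along with the ciphertext. The tag comparison is a plain shell string compare and therefore not constant-time; that is acceptable for files verified offline, but for anything an attacker can query repeatedly, use a tool with built-in authenticated encryption instead.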

Have fun!

How To: Run a Command Quickly on Remote Server using SSH

Linux "Cluster"

When working in a clustered Linux environment with two or more servers, it is not uncommon to switch back and forth between the hosts, even if it is only to run one command.

SSH is a powerful tool; it can do a lot more than act as a remote shell or tunnel traffic. One of those features is sending a command string to the server and fetching the output.

Assuming you have an account on the remote server (and root, since netstat -p only shows the PID and program name for sockets owned by your own processes otherwise), the command works as follows:

Example:
~$ ssh user@gamma.example.com "netstat -tulpna|grep -i established"
user@gamma.example.com's password: *****
...Output...

For an even smoother experience, authenticate with SSH keys (ideally through ssh-agent) instead of typing the password each time.
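The same idea extended to every host of a small cluster, as an added example that is not part of the original post. It runs one command per host non-interactively, prefixes each output line with the host name and returns how many hosts failed. It assumes key-based authentication and that every host key is already in known_hosts; with BatchMode=yes ssh fails rather than prompting. The SSH_BIN variable is a convention of this example that allows the reporting logic to be exercised without real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: run one command on each host of
# a small cluster over SSH, non-interactively, and report per-host results.
# Assumes key-based auth (ssh-agent or ~/.ssh/id_*) and that every host key
# is already in known_hosts. SSH_BIN is overridable for testing.

SSH_BIN=${SSH_BIN:-ssh}

# run_on_hosts USER COMMAND HOST...
#   Prints "HOST> line" for each output line and "HOST rc=N" per host, and
#   returns the number of hosts on which ssh or the remote command failed
#   (rc=255 is ssh itself failing; anything else is the remote exit status).
run_on_hosts() {
    user=$1; cmd=$2; shift 2
    failed=0
    for host in "$@"; do
        if out=$("$SSH_BIN" -o BatchMode=yes -o StrictHostKeyChecking=yes \
                    -o ConnectTimeout=5 -- "$user@$host" "$cmd" 2>&1); then
            rc=0
        else
            rc=$?
            failed=$((failed + 1))
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed "s/^/$host> /"
        fi
        printf '%s rc=%s\n' "$host" "$rc"
    done
    return "$failed"
}

# Usage: ./cluster-run.sh root 'netstat -tulpna | grep -i established' alpha beta gamma
if [ $# -ge 3 ]; then
    run_on_hosts "$@"
fi
```

The quoting matters: the whole remote pipeline is passed as one argument, so the pipe runs on the remote host, not locally. The return value wraps at 256, which is fine for a handful of hosts but not as a count for a large fleet.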

How To: Linux – View Squid Proxy’s Active Cache Store

Squid Cache

Ever wanted to see what is going through Squid's cache right now, but got immediately discouraged by all the timestamps, SWAPOUT, RELEASE and other cache fields?

I have a one-liner for you! (Note the https? in the pattern: http? would match "htt" as well as "http" and never match an https URL.)
~ # tail -f /var/log/squid/store.log|grep -oE '\b(https?)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'

This prints the URLs of objects passing through Squid's store in real time (store.log records cache store events such as SWAPOUT and RELEASE, not every request; for every request, read access.log instead). It can be added to a bash alias for quick access:
alias squidcache="tail -f /var/log/squid/store.log|grep -oE '\b(https?)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'"

Or simply run it against the whole log as-is:
~ # grep -oE '\b(https?)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]' /var/log/squid/store.log
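The URL extraction above wrapped in reusable functions, plus a per-host tally, as an added example that is not part of the original post. The SAMPLE_STORE_LOG lines are constructed in store.log's field layout for demonstration; the log path is assumed to be /var/log/squid/store.log.

```shell
#!/bin/sh
# Added example, not from the original post: pull URLs out of Squid's
# store.log and tally them per host. SAMPLE_STORE_LOG is constructed here in
# store.log's format (time action dir file# hash status date lastmod expires
# type expect/real-len method url); the real log path is assumed below.

SAMPLE_STORE_LOG='1068527405.962 SWAPOUT 00 0000AB72 F48BA8A6A6FC36FDCF3E34C50C8A2C1A  200 1068527405 1068521926 1068536405 image/gif 5000/5000 GET http://www.example.com/images/logo.gif
1068527406.113 RELEASE 00 0000AB73 0B4C2D1E9A8F7B6C5D4E3F2A1B0C9D8E  200 1068527406 -1 -1 text/html 2048/2048 GET https://secure.example.net/login?next=/home
1068527407.001 SWAPOUT 00 0000AB74 11223344556677889900AABBCCDDEEFF  200 1068527407 -1 -1 text/plain 10/10 GET cache_object://localhost/info
1068527408.420 SWAPOUT 00 0000AB75 AABBCCDDEEFF00112233445566778899  200 1068527408 -1 -1 text/css 512/512 GET http://www.example.com/style.css'

URL_RE='https?://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]'

# squid_urls: stdin -> one http(s) URL per line. Lines without an http(s)
# URL (e.g. cache_object:// entries) produce nothing.
squid_urls() {
    grep -oE "$URL_RE"
}

# squid_top_hosts: stdin -> "COUNT HOST" lines, busiest host first
squid_top_hosts() {
    squid_urls | sed -E 's#^https?://([^/]+).*#\1#' | sort | uniq -c | sort -rn
}

# squid_live [LOGFILE]: follow the log across rotation (-F) and print URLs as
# they arrive. --line-buffered (GNU grep) stops grep from holding output back
# when its stdout is a pipe rather than a terminal.
squid_live() {
    tail -F "${1:-/var/log/squid/store.log}" | grep --line-buffered -oE "$URL_RE"
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_STORE_LOG" | squid_top_hosts
```

For a live view run `squid_live`; for a quick "who is hitting what" summary, `squid_top_hosts < /var/log/squid/store.log | head`.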

Confessions of a SysOP – Linux Enthusiasm in the Enterprise Environment

Dell RHEL 6

I used to be highly enthusiastic about open and free information technology, and I still am to some extent, but the workplace made me think critically in a new way.

Ever since my first introduction to Linux a couple of years ago, running as a Knoppix Live DVD on my parents' old HP 3GHz Pentium 4, I've had a constant buzz from all the quirky and cool features. It didn't take long until I discovered and familiarized myself with the shell, and learned about its place in the operating system. How could I have missed this?

Soon thereafter, I gathered the courage to install it for the first time. This time on an old Packard Bell laptop. Ubuntu 6.04 was my system of choice at the time, and to this day I don’t regret it. I’ve always felt that Debian has a more Human touch.

Fast-forward a couple of years and I'm studying this marvelous OS, for two years, full time. My initial experience was nothing short of a technological enlightenment. Linux or not, *nix systems have a very colorful history and have always had a place in IT infrastructure. Here, I was taught what Linux does best, in the elusive Enterprise Environment (that phrase still gives me chills).

Business critical server services such as DNS, SMTP, SQL, HTTP, NFS, FTP, Certificate signing and various applications hosted -on none other than- Linux. What else? Who wouldn’t?

Then came the work environment. There I learned, the hard way, that not everyone is so understanding.

Why, for example, would the web developer ask me to "chmod 777" every file in the application directory and run "./start-crappyenterpriseapp.sh", owned by and running as user root (!!!)?

Or, perhaps, order a publicly accessible file server and emphasize security, noting that user directories should be chrooted and not be able to access each other. Challenge accepted. Two weeks later: "Could we make it so that user A can read/write in the home directories of users C, D and E? Also, could we use FTP instead of that pesky SFTP? It's time-consuming emailing keys" (…).

How about receiving the request: "Could we add the zone company.local to your public authoritative name server? All our servers, internal and public, already use it as their primary DNS server. Adding a couple of company.local sub-domains there would be a quick fix. Right?" (… no).

Never let them see you bleed.