Scratchpad for : xxvAwesome tools for sysadmin tasks:
- Pretty noisy by default, but I've been working on a quieter version of logcheck which some of the more common-to-disabled things disabled
- easy, incremental, encrypted backups
- for communicating to your users by way of their external email addresses
- block ssh scanners
- prevent your users from setting stupid passwords. As Linux's weaknesses come from getting user-level access to a machine, it's generally a good idea to prevent attackers from getting in to start.
- Dumps tons of useful information about a machine's hardware including things like used slots, model numbers, and system capabilities.
check file md5sums against known-good package md5sums
debsums -c -r /mnt/mountpath
find all un-owned executable files that are in the path
find `echo $PATH|sed -e 's/:/ /g'` -type f -perm +ogu=x |xargs dpkg -S |sed -re 's/dpkg: (.*) not found\./\1/ p; d'
find all unowned binaries in the whole system
find / -type f -executable -print0 |xargs -0 dpkg -S 2>&1 |sed -re 's/dpkg: (.*) not found\./\1/ p; d'
find all unowned binaries in the whole system, where /mnt is your FS's mountpoint
find /mnt -type f -perm +ogu=x |sed -e 's/\/mnt//' |xargs dpkg --root=/mnt -S 2>&1 |sed -re 's/dpkg: (.*) not found\./\1/ p; d'
find all files and directories writable by www-data
find / -user www-data -perm /u+w,g+w
fix all htaccess or php scripts, so they can't be written by a compromised www server.
find / -name .htaccess -or -name \*.php -user www-data -print0 | xargs -0 chown root
find all files writable by www-data that are potentially unsafe
find / -type f -user www-data -perm /u+w,g+w -print0 |xargs -0 file |grep -v -E '((GIF|JPEG|PNG) image data|CSS|ASCII English text|ASCII text|PDF document|HTML document text|ASCII mail text|Macromedia Flash data|Macromedia Flash Video)'