# Linux Tips

General book for all the tips I have found over time.  
Mainly for fixes I needed.

# Common Commands

# Server Administration

## Smartctl

* check all attributes about a drive  
`sudo smartctl -i /dev/sdX -a`

* megaraid controllers (LSI something)  
`sudo smartctl -d megaraid,X -i /dev/sda -a`  
The drive polled (`/dev/sda`) doesn't seem to make a difference here

# LVM - Add new disk and extend FS

### Rescan for newly added disks without rebooting:

The command will iterate over all found host adapters and trigger a rescan.
```
>> for host in /sys/class/scsi_host/*; do echo "- - -" | sudo tee "$host/scan"; ls /dev/sd* ; done
- - -
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb  /dev/sdb1  /dev/sdb2  /dev/sdc  /dev/sdc1
- - -
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb  /dev/sdb1  /dev/sdb2  /dev/sdc  /dev/sdc1
- - -
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb  /dev/sdb1  /dev/sdb2  /dev/sdc  /dev/sdc1  /dev/sdd
- - -
/dev/sda  /dev/sda1  /dev/sda2  /dev/sdb  /dev/sdb1  /dev/sdb2  /dev/sdc  /dev/sdc1  /dev/sdd  /dev/sdd1
```
The output shows when a new drive has been discovered.

### LVM add "physical" disk and extend FS

* Make sure there is a Partition Table and a Partition for LVM  
```
fdisk /dev/<disk>
>> create new gpt table: g
>> create new partition: n
>> set type of partition to lvm: t 
>> show partition codes: L
>> insert type: <type from L (Linux LVM)>
>> write changes: w
```
* Expand existing LVM VG
```sh
pvcreate /dev/<disk-partition>
vgextend <existing-vg> /dev/<disk-partition>
```

* Expand existing LVM LV
```sh
# find the correct logical volume
lvdisplay | grep Path 

# expand found lv
lvresize -l +100%free <lv path>
```

* Expand the ext4 filesystem on it
```sh
resize2fs <lv path>
```

#### Sources:
* Add disk: <https://tylersguides.com/guides/how-to-add-a-disk-to-lvm/>
* Extend FS: <https://www.systutorials.com/extending-a-mounted-ext4-file-system-on-lvm-in-linux/>

# SSD Secure Erase

### Secure erase commands:

Check current status of the disk:
```
>> sudo hdparm -I /dev/sdX

-----
Security:
	Master password revision code = 65534
		supported
	not	enabled   	
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
```

The disk needs to be not locked and not frozen, but enabled.
To enable secure erase, set a password for the master user on the disk.

```
>> sudo hdparm --user-master u --security-set-pass password /dev/sdX

-----
security_password: "password"

/dev/sdd:
 Issuing SECURITY_SET_PASS command, password="password", user=user, mode=high
```

If something else appears, such as I/O errors, check whether the drive is connected to a motherboard port that supports these ATA commands.
E.g. my USB SATA adapter did not, so the commands could not be sent to the drive.

Afterwards we can erase the drive:
```
sudo hdparm --user-master u --security-erase password /dev/sdX

-----
security_password: "password"

/dev/sdd:
 Issuing SECURITY_ERASE command, password="password", user=user
```

After this, the drive should appear unformatted and without a partition table.
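
The status check from the start of this section as a script, an added example that is not part of the original notes: it reads the `Security:` block of `hdparm -I` output and reports whether the drive is enabled, not locked and not frozen. The function names and the sample text are constructed.

```sh
#!/bin/sh
# Added example (not the page author's code): classify the drive state from
# the "Security:" block of `hdparm -I`. Function names are illustrative.

# security_flag TEXT FLAG: print yes / no / unknown for FLAG
# (FLAG is one of: enabled, locked, frozen).
security_flag() {
    printf '%s\n' "$1" | awk -v flag="$2" '
        /^Security:/ { insec = 1; next }
        insec && NF && !/^\t/ && !/^ / { insec = 0 }   # next top-level section
        insec && $1 == flag                { state = "yes" }
        insec && $1 == "not" && $2 == flag { state = "no" }
        END { print (state == "" ? "unknown" : state) }'
}

# erase_state TEXT: print ready / needs-password / locked / frozen / unknown.
erase_state() {
    enabled=$(security_flag "$1" enabled)
    locked=$(security_flag "$1" locked)
    frozen=$(security_flag "$1" frozen)
    case "$enabled:$locked:$frozen" in
        *unknown*) echo unknown ;;
        *:*:yes)   echo frozen ;;
        *:yes:*)   echo locked ;;
        no:*:*)    echo needs-password ;;
        *)         echo ready ;;
    esac
}

# Constructed sample in the layout shown above (tab-indented flags).
# $1 is "not" or "" and goes in front of "enabled".
sample_output() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t%s\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n' "$1"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Real use (needs root and a directly attached SATA port):
#   erase_state "$(hdparm -I /dev/sdX)"
erase_state "$(sample_output not)"   # state before --security-set-pass
erase_state "$(sample_output '')"    # state after --security-set-pass
```

Running `erase_state` before `--security-erase` catches a frozen or locked drive before any erase command is sent.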

# User Management

### SSH2 Public Key to OpenSSH format for SSH Server

To convert a given SSH2 public key to a format that SSH servers can use, run the following command.
It prints the key in the expected format.

```bash
ssh-keygen -i -f /path/to/file
```

# Software Installs

# XFCE Shortcut problems

After installing XFCE I had multiple problems with my hotkeys.

I installed XFCE on Ubuntu with  
`sudo apt-get install xubuntu-desktop`

Every step can be added at  
`Open Menu -> Settings -> Keyboard -> Tab Application Shortcuts.`


# Media Keys

## Next Track
Command: 
`dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2  org.mpris.MediaPlayer2.Player.Next`
Key:  
Press the `Next Track` Media key. 

## Previous Track
Command: 
`dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2  org.mpris.MediaPlayer2.Player.Previous`
Key:  
Press the `Previous Track` Media key. 

## Play/Pause Track
Command: 
`dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.PlayPause`  
Key:  
Press the `Play/Pause` Media key.

## Stop Track
Command: 
`dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Stop`  
Key:  
Press the `Stop` Media key.

Source : [man42.net Blogpost](https://www.man42.net/blog/2014/04/debian-xfce4-spotify/)

# Lockscreen and WhiskerMenu

## Lockscreen

Command:  
`xflock4`  
Key:  
Press the `Super + L` combo for a Windows-like lock.

## WhiskerMenu open on Super

Command:  
`xfce4-popup-whiskermenu`  
Key:  
Press the `Super` Key    

Note: `Super L` will be displayed as the key; it still works as intended.

# ElasticSearch Tips

On error  
```[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]```  
you need to increase the value not on the guest, but on the host server, as the guest has no access to kernel variables.

Append  
```vm.max_map_count = 262144```  
to `/etc/sysctl.conf`.


### too many open files:

Increase `ulimit -Hn` and `ulimit -Sn` to more than 200000
and restart Elasticsearch.

# Programs for QOL [WIP]

The following page lists programs I use on a daily basis.  

##### ZSH

##### OhMyZSH

##### Powerlevel9k

##### Guake

##### WorkRave

##### MysqlWorkbench

##### ConEmu (Windows)
Listed because it's the next best thing to Guake on Windows.  
Supports Bash for Windows, cmd, powershell and more.  
[ConEmu on GitHub](https://conemu.github.io/)

# Arch

# Basic Setup

Missing Japanese / non-ASCII characters: 
```
yay -S noto-fonts-cjk noto-fonts-emoji noto-fonts
```



# nextcloud-client

To get nextcloud-client working with the keychain you need to install the following packages:

* libgnome-keyring
* qtkeychain
* gnome-keyring

Otherwise nextcloud-client will ask for credentials on every login. 

# Splash Screen

Using plymouth & plymouth-encrypt  
Src: [Archwiki](https://wiki.archlinux.org/index.php/Plymouth)

# Grub2

# Schenker XMG P407

#### Installing Xubuntu on the P407

I stumbled across some big problems with nouveau: I could not log in or even turn off the PC properly.

First fix already happens on booting the live-cd.   
You need to change the boot entry for the Installer from:
```
linux options options ... 
to
linux options options nouveau.blacklist=1
```
Press F10 to apply and continue booting.
 
If it still does not work you need to add `acpi=off` additionally.   
If it *still* does not work try `acpi_osi=! acpi_osi=\"Windows 2009\"`

Now install xubuntu to your liking, it **might** not be able to turn off successfully, just ignore that and hard reset the laptop, it should boot normally.  
You need to add the same lines again to the grub bootloader as to the live-cd, so if the grub menu doesn't appear for you, boot from a live cd again and skip the next step. 

Search again for the linux line and add `nouveau.blacklist=1` to the end:
```
linux options options ... 
to
linux options options nouveau.blacklist=1
```
Press F10 to apply and continue booting.

Now log in and edit `/etc/default/grub` as root.  
There you look for the line 
```
GRUB_CMDLINE_LINUX_DEFAULT="options"
```
and replace it with 
```
GRUB_CMDLINE_LINUX_DEFAULT="options nouveau.blacklist=1"
```
and apply it with `sudo update-grub2`.

Now to installing the latest drivers:

Remove all existing drivers on your system and update the cache. 
```
# quote the pattern so the shell does not expand it against local files
sudo apt-get purge 'nvidia*'
sudo apt-get update
```

Now look for the latest nvidia driver via apt-cache
```
sudo apt-cache search nvidia binary
```
and install the latest one (a.k.a the one with the highest number).
There **might** be stability issues, so research a bit if there is a recommended, older one.
In my case I had to install nvidia-384.
```
sudo apt-get install nvidia-384
``` 
The system should now be working.

### Arch/Manjaro on P407

Basically the same as above; I used Manjaro Architect to get a nice i3 feeling going.  
As it does not boot into a window manager, I had no problem with boot parameters. You might need to add the nouveau blacklisting and acpi options if problems ensue (see above).  

Use the manjaro mhwd tool to configure bumblebee and the nvidia drivers for you, easy as 
`sudo mhwd -a pci nonfree 0300`.  

To actually get the nvidia card, your window manager (lightdm or so) and x11 to work together, the acpi settings need to be set to `acpi_osi=! acpi_osi=\"Windows 2009\"`.  
This is done in `/etc/default/grub`, my grub cmdline:
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet udev.log_priority=3 audit=0 acpi_osi=! acpi_osi=\"Windows 2009\""
```


#### the headphone amp is not working

Use the following package to enable the headphone amp.  
It also supports predefined equalizer effects.  
[GitHub init-headphones](https://github.com/Unrud/init-headphone)

# Surface Pro 3 Grub Boot

How to install grub2 in efi after it failed to install it automatically

1. Boot into Ubuntu LiveCD

2. Open a Terminal, access sudo

3. Load the efivars module
    ```
    modprobe efivars
    ```

4. Mount the installed ubuntu partition on /mnt
    ```
    mount /dev/sdaX /mnt
    for i in /dev /dev/pts /proc /sys; do mount --bind "$i" "/mnt$i"; done
    ```
    Mount the efi partition in the ubuntu system partition
    ```
    mount /dev/sdaX /mnt/boot/efi
    ```

5. Chroot into mnt
    ```
    chroot /mnt
    ```

6. Check if you got access to the efi boot manager entries
    ```
    efibootmgr -v
    ```
    **If you get errors like Input/Output error for Boot0003 or so you have to enter the entries manually later.**

7. Install grub:
    ```
    apt-get update && apt-get install --reinstall grub-efi
    grub-install
    update-grub
    ```

    **If you got no error you should be done.**  
    **If you got an error on efibootmgr before you are NOT done.**

8. Open another terminal with sudo access

9. Look up all boot entries with
    ```
    efibootmgr -v
    ```
    delete all unused entries with
    ```
    efibootmgr -b <X> -B
    ```

    * -b X defines the Boot000X number
    * -B removes

10. Add the boot entry for your system
    ```
    efibootmgr -c -d /dev/sda -p X -L "BootEntryName" -l "\efi\ubuntu\grubx64.efi"
    ```
    * -c creates new entry -d is the disk -p is the sdaX entry of the EFI partition
    * -L is the shown Name on the Grub Loader -l is the path on the EFI Partition to the loader

    on ubuntu it **SHOULD BE** `\efi\ubuntu\grubx64.efi` but verify first!  
    **YES BACKSLASHES NEEDED**

# Fixing missing EFI Boot Entry on mainboard firmware

Somehow my laptop did not want to boot into my Arch Linux installation anymore. The only message I received was a "No Operating System found" error.
After backing up the data on the disk, I booted into an Ubuntu live image to investigate further.

First, I verified that a valid EFI partition was on the disk and that the EFI/GRUB/grubx64.efi file was on it.
The EFI boot partition looked fine; however, the laptop itself did not have any valid UEFI selection entry for the disk except the entire disk itself.

Using the tool 'efibootmgr', I checked all UEFI entries for the laptop, and surprise, there was none for Arch Linux. So I added one using the following efibootmgr command. 

```
sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch Linux" --loader \\EFI\\GRUB\\grubx64.efi
```

Relevant text from source on reddit: 

```
Not sure if it's the same problem, but I think it's worth checking anyway.
I had trouble booting from an SSD when I tried to put it into another PC and it wouldn't see it as a bootable device.
Turns out I had to add a corresponding boot entry to the so-called NVRAM on the motherboard.
You may have skipped this step during the installation process somehow.
Try running efibootmgr from a live environment to see the current entries. 
If it's not listed there, you can create it by doing something like this:
sudo efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch Linux" --loader \\EFI\\GRUB\\grubx64.efi
where /dev/nvme0n1 is the device with the EFI partition, and \\EFI\\GRUB\\grubx64.efi is the path to your loader's EFI application.
```
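
Both the Surface Pro 3 steps and the fix above start from reading `efibootmgr -v` and looking for an entry that points at the right loader. The following added example (not part of the original notes or the quoted post) does that check on captured output; the function names and the sample, with its abbreviated device paths, are constructed.

```sh
#!/bin/sh
# Added example (not the page author's code): look in `efibootmgr -v` output
# for an entry that points at a given loader path.

# boot_entry_for TEXT LOADER: print the number of the first BootXXXX entry
# whose line contains LOADER (fixed string, case-insensitive), else nothing.
boot_entry_for() {
    printf '%s\n' "$1" | grep -E '^Boot[0-9A-Fa-f]{4}' | grep -iF -- "$2" |
        sed -n '1s/^Boot\([0-9A-Fa-f]\{4\}\).*/\1/p'
}

# entry_status TEXT LOADER: print missing / inactive / not-in-bootorder / ok.
entry_status() {
    num=$(boot_entry_for "$1" "$2")
    [ -n "$num" ] || { echo missing; return 0; }
    # Active entries carry an asterisk directly after the number.
    printf '%s\n' "$1" | grep -q "^Boot$num\\*" || { echo inactive; return 0; }
    printf '%s\n' "$1" | grep -i '^BootOrder:' | grep -qi "$num" ||
        { echo not-in-bootorder; return 0; }
    echo ok
}

# Constructed sample; "HD(1,GPT,...)" stands in for the full device path.
SAMPLE='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,...)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* ubuntu HD(1,GPT,...)/File(\EFI\ubuntu\grubx64.efi)
Boot0002  Arch Linux HD(1,GPT,...)/File(\EFI\GRUB\grubx64.efi)'

# Real use from the live environment:
#   entry_status "$(efibootmgr -v)" '\EFI\GRUB\grubx64.efi'
entry_status "$SAMPLE" '\efi\ubuntu\grubx64.efi'            # present and active
entry_status "$SAMPLE" '\EFI\GRUB\grubx64.efi'              # present, no asterisk
entry_status "$SAMPLE" '\EFI\systemd\systemd-bootx64.efi'   # no such entry
```

A result of `missing` is the situation described above, where the entry has to be created with `efibootmgr --create`.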

# Hardening

# SSHD Hardened config [2018]

```
#	

# This is Havoks hardened sshd_config
# Settings have been taken from https://infosec.mozilla.org/guidelines/openssh

Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

Protocol 2
# keys are default generated, but might need new keys as e.g. rsa is only 2048 bits long
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# only use strong ciphers and macs
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Logging
LogLevel VERBOSE
Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Disable Root Login
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3

# only enable pubkey
AuthenticationMethods publickey

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
UsePAM yes

X11Forwarding no
PrintMotd no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
AllowUsers markus 

IgnoreRhosts yes
```
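
To confirm that a running server actually uses these settings, the effective configuration printed by `sshd -T` can be compared with them. The script below is an added example, not part of the original config or of the Mozilla guideline; `audit_sshd` and the sample text are constructed, and the algorithm lists are copied from the file above.

```sh
#!/bin/sh
# Added example (not the page author's code): audit `sshd -T` output against
# the hardened settings above. audit_sshd and SAMPLE are constructed names.
KEX_OK="curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
CIPHERS_OK="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
MACS_OK="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

# audit_sshd TEXT: print one line per deviation, nothing if TEXT complies.
audit_sshd() {
    printf '%s\n' "$1" | awk -v kex="$KEX_OK" -v ciphers="$CIPHERS_OK" -v macs="$MACS_OK" '
        BEGIN {
            want["permitrootlogin"] = "no"; want["permitemptypasswords"] = "no"
            want["x11forwarding"] = "no";   want["ignorerhosts"] = "yes"
            want["authenticationmethods"] = "publickey"
            allow["kexalgorithms"] = kex; allow["ciphers"] = ciphers; allow["macs"] = macs
        }
        NF < 2 { next }                       # skip blank or value-less lines
        { key = tolower($1); seen[key] = 1 }
        (key in want) && $2 != want[key] { print key ": " $2 " (expected " want[key] ")" }
        key == "maxauthtries" && $2 + 0 > 3 { print key ": " $2 " (expected <= 3)" }
        (key in allow) {
            n = split($2, offered, ",")
            for (i = 1; i <= n; i++)
                if (index("," allow[key] ",", "," offered[i] ",") == 0)
                    print key ": " offered[i] " is not in the hardened list"
        }
        END {
            for (k in want)  if (!(k in seen)) print k ": not present in input"
            for (k in allow) if (!(k in seen)) print k ": not present in input"
        }'
}

# Constructed sample: root login allowed, six auth tries, one CBC cipher.
SAMPLE='permitrootlogin yes
permitemptypasswords no
maxauthtries 6
authenticationmethods publickey
x11forwarding no
ignorerhosts yes
kexalgorithms curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com'

# Real use, as root:  audit_sshd "$(sshd -T)"
audit_sshd "$SAMPLE"
```

Run `sshd -t` first to catch syntax errors in the edited file before restarting the service.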