
Oct 18 / 2017

Update CA trusted root certificates on Linux server

If you’re getting many “untrusted issuer” alerts in your app logs, it might be because some of the CA trusted root certificates on the server are outdated.
To fix that, just update the CA bundle:

For Ubuntu/Debian

update-ca-certificates

For CentOS/RedHat

update-ca-trust extract
Oct 04 / 2017

Write multiple lines to file in bash (script)

If you need to push multiple lines into one file from a bash script, you can simply use this syntax (the body lines below are placeholders; the original ones did not survive on the page):

cat > /etc/ntp.conf << _NTPconf_
# configuration lines go here
_NTPconf_

Tip: Be aware that if you’re using indentation, the closing delimiter line must not be indented (otherwise the shell never finds the end of the heredoc and you get errors).

If you want to append lines instead of overwriting the file (as in the previous example), just replace “>” with “>>” after the cat command:

cat >> /etc/ntp.conf << _NTPconf_
# configuration lines go here
_NTPconf_
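Both forms in one runnable script, as an added example that is not part of the original post: it writes a file with an unquoted-delimiter heredoc (variables expand), then appends with a quoted delimiter (body copied literally). The target path is passed as $1 and the content lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: write a multi-line file with a heredoc, then append to it.
# The target path is passed as $1; the content lines are constructed placeholders.
write_conf() {
  out="$1"
  driftfile="/var/lib/ntp/ntp.drift"
  # Unquoted delimiter: $variables and $(commands) in the body are expanded,
  # so only use it when the body is yours and you want that expansion.
  cat > "$out" << _NTPconf_
# constructed sample content
driftfile $driftfile
_NTPconf_
  # Quoted delimiter: the body is copied literally, nothing is expanded.
  # ">>" appends instead of overwriting. The terminator must start in column 1
  # (with "<<-" the shell strips leading tabs, but never spaces).
  cat >> "$out" << '_NTPconf_'
# literal line: $driftfile and $(date) stay as typed
_NTPconf_
}
# Number of lines the file ends up with.
line_count() { wc -l < "$1" | tr -d ' '; }
```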
Sep 09 / 2017

Find IPs connecting to a postfix server through logs

There’s no easy way to list all the IPs connecting to your postfix server to send mail, but you can easily extract them from your postfix logs.

For our example, we will consider the postfix logs to be in the default location, /var/log/maillog.

Here is what a postfix log line looks like when a connection is received:

Sep  1 10:22:32 mail-server-01 postfix/smtpd[700]: connect from ha-lb-03[]

To extract only the IPs, we combine a few commands:

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u
  • grep " connect from " /var/log/maillog keeps every line containing a connection attempt (the leading space excludes "disconnect from" lines)
  • cut -d '[' -f3 |cut -d ']' -f1 extracts the IP from the line (it sits between the [] after the client hostname)
  • sort -u sorts the output and keeps unique values only

Here is what we get as a result once the command has run (nothing appears until it has finished):

$ grep " connect from " /var/log/maillog |cut -d '[' -f3 |cut -d ']' -f1 |sort -u

You can obviously reuse this command for any log file you want to filter by adjusting the grep pattern.
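The same pipeline run over a constructed maillog, as an added example not from the original post, plus a per-IP connection count (the usual next step when one client is hammering smtpd). The log lines and addresses are made up.

```shell
#!/bin/sh
# Added example: extract unique client IPs from postfix smtpd "connect from"
# lines and count connections per IP. The log lines below are constructed.
make_sample_log() {
  cat > "$1" << 'EOF'
Sep  1 10:22:32 mail-server-01 postfix/smtpd[700]: connect from ha-lb-03[192.0.2.10]
Sep  1 10:22:33 mail-server-01 postfix/smtpd[700]: disconnect from ha-lb-03[192.0.2.10]
Sep  1 10:23:01 mail-server-01 postfix/smtpd[702]: connect from unknown[198.51.100.7]
Sep  1 10:23:05 mail-server-01 postfix/smtpd[702]: connect from unknown[198.51.100.7]
Sep  1 10:24:11 mail-server-01 postfix/smtpd[703]: connect from ha-lb-03[192.0.2.10]
Sep  1 10:25:40 mail-server-01 postfix/smtpd[704]: connect from ha-lb-03[192.0.2.10]
EOF
}
# Same pipeline as the post: the leading space in " connect from " is what keeps
# the "disconnect from" line out; the IP is the text between the second [ and ].
unique_ips() {
  grep " connect from " "$1" | cut -d '[' -f3 | cut -d ']' -f1 | sort -u
}
# Connection count per IP, busiest first: quick way to spot a noisy sender.
ip_counts() {
  grep " connect from " "$1" | cut -d '[' -f3 | cut -d ']' -f1 | sort | uniq -c | sort -rn
}
```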

Aug 02 / 2017

Connect to serial/console terminal with MacOS using screen

It’s possible to connect to a serial console on macOS without a dedicated app, using only screen.

First, you need to find the device you will use to connect to the serial console. Depending on your setup and your adapter, it can appear under different names; try one of these commands:

$ ls /dev*/usb*
ls: /dev*/usb*: No such file or directory
$ ls /dev/tty*usb*
/dev/tty.usbserial

Here, we can see that our device is available as /dev/tty.usbserial

If you have any doubt about the screen command, you can check its documentation; the relevant part about the console connection is:

If  a  tty  (character  special  device)  name  (e.g.  "/dev/ttya") is specified as the first parameter, then the window is directly connected to this device.  This window type is similar to "screen cu -l /dev/ttya".  Read and write access is required on the device node, an exclusive open is attempted on the node to mark the connection line as busy. An optional parameter is allowed consisting of a comma separated list of flags in the notation used by stty(1):
    [1200,9600,19200] - First parameter is the baud rate        
        Usually 300, 1200, 9600 or 19200. This affects transmission as well as receive speed.
    cs8 or cs7
        Specify the transmission of eight (or seven) bits per byte.
    ixon or -ixon
        Enables (or disables) software flow-control (CTRL-S/CTRL-Q) for sending data.
    ixoff or -ixoff
        Enables (or disables) software flow-control for receiving data.
    istrip or -istrip
        Clear (or keep) the eight bit in each received byte.

For example, if you want to connect to the serial port with these parameters:

  • 9600 bps
  • 8 data bits
  • software flow control

You can just use this command:

$ screen /dev/tty.usbserial 9600,cs8,ixon

Hint: if you’re using a specific adapter (like a DB9/RS232-to-USB adapter), you will probably need to install its driver first for the device to appear.

Jul 22 / 2017

Get CPU/RAM usage per process on Linux

When you’re facing performance issues, it’s always useful to check CPU/MEM usage per process to see if you have an issue with a specific process. For that, you can use ps and some sorting commands.

Tip: You can limit the results to the first lines by using head.

Memory analysis

We’re using the --sort -rss option to get the results sorted by RSS in descending order (use --sort rss for ascending order):

$ ps auxw --sort -rss | head -n5
mysql      604  0.2  8.4 1628428  177968 ?        Ssl  Jun30  71:59 /usr/sbin/mysqld
phpuser   9625  0.1  1.9  239588   40896 ?        S    Jul12  12:35 php-fpm: pool www
phpuser  14625  0.1  1.8  239572   39668 ?        S    Jul12  12:08 php-fpm: pool www
named     1849  0.0  1.2  299868   25984 ?        Ssl  Jun30   0:11 /usr/sbin/named -f -u bind
root       252  0.0  0.5  82868    12096 ?        Ss   Jun30   1:19 /usr/sbin/syslog-ng -F

CPU analysis

We’re using the --sort -%cpu option to get the results sorted by CPU in descending order (use --sort %cpu for ascending order):

$ ps auxw --sort -%cpu | head -n5
named     1849  0.9  0.1  299868  25984 ?        Ssl  Jun30   0:21 /usr/sbin/named -f -u bind
root      1668  0.5  0.0  259000  10332 ?        Sl   Jun23 195:48 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
postfix   9889  0.4  0.0  102368   7736 ?        S    05:44   0:00 smtpd -n smtp -t inet -u -o stress=
mysql      604  0.2  8.4 1628428 177968 ?        Ssl  Jun30  72:09 /usr/sbin/mysqld
phpuser   7960  0.1  1.8  238572  38780 ?        S    Jul17   4:35 php-fpm: pool www


Once you have the results, it’s time to investigate further and analyze what’s happening with those processes. Good luck!
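The same sorting applied to a saved ps snapshot, as an added example that is not from the original post: useful when a "ps auxw" capture taken during an incident has to be analysed afterwards, and it also sums RSS per user. The snapshot file is constructed from the rows shown above.

```shell
#!/bin/sh
# Added example: sort a saved "ps auxw" snapshot by RSS or %CPU and sum RSS per
# user. The snapshot is constructed (rows borrowed from the post's output).
make_snapshot() {
  cat > "$1" << 'EOF'
USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
mysql      604  0.2  8.4 1628428 177968 ?        Ssl  Jun30  71:59 /usr/sbin/mysqld
phpuser   9625  0.1  1.9  239588  40896 ?        S    Jul12  12:35 php-fpm: pool www
phpuser  14625  0.1  1.8  239572  39668 ?        S    Jul12  12:08 php-fpm: pool www
named     1849  0.0  1.2  299868  25984 ?        Ssl  Jun30   0:11 /usr/sbin/named -f -u bind
root       252  0.0  0.5   82868  12096 ?        Ss   Jun30   1:19 /usr/sbin/syslog-ng -F
EOF
}
# Top N processes by RSS (column 6), header dropped: the offline --sort -rss.
top_rss() { tail -n +2 "$1" | sort -k6,6 -rn | head -n "${2:-5}"; }
# Top N processes by %CPU (column 3): the offline --sort -%cpu.
top_cpu() { tail -n +2 "$1" | sort -k3,3 -rn | head -n "${2:-5}"; }
# Resident memory per user in KB, largest first: shows which account owns the memory.
rss_per_user() {
  tail -n +2 "$1" | awk '{ kb[$1] += $6 } END { for (u in kb) printf "%s %d\n", u, kb[u] }' | sort -k2,2 -rn
}
```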

Jul 05 / 2017

Generate a self-signed SSL certificate (cert/key pair)

Here is a simple script, with its configuration file, to generate a self-signed SSL certificate (cert/key pair).

First define a config file openssl.cnf containing the certificate information (the DN values below match the subject printed by the sample run further down):

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=FR

# State or Province Name (full name)
ST=IdF

# Locality Name (eg. city)
L=Paris

# Organization (eg. company)
O=MyOrg

# Organizational Unit Name (eg. section)
OU=My SSL server

# Common Name (*.example.com is also possible)
CN=my.domain.com

# E-mail contact (placeholder: the original address was redacted from the page)
emailAddress=postmaster@my.domain.com

[ cert_type ]
nsCertType = server

Then, create the bash script makessl.sh and configure your own parameters (directories, cert filename and validity duration):


# Generates a self-signed certificate.
# Edit openssl.cnf before running this.

umask 077

# Define SSL directory
# Define SSL config file
# Define crt/key directories
# Define crt/key file
# Define validity duratin for the cert

# Check that directories exist or create themt
if [ ! -d $CERTDIR ]; then
  mkdir -p $CERTDIR
if [ ! -d $KEYDIR ]; then
  mkdir -p $KEYDIR

# Check that the files do not exist or move them
if [ -f $CERTFILE ]; then
if [ -f $KEYFILE ]; then

# Generate crt/key files
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days $DAYS || exit 2
chmod 0600 $KEYFILE
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

Now, execute the bash script:

$ bash makessl.sh
Generating a 2048 bit RSA private key
writing new private key to '/opt/private/mynewssl.key'

subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/[email protected]
SHA1 Fingerprint=F0:B1:B3:DF:F9:4D:A0:97:4E:71:E0:7F:8E:DA:13:F9:D5:E8:AF:88

Let’s check the freshly created certificate and double-check the information:

$ openssl x509 -in /opt/certs/mynewssl.pem -noout -dates -subject
notBefore=Jul  5 19:45:17 2017 GMT
notAfter=Jul  5 19:45:17 2018 GMT
subject= /C=FR/ST=IdF/L=Paris/O=MyOrg/OU=My SSL server/CN=my.domain.com/emailAddress=postma[email protected]
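A generate-and-verify version, as an added example that is not the post's makessl.sh: it creates the pair with a subjectAltName (which current clients require, the nsCertType extension above being obsolete), then runs the checks worth doing before deployment: key matches cert, expiry margin, SAN coverage, and the trust check against a CA bundle that fails with "untrusted issuer" when the bundle from the first post on this page is stale. It assumes the openssl CLI is installed; "my.domain.com" and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the post's makessl.sh): generate a self-signed cert/key pair
# and run the checks worth doing before deploying it. Assumes the openssl CLI.
# Everything is written under the directory given as $1; the CN is a placeholder.
make_selfsigned() {
  dir="$1"; cn="${2:-my.domain.com}"
  umask 077           # the key is created unreadable to other users
  mkdir -p "$dir"
  # Constructed config: prompt-free DN plus a subjectAltName, which browsers
  # and TLS libraries require (they ignore the CN and the obsolete nsCertType).
  cat > "$dir/openssl.cnf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
CN = $cn
[ cert_type ]
subjectAltName = DNS:$cn
EOF
  openssl req -new -x509 -nodes -config "$dir/openssl.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.pem" -days 365 2>/dev/null
}
# 0 when the key and the certificate carry the same public key.
check_pair() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}
# 0 when the cert is still valid N days from now (default 30): rotate before then.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )); }
# Prints the SAN list so you can confirm the hostname is actually covered.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
# 0 when the cert chains to a CA in the given bundle: the same check that fails
# with "untrusted issuer" when the system bundle is stale (a self-signed cert
# only passes against a bundle that contains itself).
trusted_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
```

On a server you would point trusted_by at the system bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-style systems) to confirm a CA-issued certificate chains correctly after the update.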