Q1. tcpdump?
It captures live TCP/IP packets on an interface. We can write the capture to a file and analyze the packets in Wireshark.

examples:
tcpdump -D    (lists the interfaces tcpdump can capture on)
tcpdump -i eth0    (shows live TCP/IP packets on eth0)
tcpdump -c 100 -i eth0    (shows 100 live packets on eth0, then stops)
tcpdump -c 100 -w /tmp/sar.tcpdump -i eth0 src 172.17.221.92 and dst 172.17.221.93 and port 22    (writes 100 packets from 172.17.221.92 to 172.17.221.93 on port 22 into a file that Wireshark can open)


Q2. How to collect SAR?

sar takes an interval and a count; "1 3" below means 3 samples, 1 second apart.
CPU usage    = sar -u 1 3
Memory usage = sar -r 1 3
Swap usage   = sar -S 1 3
I/O activity = sar -b 1 3
Load average = sar -q 1 3


Q4 SELinux?
Security Enhanced Linux. It is a mandatory access control system built into the Linux kernel. It enforces resource policies that define what level of access users, programs and services have on a system.

The default mode is enforcing: SELinux denies and logs any unauthorized attempt to access a resource, so explicit permission must be given to a user or program by policy. The other modes are permissive (logs violations but does not deny them) and disabled.

Q5 ulimit?
It sets or reports the resource limits (open files, processes, core size, stack size etc.) of the current shell and the processes it starts. Soft limits can be raised only up to the hard limit, and only root can raise a hard limit.

#ulimit -a    (reports all current limits)


Q7 Linux server hardening examples?

disable unused filesystems (hfs, hfsplus, udf etc.)
ensure /tmp is configured as a tmpfs filesystem
ensure the nodev option is set on /tmp
ensure the cron daemon is enabled and running
use a different port for ssh
ensure SSH access is limited (AllowUsers / AllowGroups)
ensure SSH MaxAuthTries is set to 4 or less
ensure SSH root login is disabled
ensure SSH PermitEmptyPasswords is disabled
ensure the SSH idle timeout interval is configured (ClientAliveInterval / ClientAliveCountMax)
ensure SSH MaxSessions is limited
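As an added example (not part of the original notes), here is a small POSIX shell audit of the SSH items in the list above. It reads an sshd_config the way sshd does (comment lines are ignored, the first active occurrence of a directive wins) and prints PASS or FAIL per check. The thresholds for MaxSessions (10 or less) and ClientAliveCountMax (3 or less) are my assumptions taken from common benchmark guidance, not from the notes, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit the SSH hardening items from the list above against an sshd_config.
# Thresholds for MaxSessions (<=10) and ClientAliveCountMax (<=3) are assumptions, not from the notes.

# first_value FILE DIRECTIVE -> value of the first active (uncommented) occurrence, matched
# case-insensitively like sshd does; prints nothing if the directive is unset
first_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE -> one PASS/FAIL line per check; exit status 1 if any check failed
audit_sshd_config() {
    cfg=$1
    rc=0
    # check DIRECTIVE REGEX REASON : PASS when the first active value matches REGEX
    check() {
        val=$(first_value "$cfg" "$1")
        if [ -n "$val" ] && printf '%s\n' "$val" | grep -Eq "$2"; then
            echo "PASS $1=$val"
        else
            echo "FAIL $1=${val:-<unset>} ($3)"
            rc=1
        fi
    }
    check PermitRootLogin      '^no$'          'root login must be disabled'
    check PermitEmptyPasswords '^no$'          'empty passwords must be refused'
    check MaxAuthTries         '^[1-4]$'       'must be 4 or less'
    check MaxSessions          '^([1-9]|10)$'  'must be limited (assumed: 10 or less)'
    check ClientAliveInterval  '^[1-9][0-9]*$' 'idle timeout must be configured'
    check ClientAliveCountMax  '^[0-3]$'       'idle timeout must be configured (assumed: 3 or less)'
    check AllowUsers           '.'             'access must be limited to named users'
    return $rc
}

# write_sample weak|hardened -> path of a temp file holding a constructed sample config
write_sample() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
# hardened sample (constructed)
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
MaxSessions 4
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers admin ops
EOF
    else
        cat > "$f" <<'EOF'
# weak sample (constructed): a commented default does not count, the first active line wins
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitEmptyPasswords yes
MaxAuthTries 6
EOF
    fi
    echo "$f"
}

# Usage: audit the weak sample, then the hardened one
for kind in weak hardened; do
    f=$(write_sample "$kind")
    echo "== $kind =="
    audit_sshd_config "$f" || true
    rm -f "$f"
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; remember that sshd must be reloaded for a change to take effect, so check the running daemon with `sshd -T` as well.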



Q8 How to check which process is utilizing more CPU?

#top
#htop
Inside top, these keys re-sort the task list:
M – sort task list by memory usage
P – sort task list by processor usage
N – sort task list by process ID
T – sort task list by run time



Q10 Linux server is running slow, what will you check?
Run the top command and:

check I/O wait and CPU idle time
if I/O wait and CPU idle time are both low, check CPU user time (the CPU is busy running processes)
check swap usage (heavy swapping points at memory pressure)
check if any application is consuming lots of CPU or RAM


Q11 Unable to ssh?

ping the server
try ssh again, and try to login as root
check whether the ssh service is up and running
check whether the ssh port 22 is open (firewall, sshd listening)
check whether the user's password is expired or the account is locked
check whether the user's shell is set to nologin
try to take the console through the VM, iLO or iDRAC and look for the error


Q12 Collect the SAR report for the last 10 days?

Go to /var/log/sa; it holds one saDD file per day of the month (sa01, sa02, ...). To read, for example, the 3rd day's data, run the command below. Add -s/-e to restrict the start and end time, and -u, -r, -q etc. to select the report as in Q2.

sar -f /var/log/sa/sa03

Note: we can get sar logs for a maximum of 30 days (the files are named by day of month; the retention is set by HISTORY in /etc/sysconfig/sysstat on RHEL).



Q13 How to check the load average in Linux?

top, uptime, glances, cat /proc/loadavg
These show the load average over the last 1, 5 and 15 minutes: the average number of processes that were running or waiting for the CPU (on Linux, also those blocked in uninterruptible I/O). Compare it with the number of cores.
If we have a 1 core CPU and the load average is 2 0.5 0.6:
it means on average 1 process was running and 1 process was waiting for the CPU in the last 1 min
the CPU was busy only half the time, i.e. available 50%, in the last 5 min
the CPU was available 40% for utilization in the last 15 mins



Q14 How to check how many inodes are available?
df -ih    (per filesystem: Inodes, IUsed, IFree, IUse%)


Q15 What to do when the disk inodes are full?

Check whether inodes are exhausted with df -ih. Either delete unused files to free up some inodes, or increase the filesystem size to get more free inodes (on ext4 the inode count is fixed at mkfs time and only grows with the filesystem; xfs allocates inodes dynamically).
You can use the find command to locate the directory holding the most files.

Note for inodes:

It is quite easy for a disk to have a large number of inodes used even if the disk is not very full.
An inode is allocated per file, so if you have gazillions of files, all 1 byte each, you'll run out of inodes long before you run out of disk.
It's also possible that deleting files will not reduce the inode count if the files have multiple hard links.
Inodes belong to the file, not to the directory entry. If a file has two directory entries linked to it, deleting one will not free the inode.
Additionally, you can delete a directory entry but, if a running process still has the file open, the inode won't be freed.
To free up the inodes, delete the files and then check with the lsof command whether any deleted files are still open; if they are, restart or kill those processes (or reboot) and the inodes and space will be freed.



Q18 Filesystem usage is the same after deleting a file?

Check whether the deleted files were really released. Sometimes a process still has those files open, so they keep consuming storage until the last open descriptor is closed.
Use lsof /mountpoint to list open files on that filesystem; if you see "(deleted)" against the files you removed, restart or kill those processes, or reboot the Linux system, to reclaim the space. An alternative that avoids killing the process is to truncate the file through its descriptor (: > /proc/PID/fd/N).
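Added example covering both Q15 and Q18 (not from the original notes): the first function finds the directories holding the most files on one filesystem, which is where inode exhaustion usually lives; the second reports the same "(deleted)" facts that lsof does, but by reading the /proc/PID/fd links directly, so it works on a box without lsof. The demo constructs a temp tree and a process that keeps an unlinked file open; it assumes a Linux /proc and GNU find/coreutils.

```shell
#!/bin/sh
# Added example (not from the notes): where did the inodes go, and which deleted files are still open?

# dirs_by_file_count ROOT [N] -> "count directory" lines, busiest first, top N (default 5).
# -xdev stays on ROOT's filesystem because inodes are a per-filesystem resource.
dirs_by_file_count() {
    find "$1" -xdev -type f -printf '%h\n' 2>/dev/null \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" \
        | awk '{ print $1, $2 }'
}

# deleted_open_files -> "PID FD PATH" for every descriptor whose file was unlinked: the same
# thing lsof shows as "(deleted)", read straight from /proc. Only processes we may inspect appear.
deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}; pid=${pid%%/*}
                echo "$pid ${fd##*/} ${target% (deleted)}" ;;
        esac
    done
}

# demo_inode_hunt -> builds a constructed tree plus a process holding an unlinked file open,
# prints what both functions see, and returns 0 if the deleted file was found still open
demo_inode_hunt() {
    d=$(mktemp -d)
    mkdir "$d/logs" "$d/cache"
    for i in 1 2 3; do : > "$d/logs/f$i"; done   # 3 files here ...
    : > "$d/cache/f1"                            # ... 1 here
    echo "busiest directories under $d:"
    dirs_by_file_count "$d"

    # hold a file open on fd 0, then unlink it: the inode and its blocks stay allocated
    sleep 30 < "$d/logs/f1" &
    holder=$!
    rm -f "$d/logs/f1"
    echo "deleted-but-open files of pid $holder:"
    found=$(deleted_open_files | grep -c "^$holder 0 $d/logs/f1")
    deleted_open_files | grep "^$holder "
    kill "$holder" 2>/dev/null   # freeing means closing: restart/kill the holder, or reboot
    rm -rf "$d"
    [ "$found" -eq 1 ]
}

demo_inode_hunt
```

On a real box run `dirs_by_file_count /var 10` (or whichever mount df -ih flagged) and `deleted_open_files` as root so every process is visible.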



Q19 How to increase the priority of any process?
Use the renice command to change the nice value (a lower nice value means a higher priority):

-20 - highest priority
+19 - lowest priority

#renice -n 15 -p 77982    (lower the priority)
#renice -n -20 -p 77982   (highest priority; only root can decrease a nice value or set a negative one)
-p selects the process by PID



Q20 symlink and hardlink?

hardlink:

-it acts as another name for the same file, not a separate copy: both names share one inode and one set of data blocks
-it uses the same inode number
-not allowed for directories
-can not be used across filesystems (inode numbers are only unique within one filesystem)
-if the original name is removed, the hard link still works, because the data is freed only when the last link is gone
-it is comparatively faster (no extra lookup)

softlink:

-it acts as a pointer or reference to the file by path
-it uses a different inode number
-it can be used for linking directories
-it can be used across filesystems
-if the original file is removed then the link dangles and will not work
-it is slower than a hardlink (one more path lookup)
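Added example (not from the original notes) that checks each claim in the two lists above on a scratch directory: shared inode number and link count for the hard link, a separate inode for the symlink, the kernel refusing a hard link to a directory, and what each link does after the original name is removed. It assumes GNU coreutils (stat -c) on a filesystem that supports hard links.

```shell
#!/bin/sh
# Added example (not from the notes): observe hard link vs symlink behaviour in a temp dir.

# link_demo -> prints one key=value line per observation, then cleans up
link_demo() {
    d=$(mktemp -d)
    printf 'payload\n' > "$d/orig"
    ln    "$d/orig" "$d/hard"        # hard link: a second name for the same inode
    ln -s "$d/orig" "$d/soft"        # symlink: a new inode whose content is the path of orig

    orig_ino=$(stat -c %i "$d/orig")
    hard_ino=$(stat -c %i "$d/hard")
    soft_ino=$(stat -c %i "$d/soft")  # stat does not follow the link, so this is the symlink's own inode
    echo "hard_same_inode=$([ "$orig_ino" = "$hard_ino" ] && echo yes || echo no)"
    echo "soft_same_inode=$([ "$orig_ino" = "$soft_ino" ] && echo yes || echo no)"
    echo "link_count_before_rm=$(stat -c %h "$d/orig")"   # 2: orig and hard both name the inode

    # hard-linking a directory is refused; symlinking one is allowed
    echo "hard_link_to_dir=$(ln "$d" "$d/dirlink" 2>/dev/null && echo allowed || echo refused)"
    echo "sym_link_to_dir=$(ln -s "$d" "$d/dirsoft" 2>/dev/null && echo allowed || echo refused)"

    rm "$d/orig"                      # removes one name; the inode lives on while any name remains
    echo "hard_readable_after_rm=$(cat "$d/hard" 2>/dev/null | grep -c payload)"   # 1: data still there
    echo "soft_resolves_after_rm=$([ -e "$d/soft" ] && echo yes || echo no)"      # -e follows the link: dangling
    echo "link_count_after_rm=$(stat -c %h "$d/hard")"    # back to 1

    rm -rf "$d"
}

link_demo
```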


Q21 ping command is not working?

it may be possible that ping is not installed (the iputils package), or that ICMP is blocked by a firewall on the path
if you are pinging a domain name then it may be possible that the DNS server is not reachable, so the name does not resolve


Q22 what is the kernel version in 6 and 7?

rhel 6 – 2.6.x.x, ext4
rhel 7 – 3.10.x.x, xfs


Q26 How to activate or deactivate an LV?

Activate:
#lvchange -ay vgname/lvname    (or the full path /dev/vgname/lvname)

Deactivate:
#lvchange -an vgname/lvname    (the LV must be unmounted first)



Q27 How to increase or reduce swap?

Increasing or reducing swap means increasing or reducing the size of the disk partition or LV backing it.
In the case of LVM, swapoff the LV, resize it with lvextend or lvreduce as for any other LV, run mkswap on it again so the swap header matches the new size, then swapon it.


Q28 how to turn off or on swap?

#swapoff -a
#swapon -a


Q29 What is NFS?

Network File System
works on UDP port 2049 in RHEL 6 and on TCP port 2049 in RHEL 7
used for sharing files from Linux to Linux
it is not secure by default: it doesn't require user authentication; access is granted per client host in /etc/exports and the server trusts the client's UID/GID (unless Kerberos, sec=krb5, is configured)
it is fast


Q32 How to add a disk to a Linux system?

Create and add the disk in the hypervisor in case of a VM. Attach the new drive in case of a physical server.
Scan for the new drive:
#echo "- - -" > /sys/class/scsi_host/host0/scan    (repeat for each hostN, or use rescan-scsi-bus.sh)
Use fdisk -l to check that the drive is visible and then run fdisk /dev/sdX to create the partition.


Q33 Where is user info saved?

/etc/passwd – public account info (name, UID, GID, home, shell)
/etc/shadow – password hashes and aging info, readable only by root
/home/username – the user's home directory with their actual files


Q34 How to check the status of any user?

#passwd -S username
PS - password is set
LK - password is not set or the account is locked
a date before 1970 - the password is expired



Q34 How to add a user to another group?

#usermod -aG groupname username    (-a appends; without it, -G replaces the user's supplementary groups)



Q35 how to check dependencies of any packages with yum and RPM?


Q36 How to create a yum server?

There are 5 steps for creating the yum server.

1. add a new disk or create a new directory or mount point
2. copy all the packages from the OS drive to the above directory
3. create the repo metadata
#createrepo -v /packages/location

this will create the repodata directory with the repomd.xml file

4. create a local.repo file in the /etc/yum.repos.d directory (yum only reads files ending in .repo)

[local]
name=local
baseurl=file:///packages/location
enabled=1
gpgcheck=0

5. verify the repo list

#yum repolist


Q37 How do you do patching?

We have a RedHat Linux server which is internet facing. We first download all the packages to this RedHat server and have made it our local repo. On our other servers we have created a local repository pointing at it,
so we use this server for patching and run the yum command to patch the servers.


Q38 what pre-requisites do you take before patching?

take the backup of server
check if /, /var, /boot is not completely utilized
check if server is not rebooted within 100 days.


Q39 How to check which lvm is mounted with which devices?

#lvdisplay



Q40 What is a CVE patch in Linux?

CVE stands for Common Vulnerabilities and Exposures; a CVE patch is a vendor update that fixes a vulnerability with a CVE identifier. Our security team scans the servers with the Nessus tool and provides us the list of CVEs to fix, so we apply those patches manually on the servers.


Q41 The server did not come up after patching?

-ping, ssh, take console and see the error, check if you have snapshot or backup
-if its physical then try to boot into maintenance mode and check for error



Q44 how to generate sosreport?

#sosreport
Q45 Why different mount point is required?

Q46 In what situation do you call redhat??

Q47 How to compare the files of two directories?

use the diff command
#diff file1 file2        (two files)
#diff -r dir1 dir2       (two directory trees)
Q48 Can we recover the passwd file if deleted?

Yes, we can recover it. The passwd file gets backed up as /etc/passwd- whenever it is changed.
-boot into single user mode
#mount -o rw,remount /
#cp /etc/passwd- /etc/passwd
#pwconv    (this creates or syncs the /etc/shadow file for the above passwd file)
#passwd root
#shutdown -r now
Q49 How does DNS work?
When we browse to a domain, resolution follows the steps below:

it checks the local cache for the IP
then it checks the /etc/hosts file
then it checks the name servers in /etc/resolv.conf
then it asks the local DNS server, or goes to the public DNS server that I have configured
the public DNS server, if it has no cached answer, sends the request to the top-level (root) servers
the top-level servers check what the domain's TLD is and send the query to the respective TLD's DNS (.com, .org, .mil etc.)
then the name gets resolved to an IP and the answer travels back in reverse order so the browser can show the website
Q50 Difference between bin and sbin?
/bin : for binaries usable before the /usr partition is mounted. This is used for trivial binaries needed in the very early boot stage or ones that you need to have available when booting into single-user mode. Think of binaries like cat, ls, etc.

/sbin : same, but for binaries that require superuser (root) privileges.
/usr/bin : same as the first, but for general system-wide binaries.
/usr/sbin : same as above, but for binaries that require superuser (root) privileges.

Q51 Difference between rpm and yum?

yum:

Yellowdog Updater Modified. It is a package manager for RPM-based Linux systems and a high-level frontend over rpm
resolves and installs dependencies automatically (from the configured repositories)
it installs packages and reports if a package is already installed
RPM:

it is a low-level package manager
does not resolve dependencies
it needs the exact package file name for installing packages
difficult to manage when it comes to installing and upgrading packages with many dependencies
Q52 Write a script for fetching all hardware info?

uname -a - kernel and machine info
lscpu - CPU info
lshw - lists hardware info: CPU, RAM, disk. It extracts info from /proc
lspci - lists PCI buses and the devices connected to them
lsscsi - lists SCSI devices
lsusb - lists USB devices
lsblk - lists block devices (hard drive partitions, storage devices)
df - disk space of filesystems
free - check the memory
dmidecode - shows hardware info from the BIOS/SMBIOS tables
hdparm - shows SATA/ATA drive info and parameters
Q53 Difference between ssh and telnet?

SSH:

used to access network devices remotely
developed by SSH Communications Security Ltd
it provides strong authentication and secure communications over insecure channels
runs on port 22 but we can change it
communication is encrypted; it is extremely difficult to decrypt and read the data
supports public key authentication
Telnet:

used to access local devices
sends data in plain text
runs on port 23
it does not use any key for authentication, hence it is not secure
Q54 What is the difference between fstab and mtab?

/etc/fstab is created by the user. It contains the list of volumes to be mounted by mount.
/etc/mtab is created by the system. It contains a list of currently mounted devices.

Q55 How will you revert your CentOS kernel to the previous version?

#yum list kernel*
this will list all the kernels on your system.

If you don't see your kernel listed then install the kernel:
#yum install kernel-3.10.0-862.el7

Once the kernel is installed, reboot your system (pick the older kernel in the GRUB menu) and use the below command after the reboot to downgrade the release package.
#yum downgrade redhat-release
Q56 yum command is failing?

it may be possible that another user is running yum (yum holds a lock in /var/run/yum.pid)
clear the yum cache: #yum clean all
check whether the repo list is proper or not: #yum repolist
Q57 Password-less authentication is configured; will scp work without an id and password?

yes, because scp uses ssh

Q58 Other than the ping command, which command can you use to check connectivity between servers?
telnet, nmap, nc (e.g. nc -zv host port to test one TCP port)

Q59 password less authentication is set but its not working?
it may be possible that private and public key got regenerated and client machine doesn’t have latest public key hence its not working.

Q60 when you create snapshot on vm then which file gets created in backend?
.vmsn

Q61 how to compare if file got copied or not?
check md5sum value of both the files

Q62 Command to find the most recently modified files?
Use the find command with the -mtime (days) or -mmin (minutes) flag.

find . -mtime +2
searches for files modified more than 2 days ago.

find . -mtime -2
searches for files modified within the last 2 days.

find . -mmin +2  or  find . -mmin -2
the same with minutes instead of days.
Q63 How do you clear the contents of the file without opening file?

> filename.log
or
true > filename.log
or
cat /dev/null > filename.log
or
cp /dev/null filename.log
or
echo "" > filename.log
or
echo > filename.log
Q64 What are MAJOR and MINOR numbers of special files?

Q65 When you need to edit a file by a system command (like crontab -e) how do you change the default editor that the system opens the file with to nano?

The system will use the editor defined in your EDITOR environment variable and can be set by export EDITOR=nano

Q66 How to see the list of mounted devices on Linux?

#mount -l
Q67 What is a sparse file?
Sparse files are files that have large amounts of space preallocated to them without occupying the entire amount on the filesystem. The term "sparse file" means one containing "holes": ranges that were never written and read back as zeros. It is easy to recognize one on a running system because its disk usage is less than its size.

# ls -lh /var/log/lastlog
-rw-r--r--. 1 root root 286K Dec  3 04:50 /var/log/lastlog

# du -sh /var/log/lastlog
12K     /var/log/lastlog

The size shows as 286K but the actual disk usage is 12K.
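Added example (not from the original notes): it creates a sparse file and a dense file of the same size and measures the two numbers ls -l and du report above, apparent size versus allocated blocks, so the "holes" become visible. It assumes GNU coreutils (truncate, stat -c) on a filesystem that supports sparse files, which ext4, xfs and tmpfs do.

```shell
#!/bin/sh
# Added example (not from the notes): measure apparent vs allocated size, the sparse-file tell-tale.

# allocated_bytes FILE -> bytes actually backed by disk blocks (what du counts)
allocated_bytes() {
    echo $(( $(stat -c %b "$1") * $(stat -c %B "$1") ))
}

# apparent_bytes FILE -> the size recorded in the inode (what ls -l shows)
apparent_bytes() {
    stat -c %s "$1"
}

# is_sparse FILE -> true when the file has holes, i.e. fewer blocks allocated than its size needs
is_sparse() {
    [ "$(allocated_bytes "$1")" -lt "$(apparent_bytes "$1")" ]
}

# sparse_demo -> builds one sparse and one dense 1 MiB file in a temp dir and reports on both
sparse_demo() {
    d=$(mktemp -d)
    truncate -s 1M "$d/sparse"                                      # sets the size, writes no blocks
    dd if=/dev/urandom of="$d/dense" bs=1024 count=1024 2>/dev/null  # every block really written
    for f in sparse dense; do
        printf '%s: apparent=%s allocated=%s sparse=%s\n' "$f" \
            "$(apparent_bytes "$d/$f")" "$(allocated_bytes "$d/$f")" \
            "$(is_sparse "$d/$f" && echo yes || echo no)"
    done
    rm -rf "$d"
}

sparse_demo
```

Note that `cp` and `tar` preserve holes only when asked (`cp --sparse=always`, `tar -S`), so a sparse file can balloon to its apparent size when copied carelessly.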
Q68 What is run-queue and how do you use it ?



Q75 How will you check how many users are getting connected to your website?


we can check nginx access logs. We can send logs to elk or prometheus by using exporter and we can get user access details. We can enable stats in nginx conf file.


Q77 are you using generic login or user-based login?
We are using generic login. our servers are behind the open VPN. Everyone first connects to the VPN and then they connect to the server. For some clients, we are using Jump box servers and from jumpbox we take the ssh of the servers.


Q80 What is IO wait?
Percentage of time that the CPU or CPUs were idle during which the system had an outstanding disk I/O request.
Therefore, %iowait means that from the CPU point of view, no tasks were runnable, but at least one I/O was in progress. iowait is simply a form of idle time when nothing could be scheduled. The value may or may not be useful in indicating a performance problem, but it does tell the user that the system is idle and could have taken more work.


Q81 What are the CPU states in Linux?
A CPU can be in one of four states: user, sys, idle, or iowait. Tools such as vmstat, iostat, sar, etc., print out these four states as a percentage. The kernel maintains this information using counters for each of the states and more. On each clock interrupt, the kernel checks the CPU state and increments the appropriate counter. The user can check the counters in /proc/stat.
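Added example for Q80 and Q81 (not from the original notes): it turns two samples of the aggregate "cpu" line of /proc/stat into the user/sys/idle/iowait percentages that top, sar -u and vmstat print. The counters are cumulative clock ticks since boot, so only the difference between two samples is meaningful; the two sample lines at the bottom are constructed, not real counters.

```shell
#!/bin/sh
# Added example (not from the notes): derive the four CPU states from /proc/stat counters.
# Column order of the "cpu" line (kernel docs): user nice system idle iowait irq softirq steal
# guest guest_nice. guest ticks are already counted inside user, so they are left out of the total.

# cpu_state_pct "LINE1" "LINE2" -> "user=.. sys=.. idle=.. iowait=.." over the interval.
# user includes nice time; sys includes irq and softirq, matching how sar groups them.
cpu_state_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { for (i = 2; i <= NF; i++) a[i] = $i }
        NR == 2 {
            total = 0
            for (i = 2; i <= 9 && i <= NF; i++) { d[i] = $i - a[i]; total += d[i] }
            if (total <= 0) { print "no ticks elapsed"; exit 1 }
            printf "user=%.1f sys=%.1f idle=%.1f iowait=%.1f\n",
                100 * (d[2] + d[3]) / total,
                100 * (d[4] + d[7] + d[8]) / total,
                100 * d[5] / total,
                100 * d[6] / total
        }'
}

# cpu_first_line -> the aggregate "cpu" line from the live /proc/stat
cpu_first_line() {
    head -n 1 /proc/stat
}

# live_cpu_state_pct [SECONDS] -> percentages over a real interval (default 1 s), like sar -u 1 1
live_cpu_state_pct() {
    s1=$(cpu_first_line)
    sleep "${1:-1}"
    s2=$(cpu_first_line)
    cpu_state_pct "$s1" "$s2"
}

# Constructed sample (not real counters): 1000 ticks elapsed, 150 of them spent waiting on disk I/O
SAMPLE1='cpu 100 0 50 800 50 0 0 0 0 0'
SAMPLE2='cpu 200 0 100 1500 200 0 0 0 0 0'
cpu_state_pct "$SAMPLE1" "$SAMPLE2"
```

A high iowait figure with low user time is the disk-bound case the Q10 checklist asks about: the CPU had nothing runnable because every task was blocked on I/O.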


Q82 Let's say you have made a wrong entry on an EC2 VM instance and now the VM is not coming up. What will you do?
We can correct the fstab entry with the steps below.

detach the EBS root volume from the broken instance
create a new VM
attach the EBS volume to the new VM
mount the old VM's EBS volume in the new VM, e.g. under /mnt/name
cd /mnt/name
vi /mnt/name/etc/fstab
then correct the entry, unmount the volume and attach it back to the original instance
Another way is to use the EC2 Serial Console to access the GRUB menu and recover from boot failures.

https://aws.amazon.com/blogs/compute/using-ec2-serial-console-to-access-the-grub-menu-and-recover-from-boot-failures/



Q83 prometheus is push based or pull based?
it is pull based

Q84 What is the LAMP stack?
It is a set of open source software used for web deployment.

Linux operating system: backbone of the LAMP stack; everything runs on this.
Apache HTTP server: the web server, runs on Linux, processes requests and serves the pages over the internet.
MySQL database management system: stores the application's data.
PHP programming language: server-side scripting that Apache runs to generate dynamic pages.
Q85 Tell me a few server hardening examples?

Keep Linux Kernel and Software Up to Date
enable SELinux
Linux User Accounts and Strong Password Policy
Set Up Password Aging For Linux Users For Better Security
Restricting Use of Previous Passwords on Linux
Locking User Accounts After Login Failures
Make Sure No Non-Root Accounts Have UID Set To 0
Disable root Login
Disable Unwanted Linux Services
Check listening Network ports
Separate Disk Partitions For Linux System


Q87 Why do shell script files need execute permission?
Execute permission is only needed to run a script by its name (./script.sh), which makes the kernel read the #! line and start the interpreter. If you know the interpreter, you don't need execute permission on the script: you can run a script that has only read permission by passing it to the interpreter yourself (#bash /path/to/script).




Q88 log analysis in Linux?
Log analysis is a crucial activity for server administrators who value a proactive approach to IT. By tracking and monitoring Linux log files, administrators can keep tabs on server performance, discover errors, detect potential threats to security and privacy issues and even anticipate future problems before they ever occur. Linux keeps four types of logs that system administrators can review and analyze: Few log types are: Application logs, Event Logs, Service Logs, System Logs etc.

Q89 what is tcp stack?
tcp stack is nothing but tcp/ip model. it has 5 layers.

Q90 What is NAT and PAT?
NAT: NAT is a process where a router or firewall translates one IP (private) into another IP (public) or vice versa. Specifically, a router translates an internal host's private IP address into its public IP address for outgoing traffic. NAT is of 2 types.

Static NAT: a fixed one-to-one mapping between one private IP and one public IP.
Dynamic NAT: private IPs are mapped to public IPs taken from a pool as needed.
PAT: each host on the LAN is translated to the router's WAN-side public IP address with a different port number assignment, so many hosts share one public IP.

Q91 What is port forwarding?
In this we only have only public IP. when accessing internal resources from the internet, we use port numbers to forward the request on specific internal resource. lets say our public ip is 180.5.4.3 and if anyone wants to access ftp with IP and port as 180.5.4.3:21 then this request will be redirected to internal FTP server with any internal IP 192.168.0.10:21


Q92 What is a “/proc” file system?
Proc file system is a pseudo or virtual file system that provides an interface to the kernel data structure. It generally includes useful information about processes that are running currently. It can also be used to change some kernel parameters at runtime or during execution. It is also regarded as a control and information center for the kernel. All files under this directory are named virtual files.

Q93 is hard drive involved when reading content of /proc?
There is no hard drive involved. When you read from /proc, the kernel generates content on the fly.

Q94 How to check which files are used by the top command in the backend?

strace top >/dev/null
This shows that it reads files like cpuinfo, meminfo and the per-process files from the /proc directory. Use strace -e trace=openat top >/dev/null to see only the file opens.



Q95 How to secure an nginx web server?
You can use a few of the below steps to secure an nginx web server:

use the nginx CIS benchmark to secure it
disable any unwanted nginx modules
disable nginx server_tokens (hides the version in headers and error pages)
control resources and limits (client_max_body_size, timeouts, limit_conn, limit_req)
disable any unwanted HTTP methods
set up and configure nginx access and error logs
monitor nginx access and error logs
update your server regularly
Q96 Why is a DNS record first checked in /etc/hosts and not in /etc/resolv.conf?
Because of /etc/nsswitch.conf: the hosts: line in this file gives the name service search order (typically "hosts: files dns", i.e. /etc/hosts first, then the DNS servers from /etc/resolv.conf). We can change the sequence.
/etc/nsswitch.conf: the Name Service Switch (NSS) configuration file is used by the GNU C Library and certain other applications to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.


Q100 How to find primary group of user?

id -gn user_name
Q101 How to find all the groups of current user or any other user?
We can use “groups” command to find all the groups

groups
or
groups username



Q103 How to change the user password in one line?

# echo "linuxpassword" | passwd --stdin linuxuser
or
# echo -e "linuxpassword\nlinuxpassword" | passwd linuxuser
Q104 How to run multiple processes simultaneously in Linux?
We can use the xargs command with -P to run multiple processes in parallel.

#seq 1 3 | xargs -I{} -n 1 -P 3 wget https://storage.googleapis.com/test-bucket-sarath/junkfile{}
Now run the below command and verify that 3 wget processes are running.

#ps aux|grep wget



Q105 I have a domain mycompany.com and I have created multiple subdomains like hr.mycompany.com, payroll, finance, blog etc. Now when I ping the subdomains internally without the FQDN, it fails. What changes need to be made in order to ping without the FQDN?

We can add a search entry for the domain in the /etc/resolv.conf file as below.


Now if I ping any subdomain without the FQDN, we will still get the ping response internally.
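Added example (not from the original notes): a model of how the glibc resolver expands a short name using the search list and the ndots option from resolv.conf. It makes no network lookups; it only prints the names that would be tried, in order, so you can see why "ping hr" succeeds once the search entry exists. The resolv.conf it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the notes): which names does the resolver try for a short hostname?

# search_candidates RESOLV_CONF NAME -> candidate names, one per line, in lookup order.
# Rules modelled from the resolver: a trailing dot means "absolute, try only this"; a name with
# fewer dots than ndots (default 1) tries the search domains first and the bare name last;
# otherwise the bare name is tried first and the search domains afterwards.
search_candidates() {
    awk -v name="$2" '
        $1 == "search" { n = 0; for (i = 2; i <= NF; i++) s[++n] = $i }   # last search line wins
        $1 == "domain" { n = 0; s[++n] = $2 }                             # domain is a 1-entry search
        $1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^ndots:/) { split($i, a, ":"); ndots = a[2] } }
        END {
            if (ndots == "") ndots = 1
            if (name ~ /\.$/) { sub(/\.$/, "", name); print name; exit }
            dots = gsub(/\./, ".", name)          # gsub returns the number of dots
            if (dots >= ndots) print name
            for (i = 1; i <= n; i++) print name "." s[i]
            if (dots < ndots) print name
        }' "$1"
}

# write_resolv_conf -> path of a constructed resolv.conf carrying the search entry the question asks for
write_resolv_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's file
search mycompany.com
nameserver 10.0.0.53
EOF
    echo "$f"
}

# Usage: "ping hr" is now tried as hr.mycompany.com before the bare name
f=$(write_resolv_conf)
echo "hr ->"; search_candidates "$f" hr
echo "hr.mycompany.com. ->"; search_candidates "$f" hr.mycompany.com.
rm -f "$f"
```

Keep the search list short: every entry is one more query per failed lookup, and a search domain you do not control lets someone who registers the matching name answer for your short hostnames.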



Q106 What is ARP?
ARP (Address Resolution Protocol) is used to find the hardware (MAC) address of a host on the local network (i.e. the same subnet). If A (IP 10.0.1.2/24) wants to communicate with another host (C) with IP address 10.0.1.5, then the following happens if this host is not in the ARP cache:

A broadcasts an "ARP Request"
using the broadcast MAC address (ff:ff:ff:ff:ff:ff)
asking for any host with the IP address 10.0.1.5 to respond
If the remote host (C) receives this packet, it responds with its MAC address, which A caches.
ARP cache from one of the VMs (view it with ip neigh or arp -n):