Astaro useful shell commands.

Hi to All.
I'm opening this thread so any of you which happens to run into useful Shell commands, can add it in here.
My goal is to create a document with many Astaro useful shell commands.
You are welcome to add, remark or reject any of the commands in here.
[:)]

This thread was automatically locked due to age.
[unlocked by: BAlfson at 2:53 PM (GMT -7) on 4 Jun 2021]

Top Replies

Goldy_01 over 14 years ago +1

Astaro Shell Commands

Remember:
Direct configuration of Astaro from the shell is unsupported, unless directed to by Astaro Support staff or official documentation.
For paid licenses, modifications done from the shell without direction or sanction may nullify your support agreement.[/I]

Run Astaro HTTP proxy database localy
1. ssh to ASG and login with loginuser
2. su - root
3. cc set http sc_local_db [disk][mem][none]  (Choose what you prefer)
4. /var/mdw/scripts/httpproxy restart
Websurfing will be extremely slow until the database has downloaded and been put into place. The time is link speed dependent.

View the link speed for the ASG's interfaces?
'ifstat'.

Bandwidth usage - IFTOP
Astaro also offers the command 'iftop' to see the live traffic and traffic statistics.
One can see the traffic live on an interface for Source Host, Destination Host, and Ports.
The peak and accumulative traffic is also displayed.
Run 'iftop'
Example:
root # iftop -i eth1

Host display:--------------------------General:
n - toggle DNS host resolution------P - pause display
s - toggle show source host---------h - toggle this help display
d - toggle show destination host-----b - toggle bar graph display
t - cycle line display mode-----------B - cycle bar graph average
--------------------------------------- T - toggle cummulative line totals
---------------------------------------- Port display:   j/k - scroll display
N - toggle service resolution---------f - edit filter code
S - toggle show source port----------l - set screen filter
D - toggle show destination port-----L - lin/log scales
p - toggle port display---------------- ! - shell command
q – quit
Sorting:
1/2/3 - sort by 1st/2nd/3rd column
- sort by dest name
o - freeze current order

Concurrent Connections:
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=86400

number of established connections:
less /proc/net/ip_conntrack | grep ESTA | wc -l
1907

number of all connections:
less /proc/net/ip_conntrack | wc -l
3315

number of connections with status WAIT (close_wait):
less /proc/net/ip_conntrack | grep WAIT | wc –l
39

Saving Snapshots of TOP automatically every half hour
create a cron job with,
top -b -n 1 >>/tmp/top-report.txt
An entry for each CPU core, and possibly another if the CPU(s) has hyperthreading:
cat /proc/cpuinfo

stopped and started again the HTTP proxy:
"/var/mdw/scripts/httpproxy stop" and "/var/mdw/scripts/httpproxy start"

Restarting MiddleWare:
service mdw restart
(from root)
Warning: it doesn't cause a complete reboot, but it does cause an HA failover, interruption of any up/downloads and VoIP calls, etc.

HD
Find what is taking the space type
df –h
df will only tell you how full the disk is.
du will tell you what files/folders are using the most space
I'd recommend:
cd /var/storage
du -sh *
find the offending directories

What kind of CPU
"cat /proc/cpuinfo"?

Determine if the disk is overloaded
vmstat -d 5
or
vmstat -d | head -2 ; vmstat -d 5 | grep hda
if hda is your hard disk; sda for scsi
That should have similar output.
The '5' is 5 second updates.
You'll have to look at the differences between the lines to figure out how many IO's you're getting in those 5 seconds, and whether you're saturating the disk or not.

See detailed info about your eth:
# ethtool eth1
OR
-mii-diag eth1

webadmin passwd lost
A user may use the following commands to reset the system passwords:
cc
RAW
system_password_reset
Ctrl c

Upon saving the file and exiting, the admin may immediately navigate to WebAdmin and re-specify all passwords for the system accounts of Astaro Security Linux.

DNS Flush cache option missing in V7
the current workaround is to restart the DNS proxy from the command line as root with the following command:
/var/mdw/scripts/named restart

To change version number
login as loginuser
su -
edit /etc/version
save the file
restart the ASG so the new version is displayed in Webadmin dashboard

Change NIC order
login as loginuser
su -
edit /etc/udev/rules.d/70-persistent-net.rules
save the file
restart the ASG so the new order is loaded.

Locked out - How to regain all logins
1) Shutdown the firewall and connect a screen and a keyboard to the firewall
2) Power on the firewall, wait until the GRUB-loader starts and press ‘ESC’
3) Select ‘Astaro Security Gateway 7.2’ (not previous or rescue!)
4) Press ‘e’ to edit and select the 2nd entry
5) Press ‘e’ once again and enter ‘init=/bin/bash’
6) Press ‘ENTER’ and ‘b’ to boot up
7) Now you are able to change the passwords for ‘loginuser’ and ‘root’
8) After that press CTRL + ALT + DEL to reboot the system and wait until you get the login prompt

Reset to factory settings
Login the command-line as 'loginuser', afterwards as 'root' and enter following commands to restore to factory settings:
1. cc [Press ENTER]
2. RAW [Press ENTER]
3. system_factory_reset [Press ENTER]

The system will automatically shutdown when it's finished.

Credits: Goldy, RFCat_VK
Jump to answer

angelo_ekz over 11 years ago in reply to skm

Hi

I'm Angelo, a new member of the board and this is my first post.
I have the following problem/idea and I would like to post it here. I would be really happy if somebody could help..

I set up a new SSL remote control profile for the remote support of a supplier. Everything is working fine, but I would like to have a very simple possibility to switch on/off the profile. The idea is that the supplier profile is normally inactive, so he can not log in. If there is the need, he will give us a call and an operator will activate the profile.

The activation/deactivation of the profile works fine through the Webadmin, but the problem is that I have to give to operators the rigths "Remote access manager" and "web protection manager". He can do to much with those rights...

Is there a way to write a small script in order so set the remote control profile active/inactive? If yes I would just make two buttons for the operators "on" and "off". The buttons will via shell do the rest..

Any help is welcome...Thank you.

Angelo
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
angelo_ekz over 11 years ago

Hi

In order to simplify my question I add a screenshot to show what I would like to do, but with shell commands:

Push the marked button in order to activate/inactivate the SSL VPN remote profile

Thank you.

Angelo
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
AlanT_01 over 11 years ago

@angelo there's two steps involved. First, you have to find the REF ID of the profile. In my case, it's called "Visitor":

     cc get_object_by_name ssl_vpn remote_access_profile "Visitors"

That will return something like this:
{
          'autoname' => 0,
          'class' => 'ssl_vpn',
          'data' => {
                      'aaa' => [
                                 'REF_AaaUseAlan'
                               ],
                      'auto_pf_in' => 'REF_PacPacAnyFromAlan',
                      'auto_pfrule' => 1,
                      'comment' => '',
                      'name' => 'Visitors',
                      'networks' => [
                                      'REF_DefaultInternalNetwork'
                                    ],
                      'status' => 1
                    },
          'hidden' => 0,
          'lock' => '',
          'nodel' => '',
          'ref' => 'REF_SslRemVisitors',
          'type' => 'remote_access_profile'
        }
The line  'ref' => 'REF_SslRemVisitors' tells us what we want. To turn it off, run:
    cc change_object REF_SslRemVisitors status 0

To turn it on, just change the 0 to a 1. To give your users a button to toggle it on or off, you'll need to automate connecting to the shell as root, and running the above commands. The REF ID won't change unless oyu delete and re-create the profile, so you don't necessarily have to automate finding that parameter, but depending on your coding abilities, wrapping this up to run remotely with a single click may still be a very large task.

It might be enough to simply give a user role-based administration rights for remote access settings. They can login to webadmin, but only see the remote access section, and they can just toggle the tunnel off and on from there.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
angelo_ekz over 11 years ago in reply to AlanT_01

Hi AlanT

I'm impressed. Thanx a lot.
The commands work fine and I'm able to change teh status. I logged in as loginuser and then changed to root, in order to be able to execute the command. The problem ist that I would like to implement a "fully-automatic" switch for some operators.
So I set up an ssh public key connection to the utm and I connected with putty as root. There I had the problem, I was not able to execute the cc command. The error was "bash: cc: command not found".

I solved this with the specific path to the compiler, so I replace cc change_obeject.....with /usr/local/bin/confd-client.plx change_object....

Now I only have to build a batch file and call the command line putty.exe with parameters -load "session-name" and -m "command" and I will have my "one-button" solution.

Thanx again.
Angelo
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
ratava over 11 years ago

I am wanting to create/delete backend users for use with hotspot authentication via ssh command line.

Are there existing command to manage users?

Thanks
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

lmatt over 11 years ago in reply to ratava

For the frequent question: Is SID xyz active in the IPS?

dev-lmatt-02:/root # ips_patterninfo 

       _____ ____

     `----,\    )

      `--==\  /

       `--==\/

    .-~~~~-.Y|\_  Copyright (C) 2013 Sophos GmbH www.sophos.com

 @_/        /  66\_  Lukas.Matt@sophos.com 19.12.2013

   |    \   \   _(")

    \   /-| ||'--'

     \_\  \_\



   1517 of 20751 IPS rules currently configured



   /usr/local/bin/ips_patterninfo [options]



	--sid     - Search a specific rule ID

	--search  - Prints information for a global search pattern

	-h | --help        - Prints this help text



dev-lmatt-02:/root # ips_patterninfo --sid 480

Reading IPS information..



[480] PROTOCOL-ICMP PING speedera

* will not affect network traffic (alert-only)

* last modified Mon Nov 20 23:21:00 2006

* was categorized as 'Protocol Anomaly / Invalid Traffic'

* [DISABLED] has 2 filter active

  [FILTER] warnings are not active (alert-only)

  [FILTER] rule is too old (360 days)

The previous example shows you the reason why a specific rule is not active if it is available.

seroal over 11 years ago

Hi,

does somebody now how to easily resolve the network definitions? I want to get an output that shows me the network object, that are defined in the definitions. The webinterface has a very simple view on the ruleset and I would like to see something like a "resolved" version on the command line, where I see Networks, IP-Adresses or hostnames, that are building the network definition.

I hope you understand, what im looking for.

Best thanks for all the helpful commands, postet here.

Regards
Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Goldy_01 over 11 years ago

Hi guys.
Anyone know a shell command to load new NIC drivers?
I have just added a FO NIC to my UTM, and it doesn't recognize it.
It shows it as the system boot, but nothing in the Interface - Hardware.
I would like to avoid a clean install.
Thanks,
Goldy
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
BarryG over 11 years ago

Hi Goldy, in older versions, you could edit /etc/modules and/or /etc/modules.conf, but I'm not sure that still applies now that the system is using UDEV.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
BAlfson over 11 years ago

Here's a prescription for activating ssh access from the console when unable to do so in WebAdmin.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel