Wednesday, 28 July 2010

MySQL tips

Create database
create database employees;

Grant permissions on a database to a user
GRANT ALL ON database.* TO user@localhost IDENTIFIED BY "password";

Set root password for the first time
mysqladmin -u root password NEWPASSWORD

Change user password
UPDATE mysql.user SET Password=PASSWORD('foobar') WHERE User='john' AND Host='localhost';
FLUSH PRIVILEGES;

Show information about table including engine and character set:

show create table table_name;

Change character set for table 

alter table table_name convert to character set utf8 collate utf8_general_ci;

Show character set and collation for a database
Select your database (use database;) and then type


show variables like "character_set_database";
show variables like "collation_database";

Restore a database from an SQL file

mysql -u user -pozttbNUfQx -h hostname database < dump.sql

Make a backup of database with mysqldump

mysqldump -u $mysql_u -p$mysql_p $databases > db.sql

Show a user's grants:


show grants for user@host;

Grant the reload privilege; it cannot be granted for a single database, it is a global privilege:

GRANT reload ON *.* TO user@localhost;

The mysqlhotcopy program needs the following user rights: SELECT, RELOAD, LOCK TABLES; for example:

grant lock tables, select on database.* to user@localhost;

grant reload on *.* to user@localhost;

Show users:

SELECT Host,User from mysql.user;

Delete user:

drop user user@host;

Revoke grants from a user
revoke all on db.table from user@localhost;

Show MySQL error codes description:
perror number_of_code

Error 24
If during mysqldump or mysqlhotcopy you receive error 24, reporting that a file cannot be found, you can resolve the issue in two ways. First, you can raise the open_files_limit option in my.cnf; its default value is 1024. Another way is to add --single-transaction to mysqlhotcopy.

Linux tips

A user name may be at most 32 characters long

Find all files older than 10 days in the /var/backup folder and delete them, excluding the folders /var/backup/server1 and /var/backup/servers/server2:
find /var/backup \( -path '/var/backup/server1' -o -path '/var/backup/servers/server2' \) -prune -o -mtime +10 -exec rm {} \;

Change file creation date to 11 days ago
touch -d "11 days ago" filename
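An added example, not from the original post, that runs the prune-based cleanup above against a constructed tree mirroring the /var/backup layout, ages the "old" files with the touch -d tip, and lists the candidates before deleting them. It assumes GNU find and touch; all directory and file names are made up, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: run the prune-based cleanup above
# against a constructed tree that mirrors the /var/backup layout, ageing the
# "old" files with touch -d as in the tip above, and list candidates before
# deleting. Uses GNU find and touch; all paths are made up.
set -e

# Build the tree in a temporary directory and print its path.
make_backup_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/server1" "$root/servers/server2" "$root/servers/server3"
    touch "$root/old.tar" "$root/new.tar" \
          "$root/server1/old.tar" "$root/servers/server2/old.tar" \
          "$root/servers/server3/old.tar" "$root/servers/server3/new.tar"
    find "$root" -name 'old.tar' -exec touch -d "11 days ago" {} +
    printf '%s\n' "$root"
}

# Dry run: the post's expression with -print in place of -exec rm. -path has
# to match the path exactly as find builds it from the starting point, hence
# "$1/server1" rather than a bare name; -type f keeps directories out of the
# list (rm without -r would only fail on them). Prints paths relative to the
# root, sorted.
list_expired() {       # $1 = root, $2 = age in days (find -mtime +N)
    find "$1" \( -path "$1/server1" -o -path "$1/servers/server2" \) -prune \
        -o -type f -mtime "+$2" -print | sed "s|^$1/||" | LC_ALL=C sort
}

# Real deletion with the same expression; -exec rm -f {} + batches the
# arguments instead of forking one rm per file.
delete_expired() {     # $1 = root, $2 = age in days
    find "$1" \( -path "$1/server1" -o -path "$1/servers/server2" \) -prune \
        -o -type f -mtime "+$2" -exec rm -f {} +
}

root=$(make_backup_tree)
echo "would delete:"; list_expired "$root" 10
delete_expired "$root" 10
echo "remaining old.tar copies (only in the excluded directories):"
find "$root" -name 'old.tar' | sed "s|^$root/||" | LC_ALL=C sort
rm -rf "$root"
```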

Show the UID and GID of the user that runs each process
ps -eo uid,gid,args

Show detailed information about software raid array
mdadm --detail /dev/md1

When was the last reboot?
root@server:/# last reboot

Create list of directories in tar archive
tar -ztvf file.tar.gz | grep "^d" | awk '{ print $6}' | sort | uniq

Clone a partition table fast
sfdisk -d /dev/sda > partition.txt

Edit the text file to match the other disk (in this example /dev/sdb) and load it:
sfdisk /dev/sdb < partition.txt

Remount filesystem for writing
mount -o remount,rw /

Back to read-only
mount -o remount,ro /
 
Add route
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth1
ip route add 192.168.1.0/24 via 192.168.1.1 dev eth1


Add a proxy server temporarily
export http_proxy=http://127.0.0.1:3128/

Add proxy server persistently
echo "export http_proxy=http://127.0.0.1:3128/" >> /etc/profile

Router distributions out of the box


  • Endian
  • pfSense
  • ClearOS
  • SmoothWall
  • ipcop
  • ebox
  • ZeroShell
  • MikroTik

Friday, 23 July 2010

Permissions bits in Linux

SUID:
S instead of x in user permissions
It sets the process user owner to the file's user
It has no effect on directories
Set SUID:
chmod 4000 file
chmod u+s file

SGID:
S instead of x in group permissions
It sets the process group owner to the file's group
Sets group for all new files in the directory, the same as directory's group
Set SGID:
chmod 2000 file
chmod g+s file



Sticky bit:
T instead of x in other permissions
Files with the sticky bit can be deleted only by root and the file's owner
Files in a directory with the sticky bit can be deleted only by root, the file's owner or the directory's owner, regardless of file permissions.
Set sticky bit:
chmod 1000 file
chmod o+t file

ProFTPd tips

ProFTPd is a very flexible FTP server. This post contains some ready-to-use examples of ProFTPd configurations.

Hide FTP server version
ServerName "FTP"
ServerIdent on "FTP server"
DeferWelcome on


Allow only certain users to connect to ProFTPd, with no anonymous access
<Limit LOGIN>
AllowUser barb
AllowUser dave
AllowGroup ftpusers
DenyAll
</Limit>


Script to add FTP user
This script is very simple and accepts two parameters: the user's login and password
#!/bin/bash
# usage: add_ftp_user.sh login password
useradd "$1" -G ftpusers -d /ftp -s /bin/false
echo "$1:$2" | chpasswd

Configure default user folder and allow /bin/false shell
DefaultRoot ~
RequireValidShell off

Allow writing files for only certain group
<Directory /ftp>
<Limit WRITE>
AllowGroup ftpusers
DenyAll
</Limit>
</Directory>

Deny writing and listing files during anonymous sessions
In <Anonymous ~ftp> section:
<Directory /ftp>
<Limit WRITE>
DenyAll
</Limit>
<Limit LIST NLST MLSD MLST STAT>
DenyAll
</Limit>
</Directory>

Forbid deleting files for a particular user in particular directory
<Directory /ftp/upload>
<Limit DELE>
DenyUser ftpuser
</Limit>
</Directory>

DNS tips

Detect BIND version
dig @server_address -c CH -t txt version.bind

or via fpdns
fpdns server_address

Hide BIND version
version "DNS server";

Sample master server
/etc/bind/conf.local:

options
{
recursion no;
version "DNS server";
};

zone "domain" { 
type master;
file "/etc/bind/db.zone";
allow-transfer { slave_server;};
};


/etc/bind/db.zone
$TTL 3h
@ IN SOA ns1. email.domain (
2
12h
1h
1w
1h
)
@ IN NS ns1.
ns1 IN A 11.11.11.11
@ IN A 11.11.11.11
www IN A 11.111.11.111
@ IN MX 10 mx
mx IN A 11.111.11.111

  • @ - alias for the domain
  • ns1 - name of the NS server
  • email - e-mail address of the administrator
  • 2 - serial number
  • 12h - refresh interval used by slave DNS servers
  • 1h - time between retries by a slave to retrieve the zone if the connection failed
  • 1w - expire time, used only by slaves: if the master cannot be contacted for this long, the zone data is no longer considered authoritative and the slave stops answering queries for it
  • 1h - how long clients cache error replies
Sample slave server
Create directory for backup file and grant permissions on it for user bind:

mkdir /var/bind
chown root:bind /var/bind
chmod 770 /var/bind


/etc/bind/conf.local:

options
{
recursion no;
version "DNS server";
};

zone "domain" {
type slave;
file "/var/bind/db.zone";
masters { master; };
allow-transfer { none;};
};


Forward only server

/etc/bind/conf.local:
options {
directory "/var/named";
forwarders { 10.9.16.30; 10.13.16.30; };
listen-on{ 192.168.1.1; 172.24.21.1; };
forward only;
recursion no;
version "DNS server";
};


Reverse zone sample

$TTL 1D
1.168.192.in-addr.arpa. IN SOA dns1.example.com. admin.example.com. (
    2010022003 ; serial
    3600       ; refresh
    600        ; retry
    604800     ; expire
    86400      ; default_ttl
)
1.1.168.192.in-addr.arpa. IN PTR dns1.example.com.
2 IN PTR horus.example.com.
3 IN PTR ra.example.com.
@ IN NS dns1.example.com.


Monitor DNS requests
dnstop -l 3 eth0

http://www.zytrax.com/books/dns/

Bash

Quoting in bash
There are two types of quoting: strong quotes (' ') and weak quotes (" "). Strong quotes mean that every character inside them is taken literally. Weak quotes still treat some special characters as special, for example the dollar sign:

echo "$SHELL"
/bin/bash

Also, you can quote a single character using backslash(\), it's called backslash-escaping.

Hot keys in Bash
  • Ctrl-z - suspend key: stops the currently running process and puts it in the background
  • Ctrl-c - kills the current command or process by sending it the SIGINT (2) signal
  • Ctrl-\ - stops the current command
  • Ctrl-d - sends end of file: it exits the shell at the prompt and ends the input of a running command
  • Ctrl-m - the same as pressing Enter
  • To see all your control keys: stty -a
Builtin variables
  • $! - PID of last background job
  • $_ - final argument of previous command executed
  • $? - exit status of last command
  • $$ - Process ID (PID) of the script itself
  • $# - number of arguments
  • $0 - the command itself
Read file line by line
while IFS= read -r line      # -r keeps backslashes, IFS= keeps leading and trailing blanks
do
    echo "$line"
done < file


Create alias
For example, to launch "ls --color" instead of "ls", put this in the .bashrc file:
alias ls="ls --color"
alias ..='cd ..'
alias d='ls -l | grep -E "^d"'


To redirect standard output and standard error to one file
program > file 2>&1


Logical operations
Double bars || mean logical OR.
For example, command2 will be launched only if command1 fails:
command1 || command2

Double ampersands && mean logical AND.
For example, command2 will be launched only if command1 succeeds:
command1 && command2

Thursday, 22 July 2010

Best security practices for Apache, PHP, MySQL server

Set permissions to all configuration files
root:root 600

Restrict access to service files
<Files *.bak>
order deny,allow
deny from all
</Files>

<Files *.tmp>
order deny,allow
deny from all
</Files>

<Files *.log>
order deny,allow
deny from all
</Files>

<Directory ~ ".*\.svn">
Order allow,deny
Deny from all
Satisfy All
</Directory>

Disable autoindex module or disable directory index, in virtual host or directory context
Options -Indexes

Limit usage of methods

Order allow,deny
Allow from all

Order deny,allow
Deny from all

Configure fault tolerance
Timeout 60
KeepAlive On
KeepAliveTimeout 12
LimitRequestBody 1000000

Options IncludesNoExec

Options SymLinksIfOwnerMatch


Configure file integrity monitoring

Disable magic_quotes_gpc, allow_url_fopen and display_errors in php.ini

Set open_basedir in the virtual host context to the document root of the site; some sites also require /tmp to be included in open_basedir

Set max_connections in my.cnf to appropriate value, for example 100 for small site.
Set max_connect_errors in my.cnf to 10
Disable LOCAL INFILE syntax: set-variable=local-infile=0
Disable show databases command: skip-show-database

Hide Apache version
ServerTokens Prod
ServerSignature Off

Disable TRACE method:


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

or
TraceEnable off

Apache 2.0 Hardening Guide
About SSL cipher suite


Hide PHP version:

In php.ini:
expose_php = Off

Allow PHP to access only certain dirs

in Virtualhost:
php_admin_value open_basedir

php_admin_value upload_tmp_dir

php_admin_value session.save_path


But if you just enable these options, PHP will print warnings with undesirable information onto the page. To prevent this you need to disable warnings. The first method is to write "@" before the function call. Another method is to specify in php.ini:
display_errors = Off

The third method is to add to the script: ini_set('display_errors', 'Off');

allow_url_fopen=no
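An added example, not from the original post: a shell check of a php.ini against the settings this post tells you to turn off (expose_php, display_errors, allow_url_fopen, magic_quotes_gpc). The php.ini content and the function names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check a php.ini for the settings
# this post tells you to turn off. Function names and the sample php.ini are
# constructed for the demonstration.
set -e

# Print the effective value of one directive. Like PHP's own parser, the last
# uncommented assignment wins; ';' comments, blanks and quotes are stripped.
ini_get() {            # $1 = php.ini path, $2 = directive name
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            line = $0; sub(/;.*/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# PHP reads off, no, false, none, 0 and the empty string as false; anything
# else (On, 1, yes, or a value such as stderr) counts as enabled here.
ini_is_off() {         # $1 = value
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ''|off|no|false|none|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Report PASS/FAIL per directive from the post. A directive that is not set at
# all is reported as FAIL too, because PHP's built-in default may be On (it is
# for display_errors). The return value is the number of failures, so the
# function can drive a cron job or a deployment check.
audit_php_ini() {      # $1 = php.ini path
    local fails=0 d v
    for d in expose_php display_errors allow_url_fopen magic_quotes_gpc; do
        v=$(ini_get "$1" "$d")
        if [ -z "$v" ]; then
            echo "FAIL $d is not set explicitly"; fails=$((fails + 1))
        elif ini_is_off "$v"; then
            echo "PASS $d = $v"
        else
            echo "FAIL $d = $v (should be Off)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed sample php.ini for this example
[PHP]
expose_php = Off
display_errors = On   ; left on by a developer
allow_url_fopen = Off
magic_quotes_gpc = Off
EOF
audit_php_ini "$sample" || echo "$? directive(s) need attention"
rm -f "$sample"
```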

Thursday, 15 July 2010

Filesystems, files


  • ext2 - filesystem without journaling.

  • ext3 - pre-allocates number of inodes at creation time.

  • jfs - journaled file system from IBM

  • xfs

  • reiserfs - is a good choice for handling filesystems with many small files.

  • FAT(12,16,32) - msdos name is used for variant of this filesystem, that supports only 8.3 filenames. vfat name designates version, that supports long names.

  • NTFS

  • HFS, HFS+ - Hierarchical File System from Apple

  • ISO-9660 - the standard filesystem for CD-ROMs; Rock Ridge extensions are available

  • Joliet - filesystem for CD-ROMs created by Microsoft for use by Windows

  • UDF - The Universal Disc Format (UDF) is the next-generation filesystem for optical discs



Determine superblock location:
dumpe2fs /dev/sda1|grep -i superblock

Repair filesystem, using alternative superblock:

e2fsck -f -b 8193 /dev/sda1

XFS tools:
xfs_info - provides info about xfs partition, requires that the filesystem be mounted
xfs_metadump - copies the filesystem’s metadata (filenames, file sizes, and so on) to a file.
xfs_admin - tuning xfs partition

To tune ext2/ext3 filesystems you can use tune2fs utility

debugfs is a Swiss army knife for ext2/ext3 file systems. This program provides the abilities of dumpe2fs, tune2fs and many of Linux's normal file-manipulation tools all rolled into one. It is possible to undelete files, extract files from damaged filesystems, get information and much more using this program.

Get information about filesystem:

dumpe2fs -h /dev/sda1
or

tune2fs -l /dev/sda1

Search for bad blocks:

e2fsck -c
or

mkswap -c



There are several methods of locating files in linux:

  • find - search files using your patterns(size, owner, name, mtime, atime)

  • locate - search only names, it returns all names, containing the specified string. It works from a database that it maintains. Most distributions include a cron job that calls locate with options that cause it to update its database periodically, such as once a night or once a week. (You can also use the updatedb command to do this task at any time.) For this reason, locate may not find recent files, or it may return the names of files that no longer exist. If the database-update utilities omit certain directories, files in them won’t be returned by a locate query.

  • whereis - searches for files in a restricted set of locations, such as standard binary file directories, library directories, and man page directories.

  • which - searches your path for the command that you type and lists the complete path to the first match it finds.

  • type - This command isn't really a search command; instead, it tells you how a command you type will be interpreted: as a built-in command, an external command, an alias, and so on.


Finding files based on certain permission bits
To search for files with certain permissions we use the find command:
find path -perm permissions
Permissions can be given in symbolic or octal form. By default find matches exactly the permissions you specify, for example

find . -perm u=r
will find files with permissions 400. For a more flexible search you can prefix the mode with / or -: / means that any of the listed permission bits may match, - means that all of the listed bits must be set. The + prefix was used earlier but is now deprecated; / is used instead. For example:

find . -perm /og=r
will find files with o=r or g=r or both, and

find . -perm -og=r
will find only files with both g=r and o=r.
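An added example that is not from the original post, tying the permission-bit section above (SUID, SGID, sticky) to the find -perm forms just described: it builds a scratch tree with constructed file names and modes and queries it with -perm -MODE and -perm /MODE. It assumes GNU find and a writable temporary directory; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build a scratch tree whose files
# carry the SUID, SGID and sticky bits set with the chmod forms above, then
# audit it with find -perm -MODE (all listed bits) and find -perm /MODE (any).
# Requires GNU find (-printf). All names and modes below are constructed.
set -e

# Create the tree in a temporary directory and print its path.
make_tree() {
    local root
    root=$(mktemp -d)
    touch "$root/plain" "$root/suid_bin" "$root/sgid_bin" "$root/both_bin"
    mkdir "$root/shared_dir" "$root/tmp_dir"
    chmod 0755 "$root/plain"
    chmod 4755 "$root/suid_bin"     # rwsr-xr-x : runs as the file's owner
    chmod 2755 "$root/sgid_bin"     # rwxr-sr-x : runs as the file's group
    chmod 6755 "$root/both_bin"     # rwsr-sr-x : SUID and SGID together
    chmod 2775 "$root/shared_dir"   # new files inherit the directory's group
    chmod 1777 "$root/tmp_dir"      # sticky: only owner (or root) may delete
    printf '%s\n' "$root"
}

# find -perm -MODE: every bit in MODE must be set. Prints sorted base names.
entries_with_all_bits() {      # $1 = root, $2 = octal mode such as 6000
    find "$1" -mindepth 1 -perm "-$2" -printf '%f\n' | LC_ALL=C sort
}

# find -perm /MODE: at least one bit in MODE must be set.
entries_with_any_bits() {      # $1 = root, $2 = octal mode
    find "$1" -mindepth 1 -perm "/$2" -printf '%f\n' | LC_ALL=C sort
}

# The usual audit question: which regular files are SUID or SGID? Directories
# are skipped because SGID on a directory only affects group inheritance.
suid_sgid_report() {           # $1 = root; prints "mode owner name" lines
    find "$1" -mindepth 1 -type f -perm /6000 -printf '%#m %u %f\n' | LC_ALL=C sort
}

root=$(make_tree)
echo "SUID or SGID files:";  suid_sgid_report "$root"
echo "sticky entries:";      entries_with_all_bits "$root" 1000
echo "SUID and SGID both:";  entries_with_all_bits "$root" 6000
rm -rf "$root"
```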
Find files larger than 100 kilobytes:

find . -size +100k



Inode
As we know, in Linux everything is a file. Every file is described by an inode (index node). An inode consists of:

  • File type (executable, block, character, named pipe, socket, directory, link, etc)

  • Permissions

  • Owner

  • Group

  • File Size

  • File access, change and modification time (UNIX or Linux never stores file creation time)

  • File deletion time

  • Number of links (soft/hard)

  • Extended attribute such as append only or no one can delete file including root user (immutability)

  • Access Control List (ACLs)

To see a file's inode number you can use:
ls -i /etc/passwd
131260 /etc/passwd

To see all information you can use stat command:

stat /etc/passwd


Show inode usage of file system: 

df -i /dev/sda1




Timestamps
There are 3 types of timestamps:
Access timestamp (atime) - set during any read or write operation; you can see the access time with:

ls -lu file
Change timestamp (ctime) - set whenever the status of the file changes, for example its permissions or ownership; you can see this time with:

ls -lc file
Modification timestamp (mtime) - set during any write operation; you can see this time with:

ls -l file

The touch program is used to change atime and mtime to the current or a specified time. If you just run touch without options, it changes both atime and mtime of the file to the current time. To change only atime, the -a option is used:

touch -a file

To change only mtime -m option is used:

touch -m file

If you want to change timestamps to specified time, you need to use -t or -d options:

touch -t 200812012300.23 file 

touch -d '25 Jan 2008 10:22' file
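An added example, not from the original post, that exercises the three timestamps above on a scratch file with GNU stat and touch: chmod moves ctime only, touch -d rewrites atime and mtime to the given value, but ctime always comes from the system clock. The helper names are constructed for this demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: watch the three timestamps react
# to chmod and touch on a scratch file. Uses GNU stat and touch; the helper
# names are constructed for this demonstration.
set -e

atime() { stat -c '%X' "$1"; }   # last access, what ls -lu shows
mtime() { stat -c '%Y' "$1"; }   # last content write, what ls -l shows
ctime() { stat -c '%Z' "$1"; }   # last status (inode) change, what ls -lc shows

# Backdate mtime the way the touch -d tip does, in UTC so the value is
# reproducible, then print "mtime ctime" in epoch seconds.
backdate() {           # $1 = file, $2 = date string for touch -d
    touch -d "$2" "$1"
    printf '%s %s\n' "$(mtime "$1")" "$(ctime "$1")"
}

# True when mtime is older than ctime by more than $2 seconds. On its own this
# is not proof of tampering (a chmod on an old file looks the same), but a file
# claiming to be years old with a fresh ctime is worth comparing against
# package manifests or backups: touch can set mtime, it cannot set ctime.
mtime_before_ctime() { # $1 = file, $2 = slack in seconds
    local m c
    m=$(mtime "$1"); c=$(ctime "$1")
    [ $((c - m)) -gt "$2" ]
}

f=$(mktemp)
printf 'created:        atime %s mtime %s ctime %s\n' "$(atime "$f")" "$(mtime "$f")" "$(ctime "$f")"
m0=$(mtime "$f")
sleep 1
chmod 600 "$f"                           # status change only
printf 'after chmod:    mtime %s -> %s, ctime %s\n' "$m0" "$(mtime "$f")" "$(ctime "$f")"
printf 'after touch -d: mtime ctime = %s\n' "$(backdate "$f" '2008-01-25 10:22 UTC')"
mtime_before_ctime "$f" 86400 && echo "mtime is more than a day older than ctime"
rm -f "$f"
```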



Tips

Delete a file using its inode number:
find . -inum [inode-number] -exec rm -i {} \;

Show directory tree:

tree -d /etc | less

Change file/directory permissions separately:

Directories: 

find . -type d -exec chmod XXX {} \; 

Files: 

find . -type f -exec chmod XXX {} \;

Create hierarchy of directories:

mkdir -p dir1/dir2/dir3

Determine type of the file:

file filename

Create FAT32 partition:
mkdosfs -F 32 /dev/***

Find files containing "text"
grep -Hlr "text" /path 



Delete old files:
find /backups/tars -mtime +10 -exec rm {} \;

Shared Libraries in Linux

The main administrative task for shared libraries is to tell programs how to find libraries. This is done by setting a library path, either system-wide or temporarily.
To change or add a path system-wide, add the path, or a conf file containing the path, to /etc/ld.so.conf:
/path
include /etc/ld.so.conf.d/*.conf
For the changes to take effect you need to run ldconfig.
/lib and /usr/lib are always in the library path, even if they aren't listed in /etc/ld.so.conf.
To add or change a path temporarily, set the LD_LIBRARY_PATH environment variable:
$ export LD_LIBRARY_PATH=/usr/local/testlib:/opt/newlib
You can use the ldd command to see which libraries a program links to.

Linux kernel


  • Kernel version consists of major version.minor version (even numbers for stable, odd numbers for development).patch version. For example: 2.6.26

  • Modules directory: /lib/modules

  • Tools to control modules:

  • insmod - insmod is a trivial program to insert a module into the kernel. This version of insmod is for kernels 2.5.48 and above. If it detects a kernel with support for old-style modules (for which much of the work was done in userspace), it will attempt to run insmod.old in its place. Most users will want to use modprobe(8) instead, which is cleverer.

  • rmmod - simple program to remove a module from the Linux Kernel. Most users will want to use modprobe(8) instead, with the -r option.

  • lsmod - is a trivial program which nicely formats the contents of the /proc/modules, showing what kernel modules are currently loaded. The lsmod command displays information only about kernel modules, not about drivers that are compiled directly into the Linux kernel.

  • modinfo - program to show information about a Linux Kernel module.

  • modprobe - program to add and remove modules from the Linux Kernel

  • depmod - program to generate modules.dep and map files. It runs at system start.

  • System.map file - is a listing of all symbols along with their address.

  • Config file - kernel configuration file generated by make menuconfig/make xconfig/make gconfig

  • initrd.img file - contains device drivers which are required to boot and load rest of operating system from disk. Usually SCSI and IDE drivers are stored in this file.

  • /etc/modules file contains list of modules, that are loaded during system boot

  • /proc/cmdline - options provided to kernel by bootloader

Linux boot


  • Inside the Linux boot process
  • Directories /etc, /bin, /sbin, /lib, and /dev should never be placed on separate partitions. These directories host critical system configuration files or files without which a Linux system can't function. For instance, /etc contains /etc/fstab, the file that specifies which partitions correspond to which directories, and /bin contains the mount utility that's used to mount partitions on directories.
  • Super GRUB disk
  • System rescue CD

Hardware in Linux

Devices

  • Block devices - is an abstraction layer for any storage device that can be formatted in fixed-size blocks; individual blocks may be accessed independently of access to other blocks. Such access is often called random access.

  • Character device

  • ATA devices - /dev/hdx

  • SATA devices - /dev/hdx or /dev/sdx

  • SCSI devices - /dev/sdx

  • ATA magnetic tape devices - /dev/htx or /dev/nhtx

  • SCSI magnetic tape devices - /dev/stx or /dev/nstx



Information about hardware

  • /proc/partitions - shows all block devices

  • /proc/dma - shows which DMA channels are in use

  • /proc/cpuinfo - all information about CPU

  • The sysfs virtual filesystem, mounted at /sys, exports information about devices so that user space utilities can access the information.

  • HAL daemon - The Hardware Abstraction Layer (HAL) daemon, or hald, is a user space program that runs at all times (that is, as a daemon) and provides other user space programs with information about available hardware.

  • D-Bus - The Desktop Bus (D-Bus) provides a further abstraction of hardware information access. Like hald, D-Bus runs as a daemon. D-Bus enables processes to communicate with each other as well as to register to be notified of events, both by other processes and by hardware (such as the availability of a new USB device).

  • udev -  Traditionally, Linux has created device nodes as conventional files in the /dev directory tree. The existence of hotplug devices and various other issues, however, have motivated the creation of udev: a virtual filesystem, mounted at /dev, which creates dynamic device files as drivers are loaded and unloaded. You can configure udev through files in /etc/udev, but the standard configuration is usually sufficient for common hardware.



Tools



  • lspci - lists all PCI devices.

  • lspnp - display information about PnP devices

  • lsusb - shows all usb devices

  • usbmodules - list kernel driver modules available for a plugged in USB device

  • hotplug - relies on kernel support added with the 2.4.x kernel series. This system uses files stored in /etc/hotplug to control the configuration of specific USB devices. In particular, /etc/hotplug/usb.usermap contains a database of USB device IDs and pointers to scripts in /etc/hotplug/usb that are run when devices are plugged in or unplugged. These scripts might change permissions on USB device files so that ordinary users can access USB hardware, run commands to detect new USB disk devices, or otherwise prepare the system for a new (or newly removed) USB device.

  • usbmgr - a program that runs in the background to detect changes on the USB bus. When it detects changes, it loads or unloads the kernel modules that are required to handle the devices. This package uses configuration files in /etc/usbmgr to handle specific devices and /etc/usbmgr/usbmgr.conf to control the overall configuration.

  • setserial - configures serial interface

  • pnpdump - Dump ISA Plug-And-Play devices resource information

  • sndconfig - easy configuration of sound card

  • scsi_info, sginfo, sg_map - shows information about scsi device

  • hdparm - displays information about hard drives and configures them.

  • setpci - utility to directly query and adjust PCI devices’ configurations


Tips
If a USB device disconnects by itself during boot and you see, for example, the following in dmesg:
usb 2-1: USB disconnect, address 9
removing the kernel module ehci_hcd can help:
sudo modprobe -r ehci_hcd


Saturday, 10 July 2010

Hiding open ports using SPA and port knocking


SPA (Single Packet Authorization) and port knocking are technologies with the same goal: hiding Internet services. In most cases they are used to conceal remote management services such as SSH and RDP.
Both technologies share a common principle: you send specially crafted packet(s) to a host and the host opens defined port(s) on its firewall. The main distinction between them is the type of packets. In SPA you send an encrypted packet carrying the information about what to open. In port knocking you send just empty packets to specific destination ports (both TCP and UDP may be used) in a particular order; the server analyses the incoming traffic, recognises these packets and sends a command to the firewall to open access for your IP address.
The great advantage of both technologies is that they do not open any services while listening; they just sniff the traffic.
There are two main drawbacks of port knocking. Firstly, there is no encryption: the sequence of packets can be sniffed. Secondly, it is not very reliable: quite often some packets are lost and you have to resend the whole sequence several times.

Example of port knocking configuration
As the port knocking daemon I used knockd.
You can install it from the standard Ubuntu repositories. Here is an example of the main configuration file
/etc/knockd.conf:

[SSH]
sequence = 26515:tcp,8924:tcp,58666:tcp,32342:tcp,5427:tcp
seq_timeout = 15
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT
cmd_timeout = 60
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT

[Osiris]
sequence = 9674:tcp,54190:tcp,25668:tcp,19684:tcp,35056:tcp
seq_timeout = 15
start_command = /conf/ssh %IP%
cmd_timeout = 60
stop_command = /conf/ssh_del

seq_timeout defines the time limit within which the server must receive all packets of the sequence. cmd_timeout determines how long the door stays open before stop_command runs.

As you can see, in the second section there are no iptables commands. This is because this section is for a Windows server. I didn't find an appropriate knock daemon for Windows, so I had to create this workaround: the user knocks on the Linux server and the Linux server then sends firewall commands to the Windows server via SSH. Here are the contents of the ssh script:

/usr/bin/ssh -i /conf/id_rsa -l user 212.176.29.163 ipfw add 1000 allow tcp from $1 to me 3389 in setup

As you can see, ipfw for Windows is installed :) A rather complicated scheme.
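An added example, not from the original post: a small audit of a knockd.conf in the format shown above, flagging doors with a start_command but no stop_command and sequences shorter than a chosen minimum. The config it reads is constructed here (the second section name is invented) and the function names are my own; knockd itself is not needed to run it.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit a knockd.conf in the format
# shown above. Doors that open (start_command) but never close (no stop_command)
# and sequences shorter than a chosen minimum are flagged. The sample config and
# the function names are constructed; knockd itself is not needed to run this.
set -e

# Emit "section key value" lines for every key in every [section] except
# [options]. Comments and blank lines are ignored; section names must not
# contain spaces for the awk field split below to work.
knockd_triples() {     # $1 = config path
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec != "" && sec != "options" && index($0, "=") {
            k = $0; v = $0
            sub(/[ \t]*=.*$/, "", k); gsub(/^[ \t]+/, "", k)
            sub(/^[^=]*=[ \t]*/, "", v)
            print sec, k, v
        }' "$1"
}

# One line per section: "NAME ports=N finding..." or "NAME ports=N ok".
knockd_audit() {       # $1 = config path, $2 = minimum number of knocks
    knockd_triples "$1" | awk -v min="$2" '
        { seen[$1] = 1 }
        $2 == "sequence" {
            n = split($3, a, ","); ports[$1] = n
            split("", dup)                       # a port used twice shrinks the secret
            for (i = 1; i <= n; i++) { if (a[i] in dup) repeat[$1] = 1; dup[a[i]] = 1 }
        }
        $2 == "start_command" { start[$1] = 1 }
        $2 == "stop_command"  { stop[$1] = 1 }
        END {
            for (s in seen) {
                f = ""
                if (!(s in ports))                 f = f " no-sequence"
                else if (ports[s] < min)           f = f " short-sequence"
                if (s in repeat)                   f = f " repeated-port"
                if ((s in start) && !(s in stop))  f = f " never-closes"
                printf "%s ports=%d%s\n", s, ports[s], (f == "" ? " ok" : f)
            }
        }' | LC_ALL=C sort
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, modelled on the /etc/knockd.conf above
[options]
logfile = /var/log/knockd.log

[SSH]
sequence = 26515:tcp,8924:tcp,58666:tcp,32342:tcp,5427:tcp
seq_timeout = 15
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT
cmd_timeout = 60
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22222 -j ACCEPT

[weak-door]
sequence = 7000:tcp,8000:tcp
seq_timeout = 15
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
knockd_audit "$sample" 4
rm -f "$sample"
```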

Example of SPA configuration based on passwords
A Comprehensive Guide to Strong Service Hardening with fwknop
Here we use fwknop-server. It is also available in the Ubuntu repositories. The main configuration file is /etc/fwknop/access.conf:

SOURCE: ANY;
OPEN_PORTS: tcp/22;
KEY: secret;
FW_ACCESS_TIMEOUT: 30;

SOURCE: ANY;
ENABLE_EXTERNAL_CMDS: Y;
KEY: key;
EXTERNAL_CMD_OPEN: /conf/ssh $SRC;
EXTERNAL_CMD_CLOSE: /conf/ssh_del;
FW_ACCESS_TIMEOUT: 30;

Here everything is pretty simple. The second SOURCE stanza again describes the workaround for the Windows server using external commands. Instead of knock sequences, KEYs are used.
To send an SPA packet we use the fwknop client:

fwknop -D 192.168.1.1 -A tcp/22 -s 10.10.0.1


Thursday, 8 July 2010

Linux security tips

Here are some general security tips concerning Linux





Kerberos auth for SSH via PAM
auth sufficient pam_unix.so
auth required pam_krb5.so




pwconv - converts passwd file to shadow file

sudo example
User_Alias users = %friends
Cmnd_Alias commands = /bin/test
users ALL = NOPASSWD: commands








Monday, 5 July 2010

Command line in Windows world

To delete files older than X days through command line Forfiles can be used:
forfiles /p s:\Backups /d -10 /c "cmd /c del @path"

To redirect error output to standard output:
mingw32-make 1 > output.txt 2>&1

Check error level:
if errorlevel 1 command

Change network configuration with the netsh command
Show configuration:
netsh interface ip show config

Configure interface "LAN": 
netsh interface ip set address name="LAN" static 10.64.167.191 255.255.255.0 10.64.167.1 1

Dump configuration of interface:
netsh -c interface dump > c:\location1.txt

Load saved configuration:
netsh -f c:\location1.txt

Configure interface to DHCP mode:
netsh interface ip set address "LAN" dhcp

Configure DNS to DHCP mode:
netsh interface ip set dns "LAN" dhcp

Add scheduled task via command line:

schtasks /create /d thu /sc weekly /tn backup_thursday /tr f:\Admin\thursday_backup.bat

Copy directories:
xcopy F:\dir1 F:\Backup\dir2 /s /y

Show open ports on firewall:
netsh firewall show portopening ENABLE


Show user's OU and other information:
adfind -sc u:nagios dn
Configure NTP synchronisation with Linux

w32tm /config /update /manualpeerlist:"192.168.1.2,0x8" /syncfromflags:MANUAL
net stop w32time
net start w32time

Friday, 2 July 2010

NAT in Cisco IOS

Here I would like to describe some NAT variants based on a real-life example.
First, some definitions:
  • Inside global - the public IP address of the NAT router.
  • Inside local - the IP address of a host in the enterprise network.
  • Outside local - an outside host with a private address.
  • Outside global - a public Internet address.
For instance, we have a router with Internet address 1.1.1.1 and local address 192.168.1.1.
In our internal network we have a web server with address 192.168.1.2.
We need to forward port 1.1.1.1:80 to 192.168.1.2:80 so that people on the Internet are able to reach our web server.
First, mark interface 1.1.1.1 as outside:
Router(config-if)#ip nat outside

Then mark interface 192.168.1.1 as inside:
Router(config-if)#ip nat inside

Next configure NAT for port forwarding:
ip nat inside source static tcp 192.168.1.2 80 1.1.1.1 80
That's all, port forwarding is ready.
I suppose our web server will need to access the Internet as well, for example in order to get software updates. To configure this we are going to use NAT overload, also called PAT (Port Address Translation).
First we add an access list that defines which networks can access the Internet via PAT:
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

In this case network 192.168.1.0/24 will have access.
After this we add the NAT rule:
Router(config)#ip nat inside source list 1 interface FastEthernet 0/0 overload

where FastEthernet 0/0 is the name of the interface connected to the Internet.
That's it; now the web server can reach Internet hosts.

To sum up, there are only 5 lines to configure port forwarding and Internet access via one public address. I consider this quite simple. Based on this configuration it is possible to configure access to other servers from the Internet.

Ping does not work

Today I would like to discuss a banal situation: host A is directly connected to host B, ping from host A to host B does not work. What are...