Archive for the ‘Linux’ Category

Installing DenyHosts

Installing DenyHosts from the source tarball on CentOS 6 (it is a Python package installed with setup.py, so nothing needs compiling).

[root@new denyhosts]# mkdir -p /root/Downloads/denyhosts
[root@new denyhosts]# cd $_
[root@new denyhosts]# wget -O DenyHosts-2.6.tar.gz 'http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2Fdenyhosts%2F&ts=1343373868&use_mirror=freefr'
[root@new denyhosts]# tar xzf DenyHosts-2.6.tar.gz
[root@new denyhosts]# cd DenyHosts-2.6
[root@new denyhosts]# python setup.py install
[root@new denyhosts]# cd /usr/share/denyhosts/
[root@new denyhosts]# cp -a denyhosts.cfg-dist denyhosts.cfg
[root@new denyhosts]# vi denyhosts.cfg
[root@new denyhosts]# cp -a daemon-control-dist daemon-control
[root@new denyhosts]# chmod 700 daemon-control*
[root@new denyhosts]# ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
[root@new denyhosts]# ln -s /usr/share/denyhosts/denyhosts.cfg /etc/denyhosts.conf
[root@new denyhosts]# service denyhosts start
[root@new denyhosts]# chkconfig denyhosts on
[root@new denyhosts]# tail /etc/hosts.deny
[root@new denyhosts]# vi /etc/hosts.deny
[root@new denyhosts]# vi /etc/denyhosts.conf ; service denyhosts restart

http://www.linuxvadapav.com/security/how-to-install-denyhosts-on-centos-5-x-ubuntu-rhel-fedora.html

Backup database and rsync to offsite server

This is the current bash script for exporting the databases from each web server and sending them to the backup server.

#!/bin/bash
# db.sh
# Backup of database to offsite server
# Jason Bickley, Web Manager EWEA
# 9 JULY 2013

#==== RECEIVE VARIABLES FROM COMMAND LINE ====#
FREQ=$1      # daily | weekly | monthly
SERVER=$2    # short name of this web server, also selects the ssh key

#==== SCRIPT OPTIONS ====#
USER=backup
PASS="mwbubCEsxCU6XVsW"
DIR=/root/backup/mysql/
FILE=localhost.sql.gz
DEST=backup.ewea.org
DATE=$(date +"%Y%m%d %T")
LOG=/var/log/backupDB_log

#==== EXECUTION OF COMMANDS ====#
# Stop on the first failing command, including a failed mysqldump inside the pipeline
set -e -o pipefail

# Change operating directory
cd "$DIR"

#==== Export database ====#
mysqldump -u"$USER" -p"$PASS" --all-databases --lock-all-tables | gzip > "$SERVER.$FREQ.$FILE"
chmod 600 "$SERVER.$FREQ.$FILE"

#==== rsync the export to offsite server ====#
rsync -aze "ssh -p 10022 -i /root/.ssh/${SERVER}_prv_key" "$SERVER.$FREQ.$FILE" "root@$DEST:/backups/$FREQ/$SERVER/db/"

#==== delete the exported file ====#
rm -f "$SERVER.$FREQ.$FILE"

#==== Confirm success in log file ====#
echo "$DATE Backup successful! $DEST:/backups/$FREQ/$SERVER/db/$SERVER.$FREQ.$FILE" >> "$LOG"

To use it, you just have to run: db.sh {freq} {servername} {option}

cd /root/Scripts/backup/
./db.sh daily main

Changing terminal colours

The default colours in Linux are sometimes very hard to read, notably blue on black:

We can change the default directory listing colours by editing this file:

/etc/DIR_COLORS

or

/etc/DIR_COLORS.xterm
(in Gandi CentOS 5)

My recommendation is to change the blue to yellow for directories. Change:

DIR 00;34       # directory (blue)
to
DIR 00;33       # directory (yellow)

The result looks like this:

For a full list of colours available, consult the list below:

# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white

Setting the time on Linux

To make sure your server always tells the correct time, follow these two instructions.

  1. Install the ntp daemon
    ntpd keeps your system clock regularly synchronised with upstream NTP servers (pool.ntp.org here), which are themselves traceable to atomic reference clocks.

    yum install -y ntp &&\
    chkconfig ntpd on &&\
    ntpdate pool.ntp.org &&\
    service ntpd start

  2. Make sure your time-zone is correct
    Set your time-zone to the right one with this command (here, Central European Time):

    ln -sf /usr/share/zoneinfo/CET /etc/localtime

Backup database and rsync to offsite server

THIS POST IS OUT OF DATE NOW. PLEASE CHECK THE NEW SCRIPT HERE:
https://itblog.windeurope.org/2012/11/06/backup-database-and-rsync-to-offsite-server-2/

This is the script I am using to back up the servers to offsite.ewea.org:

#!/bin/bash
#
# Backup of database to offsite server
# Jason Bickley, Web Manager EWEA
# March 19 2012
#
#==== DEFINE YOUR SERVER VARIABLES HERE ====#
SERVER=events
FREQ=daily

#==== SCRIPT OPTIONS ====#
USER=backup
PASS="mwbubCEsxCU6XVsW"
LOCALDIR=/root/backup/mysql/
FILE=localhost.sql.gz
DEST=offsite.ewea.org

#==== EXECUTION OF COMMANDS ====#
# Stop on the first failing command, including a failed mysqldump inside the pipeline
set -e -o pipefail

# Change operating directory
cd "$LOCALDIR"

# Export database
mysqldump -u"$USER" -p"$PASS" --all-databases | gzip > "$FREQ.$FILE"
chmod 600 "$FREQ.$FILE"

# rsync the export to offsite server
rsync -aze "ssh -p 10022 -i /root/.ssh/${SERVER}_prv_key" "$FREQ.$FILE" "root@$DEST:/backups/$SERVER/db/$FREQ/"

# delete the exported file
rm -f "$FREQ.$FILE"

The file is stored here: /root/Scripts/backup, and there are “daily”, “weekly” and “monthly” variations:
db_daily.sh
db_monthly.sh
db_weekly.sh

MySQL backup scripting

Today I set up a backup system for MySQL databases. 98% of our websites use MySQL as the database that drives all the content for their CMSes.
What I wanted was a script that would export all the databases, zip the dump, then transfer it to the offsite web server. All of this would run as daily, weekly and monthly cron tasks.

First task:
Create a user with least possible access rights.

Using phpMyAdmin, I created on each machine a user called “backup” with the password “*****************”.
For this user I gave the following permissions:

MySQL Privileges


Second task:
Write the script

#!/bin/bash

#==== DEFINE YOUR SERVER VARIABLES HERE ====#
SERVER=events
FREQ=daily

#==== SCRIPT OPTIONS ====#
USER=backup
PASS="*************"
LOCALDIR=/root/backup/mysql/
FILE=localhost.sql.gz
DEST=offsite.ewea.org

#==== EXECUTION OF COMMANDS ====#
# Stop on the first failing command, including a failed mysqldump inside the pipeline
set -e -o pipefail

# Change operating directory
cd "$LOCALDIR"

# Export database
mysqldump -u"$USER" -p"$PASS" --all-databases | gzip > "$FREQ.$FILE"

# rsync the export to offsite server
rsync -aze "ssh -p 10022 -i /root/.ssh/${SERVER}_prv_key" "$FREQ.$FILE" "root@$DEST:/backups/$SERVER/db/$FREQ/"

# delete the exported file
rm -f "$FREQ.$FILE"
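A hardened version of the dump-and-ship step shared by this script and its two newer versions above (an added example, not the author's db.sh): the password moves from the command line, where -p$PASS is visible to every local user in ps output, into a 0600 option file read through mysqldump's --defaults-extra-file, and the pipeline's exit status is checked before anything is rsynced or deleted, so a failed dump is logged as FAILED instead of "successful". /root/.my-backup.cnf and the BACKUP_DB_PASSWORD variable are placeholders; host, port, key path and log path are the ones the scripts use.

```shell
#!/bin/bash
# Added example (not the author's script): hardened dump step for db.sh.
# Assumes bash (PIPESTATUS) and GNU coreutils (stat -c); all paths are placeholders.
set -u

# Write a MySQL option file readable only by its owner, so the password is
# neither embedded in the script nor visible to other users in `ps` output.
# A pre-existing file keeps its old mode, hence the explicit 0600 check.
write_mysql_opts() {   # $1=path  $2=user  $3=password
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" ) || return 1
    [ "$(stat -c %a "$1")" = "600" ]
}

# Run "<dump command> | gzip > $1" and fail if EITHER side fails.  A plain
# "a | b" reports only b's status, so the original "mysqldump | gzip" looks
# successful even when mysqldump has died.  The archive is test-decompressed
# too, so nothing corrupt is shipped and nothing is deleted after a bad dump.
dump_to_gz() {         # $1=output file, remaining args = dump command
    local out=$1; shift
    "$@" | gzip > "$out"
    local st=("${PIPESTATUS[@]}")
    if [ "${st[0]}" -ne 0 ] || [ "${st[1]}" -ne 0 ]; then
        rm -f "$out"
        return 1
    fi
    gzip -t "$out"
}

# db_backup <freq> <server>: ship and delete only on success; log FAILED otherwise.
db_backup() {
    local freq=$1 server=$2
    local opts=/root/.my-backup.cnf dir=/root/backup/mysql log=/var/log/backupDB_log
    local out="$dir/$server.$freq.localhost.sql.gz"
    local stamp; stamp=$(date +"%Y%m%d %T")
    # password comes from the caller's environment (placeholder variable), not from this file
    write_mysql_opts "$opts" backup "${BACKUP_DB_PASSWORD:?set in cron environment}" || return 1
    if dump_to_gz "$out" mysqldump --defaults-extra-file="$opts" --all-databases --lock-all-tables \
       && chmod 600 "$out" \
       && rsync -aze "ssh -p 10022 -i /root/.ssh/${server}_prv_key" \
                "$out" "root@backup.ewea.org:/backups/$freq/$server/db/"; then
        rm -f "$out"; echo "$stamp Backup successful! $out" >> "$log"
    else
        echo "$stamp Backup FAILED for $server ($freq)" >> "$log"; return 1
    fi
}

if [ $# -ge 2 ]; then db_backup "$1" "$2"; fi
```

Run it from cron as db_backup.sh daily main with BACKUP_DB_PASSWORD set in the crontab environment; the MySQL "backup" user from the post above needs no extra privileges for this.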


DHCP configuration of network card

From http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-dhcp-configuring-client.html

To configure a DHCP client manually, modify the /etc/sysconfig/network file to enable networking and the configuration file for each network device in the /etc/sysconfig/network-scripts directory. In this directory, each device should have a configuration file named ifcfg-eth0, where eth0 is the network device name.

The /etc/sysconfig/network file should contain the following line:

NETWORKING=yes

The NETWORKING variable must be set to yes if you want networking to start at boot time.

The /etc/sysconfig/network-scripts/ifcfg-eth0 file should contain the following lines:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

A configuration file is needed for each device to be configured to use DHCP.

Sample hosts.allow file

From http://lists.freebsd.org/pipermail/freebsd-questions/2007-January/139712.html

This is a sample file... What to REMOVE and What to ADD or KEEP?

# cat /etc/hosts.allow
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.19.8.1 2006/02/19 14:57:01 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.

#        _____                                      _          _
#       | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#       |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#       | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#       |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                          |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap with NO_INET6=yes.
ALL : [::1] : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
ypserv : localhost : allow
ypserv : .unsafe.my.net.example.com : deny
ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

Useful inputrc

Place the following in ~/.inputrc or /etc/inputrc
While ~/.inputrc works sometimes, it doesn’t on all systems.

"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
"\e[5C": forward-word
"\e[5D": backward-word
"\e\e[C": forward-word
"\e\e[D": backward-word
set completion-ignore-case On

All lines except the last enable nice readline & bash cursor movement (control + arrow keys and what not), while the last line turns on case insensitivity for tab-completion, enabling you to have folders and files of mixed-case characters while not having to type the capital letters. (You can have a directory called “Documents” and tab-complete by typing “doc

From: http://linuxart.com/log/archives/2005/10/13/super-useful-inputrc/

Recover corrupted RPM database

From http://honglus.blogspot.com/2011/09/recover-corrupted-rpm-database.html

The RPM database consists of a number of Berkeley DB files in /var/lib/rpm. The exception is the __db.* files: they are environment/cache files rewritten on every rpm operation, and they can be safely deleted.

# Tested on CentOS 5.5

$ ls /var/lib/rpm
Basenames __db.001 __db.003 Filemd5s Installtid Packages Provideversion Requireversion Sigmd5
Conflictname __db.002 Dirnames Group Name Providename Pubkeys Requirename Sha1header
$ file /var/lib/rpm/Packages
/var/lib/rpm/Packages: Berkeley DB (Hash, version 8, native byte-order)

If one of the DB files is partially corrupted but still readable by /usr/lib/rpm/rpmdb_dump, you can dump and reload that file and then rebuild the database:

$ cd /var/lib/rpm/
$ rm -f __db*
$ mv Packages Packages.orig
$ /usr/lib/rpm/rpmdb_dump Packages.orig | /usr/lib/rpm/rpmdb_load Packages
$ /usr/lib/rpm/rpmdb_verify Packages

# If you get this error: db_verify: PANIC: fatal region error detected; run recovery
# make sure /var/lib/rpm/__db.* have been removed.
# rpm --rebuilddb is unlikely to succeed while rpmdb_verify fails.

$ rpm -v --rebuilddb

If one of the DB files is completely corrupted and is not readable by rpmdb_dump, you have to restore it from backup.

$ cd /var/lib/rpm
$ cp Packages Packages.bak

# Simulate a damaged RPM DB file

$ >Packages
$ cp Packages.bak Packages

# Simply restoring from the backup file won't work:
# file verification is successful ...

$ /usr/lib/rpm/rpmdb_verify Packages

# ... but any rpm operation fails

$ rpm -qa
error: rpmdbNextIterator: skipping h#     294 Header V3 DSA signature: BAD, key ID e8562897

# Even "rpm --rebuilddb" fails

$ rm -f __db.*
$ rpm --rebuilddb
error: rpmdbNextIterator: skipping h#     294 Header V3 DSA signature: BAD, key ID e8562897

# Notice the error about "signature: BAD"? The Pubkeys file has to be cleaned as well.

$ mv Pubkeys Pubkeys.bak

# All good after removing the Pubkeys file; a new Pubkeys is generated automatically by "rpm --rebuilddb"

$ rm -f __db.*
$ rpm --rebuilddb
$ rpm -qa | head -2
man-pages-2.39-15.el5_4
bash-3.2-24.el5