Category Archives: Linux

Howto’s, scripts and tips for Linux

MySQL automated database backup

This article describes a way to set up a regular backup of your MySQL databases. The method uses crontab to schedule the backup jobs (you could also use the logrotate method).

Each database is backed up to its own file. Once a database dump is complete the file is gzipped and password-encrypted with openssl.

First create a .my.cnf file in your home directory with the following contents:

[client]
user=backup
password=1234567890

Make sure the file is only readable by yourself:

chmod 600 ~/.my.cnf

Next create a SQL user as shown below:

mysql> grant lock tables,select,reload,show databases,event on *.* to 'backup'@'localhost' identified by '1234567890';
mysql> flush privileges;

Create a folder for the backups, for example /var/backups/mysql:

mkdir /var/backups/mysql

Create a script called backup_mysql_dbs.sh at a suitable location, for example your $HOME/cron/scripts folder (make sure it is not world readable or writable):

#!/bin/bash
BACKUPDEST=/var/backups/mysql

if [ ! -d "$BACKUPDEST" ]; then
    echo "$BACKUPDEST does not exist, exiting"
    exit 1
fi

# Remove backup files older than 7 days
/usr/bin/find "$BACKUPDEST" -name '*.sql.gz.enc' -type f -mtime +7 -exec rm {} \;

# Backup all mysql databases to separate files. The files are gzipped and encrypted with a password.
# The backup files must not be readable by other users.
umask 077
/usr/bin/mysql -Ne "show databases" | grep -v schema |
while read db; do
    CDATE=$(date '+%Y-%m-%d-%H%M%S')
    # NOTE: the passphrase is the timestamp, which is also part of the file name,
    # so this does not protect the dump against anyone who can read the file.
    /usr/bin/mysqldump --events "$db" | /bin/gzip | /usr/bin/openssl aes-256-cbc -salt -k "$CDATE" > "$BACKUPDEST/$db.$CDATE.sql.gz.enc"
done

Now add a cron.d file: go to /etc/cron.d and create a crontab file, e.g. backup_mysql, with the following contents:

# /etc/cron.d/backup_mysql: crontab entry for the MySQL backup script
MAILTO=user@host.ext
M H * * * root /var/www/backup_mysql_dbs.sh

Replace M and H with the minute and hour at which you want the backup to run, and adjust the path if you stored the script somewhere else.

That’s it; your MySQL databases are backed up at the specified interval.
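As an added example (not part of the original article): a restore helper for the files the script above produces. The script uses the timestamp that is also part of the file name as the openssl passphrase, so anyone who can read a backup file can also decrypt it; the helper reads the passphrase from the name in the same way and only pipes into mysql when --restore is given.

```shell
#!/bin/sh
# Restore helper for backups made by backup_mysql_dbs.sh (added example).
# File names have the form <db>.<YYYY-mm-dd-HHMMSS>.sql.gz.enc and the backup
# script encrypted each file with its own timestamp as the passphrase.

# Print "<db> <timestamp>" for a backup file name; return 1 for any other name.
parse_backup_name() {
    name=$(basename "$1")
    case "$name" in
        *.sql.gz.enc) ;;
        *) return 1 ;;
    esac
    rest=${name%.sql.gz.enc}          # strip the fixed suffix
    db=${rest%.*}                     # everything before the last dot is the database name
    stamp=${rest##*.}                 # the last dot-separated field is the timestamp
    [ -n "$db" ] && [ "$db" != "$rest" ] || return 1   # a name without a dot has no timestamp
    case "$stamp" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$db" "$stamp"
}

# Decrypt and decompress one backup file to stdout, using the same openssl
# parameters as the backup script (the passphrase comes from the file name).
decrypt_backup() {
    info=$(parse_backup_name "$1") || return 1
    stamp=${info##* }
    /usr/bin/openssl aes-256-cbc -d -salt -k "$stamp" -in "$1" | /bin/gzip -dc
}

# Usage: restore_mysql_backup /var/backups/mysql/wp_demo.2014-06-30-133900.sql.gz.enc [--restore]
# Without --restore the file is only checked to decrypt and decompress cleanly.
# The target database must already exist; mysqldump without --databases emits no CREATE DATABASE.
restore_mysql_backup() {
    info=$(parse_backup_name "$1") || { echo "unrecognised backup file name: $1" >&2; return 1; }
    db=${info%% *}
    if [ "$2" = "--restore" ]; then
        decrypt_backup "$1" | /usr/bin/mysql "$db"    # credentials come from ~/.my.cnf
    else
        decrypt_backup "$1" > /dev/null
    fi
}
```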

Setup Chroot SFTP in Ubuntu Linux

A chroot keeps the user confined to his login / home directory after logging in. This is not the default behaviour: in the default SFTP setup a user can cd anywhere on the system!

1. Create a new group

groupadd sftpusers

2. Create users who want to SFTP

useradd -g sftpusers -s /usr/sbin/nologin guestuser
passwd guestuser

3. Modify the /etc/ssh/sshd_config file and comment out the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

4. Add the following line directly below the line you have commented out:

Subsystem sftp internal-sftp

5. Add the following lines at the end of /etc/ssh/sshd_config:

Match Group sftpusers
        ChrootDirectory /var/www/%u
        ForceCommand internal-sftp

6. The chroot directory (/var/www/%u, here /var/www/guestuser) and every directory above it, including /var/www, must be owned by root and must not be writable by group or others (chmod 755); otherwise sshd refuses the login. Check /var/www first:

ll -ld /var/www
drwxr-xr-x 11 root root 4096 jun 30 13:39 /var/www/

7. Create a new directory with the same name as the username you just added:

mkdir /var/www/guestuser

8. Make sure that this new directory is also owned by root (see below):

ll -ld /var/www/guestuser
drwxr-xr-x 3 root www-data 4096 aug 14 18:18 /var/www/guestuser

9. Create a subfolder below /var/www/guestuser, for example www, and set the user owner to guestuser and the group owner to www-data. Set the access rights to 2755 (2 = set group id, 7 = rwx for the owner guestuser, 5 = rx for the group www-data, 5 = rx for world, which includes the apache www-data user):

ll -ld /var/www/guestuser/www
drwxr-sr-x 2 guestuser www-data 4096 okt  1 17:02 /var/www/guestuser/www/

10. Restart the ssh server:

service sshd restart

If the directories do not have the correct ownership or permissions, sshd refuses the login and a message like this appears in /var/log/auth.log:

Aug 14 18:18:29 hostname sshd[24996]: fatal: bad ownership or modes for chroot directory "/var/www/guestuser"

This article describes how to set up a basic firewall configuration on your Linux box with iptables.

Check your current setup with:

sudo iptables -L

Reset the default firewall rules:

sudo iptables -F

Set up the most basic firewall with the script below. This script only allows ssh connections (which are logged to /var/log/syslog); adjust the script to allow traffic on other ports.

Both the INPUT and the OUTPUT chain have a default LOG rule at the end of the chain, so everything that is not explicitly accepted is logged before the DROP policy discards it.

#!/bin/sh
IPTABLES=/sbin/iptables
$IPTABLES -F
### Set default policies for INPUT, OUTPUT and FORWARD chain to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
####### INPUT chain ######
### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections in
$IPTABLES -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH CONNECTION "
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default INPUT LOG rule (everything that reaches this point is dropped by the policy)
$IPTABLES -A INPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options

####### OUTPUT chain ######
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections out
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options
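An added example (not part of the original article) that summarises the log lines the LOG rules above write to /var/log/syslog, so you can see which traffic the default LOG rule is catching before opening more ports. The prefix is taken as the text before IN=, which works whether or not the --log-prefix ends in a space; the log lines in the block are constructed samples, not captured traffic.

```shell
#!/bin/sh
# Added example: summarise the kernel log lines written by the LOG rules above.
# Every line carries the --log-prefix followed by IN=... SRC=... PROTO=... DPT=...,
# so the prefix is whatever precedes IN= (with or without a trailing space).
# SAMPLE_LOG holds constructed lines in /var/log/syslog layout.

SAMPLE_LOG='Jun 30 13:39:01 box kernel: [1001.1] SSH CONNECTION IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN URGP=0
Jun 30 13:39:05 box kernel: [1005.2] LOG IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 SYN URGP=0
Jun 30 13:39:06 box kernel: [1006.3] LOG IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN URGP=0
Jun 30 13:39:09 box kernel: [1009.4] DROP INVALIDIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TTL=50 ID=4 PROTO=TCP SPT=6000 DPT=22 WINDOW=0 ACK FIN URGP=0
Jun 30 13:39:12 box kernel: [1012.5] LOG IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.53 LEN=60 TTL=64 ID=5 DF PROTO=UDP SPT=44444 DPT=53 LEN=40'

# Read log lines on stdin; print "count|prefix|direction|src|proto|dpt", most hits first.
summarize_fw_log() {
    grep 'kernel:.*IN=' | awk '
    {
        line = $0
        sub(/^.*kernel: (\[[^ ]*\] )?/, "", line)     # drop syslog timestamp, host and uptime
        prefix = line; sub(/ *IN=.*$/, "", prefix)     # text before IN= is the --log-prefix
        dir = match(line, /IN=[^ ]/) ? "in" : "out"    # IN= is empty for locally generated packets
        src = proto = dpt = "-"
        if (match(line, /SRC=[^ ]+/))   src   = substr(line, RSTART + 4, RLENGTH - 4)
        if (match(line, /PROTO=[^ ]+/)) proto = substr(line, RSTART + 6, RLENGTH - 6)
        if (match(line, /DPT=[^ ]+/))   dpt   = substr(line, RSTART + 4, RLENGTH - 4)
        hits[prefix "|" dir "|" src "|" proto "|" dpt]++
    }
    END { for (k in hits) print hits[k] "|" k }' | sort -t '|' -k1,1rn -k2
}

# Total number of hits for one --log-prefix, e.g. count_prefix LOG for unmatched traffic.
count_prefix() {
    summarize_fw_log | awk -F '|' -v p="$1" '$2 == p { n += $1 } END { print n + 0 }'
}

# Example run on the samples: printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

On a live box feed it with grep kernel /var/log/syslog | summarize_fw_log; the "LOG|out" lines show which outbound services (DNS, apt, NTP) the OUTPUT chain still needs rules for.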

Saving your iptables configuration (answer Yes to both questions):

sudo apt-get install iptables-persistent

Start the persistency service:

sudo service iptables-persistent start

Changes to your configuration can be stored with the command:

sudo service iptables-persistent save

Or reload the stored configuration:

sudo service iptables-persistent reload

More detailed information can be found here.

Add SSL to localhost on apache / linux

Generate a Certificate Signing Request

1. Generate the keys for the Certificate Signing Request (CSR)

openssl genrsa -des3 -out server.key.secure 1024

2. Create the insecure key (the same key without the passphrase, so apache can start without prompting).

openssl rsa -in server.key.secure -out server.key.insecure

3. Create the CSR.

openssl req -new -key server.key.insecure -out server.csr

Fill in the appropriate information.

4. Create the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key.insecure -out server.crt

This creates server.crt, valid for 365 days.

5. Install the self-signed certificate and the passphrase-less key

sudo cp server.crt /etc/ssl/certs
sudo cp server.key.insecure /etc/ssl/private/server.key

Now you can configure apache to use the certificate and key files.

Configure Apache to use SSL on localhost

6. Enable ssl

sudo a2enmod ssl

7. Edit your default-ssl site (make a backup copy first)

Change:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

8. Enable the default-ssl site.

sudo a2ensite default-ssl

9. Restart the server.

sudo service apache2 restart

Navigate to https://localhost and examine the certificate details; the browser will warn that the certificate is self-signed, which is expected here.
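An added example (not from the original article): before restarting apache, check that the certificate and key you copied into /etc/ssl belong together and that the key is not readable by others. It assumes the openssl command line tool and GNU stat; the file paths are the ones from the steps above.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate/key pair before apache uses it.

# Return 0 when the certificate in $1 was made for the private key in $2
# (their RSA moduli are identical), 1 when not, 2 when openssl cannot read a file.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when the key file is readable by its owner only (mode ?00), 1 otherwise.
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_ssl_pair /etc/ssl/certs/server.crt /etc/ssl/private/server.key
check_ssl_pair() {
    if ! cert_matches_key "$1" "$2"; then
        echo "$1 does not belong to $2"; return 1
    fi
    if ! key_is_private "$2"; then
        echo "$2 is readable by group or others; chmod 600 it"; return 1
    fi
    # Show what the browser will see: subject (CN should be localhost) and validity period.
    openssl x509 -noout -subject -dates -in "$1"
}
```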

chmod to the max

A short and simple chmod reference. Use numbers to set file permissions.

400 read by owner
040 read by group
004 read by anybody (other)
200 write by owner
020 write by group
002 write by anybody
100 execute by owner
010 execute by group
001 execute by anybody

Make the file readable for the owner:
readable (4) owner = 400 => chmod 400 fname

Make the file readable and writeable for the owner:
readable + writeable (4 + 2) owner = 600 => chmod 600 fname

Make the file readable and writeable for the group:
readable + writeable (4 + 2) group = 060 => chmod 060 fname

Make the file readable and writeable for anybody (other):
readable + writeable (4 + 2) other = 006 => chmod 006 fname

Examples

# Set file permission to -rwxr-xr-x
# Read Owner 400
# Read Group 040
# Read Other 004
# Write Owner 200
# Exec Owner 100
# Exec Group 010
# Exec Other 001

# Total = 400+040+004+200+100+010+001 = 755

chmod 755 thefile.cgi

# Read and write by everyone (444 + 222):

chmod 666 file.txt

# Change all directories to rwx by everyone:

find . -type d -exec chmod 777 {} +

# Change all files to rw by everyone:

find . -type f -exec chmod 666 {} +
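As an added example (not part of the original page), two shell functions that convert between the symbolic form ls -l prints and the octal number chmod takes. They also handle the setuid, setgid and sticky bits (s, S, t, T), which the table above does not cover, so the drwxr-sr-x from the SFTP article above gives 2755.

```shell
#!/bin/sh
# Added example: convert between the symbolic mode that ls -l prints and the
# octal number that chmod takes, including the setuid (4), setgid (2) and
# sticky (1) bits that show up as s/S (owner, group) and t/T (other).

# symbolic_to_octal rwxr-sr-x -> 2755 ; a leading file type character (d, -, l) is ignored
symbolic_to_octal() {
    sym=$1
    [ "${#sym}" -eq 10 ] && sym=${sym#?}
    [ "${#sym}" -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    special=0; octal=""
    for who in 1 2 3; do                                   # owner, group, other
        trip=$(printf '%s' "$sym" | cut -c "$(( who * 3 - 2 ))-$(( who * 3 ))")
        digit=0
        case "$trip" in r??) digit=$(( digit + 4 )) ;; esac
        case "$trip" in ?w?) digit=$(( digit + 2 )) ;; esac
        case "$trip" in ??[xst]) digit=$(( digit + 1 )) ;; esac   # s and t imply x; S and T do not
        case "$who$trip" in
            1??[sS]) special=$(( special + 4 )) ;;
            2??[sS]) special=$(( special + 2 )) ;;
            3??[tT]) special=$(( special + 1 )) ;;
        esac
        octal="$octal$digit"
    done
    printf '%s%s\n' "$special" "$octal"
}

# octal_to_symbolic 2755 -> rwxr-sr-x ; three-digit input is padded (755 -> 0755)
octal_to_symbolic() {
    mode=$(printf '%04d' "$1")
    special=${mode%???}; sym=""
    for who in 1 2 3; do
        digit=$(printf '%s' "$mode" | cut -c "$(( who + 1 ))")
        r=-; w=-; x=-
        [ $(( digit & 4 )) -ne 0 ] && r=r
        [ $(( digit & 2 )) -ne 0 ] && w=w
        [ $(( digit & 1 )) -ne 0 ] && x=x
        if [ $(( special & (4 >> (who - 1)) )) -ne 0 ]; then     # 4 setuid, 2 setgid, 1 sticky
            case "$who$x" in 3x) x=t ;; 3-) x=T ;; ?x) x=s ;; ?-) x=S ;; esac
        fi
        sym="$sym$r$w$x"
    done
    printf '%s\n' "$sym"
}
```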

tar and untar

Create archive

  • -z: Compress archive using the gzip program
  • -c: Create archive
  • -v: Verbose, i.e. display progress while creating the archive
  • -f: Archive file name

tar -zcvf archive.tar.gz /home/dir_to_archive

Untar archive

  • -x: Extract files

tar -zxvf archive.tar.gz

List content of archive

tar -tvf file.tar

mount webdav folder

To mount a webdav folder (for example your box.com drive) use the following command:

mount -t davfs https://www.box.com/dav/ /mnt/box/

Type your username and password when asked and voilà: your box.com drive is available!

You could also add your username and password to the /etc/davfs2/secrets file; they will then be used by the mount command.

perl locale warning

When executing, for example, the perl command, the message below may be shown:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_US:en",
LC_ALL = (unset),
LC_PAPER = "nl_NL.UTF-8",
LC_ADDRESS = "nl_NL.UTF-8",
LC_MONETARY = "nl_NL.UTF-8",
LC_NUMERIC = "nl_NL.UTF-8",
LC_TELEPHONE = "nl_NL.UTF-8",
LC_IDENTIFICATION = "nl_NL.UTF-8",
LC_MEASUREMENT = "nl_NL.UTF-8",
LC_TIME = "nl_NL.UTF-8",
LC_NAME = "nl_NL.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

To get rid of this message, generate the locale shown in the warning (the LC_NAME value, here nl_NL.UTF-8):

locale-gen nl_NL.UTF-8

If the message persists, check that all locale related environment variables have a valid value (i.e. none of them is (unset)). Valid values, for example:

LANGUAGE="en_US:en"
LC_ALL="en_US.UTF-8"
LANG="en_US.UTF-8"

Then run perl again to check that the warning is gone:

perl

Ubuntu Apache + MySQL + WordPress

Install a development environment with Ubuntu + Apache + MySQL

Create a new virtual machine and mount your Ubuntu ISO as the CD-ROM drive. Start the new virtual machine and install Ubuntu with the default options.

After the Ubuntu installation is complete, be sure to add the guest additions to your system (keep your original configuration when asked):

$>apt-get install virtualbox-guest-x11

Ubuntu windows appearing slow? See this url: http://askubuntu.com/questions/207813/why-does-an-ubuntu-12-10-guest-in-virtualbox-run-very-very-slowly/214968#214968

Upgrade and update your system to make sure you have the latest and the greatest software:

$>apt-get update
$>apt-get upgrade

Mandatory components for your development environment

$>apt-get install apache2
$>apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
# Enter the root password and press OK (twice)
# Install MySQL system tables:
$>mysql_install_db
# Secure your MySQL installation
$>/usr/bin/mysql_secure_installation
# Enter the root password chosen above
# Choose n (already have a password)
# Enter four times (everything default)
$>apt-get install php5 php5-xdebug libapache2-mod-php5 php5-mcrypt php5-cli php5-curl php5-gd
# Install your favorite editor for quick edits....
$>apt-get install vim

Optional (but useful) tools

WebMin server administration

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.610_all.deb
dpkg --install webmin_1.610_all.deb

When you want to mount an external CIFS filesystem (for example your NAS), install the CIFS utilities package:

$>apt-get install cifs-utils

Mount a cifs remote file system:

$>mkdir /mnt/share
$>mount.cifs //SERVER/share /mnt/share -o user=USER,uid=1000,gid=1000
# Enter your password
# Install netbeans
$>apt-get install netbeans
# Install the chromium browser
$>apt-get install chromium-browser
# Install the Gimp
$>sudo apt-get install gimp

Set up the WordPress installation

For pretty URLs to work, make sure the rewrite module is enabled in Apache. You can do this with the Webmin tool: in Webmin go to “Servers”, “Apache Webserver”, select the “Global configuration” tab, select “Configure Apache modules” and check the “Rewrite” module.

Changes take effect immediately.

$>cd /var/www/
$>mkdir demo
$>cd demo
$>wget http://wordpress.org/latest.tar.gz
$>tar -xzvf latest.tar.gz
$>mv wordpress www
$>rm latest.tar.gz
$>cd /var/www
$>chown -R www-data:www-data .

Set up the MySQL database

$>mysql -uroot -pXXXXXXX
mysql>create database wp_demo;
mysql>create user 'wp_demo'@'localhost' IDENTIFIED BY 'XXXXXXXXXX';
mysql>grant create,drop,select,insert,update,delete on wp_demo.* to 'wp_demo'@'localhost';