Axeorcat.com

Would you prefer to be an axe or a cat? That is the question. // I Code. I Sysadmin. I Beer.
April 15, 2010

Linux Server Guide

A few notes for Linux server maintenance.

Apache

Secure a vhost quickly by IP/hostname

Order deny,allow
deny from all
allow from somenameinmyhostsfile 10.0.1.

Secure a vhost by http password

Clearly SSL should be enabled when using http passwords.

AuthType Basic
AuthName "Restricted Directory"
AuthUserFile /etc/apache2/all.htpasswd
Require valid-user

GPG

gpg --gen-key
gpg --armor --export keys@example.org > nproject.pk
gpg --list-keys
gpg --encrypt --recipient nproject myfile
gpg --recipient nproject --encrypt-files myfi*.gz
gpg --out myfile --decrypt myfile.gpg


Iptables Firewall

Simple Example

#!/bin/bash

IPTABLES=/sbin/iptables

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# an admin ip
#$IPTABLES -A INPUT -p TCP -m state --state NEW -s myip -m multiport --dports 22,80,443,587,995 -j ACCEPT

$IPTABLES -A INPUT -p TCP -m state --state NEW --dport 22 -j ACCEPT

$IPTABLES -A INPUT  -p UDP --sport 137 --dport 137 -j DROP
$IPTABLES -A INPUT  -p UDP --sport 138 --dport 138 -j DROP

$IPTABLES -A INPUT -m limit --limit 15/minute --limit-burst 10 -j LOG --log-prefix "IPTABLES REJECTED: "

$IPTABLES -A INPUT -j DROP
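A small reader for what the LOG rule above writes to the kernel log, added here as an example (not from the post): it picks out the lines carrying the "IPTABLES REJECTED: " prefix and tallies drops per source and per destination port, over constructed sample lines.

```python
import re
from collections import Counter

LOG_PREFIX = "IPTABLES REJECTED: "      # the --log-prefix used in the script
_KV = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict, or
    None if the line does not carry our prefix. Bare flags (DF, SYN) are
    not key=value and are ignored."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(_KV.findall(line[idx + len(LOG_PREFIX):]))


def summarise(lines, top=5):
    """Count logged drops per source IP and per (proto, dst port).

    The LOG rule sits behind -m limit 15/minute --limit-burst 10, so under
    a flood only a sample is logged: treat these as lower bounds."""
    by_src, by_port = Counter(), Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        by_src[f.get("SRC", "?")] += 1
        if f.get("PROTO") in ("TCP", "UDP"):
            by_port[(f["PROTO"], f.get("DPT", "?"))] += 1
    return by_src.most_common(top), by_port.most_common(top)


# Constructed sample kernel log lines (documentation-range addresses).
SAMPLE = [
    "Apr 15 10:22:33 srv kernel: IPTABLES REJECTED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 15 10:22:34 srv kernel: IPTABLES REJECTED: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 15 10:22:35 srv sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2",
    "Apr 15 10:22:40 srv kernel: IPTABLES REJECTED: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=78 TTL=60 ID=4711 PROTO=UDP SPT=5353 DPT=53 LEN=58",
    "Apr 15 10:22:41 srv kernel: IPTABLES REJECTED: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    srcs, ports = summarise(SAMPLE)
    print("top sources:", srcs)
    print("top ports:", ports)
```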


Load Balancing

On server A, add a virtual interface, disable arp on the real servers, then:

ipvsadm -D -t vip:80
ipvsadm -A -t vip:80 -s rr
ipvsadm -a -t vip:80 -r pub12 -g

Each *real* server (B, C) must have these sysctls set:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/all/arp_announce

and a dummy interface configured in /etc/network/interfaces for the virtual IP:

auto dummy0
iface dummy0 inet static
    address 80.82.137.69
    netmask 255.255.255.255
    broadcast 80.82.137.69

MySQL

Run a “Check” on all mysql tables

Archive of this script I found to simply run “CHECK TABLE `tablename`” for each table listed in SHOW TABLES.
PHP Script to check all mysql tables (3rd party)

Dump mysql table(s) to a CSV file

If you get mysqldump: Got error: 1: Can't create/write to file… then your mysql uid probably doesn't have write access to the directory you specified in the --tab argument (hence why /tmp is usually a good bet).

mysqldump -p -u root --no-create-info --tab=/tmp --fields-enclosed-by=\" --fields-terminated-by=, dbname --tables table1 table2

MySQL to Postgres Migration

Dump your MySQL db using the --compatible argument:

mysqldump -u dbuser --compatible=postgresql --skip-quote-names --skip-comments  --tab=mytablename dbname
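Both --tab runs above leave one text file per table in SELECT ... INTO OUTFILE format; this added example (my code, not from the post) parses that format, the plain tab-separated default as well as the quoted CSV variant, and re-emits the rows as PostgreSQL COPY text so they can be fed to COPY ... FROM STDIN on the Postgres side. The sample input is constructed.

```python
def parse_tab_dump(text, terminated_by="\t", enclosed_by="", escaped_by="\\"):
    """Parse one table file written by mysqldump --tab into rows (None = NULL).
    Defaults match a plain --tab run; use terminated_by="," and
    enclosed_by='"' for the CSV variant above. A backslash before a quote,
    comma, backslash or literal newline means that character, \\0 is NUL,
    and an unenclosed field that is exactly \\N is NULL."""
    rows, row, field = [], [], []
    enclosed, is_null, field_start = False, False, True
    i = 0
    while i < len(text):
        c = text[i]
        if c == escaped_by and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "N" and field_start and not enclosed:
                is_null = True
            else:
                field.append({"0": "\0", "t": "\t", "n": "\n"}.get(nxt, nxt))
            i, field_start = i + 2, False
            continue
        if enclosed_by and c == enclosed_by:
            enclosed = not enclosed          # opening or closing quote
        elif not enclosed and c in (terminated_by, "\n"):
            row.append(None if is_null else "".join(field))
            field, is_null, field_start = [], False, True
            if c == "\n":
                rows.append(row)
                row = []
            i += 1
            continue
        else:
            field.append(c)
        i, field_start = i + 1, False
    if field or row or is_null:              # last record had no newline
        row.append(None if is_null else "".join(field))
        rows.append(row)
    return rows


def to_copy_text(rows):
    """Render rows in PostgreSQL COPY text format: tab-separated, \\N for NULL,
    backslash/tab/newline escaped, ready for `COPY tbl FROM STDIN`."""
    esc = {"\\": "\\\\", "\t": "\\t", "\n": "\\n"}
    out = []
    for row in rows:
        out.append("\t".join("\\N" if v is None else
                             "".join(esc.get(ch, ch) for ch in v) for v in row))
    return "\n".join(out) + "\n"


# Constructed sample of what the CSV-style mysqldump run above writes.
SAMPLE_CSV = '"1","alice","a, \\"quoted\\" name",\\N\n"2","bob","line\\\none",""\n'
```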


Postgres

User Management

createuser --no-adduser --no-createdb --pwprompt --echo dbuser
alter user postgres with  password  'secret';

Create/Dump Databases

createdb -U postgres --owner=dbuser --encoding=UTF8 dbname
pg_dump -U postgres -h host dbname > dump.dbname.sql
cat dump.dbname.sql | psql -h localhost -U postgres dbname

Setup tsearch2 on pg 8.2

cat /usr/share/postgresql/8.2/contrib/tsearch2.sql | psql -U postgres  -h localhost dbname
update pg_ts_cfg set locale = 'en_GB.UTF-8' where ts_name = 'default';

SQL syntax

create sequence foo start with 102;
alter sequence foo restart with 1021;
grant all on schema public to dbuser;


ProFtp

Run it standalone. Settings that need changing from a vanilla install:

proftpd.conf – common settings

UseIPv6                         off
ServerIdent                     off
IdentLookups                    off
DefaultRoot                     ~
PassivePorts                    43900 44000
PathAllowFilter \.(htm|html|JPG|jpg|jpeg|JPEG|gif|png|mov|MOV|mpeg|mpg|mp3|mp4|ppt|pdf|doc|xls|txt)$

proftpd.conf – database mode

# For DB docs see http://www.castaglia.org/proftpd/modules/mod_sql.html
# SQLLogFile /var/log/proftp-sql.log
AuthOrder  mod_sql.c  # DO NOT REMOVE THIS LINE!!
SQLAuthTypes            Plaintext
SQLAuthenticate         users*
SQLConnectInfo          db@<host> <user> <passwd>
SQLDefaultGID           65534
SQLDefaultUID           65534
SQLMinUserGID           31
SQLMinUserUID           1000
SQLNegativeCache        on
SQLUserInfo             ftpusers userid passwd uid gid homedir shell
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "lastLoginTime=now(),logincount=logincount+1 WHERE userid='%u'" ftpusers
SQLLog RETR,STOR transfer1
SQLNamedQuery  transfer1 INSERT "'%u', '%f', %b, '%h', '%a', '%m', %T, now()" ftplog

proftpd.conf – for FILE based virtual authentication

# to set passwd use: ftpasswd --passwd --name=web --uid=33 --home=/var/www --shell=/bin/bash
AuthOrder mod_auth_file.c
AuthUserFile                    /etc/proftpd/ftpd.passwd


Samba

Samba can be useful temporarily but obviously must be firewalled.
Even then TRAFFIC IS UNENCRYPTED. If samba allows root connection (!) ensure /var/lib/samba/passdb.tdb is readable only by root.

[global]
workgroup = WORKGROUP
dns proxy = no
name resolve order = host
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
security = user
encrypt passwords = true
passdb backend = tdbsam
unix password sync = no
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
pam password change = no
load printers = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
interfaces = eth1 lo
bind interfaces only = yes

[root]
path = /
browseable = yes
writable = no
create mask = 0745
directory mask = 0745


Sudo

Man page: http://www.linuxforum.com/man/sudoers.5.php

A not very good example: http://techrepublic.com.com/5110-6261-1031174.html

Cmnd_Alias MYOPS=\
/sbin/shutdown, \
/usr/bin/kill, \
/usr/sbin/tcpdump, \
/usr/bin/updatedb, \
/bin/netstat,\
/sbin/route,\
/sbin/ifup,\
/sbin/ifdown,\
/usr/bin/tail -f /var/log/*,\
/bin/cat /var/log/*,\
/usr/sbin/arp

root    ALL=(ALL) ALL

%myops ALL=(ALL) MYOPS