# Netwerk & Server # MySQL - [recover mybb account](https://www.reeltoreel.nl/bookstack/books/archief/page/recover-mybb-account) - [OLD:How to secure an initial MySQL installation](OLD:How_to_secure_an_initial_MySQL_installation "wikilink") - [Database dump & restore](https://www.reeltoreel.nl/bookstack/books/homelab/page/database-dump-restore) - [Securing the initial mysql installation](https://www.reeltoreel.nl/bookstack/books/homelab/page/securing-the-initial-mysql-installation) - [How to check database](https://www.reeltoreel.nl/bookstack/books/homelab/page/how-to-check-database) - [How to repair a crashed table](https://www.reeltoreel.nl/bookstack/books/homelab/page/how-to-repair-a-crashed-table) - [Allowing access from other hosts](https://www.reeltoreel.nl/bookstack/books/homelab/page/allowing-access-from-other-hosts) - [How to get a list of permissions of mysql users](https://www.reeltoreel.nl/bookstack/books/homelab/page/how-to-get-a-list-of-permissions-of-mysql-users) - [Sample commands](https://www.reeltoreel.nl/bookstack/books/homelab/page/sample-commands) # Fixing CUPS login problems on SUSE Fixing CUPS login problems on SuSE SUSE: What Password Do I Use At The Web Interface? SuSE defaults to using Digest passwords and "RunAsUser yes", which means you have to use the lppasswd command to add accounts and passwords. To add a user named Steve: `     lppasswd -a Steve` Then enter and confirm a password. SUSE does not follow the normal CUPS defaults and the lppasswd information doesn't follow changes to the normal accounts, causing a lot of confusion. Any problems using this set up should be addressed to SUSE. To set SUSE to the standard default settings of CUPS: 1\) Goto /etc/cups/cups.conf 2\) Change in the AuthType: AuthType Basic 3\) Change RunAsUser to No. # CUPS - [How to make your CUPS server broadcast itself](https://www.reeltoreel.nl/bookstack/books/homelab/page/how-to-make-your-cups-server-broadcast-itself) - [Install Dymo Labelwriter in openSUSE](https://www.reeltoreel.nl/bookstack/books/homelab/page/install-dymo-labelwriter-in-opensuse) # How to make your CUPS server broadcast itself In order for your clients to automatically recognize the printers that CUPS has, add/edit the following setting in /etc/cups/cupsd.conf: `BrowseAddress @LOCAL` In this way, your clients won't have to do anything, as their (local) CUPS server will recognize the broadcasts from your (global) CUPS server! # Install a PXE boot server on 11.1 This document shows quick and dirty how to install a working PXE boot server on openSUSE We start of course with a working server with a static IP address and a working DHCP server somewhere (could be on your server or on your home router or something else). If you haven't got one already, please make sure that you get this working before you continue! - install the atftp and syslinux package s `#zypper in atftp syslinux` - possibly create the /tftpboot/pxelinux.cfg dir `#mkdir /tftpboot/pxelinux.cfg` - possibly open port in FireWall - copy the file /usr/share/syslinux/pxelinux.0 to /tftpboot `#cp /usr/share/syslinux/pxelinux.0 /tftpboot` - create the file /tftpboot/pxelinux.cfg/default (#vi /tftpboot/pxelinux.cfg/default) with the following content: `default linux` `prompt 1` `timeout 30` `label linux` `kernel linux` `append initrd=initrd splash=silent` `showopts` - or put file 'message' in /tftpboot with the following example content: `Welcome to Provisioning!` `Choose one of the following options and press ``.` ` sles10.2       - SUSE Linux Enterprise Server SP2 32 bit` ` sles10.2_64    - SUSE Linux Enterprise Server SP2 64 bit` ` opensuse11_32  - OpenSUSE 11, 32 bit` ` opensuse11_64  - OpenSUSE 11, 64 bit` ` hardy          - Ubuntu 8.04 (Hardy Heron)` ` thin           - Boot thin client` ` next           - Boot from next BIOS device (default) ` ` disk           - Boot from first BIOS disk` - put 2 files **initrd** and **linux** in the /tftpboot dir
32 bit: from the /boot/i386/loader directory on the CD/DVD
64 bit: from the /boot/x86\_64/loader directory on the CD/DVD
That should do the trick! # Apache en HTML ## Apache - [compare Apache conf files and Nginx conf files](https://www.reeltoreel.nl/bookstack/books/homelab/page/compare-apache-conf-files-and-nginx-conf-files) - [joomla migratie 1.x naar 1.5](https://www.reeltoreel.nl/bookstack/books/archief/page/joomla-migratie-1x-naar-15) - [embed video in html5](https://www.reeltoreel.nl/bookstack/books/homelab/page/embed-video-in-html5) - [certificate renewal apache](https://www.reeltoreel.nl/bookstack/books/homelab/page/certificate-renewal-apache) # How to connect to server on strange port, or when you're behind a firewall # Situation ``` cpuxxxx -> FW -> intermediateserver -> targetserver 22......-> 22 -> 22.................-> portnumber_on_targetserver ``` # Connect On cpuxxxx: `ssh -L portnumber_on_targetserver:targetserver:portnumber_on_targetserver username_on_intermediateserver@intermediateserver` **Leave terminal open!** Then on cpuxxxx again: `ssh -YC username_on_targetserver@localhost -p portnumber_on_targetserver` That's it!! # Copy files from here tot server: `scp -P portnumber_on_targetserver file user@localhost:/path/were/to/put/it/` from server to local: `scp -P portnumber_on_targetserver user@localhost:/path/were/to/get/it/from/ .` # mount filesystem over ssh using sshfs `sshfs user@localhost:/data/videos/ mnt/ -p portnumber` # Rsync from server to localdisk: `rsync -avz -e 'ssh -p PORTNUMBER' USER@localhost:/data/htdocs/motion/ /data/motion/` # Start Konversation from behind a firewall `ssh -L 6667:irc.freenode.org:6667 user@xs3.xs4all.nl` `konversation --server localhost` # Start Pidgin from home to wzs - in a terminal typ: `ssh -L 8300:gwmsg.wonen.amsterdam.nl:8300 root@wzs` - leave terminal open - start pidgin and fill in:
server: localhost
port: 8300
# reverse tunnel - From the machine at work, create a tunnel to your machine running ssh at home: `randolf@workserver:~$ ssh -vvv randolf@myhomeserver -R 44455:localhost:22` This will forward the remote port 44455 from your home server to port 22 (or whichever port ssh is listening on) on your work machine. - From home, check to see if anything is listening on 44455 `randolf@homeserver:~$ netstat -an | grep 44455` `tcp        0      0 127.0.0.1:44455         0.0.0.0:*               LISTEN ` - Next, to connect from home to your work machine, from your home server: `randolf@homeserver:~$ ssh localhost -p 44455` `Password: ******` From there you should be connected to your work machine via your tunnel. # Mounting remote directories using FUSE and sshfs on openSUSE `sshfs user@host: /mnt/` Once that’s done, the remote filesystem is mounted as the directory “rsync” and I can copy and move files just like they’re local. # MediaWiki - [Upgrade using patch](https://www.reeltoreel.nl/bookstack/books/homelab/page/upgrade-using-patch) - [installation MediaWiki](https://www.reeltoreel.nl/bookstack/books/archief/page/installation-mediawiki) - [Backup MediaWiki](https://www.reeltoreel.nl/bookstack/books/archief/page/backup-mediawiki) - [Upgrading to mediawiki 1.18](https://www.reeltoreel.nl/bookstack/books/archief/page/upgrading-to-mediawiki-118) - [File permissions](https://www.reeltoreel.nl/bookstack/books/homelab/page/file-permissions) # How to make a dump of a website # update 20210611 Best Version: `wget -m `[`https://`](https://) # original If you want to make a dump of a website, then you can do: `/usr/bin/wget -q --convert-links -E -m `[`http://website.nu.com.mp3`](http://website.nu.com.mp3) `wget --progress=bar --convert-links -E -m `[`ftp://ftp.studer.ch/Public/`](ftp://ftp.studer.ch/Public/) Actually, to download a single page and all its requisites (even if they exist on separate websites), and make sure the lot displays properly locally, this author likes to use a few options in addition to -p: `wget -E -H -k -K -p `[`http://`](http://)`/` -E adjust extention ??? -H also download from foreign hosts -p download all page requisites **PvdM version:** `wget -r -k -K -p `[`http://`](http://) -r recursive -k convert links -K backup converted # Iptables for dummies # Netfilter Elke Linux distributie gebruikt Netfilter (in de kernel) voor firewalling. De beheertool daarvoor is **'iptables**', via de commandline. Hoe werkt het? Er zijn drie soorten verkeer: INPUT, OUTPUT en FORWARD. Dit worden ook wel **'chains**' genoemd. - INPUT is alles op je interface binnenkomt - OUTPUT is alles wat je interface verlaat - FORWARD is als de computer als router is geconfigureerd, dus met meerdere netwerkkaarten Om te beginnen, moeten we de firewall service stoppen. Op openSUSE is dat `rcSuSEfirewall2 stop` # controle Vervolgens beginnen we met een schone lei. Verwijder alle firewall regels `iptables -F` Controleer dit met `iptables -L -v` # dichtzetten Hierna staat je firewall uit en is leeg, dus we gaan hem snel dichtzetten. We gebruiken hiervoor **'policies**'. `iptables -p INPUT DROP` `iptables -p OUTPUT DROP` `iptables -p FORWARD DROP` -p betekent hier policy, INPUT is de chain waarop hij werkt, en de **'target**' is **'drop**'. # targets Er zijn de volgende targets: - DROP: alle pakketjes worden gedropt, er is geen terugmelding - REJECT: het pakketje wordt verworpen, er gaat wel een melding terug - ACCEPT: het pakketje wordt geaccepteerd - LOG: er wordt een melding in syslog geschreven over het binnenkomende pakketje Nu is de computer potdicht, en er is dus niet mee te werken met communicatie naar buiten. We gaan hem zo inrichten dat er communicatie naar buiten mogelijk is. # loopback goedzetten Maar eerst moet er de loopback interface (lo) goed geconfigureerd worden. Hoewel niet strikt noodzakelijk, maar dit zorgt ervoor dat een hoop zaken goed verlopen. `iptables -A INPUT -i lo -j ACCEPT` `iptables -A OUTPUT -o lo -j ACCEPT` -A betekent 'append', aan het eind. De volgorde van de regels is belangrijk! De eerste 'hit' wordt uitgevoerd en er wordt daarna niet meer verder gekeken. -i is de interface -j (jump) naar welke target Hierna kan er gepinged worden naar de loopbackinterface: ``` PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.034 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.019 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms ``` # uitgaand verkeer toestaan We gaan nu alle uitgaande verkeer toestaan. `iptables -A OUTPUT -o eth0 -j ACCEPT` Dit zorgt voor uitgaande pakketjes, maar antwoorden hierop die binnenkomen, kunnen nog steeds niet de computer bereiken. `iptables -A INPUT -m state - state=ESTABLISHED,RELATED -j ACCEPT` creert een stateful filter. # How to get a list of permissions of mysql users # How to Get a List of Permissions of MySQL Users MySQL has advanced database access system. A database user can have access to the whole database, separate tables, or to separate columns of tables. Also there is a restriction for actions a user may perform with records. MySQL server uses several tables in a special database to organize such a complicated database access structure. The access policy is based on the values available in these tables. The database that MySQL server uses to store internal data about users is called mysql by default. There are tables for storing information about users’ accounts in this database: - ***user*** contains a list of all users of the MySQL server and their permissions to access the database; - ***db*** contains a list of databases with a matching list of database users and their privileges for executing operations; - ***tables\_priv*** contains a list of database tables (views) that a user has access to; - ***columns\_priv*** contains a list of columns from the database tables (views) a user has access to; - ***procs\_priv*** contains a list of database procedures (functions) a user has access to. To get the list of users’ privileges concerning data access, the following queries may be executed: **\* the list of global privileges:**
**SELECT** ` `mu.host `Host`, ` `mu.user `User`, ` `REPLACE(RTRIM(CONCAT( ` `IF(mu.Select\_priv = 'Y', 'Select ', ''), ` `IF(mu.Insert\_priv = 'Y', 'Insert ', ''), ` `IF(mu.Update\_priv = 'Y', 'Update ', ''), ` `IF(mu.Delete\_priv = 'Y', 'Delete ', ''), ` `IF(mu.Create\_priv = 'Y', 'Create ', ''), ` `IF(mu.Drop\_priv = 'Y', 'Drop ', ''), ` `IF(mu.Reload\_priv = 'Y', 'Reload ', ''), ` `IF(mu.Shutdown\_priv = 'Y', 'Shutdown ', ''), ` `IF(mu.Process\_priv = 'Y', 'Process ', ''), ` `IF(mu.File\_priv = 'Y', 'File ', ''), ` `IF(mu.Grant\_priv = 'Y', 'Grant ', ''), ` `IF(mu.References\_priv = 'Y', 'References ', ''), ` `IF(mu.Index\_priv = 'Y', 'Index ', ''), ` `IF(mu.Alter\_priv = 'Y', 'Alter ', ''), ` `IF(mu.Show\_db\_priv = 'Y', 'Show\_db ', ''), ` `IF(mu.Super\_priv = 'Y', 'Super ', ''), ` `IF(mu.Create\_tmp\_table\_priv = 'Y', 'Create\_tmp\_table ', ''), ` `IF(mu.Lock\_tables\_priv = 'Y', 'Lock\_tables ', ''), ` `IF(mu.Execute\_priv = 'Y', 'Execute ', ''), ` `IF(mu.Repl\_slave\_priv = 'Y', 'Repl\_slave ', ''), ` `IF(mu.Repl\_client\_priv = 'Y', 'Repl\_client ', ''), ` `IF(mu.Create\_view\_priv = 'Y', 'Create\_view ', ''), ` `IF(mu.Show\_view\_priv = 'Y', 'Show\_view ', ''), ` `IF(mu.Create\_routine\_priv = 'Y', 'Create\_routine ', ''), ` `IF(mu.Alter\_routine\_priv = 'Y', 'Alter\_routine ', ''), ` `IF(mu.Create\_user\_priv = 'Y', 'Create\_user ', ''), ` `IF(mu.Event\_priv = 'Y', 'Event ', ''), ` `IF(mu.Trigger\_priv = 'Y', 'Trigger ', '') ` `)), ' ', ', ') **AS**`**Privileges**` **FROM** ` `mysql.user mu **ORDER** **BY** ` `mu.Host, ` `mu.User
**\* the list of privileges for a database:**
**SELECT** ` `md.host `Host`, ` `md.user `User`, ` `md.db `**Database**`, ` `REPLACE(RTRIM(CONCAT( ` `IF(md.Select\_priv = 'Y', 'Select ', ''), ` `IF(md.Insert\_priv = 'Y', 'Insert ', ''), ` `IF(md.Update\_priv = 'Y', 'Update ', ''), ` `IF(md.Delete\_priv = 'Y', 'Delete ', ''), ` `IF(md.Create\_priv = 'Y', 'Create ', ''), ` `IF(md.Drop\_priv = 'Y', 'Drop ', ''), ` `IF(md.Grant\_priv = 'Y', 'Grant ', ''), ` `IF(md.References\_priv = 'Y', 'References ', ''), ` `IF(md.Index\_priv = 'Y', 'Index ', ''), ` `IF(md.Alter\_priv = 'Y', 'Alter ', ''), ` `IF(md.Create\_tmp\_table\_priv = 'Y', 'Create\_tmp\_table ', ''), ` `IF(md.Lock\_tables\_priv = 'Y', 'Lock\_tables ', ''), ` `IF(md.Create\_view\_priv = 'Y', 'Create\_view ', ''), ` `IF(md.Show\_view\_priv = 'Y', 'Show\_view ', ''), ` `IF(md.Create\_routine\_priv = 'Y', 'Create\_routine ', ''), ` `IF(md.Alter\_routine\_priv = 'Y', 'Alter\_routine ', ''), ` `IF(md.Execute\_priv = 'Y', 'Execute ', ''), ` `IF(md.Event\_priv = 'Y', 'Event ', ''), ` `IF(md.Trigger\_priv = 'Y', 'Trigger ', '') ` `)), ' ', ', ') **AS**`**Privileges**` **FROM** ` `mysql.db md **ORDER** **BY** ` `md.Host, ` `md.User, ` `md.Db
**\* the list of privileges for tables:**
**SELECT** ` `mt.host `Host`, ` `mt.user `User`, ` `CONCAT(mt.Db, '.', mt.Table\_name) `Tables`, ` `REPLACE(mt.Table\_priv, ',', ', ') **AS**`**Privileges**` **FROM** ` `mysql.tables\_priv mt **WHERE** ` `mt.Table\_name IN ` `(**SELECT** ` `**DISTINCT** `   `t.table\_name `tables` ` `**FROM** `   `information\_schema.tables **AS** t ` `**WHERE** `   `t.table\_type IN `   `('BASE TABLE', 'SYSTEM VIEW', 'TEMPORARY', '') OR `   `t.table\_type <> 'VIEW' AND `   `t.create\_options **IS** NOT NULL ` `) **ORDER** **BY** ` `mt.Host, ` `mt.User, ` `mt.Db, ` `mt.Table\_name;
**\* the list of privileges for views:**
**SELECT** ` `mv.host `Host`, ` `mv.user `User`, ` `CONCAT(mv.Db, '.', mv.Table\_name) `Views`, ` `REPLACE(mv.Table\_priv, ',', ', ') **AS**`**Privileges**` **FROM** ` `mysql.tables\_priv mv **WHERE** ` `mv.Table\_name IN ` `(**SELECT** ` `**DISTINCT** `   `v.table\_name `views` ` `**FROM** `   `information\_schema.views **AS** v ` `) **ORDER** **BY** ` `mv.Host, ` `mv.User, ` `mv.Db, ` `mv.Table\_name;
**\* the list of privileges for table columns:**
**SELECT** `  `mtc.host `Host`, `  `mtc.user `User`, `  `CONCAT(mtc.Db, '.', mtc.Table\_name, '.', mtc.Column\_name) `Tables Columns`, `  `REPLACE(mtc.Column\_priv, ',', ', ') **AS** `**Privileges**` **FROM** `  `mysql.columns\_priv mtc **WHERE** `  `mtc.Table\_name IN `  `(**SELECT** `  `**DISTINCT** `    `t.table\_name `tables` `  `**FROM** `    `information\_schema.tables **AS** t `  `**WHERE** `    `t.table\_type IN `    `('BASE TABLE', 'SYSTEM VIEW', 'TEMPORARY', '') OR `    `t.table\_type <> 'VIEW' AND `    `t.create\_options **IS** NOT NULL `  `) **ORDER** **BY** `  `mtc.Host, `  `mtc.User, `  `mtc.Db, `  `mtc.Table\_name, `  `mtc.Column\_name;
**\* the list of privileges for view columns:**
**SELECT** ` `mvc.host `Host`, ` `mvc.user `User`, ` `CONCAT(mvc.Db, '.', mvc.Table\_name, '.', mvc.Column\_name) `Views Columns`, ` `REPLACE(mvc.Column\_priv, ',', ', ') **AS**`**Privileges**` **FROM** ` `mysql.columns\_priv mvc **WHERE** ` `mvc.Table\_name IN ` `(**SELECT** ` `**DISTINCT** `   `v.table\_name `views` ` `**FROM** `   `information\_schema.views **AS** v ` `) **ORDER** **BY** ` `mvc.Host, ` `mvc.User, ` `mvc.Db, ` `mvc.Table\_name, ` `mvc.Column\_name;
**\* the list of privileges for procedures:**
**SELECT** ` `mp.host `Host`, ` `mp.user `User`, ` `CONCAT(mp.Db, '.', mp.Routine\_name) `Procedures`, ` `REPLACE(mp.Proc\_priv, ',', ', ') **AS**`**Privileges**` **FROM** ` `mysql.procs\_priv mp **WHERE** ` `mp.Routine\_type = 'PROCEDURE' **ORDER** **BY** ` `mp.Host, ` `mp.User, ` `mp.Db, ` `mp.Routine\_name;
**\* the list of privileges for functions:**
**SELECT** ` `mf.host `Host`, ` `mf.user `User`, ` `CONCAT(mf.Db, '.', mf.Routine\_name) `Procedures`, ` `REPLACE(mf.Proc\_priv, ',', ', ') **AS**`**Privileges**` **FROM** ` `mysql.procs\_priv mf **WHERE** ` `mf.Routine\_type = 'FUNCTION' **ORDER** **BY** ` `mf.Host, ` `mf.User, ` `mf.Db, ` `mf.Routine\_name;
# How to check database # Check a Specific Table in a Database If your application gives an error message saying that a specific table is corrupted, execute the mysqlcheck command to check that one table. The following example checks employee table in thegeekstuff database. `# mysqlcheck -c thegeekstuff employee -u root -p` `Enter password:` `thegeekstuff.employee    OK` # Check All Tables in a Database To check all the tables in a particular database, don’t specify the table name. Just specify the database name. The following example checks all the tables in the alfresco database. ``` # mysqlcheck -c alfresco -u root -p Enter password: alfresco.JBPM_ACTION OK alfresco.JBPM_BYTEARRAY OK alfresco.JBPM_BYTEBLOCK OK alfresco.JBPM_COMMENT OK alfresco.JBPM_DECISIONCONDITIONS OK alfresco.JBPM_DELEGATION OK alfresco.JBPM_EVENT OK .. ``` # Check All Tables and All Databases To check all the tables and all the databases use the “–all-databases” along with -c option as shown below. ``` # mysqlcheck -c -u root -p --all-databases Enter password: thegeekstuff.employee OK alfresco.JBPM_ACTION OK alfresco.JBPM_BYTEARRAY OK alfresco.JBPM_BYTEBLOCK OK .. .. mysql.help_category error : Table upgrade required. Please do "REPAIR TABLE `help_category`" or dump/reload to fix it! mysql.help_keyword error : Table upgrade required. Please do "REPAIR TABLE `help_keyword`" or dump/reload to fix it! .. ``` If you want to check all tables of few databases, specify the database names using “–databases”. The following example checks all the tables in thegeekstuff and alfresco database. `# mysqlcheck -c  -u root -p --databases thegeekstuff alfresco` `Enter password:` `thegeekstuff.employee                              OK` `alfresco.JBPM_ACTION                               OK` `alfresco.JBPM_BYTEARRAY                            OK` `alfresco.JBPM_BYTEBLOCK                            OK` `..` # Analyze Tables using Mysqlcheck The following analyzes employee table that is located in thegeekstuff database. `# mysqlcheck -a thegeekstuff employee -u root -p` `Enter password:` `thegeekstuff.employee   Table is already up to date` Internally mysqlcheck command uses “ANALYZE TABLE” command. While mysqlcheck is executing the analyze command the table is locked and available for other process only in the read mode. # Optimize Tables using Mysqlcheck The following optimizes employee table that is located in thegeekstuff database. `# mysqlcheck -o thegeekstuff employee -u root -p` `Enter password:` `thegeekstuff.employee         OK` Internally mysqlcheck command uses “OPTIMIZE TABLE” command. When you delete lot of rows from a table, optimizing it helps to get the unused space and defragment the data file. This might improve performance on huge tables that has gone through several updates. # Repair Tables using Mysqlcheck The following repairs employee table that is located in thegeekstuff database. `# mysqlcheck -r thegeekstuff employee -u root -p` `Enter password:` `thegeekstuff.employee        OK` Internally mysqlcheck command uses “REPAIR TABLE” command. This will repair and fix a corrupted MyISAM and archive tables. # Combine Check, Optimize, and Repair Tables Instead of checking and repairing separately. You can combine check, optimize and repair functionality together using “–auto-repair” as shown below. The following checks, optimizes and repairs all the corrupted table in thegeekstuff database. `# mysqlcheck -u root -p --auto-repair -c -o thegeekstuff` You an also check, optimize and repair all the tables across all your databases using the following command. `# mysqlcheck -u root -p --auto-repair -c -o --all-databases` If you want to know what the command is doing while it is checking, add the –debug-info as shown below. This is helpful while you are checking a huge table. ``` # mysqlcheck --debug-info -u root -p --auto-repair -c -o thegeekstuff employee Enter password: thegeekstuff.employee Table is already up to date User time 0.00, System time 0.00 Maximum resident set size 0, Integral resident set size 0 Non-physical pagefaults 344, Physical pagefaults 0, Swaps 0 Blocks in 0 out 0, Messages in 0 out 0, Signals 0 Voluntary context switches 12, Involuntary context switches 9 ``` # Additional Useful Mysqlcheck Options The following are some of the key options that you can use along with mysqlcheck. ``` -A, –all-databases Consider all the databases -a, –analyze Analyze tables -1, –all-in-1 Use one query per database with tables listed in a comma separated way –auto-repair Repair the table automatically it if is corrupted -c, –check Check table errors -C, –check-only-changed Check tables that are changed since last check -g, –check-upgrade Check for version dependent changes in the tables -B, –databases Check more than one databases -F, –fast Check tables that are not closed properly –fix-db-names Fix DB names –fix-table-names Fix table names -f, –force Continue even when there is an error -e, –extended Perform extended check on a table. This will take a long time to execute. -m, –medium-check Faster than extended check option, but does most checks -o, –optimize Optimize tables -q, –quick Faster than medium check option -r, –repair Fix the table corruption ``` # Nagios # check\_mk - download new version: [https://checkmk.com/download.php?HTML=yes](https://checkmk.com/download.php?HTML=yes) - \# yum/zypper install <##> - \# omd stop - \# omd update - \# omd start # Introduction This guide is intended to provide you with simple instructions on how to install Nagios from source (code) on openSUSE and have it monitoring your local machine inside of 20 minutes. No advanced installation options are discussed here - just the basics that will work for 95% of users who want to get started. These instructions were written based on an openSUSE 10.2 installation. # Required Packages Make sure you've installed the following packages on your openSUSE installation before continuing. You can use yast to install packages under openSUSE. - apache2 - C/C++ development libraries ### Create Account Information Become the root user. `su -l` Create a new nagios user account and give it a password. `/usr/sbin/useradd -m nagios` `passwd nagios` Create a new nagios group. Add the nagios user to the group. `/usr/sbin/groupadd nagios` `/usr/sbin/usermod -G nagios nagios` Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group. `/usr/sbin/groupadd nagcmd` `/usr/sbin/usermod -a -G nagcmd nagios` `/usr/sbin/usermod -a -G nagcmd wwwrun` ### Download Nagios and the Plugins Create a directory for storing the downloads. `mkdir ~/downloads` `cd ~/downloads` Download the source code tarballs of both Nagios and the Nagios plugins (visit [http://www.nagios.org/download/](http://www.nagios.org/download/)for links to the latest versions). These directions were tested with Nagios 3.1.1 and Nagios Plugins 1.4.11. `wget `[`http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.3.tar.gz`](http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.3.tar.gz) `wget `[`http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz`](http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz) ### Compile and Install Nagios Extract the Nagios source code tarball. `cd ~/downloads` `tar xzf nagios-3.2.3.tar.gz` `cd nagios-3.2.3` Run the Nagios configure script, passing the name of the group you created earlier like so: `./configure --with-command-group=nagcmd` Compile the Nagios source code. `make all` Install binaries, init script, sample config files and set permissions on the external command directory. `make install` `make install-init` `make install-config` `make install-commandmode` Don't start Nagios yet - there's still more that needs to be done... ### Customize Configuration Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed... Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts. `vi /usr/local/nagios/etc/objects/contacts.cfg` ### Configure the Web Interface Install the Nagios web config file in the Apache conf.d directory. `make install-webconf` Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later. `htpasswd2 -c /usr/local/nagios/etc/htpasswd.users nagiosadmin` Restart Apache to make the new settings take effect. `service apache2 restart` `or` `systemctl restart apache2` Note Note: Consider implementing the ehanced CGI security measures described below to ensure that your web authentication credentials are not compromised. ### Compile and Install the Nagios Plugins Extract the Nagios plugins source code tarball. `cd ~/downloads` `tar xzf nagios-plugins-1.4.11.tar.gz` `cd nagios-plugins-1.4.11` Compile and install the plugins. `./configure --with-nagios-user=nagios --with-nagios-group=nagios` `make` `make install` ### Start Nagios Add Nagios to the list of system services and have it automatically start when the system boots. `chkconfig --add nagios` `chkconfig nagios on` Verify the sample Nagios configuration files. `/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg` If there are no errors, start Nagios. `service nagios start` `or` `systemctl start nagios` ### Login to the Web Interface You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier. [http://localhost/nagios/](http://localhost/nagios/) Click on the "Service Detail" navbar link to see details of what's being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time. ### Other Modifications Make sure your machine's firewall rules are configured to allow access to the web server if you want to access the Nagios interface remotely. You can do this by: - Opening the control center - Select 'Open Administrator Settings' to open the YaST administrator control center - Select 'Firewall' from the 'Security and Users' category - Click the 'Allowed Services' option in the Firewall Configuration window - Add 'HTTP Server' to the allowed services list for the 'External Zone' - Click 'Next' and 'Accept' to activate the new firewall settings Configuring email notifications is outside the scope of this documentation. Refer to your system documentation, search the web, or look to the Nagios Support Portal or Nagios Community Wiki for specific instructions on configuring your openSUSE system to send email messages to external addresses. # Security This is intended to be an introduction for implementation of stronger authentication and server security focused around the CGI web interface. **Stronger Authentication using Digest Authentication.** If you have followed the quickstart guides, chances are that you are using Apache's Basic Authentication. Basic Authentication will send your username and password in "clear text" with every http request. Consider using a more secure method of authentication such as Digest Authentication which creates a MD5 Hash of your username and password to send with each request. **Forcing TLS/SSL for all Web Communication.** Apache provides TLS/SSL through the mod\_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography. **Locking Down Apache Using Access Controls.** Consider locking down access to the Nagios box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system. ## Implementing Digest Authentication The implementation of Digest Authentication is simple. You will have to create the new type of password file using the 'htdigest' tool, then modify the Apache configuration for nagios (typically /etc/httpd/conf.d/nagios.conf). Create a new passwords file using the 'htdigest' tool. The difference that you will notice if you are familiar with 'htpasswd' tools is the requirement to supply a 'realm' argument. Where 'realm' in this case refers to the value of the 'AuthName' directive in the Apache configuration. `htdigest -c /usr/local/nagios/etc/.digest_pw "Nagios Access" nagiosadmin` Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) using the following example. ``` ## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" Options ExecCGI AllowOverride None Order allow,deny Allow from all AuthType Digest AuthName "Nagios Access" AuthDigestFile /usr/local/nagios/etc/.digest_pw Require valid-user Alias /nagios "/usr/local/nagios/share" Options None AllowOverride None Order allow,deny Allow from all AuthType Digest AuthName "Nagios Access" AuthDigestFile /usr/local/nagios/etc/.digest_pw Require valid-user ## END APACHE CONFIG SNIPPETS ``` Then, restart the Apache service so the new settings can take effect. `/etc/init.d/httpd restart` ## Implementing Forced TLS/SSL Make sure you've installed Apache and OpenSSL. By default you should have mod\_ssl support if you are still having trouble you may find help reading Apache's TLS/SSL Encryption Documentation. Next, verify that TLS/SSL support is working by visiting your Nagios Web Interface using HTTPS (https://your.domain/nagios). If it is working you can continue on to the next steps that will force using HTTPS and block all HTTP requests for the Nagios Web Interface. If you are having trouble visit Apache's TLS/SSL Encryption Documentation and Google for troubleshooting your specific Apache installation. Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by adding the 'SSLRequireSSL' directive to both the 'sbin' and 'share' directories. ``` ## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" ... SSLRequireSSL ... Alias /nagios "/usr/local/nagios/share" ... SSLRequireSSL ... ## END APACHE CONFIG SNIPPETS ``` Restart the Apache service so the new settings can take effect. `/etc/init.d/httpd restart` ## Implementing IP subnet lockdown The following example will show how to lock down Nagios CGIs to a specific IP address, IP address range, or IP subnet using Apache's access controls. Edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by using the 'Allow', 'Deny', and 'Order' directives using the following as an example. ``` ## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" ... AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.1 10.0.0.25 # Allow single IP addresses Allow from 10.0.0.0/255.255.255.0 # Allow network/netmask pair Allow from 10.0.0.0/24 # Allow network/nnn CIDR spec ... Alias /nagios "/usr/local/nagios/share" ... AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.1 10.0.0.25 # Allow single IP addresses Allow from 10.0.0.0/255.255.255.0 # Allow network/netmask pair Allow from 10.0.0.0/24 # Allow network/nnn CIDR spec ... ## END APACHE CONFIG SNIPPET ``` Important Notes - Digest Authentication sends data in the clear but not your username and password. - Digest Authentication is not as universally supported as Basic Authentication. - TLS/SSL has potential for "man-in-the-middle attacks". MITM attacks are vulnerable if an attacker is able to insert itself between the server and client such as in a Phishing attack, ISP monitoring, or corporate LAN firewall certificate resigning. So read up on certificate verification! - Apache access controls only protect the HTTP/HTTPS protocols. Look into IPtables for strong system wide firewall control. - Most importantly, Security is a moving target so stay informed and do research! Perhaps by listening to a Podcast such as "Security Now!". # Nmap - [brute force test wordpress](https://www.reeltoreel.nl/bookstack/books/homelab/page/brute-force-test-wordpress) # Brute force test wordpress `nmap -p 80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=4,http-wordpress-brute.uri="/blog/wp-login.php"  ` # Bluetooth To enable the (powered down) bluetooth adapter on openSUSE 13.2: `rfkill unblock bluetooth` # blueproximity tweaking your settings should do the trick. Actually that's why I implemented a kind of testing mode. Open the preferences. Move to the second tab. The last control on that page "Measured atm (at the moment) shows the measured state. You can click on "Reset min/max" and leave the window open. If the window is open BlueProximity enters the simulation state which will not execute the action commands. It still measures the distances (on contrary to the pause mode which will completely disconnect the phone) and shows them at that control. Please note the text below the bar, which states "min" and "max" values - those are the min/max values of the measured distances after you pressed the Reset button last time. This information should give you a hint which values are to expect while you normally work in front of your computer. Remember to use all "poses" you normally use while using your computer. You should stay in those poses for at least 10 seconds so that the rssi value regulates on the new situation. That should give you realistic values for the locking distance. Use a value of at least 2 above the measured value and see if that already gives a secure setting for the distance. Also set the unlock distance to a value at least 2 smaller than the lock distance. Normally half of the lock distance gives a good result. You should play with the timer settings too. Don't put your lock timer to a value less than 5, at this moment my values are lock dist=7,dur=10. That is because I found out that sometimes unexpected com problems seem to exist between my phone and my pc - the rssi value drops to an unreasonable 8 but only for 5 seconds, it comes back to normal then which will never result in a value above 6 for longer than 10 seconds. My unlock time is also not set to 0 but to 2, the distance to 4. That way if I come back to my pc, the first of the two seconds below 5 is usually already passed and it takes about a second for me to sit down and once I sit down it unlocks almost immediately. This should also fix the screensaver problem as there is no immediate unlock possible. Please do note that using a fade out time for you screensaver, it should be set at least one second below the unlock timer so that the unlocking is never done while the locking is still in progress. It once rendered my whole desktop faded to grey which was eyefriendly for that time of the day but it wouldn't help in the office :-) The battery drain should be unnotable to phones that already had bluetooth activated. The explicit energy drain for an open bluetooth connection is specified to be 1 mW, my nokia has a 700mAh battery so it is ridiculously low in comparison :-) In other words, if you have bluetooth activated already you should not notice any difference at all. And btw, the visibility setting in your phone also has no effect on the battery too. Even though you would need to activate it only once to find your phone. After the mac address is entered you can switch your phone back to invisible if you like. This raises your phone's security a little bit. Hopefully this helps, # KVM Start a vm as non-root: `# virsh -c qemu:///system start tumbleweed` and view it: `# virt-viewer -c qemu:///system tumbleweed` # Raspberry Pi - [enable 3d acceleration](https://www.reeltoreel.nl/bookstack/books/archief/page/enable-3d-acceleration) # X11 forwarding for sudo users # Can’t start X11 applications after “su” or “su -” to another user To get access to the X client applications such as system-config-date, xclock, vncviewer we need to export the DISPLAY settings of a remote host to the local server. This is commonly done using below commands. `# ssh root@remotehost ` `remotehost# export DISPLAY=x.x.x.x:y.y` Where x.x.x.x:y.y – is the display settings of the system from which you connected to the remote host. You can also use the -X option with ssh to directly export the DISPLAY on the remote host. `# ssh -X root@remotehost` But now if you try to switch to another user on the remote system and export the display again, you would get and error – “Error: Can’t open display:”. `# ssh -X root@remotehost ` `# su - [username]` `# export DISPLAY=x.x.x.x:y.y ` `# xclock` `Error: Can't open display: x.x.x.x:y.y` # X11 forwarding for sudo users Just setting the DISPLAY is not enough. X authentication is based on cookies, so it’s necessary to set the cookie used by the user that initiated the connection. The following procedure allows a sudo user to use the ssh based X11 tunnel: 1\. Connect the remote host using the -X option with ssh. `# ssh -X root@remote-host` 2\. Now list the coockie set for the current user. `# xauth list $DISPLAY` `node01.thegeekdiary.com/unix:10  MIT-MAGIC-COOKIE-1  dacbc5765ec54a1d7115a172147866aa` `# echo $DSIPLAY` `localhost:10.0` 3\. Switch to another user account using sudo. Add the cookie from the command output above to the sudo user. `# sudo su - [user] ` `# xauth add node01.thegeekdiary.com/unix:10  MIT-MAGIC-COOKIE-1  dacbc5765ec54a1d7115a172147866aa` 4\. Export the display from step 2 again for the sudo user. Try the command xclock to verify if the x client applications are working as expected. `# export DISPLAY=localhost:10.0` `# xclock` # Ssh keygen `# ssh-keygen -t ecdsa -b 521` # Compare Apache conf files and Nginx conf files APACHE: ``` Apache Nginx test server { listen 80; ServerName yoursite.com ServerAlias www.yoursite.com server_name yoursite.com www.yoursite.com; DocumentRoot /path/to/root root /path/to/root; AllowOverride All (No Available Alternative) DirectoryIndex index.php index index.php; ErrorLog /path/to/log error_log /path/to/log error; CustomLog /path/to/log combined access_log /path/to/log main; Alias /url/ “/path/to/files” location /url/ { alias /path/to/files; ``` NGINX: ``` server { listen 8000; # We’re deliberately leaving this as-is to avoid conflict at the moment root /var/www; server_name your_site.com www.your_site.com; location / { try_files $uri $uri/ /index.html; } location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; include fastcgi_params; } location /doc/ { alias /usr/share/doc/; autoindex on; allow 127.0.0.1; deny all; } location ~/\.ht { deny all; } } ``` # Enable wifi after suspend-resume # To enable wifi after resume, when it is turned off Create a systemd service “root-resume.service” in /etc/systemd/system with content: ``` [Unit] Description=Local system resume actions After=suspend.target [Service] Type=simple ExecStart=/usr/bin/nmcli radio wifi on [Install] WantedBy=suspend.target ``` and enable the newly created service: `# systemctl enable root-resume.service` # POSTFIX ## Inleiding Met het programma Postfix op een linux systeem kan mail verzonden en verstuurd worden. Er zijn een paar instellingen die soms gedaan moeten worden. Tevens het gebruik van het lokale mailprogramma wordt in deze hoofdstuk uitgelegd (mail,nail,mailx) ## De instellingen De instellingen die belangrijk zijn om via Postfix mail te kunnen versturen staan in '/etc/postfix/main.cf'. De volgende instellingen zijn belangrijk: `myhostname="fully qualified hostname"` `relayhost=bla.nl ` De laatste instelling is verplicht. Indien deze parameter niet gevuld is, wordt de mail niet verstuurd naar de ontvanger (postfix zoekt dan zelf de relayhost op via het 'mx-record' van het domein, wat een mail relay host teruggeeft die niet relayed -XXXXX ) ## Mail manipulaties Nu kan er dus mail verstuurd worden vanaf de host met het commando 'mail' of 'nail'. Dit kan interactief of scriptsgewijs. Een aantal voorbeeldscriptjes zijn: `nail -s "subject" -r "afzender"  "mailadres" -a "attachment" << EOF         bla body  bla  groetje EOF` `mail bla@amsterdam.nl -s 'hallootjes' -r joop@bla.tk < /proc/cpuinfo ` `mail bla@amsterdam.nl -s 'hallootjes' -r joop@bla.tk -a attachment < /proc/cpuinfo ` of simpeler: `mail -s "subject"  "mailadres" `` bewaar de gelezen mail, de uitvoer geeft aan waar de mail terechtkomt (bijv. '/root/mbox')` `help    --> geeft aan hoe je een mail kan versturen` `list    --> laat alle commando's zien (een soort help maar dan uitgebreider)` `next    --> ga naar het volgende mailtje` `d 1     --> delete mail 1` **`d 1-300 --> delete mail 1 t/m 300`** `header  --> laat de lijst met mail zien` `q       --> verlaat de applicatie` ## De mailboxen De postfix mailbox is opgeslagen in de directory '/var/spool/mail/"username". De gelezen en opgeslagen mail (gaat automatisch bij het afsluiten) staat in "user\_home\_dir"/mbox. ## De postfix deliveryqueue legen/flushen `#postqueue -f <-- waarschijnlijk niet het goede commando` `#postsuper -d ` Alles verwijderen: `#postsuper -d ALL` Het queueID kun je vinden met `#postqueue -p` ## Alle systeem mail for root verwijderen `echo 'd*' | mail -N` ## De postfix queue bekijken `#mailq` of `#postqueue -p` # Een werkende postfix configuratiefile main.cf Hier volgt een goed werkende file voor de transparent mail relay host cups: ``` relay_domains = $mydestination, hash:/etc/postfix/relay virtual_alias_maps = hash:/etc/postfix/virtual #virtual_uid_maps = static:303 #virtual_gid_maps = static:303 #virtual_minimum_uid = 303 #virtual_mailbox_base = /srv/maildirs #virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf #virtual_mailbox_limit = 0 #virtual_mailbox_limit_inbox = no #virtual_mailbox_limit_maps = hash:/etc/postfix/vquota #virtual_mailbox_limit_override = yes #virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf #virtual_transport = virtual ## Additional for quota support #virtual_create_maildirsize = yes #virtual_mailbox_extended = yes ### Needs Maildir++ compatible IMAP servers, like Courier-IMAP #virtual_maildir_filter = yes #virtual_maildir_filter_maps = hash:/etc/postfix/vfilter #virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf #virtual_mailbox_limit_override = yes #virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later. #virtual_maildir_limit_message_maps = hash:/etc/postfix/vmsg #virtual_overquota_bounce = yes #virtual_trash_count = yes #virtual_trash_name = ".Trash" ############################################################ # End MySQL from postfixwiki.org ############################################################ inet_protocols = all biff = no mail_spool_directory = /var/mail canonical_maps = hash:/etc/postfix/canonical virtual_alias_domains = hash:/etc/postfix/virtual relocated_maps = hash:/etc/postfix/relocated transport_maps = hash:/etc/postfix/transport sender_canonical_maps = hash:/etc/postfix/sender_canonical masquerade_exceptions = root masquerade_classes = envelope_sender, header_sender, header_recipient myhostname = bla.wzs.amsterdam.nl delay_warning_time = 1h message_strip_characters = \0 program_directory = /usr/lib/postfix inet_interfaces = xxx #inet_interfaces = localhost masquerade_domains = mydestination = $myhostname, localhost.$mydomain defer_transports = mynetworks = xxx #mynetworks_style = subnet disable_dns_lookups = no relayhost = smtprelay.basis.lan content_filter = mailbox_command = mailbox_transport = strict_8bitmime = no disable_mime_output_conversion = no smtpd_sender_restrictions = hash:/etc/postfix/access smtpd_client_restrictions = permit_mynetworks smtpd_helo_required = no smtpd_helo_restrictions = strict_rfc821_envelopes = no smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination smtp_sasl_auth_enable = no smtpd_sasl_auth_enable = no smtpd_use_tls = no smtp_use_tls = no smtp_enforce_tls = no alias_maps = hash:/etc/aliases mailbox_size_limit = 0 message_size_limit = 0 ``` # How to make a webcam page with Apache on Linux (obsolete) How to make a page on your webserver displaying a picture of your webcam using Linux and Apache This document describes, in short, how to make a page on your webserver to display a semi-continuous image of your webcam. This document is in fact, the documentation of such an installation on my machine running openSUSE 11.2 x86\_64 The webcam involved is a Philips ToUCam Pro. In this example, it is connected directly to the webserver. But it is possible to have the image uploaded from another computer as well. This solution uses a 2 stage approach, which makes it modular. The first stage/module captures images from the device using the commandline tool webcam and places the image in a directory, and the second stage/module is the HTML-page that publishes this image on a regular interval using a java applet (or you can go for a more simple solution and use a static page). ## 1st step: Check webcam. check dmesg `pwc: Philips PCVC740K (ToUCam Pro)/PCVC840 (ToUCam II) USB webcam detected.` ## 2nd step: install motion. buildservice /etc/motion/motion.conf section image file output `output normal on -> off` section live webcam server `webcam port 8081` `webcam quality 80` `webcam localhost off` /var/run/motion/motion.pid `#mkdir /var/run/motion` `#chmod 777 /var/run/motion` # Enable monitoring of MD (software RAID) devices After you have created the RAID (via YAST): `#insserv -d mdadmd` to have mdadm run as a daemon in the background in the deafult runlevels (usually 3 and 5) monitoring your devices. Or you can run it manually using `#mdadm --monitor --scan --daemonise > /var/run/mdadm` this also writes the pid to /var/run/mdadm file. Also, check it by running: `#chkconfig -l mdadmd` `mdadmd                    0:off  1:off  2:off  3:on   4:off  5:on   6:off` # Database dump & restore make database dump: `mysqldump -u root -p –all-databases > pvdm.sql` `mysqldump -u root -p wikidb > pvdm.sql` restore the dump: `#mysql -u root -p` `mysql> create database xyz;` `mysql> quit;` `#mysql -u root -p [dbname] < pvdm.sql` delete database: `#mysql -u root -p` `mysql> drop database xyz;` # Stop SSH brute force attacks ## Stop ssh brute force attack using SuSEfirewall Edit /etc/sysconfig/SuSEfirewall2: do not open ssh ports here `FW_SERVICES_EXT_TCP=""` `FW_CONFIGURATIONS_EXT=""` add this rule `FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"` Restart firewall: `rcSuSEfirewall2 restart` Now attacker will just have three attempts to break in. # Securing the initial mysql installation When mysql is installed, the grant tables are created. - **accounts with the name root are created. The initial password are empty.** - On Unix, both root accounts are for connections from the local host. Connections must be made from the local host by specifying a host name of localhost for one of the accounts, or the actual host name or IP number for the other - **two anonymous-user accounts are created, each with an empty user name. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server.** - On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a host name of localhost for one of the accounts, or the actual host name or IP number for the other. These accounts have all privileges for the test database and for other databases with names that start with test\_. ## root account password assignment: `shell> mysql -u root -p` `mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');` `mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');`
In the second SET PASSWORD statement, replace host\_name with the name of the server host. This is the same host name that you used when you assigned the anonymous account passwords.
If the user table contains an account with User and Host values of 'root' and '127.0.0.1', use an additional SET PASSWORD statement to set that account's password:
`mysql> SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('newpwd');` ## Anonymous Account Removal
If you prefer to remove the anonymous accounts instead, do so as follows:
`shell> mysql -u root` `mysql> DROP USER `**`'`**`'; (zonder spatie)`
The DROP statement applies both to Windows and to Unix.
## new users After connecting to the server as root, you can add new accounts. The following statements use GRANT to set up four new accounts: `mysql> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';` `mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost'` `   ->     WITH GRANT OPTION;` `mysql> CREATE USER 'monty'@'%' IDENTIFIED BY 'some_pass';` `mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%'` `   ->     WITH GRANT OPTION;` `mysql> CREATE USER 'admin'@'localhost';` `mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';` `mysql> CREATE USER 'dummy'@'localhost';` # Install a PXE boot server on 10.3 1. REDIRECT [Install a PXE boot server on 11.1](https://www.reeltoreel.nl/bookstack/books/mediawiki-import/page/install-a-pxe-boot-server-on-111) # How to make a webcam page with Apache on Linux 1. REDIRECT [How to make a webcam page with Apache on Linux (obsolete)](https://www.reeltoreel.nl/bookstack/books/mediawiki-import/page/how-to-make-a-webcam-page-with-apache-on-linux-obsolete) # How to automatically log in to remote ssh servers using public/private keypair As a user: `~>ssh-keygen -t dsa` and enter your way through the prompts The keys are stored in the .ssh/ directory in your home directory. `-rw-------  1 pm users  668 2009-10-24 15:58 id_dsa` `-rw-r--r--  1 pm users  601 2009-10-24 15:58 id_dsa.pub` id\_dsa.pub is the public keyfile we are gonna place on the remote server. `ssh-copy-id -i ~/.ssh/id_dsa.pub remoteserver` Enter your password for the remote server. You should get: `Now try logging into the machine, with "ssh 'remoteserver'", and check in:` ` .ssh/authorized_keys` `to make sure we haven't added extra keys that you weren't expecting.` Now try it for yourself: `ssh remoteserver` Et voila! # How to make an encrypted directory If you want to make an encrypted directory, for instance when you want to store private information, and you want to access it seamless on your computer, this is how to do it. It will be available after mounting it with a password. *This wiki is not about an encrypted filesystem.* # Installation Install the package 'encfs'. OpenSUSE: `#zypper in encfs` # Configuration Now you have to create 2 directories. 1. One will contain the **encrypted**, unreadable data. The files will be stored here. But do nothing with this directory. 2. The second will be used as a sort of 'mount point', where the **unencrypted** data will appear. You must **read and write** *this location.* You can use any name. Here I have chosen the following: `#mkdir ~/.encrypted ~/unencrypted` I choose a name starting with a period ('.') for the encrypted dir because this will hide it from normal viewing, as there is nothing to see anyway :) Now start the installation: `#encfs ~/.encrypted ~/unencrypted` ``` Creating new encrypted volume. Please choose from one of the following options: enter "x" for expert configuration mode, enter "p" for pre-configured paranoia mode, anything else, or an empty line will select standard mode. ``` Press \[enter\] for standard mode ``` Standard configuration selected. Configuration finished. The filesystem to be created has the following properties: Filesystem cipher: "ssl/aes", version 2:2:1 Filename encoding: "nameio/block", version 3:0:1 Key Size: 192 bits Block Size: 1024 bytes Each file contains 8 byte header with unique IV data. Filenames encoded using IV chaining mode. File holes passed through to ciphertext. Now you will need to enter a password for your filesystem. You will need to remember this password, as there is absolutely no recovery mechanism. However, the password can be changed later using encfsctl. New Encfs Password: Verify Encfs Password: ``` And there you have it! # Usage To use the encrypted directory, place some files in the unencrypted directory. You notice that the same amount of files are created in the encrypted directory, but with encrypted names and encrypted contents. You can use the unencrypted dir as you would with any normal dir. If you want to stop using the files, you can logout or unmount manually. Make sure that it is not the current directory. `#fusermount -u ~/unencrypted` To use it again: `#encfs ~/.encrypted ~/unencrypted` And that's it! # How to repair a crashed table I had a crashed searchindex table in my MediaWiki, so I: - Connect to the server `#mysql -u root -p` - Connect to the database `mysql> use wikidb;` - check data `mysql> check table searchindex;` `+--------------------+-------+----------+----------------------------+` `| Table              | Op    | Msg_type | Msg_text                   |` `+--------------------+-------+----------+----------------------------+` `| wikidb.searchindex | check | warning  | Table is marked as crashed |` `| wikidb.searchindex | check | status   | OK                         |` `+--------------------+-------+----------+----------------------------+` `2 rows in set (0.24 sec)` - fix it `mysql> repair table searchindex;` `+--------------------+--------+----------+----------+` `| Table              | Op     | Msg_type | Msg_text |` `+--------------------+--------+----------+----------+` `| wikidb.searchindex | repair | status   | OK       |` `+--------------------+--------+----------+----------+` `1 row in set (0.21 sec)` # How to test network speed - Install iperf [http://software.opensuse.org/search http://software.opensuse.org/search](http://software.opensuse.org/search_http://software.opensuse.org/search "wikilink") - start on server: `# iperf -s` - start on client: `# iperf -c [ip.of.server.address] -r -t 10` -r: test reverse also -t: time # How to convert an existing ext3 filesystem to ext4 1. Dismount the filesystem 2. tune2fs -O extents,uninit\_bg,dir\_index /dev/DEV 3. e2fsck -fpDC0 /dev/DEV # Using bridged networking in VirtualBox If you get an error when using bridged networking, type: `# insmod /lib/modules/2.6.31.8-0.1-desktop/updates/vboxnetflt.ko` That could help. Of course, substitute your current kernel. # Installation of openfire jabber xmpp server on openSUSE server - download the rpm form the website - install the rpm with `# zypper in openfire.rpm` - tidy the start script /etc/init.d/openfire. Paste this at the beginning of the file, replacing what is already there.... ``` #! /bin/sh # # openfire Stops and starts the Openfire XMPP service. # ### BEGIN INIT INFO # Provides: openfire # Required-Start: $network # Required-Stop: $network # Default-Start: 3 5 # Default-Stop: # Description: # description: Openfire is an XMPP server, which is a server that facilitates \ # XML based communication, such as chat. # config: /opt/openfire/conf/openfire.xml # config: /etc/sysconfig/openfire # pidfile: /var/run/openfire.pid # Short-Description: XMPP server ### END INIT INFO ``` - start the server `# /etc/init.d/openfire start` `# /etc/init.d/openfire status` - go to the admin url [http://](http://):9090 fill in the right data Before you can login for the first time, you may have to stop and start the service. - make it start automagically `# chkconfig -a openfire` # Troubleshooting Openfire admin password Find the sparkweb.xml file in the Conf directory, open it in your favorite text editor and place the following: ``` joe ``` Then restart the service!! Where "joe" is any user you want to use as the admin. This will allow you to login with an account you know. If this doesn't work, open the same sparkweb.xml file, find the entry near the bottom that says true and change it to false. Stop and start the service, open the admin console and you will be prompted to begin the setup again. You previous settings will be saved and you can press "save & continue" for most settings. When it asks for the admin account, fix it there. # Apache etc. (joomla etc.) 1. REDIRECT [Apache en HTML](https://www.reeltoreel.nl/bookstack/books/mediawiki-import/page/apache-en-html) # How to secure an initial MySQL installation 1. REDIRECT [OLD:How to secure an initial MySQL installation](OLD:How_to_secure_an_initial_MySQL_installation "wikilink") # Enlarge disks by removing reserve space on ext2/3/4 **Five** percent of a ext2/3/4 filesysteem is reserved for root. - With tune2fs this can be tweaked, even after the filesystem is created. `# tune2fs -m 1 /dev/sda1` this reserves 1 percent. `# tune2fs -m 0.2 /dev/sda1` this reserves 0.2 percent - On a filesystem that has no systemfiles, like homedirs, there is no use for any reserved space. You can make this 0 percent. # Allowing access from other hosts To allow access from your workstation (to use mysqladministrator?) you must allow access. ``` mysql> update user set host='10.125.0.3' where user='root' and host='localhost'; Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0 mysql> flush privileges; Query OK, 0 rows affected (0.05 sec) ``` # Install openSUSE via SSH To install a server over SSH do the following: - insert CD/DVD into the machine and boot - on the kerneloptionsline type: `usessh=1 sshpassword=sdrtjgbskdhg hostip=1.1.1.1 netmask=255.255.255.0 gateway=1.1.1.1` - boot the machine - you van continue the installation using an SSH session from a workstation. # SSH filesystem SSH Filesystem Another way to get at files on remote hosts? The SSH Fuse filesystem. This effectively mounts remote filesystems using SSH. It's a bit complicated, but not bad. Here's how we do it (it's easier after the first time): 1. Make sure you have the sshfs and FUSE packages installed. If you install sshfs on Ubuntu, for instance, it should pull in the necessary packages. 2. Make sure that the fuse module is loaded. Check using lsmod | grep fuse and if it isn't loaded, run sudo modprobe fuse. 3. Make sure you're in the fuse group. May require a log out and in again. (adduser username fuse or just append your username to the fuse line in /etc/group.) 4. Now, make sure you have a directory to serve as a local mount point. I usually just use the server name. So I might make a local directory under my home directory called "kang" for a remote server called kang.zonker.net. 5. To mount the remote filesystem, run: sshfs hostname:/directory localdirectory. For example, I might run: sshfs jzb@kang.zonker.net:/home/jzb/ kang . That's it. Now you can browse the remote filesystem as if it were local. Naturally, like copying files over SFTP or scp, it's going to be slower. But this makes remote file management dead easy.