#! /bin/bash
# backup-postgresql.sh
# this script is public domain. feel free to use or modify as you like.
# run as the postgres user (e.g. from its crontab)
set -euo pipefail          # abort on the first failing command, including inside pipelines
umask 077                  # dumps contain role definitions and all data: owner-readable only
DUMPALL="/usr/bin/pg_dumpall"
PGDUMP="/usr/bin/pg_dump"
PSQL="/usr/bin/psql"
# directory to save backups in, must be rwx by postgres user
BASE_DIR="/var/backups/postgres"
YMD=$(date "+%Y-%m-%d")
DIR="$BASE_DIR/$YMD"
mkdir -p "$DIR"
cd "$DIR"
# get list of databases in system, exclude the template dbs
# (ask the catalog directly instead of scraping "psql -l", whose column layout varies between versions)
DBS=$($PSQL -At -c "SELECT datname FROM pg_database WHERE NOT datistemplate")
# first dump entire cluster, including roles (pg_shadow etc.) and tablespaces
# --column-inserts is the long form of the old -D switch, which current pg_dumpall no longer accepts
$DUMPALL --column-inserts | gzip -9 > "$DIR/db.out.gz"
# next dump globals (roles and tablespaces) only
$DUMPALL -g | gzip -9 > "$DIR/globals.gz"
# now loop through each individual database and backup the schema and data separately
for database in $DBS; do
    SCHEMA="$DIR/$database.schema.gz"
    DATA="$DIR/$database.data.gz"
    # schema only, with CREATE DATABASE and DROP statements so it restores onto an empty cluster
    $PGDUMP -C -c -s "$database" | gzip -9 > "$SCHEMA"
    # data only
    $PGDUMP -a "$database" | gzip -9 > "$DATA"
done
# delete daily backup directories older than 30 days
# -mindepth/-maxdepth keep BASE_DIR itself and files inside a day's directory out of the match
OLD=$(find "$BASE_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +30)
if [ -n "$OLD" ] ; then
    echo "deleting old backup files: $OLD"
    echo "$OLD" | xargs rm -rfv
fi
Tuesday, November 16, 2010
Monday, November 15, 2010
"proc" File System RedHat /CentOS /Ubuntu
Inside the /proc directory you'll see two types of content: numbered directories and system information files.
/proc is not a real file system, it is a virtual file system: the kernel generates the contents on every read. For example, if you do ls -l /proc/stat, you'll notice that it has a size of 0 bytes, but if you do "cat /proc/stat", you'll see some content inside the file.
Several Linux commands read their information from /proc and display it in a certain format.
1. /proc Directories with names as numbers
Do a ls -l /proc, and you'll see a lot of directories with just numbers. These numbers are process ids; the files inside a numbered directory correspond to the process with that particular PID.
Following are the important files located under each numbered directory (for each process):
* cmdline – command line of the process, NUL-separated.
* environ – environment variables of the process. Readable only by the process owner and root, since it frequently holds credentials.
* fd – directory of symlinks, one per open file descriptor, pointing at the file, socket or pipe it refers to.
* limits – resource limits (ulimit) that apply to the process.
* mounts – the mounts visible to the process (its mount namespace).
Following are the important links under each numbered directory (for each process):
* cwd – Link to the current working directory of the process.
* exe – Link to the executable of the process; the target gains a " (deleted)" suffix if the binary has been removed from disk since the process started.
* root – Link to the root directory of the process (differs from / for a chrooted process).
2. /proc Files about the system information
Following are some files which are available under /proc, that contains system information such as cpuinfo, meminfo, loadavg.
* /proc/cpuinfo – information about CPU,
* /proc/meminfo – information about memory,
* /proc/loadavg – load average,
* /proc/partitions – partition related information,
* /proc/version – linux version
Some Linux commands read the information from this /proc files and displays it. For example, free command, reads the memory information from /proc/meminfo file, formats it, and displays it.
To learn more about the individual /proc files, do “man 5 FILENAME”.
* /proc/cmdline – Kernel command line
* /proc/cpuinfo – Information about the processors.
* /proc/devices – List of device drivers configured into the currently running kernel.
* /proc/dma – Shows which DMA channels are being used at the moment.
* /proc/fb – Frame Buffer devices.
* /proc/filesystems – File systems supported by the kernel.
* /proc/interrupts – Number of interrupts per IRQ on architecture.
* /proc/iomem – This file shows the current map of the system’s memory for its various devices
* /proc/ioports – provides a list of currently registered port regions used for input or output communication with a device
* /proc/loadavg – Contains load average of the system
The first three columns are the system load averages over the last 1, 5 and 15 minutes: the average number of tasks that were runnable or waiting in uninterruptible I/O, not a CPU utilization percentage.
The fourth column shows the number of currently runnable scheduling entities and the total number of scheduling entities on the system.
The last column displays the PID most recently assigned by the kernel.
* /proc/locks – Displays the files currently locked by the kernel
Sample line:
1: POSIX ADVISORY WRITE 14375 08:03:114727 0 EOF
* /proc/meminfo – Current utilization of primary memory on the system
* /proc/misc – This file lists miscellaneous drivers registered on the miscellaneous major device, which is number 10
* /proc/modules – Displays a list of all modules that have been loaded by the system
* /proc/mounts – This file provides a quick list of all mounts in use by the system
* /proc/partitions – Very detailed information on the various partitions currently available to the system
* /proc/pci – Full listing of every PCI device on your system (no longer present on current kernels; use lspci, which reads /sys/bus/pci, instead)
* /proc/stat – Keeps track of a variety of different statistics about the system since it was last restarted
* /proc/swaps – Lists the active swap areas and their utilization
* /proc/uptime – Contains information about uptime of the system
* /proc/version – Version of the Linux kernel, gcc, name of the Linux flavor installed.
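As an added example (not from the original post), the following POSIX shell script applies the exe link and cmdline file described above to a common incident-response check: listing processes whose executable has been unlinked from disk, the " (deleted)" case mentioned for exe. The /proc root is a parameter so the functions can be exercised against a constructed tree; make_fake_proc builds that tree and is purely for demonstration, not something a real /proc contains.

```shell
#!/bin/sh
# Walk a /proc-style tree and report processes whose executable has been
# unlinked from disk: the exe link then ends in " (deleted)", which is what
# you see when a dropper is run from /tmp and removed to evade disk scans.
# The proc root is a parameter (default /proc) so a constructed tree can be
# used for testing without root access or a live kernel.

tab=$(printf '\t')

# Print "pid<TAB>original-path" for each numbered entry whose exe target
# carries the " (deleted)" suffix.
find_deleted_exe() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # readlink fails for kernel threads (no exe) and for PIDs we may not inspect
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\t%s\n' "$pid" "${target% (deleted)}" ;;
        esac
    done
}

# Render the NUL-separated cmdline file as one space-separated line.
proc_cmdline() {
    tr '\000' ' ' < "$1" | sed 's/ $//'
}

# Human-readable report: pid, the path the binary was loaded from, and its command line.
report_deleted_exe() {
    root="${1:-/proc}"
    find_deleted_exe "$root" | while IFS="$tab" read -r pid path; do
        printf 'pid %s: exe %s was deleted, cmdline: %s\n' \
            "$pid" "$path" "$(proc_cmdline "$root/$pid/cmdline")"
    done
}

# Constructed fake /proc tree (two processes, one with an unlinked executable).
# Only for demonstration; a real /proc is produced by the kernel.
make_fake_proc() {
    root="$1"
    mkdir -p "$root/1" "$root/4242" "$root/self"
    ln -s /usr/sbin/sshd "$root/1/exe"
    printf '/usr/sbin/sshd\000-D\000' > "$root/1/cmdline"
    ln -s "/tmp/.x/payload (deleted)" "$root/4242/exe"
    printf '/tmp/.x/payload\000-c\000/tmp/.x/cfg\000' > "$root/4242/cmdline"
}

# Usage: sh proc-deleted-exe.sh --run [/proc]   (run as root to see every process)
if [ "${1:-}" = "--run" ]; then
    report_deleted_exe "${2:-/proc}"
fi
```

On a live system the check needs root to read other users' exe links; a hit is not proof of compromise (package upgrades also leave long-running daemons with deleted binaries), but it tells you exactly which PIDs to dump with /proc/PID/maps and /proc/PID/fd before rebooting.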
Create your own social network site like Facebook :)
Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Organizations with networks powered by Elgg include:
#yum install mysql mysql-server httpd php php-mysql php-gd php-imap php-ldap php-odbc php-pear php-xml php-xmlrpc phpmyadmin
#service httpd start
#service mysqld start
#mysql_secure_installation (set up the MySQL root password, remove the anonymous users and the test database)
open firefox http://localhost/phpmyadmin and create an elgg-db database. Also create a dedicated MySQL user (for example elgg) with privileges on elgg-db only. Elgg must not connect as root: the credentials in settings.php are readable by the web server, and therefore by anything that compromises it.
#wget -O elgg-1.7.4.zip 'http://elgg.org/getelgg.php?forward=elgg-1.7.4.zip'
#unzip elgg-1.7.4.zip -d /var/www/html/
#mv /var/www/html/elgg-1.7.4/ /var/www/html/elgg/
#cd /var/www/html/elgg/engine/
#cp settings.example.php settings.php
#vi settings.php
// Database username (the dedicated user created above, not root)
$CONFIG->dbuser = 'elgg';
// Database password (choose a strong, unique one)
$CONFIG->dbpass = 'password';
// Database name
$CONFIG->dbname = 'elgg-db';
// Database server
// (For most configurations, you can leave this as 'localhost')
$CONFIG->dbhost = 'localhost';
// Database table prefix
// If you're sharing a database with other applications, you will want to use this
// to differentiate Elgg's tables.
$CONFIG->dbprefix = 'elgg';
Keep settings.php readable by root and the web server user only (chown root:apache settings.php; chmod 640 settings.php), since it holds the database password.
#mkdir /uploads
#chown apache:apache /uploads
#chmod 750 /uploads
The data directory must stay outside the web root and be writable by the web server user only. Do not make it world-writable (chmod 777): that lets any local account plant files that Elgg will then serve.
open firefox http://yourdomain.com/elgg and follow the screen
#vi /var/www/html/elgg/.htaccess and paste the contents shown on the first installer screen, save, then reload the page and follow the screen
:)
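Added example, not part of the original guide or of Elgg itself: a POSIX shell script that produces the least-privilege MySQL account the install above should use instead of root, and writes a settings.php with the matching values and a restrictive mode. The database name elgg-db, the user elgg and the settings.php field names follow the tutorial; the privilege list is my choice of what an application that creates and migrates its own tables needs, and is assumed to be enough for Elgg 1.7. The SQL is printed rather than executed so you can review it before running it as the MySQL root user.

```shell
#!/bin/sh
# Produce a dedicated, least-privilege MySQL account for Elgg and the matching
# settings.php, instead of handing the application the MySQL root password.
# Nothing here connects to MySQL: the SQL is printed so it can be reviewed and
# then piped into "mysql -u root -p". Database and user names default to the
# tutorial's (elgg-db, elgg); everything else is a parameter.

# 24 bytes from the kernel CSPRNG, base64-encoded: 32 characters, no newline or padding.
new_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n='
}

# SQL that creates the account and grants only what a web application needs on
# its own schema: table CRUD and DDL for installs/upgrades, no GRANT OPTION,
# no FILE/SUPER, and nothing on other databases (assumed sufficient for Elgg 1.7).
elgg_grant_sql() {
    db="$1" user="$2" pass="$3" host="${4:-localhost}"
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Write settings.php (fields as in settings.example.php above) with mode 640:
# readable by root and the web server group, by nobody else on the box.
write_settings() {
    path="$1" db="$2" user="$3" pass="$4" host="${5:-localhost}" prefix="${6:-elgg}"
    ( umask 077; : > "$path" )     # create it private before any secret is written
    chmod 640 "$path"
    cat > "$path" <<EOF
<?php
global \$CONFIG;
if (!isset(\$CONFIG)) \$CONFIG = new stdClass;
\$CONFIG->dbuser = '$user';
\$CONFIG->dbpass = '$pass';
\$CONFIG->dbname = '$db';
\$CONFIG->dbhost = '$host';
\$CONFIG->dbprefix = '$prefix';
EOF
}

# Usage: sh elgg-dbsetup.sh /var/www/html/elgg/engine/settings.php
# afterwards: chown root:apache settings.php, and run the printed SQL as MySQL root.
if [ $# -eq 1 ]; then
    pw=$(new_password)
    write_settings "$1" elgg-db elgg "$pw"
    elgg_grant_sql elgg-db elgg "$pw"
fi
```

The password never appears on a command line or in shell history: it goes straight into the file and the printed SQL, both of which you control.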
Friday, November 12, 2010
To Lock Users To Their Home Directories Only CentOS /RedHat
rssh supports a chroot option. If you want to chroot users, use the chrootpath option: it sets the directory that becomes the root of the chroot jail. This is a security feature.
A chroot on Linux or Unix is an operation that changes the apparent root directory for the current process and its children. Without it, a user whose home directory is /home/rajat can still read files in /etc, /sbin or /bin and write into world-writable directories such as /tmp, which is all an attacker needs to stage programs or a backdoor (for example through your web server). chroot restricts file system access and locks the user into their own directory tree.
Keep in mind what a chroot does and does not give you: it hides the rest of the file system from an unprivileged user, but it is not a boundary against root, so the setuid rssh_chroot_helper and the binaries copied into the jail are the parts to keep minimal and up to date. On current OpenSSH versions the same result for sftp-only users can be had without copying any binaries or libraries, using ChrootDirectory together with ForceCommand internal-sftp in sshd_config; rssh is what this guide covers.
Configuring rssh chroot
=> Chroot directory: /users.
Tip: If possible mount the /users filesystem with the nosuid and nodev options to improve security. noexec would stop the copied sftp-server and scp from running once the user is inside the jail, so it is not an option here.
=> Required directories in jail:
/users/dev - device files
/users/etc - configuration files such as passwd
/users/lib - shared libraries
/users/usr - rssh and other binaries
/users/bin - copy of the default shell such as /bin/sh or /bin/bash
=> Required files in jail at the /users directory (default for RHEL / CentOS / Debian Linux):
/etc/ld.so.cache
/etc/ld.so.conf.d/*
/etc/ld.so.conf
/etc/nsswitch.conf
/etc/passwd
/etc/group
/etc/hosts
/etc/resolv.conf
/usr/bin/scp
/usr/bin/rssh
/usr/bin/sftp
/usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
/usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
/bin/sh or /bin/bash (default shell)
Tip: Limit the binaries which live in the jail to the absolute minimum required to improve security. Usually /bin/bash and /bin/sh are not required, but some systems may give an error without them.
A note about the jail file system
Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system. So you need to copy all required files. For example, /usr/bin/rssh is located on the / file system. If your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh. The following instructions are tested on:
FreeBSD
Solaris UNIX
RHEL / Redhat / Fedora / CentOS Linux
Debian Linux
Building the Chrooted Jail
Create all required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh
Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files, as described above, to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .
Open /users/etc/group and /users/etc/passwd and remove root and every other account that does not belong in the jail: the copies only need the jailed users, so nothing about the rest of the system leaks to them. Never copy /etc/shadow into the jail.
Copy the required binary files, as described above, to your jail directory /users/bin and the other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .
OR
# cp /usr/lib/rssh/rssh_chroot_helper .
# cd /users/bin/
# cp /bin/sh .
OR
# cp /bin/bash .
Copy all shared library files
The library files that any of these binaries need can be found with the ldd command (or by watching the open() calls under strace). Note that ldd may execute the binary to discover its dependencies, so only run it on trusted system binaries, never on something untrusted. For example, running ldd against /usr/bin/sftp provides the following output:
ldd /usr/bin/sftp
Output:
linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
You need to copy all those libraries to /users/lib and the other matching locations under the jail (linux-gate.so.1 is the kernel's vDSO and has no file to copy). However, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.yeswedeal.biz/files/l2chroot.txt
# chmod +x l2chroot
Read the downloaded file before you run it: it is an unsigned script fetched over plain HTTP from a third-party site, and it will run as root. Open l2chroot and set the BASE variable to point to the chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server
OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper
OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh
OR
# l2chroot /bin/bash
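If you would rather not run a script downloaded from a third-party site as root, here is an added example (my own, not from the original post, the rssh project or the l2chroot script) that does the same job in POSIX shell: it parses the ldd output shown above and copies the binary plus every library it links against into the jail at the same path it has on the host. BASE defaults to /users as in the guide; the parser relies only on the three line shapes ldd prints.

```shell
#!/bin/sh
# Copy a binary and every shared library it links against into a chroot jail,
# preserving the original paths (/usr/bin/sftp -> $BASE/usr/bin/sftp,
# /lib/libc.so.6 -> $BASE/lib/libc.so.6). Dependencies come from ldd output.
# Run as root; BASE is the jail root (the guide uses /users).
BASE="${BASE:-/users}"

# Extract absolute library paths from ldd output on stdin. Handles the three
# line shapes ldd prints: "name => /path (addr)", "/path (addr)" for the
# dynamic loader, and "name => (addr)" for the vDSO, which has no file and is skipped.
parse_ldd() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one file into the jail under the same path it has on the host.
jail_copy() {
    src="$1"
    dest="$BASE$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"
}

# Copy a binary plus its libraries. ldd may execute the binary to discover
# its dependencies, so only point this at trusted system binaries.
l2chroot() {
    bin="$1"
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 1; }
    jail_copy "$bin"
    ldd "$bin" | parse_ldd | while read -r lib; do
        jail_copy "$lib"
    done
}

# Usage: BASE=/users sh l2chroot.sh /usr/bin/sftp /usr/bin/scp /usr/bin/rssh ...
for b in "$@"; do
    l2chroot "$b"
done
```

cp -p keeps the ownership and mode of each file, so a copied setuid helper stays setuid; re-run the script after every package update of openssh or rssh, since the jail copies are not touched by the package manager.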
Modify syslogd configuration
The syslog library function works by writing messages into a Unix domain socket such as /dev/log. Inside the jail that socket does not exist, so you need to pass the -a /path/to/chroot/dev/log option, which tells syslogd to listen on an additional socket. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets; if your environment needs even more, you have to increase the MAXFUNIX symbol within the syslogd.c source file. Open the /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux, apply the changes to the /etc/default/syslogd file. On systems that run rsyslog instead of sysklogd (RHEL / CentOS 6 and later), the equivalent is $AddUnixListenSocket /users/dev/log in /etc/rsyslog.conf (the imuxsock module), followed by a restart of rsyslog.
Set chroot path
Open the configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users
chrootpath=/users
Save and close the file. If sshd is not running, start it:
# /etc/init.d/sshd start
Add user to jail
Now rssh is installed. The next logical step is to configure a user to use rssh. All you have to do is set the user account's shell to /usr/bin/rssh. The following examples add user bidi to the system with /usr/bin/rssh as the shell.
Create a new user with /usr/bin/rssh
Login as the root user and type the following command to create a new user called bidi:
# useradd -m -d /home/bidi -s /usr/bin/rssh bidi
# passwd bidi
Change existing user shell to /usr/bin/rssh
You don't have to edit the /etc/passwd file to change a shell. Use the chsh command. It changes the user login shell, which determines the command run when the user logs in. A normal user may only change the login shell for his/her own account; the super user (root) may change the login shell for any account. The syntax of the chsh command is:
chsh -s {shell-name} {user-name}
Where,
- -s {shell-name} : Specify the login shell. You can obtain the list of available shells from the /etc/shells file.
- User-name : Optional, useful if you are the root user.
First, find out the available shell list:
# less /etc/shells
Output:
/bin/ash /bin/csh /bin/sh /usr/bin/es /bin/ksh /bin/tcsh /bin/sash /bin/zsh /bin/dash /usr/bin/screen /bin/bash /bin/rbash
Now change your shell name to /bin/tcsh:
# chsh -s /bin/tcsh
Password:
When prompted for a password, type your own password. If you just type the chsh command, it will prompt for the shell name interactively:
# chsh
Output:
Password:
Changing the login shell for tv
Enter the new value, or press ENTER for the default
Login Shell [/bin/bash]:
To switch an existing account to rssh, as root, use either usermod or chsh:
# usermod -s /usr/bin/rssh old-user-name
e.g.
# usermod -s /usr/bin/rssh rajat
# chsh -s /usr/bin/rssh rajat
Make sure /usr/bin/rssh is listed in /etc/shells, otherwise chsh will refuse it.
Try login via ssh or sftp
Now try to login via ssh or sftp using username bidi:
# sftp bidi@my.backup.server.com
OR
# ssh bidi@my.backup.server.com
Output:
bidi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2010 i686
Last login: Thu Nov 10 16:35:04 2010 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to my.backup.server.com closed.
By default the rssh configuration locks down everything, including any sort of access.
Grant access to sftp and scp for all users
The default action for rssh is to lock down everything. To grant access to scp or sftp, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the following two lines:
allowscp
allowsftp
Save and close the file. rssh reads its configuration file on the fly (there is no rssh service). These directives apply to every rssh user; rssh.conf also supports per-user lines if you need different access for different accounts (see man rssh.conf). Now the user should be able to run scp and sftp, but no shell access is granted:
# scp /path/to/file bidi@my.backup.server.com:/.
OR
# sftp bidi@my.backup.server.com
Output:
Connecting to my.backup.server.com...
bidi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/bidi
sftp>
Understanding command configuration options
You need to add the following keywords / directives to allow or disallow scp / sftp and other commands:
- allowscp : Tells the shell that scp is allowed.
- allowsftp : Tells the shell that sftp is allowed.
- allowcvs : Tells the shell that cvs is allowed.
- allowrdist : Tells the shell that rdist is allowed.
- allowrsync : Tells the shell that rsync is allowed.
Enable only the commands a user actually needs: each one is a separate program with its own command-line options that rssh has to filter, so cvs, rdist and rsync add far more attack surface than sftp alone.
Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.
# useradd -m -d /users/rajat -s /usr/bin/rssh rajat
# passwd rajat
Add rajat's entry to the jail's own /users/etc/passwd (and the group to /users/etc/group) as well, since name lookups inside the chroot use those copies. Now rajat can login using sftp or copy files using scp:
sftp rajat@my-server.com
rajat@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /rajat
sftp> cd /tmp
Couldn't canonicalise: No such file or directory
User rajat is allowed to login to the server to transfer files, but not allowed to browse the entire file system: the jail root /users is what the user sees as /, so the home directory /users/rajat shows up as /rajat, and /tmp does not exist because it was never created inside the jail.
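Added example, not from the original post: a POSIX shell script that mirrors an account into the jail's /etc/passwd and /etc/group described earlier, stripping the password field and rewriting the home path, so that sftp-server inside the chroot resolves names and the user lands in /rajat rather than /users/rajat. BASE defaults to /users; getent is assumed to be available (it is on Linux), and the jail copies are assumed to already exist from the earlier cp step.

```shell
#!/bin/sh
# Mirror host accounts into the jail's own passwd and group files so that
# name lookups inside the chroot (sftp-server, ls -l) resolve, while the
# entries carry no secrets: the password field is forced to "x" and no
# shadow file is ever copied. Home directories under BASE are rewritten to
# the path the user sees after chroot (/users/rajat becomes /rajat).
BASE="${BASE:-/users}"

# stdin: passwd lines from the host; stdout: the same lines adjusted for the jail.
jail_passwd_entries() {
    base="${1:-$BASE}"
    awk -F: -v base="$base" 'BEGIN { OFS = ":" }
        NF >= 7 {
            $2 = "x"
            if (index($6, base "/") == 1) $6 = substr($6, length(base) + 1)
            else if ($6 == base) $6 = "/"
            print
        }'
}

# Append one user (and its primary group) to the jail copies, skipping duplicates.
add_jail_user() {
    user="$1"; base="${2:-$BASE}"
    entry=$(getent passwd "$user") || { echo "no such user: $user" >&2; return 1; }
    grep -q "^$user:" "$base/etc/passwd" 2>/dev/null ||
        printf '%s\n' "$entry" | jail_passwd_entries "$base" >> "$base/etc/passwd"
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    grep -q "^[^:]*:[^:]*:$gid:" "$base/etc/group" 2>/dev/null ||
        getent group "$gid" >> "$base/etc/group"
}

# Usage: BASE=/users sh jail-passwd.sh rajat bidi
for u in "$@"; do
    add_jail_user "$u"
done
```

Run it after every useradd for a jailed account, and keep the jail copies owned by root and mode 644: the users inside must be able to read them for lookups, but must never be able to edit them.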