Monday, October 6, 2014

Updating openssl to latest

Download the latest openssl source from the page below; as of this writing, the latest release is the one I installed (1.0.1i).

https://www.openssl.org/source/

 Bytes    Timestamp            Filename
-------- -------------------- ----------------------------
 5149260 Sep 25 22:45:26 2014 openssl-1.0.2-beta3.tar.gz (MD5) (SHA1) (PGP sign)
 1404199 Aug 20 12:52:55 2014 openssl-fips-ecp-2.0.8.tar.gz (MD5) (SHA1) (PGP sign)
 1424766 Aug 20 12:52:46 2014 openssl-fips-2.0.8.tar.gz (MD5) (SHA1) (PGP sign)
 3727934 Aug  6 23:56:45 2014 openssl-0.9.8zb.tar.gz (MD5) (SHA1) (PGP sign)
 3994771 Aug  6 23:56:45 2014 openssl-1.0.0n.tar.gz (MD5) (SHA1) (PGP sign)
 4422117 Aug  6 23:56:45 2014 openssl-1.0.1i.tar.gz (MD5) (SHA1) (PGP sign)  [LATEST]
 4872101 Jul 22 22:53:02 2014 openssl-1.0.2-beta2.tar.gz (MD5) (SHA1) (PGP sign)
 1438620 Jul  4 01:21:08 2014 openssl-fips-2.0.7.tar.gz (MD5) (SHA1) (PGP sign)
 1417674 Jul  4 01:21:08 2014 openssl-fips-ecp-2.0.7.tar.gz (MD5) (SHA1) (PGP sign)

Log in to your server as root, then fetch, build, test and install the source:

wget https://www.openssl.org/source/openssl-1.0.1i.tar.gz
tar xzvf openssl-1.0.1i.tar.gz
cd openssl-1.0.1i
./config
make
make test
make install

The installation lands at /usr/local/ssl/bin/openssl. Move the old openssl binary aside and point /usr/bin/openssl at the new one:

mv /usr/bin/openssl /root/openssl-old
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Check the version:

openssl version

OpenSSL 1.0.1i 6 Aug 2014


It is better, though, to rebuild it as an RPM on your build server, following the best practice that a production server, particularly one facing the internet, should not contain any compiler.
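The listing above publishes an MD5, SHA1 and PGP signature link next to each tarball. As an added example (not part of the original post), this checks the downloaded tarball against the published SHA1 digest before running ./config; it assumes sha1sum from coreutils, and the digest in real use is copied from the (SHA1) link, never computed from the file itself.

```shell
#!/bin/sh
# Added example (not from the original post): verify the downloaded tarball
# against the SHA1 digest published next to it on the openssl.org listing
# before building it. Assumes sha1sum from coreutils.
verify_sha1() {
  # $1 = tarball path, $2 = expected hex digest copied from the (SHA1) link
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha1sum "$1" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 matches the published digest"
    return 0
  fi
  echo "MISMATCH: $1 has $actual, expected $expected; do not build it" >&2
  return 1
}

# Constructed demonstration on a scratch file standing in for
# openssl-1.0.1i.tar.gz; here the digest is taken from the file only so
# the demo runs offline, which is exactly what you must NOT do for real.
sample=$(mktemp)
printf 'constructed sample' > "$sample"
verify_sha1 "$sample" "$(sha1sum "$sample" | cut -d' ' -f1)"
rm -f "$sample"
```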

Tuesday, June 25, 2013

Reversing SVN using good revision number

When updating the code using svn, the output usually looks like this:

-bash-3.2$ svn update --force
svn.user@192.168.1.1's password:
U    code01.php
Updated to revision 15701.
If the dev team wants to revert to a previous revision because there was an error in the code, the command below does it.

Say the good revision is 15690, as given by dev.


-bash-3.2$ svn merge -r HEAD:15690 code01.php
svn.user@192.168.1.1's password:
--- Reverse-merging r15701 through r15691 into 'code01.php':
U    code01.php
The file is now reverted to the known-good revision.

Thursday, June 20, 2013

Monitoring a directory for new, deleted and modified files with inotifywait and sending alerts by email

On my setup, I am using CentOS

Add the EPEL repo, then:

yum install inotify-tools

Create a bash script at /usr/local/bin/inotify_daemon.sh with the content below:

#!/bin/bash
# Exit if a watcher is already running; cron re-runs this script every minute.
if pgrep inotifywait > /dev/null; then
    exit 0
fi
# Otherwise start a recursive watcher in the background and mail one message per event.
inotifywait --format '%w%f %e %T' --timefmt '%Y/%m/%d-%H:%M:%S' \
    -e create,delete,modify,move -mrq /path/to/folder/ \
| while read -r line; do
    echo "$line" | mail -s "activity alert" myuser@mydomain.com
done &

Then create a cron entry in root's crontab:

* * * * * /usr/local/bin/inotify_daemon.sh

Cron runs the script every minute; if inotify_daemon.sh gets accidentally killed, cron starts it again, and if it is already running, the script simply exits.

I assume that the server has a working SMTP setup, tested to relay email to a legitimate, working email system.

Once it works, a sample email body looks like this:

/path/to/folder/test2 DELETE,ISDIR 2013/06/20-05:11:09

This is the notification that the folder test2 has been deleted.
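The daemon mails every raw '%w%f %e %T' line as-is. As an added example (not part of the original post), this parses such a line from the right, so a path containing spaces still splits correctly, and applies a constructed alert policy (the WATCH list is an assumption of this example, not the script's behaviour) that could sit in front of the mail call.

```shell
#!/bin/sh
# Added example (not from the original post): parse one line of the
# '%w%f %e %T' output the daemon above mails. Fields are space separated,
# so split from the right: the path is whatever remains and may contain spaces.
parse_event() {
  # $1 = one inotifywait line; prints "path|events|timestamp"
  line=$1
  ts=${line##* }          # last field: timestamp (%T)
  rest=${line% *}
  events=${rest##* }      # second-to-last: comma-separated event names (%e)
  path=${rest% *}         # everything before that: full path (%w%f)
  printf '%s|%s|%s\n' "$path" "$events" "$ts"
}

# Constructed policy for this example: only these event names trigger a mail.
WATCH="DELETE MOVED_FROM MOVED_TO CREATE"
should_alert() {
  # $1 = one inotifywait line; returns 0 if any watched event name is present
  events=$(parse_event "$1" | cut -d'|' -f2)
  for ev in $WATCH; do
    case ",$events," in *",$ev,"*) return 0 ;; esac
  done
  return 1
}

# Constructed sample lines in the same format as the email body shown above.
for sample in \
  '/path/to/folder/test2 DELETE,ISDIR 2013/06/20-05:11:09' \
  '/path/to/folder/my report.txt MODIFY 2013/06/20-05:12:00'
do
  if should_alert "$sample"; then
    echo "ALERT: $(parse_event "$sample")"
  else
    echo "ignore: $(parse_event "$sample")"
  fi
done
```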

Tuesday, June 18, 2013

chroot sftp

Please update openssh-server to at least
openssh-server-5-xx or
openssh-server-6-xx

CentOS 6.3 already has openssh-server-5-xx.

OK, assuming that the above version has been acquired.

Below is my process; some steps are based on results you get if you google sftp + chroot. This is just a note to myself to remember.

As a sample, I am creating a user.sftp user account and an sftpusers group.


1. Create a group named sftpusers:
groupadd sftpusers
2. mkdir /ftp/sftpusers ---------> this will be the users' root home directory.
3. Add a user to be used for sftp:
useradd -g sftpusers -d /ftp/sftpusers/user.sftp -s /sbin/nologin user.sftp
4. Edit the file /etc/ssh/sshd_config.

comment out the line that contains:

Subsystem sftp /usr/libexec/openssh/sftp-server

and replace it with:

#----
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
#----

Then append the Match Group entry:

#----
Match Group sftpusers
ChrootDirectory /ftp/sftpusers/%u
ForceCommand internal-sftp
#----

5. Create a folder inside /ftp/sftpusers/user.sftp/ and name it anything; here I named it upload_dir.

mkdir /ftp/sftpusers/user.sftp/upload_dir

6. Set ownership and permissions (the chroot directory must be owned by root and not writable by the group or others; the upload directory belongs to the user):

chown root /ftp/sftpusers/user.sftp
chmod go-w /ftp/sftpusers/user.sftp
chown user.sftp:sftpusers /ftp/sftpusers/user.sftp/upload_dir
chmod u+rwX /ftp/sftpusers/user.sftp
chmod g+rx /ftp/sftpusers/user.sftp

Check the owner; it should be:

drwxr-xr-x. 3 root sftpusers 4096 Jun 17 21:45 user.sftp

7. Restart the sshd service.

Once the user is able to log in via an sftp client, if he tries to traverse to another directory the error will look like this:

sftp> cd /etc/
Couldn't canonicalise: No such file or directory
sftp> ls
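Step 6 only works if the chroot directory ends up root-owned and not group- or world-writable, which is what the drwxr-xr-x listing above shows. As an added example (not part of the original post), this checks those two conditions from the owner and octal mode printed by GNU stat (available on CentOS); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check that an sftp chroot
# directory such as /ftp/sftpusers/user.sftp satisfies the ownership and
# permission rules from step 6: owner root, no group or other write bit.
chroot_perms_ok() {
  # $1 = owner name (stat -c %U), $2 = octal mode (stat -c %a), e.g. root 755
  owner=$1; mode=$2
  if [ "$owner" != root ]; then
    echo "FAIL: owner is '$owner', must be root" >&2
    return 1
  fi
  # The last two octal digits are group and other; a write bit is set in 2,3,6,7.
  other=${mode#"${mode%?}"}
  grp=${mode%?}; grp=${grp#"${grp%?}"}
  case "$grp$other" in
    *[2367]*)
      echo "FAIL: mode $mode is group- or world-writable" >&2
      return 1 ;;
  esac
  echo "OK: root-owned, mode $mode"
  return 0
}

# Wrapper that reads owner and mode from a real directory (GNU stat assumed),
# e.g.: check_chroot_dir /ftp/sftpusers/user.sftp
check_chroot_dir() {
  [ -d "$1" ] || { echo "FAIL: $1 is not a directory" >&2; return 1; }
  chroot_perms_ok "$(stat -c %U "$1")" "$(stat -c %a "$1")"
}

# Constructed values matching the listing above (drwxr-xr-x, owner root).
chroot_perms_ok root 755
```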


Wednesday, May 29, 2013

Postgresql and setting schema search path other than public

Example DB Server: 192.168.1.10
Example DB: company_live_prod
Default Schema: public
Other Schema: com_retail_store

When you log in with the postgres CLI, the default schema public takes effect. The following changes the schema so you can check the tables under the other schema.

Assuming that I am now logged in as postgres and able to access the db on the default public schema:

company_live_prod=# \dt
              List of relations
 Schema |      Name       | Type  | Owner
--------+-----------------+-------+-------
 public | access_levels   | table | xuser
 public | to_for          | table | xuser
 public | super_hierarchy | table | xuser
 public | sked01          | table | xuser

To see the tables for the other schema, the command below will do.


company_live_prod=# SET search_path TO  com_retail_store;
SET
ces_live_final=# \dt
                    List of relations
     Schema      |         Name         | Type  |  Owner 
-----------------+----------------------+-------+---------
 com_retail_store | com_assign_module    | table | xuser
 com_retail_store | com_cart             | table | xuser
 com_retail_store | com_category         | table | xuser
 com_retail_store | com_item_storage     | table | xuser
 com_retail_store | com_manual_upload    | table | xuser
 com_retail_store | com_point_metrics    | table | xuser

(06 rows)

The default schema is now the non-public schema.

Friday, May 24, 2013

How to reset the mysql root password if you forgot it

1. Log in as root on the server.
2. Stop the mysql service.
3. Start the mysql service in safe mode:
           command: mysqld_safe --skip-grant-tables
4. Log in, or if you have an alternate console ready, you can now run the mysql command, which logs in without a password; then run the SQL command below:

           update mysql.user set Password=PASSWORD('NeWPassWord') WHERE User='root';

5. Exit and restart the mysql service with a normal restart.
6. You can now log in using the new password.

Friday, April 19, 2013

MySQL: securing user passwords

A note on securing user passwords using a hash in MySQL.

Log in to the mysql shell.

Once logged in, issue the command

select password('internet');

assuming internet is the cleartext password.

The result of the command:

mysql> select password('internet');
+-------------------------------------------+
| password('internet')                      |
+-------------------------------------------+
| *797420C584EBF42750EB523104268BA0FD87FBC8 |
+-------------------------------------------+
1 row in set (0.00 sec)



*797420C584EBF42750EB523104268BA0FD87FBC8 is the hashed password that can be used when granting DB rights.



mysql> grant select,insert,update on dummy-db.* to 'testuser'@'%.%.%.%' identified by password '*797420C584EBF42750EB523104268BA0FD87FBC8';
Query OK, 0 rows affected (0.00 sec)



The query above stores the hashed password for user testuser with access to dummy-db from any remote IP. If you verify by using the mysql DB and running select * from user;



| %.%.%.%            | testuser | *797420C584EBF42750EB523104268BA0FD87FBC8

the cleartext password behind that row is "internet".