import os, binascii
# 15 bytes from the OS CSPRNG (os.urandom), printed as 30 hex characters;
# works on both Python 2 and 3
print(binascii.hexlify(os.urandom(15)).decode())
Monthly Archives: August 2014
apt-get install: dpkg was interrupted
dpkg --configure -a
linux: change all users' passwords at once
If you suspect your server was compromised, change every user's password immediately (and review each user's ~/.ssh/authorized_keys as well, since a key the attacker planted survives a password change):
#!/bin/bash
# One new password for every account under /home. $RANDOM holds only 15 bits
# of entropy and hashing it twice with md5sum adds none, so draw the password
# from the kernel CSPRNG instead.
password=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16)
for user in $(ls -A /home); do
    echo "$user:$password" | chpasswd
done
echo "Random password is: $password"
chpasswd reads user:password pairs on stdin and ships with shadow-utils on every distribution; passwd --stdin is a Red Hat specific alternative.
To change root password:
passwd
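A more careful version of the same rotation, added here as an example and not part of the original post: it takes the account list from /etc/passwd rather than from /home, gives every account its own password from /dev/urandom, and only emits chpasswd input so the plan can be reviewed before it is applied. The passwd(5) layout, the UID floor of 1000 and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rotate every interactive
# account's password with a distinct random value, emitting chpasswd input.
# Assumptions: passwd(5) file layout, UIDs >= 1000 are human accounts.

# Generate an N-character alphanumeric password from the kernel CSPRNG.
gen_password() {
    len=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Login names from a passwd-format file ($1) with UID >= $2 (default 1000)
# and a real login shell; system accounts on nologin/false are skipped and
# root is left for a separate, deliberate `passwd` run.
login_users() {
    awk -F: -v min="${2:-1000}" \
        '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Emit "user:password" lines, one fresh password per user. Nothing is
# applied here; the caller decides whether to pipe the result into chpasswd.
rotate_plan() {
    login_users "$1" | while read -r user; do
        printf '%s:%s\n' "$user" "$(gen_password 16)"
    done
}

# Constructed sample in /etc/passwd format for a dry run.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
EOF

# Dry run prints the plan. On a real host, as root:
#   rotate_plan /etc/passwd | tee /root/rotated.txt | chpasswd
# and keep rotated.txt readable by root only.
rotate_plan "$SAMPLE"
rm -f "$SAMPLE"
```

Per-user passwords matter here: with one shared password, anyone who is handed it can log in as every other user, and the attacker only needs to see it once.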
linux: find files modified in the last 24 hours
find . -mtime -1
-mtime counts 24-hour periods; a leading - means "less than", + means "more than":
-1 the last 24 hours
-0.5 the last 12 hours
-0.25 the last 6 hours
+5 more than five days ago
Fractional values work with GNU find; -mmin -720 is the portable way to say "the last 12 hours". -mtime looks at the modification time, which touch(1) can set to anything, so when triaging a suspected intrusion also run the same search with -ctime (or -cmin): the kernel updates the inode change time on every change and touch cannot backdate it.
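An added example (not from the page) that runs both searches over a constructed directory containing one fresh file and one file whose mtime has been backdated, to show what each test catches:

```shell
#!/bin/sh
# Added example, not from the page: find files changed in the last N minutes
# by mtime and by ctime, and show why an incident responder checks both.

# Regular files under $1 modified within the last $2 minutes. -mmin is the
# minute form of -mtime (1440 = 24h) and avoids fractional day arguments.
recent_by_mtime() { find "$1" -xdev -type f -mmin "-$2" | sort; }

# Same window by inode change time. The kernel sets ctime on every inode
# change and touch(1) cannot backdate it, so a file whose mtime was faked
# still shows up here.
recent_by_ctime() { find "$1" -xdev -type f -cmin "-$2" | sort; }

# Constructed demo tree: one fresh file and one dropped file whose mtime is
# backdated to 2020-01-01, as an intruder might do to hide it from -mtime.
demo_tree() {
    d=$(mktemp -d)
    echo fresh > "$d/fresh.txt"
    echo '#!/bin/sh' > "$d/backdated.sh"
    touch -t 202001010000 "$d/backdated.sh"
    echo "$d"
}

D=$(demo_tree)
echo "modified in the last 24h (mtime):"; recent_by_mtime "$D" 1440
echo "changed in the last 24h (ctime):";  recent_by_ctime "$D" 1440
rm -rf "$D"
```

The mtime search lists only fresh.txt; the ctime search lists both files, because setting the fake timestamp was itself an inode change.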
openvz per-container disk I/O bandwidth and IOPS limiting
Cap container 100 at 1 MB/s of disk bandwidth and store the setting in its config (--iopslimit is the matching option for IOPS):
vzctl set 100 --iolimit 1M --save
Then generate write load inside the container and watch the rate pv reports settle at the limit:
vzctl enter 100
cat /dev/urandom | pv -c - > /tmp/test_io
NSX
Programmatically create, provision, snapshot, delete and restore complex networks all in software. VMware NSX™ breaks through current physical network barriers, enabling data center operators to achieve order of magnitude better speed, economics and choice.
csf block all traffic
Mind the flags: csf -d adds an address or range to csf.deny, csf -dr removes one from it. Before denying everything, add your own management address with csf -a so the change does not lock you out (csf.allow entries take precedence over csf.deny), then deny the whole IPv4 range:
csf -d 0.0.0.0/0
XFS Quota Management
The XFS quota subsystem manages limits on disk space (blocks) and file (inode) usage. XFS quotas control or report on usage of these items at the user, group, or directory/project level. User, group, and project quotas are enabled independently; on older kernels (before the v5 on-disk format) group and project quotas are mutually exclusive.
When managing on a per-directory or per-project basis, XFS accounts for the disk usage of the directory hierarchies associated with a specific project, regardless of which users or groups own the files inside them. This gives a level of control that is broader than what user or group quotas offer, which is why project quotas are the usual tool for capping one tenant's or one service's directory.
XFS quotas are enabled at mount time with specific mount options (they cannot be switched on by remounting; the filesystem has to be unmounted first). Each option also has a noenforce form, which accounts and reports usage without enforcing any limit; that is the safe way to learn what limits a filesystem needs before turning them on.
Valid quota mount options are:
uquota/uqnoenforce: user quotas
gquota/gqnoenforce: group quotas
pquota/pqnoenforce: project quotas
Once quotas are enabled, the xfs_quota tool sets limits and reports on disk usage. By default xfs_quota runs interactively and in basic mode. Basic mode sub-commands only report usage and are available to all users. Basic xfs_quota sub-commands include:
quota username/userID
    Show usage and limits for the given username or numeric user ID
df
    Show free and used counts for blocks and inodes
xfs_quota also has an expert mode whose sub-commands configure limits and are available only to users with elevated privileges. To use expert mode sub-commands interactively, run xfs_quota -x; to run a single one non-interactively, pass it with -c. Expert mode sub-commands include:
report /path
    Report quota information for a specific file system
limit
    Modify quota limits
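A worked project-quota setup, added here as an example and not taken from the page or from the XFS documentation: it writes the /etc/projects and /etc/projid mappings and issues the expert-mode xfs_quota sub-commands in the order they must run. The mount point /srv, the project name webdata, its id 42 and the 8g/10g limits are assumptions. Without --apply it only prints the plan, so it can be read on any machine; with --apply, run as root, it first checks /proc/mounts for an XFS mount with project quotas enabled.

```shell
#!/bin/sh
# Added example, not from the page or the XFS documentation: put a project
# quota on one directory. Assumptions: /srv is an XFS filesystem mounted
# with pquota, project "webdata" (id 42) is /srv/webdata, limits 8g/10g.
MNT=/srv
PROJ=webdata
PROJID=42
DIR=$MNT/$PROJ
SOFT=8g
HARD=10g

# /etc/projects maps a project id to a directory; /etc/projid maps a name
# to the id. xfs_quota reads both when it resolves the project name.
projects_line() { printf '%s:%s\n' "$PROJID" "$DIR"; }
projid_line()   { printf '%s:%s\n' "$PROJ" "$PROJID"; }

# Expert-mode sub-commands, in order: project -s tags the directory tree
# with the project id, limit -p sets block soft/hard limits for it, and
# report -p shows the result.
quota_commands() {
    cat <<EOF
xfs_quota -x -c 'project -s $PROJ' $MNT
xfs_quota -x -c 'limit -p bsoft=$SOFT bhard=$HARD $PROJ' $MNT
xfs_quota -x -c 'report -p' $MNT
EOF
}

# True when $1 is an XFS mount with project quotas on. The kernel reports
# the pquota mount option as prjquota in /proc/mounts (pqnoenforce as is).
# $2 overrides the mounts file so the check can be exercised offline.
pquota_enabled() {
    awk -v m="$1" '
        $2 == m && $3 == "xfs" && $4 ~ /(^|,)(prjquota|pqnoenforce)(,|$)/ { ok = 1 }
        END { exit !ok }' "${2:-/proc/mounts}"
}

apply() {
    pquota_enabled "$MNT" || { echo "$MNT is not an XFS mount with pquota" >&2; return 1; }
    projects_line >> /etc/projects
    projid_line   >> /etc/projid
    quota_commands | sh -e
}

# Without --apply, only show what would be done.
case "${1:-}" in
    --apply) apply ;;
    *) echo "# /etc/projects += $(projects_line)"
       echo "# /etc/projid   += $(projid_line)"
       quota_commands ;;
esac
```

The soft limit only triggers a grace period; the hard limit is the one that makes writes fail, which is what you want for a directory a web application or a tenant can fill.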
MySQL cheats
Create, Drop, Rename MySQL User
Create a user that can access remotely from IP address 192.168.19.5
mysql> CREATE USER 'my_user'@'192.168.19.5' IDENTIFIED BY 'my_password';
Create a user that can access remotely from host.domain.com
mysql> CREATE USER 'my_user'@'host.domain.com' IDENTIFIED BY 'my_password';
Create a user that can access remotely from any address in 192.16.19.0/24 (MySQL takes the mask in dotted form; a client matches when its address ANDed with the mask equals the address given)
mysql> CREATE USER 'my_user'@'192.16.19.0/255.255.255.0' IDENTIFIED BY 'my_password';
Create a user that can access from any sub-domain of mydomain.com
mysql> CREATE USER 'my_user'@'%.mydomain.com' IDENTIFIED BY 'my_password';
Create a user that can access from any IP address (avoid this where you can; see the hardening section below)
mysql> CREATE USER 'my_user'@'%' IDENTIFIED BY 'my_password';
Rename a MySQL user
mysql> RENAME USER old_username TO new_username;
Set a MySQL user's password
mysql> SET PASSWORD FOR 'my_user'@'192.16.0.5' = PASSWORD('mypassword');
PASSWORD() is deprecated from MySQL 5.7.6 and removed in 8.0; there, use ALTER USER ... IDENTIFIED BY instead.
Drop a MySQL user
mysql> DROP USER my_user;
mysql> DROP USER 'my_user'@'192.168.19.5';
A name without a host part means 'my_user'@'%', so the first form does not remove accounts defined for specific hosts; check SELECT user, host FROM mysql.user afterwards.
MySQL User Account Hardening
Display all user accounts
mysql> SELECT user, host, password FROM mysql.user;
(From MySQL 5.7 the column is authentication_string; the password column no longer exists.)
NOTE:
To find users without a password, and anonymous users (user=''):
mysql> SELECT user, host, password FROM mysql.user WHERE password='';
mysql> SELECT user, host, password FROM mysql.user WHERE user='';
Drop the user, or set a password if it is empty.
To control what a single account may consume, attach resource limits to its grant. MAX_USER_CONNECTIONS caps simultaneous connections; the *_PER_HOUR limits cap rate, which also blunts a leaked credential being used for bulk extraction. (MySQL 8.0 no longer accepts these on GRANT; set them with ALTER USER ... WITH instead, which works from 5.7.6.)
mysql> GRANT ALL ON db1.* TO 'myuser'@'localhost'
    ->   WITH MAX_CONNECTIONS_PER_HOUR 10
    ->        MAX_USER_CONNECTIONS 5
    ->        MAX_QUERIES_PER_HOUR 20
    ->        MAX_UPDATES_PER_HOUR 20;
Grant & Revoke MySQL User Privileges
Show MySQL grant privileges
mysql> SHOW GRANTS;
mysql> SHOW GRANTS FOR 'name'@'host';
mysql> SHOW GRANTS FOR CURRENT_USER();
Grant Privileges to MySQL User
For most web application users this is enough (no DDL, no administrative rights):
mysql> GRANT SELECT,INSERT,DELETE,UPDATE,EXECUTE ON my_db.* TO 'user'@'host';
Broader grants, from widest to narrowest scope:
mysql> GRANT ALL ON *.* TO 'user'@'host';
mysql> GRANT ALL ON my_db.* TO 'user'@'host';
mysql> GRANT ALL ON my_db.tbl TO 'user'@'host';
With a default database selected, * and a bare table name refer to that database:
mysql> USE my_db
mysql> GRANT ALL ON * TO 'user'@'host';
mysql> GRANT ALL ON tbl TO 'user'@'host';
mysql> GRANT SELECT, INSERT ON my_db.* TO 'user'@'host';
mysql> GRANT SELECT, INSERT ON my_db.tbl TO 'user'@'host' WITH GRANT OPTION;
WITH GRANT OPTION allows the user to pass the same rights on to other users, so hand it out as sparingly as GRANT ALL.
Flushing the privileges is only needed after editing the grant tables directly with INSERT or UPDATE; GRANT and REVOKE take effect immediately:
FLUSH PRIVILEGES;
Revoke MySQL User Privileges
mysql> REVOKE ALL ON *.* FROM 'user'@'host';
mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'user'@'host';
mysql> REVOKE GRANT OPTION ON *.* FROM 'user'@'host';
Most Common Privileges
Privilege                Meaning
DELETE                   DELETE rows
SELECT                   SELECT rows
INSERT                   INSERT rows
UPDATE                   UPDATE rows
EXECUTE                  Execute stored routines
USAGE                    No privileges at all; the account may only connect
Object creation privileges
Privilege                Meaning
CREATE                   Create tables and databases
CREATE ROUTINE           Create stored routines
CREATE TEMPORARY TABLES  Create temporary tables
ALTER ROUTINE            Alter or drop stored routines
CREATE VIEW              Create or alter views
EVENT                    Manage events for the Event Scheduler
INDEX                    Create or drop indexes
SHOW VIEW                SHOW CREATE VIEW
TRIGGER                  Create or drop triggers
MySQL Administrator privileges
Privilege                Meaning
LOCK TABLES              LOCK TABLES on tables for which you have the SELECT privilege
SHOW DATABASES           SHOW DATABASES lists every database, not only those the account can use
REPLICATION CLIENT       Ask where master or slave servers are (SHOW MASTER STATUS, SHOW SLAVE STATUS)
REPLICATION SLAVE        Read the binary log, i.e. act as a replication slave
Do not grant the following privileges until absolutely needed. Misuse of them causes production issues, and FILE, PROCESS and SUPER are also what an attacker looks for once they hold any database account: FILE reads and writes files on the server host as the mysqld user, PROCESS shows every running statement including other users' SQL text, and SUPER bypasses most restrictions.
Privilege                Meaning
ALL                      All privileges except GRANT OPTION
ALTER                    ALTER TABLE
CREATE USER              CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES
FILE                     Read or write files on the server host (LOAD DATA INFILE, SELECT ... INTO OUTFILE, LOAD_FILE())
GRANT OPTION             Grant the user's own privileges to others
PROCESS                  See all server threads and their current statements (SHOW PROCESSLIST)
RELOAD                   FLUSH operations
SUPER                    Administrative operations: SET GLOBAL, KILL any thread, CHANGE MASTER, writing to a read_only server
DROP                     DROP databases, tables and views
SHUTDOWN                 SHUTDOWN the server
Other MySQL Security Best Practices
Never use the OS-level root account to start mysqld; run it as a dedicated account so that whatever the server can be made to do (FILE privilege, SQL injection with INTO OUTFILE) is confined to what that account can read and write:
# Force mysqld to start under the OS account mysql
# (this is the default on Ubuntu installations)
[mysqld]
user=mysql
The data directory and its sub-directories (including everything reached through symbolic links) should be owned by mysql and give no access to group or others:
sh> sudo find /var/lib/mysql -follow -print0 | xargs -0 chown mysql
sh> sudo find /var/lib/mysql -follow -print0 | xargs -0 chgrp mysql
These fix ownership only; check the modes separately. If the server socket lives inside the data directory (the CentOS default is /var/lib/mysql/mysql.sock), local clients still need to traverse that directory, so tighten the per-database sub-directories rather than the top level.
Only allow "root" to access the "user" table in the "mysql" database
Do not allow user access from any IP address: 'user'@'%'
Do not allow anonymous users
All MySQL users must have a (hashed) password
Make sure no one can log in to MySQL without a password like this:
% mysql -u root
Do not allow symbolic links (CREATE TABLE ... DATA DIRECTORY can otherwise place a table's files outside the data directory):
--skip-symbolic-links option (symbolic-links=0 in my.cnf)
Do not grant the FILE, PROCESS and SUPER privileges to non-administrators
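An added example (not part of the original page) that turns the rules from the account-hardening and privilege sections into an offline check. It reads the output of two queries in the tab-separated form that mysql -B -N -e prints: SELECT user, host, authentication_string FROM mysql.user (the column is called password on 5.6 and older) and SHOW GRANTS FOR each account. The rows and grants below are constructed sample data; the hashes are those of the strings "root" and "password", not real credentials.

```shell
#!/bin/sh
# Added example, not from the original page: audit MySQL accounts and grants
# against the hardening rules above, offline, from query output.
# Real input: mysql -B -N -e "SELECT user, host, authentication_string FROM mysql.user"
#             (tab-separated; on 5.6 and older the column is `password`)
#         and mysql -B -N -e "SHOW GRANTS FOR 'x'@'y'" for each account.

# Constructed sample rows (user, host, password hash); not from a real server.
users_sample() {
    printf '%s\t%s\t%s\n' \
        root    localhost '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' \
        root    '%'       '*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B' \
        ''      localhost '' \
        webapp  10.0.0.5  '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19' \
        reports '%'       '' \
        backup  localhost '*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'
}

# Constructed SHOW GRANTS output for the same accounts.
grants_sample() {
    cat <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT ALL PRIVILEGES ON *.* TO 'reports'@'%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON `app`.* TO 'webapp'@'10.0.0.5'
GRANT FILE, PROCESS, SUPER ON *.* TO 'webapp'@'10.0.0.5'
GRANT SELECT, LOCK TABLES ON *.* TO 'backup'@'localhost'
EOF
}

# One finding per rule per row: anonymous user, empty password, wildcard
# host, and root reachable from anywhere but the local machine.
audit_users() {
    awk -F'\t' '
        $1 == ""  { print "ANONYMOUS   (empty user)@" $2 }
        $3 == ""  { print "EMPTY-PW    " $1 "@" $2 }
        $2 == "%" { print "ANY-HOST    " $1 "@" $2 }
        $1 == "root" && $2 !~ /^(localhost|127\.0\.0\.1|::1)$/ {
            print "ROOT-REMOTE " $1 "@" $2 }
    '
}

# Flag, for everyone except root: ALL on *.*, the privileges the page says
# to withhold from non-administrators, and WITH GRANT OPTION.
audit_grants() {
    awk '
        /^GRANT / && $0 !~ /TO .root.@/ {
            if ($0 ~ /^GRANT ALL PRIVILEGES ON \*\.\*/)   print "GLOBAL-ALL  " $0
            if ($0 ~ /(^| )(FILE|PROCESS|SUPER|SHUTDOWN|RELOAD|CREATE USER)(,| ON )/)
                                                          print "ADMIN-PRIV  " $0
            if ($0 ~ /WITH GRANT OPTION/)                 print "GRANT-OPT   " $0
        }
    '
}

users_sample  | audit_users
grants_sample | audit_grants
```

On the sample this reports the anonymous account, the two accounts with empty passwords, the two wildcard-host accounts (one of them root), the reports account holding ALL on *.* with GRANT OPTION, and the web application account that was given FILE, PROCESS and SUPER; the backup account, which only has SELECT and LOCK TABLES, passes.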
bind: deny recursive queries
An authoritative name server that also answers recursive queries for anyone is an open resolver, abused in DNS amplification attacks and exposed to cache poisoning. On an authoritative-only server turn recursion off globally in named.conf:
options {
    recursion no;
};
If some of your own hosts still need this server to resolve for them, keep recursion on but restrict it to those networks with the allow-recursion option instead of leaving it open to the world. Verify from outside with a query for a name you do not host: the response header should no longer carry the ra (recursion available) flag.
diff 2 directories
diff -qr dir1/ dir2/
diff --brief --recursive dir1/ dir2/
-q/--brief lists only the names of files that differ (or exist on one side only), which is what you want when comparing a suspect tree against a known-good copy before looking at individual files.
Plop Linux
Plop Linux is a small distribution built from scratch that can boot from CD, DVD, USB flash drive (UFD), USB hard disk or from the network with PXE. It is designed to rescue data from a damaged system, back up and restore operating systems, automate tasks and more. You can use Plop Linux as a server and as a desktop Linux.
Ioncube encode
ioncube_encoder5 /projects/myproject --into /encoded-projects
ioncube_encoder5 --with-license key.php --passphrase yourpassphrasehere /projects/myproject --into /encoded-projects
With make_license:
./make_license --passphrase yourpassphrasehere --header-line '' --property "UserName='Chuck Norris'"
or, restricted to named servers:
./make_license --passphrase yourpassphrasehere --header-line '' \
    --property "UserName='Chuck Norris'" --allowed-server example.com,www.example.com
virt-sandbox
The virt-sandbox command dynamically creates sandboxes for running interactive or batch commands:
The libvirt guest is created when the virt-sandbox command starts
The libvirt guest is automatically deleted when the virt-sandbox command completes or dies from a signal
The sandboxed command sees a read-only view of the entire host filesystem
Specific areas can be made writable by mapping in an alternative host directory
There is no network access inside the sandbox by default
Virtual network interfaces can be associated with libvirt virtual networks
The stdin/stdout/stderr file handles of the sandboxed command are connected to the controlling terminal
virt-sandbox supports multiple virtualization drivers, so a URI should be given to choose the technology to use:
lxc:/// : valid if the calling user is root
qemu:///session : valid if the calling user is non-root
qemu:///system : valid if the calling user is root. NB: there are some current known issues with this driver which temporarily prevent its use
The lxc driver is a container that shares the host kernel; the qemu drivers give the command its own kernel and are the stronger boundary when the program being run is untrusted. Sandboxes can run interactive commands, such as shells:
# virt-sandbox -c lxc:/// /bin/sh
or output-only commands:
# virt-sandbox -c qemu:///session /bin/cat /proc/cpuinfo
review DirectAdmin task queue
cat /usr/local/directadmin/data/task.queue