2009年3月31日星期二

How to reset mysql root user password

/etc/init.d/mysql stop
mysqld_safe --skip-grant-tables &
mysql -u root

mysql> use mysql;
mysql> update user set password=PASSWORD("YOUR PASSWORD HERE") where User='root';
mysql> flush privileges;
mysql> quit

Kill mysql process
/etc/init.d/mysql start
mysql -u root -p

How to resend a mailbox file to recipient

cat $filename | /usr/sbin/sendmail -i -C /etc/mail/sendmail.cf -f sender@sender_domain recipient@recipient_domain

Mount standby database readonly

connect / as sysdba
shutdown
startup nomount;
alter database mount standby database;
alter database open read only;

GRUB related issue for SLSE 10

Background :

1. Since SLES 10 use a newer method for device mapping, new cloned OS cannot recognize orinignal device id. It cause new cloned OS cannot be boot.

Solution :

a. Boot from CD and choose installation.

b. When you reach the following screen :

1. New Install

2. Update

3. Other option

Choose "other option" and then choose "Boot from installed OS".(It may be different from actual wording, but it should be similar)

c. run the following command to reset the grub menu

grub-install /dev/sda

d. change directory to /dev/disk/by-id and record the new device id

e.g. scsi-SATA_SAMSUNG_HM250JIS0TVJD0Q219790-part3

c. modify the /boot/grub/menu.lst with the new device id

e.g. kernel /vmlinuz root=/dev/disk/by-id/scsi-SATA_SAMSUNG_HM250JIS0TVJD0Q219790-part3 vga=0x314 acpi=off resume=/dev/sda2 splash=silent showopts

d. reboot the server and it should be ok.

REMARKS :

we need to change all device id in /etc/fstab to /dev/sdx before we clone the OS. Otherwise, no linux parition cannot be found

If really linux partition cannot be found, you may

a. boot rescue mode
b. fsck /dev/sda1
c. fsck -y /dev/sda3
d. mount /dev/sda3 /mnt
e. modify /mnt/etc/fstab
f. mount /dev/sda1 /mnt
g. grub-install --root-directory=/mnt /dev/sda
h. modify /mnt/boot/grub/menu.lst

Check Oracle Database Size SQL

select sum(bytes)/1024/1024/1024 Size_GB from dba_data_files;

Apache Security Hints

1. Gathering Information from Header
Solution : Modify the Default Header
#define SERVER_BASEPRODUCT "Apache" -> #define SERVER_BASEPRODUCT "Koolweb"
#define SERVER_BASEREVISION "1.3.20" -> #define SERVER_BASEREVISION "3.7.1"
Compile and install
add ServerTokens Min to httpd.conf

2. Protecting Web Data with IP Restrictions
Solution(1) : Protecting Web Data with IP Restrictions
(Not Suitable : Reason - Allow all users in the internet to access)
Add "Deny from All"
Add "Allow from 192.168.1.100"
Add "Allow from 192.168.1.101" in httpd.conf

Current -> "Allow from All"

Solution(2) : Use HTTP Authentication to restricts user to access a particular directory
(Not Suitable : Reason - No password required for external users to access)

3. Snooping an HTTP Authentication Username/Password
Solution : User Secure HTTP Connections
(Not Suitable : Reason - No password required for external users to access)

4. Allowing ".." in the URL(a.k.a. the Double-Dot)
Solution : User Apache Web Server
(We are already using Apache!!!!)

5. Dangerous Symbolic Links
Solution : Securely Configuration Symbolic Links
Add
"
Options FollowSymLinks ->or Options SymLinkIfOwnerMatch
AllowOverride None
"
Current -> no symbolic links in "DocumentRoot /usr/local/apache/firstpage"

6. Obtaining Directory Contents
Solution : Preventing Directory Indexes
Remove all Indexes from all Option directives in httpd.conf

7. Security Through Obscurity" Is Neither
Solution : Don't Rely on Security Through Obscurity
Don't put the information that you don't want the world to access in the "PUBLIC AREA"
although you haven't create and hyperlink to "THEM"

8. Insecure CGI Configuration
Solution(1) : Restricting CGI to Certain Directories
Add ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/" in httpd.conf
Current -> It is already in httpd.conf

Solution(2) : Do Not Allow CGI Execution Based on File Name
Comment AddHandler cgi-script .cgi in httpd.conf
Current -> It is already comment

9. Excuting Older Versions of CGIs
Solution(1) : Restrict Access to files Based on Name
Add this in httpd.conf

Order allow,deny
Deny from all


Solution(2) : Don't Keep Old Copies of CGIs or any old version programs
Comment -> We should better choose this but i think we should move the old version programs
to unaccessiable directories(from outside) or to another server since we may need those
old programs for reference.

10. Insecure CGIs Affecting Other Web Sites
Solution : Run CGIs as Different Users -> Using suEXEC to do so
Current -> No Virtual Hosts is currently set
(Not Suitable - suEXEC require setuid and setgid but these two commands are not available in SuSE)

11. Attacking Poorly Configured HTTP Authentication
Solution(1) : Secure Use of .htaccess Files for HTTP Authentication
Add AllowOverride AutConfig in httpd.conf
Add AccessFileName .htaccess
Current -> AllowOverride None
Current -> AccessFileName .htaccess

If we want to do so, the "Files" option must be set

Order allow,deny
Deny from all


(Not Suitable : Reason - No password required for external users to access)

Solution(2) : Secure Use of httpd.conf for HTTP Authentication
Add this in httpd.conf

AuthType Basic
AuthName "My Private Directory"
AuthUserFile /usr/local/apache/misc/my_private_dir.htpasswd
require valid-user


(Not Suitable : Reason - No password required for external users to access)

12. Exploiting Default Configuration Problems
Solution(1) : Remove Online Manuals
Current -> No Online Manual

Solution(2) : Remove Default Welcome Pages

Solution(3) : Remove CGI Execution Based on File Name

Solution(4) : Securely Configuring Parsed HTML Files
comment the followings:
AddType text/html .shtml
AddHandler server-parsed .shtml
Current -> They are already comment

Solution(5) : Securely Configuring the Displaying of Server Status and Information
comment the followings:

SetHandler server-status
Order deny,allow
Deny from all
Allow from .your_domain.com

Current -> They are already comment

Solution(6) : Configuring public_html Directories
Turn off if not necessary
Current -> Turn off

13. Exploiting Default Proxy Configuration
Solution : Securing Proxy Server Directives
(Since we are not using the Web Server as HTTP Proxy, we should turn them off)
Current -> Turn off

CGI Problems
14. Exploiting Pre-Shipped and Downloadable CGIs
Solution : Delete Unnecessary CGI Program in cgi-bin

15. Assuming Input Fields Received Are the Only Ones Expected
Solution : Always Check Fields Received

16. Exploiting Trust in Hidden Fields
Solution : Use MD5 to Validate Hidden Fields

17. Exploiting Trust in the Length of User Input
Solution : Always Check the Length of Data

18. Exploiting Trust in Referer Headers
Solution : Don't Rely on Referer Headers

19. Exploiting Trust in Cookies
Solution(1) : Don't Rely on Cookies -> Check data from cookies

Solution(2) : User SSL When Using Cookies

20. Exploiting Trust in File Name Characters
Solution(1) : Open Files in Explicit Read Mode

Solution(2) : Verify the Characters in the File Name -> Don't Use Special Character

21. Posted Input Contains a Null Character
Solution : Verify the Character in the Input -> Accept expected character

22. Abusing JavaScript Preprocessing
Solution : Never Assume Preprocessing -> Check format of data(Modify if necessary)

23. Exploiting System Calls and Pipes
Solution(1) : Never Trust Form Input as Arguments for System Calls and Pipes -> check input with no special characters

Solution(2) : Execute system() As a List -> Seperate Input to list(divide them in pieces)

Solution(3) : Use fork() and exec() ->

24. Exploiting Web Farms
Solution : Choose an ISP Wisely

2009年3月29日星期日

FTP Control Example

1. Modify /etc/ftpaccess.ctl

################################################################################
# FTP Access Control -> Take Effect Immediately -> No Need to Restart Subsystem
################################################################################
#
# Read Only Folders -> No matter what the folder right is
# Read Only Folders -> No matter
#
# writeonly : disable get command to specific folders
# readonly : disable put/delete command to specific folders
# For all users include root
#
#readonly: /data
#writeonly: /data/test
readonly: /data/test
writeonly: /data
readwrite: NONE
#
# Deny Host Login
#
#deny: user1
#
# Symbolic Link Not Work For Both "useronly" and "puseronly"
#
#
# Anonymous Login -> Nth show to user but can upload files
# -> cannot change folders out of user home directory
#
# Cannot change home directory to / -> everything will be even by user
# -> i.e. useronly,puseronly not hide anything
# -> for users
#
#useronly: user1
#
# Need User Password -> Nth show to user but can upload files
#
#puseronly: user1,ftpuser

Reference Link

Basic Print Queue Control

-- To print
lp -disnp2 /tmp/test

-- To list the print queue
lpstat

-- To enable it if it is down
enable isnp2

-- To cancel a print job
cancel job_no.

How to add and modify print queue

Add :

1. smitty printer --> Print Spooling --> Add a Print Queue -->remote-->Standard processing

[Smitty Screen]
Add a Standard Remote Print Queue

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
* Name of QUEUE to add [isnp2]
* HOSTNAME of remote server [isnp2]
* Name of QUEUE on remote server [P2]

Modification :

1. smitty printer --> Print Spooling -->Programming Tools --> Queues and Queue Devices -->Queues --> Change / Show Characteristics of a Queue
--> choose print queue name e.g. isnp2

[Smitty Screen]
Change / Show Characteristics of a Queue

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[Entry Fields]
Name of queue isnp2
ACTIVATE the queue? yes +
Queuing DISCIPLINE first come first serv> +
ACCOUNTING FILE pathname [FALSE] /
HOSTNAME of remote server [isnp2]
Name of QUEUE on remote server [P2]
Pathname of the SHORT FORM FILTER for queue [/usr/lib/lpd/aixshort] +/
status output
Pathname of the LONG FORM FILTER for queue [/usr/lib/lpd/aixlong] +/
status output

Allow the user in wheel group to be able to login system

1. Add the following line in /etc/pam.d/login

Account required pam_access.so

2. Add the following line in /etc/security/access.conf

# Disallow logins to all but wheel
-:ALL EXCEPT wheel:ALL

3. Modify /etc/group as follow

wheel:x:10:user1,user2,user3,user4

Oracle 10G Installation Procedure in SuSE 9.3 Professional or SUSE Linux Enterprise Server 9

1. Install the following package in SUSE Linux Enterprise Server 9 :

binutils-2.15.90.0.1.1-32.5
gcc-3.3.3-43.24
gcc-c++-3.3.3-43.24
glibc-2.3.3-98.28
gnome-libs-1.4.1.7-671.1
libstdc++-3.3.3-43.24
libstdc++-devel-3.3.3-43.24
make-3.80-184.1
pdksh-5.2.14-780.1
sysstat-5.0.1-35.1
xscreensaver-4.16-2.6
openmotif-2.2.3
db1-1.85-89.1

compat-db-4.0.14(Will Prompt error But we cannot find in SuSE 9.3)

orarun-1.8-109.15.i586.rpm (For Oracle 9i Only)

2. Modify /etc/sysctl.conf

kernel.shmmax = 536870912
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144
fs.file-max = 65536

For SuSE Only : /sbin/chkconfig boot.sysctl on

3. Add the following to /etc/security/limits.conf

* soft nproc 2047
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536

4. Add the following to /etc/pam.d/login

session required /lib/security/pam_limits.so
session required pam_limits.so

5. Add the following to /etc/profile

ulimit -u 16384 -n 65536

6. Create user ora10g and group dba

7. Add the following to /home/ora10g/.profile

ORACLE_BASE=/disk1/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.2.0/db_1; export ORACLE_HOME
LD_LIBRARY_PATH=$ORACLE_HOME/lib; export LD_LIBRARY_PATH
NLS_LANG=AMERICAN_AMERICA.ZHT16BIG5; export NLS_LANG
NLS_DATE_FORMAT=dd/mm/yyyy
DISPLAY=192.168.1.123:0.0; export DISPLAY

PATH=$PATH:$ORACLE_HOME/bin; export PATH

ORACLE_SID=test_db
export ORACLE_SID

# For 8.1.7.3-4 and 9i export bugs
ORA_OCI_NO_OPTIMIZED_FETCH=1; export ORA_OCI_NO_OPTIMIZED_FETCH

8. mkdir /disk1 and change permission to ora10g:dba

9. Install DB

10. Install Compansion Option 2

11. Install Compansion Option 3(Apache Only)

12. mv /disk1/oracle/product/10.2.0/db_1/opmn/conf/ons.config /disk1/oracle/product/10.2.0/db_1/opmn/conf/ons.config.orig

How to drop datafile from tablespace in Oracle 8i

Oracle 8i
There is no direct sql command to drop datafile from tablespace.
In that case we need to drop tablespace after move all data to new tablespace.
1. create new tablespace
2. move all table to new tablespace
3. move all index to new tablespace
4. move all other objects to new tablespace
5. drop old tablespace with including contents;
6. through OS command remove all datafiles belongs to droped tablespace.

Well, one way may be :
1. create a new tablespace
2. move all objects from your old tbs to the new
3. drop your old tablespace
4. recreate your tablespace with the size as well
5. moveback objects to this last tbs
6. drop your tbs created on step 1
7. rebuild index.