MySQL Backup and Compress – One Line command

Let’s consider a case where you have limited disk space available in your database server. In addition, you need a database backup quickly. However, you estimate that, the space available in the server for the backup is not enough.

Continue reading

Add EC2 Linux user using Cloud init user data in AWS

Consider a scenario where a customer has provided you with an access to a AWS console and needs you to recover a running EC2 linux instance for him. Let’s assume that the customer is not very tech savy and not in possession of any private keys to the instance.

You got two options at this point in gaining access to the instance and working on restoring the system.

Continue reading

Removing Pre-Routing NAT Rules in IPtables

To remove specific iptables rule from Pre-Routing chains, first display all Pre-Routing chains using a following iptables command:

iptables -t nat --line-numbers -L

This will display all Pre-Routing chains with relevant line numbers. To remove a specific Pre-Routing rule, you can use the corresponding line number. For example below command will remove Pre-Routing NAT chain with line number 1.

iptables -t nat -D PREROUTING 1

ipsec VPN tunnel between local private network (pfSense) to AWS private network (Openswan)

Scenario: A local private network and a private network in Amazon Web Service (AWS) needs to be connected securely over the internet through an ipsec VPN. In order to cover an expanded scope, VPN tunnel will be established between Openswan ipsec VPN from AWS to pfSense ipsec VPN in local network.

Main AWS VPC in this scenario “172.31.0.0/16” has 2 subnets, Backend (172.31.1.0/24) and Frontend (172.31.2.0/24) respectively. Application servers are hosted in Backend subnet while Openswan VPN server is hosted in Frontend. All traffic between these 2 subnets are allowed.
Continue reading

Apache access to Network Database on Custom port

If you have an Apache (httpd) application that needs to access a remote Database, you will have to change the SELinux policy as described bellow to allow Apache access to network databases. You have to edit the SELinux boolian settings for this.

First, check if the “httpd_can_network_connect_db” boolian set to “on”.

[root@testsrv ~]# getsebool -a | grep httpd_can_network_connect_db
httpd_can_network_connect_db --> off

By default, this is set to off. To enable network database access for Apache, execute bellow command.

setsebool -P httpd_can_network_connect_db on

Note, that “-P” is added to permanently change this setting therefore on system reboot this setting will be preserved.

If the database that the application is trying to reach is other than the default port (eg. mysql: 3306), you have to edit the SELinux Policy as described bellow.

Assume the application trying to connect to a mysql database and custom port is 1234. To get the current settings for mysql in SELinux policy,

semanage port -l | grep mysqld_port_t

To add new custom port to this mysql port group,

semanage port -a -t mysqld_port_t -p tcp 1234

Later on if you need to remove any custom port that entered in a port group, (eg: mysql:1234)

semanage port -d -t mysqld_port_t -p tcp 12345

 

Change permissions of files, folders and sub-folders in linux

Let’s assume we have a folder /opt/docs/ and we have to create bellow folder tree, which are used by Accounts, HR and Sales divisions. Each folder is accessible to respective devisions only and others must not have any access to it.

/opt/docs/
|-- Accounts
|       `-- Employee
|-- HR
|      `-- Employee
`-- Sales
`-- Customers

To make the folder strcuture,

mkdir -p /opt/docs/Accounts/Employee
mkdir -p /opt/docs/HR/Employee
mkdir -p /opt/docs/Sales/Customers

To change ownerships to respective divisions,

chown -R accounts:accounts /opt/docs/Accounts/Employee
chown -R hr:hr /opt/docs/HR/Employee
chown -R sales:sales /opt/docs/Sales/Customers

To set access permissions only to respective divisions,

find /opt/docs/ -type d -exec chmod -v 0770 ‘{}’ \; # directory permissions
find /opt/docs/ -type f -exec chmod -v 0660 ‘{}’ \; # file permissions

Configuring SFTP CHROOT service


Let’s consider a situation where you need to configure a secure FTP service in your Linux server without installing any new packages to the system. Easy way of achieving this scenario is by configuring a SFTP CHROOT service in your Linux system. By Default all Linux systems are pre configured with SSH service. There for you only need to edit the existing configuration for this purpose.

1) Modify “/etc/ssh/sshd_config” file to reflect bellow changes

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp

Continue reading

Enable multiple users Read and Write permission for files within a folder

Lets assume we have two web developers working on the same web project and they will need a single shared location to store and collaborate their development work with each other. In bellow example I have taken “/var/web-dev” as the shared location and it’s owned by Apache user (www-data). Two developers, danny and penny, needs to store their development work in “/var/web-dev”.

Assuming we already has logins for danny and penny, we have to add them to Apache user group.

usermod -aG www-data danny
usermod -aG www-data penny

Continue reading