MySql: Secure

Remove the root account's % (any host) entry, so that root can log in only from localhost or from a specific IP.

Do the same for any other account.
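One way to find such accounts, as an added example that is not part of the original notes: a shell function that reads the tab-separated rows printed by mysql -N -B -e "SELECT user, host FROM mysql.user" and flags every account whose host is % or contains a % pattern. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag MySQL accounts that may connect from any host.
# Input: "user<TAB>host" rows on stdin, e.g. from
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# Output: one finding per line; exit status 1 if anything was flagged.
flag_wildcard_hosts() {
    awk -F '\t' '
        BEGIN { bad = 0 }
        # host is exactly % : the account is reachable from every address
        $2 == "%" { print "ANY-HOST\t" $1; bad = 1; next }
        # host contains % : a pattern such as 192.168.0.% covers a whole range
        index($2, "%") > 0 { print "HOST-PATTERN\t" $1 "@" $2; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample rows (not taken from a real server).
sample_rows() {
    printf 'root\tlocalhost\n'
    printf 'root\t%%\n'
    printf 'monty\t%%\n'
    printf 'backup\t192.168.0.%%\n'
    printf 'app\t192.168.0.30\n'
}

# Stand-alone run: print the findings for the sample rows.
sample_rows | flag_wildcard_hosts || true
```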

Do not remove the line bind-address 127.0.0.1 from /etc/mysql/my.cnf. Remove it only if you want to connect from another IP with MySQL Workbench.

(… under construction …)

 

SSH access from a client to a Linux server with PuTTY & PuTTYgen

I found the instructions in this link. In the PuTTY profile, in the username field I must not add @hostname (e.g. user@srv1).

Notes

We create the keys with puttygen and add the public key to the file ~/.ssh/authorized_keys.

If you cannot connect and you receive this message:

Authentication refused: bad ownership or modes for directory /home/user

change the permissions of the home directory, ~/.ssh and the authorized_keys file:

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
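
To see which path triggers the refusal before changing anything, here is an added example (not from the original notes) that checks the same three paths for the owner and the group/world-writable bits that sshd objects to. The function name is hypothetical and GNU stat, as shipped on Ubuntu, is assumed.

```shell
#!/bin/sh
# Added example: check the paths that sshd (StrictModes) inspects before it
# accepts a key from authorized_keys.
# Usage: check_ssh_perms HOME_DIR OWNER_UID
# Prints one finding per line; returns 1 if a problem was found.
# Assumes GNU stat (stat -c), as on Ubuntu.
check_ssh_perms() {
    home=$1
    uid=$2
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # The path must belong to the account itself or to root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "BAD-OWNER $path uid=$owner"
            rc=1
        fi
        # Group- or world-writable (octal 022) is what chmod go-w removes.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD-MODE $path mode=$mode"
            rc=1
        fi
    done
    return "$rc"
}

# Example call for the current account:
#   check_ssh_perms "$HOME" "$(id -u)"
```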

Convert key for SSH android app

(… this section is under construction …)

MySQL: Errors and problems

Error 10061 / Port 3306 appears to be closed on my Ubuntu server

The problem was that the server was listening internally only. Removing the line bind-address 127.0.0.1 from /etc/mysql/my.cnf solved the issue. In Ubuntu 16 and MySQL 5.7, the configuration file was in:

/etc/mysql/mysql.conf.d/mysqld.cnf

Error 1045(28000) / Error connecting in console (local) / Access denied for user ‘root@localhost’ (using password: no )

If you want to make it easier to access MySQL, create .my.cnf in /root/ and put the following in it. The file holds the root password in clear text, so keep it readable by root only:

[mysqladmin]
user = root
password = mysqlrootpassword
[mysql]
user = root
password = mysqlrootpassword
[mysqldump]
user = root
password = mysqlrootpassword

Failure to connect remotely from MySQL Workbench on the client (e.g. 192.168.0.30)

$ mysql -u root -p
Enter password:
mysql> use mysql
mysql> GRANT ALL ON *.* to root@'192.168.0.30' IDENTIFIED BY 'your-root-password'; 
mysql> FLUSH PRIVILEGES;

Error 2002 (HY000): Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (2)

Wrong server IP in /etc/mysql/my.cnf

  1. Log in as super user or use sudo
  2. Open /etc/mysql/my.cnf using gedit
  3. Find bind-address, and change its value to the database server host machine’s IP address. For me, it was localhost or 127.0.0.1
  4. Save and close the file
  5. Come back to terminal and execute sudo service mysql start

MySql: management

Database Management

List databases: type the following command at the mysql prompt
mysql> show databases;
Add database
CREATE DATABASE database_name;

User Management

List all users
mysql> select user, host from mysql.user;
Add User and set privileges
mysql> CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost' WITH GRANT OPTION;
mysql> CREATE USER 'monty'@'%' IDENTIFIED BY 'some_pass';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
Delete User
mysql> DROP USER 'testuser'@'localhost';
Give full privileges of a user to a database for localhost
mysql -u root
mysql> grant all privileges on mydatabase.* to myaccount@localhost;
Change root password (insecure)
mysqladmin -u root -p'oldpassword' password newpass

Disk & Partition management on Linux

Mount & Fstab

Disk partitioning tools from the terminal
fdisk -l
cfdisk /dev/sdb
Permanently mount a disk (line in /etc/fstab)
/dev/sdb1 /mnt/backup_drive ext3  users,noatime,auto,rw,nodev,exec,nosuid 0 0
/dev/sdb1 /mnt/backup_drive ntfs  users,noatime,auto,rw,nodev,exec,nosuid 0 0
Fstab notes
  • /dev/sdb1 – media to mount
  • /mnt/backup_drive – location to mount to with a friendly name
  • ext3 – filesystem
  • users – allow any user to mount and unmount the filesystem; alternatively use user
  • noatime – don’t waste resources recording last access time or, if you want this info, change to atime.
  • auto – mount on boot
  • rw – read write access
  • nodev – do not interpret device files (character or block special devices) on this filesystem
  • exec – execute programmes from disk
  • nosuid – ignore the set-user-ID and set-group-ID bits on this filesystem
Reload fstab and mtab
mount -a
List all mount points and mounted drives
df -h
Unmount

Firstly I will tell you how to unmount any filesystem you mount after trying these commands. Unmounting is done through the “umount” command, which can be given a device or a mount point so:

sudo umount /mnt
sudo umount /dev/hda1

Would both unmount the filesystem on /dev/hda1 if it is mounted on /mnt.

Remember that a filesystem cannot be in use when it is unmounted, otherwise umount will give an error. If you know it is safe to unmount a filesystem you can use:

sudo umount -l /mountpoint

To do a “lazy” unmount

Note that files are often stored temporarily in the RAM to prevent filesystem fragmentation and speed up access times for slow devices like floppy disks. For this reason you should always unmount filesystems before you unplug or eject the device or you may find that your files have not actually been written to your device yet.

Mount a server share

First we have to install the CIFS package:

sudo apt-get install cifs-utils
sudo apt-get install smbfs

This is the mount command

mount -t cifs //your_server/folder_of_your_server /your_local_mount_folder -o user=your_user,password=your_password,workgroup=WORKGROUP,ip=192.168.1.1 

After you add the entry to /etc/fstab type:

sudo mount -a
This will (re)mount all entries listed in /etc/fstab.
Mount a password-protected share

Mounting unprotected (guest) network folders

First, let’s create the mount directory. You will need a separate directory for each mount.

sudo mkdir /media/windowsshare

Then edit your /etc/fstab file (with root privileges) to add this line:

//servername/sharename  /media/windowsshare  cifs  guest,uid=1000,iocharset=utf8  0  0
  • Where
    • guest indicates you don’t need a password to access the share,
    • uid=1000 makes the Linux user specified by the id the owner of the mounted share, allowing them to rename files,
    • iocharset=utf8 allows access to files with names in non-English languages. This doesn’t work with shares of devices like the Buffalo Tera Station, or Windows machines that export their shares using ISO8859-15.

Mount password protected network folders. The quickest way to auto-mounting a password-protected share is to edit /etc/fstab (with root privileges), to add this line:

//servername/sharename  /media/windowsshare  cifs  username=msusername,password=mspassword,iocharset=utf8,sec=ntlm  0  0

This is not a good idea however: /etc/fstab is readable by everyone and so is your Windows password in it. The way around this is to use a credentials file. This is a file that contains just the username and password.

Using a text editor, create a file for your remote server's logon credentials:

gedit ~/.smbcredentials

Enter your Windows username and password in the file:

username=msusername
password=mspassword

Save the file, exit the editor.

Change the permissions of the file to prevent unwanted access to your credentials:

chmod 600 ~/.smbcredentials

Then edit your /etc/fstab file (with root privileges) to add this line (replacing the insecure line in the example above, if you added it):

//servername/sharename /media/windowsshare cifs credentials=/home/ubuntuusername/.smbcredentials,iocharset=utf8,sec=ntlm 0 0 

Save the file, exit the editor.

Finally, test the fstab entry by issuing:

sudo mount -a

If there are no errors, you should test how it works after a reboot. Your remote share should mount automatically.
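
To check an existing fstab against the advice above, here is an added example (not from the original notes) that lists cifs entries which still carry the password inline, and credentials files that are missing or readable by group or others. The function name and the finding labels are hypothetical; GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab-format file.
# Usage: audit_cifs_fstab FSTAB_FILE
# Flags passwords stored inline and credentials files that are missing or
# readable by group/others. Returns 1 if anything was flagged.
# Assumes GNU stat (stat -c), as on Ubuntu.
audit_cifs_fstab() {
    fstab=$1
    rc=0
    while read -r dev mnt fstype opts _rest || [ -n "$dev" ]; do
        case $dev in
            ''|'#'*) continue ;;          # blank line or comment
        esac
        [ "$fstype" = "cifs" ] || continue
        for opt in $(printf '%s' "$opts" | tr ',' ' '); do
            case $opt in
                password=*|pass=*)
                    echo "INLINE-PASSWORD $mnt"
                    rc=1 ;;
                credentials=*|cred=*)
                    file=${opt#*=}
                    if [ ! -f "$file" ]; then
                        echo "CREDS-MISSING $mnt $file"
                        rc=1
                    else
                        mode=$(stat -c '%a' "$file")
                        # Any group/other bit (octal 077) exposes the password.
                        if [ $(( 0$mode & 077 )) -ne 0 ]; then
                            echo "CREDS-EXPOSED $mnt $file mode=$mode"
                            rc=1
                        fi
                    fi ;;
            esac
        done
    done < "$fstab"
    return "$rc"
}

# Example call:
#   audit_cifs_fstab /etc/fstab
```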

Create a folder and mount an NFS folder
sudo mount -t nfs4 192.168.X.X:/nfs-folder-name /mount-folder/
Display disk label
sudo e2label /dev/sda1
Change disk label
sudo e2label /dev/sda1 <disk-label>
Disk & Folder size

Sizes of all subdirectories

If you want to see the sizes of all subdirectories of /var/log compared with each other, change into that directory and run:

du -h --max-depth=1
Check File System Disk Space Usage
df
df -h   # show disk space usage in human-readable format

Group & user management

Group & User management on Linux

For Linux permissions, check this link.

A tool for converting numbers to RWX permissions.

Add new user
useradd <user>
Link: http://www.tecmint.com/add-users-in-linux/

Add user to group sudo
adduser YOURUSERNAME sudo
Change the primary group of a user
usermod -g nogroup Peter
Change the secondary group of a user
usermod -G nogroup Peter
Change group ownership of a folder (and all subfolders)
chgrp -Rv USRGRP Media
View users of a group
getent group groupname
Change home of a user
usermod --home /var/www/ username
Create group
sudo addgroup groupname
Get primary group of a user
id -ng username
List all Users
cut -d: -f1 /etc/passwd

A user is not in the sudoers file

Solution 1:

Boot into recovery mode, drop into the root console and run

# mount -o rw,remount /

to make the filesystem writable, then

usermod -a -G sudo username

to put the user back into the sudoers list

Solution 2:

Links: https://www.digitalocean.com/community/tutorials/how-to-add-and-delete-users-on-an-ubuntu-14-04-vps

ACL General Commands

Only for ACL type: NFSv4 ACL ENTRIES

Group & User Management

View users of a group:

getent group <groupname>
Example: getent group Managers

Add a user to a group

pw groupmod teamtwo -m db

Add permissions
User permissions to a file or folder
For example, if you want a user (user1) to have write access to the folder MEDIA, you can execute one of the following commands:

sudo setfacl -m u:user1:rwxcosW::allow MEDIA
sudo setfacl -m u:user1:rwxpDdacosW::allow /mnt/MEDIA
sudo setfacl -m u:user1:rwxpDda::allow /mnt/MEDIA

Set rights to a Group or to a folder:

setfacl -m g:USERS:rwxpDda::allow /mnt/MEDIA
find foldername/ -exec setfacl -m g:GROUPNAME:options::allow {} \;
Example:
find Music/ -exec setfacl -m g:AllUsers:rwxpDdacosW::allow {} \;
Full access:
find Job/ -exec setfacl -m g:GRAMMATEIA:rwxpDdaARWcCos::allow {} \;
setfacl -x u:user1:rwxpDdacosW::allow /mnt/MEDIA
# file: MEDIA
# owner: <Owner>
# group: <Group of Owner>
owner@:rwxp--aARWcCos:------:allow
group@:rwxp--a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow

Remove the everyone@ entry (everyone@:rwxp--a-R-c--s:------:allow):

setfacl -x everyone@:rwxpDdacosW::allow /mnt/Share/Folder

Links

http://www.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1
http://bryan.ravensight.org/2010/01/linux-acl-management-functions/