Simple way to secure a MySQL installation

May 27, 2013

I now know this script was there for years but I just found it some month ago, when I installed MySQL on a CentOS and it told me to use it. But I checked, it is also present on an old Ubuntu 8.04 LTS (released 5 years ago). The script is called:

/usr/bin/mysql_secure_installation

Here are the questions you get asked by it:

Change the root password? [Y/n]
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]

You really should run this program as it makes the basic securing of MySQL really easy.

Microsoft Remote Connectivity Analyzer

May 23, 2013

By pure luck I found the Microsoft Remote Connectivity Analyzer as I’m not into the Microsoft world. Anyway this web site lets you test easily if the Groupware server you’re using is configured correctly. For example if you’ve problems connecting/syncing with your mobile or tablet to a server via ActiveSync. This protocol is not just used by Exchange but also by some OpenSource Groupware applications. Anyway its a nice link to know.

How to get Tiny Tiny RSS running on a half-way secure PHP setup

May 20, 2013

As Google is discontinuing their Google Reader I needed to look for alternatives and after some looking I went for Tiny Tiny RSS, which I can run on one of my web servers. At least this was the theory :-). The problems I faced were that Tiny Tiny RSS seems to have problems with a half-way secure PHP setup, and I needed therefore to make some changes to get it working. As I didn’t find that much documentation on this topic and it seams the Tiny Tiny RSS developers are not really security affine.

1. open_basedir is not supported

I did as described in the Install Notes and went to the http://your.site.com/tt-rss/install/ URL to use the installer to configure my Tiny Tiny RSS, but I was prompted with this error message:

PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).

I searched through the Internet and it seams that some obscure errors can occur if you use open_basedir. But to me it seem more like: I (=developer) don’t have the problem and the user has it and he has open_basedir activated so this must be the problem. Anyway, open_basedir is an imported security measure for PHP hosting, do not ever disabled it, specially if you have more than one vhost. I running with enabled open_basedir for 2 weeks now without getting any obscure errors (or any errors at all).  At the time of writing this blog post I was running PHP 5.3.23 and 5.3.25 on this server.

After these preliminary words – how did I get rid of this error messages? Simple I just commented raising of the exceptions out. For this open the install/index.php in a text editor and search for the line containing “option open_basedir is not supported“, comment it out like this:

tinytinyrss_open_basedir

And you need to do the same in the include/sanity_check.php file:

tinytinyrss_open_basedir2

2. passthru disabled

I wanted to call the ./update.php --daemon command from the command line but I got following error message:

PHP Warning:  passthru() has been disabled for security reasons in /var/www/xxxx/html/update.php on line 150

This is because a secure configured default php.ini has following set:

disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source

I remove disabled functions per vhost so I don’t have the least common denominator for security. In this case needed to make sure that the update.php called via the command line uses a custom made php.ini. I therefore created this bash script.

#!/bin/bash
export PHPRC="/var/www/php/xxxx/"
./update.php --daemon

In this directory a special php.ini is located which has passthru enabled.

3. undefined function posix_getpid

I wanted to use the update_daemon2.php script as it is recommended but I got following error message:

[09:48:30] [MASTER] installing shutdown handlers
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 223
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 236
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 99

The solution on Centos/RHEL/SL is easy, just install the posix package for php:

yum install php-posix

I hope this post helps others which move to Tiny Tiny RSS and still want a reasonably secure PHP setup.

ncdu is better than calling “du -hs *” multiple times :-)

May 12, 2013

I was searching again for some directories or files on one of my servers, which were filling the hard disk. Normally I used du -hs * starting via / and going downwards in the directory structure …. but not this time … I went on the search for a command line program which makes that easier … and I found it: Welcome NCurses Disk Usage.

On CentOS/RHEL/SL you need the EPEL repository and than just type yum install ncdu. On Ubuntu just type sudo apt-get install ncdu.

If you use it via SSH it is recommended to use the option -q which does according to the manual:

-q Quiet mode. While calculating disk space, ncdu will update the screen .10 times a second by default, this will be decreased to once every 2 seconds in quiet mode. Use this feature to save bandwidth over remote connections.

And as I normally know on which partition I want to look (df -h tells me which hard disk is getting full 🙂 ), I use following option too:

-x Only count files and directories on the same filesystem as the specified dir.

which leads to this output after starting it:

ncdu

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 67 queries. 0.244 seconds.