Simple way to secure a MySQL installation
May 27, 2013
I now know this script was there for years but I just found it some month ago, when I installed MySQL on a CentOS and it told me to use it. But I checked, it is also present on an old Ubuntu 8.04 LTS (released 5 years ago). The script is called:
/usr/bin/mysql_secure_installation
Here are the questions you get asked by it:
Change the root password? [Y/n]
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]
You really should run this program as it makes the basic securing of MySQL really easy.
Microsoft Remote Connectivity Analyzer
May 23, 2013
By pure luck I found the Microsoft Remote Connectivity Analyzer as I’m not into the Microsoft world. Anyway this web site lets you test easily if the Groupware server you’re using is configured correctly. For example if you’ve problems connecting/syncing with your mobile or tablet to a server via ActiveSync. This protocol is not just used by Exchange but also by some OpenSource Groupware applications. Anyway its a nice link to know.
How to get Tiny Tiny RSS running on a half-way secure PHP setup
May 20, 2013
As Google is discontinuing their Google Reader I needed to look for alternatives and after some looking I went for Tiny Tiny RSS, which I can run on one of my web servers. At least this was the theory :-). The problems I faced were that Tiny Tiny RSS seems to have problems with a half-way secure PHP setup, and I needed therefore to make some changes to get it working. As I didn’t find that much documentation on this topic and it seams the Tiny Tiny RSS developers are not really security affine.
1. open_basedir is not supported
I did as described in the Install Notes and went to the http://your.site.com/tt-rss/install/
URL to use the installer to configure my Tiny Tiny RSS, but I was prompted with this error message:
PHP configuration option open_basedir is not supported. Please disable this in PHP settings file (php.ini).
I searched through the Internet and it seams that some obscure errors can occur if you use open_basedir. But to me it seem more like: I (=developer) don’t have the problem and the user has it and he has open_basedir activated so this must be the problem. Anyway, open_basedir is an imported security measure for PHP hosting, do not ever disabled it, specially if you have more than one vhost. I running with enabled open_basedir for 2 weeks now without getting any obscure errors (or any errors at all). At the time of writing this blog post I was running PHP 5.3.23 and 5.3.25 on this server.
After these preliminary words – how did I get rid of this error messages? Simple I just commented raising of the exceptions out. For this open the install/index.php
in a text editor and search for the line containing “option open_basedir is not supported
“, comment it out like this:
And you need to do the same in the include/sanity_check.php
file:
2. passthru disabled
I wanted to call the ./update.php --daemon
command from the command line but I got following error message:
PHP Warning: passthru() has been disabled for security reasons in /var/www/xxxx/html/update.php on line 150
This is because a secure configured default php.ini
has following set:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
I remove disabled functions per vhost so I don’t have the least common denominator for security. In this case needed to make sure that the update.php
called via the command line uses a custom made php.ini
. I therefore created this bash script.
#!/bin/bash
export PHPRC="/var/www/php/xxxx/"
./update.php --daemon
In this directory a special php.ini
is located which has passthru
enabled.
3. undefined function posix_getpid
I wanted to use the update_daemon2.php
script as it is recommended but I got following error message:
[09:48:30] [MASTER] installing shutdown handlers
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 223
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 236
PHP Fatal error: Call to undefined function posix_getpid() in /var/www/xxxx/html/update_daemon2.php on line 99
The solution on Centos/RHEL/SL is easy, just install the posix package for php:
yum install php-posix
I hope this post helps others which move to Tiny Tiny RSS and still want a reasonably secure PHP setup.
ncdu is better than calling “du -hs *” multiple times :-)
May 12, 2013
I was searching again for some directories or files on one of my servers, which were filling the hard disk. Normally I used du -hs *
starting via / and going downwards in the directory structure …. but not this time … I went on the search for a command line program which makes that easier … and I found it: Welcome NCurses Disk Usage.
On CentOS/RHEL/SL you need the EPEL repository and than just type yum install ncdu
. On Ubuntu just type sudo apt-get install ncdu
.
If you use it via SSH it is recommended to use the option -q
which does according to the manual:
-q Quiet mode. While calculating disk space, ncdu will update the screen .10 times a second by default, this will be decreased to once every 2 seconds in quiet mode. Use this feature to save bandwidth over remote connections.
And as I normally know on which partition I want to look (df -h
tells me which hard disk is getting full 🙂 ), I use following option too:
-x Only count files and directories on the same filesystem as the specified dir.
which leads to this output after starting it:
Powered by WordPress
Entries and comments feeds.
Valid XHTML and CSS.
29 queries. 0.065 seconds.