Backup Script

#!/bin/sh
# Backup all files under home directory to a single floppy
# Display message with option to cancel
dialog --title "Backup" --msgbox "Time for backup \
of home directory. Insert formatted 3-1/2\" floppy \
and press <Enter> to start backup or <Esc> to cancel." 10 50
# Return status of non-zero indicates cancel
if [ "$?" != "0" ]
then
  dialog --title "Backup" --msgbox "Backup was \
canceled at your request." 10 50
else
  dialog --title "Backup" --infobox "Backup in \
process..." 10 50
  cd ~
  # Backup using tar; redirect any errors to a
  # temporary file
  # For multi-disk support, you can use the
  # -M option to tar
  tar -czf /dev/fd1 . >|/tmp/ERRORS$$ 2>&1
  # zero status indicates backup was successful
  if [ "$?" = "0" ]
  then
    dialog --title "Backup" --msgbox "Backup \
completed successfully." 10 50
    # Mark script (this file, saved as ~/.backup) with current date and time
    touch ~/.backup
  else
    # Backup failed, display error log
    dialog --title "Backup" --msgbox "Backup failed \
-- Press <Enter> to see error log." 10 50
    dialog --title "Error Log" --textbox /tmp/ERRORS$$ 22 72
  fi
fi
rm -f /tmp/ERRORS$$
clear
To run this automatically, I put these lines in my .profile file to call the backup script on login if more than 3 days have elapsed since the last backup was made:

# do a backup if enough time has elapsed
find ~/.backup -mtime +3 -exec ~/.backup \;


Nginx PHP MySQL NetBSD

## Setting up a secure PHP webserver with NetBSD

Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services in general: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.

[PHP-FPM](http://php-fpm.org/) is _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._
As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.
[naxsi](http://code.google.com/p/naxsi/) is a module for _nginx_ that provides basic-to-strong hardening to a dynamic website by protecting them _against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions._

Setting up a _3NMP_ server (_NetBSD-Nginx-Naxsi-MySQL-PHP_) is straightforward and will provide performance and security to your _PHP_ website within minutes.

### PHP-FPM

The simplest approach here is to use [pkgin](http://www.pkgin.net) to install _php-fpm_'s binary package plus its dependencies.

	# pkgin in php53-fpm

You may also want to install it via _pkgsrc_, in which case you'll have to fetch it:

	# cd /usr && cvs -d anoncvs.netbsd.org:/cvsroot co pkgsrc

And then build it:

	# cd /usr/pkgsrc/www/php-fpm
	# make install clean clean-depends

Note that this method can take a long time depending on your computer.

### Nginx + naxsi

Again, having _nginx_ "naxsi-ready" can be achieved by using a repository that enables _naxsi_ in _nginx_'s build or by installing _nginx_  from _pkgsrc_.
We, at [NetBSDfr](http://www.NetBSDfr.org), have set up a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/). More architectures are on the way.
When using those repositories, just install _nginx_ with _pkgin_:

	# pkgin in nginx

If you wish to use _pkgsrc_, please add the following to */etc/mk.conf*:

	PKG_OPTIONS.nginx+=     naxsi

And proceed with _nginx_ build the usual way:

	# cd /usr/pkgsrc/www/nginx
	# make install clean clean-depends

### Nginx + PHP-FPM

_Nginx_ by itself is not capable of handling _PHP_; it must communicate with an external process over a local UNIX socket or a TCP stream. _Nginx_'s default configuration file (*${PREFIX}/etc/nginx/nginx.conf*) already has an example of how to achieve this, but here is the complete syntax:

	location ~ \.php$ {
	    root           html;
	    # for a local UNIX socket
	    # fastcgi_pass unix:/tmp/php-fpm.sock;
	    # for a TCP stream
	    fastcgi_pass   127.0.0.1:9000;
	    fastcgi_index  index.php;
	    fastcgi_param  SCRIPT_FILENAME  /your/documentroot/www$fastcgi_script_name;
	    include        /usr/pkg/etc/nginx/fastcgi_params;
	}

By default, the _php-fpm_ package is configured to listen on a TCP stream and to run as the *www* user; we must change the latter to *nginx* in *${PREFIX}/etc/php-fpm.conf*:

	user = nginx
	group = nginx

Once done, we just have to enable those two services in */etc/rc.conf*:

	php_fpm=YES
	nginx=YES

And start them:

	# /etc/rc.d/php_fpm start
	# /etc/rc.d/nginx start

### Configuring Naxsi

Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we will add the following in the _http_ section:

	include	/usr/pkg/etc/nginx/naxsi_core.rules;

And append the following to the location you want to secure:

	DeniedUrl "/moo.txt";
	SecRulesEnabled;

	CheckRule "$SQL >= 8" BLOCK;
	CheckRule "$RFI >= 8" BLOCK;
	CheckRule "$TRAVERSAL >= 4" BLOCK;
	CheckRule "$EVADE >= 4" BLOCK;
	CheckRule "$XSS >= 8" BLOCK;

Every request whose scores reach those thresholds will be redirected to the *moo.txt* file. Using another *location* as the target may also be a wise choice.
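To make the scoring behind those CheckRule lines concrete, here is an added Python model (not code from this post or from naxsi itself) that parses a few constructed rule lines written in the MainRule syntax of naxsi_core.rules, sums the named scores over a request's arguments, and applies the thresholds above. The rule ids, patterns and the one-hit-per-rule-per-argument scoring are simplifying assumptions; the real engine also inspects the URL, body and headers.

```python
import re

# Constructed rule lines in the MainRule syntax used by naxsi_core.rules
# (ids, patterns and scores are illustrative assumptions, not the shipped set).
CORE_RULES = r'''
MainRule "rx:select|union|update|delete|insert|drop" "msg:sql keywords" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1000;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:../" "msg:directory traversal" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
'''

# The CheckRule thresholds from the location block above.
CHECK_RULES = [("$SQL", 8), ("$RFI", 8), ("$TRAVERSAL", 4), ("$EVADE", 4), ("$XSS", 8)]

RULE_RE = re.compile(r'MainRule "(rx|str):(.*?)" "msg:[^"]*" "mz:[^"]*" "s:([^"]*)" id:(\d+);')

def parse_rules(text):
    """Turn MainRule lines into (id, compiled matcher, {score name: weight})."""
    rules = []
    for kind, pattern, scores, rid in RULE_RE.findall(text):
        pat = pattern if kind == "rx" else re.escape(pattern)  # str: is a literal match
        weights = {n: int(w) for n, w in (s.split(":") for s in scores.split(","))}
        rules.append((int(rid), re.compile(pat, re.I), weights))
    return rules

def score_request(args, rules):
    """Add each matching rule's weights once per argument it matches (simplified model)."""
    totals, hits = {}, []
    for name, value in args.items():
        for rid, matcher, weights in rules:
            if matcher.search(value):
                hits.append((rid, name))
                for score, w in weights.items():
                    totals[score] = totals.get(score, 0) + w
    return totals, hits

def is_blocked(args, rules=None):
    """True when any named score reaches its CheckRule threshold (the BLOCK action)."""
    totals, _ = score_request(args, rules or parse_rules(CORE_RULES))
    return any(totals.get(name, 0) >= limit for name, limit in CHECK_RULES)
```

A single keyword hit in a search field scores 4, below the $SQL threshold of 8, which is why ordinary text like "select a plan" passes while a value that trips two signatures is blocked.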

Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).

### There you go!

Enjoy your secure PHP webhosting.

CentOS under NetBSD/xen in 15 minutes

The NetBSD site has a howto page on setting up Xen. It runs to… quite a few pages of detail for differing versions and is rather involved.

Recently I needed a test CentOS box and decided to put an underutilised NetBSD/amd64 box to use as my first Xen DOM0 host.

Setup turned out to be surprisingly simple, so I decided to jot down some brief notes on how to quickly turn a NetBSD-6 box into a Xen DOM0 running a CentOS 5.8 VM. (This covers amd64, but i386 should be almost the same.)


Converting an existing NetBSD install to Xen DOM0

  • Install xenkernel41 and xentools41 from pkgsrc
  • Extract kern-XEN3_DOM0.tgz into /netbsd.dom0 (leave /netbsd alone)
  • Add the following to /boot.cfg, adjusting 512M to the amount of memory to reserve for the DOM0

menu=Xen 512M:load /netbsd.dom0 console=pc;multiboot /usr/pkg/xen41-kernel/xen.gz dom0_mem=512M noreboot

  • Add the following to /etc/rc.conf

xenbackendd=YES
xend=YES
xendomains=YES
xenwatchdog=YES

  • Create /etc/ifconfig.bridge0 with the following – replace bge0 with a suitable Ethernet interface

create
!brconfig $int add bge0 up

  • Reboot and select the Xen option
  • Edit /boot.cfg and change the default= entry to the number of the Xen option

To mis-quote Ken Arnold: “Now that we have a NetBSD DOM0, it would be nice to do something with it, unless you have the social life of a kumquat in which case just running the DOM0 may be enough in itself :)”

Onto setting up the DOMU!


Setting up a CentOS DOMU

CentOS provides an Installing CentOS DomU page, which was quite helpful for these notes.

  • Create the disk image for the guest (16 GB here)

dd if=/dev/zero of=centos.img bs=1m count=16384

  • Create a config file 'centos.cfg' for installing
name = "centos"
memory = "512"
kernel = "/opt/xen/centos/vmlinuz"
ramdisk = "/opt/xen/centos/initrd"
disk = [ 'file:/opt/xen/centos/centos.img,0xca00,w', ]
vif = [ 'mac=02:00:00:00:00:01, bridge=bridge0', ]
vcpus = 1
on_reboot = 'destroy'
on_crash = 'destroy'
  • Start the domain to install, and then connect to the console. Remember Ctrl+] to exit the console

xm create centos
xm console centos

  • Complete the CentOS install, then adjust centos.cfg, since the install kernel (vmlinuz) and initrd are no longer needed

name = "centos"
memory = "512"
bootloader = "/usr/pkg/bin/pygrub"
disk = [ 'file:/opt/xen/centos/centos.img,0xca00,w', ]
vif = [ 'mac=02:00:00:00:00:01, bridge=bridge0', ]
vcpus = 1


Points to note

  • NetBSD/xen does not yet handle modules. If you need pf or ipf you will need to compile your own DOM0 kernel
  • Not all X drivers run as well under DOM0, the above was done on a server where X was not required
  • If the original NetBSD installation predates 5.0 and has been upgraded, you will need to ensure the boot program has been updated


NetBSD DHCP Server

Setting up a DHCP server is simple. NetBSD ships ISC DHCP in the base system, so no additional software needs to be installed.

The dhcpd configuration lives in the file /etc/dhcpd.conf; its basic form:

deny unknown-clients;
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.100;
        default-lease-time 28800;
        max-lease-time 86400;
        option broadcast-address 192.168.1.255;
        option domain-name "mi-dominio.com";
        option domain-name-servers 200.33.146.241, 200.33.146.249;
        option routers 192.168.1.1;
        host www-server {
                hardware ethernet 00:00:00:00:00:00;
                fixed-address 192.168.1.3;
        }
}

In the configuration above, DHCP hands out addresses from 192.168.1.50 to 192.168.1.100, the gateway is 192.168.1.1, and the host www-server gets the fixed address 192.168.1.3, identified by its MAC address (the 00:00 address is a placeholder).

Edit /etc/rc.conf to enable dhcpd at boot, and set dhcpd_flags as well:

dhcpd=YES
dhcpd_flags="-q fxp0"

dhcpd_flags passes the parameter that tells the dhcpd server which interface to listen on for IP requests; in our case it is an Intel 10/100 card (fxp0).

Before starting the dhcpd server, the file /var/db/dhcpd.leases must be created:

# touch /var/db/dhcpd.leases

Start the server:

# /etc/rc.d/dhcpd start

If all goes well, NetBSD is now acting as the DHCP server for the internal network.
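As an added check, not part of the original post, the following Python reads lease records in the format dhcpd writes to /var/db/dhcpd.leases and lists active leases whose MAC address has no host declaration. With deny unknown-clients in force that list should stay empty, so a non-empty result points at configuration drift. The sample lease records and the known-MAC set are constructed.

```python
import re

# Constructed sample in the format of /var/db/dhcpd.leases (ISC dhcpd's lease
# database); addresses, MACs and times are made up.
SAMPLE_LEASES = '''
lease 192.168.1.50 {
  starts 2 2012/07/10 08:00:00;
  ends 2 2012/07/10 16:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-ana";
}
lease 192.168.1.51 {
  starts 2 2012/07/10 09:00:00;
  ends 2 2012/07/10 17:00:00;
  binding state active;
  hardware ethernet 66:77:88:99:AA:BB;
}
lease 192.168.1.50 {
  starts 2 2012/07/10 16:00:00;
  ends 2 2012/07/11 00:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
'''

# MAC addresses declared in dhcpd.conf host entries (assumption).
KNOWN_MACS = {"00:11:22:33:44:55"}

LEASE_RE = re.compile(r'lease (\S+) \{(.*?)\}', re.S)

def parse_leases(text):
    """Map each IP to its latest record; dhcpd appends, so a later entry supersedes an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        def field(pattern):
            m = re.search(pattern, body)
            return m.group(1) if m else None
        mac = field(r'hardware ethernet ([0-9A-Fa-f:]+);')
        leases[ip] = {
            "mac": mac.lower() if mac else None,
            "state": field(r'binding state (\w+);'),
            "hostname": field(r'client-hostname "([^"]*)";'),
        }
    return leases

def undeclared_active(leases, known=KNOWN_MACS):
    """IPs holding an active lease whose MAC has no host declaration."""
    return sorted(ip for ip, rec in leases.items()
                  if rec["state"] == "active" and rec["mac"] not in known)
```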


Theo de Raadt

Theo de Raadt (born 19 May 1968 in Pretoria, South Africa) is a software engineer who currently lives in Calgary, Alberta, Canada. He is the founder and leader of the OpenBSD and OpenSSH projects. Before that, he was a founding member of the NetBSD project.

De Raadt is known for his belligerent and confrontational manner, which has led him into several disputes with the free software community, although his biggest and best-known dispute was the one with the NetBSD team, which led him to create the OpenBSD project. Because of this, he has gained a reputation for always speaking his mind regardless of what others think or of the consequences of his words.