Oracle 11gR2 Rac GNS iptables

Well here goes another Oracle 11gR2 note for you all out there.  Let me just say Oracle’s documentation either does not exist or is so buried it’s impossible to find on this topic with 11gR2.

As always I want to lock down the system as much as possible which requires iptables.  Early in the process I gave up any chance of locking down communication between nodes and interconnects and focused on internal connections.  Like always any client needs to be able to talk to port 1521 TCP but GNS + 11Gr2 adds some new ports:

As may be aware GNS provides it’s own VIP equiped DNS server for it’s delegated subdomain.  So it’s critical that you open up DNS to your DNS systems.  So you need to open up 53 udp

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

You might want to add a source port and lock it to your dns systems.

Otherwise it should work (providing your open up iptables between nodes)

Testing smtp manually

From time to time is really helps to be able to manually test smtp via good old telnet.   Every smtp command is provided via text commands.  Here is a simple connections:

telnet smtp.host.com 25

Send a hello command with your domain name

ehlo mail.myserver.com
250-linuxmonkey.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Sender address

MAIL FROM: mail@domain.ext

Destination address

RCPT TO: mail@otherdomain.ext

Input your message:

DATA
SUBJECT: MY SUBJECT
MESSAGE STUFFF

.

And you have sent a message.

Command Line arguments to your shell script in linux

Passing command line arguments to shell scripts allow you to re-use a lot of scripts.  In shell scripts the command you execute is always the reserved variable of $0 each additional command is seperated by spaces.  So for example if you typed:

./max_it special cheese now

$0 = max_it

$1 = special

$2 = cheese

$3 = now

$n is the number of arguments passed on the command line starting with 0

When providing command line arguments it is best to providing some sanity checking:

if [ $n -nq 1 ]
        then
            echo "Usage : $0 IP_address 
            exit
        fi


Template for Generic Nagios Plugin

I love nagios it’s the perfect way to monitor linux.  Monitoring command can be written in almost any language: nagios expects a exit code and a exit string and it works.   I write most of my plugins in bash shell.  Here is a generic plugin template:

#!/bin/bash

# Sanity check
if [ $# -ne 2 ]; then
        echo "Usage: $0 commandline1 commandline2"
        exit
fi



COMMAND=`command_here`
E_SUCCESS="0"
E_WARNING="1"
E_CRITICAL="2"
E_UNKNOWN="3"


if grep -q "succeeded!" <<< $COMMAND; then
        echo "OK - $1 $2 working"
        exit ${E_SUCCESS}
        else
        echo "CRITICAL - $1 $2 not working"
        exit ${E_CRITICAL}
fi

Delete old recordings on MythTV

About once a year I have to delete a history of old recorded shows on my Myth box so I can record the show again.   You can do this via the frontend but I prefer to hack it out of the database.  All this information is stored in the oldrecorded table inside your myth database.   Before you start deleting make sure you have the correct information by using select statements (for example Stargate Atlantis)

SELECT * FROM oldrecorded WHERE title = ‘Stargate Atlantis’

You can also use wildcards to help locate the title:

SELECT * FROM oldrecorded WHERE title LIKE ‘Stargate%’

Once you are sure your select statement has narrowed down to an exact need then you can delete it

DELETE FROM oldrecorded WHERE title = ‘Stargate Atlantis’

And that’s it 🙂

Test TCP and UDP connections in Linux for firewalls

I am constantly having to check firewall rules for sevices I have not yet setup.  In this post I will reference the client (Source address) and server (Destination address).

Checking TCP

Server:

Open a tcp port with netcat so for example to open port 80 tcp I would use:

nc -l 80

Client:

Check the tcp port with telnet so to connect to port 80:

telnet destination_ip 80

Checking UDP

To open a udp (destination)listener on port 80 you would use the following command:

nc -lu 80

To Connect to your destination udp on port 80 use the following command from your source:

nc -zu destination_ip 80

Netcat fun

Netcat (nc) can also be used for a lot of other purposes.  It can also be used as a very fast basic port scanner:

To scan a range of UDP ports 80-4000

nc -zu destination_ip 80-4000

In order to get more information, you can add v, for more verbose, add another v

nc -vvzu destination_ip 80-4000

To scan a range of TCP ports 80-4000

nc -z destination_ip 80-4000

WMA to MP3 on Linux

WMA to MP3

I created this script to go through all *.wma files in a directory and convert them to mp3 files and then delete the wma files. I works great for my mp3 play that does not support wma. It takes the wma files and converts them to wav then converts them to mp3. It uses mplayer and lame to do the work.

#!/bin/bash
#Rip with Mplayer / encode with LAME
for i in *.wma ; do mplayer -ao pcm -vc dummy "$i" && lame --preset 128 audiodump.wav -o \
"`basename "$i" .wma`.mp3"; done; rm -f audiodump.wav
#Delete audiodump.wav
rm audiodump.wav 

Linux Password strength

It’s a pain to enforce password length it always causes you to reset passwords over and and over again but it does provide better security. So here is how you enforce it in Linux. Inside the /etc/pam.d/system-auth file you modify the pam_cracklib.so line:

pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

So these settings are: (retry=3) allow 3 login trys, (minlen=10) minimum password length 10, (lcredit=-1) Minimum number of lower case letters is 1, (ucredot=-1) Minimum upper case is 1, (dcredit=-1) Minimum number of digits is 1, (ocredit=-1) Minimum number of other characters is 1.

To remember old passwords then add a line to pam_unix.so (this will remember 10 past passwords and they cannot be used sooner than minimum password change length times passwords to remember.)

pam_unix.so remember=10

If you want to enforce that the new password has different characters than previous remembered ones then add the following to pam_cracklib.so. At least 2 characters

pam_cracklib.so difok=2

Locking Linux Accounts

In order to lock a linux account a change of the password is the best option. Linux provides an automated method for locking accounts. To Lock an account (change password to something that is not typeable puts a ‘!!’ in front of the password)

passwd -l username

To unlock the account (change the password back to original value)

passwd -u username

To display password information on user (root only) This will display seven fields (username, status, date of creation, minimum password age, maximum password age, Number of days before password expires, minimum password length) in addition RHEL adds a translation for status after the seventh field.

passwd -S username

jacko LK 2010-01-30 0 99999 7 -1 (Password locked.)

Linux password expiration and warnings

We all know changing your password every so often is a good idea. Along with the idea of changing your password come the idea of forcing users to change their password, because unless you force it they will never change it. In linux (redhat) this is handled by the chage command.

To set the minimum life of a password in days:

chage -m days username

To set the maximum life of a password to days:

chage -M days username

To set the number of days an account can be inactive (after password expire) before it’s locked:

chage -I days username

To set the date after which an account is inaccessable:

chage -E date username

To set an advanced warning, in days, of an upcomming password change:

chage -W days username

To display current expiration information (can be done by users)

chage -l username

All of this information is also stored inside /etc/login.defs for example a default file looks like:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7