daily

Onboarding.md

@@ -113,8 +113,8 @@ https://haveibeenpwned.com/
 ### Cyber security
 
 - Spam filtering
-- Protection against malware and phishing attacks
+- Protection against malware and phishing attacks (**credential stealing**)
 - Against mobile malware
 - Ransomware mitigation
-- Data breach prevention
-- Incident response plan
+- Data breach prevention (in the application)
+- Incident response plan (outage, security incident)

debian-setup-starter.sh

@@ -2,7 +2,7 @@
 #
 # Start debian-setup.sh remotely.
 #
-# VERSION       :0.2.2
+# VERSION       :0.2.3
 #
 # - Domain registrar
 # - DNS provider
@@ -27,11 +27,11 @@ ssh()
 
 # Copy configuration file
 test -r "$SERVER_CONFIGURATION" || exit 10
-ssh "cat > /root/server.yml" < "$SERVER_CONFIGURATION" || exit 11
+ssh -- bash -c "cat > /root/server.yml" < "$SERVER_CONFIGURATION" || exit 11
 
 
 # Save script for Session #1
-ssh "cat > /root/debian-setup-starter1.sh; chmod +x /root/debian-setup-starter1.sh" <<"EOT"
+ssh -- bash -c "cat > /root/debian-setup-starter1.sh; chmod +x /root/debian-setup-starter1.sh" <<"EOT"
 export LC_ALL=C.UTF-8
 SELF="$(realpath "${BASH_SOURCE[0]}")"
 cd /root/
@@ -53,7 +53,7 @@ EOT
 
 
 # Save script for Session #2
-ssh "cat > /root/debian-setup-starter2.sh; chmod +x /root/debian-setup-starter2.sh" <<"EOT"
+ssh -- bash -c "cat > /root/debian-setup-starter2.sh; chmod +x /root/debian-setup-starter2.sh" <<"EOT"
 export LC_ALL=C.UTF-8
 SELF="$(realpath "${BASH_SOURCE[0]}")"
 cd /root/debian-server-tools-master/

monitoring/syslog-errors-infrequent.sh

@@ -13,7 +13,8 @@
 # LOCATION      :/usr/local/sbin/syslog-errors-infrequent.sh
 # CRON.D        :17 */3	* * *	root	/usr/local/sbin/syslog-errors-infrequent.sh
 
-Exceptions() {
+Exceptions()
+{
     grep -E -v 'rngd\[[0-9]+\]: stats: FIPS 140-2 failures: 0$' \
     | grep -E -v 'courierd: SHUTDOWN: respawnlo limit reached, system inactive\.$' \
     #| grep -E -v 'rngd\[[0-9]+\]: block failed FIPS test: 0x0[248]$' \

monitoring/syslog-errors.sh

@@ -13,7 +13,8 @@
 # LOCATION      :/usr/local/sbin/syslog-errors.sh
 # CRON-HOURLY   :/usr/local/sbin/syslog-errors.sh
 
-Exceptions() {
+Exceptions()
+{
     grep -E -v 'rngd\[[0-9]+\]: stats: FIPS 140-2 failures: 0$' \
     | grep -E -v 'courierd: SHUTDOWN: respawnlo limit reached, system inactive\.$' \
     #| grep -E -v 'rngd\[[0-9]+\]: block failed FIPS test: 0x0[248]$' \

mysql/create-mysqldump-user.sql

@@ -0,0 +1,18 @@
+-- This user has enough privileges to run mysqldump.
+
+-- EDIT
+SET @dumper_user = "'sql-user'";
+SET @dumper_object = "`database-name%`.*";
+
+SET @dumper_query = CONCAT("GRANT SELECT, LOCK TABLES, EVENT ON ", @dumper_object,
+    " TO ", @dumper_user, "@'localhost'",
+    " IDENTIFIED WITH unix_socket");
+
+-- SET @dumper_query = CONCAT("REVOKE SELECT, LOCK TABLES, EVENT ON ", @dumper_object,
+--     " FROM ", @dumper_user, "@'localhost'");
+
+PREPARE dumper_stmt FROM @dumper_query;
+EXECUTE dumper_stmt;
+DEALLOCATE PREPARE dumper_stmt;
+
+FLUSH PRIVILEGES;

mysql/createdb-unix_socket.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+#
+# Create database and database user with sokcet authentication.
+#
+# VERSION       :0.1.0
+# DATE          :2018-07-19
+# AUTHOR        :Viktor Szépe <viktor@szepe.net>
+# LICENSE       :The MIT License (MIT)
+# URL           :https://github.com/szepeviktor/debian-server-tools
+# BASH-VERSION  :4.2+
+# LOCATION      :/usr/local/bin/createdb.sh
+
+Get_var() {
+    local VAR="$1"
+    local DEFAULT="$2"
+
+    if [ -z "$DEFAULT" ]; then
+        read -r -e -p "${VAR}? " DB_VALUE
+    else
+        read -r -e -i "$DEFAULT" -p "${VAR}? " DB_VALUE
+    fi
+    if [ -z "$DB_VALUE" ]; then
+        echo "Cannot set variable (${VAR})" 1>&2
+        exit 20
+    fi
+    echo "$DB_VALUE"
+}
+
+hash mysql 2> /dev/null || exit 10
+
+# Check database access
+mysql --execute="EXIT" || exit 11
+
+DBNAME="$(Get_var "DB_NAME")"
+DBUSER="$(Get_var "DB_USER")"
+DBHOST="$(Get_var "DB_HOST" "localhost")"
+DBCHARSET="$(Get_var "DB_CHARSET" "utf8")"
+# "DB_COLLATE"
+
+# Exit on non-UTF8 charset
+[[ "$DBCHARSET" =~ [Uu][Tt][Ff]8 ]] || exit 12
+
+echo "Database: ${DBNAME}"
+echo "User:     ${DBUSER}"
+echo "Password: <unix_socket>"
+echo "Host:     ${DBHOST}"
+echo "Charset:  ${DBCHARSET}"
+echo
+read -r -p "CREATE DATABASE? " -n 1
+
+if [ "$DBHOST" != localhost ]; then
+    echo "Connecting to ${DBHOST} ..." 1>&2
+fi
+
+mysql --default-character-set=utf8 --host="$DBHOST" <<EOF || echo "Couldn't setup up database (MySQL error: $?)" 1>&2
+CREATE DATABASE IF NOT EXISTS \`${DBNAME}\`
+    CHARACTER SET 'utf8'
+    COLLATE 'utf8_general_ci';
+-- "GRANT ALL PRIVILEGES" creates the user
+GRANT ALL PRIVILEGES ON \`${DBNAME}\`.*
+    TO '${DBUSER}'@'${DBHOST}'
+    IDENTIFIED WITH unix_socket;
+FLUSH PRIVILEGES;
+EOF

webserver/apache-sites-available/Prg-local-site.conf

@@ -34,6 +34,7 @@ Listen 127.0.0.1:8080
         Options FollowSymLinks
         #AllowOverride All
         AllowOverride None
+        Require all granted
     </Directory>
 
     # phpMemAdmin