Tuesday, September 27, 2016

Debian Jessie: installing MySQL Connector/J 5.1.39 into openjdk version 1.8

Install openjdk 1.8

Edit /etc/apt/sources.list

# /etc/apt/sources.list
...
deb http://ftp.debian.org/debian jessie-backports main
...

Install openjdk 1.8

# apt-get install openjdk-8-jdk

Download and configure MySQL Connector/J

Download

# wget http://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.39.tar.gz

Extract

# tar -xf mysql-connector-java-5.1.39.tar.gz

Copy binary jar into openjdk 1.8

# cp mysql-connector-java-5.1.39-bin.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/

Test Connection test.java

You don't have to run this test.java as the root user. MySQL Connector/J will be available to all users.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

class test {
 public static void main(String[] args) {
  System.out.println("Test");
  try {
   // Load the Connector/J driver installed in jre/lib/ext
   Class.forName("com.mysql.jdbc.Driver");
   // try-with-resources closes the connection when the test is done
   try (Connection mycon = DriverManager.getConnection("jdbc:mysql://localhost/test?user=test&password=test")) {
    System.out.println("Connected");
   }
  } catch (SQLException e) {
   System.out.println(e.getMessage());
  } catch (ClassNotFoundException e) {
   System.out.println(e.getMessage());
  }
 }
}

Wednesday, September 21, 2016

Debian Jessie: add ssh key into remote server

Requirement:

  • openssh
  • rsync

Creating a key pair on your host is straightforward:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/foo/.ssh/id_rsa):
Created directory '/home/foo/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/foo/.ssh/id_rsa.
Your public key has been saved in /home/foo/.ssh/id_rsa.pub.
The key fingerprint is:
XXXXXX foo@SERVER_A
The key's randomart image is:
....

You have to copy foo's public key to the remote site.

Method 1: Manually copy the public key to the remote

On the host:
$ scp -P 22 ./.ssh/id_rsa.pub bar@SERVER_B:/home/bar/
The authenticity of host '[SERVER_B]:22 ([SERVER_B]:22)' can't be established.
ECDSA key fingerprint is XXXXXX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[SERVER_B]:22' (ECDSA) to the list of known hosts.
bar@SERVER_B's password:
id_rsa.pub                                    100%  390     0.4KB/s   00:00
On the remote site:
$ cat /home/bar/id_rsa.pub >> /home/bar/.ssh/authorized_keys

Method 2: Add the public key directly to the remote

$ ssh-copy-id -p 22 bar@SERVER_B
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
bar@SERVER_B's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' 'bar@SERVER_B'"
and check to make sure that only the key(s) you wanted were added.

Done. You can now ssh as user bar@SERVER_B from foo@SERVER_A without entering a password (using your key).
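
The remote-side step of Method 1 with its failure modes handled, as an added example that is not part of the original post: the append fails if ~/.ssh does not exist, sshd's StrictModes ignores keys in group/world-writable locations, and it is easy to copy id_rsa instead of id_rsa.pub. install_pubkey is a hypothetical helper name.

```bash
#!/bin/bash
# Added example: install_pubkey is a hypothetical helper, not part of OpenSSH.
# Run it on the remote site as the target user (bar in this post).
install_pubkey() {
  pub="$1"
  sshdir="${2:-$HOME/.ssh}"
  auth="$sshdir/authorized_keys"

  [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
  # A public key file is exactly one line; a private key (id_rsa copied by
  # mistake instead of id_rsa.pub) spans many lines and is rejected here.
  if [ "$(grep -c '' "$pub")" -ne 1 ]; then
    echo "refusing $pub: expected a single public key line" >&2
    return 1
  fi
  key=$(cat "$pub")
  case "$key" in
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
    *) echo "refusing $pub: unknown key type" >&2; return 1 ;;
  esac

  # sshd (StrictModes) ignores keys kept in group/world-writable locations.
  mkdir -p "$sshdir" || return 1
  chmod 700 "$sshdir" || return 1
  touch "$auth" || return 1
  chmod 600 "$auth" || return 1

  # -x whole line, -F literal string: append only if not already installed.
  grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Usage on the remote site: install_pubkey /home/bar/id_rsa.pub
```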


Tuesday, September 20, 2016

Debian Jessie: install and configure Kippo

Kippo requirements:

  • python-pycryptopp
  • zope
  • python-twisted
Install all requirements
# apt-get install python-pycryptopp zope python-twisted
You need to add a user to run kippo; for instance, we create user kippo (you can use any non-admin user to run kippo, since this service runs on a port above 1024). The -m option creates the home directory /home/kippo used below.
# useradd -m kippo

Log in as kippo and download kippo from GitHub (--no-check-certificate makes wget skip TLS certificate verification)

$ wget --no-check-certificate https://github.com/desaster/kippo/archive/master.zip
Unzip it
$ unzip master.zip
Change directory to kippo-master, i.e. /home/kippo/kippo-master
$ cd kippo-master/
Copy and edit kippo.cfg
$ cp kippo.cfg.dist kippo.cfg
$ vi kippo.cfg
...
ssh_port = 2222
...
hostname = test
...
The port and hostname can be changed to anything you wish. Use any unused port above 1024.

You need to execute the commands below as root to update the kippo "system" file and create the iptables rule

# cd /home/kippo/kippo-master/
# ./utils/createfs.py > fs.pickle
Doing stuff
# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
To remove the iptables rule above
# iptables -t nat -D PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Use the kippo user to start and stop kippo in the directory /home/kippo/kippo-master/

To start kippo
$ ./start.sh
twistd (the Twisted daemon) 14.0.2
Copyright (c) 2001-2014 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.
To stop kippo
$ ./stop.sh


Sunday, September 18, 2016

Odoo 9: backup using wget

Additional requirement:

  • zip & unzip
  • rsync
  • openssh
The URL to back up Odoo is https://[your_ip]//web/database/backup or http://[your_ip]:8069//web/database/backup.
We can use wget to back up Odoo from localhost or from a remote host without interrupting the Odoo service.

For a local server

# wget --post-data 'master_pwd=yourpassword&name=yourdatabase&backup_format=zip' -O backup.zip http://localhost:8069/web/database/backup

For a remote server (not recommended: your password will be sent over the internet in plain text)

# wget --post-data 'master_pwd=yourpassword&name=yourdatabase&backup_format=zip' -O backup.zip http://[your_ip]:8069/web/database/backup

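For a remote server via an https reverse proxy (--no-check-certificate makes wget skip certificate verification, so the connection is encrypted but the server is not authenticated)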

# wget --post-data 'master_pwd=yourpassword&name=yourdatabase&backup_format=zip' --no-check-certificate -O backup.zip https://[your_ip]/web/database/backup

Backup Option:

  • Use backup_format=zip to backup database and filestore
  • Use backup_format=dump to backup database only

Now we can create a bash script to make the backup easier

# vi myodoobackup.sh
#!/bin/bash
## created by dedetok Sept 2016
## last update 2016-09-21
## GNU GPL v3
# create file name
now=$(date +"%Y-%m-%d")
mfname="backup_$now.zip"
#echo "$mfname"
# perform Odoo backup to output file $mfname
wget --post-data "master_pwd=yourpassword&name=yourdatabase&backup_format=zip" --no-check-certificate -O "$mfname" https://[your_ip]/web/database/backup

The output file name will be backup_2016-09-18.zip.
If you use a local server you can use http://localhost:8069//web/database/backup

Backup to remote server

You can synchronize your backup using rsync. You need to install rsync on the host and on the remote server.
You need to create a key on your host and install it on the remote server, as described in "Debian Jessie: add ssh key into remote server".

Synchronize without delete (files that exist on the remote but not on the host are kept)

$ rsync -avzh -e "ssh -p 22" /home/foo/test/ bar@SERVER_B:/home/bar/test/
sending incremental file list
./
test.txt

sent 389 bytes  received 38 bytes  854.00 bytes/sec
total size is 395  speedup is 0.93

Synchronize with delete (delete any file in the remote folder that does not exist on the host)

$ rsync -avzh --delete -e "ssh -p 22" /home/foo/test/ bar@SERVER_B:/home/bar/test/

Modified bash script

#!/bin/bash
## created by dedetok Sept 2016
## last update 2016-09-18
## GNU GPL v3
now=$(date +"%Y-%m-%d")
dbname="dbname"
dbserver="localhost"
dbpass="dbpassword"
dbmode="zip"
mfname="full_${dbname}_${now}.zip"
echo "backup $dbname @ $dbserver mode $dbmode into $mfname"
wget --post-data "master_pwd=$dbpass&name=$dbname&backup_format=$dbmode" --no-check-certificate -O "$mfname" "http://$dbserver:8069/web/database/backup"
# synchronize to remote
# note: this mirrors everything under /home/foo/ (dotfiles such as .ssh included),
# and --delete removes anything under /home/bar/ that is not in /home/foo/
echo "synchronizing backup to REMOTE_B"
rsync -avzh --delete -e "ssh -p 22" /home/foo/ bar@REMOTE_B:/home/bar/
Note: single quotes do not interpolate anything, but double quotes do (for example variables, backticks, certain \ escapes, etc.).
"test $parm" is equal to 'test '$parm

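A variant of the backup script for the https case, as an added example rather than the original author's script: it keeps the master password out of the process list, verifies the proxy's certificate with --ca-certificate instead of --no-check-certificate, and checks that the download really is a zip archive. ODOO_URL, CA_FILE, PASS_FILE and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not the original myodoobackup.sh. ODOO_URL, CA_FILE and
# PASS_FILE are assumed names; set them for your own server.
umask 077   # backup and temporary files are readable by the owner only

ODOO_URL="${ODOO_URL:-https://odoo.example.com/web/database/backup}"
CA_FILE="${CA_FILE:-/etc/ssl/localcerts/apache.pem}"  # copy of the server cert
PASS_FILE="${PASS_FILE:-$HOME/.odoo_master_pwd}"      # chmod 600, one line

# Percent-encode every byte, so '&', '=' or '%' inside the master password
# cannot break the form body or add extra fields to it.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/\(..\)/%\1/g'
}

# A zip archive starts with the bytes "PK". wget -O creates the output file
# even when the request fails, so the file existing proves nothing.
is_zip() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

backup() {
  db="$1"
  out="backup_${db}_$(date +%Y-%m-%d).zip"
  body=$(mktemp) || return 1
  # The password is read from PASS_FILE and sent with --post-file, so it is
  # never an argument of the wget process (visible to other users in ps).
  printf 'master_pwd=%s&name=%s&backup_format=zip' \
    "$(urlencode "$(cat "$PASS_FILE")")" "$(urlencode "$db")" > "$body"
  # --ca-certificate verifies the server against CA_FILE instead of
  # switching verification off; the host in ODOO_URL must match the cert.
  wget -q --ca-certificate="$CA_FILE" --post-file="$body" -O "$out" "$ODOO_URL"
  rc=$?
  rm -f "$body"
  if [ "$rc" -ne 0 ] || ! is_zip "$out"; then
    rm -f "$out"
    echo "backup of $db failed (wget exit $rc)" >&2
    return 1
  fi
  echo "$out"
}

# Run only when asked to: ./odoo_backup.sh --run yourdatabase
if [ "${1:-}" = "--run" ]; then backup "${2:?database name required}"; fi
```
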

Fail2ban: enabling ipset in Debian Jessie

Prerequisite:
  • fail2ban
  • iptables
  • ipset
To enable ipset in fail2ban, edit /etc/fail2ban/jail.conf
# vi /etc/fail2ban/jail.conf
...
[ssh-iptables-ipset4]

# change this to true
enabled = true
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/auth.log
maxretry = 3

[ssh-iptables-ipset6]

# change this to true
enabled = true
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/auth.log
maxretry = 3
...
Restart your fail2ban
# /etc/init.d/fail2ban restart

Wednesday, September 14, 2016

Odoo 9 Apache2 Reverse Proxy SSL

Prerequisite: Apache2 enabled
Enabling Apache2 module
# a2enmod proxy_http headers remoteip rewrite
To enable Apache2 cache to disk
# a2enmod cache cache_disk
Edit Default Virtual Host for SSL
# vi /etc/apache2/sites-available/default-ssl.conf
...
ProxyRequests off
SSLProxyEngine on
SSLEngine on
RequestHeader set "X-Forwarded-Proto" "https"
SetEnv proxy-nokeepalive 1
# localhost is 127.0.0.1
ProxyPass "/" "http://localhost:8069/"
ProxyPassReverse "/" "http://localhost:8069/"
ProxyErrorOverride off
...
Restart Apache2
# /etc/init.d/apache2 restart
Run Odoo for localhost only
# vi /etc/odoo/openerp-server.conf
...
proxy_mode = true
xmlrpc_interface = 127.0.0.1
...
Restart Odoo
# /etc/init.d/odoo restart

Debian Jessie: enabling Apache2 SSL using self sign key

Install apache2
# apt-get install apache2 openssl
Create a self-signed key and certificate
# mkdir -p /etc/ssl/localcerts
# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
# chmod 600 /etc/ssl/localcerts/apache*
Edit Apache default SSL
# vi /etc/apache2/sites-available/default-ssl.conf
...
#SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile      /etc/ssl/localcerts/apache.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key
...
Create link to enable default-ssl.conf
# ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
Enable Apache SSL
# a2enmod ssl
Redirect all http requests to https
# vi /etc/apache2/sites-available/000-default.conf
...
# we don't need a document root
#DocumentRoot /var/www/html
...
# redirect all requests; the host name can be replaced with an IP address
# keep the trailing slash: the rest of the request path is appended to the target
Redirect permanent / https://www.example.com/
...
Restart Apache2
# /etc/init.d/apache2 restart