daily

monitoring/README.md

@@ -4,7 +4,7 @@
 
 - HTTP message body (aka HTML source code)
 - Visal change (visualping.io)
-- HTTPS cetificate and SSL settings (ssl-check.sh, ssllabs.com)
+- HTTPS certificate and SSL settings (ssl-check.sh, ssllabs.com)
 - File changes (tripwire-fake.sh)
 - Application log (laravel-report.sh)
 - Malware listing (sitecheck.sucuri.net)
@@ -28,8 +28,9 @@
 - SSH port (ssh-watch.sh, monit)
 - DNS resource records (dns-watch.sh)
 - SMTP port (monit)
-- SSL cetificates in responses (ssl-check.sh)
-- SSL cetificate files (cert-expiry.sh)
+- MySQL table corruption and optimization
+- SSL certificates in responses (ssl-check.sh)
+- SSL certificate files (cert-expiry.sh)
 - Apache logs (apache-4xx-report.sh, apache-xreport.sh)
 - File changes (siteprotection.sh)
 - Errors in syslog (syslog-errors.sh)

monitoring/dns-watch.sh

@@ -2,8 +2,8 @@
 #
 # Check foreign DNS resource records.
 #
-# VERSION       :0.2.9
-# DATE          :2016-02-07
+# VERSION       :0.3.0
+# DATE          :2017-03-17
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # LICENSE       :The MIT License (MIT)
@@ -28,6 +28,7 @@
 #     DNS_WATCH=(
 #       domain.net:TYPE=value
 #       szepe.net:A=95.140.33.67
+#       95.140.33.67:PTR=szepe.net
 #     )
 #
 # Multiple RR-s - ","
@@ -119,6 +120,7 @@ Dnsquery_multi() {
 
     # -4 IPv4, -W 2 Timeout, -s No next NS, -r Non-recursive
     #DBG "LC_ALL=C host -v -4 -W 2 -s ${RECURSIVE} -t "$TYPE" "$HOST" ${NS} 2> /dev/null"
+    # shellcheck disable=SC2086
     OUTPUT="$(LC_ALL=C host -v -4 -W 2 -s ${RECURSIVE} -t "$TYPE" "$HOST" ${NS} 2> /dev/null)"
 
     if [ $? != 0 ] \
@@ -181,7 +183,7 @@ Dnsquery_multi() {
 Log() {
     local MESSAGE="$1"
 
-    if tty --quiet; then
+    if [ -t 0 ]; then
         echo "$MESSAGE" 1>&2
     else
         logger -t "${DAEMON}[$$]" "$MESSAGE"
@@ -210,8 +212,18 @@ Generate_rr() {
     local NS="$3"
     local RR
 
-    RR="$(Dnsquery_multi "$TYPE" "$DNAME" "$NS" | sort | paste -s -d";")"
-    [ $? == 0 ] && [ -n "$RR" ] && echo "${TYPE}=${RR}"
+    RR="$(Dnsquery_multi "$TYPE" "$DNAME" "$NS" | sort | paste -s -d ";")"
+    if [ $? == 0 ] && [ -n "$RR" ]; then
+        echo "${TYPE}=${RR}"
+    fi
+}
+
+Is_ipv4() {
+    local TOBEIP="$1"
+    #             0-9, 10-99, 100-199,  200-249,    250-255
+    local OCTET="([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
+
+    [[ "$TOBEIP" =~ ^${OCTET}\.${OCTET}\.${OCTET}\.${OCTET}$ ]]
 }
 
 Is_online
@@ -220,6 +232,13 @@ Is_online
 if [ $# == 1 ]; then
     DNAME="$1"
 
+    # PTR record
+    if Is_ipv4 "$DNAME"; then
+        # NS hack
+        Generate_rr PTR "$DNAME" " "
+        exit 0
+    fi
+
     FIRST_NS="$(Dnsquery_multi NS "$DNAME" | head -n 1)"
     if [ $? != 0 ] || [ -z "$FIRST_NS" ]; then
         MAIN_DOMAIN="$(sed 's/^.*\.\([^.]\+\.[^.]\+\)$/\1/' <<< "$DNAME")"
@@ -237,24 +256,31 @@ if [ $# == 1 ]; then
     exit 0
 fi
 
+
 # Generate configuration for a domain
 if [ "$1" == "-d" ] && [ $# == 2 ]; then
     DNAME="$2"
 
-    FIRST_NS="$(Dnsquery_multi NS "$DNAME" | head -n 1)"
-    if [ $? != 0 ] || [ -z "$FIRST_NS" ]; then
-        MAIN_DOMAIN="$(sed 's/^.*\.\([^.]\+\.[^.]\+\)$/\1/' <<< "$DNAME")"
-        FIRST_NS="$(Dnsquery_multi NS "$MAIN_DOMAIN" | head -n 1)"
-    fi
+    # PTR record
+    if Is_ipv4 "$DNAME"; then
+        # NS hack
+        DOMAIN_CONFIG="$(Generate_rr PTR "$DNAME" " ")"
+    else
+        FIRST_NS="$(Dnsquery_multi NS "$DNAME" | head -n 1)"
+        if [ $? != 0 ] || [ -z "$FIRST_NS" ]; then
+            MAIN_DOMAIN="$(sed 's/^.*\.\([^.]\+\.[^.]\+\)$/\1/' <<< "$DNAME")"
+            FIRST_NS="$(Dnsquery_multi NS "$MAIN_DOMAIN" | head -n 1)"
+        fi
 
-    DOMAIN_CONFIG="$(
-        Generate_rr NS "$DNAME" "$FIRST_NS"
-        Generate_rr A "$DNAME" "$FIRST_NS"
-        Generate_rr AAAA "$DNAME" "$FIRST_NS"
-        Generate_rr MX "$DNAME" "$FIRST_NS"
-        Generate_rr CNAME "$DNAME" "$FIRST_NS"
-        Generate_rr TXT "$DNAME" "$FIRST_NS"
-    )"
+        DOMAIN_CONFIG="$(
+            Generate_rr NS "$DNAME" "$FIRST_NS"
+            Generate_rr A "$DNAME" "$FIRST_NS"
+            Generate_rr AAAA "$DNAME" "$FIRST_NS"
+            Generate_rr MX "$DNAME" "$FIRST_NS"
+            Generate_rr CNAME "$DNAME" "$FIRST_NS"
+            Generate_rr TXT "$DNAME" "$FIRST_NS"
+        )"
+    fi
 
     if [ -z "$DOMAIN_CONFIG" ]; then
         echo "No RR-s found for ${DNAME}" 1>&2
@@ -266,7 +292,7 @@ if [ "$1" == "-d" ] && [ $# == 2 ]; then
     DOMAIN_CONFIG="${DOMAIN_CONFIG//\"/\\\"}"
     DOMAIN_CONFIG="${DOMAIN_CONFIG//;/\\;}"
 
-    echo -e "DNS_WATCH+=(\n  ${DNAME}:$(paste -s -d"," <<< "${DOMAIN_CONFIG}")\n)" >> "$DNS_WATCH_RC"
+    echo -e "DNS_WATCH+=(\n  ${DNAME}:$(paste -s -d "," <<< "${DOMAIN_CONFIG}")\n)" >> "$DNS_WATCH_RC"
 
     # Make me remember www domain
     if [ "$DNAME" == "${DNAME#www}" ]; then
@@ -276,6 +302,7 @@ if [ "$1" == "-d" ] && [ $# == 2 ]; then
     exit 0
 fi
 
+
 # Check all domains
 for DOMAIN in "${DNS_WATCH[@]}"; do
     DNAME="${DOMAIN%%:*}"
@@ -290,10 +317,15 @@ for DOMAIN in "${DNS_WATCH[@]}"; do
         DRETRY="1"
     fi
 
-    NSS="$(Dnsquery_multi NS "$DNAME")"
-    if [ $? != 0 ] || [ -z "$NSS" ]; then
-        MAIN_DOMAIN="$(sed 's/^.*\.\([^.]\+\.[^.]\+\)$/\1/' <<< "$DNAME")"
-        NSS="$(Dnsquery_multi NS "$MAIN_DOMAIN")"
+    if Is_ipv4 "$DNAME"; then
+        # NS hack
+        NSS=" "
+    else
+        NSS="$(Dnsquery_multi NS "$DNAME")"
+        if [ $? != 0 ] || [ -z "$NSS" ]; then
+            MAIN_DOMAIN="$(sed 's/^.*\.\([^.]\+\.[^.]\+\)$/\1/' <<< "$DNAME")"
+            NSS="$(Dnsquery_multi NS "$MAIN_DOMAIN")"
+        fi
     fi
     if [ $? != 0 ] || [ -z "$NSS" ]; then
         Alert "${DNAME}/NS" \
@@ -302,7 +334,7 @@ for DOMAIN in "${DNS_WATCH[@]}"; do
     fi
 
     # Check RR-s
-    while read -d "," RR; do
+    while read -r -d "," RR; do
         #DBG echo "$RR"
         if [ -z "$RR" ]; then
             echo "Empty RR in config for ${DNAME}" 1>&2
@@ -313,10 +345,21 @@ for DOMAIN in "${DNS_WATCH[@]}"; do
         RRVALUES_SORTED="$(sort <<< "$RRVALUES")"
 
         # All nameservers
-        while read NS; do
+        while read -r NS; do
 
             #[ "$NS" == ns.xoo.hu ] && continue
 
+            if Is_ipv4 "$DNAME"; then
+                # NS hack
+                ANSWERS="$(Dnsquery_multi PTR "$DNAME" " ")"
+                ANSWERS_SORTED="$(sort <<< "$ANSWERS" | paste -s -d ";")"
+                if [ "$ANSWERS_SORTED" != "$RRVALUES_SORTED" ]; then
+                    Alert "${DNAME}/PTR" \
+                        "Failed to query type PTR of ${DNAME}"
+                fi
+                continue
+            fi
+
             # Actual IP address of nameserver
             NS_IP="$(getent ahostsv4 "$NS" | sed -ne '0,/^\(\S\+\)\s\+RAW\b\s*/s//\1/p')"
             if [ -z "$NS_IP" ]; then
@@ -364,7 +407,7 @@ for DOMAIN in "${DNS_WATCH[@]}"; do
                         "Failed to query type ${RRTYPE} of ${DNAME} from ${NS}=${NS_IP} on protocol (${PROTO_TEXT}) at $((DRETRY - RETRY + 1)). retry"
                     continue
                 fi
-                ANSWERS_SORTED="$(sort <<< "$ANSWERS" | paste -s -d";")"
+                ANSWERS_SORTED="$(sort <<< "$ANSWERS" | paste -s -d ";")"
                 if [ "$ANSWERS_SORTED" != "$RRVALUES_SORTED" ]; then
                     #DBG "$ANSWERS_SORTED||$RRVALUES_SORTED"
                     Alert "${DNAME}/${RRTYPE}/${NS}/${PROTO}" \

monitoring/ocsp-check.sh

@@ -19,7 +19,7 @@
 #         exec 200<$0;flock --nonblock 200 || exit 0
 #         while ! /usr/local/bin/ocsp-check.sh "www.example.com" > /dev/null;do sleep 30;done;exit 0
 #     chmod +x /usr/local/bin/ocsp--SITE
-#     echo "05,35 *	* * *	nobody	/usr/local/bin/ocsp--SITE" > /etc/cron.d/ocsp-SITE-NO-DOTS
+#     echo -e "05,35 *\t* * *\tnobody\t/usr/local/bin/ocsp--SITE" > /etc/cron.d/ocsp-SITE-NO-DOTS
 
 HOST="$1"
 

mysql/README.md

@@ -1,7 +1,7 @@
 MariaDB upgrade error message: *Installation of system tables failed!*
 
 ```bash
-mcedit /var/lib/dpkg/info/mariadb-server-10.0.postinst:227
+mcedit /var/lib/dpkg/info/mariadb-server-10.0.postinst:224
 ```
 
 ### UNIX_SOCKET Authentication Plugin

security/cert-update-manuale-CN.sh

@@ -113,7 +113,7 @@ NGINX_DOMAIN="${NGINX_DOMAIN/\*./wildcard.}"
 NGINX_VHOST_CONFIG="/etc/nginx/sites-available/${NGINX_DOMAIN}"
 #
 # Use nginx.vhost
-[ -r nginx.vhost ] && NGINX_VHOST_CONFIG="/etc/nginx/sites-available/$(head -n 1 nginx.vhost)"
+[ -s ./nginx.vhost ] && NGINX_VHOST_CONFIG="/etc/nginx/sites-available/$(head -n 1 nginx.vhost)"
 #
 #NGINX_PUB="${PUB_DIR}/${NGINX_DOMAIN}-public.pem"
 #NGINX_DHPARAM="${PRIV_DIR}/${NGINX_DOMAIN}-dhparam.pem"

security/cert-update-config-CN.sh → security/cert-update-req-CN.sh

@@ -1,39 +1,63 @@
 #!/bin/bash
 #
-# Config file and loader for cert-update.sh
+# Config file and loader for cert-update.sh.
 #
-# VERSION       :0.1.0
+# VERSION       :0.2.0
 # DATE          :2016-09-23
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # LICENSE       :The MIT License (MIT)
 # URL           :https://github.com/szepeviktor/debian-server-tools
 # BASH-VERSION  :4.2+
-# CI            :shellcheck -e SC2034 cert-update-config-CN.sh
+# CI            :shellcheck -e SC2034 cert-update-req-CN.sh
 # DEPENDS       :/usr/local/sbin/cert-update.sh
 
 # Intermediate certificates and root certificates
 #
-# StartSSL Class 1 DV (Domain and Email Validation)
-#     https://www.startssl.com/root "Intermediate CA Certificates"
-#     wget https://www.startssl.com/certs/sca.server1.crt && dos2unix sca.server1.crt
-# StartSSL Class 2 IV (Identity Validation)
-#     wget https://www.startssl.com/certs/sca.server2.crt && dos2unix sca.server2.crt
-# StartSSL Class 3 OV (Organization Validation)
-#     wget https://www.startssl.com/certs/sca.server3.crt && dos2unix sca.server3.crt
-# Let’s Encrypt Authority X3
-#     wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
 # Let’s Encrypt
+#     wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
 #     https://letsencrypt.org/certificates/
 # ComodoSSL, EssentialSSL, PositiveSSL
 #     https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate
 # GeoTrust
 #     https://www.geotrust.com/resources/root-certificates/
+# RapidSSL
+#     https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548
 # NetLock (HU)
 #     https://www.netlock.hu/html/cacrl.html
 # Microsec (HU)
 #     https://e-szigno.hu/hitelesites-szolgaltatas/tanusitvanyok/szolgaltatoi-tanusitvanyok.html
 # szepenet
-#     http://ca.szepe.net/szepenet-ca.pem
+#     wget http://ca.szepe.net/szepenet-ca.pem
+# StartSSL Class 1 DV (Domain and Email Validation)
+#     https://www.startssl.com/root "Intermediate CA Certificates"
+#     wget https://www.startssl.com/certs/sca.server1.crt && dos2unix sca.server1.crt
+# StartSSL Class 2 IV (Identity Validation)
+#     wget https://www.startssl.com/certs/sca.server2.crt && dos2unix sca.server2.crt
+# StartSSL Class 3 OV (Organization Validation)
+#     wget https://www.startssl.com/certs/sca.server3.crt && dos2unix sca.server3.crt
+#
+# $CN-openssl.conf
+#     [ req ]
+#     prompt = no
+#     default_bits = 2048
+#     default_md = sha256
+#     distinguished_name = req_distinguished_name
+#     req_extensions = v3_req
+#
+#     [ req_distinguished_name ]
+#     CN = EDIT
+#     C = EDIT
+#     ST = EDIT
+#     L = EDIT
+#     O = EDIT
+#     emailAddress = EDIT
+#
+#     [ v3_req ]
+#     subjectAltName = @alt_names
+#
+#     [ alt_names ]
+#     DNS.1 = EDIT
+#     DNS.2 = www.EDIT
 
 set -e
 
@@ -48,38 +72,50 @@ PRIV="priv-key-${TODAY}.key"
 PUB="pub-key-${TODAY}.pem"
 
 # Intermediate certificate file name
-INT="sca.server1.crt"
-#INT="sca.server2.crt"
-#INT="lets-encrypt-x3-cross-signed.pem"
-#INT="DigiCert-SHA2-EV-Server-CA.crt"
+INT="intermediate.pem"
 #INT="null.crt"; touch "$INT"
 
+# Certificate signing request
+CSR="request-${TODAY}.csr"
+
 # Storage directory from canonical name
 read -r -p "CN=" CN
-[ -n "$CN" ]
+#CN="example.com"
+
+test -n "$CN"
 CERT_DIR="/root/ssl/${TODAY}-${CN}"
-mkdir -m 0700 "$CERT_DIR"
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "$CERT_DIR"
 cd "$CERT_DIR"
 
+# Generate private key
+openssl genrsa -out "$PRIV" 2048
+openssl rsa -in "$PRIV" -noout -text
+read -r -s -n 1 -p "Check private key and press any key ..."
+
 # Generate request
-PRIV_ENCRYPTED="priv-key-${TODAY}-encrypted.key"
-CSR="request-${TODAY}.csr"
-openssl req -newkey rsa:2048 -keyout "$PRIV_ENCRYPTED" -out "$CSR"
-##editor "$PRIV_ENCRYPTED"
-# Decrypt private key
-openssl rsa -in "$PRIV_ENCRYPTED" -out "$PRIV"
-# Display request
-cat "$CSR"
+editor "${CN}-openssl.conf"
+test -s "${CN}-openssl.conf"
+openssl req -out "$CSR" -new -key "$PRIV" -sha256 \
+    -config "${CN}-openssl.conf" -verbose
+openssl req -in "$CSR" -noout -text
+read -r -s -n 1 -p "Check request and press any key ..."
 
 # Get certificate from a CA!
 
+# HTTP validation file
+echo
+echo "editor DOC-ROOT/.well-known/pki-validation/fileauth.txt"
+read -r -s -n 1 -p "Create fileauth.txt and press any key ..."
+
 # Enter intermediate certificate
 editor "$INT"
-# Enter public key (the signed certificate)
+# Enter public key, the signed certificate
 editor "$PUB"
 # Verify signature
 openssl verify -purpose sslserver -CAfile "$INT" "$PUB"
 
+
 # Common variables
 CABUNDLE="/etc/ssl/certs/ca-certificates.crt"
 PRIV_DIR="/etc/ssl/private"
@@ -131,7 +167,7 @@ NGINX_DOMAIN="${NGINX_DOMAIN/\*./wildcard.}"
 NGINX_VHOST_CONFIG="/etc/nginx/sites-available/${NGINX_DOMAIN}"
 #
 # Use nginx.vhost
-[ -r nginx.vhost ] && NGINX_VHOST_CONFIG="/etc/nginx/sites-available/$(head -n 1 nginx.vhost)"
+[ -s ./nginx.vhost ] && NGINX_VHOST_CONFIG="/etc/nginx/sites-available/$(head -n 1 nginx.vhost)"
 #
 #NGINX_PUB="${PUB_DIR}/${NGINX_DOMAIN}-public.pem"
 #NGINX_DHPARAM="${PRIV_DIR}/${NGINX_DOMAIN}-dhparam.pem"