today

backup/README.md

@@ -52,7 +52,7 @@ cat github.repos|xargs -L 1 git clone
 ### S3QL flush before umount
 
 - synchronize: fsync(2)
-- upload: s3qlctrl flushcache
+- upload: sync && s3qlctrl flushcache
 - unmount: umount.s3ql
 
 ### Storage

backup/bck-dbz.sh

@@ -1,54 +1,111 @@
 #!/bin/bash
 #
-# Archive database dumps.
+# Backup a remote database.
 #
-
-#TODO: sqlite3 in ~/glacier/
-# site ID, swift container, export-one-db URL, secret key, user agent
-DBS=(
-# Fill in website details
-)
-WORKDIR="/home/bck/database/workdir"
-PRIVKEYS="/home/bck/database/privkeys"
-HUBIC="/usr/local/bin/hubic.py"
-EXP_O_DECRYPT="/usr/local/bin/exp-o-decrypt.php"
-ENCRYPT_PASS_FILE="/home/bck/database/.enc-pass"
-TODAY="$(date --rfc-3339=date)"
-
-# Decryption
+# VERSION       :1.4.3
+# DATE          :2015-08-15
+# AUTHOR        :Viktor Szépe <viktor@szepe.net>
+# URL           :https://github.com/szepeviktor/debian-server-tools
+# LICENSE       :The MIT License (MIT)
+# BASH-VERSION  :4.2+
+# DEPENDS       :https://github.com/puzzle1536/hubic-wrapper-to-swift
+# DEPENDS       :apt-get install openssl zpaq
+# LOCATION      :/home/bck/database/bck-dbz.sh
+# OWNER         :bck:bck
+# PERMISSION    :755
+# CRON.D        :03 3	* * *	bck	/home/bck/database/bck-dbz.sh
+# CONFIG        :/home/bck/database/.dbftp
+
+# List files
 #
-#hubic.py --swift -- download <CONTAINER> <PATH/FILE>
-#zpaq x "<PATH/FILE>.zpaq" -key "$(cat "$ENCRYPT_PASS_FILE")"
+#      hubic.py --swift -- list CONTAINER --long
+
+source "$(dirname "$0")/.dbftp"
+# site ID,swift container,export-one-db URL,secret key,user agent
+#declare -a DBS=(
+#)
+#WORKDIR="/home/bck/database/workdir"
+#PRIVKEYS="/home/bck/database/privkeys"
+#HUBIC="/usr/local/bin/hubic.py --config=/home/bck/database/.hubic.cfg"
+#EXP_O_DECRYPT="/usr/local/bin/exp-o-decrypt.php"
+#ENCRYPT_PASS_FILE="/home/bck/database/.enc-pass"
+
+# Local swift command
+PATH="${PATH}:/usr/local/bin"
 
+SWIFT_STDERR="$(mktemp)"
+trap "rm -f '$SWIFT_STDERR' &> /dev/null" EXIT
+
+# Get n-th field of a comma separated list
 E() {
     local ALL="$1"
     local FIELD="$2"
     cut -d "," -f "$FIELD" <<< "$ALL"
 }
 
-# Backup only to secure directoy
-[ "$(stat --format=%a .)" == 700 ] || exit 1
+# Communicate with object storage
+Swift() {
+    local -i RET="-1"
+    local -i TRIES="3"
+    local -i TRY="0"
+
+    while [ "$((TRY++))" -lt "$TRIES" ]; do
+        # Empty error message
+        echo -n "" > "$SWIFT_STDERR"
+
+        # Be verbose on console and on "swift stat"
+        if tty --quiet || [ "stat" == "$1" ]; then
+            ${HUBIC} -v --swift -- -v "$@" 2> "$SWIFT_STDERR"
+            RET="$?"
+        else
+            ${HUBIC} --swift -- -q "$@" > /dev/null 2> "$SWIFT_STDERR"
+            RET="$?"
+        fi
+
+        # OK
+        if [ "$RET" -eq 0 ] && ! grep -qv "^[A-Z_]\+=\S\+$" "$SWIFT_STDERR"; then
+            break
+        fi
+
+        echo -n "Swift ERROR ${RET} during ($*), error message: " >&2
+        cat "$SWIFT_STDERR" >&2
+        RET="255"
+        # Wait for object storage
+        sleep 60
+    done
+
+    return "$RET"
+}
+
+# Backup only to secure directory
+[ "$(stat --format=%a $(dirname "$WORKDIR"))" == 700 ] || exit 1
 
 # Interrupted backup
 [ -z "$(ls -A "$WORKDIR")" ] || exit 2
 
 cd "$WORKDIR" || exit 3
 
 # Check object storage access
-"$HUBIC" --swift -- stat > /dev/null || exit 4
-
+if ! Swift stat > /dev/null; then
+    echo "Object storage access failure." >&2
+    exit 4
+fi
 
-for DB in ${DBS[*]}; do
+for DB in "${DBS[@]}"; do
     ID="$(E "$DB" 1)"
     CONTAINER="$(E "$DB" 2)"
     URL="$(E "$DB" 3)"
     SECRET="$(E "$DB" 4)"
     UA="$(E "$DB" 5)"
 
-    tty --quiet && echo "${ID} ..."
+    if tty --quiet; then
+        echo "${ID} ..."
+    else
+        logger -t "bck-dbz[$$]" "Archiving ${ID}"
+    fi
 
-    # Export database dump
-    if ! wget -q -S --content-disposition --user-agent="$UA" \
+    # Download database dump
+    if ! wget -q -S --user-agent="$UA" \
         --header="X-Secret-Key: ${SECRET}" -O "${ID}.sql.gz.enc" "$URL" 2> "${ID}.headers"; then
         echo "Error during database backup of ${ID}." >&2
         continue
@@ -78,24 +135,41 @@ for DB in ${DBS[*]}; do
     fi
     rm "${ID}.sql.gz.enc"
 
+    # Download archive index
+    if ! Swift download --output "${ID}-00000.zpaq" "$CONTAINER" "${ID}/${ID}-00000.zpaq" \
+        || ! [ -s "${ID}-00000.zpaq" ]; then
+        echo "Archive index download failed ${ID}." >&2
+        continue
+    fi
+
     # Archive (compress and encrypt)
-    "$HUBIC" --swift -- -q download --output "${ID}-00000.zpaq" "$CONTAINER" "${ID}/${ID}-00000.zpaq" 2> /dev/null
-    if ! zpaq a "${ID}-?????.zpaq" "${ID}.sql" "${ID}.headers" -method 5 -key "$(cat "$ENCRYPT_PASS_FILE")" &> /dev/null; then
+    if ! zpaq add "${ID}-?????.zpaq" "${ID}.sql" "${ID}.headers" -method 5 -key "$(cat "$ENCRYPT_PASS_FILE")" &> /dev/null; then
         echo "Archiving failed ${ID}." >&2
         continue
     fi
     rm "${ID}.sql" "${ID}.headers"
 
-    # Upload archive
-    for ZPAQ in "$ID"-?????.zpaq; do
-        if ! "$HUBIC" --swift -- -q upload --object-name "${ID}/${ZPAQ}" "$CONTAINER" "$ZPAQ"; then
-            echo "Archive upload failed ${ID}/${ZPAQ}." >&2
+    # Upload archive parts
+    for ZPAQ in "$ID"-*.zpaq; do
+        if ! Swift upload --object-name "${ID}/${ZPAQ}" "$CONTAINER" "$ZPAQ"; then
+            echo "Archive upload failed ${ID}/${ZPAQ}, may cause inconsistency." >&2
+            continue
         fi
         rm "$ZPAQ"
     done
 done
 
-# swift full?
-[ $("$HUBIC" --swift -- stat | grep -m1 "Bytes:" | cut -d":" -f2) -gt 1000000000 ] && echo "swift FULL." >&2
+# Leftover files
+if ! [ -z "$(ls -A "$WORKDIR")" ]; then
+    echo "There was an error, files are left in working directory." >&2
+fi
+
+# Check object storage usage
+BYTE_LIMIT="$(( 10 * 1000 * 1000 * 1000 ))"
+SWIFT_BYTES="$(Swift stat)"
+SWIFT_BYTES="$(echo "$SWIFT_BYTES" | grep -m1 "Bytes:" | cut -d":" -f2)"
+if [ -n "$SWIFT_BYTES" ] && [ ${SWIFT_BYTES} -gt "$BYTE_LIMIT" ]; then
+    echo "Swift usage > 10 GiB." >&2
+fi
 
 exit 0

backup/restore-dbz.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+#
+# Restore database dumps.
+#
+# VERSION       :1.0.0
+# DATE          :2015-06-12
+# AUTHOR        :Viktor Szépe <viktor@szepe.net>
+# URL           :https://github.com/szepeviktor/debian-server-tools
+# LICENSE       :The MIT License (MIT)
+# BASH-VERSION  :4.2+
+# DEPENDS       :https://github.com/puzzle1536/hubic-wrapper-to-swift
+# DEPENDS       :apt-get install zpaq
+# LOCATION      :/home/bck/database/restore-dbz.sh
+# OWNER         :bck:bck
+# PERMISSION    :755
+
+# site ID,swift container,export-one-db URL,secret key,user agent
+declare DB="...,...,..."
+HUBIC="/usr/local/bin/hubic.py --config=/home/bck/database/.hubic.cfg"
+ENCRYPT_PASS_FILE="/home/bck/database/.enc-pass"
+
+# Local swift command
+PATH="${PATH}:/usr/local/bin"
+
+SWIFT_STDERR="$(mktemp)"
+trap "rm -f '$SWIFT_STDERR' &> /dev/null" EXIT
+
+# Get n-th field of a comma separated list
+E() {
+    local ALL="$1"
+    local FIELD="$2"
+    cut -d "," -f "$FIELD" <<< "$ALL"
+}
+
+# Communicate with object storage
+Swift() {
+    local -i RET="-1"
+    local -i TRIES="2"
+    local -i TRY="0"
+
+    while [ "$((TRY++))" -lt "$TRIES" ]; do
+        # Empty error message
+        echo -n "" > "$SWIFT_STDERR"
+
+        # Be verbose on console and on "swift stat"
+        ${HUBIC} --swift -- -v "$@" 2> "$SWIFT_STDERR"
+        RET="$?"
+
+        # OK
+        if [ "$RET" -eq 0 ] && ! grep -qv "^[A-Z_]\+=\S\+$" "$SWIFT_STDERR"; then
+            break
+        fi
+
+        echo -n "Swift ERROR ${RET} " >&2
+        cat "$SWIFT_STDERR" >&2
+        RET="255"
+        # Wait for object storage
+        sleep 60
+    done
+
+    return "$RET"
+}
+
+# Check object storage access
+if ! Swift stat > /dev/null; then
+    exit 4
+fi
+
+ID="$(E "$DB" 1)"
+CONTAINER="$(E "$DB" 2)"
+URL="$(E "$DB" 3)"
+SECRET="$(E "$DB" 4)"
+UA="$(E "$DB" 5)"
+
+echo "Restoring ${ID} ..."
+
+# Download
+FILE_LIST="$(Swift list "$CONTAINER" | grep "${ID}/${ID}-")"
+while read ZPAQ; do
+    echo "${ZPAQ} ..."
+    if ! Swift download "$CONTAINER" "$ZPAQ"; then
+        exit 10
+    fi
+done <<< "$FILE_LIST"
+
+# List all versions
+zpaq l "${ID}/${ID}-?????.zpaq" -key "$(cat "$ENCRYPT_PASS_FILE")" -all
+
+# Restore latest version
+if ! zpaq x "${ID}/${ID}-?????.zpaq" "${ID}.sql" -key "$(cat "$ENCRYPT_PASS_FILE")"; then
+    echo "Restore failed ${ID}." >&2
+    exit 11
+fi

backup/simple-backup.sh

@@ -34,13 +34,13 @@ Echo --$?--
 
 Echo "MySQL"
 if which innobackupex &> /dev/null; then
-    # full backup
-    #innobackupex ./sql
+    # Full backup first
+    #     innobackupex ./sql
     INNOBCK_BASE="mysql-All_<FULL-BACKUP-DATE>"
     nice innobackupex --incremental ./sql --incremental-basedir="./sql/${INNOBCK_BASE}" \
         || echo "fail: SQL" >&2
 else
-    /usr/bin/mysqldump --all-databases --single-transaction --events \
+    nice /usr/bin/mysqldump --all-databases --single-transaction --events \
         | nice gzip -1 > "./mysql-All_${TODAY}.sql.sz" || echo "fail: SQL" >&2
 fi
 Echo --$?--

debian-hardware-setup.sh

@@ -14,6 +14,10 @@ editor /etc/smartd.conf
 
 cat ${D}/monitoring/hdd-temps.sh >> /root/.bashrc
 
+# Entropy from TPM
+modprobe tpm-rng
+echo tpm-rng >> /etc/modules
+
 # monit
 # - smartmontools
 # - xenstored, xenconsoled

debian-setup.sh

@@ -434,6 +434,7 @@ cd /root/
 mkdir dist-mod && cd dist-mod/
 
 # Get pip
+apt-get install -y python3-dev
 wget https://bootstrap.pypa.io/get-pip.py
 python3 get-pip.py
 python2 get-pip.py
@@ -462,6 +463,14 @@ cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
 # Performance mode
 #     for SG in /sys/devices/system/cpu/*/cpufreq/scaling_governor;do echo "performance">$SG;done
 
+# Entropy - check virtio_rng on KVM
+cat /sys/devices/virtual/misc/hw_random/rng_available
+cat /sys/devices/virtual/misc/hw_random/rng_current
+[ -c /dev/hwrng ] && apt-get install -y rng-tools
+# Software based entropy source
+apt-get install -y haveged
+cat /proc/sys/kernel/random/entropy_avail
+
 # IRQ balance
 declare -i CPU_COUNT="$(grep -c "^processor" /proc/cpuinfo)"
 [ "$CPU_COUNT" -gt 1 ] && apt-get install -y irqbalance && cat /proc/interrupts

mail/README.md

@@ -173,10 +173,6 @@ https://unlocktheinbox.com/resources/adsp/
 
 Deprecated.
 
-#### SenderID
-
-?
-
 #### DMARC
 
 Specs: https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1
@@ -232,6 +228,7 @@ https://wordtothewise.com/isp-information/
 - https://litmus.com/blog/go-responsive-with-these-7-free-email-templates-from-stamplia
 - https://www.klaviyo.com/
 - https://litmus.com/subscribe
+- https://stamplia.com/
 
 ### Email tests
 
@@ -314,17 +311,22 @@ csi.cloudmark.com
 
 ##### Check RBL-s
 
-`cat anti-abuse.org.rbl|xargs -I%% host -tA $(revip "$IP").%% 2>&1|grep -v "not found: 3(NXDOMAIN)"`
+```bash
+cat anti-abuse.org.rbl | xargs -I %% host -tA $(revip "$IP").%% 2>&1 \
+    | grep -v "not found: 3(NXDOMAIN)"
+```
 
 ##### Trendmicro ERS
 
-`wget -qO- --post-data="_method=POST&data[Reputation][ip]=${IP}" https://ers.trendmicro.com/reputations \
-    | sed -n 's;.*<dd>\(.\+\)</dd>.*;\1;p' | tr '\n' ' '`
+```bash
+wget -qO- --post-data="_method=POST&data[Reputation][ip]=${IP}" https://ers.trendmicro.com/reputations \
+    | sed -n 's;.*<dd>\(.\+\)</dd>.*;\1;p' | tr '\n' ' '
+```
 
 Response: "IP Unlisted in the spam sender list None"
 
 ### Monitoring you server's IP reputation
 
 - https://www.rblmon.com/accounts/register/
 - https://www.projecthoneypot.org/monitor_settings.php
-- 
+

monitoring/cse/cse.php

@@ -6,7 +6,6 @@
 Snippet URI: https://github.com/szepeviktor/debian-server-tools
 License: The MIT License (MIT)
 Author: Viktor Szépe
-Author URI: http://www.online1.hu/webdesign/
 */
 
 // CSE address