How to optimize MySQL tables automatically using cron

Busy websites with a lot of insert/delete transactions can end up with fragmented MySQL tables. Fortunately, tables can be defragmented with the ‘OPTIMIZE TABLE’ command, but how do you run it automatically?

Here’s how:
The mysql-client package in Ubuntu comes with a tool called mysqlcheck, which is handy for optimizing tables in MySQL. It is an ordinary command-line program, so it can be run from bash and scheduled with cron.

To do that, open your crontab for editing:

[bash]
crontab -e

# in the crontab file, add this line. Note: no space between -p and the password,
# otherwise mysqlcheck prompts for a password (which fails under cron, there is no tty)
# and treats <password> as the name of another database
59 23 * * * /usr/bin/mysqlcheck -o -v -u <mysql username> -p<password> -h localhost <database_name>
[/bash]

This tells cron to run mysqlcheck and optimize the tables of the specified database at 11:59pm every day; change the schedule to suit your needs. One caveat: a password given on the command line sits in plain text in the crontab and can be exposed to other local users through process listings, so for anything beyond a personal box keep the credentials in an option file readable only by the cron user (`~/.my.cnf` with mode 0600, or a file passed with `--defaults-extra-file=`) instead of on the command line.
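As an added example (not from the original post), here is a small script that does the option-file variant: it writes a `[client]` credentials file that only its owner can read, builds the mysqlcheck command around it, and prints the crontab entry. The file path, log path and database name are placeholders, and mysqlcheck is assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not from the original post: keep the MySQL password out of the
# crontab line and out of process listings.  Assumptions: mysqlcheck is on PATH,
# and the option-file, log and database names below are placeholders.
set -eu

# Write a MySQL option file that only its owner can read.  mysqlcheck reads the
# [client] section from it, so user and password never appear on a command line.
# The value is double-quoted as the option-file format allows; a password that
# itself contains a double quote would need escaping.
write_option_file() {
    file=$1 user=$2 pass=$3
    # subshell so the umask change does not leak into the rest of the script
    ( umask 077; printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$file" )
}

# Command line cron will run.  --defaults-extra-file must be the first option on
# the line, before any other option, or mysqlcheck rejects it.
mysqlcheck_cmd() {
    file=$1 db=$2
    printf 'mysqlcheck --defaults-extra-file=%s --optimize --databases %s' "$file" "$db"
}

# The crontab entry to paste into `crontab -e`: 23:59 daily, stdout discarded,
# stderr appended to a log, so cron only mails you when something goes wrong.
crontab_line() {
    printf '59 23 * * * %s >/dev/null 2>>%s\n' "$(mysqlcheck_cmd "$1" "$2")" "$3"
}

# Stand-alone demo: `sh mysqlcheck-cron.sh demo` writes /tmp/demo.cnf and prints the entry.
if [ "${1:-}" = demo ]; then
    write_option_file /tmp/demo.cnf dbuser 'change-me'
    crontab_line /tmp/demo.cnf shopdb /var/log/mysqlcheck.err
fi
```

Run the script once as the user whose crontab will execute the job (so the option file is owned by that user), then paste the printed line into `crontab -e`. `--databases` makes mysqlcheck treat every following argument as a database name, which is why the original `-p <password>` mistake is so easy to make.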

How to secure server from SYN-flood attack using iptables

A SYN-flood attack is commonly used to disrupt network communication; it is a form of denial-of-service (DoS) attack, and is often launched in distributed form (DDoS). RFC 4987 describes the attack and the common mitigations for it.

However, in this post I’m going to share the method I use to reduce the risk of SYN-flood attacks against my department’s computers, with iptables:
[bash]
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 100 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN-flood attempt: "
/sbin/iptables -A syn-flood -j DROP
# without this jump the new chain is never consulted: send TCP connection requests (SYN) through it
/sbin/iptables -A INPUT -p tcp --syn -j syn-flood
[/bash]

SYN packets within the limit (100 per second, with a burst of 100) RETURN to the INPUT chain and are processed normally; anything above that is logged and dropped. Two things to be aware of: the limit is aggregate, not per source, so once an attack saturates it legitimate clients lose their SYNs too, and the LOG rule has no limit of its own, so a real flood will fill your syslog unless you rate-limit the logging as well.
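The same chain as a re-runnable script, added here as an example and not the original post’s code: it creates the chain on the first run and flushes it on later runs (so you never end up with duplicate rules), rate-limits the logging, and uses `iptables -C` (available since iptables 1.4.11) to add the INPUT hook only once. The iptables path and the `IPT`, `RATE` and `BURST` variables are this script’s own assumptions.

```sh
#!/bin/sh
# Added example, not the original post's script: the same syn-flood chain, but
# re-runnable (no duplicate rules on a second run) and actually hooked into INPUT.
# Assumptions: iptables is at /sbin/iptables (override with IPT=... for testing),
# and RATE/BURST are the limits you want.
set -eu
IPT="${IPT:-/sbin/iptables}"
RATE="${RATE:-100/second}"   # SYNs allowed through per second (aggregate, not per source)
BURST="${BURST:-100}"

setup_syn_flood_chain() {
    # create the chain on the first run, flush it on later runs
    if "$IPT" -n -L syn-flood >/dev/null 2>&1; then
        "$IPT" -F syn-flood
    else
        "$IPT" -N syn-flood
    fi
    # SYNs within the limit return to INPUT for normal processing
    "$IPT" -A syn-flood -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    # log the excess, but rate-limit the logging so an attack cannot fill the syslog
    "$IPT" -A syn-flood -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "SYN-flood attempt: "
    "$IPT" -A syn-flood -j DROP
    # hook: only TCP connection requests (SYN set, ACK clear) go through the chain;
    # -C checks whether the rule already exists so it is not inserted twice
    if ! "$IPT" -C INPUT -p tcp --syn -j syn-flood >/dev/null 2>&1; then
        "$IPT" -I INPUT -p tcp --syn -j syn-flood
    fi
}

# `sh syn-flood.sh apply`, as root, installs the rules; without the argument the
# script only defines the function (handy for sourcing from another script).
if [ "${1:-}" = apply ]; then
    setup_syn_flood_chain
fi
```

Check the result with `iptables -n -L syn-flood -v` and watch the packet counters on the LOG and DROP rules; if the RETURN counter is the only one moving, you are not under attack. The rules are not persistent, so hook the script into your distribution’s firewall startup (or iptables-persistent) as well.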

RFC 4987 also recommends SYN cookies, which let the kernel complete handshakes without keeping state for every half-open connection. On Linux this is the first thing to turn on, since the rate limit above drops legitimate SYNs along with the attacker’s once the limit is hit. Enable SYN cookies by running this command (as root):
[bash]
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# to keep the setting across reboots, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
[/bash]

hope that helps…

Note: I’m not a full-time sysadmin, as I have a different day job, but I was put in charge of securing part of my school’s computer network, so there.

Rant: About Starting up an E-commerce Site….

A bit of advice when starting up an e-commerce (especially storefront) site: please use proper e-commerce software for the job. Do not ‘force’ a general-purpose CMS to be an e-commerce site via plugins (or *cough* *cough* ‘components’); it’s gonna be a pain in the ass to secure them.

So do yourself (and the sysadmin guys) a favor: use a proper e-commerce software platform, or just turn to blogger.com for selling your stuff…

Public Domain vs Open Source License, which to choose ?

*Note that I’m not a legal expert or an attorney, this is just based on my personal experience and internet search*

People have asked me why bother releasing a piece of software or code under an open source license instead of putting it in the public domain.

First of all, if you wrote the code or the work yourself, it is a matter of personal choice. But if you release your work under an open license (open source or Creative Commons), you still retain the copyright (ownership) of the material you have released. People who use your work have to adhere to the license terms of your choosing, including the clauses freeing you from liability if the software is broken or causes harm. Licensing your work acknowledges you as the owner, and you retain your legal rights over it.

On the other hand, once you have put your work in the public domain you lose your rights to it: the work has no copyright owner and isn’t protected by copyright law. People are free to use the material without any restriction at all, including incorporating it into their own work, making that work proprietary and subsequently copyrighting it, without legal repercussions.

The public domain isn’t a license; it is merely a statement that the software has been given to the public. To make things more complicated, some countries don’t recognize dedicating a work to the public domain, meaning that the writer may not get the protection of the usual warranty disclaimers (the ABSOLUTELY NO WARRANTY, LIMITED WARRANTY or AS IS clauses) if the software causes harm to others.

Remember: the public domain is not recognized internationally and is not stipulated under the Berne Convention, and in some countries the author can’t disclaim moral rights.

Therefore, it is wiser to release software under a permissive (copyright) license rather than putting it in the public domain right away.


How to Secure SSH server from Brute-Force and DDoS with Fail2ban (Ubuntu)

Fail2ban is a security tool for limiting brute-force attacks (and simple connection floods from a single source) against services on your GNU/Linux box. Since it bans one address at a time, it is no defense against a genuinely distributed attack, but it takes the sting out of the everyday password-guessing bots.

Fail2ban watches log files for failed login attempts and, once an address exceeds a threshold, blocks it with a firewall rule for a set period. Fail2ban can also protect other services on an Ubuntu server, but in this post I will only cover securing the SSH server.

Step 1: Install Fail2ban and (optionally) sendmail

sudo apt-get install fail2ban
sudo apt-get install sendmail-bin

Step 2: Setting up Fail2ban

Next, configure fail2ban by copying ‘jail.conf’ to ‘jail.local’. Settings in jail.local override jail.conf, and jail.conf gets overwritten on package upgrades, so never edit it directly:

cd /etc/fail2ban
sudo cp jail.conf jail.local

Step 3: General fail2ban configuration

Edit the fail2ban configuration file with your favourite text editor (I personally use ‘nano’):

sudo nano /etc/fail2ban/jail.local

In the [DEFAULT] section you can set IP addresses for fail2ban to ignore (never ban), separated by spaces; put your own management address here so you can’t lock yourself out.

bantime is how long, in seconds, a banned address stays blocked; 3600 means a one-hour ban.
maxretry is the number of failed attempts before fail2ban bans the address. The attempts are counted within the findtime window (600 seconds by default), so 3 failures spread over a day do not trigger a ban.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.1
bantime  = 3600
maxretry = 3 

Step 4: Enabling ssh and ssh-ddos protection
Find the ssh jail under the [ssh] heading and enable it:

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

Similarly, you can enable the [ssh-ddos] jail (which matches connections that are opened and dropped without authenticating) by setting “enabled = true”:

[ssh-ddos]
enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

Step 5: Enable Sending Notification Email (optional)
Optionally, fail2ban can send you a notification email whenever it bans an address. To do that, locate the destemail setting and change it to your email address:

destemail = security@mypapit.net

Setting destemail alone is not enough: the jail’s action must be one that sends mail. The default, action = %(action_)s, only bans; change it (in [DEFAULT] or in the jail) to action = %(action_mw)s to ban and mail a whois report, or %(action_mwl)s to include the matching log lines as well. Fail2ban hands the mail to ‘sendmail’ or ‘mail’, which is why sendmail-bin was installed in step 1.

Step 6: (Re-)start Fail2ban
After all is done, save the file and (re)start the fail2ban service:

sudo /etc/init.d/fail2ban restart

You can test the configuration by deliberately failing a few logins from another host (not one listed in ignoreip). Fail2ban writes its own log to /var/log/fail2ban.log (look for “Ban” lines); /var/log/auth.log is the file it reads, not where it reports. You can also run `sudo fail2ban-client status ssh` to list the currently banned addresses, or `sudo iptables -L fail2ban-ssh -n` to see the firewall rules it inserted.

For more information about fail2ban, read the official fail2ban manual.
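To make the maxretry and ignoreip settings above concrete, here is an added example, not part of the original post and not fail2ban’s own code, that reproduces the core of the sshd jail over a few constructed auth.log lines: extract the source address from each failed-login line, skip the ignored addresses, and report every address whose failures reached maxretry. The sample log lines are made up, the match pattern is a simplified version of fail2ban’s sshd filter, and the findtime window is left out (every failure counts, regardless of age).

```sh
#!/bin/sh
# Added example (not from the original post, not fail2ban's code): the core of
# what the sshd jail does, run over constructed auth.log lines so you can see
# which addresses would be banned with maxretry=3 and an ignoreip list.
# Simplifications (assumptions): no findtime window, and a reduced match pattern.
set -eu

# Constructed sample lines in Ubuntu auth.log format; fail2ban's sshd filter
# matches "Failed password ... from <ip>" and "Invalid user ... from <ip>".
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:09 web1 sshd[1203]: Invalid user admin from 203.0.113.7
Mar  3 10:02:11 web1 sshd[1210]: Failed password for alice from 192.168.1.1 port 40000 ssh2
Mar  3 10:02:14 web1 sshd[1210]: Failed password for alice from 192.168.1.1 port 40000 ssh2
Mar  3 10:02:17 web1 sshd[1210]: Failed password for alice from 192.168.1.1 port 40000 ssh2
Mar  3 10:03:00 web1 sshd[1215]: Accepted publickey for bob from 198.51.100.9 port 2222 ssh2
Mar  3 10:03:30 web1 sshd[1220]: Failed password for invalid user test from 198.51.100.9 port 2223 ssh2'

# Usage: ban_candidates MAXRETRY "ignoreip list" < logfile
# Prints "<ip> <count>" for each address whose failures reached MAXRETRY,
# skipping addresses in the ignore list (exact match, like ignoreip with bare IPs).
ban_candidates() {
    maxretry=$1 ignore=$2
    awk -v maxretry="$maxretry" -v ignore="$ignore" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) ign[a[i]] = 1 }
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) .* from / {
            # the address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in ign)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' | sort
}

# `sh ban-candidates.sh demo` runs it over the sample; for a real file use
# `ban_candidates 3 "127.0.0.1" < /var/log/auth.log` after sourcing this script.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 "127.0.0.1 192.168.1.1"
fi
```

With maxretry 3 and 192.168.1.1 ignored, only 203.0.113.7 is reported: the three failures from 192.168.1.1 are skipped, and 198.51.100.9 has a single failure (the successful public-key login is not a failure at all). Drop 192.168.1.1 from the ignore list and it appears too, which is exactly the lock-out ignoreip is there to prevent.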


How to get Free Bitcoins from Bitcoin Faucet

Good news for those looking to get their hands on Bitcoins: besides setting up a mining rig, one can get free bitcoin from Bitcoin Faucet, a website dedicated to handing out free bitcoin.

What you need is a Bitcoin receiving address, obtained by registering an account with either MyBitcoin, MTGox, or Vekja.

Additionally, you may donate your excess bitcoin to the Faucet in order to share it with the rest of the world.

p/s: Don’t be surprised if the amount you received is minuscule, hey — it’s free !