Port knocking script implemented at the TCP level. Includes the remoteip.c
source code in case your (x)inetd does not define the REMOTE_IP environment
variable. Best used with the fire alarm script below.
Email me if you are implementing this and you have questions.
Emergency alarm for hostile network probes. Includes the localport.c source
code. If you are using with port knocking, then uncomment the blacklist.
Email me if you are implementing this and you have questions.
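As an added example (not the page's knock or fire-alarm script), here is the state machine the two scripts implement, in POSIX shell: each xinetd service on a knock port runs `knock` with the client address (REMOTE_IP, as the page describes) and the port that service listens on; a hit on a port no legitimate client should touch runs `probe_alarm`, which blacklists the source so it can never complete a sequence. The knock sequence, the state directory and the iptables lines are illustrative assumptions, and the firewall commands are printed rather than executed unless FW is changed.

```shell
#!/bin/sh
# Added example, not the page's port-knocking or fire-alarm script.
# Per-client knock state lives in one file per address under STATE_DIR;
# a client that knocks out of order starts over, and an address on the
# blacklist never progresses. KNOCK_SEQ and the iptables lines are assumed.

KNOCK_SEQ="${KNOCK_SEQ:-7000 8000 9000}"   # assumed secret knock sequence
STATE_DIR="${STATE_DIR:-/tmp/knock.state}"
FW="${FW:-echo}"                            # FW=sudo (or empty) to really run iptables

# knock IP PORT -> prints progress | open | reset | blacklisted
knock() {
    ip=$1; port=$2
    mkdir -p "$STATE_DIR"
    if [ -f "$STATE_DIR/blacklist" ] && grep -qx "$ip" "$STATE_DIR/blacklist"; then
        echo blacklisted; return 0
    fi
    sf="$STATE_DIR/$ip"
    n=0
    if [ -f "$sf" ]; then n=$(cat "$sf"); fi
    want=$(echo "$KNOCK_SEQ" | awk -v i=$((n + 1)) '{ print $i }')
    total=$(echo "$KNOCK_SEQ" | awk '{ print NF }')
    if [ "$port" != "$want" ]; then
        rm -f "$sf"; echo reset; return 0          # wrong port: start over
    fi
    n=$((n + 1))
    if [ "$n" -lt "$total" ]; then
        echo "$n" > "$sf"; echo progress; return 0
    fi
    rm -f "$sf"                                    # full sequence: open the service
    $FW iptables -I INPUT -s "$ip" -p tcp --dport 22 -j ACCEPT >&2
    echo open
}

# probe_alarm IP -> blacklists the source of a hostile probe and drops it
probe_alarm() {
    ip=$1
    mkdir -p "$STATE_DIR"
    echo "$ip" >> "$STATE_DIR/blacklist"
    rm -f "$STATE_DIR/$ip"
    $FW iptables -I INPUT -s "$ip" -j DROP >&2
    echo blacklisted
}

# Under xinetd each knock-port service would run: knock "$REMOTE_IP" <its port>
if [ -n "${DEMO:-}" ]; then
    for p in $KNOCK_SEQ; do knock "${REMOTE_IP:-192.0.2.10}" "$p"; done
fi
```

The state file is the only thing shared between the separate xinetd invocations, which is why it is keyed by address; a real deployment would also expire stale state files so a half-finished sequence does not stay valid forever.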
Encrypted file transfer server - wrap network tar in TLS with stunnel, launched from inetd.
A two minute delay will be imposed by s_client after your upload file transfer
A statically-linked tar binary must be placed in /home/tarjail/sbin - the
busybox version works well, but compiling a tar with -static is likely safer.
Access control is set with the verify=3/CAfile options (stunnel's verify level 3
accepts only client certificates that are themselves present in CAfile) - remove
these and control with tcpd/hosts.deny for simpler address filtering if safety can be
relaxed. The example illustrates the receiving server on port 5000, and the
sending server on port 5001. Do not enable compression on tar (or in stunnel):
compressing data that mixes attacker-influenced and secret content before it is
encrypted is the basis of the CRIME attack on TLS.
File transfer client written in GNU AWK. Transfer text files to a remote
web page that accepts RFC 1867 form-based file upload (a multipart/form-data POST). Please
note that binary files cannot be transferred, and all files will be read
into memory prior to processing (so don't use this on anything large).
Script to run SSH commands over a collection of hosts using a
password-protected private key that is cached during the lifetime of the script
in an SSH agent. Setting the "ARTANO=PARALLEL" environment variable will cause
all of the commands to be issued as background jobs with their logs appended in
/tmp (useful with time-sensitive activities, or if you require independent
server logging). Options are passed to SSH for
port forwarding to a yum proxy - modify the -R flag to your tastes.
Examples are included in the commentary on key generation and patch maintenance.
RMAN backups for Oracle databases, with options for several related
activities (stats, logminer dictionary, control file trace, etc.).
Shell functions to parse the .netrc file and set FTP_SRVR, FTP_USER, and
FTP_PWD shell variables. Sometimes, the ftp binary will not properly
recognize the .netrc file when the parent script is executed via sudo or su -c.
Nobody should be using ftp anymore, but for those with problem customers, this
can be quite helpful.
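Added example (not the page's shell functions), in POSIX shell around awk: read the .netrc entry for one host and export FTP_SRVR, FTP_USER and FTP_PWD, which is what a script needs when ftp, run under sudo or su -c, no longer finds the right $HOME/.netrc. The optional file argument is an assumption so the function can be pointed at a specific file; the entries used in the usage are constructed.

```shell
#!/bin/sh
# Added example, not the page's shell functions. .netrc is a token stream:
# "machine HOST login USER password PW", entries may span lines, "default"
# matches any host, and a "macdef NAME" block runs to the next blank line.

# netrc_lookup HOST [FILE] -> exports FTP_SRVR, FTP_USER, FTP_PWD; returns 1 if no entry
netrc_lookup() {
    host=$1; file=${2:-$HOME/.netrc}
    [ -r "$file" ] || return 1
    # ftp ignores a password in a .netrc that others can read; warn the same way
    case $(ls -l "$file" | cut -c5-10) in
        *[rwx]*) echo "warning: $file is group/world accessible" >&2 ;;
    esac
    vals=$(awk -v want="$host" '
        in_macro && NF == 0 { in_macro = 0; next }   # blank line ends a macdef
        in_macro            { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "macdef") { in_macro = 1; break }
                tok[++n] = $i
            }
        }
        END {
            m = ""
            for (i = 1; i <= n; i++) {
                if      (tok[i] == "machine")  m = tok[++i]
                else if (tok[i] == "default")  m = "default"
                else if (tok[i] == "login")    login[m] = tok[++i]
                else if (tok[i] == "password") pw[m] = tok[++i]
            }
            if (want in login)           m = want
            else if ("default" in login) m = "default"
            else exit 1
            printf "%s\t%s\t%s\n", want, login[m], pw[m]
        }' "$file") || return 1
    FTP_SRVR=$(printf '%s\n' "$vals" | cut -f1)
    FTP_USER=$(printf '%s\n' "$vals" | cut -f2)
    FTP_PWD=$(printf '%s\n' "$vals" | cut -f3)
    export FTP_SRVR FTP_USER FTP_PWD
}

# Usage: netrc_lookup ftp.example.com && ftp -n "$FTP_SRVR"   (then "user $FTP_USER $FTP_PWD")
```

Note that exporting FTP_PWD puts the password into the environment of every child process, which is exactly the exposure discussed later on this page under the smbclient script; keep it in a function-local variable and feed it to ftp on standard input where you can.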
Script to randomize your MAC address. Uncomment your desired tool
ip link) and set the desired
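Added example (not the page's script): the part of MAC randomization that is easy to get wrong is the first octet, whose low two bits mark the address as locally administered (bit 1 set) and unicast (bit 0 clear). This POSIX shell generates such an address from /dev/urandom and prints the ip link commands for it; the interface name is a placeholder and nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not the page's script. A randomized MAC must have the
# locally-administered bit set and the multicast bit clear in its first
# octet (binary xxxxxx10), or switches and drivers may reject it.

# random_mac -> prints a colon-separated address such as a6:3f:..:..:..:..
random_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    b=$(( (0x$1 | 0x02) & 0xfe ))      # set local bit, clear multicast bit
    printf '%02x:%s:%s:%s:%s:%s\n' "$b" "$2" "$3" "$4" "$5" "$6"
}

# mac_is_local_unicast MAC -> 0 when the first octet has bit1 set and bit0 clear
mac_is_local_unicast() {
    first=$(( 0x$(printf '%s' "$1" | cut -d: -f1) ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# set_mac IFACE MAC -> prints the ip link commands; runs them only when APPLY=1
set_mac() {
    for cmd in "ip link set dev $1 down" "ip link set dev $1 address $2" "ip link set dev $1 up"; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then $cmd; fi
    done
}

# Usage (prints only): set_mac eth0 "$(random_mac)"
```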
Run an Oracle SQL command on several databases in succession (useful in scanning
for user accounts or creating/dropping them, collecting data for audits, etc.).
Your shell must handle arrays (the busybox version of bash doesn't).
This assembles a full TNS descriptor that does not use onames/ldap, so you must
know the SID, IP address and port number of all of your target instances.
Example call might be: ./sqlstorm-ora.sh "select count(*) from dba_users;" SCOTT TIGER
Run a SQL statement against a Microsoft SQL Server or Sybase ASE.
Requires SQSH and FreeTDS for maximum compatibility. Use a local interface
file with the connection details for all the target servers.
Example call might be: ./sqlstorm-tds.sh "select count(*) from sysusers" sa sa
Oracle7-style backups with awk. Lately, this script seems to work better with
Brian Kernighan's "One True Awk" than it does with the GNU version.
Joins the Linux "top" report with Oracle's v$session and v$process tables,
providing visibility of remote users of your machine.
Oracle7-style backups, generated directly from sqlplus (pl/sql). Resulting
script must be under a megabyte.
Force new database passwords to be at least 14 characters, and include letters,
numbers, and allowed symbols (#$_).
Print random passwords, guaranteed to include a letter, a number,
and the underscore symbol (_).
Does not contain zero or the letter "O" for clarity.
Runs under any of the busybox shells, mksh, bash, Ubuntu dash, and also under
Windows with a libressl binary.
This is useful for account creation and password resets.
The script generates two passwords,
a 14 character password appropriate for a user's initial login,
and a maximum-length 30-character password for a service account.
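Added example serving both the password-policy entry and the generator entry above (it is not either of the page's scripts): a POSIX shell generator that gives the guarantees described (14 or 30 characters, at least one letter, one digit and an underscore, never "0" or capital "O") beside a checker with the same rules the page's database policy enforces (at least 14 characters, letters, digits, and no symbols other than # $ _). It draws randomness from /dev/urandom with tr rather than openssl, which is an assumption made so it runs wherever POSIX tools exist.

```shell
#!/bin/sh
# Added example, not the page's scripts: random password generator plus a
# checker for the policy described above (>= 14 chars, letters, digits,
# symbols limited to # $ _). Randomness comes from /dev/urandom via tr.
LC_ALL=C; export LC_ALL

ALPHA='ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'   # no capital O
DIGITS='123456789'                                              # no zero

# rand_chars SET N -> N random characters drawn from SET
rand_chars() {
    tr -dc "$1" < /dev/urandom | head -c "$2"
}

# gen_password LEN -> a password that always passes check_password
gen_password() {
    len=$1
    # one guaranteed letter, digit and underscore; the rest from all three classes
    body=$(rand_chars "${ALPHA}${DIGITS}_" $((len - 3)))
    raw="$(rand_chars "$ALPHA" 1)$(rand_chars "$DIGITS" 1)_${body}"
    # Fisher-Yates shuffle so the guaranteed characters do not always lead
    printf '%s\n' "$raw" | fold -w1 | awk -v seed="$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')" '
        BEGIN { srand(seed) }
        { c[NR] = $0 }
        END {
            for (i = NR; i > 1; i--) { j = int(rand() * i) + 1; t = c[i]; c[i] = c[j]; c[j] = t }
            for (i = 1; i <= NR; i++) printf "%s", c[i]
            print ""
        }'
}

# check_password PW -> prints "ok" and returns 0, or the failing rule and returns 1
check_password() {
    pw=$1
    [ ${#pw} -ge 14 ] || { echo "too short"; return 1; }
    case $pw in *[A-Za-z]*) ;; *) echo "no letter"; return 1 ;; esac
    case $pw in *[0-9]*)    ;; *) echo "no digit";  return 1 ;; esac
    case $pw in *[!A-Za-z0-9#\$_]*) echo "disallowed symbol"; return 1 ;; esac
    echo ok
}

# Usage: DEMO=1 sh thisfile  -> an initial-login password and a service-account password
if [ -n "${DEMO:-}" ]; then
    gen_password 14
    gen_password 30
fi
```

Generating the guaranteed characters separately and then shuffling is what makes the "at least one of each" promise hold without retry loops; rejection sampling (generate, check, repeat) also works but is harder to reason about in a script that must run under several shells.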
Flat file public-key cryptography with the OpenSSL command line tool. Hard link
the script to the relevant names (it selects encrypt or decrypt from the name it
was called by), then call it on a bundle. Requires a relevant key and password.
For older openssl, change -sha256 to -sha1, accepting that SHA-1 is no longer
collision resistant and should be used only where SHA-256 is unavailable.
Compare RSA key sizes to equivalent symmetric algorithms using a General Number
Field Sieve as previously used by NIST. Examples in the commentary.
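Added example (not the page's script): the comparison carried through in POSIX shell with awk, using the usual General Number Field Sieve work-factor estimate for an n-bit RSA modulus, s = (1.923 * cbrt(n ln 2) * (ln(n ln 2))^(2/3) - 4.69) / ln 2, which is the form behind the NIST comparable-strength table; that the page's script uses exactly these constants is an assumption. NIST's table rounds the results to the familiar 80/112/128/192/256 for 1024/2048/3072/7680/15360-bit moduli, and the raw formula lands within a few bits of those.

```shell
#!/bin/sh
# Added example, not the page's script. GNFS strength estimate for RSA:
#   s = (1.923 * cbrt(n ln 2) * (ln(n ln 2))^(2/3) - 4.69) / ln 2
# The constants 1.923 and 4.69 are the standard GNFS calibration that the
# NIST comparison is based on (stated as an assumption about the page's script).

# rsa_equiv_bits N -> symmetric-equivalent strength, in bits, of an N-bit RSA modulus
rsa_equiv_bits() {
    awk -v n="$1" 'BEGIN {
        ln2 = log(2); x = n * ln2
        cbrt = exp(log(x) / 3)                 # cube root of n ln 2
        lnpow = exp(2 * log(log(x)) / 3)       # (ln(n ln 2))^(2/3)
        s = (1.923 * cbrt * lnpow - 4.69) / ln2
        printf "%.0f\n", s
    }'
}

# rsa_bits_for_strength S -> smallest modulus (stepping by 256 bits) reaching S bits
rsa_bits_for_strength() {
    n=512
    while [ "$(rsa_equiv_bits "$n")" -lt "$1" ]; do n=$((n + 256)); done
    echo "$n"
}

# Usage: DEMO=1 sh thisfile
if [ -n "${DEMO:-}" ]; then
    for n in 1024 2048 3072 4096 7680 15360; do
        printf '%5d-bit RSA ~ %3d-bit symmetric\n' "$n" "$(rsa_equiv_bits "$n")"
    done
fi
```

The second function answers the question practitioners actually ask ("how big a key for 112-bit strength?"); because the estimate for 2048 bits comes out just under 112, the literal answer is one step larger than the 2048 NIST publishes after rounding, which is why tables rather than raw formulas are used in policy documents.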
Example stunnel configuration to wrap the rsync protocol in TLS encryption.
Linux startup/shutdown script for your Oracle database(s). In the filename of
the script, replace "orcl" with the name of the SID that you would like to
Make hard/soft links with different names to control different SIDs, all using
the same physical script. Assumes that your database SIDs and home directories
are documented in /etc/oratab. When shutting down a database, the script will
kill all database connections that are marked with LOCAL=NO, so the PMON
does not cause shutdown delays. Should be run as root.
DDL extractor (Korn shell script).
Useful for moving tables with LONG columns
(or moving any tables at all in v7, which lacks "ALTER TABLE MOVE").
Uses import/export to get table and index definitions,
then SQL to get grants, triggers, and comments. It will not extract views
(as they are not dropped when the table is dropped), and it will not disable
any foreign key constraints. Best if the script is saved as "ADDLE" (for
clarity of directory listings).
File transfer via sftp where the remote file size is checked against local
and resent on any difference. Assumes ssh login without a password is in place,
either through an agent or an unencrypted (passphrase-less) private key. A limit of 500 transfers is enforced to
prevent runaway cron jobs. Uses "coprocesses" from the Korn shell.
Minimal script to print a file on a Windows printer using smbclient.
Uses awk to add carriage returns using a named pipe (easily changed to enscript
Pulls settings from the environment, and prompts for missing credentials.
Remove "-e -mSMB3" if you can't support encryption over the latest protocol.
Beware systems that expose environment variables to unrelated processes -
under Linux, any process running as the same user (or as root) can read passwords
exported by a user's shell from /proc/<pid>/environ of every child process
(Solaris is also problematic).
Convert the log-output from the Oracle export utility into SELECT statements
to check that rowcounts match in newly-imported tables. Rowcounts from the
export utility should be captured with "2>&1 | tee exp.log" - afterwards,
run "checkrowcounts.awk exp.log" and pipe the output into sqlplus. Check for
the @ character in the output ("fgrep @") to see problem tables.
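Added example (not the page's checkrowcounts.awk): the same conversion as a shell function around awk. It reads the classic exp log lines (". about to export OWNER's tables ..." to learn the owner, ". . exporting table NAME N rows exported" for each table) and emits one SELECT per table; the shape of the SQL, a CASE that prefixes any mismatch with "@", is my choice so that "fgrep @" on the sqlplus output lists the problem tables as described above. The sample log in the usage is constructed.

```shell
#!/bin/sh
# Added example, not the page's checkrowcounts.awk. Converts exp log lines
# into row-count checks for sqlplus; mismatched tables are reported with a
# leading "@" so they can be found with fgrep.

# rowcount_sql LOGFILE -> SQL on stdout, one SELECT per exported table
rowcount_sql() {
    awk -v q="'" '
        BEGIN { print "set heading off feedback off pagesize 0 linesize 200" }
        # ". about to export SCOTT'"'"'s tables via Conventional Path ..."
        /^\. about to export / { owner = $5; sub(q "s$", "", owner); next }
        # ". . exporting table                            EMP         14 rows exported"
        /^\. \. exporting table/ && $NF == "exported" {
            table = $5; rows = $(NF - 2)
            name = owner "." table
            printf "select case when count(*) = %s then %s%s ok%s else %s@%s expected %s found %s || count(*) end from %s;\n",
                   rows, q, name, q, q, name, rows, q, name
        }
        END { print "exit" }
    ' "$1"
}

# Usage after an export captured with "2>&1 | tee exp.log":
#   rowcount_sql exp.log | sqlplus -s user/pw@newdb | fgrep @
```

Partitioned tables log ". . exporting partition" lines instead, which this version deliberately ignores; their totals would need to be summed per table before the comparison makes sense.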
Verify the structural integrity of all tables and indexes in your Oracle
database. Running the script will produce a
script with all of your owner.tables explicitly listed (edit to taste).
This is useful for disaster recovery testing to verify the quality of
your backups and/or standby server. If you detect ORA-26040 errors, then
NOLOGGING DML operations have likely impacted objects - if this isn't
intentional and the objects are needed, consider FORCE LOGGING.
This can also be detected with Oracle's DBVERIFY utility, but converting
from file#/block# to owner.table/index is tedious, and this report is
easier to grasp. Note this will take a long time - DBVERIFY is faster,
but it can report false positives.
Notes on otop (the top / v$session report listed above):
- Written for GNU awk.
- You must define $LOGNAME and $DB_PWD, and these credentials must have
visibility for the relevant tables.
- Calling "otop m" will sort by memory rather than CPU usage.
- One top run with unchanged format excepting Oracle's detail lines.
- Pipe it to less (or more).
Utility (requires ksh93) for concealing passwords from ps -ef reports.
Extracts the list of Oracle users from DBA_USERS, and attempts to login to
each account using a password specified at runtime. If no password is
specified, it attempts to login with a password that is the same as the
Generic script for sending electronic mail with gawk. Supply recipient, sender,
and subject as the first three command line arguments. Email body will be
concatenated from STDIN and any further files specified as arguments.
be specified (even if null) if any body text comes from files as arguments.
Requires (functional) gawk network extensions (Cygwin on Windows works,
but mingw does not).
Variant of awkmail that forces a monospace font via the HTML PREformat tag.
Useful for mail clients that render raw email messages in times roman.
PHP port of the awkmail script, using the later sockets implementation.
Oracle alert log scanner. Brute force approach, written in awk. Requires the
gnu date utility. Details in the script.
Revised alert log scanner, using GNU AWK's time extensions. Slightly different
For Oracle databases where the audit trail is set to generate OS files, this awk
script will perform a case-insensitive search of the audit data, and generate
an HTML-formatted tabular report. You should generate the Oracle
audit action codes as detailed in the script, and an "exhaustive" list of 10g
return codes is linked here.
Shrink all your rollback segments.
List all datafiles for tablespaces that are over 90% full.
Web interface for dbms_sqltune - pass it a sql_id and get Oracle's report.
Minimal SHA256 digest reporting, for older OS environments that do not include
it. Requires library code specified in the source.
Get the banner messages for telnet, mail, ftp, and ssh for a collection of
hosts, which can be useful
for a cursory network security scan. In general, banner messages should
be modified to remove version number information. OS "fingerprinting" under the
nmap utility might also be useful for network OS profiles.
An interesting list of hosts
in an Oracle environment can be obtained from an "Onames" server with:
namesctl dump_tnsnames list.txt
Remove the hostnames from the output and call the script thus (STDERR is noisy
and is ignored below):
/path/to/bannerscan.bash < hostlist.txt 2>/dev/null
Create an 8i database using LMTs for everything (including rollback).
This script must be edited (change SID, datafile locations). The init.ora
must also have "compatible = 8.1.0" to use these features.
Create a 9i database.
This script must be edited (change SID, datafile locations). The init.ora
must also have UNDO settings
in place (undo_management=auto, undo_tablespace=undo,
undo_retention=86400), and the "compatible" parameter
must be set to at least "9.0.0"
("9.2.0" may be a better choice).
This has all the features of the 9i creation script above, plus it creates
the new, mandatory SYSAUX tablespace.
This script applies archived logs to a standby server only after they are
12 hours old, then moves the used log to a separate directory.
Allows you to "alter standby database open read only" and examine your data
from 12 hours in the past (which is useful if you cannot flashback because
you aren't using UNDO). The logs must be in chronological order - if a
log is transferred without preserving the file modification time, the script
will not apply it properly, requiring manual intervention.
Helpful security steps, gained from past exposure to audits and automated
Bare-bones procedure to save the first 2,000 characters of a web page with
UTL_FILE. This usually forms the core of some batch mechanism to access either
a local shell or remote systems via an intermediate web server. The UTL_FILE_DIR
init.ora parameter must be defined, and the directory parameter passed must
be authorized with it.
Oracle's to_number function returns ORA-01722: invalid number upon finding
non-numeric characters in a string. This function will return NULL when
such characters are found, and otherwise will perform the to_number.
Script for root to set a user's account to a random password and force a
password change at first login (similar to
Check if the local IP address has changed for Dynamic DNS provided by ZoneEdit.
Uses the "upnpc" utility to check the local router's external IP address,
the dig utility to find a host's current dynamic IP, and issues a wget to update
ZoneEdit if they differ.
Reporting for MAC and IP address from xinetd on a Linux system. Useful in
a server farm or large Linux thin client deployment to identify systems.
Script to combine data from MS SQL Server and Oracle. Requires a login shell
capable of "here documents" in the Bourne style (tricky on Windows). Uses
separate delimiter styles, and reads all contents into memory for gawk-style sorting
(not appropriate for large result sets).
Excel spreadsheets, when pasted into a text editor, become
tab-separated-value files. This script for GNU sed will convert them into
HTML tables, in a format that is compatible with
Script to extract and cleanly display a table from a CTLIB server,
such as Microsoft SQL Server or Sybase Adaptive Server/Enterprise.
The table needs at least one row of data to display properly.
Korn shell script using Motif/X-Windows extensions to present a dialog box with a file
selector. A shell command is passed to the script which is executed upon the selected
file when the user confirms. See the script for example uses.
Convert FLAC files to mp3 format. This assumes that you have all album tracks
with no gaps.
For DOS/Windows users, make sure the paths
to the flac and lame binaries are correct, then pipe a sorted list of the FLAC
files to the script, like so:
dir /b *.flac | gawk -f flac2mp3.awk "Name of Artist" "Title of Album"