Port knocking script implemented at the TCP level. Includes the remoteip.c source code in case your (x)inetd does not define the REMOTE_IP environment variable. Best used with the fire alarm script below. Email me if you are implementing this and you have questions.

Emergency alarm for hostile network probes. Includes the localport.c source code. If you are using with port knocking, then uncomment the blacklist. Email me if you are implementing this and you have questions.


Encrypted file transfer server - wrap network tar in TLS with stunnel, launched from inetd. A two minute delay will be imposed by s_client after your upload file transfer is complete. A statically-linked tar binary must be placed in /home/tarjail/sbin - the busybox version works well, but compiling a tar with -static is likely safer. Access control is set with the verify=3/CAfile options - remove these and control with tcpd/hosts.deny for simpler address filtering if safety can be relaxed. The example illustrates the receiving server on port 5000, and the sending server on port 5001. Do not enable any compression options on tar, due to the CRIME attack on TLS.


File transfer client written in GNU AWK. Transfer text files to a remote web page that implements the RFC-1867 protocol. Please note that binary files cannot be transferred, and all files will be read into memory prior to processing (so don't use this on anything large).

Script to run SSH commands over a collection of hosts using a password-protected private key that is cached during the lifetime of the script in an SSH agent. Setting the "ARTANO=PARALLEL" environment variable will cause all of the commands to be issued as background jobs with their logs appended in /tmp (useful with time-sensitive activities, or if you require independent server logging). Options are passed to SSH for port forwarding to a yum proxy - modify the -R flag to your tastes. Examples are included in the commentary on key generation and patch maintenance.


RMAN backups for Oracle databases, with options for several related activities (stats, logminer dictionary, control file trace, etc.).

Shell functions to parse the .netrc file and set FTP_SRVR, FTP_USER, and FTP_PWD shell variables. Sometimes, the ftp binary will not properly recognize the .netrc file when the parent script is executed via sudo or su -c. Nobody should be using ftp anymore, but for those with problem customers, this can be quite helpful.


Script to randomize your MAC address. Uncomment your desired tool (ifconfig or ip link) and set the desired device.

Run an Oracle SQL command on several databases in succession (useful in scanning for user accounts or creating/dropping them, collecting data for audits, etc.). Your shell must handle arrays (the busybox version of bash doesn't). This assembles a full TNS descriptor that does not use onames/ldap, so you must know the SID, IP address and port number of all of your target instances.
Example call might be: ./ "select count(*) from dba_users;" SCOTT TIGER

Run a SQL statement against a Microsoft SQL Server or Sybase ASE. Requires SQSH and FreeTDS for maximum compatibility. Use a local interface file with the connection details for all the target servers.
Example call might be: ./ "select count(*) from sysusers" sa sa


Oracle7-style backups with awk. Lately, this script seems to work better with Brian Kernighan's "One True Awk" than it does with the GNU version.


Joins the Linux "top" report with Oracle's v$session and v$process tables, providing visibility of remote users of your machine.


Oracle7-style backups, generated directly from sqlplus (pl/sql). Resulting script must be under a megabyte.


Force new database passwords to be at least 14 characters, and include letters, numbers, and allowed symbols (#$_).

Print random passwords, guaranteed to include a letter, a number, and the underscore symbol (_). Does not contain zero or the letter "O" for clarity. Runs under any of the busybox shells, mksh, bash, Ubuntu dash, and also under Windows with a libressl binary. This is useful for account creation and password resets. The script generates two passwords, a 14 character password appropriate for a user's initial login, and a maximum-length 30-character password for a service account.

Flat file public-key cryptography with the OpenSSL command line tool. Hard link the script to the relevant names, then call to encrypt or decrypt a bundle. Requires a relevant key and password. For older openssl, change -sha256 to -sha1.

RSA-gnfs.bc RSA-NIST.bc

Compare RSA key sizes to equivalent symmetric algorithms using a General Number Field Sieve as previously used by NIST. Examples in the commentary.


Example stunnel configuration to wrap the rsync protocol in TLS encryption.


Linux startup/shutdown script for your Oracle database(s). In the filename of the script, replace "orcl" with the name of the SID that you would like to control. Make hard/soft links with different names to control different SIDs, all using the same physical script. Assumes that your database SIDs and home directories are documented in /etc/oratab. When shutting down a database, the script will kill all database connections that are marked with LOCAL=NO, so the PMON does not cause shutdown delays. Should be run as root.


DDL extractor (Korn shell script). Useful for moving tables with LONG columns (or moving any tables at all in v7, which lacks "ALTER TABLE MOVE"). Uses import/export to get table and index definitions, then SQL to get grants, triggers, and comments. It will not extract views (as they are not dropped when the table is dropped), and it will not disable any foreign key constraints. Best if the script is saved as "ADDLE" (for clarity of directory listings).


File transfer via sftp where the remote file size is checked against local and resent on any difference. Assumes ssh login without a password is in place, either with an agent or an open key. A limit of 500 transfers is enforced to prevent runaway cron jobs. Uses "coprocesses" from the Korn shell.


Minimal script to print a file on a Windows printer using smbclient. Uses awk to add carriage returns using a named pipe (easily changed to enscript or a2ps). Pulls settings from the environment, and prompts for missing credentials. Remove "-e -mSMB3" if you can't support encrypion over the latest protocol. Beware systems that expose environment variables to unrelated processes - under Linux, /proc will show passwords exported by a user's shell in all child processes (Solaris is also problematic).


Convert the log-output from the Oracle export utility into SELECT statements to check that rowcounts match in newly-imported tables. Rowcounts from the export utility should be captured with "2>&1 | tee exp.log" - afterwards, run "checkrowcounts.awk exp.log" and pipe the output into sqlplus. Check for the @ character in the output ("fgrep @") to see problem tables.


Verify the structural integrity of all tables and indexes in your Oracle database. Running the script will produce a valcas.sql script with all of your owner.tables explicitly listed (edit to taste). This is useful for disaster recovery testing to verify the quality of your backups and/or standby server. If you detect ORA-26040 errors, then NOLOGGING DML operations have likely impacted objects - if this isn't intentional and the objects are needed, consider FORCE LOGGING. This can also be detected with Oracle's DBVERIFY utility, but converting from file#/block# to owner.table/index is tedious, and this report is easier to grasp. Note this will take a long time - DBVERIFY is faster, but it can report false positives.


Utility (requires ksh93) for concealing passwords from ps -ef reports.

Extracts the list of Oracle users from DBA_USERS, and attempts to login to each account using a password specified at runtime. If no password is specified, it attempts to login with a password that is the same as the username.


Generic script for sending electronic mail with gawk. Supply recipient, sender, and subject as the first three command line arguments. Email body will be concatenated from STDIN and any further files specified as arguments. Subject MUST be specified (even if null) if any body text comes from files as arguments. Requires (functional) gawk network extensions (Cygwin on Windows works, but mingw does not).


Variant of awkmail that forces a monospace font via the HTML PREformat tag. Useful for mail clients that render raw email messages in times roman.


PHP port of the awkmail script, using the later sockets implementation.


Oracle alert log scanner. Brute force approach, written in awk. Requires the gnu date utility. Details in the script.


Revised alert log scanner, using GNU AWK's time extensions. Slightly different syntax.


For Oracle databases where the audit trail is set to generate OS files, this awk script will perform a case-insensitive search of the audit data, and generate an HTML-formatted tabular report. You should generate the Oracle audit action codes as detailed in the script, and an "exhaustive" list of 10g return codes is linked here.


Shrink all your rollback segments.


List all datafiles for tablespaces that are over 90% full.


Web interface for dbms_sqltune - pass it a sql_id and get Oracle's report.


Minimal SHA256 digest reporting, for older OS environments that do not include it. Requires library code specified in the source.


Get the banner messages for telnet, mail, ftp, and ssh for a collection of hosts, which can be useful for a cursory network security scan. In general, banner messages should be modified to remove version number information. OS "fingerprinting" under the nmap utility might also be useful for network OS profiles. An interesting list of hosts in an Oracle environment can be obtained from an "Onames" server with:
namesctl dump_tnsnames list.txt
Remove the hostnames from the output and call the script thus (STDERR is noisy and is ignored below):
/path/to/bannerscan.bash < hostlist.txt 2>/dev/null


Create an 8i database using LMTs for everything (including rollback). This script must be edited (change SID, datafile locations). The init.ora must also have "compatible = 8.1.0" to use these features.


Create a 9i database. This script must be edited (change SID, datafile locations). The init.ora must also have UNDO settings in place (undo_management=auto, undo_tablespace=undo, undo_retention=86400), and the "compatible" parameter must be set to at least "9.0.0" ("9.2.0" may be a better choice).


This has all the features of the 9i creation script above, plus it creates the new, mandatory SYSAUX tablespace.


This script applies archived logs to a standby server only after they are 12 hours old, then moves the used log to a separate directory. Allows you to "alter standby database open read only" and examine your data from 12 hours in the past (which is useful if you cannot flashback because you aren't using UNDO). The logs must be in chronological order - if a log is transfered without preserving the file modification time, the script will not apply it properly, requiring manual intervention.


Helpful security steps, gained from past exposure to audits and automated security scanners.


Bare-bones procedure to save the first 2,000 characters of a web page with UTL_FILE. This usually forms the core of some batch mechanism to access either a local shell or remote systems via an intermediate web server. The UTL_FILE_DIR init.ora parameter must be defined, and the directory parameter passed must be authorized with it.


Oracle's to_number function returns ORA-01722: invalid number upon finding non-numeric characters in a string. This function will return NULL when such characters are found, and otherwise will perform the to_number.

Script for root to set a user's account to a random password and force a password change at first login (similar to /usr/lbin/modprpw -x from HP-UX).

Check if the local IP address has changed for Dynamic DNS provided by ZoneEdit. Uses the "upnpc" utility to check the local router's external IP address, the dig utility to find a host's current dynamic IP, and issues a wget to update ZoneEdit if they differ.

CAMAC (inetd)

Reporting for MAC and IP address from xinetd on a Linux system. Useful in a server farm or large Linux thin client deployment to identify systems.


Script to combine data from MS SQL Server and Oracle. Requires a login shell capable of "here documents" in the Bourne style (tricky on Windows). Uses separate delimiter styles, and reads all contents into memory for gawk-style sorting (not appropriate for large result sets).


Excel spreadsheets, when pasted into a text editor, become tabbed-separated-value files. This script for GNU sed will convert them into HTML tables, in a format that is compatible with


Script to extract and cleanly display a table from a CTLIB server, such as Microsoft SQL Server or Sybase Adaptive Server/Enterprise. The table needs at least one row of data to display properly.


Korn shell script using Motif/X-Windows extensions to present a dialog box with a file selector. A shell command is passed to the script which is executed upon the selected file when the user confirms. See the script for example uses.


Convert FLAC files to mp3 format. This assumes that you have all album tracks with no gaps. For DOS/Windows users, make sure the paths to the flac and lame binaries are correct, then pipe a sorted list of the FLAC files to the script, like so:
dir /b *.flac | gawk -f flac2mp3.awk "Name of Artist" "Title of Album"