Port knocking script implemented at the TCP level. Includes the remoteip.c source code in case your (x)inetd does not define the REMOTE_IP environment variable. Best used with the fire alarm script below. Email me if you are implementing this and you have questions.

Emergency alarm for hostile network probes. Includes the localport.c source code. If you are using with port knocking, then uncomment the blacklist. Email me if you are implementing this and you have questions.


Encrypted file transfer server - wrap network tar in TLS with stunnel, launched from inetd. A two minute delay will be imposed by s_client after your upload file transfer is complete. A statically-linked tar binary must be placed in /home/tarjail/sbin - the busybox version works well, but compiling a tar with -static is likely safer. Access control is set with the verify=3/CAfile options - remove these and control with tcpd/hosts.deny for simpler address filtering if safety can be relaxed. The example illustrates the receiving server on port 5000, and the sending server on port 5001. Do not enable any compression options on tar, due to the CRIME attack on TLS.


RMAN backups for Oracle databases, with options for several related activities (stats, logminer dictionary, control file trace, etc.).


Oracle7-style backups with awk. Lately, this script seems to work better with Brian Kernighan's "One True Awk" than it does with the GNU version.


Joins the Linux "top" report with Oracle's v$session and v$process tables, providing visibility of remote users of your machine.


Oracle7-style backups, generated directly from sqlplus (pl/sql). Resulting script must be under a megabyte.


Force new database passwords to be at least 8 characters, and include letters, numbers, and allowed symbols (#$_).

Print a random, 8-character password, guaranteed to include a letter, a number, and the underscore symbol (_). Does not contain zero or the letter "O" for clarity. This is useful for account creation and password resets.

Flat file public-key cryptography with the OpenSSL command line tool. Hard link the script to the relevant names, then call to encrypt or decrypt a bundle. Requires a relevant key and password. For older openssl, change -sha256 to -sha1.


Linux startup/shutdown script for your Oracle database(s). In the filename of the script, replace "orcl" with the name of the SID that you would like to control. Make hard/soft links with different names to control different SIDs, all using the same physical script. Assumes that your database SIDs and home directories are documented in /etc/oratab. When shutting down a database, the script will kill all database connections that are marked with LOCAL=NO, so the PMON does not cause shutdown delays. Should be run as root.


DDL extractor (Korn shell script). Useful for moving tables with LONG columns (or moving any tables at all in v7, which lacks "ALTER TABLE MOVE"). Uses import/export to get table and index definitions, then SQL to get grants, triggers, and comments. It will not extract views (as they are not dropped when the table is dropped), and it will not disable any foreign key constraints. Best if the script is saved as "ADDLE" (for clarity of directory listings).


Convert the log-output from the Oracle export utility into SELECT statements to check that rowcounts match in newly-imported tables. Rowcounts from the export utility should be captured with "2>&1 | tee exp.log" - afterwards, run "checkrowcounts.awk exp.log" and pipe the output into sqlplus. Check for the @ character in the output ("fgrep @") to see problem tables.


Utility (requires ksh93) for concealing passwords from ps -ef reports.

Extracts the list of Oracle users from DBA_USERS, and attempts to login to each account using a password specified at runtime. If no password is specified, it attempts to login with a password that is the same as the username.


Generic script for sending electronic mail with gawk. Reads input file with email addresses in the first field. Several parameters in the script should be changed (SMTP server, local host name, FROM: address, message subject, message body, etc.). Requires (working) gawk network extensions.


Oracle alert log scanner. Brute force approach, written in awk. Requires the gnu date utility. Details in the script.


Revised alert log scanner, using GNU AWK's time extensions. Slightly different syntax.


Shrink all your rollback segments.


List all datafiles for tablespaces that are over 90% full.


Web interface for dbms_sqltune - pass it a sql_id and get Oracle's report.


Get the banner messages for telnet, mail, ftp, and ssh for a collection of hosts, which can be useful for a cursory network security scan. In general, banner messages should be modified to remove version number information. OS "fingerprinting" under the nmap utility might also be useful for network OS profiles. An interesting list of hosts in an Oracle environment can be obtained from an "Onames" server with:
namesctl dump_tnsnames list.txt
Remove the hostnames from the output and call the script thus (STDERR is noisy and is ignored below):
/path/to/bannerscan.bash < hostlist.txt 2>/dev/null


Create an 8i database using LMTs for everything (including rollback). This script must be edited (change SID, datafile locations). The init.ora must also have "compatible = 8.1.0" to use these features.


Create a 9i database. This script must be edited (change SID, datafile locations). The init.ora must also have UNDO settings in place (undo_management=auto, undo_tablespace=undo, undo_retention=86400), and the "compatible" parameter must be set to at least "9.0.0" ("9.2.0" may be a better choice).


This has all the features of the 9i creation script above, plus it creates the new, mandatory SYSAUX tablespace.


This script applies archived logs to a standby server only after they are 12 hours old, then moves the used log to a separate directory. Allows you to "alter standby database open read only" and examine your data from 12 hours in the past (which is useful if you cannot flashback because you aren't using UNDO). The logs must be in chronological order - if a log is transfered without preserving the file modification time, the script will not apply it properly, requiring manual intervention.


Helpful security steps, gained from past exposure to audits and automated security scanners.


Oracle's to_number function returns ORA-01722: invalid number upon finding non-numeric characters in a string. This function will return NULL when such characters are found, and otherwise will perform the to_number.

Script for root to set a user's account to a random password and force a password change at first login (similar to /usr/lbin/modprpw -x from HP-UX).


Script to combine data from MS SQL Server and Oracle. Requires a login shell capable of "here documents" in the Bourne style (tricky on Windows). Uses separate delimiter styles, and reads all contents into memory for gawk-style sorting (not appropriate for large result sets).


Excel spreadsheets, when pasted into a text editor, become tabbed-separated-value files. This script for GNU sed will convert them into HTML tables, in a format that is compatible with


Script to extract and cleanly display a table from a CTLIB server, such as Microsoft SQL Server or Sybase Adaptive Server/Enterprise. The table needs at least one row of data to display properly.


Convert FLAC files to mp3 format. This assumes that you have all album tracks with no gaps. For DOS/Windows users, make sure the paths to the flac and lame binaries are correct, then pipe a sorted list of the FLAC files to the script, like so:
dir /b *.flac | gawk -f flac2mp3.awk "Name of Artist" "Title of Album"