Homepage of Sudhaker Raj

Unless you keep your computer disconnected from a network and under a secure lock; there will always be potentials for security compromise.

This article explains an isolated and much secure MySQL setup layout. The container VPS for “database node” was a centos-5-minimal (centos-5-i386-minimal.tar.gz) and not assigned any IP address for added security. Here is the complete solution.

To install mysql inside “database node”

[root@centos ~]# vzyum 103 install mysql-server -y

The article mentioned at OpenVZ Wiki was helpful in whole planning but I did not like the idea of cron-script.

• Expensive polling! it is a wastage of resources.
• There will be a downtime until next cron-run.

So, I kept on experimenting for better solution. I tried mounting /vz/private/103/var/lib/mysql/ into “web node” but it was not working flawlessly. My following attempt with common shared directory worked like charm.

I created a common shared location /vz/shared and had it mounted as /shared in each VPS using mount script (you must chmod them to 755).

Content of /etc/vz/conf/101.mount (web node)
Content of /etc/vz/conf/102.mount (web node)
Content of /etc/vz/conf/103.mount (database node)

#!/bin/bash
# Mount script to bind-mount /var/something into a VPS
# Suggested by Sudhaker Raj (http://sudhaker.com)

[ -f /etc/vz/vz.conf ] || exit 1
[ -f $VE_CONFFILE ] || exit 1

. /etc/vz/vz.conf
. $VE_CONFFILE

echo -n “Mounting shared directory inside $VEID…”
if [[ -d /vz/shared ]]
then
mkdir -p $VE_ROOT/shared
mount -n –bind /vz/shared $VE_ROOT/shared
echo ” done”
else
echo ” failed”
fi

Next step was to change the mysql socket location from /var/lib/mysql/mysql.sock to /shared/mysql/mysql.sock

Content of /vz/private/101/etc/my.cnf
Content of /vz/private/102/etc/my.cnf
Content of /vz/private/103/etc/my.cnf

[mysqld]
datadir=/var/lib/mysql
#socket=/var/lib/mysql/mysql.sock
socket=/shared/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[client]
socket=/shared/mysql/mysql.sock

And do not forget to make relevant changes into php.ini and other applications using MySQL.

Bingo! Now both “web node” can communicate with the mysql server running inside isolated container as if it was local.

We also need correct permissions so that other processes can access the socket.

[root@vz103 ~]# chmod o+rx /shared/mysql
[root@vz103 ~]# ls -l /shared/
total 8
drwxr-xr-x 2 mysql mysql 4096 Apr 5 15:44 mysql
drwxr-xr-x 2 root root 4096 Apr 3 15:03 tmp

Cheers,
Sudhaker

Unless you keep your computer disconnected from a network and under a secure lock; there will always be potentials for security compromise.

Statement above is not to scare you from connecting your machine to network, but to give you an idea that there is nothing like a “perfectly secured and networked computer”. The best we can do is to harden the security and monitor it actively. Especially when it is a server system running 24×7 and serving your critical data to whole population.

Most part of this article is taken from my setup experience for my first dedicated server, which I tuned for my hosting needs. Thanks to my ISP, they hooked a KVM-IP switch to my box and allowed me to install my own true minimal CentOS with OpenVZ.

After many careful considerations and experiments, I decided to factor my hosting infrastructure into 3 VPS (virtual private server). Two counts of “web node” and one count of “database node” were configured to provide some level of fail-over and high availability.

Both “web node” are totally identical except their IP address. They both has a public IP assigned and run PowerDNS and “Lighttpd + PHP”. PowerDNS is configured for Round robin DNS and will redirect the request to any available “web node”. The “database node” has no IP assigned and provides communication over unix domain socket (or named socket). MySQL can not be reached over TCP hence adding one more layer of security from possible network attack.

Please check followings sub-articles for individual setup details.

• Lighttpd - Lighty setup
• PDNS - PowerDNS with MySQL backend
• MySQL - No network configuration

Cheers,
Sudhaker

My last article on working as non-admin works great in home environment. But it won’t allow access to any network resources (file share, printer, etc) in corporate environment. This happens because local administrator user are not part of Windows domain and so treated as anonymous user.

Following new version of “MyAdmin” AHK (AutoHotkey) script overcomes the problem mentioned above.

; Some default values
LocalAdminGroup = Administrators
; Settings for local administrator
LocalAdminUser = admin
LocalAdminPass = secret
; Settings for normal user
WindowsDomain = domain
NormalUser = user
NormalPass = password
RunTarget = C:\Program Files\ExplorerXP\ExplorerXP.exe
IfExist, %RunTarget%
{
; Add normal user to local admin group
RunAs, %LocalAdminUser%, %LocalAdminPass%
RunWait, NET LOCALGROUP %LocalAdminGroup% %WindowsDomain%\%NormalUser% /ADD, , Hide
RunAs ; Reset to normal behavior.
; Execute target with elevated administrator permissions
RunAs, %NormalUser%, %NormalPass%, %WindowsDomain%
Run, %RunTarget%
; Wait for 200 ms
Sleep, 200
; remove itself from local admin group
RunWait, NET LOCALGROUP %LocalAdminGroup% %WindowsDomain%\%NormalUser% /DELETE, , Hide
RunAs ; Reset to normal behavior.
}
IfNotExist, %RunTarget%
{
MsgBox, Target (i.e. %RunTarget%) does not exist.
}