Archive for the ‘Backup’ Category


mysql databases backup script on cpanel servers

July 23, 2008

Daily mysql backup with 7 days retention period.

root@server1 [~]# cat /scripts/
Time=`date “+%Y.%m.%d-%A”`

yum -y dialog nmap ncurses

mkdir -p $bakdst/$Time

{ for I in 10 20 30 40 50 60 70 80 90 100 ; do
echo $I
sleep 1
echo; } | dialog –gauge ” Starting to backup all databases ” 6 70 0

ls -lhd  $baksrc/*_* | awk {‘print $9}’ | cut -d/ -f5 | grep -v ib_* > /root/mysqldd-list

for db in `cat /root/mysqldd-list` ;

{ for I in 10  50  100 ; do
echo $I
sleep 1
echo; } | dialog –gauge ” Creating backup of $db ” 6 70 0

$dumpdb $db > $bakdst/$Time/$db.sql  2> $bakdst/$Time/error.log

{ for I in 10  50  100 ; do
echo $I
sleep 1
echo; } | dialog –gauge ” Database : $db backup completed  ” 6 70 0

echo ” ……………..  $db backed up on `date “+%Y.%m.%d.%T-%A”`  …………………………

.. ”
sleep 3
echo ” …………….. working on the next db backup ………………………”
sleep 3
echo ” ……………… Taking some rest before that ……………………….”
sleep 3

$dumpdb  mysql > $bakdst/$Time/mysql.sql 2> $bakdst/$Time/error.log

echo ” All Databases backup up successfully to folder $bakdst/$Time/ ”
echo ” Check for any errors at : $bakdst/$Time/error.log ”
wall ” All Databases backup up successfully to folder $bakdst/$Time/ ”
wall ” Check for any errors at : $bakdst/$Time/error.log or the database backup ”
echo ” removing older backups”
sleep 2
echo ” hold on, let me work for 3 to 10 mins”
/usr/bin/find $bakdst -type d -maxdepth 1 -mtime +7 -exec rm -fr {} \;
echo ” …………….. Finishing up the entire process ”
sleep 3
echo ” …………….. Successfully Done ……………………….”
wall ” ***** Note Again **** Check for any errors at : $bakdst/$Time/error.log or the database backup ”
exit 0

root@server1 [~]#

root@server1 [~]# chmod +x /scripts/ ( make the script executable )
root@server1 [~]# /bin/sh /scripts/ (run script to make database backups )

Prevent non-root users from logging

May 9, 2007

Prevent non-root users from logging

Imagine that for some reason (i.e. maintenance tasks) you want to prevent non-root users from logging into the system. The next tip is a very simple way to achieve this goal.

If a file called /etc/nologin exists login will disable the begin of a session in this system. If you put some text into the file, users will be shown this text and their login attempts will be refused.

vi /etc/nologin

Server under maintenance. No access allowed at this moment.


How to install CVS

July 21, 2006


Compile it from source

Download from

$ gunzip cvs-x.x.tar.gz $ tar -xvf cvs-x.x.tar $ cd cvs-x.x/  $ ./configure $ ./make $ su -l (enter password)	#switch user to root # ./make install

check to make certain CVS is installed:

$ which cvs /usr/bin/cvs

Create the cvsroot for a user and master repository:

You can choose to place your cvsroot almost wherever you want. I’ve historically placed it in /home/ to make regular backups easier. You might have your own reasons to place it where you want.

$ su -l # adduser cvs # rm -rf /home/cvs # mkdir /home/cvs

It can be convenient to enable user permissions by creating a ‘cvs’ group in /etc/group, and then adding various users to that group. While adding permissions to the cvsroot directories to the group ‘cvs’.


You need to set the environment variables, so that CVS knows where to find the root library.

$ export CVSROOT=/home/cvs/		#for bash users > setenv CVSROOT '/home/cvs'		#for csh, or tcsh users # this can also be added to /etc/profile for system-wide access

This can also be set automatically upon login by adding a line to your ~/.bashrc file (or whichever stores your shell environment variables).

Check to make sure that it’s set properly:

$ echo $CVSROOT /home/cvs/

As you may have noticed, the CVSROOT variable is set by the client, and not the server. This enables you to easily use multiple CVSROOTs, based on permissions, partitioning, etc.

Remote access:

The CVS slient can also be configured to use a cvsroot on a remote server, and to tunnel through SSH. The remote client needs to have these entered at the command line, or read in from the .bashrc file:

export CVSROOT="user@host.domain.tld:/pathto/cvsroot" export CVS_RSH="/usr/bin/ssh"

All commands should operate as usual, but each will require a password in order to proceed.

Bad CVSROOT error:

A common, and frustrating error to run into while using this method, because it’s not well documented.

cvs checkout: is set for a remote access method but your cvs checkout: CVS executable doesn't support it cvs [checkout aborted]: Bad CVSROOT.

Your problem most likely exists with the client version of the cvs binary. It’s probably version 1.11.1 or previous, upgrading to 1.11.2 should take care of this.


Backup: Using Rsync and SSH

June 10, 2006

Using Rsync and SSH

Keys, Validating, and Automation

This document covers using cron, ssh, and rsync to backup files over a local network or the Internet. Part of my goal is to ensure no user intervention is required when the computer is restarted (for passwords, keys, or key managers).

I like to backup some logging, mail, and configuration information sometimes on hosts across the network and Internet, and here is a way I have found to do it. You’ll need these packages installed:

  • rsync
  • openssh
  • cron (or vixie-cron)

Please note these instructions may be specific to Red Hat Linux versions 7.3, 9, and Fedora Core 3, but I hope they won’t be too hard to adapt to almost any *NIX type OS. The man pages for ‘ssh’ and ‘rsync’ should be helpful to you if you need to change some things (use the “man ssh” and “man rsync” commands).

First, I’ll define some variables. In my explanation, I will be synchronizing files (copying only new or changed files) one way, and I will be starting this process from the host I want to copy things to. In other words, I will be syncing files from /remote/dir/ on remotehost, as remoteuser, to /this/dir/ on thishost, as thisuser.

I want to make sure that ‘rsync’ over ‘ssh’ works at all before I begin to automate the process, so I test it first as thisuser:

$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /this/dir/

and type in remoteuser@remotehost‘s password when prompted. I do need to make sure that remoteuser has read permissions to /remote/dir/ on remotehost, and that thisuser has write permissions to /this/dir/ on thishost. Also, ‘rsync’ and ‘ssh’ should be in thisuser‘s path (use “which ssh” and “which rsync”), ‘rsync’ should be in remoteuser‘s path, and ‘sshd’ should be running on remotehost.

Configuring thishost

If that all worked out, or I eventually made it work, I am ready for the next step. I need to generate a private/public pair of keys to allow a ‘ssh’ connection without asking for a password. This may sound dangerous, and it is, but it is better than storing a user password (or key password) as clear text in the script. And I can put some limitations on what connections made with this key can do. Anyway, I generate the key I will use on thishost (as thisuser):

$ ssh-keygen -t dsa -b 2048 -f /home/thisuser/cron/thishost-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): [press enter here]
Enter same passphrase again: [press enter here]
Your identification has been saved in /home/thisuser/cron/thishost-rsync-key.
Your public key has been saved in /home/thisuser/cron/
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 thisuser@thishost

and now we have a key with no password in the two files mentioned above [1]. Make sure that no other unauthorized user can read the private key file (the one without the ‘.pub’ extension).

This key serves no purpose until we put the public portion into the ‘authorized_keys’ file [2] on remotehost, specifically the one for remoteuser:


I use scp to get the file over to remotehost:

$ scp /home/thisuser/cron/ remoteuser@remotehost:/home/remoteuser/

and then I can prepare things on remotehost.

Configuring remotehost

I ‘ssh’ over to remotehost:

$ ssh remoteuser@remotehost remoteuser@remotehost’s password: [type correct password here] $ echo I am now $USER at $HOSTNAME I am now remoteuser at remotehost

to do some work.

I need to make sure I have the directory and files I need to authorize connections with this key [3]:

$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat >> authorized_keys

Now the key can be used to make connections to this host, but these connections can be from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do), and I don’t want that. I edit the ‘authorized_keys’ file (with vi) and modify the line with ‘’ information on it. I will only be adding a few things in front of what is already there, changing the line from this:

ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap+fG8wjlaY/9t4u
yJNej2Sia70fu3XLHj2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost

to this [4]:

from=”″,command=”/home/remoteuser/cron/validate-rsync” ssh-dss AAAAB3Nza
j2yBgN5cy8arlZ80q1Mcy763RjYGkR/FkLJ611HWIA= thisuser@thishost

where “” is the IP (version 4 [5]) address of thishost, and “/home/remoteuser/cron/validate-rsync” is a script that looks something like this [6] [7]:


echo “Rejected”
echo “Rejected”
echo “Rejected”
echo “Rejected”
echo “Rejected”
echo “Rejected”
rsync\ –server*)
echo “Rejected”

If thishost has a variable address, or shares it’s address (via NAT or something similar) with hosts you do not trust, omit the ‘from=”″,’ part of the line (including the comma), but leave the ‘command’ portion. This way, only the ‘rsync’ will be possible from connections using this key. Make certain that the ‘validate-rsync’ script is executable by remoteuser on remotehost and test it.

PLEASE NOTE: The private key, though now somewhat limited in what it can do (and hopefully where it can be done from), allows the possessor to copy any file from remotehost that remoteuser has access to. This is dangerous, and I should take whatever precautions I deem necessary to maintain the security and secrecy of this key. Some possibilities would be ensuring proper file permissions are assigned, consider using a key caching daemon, and consider if I really need this process automated verses the risk.

ALSO NOTE: Another security detail to consider is the SSH daemon configuration on remotehost. This example focuses on a user (remoteuser) who is not root. I recommend not using root as the remote user because root has access to every file on remotehost. That capability alone is very dangerous, and the penalties for a mistake or misconfiguration can be far steeper than those for a ‘normal’ user. If you do not use root as your remote user (ever), and you make security decisions for remotehost, I recommend either:

PermitRootLogin no


PermitRootLogin forced-commands-only

be included in the ‘/etc/ssh/sshd_config’ file on remotehost. These are global settings, not just related to this connection, so be sure you do not need the capability these configuration options prohibit. [8].


Now that I have the key with no password in place and configured, I need to test it out before putting it in a cron job (which has it’s own small set of baggage). I exit from the ssh session to remotehost and try:

$ rsync -avz -e “ssh -i /home/thisuser/cron/thishost-rsync-key” remoteuser@remotehost:/remote/dir /this/dir/

If this doesn’t work, I will take off the “command” restriction on the key and try again. If it asks for a password, I will check permissions on the private key file (on thishost) and on ‘authorized_keys’ and (on remotehost). If some cryptic ‘rsync’ protocol error occurs mentioning the ‘validate-rsync’ script, I will make sure the permissions on ‘validate-rsync’ (on remotehost) allow remoteuser to read and execute it. Hopefully, it will always just work flawlessly so I never have to extend the troubleshooting information listed here [9].

Cron Job Setup

The last step is the cron script. I use something like this:




because it is easy to modify the bits and pieces of the command line for different hosts and paths. I will usually call it something like ‘rsync-remotehost-backups’ if it contains backups. I test the script too, just in case I carefully inserted an error somewhere.

When I get the script running successfully, I use ‘crontab -e’ to insert a line for this new cron job:

0 5 * * * /home/thisuser/cron/rsync-remotehost-backups

for a daily 5 AM sync, or:

0 5 * * 5 /home/thisuser/cron/rsync-remotehost-backups

for a weekly (5 AM on Fridays). Monthly and yearly ones are rarer for me, so look at “man crontab” or here for advice on those.

Alright! Except for the everyday “keeping up with patches” thing, the insidious “hidden configuration flaws” part, and the unforgettable “total failure of human logic” set of problems, my work here is done. Enjoy!


[1] If remotehost only has SSH1 installed, you may need to use another key type. Instead of ‘dsa’ you will need to use ‘rsa1’. You can use ‘rsa’ instead of ‘dsa’, but it will still only be useful for a SSH2 connection. SSH2 connections are more secure than SSH1 connections, but you’ll have to look elsewhere for the details on that (“man ssh-keygen” and Google).

[2] Some configurations use the file ‘authorized_keys2’ instead of ‘authorized_keys’. Look for “AuthorizedKeysFile” in ‘/etc/ssh/sshd_config’.

[3] If you use a shell other than ‘bash’ (or other bourne compatible shell), like ‘csh’ or ‘tcsh’, the commands listed may not work. Before executing them, start up a ‘bash’ (or ‘sh’, or ‘ksh’, or ‘zsh’) shell using the ‘bash’ (or ‘sh’, or ‘ksh’, or ‘zsh’) command. After completing the commands, you will have to exit the ‘bash’ shell, and then exit the shell your host spawns normally.

[4] Remember not to insert any newlines into the “authorized_keys” file. The key information, and the inserted commands associated with that key, should all be on one line. The key you generate (the nonsensical stuff on the key line) will be different from the one here.

[5] I have seen one host ignore a properly presented IPv4 address and instead see the incoming connection as a IPv6-ish sort of address (“::fff:”). I found the address in ‘/var/log/messages’ on a Fedora Core 3 Linux host, and it does allow connections from that host with the IPv6-ish version in the ‘authorized_keys’ file.

[6] Another option for validation (and more) is the perl script located here:, though it is more complicated.

[7] By the time the ‘validate-rsync’ script runs, a SSH connection has been made with the SSH key you associated with this command in the ‘authorized_keys’ file. The script basically tries to return ‘Rejected’ to anything other than a command that starts with “rsync –server”, which is what rsync over ssh does on the other end of the connection (I found this out by running ‘ps auxw | grep rsync’ on the remote end of the connection after initialing a long running rsync job). The first six ‘Rejected’ lines try to elimate shell symbols that will allow a person to execute more than one command within a session (for example, a short rsync and some naughty command you don’t want running remotely).

[8] “PermitRootLogin no” does what it says: the root user is not allowed to login via SSH. “PermitRootLogin forced-commands-only” requires that all connections, via SSH as root, need to use public key authentication (with a key like ‘’) and that a command be associated with that key (like ‘validate-rsync’). For more explanation, use the “man sshd_config” command.

[9] Not likely.


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license should be available here and here.
The current copy of this document should be available here.