Unix/PHP shell scripts?

bluetiger · 10-02-2002, 06:15 PM

what's the best way to have a unix script (i.e. bourne shell, korn shell, perl ....etc.) to place the output of a script onto a different (Solaris) server within the same network?

One unix box will send out scripts to append/overwrite a text file on the web server that my PHP will use to display in a browser...any idea how to get a script written to run on one box to deposit its output on another box?

nashirak · 10-02-2002, 08:11 PM

The easiest way I could think of would be to run NTFS or SAMBA or something, and create basically a virtual filesystem on the computer. Then it would appear to the OS that it was just writing to its own filesystem. ANother way would be to do a keygen in ssh on both computers (this way you can ssh into another computer without sending your password) then use scp to secure copy files from 1 computer to another. This could be done automatically in some type of unix scripting.

Hope this Helps!

jetnet · 10-02-2002, 11:17 PM

Have you ever heard of securit issues? Do not ever use SAMBA in a production enviornment. There are to many risks, and to many disadvantages to putting a SAMBA server in a production Internet enviornment. Without some serious firewall protection, your just asking for problems. Even with most patches installed on SAMBA, it is still inharrently inseccure.

If you want a script to write a file, then have that file transfered over to another location, I would use something like scp. its secure, its encrypted, and its fast. Plus, if your doing this on a regular basis, you can build a script and put it on the cron tab, and it will do it for you on a regular basis.

If the cron tab is not the way to go, I would next suggest just ftping it across. Make a folder on the webserver that is not viewable to the general public, make it writtable but not readable by a username that you create for the simple process of ftping something to your server. Then use something like proftpd to use as your ftp server, and set the home directory of that user that you created to the folder you made, and then tell proftpd to lock that user in that folder. That will make it so that if for some reason, a server got hacked, and a password got sniffed, that you could keep their mischief down to zero use.

If that sounds to complicated, you can always leave it on the server that it writes it on, and have php pull the file off itself. There are meany differant ways that you can do that. ftp, http, you pick... But what ever you do, do not use samba or nfs.

nashirak · 10-03-2002, 02:30 AM

For one, it was my understanding that he was putting this under a local enviroment <cough>

Quote:

to place the output of a script onto a different (Solaris) server within the same network?

</cough>

, ie that he was on a local subnet and that he could reach the other server securly. If this is not the case, you can still use samba and or NTFS. The only difference? You have to install CIPE tunneling or some other type of secure software. If you do this, you can use NTFS or SAMBA, the only difference is all the packets going out are encrypted. Does this make everyone feel better?

BTW if you want to talk about security FTPing sends everything out in clear text....and is completly insecure IMHO.

Anyway my 2 more cents had to add and cover myself

.

jetnet · 10-03-2002, 10:20 AM

Yes I know FTP uses clear text usernames and passwords, thats why I said that you should create a username and password that can not access anything but that one folder. Thats why I went through the long process of telling him how to lock that user down.

But if you want to get into low security, SAMBA is the queen of that. Im not blaming SAMBA, its windows falut, samba just has to imulate it. But it is still not a good way to do it. A hacker could easily mount his own hard drive to your server, and then just transfer /etc/passwd and start a brute force attach on your server. I've seen that done first hand, or at least tried.

I am not going to play god here and say that none of our servers have ever been hacked. But before we started the new security policies we have adopted, our security was anything but tight. So I was not trying to get into a linux pissing match with you, I was simply saying that it does not follow a good security policy, and I would rethink the use of Samba on an internet production server. Thats all.

nashirak · 10-03-2002, 01:14 PM

A hacker could not mount the samba share if you secure it using cipe. Lets go through securing it.

First setup some crappy security:

Make samba only connect from 1 IP (true this can be spoofed)
Setup a passwd via samba (true this can be hacked)

Second install cipe

http://sites.inka.de/bigred/devel/CIPE-Protocol.txt
and
http://www.linuxpowered.com/archive/mini/Cipe+Masq.html

What does cipe do for you?

Well if you use this and ipchains or iptables a lot.
Cipe does 2 things, encrypts all packets coming from computer and going to computer B. Second, before Computer B would (running samba) even talk to an intruder, he would need to
-Spoof and IP address (and I think a route, cause it checks how the IP was routed)
-Spoof a 128bit encryption key
-Talk to that port encrypting the data in that key with the spoofed route
Since its a little hard to crack 128 bits and spoof

Then and only then will that particular port even think of talking to you.
. Samba can be secured, not 100% but then what can?

I hope this explains a little more about what I mean. Later guys.