Tag Archives: ssh

SSH to multiple servers and run commands

Problem

You need to run a list of commands on a list of servers and record the output of each command.

Solution

Create a Perl script using Net::SSH::Perl (an SSH client written as a Perl module). The script reads a list of commands from one file and a list of servers from another, connects to each server, executes each command in the commands file, then moves on to the next server and does the same.

Installation

Download the script: SSH Batch-0.1 (1.5 KB)
Install Net::SSH::Perl:

    sudo perl -MCPAN -e "install Net::SSH::Perl"

Now you can decompress the script and configure it:

    tar -xzpf ssh_batch-0.1.tar.gz
    cd ssh_batch-0.1

Put the commands in commands.txt (one command per line).
Put the servers in servers.txt (one per line) in this format: user@hostname:port,password

Now you can test the script: run ./ssh_batch.pl and look at the output in log.txt
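
A pre-flight check for the servers.txt format described above, as an added example that is not part of the SSH Batch download: it validates each user@hostname:port,password entry before anything connects and reports bad entries by line number only, so no password reaches the logs. The function names and sample entries are made up for illustration, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example: validate servers.txt entries of the form
#   user@hostname:port,password
# parse_server_line prints "user host port" (never the password) or fails.
# It runs in a subshell ( ... ) so the password variable does not outlive the call.
parse_server_line() (
    line=$1
    case $line in *,*) ;; *) exit 1 ;; esac
    target=${line%%,*}      # split at the FIRST comma: passwords may contain commas
    password=${line#*,}
    case $target in *@*:*) ;; *) exit 1 ;; esac
    user=${target%@*}
    hostport=${target##*@}
    host=${hostport%:*}
    port=${hostport##*:}
    [ -n "$password" ] || exit 1
    # User and host: non-empty, conservative character set, no leading "-".
    case $user in ''|-*|*[!A-Za-z0-9._-]*) exit 1 ;; esac
    case $host in ''|-*|*[!A-Za-z0-9.-]*) exit 1 ;; esac
    # Port: 1 to 5 digits, within 1..65535.
    case $port in ''|*[!0-9]*|??????*) exit 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 1
    printf '%s %s %s\n' "$user" "$host" "$port"
)

# Validate every entry read from stdin. Bad entries are reported on stderr by
# line number; the number of bad entries is printed on stdout.
check_servers() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then continue; fi
        if ! parse_server_line "$line" >/dev/null; then
            echo "line $n: malformed entry" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed sample entries (not real hosts or credentials).
SAMPLE='deploy@web1.example.com:22,s3cret,with,commas
root@-web2.example.com:22,pw
admin@db1.example.com:70000,pw'
printf '%s\n' "$SAMPLE" | check_servers
```

Run it as `check_servers < servers.txt` before starting the batch; a result other than 0 means at least one entry would fail or be misread.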

Warning! You can destroy multiple servers with this script!

Yeah, it can do that if you're not careful about what commands you tell it to run and you log in as a user with too many permissions. So make sure you know what you are doing before you run it on production servers.

HowTo: Shared Hosting as Socks Proxy

Problem

You need a proxy to connect to a service that would only accept connections from a certain location.

You have a shared hosting account on a server in a location that is accepted by the service you want to connect to. Could you use it as a proxy server?

You could install one of those proxy scripts made in PHP, but that would only let you browse the web. What you want is to be able to proxify any application, and for that you need a socks server working with one of those proxifier applications (like tsocks on Linux/Unix).

So could you use a socks proxy on your shared hosting account?

Solutions

The solutions are listed starting with the simplest, which works on the most permissive hosting accounts, and ending with the most complex, suited for the least permissive accounts.
There will be further posts describing the solutions in detail. This post is mostly an introduction.

  1. SSH Tunnel

    This is the simplest, but it assumes that your host allows ssh access to your account and doesn't block ssh tunnels.

        ssh user@hosting-server.com -D1080

    This creates a socks server on your local host; you can then use it in the proxifier app to forward all connections through it.

  2. Custom SSH Tunnel

    This is a solution for those hosting accounts that don't allow ssh tunneling, but allow you to connect over ssh and run a program ( antinat - a socks server ) once connected over ssh.

    (One might wonder: why create a tunnel when you could just run antinat and connect directly to it? If you can do that then that's the best way to do it, but most shared hosting servers have all ports blocked, so you would not be able to connect to any port other than the standard ones (80, 443, 25, 110, 143, etc.), and those are only available to root and are already busy anyway.)

    The idea is to forward the traffic from your computer to the proxy server through the actual ssh connection instead of using the standard tunneling mechanisms, which are blocked by the server's configuration.

    For this you would need a program on your host to act both as a socks server (sort of) and as a forwarder through an ssh connection. On the other side (hosting account) you would need another program that would receive data from the ssh connection and forward it to antinat. Both programs would actually have to forward data both ways.

    Both forwarders would have to multiplex connections and forward them through a single ssh connection, because most hosting accounts only allow one connection per user.

  3. Callback Socks server

    This is a solution in case your hosting account has no ssh access.

    It's similar to the previous solution, but in this case, instead of having the local forwarder connect to the remote (hosting) forwarder through ssh, you eliminate the remote forwarder and just have the socks server connect back to the local forwarder and then forward everything through that connection.

    This would require modification to the socks server as antinat doesn't have this callback feature built in.

    Another requirement is that you are able to upload and run antinat on the server. Usually you can do this by just calling it in a php script ( eg.: system('antinat') ) or from a perl script if the host offers cgi access.

  4. Custom script ?

    What if for some reason (no cgi or php system() blocked ) you can't run antinat?

    Well in this case I'm guessing it would be possible to write a script that you could call over a http connection, and forward through it, but php's socket functions would need to be available and script's max execution time would limit your connection time so don't expect much of this.
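
Whether solution 1 works depends on the server's sshd forwarding settings. This added example (not from the original post; the function names and sample configurations are constructed) reads sshd_config text and reports whether its global section permits `-D` forwarding, applying sshd's first-value-wins rule and leaving Match blocks unevaluated.

```shell
#!/bin/sh
# Added example: does the global section of an sshd_config permit "ssh -D"?
# sshd uses the FIRST value it reads for each keyword; keywords are
# case-insensitive. Match blocks (per-user overrides) are not evaluated here.

# usage: effective_setting <keyword> <default>   (config text on stdin)
effective_setting() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$2" '
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == want    { print $2; found = 1; exit }
        END { if (!found) print dflt }'
}

# usage: dynamic_forward_allowed "<config text>"; exit status 0 means allowed.
dynamic_forward_allowed() {
    if [ "$(printf '%s\n' "$1" | effective_setting DisableForwarding no)" = yes ]; then
        return 1                                 # overrides every other forwarding option
    fi
    case $(printf '%s\n' "$1" | effective_setting AllowTcpForwarding yes) in
        yes|all|local) return 0 ;;               # -D is a form of local forwarding
        *) return 1 ;;
    esac
}

# Constructed sample configurations (not taken from a real host).
DEFAULTS='Port 22
PermitRootLogin no'
RESTRICTED='Port 22
#AllowTcpForwarding yes
AllowTcpForwarding no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding yes'

for name in DEFAULTS RESTRICTED; do
    eval "cfg=\$$name"
    if dynamic_forward_allowed "$cfg"; then
        echo "$name: dynamic forwarding allowed"
    else
        echo "$name: dynamic forwarding blocked"
    fi
done
```

sshd_config(5) itself notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders, which is what solution 2 relies on.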

I have used solution #1 and I wrote the software and patches required to make #2 and #3 work. In the following weeks I'll write the posts to describe them in more detail.

You can subscribe to my RSS feeds or connect with me on one of the social networks listed in the sidebar if you want to be notified when they are posted.

If you know other ways of doing this or ideas about my solutions I'd love to read about them in the comments.

Recover plesk access

Here's a scenario: you're locked out of the Plesk admin, you forgot the password and can't recover it because your email address is not set in the contact details.

Do you still have ssh access as root (ssh keys, or you can still remember the password for root)? Most of the time I use dsa keys for ssh authentication.
If you do, then you can change the password for admin.

Plesk keeps its password in the psa mysql database, so you just have to change it in the psa.accounts table. But to get to it you need root access in mysql.
If you don't have the password for root (most likely on Plesk servers), you'll have to stop mysql and start it without privilege verification.

    /etc/init.d/mysql stop # stop mysql
    /usr/sbin/mysqld --skip-grant-tables & # start without privilege verification
    mysql -u root # log into mysql using the mysql client

That would work on most Linux distros; on some the stop script would be /etc/init.d/mysqld, and on others the path to the mysql server might be /usr/libexec/mysqld.

Once you're logged in run this sql to change the password:

    USE psa;
    UPDATE accounts SET password=md5('newpasswordhere') WHERE id=1 ;

Now get out of the mysql client (CTRL+C) and restart mysql to have privilege verification back, or else everyone would be able to do what you just did:

    killall -9 mysqld
    /etc/init.d/mysql start

Now you can log in to Plesk with the new password.
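
To confirm that no mysqld is still running without privilege checks after the recovery, this added example (not part of the original post; the function name and sample process list are constructed) scans `ps -eo pid,args` output for mysqld started with --skip-grant-tables and reports whether --skip-networking kept it off the network.

```shell
#!/bin/sh
# Added example: find mysqld processes running without privilege checks.
# Input: "PID COMMAND ARGS..." lines as printed by `ps -eo pid,args`.
# Output: "<pid> exposed"    --skip-grant-tables and still accepting network connections
#         "<pid> local-only" --skip-grant-tables together with --skip-networking
# Options set in my.cnf do not appear on the command line and are not seen here.
audit_mysqld() {
    awk '
        $2 == "mysqld" || $2 ~ /\/mysqld$/ {
            grant = 0; net = 1
            for (i = 3; i <= NF; i++) {
                opt = $i
                gsub(/_/, "-", opt)              # mysqld accepts "_" and "-" interchangeably
                if (opt == "--skip-grant-tables") grant = 1
                if (opt == "--skip-networking")   net = 0
            }
            if (grant) print $1, (net ? "exposed" : "local-only")
        }'
}

# Constructed process list (PIDs and paths are made up for the example).
PS_SAMPLE='  812 /usr/sbin/sshd -D
 4021 /usr/sbin/mysqld --skip-grant-tables
 4100 /usr/libexec/mysqld --skip_grant_tables --skip-networking
 4200 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql'

printf '%s\n' "$PS_SAMPLE" | audit_mysqld
# On a live host: ps -eo pid,args | audit_mysqld
```

Empty output means no mysqld on the host was started with --skip-grant-tables on its command line.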

vim arrows in MacOSX

I know vim gurus would criticize me for using arrows in vim's insert mode but it's really hard to give them up.

I have this problem when I connect from my linux box to a MacOSX or FreeBSD box over ssh. I find it one of the most annoying things when using vim. When you are in insert mode and hit one of the arrows to move around, instead of the expected action vim will just print A, B, C or D on a new line. This makes vim practically useless.

So either you are very careful and always exit insert mode before you move, or you fix the keys.

I think it's hard to always remember to get out of insert mode, and it's one extra operation that I find useless, not to mention that you will probably have to enter insert mode again a few seconds later.

So here's the fix for the arrow keys. Edit your vimrc, either the global one (I'm using vim from macports so my vimrc is /opt/local/share/vim/vimrc) or ~/.vimrc, like this:

$ vim ~/.vimrc
set t_ku= (now type Ctrl-V and press cursor up)
set t_kd= (now type Ctrl-V and press cursor down)
set t_kr= (now type Ctrl-V and press cursor right)
set t_kl= (now type Ctrl-V and press cursor left)

This solution was stolen from the vim tips wiki. I posted it here to avoid looking for it again if I need it. It's the second time I am hit by this problem, and every time I had to search through a few pages with solutions that didn't work for me.