Scheduling Python Scripts in Obsidian Java Scheduler

While looking into Java Job Scheduler Obsidian, I had the little problem below.
The default option for Python “com.carfey.ops.job.script.PythonJob” works well but requires you to enter the content of your script directly into the scheduler (see http://obsidianscheduler.com/wiki/Scripting_Jobs for a quick overview), potentially leading to a duplication of functionality and complicating the maintenance of said scripts.
Using fileFTP.py as an example script, I tried (on a Windows machine) to use the generic “com.carfey.ops.job.script.ScriptFileJob” to call the Python script but to no avail. I got it to work calling a .exe file, but the different command line combinations I tried such as “python fileFTP.py”, “python C:/Scripts/python/fileFTP.py”, “C:/Python27/python.exe C:/Scripts/python/fileFTP.py”, “cmd /c start python C:/Scripts/python/fileFTP.py” and more along those lines just didn’t work and kept returning an error that “fileFTP.py cannot be found”.
In the end, in order to keep my python scripts out of the scheduler, I wrote a python job (using the “com.carfey.ops.job.script.PythonJob” option) to call my python script.
Python job as entered in the Obsidian scheduler (the 3 arguments and their values are defined within the scheduler as part of the job options):

import sys
sys.path.append( "C:/Scripts/python/" )
import fileFTP
fileFTP.main(arg1, arg2, arg3)

The fileFTP.py script is structured as below to allow it to run from both the command line and from Obsidian:

import sys

def main(arg1, arg2, arg3):
    # Do FTP stuff
    pass

# Only runs when called from the command line, not when imported by the Obsidian job
if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2], sys.argv[3])

Ubuntu Server Hardening

My take on what’s out there, specifically targeted at 12.04 LTS release.

Checklist
1- Reset root password

passwd

2- Enable sudo/set-up users (I use a generic user “deploy” and SSH keys rather than password authentication)

useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
vim /home/deploy/.ssh/authorized_keys
Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.
chmod 400 /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy -R
passwd deploy (and change password to something else)
visudo
Comment all existing user/group grant lines and add the following lines:
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL

3- Lock down SSH (change the SSH port if standard, port 111111 in the example below; prevent root login; lock down to specific IP ranges)

vim /etc/ssh/sshd_config
Port 111111 (example value only; a real port must be between 1 and 65535)
PermitRootLogin no
PasswordAuthentication no (only if doing it through SSH keys!)
AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
service ssh restart
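
A way to check the result of step 3 before restarting SSH, as an added example that is not part of the original post: the script audits a copy of sshd_config for the four settings above, including a port outside the valid range such as 111111. The sample files, port 2222 and the address 192.0.2.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against step 3.

# Print the value of the first uncommented occurrence of a keyword
# (sshd uses the first value it reads; keywords are case-insensitive).
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Print one FAIL line per problem; return 0 only if every check passes.
audit_sshd() {
    cfg=$1; rc=0
    port=$(sshd_value Port "$cfg")
    case $port in
        ''|*[!0-9]*) echo "FAIL: Port is unset or not a number"; rc=1 ;;
        *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
               echo "FAIL: Port $port is outside 1-65535, sshd rejects it"; rc=1
           fi ;;
    esac
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_value "$key" "$cfg")
        # An unset keyword is reported too: do not rely on the built-in default.
        [ "$val" = "no" ] || { echo "FAIL: $key is '${val:-unset}', expected 'no'"; rc=1; }
    done
    [ -n "$(sshd_value AllowUsers "$cfg")" ] || { echo "FAIL: AllowUsers is not set"; rc=1; }
    return $rc
}

# Constructed sample files (hypothetical values; 192.0.2.10 is a documentation address).
write_samples() {
    printf '%s\n' 'Port 111111' 'PermitRootLogin no' '#PasswordAuthentication no' \
        > "$1/bad_sshd_config"
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowUsers deploy@192.0.2.10' > "$1/good_sshd_config"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== bad sample ==";  audit_sshd "$tmp/bad_sshd_config"  || echo "(audit failed as expected)"
echo "== good sample =="; audit_sshd "$tmp/good_sshd_config" && echo "all checks passed"
```

On a real server, run audit_sshd against the edited file and keep the current SSH session open until a second login on the new settings succeeds.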

4- Don’t allow system users access to FTP server

Open "/etc/ftpusers"
Add system users to deny use of ftpd:
backup
bin
daemon
games
gnats
irc
libuuid
list
lp
mail
man
mysql
news
ntp
postfix
proxy
sshd
sync
sys
syslog
uucp
www-data

5- Minimize packages to only those needed
6- Shut off unneeded services (in rc.d, like DNS server/print server…)
7- Hardening Kernel – compile GRSecurity/Pax
Good tutorial at http://www.insanitybit.com/2012/05/31/compile-and-patch-your-own-secure-linux-kernel-with-pax-and-grsecurity/
8- Upgrade OS

apt-get update && apt-get -y -q upgrade
apt-get install language-pack-en-base -y -q

9- Turn on automatic security updates

apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
Update the file to look like this:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
Update the file to look like below. Keep updates disabled and stick with security updates only:
Unattended-Upgrade::Allowed-Origins {
 "Ubuntu precise-security";
// "Ubuntu precise-updates";
};
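
The Allowed-Origins entries only take effect when they name the release actually installed (precise for 12.04). The following added example, not part of the original post, extracts the active origins from a 50unattended-upgrades file and checks that a security origin for the given codename is present; both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify Allowed-Origins for a release.

# Print the active (uncommented) entries of the Allowed-Origins block, one per line.
allowed_origins() {
    awk '/^[ \t]*\/\//      { next }             # skip // comment lines
         /Allowed-Origins/  { inblk = 1; next }
         inblk && /^[ \t]*}/ { exit }             # closing brace of the block
         inblk && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }' "$1"
}

# Return 0 only if a security origin for the given codename is active.
check_origins() {
    file=$1; codename=$2; found=1
    # Drop the distro id; entries use either a space or a colon as separator.
    for archive in $(allowed_origins "$file" | sed 's/^[^ :]*[ :]//'); do
        case $archive in
            "$codename-security"|'${distro_codename}-security') found=0 ;;
            *-security) echo "WARN: origin '$archive' does not match release '$codename'" ;;
        esac
    done
    [ "$found" -eq 0 ] || echo "FAIL: no active $codename-security origin"
    return "$found"
}

# Constructed samples: one naming another release, one using the variable form.
write_origin_samples() {
    printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
        ' "Ubuntu lucid-security";' '// "Ubuntu lucid-updates";' '};' > "$1/stale"
    printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
        ' "${distro_id}:${distro_codename}-security";' '};' > "$1/current"
}

tmp=$(mktemp -d)
write_origin_samples "$tmp"
check_origins "$tmp/stale" precise   || echo "(stale config rejected)"
check_origins "$tmp/current" precise && echo "current config OK"
```

On the server itself, pass /etc/apt/apt.conf.d/50unattended-upgrades and the output of lsb_release -cs as the two arguments.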

10- Sysctl Hardening
Check config example at http://joshrendek.com/2013/01/securing-ubuntu/#sysctl
11- Password protect GRUB bootloader
12- Secure shared memory (/tmp)

Open "/etc/fstab" and add the following line (the ro option mounts shared memory read-only, so any program that writes to /dev/shm will fail):
tmpfs /dev/shm tmpfs defaults,ro 0 0

13- Install/Set-up fail2ban

apt-get install -q -y fail2ban

Check http://joshrendek.com/2013/01/securing-ubuntu/#fail2ban for config example

14- Install/Set up ufw firewall

apt-get install -y ufw
ufw allow from {your-ip} to any port 22
ufw allow ssh (or ufw allow 111111/tcp if using a non-standard port like 111111 in this example)
ufw allow http
ufw enable
ufw status

15- Install/Set up logwatch

apt-get -y install logwatch

16- Install/Set-up denyhosts (avoid SSH attacks)

apt-get install -q -y denyhosts

17- Install/Set-up tiger (system security scanner)

apt-get -y install tiger
tiger

18- Install/set-up psad (detect attempted intrusions)

apt-get -y install psad

19- Install/Set-up aide (file monitoring)

apt-get install aide -y -q
sed -i 's_COPYNEWDB=no_COPYNEWDB=yes_' /etc/default/aide
sed -i 's_FILTERUPDATES=no_FILTERUPDATES=yes_' /etc/default/aide
sed -i 's_FILTERINSTALLATIONS=no_FILTERINSTALLATIONS=yes_' /etc/default/aide
aideinit

20- Install/Set-up antivirus (ClamAV – http://www.clamav.net/lang/en/)
21- Install/Set-up rootkit detection (chkrootkit)

apt-get install -q -y chkrootkit

To set up a regular run in the crontab

sed -i 's/RUN_DAILY="false"/RUN_DAILY="true"/' /etc/chkrootkit.conf

Sources:

http://www.itsecurity.com/features/ubuntu-secure-install-resource/
https://www.hedgehogsecurity.co.uk/index.php/blog/hardening-an-ubuntu-server
http://www.insanitybit.com/2012/12/17/hardening-ubuntu-linux/
http://joshrendek.com/2013/01/securing-ubuntu/
http://1stpcb.com/?p=67
http://cs.ncs.nova.edu/DeathStarMediaWiki/index.php/Ubuntu_Server_Security_Hardening
http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers

Adding a plugin from local source in Grails 2.3.2

Now that the “grails install-plugin …” command is deprecated, I struggled to figure out how to add a local plugin to my Grails application (for stuff not in public repositories) and this is what I came up with to get it to work.

– in grails-app/conf/BuildConfig.groovy

  • Change the value of grails.project.dependency.resolver from “maven” (default) to “ivy”
  • In the repositories section, add the following as the first repository defined (updating the actual path to the path the plugins you want to load are stored in on your own machine)
    flatDir name:'myRepo', dirs:'C:/Sites/grails/plugins'
  • Add the call to your plugin in the plugins section as normal