Rolfsa's Weblog

Managing Exchange Folders and Item Counts

2011-12-08T11:34:00.001-05:00

So in my last blog entry I talked about the PAL tool and how it can help you get a handle on your servers performance. Today I’d like to discuss PFDAVAdmin. This is a tool free tool that you run on your Exchange server (2000 or 2003) to get a look inside of all your mailboxes and folders to get things like the total number of items in a folder inside a mailbox. Here are the details to do just this.

Download the tool
Install the tool on the Exchange server
Connect to the server, global catalog server and select All Mailboxes
On the Tools menu select Export Properties
On this window put in a destination for the location you want the output file to be dropped (it will be in tab delimited format)
Select these three check boxes:

PR_CONTENT_COUNT
PR_DISPLAY_NAME
PR_FOLDER_PATHNAME

Hit Ok
Grab much needed caffeine while you wait.
The server will begin processing you you will get an output tab delimited file that you can load into excel and pretty up showing the users ID, folder name and number of items in the folder for each mailbox on the server.

This helped us identify those “offenders” that never delete or move anything. After we identified and cleaned up some of our users our exchange 623 and 1022 errors started getting less and less frequent. The latest Microsoft support person (who speaks English as a first language….note it takes 4 weeks to get one btw) says that we still have a large number of items in our “search folders” that we need to deal with. I can see the search folders in the tab delimited file but there are multiple ones to deal with. Some are Blackberry search folders, some are Cisco Unity Search folders, some are Finder search folders and others are something called MS-OLK-BGPooledSearchFolder search folders. We were told Blackberry search folders could be cleaned with the MFCMapi tool. There’s also a reg fix which I believe is for the MS-OLK-BGPooledSearchFolder folders. I haven’t run these fixes yet but I’ll let you know how it turns out.

These issues have reinforced something I’ve been saying for years. There are two evils in IT….printers and email. You’ll never completely rid yourselves of issues with either one.

PAL – Performance Analysis of Logs

2011-12-02T23:13:00.001-05:00

Wow…been a long time for an update eh?! Well most of this year I’ve been working on our Windows 7/Office 2010 rollout. Also been working on a massive shift from Zantaz/Autonomy EAS to Mimecast…but that’s another whole story…

After we upgraded one of our sites from Outlook 2003 to Outlook 2010 we coincidentally had huge issues with Exchange 2003. We started getting 623 errors in event logs followed by 1022 errors which ended up raping, pillaging and plundering our Exchange information stores. So after weeks of the Microsoft Advanced Diagnostics team, which seems to be based out of somewhere in India, said our issues were caused by too many mailboxes with message counts greater than 5000 in folders. No shit..really?! Still working on this issue so I’ll let you know how it turns out.

So back to PAL. During my research into Exchange performance I found the PAL tool at codeplex.com. PAL is a tool that will look at your perfmon counter logs and tell you what’s up with your server. Unlike, the Baseline Analyzer tools, it reacts to running conditions on your servers and lets you know what seems to be running “out of bounds”. Turns out a bunch of subject matter experts at Microsoft got together and set some rules in the PAL tool to alarm/alert just like a traditional expert system would. Very cool stuff.

So here’s the quick and dirty on getting started with PAL:

Download PAL from here
Install PAL
Run PAL and go to the Threshold File Tab
Pick the type of analysis you want to run…Start with System Overview…it will get you started (Threshold File Title)
Now click on “Export to Perfmon Template File”
Now if it’s a 2003/XP system save the filetype as .htm, if it’s 2008/Win7 save the filetype as .xml.
Copy the template to the system to be monitored
Run perfmon
(Note: The rest of this is steps for 2008/Win7..if you are on 2003/xp figure it out for yourself. ;P)
Go to Data Collector Set
Right click on “User Defined”
New Collector Set
Pick a name and select “from template”
Browse for the template
Hit Finish
Right click on the collector and start it
Run it for awhile and stop it
Take the results file back to your PAL workstation and start from the first tab.
On counter tab, select the resultant file
On Threshold file Tab reselect the one you started with
On Questions Tab, answer the 4 questions about the system you were monitoring
Output Options Tab, leave it at auto for now
File Output Tab, leave defaults
Queue Tab, leave defaults
Execute Tab, select Execute and hit finish
Wait…it takes awhile to process
Enjoy your html output file and analysis of what was up with your server

One last thing to note…scroll through your Threshold File Titles…there’s a lot to choose from. You can run some very specific tests. These all relate to specific counters to “watch” in perfmon so it’s a great learning tool just looking at what’s important to watch.

Enjoy.

Chromebook CR-48

2011-05-25T15:31:00.001-04:00

Guess who got a Chromebook today?! So far I really like it. I’m trying to get my stuff all “in the cloud” but it’s taking awhile to figure out the best way to move everything.

The great things about the notebook are:

it’s size – Nice and thin…could be lighter but not bad at all. Perfect size for a “workable” machine. They didn’t try an be an iPad clone and I appreciate that.
physical appearance – It’s one sexy beast. Love the simplified keyboard and the fact that all the buttons look the same.
simplicity – This is more a comment about the OS, but it’s dead simple to use and figure out.
guest mode – Nice touch. I like that I can give it to anyone and they can mess with my stuff.
easy of use – Goes hand in hand with simplicity, but it’s worth commenting that they really went the extra mile to make it simple to use.
potential – This device is the future. That’s clear to me now.
battery life – nuff said. 8+ hours and still cranking along

The things I’ve found that need improvement are:

remote connections – Gotta give me vnc, ssh and rdp. You just have too. It’s not workable as a tool for me unless I can remotely control a “real” machine.
Java, Javascript or something – Come on, this thing would be a powerhouse with a little client side intelligence.
Wireless signup with Verizon – I still haven’t been able to figure out how to sign up. Guys…there money lying on the table…go get it.
More Apps – App store for chrome looks anemic
Mouse pad – works ok, but right click action with 2 fingers is difficult to pull off.
Google cloud printing is good, but needs improvement. Need to find a way to set up a “shared” printer in a reception area so that guests can print easily to it over the web. That’s not easy with Google cloud printing.
Flash support – Just gotta have it.

So after my first 48 hours with it…that’s my view.

iperf

2011-05-03T20:17:00.001-04:00

iperf is a tool for testing the throughput of a network pipe. It came in handy today as I was testing out the throughput of our WAN lines. We have T3’s at each site and one site in particular always “seemed” slow when transferring files but I didn’t know why. I installed iperf on linux (yum install iperf) and set one side as a server.

iperf –s

Then on another box on the other side of the wire I installed iperf and ran it as a client":

iperf –c x.x.x.x –d (Where x.x.x.x is the ip address of the box running as a server.)

The I got the following result:

C:\>iperf -c x.x.x.x -d
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to x.x.x.x, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1840] local y.y.y.y port 1552 connected with x.x.x.x port 5001
[1816] local y.y.y.y port 5001 connected with x.x.x.x port 46524
[ ID] Interval       Transfer     Bandwidth
[1816] 0.0-10.0 sec   439 MBytes   8.5 Mbits/sec
[1840] 0.0-10.0 sec   321 MBytes   6.7 Mbits/sec

This is a full duplex T3 line so I expect something higher than 8.5 and 6.7. After some inspection I noticed that switchport on the backbone switch was set for Auto-10 instead of just Auto. That was restricting it to Ethernet speeds. I changed it to Auto and it picked right back up (~30Mbits/sec). I did this while other traffic was on the wire so it couldn’t entirely fill the pipe by itself.

Cool tool!

CentOS NIC Settings (Speed & Duplex)

2011-03-17T11:21:00.001-04:00

We ran into an issue with the speed and duplex settings on one of our CentOS boxes during a recent upgrade of our infrastructure to HP ProCurve 8112zl switches. Because I futz with this about once a year I figured I’d write it down so I could look up up next time…

Step 1: Determine what NIC is in your CentOS box so you can see it’s capabilities.

#lspci | grep Ethernet

This should give you something like (excuse the wrap):

0a:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 02)

Step 2: Check how the nic is currently set:

#ethtool eth0:

This should give you something like:

Settings for eth0::
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes: 10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: g
        Current message level: 0x000000ff (255)
        Link detected: yes

Step 3: Force the speed to say, 100Full (just for grins):

Edit /etc/sysconfig/networking-scripts/ifcfg-eth0
Add the line:

ETHTOOL_OPTS="speed 100 duplex full autoneg off"

The bounce the network service:

#service network restart

That’s it. Also be sure to check the config on the switch so it matches. And remember… always be consistent on both sides of the setup. If the server is auto, set the switch to auto. If the server is 100Full, force the switch port to 100Full.

Another Legal iPad App

2011-01-21T17:11:00.001-05:00

This one looks pretty good too. It’s called Exhibit A. What I like about this app is that it’s not a linear presentation like PowerPoint or Keynote. It lets you pick a slide easily and present in what ever order works for you.

Even More Legal iPad Apps

2011-01-07T15:19:00.001-05:00

After my last post, I found another bunch of good stuff.

Fastcase (free) is a legal research tool.

LawStack (free) is basically a mini legal library. It contains:

US Constitution
Federal Rules of Federal of Civil Procedure
Federal Rules of Appellate Procedure
Federal Rules of Evidence
Federal Rules of Bankruptcy Procedure
Federal Rules of Criminal Procedure
More stuff that’s downloadable inside the app

PocketJustice (Free) is an app that include voting alignments and biographical sketches for all 100 justices at the US Supreme Court. It also has 100 constitutional law cases.

Black’s Law Dictionary, 9th Edition. ($54.99)

The Essential Law Dictionary ($9.99)....yet another legal dictionary.

Nolo’s Plain English Law Dictionary. (Free) Yep…another one.

Legal News Reader ($0.99) A Legal specific news reader pulling from multiple sources (CNN, HUD, Law.com, LexisNexis, etc…)

ABA Journal (Free) the American Bar Association’s iPad app for legal news.

Court Days ($0.99) A date calculator assisting to calculate the number of court or calendar days before or after a given date.

US Code (Free) is an app that has the entire US Code for all federal statues available for viewing on your iPad.

Enjoy…

iPad apps for the Attorney

2011-01-06T16:57:00.001-05:00

So I got an iPad last year. As skeptical as I am about gadgets…I gotta tell ya I love it! My role in our Firm is to evaluate new technology so that the good stuff eventually ends up in the hands of our Attorney’s. Once you get past the eye candy, what can an iPad really do for an Attorney? Well, so far I’ve only found a few legal specific apps. Here they are:

iJuror is a juror selection tool. It keeps track of people during the jury selection process allowing you to keep track of their details and what you did/didn’t like about them.

iCle, made by the same people that make iJuror helps an Attorney keep track of their CLE credits. This is a very basic app and seems more like a simple note taking replacement.

JuryTracker looks interesting. It replaces the sticky notes Attorney’s often user to keep track of Juror information at trial. You can easily keep track of generic case data, each juror’s details like their chair position in court, their mood, etc. There is even a timer built in to keep track of the time used in court by the Plaintiff and the Defendant. Definitely worth a look…

TrialPad looks like it’s going to be really useful. It’s a case preparation and presentation tool which looks to compete with tools like Trial Director and Sanction. It certainly doesn’t have as much functionality at this point, but it will be interesting to see what happens as this tool matures.

Those are the main tools I’ve found so far for the legal profession. There are tons of other tools on the fringe like PDF editors, document review tools and financial tools but I wanted to focus specifically on legal tools. If you’ve found any others please hit me up in the comments and let me know.

PDQ Deploy

2011-01-05T16:54:00.001-05:00

I ran into a cool tool today for installing software on a remote box. It’s called PDQ Deploy and it’s from the fellas over at Admin Arsenal. We use Prism Deploy for our Firm, but I can see using this tool in a pinch for even faster deployments. Prism Deploy clients (which require and agents) are set to “check in” every 5 minutes for new stuff. With this tool I can truly push software to machines on demand and not worry about the client having the agent.

Halloween Fun

2010-10-27T22:38:00.001-04:00

Ok…toying around yesterday looking at all things Halloween I found a really cool app. It’s a digital face that you can control and by using a little slight of hand, make it look like a talking mirror. You can use a microphone to “throw” your voice and really entertain the kids this year. The Mirror app can be found here. Have fun and Happy Halloween!!!

Soluto–Tracking login times

2010-10-13T11:36:00.001-04:00

One of the common complaints we get about our customized computer image is the long boot up time. In an effort to better understand what’s going on, I did some research and found an app called Soluto which does a great job of breaking down the boot time into a graphical representation of the process. It’s very cool, easy to set up and free. Running Soluto on our standard Windows 7 image yielded this analysis:

Ok…It’s a little hard to see here but trust me this thing is packed with information about the boot process. It identifies many (in is in Beta after all) items and provides great detail into how much memory they take, how long they took to run, what exe and dll files were called and much more. For the applications it knows about you also have the choice to pause or delay the loading of the item so that you can tune your boot process. This tool is very helpful for us as we are working on a new standard image. Definitely a tool to keep handy in your IT Toolbox.

Enjoy.

Regshot – Registry Compare Tool

2010-09-16T09:43:00.001-04:00

Been working hard on Windows 7 this week. Specifically group policy stuff. In the process I’ve been needing to get in and out of the registry comparing keys to see if changes are taking place. I usually use a tool called Prism Deploy (pictaker) to run a check on the registry to look for changes but for simple changes it’s a bit much. Don’t get me wrong, I’m a huge Prism fan. I’ve been using it for years and it’s our main software deployment tool. However, for this work it’s a bit overwhelming. I found a cool little tool called regshot at Sourceforge that does the smaller registry compare jobs really well and it seems to run even quicker than Prism. The tool looks like this:

To make a compare, just run the tool and click on “1st shot”. Make the registry changes (in my case I do a grpupdate for force group policy changes) and then run “2nd shot”. When it completes hit the “cOmpare” button and you’ll get a text file or html file of the changes that were made to the registry. Works well, is stupidly simple and because it’s open source there’s no serial numbers or licensing to worry about.

Enjoy.

TOR – Anonymous Web Browsing

2010-09-08T22:31:00.001-04:00

TOR is a tool I’ve known about for some time but never really had a chance to check out. Tonight I sat down and spent a few minutes with it. It’s very cool. I downloaded the TOR browser bundle which is basically a minimalist way to check it out. The bundle includes a TOR client as well as a version of Firefox portable. By expanding it into a folder or even onto a USB drive you can run TOR and see what it’s like to browse the net anonymously. So why would you want to browse the web anonymously you ask? Well I can think of plenty of reasons. I often want to check some of the web sites I run from a remote connection to test firewalls and connectivity. TOR basically relays your connection out and around the net. That makes it possible to remotely test websites without having to use a remote tool to connect to a remote computer. What I found out about this little bundle is quite cool. It has a built in bandwidth monitor, the ability to check out the nodes on the TOR network, the ability to dynamically change your network identity and the ability to make yourself a TOR relay. Pretty cool stuff.

I fired up the Firefox portable browser with TOR and went to www.myipaddress.com to check out what was being reported as my IP. It came back with an IP address in Germany. When I went to Google sure enough I was sent to the German version of Google. Very cool.

So I only have you one reason for browsing anonymously but I’m sure you have your own reason. It’s a very cool tool and will now takes it’s place on my USB utility belt.

Monitoring Internet Health

2010-09-03T14:19:00.001-04:00

It seems that there was a rather large issue at Level3 today on the Internet. Our provider was down for an hour or so while they rerouted traffic. We were on it and rerouted our Firm’s traffic through an alternate site within a few minutes of the outage. I’m always clamoring for more information as to how well things are running and how wide spread an outage is. Here are a few links that are useful in investigating Internet issues:

http://www.internethealthreport.com/

http://www.internettrafficreport.com/

http://isc.sans.edu/index.html

Do you have any sites you use for this? If so, hit me up in the comments.

Interesting Scheduling Tool

2010-08-12T08:51:00.001-04:00

I ran into an online tool to help people schedule meetings. It’s called When Is Good. It’s surprisingly simple and straightforward to use. When you want to have a meeting with multiple people and are unaware of their schedules When is Good allows you to graphically pick blocks of time when you are free and then let everyone else choose from these times. You can see from the responses if there are any overlapping times that would work for a meeting. Not clear enough?!?!

You see this:

Highlight the times you are free. They see this:

After everyone chooses a good time you see this:

It can all be done through web links anonymously so that’s pretty cool as well. The technique is a great idea and it stops a lot of the back and forth in group emails to get people on the same page. Now…if only we could get the big vendors involved to build this into their products…..

Offline Antivirus Tool

2010-08-05T20:11:00.001-04:00

So has this happened to you? You get a computer from a friend/client that is seriously infected with malware or a virus and it’s actually running up to date antivirus and antimalware tools….and the tools find squat?! Well it happened to me yesterday. Signs of the virus were internet connection issues and “weird” behavior. After poking around a bit I remembered a tool I had seen from AVG for offline scanning a computer that was booted from a USB based Linux distro with antivirus tools. So I downloaded it and tried it out.

I downloaded the zip file for USB creation, popped in a USB drive and took off. After extracting the contents to the freshly FAT32 formatted drive I ran the makeboot tool to make the USB drive bootable. I rebooted the PC from the USB drive and did a quite Internet update to updated the program and virus definitions. Then I kicked of a scan and walked away for a few hours.

The USB bootable drive found 12 virus infected files including one loaded as isaphp.sys which was loading as a system driver. When I removed it the box wouldn’t boot because it needed that driver. I went to a known good machine copied the driver onto the rescue USB drive, booted from it and used Midnight Commander which was baked into the rescue distro from the utilities menu to put it in the drivers folder on the box. Very cool and I didn’t need the Microsoft XP restore disk which is what is usually required. It also found some infections deep inside some Java Jar class files that the others couldn’t see. Good stuff to add to the toolbox…

Checking The Security Of Your Browser

2010-07-22T22:21:00.001-04:00

As we update Windows 7 images at the Firm, I’m always running around trying to verify all the components are up to date. From a browser perspective, I found a neat on-line site to check all the web components. The Qualys site does a pretty good job. Check it out.

MDT 2010 & Office 2007

2010-07-19T14:29:00.001-04:00

As this blog is generally a place for me to remember things…I figured I’d add a tidbit about Office 2007 integration with MDT2010. I’ve set up Office 2007 as a deployable application via MDT for new images and I wanted to figure out how to slip stream Office 2007 SP2 into the Office 2007 install. Turns out it was much easier then I thought. Simply expand the SP2 files into the folder called “Updates” that already exists in the source folder for Office 2007 and you’re done! Easy peasy! If only operating system upgrades were this easy!

Speeding up a MAC

2010-06-10T09:23:00.001-04:00

So I bought my wife a MAC a few years ago and she loves it. She grew up with MAC and she is an educator and artist so it fits like a glove. However, over time it’s performance has become abysmal. I’ve done what I could do from an OS perspective cleaning things up but I’ve never been able to put the new computer smell and performance back into the machine. A friend of mine gave me a copy of Diskwarrior to try. Man did it do the trick! It was painfully slow to load the tools but once it completed it really brought back the “snappiness”. I wasn’t missing any documents before I ran the tool but it found a number of filesystem issues with the primary disk drive. I wish I could have screen captured the completed summary screen, but as it runs under it’s own OS (It kinda boots like a Knoppix disk) I couldn’t find a way to do that. If you’ve got a MAC and it’s slowing down with old age, give Diskwarrior a shot. I’m off to buy my own copy today.

Lansweeper

2010-06-08T11:14:00.001-04:00

I’ve discussed Lansweeper before, but we just upgraded to the latest version and man…it’s way cool. There are a ton of useful features in this package and for the price it can’t be beat. The feature I like the most are:

Consolidated Event Logging
Custom actions
Licensing compliance monitoring
Custom reports
Ease of use

I had a high school senior in doing his senior project and I turned him loose on the upgrade. (Shout out to Ben for a job well done!) So here is a smart kid with a little computer know-how able to install and configure one of the most useful tools we use in the department. That should say something about how easy this is to set up and use. No disrespect to Ben… he’s a really smart kid…but he doesn’t really have any system engineering experience.

Custom actions are really cool. There’s a few written up in the forums so definitely check there to get started. But to just give you a flavor of what you can do, I set up custom actions for the following:

Get a resultant set of policies from a client workstation or server
Get the IE history of a remote computer
Connect to a remote computer with UltraVNC on an encrypted connection
Open up a command prompt to a remote computer
List the processes on a remote computer
List the service and their state on a remote computer

That’s just a few things we did. There are plenty more we plan on adding. It’s a very useful tool and definitely worth a look.

At least a take a look at the demo.

Blackberry anti-virus, backup and location services

2010-05-06T09:57:00.001-04:00

I found a cool little suite of Blackberry apps (all in one) that handle anti-virus, backup and location services. The app is call Lookout from http://www.mylookout.com. I loaded it up and it seems to work pretty well. For the moment it’s a free app, but I’m sure they will begin charging for it at some point. Here’s a quick list of features:

Backup (You can do this remotely in case you lose your device)
Anti-virus (can be scheduled)
Location (Log into the website and have it find your phone on a map)
Scream (Set off an alarm on your device so you can find it by the audible tone)
Nuke (Remote wipe your device in case you lose it…might wanna back it up first. :) )

Lot’s of this stuff can already be done with BES but the beauty is this way users can control their own settings. In our Firm the devices are owned by the users so there’s a fine line of confidentiality that we need to ride. This app might be a solution for a few of the more….sensitive users.

Enjoy!

Windows 7 Software Deployment Script Tool

2010-04-29T14:00:00.001-04:00

As you can see by my infrequent posts…I’ve been busy. One of my projects is to develop and test out all our software distribution and imaging tools so that we can begin the rollout/upgrade of Windows 7. To put it bluntly, it’s been painful. Windows 7 is just different enough to be a real pain in the butt. One of my main concerns is our automated build process. We use Prism Deploy as our software distribution tool. A clean Windows 7 build is loaded from Windows Deployment Services (a whole lotta setup involved there) and then we run a Prism Deploy script to load all our standard apps. The problem is UAC gets in the way even as an administrator. Even though you can turn it off you can’t stop it from prompting for some programs that write to HKEY_LocalMachine or to folders like C:\Program Files. For example this line of the script to load FireFox works great for XP but now under Windows 7 it isn’t silent anymore:

/Run /Wait %comspec% /c %installdir%\firefox\FirefoxSetup3.6.3.exe -ms

The trick to get it to work involves the Elevation PowerToy…specifically the ElevateCommand PowerToy. Installing this tool let’s me run the same command but it works with no GUI interruption:

/Run /Wait %comspec% /c elevate %installdir%\firefox\FirefoxSetup3.6.3.exe -ms

(Watch the wrap on that, it wasn’t intentional.) Now the script works as intended. There is one thing to note. The elevate command seems to shell out to a separate process so the current command windows closes. For me this is an issue because my “/wait” directive in the Prism script no longer waits for the install to finish. If you have software dependencies that are written out in your script you’ll need to figure out a way to wait until things finish before moving on to the next install.

Good luck…happy installing.

Identify Traffic On Your Wan

2010-03-17T11:27:00.001-04:00

We are in the process of looking deeper into our traffic patterns both on the LAN and on the WAN. We run a number of tools (Nagios, Cacti, WireShark, etc.) to keep an eye on overall traffic and performance but to get beyond this and dig deeper you need tools like NetFlow and NBAR. I figured I’d start with our smallest office and get a feel for how things are flowing over the WAN. We’ve got a Cisco 2821 on site connected to a T1 over our MLPS network. I figured I’d enable NBAR first and do a simple discovery of what traffic is flowing. Here are the steps I took:

Login to the router.
Verify it isn’t overloaded before doing anything. I ran a “show process cpu” to verify all is well. My router was running an 1% before I began any NBAR processes and I had plenty of free memory so I figured it was safe to enable.
Perform a “wr” to make sure the current config is written. You’ll also want to back up the config if you don’t have an automated way of doing this already. (I use CatTools….highly recommend.)
OPTIONAL STEP: Set your router to reload in 10 minutes. (reload in 10) That way if you enable NBAR and something goes wrong in 10 minutes your router will reboot with the last known good configuration before you enabled NBAR. If everything is ok cancel the reload (reload cancel)
Enable NBAR on your serial interface.

Router(config)#interface Serial0/0 Router(config-if)#ip nbar protocol-discovery

Again, check out your router performance with “show process cpu”. If it’s taking a huge hit use the “no” form of the above statement to disable NBAR.
To see the results use the command “show ip nbar protocol-discover”. You’ll see something like:

If the list is long you can just return the Top 10 with: “show ip nbar protocol-discover top-n 10”
To keep an eye on how many resources are used by NBAR use the command “show ip nbar resources”

That’s pretty much it. You can get a lot of information about what’s happening this way. To really roll up the numbers you’ll need netflow tools which I’ll discuss in another post.

Enjoy!

LifeSize Videoconference System Troubleshooting

2010-03-16T09:18:00.001-04:00

As you can tell by my infrequent posts….I’ve been a little busy. :) We are nearly done with our videoconferencing system upgrade. We went from a Tandberg infrastructure to LifeSize HD. I really like the LifeSize system, but it hasn’t been a smooth road. We’ve had a number of issues with ISDN, some with the LifeSize Networker and some with our PBX and we still haven’t completely figured them out. However, I have learned a whole lot about LifeSize and HD Videoconferencing that I didn’t know before. For one, LifeSize has a few diagnostic screens buried in the interface that do tend to help. The biggest find was https://YourLifeSizeIPAddr/support This part of the built-in web interface allows you to change a number of settings, pull an IP (tcpdump) trace for analysis and even run some extended logging. Oh yeah, you’ll be prompted to provide a username and password. The default username is “cli” and password is “lifesize”. You can change those from default if you ssh into the box and use their command line tools…which unfortunately aren’t regular Linux tools. They’ve got their own shell running that I haven’t figured my way around yet. Anyhow, the first tool here on this page is the Coroner page. That will run the equivalent of a Cisco “show tech support” on a router dumping logs and data to a file you can send to support for analysis. The file is called coroner.dat and seems to be some type of a tar file but I’ve been unable to uncompress it….but then I haven’t tried very hard. :) The second link you see is for the ISDN troubleshooting page. This page is great for ISDN troubleshooting. It gives you a much better picture into what is happening on the LifeSize Networker. Just like the main support page there are a number of knobs and switches to throw here. I haven’t seen any documentation on what each of the settings and controls do (the tech notes describing them are pretty thin) but if you’ve been around videoconferencing and networking you can figure out most of the stuff without issue.

All in all I really like the LifeSize gear. Once we get our new routers in (we’re planning a WAN upgrade as well) I’m going to implement LLQ/CBWFQ for video and voice traffic. That should help out immensely with the dropped packets we are seeing now. It won’t help over the Internet of course, but at least site to site calls will be better.

Oh yeah, when you do run a coroner capture it lists out what it’s grabbing as it works and it sure looks like some flavor of Linux under the hood. Gotta love it!

Quickest way to setup a test machine

2010-02-16T23:36:00.001-05:00

So I set up a lot of test machines. A lot. It’s always a pain to load all the basic tools over and over again along with doing all the Microsoft updates and reboots. I found a cool website that expedites the setup of many of the tools I use. Take a quick look at Ninite.com and you won’t be sorry. It basically allows you to select many commonly used applications and download and install them all at once. Very cool and very useful.

iptstate – Who you talkin’ to Willis?!?!

2010-02-05T15:36:00.001-05:00

I was playing around with iptables today on some new boxen and found an old tool I had forgotten about. iptstate is like top for iptables. It’s a cool tool used to see who is connecting to your linux pc. Here’s an example of the output (with the ip addresses and ports changed to protect the innocent!):

                          IPTables - State Top
Version: 1.4          Sort: SrcIP           s to change sorting
Source              Destination         Proto   State        TTL
10.0.10.48:43081    12.18.123.135:7666 tcp    TIME_WAIT    0:01:08
10.4.17.49:59253    92.16.123.155:9666 tcp    TIME_WAIT    0:00:56
10.23.14.147:1900   15.18.61.105:12     tcp    ESTABLISHED 119:59:59
10.6.12.106:1549    213.168.1.105:89    tcp    TIME_WAIT    0:00:00
12.34.34.113:42343 121.138.1.103:87    tcp    ESTABLISHED 72:35:23
21.15.2.26:3404     107.168.1.102:80    tcp    ESTABLISHED 6:56:27
22.16.14.120:3783   145.168.1.120:77    tcp    ESTABLISHED 29:13:09
23.154.11.20:2517   123.18.1.100:8080   tcp    ESTABLISHED 15:41:32
24.184.14.12:1511   155.168.1.100:34    tcp    ESTABLISHED 40:02:34

Enjoy!

Big A$$ Backups to Removable Media

2010-01-21T09:11:00.001-05:00

Ever asked to backup a boatload of files to DVD? Been stymied time after time adding just one too many files to a folder and it won’t fit on DVD/CD? Enter Capacity. A tool to break up that big job into just the right size chunks saving you time and heartache!

Enjoy!

You are ready for DNSSEC right?!?!?

2010-01-19T23:04:00.001-05:00

If you’ve not heard, time is growing short. A massive rollout of DNSSEC will begin next week. Learn more about it here. I’m sure the change won’t be seamless and it will probably slow name resolution for awhile. Might be a good time to start reading if you haven’t begun already….

http://www.dnssec.net/

http://www.root-dnssec.org/

http://net.educause.edu/ir/library/pdf/EST1001.pdf

SELinux Issues

2010-01-13T22:38:00.001-05:00

I had a few issues on a CentOS box today that I upgraded from 4 to 5. Syslog wouldn’t start if SELinux was in enforcing mode. I had to do a filesystem-wide relabel to get it all working. It was pretty straight forward to do but here was the procedure that worked for me.

First make sure SELinux is up to date with a yum update
Put SELinux into Permissive mode (setenforce 0)
Now set it so that it won’t turn on after a reboot by editing /etc/selinux/config and setting the line SELINUX=permissive
reboot (not sure this is required but I did)
set the system to autorelabel (touch /.autorelabel)
now reboot again (this one is required and it may take a little while if you’ve got a big filesystem)
now run setenforce 1 and edit /etc/selinux/config and set it back to SELINUX=enforcing

That was pretty much it. A “service syslog restart” got it all going again.

I’m still learning about SELinux. Here is a great PowerPoint on it.

Enjoy.

Windows 7 GodMode Folder

2010-01-04T09:14:00.001-05:00

Happy New Year!

As you can tell I’ve been on vaca for a few weeks so I haven’t posted much. I’ve been reading up on Windows 7 so I’ll be releasing some of what I’ve found over the next few updates. As I this is my first day back to work in two weeks I’ll keep this one simple. You may have seen this around the net already but I thought it was kinda cool. In Windows 7, there is the ability to create a “Control Panel-like” folder that has all the admin stuff that seems awfully hard to find in the new “forced” view of control panel. (I say that because the took the damn classic view of control panel completely out of Windows 7. Damnit.) Anyhow on any drive create a new folder and call it:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Now when you access that folder the goodies inside let you have a central location to go find a bunch of admin goodies.

Enjoy!

LogMeIn Express

2009-12-14T11:17:00.001-05:00

It’s no secret that I love me some LogMein. The simple, free version is excellent and I really depend on it for connecting to a few machines I have out on the Internet. Now they’ve come out with LogMeIn Express which is a no frills screen sharing tool. I’ve played with it a little this morning and I see huge potential for this tool. It offers shared remote control and the ability to send files between people in the meeting. It’s still in beta at this point but let’s hope they release this tool without a price tag. This will even be useful as a replacement for CrossLoop since it’s download component is all browser based. Nice work LogMeIn! Try not to ruin it with a monthly fee!

GoogleDNS

2009-12-03T21:20:00.001-05:00

I've posted before about how much I like OpenDNS. Well it seems that Google wants some of that business now so in early December they created their own public DNS servers. Here's a nice little writeup on it. Is this good news??! Well, as a consumer I'd say yes. For me more is always better. In the past I always used 4.2.2.1 (which I think is Level 3) for DNS and had great luck with it. I know that it uses IP Anycast so it always pulls from a sever geographically close to you. I'm not sure any of the others do that but I can say that I've seen the best name resolution performance from OpenDNS...even when you use their filtering. So now it seems that their is a host of DNS servers to choose from:

Level3 (4.2.2.1 - 4.2.2.6)

Google (8.8.4.4 & 8.8.8.8)

OpenDNS (208.67.222.222 & 208.67.220.220)

DNSAdvantage (156.154.70.1 & 156.154.71.1)

An added benefit of Google's DNS is that it responds to pings and 8.8.8.8 is an easy address to remember. :)

Here's a nice blog post from the founder of OpenDNS on Google's public DNS announcement.

Blackberry Bold 9700

2009-11-30T15:00:00.001-05:00

Well I finally upgraded from my 2007 Samsung BlackJack (which I had hacked to Windows Mobile 5.1) to a Blackberry Bold 9700 and I love it. I’ve been very pleased with the phone quality and the trackpad kicks ass. I was always a bit hesitant with Blackberry devices because of the trackball but the trackpad is nothing if it’s not elegant. The phone has pretty much everything I need. WiFi rocks, camera rocks, email rocks, it’s encrypted and there are even enough apps to wet my appetite. Apps are where the platform is lacking, but all the common ones exist in one from or another so I’ll get along just fine without a fake lighter. I would have liked to have seen the Motorola Droid as that would have been a tougher choice, but since I’m family plan bound with AT&T I didn’t have to make that decision. So far my favorite app is Viigo. Check it out if you haven’t already. Now if only there were open source apps for the berry….

Windows 7 First Look

2009-11-20T08:46:00.001-05:00

I’ve been extremely busy lately with budgeting, reviews and plans for 2010 so I haven’t had as much time to mess with the fun stuff. However, Windows 7 and Office 2007 are in the plans for next years project list. Having been an MCSE since 1995 and having been recertified 3 times as the operating systems change I’ve developed quite a background in Windows. I’ve lived through rollouts of every flavor of Microsoft desktops operating system (except that nasty Vista) by the hundreds. From what I’m reading so far Windows 7 does seem to be a significant upgrade from XP and seems to be well worth the effort. In particular the features that seem most compelling to me are DirectAccess, Problem Steps Recorder, booting from a VHD file, Bitlocker enhancements, integrated Biometric software (thank God…3rd party apps here in XP and Vista have always been painful) and believe it or not….searching in the UI. Searching for files and data has always been weak in Windows (they really need an updatedb & locate equivalent) but from what I’ve seen with search filters Windows 7 looks pretty good. Since they have now removed the Classic interface completely I’ll need to spend some time to find out where they’ve hidden everything. (Damn them.)

We will undoubtedly use MDT 2010 for image development and distribution but I haven’t seen a whole lot of compelling changes in MDT. So far, it looks like they’ve made some work-arounds to the existing pain points but nothing revolutionary. Multicasting will be a nice addition but heck that’s been around for over 10 years in other software distribution products like Ghost anyhow.

I think I’ve decided to move on and get certified as a MCITP: Enterprise Administrator. I don’t believe certifications make you a better engineer, but I do believe the process allows you to take some time to really learn the products and features. This is if you say away from the braindump sites and focus on the learning instead of the testing. I remember back when I got my MCSE 3.51 on NT…It took me 6 months. I read every book I could get my hands on, demo’ed every feature in my lab and worked with the product in my job on a daily basis. That is my plan here as well. The things I learned have stuck with me throughout my IT career and have shaped and molded my ability to understand and consume new technology. I’ll get off my soapbox now…

Stay tuned and I plan to blog about the cool new stuff as I run across it in my studies…

OpenVPN misfire

2009-10-26T22:03:00.001-04:00

I spent the weekend testing out OpenVPN-AS and ran into one problem. After an hour or two the connection would die and not restart until I completely exited the software and got back in. Once and awhile I noticed that it would lock out my account. After some mulling around, I figured out that it had something to do with the SecurID authentication. I moved from PAM to RADUIS authentication on Friday in hopes that our users could use their keyfobs and not have to remember a separate username/password combo. Although I got it all working, it seems that there is some kind of reauthentication happening during the session on a frequent basis. I'm guessing there is some kind of a timing issue because everyone once and awhile the attempt fails and the session dies. Moving back to PAM (that's basically Linux authentication against the local databasse) seems to have resolved the issue. Time to get WireShark out and see what's happening. Stay tuned...

OpenVPN-AS

2009-10-20T14:02:00.001-04:00

Today I set up our first OpenVPN-AS server and man is it cool. A lot of the things I didn’t like about regular OpenVPN (managing certificates, difficult authentication mechanisms, command line management, etc.) are addressed in OpenVPN-AS. You couldn’t ask for better licensing either….$5 per concurrent connection. That’s a software model I can buy into!

First I set up a CentOS server. It’s ver 5.3 with minimal stuff loaded. The I downloaded and ran the rpm right from OpenVPN.net. After a few small configs in pfSense to port forward https over the box I was up and running. I even got RADIUS authentication working of my SecurID box. For testing I just registered for the free 2 user license but I plan on purchasing more after our pilot is complete. If you want VPN for your business the cost is way worth the effort on this package. The difference between configuring OpenVPN and OpenVPN-AS is huge. OpenVPN-AS is way easier to set up and deal with both as an administrator and a user. Now…if they could only include OpenVPN-AS as a package in pfSense…..

Super Video conversion

2009-10-14T17:24:00.001-04:00

Every once and awhile you hit a cool tool that you’ve seen before but forgotten completely. I ran into Super today while researching video conversion tools and forgot about how useful this tool is. Super is a video conversion program that will let you re-encode video files from one format to another. I even like it better then…choke…sniff…VLC…for some conversions even though it’s not Open Source. :) I ran into this tool a few years ago and it got me out of a tight spot and it’s even better now. What I really like is it’s simplicity. VLC tends to force you to learn all about audio and video codecs if you want to get power out of the tool. Super allows you to pick an “output container” like mpg, wmv, etc. and if does all the hard work picking out the settings for you. It’s great for the video-challenged peeps like me. Enjoy!

pfsense DNS Forwarding and Overrides

2009-10-09T09:42:00.001-04:00

I ran into a small DNS issue when I first rolled out our pfsense firewall. I had 4 active interfaces: inside, outside, dmz and wireless. On the PIX I had the wireless segment go directly to the Internet for name resolution. Requests for “inside” services (on the inside or dmz interfaces) were NAT’ed so that the outside public addresses worked correctly. Not wanting to mess with all that NATing again, I was stuck because the rules I wrote were based on private ip addresses which wouldn’t be resolved correctly by a public DNS server. So after messing around a little I found that when set up as a DNS forwarder, the pfsense box will allow you override specific DNS entries or even an entire domain. Very very cool. I simply added the names I wanted to resolve to the override list with their internal ip addresses and bang! The only requirement was DNS forwarding had to be enabled and the pfsense box was acting as the DHCP server on the wireless interface. Simply leave the DNS values empty and pfsense will advertise itself as the DNS server to DHCP clients.

pfsense rocks the house!

Another successful pfsense rollout

2009-10-05T08:09:00.001-04:00

This morning, I rolled out pfsense at our biggest site. It was actually the third try, but that’s not pfsense’s fault. A combination of a bad hub and an extremely long arp timeout period on the ISP’s switch scrubbed the first two attempts. (It was really scary to hear the ISP tech say “Sure I can clear the arp cache for you…can you tell me what to type?” Egads!) All in all it went well. One thing I forgot about was access to remote subnets on our WAN. I purposely left them out of the routing table on the firewall thinking I’d use IPSEC tunnels as a failover mechanism to our WAN. Unfortunately, I completely forgot that they get to the DMZ from the inside to see our website. A few quick static routes fixed that in short order.

My biggest surprise was the fact that I disabled bogon login detection on a previous attempt at getting things running so I had to turn that back on. Turns out that doing that will reset the state table and break everyone’s existing connections! Luckily I found that early during the scheduled downtime so no one was the wiser.

Right now I’m backing up the config as I make changes so I need to automate the backup on a scheduled basis like I did with the PIX. I’m sure I can work something out with Cattools for this.

All in all a successful venture. Two more sites to go and all our firewalls will be pfsense!

Windows XP Remote Command Line Backup

2009-09-22T10:03:00.001-04:00

I had the need today to connect out to a PC and run a backup on it. Turns out this is trivial to do even with the standard windows NTBackup program. From another machine logged in with admin rights to the target machine run the following command:

c:>ntbackup backup \\remotePCnamehere\c$ /j “PC backup name here” /f “c:\backup.bkf”

This will backup the C: drive on the pc named remotePCnamehere locally to your C: in a file called backup.bkf on the box running the command. I can’t believe I haven’t had need for this more often.

Enjoy!

Want

2009-09-14T21:51:00.001-04:00

Big honkin server

Data Destruction Fun

2009-09-04T11:33:00.001-04:00

We often have the need to destroy data on old equipment including hard drives, floppy drives, backup tapes, CD’s, etc. This has always been painful for me because we used to rely on our recycling vendor to assure us that data was being disposed of properly...and I don’t trust anyone. :) For hard drives I like Darik’s Boot-n-Nuke, but it’s a pain to use on loads of removable media. So I went out and bought an Erase-o-Matic 3. How cool is this thing?! No power required because it uses rare earth magnets to suck the data life right out of the media. It literally takes seconds to wipe disks. So far I am very happy with this device in it’s simplicity, effectiveness and cost. A similar electron magnet eraser was almost $10K! I haven’t had a chance to fully test this thing yet on all media types but so far so good!

Enjoy the destructive goodness!!!

Technology Conferences

2009-08-28T18:02:00.001-04:00

I just returned today from ILTA's 2009 conference in Washington D.C. The conference is always a great opportunity to network and find Legal Technology specific information. This was my fifth year, and although attendance was impacted by the economy the education and networking didn't suffer a bit.

So what take away's did I walk away with? Well there were many. Email management still seems to be a painful topic for most law firms. Time and time again I heard from firms struggling with these issues:

Lack of firm email retention polices. Conflicting and rapidly changing requirements result in firms talking but doing nothing. Save everything forever ends up being the standard.
Lack of tools to satisfy the needs of complex policies that require different retention/archival times based upon areas of law, groups of attorneys or specific industry requirements.
Lack of scalable archival tools. There are some on the market but things like archival indexes and two tiered storage options leave firms wanting more.
Huge software maintenance costs and low value. Say no more...
Slow Outlook performance due to "Save everything forever"
Issues upgrading Exchange because of compatibility issues with plug-in/s for meta data removal, virus scanning, dms integration, encryption, unified messaging, etc....
Records management as it pertains to email. Even simple point and click tools are too much of a pain for an attorney if he/she can't do it from their berry.

Surprisingly, spam and antivirus weren't huge issues as they once were. Thanks to the development of cloud and appliance based tools you can actually buy your way out of these problems today.

Lots of talk about SharePoint and other portals. Many firms have committed to SharePoint and they pay quite a pretty penny to keep it running and keep specialists on board. Others are frustrated by it's limitations and have developed ways "around" SharePoint. Personally I don't like either answer. Our extranet provider has turned out to be a utter disappointment in regard to flexibility and performance so I'll need to work on this a bit.

Social Networking also was a new topic picking up interest....both in what to do about it and and to use it to your advantage. Although I didn't sit in all the sessions, I didn't hear specific answers to these questions but it was great to toss around the topic with others.

E-discovery raised it's ugly head again (sorry that's just how I feel abouit it) but not too much new in this arena. I'm sure the e-discovery vendors would tell you otherwise but it seemed to me like they are still catching up on features that people need and are still "behind" the curve. Hopefully in the next year or two they will move from reactive to preventative. Isn't it interesting that they spend all their time worry about old data and they don't submit tips on how to keep corporations out of trouble? They already know what not to do but they don't communicate that effectively. It would be a whole new market for them if they looked at what their clients wanted. There was a great reference of this by a speaker one morning showing a picture of a drill. When the CEO of the company asked his employees what it was they said it was what they made... they said they were the world's best power tool supplier (or something like that). Then he had a slide with a picture of a hole in a wall. The CEO told his company that this is what people actually wanted...not the drill. A very insightful observation...

There were many more topics covered and I'll try and write a second edition of this post after I review my notes more. This is just a summary of the topics I found most compelling.

ShoreTel Firmware Upgrade and Lessons Learned

2009-08-18T17:32:00.001-04:00

So we did an upgrade on our ShoreTel server, switches and phones a few weeks ago and had one small issue. Some (most) of the phones were reporting a “Firmware Version Mismatch” when viewed through ShoreWare Director’s IP Phone Maintenance screen. (To get to this screen go to QuickLook, then pick your site, then pick your switch….about 1/2 way down the screen you see the link to “IP Phones Maintenance”.) The problem ended up being that the DHCP options on the VOIP vlan (192.168.19.x/24) didn’t include the option for the ftp server on the ShoreWare server. (Option 156…read the docs) They were included on the user vlan (192.168.10.x/24) so the first time the phone boots and gets the DHCP options they did the upgrade and placed themselves in the correct vlan. However, on subsequent reboots (and upgrades) they picked up a DHCP address and options from the VOIP vlan and since the ftp server was missing they couldn’t auto upgrade themselves. It was an easy fix once I understood the issue. Clear as mud right?!?!

One other cool thing I learned is that you can telnet into a ShoreTel phone and look at it’s options. To do this you need to use a tool called “phonectl” which is part of the ShoreTel server. Here is how you do it:

From the Shoretel Server directory run the following commands:

1. phonectl -pw <phone password> -telneton <ip address of phone>
2. telnet <ip address of phone>
3. Now, to see the config run “printSysInfo” from the telnet prompt.

Cool.

Microsoft Word is Toast

2009-08-12T13:42:00.001-04:00

http://blog.seattlepi.com/microsoft/archives/176223.asp

Long Live Open Office!!!

I’m saying this in jest…I’m sure Microsoft will ~~buy~~ find their way around this mess and Word will be just fine. It still makes me chuckle.

Microsoft Licensing Rant

2009-08-10T16:58:00.001-04:00

It’s always nice when you pay a vendor top dollar for product and then have them slap you in the face with their licensing restrictions and complicated activation processes. I fondly remember my first run-in with this nonsense…the dongle. As in “the dongle that broke Autocad’s back.” (For those of you that remember, way back when… Autocad required a dongle. Their sales dropped significantly as users shied away from their systems to use alternatives that weren’t hobbled with software protection.)

I’ve been reviewing the changes in Microsoft’s Volume Licensing procedures and the whole process still strikes me as a sign that Microsoft has lost as much confidence in their customers as their customers have lost in them. Don’t get me wrong, I believe that for commercial software vendors to work and make a buck they should be paid. However, hamstringing customers that are actually paying the bill is like a waiter spitting in your food as he hands it to you because you “might” run out before you pay the check.

So it turns out that very little has changed with Microsoft licensing. They still force you to use KMS (and have your pc check in every 180 days) or MAK (and burn a license that can never be recovered should you ever have need to rebuild the box from the ground up).

They give these examples of why this is process is “good” for you:

It reduces the risk of running counterfeit software. Um…s’cuse me but if I paid for it I did my part. It’s Microsoft’s burden to hunt down counterfeit outfits not mine. What they are really saying is it makes Microsoft’s job easier by making it harder (not impossible) for counterfeit software to exist. Again…why am I paying for this, why do I have to do all this extra work setting up KMS servers and why is this my concern?
It assures that your copy of Windows is genuine. Once again…why do I care if I’ve already paid for it? What they are really trying to say is that we don’t trust you. To top that off if you aren’t running genuine software you don’t get to talk to Abu in India if you run into any problems with our software. But…if you can prove to us that you actually paid for the software we will provide support to you by an untrained technician from another country in another time zone who talks with a thick accent and is sure to walk you through at least one reboot before kicking the call up to his buddy that had the 2 week training course. Thanks. That makes me feel better.
Activation = Greater piece of mind. Um… No it doesn’t. The ability to support my users around the world with software that’s not gonna nag them or spontaneously combust into a flurry of license warnings and reduced functionality= greater piece of mind. Wait..that’s not fair. They got rid of the reduced functionality part. Sorry.
Assists with license compliance. Really? For licensing compliance I have to run multiple reports and then I have to compare what I bought to what the reports say. Then I have to verify that my payments were for the right products and made on time. Then I have to verify that my KMS server or MAK proxy has a clear line of sight to Microsoft at all times so the whole kit and kaboodle doesn’t tip over while I’m worried actually getting non-licensing related work done. How is that assisting me again?

The product key way of doing licensing was bad, but these approaches are worse. They are harder to administer, more likely to leave users unable to work and a huge slap in the face of paying customers.

On a final note, I bet that the restrictions on licensing in Windows 7 (and Windows Server 2008 R2 for that matter) will limit the amount of counterfeit installations. I bet it also will help to sway businesses (especially ones that couldn’t afford Microsoft software anyhow) over to Open Source software solutions. This has and will continue to be detrimental to the sales of Microsoft products. That my friends is Technology karma at it’s best.

</End Rant>

Port Listener for firewall testing

2009-08-06T10:30:00.001-04:00

I found this cool little tool today for testing ports open through a firewall. In my lab, I’m trying to simulate my pfsense firewall and it’s a pain to setup a box as a mail server, an http server, an ftp server, an https server, etc… just so that I can test each rule. This little utility runs and lets you pick a port to “listen” on. Then to test, say port 25, just run a “telnet 10.1.1.1 25” and you’ll get a “Hello” response if the port is active. Simple, effective and elegant tool to add to your toolbox.

Port Listener v1.01

pfsense Monitoring (rate vs. darkstat vs. bandwidthd)

2009-08-05T11:21:00.001-04:00

So now that we have our first pfsense box up and running, I’ve been comparing and contrasting what options I have as far as monitoring goes. I’ve loaded rate and darkstat on one box and bandwidthd on another.

I’ve had a lot of trouble with rate. It installs ok, but it seems temperamental in regards to browser. (Firefox seems to work way better then IE here.) This may be due to the requirement for the Adobe SVG viewing plugin, but I can’t really tell. Unlike the other two tools that add themselves as new option to the menus, rate plugs into the built in Status –> Traffic Graph item. When it’s working it’s ok, but the numbers seem to change so fast that it’s not as useful as the other tools which are more focused on long term trending. As Adobe has discontinued support for the Adobe SVG viewer I’d probably lean away from this tool anyhow.

darkstat is nice, but as it runs on port 666 it’s generally something I only open up from the inside interface. That limits it a bit for me as I do a fair amount of remote monitoring. However, it has a “hosts” page which breaks down traffic by IP which is very useful. You can even sort by traffic in, traffic out and total traffic. You can find it under diagnostics, darkstat.

image courtesy of the dartstat website

bandwithd is probably my favorite of these tools. It’s nests itself under the https port so you can use it remotely. It drops your top 20 IP’s in a list for easy inspection and it breaks the traffic down into individual graphs for a variety of services.

As you can see there are quite a few options to slice data in pfsense. The built in Status –> RRD Graphs are also excellent for long term trending. pfsense has proven to provide more capabilities in regard to traffic monitoring and collection then I had with my old PIX.

Happy firewalling!

TrueCrypt Hacked at Blackhat Conference

2009-07-30T14:46:00.001-04:00

If you’ve been following the news today, some 18 year old genius has supposedly hacked TrueCrypt. After reading how has hack works, I’m not all that concerned. The attack runs as a shim between the OS and the TrueCrypt interrupt request. To get that installed on a box you need either physical access or admin rights on the machine…both of these are needed while the machine is running. Um..sk’use me… but if you give someone admin rights or physical access to your PC while it’s running THEY OWN YOUR BOX ANYHOW!!!!! Come on guys this isn’t an attack!?!? It’s somewhat concerning that this code is out there but it seems to me that simple precautions like antivirus, malware protection, XP’s firewall, etc.. all severely limit how effective this attack would be in the real world.

On to some real news….did you see that the project manager for CentOS is MIA? That concerns me more then this hack…

Take your Linux Server’s Temperature

2009-07-27T12:29:00.001-04:00

If you are running server class hardware, you can run the following command to tell the temperature of your CPU:

cat /proc/acpi/thermal_zone/THM0/temperature

Open Source Based Penetration Testing

2009-07-27T09:13:00.001-04:00

I did some work this weekend involving some penetration testing. I used a LiveCD called BackTrak (which is Ubuntu based). It comes loaded with a ton of tools and really makes it easy to do some pretty intensive testing. I won’t got into the details on what all I tested, but suffice it to say this will be added to my “must have” live CD collection which include:

Knoppix – pretty much the standard in LiveCD’s
Damn Small Linux – used for quick access to stuff while on other people’s systems
pfsense – Built in sniffer makes this a really easy remote tool to use for grabbing traces.
gparted live– Used for partition management
SystemRescueCD – Great little system rescue tool
Darik’s Boot –n- Nuke – Easily erase hard drives
SMART – Data forensics (Used to love Helix but now you gotta pay for it. )
CloneZilla – Disk cloning at it’s best.

How ‘bout you? Got Tools? What’s your fav?

Open Source Software in Production

2009-07-20T17:26:00.001-04:00

I was talking to a friend on the phone today about Open Source Software. He was wondering what stuff I actually use in production. I figured I’d take a minute and document the stuff that I personally use and we as a Firm use. Here’s the list I came up with after a few minutes. I’m sure we use more…this is just the stuff I could think of:

nagios
cacti
pfsense
syslogd
phplogcon
wireshark
nmap
mediawiki
apache
php
FireFox
TrueCrypt
putty
FileZilla
FileTransfer Device
greenshot
VLC
UltraVNC
UltraVNC SC
7Zip
Audacity
NotePad++
WinSCP
Snare
Alfresco
OpenOffice
MySQL
PHPMyAdmin
OpenVPN
Password Safe
IPTables
OSSEC
Logwatch
PDFCreator
Blat!

We are pretty much standardized on CentOS as our distro of choice. I won’t get too religious on the reasons why other then to say the decision was made based upon cost, performance, security and what is built into the kernel as far as drivers go. The two commercial apps we run on CentOS are CommVault (media agents) and Kayako SupportSuite.

So there you have it.

Open Source Forensics

2009-07-17T10:37:00.001-04:00

I used to really like the Helix package for forensic purposes. Unfortunately, they are now charging for that software so I’ve had to look for alternatives. So far I’ve found two: PlainSight and SMART. I’ve played with SMART in the past and liked it a lot, but it didn’t have all the features of Helix. PlainSight looks decent too, but not quite where I’d like it to be. I guess we just gotta wait a bit longer to find a decent replacement. Have you found any Open Source forensic tools you like better? Hit me up in the comments…

Attention Printer Manufacturers

2009-07-10T08:33:00.001-04:00

You guys kill me…you really do. You’ve been in the market longer then the PC manufacturers and you still fail to look around a learn a lesson about how the market works. Printers have become one of the two evils in IT (printing and email). Here is what your customer base wants…do these things and you’ll become the market leader:

Design a “line” of printers that all use the same damn toner cartridge. I only want to stock and buy 1 type of toner cartridge. Save your money on the manufacturing end and design a universal print cartridge that works in a family of printers and stick with the damn thing when new models come out. Ok…why is this so damn important? Here’s why
Design a line of printers that all work with the same print driver. OH THE HORROR!!!! Yes. Printer drivers haven’t been reliable since HP had the HPIII. At that point all printers were made compatible with that driver and everyone was happy. Forget compatibility….unify the driver. It’s less for you to test and prove and it’s easier for the customer to load everywhere.
Have a thin driver for each model. We could really give a shit about another systray icon eating up system resources just to tell us we are almost out of toner. Use regular logging (eventlog in Windows and syslog in Unix)…we are looking there already on a daily basis.
Build in cost recovery and authentication features. As one of the remaining hard costs associated with printing, help us keep track of it so we can charge the right people. It helps us justify buying that bigger printer for those people that need it.
Have the printer phone home when something dies and send us parts automatically if we have a support contract. Take a lesson from Data Domain on this one. They’ve got it right.
Build in reporting. The web interfaces are ok, but what I want is a print detail report each month showing total pages printed and how much it changed from last month. Keep a running graph of monthly/weekly/yearly usage.
Don’t build a tabletop printer that can’t hold at least one ream of paper. Seriously, why is this so hard?
Use universal parts for as many components as you can in a printer family. Power supplies, paper trays, heck even fusers should be portable across a family line of printers. I’ll pay extra for a printer that I can use for spare parts later.
Be honest about the actual life cycle of a printer. When I buy a printer I want to know how many pages it’s going to print in it’s lifetime. Figure it out and tell me. That helps me develop my ROI.

That’s it for now….but I’m sure I could think of more if I had time. Printers are nothing but a pain in the ass right now and your service stinks…all of you. Fix it already.

</End Rant>

VLC 1.0.0 is out

2009-07-08T00:07:00.001-04:00

VLC is one of my favorite Open Source tools. It's a media player that comes with a ton of codecs and features. It's been particularly useful to me playing video streams, capturing stills from video files and converting videos from one format to another. It's a very cool and useful tool that should be in everyone's toolbox.

Enjoy...

Basic pfsense to pfsense IPSEC tunnel config

2009-07-01T10:19:00.001-04:00

Part of my security redesign this year is to replace our aging Cisco PIX boxes with pfsense. Yesterday I spent the day setting up a simulated environment for 3 of our offices over an Internet connection. I was able to get the IPSEC tunnel up and running between two pfsense boxes pretty quick. Here’s a quick and dirty process for getting it all to work:

Site 1: Outside IP: 200.200.200.201/29
Outside Gateway: 200.200.200.202
Inside IP: 192.168.1.0/24

Site 2: Outside IP: 100.100.100.100/29
Outside Gateway: 100.100.100.101
Inside IP: 192.168.2.0/24

Note: I assume everything is wired correctly and there is a router which will provide connectivity between 200.200.200.202/29 and 100.100.100.101/29. Also, if you are faking Internet addresses like I am above, be sure they aren’t in the bogon list that pfsense uses. Otherwise you’ll have to remove the bogon firewall rules on the WAN interface.

Step 1: Install pfsense and set local IP’s on both firewalls.

Step 2: Logon to the web interface for pfsense on each box and assign the WAN addresses.

Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.

Step 4: Add a tunnel on Site 1’s firewall to Site 2 by adding a tunnel and changing only the following items:
* Remote Subnet: 192.168.2.0/24
* Remote Gateway: 100.100.100.100
* Phase 1 Lifetime: 28800
* PreShared Key: thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the save button

Step 5: Add a tunnel on Site 2’s firewall to Site 1 by adding a tunnel and changing only the following items:
* Remote Subnet: 192.168.1.0/24
* Remote Gateway: 200.200.200.201
* Phase 1 Lifetime: 28800
* PreShared Key: thisisasecretdon’ttell
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Now hit the save button

Step 6: Be sure to “Apply Changes” when prompted on each firewall.

NOTE: SEE COMMENTS…STEP 7 IS NOT NEEDED…

Step 7: Allow Authenticated Headers (TCP/51) and ISAKMP (UPD/500) with Firewall rules so that IPSEC can pass. Firewall->Rules: WAN Tab.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: TCP
* Port: 51 (Other)
Hit Save
Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500 (isakmp)
Hit Save

Do this on both firewalls and Apply Changes when prompted

Step 8: Allow all traffic to pass through the IPSEC tunnel. Firewall->Rules : IPSEC Tab
Rule 1
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any
Hit Save

Do this on both firewalls and Apply Changes when prompted

That’s pretty much it. You should now be able to ping inside interfaces between firewall with the ping diagnostic tool. From here you can further restrict traffic with firewall rules as needed.

If something goes wrong, use the Status-> System Logs to check out what is going on both on the firewall and on the IPSec tabs. Note that any firewall denies for the IPSEC interface appear as enc0 as the interface on the Firewall tab of System Logs.

Enjoy!

mtr…the love child of ping and traceroute

2009-06-29T10:19:00.001-04:00

Just a quick note to tell you to check out mtr if you haven’t already. It combines the features of ping and traceroute in kind of an interpreted mode that runs until you quit. There are a few command line switches as well to make life easier for automation. Here’s a generic example of it’s output going out to Google:

My traceroute [v0.75]
centos.mydomain.com (0.0.0.0)             Mon Jun 29 10:10:25 2009
Keys: Help   Display mode   Restart statistics   Order of fields   quit
                                                                                            Packets              Pings
Host              Loss%   Snt Last   Avg Best Wrst StDev
1. 192.168.1.1    0.0%     6    0.3   0.4   0.3   0.6   0.1
2. 66.53.18.65    0.0%     6   37.7 21.2   7.4 37.7 12.8
3. ???

I’ve changed the IP addresses above to protect the innocent, but it should give you a general idea of what to expect. For years as a network engineer I used “ping –t” to watch for downed gear to come back online. This tool gives you that ability and much more as it keeps track of numerous interesting and useful statistics.

Filetransfer Appliance

2009-06-24T17:16:00.001-04:00

Our Firm constantly gets requests to send large data files back and forth between clients. Up until now, we’ve been using a mixture of email attachments and a locked down FTP site. For a number of reasons that are too many to mention we needed a better way. Lance from ILTA (thanks Lance) turned me on to a device from Allardsoft that takes this pain away. The device isn’t completely Open Source, but it is based on Open Source tools. The Filetransfer appliance contains a web server which can be used to post a file/files and address it to a user. External users can only send files to internal users, but internal users can send files to anyone. The recipient of the email gets a single link that they use to retrieve the file. All files are deleted automatically after a set time and user’s can’t see each others files. The whole process is done behind SSL, secured by a certificate and is logged. Very cool. It looks like they are even working on a plug-in for Outlook. That alone is worth the price of admission. The appliance isn’t free, but even at it’s maximum unlimited users configuration it’s only $499. If your email server if busting at the seems be sure to take a look.

Cool and Different Presentations

2009-06-17T10:44:00.001-04:00

Having worked in the IT sector now for about 20 years I have a finely tuned bullshit monitor. This is especially true of presentations. Most hour long presentations I sit in on have 5 valuable minutes of new or interesting material. We all know “cool” when we see it and we all know what the other 55 minutes of the presentation are for….to fill time. So when I saw my first Google I/O Ignite presentation I about fell out of my chair. The presentations are 5 minutes long each with 20 PowerPoint slides. Oh yeah and they are rotated every 15 seconds so the speaker isn’t in control…he/she has to keep up. I love this format. It forces the speaker to cut the the raunchy essence of the topic and eliminate the bs. My hat is off the folks at Google on this. I’m presenting a small piece of an open source firewall talk at ILTA this year (pfsense…yeah baby!) and I may very well steal this concept for that presentation.

As an avid viewer of TED presentations, I’m always intrigued by new and different presentation styles. This presentation is done in a style that I’ve copied a few times and had much success with. It’s based on the “Lessig Method” (example here) which I find drives the listener to pay attention just to keep up. At last years ILTA, I did a presentation on Wireshark in this format and it was well received. This is my presentation style of choice if my presentation is a tutorial or training session.

What presentations styles have knocked your socks off? Hit me up in the comments and let me know. I’m all ears.

Linux System Maintenance and Setup

2009-06-11T15:03:00.001-04:00

There are a few things I like to do on all my Linux servers when the box is set up and from time to time to verify all is well. Here is a short list of some of these items:

Remove rights for root to login via ssh.
In /etc/ssh/ssh_config change "PermitRootLogin yes" to "PermitRootLogin no". Then restart ssh
Boot into command line mode instead of the Gui (runlevel 3 instead of 5)
In /etc/inittab change the line
"id:5:initdefault:" to "id:3:initdefault:"
Setup logwatch to email you daily logs of what's happening each day
In /usr/share/logwatch/default.conf/logwatch.conf change
"MailTo = root" to
"MailTo = yourname@youremail.com"
Better yet...send all mail for root to your email email account.
Edit /etc/mail/aliases and change
"#root: marc" to "root: yourname@youremail.com". Now you need to run /usr/bin/newaliases to recreate the aliases.db file.
Update your box nightly at midnight...but skip kernel updates as they may break stuff
Edit your cron jobs file (crontab -e) and add the line:
0 0 * * * yum --exclude=kernel* -y update
Reboot your machine weekly (Reboot every Sunday at 1am)
Edit your cron jobs files (crontab -e) and add the line:
0 1 * * 0 /sbin/shutdown -r now
Adjust the time for forced disk checks to once a quarter because it can take a long time to boot with large drives.
Run something like
"tune2fs -c 12 -C 0 /dev/VolGroup00/LogVol00"
Assuming you reboot once a week this will force a check once a quarter.
Get a good look at the processes and what started them on your system
Run "ps auxwww"
Get a good baseline of your hard drives performance and age before you go live. Note that this wont' work on a VM and you will need check /dev/hda1 to machine your machines config.
Run "smartctl --all /dev/hda1"
Determine what ports are open and listening
Run "netstat -anp --tcp --udp | grep LISTEN"

What things to do you do?

I’m working on authoring a system maintenance document outlining things that should be done for maintenance on a daily, weekly, monthly, quarterly and annual schedule. Let me know what you are doing and I’ll email you a copy of my document when it’s done.

More on SELinux

2009-06-05T11:34:00.001-04:00

Yesterday I posted about some issues I had with SELinux after a kernel update to CentOS. My post was commented on by Dan Walsh, a top notch security guy from Red Hat. I clicked on his name and found his blog which turned out to be a goldmine for me. In reading his blog I found a link to the best resource I’ve seen on SELinux for a system admin. It’s the Security-Enhanced Linux User Guide. I read the whole thing in about 90 minutes and it provided some insight into SELinux that I’ve found nowhere else. This is why I love Open Source and the Internet. I’m sure if I posted a note about some feature in Windows I’d never hear back from anyone in the developer community at Microsoft about how to fix my problem. Heck, I didn’t even post my note to a newsgroup…just my humble blog. It’s great to see people so involved and interested in what they do that they go looking for issues just to help people and keep up to date on what others are saying.

Thanks Dan. I truly appreciate it.

CentOS Kernel upgrade breaks SELinux

2009-06-04T16:47:00.001-04:00

So last night I did a yum update on one of our web servers which included a kernel update. All went well until the reboot at which time SELinux was preventing httpd from starting. Dropping SELinux into permissive mode (setenforce permissive) allowed httpd to start and things went well except for the banter of SELinux messages in my logs bitching about one thing after another. At first I thought about a system-wide relabel of the drive…but I’m truthfully a bit concerned that the hammer approach might break too many things. After some research on the web I took this approach instead:

Grep out the line items from /var/log/messages that seem to be creating a problem. I ran something like: tail /var/log/messages | grep avc > fix1
Use the audit2allow script to build a file of fixes that could be applied to SELinux (audit2allow –M fix1a < fix1). This creates a file called fix1a.bb.
Run fix1a.bb against the semodule command (semodule –i fix1a.bb)

That’s it. I had to do this a few times as errors popped up, but it seems to have fixed the problem. Be sure to read through the offending lines in the messages log to verify that things that are being denied should actually be working.

Here is an example of some of the errors I was getting:

Jun 4 16:15:45 MY-WEB01 kernel: type=1400 audit(1244197545.492:6268): avc: denied { append } for pid=10103 comm="httpd" path="/var/log/httpd/access_log" dev=dm-0 ino=851362 scontext=root:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

Jun 4 16:12:29 MY-WEB01 kernel: type=1400 audit(1244112349.412:6262): avc: denied { search } for pid=9737 comm="httpd" name="mysql" dev=dm-0 ino=851641 scontext=root:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

I’m still in favor of SELinux although I think I’ll be taking more precautions (like snapshoting a machine) before I update kernels. Once I got past the errors I restarted SELinux (setenforce enforcing).

Conky is Cool

2009-05-29T11:33:00.001-04:00

Conky is a tool used to display performance metrics of a Linux box in an active window or right on the background of the computer. If you’ve used Sysinternal’s BGInfo it’s kinda like that, but better because it updates in real time. It’s very configurable, but usually looks something like this:

That’s a bit hard to read so here is an example of the kind of data it can provide:

The configuration for this is pretty easy on Centos. Here’s how I did it:

yum install libX11-devel libXext-devel libXdamage-devel libXft-devel glib2-devel

* watch the wrap…that’s all 1 line

Then download conky here. Expand this somewhere like /usr/bin or ~ and run:

./configure
make
make install

Now you need to make a file named .conkyrc and drop it in your home directory. I used one I found online, but there are a ton of them available here with screenshots showing with they look like.

To start it under Gnome open a command line and type conky. If that bothers you that it’s spawned from the window add this script to your machine (/usr/bin/startconky.sh and chmod it to 755) and put a link to it in your panel or on your desktop.

#!/bin/sh
# by: ??
# click to start, click to stop

if /sbin/pidof conky | grep [0-9] > /dev/null
then
  exec killall conky
else
  sleep 1
  conky
  exit
fi

*Note…script blatantly stolen from here.

Now when you click on the conky icon in your panel it will start and stop conky.

Pretty cool stuff.

How I Backup MySQL

2009-05-22T08:46:00.001-04:00

I’m documenting this mostly for my benefit, but I figured it may be of use to others. This is how I backup my mysql servers.

Create a backup directory. I use /backup
Verify mysqldump exists under /usr/bin
Verify user account with rights in MYSQL to the database you want to backup. In this example I will backup a data base called bluedb. For this demo I’ll use the username “Joe” and the password “Shmoe”
Create a script directory under /backup
Create the backup script. Here’s mine (largely written by my friend Jason):

BACKUP_DIR=/backup
DUMP=/usr/bin/mysqldump
DATE=`date +%Y%m%d`

# DATABASE INFO
DB=bluedb

# First we will backup the structure of the database
${DUMP} --user=Joe --password=Shmoe --no-data ${DB} > ${BACKUP_DIR}/${DATE}_${DB}_backup_structure.sql

# Now we will backup the database itself
${DUMP} --user=Joe --password=Shmoe --add-drop-table ${DB} > ${BACKUP_DIR}/${DATE}_${DB}_backup.sql

# Now we will remove files that are older than 3 days
find ${BACKUP_DIR} -type f -mtime +3 -exec rm {} \;

*Note: There is some serious line wrapping going on above.

Name the script something like mysqlbackup.sh and drop it in /backup/script
Change rights on the mysqlbackup.sh so it has rights to execute (chmod 755 mysqlbackup.sh)
Now you can test it by running: /backup/script/mysqlbackup.sh
Next I generally edit my cron jobs (crontab –e) and add the line 0 0 * * * /backup/script/mysqlbackup.sh

That’s it . The script dumps both the data and the structure of the database and it keeps 3 days worth of backups. From here my main backup script for the box picks these up during it’s normal daily file level backup.

Enjoy the backup goodness!!!

Data Domain is the Bee’s Knees

2009-05-20T10:01:00.001-04:00

Last year when I was budgeting for 2009 I decided to take a leap and move our online backups from regular disk storage (a SATABeast) over to a compressed and deduped device. After looking at a few options (namely Exagrid and Data Domain) I chose Data Domain. Basically because the landing zone concept of Exagrid gets under my skin. So far I’ve been very impressed with the Data Domain system. It’s behaving better then I had expected. Here’s a graph of one of our sites and how well it is working:

So here we see that the raw backup (the red line) is about 15.6TB. After compression (the blue line) the data takes up about 10.6TB. After deduplication (the green line) it’s only 2.8TB. As I’m replicating this across the country it sure makes life better. So yes, I love my Data Domain system.

Doing more with less

2009-05-19T11:58:00.001-04:00

If you are like me, a Windows convert, you are probably popping open nano, emacs or some other command line editor a lot as you are looking through configuration files. Yeah I can use vi when I have to but I’m happier and more productive in a full screen text editor. Anyhoo, I’ve used the “more” command in Linux and Windows for quite a long time and I like it for quick checks, but now that I’ve been playing with Linux a lot I’ve been seen how much more powerful the “less” command is.

To see the contents of a file just type “less filename.txt”. It automatically displays the file on the screen and magically the page up, page down, home and end keys all work for navigation. Even better, you can run a simple search by proceeding the search term with a forward slash. For example, to search a file for the word “apple” while in a less session just type “/apple”. Cool. You even get the benefit of text highlighting to make the search more effective. (If you hate the highlighting just hit Esc-u to turn it off.) Once you are in a search, the letter n takes you to the next found word and a capital N takes you to the previous found word. Pretty cool. To exit a less session just type q for quit. Of course the beauty of all this is that you aren’t actually editing the file so you can do no harm.

To see what line you are on or how far you are reading into a file start the program with the –M switch (less –M filename.txt) Here are some other cool tricks (from a shameless cut and paste):

Quit at end-of-file: To make less automatically quit as soon as it reaches the end of the file (so you don't have to hit "q"), set the -E option.
Verbose prompt: To see a more verbose prompt, set the -m or -M option. You can also design your own prompt; see the man page for details.
Clear the whole screen: To make less clear and repaint the screen rather than scrolling when you move to a new page of text, set the -C option.
Case-less searches: To treat upper-case and lower-case letters the same in searches, set the -I option.
Start at a specific place in the file: To start at a specific line number, say line 150, use "less +150 filename". To start where a specific pattern first appears, use "less +/pattern filename". To start at the end of the file, use "less +G filename".
Scan all instances of a pattern in a set of files: To search multiple files, use "/*pattern" instead of just "/pattern". To do this from the command line, use "less '+/*pattern' ...". Note that you may need to quote the "+/*pattern" argument to prevent your shell from interpreting the "*".
Watch a growing file: Use the F command to go to the end of the file and keep displaying more text as the file grows. You can do this from the command line by using "less +F ...".
Change keys: The lesskey program lets you change the meaning of any key or sequence of keys. See the lesskey man page for details.
Save your favorite options: If you want certain options to be in effect whenever you run less, without needing to type them in every time, just set your "LESS" environment variable to the options you want. (If you don't know how to set an environment variable, consult the documentation for your system or your shell.) For example, if your LESS environment variable is set to "-IE", every time you run less it will do case-less searches and quit at end-of-file.

Happy viewing!!!

Diving into Wiki’s

2009-05-15T11:52:00.001-04:00

A recent project popped up at the Firm in regard to the storage and retrieval of unstructured, uncategorized data. The request was to have a piece of software help to keep track of websites, contact information, client history and government programs related to a specific area of law. After looking a numerous products including mind mapping tools, data tree tools, $harePoint and databases I picked a wiki as the best method to use to get started. After reading and reviewing what was out there, I decided to try both phpwiki and MediaWiki. After a failed attempt at getting phpwiki going I tried MediaWiki and had things up in minutes. No surprise here…there’s just a ton more information available about MediaWiki so I was able to get it going faster. I probably could have gotten phpwiki going given enough time, but MediaWiki was good enough.

The entire MediaWiki install took roughly 15 minutes. I won’t blog about the process because it’s already in plain English here. What I really liked about MediaWiki was (1) the fact that it’s what Wikipedia is hosted on (2) there are a ton of already developed plug-ins (3) the documentation is really good and abundant and (4) any idiot can edit it as proven by Wikipedia (shout out to Jerry on phrasing that point so eloquently!).

So far so good. The basic product is pretty simple to use although the Wiki editing requires some inline html/Wordstar-like editing skills. I’ll let you know how it goes but so far it’s been pretty cool.

OSSEC Active Responses

2009-05-12T09:51:00.001-04:00

So I’ve been playing around a lot with OSSEC. Active responses are one of my favorite features. They remind me of the old firewall days when countermeasures existed whereby the firewall would detect an ongoing attack and fight back flooding the source IP with syn attacks or malformed packets. Yeah…sneaky goodness….but in the world of botnets and script kiddies those kinds of things are no longer effective. However, one use of active responses is to let you “tune” your firewall to situations at hand. It seems a little easier to work in local mode as the active responses are already set up, but it is possible to get them to work in the agent-server configuration as well.

Here is how they work…

The ossec.conf file lists both commands and active-responses. I’m going to describe how the firewall-drop active-response detects and drops attempts to login too many times to your server. The command configuration is shown here:

<command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
</command>

Now this is stock code included with OSSEC so you can get this working in minutes. Notice that the file structure is XML. That not only makes it easy to find and understand the code but it makes it simple to extend with any text editor as well.

Here we see the declaration of a command firewall-drop. It’s tied to a shell script called firewall-drop.sh (which lives at /var/ossec/active-response/bin on my server). This script and pretty much all scripts return (expect) a number of variables for you to use. The first is the action (add or delete) which is used to tell the script to add a firewall rule or delete a firewall rule. The second variable is the username (user) which isn’t actually used in this specific script. The third variable is the source ip address (srcip) which in our case is the ip of the guy trying to login unsuccessfully. The timeout_allowed goes hand in hand with the action variable. A timeout lets you put a rule in for say…600 seconds and then remove it again. This will thwart attackers automated attacks while not completely locking out the forgetful or fat-fingered admin.

The active response configuration in the ossec.conf file looks like this:

<active-response>

<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

The first part in between the <!—and –!> is just a descriptive comment. The command matches up with the command defined above. The location tells the script where to run the rule. In this case, this is a local installation of OSSEC so it’s set to local. The level is the trigger which kicks off this event. There are a set of predefined rules (in /var/ossec/rules) which categorize different detected events. One of these triggers is the detection of a brute force ssh password attack. There are numerous levels so I can’t go into all them here but you can easily drop in a look at the rules files on a standard installation for more info. Additionally, you can trigger on multiple types of things not just levels. There is a predefined rules group name called “sshd” so I could have used something like that as well. Unfortunately, the sshd rules group fires for successful and unsuccessful attempts so I couldn’t use that in this example.

Once things are configured a simple restart of the ossec system (/var/ossec/bin/ossec-control restart) will put it all into action.

So here is how it works. Someone tries to brute force attack the server on ssh and logs are generated in the secure log. OSSEC watches those logs, uses the rules file to detect the attack and sets the rule level. The the rule level fires off the active response script firewall-drop.sh which adds a rule to the iptables config effectively blocking the source ip address. After 600 seconds, the script is called again with the “delete” action and the rule is removed and all is well.

OSSEC is very powerful and this example just scrapes the surface. This has rapidly become one of my favorite open source tools of all time.

Building a BDD/Microsoft Deployment USB Boot drive from XP

2009-05-07T14:38:00.001-04:00

In my earlier post about using Microsoft Deployment off a USB drive I gave instructions for using the Diskpart tool to format, partition and set the USB drive as active. Turns out that only works under Vista. Under XP, when you do a “list disk” in diskpart it can’t even see the drive. So…as a work around here is what we did. First off I’m using a SAN cruzer 8GB stick but they are all about the same. First I uninstall the U3 autoloading nonsense. This will end up reformatting the drive which is just fine. The I use a copy of bootsect.exe from the WAIK kit (installed under c:\Program Files\Windows AIK\Tools\PETools\x86) and I run:

bootsect /nt60 f:

Then I copy the contents of the .iso created from the Microsoft Deployment point (the media one) onto the drive. From here it boots and all is well.

SSH Protection in IPTables

2009-05-05T16:48:00.001-04:00

So now that we are off of Windoze IIS as our main production web server and onto Linux, I’ve been watching the logs very closely to verify all is well. I’ve got OSSEC, Logwatch and a few “custom” scripts installed for this purpose. One thing I noticed was the daily SSH brute force/dictionary attacks. I’m only password protecting the service because I’ve still got a few developers working remotely and dealing with them and certificates is a little more pain then I want right now. So, to slow down the attacks I’ve added two lines to my iptables config to keep attempted logins down to 3 per minute. Here are the two lines (watch the wrap):

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Essentially, a timer is kicked off at each attempt to login. On the forth attempt, the IP is banned until the first attempt times out at over 60 seconds. If someone runs a script against the server the first 3 will be denied because of incorrect passwords and the rest will be banned because of repeated attempts. Since the timer resets with each attempt they can keep sending user/pass combos but until they back off for 60 seconds they will just be denied. Not a perfect solution, but one to certainly stop the madness I’m currently seeing. After we get out of developer mode I’ll probably increase it to 10 minutes.

I also looked at two scripts fail2ban and one called protect-ssh. Both looked like they worked ok, but they were a little more difficult then the two lines above which did pretty much what I wanted. When I get some more time I’ll probably look into both of them again.

Enjoy.

GMER Rootkit detection tool

2009-05-01T13:54:00.001-04:00

I ran across this cool little free tool for Windows based root kit detection today. There are actually two tools on the site, catchme.exe and gmer.exe. Catchme.exe seems to be a command line tool for root kit detection and gmer.exe (whose name changes on each download to thwart malware from detecting it on the way down) is a gui app. As I’ve never had a root kit infection I can’t comment on how well they work but they look like pretty good tools and they are recommend in the book on OSSEC so that can’t be all that bad. :)

Enjoy!

OSSEC rocks my socks

2009-04-29T16:41:00.001-04:00

OSSEC is a security tool which can be best classified as a host intrusion detection system. It can be installed in three modes: local, agent or server. I installed it as a local install on my test box so that I could see how it worked. What a cool app! It installs in seconds and when enabled, sits in the background watching your log files, changes made to executable files and a bunch of other stuff. If it sees any funny business it drops you an email to let you know. It can even be configured to automatically add IPTables firewall rules when it detects people running attacks against your server. The default settings detected things like incorrect password attempts, initial logins by users and the creation of new users and groups. It even detects things like the existence of root kits on Linux. Most of it runs from the command line but there is a web gui as well.

I’ve been hitting the research hard looking for log analysis tools for apache and linux and this tool is going to be very useful. This may even remove the need for my centralized syslog box as it parses out the good info from the bad. We will see…. I haven’t dropped this on my production web server yet, but I will soon.

Two thumbs up for this useful tool…

Oh yeah…there is a agent for Windoze boxes as well. ;)

Show all users cron jobs

2009-04-28T16:21:00.001-04:00

Just a quick one today…it’s been a busy busy few days. :) Here’s a quick way (when logged in as root) to see all the cron jobs configured on a system:

for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done

Watch the line wrap and enjoy!

Housecleaning Linux Style

2009-04-21T16:07:00.001-04:00

It’s been quite a busy few days here at the Firm. We’ve gone live with a new website (hosted on Linux of course), exchanged a ton of electronic files with one of our vendors ala TrueCrypt and finished off our monthly reboots (thanks Microsoft). So the web server was probably the most fun. During the process I enabled Google Analytics, awstats, logwatch, selinux and iptables. Google Analytics is great for getting the quick on dirty stats for your web server. This is the first time I’ve enabled it site wide and it has really been eye opening. Do yourself a favor and use it on your site to track where people are going. I even enabled it on my blog and it seems my posts on Equallogic and HP Procurve are my top hits.

Awstats is a perl script the parses your Apache access_log and reports back on your web site statistics in a meaningful way. (It can do other apps like ftp as well, but I’m only using it for httpd.) Lots of great info here but it takes a bit more tuning to get running they way you want it. I’m still tweaking the output but I hope to get it all done soon.

Logwatch is a tool built in to most distros that parses your log files and rolls up some really basic, but important statistics which it then optionally emails to you. You are probably running this tool already and don’t even know it. Do yourself a favor and edit your logwatch.conf file (mine is under /usr/share/logwatch/default.conf) and add your email address to the “MailTo =” line. As this is a web server I’m interested in who is logging in remotely and logwatch details out SSHD login info :

sshd:
   Authentication Failures:
      root (192.168.31.111): 216 Time(s)
      unknown (192.168.51.11): 48 Time(s)
   Invalid Users:
      Unknown Account: 48 Time(s)
   Sessions Opened:
      root: 27 Time(s)

Failed logins from:
xx.xxxx.xx.xxx: 216 times
root/password: 216 times

Illegal users from:
xx.xxx.xx.xxx: 48 times
oracle/password: 48 times

Users logging in through sshd:
    root:
       xx.xxx.xx.xx(aserver.ontthenet.com): 21 times
       xx.xx.xx.xxx(anotherserver.onthenet.com): 3 times
       xx.xx.xx.xx(ahost.outtheresomewhere.com): 2 times
       xx.xx.xxx.xxx(anotherhost.outtheresomewhere.com): 1 time

Received disconnect:
11: Bye Bye
xx.xxx.xx.xxx : 264 Time(s)

SFTP subsystem requests: 21 Time(s)

Logwatch will summarize much more then just the sshd logs, but I wanted to give you a sample of it’s power.

SELinux is of course an application layer firewall. It will keep services/daemons contained in their own “space” so that they all get along. Should something get hacked, SELinux will keep the hacker from accessing data beyond what the compromised service has rights to. It’s a little hard to get your arms around, but it’s well worth the time invested learning how it works.

iptables is a very flexible and useful firewall. One thing that I learned how to do was to restrict the number of login attempts so that hackers will be blacklisted by IP address if they try and run something like rainbow tables against your sever. Here’s the quick and dirty :

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
recent --set --name SSH

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

This lines are wrapped here, but you can use that as a head start. Lots and lots of buttons and knobs to turn that’s for sure.

Enjoy.

NTOP on CentOS 5.3 for Netflow Monitoring

2009-04-14T16:47:00.001-04:00

I did an NTOP install on CentOS 5.3 today and it was a little different then I’ve done before. The SecurityTeam.US repository doesn’t seem to contain ntop anymore so I had to switch repositories. I did the following:

Install a repository that has the ntop package available: “rpm –Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm”
Install ntop “yum install ntop”
Run ntop “ntop”
When asked, you’ll need to supply a password for the default admin account. It get’s a little lost in the start up noise but if you scroll back you should see the request.
run “service ntop start”
run “chkconfig ntop on”
Now it should be up and running and should restart at the next reboot as well.
Allow ports 3000/tcp and 2055/udp if you have firewalling enabled. Port 3000 is for ntop and port 2055/ubp is for netflow.
From another PC web browse http://yourserverip:3000
Now, enable Netflow: From the menus select Plugins, Netflow, Enable
Now make sure you are monitoring on the correct interface. Admin, Switch NIC. For me the interface was NetFlow-device.2 [id=1].
Now set your Netflow defaults. Plugins, Netflow, View/Configure.

Select the device you want, Hit the Edit Netflow Device button.
I left the name alone as NetFlow-device.2
Change local collector udp port to 2055 (the default port).
Hit the Set Port button
Virtual Netflow Interface is the interface on the router (indicated as the flowexport source interface below) that will be sending you the netflow stream of data. Also put it’s mask. (For me this was 192.168.1.1/255.255.255.0)
Hit the Set Interface Address button
Aggregation – none (This was my preference)
Hit the Set Aggregation Button
The only other thing I changed was debug. I turned it off.
Hit the Set Debug button

So the next step was to configure our router to point to the ntop box.

Login to privileged mode on the router
(config)#ip flowexport source <interface number>
(config)#ip flowexport version 5 peeras
(config)#ip flowexport destination<ip address> <port number>
(config)#ip flowcache timeout active 1
Not change to the interface you want to monitor
(config-if)# interface <interface>
(config-if)# ip routecache flow
(config-if)# bandwidth 1544
(config-if)# wr

In the above example I used a few abbreviations: <interface number> is the local interface you want to use to send the data from (faste 0/0 for me). It’s NOT the one you want to monitor. <ip address> and <port number> are the ip address and the port that ntop will be listening on. The default port is 2055 udp. The bandwith of 1544 which is the speed of a T1 line. You’ll have to adjust that for your line speed.

Ok pop back to the web interface and look at the Netflow Statistics. (Plugins, Netflow, Statistics). You should eventually see the Packets Received number start to grow. If it’s growing you’re getting data. Now you should be able to browse through the menus and start to look at your data. It takes awhile for the data to build and be meaningful but it’s pretty cool.

Drop me a comment if you are interested and I’ll run through what some of the data means.

Portable Ubuntu for Windows

2009-04-06T11:53:00.001-04:00

One of my beefs with VmWare on my main workstation is that it adds virtual networks and some services which slow and bloat the system even if I don't have a VM up and running. Over the weekend I ran into a cool little...well I guess it's a distro...called Portable Ubuntu for Windows. It loads as any other Windows app so when you close it, it's gone. No footprint beyond the disk space it uses. Plus, unlike a VM it docks a bar on your current desktop. It's like having the VM act as an extension to your Windows environment. Very cool. You can access your local hard drive as /mnt/C so you can have all the Linux tools at your finger tips (grep, chron, sed, vi, etc...) I've only used this for a day or two but it seems like it's going to be very helpful. Oh yeah the root password is 123456.

Happy Ubuntuing!

Safe and Reliable DNS

2009-04-03T08:32:00.001-04:00

If you haven't heard about OpenDNS and ScrubIT, you should really to take a look at them. Both services are DNS servers on the Internet that will help protect you computer from connecting to known compromised hosts. In addition to that, you can set up the servers to block access to adult sites and run some basic content control. I've been using ScrubIT at home on my kids computers for over a year now and it's been working great. I'm wondering if it is still going to be available because the homepage is nothing more then a logo these days. OpenDNS on the other hand lets you have much greater control over content. By setting up a free account you can list your IP addresses or even your dynamic DNS name and set a profile of settings to control what is and isn't available. We switched over at work to OpenDNS to protect against viruses like conficker and since we did we've noticed that their DNS servers seem to respond quicker then the ones provided by our ISP. The bonus is you even get some performance metrics showing your DNS use.

Happy surfing!!!

phpLogCon on Orange JeOS

2009-04-01T13:00:00.001-04:00

Now that we have rsyslog working on Orange JeOS it sure would be nice to get phpLogCon working so that we could see the logs via a web browser. Because my application of rsyslog is firewall specific, it deals with a ton of traffic. So much traffic in fact, that I don’t wanna mess with MySql back end. MySql tends to slow things down too much. So, I set up rsyslog to store it’s data to /var/log/syslog and I’m going to set up phpLogCon to pick it up from there. Here’s the play by play:

yum install httpd php php-gd
edit /etc/httpd/conf/httpd.conf and set the “Servername” variable to the name or IP of your machine.
service httpd start
chkconfig httpd on
Allow httpd (port 80) in iptables with ”iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT”
wget http://www.phplogcon.org/Downloads-req-getit-lid-54.phtml
cd ~
tar –zxvf phplogcon-2.6.2.tar.gz
cd phplogcon-2.6.2
mkdir /var/www/html/syslog
cp –a src/* /var/www/html/syslog
cp contrib/configure.sh /var/www/html/syslog
cd /var/www/html/syslog
chmod 777 configure.sh
./configure.sh (This will create a file called config.php)
rm configure.sh
chmod 666 config.php
chcon –Rv –type=httpd_sys_content_t /var/www/html/syslog (Note: This changes the selinux config to allow the syslog folder to work with the httpd daemon.)
chcon –Rv –type=httpd_sys_content_t /var/log/syslog
chmod 644 /var/log/syslog
Browse (on another computer) to http://yourservername/syslog . You should see this screen:

Click the word “here” above to begin the configuration.

Now click the Next button.

Again, click the Next button

I took the defaults above to get started. Click the Next button.

The defaults were fine again. Click Next

Finish up with a “chmod 644 config.php”

We’re done. Now click the word “here” in the above screen and you should see you syslog data.

Good luck and happy logging!

rsyslog on Orange JeOS

2009-03-31T17:19:00.001-04:00

I’ll skip the pomp and circumstance and get right to it. Here are my steps for getting rsyslog to work on Orange JeOS:

Load Orange JeOS
login as root (password is qwerty)
fix ip & mask in /etc/sysconfig/network-scripts/ifcfg-eth0 to match you network settings
fix hostname & gateway in /etc/sysconfig/network
fix nameserver in /etc/resolv.conf
service network restart
yum update
shutdown –r now
login as root again
yum install ntp
chkconfig ntpd on
ntpupdate pool.ntp.org
service ntpd start
yum install rsyslog
add “*.* /var/log/syslog” as the last line in /etc/rsyslog.conf
add “-r” to SYSLOGD_OPTIONS in /etc/sysconfig/rsyslog
service syslog stop
service rsyslog start
chkconfig syslog off
chkconfig rsyslog on
iptables –I RH-Firewall-1-INPUT 3 –p udp –dport 514 –j ACCEPT
/etc/init.d/iptables save

That’s it. rsyslog should be running, iptables should allow incoming upd traffic and the log file /var/log/syslog should start to have data in it. You can pipe the data to mysql if you want, but that’s another config. :)

Enjoy the logging goodness!

lvm2 on Orange JeOS (Extending the root partition)

2009-03-30T11:47:00.001-04:00

So after messing with Orange JeOS a bit, I kept bumping my head on the fact the there just wasn’t a whole lot of disk space to play with. Both the core version and the esx version of Orange JeOS used lvm2 and limit the root partition to around 2GB…that doesn’t leave a whole lot of space for logs. I’m still learning about lvm2 so I figured this was a good opportunity to figure it all out. So…the quick and dirty is that I was unable to resize the Physical Volume (PV) that Orange JeOS was on without breaking it. I tried doing it from a live cd with the lvm2 tools and all but it turned out to be a real hassle. So instead, I created another partition on the disk to fill the remaining space, created a 2nd PV, added it to the Volume Group, extended out the existing Logical Volume to include it and then resized my partition. (Um…yeah…pretty meaty work…) Here’s the play by play:

Load Orange JeOS (whatever flavor or however you want)
Log in as root (default password is qwerty)
Verify you current disk and partition sizes with “df”
Boot from Qparted Live CD
Create an ext3 partition on the remaining disk space
Boot back into Orange JeOS and login as root
Do a “pvcreate /dev/hda3” replacing hda3 with the partition name you created in the last step. This creates the new lvm2 Physical Volume.
Do a “vgextend /dev/VolGroup00 /dev/hda3” replacing both the volume group name (VolGroup00 is the default in Orange JeOS with yours) and the partition name you used above
Do a “lvextend –L +4G /dev/VolGroup00/LogVol00” to extend the logical volume. As before replace the pieces you need to. I increased the size by 4GB above because that was the size of my new physical volume.
Finally run a “resize2fs /dev/VolGroup00/LogVol00” to extend the file system out to use the new space. I’m on ext3 but ext2 should work as well. If you picked something else as your filesystem your mileage may vary.

That’s pretty much it. From here I was able to see the new space in a “df” from the command line. I’m sure there were other options (including a way to partition the rest of the disk from inside Orange JeOS) but that’s how I did it.

There’s a pretty good reference to lvm2 on line here.

WireShark Presentation Links

2009-03-26T13:54:00.001-04:00

For my ILTA friends….

Here is a link to my Wireshark resources post:

http://rolfsa.blogspot.com/2008/09/i-love-me-some-wireshark.html

I hope you enjoyed the call. See you at Conference where I’ll be covering TrueCrypt!

Setting up Orange JeOS with httpd and Webmin

2009-03-26T09:01:00.001-04:00

After some messing around I was able to get Orange JeOS running as a basic web server. I also threw on the ultracool Webmin tool. Webmin is a web based administration tool for Linux. It makes it easy to get down and dirty with the OS without having to use the command line and without having to load a full GUI. It’s simple to setup and is great for people just learning Linux. As my staff doesn’t have many Linux admins, I’m planning on using it as a tool to get the rest of them up to speed and productive in a short period of time. Anyhoo…here’s how I did it.

Load Orange JeOS on the box from the iso I talked about in the last post. (The root password is “qwerty” if you can’t find it.)
Change the IP address in /etc/sysconfig/network-scripts/ifcfg-eth0
Change the default gateway and hostname in /etc/sysconfig/network (my config had two hostname lines..not sure why…so I deleted one)
Change the DNS Sever in /etc/resolv.conf
Bounce the nic with “service network restart”. You should now have network connectivity.
Do a “yum update” to get the box up to speed with all the updates.
install httpd and perl “yum install perl httpd” (You need perl for webmin)
Download webmin by doing a “wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm”
install webmin “rpm –i webmin-1.470-1.noarch.rpm”
start httpd with “service httpd start”
start webmin with “service webmin start”
Allow httpd (port 80) in iptables with ”iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT”
Allow Webmin (port 10000) in iptables with “iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j ACCEPT”
Save the iptables changes “/etc/init.d/iptables save” so the rules are there after a reboot.

You should now have a fully functional Orange JeOS webserver with Webmin loaded. The URL for webmin is http://yourboxip:10000 where “yourboxip” is the IP you assigned or the hostname (if you set it up on your DNS server).

Next I’ll load rsyslog and phpLogCon and my syslog appliance will be complete. (It’s trickier then it sounds…I’ll need to expand the physical volume on LVM as Orange JeOS only has 4GB configured and 2GB in the current logical volume for / .)

Enjoy!!!

Orange JeOS is pretty cool

2009-03-24T14:29:00.001-04:00

So I found a new distro that’s pretty cool….Orange JeOS. This distro based on the mantra “Just Enough Operating System” and it is a streamlined version of CentOS. It’s released as a scripted build (not as an ISO) from the site, but being the lazy bastard that I am, I did find a site that performed all the heavy lifting for me. They release a few different ISO’s based on your intended hardware. There’s even a version with a GUI, but that kinda defeats the purpose in my view. What I wanted this for was to be able to build a small syslog server without a lot of overhead. I tried the VMWare appliance called SyslogAppliance but the damn thing was like 64GB in size. So much for an appliance…

Anyhoo, I was able to load the core install on an old Toshiba Salellite Pro 4600 for testing. From here I downloaded the VMWare version and put it on ESXi. That took some work because it’s built on VMServer so I had to download the stand alone converter from VMWare and then convert it over. When I first booted up it failed to mount the disk. I took a shot in the dark and increased the size of the virtual disk and then it all worked ok. So far so good.

So if you’re really interested on what’s installed by default…running a “yum list installed” on the base build (oj-1.8.7-11.iso) yields:

MAKEDEV.i386                             3.23-1.2               installed
SysVinit.i386                            2.86-14                installed
atk.i386                                 1.12.2-1.fc6           installed
audit-libs.i386                          1.6.5-9.el5            installed
audit-libs-python.i386                   1.6.5-9.el5            installed
authconfig.i386                          5.3.21-3.el5           installed
basesystem.noarch                        8.0-5.1.1.el5.centos   installed
bash.i386                                3.2-21.el5             installed
beecrypt.i386                            4.1.2-10.1.1           installed
binutils.i386                            2.17.50.0.6-6.el5      installed
bzip2.i386                               1.0.3-4.el5_2          installed
bzip2-libs.i386                          1.0.3-4.el5_2          installed
cairo.i386                               1.2.4-5.el5            installed
centos-release.i386                      10:5-2.el5.centos      installed
centos-release-notes.i386                5.2-2                  installed
checkpolicy.i386                         1.33.1-4.el5           installed
chkconfig.i386                           1.3.30.1-2             installed
coreutils.i386                           5.97-14.el5            installed
cpio.i386                                2.6-20                 installed
cracklib.i386                            2.8.9-3.3              installed
cracklib-dicts.i386                      2.8.9-3.3              installed
cryptsetup-luks.i386                     1.0.3-2.2.el5          installed
cups-libs.i386                           1:1.2.4-11.18.el5_2.3 installed
curl.i386                                7.15.5-2.el5           installed
cyrus-sasl-lib.i386                      2.1.22-4               installed
db4.i386                                 4.3.29-9.fc6           installed
dbus.i386                                1.0.0-7.el5_2.1        installed
dbus-glib.i386                           0.70-5                 installed
device-mapper.i386                       1.02.24-1.el5          installed
device-mapper-event.i386                 1.02.24-1.el5          installed
device-mapper-multipath.i386             0.4.7-17.el5           installed
diffutils.i386                           2.8.1-15.2.3.el5       installed
dmidecode.i386                           1:2.7-1.28.2.el5       installed
dmraid.i386                              1.0.0.rc13-15.el5_2.1 installed
e2fsprogs.i386                           1.39-15.el5            installed
e2fsprogs-libs.i386                      1.39-15.el5            installed
ed.i386                                  0.2-39.el5_2           installed
elfutils-libelf.i386                     0.125-3.el5            installed
ethtool.i386                             5-1.el5                installed
expat.i386                               1.95.8-8.2.1           installed
file.i386                                4.17-13                installed
filesystem.i386                          2.4.0-1.el5.centos     installed
findutils.i386                           1:4.2.27-4.1           installed
fontconfig.i386                          2.4.1-7.el5            installed
freetype.i386                            2.2.1-20.el5_2         installed
gawk.i386                                3.1.5-14.el5           installed
gdbm.i386                                1.8.0-26.2.1           installed
glib2.i386                               2.12.3-2.fc6           installed
glibc.i686                               2.5-24.el5_2.2         installed
glibc-common.i386                        2.5-24.el5_2.2         installed
gnupg.i386                               1.4.5-13               installed
gnutls.i386                              1.4.1-3.el5_2.1        installed
grep.i386                                2.5.1-54.2.el5         installed
grub.i386                                0.97-13.2              installed
gtk2.i386                                2.10.4-20.el5          installed
gzip.i386                                1.3.5-10.el5.centos    installed
hal.i386                                 0.5.8.1-35.el5         installed
hdparm.i386                              6.6-2                  installed
hicolor-icon-theme.noarch                0.9-2.1                installed
hwdata.noarch                            0.213.6-1.el5          installed
info.i386                                4.8-14.el5             installed
initscripts.i386                         8.45.19.1.EL-1.el5.cen installed
iproute.i386                             2.6.18-7.el5           installed
iptables.i386                            1.3.5-4.el5            installed
iptables-ipv6.i386                       1.3.5-4.el5            installed
iputils.i386                             20020927-43.el5        installed
kbd.i386                                 1.12-20.el5            installed
kernel.i686                              2.6.18-92.1.22.el5     installed
kernel.i686                              2.6.18-92.1.13.el5     installed
keyutils-libs.i386                       1.2-1.el5              installed
kpartx.i386                              0.4.7-17.el5           installed
krb5-libs.i386                           1.6.1-25.el5_2.2       installed
kudzu.i386                               1.2.57.1.17-1          installed
less.i386                                394-5.el5              installed
libX11.i386                              1.0.3-9.el5            installed
libXau.i386                              1.0.1-3.1              installed
libXcursor.i386                          1.1.7-1.1              installed
libXdmcp.i386                            1.0.1-2.1              installed
libXext.i386                             1.0.1-2.1              installed
libXfixes.i386                           4.0.1-2.1              installed
libXfont.i386                            1.2.2-1.0.3.el5_1      installed
libXft.i386                              2.1.10-1.1             installed
libXi.i386                               1.0.1-3.1              installed
libXinerama.i386                         1.0.1-2.1              installed
libXrandr.i386                           1.1.1-3.1              installed
libXrender.i386                          0.9.1-3.1              installed
libacl.i386                              2.2.39-3.el5           installed
libattr.i386                             2.4.32-1.1             installed
libcap.i386                              1.10-26                installed
libfontenc.i386                          1.0.2-2.2.el5          installed
libgcc.i386                              4.1.2-42.el5           installed
libgcrypt.i386                           1.2.3-1                installed
libglade2.i386                           2.6.0-2                installed
libgpg-error.i386                        1.4-2                  installed
libhugetlbfs.i386                        1.2-5.el5              installed
libidn.i386                              0.6.5-1.1              installed
libjpeg.i386                             6b-37                  installed
libpng.i386                              2:1.2.10-7.1.el5_0.1   installed
libselinux.i386                          1.33.4-5.el5           installed
libselinux-python.i386                   1.33.4-5.el5           installed
libsemanage.i386                         1.9.1-3.el5            installed
libsepol.i386                            1.15.2-1.el5           installed
libstdc++.i386                           4.1.2-42.el5           installed
libsysfs.i386                            2.0.0-6                installed
libtermcap.i386                          2.0.8-46.1             installed
libtiff.i386                             3.8.2-7.el5_2.2        installed
libusb.i386                              0.1.12-5.1             installed
libuser.i386                             0.54.7-2.el5.5         installed
libvolume_id.i386                        095-14.16.el5          installed
libxml2.i386                             2.6.26-2.1.2.7         installed
libxml2-python.i386                      2.6.26-2.1.2.7         installed
lockdev.i386                             1.0.1-10               installed
lvm2.i386                                2.02.32-4.el5_2.1      installed
m2crypto.i386                            0.16-6.el5.2           installed
mingetty.i386                            1.07-5.2.2             installed
mkinitrd.i386                            5.1.19.6-28            installed
mktemp.i386                              3:1.5-23.2.2           installed
module-init-tools.i386                   3.3-0.pre3.1.37.el5    installed
nash.i386                                5.1.19.6-28            installed
ncurses.i386                             5.5-24.20060715        installed
net-tools.i386                           1.60-78.el5            installed
newt.i386                                0.52.2-10.el5          installed
nsa_lockdown.noarch                      1.0-3                  installed
nspr.i386                                4.7.3-2.el5            installed
nss.i386                                 3.12.2.0-4.el5.centos installed
oj-postinstall.noarch                    1.0-2                  installed
openldap.i386                            2.3.27-8.el5_2.4       installed
openssh.i386                             4.3p2-26.el5_2.1       installed
openssh-server.i386                      4.3p2-26.el5_2.1       installed
openssl.i686                             0.9.8b-10.el5_2.1      installed
pam.i386                                 0.99.6.2-3.27.el5      installed
pango.i386                               1.14.9-3.el5.centos    installed
passwd.i386                              0.73-1                 installed
pciutils.i386                            2.2.3-5                installed
pcre.i386                                6.6-2.el5_1.7          installed
pm-utils.i386                            0.99.3-6.el5.centos.19 installed
policycoreutils.i386                     1.33.12-14.el5         installed
popt.i386                                1.10.2-48.el5          installed
prelink.i386                             0.3.9-2.1              installed
procps.i386                              3.2.7-9.el5            installed
psmisc.i386                              22.2-6                 installed
pycairo.i386                             1.2.0-1.1              installed
pygobject2.i386                          2.12.1-5.el5           installed
pygtk2.i386                              2.10.1-12.el5          installed
pygtk2-libglade.i386                     2.10.1-12.el5          installed
python.i386                              2.4.3-21.el5           installed
python-elementtree.i386                  1.2.6-5                installed
python-iniparse.noarch                   0.2.3-4.el5            installed
python-numeric.i386                      23.7-2.2.2             installed
python-sqlite.i386                       1.1.7-1.2.1            installed
python-urlgrabber.noarch                 3.1.0-2                installed
readline.i386                            5.1-1.1                installed
redhat-logos.noarch                      4.9.99-8.el5.centos    installed
rhpl.i386                                0.194.1-1              installed
rootfiles.noarch                         8.1-1.1.1              installed
rpm.i386                                 4.4.2-48.el5           installed
rpm-libs.i386                            4.4.2-48.el5           installed
rpm-python.i386                          4.4.2-48.el5           installed
sed.i386                                 4.1.5-5.fc6            installed
selinux-policy.noarch                    2.4.6-137.1.el5        installed
selinux-policy-targeted.noarch           2.4.6-137.1.el5        installed
setools.i386                             3.0-3.el5              installed
setserial.i386                           2.17-19.2.2            installed
setup.noarch                             2.5.58-1.el5           installed
shadow-utils.i386                        2:4.0.17-13.el5        installed
slang.i386                               2.0.6-4.el5            installed
sqlite.i386                              3.3.6-2                installed
sudo.i386                                1.6.8p12-12.el5        installed
sysklogd.i386                            1.4.1-44.el5           installed
tar.i386                                 2:1.15.1-23.0.1.el5    installed
tcl.i386                                 8.4.13-3.fc6           installed
tcp_wrappers.i386                        7.6-40.4.el5           installed
termcap.noarch                           1:5.5-1.20060701.1     installed
tzdata.noarch                            2008i-1.el5            installed
udev.i386                                095-14.16.el5          installed
usermode.i386                            1.88-3.el5.1           installed
util-linux.i386                          2.13-0.47.el5          installed
vim-minimal.i386                         2:7.0.109-4.el5_2.4z   installed
vixie-cron.i386                          4:4.1-72.el5           installed
wget.i386                                1.10.2-7.el5           installed
wireless-tools.i386                      1:28-2.el5             installed
xorg-x11-filesystem.noarch               7.1-2.fc6              installed
yum.noarch                               3.2.8-9.el5.centos.2.1 installed
yum-fastestmirror.noarch                 1.1.10-9.el5.centos    installed
yum-metadata-parser.i386                 1.1.2-2.el5            installed
zlib.i386                                1.2.3-3                installed

More on this later as I continue to build my Open Source Security setup with PFSense, rsyslog, phplogcon, OpenVPN and ESXi. (It’d be Xen if I that the time…really…)

Lansweeper – Inventory Tool Extraordinaire

2009-03-20T16:17:00.001-04:00

Lansweeper is a free and very cool tool for network inventory purposes. There is a Premium Version that provides some extras that are well worth the investment. I’ve been using it for a few months now and it’s become one of my favorite tools. What I like about it is that it’s very extendable and it’s pretty easy to create your own reports. I’ll let you check out the basics for yourself on their demo site, but I thought I’d walk you through how to extend the reporting functionality. To do this you need lsbuilder, which is part of the Premium Version. However, lsbuilder is just an easy way to create your own SQL queries so you could probably do that with the standard SQL tools. I wanted a report of Computer Manufacturer, Computer Name, Computer Model and the last logged in user. Unfortunately, this report didn’t exist in the base tool, so I created it on my own. First open up lsbuilder:

As you can see I’ve got SQL Express loaded on locally so it’s pointing back to itself. Make sure you are logged on here with enough rights in SQL to do the magic you need.

You’ll notice the Report Output tab and the Report Builder Tab…we wanna go to the Report Builder Tab. After messing around a bit I found you could drag and drop tables from the table list over to the builder piece. Selecting the items from the tables will produce those items in the final report. After some poking around I found the values I wanted in the tblComputersytem and tblComputers tables.

As you can see above, I’ve linked to tables together with a join by dragging Computername from one table to the other. If you click the SQL tab from the builder windows you can see the resulting code.

One thing you’’ll see is that I had to rename Computername in the tblComputersystem.Computername to Computername1 because there was a collision on this name between the two tables. No big deal really. Since the SQL is off the page I’ll drop it here for you to see better:

SELECT
tblComputersystem.Manufacturer,
tblComputersystem.Model,
tblComputersystem.Computername AS Computername1,
tblComputers.Username,
tblComputers.Computername
FROM
tblComputers
INNER JOIN tblComputersystem ON (tblComputers.Computername = tblComputersystem.Computername)

Now just hit the disk icon to save the report to the report list. Now you can click the Report Output tab to get your list:

This gives me the exact report I was looking for with Manufacturer, Model, Computer Name and the last logged in user. Using the “Export to Excel” button I was able to manipulate the report further (by removing the duplicated ComputerName field) and to pretty it up for printing. Yeah..I know there’s a way to remove the duplicate computername with the SQL code directly but this is just a quick and dirty example and I’m trying to be brief. :)

Hit me up on the comments if you find/develop any other cool and useful reports.

Ubuntu Ultimate 2.0

2009-03-18T16:57:00.001-04:00

So we seem to have coughed up a few old Dell D800 laptops last year after upgrading some of our users. When I heard we had a few available, I remembered that they had pretty nice screens and a medium grade video card baked in so I thought it might make a nice box to try Ubuntu Ultimate on. You see, I like Ubuntu for the desktop, but having to load all the goodies on is a real pain in the butt. That’s why I like this distro so much. It’s got tons of toys and tools and it’s all preloaded. So I downloaded, burned and kick started the iso. Everything went pretty smooth all things considered. There was a little tweaking with System-Preferences-Appearance (to crank up the video effects) which prompted it to download some NVidia drivers, but that went smooth. The box is a little slow as it’s only got 512MB of RAM but it’s sufficient to test out all the cool stuff like Beryl/Compbiz, Wine, Filezilla, Wireshark, etc…

So it’s been about a week so far and I’ve only found one issue and I’m sure it’s just me being dense. I can’t seem to create or delete items from the desktop. (Yes, I check perms and they all look good). I’m sure I’ll figure it out once I sit down and put my mind to it.

Next up is testing Orange JeOS. I’ve got to find a minimal CentOS/Red Hat install to use as a VMWare image for syslog collection and it looks pretty tight. It kind of reminds me of my old favs OpenNA and Trustix…

Two Sites Packed Full of Goodies

2009-03-12T21:20:00.001-04:00

Time after time I use two sites in my daily work for a multitude of tools. These to sites are SysInternals (now a Microsoft site) and NirSoft. SysInternals is well known by many Windoze folks for it's tools FileMon and RegMon which let you see exactly what files and registry keys a program is accessing. However there are many tools on this site that are useful for troubleshooting Windoze issues. NirSoft has a collection of password recovery tools, network monitoring tools, web browser tools, Video/Audio tools, IP tools, programmer's tools, system utilities, command line tools, desktop tools and much more. Trying to talk about each one of the tools could take days. Tell ya what...go investigate the sites for yourself and enjoy the free goodness.

Outlook NK2 Annoyances

2009-03-11T11:44:00.001-04:00

If you use Outlook (ok who doesn’t?) and you are troubled by it’s use of autocompletion of email addresses when sending messages this post is for you. When you send emails, Outlook remembers (well it tries to remember) all the email addresses so that they are available as autocomplete entries later. They don’t get added to your Contacts (or Outlook Address Book), but they are cached in and nk2 file on your hard drive….which is profile specific. This is a problem because profiles are problematic. Many things can cause a profile to become corrupt, unavailable and just outright die. Let’s face it, profiles suck. So to get around this it’d be nice to have a tool that could fix or recreate these nk2 files. Enter the Rebuild Outlook Autocomplete Cache tool. This free (but not Open Source) tool will allow you to recreate a NK2 file from reading the addresses on messages in your Sent items folder or any other folder in your Outook mailbox. When combined with the NK2.info tool you can even recreate your existing, corrupted cache. NK2.info dumps your existing cache (even if it’s corrupt) to a csv file which you can suck back into your Outlook Address Book. Then use the rebuild tool on that contact list to pre-populate the nk2 autocomplete file.

Oh yeah…one more tip. Have you ever wanted to reset all your Outlook contacts “File As” properties so they are all “lastname, firstname” or “firstname lastname”? Well it not easy, but here is link to a Microsoft doc telling you how to do it.

Good stuff….good luck.

Sniffing Shoretel Calls

2009-03-11T09:50:00.001-04:00

Awhile back, after I did my Wireshark presentation for ILTA, someone asked me about using Wireshark to capture ShoreTel VOIP calls. It turns out that capturing the call was easy, but as there is no codec for Wireshark translating the call session to a WAV file or other audio file was a little more tricky. Before you jump all over me about privacy and security concerns….the issue here is about call troubleshooting not eavesdropping. Sometimes you want to be able to capture a call so that you can understand exactly what a user is hearing. Voice Echo, call quality and extra garbled noises as all acceptable reasons to want to be able to capture and play back a call. So if you’re gonna do some funny business and listen in on someone’s calls…you are on your own. I don’t condone eavesdropping for any reason. On with the show…

So after spending a few hours looking at codecs for WireShark that would work with Shoretel I ran into a forum post about how someone accomplished the same objective with Cain.

Cain & Abel is a popular password cracking tool but it also contains a full blown sniffer. Using this tool I was successfully able to record a call from my ShoreTel IP230G phone. Here are the quick and dirty instructions if you are interested:

Install Cain
Run Cain
Hit Configure on the menu at the top
Select your nic from the list and hit Ok
Select the Sniffer tab
On the BOTTOM of the screen select the VOIP tab
Hit the "start/stop sniffer" button in the button bar
Make a call (you'll see it recording in the interface)
End the call
Wait for the interface to show that it’s captured the call in it’s entirety.
Double click the recorded call it hear it. It's also saved as a wav under c:\program files\cain\voip

I have all the codecs supported by Shoretel loaded, but for my test call I was using L16/16000. Also note that you need to use a network TAP or a switchport monitor capturing both directions if you want capture both sides of the call.

Enjoy the packet capture goodness.

TrueCrypt

2009-03-10T10:36:00.001-04:00

As much as I despise the topic of computer security (and computer security people in general for that matter), I truly love TrueCrypt. Some open source software seems unfinished, beta or kludgey. Rarely do you get a gem like TrueCrypt that seems as good as or better then commercial software.

TrueCrypt is an encryption software package that encrypts static data (i.e. data on hard drive, thumb drives, etc.). You can encrypt files, folders or even an entire hard drive. It supports numerous software encryption algorithms (AES, Blowfish, Serpent, etc..), hashing algorithms (Whirlpool, SHA-512, etc…), operating systems (OSX, Windoze, Linux, etc…) and authentication mechanisms (smart cards, tokens, certificates, etc..). I’m so impressed with it’s capabilities that I’ll be presenting a seminar on TrueCrypt at this year’s ILTA conference.

This year we have to decided to encrypt all our laptops with TrueCrypt. After looking at multiple programs, both open source and commercial, I feel that TrueCrypt best meets our needs. Making any decision requires trading offs. In our case, I first looked at hardware encryption vs. software encryption. Here are a few of the subtle differences:

Hardware:

Generally faster then software solutions and can usually be done at native speeds of the drive
Requires little effort on the part of the user
Can sometimes be tied in to other hardware security mechanisms like biometric fingerprint readers, usb keys and rfid keys (The BUSLink devices are really cool by the way. More on them later.)
Generally uses proprietary algorithms (so you’re not quite sure exactly what’s happening) and you generally don’t have a wide selection of algorithms to choose from.
Some enterprise tools are available for system deployment and management
Not available on workhorse models of Lenovo laptops

Software:

Numerous encryption/hashing algorithms to choose from
Little to no monetary investment
Slower to encrypt (and sometimes unencrypt) data
More granular control of what is and what isn’t encrypted
Possible plausible deniability to the existence of data (Hidden volumes and hidden operating systems)
Ability to encrypt external hard drives and flash drives
Generally requires additional software plug-ins to tie into hardware security mechanisms

I don’t really have the space to go into depth about why I liked TrueCrypt over other commercial and non-commercial packages, but suffice to it say the decision was based on simplicity for the user, cost to the organization, level of security provided by the software and ease of deployment. After I give the presentation I’ll see if I can drop a link to it here for all to see.

Tracking Stolen Computers

2009-03-02T15:19:00.001-05:00

Have you ever had a computer stolen? Wouldn’t you like to find out who the rat bastard was that took it? Well then you’d be interested in Adeona. Adeona installs on Linux, Mac OSX or Windows. It creates a daemon/service that “phones home” and stores the public IP address of the machine on a secure webserver. From any other machine, you can run the recovery tool, give it a date range and have it spit the ip addresses back to you so you know where and when the PC hit the Internet. The MAC version can even use the built in webcam to take snapshots of the rat bastard. Very interesting and very cool software…and of course…completely open source. Enjoy the techno-narking goodness!!!!

More movement to Open Source

2009-02-27T14:57:00.001-05:00

I’ve decided to take yet another leap, deep into the world of Open Source. This year I will be replacing all of our Cisco PIX and VPN infrastructure with pfSense and OpenVPN. I’ve been contemplating this for quite awhile, but have only recently decided to take the plunge. pfSense, if you haven’t heard of it, is an Open Source firewall based on FreeBSD.

After spending time reading about Untangle, Astaro, Smoothwall and m0n0wall I’ve decided that pfSense is probably the best based upon my needs. I’ll be running it from a repurposed server with VmWare ESXi. This will allow me some portability in case the box dies an untimely death as well as giving me the opportunity to put some other items on the same hardware for my dmz. I’m sure I’ll be blogging about this as I go so stay tuned as I squeeze more money out of my budget with great Open Source software.

Cheap and Dirty Security Camera

2009-02-26T09:17:00.001-05:00

When we recently opened of a satellite office and the question of site security came up. We decided as part of our security solution to install security cameras at each door. After careful consideration we chose the Axis M1031-W Network Camera. This camera was relatively cheap (~$260) and allows us great flexibility in how we handle security. We can stream directly to a centralized computer, we can take snapshots based on detected movement, we can take snapshots based upon PIR sensor movement (passive infrared..aka movement in the dark) or we can simply chose to stream based upon a set schedule. There are a multitude of options on this camera including a blinding light to illuminate the area if movement is detected and two way audio to scare the jeepers out of someone walking by. I choose to ftp snapshots to a Linux remote server. I wrote a simple shell script to keep only a certain number of days of photos. Here’s the script if you are interested:

#!/bin/bash
FTPDIR=”/home/camera”
DAYSOLD=90
find $FTPDIR –mtime +$DAYSOLD –exec rm {} \;
#eof

Easy peasy. Schedule that pup up by editing your crontab (crontab –e) to run every day ( 0 0 * * 0-6 /usr/bin/cleanftp) and you’re all set.

ShoreTel – Receptionist Phone Setup (Tricks and Tips)

2009-02-23T14:16:00.001-05:00

So how do you set up your receptionist’s phone with Shoretel? Our requirements were:

1. All calls to the main number should be directed to the receptionist phone during business hours.
2. The receptionist should have her own extension (outside) and voicemail.
3. When the receptionist steps away from her desk, she should be able to transfer the calls to a group of 3 secretaries. All the phones should ring simultaneously until the call is answered. If no one answers, the call should be placed in the general email box.

So how did we accomplish this? Well we started off by creating a regular user account for the receptionist. Then we created an Operators hunt group and and Operators-backup hunt group. The Operators hunt group it tied to the main outside line. The only member of the group is the receptionist. The second hunt group, the Operators-Backup group has all 3 secretaries as members and is set to simultaneously ring all phones (Distribution Pattern = Simultaneous). When the receptionist needs to leave her desk, she busy’s out the hunt group (*18<main-extension-number>) and all calls roll to the Operators-Backup group. This works because the “Call Stack Full” option in the Operators group points to the Operators-Backup group. When she gets back she just types in the same code and the Operator hunt group “unbusy’s” the line. Unbusy is a word, I swear. I just used it in a sentence.

So how did you do it? Hit me up in the comments.

Hard Disk Erasing Utility

2009-02-19T13:43:00.001-05:00

Got a stash of old drives or machines laying around for disposal? Don’t let them go out the door without stifling your secrets! Use Darik’s Boot and Nuke to wipe your files off the drive.

Let’s hope you do this sober because it’s a one way ticket to complete and utter destruction of the data on the drive. :) This Open Source Software tool allows you to create a boot floppy, CD or DVD image which can be used to boot the machine and wipe any and all partitions or drives on the machine. The software overwrites your data with random bits of data on a few different passes. Think of the disk as a chalkboard. When you wipe the chalk off a chalkboard using an eraser, sometimes a faint image can still be seen. If you wipe it multiple times the image gets less readable each time. Same deal with your data. Definitely a good tool for the old tool bag. Enjoy the tasty destructive goodness!

Snare - Log collection tool

2009-02-10T22:51:00.001-05:00

Too many logs to keep track of? Missing critical events because it's too much work to manually check the event logs on all your servers? Can't fix what you can't see?!?!? Try Snare. Snare "provides front end filtering, remote control, and remote distribution for Windows eventlog data." We use this tool on all our servers to forward event logs to a Linux box running syslog-ng. We also point all our infrastructure gear and linux servers (again with Snare) here. We view the logs via phpLogCon a web based front end. This combination works really well to centralize all of our logs. Snare is named after the pneumonic "System iNtrusion Analysis & Reporting Environment." There are versions of Snare for just about every operating system as well as a customized version called Epilog for IIS, ISA, Apache, Squid and Lotus Notes. If you haven't centralized your logging yet take a byte out of this tool!

WinSCP - The coolest ftp/sftp client out there

2009-02-04T22:13:00.001-05:00

Ok...there's like a gazillion ftp clients out there. WinSCP stands above all the rest. Why you ask? Well...because:

* It's Open Source
* It supports SFTP (which you should really be using if you are hosting files..but that's another discussion) and SCP
* It can be batched (so it can be scheduled) and it can be run from the command line
* It integrates with Putty's Pageant for SSH authentication
* It can run from removable media
* It has an integrated text editor
* It does the best job of directory synchronization I've seen in any ftp client (manual, semi-automatic and fully automatic)
* It has a Windows Explorer interface or optionally a Norton Commander interface (for you old farts that remember the DOS days)
* Supports Drag&Drop in Windows
* It supports files over 4GB for sftp and ftp
* Supports walking through directories on a Linux server allowing you to chmod files and directories recursively

Enjoy the Open Source Goodness!!!

AxCrypt - Open Source File Encryption

2009-01-23T21:05:00.001-05:00

I've been playing with Open Source encryption lately. Lots of cool stuff out there. In particular I really like both TrueCrypt and AxCrypt. As I'm still testing TrueCrypt I'll leave that to a later post after I have a little more hands on experience. However, AxCrypt is much easier to get a handle on and it's really useful. If you need to send a file to someone confidentially, this is a great tool.

You can take any type of a file and encrypt it with either a passphrase or a key file. Passphrases are basically long passwords so that's easy to understand. However key files are even cooler. Say you've got a copy of an mpg file, a large graphic file or heck even a large binary file. You can use those files as keys (think really long, complex passwords) for the encryption. The guy on the other end needs the same exact file to decrypt the message. This is a really powerful and AxCrypt can meet AES 128 bit file encryption standards. You even get compression during the process. One of my favorite features is that it can compress and encrypt the file inside of an exe package so the receiver doesn't need to have a copy of AxCrypt. Good stuff...check it out.

Go Live - ShoreTel Lessons Learned

2009-01-14T08:54:00.001-05:00

So our office in Denver is up and running. It was a pretty big project for us and I had 3 of my staff as well as myself on site for the first week to ease the transition. The ShoreTel system worked great. The users love the PC Software (especially the operator) and the voice quality is fine. The entire office is wired for 1GB POE. Most offices only have 1 live data connection which is shared between the phone and the PC. Here are a few lessons learned from the ShoreTel perspective:

The HP Switch worked great as a backbone switch for this office. I'll be looking to drop the rest of my Cisco switching gear in favor of HP.
We went with the new 230G phones (which are black and white) and they worked fine. I wanted gig at the phone so I'd have gig at the PC and that was a smart decision.
Don't concentrate on customizing buttons on the phone as much as customizing the Call Manager software that each user will use. They will get more mileage out of the software client.
We used a Bogen speaker system and amp for overhead paging. Still having a few issues with that (undoubtedly a wiring issue) but I think it will work well.
Music on hold turned out to be a little more expensive then I first thought. They said you could use any old iPod which is technically correct, but the low end ones (shuffle) can't charge and play at the same time. It ended up being cheaper to buy a IAPMp3 from http://ilaudio.com/digital-players.htm. It's about the same cost as an iPod would have been and it comes with 10 free styles of music so there's no copyright issues. It's simple to set up and highly recommended.
We had to deal with 10 digit dialing in Denver. All calls outside the area code (not outside the local calling area) had to be preceded by a 1. I bet there's a work around for this be we were unable to find one.
The IP 8000 conference phone works great. It's harder to set up in ShoreTel because it's a SIP phone, but it works just fine.
Make sure to explain the difference between parking and holding to your users. They are easily confused about these two features because they are so similar.
ShoreTel Director comes with a tool to troubleshoot trunks which lets you monitor all calls and digits dialed. This tool was immensely useful and is called the Trunk Test Tool. Oh how I wish we had this tool on our PBX!
Bite the bullet and get a spreadsheet of all phones, mac addresses and locations. You'll thank me later.
If you've got a small office, have the operator add all the extensions as contacts. That way they can drag and drop calls with very little effort.

All in all I'm very pleased with the ShoreTel solution. The fact that I don't need a dedicated "phone guy" to manage this system is a huge benefit as well. I can wait to get all my sites on ShoreTel.

LiveView - boot up a static disk image

2009-01-01T12:07:00.001-05:00

I just found this tool a few days ago and I haven't had time to fully test it, but it looks really cool. Basically, this tool (which is Open Source under GNU) will use VMWare to mount a dd-style disk image. I haven't really discussed dd on this blog, but it's kind of a Ghost like tool that takes a sector by sector image of a disk and stores it in a single (or set of) disk files. My favorite way to do this is by livecd like Helix or Knoppix-STD. Anywho, back to LiveView....

Here is the short and simple description right from their website:

"Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.

Live View is capable of booting

Full disk raw images
Bootable partition raw images
Physical Disks (attached via a USB or Firewire bridge)
Specialized and closed image formats (using 3rd party image mounting software)

Containing the following operating systems

Windows 2003, XP, 2000, NT, Me, 98
Linux (limited support)

Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk. "

Brought to you by :

I expect this tool to be great for security situations, but heck it's just as useful for daily admin tasks. For example, if your company had a policy to take and store a dd image of each departing persons hard drive you could theoretically boot that image at a later date without worry about compatible hardware and see the machine in the state it was the day they left the company. Even better, dd each person's machine before a rollout or rebuild. Then get back to their image if something isn't working after the changes.

Enjoy and have a Happy New Year!

Network Activity Tool

2008-12-30T22:26:00.001-05:00

I get calls from people all the time about "funny" stuff happening on their computers.

Many times it's due to adware, malware or viruses hiding out. Heck even stuff down in the systray phoning home (Acrobat, Java, etc.) can load a system temporarily causing things to slow and studder. So how can you tell what's happening? Well I use netstat. It's an old tool both on Windows and Linux that can reveal quite a bit about what's happening. So let's to this Q & A style....just like I get on the phone. :)

Q:How can I tell who my computers talking to?

A: netstat -a
This will list all listening ports and established connections.

Q: What program is using that port shown as listening?

A: netstat -b or netstat -bv (windows)
netstat -p (Linux...but you gotta be root)
This will show the windows executable holding the port open or with the -v switch the .dll's used as well. The linux switch -p shows the process, not necessarily the executable but hey....that's really what you want anyhow right?!??

That covers the basic topic I think. There are a slew of tools for stuff like this if you look around a little. I'll try and point some out and how they are used as questions arise.