a sysadmin'z hard dayz<br />
<p>How to find domain users who have never changed their passwords (2021-01-12)</p>
<p>Hey, I have not posted here for 2 years! But I'm still kickin hard, and alive. Just to save this blog from being forgotten, here is a new entry. And... see you in 2 years again. ;)</p>
<p>How to find users who have never ever freaking changed their passwords? (Those lazy bastards, in special cases when a forced password change cannot be enabled for them.) The query keeps only enabled accounts that have logged on at least once and whose PasswordLastSet timestamp still equals the account's WhenCreated timestamp:</p>
<pre>Get-ADUser -Filter * -Properties PasswordLastSet,WhenCreated,LastLogonDate |
    Where-Object { $_.Enabled -eq $true -and
                   $_.LastLogonDate -ne $null -and
                   ($_.PasswordLastSet.DateTime -eq $_.WhenCreated.DateTime) }</pre>
<p>Systemd services command cheatsheet (2019-04-01)</p>
List of all services and their status:<br />
<pre>service --status-all</pre>
Another way:<br />
<pre>systemctl list-units --type service --all</pre>
<br />
List just the enabled services:<br />
<pre>systemctl list-units --type service</pre>
or<br />
<pre>systemctl -l --type service --all</pre>
<br />
Stop/Start/Restart a service:<br />
<pre>systemctl stop|start|restart yourservicename</pre>
<br />
Enable/Disable the startup of a service at boot time:<br />
<pre>systemctl enable|disable yourservicename</pre>
<br />
Is it enabled?<br />
<pre>systemctl is-enabled yourservicename</pre>
<br />
Uninstall/wipe a service:<br />
<pre>rm /etc/systemd/system/yourservicename.service
systemctl daemon-reload
systemctl reset-failed</pre>
<br />
Find out the dependencies:<br />
<pre>systemctl list-dependencies --type service</pre>
<br />
Get the files related to the service:<br />
<pre>locate yourservicename.service</pre>
<br />
Disable the service and forbid anything else from starting it:<br />
<pre>systemctl mask yourservicename</pre>
<br />
List systemd unit files and their states (enabled/disabled/etc.):<br />
<pre>systemctl list-unit-files</pre>
<br />
To see / set the default target (the systemd equivalent of the runlevel):<br />
<pre>systemctl get-default
systemctl set-default yourtarget</pre>
e.g. <code>multi-user.target</code> or <code>graphical.target</code><br />
<br />
<pre>systemctl isolate</pre>
explained: (stolen from internet)<br />
The word "isolate" means run the requested unit, and make sure nothing else is running (with a few exceptions). Since runlevels have been replaced by targets (which are more or less just a set of services that you want to be running in a certain situation, like for <code>multi-user</code> or <code>graphical</code> usage), you can switch to a "runlevel" by starting the equivalent target and stopping anything that is not part of the new target - using <code>isolate</code>.<br />
<code>systemctl isolate multi-user.target</code> is the modern way to unload the graphic shell, which was done by <code>init 3</code> previously. You are in runlevel 5 or to be precise in graphical.target. You do runlevel 3 or systemctl isolate multi-user.target.<br />
<br />
Another way to change the target runlevel:<br />
<pre>systemctl set-default multi-user.target (then reboot)</pre>
<br />
<p>How to rm -rf / your Azure infrastructure (2018-11-23)</p>
Never do this... It enumerates every resource group in the current subscription and pipes each one into a forced, non-interactive delete.<br />
<pre>Get-AzureRmResourceGroup | Remove-AzureRmResourceGroup -Verbose -Force</pre>
<p>MySQL monitoring with Zabbix 3.4 (2018-07-24)</p>
If you install Zabbix Server 3.4 there is a nice template supplied with it called "Template DB MySQL", which can be used for monitoring the performance of a remote MySQL database. Unfortunately this will not work out of the box either... Your logs will get filled with "Error connecting to database: Access denied for user 'zabbix'@'localhost' to database" and...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgNclTQbWVp9QX13Ssi8XVpYqB8U03I2UOLY-nAAv_cXZOa2nOw6g5A-bzwOjLAbxRxMo86tIs4Lru7AhyphenhyphenSbSsy5DBo9ZOUZG6Q_bV28L8RDfn3NN4SmBhE-thodPDztOsbeDB0DZ3Og/s1600/Capture3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="175" data-original-width="893" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgNclTQbWVp9QX13Ssi8XVpYqB8U03I2UOLY-nAAv_cXZOa2nOw6g5A-bzwOjLAbxRxMo86tIs4Lru7AhyphenhyphenSbSsy5DBo9ZOUZG6Q_bV28L8RDfn3NN4SmBhE-thodPDztOsbeDB0DZ3Og/s400/Capture3.png" width="400" /></a> </div>
<br />
So you should first create a database on the _remote_ MySQL server for Zabbix's own use. This could be painful if security is a high concern for you, but actually it doesn't hold much risk.<br />
<pre>mysql -u root -p
use mysql;
CREATE DATABASE `zabbix_db`;
GRANT ALL PRIVILEGES ON zabbix_db.* TO 'zabbixagent'@'localhost' IDENTIFIED BY 'XXXXXXYYX';
FLUSH PRIVILEGES;</pre>
<br />
Then create the required config files:<br />
<pre>mkdir /var/lib/zabbix   # this path is defined in /etc/zabbix/zabbix_agentd.conf.d/userparameter_mysql.conf. You must have it.
cd /var/lib/zabbix
touch .my.cnf
chown zabbix:zabbix /var/lib/zabbix -R
chmod 600 .my.cnf</pre>
<br />
And here is the secret magic: its content should be:<br />
<pre>[mysql]
user=zabbixagent
password=XXXXXXXXXXYYX
[mysqladmin]
user=zabbixagent
password=XXXXXXXXXXYYX</pre>
<br />
Note: no special rights are needed for the zabbix user for "mysqladmin". In this way all errors should be gone and you have a nice and clean MySQL performance monitoring. Tadaam.<br />
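An added example, not from the post: a POSIX shell pair that writes the agent's .my.cnf from the steps above under a 077 umask, so the credentials file is created mode 600 from the first byte, plus a check that refuses a file with the wrong mode, a symlink, or missing sections. It assumes GNU stat (-c %a); the directory, user name and password are parameters and the secret in the test is constructed.

```shell
#!/bin/sh
# Added example (not the blog's code): create the Zabbix agent's .my.cnf
# safely and verify it before restarting the agent.
# Assumes GNU coreutils (stat -c %a). DIR/USER/PASSWORD are parameters.

# write_mycnf DIR USER PASSWORD -> writes DIR/.my.cnf with [mysql] and
# [mysqladmin] sections, the same layout the post shows.
write_mycnf() {
    dir=$1; user=$2; pass=$3
    (
        # umask 077 makes every file and directory created below owner-only,
        # so the password never sits in a group/world-readable file, not even briefly.
        umask 077
        mkdir -p "$dir" || exit 1
        tmp="$dir/.my.cnf.tmp.$$"
        cat > "$tmp" <<EOF
[mysql]
user=$user
password=$pass
[mysqladmin]
user=$user
password=$pass
EOF
        # rename into place so a half-written file is never the live one
        mv -f "$tmp" "$dir/.my.cnf"
    )
}

# check_mycnf DIR -> 0 when DIR/.my.cnf is a regular file, mode 600 and
# carries both sections; non-zero codes say what is wrong.
check_mycnf() {
    f="$1/.my.cnf"
    [ ! -L "$f" ] || return 4          # a symlink could point a credentialed read elsewhere
    [ -f "$f" ] || return 1
    [ "$(stat -c %a "$f")" = "600" ] || return 2
    grep -q '^\[mysql\]' "$f" || return 3
    grep -q '^\[mysqladmin\]' "$f" || return 3
    return 0
}
```

Run as root you would pass /var/lib/zabbix and then `chown -R zabbix:zabbix` it as in the post; the check can be re-run from cron to catch a later accidental chmod.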
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vGiPK3zOu0UPp3rZhCCp2ABLJVHKsWqU-kRT4koiTqUgKGqE1pTCM4PBhz2ah2jS3d8LulRcneg6lweuoQtB29f4GEmroexLH8r256AzeuxYMk_-XTYkaWOCrLJberIuFoFibWoxfQ/s1600/Capture2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="393" data-original-width="1600" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-vGiPK3zOu0UPp3rZhCCp2ABLJVHKsWqU-kRT4koiTqUgKGqE1pTCM4PBhz2ah2jS3d8LulRcneg6lweuoQtB29f4GEmroexLH8r256AzeuxYMk_-XTYkaWOCrLJberIuFoFibWoxfQ/s640/Capture2.PNG" width="640" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj17W4g4PKcwuR-if6tnTEt3xK8m4X-PGa6peP3GOUUlT3LPZsIpcIbe7jUAa9HvTe9A3-XPKDsk63DQqnzyk4iE4NaWX1rif3Z7BSziN3v2aLbwJwCpJF3OHuDMPjCh4KortyNYukgMg/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="385" data-original-width="666" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj17W4g4PKcwuR-if6tnTEt3xK8m4X-PGa6peP3GOUUlT3LPZsIpcIbe7jUAa9HvTe9A3-XPKDsk63DQqnzyk4iE4NaWX1rif3Z7BSziN3v2aLbwJwCpJF3OHuDMPjCh4KortyNYukgMg/s320/Capture.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<p>Zabbix agent upgrade from 2.x to 3.4 (2018-07-23)</p>
It's not as easy as it seems. After you execute the first steps...<br />
<pre>wget http://repo.zabbix.com/zabbix/3.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.4-1+xenial_all.deb
dpkg -i zabbix-release_3.4-1+xenial_all.deb
apt update
apt install zabbix-agent -y</pre>
You suddenly realize that something is definitely wrong because the agent dies.<br />
<br />
<pre>Jul 23 14:52:22 sss systemd[1]: Failed to start Zabbix Agent.
Jul 23 14:52:22 sss systemd[1]: zabbix-agent.service: Unit entered failed state.
Jul 23 14:52:22 sss systemd[1]: zabbix-agent.service: Failed with result 'exit-code'.
dpkg: error processing package zabbix-agent (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for systemd (229-4ubuntu21.2) ...
Processing triggers for ureadahead (0.100.0-19) ...
Errors were encountered while processing:
 zabbix-agent
E: Sub-process /usr/bin/dpkg returned an error code (1)</pre>
<br />
Some investigation shows that the <i>/etc/zabbix/zabbix_agentd.conf.d</i> directory does not exist; that is where the new agent looks for its configs, and foolishly the package does not create it. But you may have existing userparameter configs in the existing <i>/etc/zabbix/zabbix_agentd.d</i>, so the best way to continue the installation is:<br />
<pre>ln -s /etc/zabbix/zabbix_agentd.d /etc/zabbix/zabbix_agentd.conf.d
service zabbix-agent restart
service zabbix-agent status</pre>
<br />
<p>The OWASP Top 10 these days, in reality (2018-06-11)</p>
The other day I came across a great article. This is just a bookmark referencing it.<br />
<a href="https://www.hpe.com/us/en/insights/articles/the-owasp-top-10-is-killing-me-and-killing-you-1710.html">https://www.hpe.com/us/en/insights/articles/the-owasp-top-10-is-killing-me-and-killing-you-1710.html</a><br />
<p>Docker notes #2 (2018-05-11)</p>
docker ps -a = List docker containers including the stopped ones<br />
docker logs -f [ID] = Show the logs written in a container<br />
docker logs --tail 200 [ID] = Show only the last 200 log lines<br />
<br />
docker commit [ID] my_new_image = Convert a container to an image<br />
(returns value: sha256:hash)<br />
<br />
docker save -o /path/my_new_image.tar my_new_image = Save a docker image so that it is ready to be imported<br />
docker load -i /path/my_new_image.tar = Import (load) a foreign image<br />
docker run -it sha256:hash /bin/bash = Spin up the image and run a command in it<br />
(you are inside the container now)<br />
<br />
docker export [ID] > /path/ide.tar = Export a container into a .tar file<br />
docker diff [ID] = Show the files modified inside a container since its start<br />
docker cp [ID]:/var/log/apache2/access.log ./access.log = Copy a file from the container to the host<br />
<br />
docker-compose build = Build the correctly set up container (in its directory)<br />
docker-compose up -d = Run it<br />
docker rm [ID] = removes an instance of the container that was run<br />
docker rm `docker ps -a -q` = remove all stopped containers<br />
docker rmi image-name = removes the docker image and its dependencies<br />
<br />
docker inspect [ID] = See the details of a container<br />
docker run -p 8080:80 image-name = will redirect the container's port 80 to port 8080 on the host machine<br />
docker port [ID] = will list the port mapping information<br />
<br />
docker top [ID] = See the running processes inside of a container<br />
docker history [IMAGE-NAME] = See the commands the container was originally created by<br />
<p>Systemd over NTP (2018-03-26)</p>
Ever wondered how to set up an NTP client controlled by systemd? Here are some short steps.<br />
Symptom:<br />
<pre>Mar 26 19:24:43 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 118.189.177.157:123 (0.debian.pool.ntp.org).
Mar 26 19:24:54 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 103.47.76.177:123 (0.debian.pool.ntp.org).
Mar 26 19:25:04 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 128.199.123.83:123 (0.debian.pool.ntp.org).
Mar 26 19:25:14 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 139.59.219.101:123 (0.debian.pool.ntp.org).
Mar 26 19:25:24 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 202.156.0.34:123 (1.debian.pool.ntp.org).
Mar 26 19:25:35 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 128.199.87.57:123 (1.debian.pool.ntp.org).
Mar 26 19:25:45 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 128.199.169.185:123 (1.debian.pool.ntp.org).
Mar 26 19:25:55 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 103.23.208.175:123 (1.debian.pool.ntp.org).
Mar 26 19:26:05 lokalhost systemd-timesyncd[403]: Timed out waiting for reply from 172.104.55.191:123 (2.debian.pool.ntp.org).</pre>
<br />
Solution:<br />
1. <code>nano /etc/systemd/timesyncd.conf</code><br />
2. Set your NTP server, e.g.: <code>NTP=172.16.36.67</code><br />
3. <code>systemctl restart systemd-timesyncd.service</code><br />
4. <code>timedatectl set-ntp true</code><br />
5. Check with: <code>timedatectl status</code><br />
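As an added example (not from the post), a POSIX shell function that performs step 2 without hand-editing: it rewrites the NTP= entry in the [Time] section of a timesyncd.conf-style file, handling the stock commented <code>#NTP=</code> line, an existing value, a missing key and a missing section, so it is safe to run repeatedly from configuration management; a second function reads the active value back. It assumes only sh, awk and mv; the file path is whatever you pass in and the 172.16.36.67 address is the post's.

```shell
#!/bin/sh
# Added example (not the blog's code): idempotently set NTP= in the
# [Time] section of a timesyncd.conf. Only POSIX sh, awk and mv are used.

# set_timesyncd_ntp CONF "server [server...]" -> rewrites CONF in place
set_timesyncd_ntp() {
    conf=$1
    servers=$2
    tmp="$conf.tmp.$$"
    awk -v servers="$servers" '
        /^\[/ {
            # leaving [Time] without having emitted NTP=: add it before the next section
            if (in_time && !done) { print "NTP=" servers; done = 1 }
            in_time = ($0 == "[Time]")
        }
        in_time && /^#?NTP=/ {
            # the first NTP= line (commented or not) becomes ours; duplicates are dropped
            if (!done) { print "NTP=" servers; done = 1 }
            next
        }
        { print }
        END {
            # no NTP= seen at all: append it, creating [Time] if the file had none
            if (!done) {
                if (!in_time) print "[Time]"
                print "NTP=" servers
            }
        }' "$conf" > "$tmp" && mv -f "$tmp" "$conf"
}

# get_timesyncd_ntp CONF -> prints the active (uncommented) NTP= value, empty if none
get_timesyncd_ntp() {
    awk -F= '/^\[/ { in_time = ($0 == "[Time]") }
             in_time && $1 == "NTP" { print $2 }' "$1"
}
```

After `set_timesyncd_ntp /etc/systemd/timesyncd.conf 172.16.36.67` the post's steps 3 to 5 still apply.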
<p>Powershell applet form (2018-03-08)</p>
It's a little known fact that it is possible to build a complete application form with pure PowerShell (being based on .NET). Here is an awesome example, called login.ps1. This applet starts a window that cannot be closed with the regular control buttons (as they are disabled) and asks the user for two pieces of data. Then it validates the data, and if the data is found to be invalid, it flashes the input fields red and returns to the initial state. Yeah, this was the hardest part of the development. If the data is all OK, it flashes the input fields green and pushes the data to the event log. This is a very very very special use case and only useful for me, but it may help someone who is looking for a similar data input solution and gets here with Google.<br />
<pre>[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objForm = New-Object System.Windows.Forms.Form
$objForm.Text = "Long Change Answer File Information"
$objForm.Size = New-Object System.Drawing.Size(455,265)
$objForm.StartPosition = "CenterScreen"

# set this to $True to enable the "close" button
$objForm.ControlBox = $false
$objForm.KeyPreview = $True

# Add OK Button
$OKButton = New-Object System.Windows.Forms.Button
$OKButton.Location = New-Object System.Drawing.Size(180,185)
$OKButton.Size = New-Object System.Drawing.Size(75,23)
$OKButton.Text = "OK"
$OKButton.Add_Click({
    # some tricky regex to validate our very custom input data
    If ( $ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|OST#?[0-9]{6})\b" -And $LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b" ) # Valid -match "^\d{0,10}$"
    {
        $LoginTextBox.BackColor = "lime";
        $ChangeTextBox.BackColor = "lime";
        Start-Sleep -Milliseconds 600;

        $objForm.Close()
    }
    # we have two input fields and both are required to be validated
    ElseIf ( -Not ($LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b") -And ($ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|OST#?[0-9]{6})\b") ) # Invalid
    {
        #$ErrorProvider.SetError($LoginTextBox, "Please enter valid name");
        $LoginTextBox.BackColor = "pink";
        $ChangeTextBox.BackColor = "lime";
    }
    # strange logic but this is the simplest way in this case, here we get back to reset the form
    ElseIf ( -Not ($ChangeTextBox.Text -match "\b([Cc][0-9a-zA-Z]{9}|(OST|ost)#?[0-9]{6})\b") -And ($LoginTextBox.Text -match "\b[a-zA-Z]\w{2,19}\b") )
    {
        $ChangeTextBox.BackColor = "pink";
        $LoginTextBox.BackColor = "lime";
    }
    Else
    {
        # visual warning to the user
        $ChangeTextBox.BackColor = "pink";
        $LoginTextBox.BackColor = "pink";
    }
})
$objForm.Controls.Add($OKButton)

# Add Textbox Label
$FontBold = New-Object System.Drawing.Font("Arial",8,[Drawing.FontStyle]'Bold')

#UserID label
$objLabel = New-Object System.Windows.Forms.Label
$objLabel.Location = New-Object System.Drawing.Size(10,20)
$objLabel.Size = New-Object System.Drawing.Size(425,20)
$objLabel.Font = $FontBold
$objLabel.Text = "Please enter Your UserID"
$objForm.Controls.Add($objLabel)

$objLabel1 = New-Object System.Windows.Forms.Label
$objLabel1.Location = New-Object System.Drawing.Size(30,47)
$objLabel1.Size = New-Object System.Drawing.Size(65,50)
$objLabel1.Text = "UserName:"
$objForm.Controls.Add($objLabel1)

#UserID textbox
$LoginTextBox = New-Object System.Windows.Forms.TextBox
$LoginTextBox.Location = New-Object System.Drawing.Size(120,45)
$LoginTextBox.Size = New-Object System.Drawing.Size(260,20)
#$LoginTextBox.BackColor = "green"
$objForm.Controls.Add($LoginTextBox)

#CH label
$objLabel2 = New-Object System.Windows.Forms.Label
$objLabel2.Location = New-Object System.Drawing.Size(10,100)
$objLabel2.Size = New-Object System.Drawing.Size(425,20)
$objLabel2.Font = $FontBold
$objLabel2.Text = "Please enter change number"
$objForm.Controls.Add($objLabel2)

$objLabel3 = New-Object System.Windows.Forms.Label
$objLabel3.Location = New-Object System.Drawing.Size(30,120)
$objLabel3.Size = New-Object System.Drawing.Size(65,40)
$objLabel3.Text = "CH number:"
$objForm.Controls.Add($objLabel3)

#CH textbox
$ChangeTextBox = New-Object System.Windows.Forms.TextBox
$ChangeTextBox.Location = New-Object System.Drawing.Size(120,120)
$ChangeTextBox.Size = New-Object System.Drawing.Size(260,20)
$objForm.Controls.Add($ChangeTextBox)

# Add Validation Control
$ErrorProvider = New-Object System.Windows.Forms.ErrorProvider

$objForm.Topmost = $True
$objForm.Add_Shown({$objForm.Activate()})
[void] $objForm.ShowDialog()

$change = $ChangeTextBox.Text
$login = $LoginTextBox.Text

Write-EventLog -Source "Winlogon" -LogName "Application" -EventId 666 -Message "Impersonated user logged as $login for $change implementation"</pre>
<p>User import from foreign LDAP into own AD - PART2 (2018-01-02)</p>
The script continues with STEP3:<br />
<pre>$OutFile="C:\quser\ad-userimport-scripts\ujuserekerkeztek.txt"
$LogFile="C:\quser\ad-userimport-scripts\adderlog.txt"
$InFile="C:\quser\ad-userimport-scripts\opslistanevekkel.txt"
$WinUsers = "C:\quser\ad-userimport-scripts\winjumpusers.txt"
# we have some test users which must not be disabled
$ToIgnore = "user1","user2","user3","master1","master2"
$GrA = @() # needed!
$GrA = import-csv $InFile # external LDAP group members
$GrB = gc $WinUsers # external LDAP group members who have additional administrative permission to be imported here
$GrC = (Get-ADGroupMember -identity jumpusers).SamAccountName # members who are already in the local AD
$Gone = $GrC | where {$GrA.uid -notcontains $_ } # members who are already in the local AD but not in the foreign LDAP - seems like they were deleted there and already left the team
$ToDelete = $Gone | where {$ToIgnore -notcontains $_ } # generating the user list who are to be deleted locally; the test users are filtered out explicitly
# some checks to avoid stupid errors - too short list means we caught only some error message
$i=@(Get-Content $InFile).Length
if ( $i -lt 15 ) {
    "There is something wrong with the list, CHECK IT !" | Out-File $LogFile -Append
    exit 1
}
$i=@(Get-Content $WinUsers).Length
if ( $i -lt 10 ) {
    "There is something wrong with the list, CHECK IT !" | Out-File $LogFile -Append
    exit 1
}
# logging
Get-Date | Out-File $LogFile -Append
# handling users who are gone meanwhile from the external LDAP
if ( $ToDelete -ne $null ) {
    $ToDelete | ForEach-Object {
        #Delete-ADaccount -Member $_ -Confirm:$false # delete
        #Remove-ADGroupMember -Identity jumpusers -Member $_ -Confirm:$false # removes from the group
        Disable-ADAccount -identity $_ # disable the user
        "DISABLED: $_" | Out-File $LogFile -Append
    }
}
# Collecting the users into an external data file who are not added yet locally. This is the trickiest part of the script because here we just find the loginID of the user. The first and the last names come from the second list! So the loginID (SAMaccount name) needs to be found in the second list and the real name comes with it from there.
$result = $GrB | Where {$GrC -NotContains $_}
$GrA.uid | ForEach-Object {
    $uidja = $_
    $ndx = [array]::IndexOf($GrA.uid,$uidja)
    $result | Foreach-Object {
        if ($_ -match $uidja ) {
            Write-Host $GrA.FirstName[$ndx] $GrA.LastName[$ndx]
            $uidja+","+$GrA.FirstName[$ndx]+","+$GrA.LastName[$ndx] | Out-File $OutFile -Append
        }
    }
}</pre>
<br />
#STEP4<br />
# This is where the safe import is happening for the new users. The password is generated locally because that can't be exported from the external LDAP so won't be identical.<br />
[...]<br />
<br />
<p>User import from foreign LDAP into own AD - PART1 (2018-01-02)</p>
Here is a rather complex script system I wrote. This is just for myself to remember and record my brilliant thoughts. I doubt anyone else could use it. The goal is to get my users (including their login names and real names) from an external LDAP system and import them into my (Windows based) AD. I'm doing the first step using ldapsearch from the open-source OpenLDAP package.<br />
<br />
<pre># STEP1: the raw list
# the bind password is a placeholder; single quotes keep PowerShell from expanding $$ (the PID) inside it
C:\OpenLDAP\ClientTools\ldapsearch -D "cn=queryuser,dc=admin" -w '$$$$' -h 172.16.16.16 -b "dc=admin" -s sub "(&(objectclass=person)(|(gidnumber=100)(gidnumber=110)))" > C:\quser\ad-userimport-scripts\opslista.txt

# STEP2: an annoying thing here, because in the list we have both Base64 encoded and plain usernames, we need to decode only the encoded ones.
$source = Get-Content "C:\quser\ad-userimport-scripts\opslista.txt" | Select-String "cn:", "displayName"
$OutFile="c:\quser\ad-userimport-scripts\opslistanevekkel.txt"
if (Test-Path $OutFile) { Remove-Item $OutFile }
"uid,FirstName,LastName" > $OutFile
$Name_list = @()
$uid_list = @()

$source | ForEach-Object {
    $line = $_.Line
    if ($line -match "displayName:: ")      # a double colon marks a Base64 encoded LDIF value
    {
        $tem = ($line -replace "displayName:: ","")
        $tam = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tem))
        # $Base64_list += ($line -replace "displayName:: ","")
        $Name_list += $tam
    }
    elseif ($line -match "displayName: ")
    {
        $tum = ($line -replace "displayName: ","")
        $Name_list += $tum
    }
}

$source | ForEach-Object {
    $line = $_.Line
    if ($line -match "cn: ")
    {
        $uid_list += ($line -replace "cn: ","")
    }
}

for ($i=0; $i -le $uid_list.length-1; $i++)
{
    $Name_list[$i] = ($Name_list[$i] -replace " ","")
    $uid_list[$i]+","+$Name_list[$i] | Out-File -filepath $OutFile -Append
}</pre>
<br />
<p>The RPC server is unavailable (2017-10-19)</p>
<pre class="Posh">Error 0x000006BA enumerating sessionnames
Error [1722]: The RPC server is unavailable.</pre>
<br />
Ever faced this error when trying to query a Windows Server 2012 R2 machine remotely (here: enumerating sessions)? Adding a firewall exception for RPC looks easy. In fact it isn't, because RPC negotiates dynamic ports behind the endpoint mapper. See: <a href="https://technet.microsoft.com/en-us/library/cc947809(v=ws.10).aspx" target="_blank">Win7/2008</a> or <a href="https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc" target="_blank">Windows 10/Server 2016</a>.<br />
Luckily for you, for <u>Server 2012 R2</u> here is the clue!<br />
Just enable this predefined inbound rule:<br />
<span style="background-color: lime;">Remote Service Management (NP-In) </span><br />
It allows inbound TCP 445, i.e. RPC over named pipes via SMB. Restrict the rule's remote addresses to your management hosts instead of leaving it open to any address.<br />
<span style="background-color: white;">Tadaam. </span><br />
<span style="background-color: white;">I'm also bookmarking <a href="http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure" target="_blank">this link</a> here; it's a fun read.</span>Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-62750740843518532152017-10-04T02:37:00.003-07:002017-10-04T02:38:13.422-07:00A returning to this blogJust a small script, noted here so I remember it: a simple, slightly playful way to back up a Jira + Confluence + GitLab machine internally every day and avoid all the "unlikely to happen" risks.<br />
<br />
#!/bin/bash<br />
# daily backup of Confluence, Jira, the MySQL dumps, GitLab and /etc onto the /backup volume<br />
BACKUPLOG=/var/log/backuplog<br />
# mirror stdout and stderr into the log: everything echoed below lands there exactly once<br />
exec > >(tee -ia $BACKUPLOG)<br />
exec 2> >(tee -ia $BACKUPLOG >&2)<br />
# refuse to write onto the local disk when the backup volume is not mounted<br />
# (marker file lives on the mounted volume; mountpoint -q /backup is the cleaner test)<br />
if [ ! -f /backup/MOUNTED ]; then<br />
 echo FATAL_BACKUP_NOT_MOUNTED >&2 # no extra >> $BACKUPLOG here, tee already writes it<br />
 exit 1<br />
fi<br />
<br />
date<br />
echo BACKUP_STARTED<br />
<br />
# CONFLUENCE: copy today's scheduled XML backup (backup-YYYY_MM_DD.zip)<br />
MYPATH=/var/lib/confluence/backups<br />
FILE=backup-$(date +%Y_%m_%d)<br />
cp $MYPATH/$FILE.zip /backup/confluence || echo CONFLUENCE_BACKUP_MISSING >&2<br />
# purge old backups only if there are new ones! (a count below the limit means the producer stopped; -type f so find never removes the directory itself)<br />
[[ $(ls $MYPATH | wc -l) -gt 15 ]] && find $MYPATH -type f -mtime +15 -delete<br />
[[ $(ls /backup/confluence | wc -l) -gt 60 ]] && find /backup/confluence/ -type f -mtime +60 -delete<br />
<br />
# JIRA: mirror the scheduled XML exports, then tar the attachments<br />
MYPATH=/var/lib/jira/export/<br />
rsync -avh $MYPATH /backup/jira/ # no --delete: the target has its own retention below<br />
[ $? -ne 0 ] && echo RSYNC_ERROR_IN_BACKUP >&2 # temp, for further use<br />
# Jira exports twice daily, hence 41 files ~ 20 days; again purge only if there are new ones<br />
[[ $(ls $MYPATH | wc -l) -gt 41 ]] && find $MYPATH -type f -mtime +20 -delete<br />
[[ $(ls /backup/jira | wc -l) -gt 120 ]] && find /backup/jira -type f -mtime +60 -delete<br />
tar -czf /backup/jira/$FILE-data.tgz /var/lib/jira/data<br />
<br />
# MYSQL SIMPLE MIRROR BACKUP of the automysqlbackup dumps<br />
rsync -avh --delete /var/lib/automysqlbackup/ /backup/mysql/<br />
sleep 3<br />
<br />
# GITLAB: gitlab-rake writes into /var/opt/gitlab/backups, move the result to the backup volume<br />
# note: /etc/gitlab (gitlab.rb, gitlab-secrets.json) is NOT part of the rake backup; the /etc run below covers it<br />
/opt/gitlab/bin/gitlab-rake gitlab:backup:create<br />
sleep 3<br />
mv /var/opt/gitlab/backups/* /backup/gitlab/<br />
<br />
# etc: incremental history, keep 4 weeks<br />
rdiff-backup /etc /backup/etc<br />
rdiff-backup --remove-older-than 4W /backup/etc<br />
echo BACKUP_ENDED<br />
dateÉnhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-46903631604861924452016-10-19T01:50:00.001-07:002016-10-19T01:51:23.517-07:00SCCM in my test labOK, that's no big deal for anyone else, but for me it was a three-day battle with lots of dead-ended installs, undos and redos. So, at long last, this is the famous screen I wanted to see so much! All green! /me happy now, thanks <a href="http://prajwaldesai.com/" target="_blank">Prajwal Desai</a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Wee8SDZuUQyEpQX7VtrShqZOO6OEFEF9gLk6DYIpcDbj5AFXKpskZiYzPYNyChsOm7CXfuLiGIXv2YxIIl9fr2T-pAEtfBj_8OLYRdQHqlfmpcT3YgMmBiRNAV3yqxKf_PWkDk2EJw/s1600/sccm.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9Wee8SDZuUQyEpQX7VtrShqZOO6OEFEF9gLk6DYIpcDbj5AFXKpskZiYzPYNyChsOm7CXfuLiGIXv2YxIIl9fr2T-pAEtfBj_8OLYRdQHqlfmpcT3YgMmBiRNAV3yqxKf_PWkDk2EJw/s320/sccm.PNG" width="320" /></a></div>
<br />
<br />Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-68859675141880791512016-09-19T06:58:00.001-07:002016-09-19T07:02:20.399-07:00Connect your Jira instance to a HipChatLast year I got the chance to manage an Atlassian Jira and Confluence server. That was fun so far. But last week I was given a new task: fire up a HipChat instance and connect it with Jira. I wasted some days figuring out what to do with that exactly so to anyone getting here with Google: you are so lucky that I can tell you everything that you never find in any Atlassian docs. Here are the steps I have done.<br />
1:<a href="https://www.hipchat.com/info/server_post_download" target="_blank"> download your HipChat </a>VM instance and import it to a Vmware host. (Change RAM, NIC etc. settings according your needs.)<br />
2: Start, login with admin / hipchat into your console (to su, type: sudo /bin/dont-blame-hipchat)<br />
3: Set your fix IP networking with such a command: hipchat network -m static -i 192.168.100.20 -s 255.255.255.0 -g 192.168.100.254 -r 192.168.100.254<br />
4: Open your /etc/hosts for edit and enter: 192.168.100.20 hipchat hipchat.mynetwork.local <br />
5: In your nameserver set a new record for hipchat, e.g. hipchat.mynetwork.local (192.168.100.20)<br />
6/a: generate a self signed SSL certificate<br />
6/b: request a certificate from an external cert provider (see below *)<br />
7: Finish your HC install using your (trial) licence and this certificate. (Certificate and hostname can be changed later)<br />
8: Install HipChat connect Add-On in your Jira<br />
9: Here comes the tricky part that drove me nuts. One can't simply force Jira connect to Hipchat because of Java engine in Jira won't trust HipChat's cert by default. You will notice that if you check catalina.out logfile in Jira: cat /opt/atlassian/jira/logs/catalina.out :<br />
<blockquote class="tr_bq">
/rest/hipchat/integration/latest/installation/complete [c.a.p.hipchat.rest.HipChatLinkResource] javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</blockquote>
<br />
So you have two choices.<br />
First: add the HipChat server certificate to Jira's Java truststore manually. Export the server certificate as <a href="https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-commandline" target="_blank">detailed here</a>. Once you have it in a file, run this command (check your paths, of course):<br />
<blockquote class="tr_bq">
/opt/atlassian/jira/jre/bin/keytool -import -alias hipchat.mighty.org -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /certs/mypubhipchat.crt</blockquote>
It asks you for a password. What the heck, what kind of password, you might ask! That is the default password of the Java truststore and hopefully nobody changed it on your system, so enter <b>changeit</b>. One caveat: this cacerts file belongs to the bundled JRE, so a Jira upgrade replaces it and you have to import the certificate again (or point Jira at a separate truststore).<br />
<br />
Second method: install SSL for Jira add-on. It's easier.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiccddvxKL2autY1i2OSLC8LuFzBJjmKzcTa4E4rFHQhGXRxQWpQUmtRywCajK5p1sYbVOLmi4mbRQulYJbqndG38yyZRZmPBd3CgL4ola2HCzCjz5K08QdnQXbOTIFQVeaXcORdlxhGQ/s1600/jirassl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiccddvxKL2autY1i2OSLC8LuFzBJjmKzcTa4E4rFHQhGXRxQWpQUmtRywCajK5p1sYbVOLmi4mbRQulYJbqndG38yyZRZmPBd3CgL4ola2HCzCjz5K08QdnQXbOTIFQVeaXcORdlxhGQ/s200/jirassl.PNG" width="183" /></a></div>
<br />
See the attached screenshot: the add-on walks you through importing the server cert. It creates an updated but temporary Java keystore file, which you then have to copy over the production keystore and restart the whole Jira.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTSwErBwxLfgtJftMf-slJ8ufhbSEOiIEKf48jThNHrJQlwe1z3BnvFxICFL6hWqOTE8zA6UrvkyMHSD3ORSNmhTPbSTmeE8rz5tYoEip-ZtDY5JuXf4QepRpUC1E43xWGMQXMt2wf0w/s1600/addingssl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTSwErBwxLfgtJftMf-slJ8ufhbSEOiIEKf48jThNHrJQlwe1z3BnvFxICFL6hWqOTE8zA6UrvkyMHSD3ORSNmhTPbSTmeE8rz5tYoEip-ZtDY5JuXf4QepRpUC1E43xWGMQXMt2wf0w/s320/addingssl.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2f0kbW38zSqFwavtlEyzicQV-9xTdHBzYC0z0C-NhT68fGhJzfDJTyNJl81DNwLzIxDxFNMbuDKgsvCILtl4XpALPFo270ixWun4pETao8WP0b9fW-KU660Vak5OeFxDfolzp3as9yg/s1600/addinghc2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2f0kbW38zSqFwavtlEyzicQV-9xTdHBzYC0z0C-NhT68fGhJzfDJTyNJl81DNwLzIxDxFNMbuDKgsvCILtl4XpALPFo270ixWun4pETao8WP0b9fW-KU660Vak5OeFxDfolzp3as9yg/s200/addinghc2.PNG" width="98" /></a></div>
<br />
10. Success ! (almost..)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX23RpMfN3NRYLoHq9SSeDBAzkilQJTwBthYN6Rh-x3z0Oscn5jA4_E75vgjS8bkrzFpTSsBmpx6UERDbLMUqzV5TAIWhle5zIV00IpCU5sDffdvapbucSLkri-vNGYdM44MgRIlW-zg/s1600/addinghc.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgX23RpMfN3NRYLoHq9SSeDBAzkilQJTwBthYN6Rh-x3z0Oscn5jA4_E75vgjS8bkrzFpTSsBmpx6UERDbLMUqzV5TAIWhle5zIV00IpCU5sDffdvapbucSLkri-vNGYdM44MgRIlW-zg/s320/addinghc.PNG" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgskh6aomsjbo-8Rr-XfKBPiP9VmiO-Otrcpqv7wxo4zgU9IVrt91OrjE4R-wcy4JZ3zZ6PLzs9lqIrHLL8apZjpnH1ozh8qLF2lQPleSfKrIn00c50G1l01-FkpztQF1kV4dkFaeC5YQ/s1600/hcready.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgskh6aomsjbo-8Rr-XfKBPiP9VmiO-Otrcpqv7wxo4zgU9IVrt91OrjE4R-wcy4JZ3zZ6PLzs9lqIrHLL8apZjpnH1ozh8qLF2lQPleSfKrIn00c50G1l01-FkpztQF1kV4dkFaeC5YQ/s400/hcready.PNG" width="400" /></a></div>
<br />
<br />
* 6/b: in this case you need an external FQDN, so you have to own a domain name. For example, if you own the mighty.org domain, do the following:<br />
- create a CSR for hipchat.mighty.org on your favourite Linux box.<br />
- request a trusted certificate for hipchat.mighty.org from a trusted 3rd-party certificate provider.<br />
- in your INTERNAL(!) nameserver, create a new zone called hipchat.mighty.org and assign 192.168.100.20 to its @ record.<br />
<br />
<br />
<br />Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-38931779316543280772016-07-26T02:52:00.002-07:002016-07-26T03:08:36.410-07:00Howto setup Icinga2 and Icingaweb on CentOS<pre><span style="background-color: #ead1dc;">On your newly installed CentOS server:</span></pre>
<pre><span style="background-color: #ead1dc;"> </span></pre>
<pre><span style="background-color: #d9d2e9;"># this is my network setup for my own usage, won't fit yours :)</span></pre>
<pre>cat /etc/sysconfig/network-scripts/ifcfg-eth0
<span style="background-color: #eeeeee;">TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
NAME="eth0"
UUID="2ef9cace-1428-4dbf-aac7-7993463c359a"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=192.168.183.235
NETMASK=255.255.254.0
NETWORKING=yes
HOSTNAME=s1
GATEWAY=192.168.183.254
NM_CONTROLLED=no</span> </pre>
<pre>yum -y install deltarpm
yum -y install wget net-tools bind-utils gcc mc</pre>
<pre>setenforce 0 <span style="background-color: #ead1dc;"># :(</span>
mcedit /etc/selinux/config
>> change enabled to SELINUX=disabled or SELINUX=permissive
yum -y update && yum -y upgrade
yum install -y epel-release
rpm --import http://packages.icinga.org/icinga.key
wget http://packages.icinga.org/epel/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
yum makecache
yum install -y nagios-plugins-all icinga2 icinga2-ido-mysql icinga-idoutils-libdbi-mysql
yum install -y httpd php-cli php-pear php-xmlrpc php-xsl php-pdo php-soap php-gd php-ldap
mcedit /etc/php.ini
<span style="background-color: #ead1dc;">>> set date.timezone = Europe/YOURZONE</span>
systemctl enable httpd && systemctl start httpd
yum install -y mariadb-server
systemctl start mariadb
systemctl enable mariadb
netstat -nlp | grep 3306 #(check if it runs)
mysql -u root
> use mysql;
> update user set password=PASSWORD("root_password") where User='root';
> flush privileges;
> exit
systemctl restart mariadb
mysql -u root -p
>CREATE DATABASE icinga2;
>GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON icinga2.* TO 'icinga2'@'localhost' IDENTIFIED BY 'icinga2_password';
>flush privileges;
>exit
mysql -u root -p icinga2 < /usr/share/icinga2-ido-mysql/schema/mysql.sql
mcedit /etc/icinga2/features-available/ido-mysql.conf
>> change: user = "icinga2"
>> password = "icinga2_password"
>> host = "localhost"
>> database = "icinga2"
systemctl enable icinga2 && systemctl start icinga2
tail -f /var/log/icinga2/icinga2.log #(check if it runs)
icinga2 feature enable command
icinga2 feature list # (to check)
systemctl restart icinga2
yum -y install icingaweb2 icingacli
grep icingaweb2 /etc/group #check if it's icingaweb2:x:990:apache
touch /var/www/html/index.html
chown apache /var/www/html/index.html
icingacli setup config directory --group icingaweb2
icingacli setup token create <span style="background-color: #ead1dc;"># get the token to the clipboard</span>
icingacli setup token show # <span style="background-color: #ead1dc;">in case you missed it</span>
systemctl restart httpd
<span style="background-color: #ead1dc;"># open a browser and type the IP address or FQDN of your server. That will be icinga.infokom.local for my case.
#next, next, you should see everything green</span></pre>
<pre> <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-KwSNzS4_r0k7UFGd6bNu21CCdE9cbK6cKtyI_E9NgouI2rEmYjOqFaE9C0mCjI9vVotR4LS7v4bK2aHiBoV8HZ9HBmQO-zrp2aCDGieVdCQPMyQm2XQcB2F5MsgRzrn0mVXbLYsaxw/s1600/w4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-KwSNzS4_r0k7UFGd6bNu21CCdE9cbK6cKtyI_E9NgouI2rEmYjOqFaE9C0mCjI9vVotR4LS7v4bK2aHiBoV8HZ9HBmQO-zrp2aCDGieVdCQPMyQm2XQcB2F5MsgRzrn0mVXbLYsaxw/s320/w4.png" width="320" /></a></div>
</pre>
<pre>>authentication : database
>Database type: MySQL
>Host: localhost
>Database name: icingaweb2
>Username: myself
>Password: *********
>Character set: utf8
<span style="background-color: #ead1dc;">#rest of the web based setup detailed<a href="http://linoxide.com/monitoring-2/setup-icinga-web-2-centos7-ubuntu-15/" target="_blank"> here with screenshot</a>s: </span></pre>
<pre><span style="background-color: #ead1dc;">#
#Now it's time to add your first node to your server.
#On the server, run:</span> </pre>
<pre> </pre>
<pre>icinga2 node wizard
<span style="background-color: #eeeeee;">Welcome to the Icinga 2 Setup Wizard!
We'll guide you through all required configuration details.
Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]: <span style="color: lime;">n</span>
Starting the Master setup routine...
Please specifiy the common name (CN) [icinga.infokom.local]: <span style="color: lime;">Press Enter</span>
Checking for existing certificates for common name 'icinga.infokom.local'...
Certificates not yet generated. Running 'api setup' now.
information/cli: Generating new CA.
information/base: Writing private key to '/var/lib/icinga2/ca/ca.key'.
information/base: Writing X509 certificate to '/var/lib/icinga2/ca/ca.crt'.
information/cli: Generating new CSR in '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">icinga.infokom.local</span>.csr'.
information/base: Writing private key to '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">icinga.infokom.local</span>.key'.
information/base: Writing certificate signing request to '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">icinga.infokom.local</span>.csr'.
information/cli: Signing CSR with CA and writing certificate to '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">icinga.infokom.local</span>.crt'.
information/cli: Copying CA certificate to '/etc/icinga2/pki/ca.crt'.
Generating master configuration for Icinga 2.
information/cli: Adding new ApiUser 'root' in '/etc/icinga2/conf.d/api-users.conf'.
information/cli: Enabling the 'api' feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
Please specify the API bind host/port (optional):<span style="color: lime;">Press Enter</span>
Bind Host []: <span style="color: lime;">Press Enter</span>
Bind Port []: <span style="color: lime;">Press Enter</span>
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done.</span></pre>
<pre> </pre>
<pre><span style="background-color: #ead1dc;"># check the output if it's OK </span> </pre>
<pre>egrep 'NodeName|TicketSalt' /etc/icinga2/constants.conf </pre>
<pre>mcedit /etc/icinga2/zones.conf </pre>
<pre><span style="background-color: #ead1dc;"># change the string NodeName to your FQDN, in my case:</span></pre>
<pre>cat /etc/icinga2/zones.conf
<span style="background-color: #eeeeee;"><span style="background-color: #cccccc;">object Endpoint "icinga.infokom.local" {
}
object Zone ZoneName {
endpoints = [ "icinga.infokom.local" ]
}</span></span> </pre>
<pre>systemctl restart icinga2.service</pre>
<pre><span style="background-color: #ead1dc;"># to add my first client server, s2, I need a ticket (treat it as a secret: it is derived from TicketSalt and lets any host enrol as s2)</span> </pre>
<pre>icinga2 pki ticket --cn 's2.infokom.local'</pre>
<pre><span style="background-color: #ead1dc;"># On the client server:</span></pre>
<pre>yum install -y epel-release
rpm --import http://packages.icinga.org/icinga.key
wget http://packages.icinga.org/epel/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
yum makecache</pre>
<pre>yum install icinga2 mc</pre>
<pre>setenforce 0 <span style="background-color: #ead1dc;"># :(</span> </pre>
<pre>mcedit /etc/selinux/config
>> change SELINUX=enforcing to SELINUX=permissive (or disabled, see the note on the server side)</pre>
<pre>icinga2 node wizard
<span style="background-color: #eeeeee;">Welcome to the Icinga 2 Setup Wizard!
We'll guide you through all required configuration details.
Please specify if this is a satellite setup ('n' installs a master setup) [Y/n]:<span style="color: lime;">Enter</span>
Starting the Node setup routine...
Please specifiy the common name (CN) [s2.infokom.local]: <span style="color: lime;">Enter</span>
Please specifiy the local zone name [</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">s2.infokom.local</span>]: <span style="color: lime;">Enter</span>
Please specify the master endpoint(s) this node should connect to:<span style="color: lime;">Enter</span>
Master Common Name (CN from your master setup): <span style="color: lime;">icinga.infokom.local</span>
Do you want to establish a connection to the master from this node? [Y/n]: <span style="color: lime;">y</span>
Please fill out the master connection information:<span style="color: lime;">Enter</span>
Master endpoint host (Your master's IP address or FQDN): <span style="color: lime;">192.168.183.235</span>
Master endpoint port [5665]: <span style="color: lime;">Enter</span>
Add more master endpoints? [y/N]: <span style="color: lime;">Enter</span>
Please specify the master connection for CSR auto-signing (defaults to master endpoint host):<span style="color: lime;">Enter</span>
Host [192.168.183.235]: <span style="color: lime;">Enter</span>
Port [5665]: <span style="color: lime;">Enter</span>
information/base: Writing private key to '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">s2.infokom.local</span>.key'.
information/base: Writing X509 certificate to '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">s2.infokom.local</span>.crt'.
information/cli: Generating self-signed certifiate:
information/cli: Fetching public certificate from master (192.168.183.235, 5665):
information/cli: Writing trusted certificate to file '/etc/icinga2/pki/trusted-master.crt'.
information/cli: Stored trusted master certificate in '/etc/icinga2/pki/trusted-master.crt'.
Please specify the request ticket generated on your Icinga 2 master.
(Hint: # icinga2 pki ticket --cn 's2.infokom.local'): <span style="color: lime;">faaec3b98221622841cc437ee74b09a1f44b1ab</span>
information/cli: Processing self-signed certificate request. Ticket 'faaec3b98221622841cc437ee74b09a1f44b1ab'.
information/cli: Created backup file '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">s2.infokom.local</span>.crt.orig'.
information/cli: Writing signed certificate to file '/etc/icinga2/pki/</span><span style="background-color: #eeeeee;"><span style="background-color: #eeeeee;">s2.infokom.local</span>.crt'.
information/cli: Writing CA certificate to file '/etc/icinga2/pki/ca.crt'.
Please specify the API bind host/port (optional):<span style="color: lime;">Enter</span>
Bind Host []: <span style="color: lime;">Enter</span>
Bind Port []: <span style="color: lime;">Enter</span>
Accept config from master? [y/N]: <span style="color: lime;">y</span>
Accept commands from master? [y/N]: <span style="color: lime;">y</span>
information/cli: Disabling the Notification feature.
Disabling feature notification. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Enabling the Apilistener feature.
Enabling feature api. Make sure to restart Icinga 2 for these changes to take effect.
information/cli: Created backup file '/etc/icinga2/features-available/api.conf.orig'.
information/cli: Generating local zones.conf.
information/cli: Dumping config items to file '/etc/icinga2/zones.conf'.
information/cli: Created backup file '/etc/icinga2/zones.conf.orig'.
information/cli: Updating constants.conf.
information/cli: Created backup file '/etc/icinga2/constants.conf.orig'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
information/cli: Updating constants file '/etc/icinga2/constants.conf'.
Done. </span></pre>
<pre><span style="background-color: #ead1dc;"># to check</span></pre>
<pre>grep 's2' /etc/icinga2/constants.conf</pre>
<pre>mcedit /etc/icinga2/zones.conf </pre>
<pre># change NodeName to your local machine name, in my case it's FQDN</pre>
<pre>mcedit /etc/icinga2/zones.conf
<span style="background-color: #eeeeee;">object Endpoint "icinga.infokom.local" {
host = "192.168.183.235"
port = "5665"
}
object Zone "master" {
endpoints = [ "icinga.infokom.local" ]
}
object Endpoint "s2.infokom.local" {
}
object Zone ZoneName {
endpoints = [ "s2.infokom.local" ]
parent = "master"
}</span>
systemctl restart icinga2 && systemctl enable icinga2</pre>
<pre><span style="background-color: #ead1dc;"># wait a bit and back to the icinga server:</span></pre>
<pre>icinga2 node list </pre>
<pre><span style="background-color: #ead1dc;"># you SHOULD see your client server NOW</span></pre>
<pre><span style="background-color: #eeeeee;">Node 's2.infokom.local' (last seen: Wed Jul 27 09:36:11 2016)
* Host 's2.infokom.local'
* Service 'apt'</span></pre>
<pre>[...]</pre>
<pre>
icinga2 node update-config</pre>
<pre>systemctl reload icinga2.service </pre>
<pre><span style="background-color: #ead1dc;">Open your web GUI and see your new server, it's in PENDING state now. Wait a bit or click on CHECK NOW button in the
CHECK EXECUTION section.</span></pre>
<pre> <div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzdb5flJ_HFZGlBHOjIef52Er5cKUCgFggdcSCfiIReIMkH_0AWoNs3CLUpzD8CtbPxfHSFFPPblnprx9rSfmMGbrSiPGUZ55BXKwnc-sdE_iYE2-oNfZSSs0TWkXsbfskTWi_dcNVQ/s1600/icinga.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzdb5flJ_HFZGlBHOjIef52Er5cKUCgFggdcSCfiIReIMkH_0AWoNs3CLUpzD8CtbPxfHSFFPPblnprx9rSfmMGbrSiPGUZ55BXKwnc-sdE_iYE2-oNfZSSs0TWkXsbfskTWi_dcNVQ/s200/icinga.PNG" width="173" /></a></div>
</pre>
Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-20140548216597206852016-06-27T05:08:00.001-07:002016-06-28T03:40:08.135-07:00File access auditing on a Windows fileserver: Data Leakage PreventionHere is a clever script concept that helps company managers notice when someone reads an unusual number of files. That's typical behaviour for an employee who intends to quit and tries to take all the company's files with them. Auditing software that does this sells for several hundred or thousand bucks!<br />
Luckily for you, I've written one in bash. OK, that's not good news for Windows-only shops, but it can easily be ported to any scripting language, e.g. PHP, so that it runs directly on the Windows file server or DC once the proper runtime is installed (PHP, Ruby, Python, etc.).<br />
Exploring that thought further, I'm going to translate it for myself later. ;) For now it's enough to get it working in bash.<br />
<br />
The original idea: we assume that every user opens roughly the same number of files from one day to the next. The script keeps a running per-user average and alerts whenever a user's daily count exceeds it by more than a configurable threshold percentage.<br />
In the following example you'll see a solution for lab use: I transfer the logfile from the Windows server to a Linux server so the bash script can run on it. You can find detailed comments inside the script.<br />
<br />
Step-by-step installation:<br />
1: <a href="http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/" target="_blank"><b>Enable</b> audit log policy on your Windows Server, assign it to the target folders and test it</a><br />
(Note: the blog above shows an advanced example. In my case I only look for <a href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663" target="_blank">event ID 4663</a>, because it contains exactly the information I need.) Set the audit rules according to your needs. <u>The fewer audit rules, the better</u>: every rule adds log volume. We need to trace file <b>reads</b>, so the first rule is a must.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikL2peeBINhe4ehZm6sxFlB423T4M1-CYWbRKLJkF_0NiHSswUy_JkKhEmxPq-OnGKRQLnXiooCa91HK8DXuxBOD4D9CqEr0DQAyXlbKvFNvh5m_IagSgmt-Ux8tfWV8K0ptFxhwh3kg/s1600/audit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikL2peeBINhe4ehZm6sxFlB423T4M1-CYWbRKLJkF_0NiHSswUy_JkKhEmxPq-OnGKRQLnXiooCa91HK8DXuxBOD4D9CqEr0DQAyXlbKvFNvh5m_IagSgmt-Ux8tfWV8K0ptFxhwh3kg/s320/audit.png" width="320" /></a></div>
<br />
2: You need to <b>export</b> the specific events from the Security log to a plain text file. So <b>create</b> a <i>getsec.ps1</i> file in c:\scripts\ with the following content:<br />
<i>Get-EventLog Security -After (Get-Date).AddDays(-1) -InstanceId 4663 | Select-Object Message | Format-Table -AutoSize -Wrap > c:\auditing\report.txt</i><br />
3: Also, don't forget to <b>create</b> the <i>c:\auditing</i> folder and then <b>put</b> an empty file named <i>mounted</i> into it (the Linux side uses it to check that the share is really mounted).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtJ7unA2wxwnoDmZ2KprhssFIfKCBxA4xwp9GNfxTBfkErO5-aUYLu3jgp0XLmOLwaFCH9gbZDHinr5iZAze4oAXlZYort8mZw6eQHMd8HQoBUxH5-l97KZ0RTheCIAXKnEDURLH50yg/s1600/audit2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtJ7unA2wxwnoDmZ2KprhssFIfKCBxA4xwp9GNfxTBfkErO5-aUYLu3jgp0XLmOLwaFCH9gbZDHinr5iZAze4oAXlZYort8mZw6eQHMd8HQoBUxH5-l97KZ0RTheCIAXKnEDURLH50yg/s200/audit2.PNG" width="200" /></a></div>
4: <a href="https://community.spiceworks.com/how_to/17736-run-powershell-scripts-from-task-scheduler" target="_blank"><b>Schedule</b> the script</a> to run at the end of working hours or at midnight. The program is (e.g.) <i>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</i> and the arguments (e.g.): <i>-executionpolicy bypass -file c:\scripts\getsec.ps1</i>. Note that a redirection like <i>2>&1 > C:\scripts\log.txt</i> in the arguments field is handed to the script as parameters, not interpreted, because Task Scheduler does not run the command through a shell; if you want a log, run the task via <i>cmd.exe /c "... > C:\scripts\log.txt 2>&1"</i> or call Start-Transcript inside the script.<br />
5: <b>Share </b>c:\auditing folder with a dedicated user that is intended to be used only by the Linux server, e.g.: linuxsrv<br />
6: On your linux box, <b>install </b>the following packages: <i>cifs-utils dos2unix mutt iconv</i><br />
7: <b>Test </b>your connection:<br />
[ -f /mnt/mounted ] || mount.cifs //192.168.xx.xx/auditing/ /mnt/ -o username=linuxsrv,password=Sup3rS3cur3P4$$,domain=contoso<br />
Better: put username, password and domain into a root-only file and mount with <i>-o credentials=/root/.smbcred</i>, so the password ends up neither in the shell history nor in <i>ps</i> output. (Also note that an unquoted <i>$$</i> is expanded by the shell to its own PID, so the line above as written would send the wrong password.)<br />
8: Create the base directories in, e.g.<br />
<i>mkdir /root/auditor && cd /root/auditor</i><br />
<i>mkdir archive average stat users; echo "0" > counter</i><br />
<br />
Having succeeded, congratulations, now you are ready to track your file access activity and watch out for <b>possible </b>data stealing FOR FREE!<br />
<br />
<br />
<b><a href="https://www.dropbox.com/s/ksvkorhmy7w3vrn/auditor.sh?dl=0" target="_blank">Here is the mighty script. See comments inline!</a></b><br />
<br />Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com1tag:blogger.com,1999:blog-5254478946580483694.post-41368275835097903572016-06-21T03:19:00.004-07:002016-06-21T03:33:11.671-07:00More PowershellThe original idea was to ease the process of creating a new distribution group with one human member and an archive public folder regularly. These mail enabled security groups and public folders always get their names based on a company standard: <i>Contoso GROUPNAME</i> and <i>Contoso_Groupname_Archive</i>. The most exciting part of it is the waiting loop: we've got to make sure the the new group is created and replicated over the DCs in the domain before going on. Have to be run in an Exchange Shell.<br />
Two minor notes: <span style="font-size: x-small;"><i><span style="font-size: small;">pfviewer</span></i> </span>is a special company group in which all the viewer right assigned users are. Jane.manager1 and john.manager2 are the company head managers.<br />
<blockquote class="tr_bq">
<br />
<span style="font-size: x-small;">Import-Module ActiveDirectory<br />$ShName = Read-Host "Please specify the new group name, e.g.: TechGroup1"<br />$Name = "Contoso " + $ShName<br /># create the security group unless it already exists<br />if (!(dsquery group -samid $Name)) { New-ADGroup -Name $Name -GroupScope 2 -Path "OU=ContMailLists,DC=co,DC=local" } else { Write-Host "WARNING: AD group already exists. Press CTRL+C to exit or take the consequences." }<br />$DotName = "contoso." + $ShName<br />$EmailADD = $DotName + "@contoso.com"<br />$PFName = "Contoso_" + $ShName + "_Archiv"<br />$Ember = Read-Host "Specify the login name of the user going to be a member of this group, e.g.: john.smith"<br />$FullPFName = "\" + $PFName<br />$PFEmail = "contoso" + $ShName + "Archiv@contoso.com"<br /># Get-DistributionGroup has no -Name parameter; -Identity is the one that actually finds the group<br />$IfGroupExists = Get-DistributionGroup -Identity $Name -ErrorAction SilentlyContinue<br />if ($IfGroupExists)<br /> {<br /> $IFSTOP = Read-Host "This distribution group already exists! Press CTRL+C to exit"<br /> }<br /># wait until the new group is visible in AD (replication) before mail-enabling it<br />$Idx = 0<br />Write-Host -NoNewline "Please wait a bit. Shouldn't take long"<br />Do<br /> {<br /> If ($Idx -gt 0) { Start-Sleep -s 2 }<br /> $r = Get-ADGroup -Filter { SamAccountName -eq $Name }<br /> Write-Host -NoNewline "."<br /> $Idx = $Idx + 1<br /> }<br />Until ($r)<br /><br />Enable-DistributionGroup -Identity "CN=$Name,OU=ContMailLists,DC=co,DC=local" -Alias $DotName<br />Set-DistributionGroup -Identity $Name -ManagedBy co.local\Admin -BypassSecurityGroupManagerCheck<br /># RequireSenderAuthenticationEnabled 0 lets anyone on the Internet mail the list (spam/abuse surface): keep it only if external senders really must reach the group<br />Set-DistributionGroup -Identity $Name -RequireSenderAuthenticationEnabled 0 -PrimarySmtpAddress $EmailADD -WindowsEmailAddress $EmailADD -EmailAddressPolicyEnabled 0 -Alias $DotName -GrantSendOnBehalfTo jane.manager1, john.manager2, $Ember<br /># the archive public folder: mail-enabled but hidden from the address lists<br />New-PublicFolder -Name $PFName -Path \<br />Enable-MailPublicFolder -Identity $FullPFName -HiddenFromAddressListsEnabled 1<br />Set-MailPublicFolder -Identity $FullPFName -EmailAddressPolicyEnabled 0<br />Set-MailPublicFolder -Identity $FullPFName -EmailAddresses $PFEmail<br /># only pfviewer may read the archive; strip the Default permissions<br />Add-PublicFolderClientPermission -Identity $FullPFName -AccessRights ReadItems,CreateItems,FolderVisible -User pfviewer<br />Remove-PublicFolderClientPermission -Identity $FullPFName -AccessRights ReadItems,EditOwnedItems,DeleteOwnedItems,FolderVisible -User Default -Confirm:$false<br /># the archive folder receives every message sent to the list<br />Add-DistributionGroupMember -Identity $Name -Member $PFName<br />Add-DistributionGroupMember -Identity $Name -Member $Ember</span></blockquote>
Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-16242292130048303242016-05-31T07:01:00.000-07:002016-06-01T06:31:05.025-07:00
Docker minihowto
<span style="font-size: x-small;">To start a new container (if the image does not exist locally, a stock one is downloaded from Docker Hub):<br /><b>docker run -i -t centos:latest /bin/bash</b><br />(-i: keep STDIN open, interactive mode) (-t: allocate a pseudo-terminal) (centos:latest: the image to run) (the last argument is the command to start, here a shell)<br />List running containers: <b>docker ps</b><br />List all containers, including stopped ones: <b>docker ps -a</b><br />List local images: <b>docker images</b><br />Detach from a container and leave it running in the background: CTRL-P+CTRL-Q. Alternatively, attach a second shell with exec: <b>docker exec -ti [CONTAINER-ID] bash</b><br />This starts a new bash process inside the container; you can exit it directly and it won't affect the container's main process.<br /><br />On the host, the Docker data (aufs layers, configs, etc.) lives under /var/lib/docker<br />See details about an image or container: <b>docker inspect IMAGENAME</b> (e.g. centos:latest) or the container's random name, piped to <b>| less</b><br />To build a new image: <b>docker build -t MYIMAGENAME .</b> (<b>.</b> = the directory containing my Dockerfile)</span><br />
<span style="font-size: x-small;">An example Dockerfile looks like this:</span><br />
<br />
<pre class=" language-bash" data-title="bash"><code class=" language-bash">FROM ubuntu:latest
RUN <span class="token function">apt-get</span> update
RUN <span class="token function">apt-get</span> <span class="token function">install</span> -y <span class="token function">wget</span>
RUN <span class="token function">apt-get</span> <span class="token function">install</span> -y build-essential tcl8.5
RUN <span class="token function">wget</span> http://download.redis.io/releases/redis-stable.tar.gz
RUN <span class="token function">tar</span> xzf redis-stable.tar.gz
RUN <span class="token function">cd</span> redis-stable <span class="token operator">&&</span> <span class="token function">make</span> <span class="token operator">&&</span> <span class="token function">make</span> <span class="token function">install</span>
RUN ./redis-stable/utils/install_server.sh
EXPOSE 6379
ENTRYPOINT <span class="token punctuation">[</span><span class="token string">"redis-server"</span><span class="token punctuation">]</span></code></pre>
<span style="font-size: x-small;">To see the standard output of a container: <b>docker logs CONTAINERNAME</b><br /><b>docker run -d -p 3000:3000 --name my-service centos:latest</b> (-d: starts in the background) (-p: maps the host's port 3000, on all interfaces, to the container's port 3000; <b>-p 127.0.0.1:3000:3000</b> publishes it on the loopback interface only). Options must come before the image name; anything after the image is passed to the container's command.<br />To get a bash shell inside a running container: <b>docker exec -i -t my-service /bin/bash</b><br />Tag (set an alias name for) an image: <b>docker tag IMAGE_ID REPONAME:TAG</b> (IMAGE_ID as seen in the output of docker images; e.g. mydockeruser/myrepo:2)<br />Now see what you have tagged: <b>docker images</b><br />Log in to Docker Hub with your Docker Hub account: <b>docker login</b><br />Push your newly built image to your public repository: <b>docker push REPONAME:TAG</b><br />Remove an image from the local repository: <b>docker rmi IMAGE_ID</b> (force with -f)<br />For example, to start a new MariaDB instance:<br /><b>docker run --name mariadb-1 -p 3306:3306 -e MYSQL_ROOT_PASSWORD=mypass -v /home/ubuntu/db/db1:/var/lib/mysql -d mariadb</b><br />(with -v you mount a folder of the host into the container) (with -e you pass an environment variable to the container; keep in mind that such values show up in docker inspect for anyone who can run it)<br />Passing a variable, for example: <b>docker run -i -t -e "WHOISTHEKING=me" ubuntu:14.04 /bin/bash</b>, then inside the container: <b>echo $WHOISTHEKING</b></span><br />
<span style="font-size: x-small;">Insert a file into the container directly from outside:</span><br />
<span style="font-size: x-small;"><b>docker insert CONTAINERNAME </b>http://ftp.drupal.org/files/projects/drupal-7.22.tar.gz /root/drupal.tar.gz</span><br />
<span style="font-size: x-small;">To commit your changes to a new image: <b>docker commit -m "commit message" -a "Your Name" CONTAINER_ID username/my-redis:latest</b> (CONTAINER_ID as seen in docker ps; the last argument is the name and tag of the new image)</span>
<span style="font-size: x-small;"><b>TO BE CONTINUED</b></span>Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com0tag:blogger.com,1999:blog-5254478946580483694.post-16623147966014015362016-05-19T06:19:00.001-07:002016-05-20T07:08:00.460-07:00GlusterFS in a simple wayHere is the story how I managed to install a 2 node glusterfs on CentOS and one client for test purposes.<br />
In my case the hostnames and the IPs were: <br />
<br />
192.168.183.235 s1<br />
192.168.183.236 s2<br />
192.168.183.237 c1<br />
<br />
Append these lines to the end of /etc/hosts on each machine, so that simple name resolution works (as you will see below, forgetting this on one node is exactly what bit me).<br />
Execute the following on both servers.<br />
<br />
<span style="background-color: #d0e0e3;"><span style="font-size: x-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;">rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm</span></span></span></span><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;"> </span></span></span></span></span></span></span></span></span></span><br />
<span style="background-color: #d0e0e3;"><span style="font-size: x-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;">wget -P /etc/yum.repos.d http://download.gluster.org/pub/gluster/glusterfs/3.7/3.7.5/CentOS/glusterfs-epel.repo</span></span></span></span><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;"> </span></span></span></span></span></span></span></span></span></span><br />
<span style="background-color: #d0e0e3;"><span style="font-size: x-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;">yum -y install glusterfs glusterfs-fuse glusterfs-server</span></span></span></span></span></span></span></span><br />
<span style="font-size: small;"><br /></span>
<span style="font-size: x-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><span style="font-family: "times" , "times new roman" , serif;">It's no need to install any of samba packages if you don't intend to use smb<span style="font-family: "times" , "times new roman" , serif;">.</span></span></span> </span></span></span></span></span></span></span><br />
<br />
<span style="background-color: #d0e0e3;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">systemctl enable glusterd.service</span></span><br />
<span style="background-color: #fff2cc;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">Created symlink from /etc/systemd/system/multi-user.target.wants/glusterd.service to /usr/lib/systemd/system/glusterd.service.</span></span><br />
<br />
Both servers had a second, 20 GB disk, sdb. I created two LVs on it, one for each brick.<br />
<br />
<span style="background-color: #d0e0e3;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[root@s2 ~]# lvcreate -L 9G -n brick2 glustervg</span></span><br />
<span style="background-color: #fff2cc;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Logical volume "brick2" created.</span></span><br />
<span style="background-color: #d0e0e3;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">[root@s2 ~]# lvcreate -L 9G -n brick1 glustervg</span></span><br />
<span style="background-color: #fff2cc;"><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> Logical volume "brick1" created.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3;">[root@s1 ~]# vgcreate glustervg /dev/sdb</span><br /><span style="background-color: #fff2cc;"> Volume group "glustervg" successfully created</span><br /><span style="background-color: #fff2cc;"></span><span style="background-color: #d0e0e3;">[root@s1 ~]# lvcreate -L 9G -n brick2 glustervg</span><br /><span style="background-color: #fff2cc;"> Logical volume "brick2" created.</span><br /><span style="background-color: #d0e0e3;">[root@s1 ~]# lvcreate -L 9G -n brick1 glustervg</span><br /><span style="background-color: #fff2cc;"> Logical volume "brick1" created.</span><br /><span style="background-color: #d0e0e3;">[root@s2 ~]# pvdisplay</span><br /><span style="background-color: #fff2cc;"><br /> --- Physical volume ---<br /> PV Name /dev/sdb<br /> VG Name glustervg<br /> PV Size 20.00 GiB / not usable 4.00 MiB<br /> Allocatable yes<br /> PE Size 4.00 MiB<br /> Total PE 5119<br /> Free PE 511<br /> Allocated PE 4608<br /> PV UUID filZyX-wR7W-luFX-Asyn-fYA3-f7tf-q4xGyU<br />[...]</span><br /><span style="background-color: #d0e0e3;">[root@s2 ~]# lvdisplay</span><br /><span style="background-color: #fff2cc;"><br /> --- Logical volume ---<br /> LV Path /dev/glustervg/brick2<br /> LV Name brick2<br /> VG Name glustervg<br /> LV UUID Rx3FPi-S3ps-x3Z0-FZrU-a2tq-IxS0-4gD2YQ<br /> LV Write Access read/write<br /> LV Creation host, time s2, 2016-05-18 16:02:41 +0200<br /> LV Status available<br /> # open 0<br /> LV Size 9.00 GiB<br /> Current LE 2304<br /> Segments 1<br /> Allocation inherit<br /> Read ahead sectors auto<br /> - currently set to 8192<br /> Block device 253:3<br /><br /> --- Logical volume ---<br /> LV Path /dev/glustervg/brick1<br /> LV Name brick1<br /> VG Name glustervg<br /> LV UUID P5slcZ-dC7R-iFWv-e0pY-rvyb-YrPm-FM7YuP<br /> LV Write Access read/write<br /> LV Creation host, time s2, 2016-05-18 16:02:43 +0200<br /> LV 
Status available<br /> # open 0<br /> LV Size 9.00 GiB<br /> Current LE 2304<br /> Segments 1<br /> Allocation inherit<br /> Read ahead sectors auto<br /> - currently set to 8192<br /> Block device 253:4<br />[...]</span><br /> </span></span><br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3;">[root@s1 ~]# lvdisplay</span><br /><span style="background-color: #fff2cc;"> --- Logical volume ---<br /> LV Path /dev/glustervg/brick2<br /> LV Name brick2<br /> VG Name glustervg<br /> LV UUID 7yC2Wl-0lCJ-b7WZ-rgy4-4BMl-mT0I-CUtiM2<br /> LV Write Access read/write<br /> LV Creation host, time s1, 2016-05-18 16:01:56 +0200<br /> LV Status available<br /> # open 0<br /> LV Size 9.00 GiB<br /> Current LE 2304<br /> Segments 1<br /> Allocation inherit<br /> Read ahead sectors auto<br /> - currently set to 8192<br /> Block device 253:2<br /><br /> --- Logical volume ---<br /> LV Path /dev/glustervg/brick1<br /> LV Name brick1<br /> VG Name glustervg<br /> LV UUID X6fzwM-qdRi-BNKH-63fa-q2O9-jvNw-u2geA2<br /> LV Write Access read/write<br /> LV Creation host, time s1, 2016-05-18 16:02:05 +0200<br /> LV Status available<br /> # open 0<br /> LV Size 9.00 GiB<br /> Current LE 2304<br /> Segments 1<br /> Allocation inherit<br /> Read ahead sectors auto<br /> - currently set to 8192<br /> Block device 253:3<br />[...]<br /> </span><br /><span style="background-color: #d0e0e3;">[root@s1 ~]# mkfs.xfs /dev/glustervg/brick1</span><br /> </span></span><br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc;">meta-data=/dev/glustervg/brick1 isize=256 agcount=4, agsize=589824 blks<br /> = sectsz=4096 attr=2, projid32bit=1<br /> = crc=0 finobt=0<br />data = bsize=4096 blocks=2359296, imaxpct=25<br /> = sunit=0 swidth=0 blks<br />naming =version 2 bsize=4096 ascii-ci=0 ftype=0<br />log =internal log bsize=4096 blocks=2560, version=2<br /> = sectsz=4096 sunit=1 blks, lazy-count=1<br />realtime =none extsz=4096 blocks=0, rtextents=0</span><br /><br /><span style="background-color: #d0e0e3;">[root@s1 ~]# mkfs.xfs /dev/glustervg/brick2</span><br /><span style="background-color: #fff2cc;"><br />meta-data=/dev/glustervg/brick2 isize=256 agcount=4, agsize=589824 blks<br /> = sectsz=4096 attr=2, projid32bit=1<br /> = crc=0 finobt=0<br />data = bsize=4096 blocks=2359296, imaxpct=25<br /> = sunit=0 swidth=0 blks<br />naming =version 2 bsize=4096 ascii-ci=0 ftype=0<br />log =internal log bsize=4096 blocks=2560, version=2<br /> = sectsz=4096 sunit=1 blks, lazy-count=1<br />realtime =none extsz=4096 blocks=0, rtextents=0</span><br /><br /><span style="background-color: #d0e0e3;">[root@s1 ~]# mkdir -p /gluster/brick{1,2}<br />[root@s2 ~]# mkdir -p /gluster/brick{1,2}<br />[root@s1 ~]# mount /dev/glustervg/brick1 /gluster/brick1 && mount /dev/glustervg/brick2 /gluster/brick2<br />[root@s2 ~]# mount /dev/glustervg/brick1 /gluster/brick1 && mount /dev/glustervg/brick2 /gluster/brick2</span><br /><br /><span style="font-size: small;"><span style="font-family: "times" , "times new roman" , serif;"><br />Add the following to a newline in both /etc/fstab:</span></span><br /><br /><span style="background-color: #d0e0e3;">/dev/mapper/glustervg-brick1 /gluster/brick1 xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0<br />/dev/mapper/glustervg-brick2 /gluster/brick2 xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0</span><br /><br /><span 
style="background-color: #d0e0e3;">[root@s1 etc]# systemctl start glusterd.service</span><br /><br /><span style="font-size: small;"><span style="font-family: "times" , "times new roman" , serif;">Making sure:</span></span><br /><span style="background-color: #d0e0e3;">[root@s1 etc]# ps ax|grep gluster</span><br /><br /><span style="background-color: #fff2cc;"> 1010 ? Ssl 0:00 /usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO</span><span style="background-color: #d0e0e3;">[root@s1 etc]# gluster peer probe s2</span><br /><span style="background-color: #fff2cc;">peer probe: success.</span></span></span><br />
<span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc;"></span><br /><span style="background-color: #d0e0e3;">[root@s2 etc]# gluster peer status</span><br /><span style="background-color: #fff2cc;">Number of Peers: 1<br />Hostname: 192.168.183.235<br />Uuid: f5bdc3f3-0b43-4a83-86c1-c174594566b9<br />State: Peer in Cluster (Connected)</span><br /><br /><span style="background-color: #d0e0e3;">[root@s1 etc]# gluster pool list</span><br /><span style="background-color: #fff2cc;">UUID Hostname State<br />01cf8a70-d00f-487f-875e-9e38d4529b57 s2 Connected<br />f5bdc3f3-0b43-4a83-86c1-c174594566b9 localhost Connected</span><br /><span style="background-color: #d0e0e3;">[root@s1 etc]# gluster volume status</span><br /><span style="background-color: #fff2cc;">No volumes present</span><br /><span style="background-color: #d0e0e3;"><br />[root@s2 etc]# gluster volume info</span><span style="background-color: #fff2cc;">No volumes present</span><br /><br /><span style="background-color: #d0e0e3;"><span style="font-family: "courier new" , "courier" , monospace;">[</span>root@s1 etc]# mkdir /gluster/brick1/mpoint1<br />[root@s2 etc]# mkdir /gluster/brick1/mpoint1<br />[root@s1 gluster]# gluster volume create myvol1 replica 2 transport tcp s1:/gluster/brick1/mpoint1 s2:/gluster/brick1/mpoint1</span><br /><span style="background-color: #fff2cc;">volume create: myvol1: failed: Staging failed on s2. Error: Host s1 is not in 'Peer in Cluster' state</span></span></span><br />
Ooooops....<br />
<pre class=" language-bash" data-title="bash"><code class=" language-bash">[root@s2 glusterfs]# ping s1
ping: unknown host s1</code></pre>
I forgot to check name resolution on s2 (note that in its peer status above, s2 knows the other node only by IP, not as s1). When I fixed this and tried to create the volume again, I got:<br />
<pre class=" language-bash" data-title="bash"><code class=" language-bash">[root@s1 glusterfs]# gluster volume create myvol1 replica 2 transport tcp s1:/gluster/brick1/mpoint1 s2:/gluster/brick1/mpoint1
volume create: myvol1: failed: /gluster/brick1/mpoint1 is already part of a volume</code></pre>
<br />
WTF ??<br />
<pre class=" language-bash" data-title="bash"><code class=" language-bash">[root@s1 glusterfs]# gluster volume get myvol1 all
volume get option: failed: Volume myvol1 does not exist
[root@s1 glusterfs]# gluster
gluster>
exit global help nfs-ganesha peer pool quit snapshot system:: volume
gluster> volume
add-brick bitrot delete heal inode-quota profile remove-brick set status tier
attach-tier clear-locks detach-tier help list quota replace-brick start stop top
barrier create get info log rebalance reset statedump sync
gluster> volume l
list log
gluster> volume list
No volumes present in cluster</code></pre>
That's odd! Hmm. I thought it'd work:<br />
<pre class=" language-bash" data-title="bash"><code class=" language-bash">[root@s1 /]# rm /gluster/brick1/mpoint1
[root@s1 /]# gluster volume create myvol1 replica 2 transport tcp s1:/gluster/brick1/mpoint1 s2:/gluster/brick1/mpoint1
volume create: myvol1: success: please start the volume to access data

[root@s1 /]# gluster volume list
myvol1</code></pre>
Yep. Success. Phuhh.<br />
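Both failures above have concrete preconditions that can be checked before running <b>gluster volume create</b>: every brick host named in the command must resolve on every peer and be listed there in "Peer in Cluster (Connected)" state, and a brick directory left behind by an earlier or failed create still carries the trusted.glusterfs.volume-id extended attribute, which is what makes glusterd answer "is already part of a volume". The pre-flight script below is an added example, not code from the original post; the hosts file and the "gluster peer status" text at the bottom are constructed sample data mirroring the lab above (hostnames, IPs and the s2 peer UUID are the post's own).

```shell
#!/bin/sh
# Pre-flight checks before "gluster volume create" (added example, not part
# of the original post). Hostnames, brick paths and the peer UUID used in the
# sample data below come from the lab described in the post.

# hosts_resolves HOSTSFILE NAME
# Succeeds when NAME appears as a hostname or alias in HOSTSFILE (comments
# stripped). This is the check that was skipped on s2.
hosts_resolves() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# peer_state PEER_STATUS_TEXT HOST
# Prints the "State:" value recorded for HOST in the output of
# "gluster peer status" (format as shown in the post); prints nothing when
# the host is not listed under that name, e.g. because glusterd only knows
# it by IP address.
peer_state() {
    printf '%s\n' "$1" | awk -v h="$2" '
        $1 == "Hostname:" { cur = $2 }
        $1 == "State:" && cur == h { sub(/^State: */, ""); print; exit }'
}

# brick_is_tagged DIR
# Returns 0 when DIR already carries trusted.glusterfs.volume-id, the xattr
# behind "is already part of a volume"; 1 when it is clean; 2 when getfattr
# is not installed and the check cannot be made.
brick_is_tagged() {
    command -v getfattr >/dev/null 2>&1 || return 2
    getfattr -n trusted.glusterfs.volume-id --only-values "$1" >/dev/null 2>&1
}

# preflight HOSTSFILE PEER_STATUS_TEXT BRICK_DIR PEER...
# Returns 0 only if every remote PEER resolves and is "Peer in Cluster
# (Connected)" and BRICK_DIR is not tagged (or cannot be checked).
preflight() {
    hosts=$1; status=$2; brick=$3; shift 3
    rc=0
    for p in "$@"; do
        if ! hosts_resolves "$hosts" "$p"; then
            echo "FAIL: $p does not resolve via $hosts"; rc=1
        fi
        st=$(peer_state "$status" "$p")
        if [ "$st" != "Peer in Cluster (Connected)" ]; then
            echo "FAIL: peer $p is '${st:-not listed}' in gluster peer status"; rc=1
        fi
    done
    tagged=0
    brick_is_tagged "$brick" || tagged=$?
    case $tagged in
        0) echo "FAIL: $brick is already part of a volume (trusted.glusterfs.volume-id is set)"; rc=1 ;;
        2) echo "WARN: getfattr not installed, cannot check $brick" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: safe to run gluster volume create"
    return "$rc"
}

# Constructed sample data mirroring the post's lab, for a stand-alone run.
SAMPLE_HOSTS=$(mktemp)
printf '%s\n' \
    '127.0.0.1 localhost' \
    '192.168.183.235 s1' \
    '192.168.183.236 s2' \
    '192.168.183.237 c1' >"$SAMPLE_HOSTS"
SAMPLE_STATUS='Number of Peers: 1
Hostname: s2
Uuid: 01cf8a70-d00f-487f-875e-9e38d4529b57
State: Peer in Cluster (Connected)'
SAMPLE_BRICK=$(mktemp -d)

# As run from s1: check the remote peer s2 and the local brick directory
preflight "$SAMPLE_HOSTS" "$SAMPLE_STATUS" "$SAMPLE_BRICK" s2 || true
rm -rf "$SAMPLE_HOSTS" "$SAMPLE_BRICK"
```

Running this before reaching for <b>force</b> (as was done for myvol2 later on) avoids silently reusing a brick directory that already belongs to another volume.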
<span style="font-size: xx-small;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3;">[root@s1 /]# gluster volume start myvol1</span><br /><span style="background-color: #fff2cc;">volume start: myvol1: success</span></span></span></span><span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="font-size: xx-small;"><br /></span></span><span style="font-size: x-small;">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3;"><span style="font-size: xx-small;">[root@s2 etc]# gluster volume list</span></span></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">myvol1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #d0e0e3;"><span style="font-size: xx-small;">[root@s2 etc]# gluster volume status</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Status of volume: myvol1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Gluster process TCP Port RDMA Port Online Pid</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">------------------------------------------------------------------------------</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick s1:/gluster/brick1/mpoint1 49152 0 Y 2528</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick s2:/gluster/brick1/mpoint1 49152 0 Y 10033</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">NFS Server on localhost 2049 0 Y 10054</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Self-heal Daemon on localhost N/A N/A Y 10061</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">NFS Server on 192.168.183.235 2049 0 Y 2550</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Self-heal Daemon on 192.168.183.235 N/A N/A Y 2555</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;"><br /></span></span></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Task Status of Volume myvol1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">------------------------------------------------------------------------------</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">There are no active volume tasks</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;"><br /></span></span></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #d0e0e3;"><span style="font-size: xx-small;">[root@s1 ~]# gluster volume create myvol2 s1:/gluster/brick2/mpoint2 s2:/gluster/brick2/mpoint2 force</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">volume create: myvol2: success: please start the volume to access data</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #d0e0e3;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;">[root@s1 ~]# gluster volume start myvol2</span></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">volume start: myvol2: success</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #d0e0e3;"><span style="font-family: "times" , "times new roman" , serif;"><span style="font-size: xx-small;">[root@s1 ~]# gluster volume info</span></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Volume Name: myvol1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="color: red; font-size: xx-small;"><b><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Type: Replicate</span></span></b></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Volume ID: 633b765b-c630-4007-91ca-dc42714bead4</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Status: Started</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Number of Bricks: 1 x 2 = 2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Transport-type: tcp</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Bricks:</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick1: s1:/gluster/brick1/mpoint1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick2: s2:/gluster/brick1/mpoint1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Options Reconfigured:</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">performance.readdir-ahead: on</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;"><br /></span></span></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Volume Name: myvol2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="color: red; font-size: xx-small;"><b><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Type: Distribute</span></span></b></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Volume ID: ebfa9134-0e6a-40be-8045-5b16436b88ed</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Status: Started</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Number of Bricks: 2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Transport-type: tcp</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Bricks:</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick1: s1:/gluster/brick2/mpoint2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Brick2: s2:/gluster/brick2/mpoint2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">Options Reconfigured:</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="background-color: #fff2cc;"><span style="font-size: xx-small;">performance.readdir-ahead: on</span></span></span><br />
<br />
<b>On the client:</b><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;"><br /></span></span>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# wget -P /etc/yum.repos.d http://download.gluster.org/pub/gluster/glusterfs/LATEST/CentOS/glusterfs-epel.repo</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">[...] </span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# yum -y install glusterfs glusterfs-fuse</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">[....] </span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# mkdir /g{1,2}</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# mount.glusterfs s1:/myvol1 /g1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# mount.glusterfs s1:/myvol2 /g2</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ~]# mount</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">[...]</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">s1:/myvol1 on /g1 type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">s2:/myvol2 on /g2 type fuse.glusterfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #d0e0e3; font-size: x-small;"><span style="font-size: xx-small;">[root@c1 ]# df -h</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">Filesystem Size Used Avail Use% Mounted on</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">/dev/mapper/centos-root 28G 1.1G 27G 4% /</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">devtmpfs 422M 0 422M 0% /dev</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">tmpfs 431M 0 431M 0% /dev/shm</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">tmpfs 431M 5.7M 426M 2% /run</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">tmpfs 431M 0 431M 0% /sys/fs/cgroup</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">/dev/sda1 494M 164M 331M 34% /boot</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">tmpfs 87M 0 87M 0% /run/user/0</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">s1:/myvol1 9.0G 34M 9.0G 1% /g1 <b><span style="color: red;">[9G,9G because of replicating (aka <span style="color: #274e13;">RAID1</span> over network)) </span></b></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #fff2cc; font-size: x-small;"><span style="font-size: xx-small;">s2:/myvol2 18G 66M 18G 1% /g2 <b><span style="color: red;">(9G+9G because of distributing (aka <span style="color: #b00000;"><span style="color: #274e13;">J</span><span style="color: #b00000;"><span style="color: #274e13;">BOD</span> </span></span>over network))</span></b></span></span></span><br />
<br />
<span style="font-family: "times" , "times new roman" , serif;"><span style="color: #007600; font-size: small;"><span style="color: black;">What is the </span><span style="color: black;">difference between distributing and striping? Here are two short sniplets from glusterhacker <a href="http://glusterhacker.blogspot.hu/2013/01/volumes.html">blog</a>:</span></span></span><br />
<b>Distribute :</b> A distribute volume is one, in which all the data of
the volume, is distributed throughout the bricks. Based on an
algorithm, that takes into account the size available in each brick, the
data will be stored in any one of the available bricks. <span style="font-size: small;"><b>[...]</b></span> The default volume type is distribute, hence my myvol2 got distributed.<br />
<b>Stripe:</b> A stripe volume is one, in which the data being stored
in the backend is striped into units of a particular size, among the
bricks. The default unit size is 128KB, but it's configurable. If we
create a striped volume of stripe count 3, and then create a 300 KB file
at the mount point, the first 128KB will be stored in the first
sub-volume(brick in our case), the next 128KB in the second, and the
remaining 56KB in the third. The number of bricks should be a multiple
of the stripe count. <br />
<br />
<span style="font-size: small;">The very useable official howto is <a href="https://wiki.centos.org/HowTos/GlusterFSonCentOS">here.</a></span><br />
<b>Performance test, split brain, to be continued....</b><br />
<br />
<b>A Mikrotik guest network can be more difficult than you may think</b> (2016-04-11)<br />
In recent RouterOS versions it is a single click to set up a guest wifi AP. By guest I mean a network that is fully or partly allowed to reach the public internet but denied access to the internal private network. Here is a <a href="http://jcutrer.com/howto/networking/mikrotik/mikrotik-tutorial-adding-a-2nd-wireless-ssid-virtual-access-point">simple howto</a> about adding a second wifi AP / slave interface. The only problem with that is that it's insecure. :( The most common way is the QuickSet method. Everyone knows what to do when seeing this window:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihq0JQv4jYgVB0pI3CxWUWNJzsOEvgZw-wOo7DOZflkxeB2_4DjseJHdvaATONtsOSUmf0nU_uLPdn8qLeRKZjKyAzUCU779lFGX8E_JJPAae5-16AQOuXELuRr0biyUt0b6ridU1QXA/s1600/mikrotik1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihq0JQv4jYgVB0pI3CxWUWNJzsOEvgZw-wOo7DOZflkxeB2_4DjseJHdvaATONtsOSUmf0nU_uLPdn8qLeRKZjKyAzUCU779lFGX8E_JJPAae5-16AQOuXELuRr0biyUt0b6ridU1QXA/s320/mikrotik1.png" width="320" /></a></div>
So if I build a second AP like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiEeGl5he8NWTa_w-8wjCXAJttcUkYm40cYcgHjdD9ZTHo576CCimvQQ06uDKOLf5uhF3YmOMDFxCGICCxEGsilVKQiFw1tSz9bZtaGoHODhqasumUdfynLu0MjXYZ7WAIOucPvKf4JQ/s1600/mikrotik1.5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiEeGl5he8NWTa_w-8wjCXAJttcUkYm40cYcgHjdD9ZTHo576CCimvQQ06uDKOLf5uhF3YmOMDFxCGICCxEGsilVKQiFw1tSz9bZtaGoHODhqasumUdfynLu0MjXYZ7WAIOucPvKf4JQ/s320/mikrotik1.5.PNG" width="320" /></a></div>
<br />
it's going to use the same DHCP server as the internal WiFi. Obviously, because it's on the same bridge (switch) interface. I always wondered how RouterOS still keeps them separated. The answer is Mikrotik's genius Layer2 firewall called Bridge filtering.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrV1575ZNn-nQDRn47ZEaAH-RW8nirqcgu2edLn9QtJM6IS_IZfn7LqBfw4Tgfwzz8ml5R4Vqr48JJQeGzO_eCkT84forB41WzhQFL1jXJlUnTiKssy3l20qf_PonmREyzMCc_LjkcYw/s1600/mikrotik2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="117" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrV1575ZNn-nQDRn47ZEaAH-RW8nirqcgu2edLn9QtJM6IS_IZfn7LqBfw4Tgfwzz8ml5R4Vqr48JJQeGzO_eCkT84forB41WzhQFL1jXJlUnTiKssy3l20qf_PonmREyzMCc_LjkcYw/s320/mikrotik2.PNG" width="320" /></a></div>
<br />
But you discover an embarrassing problem if you have more IP subnets (e.g. VPN networks over the public net) and also want to apply the guest wifi filtering to them. One simply can't utilize Layer2 filtering over Layer3 routing and, of course, it does not work the other way round either.<br />
<br />Solution: forget the built-in bridge and create a new bridge only for your guest wifi.
<pre>/interface bridge add name=bridge-guestwifi</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsze1l_OZ1nGo8bn8PSbhpvSbx2OliizCCUsg_xGYOkpHWtdIz2ijPLvE1UadCB-X0awCRVLJYN83zRX7XaiNaQgZ7Bz5thFNfTFQpUlE1aqXe0rhzLHYXbl1OEmIcqpUWwK-EjVjOMQ/s1600/mikrotik3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsze1l_OZ1nGo8bn8PSbhpvSbx2OliizCCUsg_xGYOkpHWtdIz2ijPLvE1UadCB-X0awCRVLJYN83zRX7XaiNaQgZ7Bz5thFNfTFQpUlE1aqXe0rhzLHYXbl1OEmIcqpUWwK-EjVjOMQ/s320/mikrotik3.PNG" width="320" /></a></div>
Add a new security profile for guests if you don't have one yet:
<pre>/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=guestwifi wpa2-pre-shared-key=topsecretpassword</pre>
Add your new slave interface:
<pre>/interface wireless
add disabled=no mac-address=D6:CA:6E:4F:54:28 master-interface=wlan1 name=wlan2 security-profile=guestwifi ssid="For Guests" wds-default-bridge=bridge-guestwifi</pre>
and link these 2 to each other.
<pre>/interface bridge port add bridge=bridge-guestwifi interface=wlan2</pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNDBloKLP2eX12yQ45sbzD7AUKWW2eJs3RtjMvBOF9dHfcLgrUCMPTQvKmLU_NUrNr4zmXbBHFTRAa-ZVsd3iZ4X606s8AqqvtYT7MgJrmZG6yBCIyI_dLRo7J7zESxdfbBNQuCjkYhg/s320/mikrotik4.PNG" width="314" /></div>
<br />
So far so good. Layer2 filtering is done now. But the guests are now totally separated from your DHCP server, so you need to create a new, dedicated DHCP pool for them. It requires a new address and subnet.
<pre>/ip address add address=192.168.100.1/24 interface=bridge-guestwifi network=192.168.100.0
/ip pool add name=guest ranges=192.168.100.100-192.168.100.254
/ip dhcp-server add address-pool=guest disabled=no interface=bridge-guestwifi name=guest
/ip dhcp-server network add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1</pre>
<br />
Let's suppose that you have a source NAT rule that NATs anything going out to the internet:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwltmI477Rx5NlQp3eIOllGcLtRiOKTBD3A58K5DV351-mJNjVoiT4_Gwk9_-mypEaKDVq5q5gB0Zmdo1gyZIX-hOHneoXXNSXvziIOYlKNzbQFbQs4yZ4i3lnfZuWkJYc8noiB5cREw/s1600/mikrotik5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwltmI477Rx5NlQp3eIOllGcLtRiOKTBD3A58K5DV351-mJNjVoiT4_Gwk9_-mypEaKDVq5q5gB0Zmdo1gyZIX-hOHneoXXNSXvziIOYlKNzbQFbQs4yZ4i3lnfZuWkJYc8noiB5cREw/s320/mikrotik5.PNG" width="320" /></a></div>
In that case we have good news. You don't have to set up any more NAT rules because the guest network will hit the above rule. But it's not secured yet. The following Layer3 firewall rule, placed above any accept rules in the forward chain, will take care of that:<br />
<pre>/ip firewall filter
add action=drop chain=forward in-interface=bridge-guestwifi out-interface=!ether1-gateway</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvEbaTFwbyb6iDm7KBlasFuqKO_REcec4hkQZFByr2kGOaK8kig_YZVGYUSSI2y5_SRJqV5Cj7FoCXSP4lIuM1um_tyTOhzeqcl_RGB8slXhN7Z4sgAXxkxwKD0Y2_1SQrHIgfKqvKw/s1600/mikrotik6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjvEbaTFwbyb6iDm7KBlasFuqKO_REcec4hkQZFByr2kGOaK8kig_YZVGYUSSI2y5_SRJqV5Cj7FoCXSP4lIuM1um_tyTOhzeqcl_RGB8slXhN7Z4sgAXxkxwKD0Y2_1SQrHIgfKqvKw/s320/mikrotik6.PNG" width="320" /></a></div>
So from now on, guests are denied to go anywhere but the public internet. Note that this rule only covers the forward chain: traffic addressed to the router itself, such as the DNS service at 192.168.100.1 that the DHCP network above hands out, goes through the input chain and needs its own rules if guests should not reach the router's other services.<br />
<br />
<b>Ban / reject users with freeradius based on MAC addresses</b> (2016-04-07)<br />
FreeRADIUS is a common tool if someone wants to set up enterprise WiFi authentication. But if it's in a public institution, e.g. a school, sooner or later your WiFi users' passwords will leak out, and after the password changes your logs fill up with incorrect logins from the mischievous students. Solution: build a script that scans the logfile for incorrect logins and bans the MAC addresses of those devices. Here is a little help on how to start thinking:<br />
Add the following to your /etc/freeradius/modules/files:<br />
<pre>files rejectmac {
        key = "%{Calling-Station-ID}"
        usersfile = ${confdir}/rejectmacaddress.txt
        compat = no
}</pre>
Add the following to the authorize{} section of your /etc/freeradius/sites-enabled/default:<br />
<pre>rejectmac
if (ok) {
        reject
}</pre>
Create a new file /etc/freeradius/rejectmac.conf and add:<br />
<pre>passwd rejectmac {
        filename = /etc/freeradius/rejectmacaddress.txt
        delimiter = ,
        format = "*Calling-Station-Id"
}</pre>
Create a new file /etc/freeradius/rejectmacaddress.txt and fill it with the kiddies' MACs like this:<br />
<pre>78-F8-82-F3-8F-58,B4-CE-F6-4D-74-93,B0-45-19-C6-17-D1,50-F0-D3-1D-42-CE,00-5A-05-90-08-FE,88-07-4B-D1-17-15</pre>
Add this to the beginning of your radiusd.conf:<br />
<pre>$INCLUDE rejectmac.conf</pre>
Restart your freeradius daemon and get ready to go home.<br />
<span style="font-size: x-small;"></span><br />
<span style="font-size: x-small;"><br /></span>Énhttp://www.blogger.com/profile/02382510591052302510noreply@blogger.com2tag:blogger.com,1999:blog-5254478946580483694.post-37949635613089778272016-04-06T06:51:00.001-07:002016-04-18T04:20:37.466-07:00Debian Wheezy Mail Server – Postfix Dovecot Sasl MySQL PostfixAdmin and RoundCube Shamefully I didn't want to find my own way so the whole tutorial I followed is <a href="http://www.xenlens.com/debian-wheezy-mail-server-postfix-dovecot-sasl-mysql-postfixadmin-roundcube-spamassassin-clamav-greylist-nginx-php5/">here.</a><br />
For my personal further usage, I <a href="https://www.dropbox.com/s/ayhc99rtxlyq60r/example.tgz?dl=0">attached</a> the working nginx, dovecot, postfix and php5 config to this post. There are two minor differences from the original tutorial: I don't use spam filtering because in my case it's done by a 3rd party provider. Second, I use an outgoing TLS smarthost via the mail submission port 587, detailed in postfix/main.cf.<br />
Note that sensitive information is all removed, and in the tgz there is a missing socket, obviously, because sockets can't be packed. (<i>tar example/php5/fpm/socks/ssl_example.com.sock: socket ignored.</i>)<br />
Follow the <a href="http://www.xenlens.com/debian-wheezy-mail-server-postfix-dovecot-sasl-mysql-postfixadmin-roundcube-spamassassin-clamav-greylist-nginx-php5/">original</a> howto first.<br />
Versions for my pack are:<br />
<pre>Linux box 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u3 x86_64 GNU/Linux

ii  nginx            1.2.1-2.2+wheezy4      all    small, powerful, scalable web/proxy server
ii  nginx-common     1.2.1-2.2+wheezy4      all    small, powerful, scalable web/proxy server - common files
ii  nginx-full       1.2.1-2.2+wheezy4      amd64  nginx web/proxy server (standard version)
ii  dovecot-common   1:2.1.7-7+deb7u1       all    Transitional package for dovecot
ii  dovecot-core     1:2.1.7-7+deb7u1       amd64  secure mail server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-gssapi   1:2.1.7-7+deb7u1       amd64  GSSAPI authentication support for Dovecot
ii  dovecot-imapd    1:2.1.7-7+deb7u1       amd64  secure IMAP server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-ldap     1:2.1.7-7+deb7u1       amd64  LDAP support for Dovecot
ii  dovecot-lmtpd    1:2.1.7-7+deb7u1       amd64  secure LMTP server for Dovecot
ii  dovecot-mysql    1:2.1.7-7+deb7u1       amd64  MySQL support for Dovecot
ii  dovecot-pgsql    1:2.1.7-7+deb7u1       amd64  PostgreSQL support for Dovecot
ii  dovecot-pop3d    1:2.1.7-7+deb7u1       amd64  secure POP3 server that supports mbox, maildir, dbox and mdbox mailboxes
ii  dovecot-sieve    1:2.1.7-7+deb7u1       amd64  sieve filters support for Dovecot
ii  dovecot-sqlite   1:2.1.7-7+deb7u1       amd64  SQLite support for Dovecot
ii  postfix          2.9.6-2                amd64  High-performance mail transport agent
ii  postfix-mysql    2.9.6-2                amd64  MySQL map support for Postfix
ii  php5-common      5.5.33-1~dotdeb+7.1    amd64  Common files for packages built from the php5 source
ii  php5-fpm         5.5.33-1~dotdeb+7.1    amd64  server-side, HTML-embedded scripting language (FPM-CGI binary)
ii  php5-imap        5.5.33-1~dotdeb+7.1    amd64  IMAP module for php5
ii  php5-intl        5.5.33-1~dotdeb+7.1    amd64  internationalisation module for php5
ii  php5-mcrypt      5.5.33-1~dotdeb+7.1    amd64  MCrypt module for php5
ii  php5-mysql       5.5.33-1~dotdeb+7.1    amd64  MySQL module for php5</pre>
<br />
<br />
<b>Ubiquiti UniFi nuisances and the attack of the Martians</b> (2016-03-09)<br />
Some weeks ago I was given a nice task. A client of ours wanted us to set up two new UniFi APs in its network with two new wireless networks: one for guests and one for internal use. They had a Vigor 2925 to be used for the firewall and DHCP role. For those who are not familiar with the wireless products called Ubiquiti UniFi APs, here are a few links to inform:<br />
<a href="https://www.reddit.com/r/Ubiquiti/comments/32ovll/how_do_i_configure_a_guest_network_on_unifi_ap/">How do I configure a "Guest Network" on UniFi AP?</a><br />
Instructive reading. Based on the information there I finally decided not to use the internal "firewall" in the APs and let the Vigor do the network separation.<br />
<a href="https://help.ubnt.com/hc/en-us/articles/204959394-UniFi-Does-the-controller-need-to-be-running-at-all-times-">UniFi - Does the controller need to be running at all times?</a><br />
Official answer says "no, most of the times it is not necessary." Unfortunately this isn't entirely true with the latest firmwares. :/<br />
No worries, since the client already had a Linux server, it looked so simple to install the controller software and set up the nodes. Sadly, everything went a different way.<br />
For a mystical reason I couldn't make the controller software, running on the Linux box, see its APs, even though they were in the same IP subnet and in the same broadcast domain, as far as Layer2 communication goes. I spent two days just on this riddle. Maybe it was a misconfiguration of the D-Link switches or maybe an unsolvable incompatibility issue. I don't know why to this very day. :( I tried everything but the time ran out, so I had to find a quick solution.<br />
So I decided to use a different network card and a second subnet on the Linux only to control the APs.<br />
I ended up with this config:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3t3dNCa1ey2iecTtFjQtFsapRkQHanVNf0_wg5csE-aiJCBhPEZbqVW1V4hAqa479Wby4QhPK4FVoWajZrcKyaIDQT9ohmk5guY0kj_02MNOFP2yQG1H9ybGK2ceIuey18EiikZSj-g/s1600/Rajz1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3t3dNCa1ey2iecTtFjQtFsapRkQHanVNf0_wg5csE-aiJCBhPEZbqVW1V4hAqa479Wby4QhPK4FVoWajZrcKyaIDQT9ohmk5guY0kj_02MNOFP2yQG1H9ybGK2ceIuey18EiikZSj-g/s400/Rajz1.jpg" width="400" /></a></div>
My interfaces were:<br />
<pre>em1       Link encap:Ethernet  HWaddr 00:25:90:xx:xx:xx
          inet addr:172.16.20.30  Bcast:172.16.20.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fed3:930c/64 Scope:Link
          ..
em2       Link encap:Ethernet  HWaddr 00:25:90:xx:xx:xx
          inet addr:192.168.3.200  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fed3:930d/64 Scope:Link
          ..
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          ..</pre>
<br />
APs looked working. I think <i>Connected(limited)</i> state is normal in this case. Note that I didn't use the built-in "guest network" feature because it's just ridiculous.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZh2BxnNUhpRgNF_4jnUinktpoNvHLp8z7lM0VRkGq5dIK_E7wii61neZRlBFyyC6q7oY8Is9KBUHIfBteBJ_8pNMPo_A31zcHtDBYd56xMUgbzcYTT0DNBRUKJh1U4-lmf1LvJ7eokw/s1600/aps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZh2BxnNUhpRgNF_4jnUinktpoNvHLp8z7lM0VRkGq5dIK_E7wii61neZRlBFyyC6q7oY8Is9KBUHIfBteBJ_8pNMPo_A31zcHtDBYd56xMUgbzcYTT0DNBRUKJh1U4-lmf1LvJ7eokw/s320/aps.PNG" width="320" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKwPv10ax3_WHI8k9iCt5lKyx8kTtmFHbdJ9leq7o7lrYwvdSo8OpSWNxN4I6cBXpSlZlny15cWSLzQ7N7aWAyHfTJ5yehsjZBaTfcY38MnwRXRbIIeCH7MFNCaUnSdPFgmR4FxfWslQ/s1600/network.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKwPv10ax3_WHI8k9iCt5lKyx8kTtmFHbdJ9leq7o7lrYwvdSo8OpSWNxN4I6cBXpSlZlny15cWSLzQ7N7aWAyHfTJ5yehsjZBaTfcY38MnwRXRbIIeCH7MFNCaUnSdPFgmR4FxfWslQ/s320/network.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So everything seemed properly set. But to my greatest astonishment I couldn't reach the network share on my server at 172.16.20.30 from my internal wifi client 192.168.3.11. When I started to ping and ran tcpdump on the server, I saw that echo requests came in but replies never went back. I thought to myself: seeing that the kernel wanted to reply on the other interface (192.168.3.x), it's hardly surprising that it didn't work.<br />
So I set up IP policy routing: if the packet comes from 192.168.3.11 on em1, reply to it on the same interface, em1, instead of em2. You know, all the iptables mangle <span style="background-color: #fff2cc;">MARK</span> and <span style="background-color: #fce5cd;">ip route add default via 172.16.20.1 dev em1 table ... </span>stuff, etc. etc. etc.<br />
It didn't work either. Suddenly a light dawned on me. I turned on kernel martian packet logging with <span style="background-color: #fce5cd;">echo 1 > /proc/sys/net/ipv4/conf/all/log_martians</span><br />
and VOILA, I saw:<br />
<br />
<span style="background-color: #fce5cd;">Mar 2 20:08:03 superserver kernel: [ 2755.407570] IPv4: martian source 192.168.3.11 from 192.168.3.200, on dev em1<br />Mar 2 20:08:03 superserver kernel: [ 2755.407590] ll header: 00000000: ff ff ff ff ff ff 00 25 90 d3 93 0d 08 06 .......%......<br />Mar 2 20:08:04 superserver kernel: [ 2756.424025] IPv4: martian source 192.168.3.11 from 192.168.3.200, on dev em1<br />Mar 2 20:08:04 superserver kernel: [ 2756.424048] ll header: 00000000: ff ff ff ff ff ff 00 25 90 d3 93 0d 08 06 .......%......<br />Mar 2 20:08:05 superserver kernel: [ 2757.421639] IPv4: martian source 192.168.3.11 from 192.168.3.200, on dev em1<br />Mar 2 20:08:05 superserver kernel: [ 2757.421661] ll header: 00000000: ff ff ff ff ff ff 00 25 90 d3 93 0d 08 06 .......%......</span><br />
It's a bit confusing isn't it ?!?! 192.168.3.200 is my own server!<br />
I tried to turn off the Martian protection with <span style="background-color: #fce5cd;">echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter</span><br />
but I learned: such a bad routing problem cannot be solved with a simple fix like this.<br />
I was thinking very hard for an hour and finally I fooled the kernel with another subnet set on my second interface:<br />
<br />
<span style="background-color: #fce5cd;">auto em2<br />iface em2 inet static<br /> address 192.168.3.200<br /> netmask 255.255.255.<b>192</b></span><br />
<span style="background-color: #fce5cd;"></span><br />
Now it's working as expected:<br />
<pre>root@:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.20.1     0.0.0.0         UG    0      0        0 em1
172.16.20.0     0.0.0.0         255.255.255.0   U     0      0        0 em1
192.168.3.192   0.0.0.0         255.255.255.192 U     0      0        0 em2</pre>
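As an added example, not part of the original post, the two lookups the kernel performs are replayed in Python on both routing tables: the reverse-path check of rp_filter and the plain "which interface reaches this address" lookup that decides where the echo reply leaves. The client 192.168.3.11, the interface names, and the default route via 172.16.20.1 are taken from the post; the BEFORE table assumes em2 was 192.168.3.200/24 as shown in the ifconfig output.

```python
"""Reverse-path check (rp_filter) and reply-interface lookup, replayed on the two routing
tables from this post: em2 on 192.168.3.200/24 (broken) and on 192.168.3.200/26 (fixed)."""
import ipaddress
from typing import List, Optional, Tuple

# (destination network, outgoing interface). The gateway does not matter for the
# lookups below, which only ask "which interface leads to this address?".
Route = Tuple[ipaddress.IPv4Network, str]

# Before the fix: em2 configured with netmask 255.255.255.0 (ifconfig output above).
ROUTES_BEFORE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "em1"),        # default via 172.16.20.1
    (ipaddress.ip_network("172.16.20.0/24"), "em1"),
    (ipaddress.ip_network("192.168.3.0/24"), "em2"),
]

# After the fix: netmask 255.255.255.192, so em2 only covers 192.168.3.192/26
# (the route -n output above).
ROUTES_AFTER: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "em1"),
    (ipaddress.ip_network("172.16.20.0/24"), "em1"),
    (ipaddress.ip_network("192.168.3.192/26"), "em2"),
]


def route_iface(routes: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the kernel would send a packet *to* addr on."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_martian(routes: List[Route], src: str, in_iface: str) -> bool:
    """Strict reverse-path filtering (rp_filter=1): the packet is dropped, and logged when
    log_martians=1, if the route back to its source does not point at the arrival interface.
    The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so writing 0 to
    conf/all alone leaves the check active on an interface whose own value is still 1."""
    return route_iface(routes, src) != in_iface


def trace(routes: List[Route], client: str, in_iface: str) -> str:
    """One-line summary of what happens to a ping from client arriving on in_iface."""
    reply_on = route_iface(routes, client)
    if is_martian(routes, client, in_iface):
        return f"{client} on {in_iface}: dropped as martian (reverse path is {reply_on})"
    return f"{client} on {in_iface}: accepted, echo reply leaves on {reply_on}"


if __name__ == "__main__":
    # The wifi client from the post, routed in by the Vigor and arriving on em1.
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, trace(routes, "192.168.3.11", "em1"))
    # The controller-side address 192.168.3.200 is still reached via em2 after the fix,
    # so the APs must live in 192.168.3.193-254 to stay on that link.
    print("controller subnet via", route_iface(ROUTES_AFTER, "192.168.3.200"))
```

With the /24 table both lookups point at em2, so the request is a martian and even with rp_filter off the reply would leave on the wrong link; with the /26 table the client falls through to the default route on em1 and both problems disappear.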
<br />
These were all done on a:<br />
Linux 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux<br />
<br />
<b>Three small scripts</b> (2016-01-25)<br />
Hey there, long time no see. Nothing special here, just wanted to see googlebots heading this way. So here comes my first new year post, 3 minor scripts. The first one is for Exchange: it adds new email aliases for users from a .csv and makes each the default address.<br />
<br />
<span style="background-color: #fce5cd;">Import-Csv c:\scripts\data.csv -Header UZER,ADDRZ| Foreach{</span><br />
<span style="background-color: #fce5cd;">Set-Mailbox $_.UZER -EmailAddressPolicyEnabled $false</span><br />
<span style="background-color: #fce5cd;"> $user = Get-Mailbox -Identity $_.UZER</span><br />
<span style="background-color: #fce5cd;"> $user.EmailAddresses+=$_.ADDRZ</span><br />
<span style="background-color: #fce5cd;"> Set-Mailbox $user -PrimarySmtpAddress $_.ADDRZ</span><br />
<span style="background-color: #fce5cd;">}</span><br />
<br />
<br />
<i>example of data.csv (without any headers!):</i><br />
<pre>mgibson,mel.gibson@mighty.com
ctom,tom.cruise@mighty.com
cjoe,joe.cool@mighty.com</pre>
<br />
<br />
The second one is a bit tricky. I wanted to list all my distribution groups and their members. There are lots of solutions for this, e.g. you can find an edifying blog <a href="http://www.oxfordsbsguy.com/2014/04/21/exchange-powershell-how-to-enumerate-distribution-lists-managers-and-members/">entry here</a>. Unfortunately most of these scripts don't work nowadays with Office 365 Exchange because of this unpleasant nastiness:<br />
<pre>Cannot process argument transformation on parameter 'Identity'. Cannot convert value to type "Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter". Error: "Cannot convert hashtable to an object of the following type: Microsoft.Exchange.Configuration.Tasks.DistributionGroupMemberIdParameter. Hashtable-to-Object conversion is not supported in restricted language mode or a Data section."</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBW3HflW4Sv0IWM4OZvM_Ae4Wrj1GgAgEV8BNeoqWIrW-Hq350sm38miLwf2kUwp5YyLl5gAK6edhPlRtXt5GiHufLZfMjVPYrMRB3d9IEjef-_HNY10vjzi7B_mTaVJCYYD6bcru_w/s1600/cut.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBW3HflW4Sv0IWM4OZvM_Ae4Wrj1GgAgEV8BNeoqWIrW-Hq350sm38miLwf2kUwp5YyLl5gAK6edhPlRtXt5GiHufLZfMjVPYrMRB3d9IEjef-_HNY10vjzi7B_mTaVJCYYD6bcru_w/s640/cut.PNG" width="640" /></a></div>
Explained on reddit by <a href="https://www.reddit.com/user/PsTakuu">PsTakuu</a>: It's not the object being passed into the Get-DistributionGroupMember by the pipeline that is causing the issue; it's that you are shoving an entire object into the first positional parameter (Identity) and it doesn't accept hash tables.<br />
Here's a way to recreate your issue:<br />
<pre><code><span style="background-color: #fce5cd;">Get-DistributionGroup | select -First 1 | %{Get-DistributionGroupMember $_}</span>
</code></pre>
Here's the way to fix:<br />
<pre><code><span style="background-color: #fce5cd;">Get-DistributionGroup | select -First 1 | %{Get-DistributionGroupMember $_.identity}</span> </code></pre>
<br />
So here is the final working solution: <br />
<pre><code><span style="background-color: #fce5cd;">foreach ($group in Get-DistributionGroup) { get-distributiongroupmember $group.displayname | ft @{expression={$_.displayname};Label="$group"}}</span></code></pre>
The results can be redirected to a file like this:
<code><span style="background-color: #fce5cd;">$( foreach (............) )|out-file file.txt</span></code> <br />
or <br />
<pre><code><span style="background-color: #fce5cd;">$result = foreach (...)</span></code></pre>
<pre><code><span style="background-color: #fce5cd;">$result | out-file file.txt -append</span></code></pre>
<br />
One more useful listing, as a bonus: <br />
<pre><code><span style="background-color: #fce5cd;">Get-DistributionGroup|format-table -wrap -property name,emailaddresses,hiddenfromaddresslistsenabled,RequireSenderAuthenticationEnabled > c:\groups.txt</span></code></pre>
<br /> The third, very simple Linux script adds users to a Linux system and to the Samba file server database. I don't care about real names, room numbers and so on. It also creates small .bat files that make it easier to map the network drive for the Windows users later.<br />
<br />
<pre><code><span style="background-color: #fce5cd;">#!/bin/bash
# reads one "user:password" pair per line from users.txt
while IFS=: read -r uzer pazz; do
  # useradd -p wants an already hashed password; -stdin keeps it off the process list
  # (-6 is SHA-512 crypt; the original used -1, which is MD5 crypt)
  useradd -p "$(printf '%s\n' "$pazz" | openssl passwd -6 -stdin)" --shell /bin/false --no-create-home --no-user-group "$uzer"
  # -s makes smbpasswd read the password (twice) from stdin, -a adds the samba account
  printf '%s\n%s\n' "$pazz" "$pazz" | smbpasswd -a -s "$uzer"
  # per-user .bat that stores the credential and maps the share (/root/batz must exist;
  # note that the password lands in the .bat file in cleartext)
  echo "cmdkey /add:192.168.85.254 /user:workgroup\\$uzer /pass:$pazz" > "/root/batz/$uzer.bat"
  echo "net use m: \\\192.168.85.254\\workz /P:Yes" >> "/root/batz/$uzer.bat"
done < users.txt</span></code></pre>
<br />
example of users.txt:<br />
<span style="background-color: #fce5cd;">melbigson:jydac3sS</span><br />
<span style="background-color: #fce5cd;">tomcruise:hEieafS</span><br />
<span style="background-color: #fce5cd;">joecool:nhi252ax</span><br />
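Because useradd stops at the first line it does not like, and a half-finished batch then has to be cleaned up by hand, it pays to check users.txt before feeding it to the script. The following dry-run checker is an added example written for this post, not part of the original script: it assumes the same user:password layout, roughly the default useradd username rules (lowercase letters, digits, '_' and '-', at most 32 characters), and an 8-character minimum password length that is only an assumption here. It builds its own constructed sample files under a temp directory so it runs on its own.<br />

```shell
#!/bin/bash
# Added example (not part of the original post): dry-run check of a users.txt
# in the "user:password" layout before it is fed to useradd/smbpasswd.
# Nothing is created; every problem is printed as one "line N: ..." line.

# Prints one "line N: reason" per problem and returns the number of problems
# (0 means the file is safe to feed to the script). Counts above 255 wrap.
check_users_file() {
    file="$1"
    bad=0
    n=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if [ -z "$line" ]; then
            echo "line $n: empty line"; bad=$((bad + 1)); continue
        fi
        uzer=${line%%:*}
        pazz=${line#*:}
        # exactly one ':' separator: the part after the first colon may not contain another
        if [ "$line" = "$uzer" ] || [ "${pazz#*:}" != "$pazz" ]; then
            echo "line $n: expected exactly one ':' separator"; bad=$((bad + 1)); continue
        fi
        # roughly what useradd accepts by default (assumption for this example)
        if ! printf '%s\n' "$uzer" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
            echo "line $n: invalid username '$uzer'"; bad=$((bad + 1)); continue
        fi
        # the minimum length is an assumption for this example; pick your own policy
        if [ "${#pazz}" -lt 8 ]; then
            echo "line $n: password for '$uzer' is shorter than 8 characters"; bad=$((bad + 1)); continue
        fi
        case " $seen " in
            *" $uzer "*) echo "line $n: duplicate user '$uzer'"; bad=$((bad + 1)); continue ;;
        esac
        seen="$seen $uzer"
        # an account that already exists would make useradd fail half-way through the batch
        if getent passwd "$uzer" >/dev/null 2>&1; then
            echo "line $n: user '$uzer' already exists on this system"; bad=$((bad + 1)); continue
        fi
    done < "$file"
    return "$bad"
}

# Same check, but prints the number of problems instead of returning it.
count_problems() {
    if check_users_file "$1" >/dev/null; then
        echo 0
    else
        echo "$?"
    fi
}

# Constructed sample files (no real accounts) so the example runs stand-alone.
tmpdir=$(mktemp -d)
GOOD_FILE="$tmpdir/users.txt"
BAD_FILE="$tmpdir/users-bad.txt"
printf '%s\n' 'mgibson:jydac3sS' 'ctom:hEieafS9' 'cjoe:nhi252ax' > "$GOOD_FILE"
# bad username, short password, one good line, duplicate user, no colon, two colons
printf '%s\n' 'Mel Gibson:secret123' 'ctom:pw' 'cjoe:nhi252ax' 'cjoe:another12' \
    'nocolonhere' 'dup:a:b' > "$BAD_FILE"

check_users_file "$GOOD_FILE" && echo "$GOOD_FILE: OK"
check_users_file "$BAD_FILE" || echo "$BAD_FILE: $? problem(s), fix them before running the script"
```

Run it as <code>check_users_file users.txt</code> right before the add-user script; a non-zero exit status means at least one line would have broken the batch. The existing-account check uses getent, so the result depends on the machine it runs on, which is the point: run it on the target file server.<br />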
<br />