Geek projects, tidbits and things I'm working on at the moment…

This one took a while. Essentially I had lost my other bootable USB flash drive and needed to make another one. I had previously used an HP utility which did the heavy lifting for me but I couldn’t find it on the interwebs nor my HD to save my life. I essentially had to use FreeDOS and SysLinux to get the job done. I’m pretty sure the wiki page I found was using an older version so I had to download FreeDOS 1.0 to find the fat32lba.bss file which was eluding me.

I will never lose this USB thumb drive…ever…bit of a nightmare really.

Useful links:

http://sourceforge.net/apps/mediawiki/freedos/index.php?title=USB

http://www.kernel.org/pub/linux/utils/boot/syslinux/ (I grabbed version 4.05!)

http://www.freedos.org/download/

Recently had a question at work about the maximum number of recipients Sendmail would allow thru our in-house server. I wasn’t sure but knew I hadn’t personally configured a hard limit. Did some quick searching and stumbled upon confMAX_RCPT_PER_MESSAGE as the answer. I haven’t set it to anything in our config but didn’t know what the default limit was in Sendmail so I did some digging. Stumbled upon the following links of value (to me at least!)

http://www.sendmail.com/sm/open_source/docs/m4/tweaking_config.html

Answer: infinite number. Sendmail doesn’t have a limit (now it does!)

Also stumbled upon Centos.org’s version 5 Deployment Guide on running the m4 macro command to build a new Sendmail.cf file.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s3-email-mta-sendmail-changes.html

So a couple of months ago I had to stand up a DOORS Web Access server for work. It was pretty straight forward except for the creation of a certificate in your Java Keystore and then using it inside of your Tomcat server’s server.xml file.

  To create the Java Keystore file you’ll first need to have downloaded Jetty which will do the command-line magic for you. I downloaded it from the codehaus.org website but you can find it by doing a Google for Jetty keytool. Once downloaded ensure your Java environment is setup correctly by issuing via command-line java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import . It should return back w/ usage information letting you know your Java environment is setup for command-line Java execution. Next, put your PFX file in the same directory where you are via command-line and then issue java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import <mycert>.pfx <myjavakeystorefile>.jks. You’ll be prompted for the password that allows you to use the PFX file, then you’ll be asked for a password for your JKS file. Once it’s done, you’ll have your Java Keystore and password.

Now, you need to open up your server.xml file and find the SSL part which needs to be modified to point to your Java Keystore file. When I found my server.xml file the https port was changed to 8443 which from what I hear is pretty common. I simply changed mine back to 443 so I wouldn’t have to do any firewall redirection. Now, I simply had to add SSLEnabled="true" keyAlias="server" keystoreFile="C:\path\to\keystore\file\mykeystorefile.jks" keypass="supersecretpasswordwhichI'mnotstupidenoughtoblogabout" . Once I had those attributes correctly set I simply stopped and restarted the Tomcat server.

All credit really goes to DigiCert & Entrust 🙂

Jetty tool kit explained:
http://www.entrust.net/knowledge-base/technote.cfm?tn=7925

Tomcat SSL certificate installation:
http://www.digicert.com/ssl-certificate-installation-tomcat.htm

Jetty’s website:
http://docs.codehaus.org/display/JETTY/Jetty+Wiki

Here’s a tidbit of information that I had to use last night on a Windows 2003 server which got hung up on a reboot in a remote location. I’ve used this a couple times before but always double check the “help shutdown” before proceeding. The shutdown command has been available on all Windows OSes since Windows 2000 came out and can be very useful when working with a virtualized server, a headless server or a box in a remote location. Last night’s server reboot somehow got hung; probably on some application that required user interaction (I could still ping the box remotely, couldn’t RDP back into it but could still access it via RPC.) I just issued a quick:

shutdown /r /f /m \\"IP ADDRESS HERE!"

And the box finished its reboot and I was back in business. If it hadn’t been for that command at 10pm last night I would have had to wait until morning to get it back up and running!

Here’s a couple useful links w/ more info.

http://www.computerperformance.co.uk/w2k3/shutdown.htm

http://www.shutdown.cc/

Moving lots of data:I do all sorts of networking related stuff and one of the few things I do often are server migrations. So eventually, there comes a time for me to copy a large amount of data from one server to another while maintaining the file permissions and structure. That’s where tar & ssh come into play. If I’m moving a users’ home directory from one server to another I usually use tar & ssh together via a pipe and let it copy off the files perfectly.

tar zcvf - jsmith | ssh "destinations IP" "cd /home/; tar zpxvf -"

Within seconds of the command starting off, you’ll be asked for the password for your ssh session. Then, the data will get flung across the network to the destination folder. Works great!

Verifying Apache Configuration:When adding additional Virtual Hosts to your Apache config file it’s nice to make sure they’ve been picked up correctly (or! that you’ve modified the right httpd.conf file!) A simple way of letting Apache tell you what it’s going to use is via the -t option.

httpd -t -D DUMP_VHOSTS

It parses the running configuration and dumps the virtual hosts a nice readable format. You can also use “DUMP_MODULES” to see a list of the modules it will use which can be useful for whether or not that database module is going to be loaded or not.

MySQL database dump:It never fails, when doing a migration you’re going to need to dump your databases from a MySQL DB into another DB on your newer system. If they’re the same version however you can run mysqldump w/ a couple command-line switches and then import them on the new server.

mysqldump -u root -p --databases "your DB here" > dbfilename.sql

After you’ve moved your database file to the new server you can then import it in via:

mysql -u root -p -D "your DB here" < /path/to/dbfilename.sql

Keep in mind, we’re assuming you’ve already created the database inside your new MySQL server and will assign it proper permissions so your end user can connect to it!

Just a couple quickies for today’s post.

As always, a couple useful links:

http://www.debuntu.org/how-to-create-a-mysql-database-and-set-privileges-to-a-user

http://www.webmasterworld.com/forum49/723.htm

http://dev.mysql.com/doc/refman/5.1/en/mysqldump.html

http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

This is the second part of my FTPES, vsftpd & CentOS article. In the first part I walked you thru how I built a certificate, sent the CSR off to my CA and finally, modified the vsftpd.conf file. In this part I’ll show you how to test the service via command-line so you can actually see the certificate and how to punch a hole thru your FW because the data part of your FTP session is now encrypted.

First, let’s talk about verifying the configuration. One of the obvious things you can do is open up a command prompt session and attempt to log into your ftp server. Once connected, does it accept an anonymous connection? Was that what you wanted? Also, was the plain jane ftp command allowing you to log in or did you get a 331 error, “Non-anonymous sessions must use encryption.” If you’ve configured it correctly it shouldn’t allow you to login at all. So how do you test it using encryption? By using openssl w/ s_client of course! Use…

openssl s_client -starttls ftp -connect yourserver.example.com:21

This will allow you to not only log into your server using encryption via command-line but also verify that you’ve got the proper certificate & certificate chain installed. I personally tried connecting w/ out the starttls option but wasn’t successful (instead I get a “SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol” error message. I beleive this is because I’m using vsftpd in explicit mode not impicit mode.) The openssl s_client command can also be used for a number of other encrypted services for debugging certificates which is extremely helpful!

So you’ve verified that FTPES does work on the local LAN but doesn’t seem to work thru your FW. This is where passive ftp comes into play because your FTP traffic is now encrypted and your FW can’t do an inspection to determine which port is going to be used next and open it up for you ahead of time. Most FWs come with some sort of FTP inspect feature but we just killed it because that data is totally encrypted now and it’s unable to sniff the FTP traffic and sense which port needs to be opened. You won’t have to turn on passive FTP because it’s on by default with vsftpd. You should specify the port range and I also turned on pasv_address too:

pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=yourserverhere.example.com
pasv_min_port=63000
pasv_max_port=65535

Once done, this will force your vsftpd server to use a port range of 63000 to 65535 for data connections. Alot of the commands I used above can be found w/in the man page for vsftpd.conf (along with their default values!)

Now you just need to open up that same range on your FW device (NOTE: Each FW is going to be different!) On my Cisco Adaptive Security appliance (ASA) I’m defining an object-group first for the port range like such:

object-group service ftp_passive tcp
  description ftp passive range
  port-object range 63000 65535

Then I use that port range in my outside ACL for inbound traffic like such:

access-list outside_access_in extended permit tcp any host YOUR_PUBLIC_IP object-group ftp_passive
.
.
.

Just be sure to use your public IP address for ‘YOUR_PUBLIC_IP’ in the above ACE. Now when it comes to ACL rules there’s tons of different ways to allow traffic so I won’t go into much more detail here other than how I punched a hole thru my FW to allow the encrypted vsftpd data channel traffic through.

That’s about it folks. Remember, if you’re having problems with your configuration, break it down into simple pieces and troubleshoot it that way versus trying to eat the entire problem at once!

-Q

Oh, almost forgot. Here’s a couple links that might be helpful!

http://en.wikipedia.org/wiki/Ftp
http://en.wikipedia.org/wiki/FTPES
http://it.toolbox.com/blogs/unix-sysadmin/troubleshooting-ssltls-mail-services-29266
http://www.wowtutorial.org/tutorial/26.html
http://vsftpd.beasts.org/
http://www.openssl.org/docs/apps/s_client.html
http://blogs.iis.net/robert_mcmurray/archive/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps.aspx

So, for some time now I’ve worked w/ HTTPS and SSL and have had no real issues. Today however, I finally got a chance to put multiple SSL sites on one IIS 6.0 server which wasn’t very intuitive. HTTPS is funny in that the host header data that a web server needs to have access to is encrypted and can’t be used until it’s decrypted. Course for it to decrypt the packet, it must know which certificate to use and very quickly we’ve got a circular issue. Long story short, web servers CAN host multiple SSL websites so long as the sites are variations of  <something>.example.com and you use an apporpriate wild card certificate that will cover all the different sites on your HTTPS web server (such as an SSL certificate issued to *.example.com to cover all of the variations of <something>.example.com.) Ya, I know, confusing.

So while I was applying my craft to a Windows Server 2003 R2 box running IIS 6.0 I quickly encountered an error when I tried to put another website on port 443. Error was, “Cannot register the URL prefix https://*:443/ for site ‘<your site identifier here>’. The necessary network binding may already be in use. The site has been deactivated.” I believe it was event ID 1007 in the event viewer system logs. God I love logs 🙂

Quick search on Google reveals you’ve got to go command-line for this one by executing cscript.exe like so:

cd C:\Inetpub\AdminScripts
cscript.exe adsutil.vbs set /w3svc/Identifier/SecureBindings ":443:host header"

.
.
.
.

You can find your site identifier inside of IIS for the site you’re trying to attach on port 443 and just use your site’s FQDN for the host header field.

See this link for a more thorough walk thru:
http://www.digicert.com/ssl-support/configure-iis-host-headers.htm

So I’m playing around w/ a SAN for home use. We’ve virtualized about 80% of our infrastructure at work but most of our VM hosts are standalone with local storage only. So, I’m spending a lot of time at home recently building a SAN on OpenSUSE 11.3 with high hopes of getting iSCSI to play nice. Part of this equation is getting another box to run vCenter Server which will need access to the iSCSI LUNs the VM hosts see.

Hence the title. Windows has a utility called Diskpart.exe which will allow you to turn off auto mount BEFORE you connect your Windows’ iSCSI initiator to your iSCSI target.

Open up a command prompt and type:

C:\Users\yournamehere>diskpart


Once you’re in the diskpart tool, type ‘automount’.

DISKPART> automount
Automatic mounting of new volumes enabled.

Then finally, ‘automount disable’.


DISKPART> automount disable
Automatic mounting of new volumes disabled.

This will keep your OS from trying to mount your iSCSI volume and mess with your VMFS partition!

Keep in mind, this means any new volumes your system sees will need to be mounted manually w/in the disk partitioning tool.

While you’re in there, type just a ‘?’ and see the whole list of commands you can play with. See the Microsoft KB article below for a more thorough introduction!

http://support.microsoft.com/kb/300415

I do a lot of virtualization both at home and at work. Several times I’ve needed a way to extend the activation period of Window 7 because I’m not done w/ a project.

Enter Windows Software Licensing Management Tool.

If you open up a command prompt by right clicking it and selecting, “Run as administrator” you can run the slmgr.vbs command such as…


C:\Users\yournamehere>slmgr /rearm


This can buy you some valuable time before you delete that VM and start on something else. This command ‘rearms’ the activation period and I believe you can do it for a total of 3 times before it stops working. Also, try adding a /? on the end to see a handy dialog box w/ the other available options.