Archive for February, 2007

Sys Admin 101

Tuesday, February 27th, 2007

I’ve been a tech now for about 8 years. That being said, my focus was being told to make something work, and I made it work. I didn’t have to worry if it was licensed because there was a wonderful supervisor/manager to worry about that.

I’ve not been saying too much because I hate to sound boastful, but I’ve been an IT manager now for about a month. I’ve signed on with a large machine shop in Madison, AL as their first IT employee and as IT manager, among other duties (www.falcianimachine.com). The network was set up by the bookkeeper a couple of years ago, and she has done a fine job, but now it’s time to go to the next level. It is a 2k3 domain, and everything is done on one server: DHCP, routing, file server, DNS, DC, … My questions are in the realm of licensing. I hold in my hand CALs that have been purchased that correspond to the number of licenses that seem to show in the Licensing MMC on the server, but something looks like it is wrong, and I don’t have the MS licensing experience to pull it all together, and I have been drowning in TechNet and the MS Knowledge Base. Let me post the screen caps and someone please tell me if something is licensed wrong. It looks to me like it is.

[Images: three screenshots captioned "Kevin's Licensing Screenshots"]

Linux: Web Proxy project

Sunday, February 25th, 2007

Originally posted at techsays.com on February 25th, 2007.

As you might have read from an earlier post, I’ve been given the task of building a Proxy server and an Anti-Spam/Anti-Virus server for a client.

I haven’t picked a software application for the mail portion of this server, but I’m going to be using Squid for proxying web traffic. I’m also going to use Sarg to parse the Squid logs and make pretty graphs for me.

So let’s get right to it.

Squid Configuration
Here’s my Squid configuration template that I use:

cat /etc/squid/squid.conf

# /etc/squid/squid.conf

# To find what these entries mean, see /etc/squid/squid.conf.original

http_port 3128
# visible_hostname sub.domain.local

log_ip_on_direct off
log_fqdn on

error_directory /etc/squid/errors
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# This entry means that by invoking squid -k rotate, the logfiles
# will get rotated. Remove the logrotate.d/squid file and call
# squid -k rotate after the sarg.monthly job
logfile_rotate 1

# These are default values from the original squid.conf file
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#----------[ ACCESS LISTS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

# acl GROUP1_SRC src 1.1.1.102 # Chris

# acl GROUP2_SRC src 1.1.1.102 # Chris
# acl GROUP2_DST dstdomain .google.com # Give only group2 access to Google

#----------[ SPYWARE
acl SPYWARE_LIST_1 dstdomain "/etc/squid/spyware_list_1.txt"
acl SPYWARE_LIST_2 dstdomain "/etc/squid/spyware_list_2.txt"

#----------[ ALLOWED DOMAINS
acl ALLOWED_LIST_1 dstdomain "/etc/squid/allowed_domains.acl"

#----------[ ALLOWED PORTS
acl ssl_ports port 443
acl safe_ports port 80
acl purge method PURGE
acl CONNECT method CONNECT
no_cache deny all

#----------[ ALLOW/DENY LIST
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow localhost

#----------[ SPECIAL ALLOWS
# Block all access from this source
#http_access deny GROUP1_SRC all

# Normal allow lists
#http_access allow GROUP2_SRC GROUP2_DST
#http_access deny GROUP2_SRC all

# Allow everyone else access to whitelisted sites
#http_access allow ALLOWED_LIST_1

#----------[ DENY
# Deny everyone access to these sites

# This list is updated by a script that runs every night
http_access deny SPYWARE_LIST_1

# This list is updated manually by me
http_access deny SPYWARE_LIST_2

# Show these error messages
deny_info ERR_SPYWARE_ACCESS_DENIED SPYWARE_LIST_1
deny_info ERR_SPYWARE_ACCESS_DENIED SPYWARE_LIST_2

#----------[ DEFAULT ALLOW
# If you weren't blocked, then you're allowed out

http_access allow all
icp_access allow all

#----------[ MISC SETTINGS
coredump_dir /var/spool/squid
cache_mgr root
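To see how the ordering of the http_access lines above actually decides a request, here is an added evaluator (example code written for this page, not part of Squid or the original post) that implements Squid's first-match, ANDed-per-line semantics for the template's rules; the spyware entries and client addresses are constructed samples.

```python
"""Evaluate the template's http_access rules with Squid's matching semantics.

Rules are checked top to bottom; the ACL names on one line are ANDed;
"!" negates an ACL; the first line whose ACLs all match decides; if no
line matches, the opposite of the last line's action applies.  Only the
ACL types the template uses are modelled (src, proto, method, port, dstdomain).
"""
import ipaddress

# ACL definitions copied from the template. The spyware list is given inline
# (constructed sample entries) instead of being read from the file.
ACLS = {
    "all":        ("src", ["0.0.0.0/0.0.0.0"]),
    "manager":    ("proto", ["cache_object"]),
    "localhost":  ("src", ["127.0.0.1/255.255.255.255"]),
    "purge":      ("method", ["PURGE"]),
    "CONNECT":    ("method", ["CONNECT"]),
    "ssl_ports":  ("port", [443]),
    "safe_ports": ("port", [80]),
    "SPYWARE_LIST_1": ("dstdomain", ["ads.example.com", ".tracker.example.net"]),
}

# The http_access lines, in the template's order (commented-out ones omitted).
RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["purge", "localhost"]),
    ("deny",  ["purge"]),
    ("deny",  ["!safe_ports"]),
    ("deny",  ["CONNECT", "!ssl_ports"]),
    ("allow", ["localhost"]),
    ("deny",  ["SPYWARE_LIST_1"]),
    ("allow", ["all"]),
]

def domain_matches(pattern, host):
    """dstdomain: ".example.net" matches example.net and every subdomain;
    a pattern without a leading dot matches that exact host only."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, req, acls):
    kind, values = acls[name]
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v) for v in values)
    if kind == "proto":
        return req["proto"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "port":
        return req["port"] in values
    if kind == "dstdomain":
        return any(domain_matches(v, req["host"].lower()) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(req, acls=ACLS, rules=RULES):
    """Return 'allow' or 'deny' for a request dict built by request()."""
    action = "allow"
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(term.lstrip("!"), req, acls) == negate:
                break                # this ACL failed, so the line doesn't match
        else:
            return action            # every ACL on the line matched
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

def request(src, method="GET", host="www.example.org", port=80, proto="http"):
    return {"src": src, "method": method, "host": host, "port": port, "proto": proto}

if __name__ == "__main__":
    for r in (request("10.0.0.5"), request("10.0.0.5", host="ads.example.com"),
              request("10.0.0.5", method="CONNECT", host="mail.example.org", port=443)):
        print(r["method"], r["host"], r["port"], "->", http_access(r))
```

Because safe_ports lists only port 80, the evaluator returns deny for a CONNECT to port 443: the `deny !safe_ports` line matches before `deny CONNECT !ssl_ports` is ever reached, so add 443 to safe_ports if HTTPS is meant to pass through this proxy.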

Blocking malicious sites
The purpose of SPYWARE_LIST_1 and 2 is to automatically block bad sites that the MVPS group finds. They provide a list of malicious sites that they find and create a HOSTS file for Windows that you can import to protect yourself. I’ve taken that list and written a parser that turns it into something Squid can use.

The difference between list 1 and list 2 is that list 1 is overwritten daily by the MVPS file and list 2 is manually updated by me. That way I can add custom hosts to block that I know will always be blocked.

The MVPS list is very similar to AdBlock for Firefox. If you visit a site that has a lot of advertisements, with AdBlock you can pick these advertisement sites out of the list to block. With my MVPS list, I don’t have to worry about keeping up with distributing these lists to all of my users running Firefox and, with the list being on the proxy, it also applies to the users running Internet Explorer, obviously.

I wrote a custom error message for the sites that get blocked by my spyware lists which simply consists of a bunch of blank lines. Without my custom error message, the blocked elements of a site will contain the Squid error message and with poorly written sites that don’t specify table sizes, the error message can take up a lot more space than the advertisement did. All you’ll see with my error message is a blank spot on the page. There are probably more elegant ways to pull this off, but I’ve been running my stuff this way for at least 2 years with no problems.

Thanks to Luke from http://terminally-incoherent.com/blog/ my snippet below actually looks like HTML code.

cat /etc/squid/errors/ERR_SPYWARE_ACCESS_DENIED

<html>
<head>
<title> </title>
</head>
<body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
</body>
</html>

The script that I use to download and parse the MVPS hosts file:

cat bin/update_spyware_rules.sh

#!/bin/bash

#----------[ Changelog
# Created 2007.02.18 by Chris Davis

#----------[ Notes
# Here is the cronjob for this script
# Make sure the cronjob script is executable
# cat /etc/cron.d/update_spyware_rules
# 1 2 * * * root /home/user/bin/update_spyware_rules.sh

#----------[ Variables
# The nightly job feeds SPYWARE_LIST_1 (the auto-updated list in squid.conf);
# spyware_list_2.txt is the hand-maintained list and is never touched here.
URL1=http://everythingisnt.com/hosts
URL2=http://www.mvps.org/winhelp2002/hosts.txt
SPYWARE_DIR=/home/user/spyware
TEMP_SPYWARE_LIST_1=$SPYWARE_DIR/temp_spyware_list_1.txt
SPYWARE_LIST_1=$SPYWARE_DIR/spyware_list_1.txt
SQUID_SPYWARE_LIST_1=/etc/squid/spyware_list_1.txt
EMAIL_THIS=$SPYWARE_DIR/email_this.txt
ADMIN_EMAIL=user@domain.local

#----------[ Script
# If the spyware directory doesn't exist, create it.
if [ ! -d "$SPYWARE_DIR" ]
then mkdir -p "$SPYWARE_DIR"
fi

# Download the MVPS HOSTS file. Stop here if the download fails so a
# failed fetch can't replace the working list with an empty file.
if ! wget -q "$URL2" -O "$TEMP_SPYWARE_LIST_1"
then
    echo "Download of $URL2 failed; Squid list left unchanged" | mail -s "SQUID update failed" "$ADMIN_EMAIL"
    exit 1
fi

# Parse the newly downloaded file to work with Squid: keep the
# "127.0.0.1 hostname" lines, strip the address (spaces or tabs),
# then drop the localhost entry and any trailing "# comment".
grep '^127\.0\.0\.1' "$TEMP_SPYWARE_LIST_1" | sed 's/^127\.0\.0\.1[[:space:]]*//' > "$SPYWARE_LIST_1"
grep -v localhost "$SPYWARE_LIST_1" | cut -d '#' -f 1 | sed 's/[[:space:]]*$//' > "$SQUID_SPYWARE_LIST_1"

# Get a few stats about the new file and email them to the admin
wc -l "$SPYWARE_LIST_1" > "$EMAIL_THIS"
echo "---- " >> "$EMAIL_THIS"
ls -lt /etc/squid >> "$EMAIL_THIS"
mail -s SQUID "$ADMIN_EMAIL" < "$EMAIL_THIS"

# Reload Squid to load the new files
/etc/init.d/squid reload

If you don’t have the mail command, you can find it in the Debian mailx package.
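The conversion the script does with grep, sed and cut, rewritten as an added standalone parser (example code for this page, not the post's script) that also handles the cases the one-liners miss: tab-separated entries, the 0.0.0.0 form, mixed case, duplicates, and tokens that are not hostnames. The sample HOSTS text is constructed.

```python
"""Convert an MVPS-style HOSTS file into a Squid dstdomain list.

Squid's dstdomain ACL reads one hostname per line from the file, so
anything that is not a clean hostname (comments, the localhost entry,
malformed tokens) has to be filtered out before the list is loaded.
"""
import re

# Constructed sample in the MVPS HOSTS layout (not the real file).
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:   #
127.0.0.1  localhost
127.0.0.1\tads.example.com   # [Example Ads]
0.0.0.0 tracker.example.net
127.0.0.1 Ads.Example.COM
127.0.0.1 broken host name
127.0.0.1 bad_chars!.example
::1 localhost
"""

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def hosts_to_dstdomain(text):
    """Return a sorted, de-duplicated hostname list for
    acl NAME dstdomain "/path/to/file"."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        fields = line.split()                    # spaces or tabs, any number
        if fields[0] not in SINK_ADDRESSES or len(fields) != 2:
            continue                             # not a "sink-address hostname" entry
        host = fields[1].lower().rstrip(".")
        if host in ("localhost", "localhost.localdomain"):
            continue                             # never block the box itself
        if not HOSTNAME_RE.match(host):
            continue                             # junk token, Squid would choke on it
        domains.add(host)
    return sorted(domains)

def write_dstdomain_file(text, path):
    """Write the list one entry per line and return how many were written."""
    entries = hosts_to_dstdomain(text)
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)

if __name__ == "__main__":
    for domain in hosts_to_dstdomain(SAMPLE_HOSTS):
        print(domain)
```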

Now that Squid is installed and configured, we need a way to create pretty HTML reports from the logs. I use a script called Sarg for this task.

I installed Sarg using Debian’s package management system so all of my files ended up in /etc/squid/. You’ll also need to manually download and edit the sarg-reports file here: http://www.initzero.it/products/opensource/sarg-reports/download/sarg-reports

Read the file for instructions on how to set everything up, including the cron job.

There are four jobs that are going to run: today, daily, weekly, and monthly.
The Today job runs every hour from 8am to 6pm. This keeps your Squid reports updated every hour.
The Daily job runs at midnight of every day.
The Weekly job runs on the first hour of the first day of every week.
The Monthly job runs on the 30th minute of the second hour of the first day of every month.

Since you’re going to be processing monthly reports, it is very important to update your log rotation schedule to NOT rotate the logs on a daily basis.

After you edit the sarg-reports script, which I keep in /etc/squid with the rest of the squid files, you’ll need to edit the /etc/logrotate.d/squid file. Basically, I comment out everything in the logrotate.d/squid file. This way, an apt-get update won’t create the file without telling me, thus messing up my sarg logfile rotation. Debian’s apt-get is good about telling me when a conf file is about to be updated so by commenting out the contents of the file, I’m pretty sure that I’ll be notified if the file is ever updated.

I add the squid -k rotate job at the end of the monthly report creation to make sure the logs are rotated immediately afterwards.

grep sarg /etc/crontab

00 08-18/1 * * * root /etc/squid/sarg-reports today
00 00 * * * root /etc/squid/sarg-reports daily
00 01 * * 1 root /etc/squid/sarg-reports weekly
30 02 1 * * root /etc/squid/sarg-reports monthly && squid -k rotate

And you’re done. The only step left to do is to reconfigure your browser (I highly recommend SwitchProxy for Firefox) to use your new proxy.

[EDIT]

Oh yeah, I forgot to include the Webmin part of this. If you read the SoW that Jeff originally sent me, then you’ll know that they want to have control over what gets blocked and what doesn’t.

So I installed Webmin and the webmin packages for postfix and sarg. I don’t have access to a Linux box right now but if you search for them you’ll find them.

apt-cache search webmin postfix; apt-cache search webmin sarg

I just followed the defaults to install them.

The cool thing about Webmin is that you don’t need Apache to use it (for those that don’t want to run unnecessary services on your servers).

I had to edit the /etc/webmin/miniserv.conf file to give my IP access to the GUI. After editing the file make sure you restart Webmin using /etc/init.d/webmin restart.

And that’s literally it. I didn’t need to edit anything to make Webmin recognize my spyware config files. If you click on one of the filenames, Webmin opens its own text editor and lets you edit the files directly. Perfect for what the client needs.

Webmin is not pretty (by default, there are a lot of themes for it) but it definitely gets the job done.

[/EDIT]

Linux: Hold Music Server

Sunday, February 25th, 2007

Originally posted at techsays.com on February 25th, 2007.

At work we have a rack mounted CD player that we’ve used for years to play music for people that get placed on hold.

In order to not burn up the thing, every morning we have to turn it on, wait for it to initialize, press play, wait for it to start playing, and then press repeat twice. Oh yeah, it’s mounted on the very bottom of a rack in the back of the data center. Every night we have to turn it off.

Since I just built a server for a client, I was in the mood to fix this small problem at work. I checked our existing servers to see if they had sound cards and not a single one does. We just replaced all of the client workstations at two of our remote locations and one of the systems we replaced, if you can believe it, was an OLD Optiplex GX100. I can’t believe the user of this workstation wasn’t complaining every single day about this thing. It’s OLD and SLOW! Perfect for an mp3 server.

After installing Debian on it I was off to find an mp3 daemon. I finally settled on MPD as the backend and ncmpc, and mpc as front ends.

When installing the software, I used the command (taking the defaults):

apt-get install mpd ncmpc mpc

I looked at a few of the web frontends but I couldn’t find any that I really liked. I didn’t look at Ampache, but I did try phpMp2 and couldn’t get it to create playlists without creating duplicates or just not working at all.

I don’t rip a lot of CDs so I just used Windows Media Player to rip the CDs into mp3 format. I don’t have any problems with the player as a video player or mp3 ripper, but I don’t care for it at all when put to the task of playing music. Winamp and Foobar both do a much better job of it.

After ripping the music, I SCP’d it to my home directory and moved it to /usr/share/mpd/music/.

I didn’t really spend the time to learn how to create playlists and such. Instead, I used a set of commands I found on some website:

mpc search artist elvis | mpc add -; mpc play

That works great, as long as you use id3 tags when ripping your music.

And finally, I wanted to make sure that music started playing automatically if the server was ever rebooted.

I wrote a small script and put it in /etc/init.d.

cat /etc/init.d/mpc.sh

#!/bin/bash
# update-rc.d "defaults" also links this script into the shutdown runlevels,
# where it is called with "stop"; only (re)start playback on anything else.
if [ "$1" = "stop" ]; then mpc stop; exit 0; fi
mpc clear
mpc search artist elvis | mpc add -
mpc play

I made sure to make the script executable with

chmod +x /etc/init.d/mpc.sh

And finally, with Debian, I made sure to create the symlinks in /etc/rc2.d:

update-rc.d mpc.sh defaults

Now I have a server that will play hold music for us automatically.

Linux: Running a program at boot in Debian

Sunday, February 25th, 2007

Originally posted at techsays.com on February 25th, 2007.

Twice in the past week I’ve needed to start a script automatically if the server was ever rebooted.

I haven’t had to do that in quite a while so I had to look it up.

Lucky for me, a user of the JustLinux forums already answered the question for someone else. Except instead of just answering his question with a simple answer, he supplied a well written howto with great examples.

You can find his post here: http://justlinux.com/forum/showthread.php?t=40831

And if you know me, I don’t like relying on remote websites to have the information when I need it years from now. I like pulling the information down so if JustLinux crashes next month, I’ll still know how to do this.

Craig McPherson
01-11-2001, 11:31 PM
Alternate, more “standard” solutions:

If you want to run SSHD from your inetd server rather than as a standalone server (this is a good way to save memory if you’ll be accepting SSH connections only occasionally — the daemon is only started when a connection comes in, which makes the connection take a split second longer to establish, but saves memory when there’s no active SSH connection), just add an entry for it to your inetd configuration file.

For the standard inetd, in your inetd.conf:

ssh stream tcp nowait root /usr/sbin/sshd

(Adjust path accordingly, make sure “ssh” is in your /etc/services)

For xinetd, which cool people use, in your xinetd.conf:

service ssh
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/sshd
}

Restart your inetd program after changing its configuration file.

The ssh program on my system claimed it needed to be passed the “-i” flag to be run from inetd, but that wasn’t my experience. If it’s required with your version of ssh, just add -i to the inetd.conf, or the line “server_args = -i” to your xinetd.conf.

If you want to run your sshd as a standalone daemon, you should make an init script for it in /etc/init.d. A very simple /etc/init.d/ssh could be just this:

#!/bin/sh
/usr/sbin/sshd&

Of course, if you were going to do something that simple, you might as well just call your init script “/etc/init.d/local”, and add any other commands that you want run at bootup to it.

Then you just go to the init directory for the runlevel you boot into (check /etc/inittab for this), ie /etc/rc2.d for runlevel 2. Now create a symlink there pointing to your init script, and call it something like “S90local” or “S90ssh”. It has to start with a capital S, and the number following that determines when during the boot process the script should be run.

A more complex init script would be something like this, from the Debian SSH package:

#! /bin/sh

# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon

test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

# forget it if we're trying to start, and /etc/ssh/NOSERVER exists
if expr "$1" : '.*start$' >/dev/null && [ -e /etc/ssh/NOSERVER ]; then
    echo "Not starting OpenBSD Secure Shell server (/etc/ssh/NOSERVER)"
    exit 0
fi

# Configurable options:

case "$1" in
  start)
    test -f /etc/ssh/sshd_not_to_be_run && exit 0
    echo -n "Starting OpenBSD Secure Shell server: sshd"
    start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
    echo "."
    ;;
  stop)
    echo -n "Stopping OpenBSD Secure Shell server: sshd"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
    echo "."
    ;;

  reload|force-reload)
    echo -n "Reloading OpenBSD Secure Shell server's configuration"
    start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
    echo "."
    ;;

  restart)
    echo -n "Restarting OpenBSD Secure Shell server: sshd"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
    sleep 10
    start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd
    echo "."
    ;;

  *)
    echo "Usage: /etc/init.d/ssh {start|stop|reload|force-reload|restart}"
    exit 1
esac

exit 0

Then symlink it as before.

Anyway, what you did broke a number of Linux and Unix standards. The Linux Standards Base people aren’t going to come to your door with a gun, but you might run into problems down the line.

1. Symlinks in the various rc boot directories (rc.boot, rcS.d, rc0-6.d) can’t point directly to binaries. They have to point to scripts, which generally in turn start binaries. Of course, nothing will break if you do this but it violates the standards.

2. You shouldn’t use rc.boot. I believe its use is deprecated and is only for backwards compatibility while programs finish switching over to the standards. rc.boot will probably be removed at some point. Use the normal runlevel rc directories (rc2.d through rc5.d) for normal stuff, rcS.d for stuff that will be started in EVERY runlevel, even single user mode (stuff like SSH should NOT start in single user mode), rc0.d and rc6.d should be used for stuff that needs to be run when shutting down or rebooting.

Clear enough?


GPRS Data Speeds with the MacBook

Friday, February 23rd, 2007

Originally posted at cocoacrusty.com on February 22nd, 2007.

I recently posted an entry titled “Using a Nokia E61 for internet Access in OS X” that discussed, you’ll never guess, how I got my Nokia E61 working with my Apple MacBook for Internet access when no WLAN or LAN is available.

I think the combination of the Bluetooth® phone and the MacBook works pretty well. I mean, think about it, this isn’t your primary Internet connection. When you’re out and about and need access to something on the Internet like e-mail, directions to a location, etc., it works great. Of course, with my phone, I can access this type of information directly from the Symbian OS based web browser, but when you want to sit down and use something a little more comfortable and familiar, this setup is more acceptable.

So, I did some preliminary testing of the data speeds using Speakeasy’s Speedtest site to see what kinds of speeds I am getting when using my phone as a modem with my MacBook. I figured this information would come in handy for anyone looking to use their phone in a similar fashion. It will also help you decide if the speeds are enough to warrant the extra money you’ll be forking out each month for an unlimited data plan with your cellular carrier.

Also, keep in mind that these data speeds are based on the cellular service here in the greater Texarkana area. Your performance will vary based on the coverage available in your area and the compression and speed options available through your carrier. Here comes the data:

Downstream   Upstream
91 kbps      48 kbps
148 kbps     78 kbps
164 kbps     88 kbps
93 kbps      88 kbps
85 kbps      88 kbps

As you can see, based on the testing that I did today from the house during lunch, I averaged 116.2 kilobytes per second down and 78 kilobytes per second up. That’s not too bad. It’s better than dial-up. It’s pretty close to a bonded ISDN line. However, when I was working at that client site the other night, which is located in the center of Texarkana right off of the Interstate, I had downstream speeds up to 212 kbps and upstream speeds nearing 114 kbps.

I think it is all going to depend on where you are in relation to the cell towers, what type of equipment you have around you that might be interfering with the Bluetooth® connection and the cellular reception, where your phone is located in relation to your laptop, and what type of data quality your carrier provides.

As for me, this will be a great alternative for accessing the Internet when a decent broadband connection is not available. I also look forward to using this type of connection in hotels when traveling. You don’t know how many times I have tried to get a hotel’s “free wireless Internet” service to work and have been unsuccessful, left with no connection to the digital extension of myself that is the Internet. I have to stay connected!

Until next time…

Using a Nokia E61 for Internet Access in OS X

Wednesday, February 21st, 2007

Originally posted at cocoacrusty.com on February 21st, 2007.

Last night, while working at a client site, I started messing around with my Nokia E61 and my MacBook so I could get Internet access while working at the client’s office without having to jack in to their local network. My phone and laptop are both Bluetooth® enabled so I figured why not give it a shot.

I did some quick research and found that it would be extremely easy to set this up within Mac OS X. When I first paired my phone with my MacBook I remembered it asking me if I wanted to use my phone for Internet access. At the time I said no but last night I kind of changed my mind.

The first and last site I stumbled upon was Ross Barkman’s home page. This site has a number of mobile phone scripts available for use within the Internet Connect software but I was unable to get any of those to work in my situation. I used the built-in Nokia Infrared script and it worked like a champ. I did use a section of Ross’ site, located here, that has a lot of information for different carriers in multiple countries for the connection settings to use when logging on to the Internet through my cell phone’s GPRS connection.

If you’re using a newer Bluetooth® enabled phone and want to set it up as a modem for your Mac laptop or other machine, I say just give it a try. Find your carrier’s information in the link provided above, or here, and go for it! I think you’ll be impressed with how easy and painless the setup is within Mac OS X.

Until next time…

lost local admin passwords lately?

Monday, February 19th, 2007

I found a machine in my organization a few days ago that never received the local admin password that is standard in my organization after taking it off the domain. I panicked a little then went to the Google altar to save my tail. The computer was very important to the business process. Here is what Google turned up for me: http://home.eunet.no/pnordahl/ntpasswd/. Nice little ethical (or non-ethical) hacking tool if I ever did see one. Enjoy.

Windows Vista Running in Parallels Desktop

Sunday, February 18th, 2007

Originally posted at cocoacrusty.com on Sunday, February 18th, 2007.

Last night, while playing World of Warcraft, I installed the latest version of Microsoft’s Windows operating system, Windows Vista Ultimate. Since I am a Mac “fanboy” now, I installed Vista on my MacBook using Parallels Desktop for Mac. Running the latest and greatest offering in the Windows realm on a virtual machine (VM) may seem crazy, but let me tell you, it runs great!

In order to install Vista in a VM on my Mac, I had to first install Windows XP because the version I have of Vista Ultimate is an upgrade version. The Vista installer has to be run from within the operating system you are upgrading. No more booting to the upgrade CD, showing it a full version CD and giving it a product key. Now it has to be installed from within the OS you’re upgrading. Oh, well. I installed another licensed version of Windows XP into a VM and as soon as the install was completed, popped the Vista DVD in and was on my way.

When installing Vista, make sure you have at least 16GB of disk space available for the OS to install itself and some room left over for installing applications and patches/updates. It is pretty beefy, but overall the install went very smoothly. I was impressed that the OS installed so painlessly in Parallels. Nice!

So, now to do some testing. I have little experience with Vista at this point and since it is the latest and greatest from Microsoft, I figure I should become familiar with it. You never know, Windows XP could be EOL‘d tomorrow and everyone would be forced to move to Vista or never receive another update for their OS. It has happened before, it could happen tomorrow, I’m just saying…

Again, while my experience with Vista is limited, I can tell you this about running Vista in a VM with Parallels: No Fancy 3D Eye Candy. All of the really nifty, 3D, Mac-like features Vista includes require DirectX 9.0 or greater. Either Parallels doesn’t have support for it or the video card in my MacBook can’t get down like that. Either way, the OS looks great and I am only missing eye candy, which I already get plenty of from my Mac. Everything else appears to work flawlessly.

Until next time…

Reverse Engineering Mentoring

Saturday, February 17th, 2007

http://scratchpad.wikia.com/wiki/Reverse_Engineering_Mentoring

Wow, this is very cool!

Didier Stevens has started a mentoring program to teach newbies how to reverse engineer software. The instructions are very well written and very easy to follow.

If you’re interested in RE, then this is a great place to start.

HOWTO: Investigating Windows Machines

Saturday, February 17th, 2007

I found this on one of my “must-read” blogs, A Day in the Life of an Information Security Investigator.

This particular entry is about an article from Redmond themselves describing the methods for doing forensics on Windows machines.

I haven’t read though it, yet, but if SecurityMonkey thinks it’s good enough for his site, then I’m definitely going to post it here.

And you can find his article here.