Archive for the ‘How To’ Category

Tip: Extending the power of your Management Console

Wednesday, June 6th, 2007

I use the MMC for various system management jobs but I’ve never thought about blogging about it. It’s just one of those things that I’ve never given a second thought.

Rob, from confessions of a freeware junkie, posted about how he has his setup. I have to say, his looks a lot more useful than the one I created.

http://maximillianx.blogspot.com/…-extending-power-of-your-management.html

One thing I do differently than Rob is that I launch the entire MMC with my domain admin credentials. This is what the Target: field of my shortcut looks like:

C:\WINDOWS\system32\runas.exe /user:domain\my-admin-acct "mmc C:\Chris\Microsoft Management Consoles\Domain Management.msc"

Note: If you want to save your password so you don’t have to type it in every time you launch the MMC, add /savecred right after /user:domain\my-admin-acct.

Also, in order to add Active Directory Users and Computers, you’ll need the Windows Server 2003 Administration Tools Pack available here:
http://www.microsoft.com/downloads/…

While you’re at his site, take a look around. I monitor his RSS feed on Bloglines and he’s always posting cool stuff.

How to Configure Automatic Printer Driver Download by Integrating CUPS and SAMBA

Wednesday, May 23rd, 2007

This is for you SAMBA people out there.

http://www.novell.com/coolsolutions/feature/18850.html

Firefox Quicksearches + Google Keywords = Sick Power

Monday, May 7th, 2007

Original articles:

http://dmiessler.com/archives/1315
http://dmiessler.com/archives/176

Maybe I’m alone here, but I had no clue about Firefox’s quicksearch ability. Apparently, just by typing ‘g keyword’ in the URL bar, you’ll automatically search Google.

Back in 2005 Daniel Miessler expanded this feature by configuring FF to also search MSN and Technorati, which are also both very cool.

Well, now Google has added the ability to use command-line switches in their search feature, such as /img to search images, /maps to search Google’s maps, /groups to search Google’s newsgroups database, and so on.

You can find a great explanation for all the search functions here: http://projects.felipc.com/gcl/

To quote Daniel’s 2005 post, this is how you configure FF to also search MSN and Technorati:

1. Create a new bookmark in Firefox.
2. For the URL, add the text below for MSN:
"http://search.msn.com/results.aspx?q=%s&FORM=QBRE"
3. For the prefix, add “m” (or whatever you want to use).
4. Create another bookmark.
5. Add this for the URL:
"http://www.technorati.com/cosmos/search.html?rank=&url=%s"
6. Use “t” for the prefix (or whatever you want to use).

Thanks, Daniel, for bringing this to my attention. I can see myself using this ALL the time.

Windows: netsh

Thursday, May 3rd, 2007

Later on I might create one big entry with my little Windows shortcuts, but for now I’m always wishing I had written these instructions down.

For the original article by Jeff, click here: http://www.averageadmins.com/blogentry.php?id=61

For now, I’m going to keep it simple and just add the two commands that, if you want, can be easily changed to match your situation.

netsh interface ip set address local static 192.168.1.254 255.255.255.0 192.168.1.1 1
netsh interface ip set dns local static 192.168.1.1

For a DHCP-enabled interface:

netsh interface ip set address local dhcp

Other resources include:
http://support.microsoft.com/?kbid=242468
http://www.microsoft.com/resources/…

Making a book from a blog

Wednesday, May 2nd, 2007

Here’s the deal…my wife and I have maintained a site (blog) for my son since he was born. Now that he just turned a year old, I would like to go back and make a book out of the first year’s worth of posts. I would like an actual hard bound book, capable of having pictures.

I found a piece of software called BookSmart, made by the folks from Blurb. It looks like it might do what I want, but it has a limited number of templates and options. It does however have support for “Slurping”…basically if your blog is hosted at Wordpress.com, or a few other blogsites, it will go out and pull down all the posts/comments and automatically (if you choose) populate the book for you. However in practice, this didn’t work quite so well. I temporarily made a copy of our blog at Wordpress.com just for this feature. It ended up only getting the first couple months of posts, and no comments.

I have been looking for other options to do what I want, and the only other thing I have found is some Mac software (iLife I believe)…but alas, I don’t have a Mac.

Has anybody else done this, or heard of it being done? I wouldn’t be opposed to manually copying all the posts/comments myself if I HAVE to, but that would be a lot of work…and there may be a better option.

Installing Metasploit on Mac OS X

Wednesday, April 18th, 2007

Originally posted at cocoacrusty.com on Monday, April 16th, 2007.

I have known about the Metasploit framework for quite some time but have never really known how to use it or taken the time to learn. Recently, Chris inspired me to try it by showing me a movie explaining how to exploit a vulnerability in Microsoft Windows related to the .ANI Header Stack Overflow Vulnerability (more on this in my next post).

Before I could begin working with this nifty little exploit in Metasploit I had to get the framework installed on my MacBook. Metasploit is a suite of Ruby scripts and will run on virtually any Unix-based operating system and on Windows (with some minor tweaking). I checked MacPorts for Metasploit and it was available as a port install, but the latest version in the ports tree was 2.7. I needed at least version 3.0, and later determined I needed a development version, 3.1, from the trunk to get the exploit I was after.

The first thing I did was upgrade my Subversion client on Mac OS X. I got the universal binary from here and installing and upgrading my Subversion was pretty painless. It installed like most other Mac applications from a package.


P0wned by a QT movie

Monday, March 12th, 2007

This is from another one of my favorite blogs: Didier Stevens.

I found this entry enjoyable because it’s yet another one of those “Owned by MySpace” posts. It’s also really well written and very easy to follow (even for a newcomer).

Here’s a link to the blog entry:
http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/

Embedding JavaScript inside a Quicktime movie is nothing new as GNUCitizen discussed back in September but it’s good to actually see that in the wild.

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw

Wednesday, March 7th, 2007

I haven’t read all of this yet, but it looks like an awesome article describing the research involved in finding the vulnerabilities and in writing the exploit code.

http://isc.sans.org/diary.html?storyid=2375

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw
Published: 2007-03-07,
Last Updated: 2007-03-07 13:35:22 UTC
by Arrigo Triulzi (Version: 1)
Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged in two parts his work in turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the “easy bit”, that is to say how to turn the vulnerability into a denial-of-service attack whereas the second part discusses how to exploit it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of the packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute. The final result is that he runs calc.exe from Snort.

Linux: Web Proxy project

Sunday, February 25th, 2007

Originally posted at techsays.com on February 25th, 2007.

As you might have read from an earlier post, I’ve been given the task of building a Proxy server and an Anti-Spam/Anti-Virus server for a client.

I haven’t picked a software application for the mail portion of this server, but I’m going to be using Squid for proxying web traffic. I’m also going to use Sarg to parse the Squid logs and make pretty graphs for me.

So let’s get right to it.

Squid Configuration
Here’s my Squid configuration template that I use:

cat /etc/squid/squid.conf

# /etc/squid/squid.conf

# To find what these entries mean, see /etc/squid/squid.conf.original

http_port 3128
# visible_hostname sub.domain.local

log_ip_on_direct off
log_fqdn on

error_directory /etc/squid/errors
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# This entry means that by invoking squid -k rotate, the logfiles
# will get rotated. Remove the logrotate.d/squid file and call
# squid -k rotate after the sarg.monthly job
logfile_rotate 1

# These are default values from the original squid.conf file
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#----------[ ACCESS LISTS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

# acl GROUP1_SRC src 1.1.1.102 # Chris

# acl GROUP2_SRC src 1.1.1.102 # Chris
# acl GROUP2_DST dstdomain .google.com # Give only group2 access to Google

#----------[ SPYWARE
acl SPYWARE_LIST_1 dstdomain "/etc/squid/spyware_list_1.txt"
acl SPYWARE_LIST_2 dstdomain "/etc/squid/spyware_list_2.txt"

#----------[ ALLOWED DOMAINS
acl ALLOWED_LIST_1 dstdomain "/etc/squid/allowed_domains.acl"

#----------[ ALLOWED PORTS
acl ssl_ports port 443
# 443 has to be in safe_ports as well: the "deny !safe_ports" rule below is
# evaluated before the CONNECT rule, so with only port 80 here HTTPS through
# the proxy would be refused before the ssl_ports check is ever reached
acl safe_ports port 80 443
acl purge method PURGE
acl CONNECT method CONNECT
no_cache deny all

#----------[ ALLOW/DENY LIST
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow localhost

#----------[ SPECIAL ALLOWS
# Block all access from this source
#http_access deny GROUP1_SRC all

# Normal allow lists
#http_access allow GROUP2_SRC GROUP2_DST
#http_access deny GROUP2_SRC all

# Allow everyone else access to whitelisted sites
#http_access allow ALLOWED_LIST_1

#----------[ DENY
# Deny everyone access to these sites

# This list is updated by a script that runs every night
http_access deny SPYWARE_LIST_1

# This list is updated manually by me
http_access deny SPYWARE_LIST_2

# Show these error messages
deny_info ERR_SPYWARE_ACCESS_DENIED SPYWARE_LIST_1
deny_info ERR_SPYWARE_ACCESS_DENIED SPYWARE_LIST_2

#----------[ DEFAULT ALLOW
# If you weren't blocked, then you're allowed out

http_access allow all
icp_access allow all

#----------[ MISC SETTINGS
coredump_dir /var/spool/squid
cache_mgr root

Blocking malicious sites
SPYWARE_LIST_1 and SPYWARE_LIST_2 exist to automatically block the bad sites that the MVPS group finds. They publish the malicious sites they find as a HOSTS file for Windows that you can import to protect yourself. I’ve taken that list and written a parser that turns it into something Squid can use.

The difference between list 1 and list 2 is that list 1 is overwritten daily by the MVPS file and list 2 is manually updated by me. That way I can add custom hosts to block that I know will always be blocked.

The MVPS list is very similar to AdBlock for Firefox. If you visit a site that has a lot of advertisements, with AdBlock you can pick these advertisement sites out of the list to block. With my MVPS list, I don’t have to worry about keeping up with distributing these lists to all of my users running Firefox and, with the list being on the proxy, it also applies to the users running Internet Explorer, obviously.

I wrote a custom error message for the sites that get blocked by my spyware lists which simply consists of a bunch of blank lines. Without my custom error message, the blocked elements of a site will contain the Squid error message and with poorly written sites that don’t specify table sizes, the error message can take up a lot more space than the advertisement did. All you’ll see with my error message is a blank spot on the page. There are probably more elegant ways to pull this off, but I’ve been running my stuff this way for at least 2 years with no problems.

Thanks to Luke from http://terminally-incoherent.com/blog/ my snippet below actually looks like HTML code.

cat /etc/squid/errors/ERR_SPYWARE_ACCESS_DENIED

<html>
<head>
<title> </title>
</head>
<body topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
<br><br><br><br><br><br><br>
</body>
</html>

The script that I use to download and parse the MVPS hosts file:

cat bin/update_spyware_rules.sh

#!/bin/bash

#----------[ Changelog
# Created 2007.02.18 by Chris Davis

#----------[ Notes
# Here is the cronjob for this script
# Make sure the cronjob script is executable
# cat /etc/cron.d/update_spyware_rules
# 1 2 * * * root /home/user/bin/update_spyware_rules.sh

#----------[ Variables
# This script maintains the automatically updated list, which squid.conf
# refers to as SPYWARE_LIST_1 (spyware_list_2.txt is the hand-maintained one)
URL1=http://everythingisnt.com/hosts
URL2=http://www.mvps.org/winhelp2002/hosts.txt
SPYWARE_DIR=/home/user/spyware/
TEMP_SPYWARE_LIST_1=$SPYWARE_DIR/temp_spyware_list_1.txt
SPYWARE_LIST_1=$SPYWARE_DIR/spyware_list_1.txt
SQUID_SPYWARE_LIST_1=/etc/squid/spyware_list_1.txt
EMAIL_THIS=$SPYWARE_DIR/email_this.txt
ADMIN_EMAIL=user@domain.local

#----------[ Script
# If the spyware directory doesn't exist, create it.
if [ ! -e "$SPYWARE_DIR" ]
then mkdir "$SPYWARE_DIR"
fi

# Download the MVPS HOSTS file; stop here if the download fails so that a
# missing or truncated file is never turned into an empty blocklist
wget "$URL2" -O "$TEMP_SPYWARE_LIST_1" || exit 1

# Parse the newly downloaded file to work with Squid: keep the 127.0.0.1
# entries, strip the address, then drop the localhost line and any comments
grep 127.0.0.1 "$TEMP_SPYWARE_LIST_1" | sed 's/127.0.0.1 //g' > "$SPYWARE_LIST_1"
grep -v localhost "$SPYWARE_LIST_1" | cut -d "#" -f 1 > "$SQUID_SPYWARE_LIST_1"

# Get a few stats about the new file and email them to the admin
wc -l "$SPYWARE_LIST_1" > "$EMAIL_THIS"
echo "---- " >> "$EMAIL_THIS"
ls -lt /etc/squid >> "$EMAIL_THIS"
mail -s SQUID "$ADMIN_EMAIL" < "$EMAIL_THIS"

# Reload Squid to load the new files
/etc/init.d/squid reload

If you don’t have the mail command, you can find it in the Debian mailx package.
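Here is a more defensive version of the hosts-to-dstdomain conversion, added as an example rather than taken from the script above: it strips the CRLF line endings a Windows-formatted hosts.txt carries (otherwise every domain in the Squid list ends in a stray carriage return), accepts the 0.0.0.0 sink address as well as 127.0.0.1, keeps only things that are actually hostnames, dedupes, and refuses to replace the live list when the parsed result is empty, which is exactly what a failed download produces. The function names and the sample hosts lines are my own constructions.

```bash
#!/bin/bash
# Added example: turn a HOSTS-format blocklist (MVPS style) into a Squid
# dstdomain list. Function names and the sample data are constructed.

# Read a hosts file on stdin, write one lowercase domain per line on stdout.
#   tr    removes CR so a CRLF file does not leave "\r" on every name
#   sed   drops "# ..." comments, whole-line or trailing
#   awk   keeps lines whose first field is a sink address, skips the
#         loopback/broadcast names, and accepts only valid hostnames with
#         at least one dot (a bare label is meaningless to block on a proxy)
#   sort  dedupes so Squid does not warn about repeated ACL entries
hosts_to_squid() {
    tr -d '\r' \
    | sed -e 's/#.*$//' \
    | awk '
        $1 == "127.0.0.1" || $1 == "0.0.0.0" {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h == "localhost" || h == "localhost.localdomain" || h == "broadcasthost")
                    continue
                if (h ~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/)
                    print h
            }
        }' \
    | sort -u
}

# Install a freshly parsed list over the live Squid list, but only if it is
# non-empty: a failed or truncated download must not silently wipe out the
# list that "http_access deny SPYWARE_LIST_1" in squid.conf relies on.
# Returns 0 when installed, 1 when rejected (the live list is left alone).
install_list() {
    parsed=$1
    live=$2
    if [ ! -s "$parsed" ]; then
        echo "refusing to install an empty blocklist, keeping $live" >&2
        return 1
    fi
    mv -f "$parsed" "$live"
}

# Constructed sample: CRLF endings, comments, mixed case, a duplicate,
# both sink addresses, and a line that is not a hostname at all.
sample_hosts() {
    printf '# MVPS HOSTS sample (constructed)\r\n'
    printf '127.0.0.1 localhost\r\n'
    printf '127.0.0.1 ads.example.com # banner host\r\n'
    printf '0.0.0.0 Tracker.Example.NET\r\n'
    printf '127.0.0.1 ads.example.com\r\n'
    printf '127.0.0.1 not a hostname\r\n'
}

demo() {
    sample_hosts | hosts_to_squid
}

demo   # prints ads.example.com and tracker.example.net, one per line
```

Run it once, then pipe the real download through hosts_to_squid into a temp file and let install_list decide whether the live /etc/squid list gets replaced before calling squid -k reconfigure.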

Now that Squid is installed and configured, we need a way to create pretty HTML reports from the logs. I use a script called Sarg for this task.

I installed Sarg using Debian’s package management system so all of my files ended up in /etc/squid/. You’ll also need to manually download and edit the sarg-reports file here: http://www.initzero.it/products/opensource/sarg-reports/download/sarg-reports

Read the file for instructions on how to set everything up, including the cron job.

There are four jobs that are going to run: today, daily, weekly, and monthly.
The Today job runs every hour from 8am to 6pm. This keeps your Squid reports updated every hour.
The Daily job runs at midnight of every day.
The Weekly job runs on the first hour of the first day of every week.
The Monthly job runs on the 30th minute of the second hour of the first day of every month.

Since you’re going to be processing Monthly reports, it is very important to update your logrotation schedule to NOT rotate the logs on a daily basis.

After you edit the sarg-reports script, which I keep in /etc/squid with the rest of the Squid files, you’ll need to edit the /etc/logrotate.d/squid file. Basically, I comment out everything in the logrotate.d/squid file so that an apt-get update won’t recreate the file without telling me and mess up my Sarg logfile rotation. Debian’s apt-get is good about telling me when a conf file is about to be updated, so by commenting out the contents of the file I’m pretty sure I’ll be notified if it is ever changed.

I add the squid -k rotate job at the end of the monthly report creation to make sure the logs are rotated immediately afterwards.

grep sarg /etc/crontab

00 08-18/1 * * * root /etc/squid/sarg-reports today
00 00 * * * root /etc/squid/sarg-reports daily
00 01 * * 1 root /etc/squid/sarg-reports weekly
30 02 1 * * root /etc/squid/sarg-reports monthly && squid -k rotate

And you’re done. The only step left to do is to reconfigure your browser (I highly recommend SwitchProxy for Firefox) to use your new proxy.

[EDIT]

Oh yeah, I forgot to include the Webmin part of this. If you read the SoW that Jeff originally sent me, then you’ll know that they want to have control over what gets blocked and what doesn’t.

So I installed Webmin and the webmin packages for postfix and sarg. I don’t have access to a Linux box right now but if you search for them you’ll find them.

apt-cache search webmin postfix; apt-cache search webmin sarg

I just followed the defaults to install them.

The cool thing about Webmin is that you don’t need Apache to use it (for those that don’t want to run unnecessary services on your servers).

I had to edit the /etc/webmin/miniserv.conf file to give my IP access to the GUI. After editing the file, make sure you restart Webmin using /etc/init.d/webmin restart.

And that’s literally it. I didn’t need to edit anything to make Webmin recognize my spyware config files. If you click on one of the filenames, Webmin opens its own text editor and lets you edit the files directly. Perfect for what the client needs.

Webmin is not pretty by default (there are a lot of themes for it), but it definitely gets the job done.

[/EDIT]

Linux: Hold Music Server

Sunday, February 25th, 2007

Originally posted at techsays.com on February 25th, 2007.

At work we have a rack mounted CD player that we’ve used for years to play music for people that get placed on hold.

In order to not burn up the thing, every morning we have to turn it on, wait for it to initialize, press play, wait for it to start playing, and then press repeat twice. Oh yeah, it’s mounted on the very bottom of a rack in the back of the data center. Every night we have to turn it off.

Since I just built a server for a client, I was in the mood to fix this small problem at work. I checked our existing servers to see if they had sound cards and not a single one does. We just replaced all of the client workstations at two of our remote locations and one of the systems we replaced, if you can believe it, was an OLD Optiplex GX100. I can’t believe the user of this workstation wasn’t complaining every single day about this thing. It’s OLD and SLOW! Perfect for an mp3 server.

After installing Debian on it I was off to find an mp3 daemon. I finally settled on MPD as the backend and ncmpc and mpc as front ends.

When installing the software, I used the command (taking the defaults):

apt-get install mpd ncmpc mpc

I looked at a few of the web frontends but I couldn’t find any that I really liked. I didn’t look at Ampache, but I did try phpMp2 and couldn’t get it to create playlists without creating duplicates or just not working at all.

I don’t rip a lot of CDs so I just used Windows Media Player to rip the CDs into mp3 format. I don’t have any problems with the player as a video player or mp3 ripper, but I don’t care for it at all when put to the task of playing music. Winamp and Foobar both do a much better job of it.

After ripping the music, I SCP’d it to my home directory and moved it to /usr/share/mpd/music/.

I didn’t really spend the time to learn how to create playlists and such. Instead, I used a set of commands I found on some website:

mpc search artist elvis | mpc add -; mpc play

That works great, as long as you use id3 tags when ripping your music.

And finally, I wanted to make sure that music started playing automatically if the server was ever rebooted.

I wrote a small script and put it in /etc/init.d.

cat /etc/init.d/mpc.sh

#!/bin/bash
mpc clear
mpc search artist elvis | mpc add -
mpc play

I made sure to make the script executable with

chmod +x /etc/init.d/mpc.sh

And finally, with Debian, I made sure to create the symlinks in /etc/rc2.d:

update-rc.d mpc.sh defaults

Now I have a server that will play hold music for us automatically.