Firefox Saved Password Retrieval

I sometimes save my password into Firefox to make my life easier. Opera has a much better system for saving passwords, but I like my FF better.

I had a saved password and needed to retrieve the password (unmask it) for some documentation. Unfortunately I couldn’t remember which password I had used previously. Then I remembered a handy JavaScript that allows me to show the saved password.

Go to the site you want to retrieve the password for
DO NOT log in yet
In the address bar, overwrite what is there with:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j

IIS 7.0 Admin Failed To Connect

I had a developer trying to connect to the admin panel of IIS7. They could open the MMC just fine, but when they clicked on the server (local server) it would give a failure:

There was an error connecting. Do you want to specify different credentials?

And then it would fail again.

Open a command prompt on the server:
%windir%\system32\inetsrv\appcmd list sites

So I edited the redirection.config file given, and found that one of the developers had put
Changed it to false, and yay it works! Oh, I had to close IIS Admin and reopen.

Install Nagiosgraph


First of all, this is running on Ubuntu 10.04.1 LTS x32. I installed Nagios 3.2.0 from the source packages (see another post on this site), and will be installing NagiosGraph 1.4.3. I’ve also installed Nagios-Plugins-1.4.15.

This will probably be a lot of writing, but in the end it was definitely worth my time.

Update System and Install SNMPD:

su root
apt-get update
apt-get upgrade
apt-get install snmpd
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
nano /etc/snmp/snmpd.conf
rocommunity public
syslocation "MyLocation"
syscontact email@domain.tld
Save and close
nano /etc/default/snmpd
Change From:
# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
To:
# snmpd options (use syslog, close stdin/out/err).
#SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
Save and close
/etc/init.d/snmpd restart

Test SNMPD:

snmpwalk -v 1 -c public -O e IP_OF_YOUR_MACHINE
You can use Localhost (127.0.0.1) in lieu of another IP address

Download Required Files:

cd /home/nagios
wget http://voxel.dl.sourceforge.net/project/nagiosgraph/nagiosgraph/1.4.3/nagiosgraph-1.4.3.tar.gz
apt-get install rrdtool perl libcgi-pm-perl librrds-perl libgd-gd2-perl

Extract Required Files:

tar xzvf nagiosgraph-1.4.3.tar.gz
cd nagiosgraph-1.4.3

Copy Files:

mkdir /etc/nagiosgraph
cp etc/* /etc/nagiosgraph

Edit Perl Scripts With FilePath:

nano cgi/*.cgi lib/insert.pl
Find “use lib” line (definitely on the first page of text) and edit it to be /etc/nagiosgraph
Save all files

Continue Copying Files:

cp lib/insert.pl /usr/local/nagios/libexec
cp cgi/*.cgi /usr/local/nagios/sbin
cp share/nagiosgraph.css /usr/local/nagios/share
cp share/nagiosgraph.js /usr/local/nagios/share

Edit The Nagiosgraph.conf File:

nano /etc/nagiosgraph/nagiosgraph.conf
Set the following:
perflog = /var/nagios/perfdata.log
rrddir = /var/nagios/rrd
mapfile = /etc/nagiosgraph/map
nagiosgraphcgiurl = /nagios/cgi-bin
javascript = /nagios/nagiosgraph.js
stylesheet = /nagios/nagiosgraph.css
logfile = /var/log/nagiosgraph.log
cgilogfile = /var/log/nagiosgraph-cgi.log

Set Permissions For RRD Directory, Log Files, CGI Files:

mkdir /var/nagios/rrd
chmod 777 /var/nagios
chown nagios /var/nagios/rrd
chmod 755 /var/nagios/rrd
touch /var/log/nagiosgraph.log
chown nagios /var/log/nagiosgraph.log
chmod 664 /var/log/nagiosgraph.log
touch /var/log/nagiosgraph-cgi.log
chown www-data /var/log/nagiosgraph-cgi.log
chmod 664 /var/log/nagiosgraph-cgi.log

Edit Nagios.cfg:

nano /usr/local/nagios/etc/nagios.cfg
process_performance_data=1
service_perfdata_file=/var/nagios/perfdata.log
service_perfdata_file_template=$LASTSERVICECHECK$||$HOSTNAME$||$SERVICEDESC$||$SERVICEOUTPUT$||$SERVICEPERFDATA$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=30
service_perfdata_file_processing_command=process-service-perfdata

Edit Commands.cfg (make sure this is enabled/correct):

nano /usr/local/nagios/etc/objects/commands.cfg
define command {
command_name process-service-perfdata
command_line /usr/local/nagios/libexec/insert.pl
}

Restart Nagios:

/etc/init.d/nagios restart

Edit Apache Configuration:

This was already done for me from the Nagios install, but just verify it’s correct.
nano /etc/apache2/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin /usr/local/nagios/sbin
<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user
</Directory>

There should be more below this, so just leave that alone.

Restart Apache:

apache2ctl restart

Test Your Site:

http://server/nagios/cgi-bin/show.cgi

You shouldn’t get any errors. If you get a 500 internal error, the issue is with Apache. If you get a “no rrd data found” error, then the configuration of nagiosgraph is incorrect OR you haven’t waited long enough.

You can try to run the script directly:

cd /usr/local/nagios/libexec
./insert.pl

Then verify that there is some data in the RRD directory:
ls /var/nagios/rrd/

To get it to work with Windows Clients:

Edit the map file:
nano /etc/nagiosgraph/map
Add the following to the END of the file:
# Service type: memory
# check command: check_nt -H Address -v MEMUSE -w 50 -c 90
# output: Memory usage: total:2467.75 Mb - used: 510.38 Mb (21%) - free: 1957.37 Mb (79%)
/perfdata:Memory usage=([.0-9]+)Mb;([.0-9]+);([.0-9]+);([.0-9]+);([.0-9]+)/
and push @s, [ ntmem,
[ memused, GAUGE, $1*1024**2 ]
];
# Service type: ntload
# check command: check_nt -H Address -v CPULOAD -l1,70,90,5,70,90,30,70,90
# output: CPU Load 9% (5 min average) 11% (30 min average)
# perfdata: '5 min avg Load'=9%;70;80;0;100 '30 min avg Load'=11%;70;90;0;100
/output:.*?(\d+)% .*?(\d+)% /
and push @s, [ ntload,
[ avg05min, GAUGE, $1 ],
[ avg30min, GAUGE, $2 ] ];
# Service type: ntdisk
# check command: check_nt -H Address -v USEDDISKSPACE -lc -w 75 -c 90
# output: c:\ - total: 25.87 Gb - used: 4.10 Gb (16%) - free 21.77 Gb (84%)
# perfdata: c:\ Used Space=4.10Gb;19.40;23.28;0.00;25.87
/perfdata:.*Space=([.0-9]+)Gb;([.0-9]+);([.0-9]+);([.0-9]+);([.0-9]+)/
and push @s, [ ntdisk,
[ diskused, GAUGE, $1*1024**3 ],
[ diskwarn, GAUGE, $2*1024**3 ],
[ diskcrit, GAUGE, $3*1024**3 ],
[ diskmaxi, GAUGE, $5*1024**3 ] ];

Save and close the file, then restart nagios (/etc/init.d/nagios restart)

***EDIT***
Updated – had “.conf” instead of “.cfg” under “edit nagios.cfg”
Added chmod 777 for /var/nagios to allow perfdata.log to be written

Add SNMP To Ubuntu

I was trying to add an HP printer to the mix and the printer is trying to utilize the service “check_hpjd”. Unfortunately, on my Ubuntu installation, the plugin was not installed in /usr/local/nagios/libexec.

A short amount of research showed that I had failed to install the required SNMP tools to utilize this plugin. And, because I actually installed Nagios and the plugins from the source rather than binaries, the configuration and make checked to see if the required tools would be available before actually installing them.

Long story short, here’s what I ended up doing (apt-get install net-snmp does not work):
apt-get install libsnmp-base libsnmp-python libsnmp15-dbg libsnmp-dev libsnmp-perl libsnmp15 snmp snmpd tkmib

Edit the SNMPD configuration:
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.org
nano /etc/snmp/snmpd.conf

rocommunity public
syslocation "USA"
syscontact myemail@domain.tld
Save and Close

Edit the SNMPD Daemon:
nano /etc/default/snmpd

Change "SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'"
To "SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'"

Restart the SNMPD service:
/etc/init.d/snmpd restart

Test the SNMP:
snmpwalk -v 1 -c public -O e host/IPaddress
You should get some sort of feedback
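
A check for the snmpd.conf written here and in the NagiosGraph post, as an added example that is not part of the original posts: once the 127.0.0.1 listen address is dropped from SNMPDOPTS, snmpd answers on every interface, so a `rocommunity public` line with no source lets any host that can reach the agent read it. The function names, the sample community string and 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag risky community lines in an snmpd.conf.
# Syntax checked: rocommunity|rwcommunity COMMUNITY [SOURCE [OID]]
# Prints one finding per problem; returns 1 if anything was found.
# Commented-out directives are ignored because their first field starts with '#'.
audit_snmpd_conf() {
    awk '
        $1 ~ /^r[ow]community6?$/ {
            if ($2 == "public" || $2 == "private") {
                printf "line %d: default community \"%s\"\n", NR, $2; n++
            }
            if (NF < 3 || $3 == "default") {
                printf "line %d: %s usable from any source address\n", NR, $1; n++
            }
            if ($1 ~ /^rw/) {
                printf "line %d: %s grants write access\n", NR, $1; n++
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample 1: the three-line file from the post.
make_weak_conf() {
    printf '%s\n' 'rocommunity public' 'syslocation "MyLocation"' \
        'syscontact email@domain.tld' > "$1"
}

# Constructed sample 2: a non-default community that only the Nagios host
# may use. The community string and 192.0.2.10 are placeholders.
make_restricted_conf() {
    printf '%s\n' 'rocommunity EXAMPLE-ro-string 192.0.2.10' \
        'syslocation "MyLocation"' 'syscontact email@domain.tld' > "$1"
}

tmp=$(mktemp -d)
make_weak_conf "$tmp/weak.conf"
make_restricted_conf "$tmp/restricted.conf"
for f in "$tmp/weak.conf" "$tmp/restricted.conf"; do
    echo "== $f"
    audit_snmpd_conf "$f" && echo "no findings"
done
rm -rf "$tmp"
```

Run it against /etc/snmp/snmpd.conf after editing; the Nagios check commands then need the same community string as the agent.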

Add SSL To Apache2 Ubuntu

This uses a Microsoft Certificate Authority. If you want a self-signed SSL, check the bottom of the post.

I needed to create a way for end users to go to a site (http://callmanager) and be able to log in to their Cisco Callmanager page without receiving any certificate errors. Unfortunately the call manager device was named “imcm1”, and Cisco won’t let me create a certificate for anything besides the device name. Our users were trained to use “callmanager” as the name. So I had two options:
1.) Re-Train employees to no longer use the easier to remember “callmanager” name
2.) Utilize an Ubuntu webserver to redirect the users where I want them to be
Obviously I chose the much harder route – well it’s harder technically, but… yes.

Using Ubuntu 10.04.1 LTS x32. I installed LAMP and SSH. This is on a domain (company.local) running Windows 2003 and AD. There is a Certificate Authority installed on one of the domain controllers (2003 Enterprise). I use PuTTY and WinSCP.

Update Ubuntu:
I run everything as root. So su to root.
apt-get update
apt-get upgrade
apt-get dist-upgrade

Create the CSR:
mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl genrsa -out callmanager.key 1024
chmod 640 callmanager.key
openssl req -new -key callmanager.key -out callmanager.csr

Provide your information:

Country Name: US
State: IL
City: Chicago
Organization Name: Company
Organization Unit: IT
Common Name: FQDN_Here! I used “callmanager”, but you may be utilizing “callmanager.domain.local”
Email: blank
Challenge password: blank
Optional company: blank

Copy The Certificate To Your Certificate Authority:
cat callmanager.csr

Copy everything from “-----BEGIN CERTIFICATE REQUEST...” to “...END CERTIFICATE REQUEST-----”
Connect to your certificate authority: http://certificateserver/certsrv. My Win7 would not work with a 2003 Server CA so I had to run it local on the server (http://localhost/certsrv)
Click Request A Certificate
Click advanced certificate request
Choose the middle option (PKCS #10 or PKCS#7)
Paste what you copied above into the Saved Request area
Choose the certificate template “Webserver”
Click submit
Click Download certificate (DER encoding!)

Convert And Install The Certificate On Ubuntu:
Copy the .cer file (callmanager.cer) to your linux box in the /etc/apache2/ssl directory
chmod 640 callmanager.cer
openssl x509 -in callmanager.cer -inform d -out callmanager.pem
chmod 640 callmanager.pem
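
Two checks worth running before Apache is pointed at these files, as an added example that is not part of the original post: confirm the key size, and confirm the converted certificate actually belongs to callmanager.key. The function names are assumptions, the demo uses a 2048-bit key rather than the post's 1024, and a self-signed DER certificate stands in for the one the CA returns.

```shell
#!/bin/sh
# Added example: sanity checks on the key and the converted certificate.

# key_bits KEYFILE: print the RSA key size in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# cert_matches_key CERT_PEM KEYFILE: succeed only if the certificate carries
# the public half of this private key (the RSA moduli are identical).
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus) || return 2
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# make_demo_pair DIR: constructed stand-in for the CA round trip. The
# self-signed DER file plays the role of the downloaded callmanager.cer.
make_demo_pair() {
    openssl genrsa -out "$1/callmanager.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/callmanager.key" -days 1 \
        -subj "/C=US/ST=IL/L=Chicago/O=Company/OU=IT/CN=callmanager" \
        -outform DER -out "$1/callmanager.cer"
    # Same conversion as in the post: DER in, PEM out.
    openssl x509 -in "$1/callmanager.cer" -inform d -out "$1/callmanager.pem"
}

d=$(mktemp -d)
make_demo_pair "$d"
bits=$(key_bits "$d/callmanager.key")
echo "key size: $bits bits"
[ "$bits" -ge 2048 ] || echo "key is smaller than 2048 bits"
cert_matches_key "$d/callmanager.pem" "$d/callmanager.key" &&
    echo "certificate matches callmanager.key"
cert_matches_key "$d/callmanager.pem" "$d/other.key" ||
    echo "certificate does not match other.key"
rm -rf "$d"
```

A mismatch here is the usual cause of Apache refusing to start after the SSLCertificateFile and SSLCertificateKeyFile lines are changed.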

Edit Apache To Support SSL:
a2enmod ssl
apache2ctl restart
cp /etc/apache2/sites-available/default-ssl ../sites-enabled/
nano /etc/apache2/sites-enabled/default-ssl

Scroll down to “SSLCertificateFile /etc/ssl…”
Change the location to be /etc/apache2/ssl/callmanager.pem
Then, scroll down to “SSLCertificateKeyFile /etc/ssl…”
Change the location to be /etc/apache2/ssl/callmanager.key

Finish The Redirect:
Under the SSLCertificate edits, I added the following:
ServerName callmanager
Redirect permanent / https://imcm1/
Save the file
apache2ctl restart

Test! Works for me!

Create A Self-Signed Certificate:
Hopefully coming soon.

Redirect Websites

Redirect websites using Apache web server!

On the server itself, you can edit the virtualhosts page:
nano /etc/apache2/sites-enabled/000-default

<VirtualHost *:80>
ServerName callmanager
ServerAlias *callmanager
ServerAlias callmanager*
Redirect permanent / https://iocm1/
</VirtualHost>

Or on the webpage itself:

<html>
<head>
<meta http-equiv="Refresh" content="0; URL=http://redirecturl/dir/dir2/">
</head>
<body>
Link to new page if browser does not support the redirection
</body>
</html>

http://www.yolinux.com/TUTORIALS/ApacheRedirect.html

Install SSL Certificate on Cisco ASA 5510 SSL VPN

It’s never good practice to have your users get used to seeing “Certificate Invalid” errors on secure sites. I know a lot of IT departments that train their users to just click past the errors. What happens when you enable a Man in the Middle attack? Cain and Abel anyone?

So after we had our load balanced ASA5510s set up, we purchased some licenses for SSLVPN Users. Unfortunately that means the site must be secured AND have a certificate. The self-signed cert is only good for testing. Production requires an authenticated certificate from a globally trusted CA. For our internal-facing sites we utilize GoDaddy (cheap certs).

Create the CSR:
Log in to Cisco ASDM
Configuration, then Certificate Management, followed by Identity Certificates
Click Add
Click the radio button Add a new identity certificate
Click New… for a new key pair – I generally name it godaddy12 (vendor+year) and make it 2048 bit
In the Certificate Subject DN, Add the CN (vpn.domain.tld MUST BE FQDN), the OU, the O, the C, the St, and the L as appropriate
Click on the advanced button and make sure the FQDN is the same as the CN you entered before (vpn.domain.tld)
Now click on Add Certificate
Browse to where you want to save your CSR – I save it as ASA5510_12.csr.txt

Godaddy Cert
Purchase the cert and download the certificate using the “other” category. That way you get the CA cert (and intermediary) along with your identity certificate.
Log into your ASDM
Select Configuration
Select Device Management
Expand Certificate Management
Select CA Certificates
Click Add, select the gd_bundle.crt
Then select Identity Certificates
Click on your CSR Request and click the Install button
Select your SITENAME.crt

Now we need to apply these certificates to the SSL Site!
Under Configuration, Device Management still
Expand Advanced
Select SSL Settings
Click on the interface where your SSLVPN terminates (in my case it was outside)
Edit this interface
Select the Primary Enrolled Certificate and Load Balancing Enrolled Certificate (if applicable)
Apply the settings

Test your https://vpnsite
If everything tests OK, save the configuration