BIND, DNS, Godaddy, Ubuntu

The customer purchased Comcast Business cable as their primary internet provider. They also purchased a domain name through GoDaddy. I used to think GoDaddy was a horrible/awful pile of dung, but now that I'm starting to find out where everything is hidden, they're turning out to be moderately OK.

Background:
Ubuntu 10.04 x32 Server LAMP
BIND 9.7.0
Webmin 1.510
Sonicwall TZ180W Enhanced
Godaddy account information and domain name

I upgraded their Ubuntu server from 9.04 to 9.10, and then to 10.04. I installed Webmin because the customer wanted a GUI for editing the config files; despite the resistance from CLI users, Webmin is a pretty powerful suite. I secured the server as much as I could. I then made sure that port 53 (UDP and TCP) was open to and from the server for DNS. That is the only port the outside world needs; Webmin's port 10000 should stay reachable from the LAN only.

Now the fun part begins. Log in to Webmin (usually https://<webmin server IP>:10000) and navigate to Servers > BIND DNS Server.

Create BIND Master Zone
Under Existing DNS Zones, click Create Master Zone.

Zone type: Forward
Domain Name/Network: yourdomain.tld
Records file: Automatic
Master server: yourdomain.tld; uncheck Add NS record for master server (the NS records are added by hand below)
Email address: admin@yourdomain.tld
Use zone template: No
IP Address for template records: Your PUBLIC IP address
Add reverses for template addresses: Yes
Leave the TTL as is, unless you want longer/shorter timeouts
Click Create

Add Name Records
You should now be on the Address Records page for your new domain. If not, navigate to Servers > BIND DNS Server > Existing DNS Zones > yourdomain.tld > Address.
NOTE: Notice the '.' at the end of the names. The trailing dot makes the name fully qualified; without it BIND appends the zone origin and you end up with ns1.yourdomain.tld.yourdomain.tld.

Name: ns1.yourdomain.tld.
Time-To-Live: default
Address: Your PUBLIC IP address
Update reverse: Yes
Create
Name: ns2.yourdomain.tld.
Time-To-Live: default
Address: Your PUBLIC IP address
Update reverse: Yes
Create
Name: yourdomain.tld.
Time-To-Live: default
Address: Your PUBLIC IP address
Update Reverse: Yes
Create
Name: www.yourdomain.tld.
Time-To-Live: default
Address: Your PUBLIC IP address
Update Reverse: Yes
Create

Add Name Servers
Return to Record Types and click Name Server.

Zone Name: (leave blank; the records belong to the zone apex)
Time-To-Live: 300
Name Server: ns1.yourdomain.tld.
Create
Zone Name: (leave blank)
Time-To-Live: 300
Name Server: ns2.yourdomain.tld.
Create

Restart BIND
You have two ways to do this (well, more than that, but you know how it is):

1.) Log in to your BIND server over SSH and run:
sudo /etc/init.d/bind9 restart
2.) In Webmin, click System > Bootup and Shutdown > bind9
Click the Restart Now button

Test your configuration:

Log in to your BIND server over SSH
nano /etc/resolv.conf
search yourdomain.tld
nameserver 127.0.0.1
Comment out (prefix with '#') any other name servers in the list
Save and exit nano
dig yourdomain.tld
Make sure the HEADER flags include qr aa rd ra. The 'aa' is the important part: it shows that this server is the authority for the domain. 'ra' means the server also offers recursion to whoever is asking; with port 53 open to the internet that makes it an open resolver that can be abused for amplification attacks, so before pointing the domain at it, restrict recursion to the LAN (allow-recursion in /etc/bind/named.conf.options) or turn it off (recursion no) on this authoritative server.
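The zone the Webmin steps above build, written out as a plain BIND zone file, together with a check on the header flags that dig prints. This is an added example, not the post's own configuration: the domain yourdomain.tld, the public IP 203.0.113.10 (a documentation address), the serial and the TTLs are placeholders, and the dig header fed to the checks is constructed, not captured from a server.

```sh
#!/bin/sh
# Added example, not from the original post. The zone file below is what the
# Webmin form produces for the records listed above; every value is a
# placeholder (domain, 203.0.113.10 from the documentation range, serial, TTLs).

DOMAIN="yourdomain.tld"
PUBLIC_IP="203.0.113.10"

# Write the zone: SOA, two NS records at the apex, and the four A records.
# ns1/ns2 live inside the zone they serve, so they need glue at the registrar
# (the GoDaddy Host Summary step further down the post).
write_zone() {
    cat <<EOF
\$TTL 38400
@   IN  SOA ns1.${DOMAIN}. admin.${DOMAIN}. (
        2010110101  ; serial, bump on every change
        10800       ; refresh
        3600        ; retry
        604800      ; expire
        38400 )     ; negative-cache TTL
@       300 IN  NS  ns1.${DOMAIN}.
@       300 IN  NS  ns2.${DOMAIN}.
@           IN  A   ${PUBLIC_IP}
ns1         IN  A   ${PUBLIC_IP}
ns2         IN  A   ${PUBLIC_IP}
www         IN  A   ${PUBLIC_IP}
EOF
}

# Count the records of one type in the zone text on stdin, a sanity check
# before handing the file to named.
count_records() {
    grep -c -E "[[:space:]]IN[[:space:]]+$1[[:space:]]"
}

# Return 0 when the dig header in $1 carries the aa flag: this server answers
# authoritatively for the name, which is what the test above looks for.
is_authoritative() {
    printf '%s\n' "$1" | grep -E '^;; flags:.*[[:space:]]aa[[:space:];]' >/dev/null
}

# Return 0 when the header also carries ra: recursion is offered to whoever
# asked. Seen from the internet on port 53 that is an open resolver, so put
# `recursion no;` (or `allow-recursion { <your LAN>; };`) in
# /etc/bind/named.conf.options before relying on this server.
offers_recursion() {
    printf '%s\n' "$1" | grep -E '^;; flags:.*[[:space:]]ra[[:space:];]' >/dev/null
}

# Constructed dig header, the shape `dig @127.0.0.1 yourdomain.tld` prints.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2'

main() {
    zone=$(mktemp)
    write_zone > "$zone"
    echo "NS records: $(count_records NS < "$zone"), A records: $(count_records A < "$zone")"
    # named-checkzone (package bind9utils) validates syntax and the SOA; skipped if absent.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$DOMAIN" "$zone"
    fi
    if is_authoritative "$SAMPLE_DIG"; then echo "aa: authoritative for $DOMAIN"; fi
    if offers_recursion "$SAMPLE_DIG"; then echo "ra: recursion is open, restrict it"; fi
    rm -f "$zone"
}

main
```

Querying with dig @127.0.0.1 yourdomain.tld asks the local server directly and saves editing resolv.conf; the checks above read that output the same way. The NS records keep the post's 300-second TTL so a name server change propagates quickly.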

Change the DNS Servers of your Godaddy account

Log in to the GoDaddy Domain Manager.
Register ns1.yourdomain.tld and ns2.yourdomain.tld as hosts, both pointing at your public IP address. After you click on the domain you want to manage, the Host Summary area is in the lower left corner of the Domain Manager screen:
Add NS1.yourdomain.tld with your PUBLIC IP
Add NS2.yourdomain.tld with your PUBLIC IP
These host entries become the glue records the registry publishes; without them nobody can find name servers that live inside the very zone they serve. Two names on one IP satisfy the registrar's two-name-server rule but give no redundancy: if that connection drops, the whole domain goes dark.
I had to wait 5 minutes or so before everything was happy.

Now change the name servers from NSxx.DOMAINCONTROL.COM to NS1.YOURDOMAIN.TLD and NS2.YOURDOMAIN.TLD.

If you get a message about your name servers not being registered, you probably forgot to add the hosts in the Host Summary area, or you haven't waited long enough.

Happy 4th Anniversary

Four Long Years.

I look back on some of my early posts and see a completely different style of writing. That added to the fact that most of the “issues” were fairly easy in nature, and you can see how far I’ve come.

I’m glad I could write all this up here. It’s helped me more than a few times. It’s helped others more than a few times. And it’s still free.

Says I’m at Post 488. I’ve gone through 3 style changes (well, the site, so not technically “me”), 2 jobs, and several life-changing events in the past 4 years. Hopefully the next 4 years are just as interesting.

Exchange 2007 3rd Party Certificate

I've done plenty of self-signed certificates for Exchange. Most places don't mind if the certificate shows an error when users visit the webmail site (OWA), but they do mind when Outlook tells users that the certificate name is invalid.

This one had the self-signed certificate installed on a standard Exchange 2007 server. CRM 4 requires an SSL/TLS connection. We could have created another internal certificate with the private key marked exportable (-PrivateKeyExportable:$true), but the customer also wanted to be rid of the invalid-certificate warning when browsing to the Outlook Web Access site.

Obviously replace “domain.tld” with your actual information.

Create the certificate request:

Open the Exchange Management Shell on the Exchange server and run:
New-ExchangeCertificate -DomainName webmail.domain.tld,other.domain.tld,autodiscover.domain.tld -FriendlyName "Site Webmail Certificate" -GenerateRequest:$True -Keysize 2048 -path c:\Webmailcertificate.txt -privatekeyExportable:$true -subjectName "c=US, o=CompanyName Inc., OU=IT, L=City, S=State, CN=webmail.domain.tld"
Every name in -DomainName goes into the request as a subject alternative name, so the CN must appear there too (it does above). c:\Webmailcertificate.txt is the request the CA needs; the private key stays in the local machine store.

Purchase the site certificate:

Go to your preferred CA (VeriSign, Thawte, etc.) and purchase an SSL certificate. A standard (domain-validated) one is fine for this mostly internal-only site.
Paste the contents of c:\Webmailcertificate.txt into the CSR field when asked.
After the certificate has been issued, download the .crt file and the intermediate CA certificate(s).

Install your certificate:

Back in the Exchange Management Shell, import the certificate the CA returned (the .crt file, not the request file generated above; use whatever name you saved the download as):
Import-ExchangeCertificate -path c:\webmailcertificate.crt
Also install the intermediate CA certificate(s) into the computer's Intermediate Certification Authorities store (Certificates MMC snap-in, or certutil -addstore CA on each file), otherwise clients see an incomplete chain.
Get-ExchangeCertificate
Copy the thumbprint of the NEW certificate (the one whose Services column shows "....." because nothing is assigned to it yet)
Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint 896B74B2YourExchangeThumbprintFC6A7
Answer Y if prompted to overwrite the older certificate

Now your webmail access (OWA) should no longer have a certificate issue. However, if the names on the certificate differ from the internal name of your mail server, you will have issues INTERNALLY: all of your Outlook clients will report that the certificate is invalid because the names do not match. The Exchange server now presents a certificate for webmail.domain.tld while Outlook connects to it as exchange07.domain.local.

To fix this issue:

Once again in the Exchange Management Shell:
Get-ClientAccessServer
Copy the server name
Set-ClientAccessServer -Identity SERVERNAMEHERE -AutodiscoverServiceInternalUri https://webmail.domain.tld/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "SERVERNAMEHERE\EWS (Default Web Site)" -InternalUrl https://webmail.domain.tld/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "SERVERNAMEHERE\oab (Default Web Site)" -InternalUrl https://webmail.domain.tld/oab
For this to work from the LAN, webmail.domain.tld must resolve to the server's internal address on the inside (split DNS); otherwise the clients try to reach it through the firewall.
There is one final step: recycle the MSExchangeAutodiscoverAppPool:
On the Exchange 2007 server, open IIS Manager
Navigate to Local Computer > Application Pools
Right-click MSExchangeAutodiscoverAppPool and select Recycle

That should be it. Everything works here after recycling.

Or you could always just put all the required names on the certificate request from the start:
NetBIOS name
External FQDN (if different)
autodiscover.domain.tld
autodiscover.domain.local (if applicable)
webmail.domain.tld (change accordingly)
Public CAs stopped issuing certificates for internal names such as exchange07.domain.local in 2015, so on a current system the internal URL change above is the way to go rather than a certificate carrying .local names.

Change Floppy Drive Letter

I had to update the BIOS of a very old computer so it could handle more RAM (128MB modules were the max at the time), and I needed a floppy disk to do so. I plugged my trusty USB floppy drive into my i7 machine running Windows 7 x64 and tried to run the floppy-image creation program: not compatible with your version of Windows. Damn, must need 32-bit.

Moved over to the laptop with Windows 7 32-bit: not a valid 32-bit application. Argh. Zero for two.

Tried my VMware XP Pro image, but the application insists on using drive A:. Dammit. Zero for three.

Here's how to swap the drive letters around (inside the XP guest, where the USB floppy is attached to the VM):

Open regedit and export HKLM\SYSTEM\MountedDevices first so you can restore it if the rename goes wrong, then:
HKLM\SYSTEM\MountedDevices
Rename \DosDevices\A: to \DosDevices\Q:
Rename \DosDevices\B: to \DosDevices\A:
Rename \DosDevices\Q: to \DosDevices\B:
Reboot

Now your USB floppy should be drive A:.

Lock Users To Home Directory

I needed to give access to a user (a web developer) but didn’t want them to be able to go anywhere but their home directory. The server is running Ubuntu 9.10 x32. No GUI.

A brief search found a restricted shell for Linux called Iron Bars SHell (IBSH). It also lets you forbid particular commands.

wget -O debian_ibsh.deb 'http://downloads.sourceforge.net/project/ibsh/ibsh-binary/ibsh_debian_binary/debian_ibsh.deb?use_mirror=cdnetworks-us-1'
dpkg -i debian_ibsh.deb
apt-get install -f
nano /etc/ibsh/globals.cmds

(Without -O, wget saves the download under the full name including the ?use_mirror query string, and the dpkg step cannot find it.)

List the commands you want to allow in that file, one per line, and save it. Keep it to what the developer actually needs: editors, pagers, interpreters and anything with an exec feature (vi, less, man, find, perl, python, ...) give the user a way back into an unrestricted shell, which defeats the point.

nano /etc/passwd
Change the shell of the user to /bin/ibsh (chsh -s /bin/ibsh username does the same without hand-editing the file, once /bin/ibsh is listed in /etc/shells)

Log in as the user and test it. Try cd /etc or rm -rf / (on a test box) and see what happens.
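An audit of the allowlist before the login is handed out, plus the commands that switch the account to the restricted shell. This is an added example, not part of the post or of ibsh: it assumes globals.cmds lists one command per line with '#' comments (check your ibsh version), that ibsh installed itself as /bin/ibsh, and the user name webdev is made up; the sample allowlist is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: audit an ibsh allowlist for
# programs that hand the user an unrestricted shell, and print the safer way
# to switch the account's login shell. Assumes globals.cmds lists one command
# per line with '#' comments (verify against your ibsh version) and that the
# shell lives at /bin/ibsh.

ALLOWLIST="/etc/ibsh/globals.cmds"
RESTRICTED_SHELL="/bin/ibsh"

# Commands that can spawn a shell, run arbitrary code, or read and write files
# outside the home directory through their own features (the classic
# restricted-shell escapes: editors, pagers, interpreters, find -exec, ssh).
ESCAPE_CAPABLE="vi vim less more man ssh scp sftp ftp find awk perl python ruby xargs env gdb"

# Print every allowed command that is on the escape list; return 1 if any.
audit_allowlist() {
    bad=0
    while IFS= read -r cmd || [ -n "$cmd" ]; do
        case "$cmd" in ''|'#'*) continue ;; esac
        for e in $ESCAPE_CAPABLE; do
            if [ "$cmd" = "$e" ]; then
                echo "unsafe: $cmd"
                bad=1
            fi
        done
    done < "$1"
    return $bad
}

# Print the commands that move a user onto the restricted shell without
# hand-editing /etc/passwd (chsh and other tools consult /etc/shells), and
# keep the home directory from being world-readable.
restrict_user_commands() {
    printf 'grep -qx %s /etc/shells || echo %s >> /etc/shells\n' "$RESTRICTED_SHELL" "$RESTRICTED_SHELL"
    printf 'chsh -s %s %s\n' "$RESTRICTED_SHELL" "$1"
    printf 'chmod 750 /home/%s\n' "$1"
}

# Constructed sample allowlist: a few harmless tools plus two escapes.
write_sample_allowlist() {
    f=$(mktemp)
    printf '%s\n' '# allowed commands' ls cat pwd grep vi find > "$f"
    echo "$f"
}

main() {
    # Audit the real file when it exists, otherwise the constructed sample.
    if [ -r "$ALLOWLIST" ]; then f="$ALLOWLIST"; else f=$(write_sample_allowlist); fi
    if audit_allowlist "$f"; then
        echo "allowlist is clean"
    else
        echo "remove the commands above before giving out the login"
    fi
    [ "$f" = "$ALLOWLIST" ] || rm -f "$f"
    restrict_user_commands webdev
}

main
```

The escape list is the usual set from restricted-shell write-ups, not something ibsh ships; extend it with whatever else on the box can run a subprocess. Run the audit again whenever the allowlist changes.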

***EDIT***
The Link is http://downloads.sourceforge.net/project/ibsh/ibsh/ibsh-0.3a/ibsh-0.3a-i386-linuxbsd-src.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fibsh%2F&ts=1288626692&use_mirror=iweb

CentOS Install Apache

I downloaded the DVD torrent for CentOS 5.4. It’s large. 3.72GB large. It’s the i386 version.

I needed it for testing as it’s closer to RHEL than Debian is. 🙂

So I selected install – generic install – but ONLY install the server portion. I don’t need that crazy GUI. Or do I?

After installation I ran the usual:
yum update
yum -y install httpd php mysql mysql-server php-mysql
/sbin/chkconfig httpd on
/sbin/chkconfig --add mysqld
/sbin/chkconfig mysqld on

Then I started the services:
/sbin/service httpd start
/sbin/service mysqld start

Opened up my browser to the IP of the new server. Page not found. Damn.

OK, let’s see if the server can access itself:
lynx http://127.0.0.1
Command not found

Damn. Install lynx:
yum install lynx
lynx http://127.0.0.1
Default CentOS page! Yay!

By default, CentOS installs SELinux. I don't care for MAC security as this is a pure test dev machine, so I'll remove that:
nano /etc/selinux/config
SELINUX=disabled
Save, reboot.
(No spaces around the '=': the file is parsed like a sysconfig file and a line with spaces is not recognised. Also note that lynx already fetched the page locally with SELinux enforcing, so SELinux was never the blocker here; the stock policy lets httpd serve /var/www/html. For a quick experiment, setenforce 0 switches to permissive mode without a reboot and is reversible.)

Page not found. Argh, must be the default firewall crap that is on by default. I shall remove that as well:
/sbin/service iptables save
/sbin/service iptables stop
/sbin/chkconfig iptables off
On anything other than a throwaway VM, open just port 80 (and 443) in the RH-Firewall-1-INPUT chain and save the table instead of dropping the firewall entirely.
I rebooted once again by accident as I hit the power button on the wrong virtual machine. Oh well.

Default CentOS Page! Yay!
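The firewall-first diagnosis, and the hole for port 80 that keeps the rest of the firewall in place. This is an added example, not part of the post: it assumes the CentOS 5 default chain name RH-Firewall-1-INPUT (confirm with iptables -L -n) and the column layout of iptables -L <chain> -n; the chain listing it checks is constructed, not captured from a machine.

```sh
#!/bin/sh
# Added example, not from the original post: open port 80 in the stock CentOS 5
# firewall instead of stopping iptables, and decide from the chain listing
# whether the firewall is really what blocks the page. Assumes the CentOS 5
# default chain RH-Firewall-1-INPUT and `iptables -L <chain> -n` output in the
# shape of the constructed sample below.

CHAIN="RH-Firewall-1-INPUT"

# Return 0 when the chain listing in $1 has an ACCEPT rule for TCP port $2.
# Rules are read top to bottom as iptables does, so an ACCEPT placed after
# the final REJECT-all rule does not count.
chain_accepts_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "REJECT" && $2 == "all" { exit }
        $1 == "ACCEPT" && $2 == "tcp" && $0 ~ ("dpt:" port "( |$)") { found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# The commands that open the port persistently: insert above the REJECT rule
# and write the table back to /etc/sysconfig/iptables.
open_port_commands() {
    printf '/sbin/iptables -I %s -p tcp -m state --state NEW --dport %s -j ACCEPT\n' "$CHAIN" "$1"
    printf '/sbin/service iptables save\n'
}

# Constructed listing of the stock CentOS 5 chain: ssh is open, http is not.
SAMPLE_CHAIN='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

main() {
    # Use the live chain when we can read it (root), otherwise the sample.
    listing="$SAMPLE_CHAIN"
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        listing=$(iptables -L "$CHAIN" -n 2>/dev/null || printf '%s' "$SAMPLE_CHAIN")
    fi
    if chain_accepts_port "$listing" 80; then
        echo "port 80 is open; if the page still fails, look at SELinux (getenforce) or httpd itself"
    else
        echo "port 80 is blocked; run as root:"
        open_port_commands 80
    fi
}

main
```

The same check with 443 covers the HTTPS side once a certificate is on the box. Keeping iptables running means the MySQL port stays closed to the network, which is the point of not switching the firewall off.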

Comments

I’m not a big fan of Captcha use – sometimes it’s just a pain in the buttock. But I am even more of a not-big-fan of SPAM comments. They actually serve no purpose whatsoever. About 70% of the SPAM is for a site that doesn’t exist. 10% is for sites that exist and run just fine. The other 20% is for a site that does exist, but isn’t actually in the comments section – it’s in the SPAM bot’s website. A lot of good those do, right? That means 10% of all those comments (over 400 just this year) actually work. Now it’s obvious that I have been moderating them so no one else can see, but 360 comments this year have been utter BS.

So, starting today, I finally implemented the Captcha service for signing up for new users/making comments on the site. But I also made it so that all new comments are posted without delay (hopefully), so no more moderation (also hopefully).

***EDIT***

I’ve noticed that bots are still getting through. So I made the Captcha difficulty Medium instead of Easy. I have also added XSS JAVA based blocking protocols to the site, so hopefully that curbs the SPAM a little more. I guess I’ll always have to moderate it at least a little.

Ramblings Of An IT Person