VHCS On Ubuntu

I was given the project of DNS entries for several customers. After playing around with BIND9 for several hours (I actually got it to work for all sites EXCEPT http://sitename.tld – it worked fine for subdomains), a colleague suggested that I try VHCS. VHCS is a free software suite that allows for Virtual Hosts, DNS, and other web related items to be shared and easily managed between several groups. You can grab more data here: VHCS.net

I also chose to put this on Ubuntu because Debian packages are easy to install, Ubuntu is fully supported by a huge user base, and Ubuntu also has a very small footprint.

Once you download the suite, follow the Install directions all the way until you get an error similar to this:
If specified by -literal_key, then the key length must be equal to the chosen cipher's key length of 56 bytes at /var/www/vhcs2/engine/setup/../vhcs2_common_code.pl line 1443
Compilation failed in require at ./vhcs2-setup line (line whatever)

Here’s the fix:
nano /var/www/vhcs2/engine/vhcs2_common_code.pl
Control + W and search for db_pass_key
Any time you see 'key' => $main::db_pass_key fill in the following ABOVE the line:
'keysize' => 32,

Then rerun the script ./vhcs2-setup

P.S. By the way, the instructions don’t really mention that you have to copy some folders over. Make sure you copy everything in the vhcs2-2.4.7.1/configs folder to /etc/vhcs2/, otherwise it will fail out. If you get some postfix errors, that’s probably ok.

P.S. Part 2: There is a much easier product to set up: ISPConfig. You can find it at ISPConfig.com. I recommend using ISPConfig as it is actively maintained.

Webmin Install Ubuntu 8.04 Server

1.) Log into your server. You can use SSH or your TTY.
2.) wget http://prdownloads.sourceforge.net/webadmin/webmin_1.340_all.deb
3.) sudo dpkg -i webmin_1.340_all.deb
4.) If you get errors, just type sudo apt-get install -f (this will install all the required pre-reqs)

EDIT: I had this as 8.06 server, when in fact it’s 8.04. My mistake. And since I always seem to install this right after installing the server, it’s a good idea to apt-get update, then apt-get upgrade

EDIT PT 2: The newest package is webmin_1.430_all.deb

EDIT PT3: if you’re installing on a CENTOS 5 box (like I am right now), you’ll need to wget http://downloads.sourceforge.net/webadmin/webmin-1.430-1.noarch.rpm
and then rpm -i webmin-1.430-1.noarch.rpm

EDIT PT4: Newest package is webmin_1.470_all.deb (http://prdownloads.sourceforge.net/webadmin/webmin_1.470_all.deb)

EDIT PT 5: Newest is webmin_1.490_all.deb (http://prdownloads.sourceforge.net/webadmin/webmin_1.490_all.deb)

CentOS and VMWare Server 1.0.6/2.0.0

It was a toss up between a 64bit Ubuntu Server (8.04) and a 64bit CentOS Server (5.1). I couldn’t decide between the two, except for the fact that more people have installed VMWare server on CentOS than Ubuntu. And most of those people have been successful. Yay!

The server is a Dell PowerEdge 2850, 2X 3.0GHz Intel Xeon Processors (800FSB), 12GB RAM, 6X 300GB SCSI HD in RAID10 (1+0). It’s a beast. Why didn’t I go with a 32 bit OS? Because of the 2 to 4GB limitations imposed upon single processes. Take MySQL for example:
64-bit OS: MySQL will use up as much RAM as you have (actually it uses up roughly 8 out of 12GB in another server)
32-bit OS: MySQL will use up to 2GB RAM in the same spec server.

So I want to use VMWare to its full potential.
Install CentOS with most of the defaults. I didn’t choose to install support for virtualization.

First things first, UPDATE your server: yum update
Next we have to install GCC: yum install gcc
Then install the kernel development package: yum install kernel-devel
Reboot your system. This will make the new kernel active.
Download VMWare Server from vmware.com
tar xvfz vmware*.tar.gz
cd vmware-server-distrib
/etc/init.d/xinetd start
./vmware-install.pl

If you ever update the kernel you will need to run the VMware configuration again: /usr/bin/vmware-config.pl

Getting Samba to work was a whole different matter. Issues… Issues… Issues.

************************************************

2.0.0 is the same, but I made the mistake of installing the xen kernel on the development machine. VMWare will not work with the xen kernel – you will get an error:
You cannot install VMware Server on a system running a xen kernel

So then you must:

yum install kernel
yum remove xen kernel-xen
nano /boot/grub/grub.conf

and then make sure that the default entry in grub.conf loads the standard kernel and not the xen kernel. It probably does this automatically, but a few seconds here fixes issues down the road.
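
One way to make that grub.conf check without reading the file by eye, as an added example that is not part of the original post: the function reads a GRUB legacy grub.conf, finds the entry selected by default=, and reports whether that entry boots Xen. The function names and the sample file (with made-up kernel versions) are assumptions for illustration.

```bash
# Prints "<verdict>: <title>" for the entry grub.conf boots by default,
# where verdict is xen, standard or unknown.
grub_default_kernel() {    # $1 = path to a GRUB legacy grub.conf
    awk '
        /^[ \t]*#/ { next }                       # comments
        /^[ \t]*default[ \t=]/ {                  # default=N, counted from 0
            def = $0
            sub(/^[ \t]*default[ \t=]+/, "", def); sub(/[ \t]+$/, "", def)
            next
        }
        /^[ \t]*title[ \t]/ {                     # each title starts an entry
            n++; title[n] = $0
            sub(/^[ \t]*title[ \t]+/, "", title[n])
            next
        }
        # A Xen entry loads xen.gz on its kernel line and the -xen kernel
        # and initrd on module lines.
        n > 0 && /^[ \t]*(kernel|module)[ \t]/ && /xen/ { xen[n] = 1 }
        END {
            if (def == "") def = 0                # no default line: entry 0
            e = def + 1
            if (def !~ /^[0-9]+$/ || !(e in title)) {
                print "unknown: default=" def
            } else {
                verdict = (e in xen) ? "xen" : "standard"
                print verdict ": " title[e]
            }
        }
    ' "$1"
}

# Constructed sample in the CentOS 5 layout; the kernel versions are made up.
write_sample_grub_conf() {    # $1 = file to create
    cat > "$1" <<'EOF'
default=0
timeout=5
title CentOS (2.6.18-0.sample.el5xen)
    root (hd0,0)
    kernel /xen.gz-2.6.18-0.sample.el5
    module /vmlinuz-2.6.18-0.sample.el5xen ro root=/dev/VolGroup00/LogVol00
    module /initrd-2.6.18-0.sample.el5xen.img
title CentOS (2.6.18-0.sample.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-0.sample.el5 ro root=/dev/VolGroup00/LogVol00
    initrd /initrd-2.6.18-0.sample.el5.img
EOF
}

f=$(mktemp) && write_sample_grub_conf "$f"
grub_default_kernel "$f"     # on the real box: grub_default_kernel /boot/grub/grub.conf
rm -f "$f"
```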

Exchange 2007 Self-Signed Certificate

This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and outs of their network, but they’re a standard small business with 4 or 5 servers. And it’s been 53 weeks since they installed Exchange 2007.

Why is 53 a number you should scoff at? Every 52 weeks (365 days, 12 months, 1 year, 1/10th of a decade…) you have to re-sign the self-signed certificate that Exchange gives itself. Why do I even need a certificate, you ask. The certificate is required for all TLS communication. Anything that’s even remotely secured uses TLS. Outlook uses TLS. If the certificate is invalid or non-existent, Outlook will refuse to send and receive emails from your Exchange server. Not good. I’m not sure why their server lasted 53 weeks and not 52, but maybe the guy got it wrong (he’s fairly technical though).

Here’s a quick and easy way of renewing your certificate:
1.) On your Exchange 2007 server, open up the Exchange Management Shell
2.) Type “get-exchangecertificate” and hit enter. This will show all installed certificates.
Type “get-exchangecertificate | fl *” to show everything about the installed certificates.
Type “get-exchangecertificate | fl services, thumbprint” to show only the services with the thumbprint for each certificate.
3.) Type “get-exchangecertificate -thumbprint thumbprint_of_cert | new-exchangecertificate”
4.) Type “enable-exchangecertificate -thumbprint thumbprint_of_new_cert -services IMAP,POP,SMTP,IIS”
5.) Test the services
6.) Remove the old certificate. Type “remove-exchangecertificate -thumbprint thumbprint_of_old_cert”

You’ll have to do this every year if you use the self-signed certs. If you use a CA, the issued certificate will last anywhere from 1 to 5 years. You can also use your internal CA to issue new signed certificates. You can use the standard website template, and then use the Exchange Management Shell to add the services to the new certificate (enable-exchangecertificate -thumbprint thumbprint -services “imap,pop,smtp”). You can leave out IIS since it *should* already be there.
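
The yearly renewal is easy to miss until Outlook stops working, so here is an added example (not part of the original post) of an expiry check that can run from any machine with OpenSSL. It assumes you have a Base64 (PEM) copy of the server's certificate; the function names, subject and file names are made up, and the sample certificate is generated on the spot.

```bash
# Prints OK, RENEW_SOON, EXPIRED or UNREADABLE for one certificate file.
cert_expiry_status() {    # $1 = Base64 (PEM) certificate, $2 = warning window in days
    cert=$1
    warn_days=${2:-30}
    # Anything openssl cannot parse as an X.509 certificate is reported as such.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    # -checkend N exits non-zero when the certificate expires within N seconds.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo RENEW_SOON
    else
        echo OK
    fi
}

# Constructed stand-in for the server certificate: self-signed, valid for
# $2 days, with a made-up subject. The private key is discarded.
make_sample_cert() {    # $1 = output file, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=mail.example.test" >/dev/null 2>&1
    rm -f "$1.key"
}

d=$(mktemp -d)
make_sample_cert "$d/exchange.pem" 365    # one year, the self-signed lifetime described above
echo "30-day window:  $(cert_expiry_status "$d/exchange.pem" 30)"
echo "400-day window: $(cert_expiry_status "$d/exchange.pem" 400)"
rm -rf "$d"
```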

**** EDIT ****

New-ExchangeCertificate -SubjectName "DC=domain, DC=com, CN=server.domain.com" -DomainName server.domain.com,mail.domain.com -IncludeAcceptedDomains -IncludeAutoDiscover -Services "SMTP" -PrivateKeyExportable $true
This updates the certificate to cover all domains used by Exchange. You can also specify other domains like mail.domain, webmail.domain etc.

Get-ExchangeCertificate
Get-ExchangeCertificate | FL
These allow you to find the thumbprint of the certificate you created.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IMAP,POP,IIS
This will turn on the services for your thumbprinted certificate. Obviously you can choose which services to allow.

Export-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Path C:\SSCert.pfx -Password:(Get-Credential).password
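This exports your personal certificate as a PFX file with the password you choose at the prompt. Because the certificate was created with -PrivateKeyExportable $true, the PFX also contains its private key. This can then be pushed out to users to trust this file. Check for root certificate installations for other details.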

OR, if you have your own Certificate Authority:

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My, o=Site, cn=MyServer.MyDomain.com" -IncludeAcceptedDomains -Path c:\MyServer.MyDomain.com.req

Open this file using notepad or the like, and copy the information between the start and end of the certificate.
Now log into your Certificate Authority
http://CAServer/certsrv
Click Request a certificate
Submit an advanced certificate request
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Paste the certificate information from earlier
Change the Certificate Template to Web Server
Click submit

You should now have a certificate issued. You’ll probably want to download it – so select Base64 encoded and download the certificate. I always choose to download the full path AND the general cert.

Copy your newly issued/downloaded certificate to your Exchange server.
Import-ExchangeCertificate -Path c:\2009mycert.cer | Enable-ExchangeCertificate -Services SMTP,POP,IMAP,IIS

If you already have a certificate that’s the default one on Exchange, you’ll notice that the SMTP and IIS settings DO NOT STAY.
You’ll have to:
Enable-ExchangeCertificate -Thumbprint MYTHUMBPRINT -Services SMTP,IIS
Exchange will ask if you want to overwrite the current certificate with Y for yes.
You’re done!

Forgotten Passwords

I can’t tell you the number of people that come up to me and ask if I can retrieve their password. For certain devices I can either reset the password or I can figure out a way to reset the password. Several websites give options to reset your password. Several Instant Messaging programs give the option to reset your password. I’m really just trying to see how many times I can type “reset your password”.

So here’s the lowdown on what can be reset, and a mostly “how-to” do it:

Mac OS 6.* – 8.5: If you set up a password you’re a fool. The OS doesn’t support native passwords and is a single user OS. You set one? Reformat and start from scratch. Or just live with it.
Mac OS 8.6 – 9.*: Read above. The OS was meant to be a single user Operating System, but somewhere along the line someone decided it would be a good idea to include basic password login protection. Usually a reboot will yield an “auto login” situation where you can change the preferences of a screen saver password. Otherwise you’ll have to reformat once again.
Mac OS X.*: Here’s the really easy part – Apple has included the utility to reset the password for you. It’s on the Apple Installation Disc. Don’t have the disc? You’ll have to download or buy one then. Have the disc? Boot off of it (press and hold C while turning on the computer), and then when you see a menu at the top of the screen click on Utilities. You’ll now see a “reset password” option. You can get the rest from there.

Windows 95/98: Press ESC instead of trying to login.
Windows ME: Burn your computer and that crappy Operating System and buy a new one.
Windows 2000/NT/XP/2003/Vista: Find a linux boot disc (knoppix should work) that can edit SAM files and reset administrator passwords.

Ubuntu: Press ESC at the grub prompt, Press E for edit, Select the line that begins with Kernel and press E, Go to the very end of the line and add “rw init=/bin/bash” without the quotes, Press enter and then B to reboot. This will give you full root shell access, so then type “passwd username” to reset that user’s password.

A lot of people work in corporations with Active Directory Microsoft Windows computers. Here’s a couple things that people should know:
1.) Administrators do NOT know your password for your login to the computer. We can reset it, but we can’t retrieve it (with normal means)
2.) Administrators do NOT know your password for your personal chatting application. We, like EVERY OTHER PERSON, can go to the provider’s website (ie yahoo.com/aim.com/msn.com) and have them send a reset password email to the registered email address.
3.) Administrators do NOT know the POP server or IMAP settings to your personal email. I actually block access to POP and IMAP so I don’t have to hear this one daily.

No I Will Not Fix Your Computer

I stole this from another site (http://www.broowaha.com):

The real reason your company’s computer guy doesn’t want to work on your personal PC.

“I’m sorry, I don’t work on personal PC’s. It’s nothing personal, I promise”.

Have you ever heard these words come from the lips of your company’s in house IT guy? Have you ever asked and been rebuffed? Well don’t fret. Rest assured dear user, it really isn’t personal. A lot of us computer guys just don’t work on personal PC’s.

“But why not?” you ask. A computer is a computer right? If it’s broke you can certainly fix it and maybe make a little money on the side. It shouldn’t take you long, you’re an expert.

As tempting as tax free money on the side sounds, it usually just isn’t worth the hassle. That’s right, I said it. It’s a hassle for us to work on personal PC’s. The laundry list of why it is a hassle is long, but I will try to just touch on the most significant aspects of it.

First off you have to realize that people that work in a corporate or government IT dept are used to dealing with standardized hardware and software configurations and being in total control over the goings on of their network. We know the hardware and software inside and out. We are in control of the inventory, we know what types of printers we have, and know what the most common problems are that occur with our standardized hardware and software. We like to be in control. When you bring us your personal PC from home, we don’t know what kind of software you have installed, where it came from, or what kind of hardware you may have connected to it that may or may not be causing your issues.

Secondly, we don’t like to have to “overlook” stuff you may have on your computer that may or may not be “legal”. Is that copy of Office 2007 you have installed on your PC properly licensed? Did you pay for the thousands of mp3’s you have in your “My Music” folder? It honestly bothers us to work on somebody’s computer and see software like Limewire or the likes of it, because we then know you are illegally downloading music. Honestly we want no part of that. We don’t want to know because many of us possess professional technical certifications from Microsoft and others, and with those designations come ethical responsibilities and the like. These companies are our bread and butter if you will, and we don’t like to see them ripped off. Plus when you get sued by the RIAA, we don’t want to be called on to testify against you.

Thirdly, we honestly can’t charge you what our time is actually worth. When you bring in your PC loaded down with viruses and trojans, we could literally have to spend hours cleaning it up, and even then we may not be able to successfully clean it. Nasty infections are generally very difficult to get rid of and usually require that the operating system be reinstalled from scratch, which just adds time to our task.

Fourthly, (is that even a word?) we don’t enjoy working on computers as much as you might think. You know those guys you see on TV that are always messing with computers and talking about the latest whiz bang graphics card that renders a bajillion polygons per second? Guess what. We’re not them. We are IT professionals. We are usually highly specialized in our fields and concentrate on one area of expertise. We usually don’t know about the latest graphics card unless one of our AutoCAD users is getting a new machine and it requires a high end graphics processing unit. To us computers are just a job, a way to make a living. When we go home at night, we want to spend time with our families, chilling in front of the tube and eating dinner. We don’t want to spend all evening trying to figure out why your ipod won’t talk to your computer.

Please understand I’m not trying to be rude. I’m just trying to make it easier for you to understand that it’s really not personal, it’s not that we don’t like you. We really just don’t like to work on personal PC’s.

Virus EXE Rundll32 Issue

I love it when people bring in their virus-laden machines for me to look at. They always come up with some silly excuse for why it’s not working or how it’s broken: “I let [insert name of child here] play on it the other day and now it’s running slow” or “I haven’t been able to use email for the last few months but thought nothing of it until the computer started deleting my files and randomly rebooting”. GOLD!

I’m usually pretty good at getting rid of a virus if it’s in the early stages. Adware, malware, popups, backdoor trojans, they’re all pretty easy to dispose of. Some of the hijack programs that take over the homepage for IE are pretty tough though.

The steps I go through are usually the same:
1.) MSconfig and remove all non-microsoft programs
2.) Install nod32 and kick the crap out of whatever was installed

Although a lot of times I’m not able to run any commands. Recently I couldn’t open any EXE files on a system. It kept looking for rundll32.exe and not finding it (windows\system32\rundll32.exe). So then msconfig, add remove programs (control appwiz.cpl), and even the system information (windows key + pause/break) didn’t work. I couldn’t even open cmd.exe without problems – lucky for me it was an associated filetype for exe files.

So then, with the command line open:
1.) Download The EXE Registry Fix and import it into your registry
2.) SFC /scannow (this requires either the i386 folder or the windows installation media to check and see if all the required microsoft files are in place)
3.) MRT (Microsoft’s Malicious Software Removal Tool)
4.) msconfig and uncheck any non-microsoft related items

Someone also told me that the exe file association could have broken this computer. I didn’t try it since I only imported the registry key and it worked. But here are the steps to do that too:

1.) CMD
2.) assoc .exe=exefile

Ramblings Of An IT Person