Please donate to vCommunity Trust Inc. to help the economically challenged to obtain their technical education and certification

$
       
Posted by Picasa
 
Posted by Picasa
Finding potentially unused IP addresses or invalid DNS
Disco Dancing with iTach
Likewise Open Tips

Finding unused IP addresses and invalid DNS entries

The method used in the example below will not help eliminate all invalid DNS entries or find IPs that are live yet unused, however, it will provide a fairly efficient means of finding unused IPs that are not pingable at the moment and provide a list of potentially invalid reverse lookup entries which in turn would also give you clues you need to start looking for invalid A records, etc.

For this example I am going to assume we want to find unused IP addresses and potentially invalid DNS entries for the network range 192.168.1.1-100

From the prompt of your linux host with nmap installed run:

nmap -v -sP 192.168.1.1-100|grep down |for i in `awk '{print $2}'`;do host $i;done

  • nmap -v -sP 192.168.1.1-100 performs ping scan and returns status for specified range
  • grep down - filters the list to only return non-pingable hosts
  • for i in `awk '{print $2}'` - filters the list further to only return the IP addresses in a loop to do the host [ip address] lookup for each IP returned

One could easily substitute host with nslookup or dig but I chose host to streamline the output for readability.

Bottom line is that if you see output similar to the following:

Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

Then you can probably safely use 192.168.1.5 for a new device and DNS entry although it would be safer to scan the DNS table by IP for forward lookup entries first.

On the other hand, if you see output similar to:

5.1.168.192.in-addr.arpa domain name pointer name.domain.com

Then you most likely have a system that is shutdown at the moment which uses that address or an invalid/outdated DNS entry to clean up.

One could easily schedule this command to run with cron and send output to an email or ticketing system for regularly scheduled DNS maintenance

Generate Wildcard SSL for Apache 2.x using OpenSSL
openssl req -new -newkey rsa:2048 -nodes -keyout star.domain.key -out star.domain.csr
Convert an Apache Cert and Key to IIS format
openssl pkcs12 -export -out star.domain.pfx -inkey star.domain.key -in star.domain.crt
Import Key into IIS from pfx format:
  1. Start > Run
  2. Type in MMC and click GO
  3. Go into the Console Tab > select Add/Remove Snap-in
  4. Click on Add > Double Click on Certificates and click on Add > OK
  5. Select Computer Account
  6. Select Local Computer
  7. Click the + to Expand the Certificates Console Tree
  8. Right click on the Personal Certificates Store
  9. Choose > ALL TASKS > Import
  10. Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
  11. In your IIS manager, right-click on the site that you would like to use the certificate and select properties.
  12. Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.
  13. If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.
  14. Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported and supply the password used to create the pfx file.
  15. Finish the certificate wizard.
  16. Restart the server.

Extract values within quotes from com...

Extract values within quotes from command output on Linux using perl

For example:
To obtain all values within quotes from the output of a jstack command you could

 ./jstack <pid> |perl -lne 'print $1 if (/"(.*)"/)' 

and if you wanted a count of how many quoted values there are

 ./jstack 23545 |perl -lne 'print $1 if (/"(.*)"/)' |wc -l

Oracle on Linux RMAN from Netbackup t...

Oracle on Linux RMAN from Netbackup to Avamar Backup Client


I recently migrated some Oracle 10g and 11g RHEL 5 VM’s and Physical boxes from Netbackup based clients to Avamar clients with the RMAN plugin. I will create a separate post regarding automation of the AvamarClient setup and focus on the RMAN configuration for event/client driven backup here.

First thing I did before automating any of the processes was to download the required docs and binaries from the Avamar web interface. There is a Documents and Downloads link at the bottom of the page of the following sample url:

http://avamarservernameorip

Then I downloaded the Avamar Oracle Client User Guide and the appropriate binaries for the platform from the right hand column, for example:

AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm

AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm

Also, ask your friendly EMC Avamar installer to provide a copy of AvOracleRMAN.pdf and AvOracleDatabasePrep.pdf which provide a lot more detail than the Client User Guide.

Installation and registration of the Avamar Client

1. As root cd to location of downloaded rpms

2. Type rpm -ivh AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm

3. Type /usr/local/avamar/bin/avregister

4. Enter the fqdn of the Administrator server when prompted [avamarserver.domain.com]

5. Enter the Avamar server domain [clients] when prompted

6. The Avamar Client installation is now complete

Installation of the AvamarRMAN Plugin

1. As root cd to location of downloaded rpms

2. Type rpm -ivh AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm

3. Update iptables with following rules to allow secure backups and also update any firewalls to allow backup through these ports:
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 28002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 27000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 29000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8672 -j ACCEPT

4. Create a new user account that will have access to backup/restore jobs on the domain containing the Oracle backup jobs using the Avamar Administrator Console.

5. Create a my-avtar-flags.txt file for linux in /usr/local/avamar/bin containing:
–pidname=Oracle
–pidnum=1002
–logfile=/usr/local/avamar/var/avtar.log
–vardir=/usr/local/avamar/var
–id=[userid from prior step]
–ap=[password from prior step]
–path=[/domain/oracleservername]
–expires=[number in days]

6. Create RMAN scripts (avorabackup and avorarestore) that can be launched with cron or scheduler of your choosing, examples below:

launch this example backup script from a file named avorabackup as follows:


       rman target / nocatalog @avorabackup


run {

configure device type sbt clear;

allocate channel c1 type ‘SBT_TAPE’ PARMS=”SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)” format ‘%d_%U’;

send ‘”–flagfile=/usr/local/avamar/bin/my-avtar-flags.txt” ‘;

send ‘”–sysdir=/usr/local/avamar/etc” “–bindir=/usr/local/avamar/bin” “–vardir=/usr/local/avamar/var”‘;

configure retention policy to recovery window of 10 days;

configure retention policy to redundancy 2;

backup database plus archivelog;

delete noprompt obsolete;

crosscheck backupset;

release channel c1;

}


launch this example restore script from a file named avorarestore as follows:


     rman target / nocatalog @avorarestore


run {

allocate channel c1 type ‘SBT_TAPE’ PARMS=”SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)” format ‘%d_%U’;

send channel=’c1′ ‘”–flagfile=/usr/local/avamar/bin/my-avtar-flags.txt” ‘;

send ‘”–sysdir=/usr/local/avamar/etc” “–bindir=/usr/local/avamar/bin” “–vardir=/usr/local/avamar/var”‘;

restore database;

recover database;

release channel c1;

}


NTP Update PoSH for ESX

NTP Update PoSH for ESX

$Cluster = "<cluster name>"
$Hosts = Get-Cluster $Cluster | Get-VMHost
ForEach ($Host in $Hosts)
{
Remove-VmHostNtpServer -NtpServer "x.x.x.x" -VMHost $Host | Out-Null
Remove-VmHostNtpServer -NtpServer "x.x.x.x" -VMHost $Host | Out-Null
Add-VmHostNtpServer -NtpServer "ntp0.sysxperts.com" -VMHost $Host | Out-Null
Add-VmHostNtpServer -NtpServer "ntp1.sysxperts.com" -VMHost $Host | Out-Null
Get-VMHostService -VMHost $Host | Where-Object {$_.key -eq "ntpd"} | Restart-VMHostService Confirm:$false | Out-Null
write "NTP Server was changed on $host"
}

Enabling a VirtualBox Win7 guest to connect to 8021x

Enabling a VirtualBox Win7 Guest to Connect to 802.1x Corporate Network


Disable everything but the VirtualBox Bridged Networking Driver on the interface connected to the corp. LAN and also disable authentication as this will be handled by the guest OS.


 image


image



Disable VirtualBox on the interface connected to your Internet enabled network

image



Create 1 bridged interface and 1 host only interface on your VirtualBox Guest under Virtual Box Settings then power on Guest and go to Network Connections to verify

image

  image



On the bridged interface you will enable authentication for 802.1x and edit settings as follows.

image

 

 

Settings - edit servernames with your own Domain Controllers/802.1x auth providers

image



Additional settings - Set to User Authentication and replace credentials with your Domain auth in the form DOMAINNAME\username

On the Host Only interface set it to a static IP in the same range as that which is configured on the Host as shown under File > Preferences > Network


image

 

image



Now you should be able to join your Windows 7 guest to the domain and access corporate resources with 802.1x authentication.

And your shared local drive too if you added under Devices > Shared Folders

image


Enabling a VirtualBox Win7 guest to connect to 8021x

Enabling a VirtualBox Win7 Guest to Connect to 802.1x Corporate Network


Disable everything but the VirtualBox Bridged Networking Driver on the interface connected to the corp. LAN and also disable authentication as this will be handled by the guest OS.


 image


image



Disable VirtualBox on the interface connected to your Internet enabled network

image



Create 1 bridged interface and 1 host only interface on your VirtualBox Guest under Virtual Box Settings then power on Guest and go to Network Connections to verify

image

  image



On the bridged interface you will enable authentication for 802.1x and edit settings as follows.

image

 

 

Settings - edit servernames with your own Domain Controllers/802.1x auth providers

image



Additional settings - Set to User Authentication and replace credentials with your Domain auth in the form DOMAINNAME\username

On the Host Only interface set it to a static IP in the same range as that which is configured on the Host as shown under File > Preferences > Network


image

 

image



Now you should be able to join your Windows 7 guest to the domain and access corporate resources with 802.1x authentication.

And your shared local drive too if you added under Devices > Shared Folders

image


vDR locks snapshots upon failed backup

vDR locks snapshots upon failed backup

So if you've reviewed all the snapshot troubleshooting on the web and still have not found a solution to your problem you might be the victim of a bad vDR configuration.

We decided to give vDR a try in our Test and Dev environment to reduce backup licensing costs and ran into problem where if the vDR backup failed the snapshots would fill up the LUNs and we had no luck removing or consolidating them using any of the methods available.

The quick fix ended up being as follows:
1) Shut down the vDR appliance
2) Detach the disks with orphaned snapshots from the appliance
3) Verify and correct for space requirements on target LUNs
4) Create a new snapshot with vSphere client (or service console)
5) Delete snapshot with vSphere client (or service console)
6) All went well and we were back in business at this point

Investigating preventative measures at the moment, will update with findings.

OpenVPN

OpenVPN

This installation of OpenVPN applies to Ubuntu 9.10

sudo apt-get install openvpn  # to intall the openvpn server


Copy the required example files to /etc/openvpn 
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0

Build the Certificate Server
. ./vars
./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

# ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MN]:
State or Province Name (full name) [Minnesota]:
Locality Name (eg, city) [Andover]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:openvpn1.sysxperts.com
Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "openvpn1.sysxperts.com".

Now build the OpenVPN server certificate and key
./build-key-server openvpn1
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "openvpn1".  Two other queries require positive YES responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Build client certificates and keys
./build-key pvalentino
./build-key user2
Remember to type the appropriate Common Name for each client when prompted, i.e. "username1", "client2", or "server3". Always use a unique common name for each client.

For greater security, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.

Build the required Diffie-Hellman parameters for the OpenVPN server
./build-dh

Now we will find our newly-generated keys and certificates in the keys subdirectory (/etc/openvpn/easy-rsa/2.0/keys). Here is an explanation of the relevant files:
FilenameNeeded ByPurposeSecret
ca.crtserver + all clientsRoot CA certificateNO
ca.keykey signing machine onlyRoot CA keyYES
dh{n}.pemserver onlyDiffie Hellman parametersNO
openvpn1.crtserver onlyServer CertificateNO
openvpn1.keyserver onlyServer KeyYES
pvalentino.crtpvalentino onlypvalentino CertificateNO
pvalentino.keypvalentino onlypvalentino KeyYES
user2.crtuser2 onlyuser2 CertificateNO
user2.keyuser2 onlyuser2 KeyYES
server3.crtserver3 onlyserver3 CertificateNO
server3.keyserver3 onlyserver3 KeyYES

-rw-r--r-- 1 root       root 4003 2010-01-22 17:41 openvpn1.crt
-rw------- 1 root       root  887 2010-01-22 17:41 openvpn1.key


Copy sample configuration files to /etc/openvpn for server side configuration
cd /usr/share/doc/openvpn/examples/sample-config-files
gzip -d server.conf.gz
cp server.conf /etc/openvpn/

Edit /etc/openvpn/server.conf as follows:
In my environment I'm using the following:
192.168.1.206 is the OpenVPN server interface and my internet access device is configured to NAT forward port 1194 udp to that address.  These settings can typically be found under Port Forwarding on a Netgear router or under Applications and Gaming Settings on a Linksys router.
10.8.18.0  is my VPN subnet
10.1.1.0 is another private subnet on my network

# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.206

port 1194

# TCP or UDP server?
;proto tcp
proto udp

;dev tap
dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret

dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.8.18.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/ipp.txt


# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

verb 3

mute 20


OpenVPN iptables rules to allow traffic to local subnets attached to eth0 and eth1 on the OpenVPN server
without the need for a bridging config

iptables --append FORWARD --in-interface tun0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

iptables-save > /etc/iptables.rules

Then modify /etc/network/interfaces like so in my case (NOTE the pre-up line)
This restores my iptables nat rules after a reboot:

auto eth0
iface eth0 inet static
    address 192.168.1.206
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1
        pre-up iptables-restore < /etc/iptables.rules
auto eth1
iface eth1 inet static
    address 10.1.1.200
    netmask 255.255.255.0
    network 10.1.1.0


For client configuration email, scp, or sftp a copy of client.conf to yourself for editing and providing to the clients ensuring that configuration is compatible with server side.  Below is example Tunnelblick client.conf which works with the server.conf above.  This client.conf is for a Mac using Tunnelblick with it's config stored under /Users/pvalentino/Library/Application Support/Tunnelblick/Configurations/client.conf.  Be sure to secure your private key on each client as well by removing group and other access with chmod go-rwx client.conf.

Tunnelblick for OSX client example: 
client

;dev tap

dev tun
;dev-node MyTap

;proto tcp
proto udp



# for me i use dyndns.org dyndns updater to keep my dhcp comcast address in sync with domain name
# you can get a free dyndns.org hostname and download the updater for free as well
remote openvpn1.sysxperts.com 1194

nobind

user nobody
group nogroup

persist-key
persist-tun


mute-replay-warnings

# Note that these files must be provided - ca.crt and client cert must come from openvpn server and key may come from server or from client depending on how you generate csr
ca /Users/pvalentino/ca.crt
cert /Users/pvalentino/pvalentino.crt
key /Users/pvalentino/pvalentino.key

ns-cert-type server

;tls-auth ta.key 1

;cipher x

comp-lzo

verb 3
mute 20

OpenVPN Windows client example:
For example, on Windows 7 64bit client install the OpenVPN client with default options, change the network connection name to MyTap under change adapter settings for the TAP-Win32 Adapter V9 interface.  Then create and save the file below into c:\Program Files(x86)\openvpn\config as client.ovpn.

client

;dev tap
dev tun

dev-node MyTap

;proto tcp
proto udp

remote openvpn1.sysxperts.com 1194

nobind

# Not valid on windows
;user nobody
;group nogroup

persist-key
persist-tun


mute-replay-warnings

# Note the use of double backslashes on a windows client and I put them in a folder I manually created under my users folder
ca C:\\Users\\pvalentino\\openvpncerts\\ca.crt
cert C:\\Users\\pvalentino\\openvpncerts\\client2.crt
key C:\\Users\\pvalentino\\openvpncerts\\client2.key

ns-cert-type server


comp-lzo

verb 3
mute 20

When you run the openvpn client on windows be sure to right-click and select run as administrator or the software will not be able to create necessary routing configurations for the tunnel.

After saving config and starting the application with administrator privileges you will have a new icon in your system tray.  Simply right-click and select connect to establish the tunnel.

If there are problems right-click the same icon and choose View Log to start the troubleshooting process.