tag:blogger.com,1999:blog-51681521685122657672024-02-19T01:37:54.388-06:00My Tech Notes and StuffVarious and sundry technical notes and instructions for myself or anyone who cares to decipher themPaul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.comBlogger164125tag:blogger.com,1999:blog-5168152168512265767.post-38231344757079886592011-08-10T22:27:00.000-05:002011-08-10T22:28:59.336-05:00<span class="Apple-style-span" style="color: rgb(51, 51, 51); font-family: 'Lucida Grande', 'Lucida Sans', Verdana, Arial, sans-serif; font-size: 13px; line-height: 19px; background-color: rgb(255, 255, 255); "><h3 xmlns="http://www.w3.org/1999/xhtml" id="sites-page-title-header" align="left" style="font-size: 1.8em; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-left: 10px; padding-right: 10px; font-family: Palatino, 'Palatino Linotype', serif; color: rgb(183, 100, 1); "><span id="sites-page-title" dir="ltr">How To Form A Nonprofit Public Charity In About 1 Year</span></h3><span class="announcementsPostTimestamp" id="afterPageTitleHideDuringEdit" style="font-size: 11px; margin-top: 0px; margin-right: 12px; margin-bottom: 0px; margin-left: 12px; color: rgb(102, 102, 102); ">posted <span xmlns="http://www.w3.org/1999/xhtml" dir="ltr">Aug 6, 2011 8:36 AM</span> by Paul Valentino <span id="sites-announcement-updated-time" class="updatedTime" style="font-weight: bold; ">[ updated <span timestamp="1313001598104" issitelocale="true" title="Aug 10, 2011 11:39 AM" dir="ltr">8 hours ago</span> ]</span></span><div id="sites-canvas-main" class="sites-canvas-main" style="background-color: transparent; min-height: 150px; padding-bottom: 5px; padding-top: 15px; "><div id="sites-canvas-main-content"><table xmlns="http://www.w3.org/1999/xhtml" cellspacing="0" class="sites-layout-name-one-column sites-layout-hbox" style="width: 1080px; table-layout: fixed; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; 
"><tbody><tr><td class="sites-layout-tile sites-tile-name-content-1" style="vertical-align: top; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; "><div dir="ltr"><div>It all started with an idea in the year 2010 at VMworld in San Francisco as outlined on the page:<a href="http://www.vcommunitytrust.org/origins" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">http://www.vcommunitytrust.org/origins</a></div><div>
</div><div>Even though we knew very little about nonprofit organizations, we were confident that we would be able to figure things out with the help of the community. We were right; people like @clinek, @SirStan and others came forward to help review our 1023 Application as well as other business documentation. As a result of this assistance we were able to avoid many common pitfalls that companies face when starting a nonprofit organization. Also, keep in mind that the majority of our efforts were coordinated through social media such as Twitter and Facebook, and continue to be to this very day. We have board meetings using Skype due to the distributed nature of our team; we use Twitter, Facebook, blogging and Google Apps extensively for providing updates, collaborating on documentation or disseminating information. We've even had the great pleasure of <a href="http://www.sysxperts.com/home/announce/cwtpodcastwithvcommunitytrustinc" target="_blank">participating in a podcast</a> with our good friend @Niketown588. We would not and could not exist in our current form without these social media resources.</div><div>
</div><div>The <a href="http://www.sos.state.mn.us/index.aspx?page=1089" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">Office of the Secretary of State</a> and <a href="http://www.minnesotanonprofits.org/" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">MN Council of Nonprofits</a> websites proved to be key resources for helping to determine requirements for establishing a nonprofit corporation in Minnesota. A wealth of information for establishing a 501(c)(3) nonprofit organization was also found at the <a href="http://www.irs.gov/charities/index.html" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">IRS </a>web site. 
Furthermore, one of the greatest forms of assistance came from reviewing examples of other nonprofit 1023 applications, Articles of Organization and Bylaws. Many were found on the web, by request (public charities must provide copies of certain documents for a small fee upon request if they don't already publish them online) and by friends who are members of private foundations and public charities. Of course, we needed to apply our own business plan and mission when drafting our business documents but the examples provided a wealth of direction for satisfying all of the required elements, especially in the case of the attachments to the 1023 Application.</div><div>
</div><div>After choosing our name we needed to confirm that it was available. Although it was only required that the name be available in MN, we did a more extensive search to ensure that we wouldn't have any naming conflicts with companies in other states or countries. We also made sure that we wouldn't have any issues with registering our domain name. To confirm availability in MN we used the <a href="http://da.sos.state.mn.us/minnesota/corp_inquiry-find.asp?:Norder_item_type_id=9&sm=6" target="_blank" rel="nofollow">Name Availability</a> tool on the Secretary of State website. Once we felt comfortable that we wanted to move forward with the name, we filed a <a href="http://www.sos.state.mn.us/Modules/ShowDocument.aspx?documentid=5255" target="_blank" rel="nofollow">name reservation</a> form online with the required fee of $45.00 at the time of our filing on September 20, 2010. 
We also filed for our <a href="http://www.irs.gov/businesses/small/article/0,,id=102767,00.html" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">EIN</a> online with the IRS being careful to follow the instructions for a nonprofit.</div><div>
</div><div>We then spent the next three days researching the requirements for a nonprofit organization's Articles of Organization and Bylaws, keeping in mind that we intended to apply for 501(c)(3) tax-exempt status with the IRS. Amazingly, we had a fully drafted and reviewed set of documents, which we submitted on September 23, 2010 with the $80.00 fee, and obtained our <a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B-Jw_S7LnADjZWJjZGJhZGItZjFhNS00NTk0LWI3NjgtYTNhNTIxYTFiYzFj&hl=en_US" target="_blank">Certificate of Incorporation</a> as a Minnesota nonprofit formed under 317A on September 24th. 
The key thing to remember with your business filing is that it must be renewed every year to maintain nonprofit status; in our case we must go to the Minnesota Office of the Secretary of State's <a href="https://online.sos.state.mn.us/abr/corp_annual_filing.asp" target="_blank" rel="nofollow">Online Annual Renewal Filing</a> page to stay current with our filing (no fee is required unless a name change, address change, or registered agent change dictates an Amendment to Articles, which carries a $45 fee for online filing). Similarly, we must file Form <a href="http://www.google.com/url?sa=t&source=web&cd=1&ved=0CCwQFjAA&url=http%3A%2F%2Fwww.irs.gov%2Fpub%2Firs-pdf%2Ff990.pdf&ei=971CTrnXAYjgsQLP9OzYCQ&usg=AFQjCNFO9PtpZVPcG6zmI6puIiLXzKubxA" target="_blank">990</a> annually with the IRS, and may be eligible to file the e-postcard <a href="http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.irs.gov%2Fcharities%2Farticle%2F0%2C%2Cid%3D169250%2C00.html&ei=xr1CToHtD4igsQK3jpm7CQ&usg=AFQjCNHGnoN6cAdQ8xOioLlQ6gn1Q7LfNg" target="_blank">990-N</a> if donations remain below $25,000 per year.</div><div>
</div><div><a href="https://docs.google.com/document/d/1ZIQ2HVBJwJYaQv5LryIwZ_VaAPMWLDAWwnVAEI2_Bp8/edit?hl=en_US" target="_blank" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">Articles of Incorporation</a></div><div>
</div><div><a href="https://docs.google.com/document/d/1pJUMMB67sMOIIN_Qx2UQXcZEnTI4e2exjBMfSUyAyoU/edit?hl=en_US" target="_blank" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">Bylaws</a></div><div>
</div><div>At this point the fun began. We spent the next three months completing the 1023 Application for 501(c)(3) and the associated attachments. When you view the document links below it will be fairly obvious why three months were required, especially considering that we are full-time employees and were doing as much as we possibly could in the off hours (wee hours of the night). With business plan in hand and all the examples we could muster out of the interwebs as well as friends, we plugged away and were able to file on January 11, 2011 with the required $400 fee (the fee can be larger for a company expecting greater income). Then the waiting game began; the IRS processes 1023 Applications on a first come, first served basis, so the wait time varies with the volume of applications.</div><div>
</div><div><a href="http://search.irs.gov/web/query.html?col=allirs&charset=utf-8&qp=&qs=-Wct%3A%22Internal+Revenue+Manual%22&qc=&qm=0&rf=0&oq=&qt=form+1023&search.x=0&search.y=0" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">1023 Application</a> and <a href="https://docs.google.com/leaf?id=0B-Jw_S7LnADjMjhkYjMzZjgtNTlkMy00Nzg0LWEyY2ItNjZlZjYzNmRiNjRk&hl=en_US" target="_blank" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">Attachments</a></div><div>
</div><div>Now it is worth noting that even if you file the appropriate change of address forms with the IRS, the department processing your 1023 application won't get that update and will inevitably continue sending notifications to your old address, so be sure to send a copy of any change of address forms to the address you sent the 1023 Application to, or, if you've already been assigned an agent, you may send them a fax with the information (Can you tell that we don't know this from our personal experience :-). Once our agent was assigned, the process was rather painless as she proved to be very helpful. We simply needed to file one Amendment for Article IV (if you copy the verbiage from this Amendment rather than using what we submitted in the original Articles above, you can save this step and the $45 fee that goes with it) and answer a few simple questions. Once we faxed all the information back it was only a matter of a couple of weeks before we received our letter of determination. Once we did receive the letter, it was only a matter of a couple of days after providing the required documents to the merchants before we got our Donation buttons up and running again for both Google Merchant and PayPal.</div><div>
</div><div><a href="https://docs.google.com/a/vcommunitytrust.org/leaf?id=0B-Jw_S7LnADjZmFjNjM0MzAtNjMwYS00NjRhLTg3ZDktNTY4YzExMGE2ZGRm&sort=name&layout=list&num=50" target="_blank" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">1023 Responses</a> </div><div><a href="https://docs.google.com/leaf?id=0B-Jw_S7LnADjZTMzYjZhNTYtZjM2NS00OTc4LWI5MTUtMjhhNzU1OTNmOTE4&hl=en_US" target="_blank" style="color: rgb(51, 51, 51); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(231, 231, 231); font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">Amendment to Article IV required for response</a></div><div>
</div><div>
</div><div>Yay! On August 4th, 2011 the LOD (letter of determination) arrived, stating that we are officially a tax-exempt nonprofit public charity.</div><div><a href="https://docs.google.com/a/vcommunitytrust.org/leaf?id=0B-Jw_S7LnADjZDlmMjBlZjYtYWEwYy00YjIzLWI4MTAtZTUwOGQxNTI1NWY3&sort=name&layout=list&num=50" target="_blank">Letter of Determination</a></div><div>
</div><div>Some other considerations were the creation of a website and establishing nonprofit merchant accounts for accepting donations. We chose Google Sites and Google Apps to ensure no monthly administration fees and for their ease of use. So far we've been perfectly willing to accept the limitations on customizing our site, because we'd much rather not have to rely on public donations to cover any expenses other than certification and training costs. In hindsight, it would have been better to wait for our letter of determination before establishing merchant accounts, because they ended up disabling our ability to accept donations shortly after we were set up, since we did not have a letter of determination yet. It did not help matters that we sent all of our filings and a copy of our submitted 1023 Application to the merchants either. </div><div>
</div><div>We wanted to ensure that public donations would primarily serve the needs of the candidates, and we're proud to say that less than $30 of our donations to date have been used for administrative expenses. The board of directors contributed all of the fees for the 1023 Application and all of the business filings; we only needed to use a small amount of the donations to obtain certified copies of our business documents for banking purposes. This is also a factor in choosing not to seek paid professional services but rather volunteer professional services. Our primary purpose is to further the cause of education and get people certified in a way that ensures real-world success; therefore, we gratefully accept volunteer assistance from qualified professionals to meet our goals.</div><div>
</div><div>
</div><div>We hope you find this information useful and of value. If so, please consider making a financial, software, and/or hardware donation. Every contribution helps tremendously. </div><div>
</div><div><a href="http://www.vcommunitytrust.org/donations" target="_blank" rel="nofollow" style="color: rgb(183, 100, 1); text-decoration: underline; background-image: url(http://www.gstatic.com/sites/p/42173f/system/app/themes/solitudespice/bg_link.gif); background-attachment: initial; background-origin: initial; background-clip: initial; background-color: initial; font-weight: bold; padding-top: 2px; padding-right: 2px; padding-bottom: 2px; padding-left: 2px; background-position: initial initial; background-repeat: repeat no-repeat; ">http://www.vcommunitytrust.org/donations</a></div><div>
</div><div>
</div><div>Regards,</div><div>
</div><div>Paul Valentino - Chairman</div><div>vCommunity Trust Inc.</div><div>@vcommunitytrust</div><div>@sysxperts</div></div></td></tr></tbody></table></div></div></span><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com3tag:blogger.com,1999:blog-5168152168512265767.post-26889030755361330052010-10-05T14:31:00.003-05:002010-10-05T14:37:58.977-05:00<p><strong>Please donate to vCommunity Trust Inc. to help the economically challenged to obtain their technical education and certification</strong></p>
<script type="text/javascript">
function validateAmount(amount){
  // Accept only a plain decimal amount: digits with an optional fractional part.
  // This is a client-side convenience check only; the payment service must
  // still validate the amount against the min/max price fields on its side.
  if(amount.value.match(/^[0-9]+(\.([0-9]+))?$/)){
    return true;
  }else{
    alert('You must enter a valid donation.');
    amount.focus();
    return false;
  }
}
</script>
<form action="https://checkout.google.com/cws/v2/Donations/972047343592492/checkoutForm" id="BB_BuyButtonForm" method="post" name="BB_BuyButtonForm" onSubmit="return validateAmount(this.item_price_1)" target="_top">
<input name="item_name_1" type="hidden" value="vCommunity Trust Donation"/>
<input name="item_description_1" type="hidden" value="Donations to help the economically challenged attain their VCP (VMware Certified Professional) Certification."/>
<input name="item_quantity_1" type="hidden" value="1"/>
<input name="item_currency_1" type="hidden" value="USD"/>
<input name="item_is_modifiable_1" type="hidden" value="true"/>
<input name="item_min_price_1" type="hidden" value="0.01"/>
<input name="item_max_price_1" type="hidden" value="25000.0"/>
<input name="_charset_" type="hidden" value="utf-8"/>
<table cellpadding="5" cellspacing="0" width="1%">
<tr>
<td align="right" nowrap="nowrap" width="1%">$ <input id="item_price_1" name="item_price_1" onfocus="this.style.color='black'; this.value='';" size="11" style="color:grey;" type="text" value="Enter Amount"/>
</td>
<td align="left" width="1%">
<input alt="Donate" src="https://checkout.google.com/buttons/donateNow.gif?merchant_id=972047343592492&w=115&h=50&style=trans&variant=text&loc=en_US" type="image"/>
</td>
</tr>
</table>
</form><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-52663120851919933962010-08-06T22:23:00.000-05:002010-08-06T22:23:39.924-05:00<a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwxLvEAc7_v0rXq727kINrzGK0Fwx3uxJT1rtKo4mdhmxvyQlmFFyMiyUPJwUD9Fof4jYq9lleaDsjkx-r68QfxSJ9BEMJ8B6wjADI_qCHvPfpOLP1Cv-nKvKtL9AwrpDR6UYLV7V9IUU/s1600/001.JPG'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwxLvEAc7_v0rXq727kINrzGK0Fwx3uxJT1rtKo4mdhmxvyQlmFFyMiyUPJwUD9Fof4jYq9lleaDsjkx-r68QfxSJ9BEMJ8B6wjADI_qCHvPfpOLP1Cv-nKvKtL9AwrpDR6UYLV7V9IUU/s400/001.JPG' border='0' alt='' /></a>
<a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKV9FpdLzLJC_8Ovfr2hktF_e14-7HAsb7aSofgw3v4cqteI96HXHLqRzha8UZQsTkpIHLFKGXWFRHVOWomjfhNg5EMEzBNkOGvSSf1wvdq5MUzIuvqBXs6w5wNLMQlE9xf0ZRsTp0Giw/s1600/002.JPG'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKV9FpdLzLJC_8Ovfr2hktF_e14-7HAsb7aSofgw3v4cqteI96HXHLqRzha8UZQsTkpIHLFKGXWFRHVOWomjfhNg5EMEzBNkOGvSSf1wvdq5MUzIuvqBXs6w5wNLMQlE9xf0ZRsTp0Giw/s400/002.JPG' border='0' alt='' /></a>
<a href='http://4.bp.blogspot.com/_jrKWd_g_U9g/TFzRuPnxURI/AAAAAAAAZ4Q/T8Hpb_ZlUyM/s1600/003.JPG'><img src='http://4.bp.blogspot.com/_jrKWd_g_U9g/TFzRuPnxURI/AAAAAAAAZ4Q/T8Hpb_ZlUyM/s400/003.JPG' border='0' alt='' /></a>
<a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimhBARCmqPHBu2d422Zorcd_AmsvoqQCVOAvBKZHd22PHe9d7m7y1nNe24_tgRTbaqTsIRAreofOesQo_M8dZqdyxobmNWbP8a7yBXG-bsL-I1YVGRPIu4iRkEZ7xpnv2emrTdr1jMxZ8/s1600/004.JPG'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimhBARCmqPHBu2d422Zorcd_AmsvoqQCVOAvBKZHd22PHe9d7m7y1nNe24_tgRTbaqTsIRAreofOesQo_M8dZqdyxobmNWbP8a7yBXG-bsL-I1YVGRPIu4iRkEZ7xpnv2emrTdr1jMxZ8/s400/004.JPG' border='0' alt='' /></a> <div style='clear:both; text-align:NONE'><a href='http://picasa.google.com/blogger/' target='ext'><img src='http://photos1.blogger.com/pbp.gif' alt='Posted by Picasa' style='border: 0px none ; padding: 0px; background: transparent none repeat scroll 0% 50%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial;' align='middle' border='0' /></a></div><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com1tag:blogger.com,1999:blog-5168152168512265767.post-36740522393530558452010-08-06T22:20:00.001-05:002010-08-06T22:20:58.574-05:00<a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZvbDDGlsiy4C__BD4pM40b59CDXoIEarleO0JniuuzE0n34EPpD7GBR1sRBCpe6FCir43tsb0wFroioqobAEK9nSFRgxvhFoLKI5wIq3qh6kzjXCWXhJXvA4PzDtEicaQMniJ6_yZQc/s1600/001.JPG'><img src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZvbDDGlsiy4C__BD4pM40b59CDXoIEarleO0JniuuzE0n34EPpD7GBR1sRBCpe6FCir43tsb0wFroioqobAEK9nSFRgxvhFoLKI5wIq3qh6kzjXCWXhJXvA4PzDtEicaQMniJ6_yZQc/s320/001.JPG' border='0' alt='' /></a> <div style='clear:both; text-align:NONE'><a href='http://picasa.google.com/blogger/' target='ext'><img src='http://photos1.blogger.com/pbp.gif' alt='Posted by Picasa' style='border: 0px none ; padding: 0px; background: transparent none repeat scroll 0% 50%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial;' 
align='middle' border='0' /></a></div><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-46312386059924842292010-07-15T21:01:00.006-05:002010-07-15T21:09:35.432-05:00<span style="font-weight:bold;"><span class="Apple-style-span" style="font-size: large;">Finding potentially unused IP addresses or invalid DNS</span></span><span class="Apple-style-span" style="font-size: large;">
</span>
<iframe src="https://docs.google.com/document/pub?id=1Erdu_iTEJNiyhjQkMrcRv74DaDIVCdBToGylvnAdJoQ&embedded=true" width="600" height="550"></iframe><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-62578356321875129462010-07-15T20:34:00.010-05:002010-07-15T20:54:31.616-05:00<span style="font-weight:bold;"><span class="Apple-style-span" style="font-size: large;">Disco Dancing with iTach</span></span>
<iframe src="https://docs.google.com/document/pub?id=1SeQ0NcFe02gMO46uYRde0kAvjV2dR3g4xRBziMRPkko&embedded=true" width="600" height="600"></iframe><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-40796706539392012002010-07-08T13:41:00.006-05:002010-07-15T20:53:49.021-05:00<span style="font-weight:bold;"><span class="Apple-style-span" style="font-size: large;">Likewise Open Tips</span></span>
<iframe src="https://docs.google.com/document/pub?id=1jQMWCGY1F2dIqgKV5G34Jpa2wd_3c0AFAhcbDzyGtgc&embedded=true" width="600" height="800"></iframe><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-7985281216786741402010-07-07T16:28:00.000-05:002010-07-07T16:29:14.989-05:00<span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: medium; "><div style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(255, 255, 255); font: normal normal normal 13px/19px Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; padding-top: 0.6em; padding-right: 0.6em; padding-bottom: 0.6em; padding-left: 0.6em; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; background-position: initial initial; background-repeat: initial initial; "><p>Finding unused IP addresses and invalid DNS entries</p><p>The method used in the example below will not help eliminate all invalid DNS entries or find IPs that are live yet unused, however, it will provide a fairly efficient means of finding unused IPs that are not pingable at the moment and provide a list of potentially invalid reverse lookup entries which in turn would also give you clues you need to start looking for invalid A records, etc.</p><p>For this example I am going to assume we want to find unused IP addresses and potentially invalid DNS entries for the network range 192.168.1.1-100</p><p>From the prompt of your linux host with nmap installed run:</p><p mce_style="padding-left: 30px;" style="padding-left: 30px; ">nmap -v -sP 192.168.1.1-100|grep down |for i in `awk '{print $2}'`;do host $i;done</p><ul><li>nmap -v -sP 192.168.1.1-100 performs ping scan and returns status for specified range</li><li>grep down - filters the list to only return 
non-pingable hosts</li><li>for i in `awk '{print $2}'` - filters the list further to only return the IP addresses in a loop to do the host [ip address] lookup for each IP returned</li></ul><p>One could easily substitute host with nslookup or dig but I chose host to streamline the output for readability.</p><p>Bottom line is that if you see output similar to the following:</p><p mce_style="padding-left: 30px;" style="padding-left: 30px; ">Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)</p><p>Then you can probably safely use 192.168.1.5 for a new device and DNS entry although it would be safer to scan the DNS table by IP for forward lookup entries first.</p><p>On the other hand, if you see output similar to:</p><p mce_style="padding-left: 30px;" style="padding-left: 30px; ">5.1.168.192.in-addr.arpa domain name pointer name.domain.com</p><p>Then you most likely have a system that is shutdown at the moment which uses that address or an invalid/outdated DNS entry to clean up.</p><p>One could easily schedule this command to run with cron and send output to an email or ticketing system for regularly scheduled DNS maintenance</p></div></span><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-68904252699905174672010-06-21T07:30:00.004-05:002010-07-15T20:49:29.774-05:00<iframe src="http://docs.google.com/Doc?docid=0ARZQyWuGbQKkZGZ4amJ4Y2NfMjYyYzlieHc5Z3Q&hl=en" width="600" height=800></iframe><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-77723203276064979462010-05-25T12:15:00.003-05:002010-06-21T07:56:52.686-05:00Generate Wildcard SSL for Apache 2.x using OpenSSL
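The pipeline from the "Finding unused IP addresses and invalid DNS entries" post above, as an added example that is not part of the original post. It splits the one-liner into functions, parses both the older "Host X appears to be down." line the post relies on and the current "Nmap scan report for X [host down]" format (where `awk '{print $2}'` would return "scan" rather than the address), and labels each result FREE (no PTR record) or CHECK (a PTR exists, so either a powered-off host or a stale record). The sample nmap output, the `host` output, the `example.test` names and the `fake_host` lookup stand-in are all constructed so the block runs offline; on a live network the real commands are `nmap -sn <range> | audit_range` (`-sP` is the older spelling of `-sn`). Keep in mind that "down" only means no ping reply at that moment; a host that filters ICMP looks the same, which is why the post's advice to also check forward A records before reusing an address stands.

```shell
#!/bin/sh
# Added example, not code from the original post. Breaks the post's one-liner
#   nmap -v -sP <range> | grep down | for i in `awk '{print $2}'`; do host $i; done
# into reusable functions and classifies the lookups. Sample data below is
# constructed so the script runs offline; example.test is a placeholder domain.

# Print the IPv4 address of every host nmap reports as down. Accepts both the
# older "Host 192.168.1.5 appears to be down." line the post relies on and the
# current "Nmap scan report for name (192.168.1.5) [host down]" line, where
# the address is no longer field 2.
down_ips() {
    awk '/down/ {
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)
            if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print f; break }
        }
    }'
}

# Turn `host` reverse-lookup output into one report line per address:
#   FREE  - NXDOMAIN, no PTR record (still check forward A records before reuse)
#   CHECK - a PTR exists: a powered-off host or a stale record to clean up
classify_ptr() {
    awk '
        /NXDOMAIN/ {
            split($2, a, "."); printf "FREE %s.%s.%s.%s\n", a[4], a[3], a[2], a[1]; next
        }
        /domain name pointer/ {
            split($1, a, "."); printf "CHECK %s.%s.%s.%s -> %s\n", a[4], a[3], a[2], a[1], $5
        }'
}

# Whole pipeline: nmap output on stdin, report on stdout. The optional first
# argument names the lookup command (defaults to the real `host`).
audit_range() {
    lookup=${1:-host}
    down_ips | while read -r ip; do "$lookup" "$ip"; done | classify_ptr
}

# Constructed nmap output mixing both formats (a real run uses only one).
SAMPLE_NMAP='Host 192.168.1.3 is up (0.0010s latency).
Host 192.168.1.5 appears to be down.
Host 192.168.1.7 appears to be down.
Nmap scan report for printer.example.test (192.168.1.9) [host down]
Nmap scan report for 192.168.1.11
Host is up (0.0020s latency).'

# Constructed stand-in for `host` so the example needs no DNS server.
fake_host() {
    case "$1" in
        192.168.1.5) echo "Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)" ;;
        192.168.1.7) echo "7.1.168.192.in-addr.arpa domain name pointer oldbox.example.test." ;;
        192.168.1.9) echo "9.1.168.192.in-addr.arpa domain name pointer printer.example.test." ;;
        *) rev=$(echo "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
           echo "Host $rev not found: 3(NXDOMAIN)" ;;
    esac
}

# Offline demo; on a live network: nmap -sn 192.168.1.1-100 | audit_range
printf '%s\n' "$SAMPLE_NMAP" | audit_range fake_host
```

The CHECK lines are the ones worth feeding into the cron/ticketing flow the post mentions: each is either a machine that happens to be off or a reverse record pointing at something that no longer exists, and both deserve a human decision before the address is handed out again.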
<div><span style="font-family:verdana, arial, helvetica, sans-serif;"><b style="background-color:transparent;background-image:initial;border-color:initial;border-style:initial;margin-left:0px;margin-right:0pxfont-family:Verdana, Arial, Helvetica, sans-serif;color:#000000;"><span style="font-size:85%;">openssl req -new -newkey rsa:2048 -nodes -keyout star.domain.key -out star.domain.csr</span></b></span>
</div><b style="background-color:transparent;background-image:initial;border-color:initial;border-style:initial;margin-left:0px;margin-right:0pxfont-family:Verdana, Arial, Helvetica, sans-serif;color:#000000;"><span style="font-size:85%;">
</span></b><b style="background-color:transparent;background-image:initial;border-color:initial;border-style:initial;margin-left:0px;margin-right:0pxfont-family:Verdana, Arial, Helvetica, sans-serif;color:#000000;"><span style="font-size:85%;">
</span></b><div><span style="background-image:initial;border-border-style:initial;margin-left:0px;margin-right:0pxcolor:initial;"><span style="font-family:verdana, arial, helvetica, sans-serif;"><span style="color:#000000;"><span style="font-size:85%;">Convert an Apache Cert and Key to IIS format</span></span></span></span></div><b style="background-color:transparent;background-image:initial;border-color:initial;border-style:initial;margin-left:0px;margin-right:0pxfont-family:Verdana, Arial, Helvetica, sans-serif;color:#000000;"><span style="font-size:85%;"><span style="font-family:tahoma, sans-serif;"><span style="color:#000000;"><span style="font-size:85%;">openssl pkcs12 -export -out star.domain.pfx -inkey <span style="font-family:verdana, arial, helvetica, sans-serif;"><span style="font-size:85%;">star.domain.key</span></span> -in <span style="font-family:verdana, arial, helvetica, sans-serif;"><span style="font-size:85%;">star.domain.crt</span></span></span></span></span>
</span></b>
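An added example, not from the original post: the openssl req command above driven by a small config file so the wildcard appears both as the CN and as a subjectAltName (clients match wildcard certificates on the SAN), with the private key kept at mode 600 and a check of the finished CSR before it goes to the CA. example.com, Example Org and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the post's "openssl req" step
# driven by a small config file so the wildcard shows up both as the CN and
# as a subjectAltName (clients match wildcard certs on the SAN), with the
# private key kept at mode 600 and a check of the CSR before it goes to the CA.
# "example.com", "Example Org" and the file names are placeholders.

# Write an OpenSSL request config for a wildcard CSR.
# $1 = base domain (example.com), $2 = path of the config file to write
write_wildcard_req_config() {
  cat > "$2" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = *.$1
O  = Example Org

[ v3_req ]
subjectAltName = DNS:*.$1, DNS:$1
EOF
}

# Generate key and CSR with the same flags as the post plus -config for the
# SAN. $1 = base domain, $2 = output base name (writes $2.cnf, $2.key, $2.csr)
make_wildcard_csr() {
  write_wildcard_req_config "$1" "$2.cnf"
  # umask 077 so the key file is never world-readable, not even briefly.
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2.key" -out "$2.csr" -config "$2.cnf" 2>/dev/null ) || return 1
  chmod 644 "$2.csr"   # the CSR holds no secret and is sent to the CA
}

# Verify a CSR before submitting it: wildcard CN, and a SAN list that carries
# both the wildcard and the bare domain. $1 = base domain, $2 = CSR path
csr_is_wildcard_for() {
  text=$(openssl req -in "$2" -noout -text) || return 1
  echo "$text" | grep -q "CN *= *\*\.$1" || return 1
  echo "$text" | grep -q "DNS:\*\.$1"     || return 1
  echo "$text" | grep -q "DNS:$1"         || return 1
}

# True when the key file is readable by its owner only (mode 600).
key_is_private() {
  case "$(ls -l "$1" | cut -c2-10)" in
    rw-------) return 0 ;;
    *)         return 1 ;;
  esac
}

# Demo: build and check a CSR for the placeholder domain in a scratch directory.
WORKDIR=$(mktemp -d)
if make_wildcard_csr example.com "$WORKDIR/star.example.com" &&
   csr_is_wildcard_for example.com "$WORKDIR/star.example.com.csr" &&
   key_is_private "$WORKDIR/star.example.com.key"; then
  echo "CSR ready for the CA: $WORKDIR/star.example.com.csr"
else
  echo "CSR or key failed checks; do not submit" >&2
fi
```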
<div>Import Key into IIS from pfx format:</div>
<ol start="1" type="1"><li><span style="font-family:tahoma, sans-serif;"><span style="color:#000000;"><span style="font-size:85%;">Start > Run</span></span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Type in MMC and click GO</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Go into the Console Tab > select Add/Remove Snap-in</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Click on Add > Double Click on Certificates and click on Add > OK</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Select Computer Account</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Select Local Computer</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Click the + to Expand the Certificates Console Tree</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Right click on the Personal Certificates Store</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Choose > ALL TASKS > Import</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. 
When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.</span></span></li><li style="color:black;"><span style="font-size:85%;"><span style="font-family:tahoma, sans-serif;">In your IIS manager, right-click on the site that you would like to use the certificate and select properties.</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported and supply the password used to create the pfx file.</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Finish the certificate wizard.</span></span></li><li style="color:black;"><span style="font-family:tahoma, sans-serif;"><span style="font-size:85%;">Restart the server.</span></span></li></ol><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com1tag:blogger.com,1999:blog-5168152168512265767.post-82836688704038881772010-05-21T10:28:00.001-05:002010-05-21T10:28:46.842-05:00Extract values within quotes from com...Extract values within quotes from command output on Linux using perl <br><br><div>For example:</div><div>To obtain all values within quotes from the output of a jstack command you 
could</div><br><div> ./jstack <pid> |perl -lne 'print $1 if (/"(.*)"/)' <br></div><br><div>and if you wanted a count of how many quoted values there are</div><br><div> ./jstack 23545 |perl -lne 'print $1 if (/"(.*)"/)' |wc -l<br></div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-34769655661220125122010-05-06T13:06:00.001-05:002010-05-06T13:06:18.808-05:00Oracle on Linux RMAN from Netbackup t...<h2 style="color:#606060"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="5"><a href="http://sysxperts.wordpress.com/2010/05/06/oracle-on-linux-rman-from-netbackup-to-avamar-client/" rel="bookmark" style="color:#808080" title="Permanent link to Oracle on Linux RMAN from Netbackup to Avamar Client"><u><b>Oracle on Linux RMAN from Netbackup to Avamar Backup Client</b></u></a></font></font></font></h2><p class="date" style="margin-left:0px;margin-right:0px"><br></p><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">I recently migrated some Oracle 10g and 11g RHEL 5 VM’s and Physical boxes from Netbackup based clients to Avamar clients with the RMAN plugin. I will create a separate post regarding automation of the AvamarClient setup and focus on the RMAN configuration for event/client driven backup here.</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">First thing I did before automating any of the processes was to download the required docs and binaries from the Avamar web interface. 
There is a Documents and Downloads link at the bottom of the page of the following sample url:</font></font></font></p><blockquote style="margin-left:30px;margin-right:30px"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">http://avamarservernameorip</font></font></font></p></blockquote><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Then I downloaded the Avamar Oracle Client User Guide and the appropriate binaries for the platform from the right hand column, for example:</font></font></font></p><blockquote style="margin-left:30px;margin-right:30px"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm</font></font></font></p></blockquote><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Also, ask your friendly EMC Avamar installer to provide a copy of AvOracleRMAN.pdf and AvOracleDatabasePrep.pdf which provide a lot more detail than the Client User Guide.</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Installation and registration of the Avamar Client</font></font></font></p><blockquote style="margin-left:30px;margin-right:30px"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">1. 
As root cd to location of downloaded rpms</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">2. Type rpm -ivh AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">3. Type /usr/local/avamar/bin/avregister</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">4. Enter the fqdn of the Administrator server when prompted [avamarserver.domain.com]</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">5. Enter the Avamar server domain [clients] when prompted</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">6. The Avamar Client installation is now complete</font></font></font></p></blockquote><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Installation of the AvamarRMAN Plugin</font></font></font></p><blockquote style="margin-left:30px;margin-right:30px"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">1. As root cd to location of downloaded rpms</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">2. Type rpm -ivh AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">3. 
Update iptables with the following rules to allow secure backups, and also update any firewalls to allow backup traffic through these ports:<br>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 28002 -j ACCEPT<br>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 27000 -j ACCEPT<br>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 29000 -j ACCEPT<br>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8672 -j ACCEPT</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">4. Create a new user account that will have access to backup/restore jobs on the domain containing the Oracle backup jobs using the Avamar Administrator Console.</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">5. Create a my-avtar-flags.txt file for Linux in /usr/local/avamar/bin containing the lines below (it holds the Avamar account password in clear text, so make it readable only by the user that runs the backups):<br>--pidname=Oracle<br>--pidnum=1002<br>--logfile=/usr/local/avamar/var/avtar.log<br>--vardir=/usr/local/avamar/var<br>--id=[userid from prior step]<br>--ap=[password from prior step]<br>--path=[/domain/oracleservername]<br>--expires=[number in days]</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">6. 
Create RMAN scripts (avorabackup and avorarestore) that can be launched with cron or the scheduler of your choosing; examples below.</font></font></font></p></blockquote><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Save the following example backup script in a file named avorabackup and launch it with:</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2"><br> rman target / nocatalog @avorabackup</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font size="2"><br></font></p></div></div><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">run {</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">configure device type sbt clear;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">allocate channel c1 type 'SBT_TAPE' PARMS="SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)" format '%d_%U';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">send '"--flagfile=/usr/local/avamar/bin/my-avtar-flags.txt" ';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">send '"--sysdir=/usr/local/avamar/etc" "--bindir=/usr/local/avamar/bin" "--vardir=/usr/local/avamar/var"';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">configure retention policy to recovery window of 10 days;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">configure retention policy to redundancy 2;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">backup database plus archivelog;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">delete noprompt obsolete;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">crosscheck backupset;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">release channel c1;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">}</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font size="2"><br></font></p></div></div></blockquote><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">Save the following example restore script in a file named avorarestore and launch it with:</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2"><br> rman target / nocatalog @avorarestore</font></font></font></p><p style="margin-left:0px;margin-right:0px"><font size="2"><br></font></p></div></div><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">run {</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">allocate channel c1 type 'SBT_TAPE' PARMS="SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)" format '%d_%U';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">send channel='c1' '"--flagfile=/usr/local/avamar/bin/my-avtar-flags.txt" ';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">send '"--sysdir=/usr/local/avamar/etc" "--bindir=/usr/local/avamar/bin" "--vardir=/usr/local/avamar/var"';</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">restore database;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">recover database;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">release channel c1;</font></font></font></p></div></div><div class="entrytext"><div class="snap_preview"><p style="margin-left:0px;margin-right:0px"><font face="verdana, tahoma, arial, sans-serif"><font color="#2a2a2a"><font size="2">}</font></font></font></p></div></div></blockquote><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-56206308902421781822010-04-23T01:10:00.001-05:002010-04-23T01:10:32.693-05:00NTP Update PoSH for ESXNTP Update PoSH for ESX <br><br><div>$Cluster = "<cluster name>"</div><div>$Hosts = Get-Cluster $Cluster | Get-VMHost</div><div># $Host is a reserved automatic variable in PowerShell, so the loop variable is named $VMHost</div><div>ForEach ($VMHost in $Hosts)</div><div>{</div><div>Remove-VMHostNtpServer -NtpServer "x.x.x.x" -VMHost $VMHost | Out-Null</div><div>Remove-VMHostNtpServer -NtpServer "x.x.x.x" -VMHost $VMHost | Out-Null<br></div><div>Add-VMHostNtpServer -NtpServer "ntp0.sysxperts.com" -VMHost $VMHost | Out-Null</div><div>Add-VMHostNtpServer -NtpServer "ntp1.sysxperts.com" -VMHost $VMHost | Out-Null<br></div><div>Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"} | Restart-VMHostService -Confirm:$false | Out-Null</div><div>Write-Output "NTP Server was changed on $VMHost"</div><div>}</div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul 
Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-10239368202644905502010-04-13T13:46:00.003-05:002010-04-13T13:46:41.577-05:00Enabling a VirtualBox Win7 guest to connect to 8021x<p class="Normal"><span class="Normal__Char"><b><u>Enabling a VirtualBox Win7 Guest to Connect to 802.1x Corporate Network</u></b></span></p><p class="Normal"><br></p><p class="Normal">Disable everything but the VirtualBox Bridged Networking Driver on the interface connected to the corp. LAN and also disable authentication as this will be handled by the guest OS.</p><p class="Normal"><br></p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal" style="text-align:left"> <a id="graphic0B" name="graphic0B"></a><img alt="image" height="365" src="http://docs.google.com/File?id=dfxjbxcc_242c3kmbnfv_b" width="281"></p></blockquote><p class="Normal"><br></p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal" style="text-align:left"><img alt="image" height="369" src="http://docs.google.com/File?id=dfxjbxcc_243q596x4cw_b" width="284"></p></blockquote><p class="Normal" style="text-align:left"><a id="graphic0C" name="graphic0C"></a></p><p class="Normal"><br></p><p class="Normal"><br></p><p class="Normal">Disable VirtualBox on the interface connected to your Internet enabled network</p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="374" src="http://docs.google.com/File?id=dfxjbxcc_244fn5v62gk_b" width="288"></p></blockquote><p class="Normal"><a id="graphic0D" name="graphic0D"></a></p><p class="Normal"><br></p><p class="Normal"><br></p><p class="Normal">Create 1 bridged interface and 1 host only interface on your VirtualBox Guest under Virtual Box Settings then power on Guest and go to Network Connections to verify</p><blockquote 
class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="239" src="http://docs.google.com/File?id=dfxjbxcc_245cs2wfcf5_b" width="329"></p></blockquote><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"> <img alt="image" height="239" src="http://docs.google.com/File?id=dfxjbxcc_246rbsxg8gd_b" width="329"></p><p class="Normal"><br></p><p class="Normal"><br></p></blockquote><p class="Normal"><a id="graphic0F" name="graphic0F"></a></p><p class="Normal">On the bridged interface you will enable authentication for 802.1x and edit settings as follows.</p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="427" src="http://docs.google.com/File?id=dfxjbxcc_247769hs543_b" width="329"></p></blockquote><p class="Normal"><a id="graphic10" name="graphic10"></a></p><p class="Normal"> </p><p class="Normal"> </p><p class="Normal">Settings - edit servernames with your own Domain Controllers/802.1x auth providers</p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="458" src="http://docs.google.com/File?id=dfxjbxcc_248g8jphnhn_b" width="320"></p><p class="Normal"><br></p><p class="Normal"><br></p></blockquote><p class="Normal"><a id="graphic11" name="graphic11"></a></p><p class="Normal">Additional settings - Set to User Authentication and replace credentials with your Domain auth in the form DOMAINNAME\username</p><p class="Normal">On the Host Only interface set it to a static IP in the same range as that which is configured on the Host as shown under File > Preferences > Network</p><p class="Normal"><br></p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="152" src="http://docs.google.com/File?id=dfxjbxcc_249hp7qnwf7_b" width="255"></p></blockquote><p 
class="Normal"><a id="graphic12" name="graphic12"></a></p><p class="Normal"> </p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="362" src="http://docs.google.com/File?id=dfxjbxcc_250fxqkp8cn_b" width="325"></p><p class="Normal"><br></p><p class="Normal"><br></p></blockquote><p class="Normal"><a id="graphic13" name="graphic13"></a></p><p class="Normal">Now you should be able to join your Windows 7 guest to the domain and access corporate resources with 802.1x authentication.</p><p class="Normal">And your shared local drive too, if you added one under Devices > Shared Folders.</p><blockquote class="webkit-indent-blockquote" style="border:none;margin:0 0 0 40px"><p class="Normal"><img alt="image" height="305" src="http://docs.google.com/File?id=dfxjbxcc_251dhpb7xch_b" width="406"></p></blockquote><p class="Normal"><a id="graphic14" name="graphic14"></a></p><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-66654612420758953592010-03-16T10:56:00.001-05:002010-03-16T10:56:05.249-05:00vDR locks snapshots upon failed backup<h3 align="left" dir="ltr" id="n8uh" style="color:#b76401;margin-left:0px;margin-right:0px"><font color="#333333"><font size="6">vDR locks snapshots upon failed backup</font></font></h3><div class="sites-canvas-main" id="a03f" style="background-color:transparent"><table cellspacing="0" class="sites-layout-hbox sites-layout-name-one-column zeroBorder" style="margin-left:0px;margin-right:0px;width:643px"><tbody><tr><td class="sites-layout-tile sites-tile-name-content-1" style="vertical-align:top"><div dir="ltr"><font color="#333333">So if you've reviewed all the snapshot troubleshooting on the web and still have not found a solution to your problem, you might be the victim of a bad vDR configuration.</font><br><br><div><font color="#333333">We decided to give vDR a try in our Test and Dev environment to reduce backup licensing costs and ran into a problem where, if the vDR backup failed, the snapshots would fill up the LUNs and we had no luck removing or consolidating them using any of the methods available.</font></div><br><div><font color="#333333">The quick fix ended up being as follows:</font></div><div><font color="#333333">1) Shut down the vDR appliance</font></div><div><font color="#333333">2) Detach the disks with orphaned snapshots from the appliance</font></div><div><font 
color="#333333">3) Verify and correct for space requirements on target LUNs</font></div><div><font color="#333333">4) Create a new snapshot with vSphere client (or service console)</font></div><div><font color="#333333">5) Delete the snapshot with vSphere client (or service console)</font></div><div><font color="#333333">6) All went well and we were back in business at this point</font></div><br><div><font color="#333333">Investigating preventative measures at the moment; will update with findings.</font></div></div></td></tr></tbody></table></div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-30909476381369869172010-03-10T13:43:00.001-06:002010-03-10T13:43:01.063-06:00OpenVPN<h3 align="left" id="s_vh" style="color:#b76401;margin-left:0px;margin-right:0px"><font color="#333333"><font size="6"><span dir="ltr" id="o5j2">OpenVPN</span></font></font></h3><div class="sites-canvas-main" id="iqy6" style="background-color:transparent"><table cellspacing="0" class="sites-layout-hbox sites-layout-name-one-column zeroBorder" style="margin-left:0px;margin-right:0px;width:871px"><tbody><tr><td class="sites-layout-tile sites-tile-name-content-1" style="vertical-align:top"><div dir="ltr"><div><font color="#333333">This installation of OpenVPN applies to Ubuntu 9.10</font></div><br><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">sudo apt-get install openvpn # to install the openvpn server</font></div></blockquote><br><div><font color="#333333">Follow <a href="http://openvpn.net/index.php/open-source/documentation/howto.html#quick" rel="nofollow" style="background-color:initial;background-repeat:repeat 
no-repeat;color:#b76401"><u><b>http://openvpn.net/index.php/open-source/documentation/howto.html#quick</b></u></a></font></div><br><div><font color="#333333">Copy the required example files to /etc/openvpn </font></div><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/</font></div><div><font color="#333333">cd /etc/openvpn/easy-rsa/2.0</font></div></blockquote><br><div><font color="#333333">Build the Certificate Server</font></div><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">. ./vars</font></div><div><font color="#333333">./clean-all</font></div><div><font color="#333333">./build-ca</font></div><br></blockquote><font color="#333333">The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:<br></font><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><br><div><font color="#333333"># ./build-ca</font></div><div><font color="#333333">Generating a 1024 bit RSA private key</font></div><div><font color="#333333">............++++++</font></div><div><font color="#333333">...........++++++</font></div><div><font color="#333333">writing new private key to 'ca.key'</font></div><div><font color="#333333">-----</font></div><div><font color="#333333">You are about to be asked to enter information that will be incorporated</font></div><div><font color="#333333">into your certificate request.</font></div><div><font color="#333333">What you are about to enter is what is called a Distinguished Name or a DN.</font></div><div><font color="#333333">There are quite a few fields but you can leave some blank</font></div><div><font color="#333333">For some fields there will be a default value,</font></div><div><font 
color="#333333">If you enter '.', the field will be left blank.</font></div><div><font color="#333333">-----</font></div><div><font color="#333333">Country Name (2 letter code) [MN]:</font></div><div><font color="#333333">State or Province Name (full name) [Minnesota]:</font></div><div><font color="#333333">Locality Name (eg, city) [Andover]:</font></div><div><font color="#333333">Organization Name (eg, company) [OpenVPN-TEST]:</font></div><div><font color="#333333">Organizational Unit Name (eg, section) []:</font></div><div><font color="#333333">Common Name (eg, your name or your server's hostname) []:openvpn1.sysxperts.com</font></div><div><font color="#333333">Email Address [me@myhost.mydomain]:</font></div><div><font color="#333333">Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "openvpn1.sysxperts.com".</font></div></blockquote><br><div><font color="#333333">Now build the OpenVPN server certificate and key</font></div><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">./build-key-server openvpn1</font></div></blockquote><div><font color="#333333">As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "openvpn1". Two other queries require positive YES responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? 
[y/n]".</font></div><br><div><font color="#333333">Build client certificates and keys</font></div><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">./build-key pvalentino</font></div><div><font color="#333333">./build-key user2</font></div></blockquote><div><font color="#333333">Remember to type the appropriate Common Name for each client when prompted, e.g. "username1", "client2", or "server3". Always use a unique common name for each client.</font></div><br><div><font color="#333333">For greater security, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.</font></div><br><div><font color="#333333">Build the required Diffie-Hellman parameters for the OpenVPN server</font></div><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">./build-dh</font></div><br></blockquote><font color="#333333">Now we will find our newly-generated keys and certificates in the keys subdirectory (/etc/openvpn/easy-rsa/2.0/keys). 
Here is an explanation of the relevant files:<br></font><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><table border="1" cellpadding="8" cellspacing="0" style="margin-left:0px;margin-right:0px"><tbody><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font size="2"><b><font color="#4C1130">Filename</font></b></font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font size="2"><b><font color="#4C1130">Needed By</font></b></font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font size="2"><b><font color="#4C1130">Purpose</font></b></font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font size="2"><b><font color="#4C1130">Secret</font></b></font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">ca.crt</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server + all clients</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">Root CA certificate</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">ca.key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">key signing machine only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">Root CA key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">YES</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font 
color="#4C1130">dh{n}.pem</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">Diffie Hellman parameters</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">openvpn1.crt</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">Server Certificate</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">openvpn1.key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">Server Key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">YES</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino.crt</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino Certificate</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td style="vertical-align:top"><font 
face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino.key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">pvalentino Key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">YES</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2.crt</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2 only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2 Certificate</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2.key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2 only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">user2 Key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">YES</font></font></td></tr><tr><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3.crt</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3 only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3 Certificate</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">NO</font></font></td></tr><tr><td 
style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3.key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3 only</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">server3 Key</font></font></td><td style="vertical-align:top"><font face="arial, helvetica, sans-serif"><font color="#4C1130">YES</font></font></td></tr></tbody></table><font size="2"><br></font><div><font face="arial, helvetica, sans-serif"><font color="#003366"><font size="2">-rw-r--r-- 1 root root 4003 2010-01-22 17:41 openvpn1.crt</font></font></font></div><div><font face="arial, helvetica, sans-serif"><font color="#003366"><font size="2">-rw------- 1 root root 887 2010-01-22 17:41 openvpn1.key</font></font></font></div><font size="2"><br></font><font size="2"><br></font></blockquote><font color="#333333">Copy sample configuration files to /etc/openvpn for server side configuration</font><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">cd /usr/share/doc/openvpn/examples/sample-config-files</font></div><div><font color="#333333">gzip -d server.conf.gz</font></div><div><font color="#333333">cp server.conf /etc/openvpn/</font></div><br></blockquote><div><font color="#333333">Edit /etc/openvpn/server.conf as follows:</font></div><div><font color="#333333">In my environment I'm using the following:</font></div><div><font color="#333333">192.168.1.206 is the OpenVPN server interface and my internet access device is configured to NAT forward port 1194 udp to that address. 
These settings can typically be found under Port Forwarding on a Netgear router or under Applications and Gaming Settings on a Linksys router.</font></div><div><font color="#333333">10.8.18.0 is my VPN subnet</font></div><div><font color="#333333">10.1.1.0 is another private subnet on my network</font></div><br><div class="sites-codeblock sites-codesnippet-block" style="background-color:#efefef"><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#006000" face="monospace"># Which local IP address should OpenVPN</font></div><div><font color="#006000" face="monospace"># listen on? (optional)</font></div><div><font color="#006000" face="monospace">local 192.168.1.206</font></div><br><div><font color="#006000" face="monospace">port 1194</font></div><br><div><font color="#006000" face="monospace"># TCP or UDP server?</font></div><div><font color="#006000" face="monospace">;proto tcp</font></div><div><font color="#006000" face="monospace">proto udp</font></div><br><div><font color="#006000" face="monospace">;dev tap</font></div><div><font color="#006000" face="monospace">dev tun</font></div><br><div><font color="#006000" face="monospace"># CA cert plus the server cert and key as named by ./build-key-server openvpn1 above</font></div><div><font color="#006000" face="monospace">ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt</font></div><div><font color="#006000" face="monospace">cert /etc/openvpn/easy-rsa/2.0/keys/openvpn1.crt</font></div><div><font color="#006000" face="monospace">key /etc/openvpn/easy-rsa/2.0/keys/openvpn1.key # This file should be kept secret</font></div><br><div><font color="#006000" face="monospace">dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem</font></div><br><div><font color="#006000" face="monospace">server 10.8.18.0 255.255.255.0</font></div><br><div><font color="#006000" face="monospace">ifconfig-pool-persist /etc/openvpn/ipp.txt</font></div><br><br><div><font color="#006000" face="monospace"># Push routes to the client to allow it</font></div><div><font color="#006000" face="monospace"># to reach other private subnets 
behind</font></div><div><font color="#006000" face="monospace"># the server. Remember that these</font></div><div><font color="#006000" face="monospace"># private subnets will also need</font></div><div><font color="#006000" face="monospace"># to know to route the OpenVPN client</font></div><div><font color="#006000" face="monospace"># address pool (10.8.18.0/255.255.255.0)</font></div><div><font color="#006000" face="monospace"># back to the OpenVPN server.</font></div><div><font color="#006000" face="monospace">push "route 10.1.1.0 255.255.255.0"</font></div><div><font color="#006000" face="monospace">push "route 192.168.1.0 255.255.255.0"</font></div><br><div><font color="#006000" face="monospace">keepalive 10 120</font></div><br><div><font color="#006000" face="monospace">comp-lzo</font></div><br><div><font color="#006000" face="monospace">user nobody</font></div><div><font color="#006000" face="monospace">group nogroup</font></div><br><div><font color="#006000" face="monospace">persist-key</font></div><div><font color="#006000" face="monospace">persist-tun</font></div><br><div><font color="#006000" face="monospace">status /etc/openvpn/openvpn-status.log</font></div><br><div><font color="#006000" face="monospace">verb 3</font></div><br><div><font color="#006000" face="monospace">mute 20</font></div><br></blockquote></div><br><div><font color="#333333"><a href="http://openvpn.net/index.php/open-source/downloads.html" rel="nofollow" style="background-color:initial;background-repeat:repeat no-repeat;color:#b76401"><u><b>OpenVPN</b></u></a> iptables rules to allow traffic to local subnets attached to eth0 and eth1 on the OpenVPN server</font></div><div><font color="#333333">without the need for a bridging config</font></div><br><blockquote style="border-color:initial;border-width:initial;color:#666666;margin-left:40px;margin-right:0px"><div><font color="#333333">iptables --append FORWARD --in-interface tun0 -j ACCEPT</font></div><div><font color="#333333">iptables 
--table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE</font></div><div><font color="#333333">iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE</font></div><br><div><font color="#333333">iptables-save > /etc/iptables.rules</font></div></blockquote><br><div><font color="#333333">Then modify /etc/network/interfaces as shown below (this is my case; note the pre-up line).</font></div><div><font color="#333333">The pre-up line restores my iptables NAT rules after a reboot:</font></div><br><div class="sites-codeblock sites-codesnippet-block" style="background-color:#efefef"><font color="#333333"><font face="Courier New">auto eth0</font><br><font face="Courier New">iface eth0 inet static</font><br><font face="Courier New"> address 192.168.1.206</font><br><font face="Courier New"> netmask 255.255.255.0</font><br><font face="Courier New"> network 192.168.1.0</font><br><font face="Courier New"> gateway 192.168.1.1</font><br><font face="Courier New"> pre-up iptables-restore < /etc/iptables.rules</font><br><font face="Courier New">auto eth1</font><br><font face="Courier New">iface eth1 inet static</font><br><font face="Courier New"> address 10.1.1.200</font><br><font face="Courier New"> netmask 255.255.255.0</font><br><font face="Courier New"> network 10.1.1.0</font></font></div><br><br><font color="#333333">For the client configuration, email, scp, or sftp a copy of client.conf to yourself for editing and hand it to the clients, making sure the configuration is compatible with the server side. Below is an example <a href="http://code.google.com/p/tunnelblick/" style="background-color:initial;background-repeat:repeat no-repeat;color:#b76401"><u><b>Tunnelblick</b></u></a> client.conf which works with the server.conf above. 
This client.conf is for a Mac using <a href="http://code.google.com/p/tunnelblick/" style="background-color:initial;background-repeat:repeat no-repeat;color:#b76401"><u><b>Tunnelblick</b></u></a> with its config stored under /Users/pvalentino/Library/Application Support/Tunnelblick/Configurations/client.conf. Be sure to secure your private key on each client as well by removing group and other access with chmod go-rwx client.conf.<br></font><br><div><font color="#333333"><a href="http://code.google.com/p/tunnelblick/" style="background-color:initial;background-repeat:repeat no-repeat;color:#b76401"><u><b>Tunnelblick</b></u></a> for OSX client example: </font></div><div class="sites-codeblock sites-codesnippet-block" style="background-color:#efefef"><font color="#333333"><font face="Courier New">client</font><br><br><font face="Courier New">;dev tap</font><br><br><font face="Courier New">dev tun</font><br><font face="Courier New">;dev-node MyTap</font><br><br><font face="Courier New">;proto tcp</font><br><font face="Courier New">proto udp</font><br><br><br><br><font face="Courier New"># for me i use dyndns.org dyndns updater to keep my dhcp comcast address in sync with domain name</font><br><font face="Courier New"># you can get a free dyndns.org hostname and download the updater for free as well</font><br><font face="Courier New">remote openvpn1.sysxperts.com 1194</font><br><br><font face="Courier New">nobind</font><br><br><font face="Courier New">user nobody</font><br><font face="Courier New">group nogroup</font><br><br><font face="Courier New">persist-key</font><br><font face="Courier New">persist-tun</font><br><br><br><font face="Courier New">mute-replay-warnings</font><br><br><font face="Courier New"># Note that these files must be provided - ca.crt and client cert must come from openvpn server and key may come from server or from client depending on how you generate csr</font><br><font face="Courier New">ca /Users/pvalentino/ca.crt</font><br><font 
face="Courier New">cert /Users/pvalentino/pvalentino.crt</font><br><font face="Courier New">key /Users/pvalentino/pvalentino.key</font><br><br><font face="Courier New">ns-cert-type server</font><br><br><font face="Courier New">;tls-auth ta.key 1</font><br><br><font face="Courier New">;cipher x</font><br><br><font face="Courier New">comp-lzo</font><br><br><font face="Courier New">verb 3</font><br><font face="Courier New">mute 20</font></font></div><br><div><font color="#333333"><a href="http://openvpn.net/index.php/open-source/downloads.html" rel="nofollow" style="background-color:initial;background-repeat:repeat no-repeat;color:#b76401"><u><b>OpenVPN</b></u></a> Windows client example:</font></div><div><font color="#333333">For example, on Windows 7 64bit client install the OpenVPN client with default options, change the network connection name to MyTap under change adapter settings for the TAP-Win32 Adapter V9 interface. Then create and save the file below into c:\Program Files(x86)\openvpn\config as client.ovpn.</font></div><br><div class="sites-codeblock sites-codesnippet-block" style="background-color:#efefef"><div><font color="#333333"><font face="Courier New">client</font></font></div><br><div><font color="#333333"><font face="Courier New">;dev tap</font></font></div><div><font color="#333333"><font face="Courier New">dev tun</font></font></div><br><div><font color="#333333"><font face="Courier New">dev-node MyTap</font></font></div><br><div><font color="#333333"><font face="Courier New">;proto tcp</font></font></div><div><font color="#333333"><font face="Courier New">proto udp</font></font></div><br><div><font face="monospace"><font color="#006000">remote openvpn1.sysxperts.com 1194</font></font></div><br><div><font color="#333333"><font face="Courier New">nobind</font></font></div><br><div><font color="#333333"># Not valid on windows</font></div><div><font color="#333333"><font face="Courier New">;user nobody</font></font></div><div><font 
color="#333333"><font face="Courier New">;group nogroup</font></font></div><br><div><font color="#333333"><font face="Courier New">persist-key</font></font></div><div><font color="#333333"><font face="Courier New">persist-tun</font></font></div><br><br><div><font color="#333333"><font face="Courier New">mute-replay-warnings</font></font></div><br><div><font color="#333333"># Note the use of double backslashes on a windows client and I put them in a folder I manually created under my users folder</font></div><div><font color="#333333"><font face="Courier New">ca C:\\Users\\pvalentino\\openvpncerts\\ca.crt</font></font></div><div><font color="#333333"><font face="Courier New">cert C:\\Users\\pvalentino\\openvpncerts\\client2.crt</font></font></div><div><font color="#333333"><font face="Courier New">key C:\\Users\\pvalentino\\openvpncerts\\client2.key</font></font></div><br><div><font color="#333333"><font face="Courier New">ns-cert-type server</font></font></div><br><br><div><font color="#333333"><font face="Courier New">comp-lzo</font></font></div><br><div><font color="#333333"><font face="Courier New">verb 3</font></font></div><div><font face="monospace"><font color="#006000">mute 20</font></font></div></div><br><div><font color="#333333">When you run the openvpn client on windows be sure to right-click and select run as administrator or the software will not be able to create necessary routing configurations for the tunnel.</font></div><br><div><font color="#333333">After saving config and starting the application with administrator privileges you will have a new icon in your system tray. 
Simply right-click and select connect to establish the tunnel.</font></div><br><div><font color="#333333">If there are problems right-click the same icon and choose View Log to start the troubleshooting process.</font></div></div></td></tr></tbody></table></div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-55430147664405615832009-10-27T13:50:00.001-05:002009-10-27T13:50:35.846-05:00Update pam.d files with FISMA complia...<H4> Update pam.d files with FISMA compliant options</H4>
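<DIV>Before the PAM script, an added check for the OpenVPN post above (example code written for this page, not the post's own or OpenVPN's): it cross-checks a client.conf against the server.conf it is meant for (proto, dev, port, comp-lzo), confirms the client pins the server certificate role with ns-cert-type or remote-cert-tls, and verifies that the key file the client references has no group/other bits left, which is what the post's chmod go-rwx is for. The sample configs, the ovpn_* and key_is_private function names and the temp directory are this example's assumptions; a POSIX sh with awk is assumed.</DIV>

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN): check a client.conf
# against the server.conf it is meant for and confirm the client key is private.
# Assumes POSIX sh plus awk; file names and sample configs are constructed.

# First value of an uncommented directive (';' and '#' lines never match).
ovpn_get() {  # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# 0 if the directive appears uncommented in the file, 1 otherwise.
ovpn_has() {  # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Compare the settings that must agree on both ends of the tunnel. Prints one
# line per mismatch and returns the mismatch count, so 0 means compatible.
ovpn_check_pair() {  # $1 = server.conf, $2 = client.conf
    bad=0
    for d in proto dev; do
        s=$(ovpn_get "$1" "$d"); c=$(ovpn_get "$2" "$d")
        if [ "$s" != "$c" ]; then
            echo "mismatch: $d server='$s' client='$c'"; bad=$((bad + 1))
        fi
    done
    # The client's 'remote <host> <port>' must use the server's port (default 1194).
    sport=$(ovpn_get "$1" port); sport=${sport:-1194}
    cport=$(awk '$1 == "remote" { print $3; exit }' "$2"); cport=${cport:-1194}
    if [ "$sport" != "$cport" ]; then
        echo "mismatch: port server='$sport' client remote='$cport'"; bad=$((bad + 1))
    fi
    # comp-lzo has to be set on both sides or on neither.
    if ovpn_has "$1" comp-lzo; then s=on; else s=off; fi
    if ovpn_has "$2" comp-lzo; then c=on; else c=off; fi
    if [ "$s" != "$c" ]; then
        echo "mismatch: comp-lzo server=$s client=$c"; bad=$((bad + 1))
    fi
    return $bad
}

# 0 if the client pins the server certificate's role ('ns-cert-type server' in
# the post; 'remote-cert-tls server' in newer configs), 1 otherwise.
ovpn_client_pins_server() {  # $1 = client.conf
    ovpn_has "$1" ns-cert-type || ovpn_has "$1" remote-cert-tls
}

# 0 if the file has no group/other permission bits (the result of chmod go-rwx),
# 1 otherwise. ls -ld is used so this works on GNU and BSD userlands alike.
key_is_private() {  # $1 = path
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Constructed fixtures: a pair mirroring the post's settings, a client config
# that gets several of them wrong, and a key copied over with loose permissions.
write_demo_configs() {  # $1 = directory
    cat > "$1/server.conf" <<'EOF'
local 192.168.1.206
port 1194
;proto tcp
proto udp
dev tun
server 10.8.18.0 255.255.255.0
comp-lzo
EOF
    cat > "$1/client.conf" <<EOF
client
dev tun
;proto tcp
proto udp
remote openvpn1.sysxperts.com 1194
key $1/pvalentino.key
ns-cert-type server
comp-lzo
EOF
    printf 'client\ndev tap\nproto tcp\nremote openvpn1.sysxperts.com 1195\n' > "$1/bad-client.conf"
    touch "$1/pvalentino.key"
    chmod 644 "$1/pvalentino.key"
}

demo_dir=$(mktemp -d)
write_demo_configs "$demo_dir"
for cfg in client.conf bad-client.conf; do
    n=0; ovpn_check_pair "$demo_dir/server.conf" "$demo_dir/$cfg" || n=$?
    echo "$cfg: $n mismatch(es) against server.conf"
    ovpn_client_pins_server "$demo_dir/$cfg" || echo "$cfg: does not pin the server cert role"
done
keyfile=$(ovpn_get "$demo_dir/client.conf" key)
if key_is_private "$keyfile"; then
    echo "$keyfile: already private"
else
    echo "$keyfile: readable by group/other, applying chmod go-rwx"
    chmod go-rwx "$keyfile"
fi
rm -rf "$demo_dir"
```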
<DIV> </DIV>
<DIV>#!/usr/bin/perl<BR>use strict;<BR>use warnings;</DIV>
<DIV># Comment out every line that loads pam_rhosts_auth.so (rhosts-style trust) in each file under /etc/pam.d.<BR># Each file is read completely before it is rewritten in place, so the input and output directory can be the same.<BR>my $outpdir = '/etc/pam.d';<BR>my $inpdir = '/etc/pam.d';</DIV>
<DIV>opendir(my $pamd, $inpdir) or die "Cannot open $inpdir: $!";<BR>my @pamddir = readdir($pamd);<BR>closedir($pamd);</DIV>
<DIV>foreach my $file (@pamddir) {<BR> my $fileabs = "$inpdir/$file";<BR> if (-r $fileabs && ! -d $fileabs) {<BR> print "Processing $file:\n";</DIV>
<DIV> open(PAMFILE, $fileabs) or die "Failed to open $fileabs: $!";<BR> my @pfLines = <PAMFILE>;<BR> close PAMFILE;</DIV>
<DIV> open(DESTFILE, ">$outpdir/$file") or die "Could not write $outpdir/$file: $!";</DIV>
<DIV> foreach my $line (@pfLines) {<BR> chomp $line;<BR> # Disable the rhosts module; lines that are already comments are left alone<BR> if ($line =~ /pam_rhosts_auth\.so/ && $line !~ /^\s*#/) { print DESTFILE "#$line\n"; }<BR> else { print DESTFILE "$line\n"; }<BR> }</DIV>
<DIV> close DESTFILE;<BR> }<BR>}<BR></DIV><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-77633976021655087022009-10-27T09:09:00.001-05:002009-10-27T09:09:53.356-05:00Perl script to update FISMA compliant...<H4>Perl script to update FISMA compliant kernel parameters</H4>
<DIV> </DIV>
<DIV>#!/usr/bin/perl -w<BR>use strict;</DIV>
<DIV><BR># Make a timestamped backup of sysctl.conf before rewriting it<BR>my $timestamp = `date +%Y%m%d%H%M`;<BR>chomp $timestamp; # strip the trailing newline, otherwise it ends up in the backup filename<BR>system("cp /etc/sysctl.conf /etc/sysctl.conf.$timestamp") == 0 or die "Backup of /etc/sysctl.conf failed: $?";</DIV>
<DIV> </DIV>
<DIV># Target values (1 = on, 0 = off); the comment on each names the sysctl it sets<BR>my $drpf = '1'; # net.ipv4.conf.default.rp_filter<BR>my $arpf = '1'; # net.ipv4.conf.all.rp_filter<BR>my $dasr = '0'; # net.ipv4.conf.default.accept_source_route<BR>my $tmsb = '4096'; # net.ipv4.tcp_max_syn_backlog<BR>my $aasr = '0'; # net.ipv4.conf.all.accept_source_route<BR>my $dar = '0'; # net.ipv4.conf.default.accept_redirects<BR>my $aar = '0'; # net.ipv4.conf.all.accept_redirects<BR>my $dsr = '0'; # net.ipv4.conf.default.secure_redirects<BR>my $asr = '0'; # net.ipv4.conf.all.secure_redirects<BR>my $ieib = '0'; # net.ipv4.icmp_echo_ignore_broadcasts<BR>my $dser = '0'; # net.ipv4.conf.default.send_redirects<BR>my $aser = '0'; # net.ipv4.conf.all.send_redirects<BR>my $tsyn = '1'; # net.ipv4.tcp_syncookies</DIV>
<DIV> </DIV>
<DIV># Write the new file: copy every existing line except the settings managed here, which are appended below<BR>open OUTP, '>/etc/sysctl.conf.fisma' or die "Cannot write /etc/sysctl.conf.fisma: $!";<BR>open SYSCTL, '/etc/sysctl.conf' or die "Cannot read sysctl.conf: $!";<BR> <BR>while (my $line = <SYSCTL>) {<BR> chomp $line;<BR> next if $line =~ /^net\.ipv4\.conf\.default\.rp_filter/;<BR> next if $line =~ /^net\.ipv4\.conf\.all\.rp_filter/;<BR> next if $line =~ /^net\.ipv4\.conf\.default\.accept_source_route/;<BR> next if $line =~ /^net\.ipv4\.tcp_max_syn_backlog/;<BR> next if $line =~ /^net\.ipv4\.conf\.all\.accept_source_route/;<BR> next if $line =~ /^net\.ipv4\.conf\.default\.accept_redirects/;<BR> next if $line =~ /^net\.ipv4\.conf\.all\.accept_redirects/;<BR> next if $line =~ /^net\.ipv4\.conf\.default\.secure_redirects/;<BR> next if $line =~ /^net\.ipv4\.conf\.all\.secure_redirects/;<BR> next if $line =~ /^net\.ipv4\.icmp_echo_ignore_broadcasts/;<BR> next if $line =~ /^net\.ipv4\.conf\.default\.send_redirects/;</DIV>
<DIV> next if $line =~ /^net\.ipv4\.conf\.all\.send_redirects/;<BR> next if $line =~ /^net\.ipv4\.tcp_syncookies/;<BR> print OUTP "$line\n";<BR>}</DIV>
<DIV> </DIV>
<DIV>close SYSCTL;</DIV>
<DIV> </DIV>
<DIV>print OUTP "net.ipv4.conf.default.rp_filter = $drpf\n";<BR>print OUTP "net.ipv4.conf.all.rp_filter = $arpf\n";<BR>print OUTP "net.ipv4.conf.default.accept_source_route = $dasr\n";<BR>print OUTP "net.ipv4.tcp_max_syn_backlog = $tmsb\n";<BR>print OUTP "net.ipv4.conf.all.accept_source_route = $aasr\n";<BR>print OUTP "net.ipv4.conf.default.accept_redirects = $dar\n";<BR>print OUTP "net.ipv4.conf.all.accept_redirects = $aar\n";<BR>print OUTP "net.ipv4.conf.default.secure_redirects = $dsr\n";<BR>print OUTP "net.ipv4.conf.all.secure_redirects = $asr\n";<BR>print OUTP "net.ipv4.icmp_echo_ignore_broadcasts = $ieib\n";<BR>print OUTP "net.ipv4.conf.default.send_redirects = $dser\n";<BR>print OUTP "net.ipv4.conf.all.send_redirects = $aser\n";<BR>print OUTP "net.ipv4.tcp_syncookies = $tsyn\n";</DIV>
<DIV> </DIV>
<DIV>close OUTP;</DIV>
<DIV> </DIV>
<DIV># Write the new file back over the active config file (apply it with: sysctl -p)<BR>system("mv /etc/sysctl.conf.fisma /etc/sysctl.conf") == 0 or die "Could not replace /etc/sysctl.conf: $?";<BR><BR></DIV><BR><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-41013578958457108132009-10-26T21:04:00.001-05:002009-10-26T21:04:28.556-05:00One liners<div><h4>Bash One liners</h4><br><br>for path in `awk '($3 ~ "ext2|ext3") {print $2}' /etc/fstab`;do find $path -xdev -type d -perm -0002 ! -perm -1000 >> /tmp/sticks;done<br><br>/tmp/sticks then contains, one per line, the directories with world writable permissions and no sticky bit set, e.g.<br> /usr/openv/netbackup/logs/user_ops<br> /usr/openv/netbackup/logs/user_ops/nbjlogs<br><br>Read lines in file /tmp/sticks and echo them out<br> cat /tmp/sticks |while read dlist; do echo "${dlist}";done<br><br>chmod the folders listed in the file by adding the sticky bit (prevents other users with write access from deleting anything but their own files)<br> <b>cat /tmp/sticks |while read dlist; do chmod +t "${dlist}";done<br></b><br><br>Read lines in file and echo them out<br> while read dlist; do echo "${dlist}";done < <(cat /tmp/sticks)<br><br>find files and echo their names<br> find /tmp -name 'sticks*' |while read tfile; do echo "${tfile}";done<br></div>
<div> </div>
<div>find world writable directories without the sticky bit<br>for PART in `awk '($3 ~ "ext2|ext3") {print $2}' /etc/fstab`;do find $PART -xdev -type d -perm -0002 -a ! -perm -1000 >> /tmp/sticks ;done</div>
<div> </div>
<div>Change those world writable directories to have the sticky bit set<br>cat /tmp/sticks |while read dlist; do chmod +t "${dlist}";done</div>
<div> </div>
<div>rm -rf /etc/exports if not used (the pattern is quoted so the shell cannot glob-expand it):<br> if ! grep -q '^[^#]' /etc/exports;then rm -rf /etc/exports; else mail -s "exports in use on `hostname`" <a href="mailto:pvalentino@sysxperts.com">pvalentino@sysxperts.com</a> < /etc/exports;fi</div>
<div> </div>
<div>User home directories should be 750 or less:<br>#!/bin/sh<br>find `awk -F: '($3 >= 500 && $1 != "nobody") {print $6}' /etc/passwd` -maxdepth 1 -type d -prune \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -ls</div>
<div> </div>
<div>Fix for home dir permissions:<br>find `awk -F: '($3 >= 500 && $1 != "nobody") {print $6}' /etc/passwd` -maxdepth 1 -type d -prune \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -exec chmod 750 {} \;</div>
<div> </div>
<div>Test for world writable files:<br>#!/bin/sh<br>for PART in `awk '($2!="/data" && $2!="/apps" && !/^#/ && $6 != "0") { print $2 }' /etc/fstab`; do<br> find $PART -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -ls;<br>done</div>
<div><br>Fix world writable:<br>#!/bin/sh<br>for PART in `awk '($2!="/data" && $2!="/apps" && !/^#/ && $6 != "0") { print $2 }' /etc/fstab`; do<br> find $PART -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -exec chmod o-w {} \;;<br>done</div>
<div> </div>
<div>Fix log permissions:<br>find /var/log -type f -exec chmod o-rx {} \;</div>
<div> </div>
<div>Find and log SUID/SGID System executables (one mail with the full list, sent after all partitions are scanned):<br>#!/bin/sh<br>for PART in `awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab`; do<br> find $PART -xdev -type f \( -perm -04000 -o -perm -02000 \) ! -path /bin/su >> /tmp/sgidfiles;<br>done<br>mail -s "SUID/SGID files on `hostname`" <a href="mailto:pvalentino@sysxperts.com">pvalentino@sysxperts.com</a> < /tmp/sgidfiles</div>
<div> </div>
<div>Find unowned files:</div>
<div>#!/bin/bash</div>
<div>for PART in `awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab`; do<br> find $PART -xdev \( -nouser -o -nogroup \) -ls;<br>done</div>
<div> </div>
<div>FIX unowned files:</div>
<div>#!/bin/bash<br>for PART in `awk '(!/^#/ && $6 != "0") { print $2 }' /etc/fstab`; do<br> find $PART -xdev \( -nouser -o -nogroup \) -exec chown root:root {} \;;<br>done<br><br>Ubuntu system account shell set to nologin:<br>rm -rf /tmp/sysaccts; awk -F: '($1!="root" && $1!="halt" && $1!="sync" && $1!="shutdown" && $3<500 && $7!="/bin/false" && $7!="/bin/sh" && $7!="/usr/sbin/nologin") {print $1}' /etc/passwd >> /tmp/sysaccts;cat /tmp/sysaccts |while read slist;do usermod -s /usr/sbin/nologin $slist;done<br><br>Red Hat system account shell set to nologin:<br>rm -rf /tmp/sysaccts; awk -F: '($1!="root" && $1!="halt" && $1!="sync" && $1!="shutdown" && $3<500 && $7!="/sbin/nologin") {print $1}' /etc/passwd >> /tmp/sysaccts;cat /tmp/sysaccts |while read slist;do usermod -s /sbin/nologin $slist;done<br><br></div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-9098225096303377212009-10-20T12:55:00.001-05:002009-10-20T12:55:38.702-05:00TCP Wrappers Example<H3>TCP Wrappers Example</H3>
<DIV> </DIV>
<DIV>To log all access to vsftpd and limit all other wrapped services to local networks, add something like this to /etc/hosts.allow:</DIV>
<DIV><BR>
<BLOCKQUOTE id=h2bv>
<P>vsftpd : ALL \ </P>
<P>: spawn /bin/echo $(/bin/date) access granted to %c>>/var/log/vsftpd_access.log </P>
<P>ALL : LOCAL</P>
<P>ALL : 10.</P>
<P>ALL : 192.168.1. </P></BLOCKQUOTE></DIV>
<DIV>The rules above allow access to vsftpd from anywhere and log every connection, but permit access to the remaining wrapped services only from LOCAL hosts (names without a dot, which covers the local machine), from any address starting with 10. and from any address starting with 192.168.1.</DIV>
<DIV> </DIV>
<DIV>Then to enforce denial for all undefined addresses add the following to /etc/hosts.deny</DIV>
<DIV> </DIV>
<BLOCKQUOTE id=zd-9>ALL : ALL</BLOCKQUOTE>
<DIV>If none of the rules in /etc/hosts.allow are matched then the above rule ensures that access is denied, otherwise access would be granted by default.</DIV>
<DIV> </DIV>
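The spawn rule above writes one line per connection of the form "Tue Oct 20 12:55:38 CDT 2009 access granted to &lt;%c&gt;". As an added example (not code from the original post), two small reports over that log: connections per client, and the clients that only got in because of the vsftpd ALL rule, i.e. that the LOCAL / 10. / 192.168.1. rules would not have matched. The log path and the sample lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original post: summarise the vsftpd access
# log written by the spawn rule. The last field of each line is the %c
# expansion (user@host, host name or address); tcpd replaces shell
# metacharacters in expansions with underscores, so the field is one token.

# Print "count client" for every client seen, most frequent first.
access_by_client() {
    awk '/ access granted to / { n[$NF]++ }
         END { for (c in n) printf "%d %s\n", n[c], c }' "$1" | sort -rn
}

# Print the clients that the ALL : LOCAL / 10. / 192.168.1. rules would NOT
# have matched. The host part is what follows the @, if any; LOCAL means a
# name without a dot; "10." and "192.168.1." are address prefixes.
nonlocal_clients() {
    awk '/ access granted to / {
             host = $NF; sub(/^.*@/, "", host)
             if (host !~ /\./) next            # LOCAL: name without a dot
             if (host ~ /^10\./) next          # ALL : 10.
             if (host ~ /^192\.168\.1\./) next # ALL : 192.168.1.
             seen[host]++
         }
         END { for (h in seen) print h }' "$1" | sort
}

# Constructed sample log for the demonstration (addresses from 203.0.113.0/24).
sample_vsftpd_log() {
    cat > "$1" <<'EOF'
Tue Oct 20 12:55:38 CDT 2009 access granted to 10.1.2.3
Tue Oct 20 12:56:01 CDT 2009 access granted to 203.0.113.7
Tue Oct 20 12:57:12 CDT 2009 access granted to bob@203.0.113.7
Tue Oct 20 13:00:00 CDT 2009 access granted to 192.168.1.20
Tue Oct 20 13:01:00 CDT 2009 access granted to 192.168.10.5
Tue Oct 20 13:02:00 CDT 2009 access granted to fileserver
Tue Oct 20 13:05:40 CDT 2009 access granted to 203.0.113.7
EOF
}

# Usage on a live host: access_by_client /var/log/vsftpd_access.log
```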
<DIV><BR><B>To find wrapped services:<BR></B>[root@host]# strings -f /usr/sbin/* |grep hosts_access<BR>/usr/sbin/<B>in.tftpd</B>: hosts_access<BR>/usr/sbin/<B>sshd</B>: hosts_access<BR>/usr/sbin/<B>stunnel</B>: hosts_access<BR>/usr/sbin/stunnel: See hosts_access(5) manual for details<BR>/usr/sbin/<B>tcpd</B>: hosts_access_verbose<BR>/usr/sbin/<B>xinetd</B>: hosts_access</DIV>
<DIV>[root@host]# strings -f /sbin/* |grep hosts_access<BR>/sbin/<B>auditd</B>: hosts_access<BR>/sbin/<B>portmap</B>: hosts_access_verbose</DIV>
<DIV>If you are using Quest Authentication Services (formerly Vintela Authentication Services) you might also check this location:<BR>[root@host]# strings -f /opt/quest/sbin/* |grep hosts_access<BR>/opt/quest/sbin/<B>sshd</B>: @(#) hosts_access.c 1.21 97/02/12 02:13:22</DIV>
<P><BR>The following expansions are available within shell commands for use with the spawn or twist option, as in my vsftpd example above. (The spawn option does not work with the ALL wildcard, which is why I specified vsftpd separately.) I've highlighted the most common and useful expansions below:</P>
<P> %a (%A) The client (server) host address.</P>
<P> <B> %c</B> Client information: <A href="mailto:user@host">user@host</A>, <A href="mailto:user@address">user@address</A>, a host name, or just an address, depending on how much information is available.</P>
<P> <B>%d</B> The daemon process name (argv[0] value).</P>
<P> <B>%h</B> (%H) The client (server) host name or address, if the host name is unavailable.</P>
<P> %n (%N) The client (server) host name (or "unknown" or "paranoid").</P>
<P> %p The daemon process id.</P>
<P> %s Server information: <A href="mailto:daemon@host">daemon@host</A>, <A href="mailto:daemon@address">daemon@address</A>, or just a daemon name, depending on how much information is available.</P>
<P> %u The client user name (or "unknown").</P>
<P> %% Expands to a single % character.</P><BR><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-68531567723795999232009-10-06T17:53:00.001-05:002009-10-06T17:53:28.455-05:00HugePages with Oracle example on...<DIV>
<H3>HugePages with Oracle example on RHEL 5 with 10g</H3></DIV>
<DIV> </DIV>
<DIV><B>Determine hugepages requirement and kernel parameters</B> (database should be running for this)</DIV>
<DIV>The perl script below first backs up the sysctl.conf and limits.conf files, writes the recommended and calculated values to a new version of each file, then moves the new versions over the active files. See the comments in the script for details of what it does.</DIV>
<DIV> </DIV>
<DIV>create file hugemem.pl with content below and run with:</DIV>
<DIV> <B> perl hugemem.pl</B><BR><BR></DIV>
<DIV style="MARGIN-LEFT: 40px">#!/usr/bin/perl -w<BR>
use strict;<BR>
<BR>
# Make timestamped backup for sysctl.conf and limits.conf<BR>
my $timestamp = `date +%Y%m%d%H%M`;<BR>
chomp $timestamp;<BR>
system("cp /etc/sysctl.conf /etc/sysctl.conf.$timestamp");<BR>
system("cp /etc/security/limits.conf /etc/security/limits.conf.$timestamp");<BR>
<BR>
# Get kernel version: 2.4 uses vm.hugetlb_pool, 2.6 uses vm.nr_hugepages<BR>
my $kern = `uname -r`;<BR>
$kern =~ /^(\d\.\d)/;<BR>
$kern = $1;<BR>
<BR>
# Hugepagesize (kB) of the architecture we're on<BR>
my $hpg_sz = `grep Hugepagesize /proc/meminfo | awk '{print \$2}'`;<BR>
chomp $hpg_sz;<BR>
my $num_pg = 1;<BR>
my $min_pg = 0;<BR>
<BR>
# Get oracle shared memory segments, initialize afterKey and smssum for the loop below<BR>
my @ipcs_out = `ipcs -m`;<BR>
my $afterKey = 0;<BR>
my $smssum = 0;<BR>
<BR>
# Find total memory (kB) from free, then convert to bytes<BR>
my $mem = `free | grep Mem | awk '{print \$2}'`;<BR>
chomp $mem;<BR>
my $totmem = $mem * 1024;<BR>
# SHMMAX as a percentage of total memory, in this case 75%<BR>
my $max = int(($totmem * 75) / 100);<BR>
# SHMALL: SHMMAX divided by Hugepagesize (kB)<BR>
my $all = int($max / $hpg_sz);<BR>
# Oracle recommended semaphores<BR>
my $sem = '250 32000 100 142';<BR>
# Shared memory segments<BR>
my $mni = '4096';<BR>
# File limits recommended by oracle<BR>
my $fmax = '131072';<BR>
# Receive socket buffer size<BR>
my $rmemd = '262144';<BR>
my $rmemm = '4194304';<BR>
# Send socket buffer size<BR>
my $wmemd = '262144';<BR>
my $wmemm = '4194304';<BR>
# TCP socket buffer<BR>
my $ipv4r = '4096 262144 4194304';<BR>
my $ipv4w = '4096 262144 4194304';<BR>
# Port range<BR>
my $ipv4p = '1024 65000';<BR>
# Frequency of keepalive packets when connection is not in use<BR>
my $katime = '30';<BR>
# Kernel wait between probes<BR>
my $kintvl = '60';<BR>
# Max probes<BR>
my $kprobe = '9';<BR>
# SYN retries<BR>
my $synr = '2';<BR>
# Memory settings<BR>
# Disable swapping for oracle<BR>
my $swap = '0';<BR>
# % of active memory that can have dirty pages<BR>
my $dirtyb = '3';<BR>
# % of total memory that can have dirty pages<BR>
my $dirtyr = '15';<BR>
# 1/100th of seconds that page cache data is expired<BR>
my $dirtye = '500';<BR>
# frequency pdflush will clean dirty pages<BR>
my $dirtyw = '100';<BR>
# limits.conf recommended by oracle<BR>
my $nproc = '131072';<BR>
<BR>
# Find size of all shared memory segments: column 5 (bytes) of ipcs -m,<BR>
# skipping segments that carry a status such as dest<BR>
foreach my $ipcsLine (@ipcs_out) {<BR>
  chomp $ipcsLine;<BR>
  next if ! $ipcsLine;<BR>
  if ($afterKey) {<BR>
    my @ipcsVals = split /\s+/, $ipcsLine;<BR>
    if (! $ipcsVals[6]) { $smssum += $ipcsVals[4]; }<BR>
  }<BR>
  $afterKey++ if $ipcsLine =~ /^key\s/;<BR>
}<BR>
<BR>
# Determine number of huge pages needed to hold all shared mem segments (rounded down, plus one spare)<BR>
$min_pg = $smssum / ($hpg_sz * 1024);<BR>
$num_pg = int($min_pg) + 1;<BR>
<BR>
# Calculate HUGETLB_POOL size in MB (2.4 kernels)<BR>
my $hugetbl_pool = ($num_pg * $hpg_sz) / 1024;<BR>
<BR>
# Get oracle group id<BR>
my $oracle_gid = `id -g oracle`;<BR>
chomp $oracle_gid;<BR>
<BR>
# Calculate memlock (kB) for limits.conf based upon allocated huge pages<BR>
my $memlock = $num_pg * $hpg_sz;<BR>
<BR>
# Write out limits.conf<BR>
open OUTPL, '>/etc/security/limits.conf.hugemem' or die "Cannot write /etc/security/limits.conf.hugemem: $!";<BR>
open LIMITS, '/etc/security/limits.conf' or die "Cannot read limits.conf: $!";<BR>
while (my $linel = <LIMITS>) {<BR>
  chomp $linel;<BR>
  # drop the lines we are about to rewrite<BR>
  next if $linel =~ /memlock/;<BR>
  next if $linel =~ /End/;<BR>
  next if $linel =~ /nproc/;<BR>
  print OUTPL "$linel\n";<BR>
}<BR>
close LIMITS;<BR>
print OUTPL "oracle soft memlock $memlock\n";<BR>
print OUTPL "oracle hard memlock $memlock\n";<BR>
print OUTPL "oracle soft nproc $nproc\n";<BR>
print OUTPL "oracle hard nproc $nproc\n";<BR>
close OUTPL;<BR>
<BR>
# Write out sysctl.conf<BR>
open OUTP, '>/etc/sysctl.conf.hugemem' or die "Cannot write /etc/sysctl.conf.hugemem: $!";<BR>
open SYSCTL, '/etc/sysctl.conf' or die "Cannot read sysctl.conf: $!";<BR>
while (my $line = <SYSCTL>) {<BR>
  chomp $line;<BR>
  # drop every key we are about to rewrite<BR>
  next if $line =~ /^vm\.hugetlb_shm_group/;<BR>
  next if $line =~ /^kernel\.shmmax/;<BR>
  next if $line =~ /^kernel\.shmall/;<BR>
  next if $line =~ /^kernel\.sem/;<BR>
  next if $line =~ /^kernel\.shmmni/;<BR>
  next if $line =~ /^fs\.file-max/;<BR>
  next if $line =~ /^net\.core\.rmem_default/;<BR>
  next if $line =~ /^net\.core\.rmem_max/;<BR>
  next if $line =~ /^net\.core\.wmem_default/;<BR>
  next if $line =~ /^net\.core\.wmem_max/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_rmem/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_wmem/;<BR>
  next if $line =~ /^net\.ipv4\.ip_local_port_range/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_keepalive_time/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_keepalive_intvl/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_keepalive_probes/;<BR>
  next if $line =~ /^net\.ipv4\.tcp_syn_retries/;<BR>
  next if $line =~ /^vm\.swappiness/;<BR>
  next if $line =~ /^vm\.dirty_background_ratio/;<BR>
  next if $line =~ /^vm\.dirty_ratio/;<BR>
  next if $line =~ /^vm\.dirty_expire_centisecs/;<BR>
  next if $line =~ /^vm\.dirty_writeback_centisecs/;<BR>
  if ($kern eq '2.4') {<BR>
    next if $line =~ /^vm\.hugetlb_pool/;<BR>
  } elsif ($kern eq '2.6') {<BR>
    next if $line =~ /^vm\.nr_hugepages/;<BR>
  }<BR>
  print OUTP "$line\n";<BR>
}<BR>
close SYSCTL;<BR>
<BR>
if ($kern eq '2.4') {<BR>
  print OUTP "vm.hugetlb_pool = $hugetbl_pool\n";<BR>
} elsif ($kern eq '2.6') {<BR>
  print OUTP "vm.nr_hugepages = $num_pg\n";<BR>
}<BR>
print OUTP "vm.hugetlb_shm_group = $oracle_gid\n";<BR>
print OUTP "kernel.shmmax = $max\n";<BR>
print OUTP "kernel.shmall = $all\n";<BR>
print OUTP "kernel.sem = $sem\n";<BR>
print OUTP "kernel.shmmni = $mni\n";<BR>
print OUTP "fs.file-max = $fmax\n";<BR>
print OUTP "net.core.rmem_default = $rmemd\n";<BR>
print OUTP "net.core.rmem_max = $rmemm\n";<BR>
print OUTP "net.core.wmem_default = $wmemd\n";<BR>
print OUTP "net.core.wmem_max = $wmemm\n";<BR>
print OUTP "net.ipv4.tcp_rmem = $ipv4r\n";<BR>
print OUTP "net.ipv4.tcp_wmem = $ipv4w\n";<BR>
print OUTP "net.ipv4.ip_local_port_range = $ipv4p\n";<BR>
print OUTP "net.ipv4.tcp_keepalive_time = $katime\n";<BR>
print OUTP "net.ipv4.tcp_keepalive_intvl = $kintvl\n";<BR>
print OUTP "net.ipv4.tcp_keepalive_probes = $kprobe\n";<BR>
print OUTP "net.ipv4.tcp_syn_retries = $synr\n";<BR>
print OUTP "vm.swappiness = $swap\n";<BR>
print OUTP "vm.dirty_background_ratio = $dirtyb\n";<BR>
print OUTP "vm.dirty_ratio = $dirtyr\n";<BR>
print OUTP "vm.dirty_expire_centisecs = $dirtye\n";<BR>
print OUTP "vm.dirty_writeback_centisecs = $dirtyw\n";<BR>
close OUTP;<BR>
<BR>
# Replace the active files with the new versions (backups were taken above)<BR>
system("mv /etc/sysctl.conf.hugemem /etc/sysctl.conf");<BR>
system("mv /etc/security/limits.conf.hugemem /etc/security/limits.conf");<BR></DIV>
<DIV>/etc/sysctl.conf will be updated with similar output to below:</DIV>
<BLOCKQUOTE id=cbnf>
<P># Kernel sysctl configuration file for Red Hat Linux<BR>#<BR># For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and<BR># sysctl.conf(5) for more details.</P>
<P><BR># Controls IP packet forwarding<BR>net.ipv4.ip_forward = 0</P>
<P># Controls source route verification<BR>net.ipv4.conf.default.rp_filter = 1</P>
<P># Do not accept source routing<BR>net.ipv4.conf.default.accept_source_route = 0</P>
<P># Controls the System Request debugging functionality of the kernel<BR>kernel.sysrq = 0</P>
<P># Controls whether core dumps will append the PID to the core filename<BR># Useful for debugging multi-threaded applications<BR>kernel.core_uses_pid = 1</P>
<P># Controls the use of TCP syncookies<BR>net.ipv4.tcp_syncookies = 1</P>
<P># Controls the maximum size of a message, in bytes<BR>kernel.msgmnb = 65536</P>
<P># Controls the default maxmimum size of a mesage queue<BR>kernel.msgmax = 65536</P>
<P># Controls the maximum shared segment size, in bytes</P>
<P># Controls the maximum number of shared memory segments, in pages</P>
<P>vm.nr_hugepages = 4002<BR>vm.hugetlb_shm_group = 1034</P>
<P>kernel.shmmax = 28450271232<BR>kernel.shmall = 13891734<BR>kernel.sem = 250 32000 100 142<BR>kernel.shmmni = 4096<BR>fs.file-max = 131072<BR>net.core.rmem_default = 262144<BR>net.core.rmem_max = 4194304<BR>net.core.wmem_default = 262144<BR>net.core.wmem_max = 4194304<BR>net.ipv4.tcp_rmem = 4096 262144 4194304<BR>net.ipv4.tcp_wmem = 4096 262144 4194304<BR>net.ipv4.ip_local_port_range = 1024 65000<BR>net.ipv4.tcp_keepalive_time = 30<BR>net.ipv4.tcp_keepalive_intvl = 60<BR>net.ipv4.tcp_keepalive_probes = 9<BR>net.ipv4.tcp_syn_retries = 2<BR>vm.swappiness = 0<BR>vm.dirty_background_ratio = 3<BR>vm.dirty_ratio = 15<BR>vm.dirty_expire_centisecs = 500<BR>vm.dirty_writeback_centisecs = 100<BR></P>
<P><BR></P>
<DIV><B>sysctl -p #run this to activate new kernel parameters </B></DIV></BLOCKQUOTE>
<DIV><B>Example limits.conf output </B></DIV>
<DIV>
<BLOCKQUOTE id=wzlv>
<P>oracle soft nofile 4096<BR>oracle hard nofile 65536</P>
<P>oracle soft memlock 8196096<BR>oracle hard memlock 8196096<BR>oracle soft nproc 131072<BR>oracle hard nproc 131072</P></BLOCKQUOTE> </DIV>
<DIV><B>Reboot after these changes</B> to ensure that oracle can obtain the new hugepages settings and limits.conf settings etc.</DIV>
<DIV> </DIV>
<DIV>Also, if your SGA is set too small and you need to update your spfile, be sure to rerun this script after you've updated and restarted your database. You will most likely need to try various settings and run through a few iterations to obtain the best configuration and performance.</DIV>
<DIV> </DIV>
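After the reboot it is worth confirming that the pool hugemem.pl sized is both present and actually used by the Oracle shared memory segments; a pool that is too small, or one Oracle silently fell back from, shows up in /proc/meminfo. As an added example (not code from the original post), the page count calculation above redone in shell over a copy of ipcs -m output, plus a check of HugePages_Total/Free/Rsvd. The sample ipcs and meminfo contents are constructed for the demonstration; on a live host pass /proc/meminfo and the output of ipcs -m.

```sh
#!/bin/sh
# Added example, not part of the original post: verify the huge page pool
# after the reboot. Works from files so it can be exercised offline.

# needed_hugepages IPCS_FILE HUGEPAGESIZE_KB
#   Same rule as the perl script: sum column 5 (bytes) of every segment after
#   the "key" header that carries no status (skips "dest"), divide by the
#   huge page size, round down and add one spare page.
needed_hugepages() {
    awk -v hpg="$2" '
        after && NF >= 5 && $7 == "" { sum += $5 }
        /^key/ { after = 1 }
        END { printf "%d\n", int(sum / (hpg * 1024)) + 1 }' "$1"
}

# hugepagesize_kb MEMINFO_FILE
hugepagesize_kb() {
    awk '/^Hugepagesize:/ { print $2 }' "$1"
}

# check_hugepages MEMINFO_FILE PAGES_NEEDED
#   Pages in use are Total - Free + Rsvd (reserved pages still count as free).
#   Prints one verdict line; returns 0 = OK, 1 = pool too small,
#   2 = pool configured but nothing is using it (SGA is on normal pages).
check_hugepages() {
    awk -v need="$2" '
        /^HugePages_Total:/ { total = $2 }
        /^HugePages_Free:/  { free  = $2 }
        /^HugePages_Rsvd:/  { rsvd  = $2 }
        END {
            inuse = total - free + rsvd
            if (total < need) {
                printf "POOL TOO SMALL: %d configured, %d needed\n", total, need; exit 1
            }
            if (inuse == 0) {
                printf "POOL UNUSED: %d pages free of %d\n", free, total; exit 2
            }
            printf "OK: %d of %d huge pages in use (%d needed)\n", inuse, total, need
        }' "$1"
}

# Constructed sample inputs for the demonstration.
sample_ipcs() {
    cat > "$1" <<'EOF'
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      oracle     640        4194304    10         dest
0x62d7a0b4 65537      oracle     640        8590983168 120
0x00000000 98306      oracle     640        2097152    5
EOF
}
# sample_meminfo FILE TOTAL FREE RSVD
sample_meminfo() {
    printf 'MemTotal:       37942580 kB\nHugePages_Total:   %s\nHugePages_Free:    %s\nHugePages_Rsvd:    %s\nHugePages_Surp:    0\nHugepagesize:       2048 kB\n' "$2" "$3" "$4" > "$1"
}

# Live usage:
#   ipcs -m > /tmp/ipcs.out
#   check_hugepages /proc/meminfo "$(needed_hugepages /tmp/ipcs.out "$(hugepagesize_kb /proc/meminfo)")"
```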
<DIV>vm.overcommit_memory settings #for VM's:</DIV>
<DIV> 0 = kernel estimates amount of free memory left when userspace requests more <BR></DIV>
<DIV> 1 = kernel pretends there is always enough until it runs out</DIV>
<DIV> 2 = never overcommit</DIV>
<DIV> </DIV>
<DIV>Check dirty pages and adjust vm.dirty_background_ratio and vm.dirty_ratio on a VM accordingly</DIV>
<DIV> grep -A 1 dirty /proc/vmstat #the lower the numbers the better</DIV>
<DIV> </DIV>
<DIV><B>Example spfile for large memory system:</B></DIV>
<DIV>
<BLOCKQUOTE id=vff0>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal><SPAN style="COLOR: blue"><FONT color=#000000><FONT size=2>*._b_tree_bitmap_plans=false<BR>*._column_elimination_off=TRUE<BR>*.audit_file_dest='/oracle/admin/test/audit'<BR>*.audit_trail='os'<BR>*.background_dump_dest='/oracle/admin/test/bdump'<BR>*.compatible='9.2.0'<BR>*.control_files='/testdata01/test/testctrl1','/testdata01/test/testctrl2','/<BR>oracle/admin/test/cfile/testctrl3'<BR>*.core_dump_dest='/oracle/admin/test/cdump'<BR>*.db_block_size=32768<BR>*.db_cache_size=26214400000<BR>*.db_file_multiblock_read_count=32<BR>*.db_files=500<BR>*.db_keep_cache_size=21474836480<BR>*.db_name='test'<BR>*.java_pool_size=20971520<BR>*.job_queue_processes=4<BR>*.large_pool_size=10485760<BR>*.log_buffer=1048576<BR>*.O7_DICTIONARY_ACCESSIBILITY=true<BR>*.open_cursors=512<BR>*.optimizer_index_caching=10<BR>*.optimizer_index_cost_adj=80<BR>*.parallel_max_servers=12<BR>*.parallel_min_servers=0<BR>*.pga_aggregate_target=16777216000<BR>*.processes=125</FONT></FONT></SPAN></P><SPAN style="COLOR: blue"><FONT color=#000000><FONT size=2>*.query_rewrite_enabled='FALSE'<BR>*.query_rewrite_integrity='stale_tolerated'<BR>*.remote_login_passwordfile='EXCLUSIVE'<BR>*.resource_limit=true<BR>*.sga_max_size=45G<BR>*.shared_pool_size=125M<BR>*.star_transformation_enabled='true'<BR>*.timed_statistics=true<BR>*.undo_management='auto'<BR>*.undo_retention=18000<BR>*.undo_tablespace='undo'<BR>*.user_dump_dest='/oracle/admin/test/udump'</FONT></FONT></SPAN></BLOCKQUOTE></DIV><BR><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com2tag:blogger.com,1999:blog-5168152168512265767.post-22610386506462200142009-10-05T13:30:00.003-05:002009-10-05T13:30:05.608-05:00RecoverPoint Bookmark example<H3><FONT size=2>RecoverPoint Bookmark example<BR></FONT></H3>
<DIV> </DIV>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal>Copy the private key into /home/user/.ssh/id_dsa on the DB server (ssh will refuse to use it unless the file is readable only by its owner): </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal>-----BEGIN DSA PRIVATE KEY-----<BR>Key Here<BR>-----END DSA PRIVATE KEY----- </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal>Add the public key from id_dsa.pub to your Clariion management interface with: </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> add_ssh_key # and enter name of your db server </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal>Test connectivity to the Clariion management interface from the DB server with:</P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal># ssh adminuser@<w.x.y.z> get_version </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal>Create a bookmark (this example uses the consistency group Oracle_DB): </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal># ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Test1_snap </P>
<P style="MARGIN: 0in 0in 0pt" class=MsoNormal> </P>
<DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal>So you could now do something like:</DIV>
<DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal> </DIV>
<DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal>alter database|tablespace begin backup;</DIV>
<DIV style="MARGIN: 0in 0in 0pt" class=MsoNormal>ssh adminuser@<w.x.y.z> bookmark_image group=Oracle_DB bookmark=Oracle_7AM_snap</DIV>
<DIV>alter database|tablespace end backup;</DIV>
<DIV> </DIV>
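The three steps above as one function, added here as an example (not code from the original post): the point is that "end backup" must run even if the bookmark command fails or the script is interrupted, since a database left in backup mode is the failure mode to avoid. RP_USER and RP_HOST default to the page's placeholders, the sqlplus invocation is assumed, and the stubs at the end let the sequence be exercised without an appliance.

```sh
#!/bin/sh
# Added example, not part of the original post: begin backup, bookmark, end
# backup as one function that always leaves backup mode. Defaults below are
# assumptions; SQLPLUS and SSH can be pointed at stubs for a dry run.

RP_USER=${RP_USER:-adminuser}
RP_HOST=${RP_HOST:-w.x.y.z}
SQLPLUS=${SQLPLUS:-sqlplus -s / as sysdba}   # assumed: run as the oracle user
SSH=${SSH:-ssh}

# Feed one statement to sqlplus (or whatever $SQLPLUS names).
run_sql() {
    printf '%s\n' "$1" | $SQLPLUS
}

end_backup() {
    run_sql "alter database end backup;"
}

# bookmark_db GROUP [NAME]
#   Put the database in backup mode, create the RecoverPoint bookmark for the
#   consistency group, then end backup mode. NAME defaults to a timestamp.
#   Returns non-zero if any step failed; end backup is attempted regardless.
bookmark_db() {
    group=$1
    name=${2:-$(date +%Y%m%d_%H%M)_snap}
    run_sql "alter database begin backup;" || return 1
    # If we are killed between begin and end, still leave backup mode.
    trap 'end_backup; exit 1' INT TERM HUP
    if $SSH "$RP_USER@$RP_HOST" bookmark_image group="$group" bookmark="$name"; then
        rc=0
    else
        rc=$?
        echo "bookmark_image failed for $group/$name" >&2
    fi
    trap - INT TERM HUP
    end_backup || rc=1
    return $rc
}

# Stubs for a dry run: record what would be sent instead of executing it.
# demo_log is an assumed path for the demonstration.
demo_log=${demo_log:-/tmp/bookmark_demo.log}
stub_sql() { cat >> "$demo_log"; }
stub_ssh() { echo "ssh $*" >> "$demo_log"; }

# Dry run:   SQLPLUS=stub_sql SSH=stub_ssh bookmark_db Oracle_DB Test1_snap; cat "$demo_log"
# Real run:  bookmark_db Oracle_DB Oracle_7AM_snap
```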
<DIV>Then expose your recoverpoint luns to the server on DR side and perform the remaining backup steps there.<BR></DIV><BR><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>Paul Valentinohttp://www.blogger.com/profile/13675062483226550269noreply@blogger.com0tag:blogger.com,1999:blog-5168152168512265767.post-83101614484156789202009-10-05T01:00:00.001-05:002009-10-05T01:00:28.103-05:00#1 UNIX Tips<p id="j4_n"><font id="j4_n0" size="5"><b id="j4_n1">UNIX Random <a title="Tips" target="_blank" href="http://docs.google.com/View?docid=dfxjbxcc_39h7rfvd" id="y3:5">Tips</a> - sorry Linux Tips is what I really meant</b></font><br id="j4_n2"></p>
<div id="g:3w"><br></div><div id="wwx5"><b>Make dated backup files easy with a profile update</b></div><div id="jbn-">in /home/user/.bash_profile add:</div><div id="u_tn"><b>TIME</b>=$(date +%Y%m%d%H%M%S)</div><div id="hx62">export TIME</div><div id="hw:f"> of course change the date and time stamp to whatever format you prefer<br></div><div id="dr75"> then to back up a file with the timestamp just use:<br></div><div id="isc0">cp /path/to/file /path/to/backup/filename.<b>$TIME</b></div><div id="b5.s"> and the file will be saved with the timestamp, provided you have sourced your .bash_profile or logged in again (note that $TIME is fixed when the profile is read, so it records when the shell started, not when the copy was made).</div><div id="hh6u"><br></div><div id="c6a9">or even better use tar gzip:</div><div id="zs_p"><b>TIME</b>=$(date +%Y%m%d%H%M)</div><div id="dia6"><b>tarfile=bak/named-$TIME.tgz</b></div><div id="f7s_"><b>tar zcvf $tarfile /path/to/filesandfolders</b></div><div id="j3ar"><br><b>Test logrotate</b><br> logrotate -f /etc/logrotate.conf<br><br><b>Establish ssh tunnel to vncserver</b><br> ssh -L 5901:vncserver:5901 server<br> vncviewer localhost:5901 should result in a tunneled connection to vncserver<br><br><b>Push ssh into background</b> and do not execute a remote command:<br> ssh -Nf -L 5901:vncserver:5901 server<br><br>Kill vncserver with: vncserver -kill :1<br> <br><br></div><div id="n-1p"><b>Setting SGID and Sticky permissions</b> so that the group ownership on all files created in a directory will be set to the group owner of the directory and so that one user cannot remove another's files:</div><div id="ut.c"> chmod 3770 /path/to/folder</div><h4>Check if a service is SELinux aware</h4><div> semanage fcontext -l |grep <service i.e. samba><br></div><div> check for booleans:<br></div><div> getsebool -a |grep <service><br></div><div> set booleans: <br></div><div> setsebool -P <boolean> on|off for example setsebool -P samba_enable_home_dirs on</div><div> ls -ZR /path # determine security context of directory or file<br><br><b>Service status</b> - service --status-all<br> chkconfig --list <br></div><h4>Useful man pages</h4><div><div id="m7y4"> man -k proxy |grep selinux</div><div id="xczp"> man -k http |grep selinux</div><div id="otac"> makewhatis &</div></div><h4>Check if service is libwrapped with TCP Wrappers </h4><div>ldd `which <service>` |grep libwrap or ldd $(which <service>) |grep libwrap</div><div>strings `which <service>` |grep hosts or strings $(which <service>) |grep hosts</div><div><br></div><h4>Remount a filesystem that has locks</h4><div>fuser -km /mountpoint #kill active sessions and locks </div><div>umount /mountpoint #unmount (alternatively unmount the device with umount /dev/...)</div><div>mount -a # to remount</div>
<h4>SSH Tunneling Example</h4>
<div>from your local machine (the one that will read mail) run:</div>
<div> ssh -v -L 1110:popserver:110 shellserver</div>
<div> </div>
<div> nc localhost 1110</div>
<div>connects to popserver on port 110 via localhost port 1110, so the traffic to your POP server travels inside the SSH session</div>
<div> </div>
<h4>Reverse SSH Tunnel Example</h4>
<div>add the following to ~/.ssh/config</div>
<div> </div>
<div> Host remoteserver #i.e. linux server at home</div>
<div> Hostname ip.of.rem.server</div>
<div> RemoteForward 2222 localhost:22</div>
<div> User pvalentino</div>
<div> </div>
<div> ssh remoteserver</div>
<div> </div>
<div> ping anotherserver #this helps keep the connection active</div>
<div> </div>
<div> ssh -p 2222 <a href="mailto:pvalentino@localhost">pvalentino@localhost</a></div>
<div> </div>
<div>you are now connected to the linux server in the office through the firewall with a secure shell</div>
<h4>Determine disk used versus available on Linux:</h4>
<div>df -Pkl |grep -v shm|awk ' { used += $3/1024/1024 } END { printf("%d Gb total used", used)}'<br id="k3j9">df -Pkl |grep -v shm|awk ' { avail += $2/1024/1024 } END { printf("%d Gb total avail", avail)}'</div>
<div>edit the grep -v command to exclude any file systems you don't want included, e.g. grep -Ev 'shm|backup' excludes any line containing shm or backup (a plain grep -v 'shm backup' only matches the literal string "shm backup"); alternatively chain two filters as |grep -v shm|grep -v backup|.... Also omit the "l" in df -Pkl on AIX<br><br><b>Sort user accounts on the server by UID</b> - getent passwd |sort -t ":" -k 3 -g<br></div>
<h4>Speedier sftp transfer at the expense of security:</h4>
<p id="k3j92"><font id="k3j94" size="2" face="Arial">sftp -oCipher=blowfish-cbc</font><font id="k3j97" size="2" face="Arial"> host:/path</font></p>
<p id="k3j98"><br id="k3j911"></p>
<h4>Format a swap partition:</h4>
<p id="j4_n6">mkswap /dev/sda5</p>
<p id="j4_n7">in fstab add /dev/sda5 swap swap defaults 0 0</p>
<div id="j4_n8">swapon -a</div>
<div id="txta">or via a file:</div>
<div id="txta0">dd if=/dev/zero of=/swapfile bs=1M count=1024</div><div>make sure the file is owned by root with mode 600; mkswap warns about a swap file other users can read</div><div id="op9w">in fstab add /swapfile swap swap defaults 0 0</div><div id="txta1">mkswap /swapfile<br id="txta2">swapon -a</div>
<p id="j4_n9"> </p>
<h4>Create a large 2GB file for test purposes:</h4>
<p id="j4_n12">dd if=/dev/zero of=largefile bs=1M count=2048</p>
<p id="j4_n13"> </p>
<h4>Rsync example:</h4>
<p id="j4_n16">client initiated</p>
<p id="j4_n17">rsync -av -e ssh server1:/usr/local/cvsroot/ /usr/local/cvsroot >> /tmp/cvs_rsync_log</p>
<p id="j4_n18">server initiated</p>
<p id="j4_n19">rsync -av -e ssh /usr/local/cvsroot/ server1:/usr/local/cvsroot >> /tmp/cvs_rsync_log</p>
<p id="j4_n20"> </p>
<h4>Pattern replace for multiple files example:</h4>
<p id="j4_n23">to replace pattern server with pattern server-tst in all files containing .properties in the current directory and below:</p>
<p id="j4_n24">for i in `find . -name '*.properties*'`; do sed -e 's/server/server-tst/' "$i" > "$i.1" && mv -f "$i.1" "$i"; done</p>
<p id="j4_n25"> </p>
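The one-liner above breaks on file names with spaces, rewrites files that do not even contain the pattern, and gives no way to preview what it will touch. As an added example (not code from the original post), the same replacement done with find -exec so paths are passed intact, skipping non-matching files, keeping each file's permissions, and with a DRY_RUN switch (an assumption of this example) to list the files first. The pattern and suffix are the page's; the sample tree in the test is constructed.

```sh
#!/bin/sh
# Added example, not part of the original post: safer multi-file pattern
# replace. DRY_RUN=1 lists the files that would change instead of editing.

# replace_in_tree DIR NAME_GLOB FROM TO
#   Rewrites every regular file under D IR whose name matches NAME_GLOB,
#   replacing every occurrence of FROM with TO (sed basic regex; FROM and TO
#   must not contain "|", which is used as the sed delimiter). Prints one
#   "changed <file>" (or "would change <file>") line per file.
replace_in_tree() {
    dir=$1 glob=$2 from=$3 to=$4
    # find hands the paths straight to an inline sh, so spaces survive;
    # "{} +" batches many files per sh invocation.
    find "$dir" -type f -name "$glob" -exec sh -c '
        from=$1; to=$2; dry=$3; shift 3
        for f; do
            # skip files that do not contain the pattern at all
            grep -q -- "$from" "$f" || continue
            if [ "$dry" = 1 ]; then
                printf "would change %s\n" "$f"
                continue
            fi
            tmp=$f.tmp.$$
            # cp -p keeps the mode and owner; sed then overwrites the copy,
            # and the rename is atomic, so a crash never leaves a half file
            cp -p "$f" "$tmp" &&
            sed "s|$from|$to|g" "$f" > "$tmp" &&
            mv -f "$tmp" "$f" &&
            printf "changed %s\n" "$f" || rm -f "$tmp"
        done' sh "$from" "$to" "${DRY_RUN:-0}" {} +
}

# count_matching DIR NAME_GLOB PATTERN
#   Number of matching files that still contain PATTERN (before/after check).
count_matching() {
    find "$1" -type f -name "$2" -exec grep -l -- "$3" {} + 2>/dev/null | wc -l | tr -d ' '
}

# Preview, then apply, the page's replacement:
#   DRY_RUN=1 replace_in_tree . '*.properties*' server server-tst
#   replace_in_tree . '*.properties*' server server-tst
```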
<h4>Mail Attachments:</h4>
<p id="j4_n28">mutt -s "Subject" -a picture.jpg <a id="j4_n29" href="mailto:user@mydomain.com">user@mydomain.com</a></p>
<p id="j4_n30"> </p>
<h4>Count Files in a Directory recursively:</h4>
<p id="j4_n33">find YOURDIR -type f | wc -l</p>
<p id="j4_n34"> </p>
<h4>Install Kernel Source and headers on Ubuntu:</h4>
<p id="j4_n37">use sudo passwd to give root a password and enable shell login</p>
<p id="j4_n38">su -</p>
<p id="j4_n39">apt-get install build-essential linux-headers-`uname -r`</p>
<p id="j4_n40"><br id="j4_n41"></p><h4>remove comments and blank lines with:</h4>grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'<br id="j4_n44"><br id="j4_n45"><h4>change uid example:</h4>lgroupmod -g 712 groupname<br id="j4_n48">usermod -u 712 -U username<br id="j4_n49"><br id="j4_n50"><h4>Create users with specific uid and groupid:</h4><p></p>
<p class="MsoNormal" id="j4_n53">To create an oracle user (only required on an Oracle server): </p>
<p class="MsoNormal" id="j4_n54"> <i id="j4_n55"> groupadd -g 502 oinstall ; useradd -m -u 500 -g oinstall oracle ; echo "password" |passwd --stdin oracle</i> </p>
<p class="MsoNormal" id="j4_n56"> </p>
<p class="MsoNormal" id="j4_n57">To create a standard user: </p>
<p class="MsoNormal" id="j4_n58"> <i id="j4_n59">groupadd -g 701 [groupname] ; useradd -m -u 701 -g [groupname] [username] ; echo "password"|passwd --stdin [username]</i></p><br id="j4_n60"><h4>CHANGE UID's and ownership of files on entire fs:</h4>find / -mount -user UID -print | xargs chown newowner<br id="j4_n63"><br id="j4_n64">This variation changes the group ownership:<br id="j4_n65">find / -mount -group GID -print | xargs chgrp newgroup<br id="j4_n66"><br id="j4_n67">Find files modified more than x days ago:<br id="j4_n68">find / -mount -mtime +3<br><br><b>Find faulty permissions</b><br> find / \( -nouser -o -nogroup \) # files and directories with no matching user or group in passwd<br> find / -type f -perm -002 # files writable by others<br> find / -type d -perm -002 # directories writable by others<br id="j4_n69"><br id="j4_n70"><h4>Fixing Duplicate RPM's:</h4><i id="j4_n74">rpm -qa --queryformat "%{NAME}-%{VERSION}-%{ARCH} \\n" | grep <packagename> | sort</i><br id="j4_n75">then remove the one not needed - you may need to adjust the package name a little for it to work....<br id="j4_n76"><i id="j4_n77">rpm -e bluez-libs-2.10-i386<br id="j4_n78">rpm -e bluez-libs-2.10-x86_64</i><br id="j4_n79">may need to be changed to:<br id="j4_n80"><i id="j4_n81">rpm -e bluez-libs-2.10-2.i386<br id="j4_n82">rpm -e bluez-libs-2.10-2.x86_64</i><br id="j4_n83"><br id="j4_n84"><h4>Install megaraid driver from SRPM example:</h4>Install megaraid driver<br id="j4_n88"><br id="j4_n89">download the driver from <br id="j4_n90"><br id="j4_n91">http://www-304.ibm.com/jct01004c/systems/support/supportsite.wss/license?filename=system_x/lsi_dd_megasas_00.00.03.06_rhel4_32-64.tgz&root=/systems/support/&brandind=5000008<br id="j4_n93"><br id="j4_n94">sftp the drivers over to the server and extract them with tar zxvf *.tgz<br id="j4_n95"><br id="j4_n96">go to the SRPM folder and install with <i id="j4_n97">rpm -ivh *.rpm</i><br id="j4_n98"><br id="j4_n99">cd to /usr/src/redhat<br id="j4_n100"><br id="j4_n101"><i id="j4_n102">export BUILD_KERNEL="2.6.9-55.ELsmp" #2.6.9-55.ELsmp is the result of uname -r</i><br id="j4_n103"><br id="j4_n104"><i id="j4_n105">rpmbuild -bb SPECS/megaraid_sas.spec</i><br id="j4_n106"><br id="j4_n107"><i id="j4_n108">rpm -ivh RPMS/x86_64/lsi-megaraid_sas-smp-00.00.03.06_2.6.9_55.EL-0.x86_64.rpm<br id="j4_n109"><br id="j4_n110">rpm -ivh RPMS/x86_64/lsi-megaraid_sas-smp-debuginfo-00.00.03.06_2.6.9_55.EL-0.x86_64.rpm</i><br id="j4_n111"><br id="j4_n112"><h4>Copy or Cut and Paste in VIM</h4>Cut and Paste: <br id="j4_n117">
<ul id="j4_n118">
<li id="j4_n119">Place the cursor at the beginning of the block you want to CUT.
</li><li id="j4_n121">Mark it with md
</li><li id="j4_n123">Go to the end of the block.
</li><li id="j4_n125">Cut it with d'd
</li><li id="j4_n127">Go to the new location that you want to PASTE the text.
</li><li id="j4_n129">Enter P (shift-p). </li></ul><br id="j4_n132">Copy and Paste: <br id="j4_n133">
<ul id="j4_n134">
<li id="j4_n135">Place the cursor at the beginning of the block you want to COPY.
</li><li id="j4_n137">Mark it with my
</li><li id="j4_n139">Go to the end of the block.
</li><li id="j4_n141">Copy it with y'y
</li><li id="j4_n143">Go to the new location that you want to paste the text.
</li><li id="j4_n145">Press P (shift-p).</li></ul><h4>Replace one character with another for an entire file:</h4>cat <filename> | tr \" \' > <outfilename> # will replace all " with ' in <filename> and output to <outfilename><br id="j4_n154"><h4>Finding Services on my network i.e. Servers running MySQL:</h4>nmap -sV -p 3306 192.168.1.1-254 > MySQLhosts.out<br><b>nmap options</b><br> -sS #TCP SYN (half-open) scan<br> -sU #UDP scan<br> -sR #RPC/portmap scan<br> -A #OS and version detection<br> -v #verbose<br> -P0 #skip the host-discovery ping (older spelling of -Pn)<br> -p #port<br id="j4_n157"><br id="j4_n158"> will locate all servers running MySQL on the default port 3306 on the class C 192.168.1.x network<br id="j4_n159"> Just open the MySQLhosts.out file to find hosts whose port is not in the closed state<br id="j4_n161"><h4>Find files that are filling up disk space:</h4>cd to the dir that is filling up <br id="j4_n165"> du -sk * | sort -nr | more<br id="j4_n166">lists files and directories in order of the space they occupy<br id="j4_n168"><h4>Updating Kernel parameters on Linux:</h4>Edit /etc/sysctl.conf, for example:<br id="j4_n171">
<div id="j4_n172" style="margin-left: 40px;">kernel.sysrq = 0<br id="j4_n173">kernel.shmmax = 2147483648<br id="j4_n174">kernel.shmmni = 4096<br id="j4_n175">kernel.shmall = 2097152<br id="j4_n176">kernel.shmmin = 1<br id="j4_n177">kernel.shmseg = 10<br id="j4_n178">kernel.sem = 250 32000 100 128<br id="j4_n179">fs.file-max = 104032<br id="j4_n180">net.ipv4.ip_local_port_range = 1024 65000<br id="j4_n181">net.ipv4.tcp_fin_timeout = 15<br id="j4_n182">net.core.rmem_default = 1048576<br id="j4_n183">net.core.rmem_max = 16777216<br id="j4_n184">net.core.wmem_default = 262144<br id="j4_n185">net.core.wmem_max = 16777216<br id="j4_n186">net.ipv4.tcp_rmem = 4096 87380 16777216<br id="j4_n187">net.ipv4.tcp_wmem = 4096 65536 16777216<br id="j4_n188"></div>
<p id="j4_n189">Run <br id="j4_n190"> sysctl -p # this loads the parameters from changes made to sysctl.conf<br id="j4_n191"> ipcs -l # lists the parameters <br id="j4_n192"></p>
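<p>The "Find faulty permissions" one-liners above, folded into a reusable audit script as an added example (not code from the original notes): it assumes a GNU or BSD find that understands -nouser, -nogroup and symbolic -perm modes, and the class labels and the report helper are my own.</p>

```shell
#!/bin/sh
# Added example, not from the original notes: audit a filesystem subtree for
# the three "faulty permission" classes the notes search for, adding the
# checks a practitioner wants on top of the one-liners:
#   - -xdev (POSIX spelling of the notes' -mount) keeps the walk on one
#     filesystem, so /proc, NFS and bind mounts are never descended;
#   - -perm -o+w matches ANY mode with the other-write bit set, whereas
#     "-perm 002" only matches the exact mode 0002;
#   - world-writable directories that carry the sticky bit (/tmp, /var/tmp)
#     are expected and skipped; all other world-writable dirs are reported;
#   - matches are printed via sh -c, so names containing spaces survive;
#   - find's errors (unreadable dirs when not root) are silenced, so run it
#     as root for a complete picture.
# Output: one "<class> <path>" line per finding; classes (my own labels) are
# orphan, world-writable-file and world-writable-dir.

# report LABEL FIND-PREDICATES...: print "LABEL path" for each match under $ROOT
report() {
    label="$1"; shift
    find "$ROOT" -xdev "$@" -exec sh -c \
        'for p; do printf "%s %s\n" "$0" "$p"; done' "$label" {} + 2>/dev/null
}

# audit_perms [ROOT]: run the three checks below ROOT (default /)
audit_perms() {
    ROOT="${1:-/}"
    # Owner or group id with no entry in /etc/passwd or /etc/group:
    # leftovers of deleted accounts, or files restored from another host.
    report orphan \( -nouser -o -nogroup \)
    # Regular files that every user on the system may modify.
    report world-writable-file -type f -perm -o+w
    # Directories every user may write to that lack the sticky bit (1000):
    # any user can delete or rename other users' files inside them.
    report world-writable-dir -type d -perm -o+w ! -perm -1000
}

# Stand-alone use: give the directory to audit as the first argument,
# e.g.  sh audit_perms.sh /   (no argument: only define the functions)
[ $# -eq 0 ] || audit_perms "$1"
```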
<h4>Set date and time:</h4>
<p id="j4_n195">date MMDDhhmm.ss<br id="j4_n196"></p>
<h4>Crontab:</h4>
<p id="j4_n199">* * * * * command to be executed<br id="j4_n200">- - - - -<br id="j4_n201">| | | | |<br id="j4_n202">| | | | +----- day of week (0 - 6) (Sunday=0)<br id="j4_n203">| | | +------- month (1 - 12)<br id="j4_n204">| | +--------- day of month (1 - 31)<br id="j4_n205">| +----------- hour (0 - 23)<br id="j4_n206">+------------- min (0 - 59)<br id="j4_n207"><br id="j4_n208"></p>
<h4>Changing linux prompt in profile</h4>
<div>in ~/.bash_profile add:</div>
<div>PS1="\[\033[1;32m\]\u@\[\033[1;33m\]\h \[\033[1;34m\]\${PWD} $\[\033[0m\] "<br><br><b>What is my ip?</b> /sbin/ifconfig or /sbin/ip addr<br><b>What is my mac?</b> /sbin/ip link # the link/ether line; ip maddr lists multicast addresses, not the MAC<br><br><br></div><br><div class="blogger-post-footer">by Paul Valentino aka sysxperts</div>