Finding unused IP addresses and invalid DNS entries
The method used in the example below will not eliminate all invalid DNS entries, nor will it find IPs that are live yet unused. It does, however, provide a fairly efficient means of finding unused IPs that are not pingable at the moment, along with a list of potentially invalid reverse lookup (PTR) entries, which in turn gives you the clues you need to start looking for invalid A records and so on.
For this example I am going to assume we want to find unused IP addresses and potentially invalid DNS entries for the network range 192.168.1.1-100.
From the prompt of your Linux host with nmap installed, run:
nmap -v -sP 192.168.1.1-100|grep down |for i in `awk '{print $2}'`;do host $i;done
- nmap -v -sP 192.168.1.1-100 performs a ping scan and returns the up/down status of every address in the specified range
- grep down filters the list to only the non-pingable hosts
- for i in `awk '{print $2}'` filters the list further to just the IP addresses and loops over them, running host [ip address] to do the reverse lookup for each IP returned
One could easily substitute host with nslookup or dig but I chose host to streamline the output for readability.
Bottom line is that if you see output similar to the following:
Host 5.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
Then you can probably safely use 192.168.1.5 for a new device and DNS entry although it would be safer to scan the DNS table by IP for forward lookup entries first.
On the other hand, if you see output similar to:
5.1.168.192.in-addr.arpa domain name pointer name.domain.com
Then you most likely have a system that is shut down at the moment and uses that address, or an invalid/outdated DNS entry to clean up.
One could easily schedule this command to run with cron and send the output to an email or ticketing system for regularly scheduled DNS maintenance.
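The same pipeline as a small script, added here as an example and not part of the original post. It goes slightly beyond the one-liner: down_hosts also understands the newer "Nmap scan report for ... [host down]" output format, and classify_ptr turns each host lookup into an unused/review/unknown verdict that a cron job can mail out. It assumes nmap and host are installed; the scan range is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): the post's nmap|grep|host pipeline
# as a script with a PTR classifier. Assumes nmap and host are on the PATH.

# Print the IPs of hosts nmap reports as down. Handles both the classic
# "Host 192.168.1.5 appears to be down." line and the newer
# "Nmap scan report for 192.168.1.5 [host down]" line.
down_hosts() {
    awk '/appears to be down|host down/ {
             if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                 print substr($0, RSTART, RLENGTH)
         }'
}

# Classify the output of "host <ip>" for one address:
#   unused  - NXDOMAIN: no PTR exists, the IP is a candidate for reuse
#   review  - a PTR exists: the host is powered off or the record is stale
#   unknown - anything else (timeout, SERVFAIL): needs a manual look
classify_ptr() {
    ip=$1
    shift
    out=$*
    case $out in
        *NXDOMAIN*)              printf '%s unused\n' "$ip" ;;
        *"domain name pointer"*) printf '%s review %s\n' "$ip" "${out##* }" ;;
        *)                       printf '%s unknown\n' "$ip" ;;
    esac
}

# Wire the pieces together exactly like the post's pipeline.
scan_range() {
    nmap -v -sP "$1" | down_hosts | while read -r ip; do
        classify_ptr "$ip" "$(host "$ip" 2>&1)"
    done
}

# Usage: sh findunused.sh 192.168.1.1-100
if [ "$#" -eq 1 ]; then
    scan_range "$1"
fi
```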
- Start > Run
- Type in MMC and click GO
- Go into the Console Tab > select Add/Remove Snap-in
- Click on Add > Double Click on Certificates and click on Add > OK
- Select Computer Account
- Select Local Computer
- Click the + to Expand the Certificates Console Tree
- Right click on the Personal Certificates Store
- Choose > ALL TASKS > Import
- Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
- In your IIS manager, right-click on the site that you would like to use the certificate and select properties.
- Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.
- If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.
- Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported and supply the password used to create the pfx file.
- Finish the certificate wizard.
- Restart the server.
Oracle on Linux RMAN from Netbackup to Avamar Backup Client
I recently migrated some Oracle 10g and 11g RHEL 5 VMs and physical boxes from Netbackup based clients to Avamar clients with the RMAN plugin. I will create a separate post regarding automation of the AvamarClient setup and focus on the RMAN configuration for event/client driven backup here.
First thing I did before automating any of the processes was to download the required docs and binaries from the Avamar web interface. There is a Documents and Downloads link at the bottom of the page of the following sample url:
http://avamarservernameorip
Then I downloaded the Avamar Oracle Client User Guide and the appropriate binaries for the platform from the right hand column, for example:
AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm
AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm
Also, ask your friendly EMC Avamar installer to provide a copy of AvOracleRMAN.pdf and AvOracleDatabasePrep.pdf which provide a lot more detail than the Client User Guide.
Installation and registration of the Avamar Client
1. As root, cd to the location of the downloaded rpms
2. Type rpm -ivh AvamarClient-linux-rhel4-x86_64-5.0.101-32.rpm
3. Type /usr/local/avamar/bin/avregister
4. Enter the FQDN of the Administrator server when prompted [avamarserver.domain.com]
5. Enter the Avamar server domain [clients] when prompted
6. The Avamar Client installation is now complete
Installation of the AvamarRMAN Plugin
1. As root, cd to the location of the downloaded rpms
2. Type rpm -ivh AvamarRMAN-linux-rhel4-x86_64-5.0.101-32.rpm
3. Update iptables with the following rules to allow secure backups, and also update any firewalls in the path to allow backup traffic through these ports:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 28002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 27000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 29000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8672 -j ACCEPT
4. Using the Avamar Administrator Console, create a new user account that will have access to backup/restore jobs on the domain containing the Oracle backup jobs.
5. Create a my-avtar-flags.txt file for Linux in /usr/local/avamar/bin containing:
--pidname=Oracle
--pidnum=1002
--logfile=/usr/local/avamar/var/avtar.log
--vardir=/usr/local/avamar/var
--id=[userid from prior step]
--ap=[password from prior step]
--path=[/domain/oracleservername]
--expires=[number in days]
6. Create RMAN scripts (avorabackup and avorarestore) that can be launched with cron or the scheduler of your choosing; examples follow:
launch this example backup script from a file named avorabackup as follows:
rman target / nocatalog @avorabackup
run {
configure device type sbt clear;
allocate channel c1 type 'SBT_TAPE' PARMS="SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)" format '%d_%U';
send '"--flagfile=/usr/local/avamar/bin/my-avtar-flags.txt" ';
send '"--sysdir=/usr/local/avamar/etc" "--bindir=/usr/local/avamar/bin" "--vardir=/usr/local/avamar/var"';
configure retention policy to recovery window of 10 days;
configure retention policy to redundancy 2;
backup database plus archivelog;
delete noprompt obsolete;
crosscheck backupset;
release channel c1;
}
launch this example restore script from a file named avorarestore as follows:
rman target / nocatalog @avorarestore
run {
allocate channel c1 type 'SBT_TAPE' PARMS="SBT_LIBRARY=/usr/local/avamar/lib/libobk_avamar64.so, ENV=(PATH=/bin:/usr/bin:/usr/local/avamar/bin)" format '%d_%U';
send channel='c1' '"--flagfile=/usr/local/avamar/bin/my-avtar-flags.txt" ';
send '"--sysdir=/usr/local/avamar/etc" "--bindir=/usr/local/avamar/bin" "--vardir=/usr/local/avamar/var"';
restore database;
recover database;
release channel c1;
}
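A cron wrapper for the avorabackup script above, added here as an example and not part of the original post. Two things matter when this runs unattended: my-avtar-flags.txt carries the Avamar password in --ap=, so the wrapper refuses to run if that file is readable by group or other, and RMAN does not always return a useful exit code, so the wrapper scans its log for RMAN-/ORA- error lines and exits non-zero for cron or a ticketing system to pick up. Paths follow the post; ORACLE_HOME and ORACLE_SID are assumed to already be set in the cron environment.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper around the post's
# avorabackup RMAN script. Assumes ORACLE_HOME/ORACLE_SID are set by cron.

AVAMAR_BIN=/usr/local/avamar/bin
FLAGFILE=$AVAMAR_BIN/my-avtar-flags.txt
LOGDIR=/usr/local/avamar/var

# Return 0 if the file exists and has no group/other permission bits set
# (columns 5-10 of "ls -ld" are the group and other rwx bits).
flagfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 when an RMAN log read from stdin contains no error lines.
# RMAN reports failures as "RMAN-nnnnn:" and Oracle errors as "ORA-nnnnn:";
# this is deliberately conservative and flags any such line.
rman_log_clean() {
    ! grep -Eq '(RMAN|ORA)-[0-9]{5}:'
}

run_backup() {
    log=$LOGDIR/avorabackup.$(date +%Y%m%d%H%M).log
    if ! flagfile_is_private "$FLAGFILE"; then
        echo "refusing to run: $FLAGFILE is readable by group/other" >&2
        return 2
    fi
    # Same invocation as the post, with the RMAN log captured to a file.
    rman target / nocatalog @"$AVAMAR_BIN/avorabackup" log="$log"
    if rman_log_clean < "$log"; then
        echo "backup OK, log: $log"
    else
        echo "backup reported errors, see $log" >&2
        return 1
    fi
}

# Usage from cron: sh avorabackup.sh
if [ "$1" = "run" ]; then
    run_backup
fi
```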
Enabling a VirtualBox Win7 Guest to Connect to 802.1x Corporate Network
On the host, disable everything but the VirtualBox Bridged Networking Driver on the interface connected to the corporate LAN, and also disable 802.1x authentication on that host interface, as this will be handled by the guest OS.
Disable VirtualBox on the interface connected to your Internet enabled network.
Create one bridged interface and one host-only interface on your VirtualBox guest under VirtualBox Settings, then power on the guest and go to Network Connections to verify both are present.
On the bridged interface you will enable authentication for 802.1x and edit the settings as follows.
Settings - edit the server names with your own Domain Controllers/802.1x auth providers
Additional settings - set to User Authentication and replace the credentials with your domain credentials in the form DOMAINNAME\username
On the host-only interface set a static IP in the same range as that configured on the host, as shown under File > Preferences > Network.
Now you should be able to join your Windows 7 guest to the domain and access corporate resources with 802.1x authentication.
You can also reach your shared local drive if you added it under Devices > Shared Folders.
vDR locks snapshots upon failed backup
So if you've reviewed all the snapshot troubleshooting on the web and still have not found a solution to your problem, you might be the victim of a bad vDR configuration. We decided to give vDR a try in our Test and Dev environment to reduce backup licensing costs and ran into a problem where, if the vDR backup failed, the snapshots would fill up the LUNs and we had no luck removing or consolidating them using any of the methods available. The quick fix ended up being as follows:
1) Shut down the vDR appliance
2) Detach the disks with orphaned snapshots from the appliance
3) Verify and correct for space requirements on the target LUNs
4) Create a new snapshot with the vSphere client (or service console)
5) Delete the snapshot with the vSphere client (or service console)
6) All went well and we were back in business at this point
Investigating preventative measures at the moment, will update with findings.
OpenVPN
This installation of OpenVPN applies to Ubuntu 9.10
Copy the required example files to /etc/openvpn
Build the Certificate Server
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
Now build the OpenVPN server certificate and key
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "openvpn1". Two other queries require positive YES responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Build client certificates and keys
Remember to type the appropriate Common Name for each client when prompted, i.e. "username1", "client2", or "server3". Always use a unique common name for each client. For greater security, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.
Build the required Diffie-Hellman parameters for the OpenVPN server
Now we will find our newly-generated keys and certificates in the keys subdirectory (/etc/openvpn/easy-rsa/2.0/keys). Here is an explanation of the relevant files:
Copy sample configuration files to /etc/openvpn for server side configuration
Edit /etc/openvpn/server.conf as follows:
In my environment I'm using the following:
- 192.168.1.206 is the OpenVPN server interface, and my internet access device is configured to NAT forward port 1194 udp to that address. These settings can typically be found under Port Forwarding on a Netgear router or under Applications and Gaming Settings on a Linksys router.
- 10.8.18.0 is my VPN subnet
- 10.1.1.0 is another private subnet on my network
OpenVPN iptables rules to allow traffic to local subnets attached to eth0 and eth1 on the OpenVPN server without the need for a bridging config
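The rules the post describes are not reproduced on the page, so the following is an added example of my own, not the author's rule set. It builds forwarding and NAT rules for the post's layout (VPN subnet 10.8.18.0/24, 192.168.1.0/24 on eth0, 10.1.1.0/24 on eth1) and assumes the OpenVPN server uses tun0. Forwarding is limited to VPN-to-LAN traffic plus replies rather than a blanket FORWARD ACCEPT, and apply_vpn_rules saves the result to /etc/iptables.rules, which is the file the pre-up iptables-restore line in the interfaces file below expects.

```shell
#!/bin/sh
# Added example (not the post's own rules): NAT and forwarding rules for the
# post's OpenVPN layout. Assumes tun0 is the OpenVPN tunnel device.

VPN_NET=10.8.18.0/24
TUN=tun0

# Print the iptables commands for one LAN interface/subnet pair.
# VPN clients may open connections to the LAN; the LAN side only gets
# replies back (ESTABLISHED,RELATED). NAT is scoped to that LAN only.
lan_rules() {
    ifc=$1
    net=$2
    echo "iptables -A FORWARD -i $TUN -o $ifc -s $VPN_NET -d $net -j ACCEPT"
    echo "iptables -A FORWARD -i $ifc -o $TUN -s $net -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $ifc -d $net -j MASQUERADE"
}

# Full rule set for the post's two LAN interfaces, plus IP forwarding.
vpn_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    lan_rules eth0 192.168.1.0/24
    lan_rules eth1 10.1.1.0/24
}

# Execute the rules and persist them where the post's pre-up line restores them.
apply_vpn_rules() {
    vpn_rules | sh -e && iptables-save > /etc/iptables.rules
}

# Usage: "sh vpnrules.sh" prints the rules; "sh vpnrules.sh apply" applies them.
if [ "$1" = "apply" ]; then
    apply_vpn_rules
else
    vpn_rules
fi
```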
Then modify /etc/network/interfaces like so in my case (NOTE the pre-up line). This restores my iptables nat rules after a reboot:
auto eth0
iface eth0 inet static
address 192.168.1.206
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.rules
auto eth1
iface eth1 inet static
address 10.1.1.200
netmask 255.255.255.0
network 10.1.1.0
For client configuration, email, scp, or sftp a copy of client.conf to yourself for editing and providing to the clients, ensuring that the configuration is compatible with the server side. Below is an example Tunnelblick client.conf which works with the server.conf above. This client.conf is for a Mac using Tunnelblick with its config stored under /Users/pvalentino/Library/Application Support/Tunnelblick/Configurations/client.conf. Be sure to secure your private key on each client as well by removing group and other access with chmod go-rwx client.conf.
Tunnelblick for OSX client example:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
# for me i use dyndns.org dyndns updater to keep my dhcp comcast address in sync with domain name
# you can get a free dyndns.org hostname and download the updater for free as well
remote openvpn1.sysxperts.com 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
# Note that these files must be provided - ca.crt and client cert must come from openvpn server and key may come from server or from client depending on how you generate csr
ca /Users/pvalentino/ca.crt
cert /Users/pvalentino/pvalentino.crt
key /Users/pvalentino/pvalentino.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute 20
OpenVPN Windows client example:
For example, on a Windows 7 64bit client, install the OpenVPN client with default options, then change the network connection name to MyTap under change adapter settings for the TAP-Win32 Adapter V9 interface.
Then create and save the file below into c:\Program Files(x86)\openvpn\config as client.ovpn.
client
;dev tap
dev tun
dev-node MyTap
;proto tcp
proto udp
remote openvpn1.sysxperts.com 1194
nobind
# Not valid on windows
;user nobody
;group nogroup
persist-key
persist-tun
mute-replay-warnings
# Note the use of double backslashes on a windows client and I put them in a folder I manually created under my users folder
ca C:\\Users\\pvalentino\\openvpncerts\\ca.crt
cert C:\\Users\\pvalentino\\openvpncerts\\client2.crt
key C:\\Users\\pvalentino\\openvpncerts\\client2.key
ns-cert-type server
comp-lzo
verb 3
mute 20
When you run the OpenVPN client on Windows, be sure to right-click and select Run as administrator, or the software will not be able to create the necessary routing configuration for the tunnel. After saving the config and starting the application with administrator privileges you will have a new icon in your system tray. Simply right-click and select Connect to establish the tunnel. If there are problems, right-click the same icon and choose View Log to start the troubleshooting process.