Cisco Catalyst 5500

August 21, 2012 in Cisco by JM Blowfish  |  Comments Off

More to come…the catalyst manual was getting a bit cumbersome.

Microsoft Exchange RPC Over HTTP & Certificates

April 27, 2012 in All Things Microsoft by JM Blowfish  |  Comments Off
STILL IN PROGRESS
First off let me just say to all of my faithful and excellent subscribers, sorry for taking so long to add new content. It is a busy life as you know and we still aren't paying all the bills with this company. (close though ;) ) Anyway, I have moved to a new job that keeps me busy but also has taught me a ton. So, I have renewed energy to publish. Here goes!

Ok folks, here is my attempt at documenting my efforts in the past several months on a bunch of projects. The first and biggest project was to deploy Exchange services for customers while making them secure, easy to access, and providing native Outlook functionality (RPC) without using VPNs or special connections. I am also in the middle of an anti-spam filter solution using open source and some long hard hours figuring out how to deploy some promising software.

In order to accomplish this task you must attend to the following pieces:

1. Good working knowledge of Windows 2003 Server…especially IIS.

2. Good working knowledge of Exchange Server…for my purposes, 2003.

3. Decent understanding of SSL and how certificates work in a Windows environment.

4. End user application configuration knowledge.

I will start this article by assuming a few things other than the above mentioned items.

a. A working installation of Windows 2003 Server SP2 or later.

b. A registered domain name.

c. And, either a static (public) IP address or a working dynamic DNS account.

Ok, given these things I will now go into as much depth as I can about the process I followed, keeping the steps in the order I did them as much as possible.

First things first:

Get your Windows server and Exchange server installed and working correctly. This is not easy and takes a bit of work, but there are many great tutorials and walkthroughs at Microsoft and other sites that can help you if you run into trouble. The main thing to remember is to follow the Exchange installation steps closely, making sure each step completes successfully. If you do that your Exchange installation will work.

Once you have Exchange installed, run the Internet Mail Wizard from the Exchange System Manager. If your server is set up correctly and DNS is working properly you should pass the test for Internet email. Once the wizard is finished you should be able to send and receive email from the outside world. Very cool. You are nowhere near done, though, even if you are now sending mail successfully.

NOTE: There are some compatibility issues between Exchange 2003 and Server 2003 (thanks for keeping it clean Microsoft), so sometimes the Internet Mail Wizard, even though it completes, does not receive email from the outside world. Not to worry! Microsoft always keeps us on our toes and then throws out a service pack to pacify the masses. Check out Service Pack 1 and Service Pack 2. Usually I just install SP2 and am done with it. However, I have found that, on occasion, it is helpful to install them both in sequence. Having said that, unless you have to get this done today in a hurry, install them both. :)

This should fix the receiving mail problem. The other resolution for this problem is to remove the SMTP virtual server connector under:

Administrative Groups > First Group > Servers > your server name > Protocols > SMTP. Delete the connector and run the Internet Mail Wizard again. (Of course, do this after you have installed the service packs…remember the sequence!)

Getting Your Certificate Free and Effective (security)

Ok, if you are like me and don’t have money for anything extra you might enjoy getting into the big boy arena a little cheaper than usual.  If so here is what I did that really worked well. (don’t listen to people who say that Microsoft, Apple, and others will not function correctly without a signed certificate from a ‘Microsoft Approved’ signer.)

Go to https://startssl.com and make a free account. Follow the website's directions carefully and don't take shortcuts. You must register and get the authentication certificate installed onto your local machine using the Firefox web browser. Don't try to do this in a different, custom, or unique way. DO WHAT THEY SAY. Trust me, I did not follow directions well and wound up paying to have some certs revoked so I could start over. Once you pay for your mistakes with real cash you tend to stop making them, or you don't finish your project. :)

Make sure you back up your newly installed certificate somewhere safe and secure. Personally I would put it on a cheap old 256 MB pendrive, put it in the top drawer of your desk and never move it unless you need it in the future to reauthenticate to startssl.com. I lost mine and it is a real bummer fixing it, TRUST ME!

Now, a couple of tips about doing this:

1. Make sure that you match the certificate's COMMON NAME with the host name of your Windows 2003 Server. This is extremely important because Internet Explorer will throw a certificate error for all of your users if you don't have a good clean match. Personally, I would use a self-signed certificate if IE didn't put up such a fuss. I find it distracts users and also does not work properly all of the time. So just to be clear, using an example from one of my servers:

During the signing request the system asked for a Common Name. The W2k03 server name was Mailserver, so I entered Mailserver for the common name. Actually, the rest of the signing request process doesn't matter much. It is important to make a 2048-bit signing request for enhanced security; StartSSL wants it this way. Once you are done with the request, copy the code from the generated .csr file and paste it into the text field on the StartSSL website. Generation of the actual certificate is automated but it takes a little while. (I usually wait an hour and then check it.) In the Control Panel go to Retrieve Certificates and you will see your new certificate waiting for you. Copy the code, go to the IIS MMC on your Windows server and install it through the pending request wizard. (step by step certificate installation)

Once your certificate is installed you can test it by opening up port 443 on your firewall and ensuring that the default web site in IIS is set to use port 443 and the new certificate. Use your web browser (preferably IE, since it is the most susceptible to SSL errors) and manually enter https://yourdomainname.yourextension. You should get a white address bar and no certificate warnings or errors. If you do get errors, don't worry. Make sure you can hit your web server from a browser that is strictly outside your network. If you are sure that the errors persist from an outside hit then you need to redo the certificate, making sure the common name and the server name match. Also, read up on the StartSSL website about making accurate certificates.

If all is working as expected then you are well on your way to having secure emails with full exchange features.

Testing OWA and Preparations for RPC over HTTP

Now that your certificate works you can also test OWA. If you do not have a separate web server and plan to use IIS, then you can simply type into a web browser: http://yourdomainname.extension/exchange This will bring up an authentication window asking for username and password. If you see this, be HAPPY!

Using Rsync

May 4, 2011 in BlueOnyx Projects, CentOS, How To (s) by JM Blowfish  |  5 Comments

I was experimenting with Blueonyx the other day and found that I could use rsync over the internet with no problem. Remembering that BO has alias directories I made sure I created sites using the web GUI then I used rsync to simply move the data from the primary server to a secondary server at a different location. (Handy!)
1. Make sure you do these operations as root. Make a new user (unprivileged) on the primary server and give that user read access to the files you wish to duplicate on the secondary server.

#useradd -d /home/anewuser -m -s /bin/bash anewuser

This will create anewuser with a home directory of /home/anewuser. Create a password for it by entering:

#passwd anewuser

2. To test rsync functionality you have a couple more things to do.
- If the servers are connected through a LAN then nothing extra is necessary. If the servers have a firewall between them, such as across the internet, then you must open port 22 to allow SSH.
On the duplicate server, enter this command at a terminal prompt:
#rsync -avz -e ssh anewuser@server1.example.com:/directory_name_of_files/ /duplicate_directory_name/

You should get this (or something like this) for feedback:
The authenticity of host 'server1.example.com (192.168.0.100)' can't be established.
RSA key fingerprint is 32:e5:79:8e:5f:5a:25:a9:f1:0d:ef:be:5b:a6:a6:23.
Are you sure you want to continue connecting (yes/no)?
3. Enter 'yes'.
4. You will then be asked for anewuser's password. Enter the password you made on the primary server and you will see files being synced (provided the connection is working correctly). If you have problems it is because the two machines are not talking to each other. Make sure to check your firewall. I have not tried this across different subnets but you should be able to do it provided you set up the correct routes on your router.

If you do not have rsync installed, (ubuntu or debian) you can enter the following command at a terminal prompt to install it:
#apt-get install rsync

That's about it. Once you have connectivity and rsync works you can move on to more complex settings to automate rsync and duplicate your files. Have fun.
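The rsync command above ends the source path with a slash, and that slash decides whether the files themselves or a directory containing them land in the duplicate. As an added example that is not from the original post, this script shows both forms using two local directories instead of a remote host (so no SSH is involved) and runs --dry-run before the real copy; the helper names (make_fixture, sync_contents, sync_dir, count_files, demo) are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Illustrates the trailing-slash
# rule behind:
#   rsync -avz -e ssh anewuser@server1.example.com:/directory_name_of_files/ /duplicate_directory_name/
# using local directories only. Helper names are hypothetical.
set -eu

# Build a small constructed source tree under a temporary directory.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/site/images"
    echo "index" > "$work/site/index.html"
    echo "logo"  > "$work/site/images/logo.png"
    printf '%s\n' "$work"
}

# Source WITH a trailing slash: rsync copies the contents of site/ into the
# destination, so index.html lands directly in the duplicate directory.
sync_contents() {
    src=$1; dst=$2
    mkdir -p "$dst"
    # --dry-run lists what would be transferred without writing anything.
    rsync -avz --dry-run "$src/" "$dst/" >/dev/null
    rsync -avz "$src/" "$dst/" >/dev/null
}

# Source WITHOUT a trailing slash: rsync creates site/ inside the destination.
sync_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    rsync -avz "$src" "$dst/" >/dev/null
}

# Number of regular files below a path.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Run both forms and print the work directory so the layouts can be inspected.
demo() {
    work=$(make_fixture)
    sync_contents "$work/site" "$work/dup_slash"
    sync_dir      "$work/site" "$work/dup_noslash"
    printf '%s\n' "$work"
}

# Only run the demo when rsync is installed (apt-get install rsync, as above).
if command -v rsync >/dev/null 2>&1; then
    work=$(demo)
    echo "trailing slash    -> $work/dup_slash/index.html"
    echo "no trailing slash -> $work/dup_noslash/site/index.html"
    rm -rf "$work"
fi
```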

Security Groups

May 1, 2011 in All Things Microsoft by JM Blowfish  |  7 Comments

Hi all. I was just wondering if someone could point me in the right direction for making security groups in Windows Server 2003. Haven't got that cert yet! :) I know how to put in the object and all, but how do you propagate the type of permissions you want to all other objects? I know you can become members of built-in groups to effect change, but I want to know how to create my own custom permissions without using built-in groups to lean on. Thanks.

Virtualization Platforms

April 8, 2011 in Virtualizing by JM Blowfish  |  2 Comments

Hi there. I have been hosting web stuff for about 2 years and was wanting to get into Virtual Private Servers but was not sure which way to go. As is the case for most people, I was hoping to find an open source solution to avoid the cost. I am a small business and want to provide good service without charging too much. So I explored OpenVZ, a great container-based virtualization platform. It installs great on CentOS, which has the largest community support I found, and runs pretty quickly without needing a tremendous amount of resources. If you can get the kernel to boot up right through grub you are good to go. The main drawback, however, was that OpenVZ did not always function correctly, networking was difficult, and all the configuration was CLI. (except for a lightweight app called webvz which works ok but was extremely hard to install based on its very picky specific requirements for Ruby on Rails v. 2.1.0)

So, back to the drawing board, I decided to explore other ideas. I still haven't found a good way to virtualize Blueonyx, a server appliance that I love (check out links), but I have found the best open source virtualization platform that runs great and has a much larger range of options, including OpenVZ and KVM!

Proxmox VE: This has got to be, by far, the best solution I have found. I am not even running it on a 64-bit machine yet and it still runs container-based virtualization quite well and efficiently. Getting the 64-bit option is coming soon so I can do KVM. Proxmox is the way to go. You can download it at: http://www.proxmox.com/downloads/proxmox-ve/iso-images/88-proxmox-ve-1 and start to play with it. The installation is easy and self-guiding and requires little technical expertise. If you are looking to virtualize, try Proxmox and have a great time!

Install LAMP on Ubuntu 8.04 Standard

April 8, 2011 in How To (s) by JM Blowfish  |  1 Comments

Installing all the components of a L (Linux kernel), A (Apache web server), M (MySQL server), and P (PHP scripting) stack on an Ubuntu Server (almost any build, in fact) is pretty simple. I continue to post these simple How To's because I know what it was like when I first started using Linux, and more specifically Ubuntu, which is different from, say, CentOS (which uses yum – Yellow Dog Update) or Red Hat (which uses an RPM system for updates).
To install LAMP on a standard Ubuntu build do the following:

1. Open a terminal window and log in as root.
2. At the command prompt type in (or copy and paste)
root@localhost:~#apt-get install apache2 php5-mysql libapache2-mod-php5 mysql-server

3. When prompted enter your root password for the mysql server. It will ask you to confirm it so don’t get enter happy. :)
4. That's it! You should be good to go.
Please comment if you have any questions or problems.

Just as an aside – if you are installing something like WordPress or one of the open source e-commerce packages on your server you will probably need to install the GD extension as well, so at the command prompt enter this:

apt-get install php5-gd

Make sure you restart Apache when you are finished:
/etc/init.d/apache2 restart

Hope that helps!

New Online Payment System

April 7, 2011 in Web Site Questions by JM Blowfish  |  Comments Off

We just added our online PayPal payment system for our clients. The system is fully functioning and works great! This should make it easier to make recurring payments without making special arrangements. Thanks everyone.

Webmin 1.530 Easy Installation Steps

April 5, 2011 in How To (s), Ubuntu Projects by JM Blowfish  |  1 Comments

To install webmin on any Ubuntu Server follow these simple steps:

Open a terminal window and get root privilege by typing su or using sudo. I have root access enabled on my servers so I don't have to add sudo at the beginning of each line.

1. wget 'http://code.google.com/p/kembangcybernet/downloads/detail?name=webmin-1.530.tar.gz&can=2&q=/webmin-1.530.tar.gz' (quote the URL so the shell does not treat the & as a background operator)
2. tar xvf webmin-1.530.tar.gz
3. cd webmin-1.530
4. sh setup.sh
5. Follow the terminal instructions. Going with the defaults is fine, except I would suggest changing the port from 10000 to something a little more unique, and I would also change 'admin' to a more unique name as well.
6. When it is finished, and you miss the simple login instructions, go to:
http://yourhostname-or-IP-address:port (default 10000) and type in your username and password.
7. You should probably update Webmin first once you are logged in. The update appears at the bottom of the initial system information screen. Enjoy!

Excellent CentOS 5.5 Firewall Script

April 4, 2011 in All Things Microsoft, BlueOnyx Projects, CentOS, Cisco, Hosting, How To (s), Virtualizing by JM Blowfish  |  5 Comments

accessed within our LAN and not over the Internet.

#!/bin/bash
# Sets up iptables on the hardware node to allow selective access to the node itself,
# but allows all traffic into the containers (VPS) so they may define their own iptables rules and
# therefore manage their own firewall.
# Author: Vivek Gite < http://www.cyberciti.biz/ >
# See tutorial : http://www.cyberciti.biz/faq/series/rhel-centos-openvz-virtualization/
# This script is under GPL v2.0 or above.
# --------------------------------------------------------------------------------------------------
IPT="/sbin/iptables"
MOP="/sbin/modprobe"
SYST="/sbin/sysctl"

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node						    ###
### ******************************************************************************* ###

### HW Node Main IP ranges ###
SRVIP="123.xx.xx.yy"
ADMIN_RANGES="192.168.1.0/24"
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"

### Path to other scripts ###
[ -f /root/fw/blocked.ip.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fw/blocked.ip.txt)

### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
VE_IF="venet0"

### start firewall ###
echo "Starting Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Enable ip_conntrack
$MOP ip_conntrack

# Default policy DROP: close all incoming, outgoing and forwarded traffic unless allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT

# Allow full outgoing connections, but only replies to them incoming by default
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop bad stuff
# get all bad spam / scrap ips (one address or CIDR per line, "#" comments allowed)
if [ -f /root/fw/blocked.ip.txt ];
then
	$IPT -N spamlist
	for ipblock in $BADIPS
	do
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPAM List Block"
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j DROP
	done
	$IPT -I INPUT -j spamlist
	$IPT -I OUTPUT -j spamlist
	$IPT -I FORWARD -j spamlist
fi   # the original closed this "if" with "done", which is a shell syntax error

$IPT -N spooflist
for ipblock in $SPOOFIP
do
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPOOF List Block"
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist

# Drop new TCP connections that do not start with a SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Stop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

# Stop NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stop XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Stop FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Get rid of broadcast
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP

# allow SSH, HTTP, HTTPS and Webmin ONLY from $ADMIN_RANGES
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT

# Allow incoming ICMP (echo request, destination unreachable, redirect, time exceeded), rate limited
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec  -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END						    ###
### ******************************************************************************* ###

### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config						    ###
### ******************************************************************************* ###

# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD

### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config END						    ###
### ******************************************************************************* ###

# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable

exit 0
Install this script as /root/fw/firewall and make it executable:
# chmod +x /root/fw/firewall
Call it from /etc/rc.local so it runs at boot:
# echo '/root/fw/firewall' >> /etc/rc.local
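The script's "for ipblock in $BADIPS" loop hands every token of /root/fw/blocked.ip.txt straight to iptables -s and never checks the exit status, so a typo in that file (an octet over 255, a /33 prefix, an indented comment line that slips past the ^# filter) silently yields a missing rule. As an added example that is not part of the original script, this POSIX sh validator applies the same comment/blank filter and word-splitting and rejects anything that is not an IPv4 address or CIDR; the helper names (valid_ipv4, valid_entry, check_blocklist) are my own.

```shell
#!/bin/sh
# Added example, not part of the firewall script: validate /root/fw/blocked.ip.txt
# before the firewall feeds it to iptables. Helper names are hypothetical.
set -eu

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    # Reject empty strings, non-digit/dot characters, leading/trailing or doubled dots.
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets (function-local positional params)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Length check first so huge numbers never reach the numeric test.
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if $1 is an address or address/prefix with a prefix in 0..32.
valid_entry() {
    entry=$1
    case $entry in
        */*)
            addr=${entry%/*}; prefix=${entry#*/}
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            valid_ipv4 "$addr" ;;
        *)
            valid_ipv4 "$entry" ;;
    esac
}

# Reads a blocklist with the same filter the firewall uses (egrep -v "^#|^$"),
# word-splits each surviving line exactly as "for ipblock in $BADIPS" does,
# reports every bad token on stderr and prints the number of bad tokens.
check_blocklist() {
    file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # split like the firewall, no globbing
        for token in "$@"; do
            if ! valid_entry "$token"; then
                echo "line $n: rejected '$token'" >&2
                bad=$((bad + 1))
            fi
        done
    done < "$file"
    echo "$bad"
}

# Usage: ./check_blocklist.sh /root/fw/blocked.ip.txt  (exit 0 only if nothing was rejected)
if [ $# -gt 0 ]; then
    [ "$(check_blocklist "$1")" -eq 0 ]
fi
```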