Thursday, 30 April 2009

Installing Open SSH on Ubuntu

By default when you install OpenSSH you'll be running on port 22, along with some other settings that are not considered best practice.

If you have taken over an existing SSH server then you'll need to know the version and the port it's running on.
Running sudo netstat -tulpn will give you a list of running applications with the internet ports they are using, and ssh -v will give you the version that is running.

If OpenSSH is running then you should see it when you run sudo netstat -tulpn. You can also check that the package is installed by typing dpkg --list | grep openssh-server. Equally, you might want to update the package; this is also easy to do using the sudo apt-get install openssh-server command. If there is a new version available you will be prompted to install it, and if the package isn't installed the same command will prompt you to install it.

Now let's get to work. First, it's not a good idea to be running on well-known port numbers, so you'll need to edit the config file. Some people use the vi editor for this; I like nano better, so if you're used to using vi just put vi where you see nano. For those of you who are used to Windows, vi and nano are text editors much like Notepad and edit from DOS.

Editing the configuration file:
sudo nano /etc/ssh/sshd_config

Within the first few lines you will see Port 22. This you should change to something else; there is no such thing as a good number, but try to make sure you don't use a port you'll need for something else later.

Second, you can change the IP addresses and interfaces OpenSSH will bind to. If, for example, you have a multi-IP network with a subnet just for network management then you'll most likely want it to bind only to the management IP: simply remove the # from in front of ListenAddress and replace the 0.0.0.0 with the IP you want to bind to.

If on the other hand you are using one IP for both management and public access then I'd recommend changing root access to no. This can be found under the line marked # Authentication: change PermitRootLogin yes to PermitRootLogin no.

I've never been happy with the standard 768-bit keys; you can change the size, and I often do, to 2048. Just change the line ServerKeyBits 768 to ServerKeyBits 2048.

And lastly, it's best to use a banner on the system as well, reminding people that it is against the law to hack or use systems without permission. To do this remove the # from the Banner line and point it to your banner file, for example: Banner /etc/banner.txt

Now that you've made your changes, save them and exit. You will most likely need to restart OpenSSH before all of the settings take effect, so you might need to use one or more of the following.

To stop the SSH server: sudo /etc/init.d/ssh stop
To start the SSH server: sudo /etc/init.d/ssh start
To restart the SSH server: sudo /etc/init.d/ssh restart
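To check that an sshd_config actually carries the changes above (a non-default Port, a specific ListenAddress, PermitRootLogin no, ServerKeyBits of at least 2048 and a Banner), here is an added Python example; it is not part of the original post, and the sample config it parses is constructed. ServerKeyBits only governs the protocol-1 server key and modern OpenSSH no longer has the option, so the check accepts its absence.

```python
import re

# Constructed sample sshd_config with the post's changes applied (not taken from a real server).
SAMPLE_SSHD_CONFIG = """\
Port 2222
#ListenAddress ::
ListenAddress 10.0.10.5
ServerKeyBits 2048
# Authentication:
PermitRootLogin no
Banner /etc/banner.txt
"""

def parse_sshd_config(text):
    """Keyword (lower-cased) -> first active value. sshd keeps the first value it reads for a
    keyword, '#' lines are comments, and ListenAddress may repeat so it is kept as a list."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "listenaddress":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return {setting: (ok, message)} for the five settings the post changes."""
    s = parse_sshd_config(text)
    port = s.get("port", "22")                   # sshd default when the line is absent
    addrs = s.get("listenaddress", ["0.0.0.0"])  # absent means bind to every interface
    root = s.get("permitrootlogin", "yes")       # the OpenSSH default of that era
    bits = s.get("serverkeybits")                # protocol-1 key size; gone from modern OpenSSH
    banner = s.get("banner", "none")
    return {
        "Port": (port != "22", f"Port {port}"),
        "ListenAddress": (all(a not in ("0.0.0.0", "::") for a in addrs),
                          "ListenAddress " + ", ".join(addrs)),
        "PermitRootLogin": (root.lower() == "no", f"PermitRootLogin {root}"),
        "ServerKeyBits": (bits is None or (bits.isdigit() and int(bits) >= 2048),
                          f"ServerKeyBits {bits or 'absent (protocol 1 only)'}"),
        "Banner": (banner.lower() != "none", f"Banner {banner}"),
    }
```

On a real host run audit_sshd_config(open("/etc/ssh/sshd_config").read()); each entry is an (ok, message) pair, and a False ok marks a setting still at the default the post tells you to change.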

Wednesday, 29 April 2009

Windows installer cache

I was having fun the other day installing SQL service packs and I found this little fix that I'd like to share with you all.

When you are missing a file like the MSI or MSP from the Windows Installer cache you can have problems with patching or even removing SQL 2005.
Symptoms: SQL 2005 service pack install fails / SQL 2005 uninstall fails

Example: we'll pretend I have a SQL 2005 server with SP1 installed and I'm going to install SP2 (sounds simple enough, right?). During the install some of the components fail; in this example I'll say it's my SSIS, but it could be any other component as well: Database Engine, Notification Services etc.

So after it has failed I open the hotfix log folder to see what happened, in this case:
C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\DTS9_Hotfix_KB921896_sqlrun_dts.msp

Now I start looking for errors; the first one of note is a line:
MSI (s) (B8:1C) [13:28:24:254]: Original package ==> C:\WINDOWS\Installer\e893c17.msi

Check the C:\Windows\Installer folder to see if this file exists. If it doesn't, find the sqlrun_dts.msi from the install CD and copy it to the Windows Installer folder, then rename it as the log name shows. This unique name is created at install time, so the name will be different on each server; sometimes on the same server it can be different between instances as well.

When you are missing this file you will not be able to install or uninstall Microsoft SQL 2005. Equally, you will need the MSP (Microsoft Patch) file as well; if it's missing, again you'll find the MSP file name in the log:

MSI (s) (B8:1C) [13:28:24:286]: Opening existing patch 'C:\WINDOWS\Installer\e893c8b.msp
Check it exists in the Windows Installer folder; without it the install will fail.

If you are missing the MSP: because I had SP1 before, I need to get the MSP file from SP1, so in this case I need to run the Service Pack 1 installer with the /X switch to extract the files. Once this is done, copy the sqlrun_dts.msp from it to the Windows Installer directory and rename it as the name shown in the log; again, this is unique to each server.

Now that I've corrected all the missing files I run Service Pack 2 again, and I have a successful install with no errors.
These steps also apply to all other SQL 2005 components and SharePoint Services, as well as Microsoft Office.
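As an added example (not from the original post), a small Python parser that pulls the two kinds of cache references described above out of a hotfix log and reports which cached MSI/MSP files are absent. The log excerpt is constructed, and check_installer_cache assumes the log names the same folder you pass as cache_dir.

```python
import os
import re

# Constructed excerpt of a SQL 2005 hotfix log, modelled on the two lines quoted in the post
# (the timestamps and cache file names are made up, not taken from a real server).
SAMPLE_HOTFIX_LOG = """\
MSI (s) (B8:1C) [13:28:24:254]: Original package ==> C:\\WINDOWS\\Installer\\e893c17.msi
MSI (s) (B8:1C) [13:28:24:254]: Package we're running from ==> C:\\WINDOWS\\Installer\\e893c17.msi
MSI (s) (B8:1C) [13:28:24:286]: Opening existing patch 'C:\\WINDOWS\\Installer\\e893c8b.msp'.
"""

# The two log phrases the post uses to locate the cached MSI and the cached MSP.
CACHE_REFS = (
    re.compile(r"Original package ==> (?P<path>\S.*?)\s*$"),
    re.compile(r"Opening existing patch '(?P<path>[^']+)'"),
)

def cached_files_referenced(log_text):
    """Unique Windows Installer cache paths (.msi/.msp) the log expects to exist, in log order."""
    found = []
    for line in log_text.splitlines():
        for pattern in CACHE_REFS:
            match = pattern.search(line)
            if match and match.group("path") not in found:
                found.append(match.group("path"))
    return found

def missing_cache_files(log_text, present):
    """Referenced paths not in `present` (existing cache paths), compared case-insensitively as
    Windows paths are. Each one is a file to restore from the original media or the extracted
    service pack (setup /X) and rename to exactly this cache name."""
    present_lower = {p.lower() for p in present}
    return [p for p in cached_files_referenced(log_text) if p.lower() not in present_lower]

def check_installer_cache(log_path, cache_dir=r"C:\Windows\Installer"):
    """Real-world use on the server: read a hotfix log and list the cache files it needs but lacks."""
    with open(log_path, "rb") as log:
        raw = log.read()
    # MSI logs may be written as UTF-16 (with a BOM) or ANSI; the paths we need are ASCII either way.
    log_text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    present = {os.path.join(cache_dir, name) for name in os.listdir(cache_dir)}
    return missing_cache_files(log_text, present)
```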

Linux in Enterprise

Why would you use Linux in your enterprise?
Well, apart from the cost saving there are some really nice things that can be done, but let's start at the beginning and work our way to that.

Most if not all Linux admins are former UNIX admins, and for them it is a little strange to cross over to having a GUI, but frankly I don't know any admin, on Windows or UNIX, who uses the GUI if he has a command-line option to do the same thing.

Now those of you who are Windows admins will be asking yourselves why you would use Linux.

1) The cost saving.

2) The access to open source solutions.

3) The security. Linux and UNIX have always been more secure than Windows, so for DMZ and public-facing servers they are stable and secure. Microsoft has been working hard to catch up on this but frankly is still behind.

4) Better resource management; unlike Windows, you won't be buying new hardware with each version.

5) If you are looking at virtualisation you want a stable host for your guests, and Windows patching and reboots make that hard to do at a lower level. Their high-end products can do this well, but if you don't have the budget then you might feel a little left out.

Now there are many versions of Linux and there is no such thing as a bad choice on this front, but I'm going to just cover the two I like most: SuSE and Ubuntu.

SuSE, now owned by Novell, has picked up many of the Novell management tools such as Xen, which makes it perhaps the strongest player in large environments and deployments.

Ubuntu is missing the system management that SuSE has picked up from Novell, but at the same time there are many open source tools that can be used to overcome this issue.

So what could you use Linux for? Well, my top list of uses is web servers, DNS servers, email servers and database servers.

Apache on Linux is just great: it's simple and stable, and very little work needs to be done once it's set up to keep it running, something IIS7 is still trying to catch up on; even Microsoft has added PHP support to IIS, something Apache has had for years.

Postfix/Sendmail are great mail servers and better for edge deployment if you have them set up as I do, as the second and third MX records, so should Exchange or Domino be down in your domain you still have a mail server under your control that will store the mail until the problems with your normal mail system can be fixed (something too many companies are lacking).

BIND is a DNS server that is just perfect: it's easy to back up and configure and can be moved from one server to another quite easily, something that can't be said for the Windows DNS server yet.

MySQL/Oracle: Linux does support other database types as well, but these are the most common, and the performance of both can be seen every time you browse the internet; even Google is powered by these. These are also database servers that scale up much better than even Microsoft SQL 2008; there has been much talk about this failing from Microsoft but as yet no light at the end of the tunnel.

Linux might not yet be the desktop solution for you, but I have to admit I have changed all my administration workstations over to running Linux and use VirtualBox to run applications such as Microsoft Office. (Why would I do this, I hear you say?) Well, apart from the fact that I don't want to spend all day fixing my workstation, it also gives me access to some great open source tools for problem finding that just don't work on Windows, and as always, you know the system best if you use it every day.

I would recommend all admins use a Linux workstation and run Windows as a virtual PC for those Windows applications you just can't live without... and trust me, there aren't that many once you start using it.

Sadly this posting is already too large to go into detail, so I'll just have to cover more in the next posting.

Friday, 10 April 2009

Remote desktop software good or bad?

What is a good remote desktop management software? I heard this question this week so I'm forced to answer it.

Well, like all good questions there is no one answer. It's like when someone asks me what is a good laptop: what do you need it for is always the question, and the same applies to remote desktop management software.

Here are some points to consider before you decide on the product to use.
1) Most operating systems have one or more forms of remote desktop already, so are you using this just for legacy desktops, and would it be more cost effective to upgrade them?

2) How easy is the product to deploy? Can it be scripted or automated to avoid a large amount of administrative overhead? Again, most have this function now.

3) How secure is it? Can you lock it down to admin groups and IPs as well as just encrypting the traffic? Remember that what is easy for you to get onto desktops also makes it easier for others to get onto them too.

4) Is there any mobile device support?

5) Is it a peer-to-peer connection or is it relayed through a 3rd party provider? As these tools become more popular I expect the attempts to break into them will increase.


Now the scary bit: most if not all of these tools have file transfer, very handy for your helpdesk and also very dangerous too; with one email or phone call I can set up a connection to any desktop in the world.

As a security test I set up a connection to a business a few weeks ago who told me that there was no way for anyone to get the data out of the building: all USB ports had been disabled, email was scanned, and no FTP was permitted. The administrator seemed quite sure I couldn't get the information out, so after setting up a remote session with one friendly user I proved that any outside party that has just a little help from a user can not only access the system but then copy the data to any remote location using any open port on the firewall, like HTTP.

After the demo of this the local team changed the firewall to ban all known remote desktop software company sites, but there are more they haven't found yet and new ones spring up each week.

The best advice I can offer you is to permit only a limited number of sites and disable all ActiveX components in browsers in order to try and prevent this, but frankly it's an open door....

Try not to lose too much sleep over it.

Sunday, 5 April 2009

What message media do you trust?

If you're a large enterprise then you undoubtedly need a mobile solution for email and contacts; now one of the first things I hear when I say this is Blackberry.

Is it really a good idea to have a Blackberry in your enterprise?

Well, I'm still undecided, but let's ask some questions first: do you allow business-critical files to be sent to your customers over the internet unencrypted?

Would you worry that someone could read them?

Imagine for a moment that you have all of your email in a POP account and that your ISP could read it; are you happy to live with this?

Because Blackberry is kind of the same: it's another middleman between your servers and the mobile device you're using. Now, most businesses don't consider securing their mobile devices to be a mission-critical thing, but I am of the opinion that it is another security hole.

Not to mention that your administrator team has yet another program to look after; the simpler solution would be to use the extension of the messaging platform you already have.

Such as Microsoft Exchange Direct Push (added in 2003 SP2) or IBM Lotus iNotes Ultra-light, depending on your environment.

If on the other hand you need more than Microsoft Windows Mobile and Apple iPhones for email then you could look at Intellisync from Nokia; it again acts as a direct link and allows you to bring the wide range of Nokia phones into your list of enabled devices.

There are other products that offer these functions as well, but remember to make sure the device is talking to the server directly; going through a provider gives you just another weakness in your network, and this one is outside of your control.

Frankly I have a lot of problems believing in most products out there, as they do not have ISO 27001; some have passed ISO 9001 but this is a very basic check.

So, some simple rules for you messaging administrators out there: use SSL with all devices, no exceptions.

Make sure the product you're using connects directly from device to server, not through some third-party infrastructure.

And finally, ask the provider what security standards the product has passed, and if they can't tell you, don't use it.

Thursday, 2 April 2009

DHCP automated failover

Today I had one of those better days that I'd like to share with you. There is a nice tool called dhcpcmd; you can get it from Microsoft. It was released with NT4 and later with Windows 2000, and it still works on Vista and 2008. The nice thing about this is that it can do something simple called "GetVersion"; it might not seem like a really important thing, but let me explain what it can be used for.

There are three basic ways to set up DHCP. The first is two servers with half the scope on each; if one fails, remove the excluded range and continue to serve the IP range from one server. This works but needs manual effort.

The second is to set up a cluster resource for your DHCP. This works quite well, but your DHCP Jet database is not cluster-aware, so sometimes you need to restart your DHCP Server service to get it working after it fails over; again, that's manual effort.

The third option is two servers set up with the DHCP Server service stopped on one until the first server fails, and again manual effort to start it.

So far you start to see a theme: there is a lot of manual effort, and like all manual effort it will need you to do this failover in the early morning for sure, because that's how it goes in the IT world when something breaks.

Now when I came across DHCPCMD, even just its ability to GetVersion was enough. Let me show you with the first option, where we have the scope on two servers with excluded ranges. I have the following in a script file on one server (it doesn't even have to be one of the nodes), and it is scheduled to run every 5 minutes.

And as you'll see, I've put some basic responses in for a failure.

@echo off
rem Ask each DHCP server for its version; the script relies on dhcpcmd setting a non-zero errorlevel when a server does not answer
dhcpcmd 192.168.2.2 GetVersion
if errorlevel 1 goto Server1_Failed
dhcpcmd 192.168.2.3 GetVersion
if errorlevel 1 goto Server2_Failed

rem Both servers answered: make sure each one still excludes the other's half of the scope
netsh dhcp server \\winserver-2 scope 192.168.2.0 add excluderange 192.168.2.10 192.168.2.128
netsh dhcp server \\winserver-1 scope 192.168.2.0 add excluderange 192.168.2.128 192.168.2.254
goto All_Done

:Server1_Failed
rem --- alert, then let server 2 hand out server 1's half of the scope
net send Administrator "Warning: DHCP server 1 failure failing over to second server"
netsh dhcp server \\winserver-2 scope 192.168.2.0 delete excluderange 192.168.2.10 192.168.2.128
goto All_Done

:Server2_Failed
rem --- alert, then let server 1 hand out server 2's half of the scope
net send Administrator "Warning: DHCP server 2 failure"
netsh dhcp server \\winserver-1 scope 192.168.2.0 delete excluderange 192.168.2.128 192.168.2.254
goto All_Done

:All_Done
exit


Now the second and third options are almost the same, where you want to start a service and/or restart a service, so here is an example:

@echo off
rem Poll the active server; a non-zero errorlevel from dhcpcmd means it did not answer
dhcpcmd 192.168.2.2 GetVersion
if errorlevel 1 goto Server1_Failed
goto All_Done

:Server1_Failed
rem --- alert, then move the DHCP Server service from server 1 to the standby (psexec is the Sysinternals tool)
net send Administrator "Warning: DHCP server 1 failure failing over to second server"
psexec \\winserver-1 net stop dhcpserver
psexec \\winserver-2 net start dhcpserver
goto All_Done

:All_Done
exit


Now you can set up more complex responses to not being able to get something as simple as version information, but you can do this with almost anything that you can get an output from, and I have some nice ones for monitoring servers just using simple scripts.

My hope is that after reading this you will think of another three or more services that you can do something similar to, and then you won't have to fix it in the night; you can wait till morning.