Wednesday, 15 September 2010

Ubuntu 10.10 Intel video issue

Well, here I am again with some tips on cutting-edge software.
I recently decided to give the Ubuntu 10.10 beta a spin and must say I like it. However, I did find a problem with my Intel graphics card on first boot. It's working fine now, so here is how I fixed the problem.

Normally I would go to the recovery console directly by pressing Esc at boot and selecting it, but since I had a USB keyboard, which isn't detected at that point, I wasn't able to, so I was forced to take the long way via the command line.

First, GNOME never loaded, so I pressed Ctrl + Alt + F1 to drop to the command line. Log in as your normal user and then run the following:
sudo nano /boot/grub/menu.lst
Then scroll down to the line ## ## End Default Options ##.

Now place a hash (#) in front of the first title, root, kernel, initrd and quiet lines. This will force the next boot to fall through to the next option below (recovery mode).

Then press Ctrl + X and save the file over the existing one.
Now reboot the PC: sudo reboot

From the recovery menu select failsafeX. You will then get a warning message; click past it and select Reconfigure Graphics.

On the next menu select Create new configuration for this hardware. This will take you back to the same screen after it is selected, but the job is done.

Cancel out and then select Exit to console login; this will take you back to the recovery menu. Scroll to the bottom and select root.

Now edit the boot menu again (sudo nano /boot/grub/menu.lst) to unhash the lines you hashed out before, i.e. title, root, kernel, initrd and quiet; this will allow it to boot normally once more. Then press Ctrl + X and save the file over the existing one. Now reboot the PC: sudo reboot

You should now be met with the normal logon screen.
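As an added example (not code from the original post), this Python script performs the menu.lst edit described above: it hashes out the first stanza so the next boot falls through to the recovery-mode entry, and reverses the edit afterwards. The sample menu.lst, kernel version and device name are constructed; the script assumes the layout the post describes (stanzas beginning with title after the End Default Options marker).

```python
import re

MARKER = "## ## End Default Options ##"
TOGGLED = re.compile(r"^#?(title|root|kernel|initrd|quiet)(\s|$)")  # lines the post hashes out

# Constructed sample in the layout the post describes (kernel version and device are made up).
SAMPLE_MENU_LST = """\
## ## End Default Options ##
title Ubuntu 10.10, kernel 2.6.35-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.35-generic root=/dev/sda1 ro quiet splash
initrd /boot/initrd.img-2.6.35-generic
quiet

title Ubuntu 10.10, kernel 2.6.35-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.35-generic root=/dev/sda1 ro single
initrd /boot/initrd.img-2.6.35-generic
"""

def _toggle(text, hash_out):
    """Rewrite only the first stanza after MARKER: add '#' when hash_out, else strip it."""
    out, past_marker, stanza = [], False, 0
    for line in text.splitlines():
        if line.strip() == MARKER:
            past_marker = True
        elif past_marker and re.match(r"^#?title(\s|$)", line):
            stanza += 1  # each title line opens a new stanza; only stanza 1 is touched
        if past_marker and stanza == 1 and TOGGLED.match(line):
            if hash_out and not line.startswith("#"):
                line = "#" + line
            elif not hash_out and line.startswith("#"):
                line = line[1:]
        out.append(line)
    return "\n".join(out) + "\n"

def hash_first_entry(text):
    """The post's edit: hash out title/root/kernel/initrd/quiet of the first entry."""
    return _toggle(text, hash_out=True)

def unhash_first_entry(text):
    """The reverse edit after reconfiguring graphics, so the normal entry boots again."""
    return _toggle(text, hash_out=False)

def first_bootable_title(text):
    """First un-hashed title line: the entry GRUB will now boot by default."""
    return next((ln for ln in text.splitlines() if ln.startswith("title")), None)
```

To apply it to a real file, read /boot/grub/menu.lst, pass the text through hash_first_entry and write the result back as root.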

Saturday, 7 August 2010

Gnome issues

GNOME is a nice, clean and cute interface; however, from time to time it can have a few problems.

Maybe some of your customised settings are causing your gnome-panel to crash, or the window buttons (close, minimise) have disappeared. Luckily for us, GNOME isn't Windows, where you'd need to tweak the registry or recreate the user profile to fix that annoying bug.

In fact it can be solved in minutes. If you don't have access to your graphical (GUI) desktop to delete these folders in Nautilus, or you're stuck at the login screen, drop to a terminal by hitting CTRL + ALT + F1 and log in to your account.

Once logged in, you can remove the directories that store the desktop settings (run this from your home directory, as the paths are relative):

rm -rf .gnome .gnome2 .gconf .gconfd .metacity

Then log out by typing logout or pressing Ctrl+D.
Get back to your GUI desktop by hitting CTRL + ALT + F7. Now, this won't fix any video issues, but the principle is the same.

Sunday, 18 July 2010

Hosting Environments

Hosting environments are some of the most challenging environments to work within due to the 24/7 nature of the service.

Public-facing websites can be very hard to support as a result. The most common fault I've seen is placing too many services onto a single server, whether physical or virtual, resulting in problems updating services on that server, or a single point of failure when it's down.

So here are my top tips on the design of a hosting environment.

1) Load only what is needed to run the web pages on the front end. Too often back-end services or applications end up loaded on the front end; this slows down the web servers and also means more patches are required on those servers. In short, keep database and job services on separate systems.

2) Job servers are great, and having automated tasks that clean up the environment is always a good idea. With careful scripting this can be used to take servers out of the load balancer before patching or other maintenance tasks are done.

3) Even high-availability systems such as clusters can be a point of failure from time to time, so don't put all of your databases on a single system, as poor code that crashes that system would take down the whole environment. Try to spread the load over a larger number of systems to avoid single points of failure.

4) Keep the environment simple and no more than one version behind the current release, as unsupported environments are impossible to troubleshoot with vendors if the worst happens.

5) Have a capacity sizing calculation. Sometimes this means doing a load test on each site to see how it performs; a load of one user and a load of one hundred are not the same, as some issues in code, such as queries that don't end in a timely manner, don't show until there is enough load.

Assuming you have followed all of these, you should have a stable environment. I've worked on a number of hosted application environments now, and almost all of them have had the same one issue: not being able to work on the system while it's running, leaving them with outages every time something needed updating, patching or fixing.

Sunday, 11 April 2010

Branch Office Router Config

To branch or not to branch, that is the question.
I've been asked a few times this week for a branch office router configuration. Now, I'm not a big fan of branch offices, as I would rather have one big office because it's easier to support. Nevertheless, I agreed to show how this can be done. So, branch offices and the problems with them:

1) There are most likely no IT staff on site, so they can be a pain for hardware configuration; if something breaks you have to send someone to fix it.
2) Staff at branch offices are often unregulated and therefore install anything they like, making them more likely to pick up malware and viruses, not to mention illegal downloading.

However, there are ways around this.

So let's get down to the basics. Before you can start you need to set up your security on the router. Now, I personally like to use privilege levels to make sure only the right admins have access; however, if you're the only admin you might just use enable passwords.

You might also want to turn off the web server used for configuration, as it's a security risk, but for this example I've left it on (up to you really).

service password-encryption
hostname [Router-Name]
enable secret [Some-Password]
enable password [Some-Other-Password]
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
 password [Some-Password]
line vty 0 4
 password [Some-Password]
ip domain name [Domain-name]
no ip domain lookup
username [Your-username] privilege 15 password [Your-password]

So these are your basic steps; you should now have enable password and console password protection at least, and a TELNET/SSH password as well.

Now that we have a secure system we can start to add the configuration. The first item is most likely to be the DHCP service; if you don't have a DHCP server in the branch office then you'll need to set this up.

In our example we are going to have two VLANs, so we will need two scopes, also known as pools. Another thing to note is "import all": this imports the DHCP settings for DNS from your ISP (it doesn't work for PPPoE). You might not want to do this and can use dns-server instead if you want to configure it manually; there are times you might want to do this, but that is too much detail for this blog.

ip dhcp excluded-address [Start-exclude-10] [End-exclude-10]
ip dhcp excluded-address [Start-exclude-20] [End-exclude-20]
service dhcp
ip dhcp pool VLAN10
 network [Network10-ID] [Subnet-mask-10]
 default-router [Gateway-10]
 import all
 domain-name [Domain-name]
 lease 4
ip dhcp pool VLAN20
 network [Network20-ID] [Subnet-mask-20]
 default-router [Gateway-20]
 import all
 domain-name [Domain-name]
 lease 4

So now you should have your two DHCP pools. Remember the gateway should be the VLAN interfaces we are about to set up, and the IP ranges should match the VLAN IPs.

Before you can do that you need to set up the dialer interface. This time I'm going to use PPPoE; however, depending on how your internet is presented, you could be using PPPoA.

PPPoE example:
vpdn enable
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username [DSL-Username] password [DSL-Password]
 ppp ipcp dns request
 ppp ipcp address accept
access-list 1 permit [Network10-ID] [Reverse-mask-10]
access-list 1 permit [Network20-ID] [Reverse-mask-20]
dialer-list 1 protocol ip list 1
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended Guest-ACL
 deny ip any [Network10-ID] [Reverse-mask-10]
 permit ip any any
interface FastEthernet4
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
ip route 0.0.0.0 0.0.0.0 Dialer1


PPPoA example:
interface ATM0
 dsl operating-mode auto
exit
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
exit
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap sent-username [DSL-Username] password [DSL-Password]
 ppp ipcp dns request
 ppp ipcp address accept
access-list 1 permit [Network10-ID] [Reverse-mask-10]
access-list 1 permit [Network20-ID] [Reverse-mask-20]
dialer-list 1 protocol ip list 1
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended Guest-ACL
 deny ip any [Network10-ID] [Reverse-mask-10]
 permit ip any any
ip route 0.0.0.0 0.0.0.0 Dialer1

Next we are going to assign the switch ports to VLANs. Note that you might have FastEthernet4 in use as well, depending on whether you are using PPPoE or not.

interface FastEthernet0
 switchport access vlan 20
 spanning-tree portfast
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
interface FastEthernet2
 switchport access vlan 10
 spanning-tree portfast
interface FastEthernet3
 switchport access vlan 10
 spanning-tree portfast


Since we have a WLAN in this example, I'm also going to use a bridge interface so that both the FastEthernet ports and Dot11Radio0 can act as one on each VLAN. If you didn't have a WLAN then you could assign the IP addresses to the VLAN interfaces instead.

Before all of that you'll need to set up the wireless, if your router has one; in this example it does, and we are going to set up two SSIDs.

bridge irb
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 20 mode ciphers tkip
 ssid [WLAN20]
  vlan 20
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii [WPA-secret-for-guests]
 ssid [WLAN10]
  vlan 10
  authentication open
  authentication key-management wpa
  wpa-psk ascii [WPA-secret-for-internal]
 channel [BG-channel]
 no cdp enable
 no dot11 extension aironet
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no snmp trap link-status
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no snmp trap link-status
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding

Now we need to create the bridge interfaces that will be used for the access list and VLAN assignment.

interface BVI20
 description Bridge to Guest Network
 ip address [Gateway-20] [Subnet-mask-20]
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
interface BVI10
 description Bridge to Internal Network
 ip address [Gateway-10] [Subnet-mask-10]
 ip nat inside
 ip virtual-reassembly
bridge 10 route ip
bridge 20 route ip


Next we need to create the VLAN interfaces and assign them to the bridge groups.

interface Vlan10
 description Internal Network
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
interface Vlan20
 description Guest Network
 ip nat inside
 ip virtual-reassembly
 bridge-group 20
 bridge-group 20 spanning-disabled

And finally the ACL and firewall, but I won't go into deep detail as I've covered this in other postings.

ip inspect name MYFW tcp
ip inspect name MYFW udp
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
interface Dialer1
 ip inspect MYFW out
 ip access-group Internet-inbound-ACL in

And this is now the end of the example; however, there is one more thing I'd like to add. I never like to give guest networks full-speed access to the internet at the expense of others, so I've added one last point about setting a rate limit.

interface BVI20
 rate-limit output access-group 102 16000 1000 2000 conform-action transmit exceed-action drop
 rate-limit input access-group 102 16000 1000 2000 conform-action transmit exceed-action drop


102 = the access list whose traffic is limited
16000 = rate in bits/second
1000 = normal burst size in bytes
2000 = maximum burst size in bytes

The above example would limit anything matched in ACL 102 (imaginary) to approx. 2 kbytes/second (16000 bits/second is 2000 bytes/second). That's a bit low, I know, but it's an example; normally I limit to around 512 kbytes.
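The following is an added example rather than part of the original post: a small Python audit of the router config above, covering the management-plane points from the first section (service password-encryption, enable secret, the HTTP server left on), the Guest-ACL isolation of the internal network from the guest bridge, and the rate-limit figure. The sample config is constructed, with 10.0.10.0/24 as the internal and 10.0.20.0/24 as the guest network in place of the placeholders.

```python
import re
# Constructed sample of the post's config with placeholders filled in; not from a real device.
SAMPLE_CONFIG = """\
service password-encryption
enable secret [Some-Password]
ip http server
ip access-list extended Guest-ACL
 deny ip any 10.0.10.0 0.0.0.255
 permit ip any any
interface BVI20
 ip address 10.0.20.1 255.255.255.0
 ip access-group Guest-ACL in
 rate-limit output access-group 102 16000 1000 2000 conform-action transmit exceed-action drop
interface BVI10
 ip address 10.0.10.1 255.255.255.0
"""

def parse_ios(text):
    """Group indented sub-commands under their parent line, as IOS lays out a config."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])  # a re-entered block (e.g. interface BVI20) merges
    return blocks

def audit(text):
    """Check the points the post raises: management-plane hardening, guest isolation, rate limit."""
    cfg = parse_ios(text)
    guest = cfg.get("interface BVI20", [])
    found = {
        "password_encryption": "service password-encryption" in cfg,
        "enable_secret": any(k.startswith("enable secret ") for k in cfg),
        "http_server_enabled": any(k.startswith("ip http ") for k in cfg),  # post suggests turning off
        "guest_acl_applied": "ip access-group Guest-ACL in" in guest,
    }
    # Derive the internal network from BVI10's address/mask; IOS ACLs use a wildcard (inverse) mask.
    addr, mask = next(s.split()[2:4] for s in cfg["interface BVI10"] if s.startswith("ip address "))
    network = ".".join(str(int(a) & int(m)) for a, m in zip(addr.split("."), mask.split(".")))
    wildcard = ".".join(str(255 - int(m)) for m in mask.split("."))
    acl = cfg.get("ip access-list extended Guest-ACL", [])
    found["guest_denies_internal"] = f"deny ip any {network} {wildcard}" in acl
    for sub in guest:  # CAR rate is in bits/s; the post quotes it in kbytes/s
        m = re.match(r"rate-limit (input|output) access-group \d+ (\d+) ", sub)
        if m:
            found[f"guest_{m[1]}_kbytes_per_s"] = int(m[2]) / 8 / 1000
    return found
```

Run audit() over a saved show running-config to get the same dictionary for a real branch router.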

Saturday, 20 March 2010

Scripting Services

Yes, I'm back... sorry it was so long between posts, but cloud computing can keep even me busy.

OK, down to business. When dealing with Windows services and scripting, it isn't always as easy as it first sounds. Today I'm going to show you how to use the SC command, as this is the Swiss army knife of services in Windows.

First of all you need to know if the service needs to be interactive or not (I hear the question: what does he mean?). An example of this is some Java applications that need to run a Java Virtual Machine in order to run; however, this cannot be done normally, as the JVM runs in the user session (interactive), so you would need to start it interactively, and this is something that NET START doesn't have an option for.

Note: if you are not sure which services are running this way, you can use sc query type= interact to list them.

The point of this is that a simple NET START DEMO_SERVICE won't work, as it doesn't have access to user sessions; so although you can stop the service using NET STOP DEMO_SERVICE, it won't start again with NET START.

Now, to fix this problem we have the SC command. Example:
sc start demo_service
The SC command can also be used for changing the service startup type, something that can't be done with the simple NET START and NET STOP commands.

For example, to change demo_service from disabled to auto we can use
sc config demo_service start= auto
Or if you wanted to disable it you could use disabled instead of auto, or demand (demand means manual). Note the space after the equals sign; sc requires it.
sc config demo_service start= disabled

Now I'm sure some of you are thinking, this is great, but when would I ever use all this?

Well, now for the real-world example. Let's say you have 200 servers using a service account Domain\java_user that starts the Java application, and you believe that the password has been compromised. As you can imagine, this would be a few hours' work to change the password on each server manually.

So use the PSEXEC command, as shown in previous postings, to run sc config app_service password= NewPa55W0rd to change the service account password on all affected servers.

Then you run
sc stop app_service
again with PSEXEC against all the servers, and finally
sc start app_service
to start the services again.

Result: 200 servers with the password changed and applied in less than 20 minutes, with only 3 command lines.

Note: when doing this in the real world you would do them in maybe two groups or more on a load-balanced network, so you don't create an outage of the application while doing this.
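As an added example (not from the original post), this Python script drives the procedure above in groups: it runs the post's three sc commands through PsExec on one group of servers at a time, so the other group keeps serving behind the load balancer. It assumes psexec.exe is on the PATH; the run argument lets you swap in a dry-run function, and the hostnames and password are constructed placeholders.

```python
import subprocess

def psexec_run(server, args):
    """Default runner: PsExec against one host, as in the post (assumes psexec.exe is on PATH)."""
    subprocess.run(["psexec", f"\\\\{server}", *args], check=True)

def rolling_password_change(servers, service, new_password, groups=2, run=psexec_run):
    """Apply the post's three sc commands to every server, one group at a time, so the
    remaining group(s) keep serving. Returns the (server, command) pairs in the order issued."""
    steps = (
        ["sc", "config", service, "password=", new_password],  # sc wants a space after '='
        ["sc", "stop", service],
        ["sc", "start", service],
    )
    issued = []
    for g in range(groups):
        group = servers[g::groups]  # round-robin split keeps the groups balanced
        for step in steps:          # whole group per step, as the post does
            for server in group:
                run(server, step)
                issued.append((server, " ".join(step)))
    return issued

if __name__ == "__main__":  # dry run against constructed hostnames; prints instead of PsExec
    plan = rolling_password_change([f"web{i:02d}" for i in range(1, 7)], "app_service",
                                   "NewPa55W0rd", run=lambda s, a: print(s, " ".join(a)))
    print(len(plan), "commands issued")
```

A second group only starts once the first group's services are back up, so a bad password would surface on the first group before the whole estate is touched.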