Wednesday, 26 October 2016

Best WiFi setup

OK, I don't want to be mean, but I can't take the crazy WiFi posts any more, so here are some facts to debunk some of the myths floating around.

Number 1: a better router equals a better signal.

WiFi is like radio: a better signal has to happen at both ends, so getting a better WiFi router or access point helps, but only so much.

Example: let's say you have 2 antennas on your old router and 4 on the new one. The new one will have a stronger signal and pick up packets from the WiFi client better. The question is, how much better? Since I happen to have two 802.11ac rated routers, I did some testing. The answer is that at close range (five metres) there is no difference, with a steady 148mbps out of my 150mbps internet; however, once we put walls and range into the mix it starts to show.
In our benchmark we placed them 13m apart with two non-supporting walls in between: the 2 antenna model now gave a stable 11mbps, versus 48mbps for the 4 antenna model.

So we did the same test with a 6 antenna router; that must be better, right? Well, we didn't see much of it.
The test showed about 51.5mbps, and this was almost across the board, so not much better for another 150 Euro router.

As we can see, range and walls take a heavy toll on performance. However, this was tested with a single antenna client, so what happens when I change the number of antennas on the client?

Woohoo: a 4 antenna client on a 4 antenna router got 138mbps, so as we can see it helps if both ends can be upgraded. If you have smartphones or tablets that can't have more antennas fitted, this won't help you. So keep in mind: if you have an old router with one or two antennas, replacing it will help, but if you already have 4 or more you won't see as much benefit as you would from upgrading the client, and the client upgrade was less than 50 euro.

So the magic word here is MIMO: 2x2, or better 4x4 if you can get it on the clients.

Number 2: new routers will help with SSID congestion.

No, they won't. What they do have is a lot of smart features, like finding the least congested channel, but that might not help either: remember it is checking for empty channels where the router is placed, not where your PC is, so unless they are close together this sometimes won't help.

Example: let's say close to your router there are only three SSIDs, on channels 2 and 6, so it picks 11 as free. However, close to your PC there are five SSIDs, mostly on channels 9 and 11. This means the signal your router gets from the PC will be very weak, and being on channel 2 or 6 would in fact be better.

In these cases it's good to look at where you plan to have the PC, and download something like WiFi Analyser to your smartphone to check what is in use there versus where you plan to place the router.

In my case all the channels are in use, but the least used one at both ends was channel 10, with only one other SSID on it.

Number 3: Christmas trees and tinfoil.

This one is the best. Placing your Christmas tree with lots of tinsel between your PC and the WiFi router will impact performance, but honestly, if you are placing a tree next to your WiFi you are either living in a place so small it won't impact you, or you are just being silly.
In the real world we tested this: the effect at close range was less than 1mbps with the tree next to the router, and 10mbps at range. We also tested with the Christmas lights and saw no change, until we tried the scary lights held together with patched wires; then we did see some problems, but frankly you shouldn't use those as they are a fire hazard, and you might want to think about replacing your lights.

Now the tinfoil suggestion. Some people have suggested putting tinfoil behind your WiFi router so that interfering signals from your neighbours are reduced in strength. This sounds like a good idea at first, but very quickly becomes impractical: without knowing exactly where the neighbours' WiFi is placed and how many overlapping signals you have, this might only work if you cover all the walls with tinfoil, and by the way, if you do that it makes your WiFi go crazy as it gets echoes of itself. So I really don't recommend this.

If your WiFi looks like this, go 5GHz. Trust me, there will be fewer SSIDs on it, as the fight over 2.4GHz is over.

Number 4: the right settings.

Having dual band WiFi does help, as there are more channels than on a single band, but most of us aren't getting the best out of it because of the way drivers work.

Example: let's say you set your dual band WiFi router to 802.11ac only. You will get some great performance; however, most of us have that one device that still can't do anything better than 802.11n, so we set it to mixed, and the result is that the better devices lose performance.
In some phones and tablets this can be changed to use 5GHz only, and this does help.
For Windows, you can change this under Device Manager: open the network adapter's properties and change Wireless mode to IEEE 802.11a/n/ac.

To give you a real world example of how much this helps: when left on auto, the connection was sometimes 80mbps and other times 40mbps; when manually set to IEEE 802.11a/n/ac the speed was 138mbps, more than 170% better for a one minute tweak.

Another tip is to turn off "Allow the computer to turn off this device to save power", as that can cause some strange disconnects from time to time.

These tweaks can also be done in Linux; however, you'll have to check the manual or vendor support for how best to do this, as there are too many to list here.

Number 5: things to avoid.

There is a big list of things you should not put between your WiFi router and WiFi clients if you want the best signal; here is a short one.

Kitchens and bathrooms, since unshielded electrical appliances like hair dryers, food mixers and microwaves can cause disruption.

Other fun objects like fish tanks, as the signal has to travel through water, and walls, not just because they are hard objects but because many walls have metal frames that reflect the signal.

Fans and other electric motors; this includes toy cars, drones and baby monitors.

Number 6: things to do.

Let's assume you live in a big house or flat and have more than one access point: don't use extenders, as they will cut the bandwidth by 50%, so a cable between them is best.

If you have a good smartphone (basically anything since 2014) it should support dual band, so use a WiFi app to see if the 5GHz channels are in use; if not, you might be the first and get good speed on dual band, as 2.4GHz is saturated these days. If you have no choice, then at least pick the channel with the fewest SSIDs running on it.

Upgrade your devices with better WiFi, as it's not always the router's fault.

Check from time to time whether new SSIDs have appeared and which channels they are running on; sometimes you might need to change channel as one person moves out and another comes in and uses a different channel.

If you can place the router close to the area you use most, do it, as the best way to fight signal loss is staying close to the source.

Hopefully this has dispelled some of the faster WiFi myths and stopped some of you buying a new router for no reason.

If, on the other hand, you are not running 802.11n or 802.11ac dual band, then you should be; these are not expensive, as most new routers with this are under 100 euro and some even under 50 euro.

Friday, 21 October 2016

Batch and Bash script

Scripting simple batch and bash scripts is by far the most time-saving thing any administrator can do.
They are also useful to anyone who needs to repeat a task where only a few simple values change.

For example, let's say I want to start ten tomcat servers at once on my desktop for testing.

for i in {80..90}; do docker run -d --name tomcat$i -p 80$i:8080 tomcat8.5/example; done

for /l %i in (80,1,90) do docker run -d --name tomcat%i -p 80%i:8080 tomcat8.5/example

I would now have ten tomcats named tomcat80 to tomcat90, with ports mapped 8080 to 8090: easy to remember and easy to create. These could just as well be lxd or Hyper-V guests; it really comes down to whether there is a batch or bash command for them.

I could also have used more than one for in the command line and had the port numbers and names created separately, but for the moment this is just an example. What I would like to focus on is how Windows and Linux have some small differences between them, even though the code above does exactly the same thing.

So let's do another example; this time I'm going to ping a subnet and see what answers.

for i in {1..254}; do ping -c 1 192.168.0.$i |grep ttl; done >range.txt

for /L %i in (1,1,254) do ping -n 1 192.168.0.%i |find /i "ttl" >>range.txt

So now we have done two examples working with numbers; how about files? This could be a list of servers or just a list of names.

for i in $(cat serverlist1.txt); do echo $i; done

for /f %i in (serverlist1.txt) do echo %i

What you might have noticed already is that while Bash doesn't care about the type and uses braces and dollar signs to tell the kind of data apart, batch uses a slash switch (/L for number ranges, /F for files) and no switch at all for plain data.

for i in Mo Tu We Th Fr; do echo day$i; done

for %i in (Mo Tu We Th Fr) do echo %i

Now that you have the basics of the for command, you can create loops over files, ranges and text more easily. How you apply that to your work can be anything from running commands on more than one server, to patching, to checking uptime, memory usage or available space; the list goes on.

Setting up ssh on more than one server:
ssh-keygen && for host in $(cat hosts.txt); do ssh-copy-id "$host"; done

Running commands on more than one server (however, I recommend Ansible for farms):
for host in $(cat hosts.txt); do ssh "$host" "$command" >"output.$host"; done

Patching Windows servers:
for /f %i in (c:\serverlist1.txt) do psexec -c -d \\%i Win2008R2SP1.exe /quiet /norestart /overwriteoem

Installing features:

for /f %i in (c:\serverlist1.txt) do psexec -c \\%i ServerManagerCmd.exe -install Application-Server Hyper-V WAS -restart

Just to be clear: yes, I am using psexec in my examples, and I have said before that you should migrate to PowerShell; however, this is a Batch vs Bash example, not Bash vs PowerShell.
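As an added example (not from the post), here is a sturdier version of the hosts.txt loop above: the file is read line by line instead of with $(cat), ssh is told not to read the loop's stdin, a connect timeout stops one dead host from stalling the run, and each host's exit status is recorded. The REMOTE variable and the output directory layout are my own assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the post: a sturdier version of
#   for host in $(cat hosts.txt); do ssh "$host" "$command" >"output.$host"; done
# hosts.txt is read line by line (blank lines and # comments skipped), ssh is
# told not to read the loop's stdin (-n), a connect timeout stops one dead host
# from stalling the run, and each host's exit status is recorded.

# remote HOST COMMAND: the transport is a variable (an assumption of this
# example) so tests can swap in a local runner instead of ssh.
# REMOTE is deliberately left unquoted so its options are split into words.
remote() {
    ${REMOTE:-ssh -n -o BatchMode=yes -o ConnectTimeout=5} "$1" "$2"
}

# run_on_hosts HOSTS_FILE COMMAND OUTDIR
# Each host's output goes to OUTDIR/output.HOST; prints "HOST ok|fail" lines.
run_on_hosts() {
    hosts=$1; cmd=$2; outdir=$3
    mkdir -p "$outdir"
    # "|| [ -n ... ]" still processes a last line with no trailing newline
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        if remote "$host" "$cmd" >"$outdir/output.$host" 2>&1; then
            echo "$host ok"
        else
            echo "$host fail"
        fi
    done <"$hosts"
}

# failed_hosts: filter the status lines down to the hosts that need a look.
failed_hosts() {
    awk '$2 == "fail" { print $1 }'
}

# Usage: run_on_hosts hosts.txt "uptime" ./out | failed_hosts
```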

Tuesday, 11 October 2016

Why Firewall a Server

I'm going to address something that came up in a talk I had the other day with some people who run data centres. They put firewalls between customers and what is exposed to the internet, but not against traffic from one customer server to another.

When questioned on the subject, the response I got was that nothing can get in or out, so it's secure, and it reduces administrative overhead.

Well, no. I had to point out two things: first, if an infected client passes something to the server, it's not secure any more, and examples of such zero-day exploits are many; second, if one server is compromised, it allows hackers, viruses and malware to spread faster when the other nearby servers are not protected. Finally, the administrative overhead? That's a two-minute update to the provisioning script, people, nothing more.

In short, there is no real reason not to have a local firewall; both Linux and Windows offer their own versions that can easily be customised to allow monitoring and remote access from trusted hosts during provisioning.

Now some of you are thinking, well, this is what happens with small cloud providers, right?
Well, you'd be wrong: the people in question are blue chip IT firms and household names. One of the reasons for this is that in these larger companies the people doing the provisioning automation do not have any security training or any process in place for hardening, leaving almost all of it to the end customers, who most of the time don't have the skills.

Do I think this is the right approach? Well, no. Frankly, this might be OK in an IaaS model, but for a PaaS this is a detail that is overlooked and leaves their customers exposed.

What is still more worrying is that many of them do not have a patching process either, leaving you more exposed over time, and in my mind an even greater need for a firewall on the server.

Now I know the video below is only about AWS, but please keep in mind this could happen to any cloud; it also covers more details on styles of attack.

Monday, 3 October 2016

Change Management

When is a change not a change? Yes, this is a trick question. The sun coming up in the morning and going down in the evening is a change of state, but it's one we expect. This is sometimes overlooked by change managers when they want a change request for expected behaviour, like a move of a virtual server from one host in the farm to another.

Let us look at types of change first of all and compare them to real world examples.


The retrospective change should be the least used, and really should only be used when a change was made to resolve a critical incident; a good example of this might be a software patch or a firewall change to block an attack that was taking place.

The emergency change is used more than it should be, in my opinion, and it should always be reviewed afterwards to ask why it took place. Examples could be a zero-day exploit that you want to patch quickly, or a last minute request from a business unit, like a code change for a sales promotion.
In most if not all cases you have to ask whether this could have been foreseen and better planned.

The normal change is the one where you had a chance to tick all the boxes, and the one you should be most comfortable approving.

The questions that should have been asked for both normal and emergency changes are as follows.
  • Has the change been tested?
  • Does the change affect other things, such as disaster recovery and service overview documents?
  • Which other applications are connected with it?
  • Have stakeholders from those affected applications taken part?
Next on the list is the rollback plan.
  • Is there a rollback plan? If not, why not?
  • When is the rollback to take place, i.e. the defined set of things that have or have not happened to trigger the rollback, and the expected time for the rollback to complete?
All of the information above should be available before the change advisory board reviews the change.
On the other hand, when a server fails and as a result the service fails over to the secondary, this is not a change... this is expected behaviour. I have seen change managers ask for a change request for failovers and, to be honest, I've laughed at them.
When the primary is restored and we want to fail back to it, "yes", that is a change... If something breaks and we have to change a setting to fix it, that is a "retrospective change", because you already have an incident.
However, we have to be clear: the incident in this case needs to be service interrupting, otherwise it can wait for an emergency change. A good example of this would be an overnight job that is running and will not finish in time, so you need to change the import parameter to make it run faster: this is not yet a service impact, but it does require some urgency, hence emergency. If, on the other hand, it was going to finish this time but the trend is that in a few weeks it will not complete in time as the jobs are getting slower, that would be a normal change.
Hopefully this helps you understand when change management is used and when it can be informed afterwards during impacting incidents.

Post Change Checks Automation

Checking changes: ever had one of those changes that should have been simple, then afterwards something wasn't working and took hours to track down?

Like when one server in the farm is not running because someone forgot to start it, or the subnet was wrong in a firewall change, so some things work and others don't?

Well, if you have, don't worry, you're not alone. Now, if you've invested some time in good monitoring you might be able to check for those things quickly, or perhaps you could just add a post change check to the change process.

Today I'm going to show the benefits of scripting some post change checks, like: is the network connection OK, is the application running, etc.

Part one: is the network OK?
There are normally a few things to check at the network level.

1) DNS - this might not be important to you if the application server uses only IP addresses; however, I like to use names as it makes network changes more dynamic.

2) Packets/Ports - if you have ping, that will tell you about basic network connectivity; however, if there is a firewall you need to know whether the port the application communicates on is open.

3) Are common services available: can you reach NTP, DNS, LDAP/Active Directory and databases?

For the most part this can be done with a batch script. There are some limits on Windows, in that you can't check whether ports are open, but you can check most things. For example, here is one to check that your local internet connection is working.

@echo off
rem The hosts below are placeholders: set ROUTER to your own router's address;
rem 8.8.8.8 is Google's public DNS server, used as the remote target.
set ROUTER=192.168.0.1
set REMOTE=8.8.8.8
set TESTNAME=www.google.com
ping -n 1 %ROUTER% | find "TTL"
if not errorlevel 1 set error=ok
if errorlevel 1 set error=fail
rem nslookup prints a "Name:" line only when the lookup succeeds
nslookup %TESTNAME% %ROUTER% | find "Name:"
if not errorlevel 1 set error1=ok
if errorlevel 1 set error1=fail
ping -n 1 %REMOTE% | find "TTL"
if not errorlevel 1 set error2=ok
if errorlevel 1 set error2=fail
nslookup %TESTNAME% %REMOTE% | find "Name:"
if not errorlevel 1 set error3=ok
if errorlevel 1 set error3=fail
echo Result: Local connection %error%
echo Result: Local DNS %error1%
echo Result: Remote connection %error2%
echo Result: Remote DNS %error3%

One of the most common issues is your ISP's DNS servers failing, so you can see that not only do I check DNS on the router, I then check the result against Google's public DNS server, proving both local and remote connectivity.

If you have Windows 8 or Windows 2012 or higher, you can use the PowerShell cmdlet Test-NetConnection, which, unlike batch, can check whether ports are open without needing third party tools.

# Placeholders: replace with the DNS server, web server and name from your change.
$DnsServer = "8.8.8.8"
$WebServer = "www.example.com"
$TestName  = "www.example.com"
# check TCP connection to the DNS server (port 53)
Test-NetConnection -ComputerName $DnsServer -Port 53 -InformationLevel Detailed | Select-Object RemotePort, TcpTestSucceeded
# http port check
Test-NetConnection -ComputerName $WebServer -CommonTCPPort HTTP -InformationLevel Detailed | Select-Object RemotePort, TcpTestSucceeded
# dns lookup against a specific server
Resolve-DnsName -Name $TestName -Server $DnsServer -Type A | Select-Object IPAddress
# check running service
Get-Service -Name "vss" -ComputerName "localhost"
# check service account user is not locked out, and connection to Active Directory
Get-ADUser IIS_ServiceAccount -Properties LockedOut | Select-Object LockedOut

With Linux this can be done much more easily using NetCat or Nmap to get the results. These can also be used on Windows; however, Nmap needs a reboot, so I'd recommend NetCat if you have the choice.
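As an added example (not from the post), here is the Linux counterpart of the batch script above, covering the three network checks listed in part one (DNS, ports, common services) with getent and netcat, and printing results in the same "Result: ... ok/fail" style. The router address, 8.8.8.8 as the remote DNS server and port 8080 as the application port are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: Linux post-change network checks.
# Targets (router address, 8.8.8.8, port 8080) are constructed placeholders.

# 1) DNS: resolve a name through the system resolver; exit 0 means it resolved.
check_dns() {
    timeout 5 getent ahosts "$1" >/dev/null 2>&1
}

# 2) Packets/Ports: can a TCP connection be opened to host:port?
#    Uses netcat when present, otherwise bash's /dev/tcp pseudo-device.
check_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Run one check and print a result line in the same style as the batch script.
# run_check LABEL COMMAND ARGS... -> "Result: LABEL ok" or "Result: LABEL fail"
run_check() {
    label=$1; shift
    if "$@"; then echo "Result: $label ok"; else echo "Result: $label fail"; fi
}

# Number of failing lines in a report, so the script can exit non-zero on failure
# (grep -c exits 1 when the count is 0, hence the "|| true").
count_failures() {
    printf '%s\n' "$1" | grep -c ' fail$' || true
}

# 3) Common services: the checks a change ticket would list. Edit to taste.
post_change_checks() {
    router=${ROUTER:-192.168.0.1}     # placeholder: your router / local DNS
    report=$(
        run_check "Local DNS"            check_dns  localhost
        run_check "Router DNS port"      check_port "$router" 53
        run_check "Remote DNS (8.8.8.8)" check_port 8.8.8.8 53
        run_check "App HTTP port"        check_port localhost 8080
    )
    echo "$report"
    return "$(count_failures "$report")"
}

# Usage: post_change_checks; echo "exit status: $?"   (non-zero = failed checks)
```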

Now obviously the list of checks needs to be customised to your needs, but with these simple examples hopefully you will be able to create some quick post change checks.

For some of you this will include message queues and the status of jobs; however, for the most part you'll already have some monitoring to help you with that.