Author Archive for Greg

Is a hardware firewall really a software firewall anyway?

Published
by
Greg
on March 5, 2008
in Internet, Linux, Networking and Security
. Comments

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall, hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DOS attacks. Is this really true? Even if so, in the last 10 years I’ve ran some sort of Linux based firewall, whether home-brewed or special firewall distribution, I’ve not once had a break in. I’ve not once had a DOD attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DOD attack directly on and Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe if someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons, make for a fantastic filtering firewall, provided we pick good hardware to run it, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things… J

OMA Service Unavailable

Published
by
Greg
on December 17, 2007
in Internet, Networking and Windows Server
. Comments

I found a ton of help on Google for this “Service Unavailable” issue on the OMA virtual directory for Exchange 2003. Unfortunately, this was not something readily available. Several sites will explain the proper config for all the virtual folders in IIS, which you should obviously follow, but they don’t mention one little thing… OMA uses ASP.net 1.1. If you go into the OMA properties in IIS, change it from ASP.net 2 to ASP.net 1.1. After that, it all worked beautifully!

Oh, and by the way, I ran into this issue while setting up some Windows Mobile devices with ActiveSync and Direct Push at a couple clients, one was running IIS5 on Windows 2000, and the most recent was running IIS6 on the Windows 2003. The solution was the same on both of them.

Fixing Grub and IPCop boot on Linux after cloning a hard drive

Published
by
Greg
on October 22, 2007
in Linux, PC Repair and Security
. Comments

First thing, when you clone your Linux hard drive with Ghost or Drive Image (or any other imaging software) you might not be able to load Grub. Usually just running some Grub commands off a Linux System Rescue CD will fix it. I think most any bootable Linux Live CD will work. You would run these commands:

After boot, run “grub”. (the following lines are from the “grub>” prompt.)

……………………

find /boot/grub/stage1

    (hd0,0)

root (hd0,0)

setup (hd0)

quit

……………………

You would replace “root (hd0,0)” with whatever is output from the find command above. The above assumes you have /boot on the same root partition.

On IPCop, boot is on a separate partition. So you need to be a little fancier. The key is to tell it what device to use. In the example below, we will assume we know what drive the boot record is on. (hd0,0). Also note, that IPCop because IPCop has boot on a separate partition, running the find command would be like so:

find /grub/stage1

Ok, so using the device command, and since we know our root is on hd0 …
(all on the grub prompt)

……………………

device (hd0) /dev/hda

root (hd0,0)

setup (hd0)

quit

……………………

 

Now grub should load ok. This would apply to most images/clones made, I think. But, now, what if your distro uses symlinks to represent your hard drives? I ask, because this stopped me from running IPCop off an image. Took me a while to realize two things.

  1. IpCop uses symlinks for /dev/harddisk instead of /dev/hda. (Can someone tell me why they do that? Why change that? Every other Linux distro I have used uses /dev/hda1 for the first partition on IDE drive.)
  2. When I cloned the system, the grub.conf (also known as menu.lst on other systems) listed the root filesystem as /dev/hda4, and yet, there was no hda4 in dev directory. It didn’t even exist on the old drive, so I have no idea how IpCop was booting!

Solution to #2 above was again to boot to a Linux Live CD, mount the boot partition on hda1, edit grub.conf and change all the /dev/hda4 entries to /dev/hda3, where the root filesystem actually resided.

On number #1 above, I don’t think fixing it actually caused the system to boot, but I did it anyway. While booted to the Live CD, I edited the /etc/fstab file on the hard drive and changed all the entries for /dev/harddisk1 through 3, to point to /dev/hda1 through 3. There is probably a reason for them doing this, but ya got me why. ?? Changing this might bite me it the butt some day, but for now, it boots beautifully!

Oh, and one might ask, why make a drive image of IPCop when they provide a backup and restore feature using floppy? Well, here’s why: 1. I have a ton of add-on programs installed, and they don’t backup. 2. I like an image better than a floppy!

IpCop is an awesome system, and I’ve had zero problems with it over many years now. But, it doesn’t do enough by itself. I mostly like the BlockOutTraffic addon you can install, giving you detailed control over all communication. I also modify the SSH setup to work the way I like it, using certificate auth and custom ports for several users tunneling into our networks. (works way better than VPN!) On some networks, I have to use PopTOP, the PPTP addon for Ipcop VPN. (not by my choice, it’s a requirement by an application we use.) All these might not backup to a floppy, and it’s so fast to make a Ghost image of the drive. You just have to spend a few extra minutes during restore.

Note: I was using IPCop 1.4.16 during all this.

EDIT 10/22 (later that evening…)

For IPCop, YOU MUST boot to an existing drive on /dev/hda that contains a working copy of IPCop and have your newly cloned drive operational as /dev/hdc. When you run grub, and then all the device, root and setup commands, you need to do it like so.

……………………

device (hd0) /dev/hdc

root (hd0,0)

setup (hd0)

quit

……………………

Notice the /dev/hdc above? Don’t ask me why, but when you try to run this from a Live CD, it won’t work. I really would like to know though, because the fact that it doesn’t work drives me nuts. There must be a simple explanation, and I know it’s just my ignorance of the grub boot loader, but this shouldn’t be needed. (and yet it is!) I just don’t have time to figure it out, when I can simply boot an IPCop as hda and run this quickly. Sometimes it is easier to not ask why, and move on. So make a note of this, YOU MUST boot to and IPCop OS with your new drive installed, then run the grub setup. Stupid, but at least it works.

IPCop 1.4.15 with PPTPd would not run because of libpcap link

Published
by
Greg
on October 3, 2007
in Linux, Networking, Security and Windows Vista
. Comments

I fought with this one for a while, like several hours. I installed the pptp addon for IPCop, which, by the way, you must Google for. I installed version 0.2.9 (pptpd_0.2.9.tar.gz) and found that on a forum somewhere. If you go to the addon’s from IPCop, you will only find 0.2.6, and that wont work with 1.4.13 or higher. (I might have that version a bit off, but I think that’s right) So Google for that file and you should find the file and ftp server IP. I don’t want to provide that, because I don’t have permission to do so.

Anyway, back to the problem. The pptp addon installed just fine on IPCop, and the admin web gui showed the correct items. I could not, however, get Windows to connect. I always got a 619 error, like that is helpful! On the IPCop /var/log/messages, I found this:
pptpd[5740]: GRE: read(fd=5,buffer=804dc00,len=8196) from PTY failed: status = -1 error = Input/output error

You can see the details on the pptpclient help page:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto

 

I didn’t know how to do their troubleshooting, especially on IPCop. But then it occurred to me, find pppd, and ask it for help!

I ran this: /opt/pptp/sbin/pppd –help
Returned: /opt/pptp/sbin/pppd: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory

Ah-HA!!!

Run this on IPCop 1.4.15 while in the /usr/lib directory: ln -s libpcap.so.0.9.5 libpcap.so.0.8.3

BINGO! Windows can connect! From Vista no less!

Oh, and I know that PPTP is not the best as far as security goes, but it is the only thing I can use. I am running several Wifi Palm devices with a PPTP client on them for Hotsyncing on the Internet. I realize there is another product available that uses IPSec, but that is quite expensive per device. Plus that solution might run into a lot more hassle for the users while on the road trying to connect over hotspots, because IPSec may be blocked. PPTP is just more compatible. I’d really prefer to have an SSL based VPN on the Palm, but I don’t know of one available. So, for now, I’ll at least suffer with PPTP instead of opening my hotsync up to the world. Not perfect, but I can lock down the connection with IPcop too. (sounds like another blog… J )

Tell Firefox to show popups normally and not in a new tab

Published
by
Greg
on September 28, 2007
in Internet
. Comments

For some reason or other, Firefox does not have the option under the Tabs option items to “force links that open in new windows to open in:”. I have Firefox 2.0.0.7 now, and I don’t have that under Tabs options. But, if you open about:config in your address bar, you can change the setting manually.

Change: browser.link.open_newwindow

Mine was set to 3, which told the popups to always open in a new tab. I like that, mostly. But some web sites, TinyMCE editor in this case, like to open a popup and return you back the the original page. I keep losing that original popup. So I wanted to turn off my popup forced to new tab option. To make this behave normally, I set it to 2. All worked just peachy!

Browserfirefoxconfig

User name variables on home directory with ADModify.net

Published
by
Greg
on September 7, 2007
in Windows Server
. Comments

Took me a while, again, to figure this out. Thankfully not as long this second time.

When you use ADModify.net to set properties on groups of objects in Active Directory, you can use variables. Home directories, in my case, is a big one. When I moved to a new server, I didn’t want to set the new home directory on each user, so I used ADModify. Now, when you set the variable, this is what got me. You can use the normal: %username% (for example: \\server\homes\%username%) You have to use the AD way. Set it like this: \\server\Homes\%’sAMAccountName’% Notice the syntax: %’variable’%

You can get ADmodify here: http://www.codeplex.com/admodify/Wiki/View.aspx

It’s a lifesaver!

Edit: 10/24/07
NOTE… those are supposed to be apostrophe’s!  So you can’t copy and paste directly, you’ll need to replace those backticks with apostrophe’s. (wordpress seems to be replacing them on publish.)

Edit: 08/20/08

NOTE that Using ADModify.net OR WiseSoft’s Bulk Modify will NOT create the home directories for new users!  You must either manually create the directories, use AD Users and Computers to set the property (and therefore it will create the directory) which is the standard way of creating them, or script that somehow.   What this means is, you can use ADModify to chagne the HOme Folders property from 1 server to another, but if you are trying to create a bunch of new home folders, ADModify will not do this for you.  So, works great if you want to modify existing, like if you copy all the home directories to a new server and you need to update all the user accounts to reflect the new server name.

Active Directory recovery using a secondary offsite DC

Published
by
Greg
on September 1, 2007
in Networking and Windows Server
. Comments

The basics of this require that we setup a second CPU to take offsite. This system would have AD loaded, GC set, DNS, and all that stuff needed to run AD separately from the network. Here’s the catch, though. We can’t run this and be current. In a disaster, it would work great to be up and running, but it wouldn’t stay current.

So what do we do? We use a cheap PC, do all that DC stuff on it, and make sure it’s syncing good and working on the network (with the GC, DNS, WINS and stuff). IT SHOULD NOT have any FSMO roles. It’s purely a secondary.

BEFORE running DCpromo on that system, Make an image. And make sure we can recover it quickly. Save that image of the server in “stand alone server” install mode (not a DC or even member server yet), because this is what we’ll use to run this process over and over quickly.

AFTER we run the DCpromo and setup all the DC stuff, make another image. We’ll use this to drop back onto the system for offsite recovery of AD.

Here’s the steps to setup. (in general)

  1. Setup a stand-alone server, not member of domain. (include all needed SP’s and patches)
  2. Make an image. (PRELOAD image, save this!)
  3. Dcpromo and setup all needed AD and make sure NTFrs and syncing work perfectly.
  4. Make an image. (OFFSITE-DC image, save this!)
  5. Demote the server to a member server again and then remove from domain. (this is to remove it from AD as a DC, make AD cleaner and no NTfrs errors)
  6. Add OFFSITE-DC image to system again, BUT DO NOT CONNECT TO NETWORK.

Here’s the steps to run regularly to keep up to date.

  1. Take that offsite pc, image over it with the PRELOAD.
  2. Join this to the domain and do the DC stuff.
  3. Make your OFFSITE-DC image again.
  4. Demote the server, remove from domain.
  5. Load OFFSITE-DC image on again, BUT DO NOT CONNECT TO NETWORK.
  6. Take it offsite, seize the FSMO roles. You now have a DC ready to run in an emergency.

This process might take a day with all the imaging, but if you keep the drive loaded with ONLY the DC, it should be pretty quick. And consider that you won’t sit and watch it, you really should only spend like 2 or 3 hours running the process. Also consider that if you run this every month, or even every couple weeks, you’d get real fast at it. And this is what we want in a disaster recovery situation, fast recovery!

Why do all this? Couldn’t we just do an NTBackup recovery? Well, first of all, last I saw on a Microsoft KB article, recovering to alternative hardware on a DC was not supported. So, there’s one obstacle. Though, they do provide a good “how to” KB article, they say it’s not supported. (now I need to find that article again.) Second of all, I tried doing all of the Microsoft suggestions, and I was never able to recover my DC, whether it was the PDC or a backup, to alternative hardware. Of course, I was using Windows 2000, and recovering to 5 years newer hardware, maybe that might have something to do with it. But you know what, I have a lot of clients that would be in that boat. I’ll have more to say on this later.

Restoring a Drive Image XML to a server running host based RAID

Published
by
Greg
on September 1, 2007
in PC Repair, Windows Server and Windows XP
. Comments

Some RAID controllers are not what I call *true RAID* drive controllers. They may have a hardware controller, but they run kind of a fake RAID on the host OS. It’s not really software raid, but the RAID is dependant on the OS.

This, as you might guess, causes some problems when we want to do some fun stuff on the system drive while we are not actually booted into the OS. Like when we want to restore an image of the C: drive! That’s ok though, we’ve got a work-around.

BIG NOTICE, DISCLAIMER, OR WHATEVER….

This is based on a RAID1 mirror.
My RAID controller allowed me to build the array based on one of my drives, yours may not.
Do this at your own risk.
Make sure you have a backup. (DUH!)
If you lose your data, it’s your fault.
Your mileage may vary.

Assuming you have made your image successfully already, here’s what we do. The trick is that you must turn off the RAID functions and break the array first. So that your drives look like they are single drives in the system. Delete the partitions you will be reimaging over. On my server, it was just an onboard BIOS setting.

Boot the system into a PE boot disc. You can get a free one called: Ultimate Boot CD for Windows. It’s a doctored up PE Disc, but you’ll need to “build” it. They have great instructions for that on their site. (just Google it) Anyway, you boot into this, and right when the CD starts to boot, you see the “Press F6″ option, like you see when you do a new Windows install. Insert your floppy disc and load the drivers when it asks. Then it will boot to a custom version of XP.

The PE disc should load and see your C: drive. Make sure you open Drive Manager and create your C: drive again. Only DON’T FORMAT it or make a drive letter. Now open Drive Image XML and load the image you made, and recover it to that C: drive.

Reboot when complete and before Windows loads, open the BIOS or RAID controller and turn on the RAID again. On my controller, I was able to recreate the Mirror by building off the first drive. Let that process complete and reboot. Your system should boot right to that image.

The keys to making this work was:
Make the drive appear as a single drive again, turn off RAID in the BIOS or Controller.
Drive Image XML always crashed on me, even if I loaded the drivers at the F6 prompt. It couldn’t deal with that Host based RAID. (but it appeared fine!)
After image is restored, turn on RAID1 again and build your array based on the newly imaged disk BEFORE you boot back to that drive in Windows.

Disable the MSTSC RDP Credentials prompt

Published
by
Greg
on July 12, 2007
in Windows Vista and Windows XP
. Comments

MSTSC V6, both in XP and Vista, now asks for credentials EVERYTIME you connect! I want the server to ask, not the client! Add this line to the Default.rdp file located in your My Documents folder.

enablecredsspsupport:i:0

Also:

authentication level:i:0

You may need to save as another name, then

rename the Default.rdp and replace the file.

=========================

Below are the default.rdp contents as set above

=========================

screen mode id:i:2

desktopwidth:i:1024

desktopheight:i:768

session bpp:i:32

winposstr:s:2,3,0,0,800,600

full address:s:venus

compression:i:1

keyboardhook:i:2

audiomode:i:1

redirectprinters:i:0

redirectcomports:i:0

redirectsmartcards:i:1

redirectclipboard:i:1

redirectposdevices:i:0

displayconnectionbar:i:1

autoreconnection enabled:i:1

authentication level:i:0

prompt for credentials:i:0

negotiate security layer:i:1

remoteapplicationmode:i:0

alternate shell:s:

shell working directory:s:

disable wallpaper:i:1

disable full window drag:i:0

allow desktop composition:i:1

allow font smoothing:i:1

disable menu anims:i:0

disable themes:i:0

disable cursor setting:i:0

bitmapcachepersistenable:i:1

gatewayhostname:s:

gatewayusagemethod:i:0

gatewaycredentialssource:i:4

gatewayprofileusagemethod:i:0

drivestoredirect:s:

enablecredsspsupport:i:0

Shorten the download interval on the Exchange Server 2003 Pop3 Connector

Published
by
Greg
on July 9, 2007
in Networking, Registry and Windows Server
. Comments

The shortest interval to download user email with the Exchange Pop3 connector is 15 minutes. Too long for most people. To shorten that to 5 minutes, you have to update/add a registry value in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector

Add Dword:

“ScheduleAccelerator”=dword:00000003

 

It works by dividing the default schedule interval by that value. For example, the server connector is set to 15 minutes, the lowest setting. Set the reg value to 3, so 15 divided by 3 equals 5. This makes it a 5 minute interval.