Monday, September 12, 2011

How to configure a new Cisco router or switch


Environment: Cisco 2960G switch, 48 ports
Objective: configure it as a manageable switch and use port 48 as the monitoring port for a SNORT server.

Steps:

1. Use PuTTY on COM1 to connect to the switch console, then power on the switch.
2. Wait for the switch to start up; it takes some time.
3. Follow the default configuration wizard.
4. Specify vlan1 as the management interface and give it an IP address etc.
5. Specify the SSH username and password:

username root secret yourpassword

6. configuring the rest
no enable password
no ip domain-lookup

ip domain-name yourdomain.com
crypto key generate rsa (then give 1024)
note: the above 2 lines enable the SSH server function (the RSA key generation needs the domain name to be set first)

clock timezone SGT 8 (not in conf t prompt)
service password-encryption

no ip http server
no ip http secure-server
snmp-server community public RO
line con 0
line vty 0 4
  login local
  transport input ssh
line vty 5 15
  login local  (using local authentication, not remote authentication server)
  transport input ssh  (only accept ssh incoming connection)

7. configuring monitoring (SPAN) session
monitor session 1 source vlan 1
monitor session 1 destination interface GigabitEthernet0/48

8. configuring ntp servers
ntp server 1.2.3.4

note: if you don't set an NTP server, the switch loses its clock when it is powered off and on again. If an NTP server is available, it gets the correct time from it immediately after power on.

9. setting clock
clock set 14:28:00 20 OCT 2009 (in conf t prompt)

10. save
wr

11. disable logging messages
no logging console
no logging monitor  (This command disables logging for terminal lines other than the system console)
logging buffered 16384
logging trap notifications  (This command provides notification (level 5) messaging to the specified syslog server. The default logging level for all devices (console, monitor, buffer, and traps) is debugging (level 7). Leaving the trap logging level at 7 produces many extraneous messages that are of little or no concern to the health of the network. It is recommended that the default logging level for traps be set to 5. )

note:
You can synchronise the logging messages with your command prompt as follows:

Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config)# line aux 0
Router(config-line)# logging synchronous
Router(config)# line vty 0 4
Router(config-line)# logging synchronous


12. some other useful commands
show clock
show monitor
show ssh
show line

hostname 48PortCiscoSwitch
ip name-server 1.1.1.1

13. example configuration
-----------------------------
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec

service password-encryption
!
hostname 48PortCiscoSwitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7zZ5$91N7FPR68YbLyRO4NE3jr/
!
username root secret 5 $1$2IEN$wmDzCnXsatjHtaPMrss4e.
no aaa new-model
clock timezone SGT 8
system mtu routing 1500
ip subnet-zero
!
no ip domain-lookup
ip domain-name jephe.com
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
.......
interface GigabitEthernet0/48
!
interface Vlan1
 ip address 10.0.0.100 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
no ip http server
no ip http secure-server
snmp-server community public RO
!
control-plane
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 transport input ssh
!
!
monitor session 1 source vlan 1
monitor session 1 destination interface Gi0/48
ntp server 10.0.0.1

end
----------------------------
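As an added example (not from the original post), the following Python script audits a saved IOS configuration for the items this post configures: SSH-only VTY lines with local login, HTTP/HTTPS server disabled, service password-encryption, an NTP server, and it flags the well-known SNMP community string "public" used in the example above. The configuration text embedded in it is constructed from the post's example, with a deliberately weak `line vty 5 15` block added so the checks have something to report.

```python
"""Audit a Cisco IOS running-config for the hardening items discussed above.

Added example (not from the original post). It parses the plain-text config
into global lines and per-section child lines, then applies a small set of
checks: SSH-only VTY lines with local login, HTTP/HTTPS server disabled,
password encryption on, an NTP server present, and a warning for the default
SNMP community string "public". The sample config below is constructed from
the post's example, with a deliberately weak VTY section added for contrast.
"""
import re

SAMPLE_CONFIG = """\
version 12.2
service password-encryption
!
hostname 48PortCiscoSwitch
!
no ip domain-lookup
ip domain-name example.com
!
interface Vlan1
 ip address 10.0.0.100 255.255.255.0
!
no ip http server
no ip http secure-server
snmp-server community public RO
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
!
ntp server 10.0.0.1
end
"""


def parse_config(text):
    """Return (globals, sections). Sections map a header line such as
    'line vty 0 4' to the list of its indented child lines."""
    globals_, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():          # indented => belongs to current section
            if current is not None:
                sections[current].append(raw.strip())
        else:
            line = raw.strip()
            globals_.append(line)
            # line/interface/etc. open a section; the rest are plain globals
            if re.match(r"^(interface|line|router|control-plane|ip access-list)\b", line):
                current = line
                sections.setdefault(current, [])
            else:
                current = None
    return globals_, sections


def audit(text):
    """Return a list of findings (strings). Empty list means all checks passed."""
    globals_, sections = parse_config(text)
    findings = []
    # VTY checks: every vty line block must use login local and ssh only
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        if "login local" not in children:
            findings.append(f"{header}: missing 'login local'")
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not ssh-only")
    # Global checks
    required = ["no ip http server", "no ip http secure-server",
                "service password-encryption"]
    for item in required:
        if item not in globals_:
            findings.append(f"global: missing '{item}'")
    if not any(g.startswith("ntp server ") for g in globals_):
        findings.append("global: no ntp server configured")
    # SNMP: flag the well-known default community names
    for g in globals_:
        m = re.match(r"snmp-server community (\S+)", g)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"global: default SNMP community '{m.group(1)}'")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against `show running-config` output saved to a file; an empty result means every check passed. The parser only distinguishes indented child lines from global lines, which is enough for line and interface blocks but not for nested sub-modes.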

Appendix:
 Cisco routers/Switches have two privilege levels:
  • User EXEC mode—privilege level 1
  • Privileged EXEC mode—privilege level 15
When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.
Because of these limitations, most Cisco router users immediately type enable to get out of user EXEC mode. By default, typing enable takes you to level 15, privileged EXEC mode. In the Cisco IOS, this level is equivalent to having root privileges in UNIX or administrator privileges in Windows. In other words, you have full access to the router.
For networks maintained by just a few people, everyone typically has the password to get to privileged mode.

Cisco IOS provides for 16 different privilege levels ranging from 0 to 15.

The Cisco IOS comes with 2 predefined user levels.
User EXEC mode runs at privilege level 1 and "enabled" mode (privileged EXEC mode) runs at level 15.
 

Understanding qmail smtp relay


Environment: datacenter network 10.0.100.0/24, qmail server IP address 10.0.100.16
Objective: configure SMTP relay from other IPs, including those in the same network segment and the host 10.0.104.4 in another network segment

How qmail smtp relay works:

1. qmail checks the configuration files /var/qmail/control/rcpthosts, /var/qmail/control/smtproutes and /etc/tcp.smtp. (The file actually used is /etc/tcp.smtp.cdb; you need to regenerate this cdb file after changing tcp.smtp, and make sure /etc/tcp.smtp.cdb is world readable. This is very important: otherwise qmail ignores the file and refuses relay from any host except localhost.)

Important: changes to rcpthosts, smtproutes and tcp.smtp (after which you run the following tcprules command to regenerate tcp.smtp.cdb) take effect without restarting qmail; qmail reads them on the fly.

The command is :
# cd /etc/
# tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
# chmod go+r tcp.smtp.cdb
2. qmail allows SMTP relay from other hosts in the following cases:
a. the host appears in the /etc/tcp.smtp file and the corresponding /etc/tcp.smtp.cdb file has been generated.
for example:
127.:allow,RELAYCLIENT=""
10.0.100.:allow,TCPREMOTEHOST="",TCPREMOTEIP="",RELAYCLIENT=""
10.0.104.4:allow,TCPREMOTEHOST="",TCPREMOTEIP="",RELAYCLIENT=""
:allow
note: this allows the 10.0.100.0/24 segment and the IP 10.0.104.4 to relay email through this qmail server
b. if the SMTP client IP does not appear in the tcp.smtp file above, the alternative is to add the recipient domain to /var/qmail/control/rcpthosts.
for example: the following is the content of the file /var/qmail/control/rcpthosts
 
domain1.com
domain2.com

note: when you add a domain to the file above, qmail uses the new configuration on the fly. Even though the SMTP client IP is not in the database file /etc/tcp.smtp.cdb, as long as the domain part of the recipient address appears in rcpthosts, the SMTP relay is allowed.

c. only once the SMTP relay is allowed can you decide which mail gateway mail for a given domain is forwarded to; this is configured in /var/qmail/control/smtproutes.

for example:

:10.0.100.1
domain1.com:10.0.100.14
domain2.com:10.0.100.15

note: mail for each listed domain is sent to that domain's IP; mail for any other domain is sent to 10.0.100.1.
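To make the three-file decision above concrete, here is an added Python simulation of qmail's relay logic (it is not qmail's code, and the file contents are constructed to match the examples in this post). The rule lookup mimics how tcpserver matches tcp.smtp rules: exact IP first, then the longest dotted prefix such as `10.0.100.`, then the empty default rule. A client may relay if its rule sets RELAYCLIENT; otherwise relay is allowed only when the recipient domain is listed in rcpthosts. Once relay is accepted, smtproutes selects the next hop, with the `:` line as the default.

```python
"""Simulate qmail's relay decision from tcp.smtp, rcpthosts and smtproutes.

Added example, not part of the original post or of qmail itself. The
rule lookup mimics tcprules matching (exact IP first, then the longest
dotted prefix such as "10.0.100.", then the empty default rule); a client
may relay if its rule sets RELAYCLIENT, otherwise only when the recipient
domain is listed in rcpthosts. Finally smtproutes picks the next hop. The
file contents below are constructed to match the post's examples.
"""

TCP_SMTP = """\
127.:allow,RELAYCLIENT=""
10.0.100.:allow,TCPREMOTEHOST="",TCPREMOTEIP="",RELAYCLIENT=""
10.0.104.4:allow,TCPREMOTEHOST="",TCPREMOTEIP="",RELAYCLIENT=""
:allow
"""

RCPTHOSTS = """\
domain1.com
domain2.com
"""

SMTPROUTES = """\
:10.0.100.1
domain1.com:10.0.100.14
domain2.com:10.0.100.15
"""


def parse_tcp_smtp(text):
    """Return {address_pattern: (action, {VAR: value})}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        parts = rest.split(",")
        action, env = parts[0], {}
        for assignment in parts[1:]:
            var, _, value = assignment.partition("=")
            env[var] = value.strip('"')
        rules[addr] = (action, env)
    return rules


def match_rule(rules, client_ip):
    """tcprules order: exact address, then longest dotted prefix, then default."""
    if client_ip in rules:
        return rules[client_ip]
    octets = client_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        prefix = ".".join(octets[:n]) + "."
        if prefix in rules:
            return rules[prefix]
    return rules.get("", ("deny", {}))


def parse_rcpthosts(text):
    return [l.strip().lower() for l in text.splitlines() if l.strip()]


def rcpt_allowed(rcpthosts, domain):
    """An entry 'example.com' matches exactly; '.example.com' also matches
    any subdomain (qmail's leading-dot convention)."""
    domain = domain.lower()
    for entry in rcpthosts:
        if entry.startswith("."):
            if domain == entry[1:] or domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def parse_smtproutes(text):
    routes = {}
    for line in text.splitlines():
        if line.strip():
            domain, _, relay = line.strip().partition(":")
            routes[domain.lower()] = relay
    return routes


def relay_decision(client_ip, recipient, tcp_smtp=TCP_SMTP,
                   rcpthosts=RCPTHOSTS, smtproutes=SMTPROUTES):
    """Return (accepted, reason, next_hop). next_hop is None when rejected."""
    action, env = match_rule(parse_tcp_smtp(tcp_smtp), client_ip)
    if action != "allow":
        return False, "connection denied by tcp.smtp", None
    domain = recipient.rsplit("@", 1)[-1].lower()
    if "RELAYCLIENT" in env:
        reason = "RELAYCLIENT set for %s" % client_ip
    elif rcpt_allowed(parse_rcpthosts(rcpthosts), domain):
        reason = "%s listed in rcpthosts" % domain
    else:
        return False, "relay denied: not a relay client and %s not in rcpthosts" % domain, None
    routes = parse_smtproutes(smtproutes)
    next_hop = routes.get(domain, routes.get(""))
    return True, reason, next_hop


if __name__ == "__main__":
    for ip, rcpt in [("10.0.100.7", "bob@example.org"),
                     ("10.0.104.4", "bob@example.org"),
                     ("10.0.104.9", "bob@example.org"),
                     ("10.0.104.9", "bob@domain1.com")]:
        print(ip, rcpt, "->", relay_decision(ip, rcpt))
```

The last two cases show the asymmetry the post describes: a host outside tcp.smtp is refused for an arbitrary destination but accepted for a domain in rcpthosts, and that mail then follows the domain's smtproutes entry rather than the default gateway.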


How to stop/start qmail:

Edit /etc/inittab with vi to comment out the svscanboot line, then run 'init q' for the change to take effect; afterwards edit /etc/inittab again to uncomment it and run 'init q' once more.

About PortableApps.com


PortableApps.com is the world's most popular portable software solution allowing you to take your favorite software with you. A fully open source and free platform, it works on any portable storage device (USB flash drive, iPod, memory card, portable hard drive, etc). With millions of users all over the world and a full collection of open source software as well as compatible freeware and commercial software and partners in the software and hardware industry, PortableApps.com is the most complete solution for life on the go.
PortableApps.com was founded by John T. Haller, the developer behind numerous portable applications including "Portable Firefox" which started the portable software trend. We've been making software portable since March 2004. Today, our team stands at nearly 100 developers, translators, application packagers, designers and release testers. Our goal is to centralize the knowledge and development of portable software efforts and build a single, open platform which any software or hardware developer can use.

Carry your Google Chrome with you everywhere


If you are one of the hardcore Google Chrome fans and are very used to it, you will definitely want to carry it with you wherever you go. Having a portable browser can make your life a lot easier: you can have your favorite bookmarks, your saved passwords and everything else with you at any time. You only need to plug in your pen drive and start the browser.
All you have to do is download the compressed file from the link given below and extract it on your removable device. Then go to the folder named PortableGoogleChrome and run the ChromeLoader file to get started. No installation is required, so you can use it on computers with limited rights as well.
The browser has all the features you get in regular Google Chrome, but you might see a minor difference in performance, which is acceptable since you are running it from a portable device instead of your HDD. If at any time you want to uninstall it, simply delete the folder and you are done.
You can download the latest version of portable Google Chrome from the link given below and if you want to update your portable browser you can simply go to the same site and download the newer version again.

Download Google Chrome Portable


Dome9 Provides Cloud Server Firewall as a Service


Dome9 provides the first-ever cloud server security management service for automated and elastic security

Centrally manage security policies for your cloud servers.
Any OS, any server, any cloud, from anywhere!

Jelly Bean Is The Google’s New Android OS


Google continues to name its Android operating systems after sweets in alphabetical order. Soon after Google CEO Eric Schmidt announced the approaching version of Android OS as Ice Cream Sandwich, a new version is already being planned, called Jelly Bean. Yes. According to reliable sources in 'This is My Next', Jelly Bean is the name given to the new avatar of Android.
This tradition of OS names getting sweets’ name has been going on for a while now. Previous versions of Android maintained a distinctive alphabetical order. The names given were Cupcake 1.5, Donut 1.6, Eclair 2.1, Froyo 2.2, Gingerbread 2.3, Honeycomb3.0 and the upcoming Ice Cream Sandwich. Jelly Bean would be the next in line soon.
The report cites the industry source stating that the “game-changing stuff” that in the first place had been planned for Ice Cream Sandwich will be now pushed to Jelly Bean. The report even added that Jelly Bean could be called Android 4.5 or Android 5.0, taking into account the amount of features bundled in it.
Ice Cream Sandwich is believed to be a universal operating system that will run on phones, tablets, TVs, and even phones that convert into laptops. Among other things, the OS is in all likelihood going to bring an updated app launcher, a holographic user interface, new home-screen widgets and a multi-tasking panel. With such mass appeal, it's sure to find interested users once it's launched. Eagerly awaiting.

How to use HP ILO to do NFS diskless installation of RHEL 5.1 remotely


Objective: install RHEL 5.1 on one of the HP servers in the datacenter remotely from the office, using the DVD ISO file and the NFS method; no physical disc is needed in the office.

Steps:
  • download the RHEL 5.1 DVD ISO file and put it on one of the datacenter NFS servers; it can be in a different network segment from the destination server (in that case, during installation you might need to set the default gateway properly so that the destination server can talk to this NFS server)
  • configure the NFS server export: in /etc/exports, put this:
/sourcefile/rh51 *(ro)

  • put rhel-5.1-server-i386-dvd.iso in the /sourcefile/rh51 folder
  • mount this ISO somewhere and copy out boot.iso to your local Windows PC in the office; it will be used as the HP ILO virtual CD-ROM media image for booting the RHEL installation
  • start the NFS server: service portmap start; service nfs start
  • use IE to access the HP ILO address
  • go to virtual media and mount this boot.iso image
  • use virtual power to reset the server
  • press enter to boot the OS installation from the virtual boot.iso disk
  • untick high performance mouse, and close the virtual media window to make the USB mouse work
  • continue the installation until it finishes
  • that's it, done.

tomcat keystore and cacerts


Objective: create SSL certificate for tomcat
Environment: Linux server, tomcat, keytool, keystore, cacerts


Concept:
The .keystore file which resides in /usr/local/tomcat is the default keystore file for tomcat. It is the SSL certificate container for the server itself; the CA certs file is under /usr/local/jdk/jre/lib/security/.

The self-signed SSL certificate generated by keytool or openssl has to be imported into the CA certs file in order to avoid an SSL warning when the https URL is accessed from one server to another without using a browser.



Steps:

1. list the existing keys; the default file is .keystore under the /usr/local/tomcat folder
# cd /usr/local/tomcat
# keytool -list -v -storepass changeit

2. delete the existing key (key alias: tomcat)
# cd /usr/local/tomcat
# keytool -delete -alias tomcat -storepass changeit

3. generate self-signed key
# keytool -h for usage
# keytool -genkey -alias tomcat -keysize 1024 -validity 3650 -keypass changeit -storepass changeit
What is your first and last name?
[Unknown]: jephe
What is the name of your organizational unit?
[Unknown]: IS
What is the name of your organization?
[Unknown]: Jephe
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=jephe, OU=IS, O=somename, L=Singapore, ST=Singapore, C=SG correct?
[no]: yes


for the self-generated key above to work without an SSL warning, you need to import it into the CA certs file

4. list the existing CA certificates from /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -list -v -keystore cacerts

5. in order to add the self-signed key to cacerts, export it first from the .keystore file (it was generated above under the alias tomcat)
# keytool -export -alias tomcat -keypass changeit -storepass changeit -file /tmp/jephe.der

6. then import to cacerts file under /usr/local/jdk/jre/lib/security/cacerts
# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.der -storepass changeit

note: this adds the key to the trusted cacerts under the alias jephe
you can add more than one, but each has to have a different alias name


7. you can delete an existing cacerts entry:
# cd /usr/local/jdk/jre/lib/security
#keytool -delete -keystore cacerts -alias jephe

8. import an openssl-generated self-signed PEM-format certificate from the OpenLDAP server into the CA certs file on the tomcat server (for the ldaps connection from the tomcat server to the OpenLDAP server)

# cd /usr/local/jdk/jre/lib/security
# keytool -import -alias jephe -trustcacerts -keystore cacerts -file /tmp/jephe.pem -storepass changeit


References:
1. convert pem to der format 

openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

Understanding SSL certificate


  • Commonly used public key algorithms include RSA (for web), El Gamal (for gpg) and Diffie-Hellman (for ssh).
  • Generate a 1024 bit RSA private key
    Execute command: “openssl genrsa -out private_key.pem 1024”
    e.g.


    $ openssl genrsa -out private_key.pem 1024
    Generating RSA private key, 1024 bit long modulus
    .............................++++++
    ................................................................++++++
    e is 65537 (0x10001)

    Generating a public key from a private key

    Execute command: "openssl rsa -pubout -in private_key.pem -out public_key.pem"
    e.g.



    $ openssl rsa -pubout -in private_key.pem -out public_key.pem
    writing RSA key
    A new file is created, public_key.pem, with the public key.


    Viewing the key elements

    Execute command: "openssl rsa -text -in private_key.pem"


    For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit length.

    Compute n = pq.


    • n is used as the modulus for both the public and private keys

    All parts of private_key.pem are printed to the screen. This includes the modulus (also referred to as the public key, or n), the public exponent (also referred to as e or exponent; default value is 0x010001 = 65537), the private exponent, and the primes used to create the key (prime1, also called p, and prime2, also called q), as well as a few other values used to perform RSA operations faster, and the Base64 PEM-encoded version of the key.

    The "public key" actually represents a pair of numbers: a modulus and a public exponent E. The public exponent is usually chosen to be relatively small (often 3 bytes). The size of the modulus in bits is referred to as the "key size"; a modulus of 128 bytes represents a "1024 bit RSA key".
    The "private key" is usually described as a number pair consisting of the same modulus and a private exponent D. D is usually chosen to be about the same size as the modulus (~128 bytes). Random selection of the modulus, E and D starts with the random selection of two large prime numbers.
  • the openssl genrsa command actually generates a private and public key pair, not only the private key.
  • how to verify an SSL certificate: nowadays CAs use SHA1withRSAEncryption to sign the public key as a certificate.
To validate the certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate. First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. This is done by inspecting the value of the CA attribute in the X509v3 extensions section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain an MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.
  • how to verify CA root certificate itself
This is an example of a self-signed certificate, as the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. This certificate comes with the web browser and is trusted by default. As a long-lived, globally trusted certificate that can sign anything (as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.

  • how to show SSL connection information from the browser
  1. Internet Explorer
Version 6.0 - from file menu, choose properties, you will see something like this:
SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
or right click on page blank area, choose properties.

Version 7.0 - firstly, show file menu by choosing tools/menu bar, then use the same method as above.

2. Firefox
right click on the blank area of SSL website homepage, choose 'view page info'. You will see something like this:
Connection encrypted: high-grade encryption, AES-256 256bit

  • Useful OpenSSL commands
1. generate an RSA private/public key pair (triple-DES encrypted with -des3, unencrypted without; PEM format, with BEGIN and END header/footer lines)
$ openssl genrsa -des3 -out server.key 1024
or
$ openssl genrsa -out server.key 1024

note: most browsers only support RSA 1024-bit keys, not DSA or 2048-bit keys.

2. View RSA private key details
$ openssl rsa -noout -text -in server.key

3. Create a decrypted PEM version of the RSA private key (the first form only re-encrypts the key with a new passphrase; the second removes the passphrase)
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
or
$ openssl rsa -in server.key -out server.key.unsecure

4. create CSR file from private/public key pair file, will be in PEM format
$ openssl req -new -key server.key -out server.csr

5. view CSR file details
$ openssl req -noout -text -in server.csr

6. view CRT file detail
$ openssl x509 -noout -text -in server.crt

  • Creating a certificate authority and certificates with openssl
(refer to http://www.octaldream.com/~scottm/talks/ssl/opensslca.html)

The short answer is to use the CA.sh or CA.pl script provided by OpenSSL (/usr/share/ssl/misc/CA)

The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
The `modulus' and the `public exponent' portions in the key and the certificate must match. But since the public exponent is usually 65537 and comparing a long modulus by eye is tedious, you can use the following approach:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
Then compare these much shorter numbers. With overwhelming probability they will differ if the keys are different. By the way, to check which key or certificate a particular CSR belongs to, you can compute:
$ openssl req -noout -modulus -in server.csr | openssl md5
  • convert PEM to DER format
The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file cert.pem into the corresponding DER file cert.der with the following command: 
$ openssl x509 -in cert.pem -out cert.der -outform DER


  • how to generate .pem/.csr/.crt/ etc certificate files.
cd /usr/share/ssl/certs
make server.pem
make server.crt
etc
  • How to apply new SSL certificate in Apache without restarting service
run ps -efH to find the PID of the parent httpd process
then run kill -USR1 pidnum to make sure it generates new log files
Please refer to http://httpd.apache.org/docs/1.3/stopping.html

  • How to test to make sure the server has been restarted with new certificate?
use the openssl s_client command to check whether it retrieves the new certificate:

openssl s_client help  to get the help manual
openssl s_client -connect 10.0.201.104:443 -tls1  to retrieve the certificate content.

or use curl directly:
curl -v https://10.0.0.1 displays the certificate, already decoded from PEM, so you can see the start date and end date directly on the screen.
  • Useful URLs
  1. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC27
  2. http://www.herongyang.com/crypto/openssl_rsa.html
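The RSA key elements described earlier in this section (p, q, n = pq, e, d), the signature check that "decodes" a signature with the public key to recover a hash, and the modulus-fingerprint comparison used to match a certificate to its key are all worked through in the following added Python example. It is not the post's code and uses no OpenSSL; the primes are generated with Miller-Rabin at a small size so the script runs in a moment, and the "certificate" is just a dict of public numbers standing in for the X.509 fields that `openssl x509 -text` prints. The signature is a raw, unpadded demo of the principle, not a production scheme.

```python
"""Work through the RSA numbers: p, q, n = p*q, e, d, then a signature
check and the modulus-fingerprint comparison from 'openssl ... -modulus'.

Added example; it is not the post's code and uses no OpenSSL. Primes are
generated with Miller-Rabin at a small, non-production size so the script
runs quickly; real keys use 2048-bit or larger moduli. The "certificate"
here is just a dict carrying the public numbers, standing in for the X.509
fields the post shows with 'openssl x509 -text'.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate of exactly `bits` bits, retried until prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits=512, e=65537):
    """Return (public, private) as dicts of integers; p and q are equal length."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return {"n": n, "e": e}, {"n": n, "e": e, "d": d, "p": p, "q": q}


def sign(private, data):
    """Toy signature: apply the private exponent to the SHA-256 digest
    (no padding, demonstration only)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, private["d"], private["n"])


def verify(public, data, signature):
    """The verifier 'decodes' the signature with the public key and compares
    the recovered value to a freshly computed digest, as the post describes."""
    recovered = pow(signature, public["e"], public["n"])
    return recovered == int.from_bytes(hashlib.sha256(data).digest(), "big")


def modulus_fingerprint(key):
    """Equivalent of 'openssl ... -noout -modulus | openssl md5': hash the
    'Modulus=HEX' line instead of comparing the long number by eye."""
    return hashlib.md5(("Modulus=%X\n" % key["n"]).encode()).hexdigest()


def cert_matches_key(cert_public, private):
    """True when the certificate's modulus equals the private key's modulus."""
    return modulus_fingerprint(cert_public) == modulus_fingerprint(private)


if __name__ == "__main__":
    pub, priv = generate_key()
    sig = sign(priv, b"tbsCertificate bytes")
    print("signature valid:", verify(pub, b"tbsCertificate bytes", sig))
    print("cert/key modulus fingerprints match:", cert_matches_key(pub, priv))
```

`modulus_fingerprint` hashes the same `Modulus=...` text that `openssl x509 -noout -modulus` prints, so a fingerprint computed here for a key matches the one the post's shell pipeline produces for that key's certificate.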

How to tune Apache performance and harden it


  • understand how Apache works first
The main process accepts new incoming connections and passes each one to a "worker" process; once the worker finishes its job, which is reading the user's request and sending back the response, it tells the main process it is done and waits for the next connection.

  • Apache and the keepalive issue - reduce the keepalive value to 2 seconds to allow Apache to terminate the connection soon enough
Imagine there are 1000 users connecting to your website at the same moment; how do you handle it? By default, Apache has keepalive set to 15 seconds and timeout to 300 seconds (5 minutes).

Without keepalive, each connection serves only one of the files the browser needs to display the page; this is inefficient, since a web page normally consists of several files.

You can reduce the KeepAlive timeout to 2 seconds (do not turn it off). 2 seconds is enough to let the client request all the files needed to display a page without opening more than one connection, and still lets Apache terminate the connection soon enough to handle more clients than usual.
  • use a worker threaded MPM
Using the worker (threaded) MPM uses less memory and increases the number of connections Apache can handle.

  • Some other tips
Disable ExtendedStatus
HostnameLookups off
Setting Options -Indexes FollowSymLinks (so Apache doesn't have to check if the file is symbolic link or not, it just follow)
use a reasonable connection Timeout value rather than 300 (30 seconds or less, so that modem users don't hog connections)
  • use thttpd for static files
You can farm all your static files like images to thttpd , make sure it supports keep alive.

  • Apache is the only service on the web server
You can tune the StartServers, MinSpareServers, MaxSpareServers, MaxClients and MaxRequestsPerChild parameters accordingly if you are running a 3-tier architecture such as Apache, a Java-enabled middle server and a database backend.

You can have a big StartServers value and MinSpareServer(0) and MaxSpareServers value the same as StartServers value.

If you trust your application, you can set MaxRequestsPerChild to a very big value.

  • hardening
use Apache 2.2's built-in chroot (ChrootDir /path)
use 'TraceEnable Off' in the main httpd.conf to disable TRACE/TRACK
use ServerTokens Prod

HP ILO2 Authentication through OpenLDAP on HP DL385G2


Many companies use HP servers because of the easier management offered by ILO (Integrated Lights-Out). After you have deployed a large number of HP servers, you'll find one problem: managing all the ILO administrator passwords. ILO provides a directory setting so you can use a centralized LDAP database for authentication, but HP doesn't document how to configure it with OpenLDAP.

This article guides you through configuring an OpenLDAP server specifically for HP ILO2 authentication. I'm using RedHat Enterprise Linux 4 update 5 and OpenLDAP. It has only been tested on an HP DL385G2 server, although it might work for other models too.

The following are some important concepts for enabling ILO2 authentication through OpenLDAP.

On OpenLDAP:
  • Adding ‘memberOf’ attribute and ‘user’ objectclass into openldap (details later)
  • Allow version 2 binding in /etc/openldap/slapd.conf which is ‘allow bind_v2’
  • Slapd must also listen on port 636(ldaps)
On ILO2:

  • Using schema-free configuration in ILO
  • Specify port 636 and OpenLDAP servername or IP address
  • Configuring user context and group DN
Special schema for ilo auth in /etc/openldap/slapd.conf
[root@repo openldap]# grep -e ilo.schema -e bind_v2 /etc/openldap/slapd.conf
include /etc/openldap/schema/ilo.schema
allow bind_v2

[root@repo openldap]# grep TLS /etc/openldap/slapd.conf
TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
Note: must enable TLS for listening on port 636 for ilo ldaps connection

[root@repo openldap]# more /etc/openldap/schema/ilo.schema
attributetype ( 1.3.6.1.4.1.15959.9.1.1
NAME 'memberOf'
DESC 'Group which user belongs to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.3.6.1.4.1.15959.9.2.1
NAME 'memberOf'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
MUST ( memberOf )
)

objectclass ( 1.3.6.1.4.1.15959.9.2.2
NAME 'user'
SUP top AUXILIARY
DESC 'Required by Integrated Lights-Out for OpenLDAP '
)
Import ldif
Note: replace ou=linuxtechres and dc=blogspot,dc=com with your organization ones.

[root@repo ldif]# more base.ldif
dn: dc=blogspot,dc=com
dc: blogspot
description: Root LDAP entry
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: linuxtechres

dn: ou=groups,ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: groups

dn: ou=users,ou=linuxtechres,dc=blogspot,dc=com
objectclass: top
objectclass: organizationalunit
ou: users
[root@repo ldif]# more user.ldif
dn: cn=jephe.wu,ou=users,ou=linuxtechres,dc=blogspot,dc=com
cn: jephe.wu
uid: jephe.wu
sn: Wu
uidnumber: 1000
homedirectory: /home/jephe.wu
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectclass: inetorgperson
objectClass: memberOf
objectClass: user
shadowLastChange: 13650
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 100
displayname: Jephe Wu
userPassword: {SSHA}7znBGbK5/GMGWVryUuunxgQ87N8L38/b
memberOf: cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
[root@repo ldif]# more groups.ldif
dn: cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
cn: iloadmin
objectClass: top
objectClass: groupofnames
member: cn=jephe.wu,ou=users,ou=linuxtechres,dc=blogspot,dc=com
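Because ILO looks up the user's memberOf attribute while the group lists its members by DN, a typo in either side silently locks the user out. The following added Python check (not part of the post or of OpenLDAP) parses simple LDIF and verifies that every memberOf on a user names an existing group whose member attribute lists that user's exact DN, and that every group member is a known user entry. The LDIF embedded in it is constructed, with a group member DN that deliberately omits the ou=users component so the check has something to report.

```python
"""Check that user and group LDIF entries reference each other consistently
before loading them into slapd.

Added example, not part of the post or of OpenLDAP. It parses simple LDIF
(one attribute per line, entries separated by blank lines), then verifies
that every memberOf value on a user names an existing group whose member
attribute lists that user's DN, and that every group member is a known
user. The sample LDIF is constructed; the group entry deliberately carries
a member DN missing the ou=users component so the check has something
to report.
"""

SAMPLE_LDIF = """\
dn: cn=jephe.wu,ou=users,ou=example,dc=example,dc=com
cn: jephe.wu
objectClass: inetOrgPerson
objectClass: memberOf
objectClass: user
memberOf: cn=iloadmin,ou=groups,ou=example,dc=example,dc=com

dn: cn=alice,ou=users,ou=example,dc=example,dc=com
cn: alice
objectClass: inetOrgPerson
objectClass: memberOf
objectClass: user
memberOf: cn=iloadmin,ou=groups,ou=example,dc=example,dc=com

dn: cn=iloadmin,ou=groups,ou=example,dc=example,dc=com
cn: iloadmin
objectClass: groupOfNames
member: cn=jephe.wu,ou=example,dc=example,dc=com
member: cn=alice,ou=users,ou=example,dc=example,dc=com
"""


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators; DNs are case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized_dn: {attr_lower: [values]}} for a simple LDIF file.
    Base64 ('::') values and line continuations are not handled."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "dn" in current:
                entries[normalize_dn(current["dn"][0])] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_memberships(entries):
    """Return a sorted list of inconsistencies between memberOf and member."""
    problems = []
    groups = {dn for dn, e in entries.items()
              if "groupofnames" in [v.lower() for v in e.get("objectclass", [])]}
    users = set(entries) - groups
    for dn in users:
        for group_dn in entries[dn].get("memberof", []):
            g = normalize_dn(group_dn)
            if g not in groups:
                problems.append(f"{dn}: memberOf points to unknown group {g}")
            elif dn not in {normalize_dn(m) for m in entries[g].get("member", [])}:
                problems.append(f"{g}: member list does not include {dn}")
    for g in groups:
        for m in entries[g].get("member", []):
            if normalize_dn(m) not in users:
                problems.append(f"{g}: member {normalize_dn(m)} is not a known user entry")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_memberships(parse_ldif(SAMPLE_LDIF)):
        print("PROBLEM:", p)
```

Concatenate base.ldif, user.ldif and groups.ldif into one file and feed it to `parse_ldif`; an empty result means every memberOf/member pair is symmetric.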

ILO Configuration

Enable the following options on ILO2 (Administration-Security- Directory Settings)
Use Directory Default Schema
Local User Accounts Enabled
Directory Server Address: FQDN of openldap server or ip address
Directory Server LDAP Port 636
Directory User Context 1 ou=users,ou=linuxtechres,dc=blogspot,dc=com
 
Then go to ‘Administrator Groups’:
Security Group Distinguished Name cn=iloadmin,ou=groups,ou=linuxtechres,dc=blogspot,dc=com
Administer Group Accounts Allowed 
Remote Console Access Allowed
Virtual Power and Reset Allowed
Virtual Media Allowed 
Configure iLO 2 Settings Allowed
That's it. Now you can log in to ILO2 as jephe.wu with your OpenLDAP entry password on every HP server in your data center that is configured for OpenLDAP authentication.

Use Linux to reset Windows server administrator password

You might forget your Windows server administrator password, or the account might be locked after too many failed attempts. Don't worry: there's a nice tool, 'chntpw', which can reset and unlock it. The following example was tested on Windows 2003 server.


1. download the Linux rescue CD - RIP(Recovery Is Possible)

note: to reduce download time. Non-X version is enough.

2. reboot your Windows server with this CD; you might want to choose option 2 to skip the keyboard map

3. login as root without password

4. run the following commands to mount the Windows 2003 server partition read-write

cd /mnt

mount -t ntfs-3g /dev/sda1 win -o force (assuming your Windows partition is /dev/sda1; you can use the fdisk command to find out)

note: to make sure you mounted the Windows partition read/write, run

touch /mnt/win/testfile and confirm it doesn't give any error.

cd win/WIN2K03/system32/config

chntpw SAM

then follow the on-screen instructions:

first, answer y to reset/unlock the counters

then enter * to blank the password

finally, answer y all the way to finish


5. finishing up

cd /mnt

sync

umount win

reboot

Note:

1. you can use chntpw SAM -l to list all Windows users

2. use chntpw SAM -u user1 to unlock/reset user1 password

3. http://www.tuxera.com/community/ntfs-3g-download/ (NTFS 3G website)

What Does a System Administrator Do?

What is a system administrator? Well, look at the title. Administrator of systems. A system administrator takes care of systems.

Now, most people read "system" to mean an individual computer, and think that all a sysadmin does is clean viruses off your computer and replace your monitor. That's not wrong -- but it is only one page of the whole story.

A real computing system is larger. Very few computers work just on their own anymore; when you use the web, play a game online, share files with a friend, or send email, you're using a complex and intricate collection of computers, networks and software that come together to do the job you're asking.

A sysadmin manages these systems -- they figure out how to bring storage from one server, processing from another, backups from a third and networking from a fourth computer all together, working seamlessly. For you.

It's not an easy task. Your sysadmins need to understand in depth computing protocols. They often have to know something about programming, something about hardware, a lot about software -- and even more about the people using their system.

A sysadmin is a professional, with complex skills, ethical challenges, and a daunting job. Many, if not most, people find computers difficult to use, and sometimes they're unreliable. Being a sysadmin doesn't absolve someone of dealing with unreliable computers. Oh, one can dream of such a day, but the opposite is true; no one sees more dead computers in a day than a sysadmin. No one sees them doing truly baffling things, and no one has more stories of computers failing, acting possessed, or even catching on fire.

The challenge of a sysadmin is making a computing system -- a whole network of resources and servers and software -- work together, work right, work even when parts of it fail -- and work for you.

That's the most important job of the sysadmin: to work for you. To take the staggering array of technologies, acronyms, protocols, networks, vendors, budgets, limited time, competing products, and threats to the computing network, assemble them all together in a working system. Their job is not only to be the geek in the corner who types all day. What they're doing is bringing these diverse pieces of technology into order, and fitting them together to fill your needs at work and home; to translate the world of computing into human terms.

This is a daunting task and we're still at the cutting edge; we're not perfect, and the field is still figuring itself out. Being a sysadmin takes a certain boldness, to be one of the first people to take on the challenge of turning difficult computers into easy to use systems. But hundreds of thousands of people are working in that field now, from the entry level help desk tech to the corporate CIOs and everyone in between.

So when you think of a sysadmin, think of the people who run the servers that help you clean it off, the people who run your backups to make sure your data is safe, the people who bring you the network, the people who monitor it for security -- and yes, the person who cleans the virus off your computer and replaces your monitor.

When is Sysadmin Day? A: Last Friday of July.

System Administrator Appreciation Day is on the Last Friday of July. Always has been on the Last Friday of July. It has never been on any other day of the week or any other month. It has never been on a Saturday. Whatever day the last Friday of July is in your own country, as long as it is the Last Friday of July. Sysadmin Day is a 24 hour event, for the entire Last Friday of July. From the first minute of Friday, to the last minute of Friday. Celebrate Sysadmin Day in your own local time-zone, for the entire Last Friday of July. A "day" is defined as the twenty-four hour period starting at 12:00:01 a.m. and ending at 11:59:59 p.m.


July 29, 2011 (Last Friday Of July) 12th Annual System Administrator Appreciation Day

A sysadmin unpacked the server for this website from its box, installed an operating system, patched it for security, made sure the power and air conditioning was working in the server room, monitored it for stability, set up the software, and kept backups in case anything went wrong. All to serve this webpage.


A sysadmin installed the routers, laid the cables, configured the networks, set up the firewalls, and watched and guided the traffic for each hop of the network that runs over copper, fiber optic glass, and even the air itself to bring the Internet to your computer. All to make sure the webpage found its way from the server to your computer.

A sysadmin makes sure your network connection is safe, secure, open, and working. A sysadmin makes sure your computer is working in a healthy way on a healthy network. A sysadmin takes backups to guard against disaster both human and otherwise, holds the gates against security threats and crackers, and keeps the printers going no matter how many copies of the tax code someone from Accounting prints out.

A sysadmin worries about spam, viruses, spyware, but also power outages, fires and floods.

When the email server goes down at 2 AM on a Sunday, your sysadmin is paged, wakes up, and goes to work.

A sysadmin is a professional, who plans, worries, hacks, fixes, pushes, advocates, protects and creates good computer networks, to get you your data, to help you do work -- to bring the potential of computing ever closer to reality.

So if you can read this, thank your sysadmin -- and know he or she is only one of dozens or possibly hundreds whose work brings you the email from your aunt on the West Coast, the instant message from your son at college, the free phone call from the friend in Australia, and this webpage.

Show your appreciation

Friday, July 29, 2011, is the 12th annual System Administrator Appreciation Day. On this special international day, give your System Administrator something that shows that you truly appreciate their hard work and dedication. (All day Friday, 24 hours, your own local time-zone).

Let's face it, System Administrators get no respect 364 days a year. This is the day that all fellow System Administrators across the globe will be showered with expensive sports cars and large piles of cash in appreciation of their diligent work. But seriously, we are asking for a nice token gift and some public acknowledgement. It's the least you could do.

Consider all the daunting tasks and long hours (weekends too.) Let's be honest, sometimes we don't know our System Administrators as well as they know us. Remember this is one day to recognize your System Administrator for their workplace contributions and to promote professional excellence. Thank them for all the things they do for you and your business.