Archive for the ‘Documentation’ Category

Turn off Server Manager startup at logon.

In Windows 2016, Server Manager starts up at logon. It does this in Windows 2012 R2, but I have not confirmed whether the solution is the same to prevent this behavior. To stop this, you do from the Task Scheduler.

You bring up Task Scheduler under Administrative Tools.

Expand Task Scheduler Library/Microsoft/Windows, and go down to ServerManager.

Under Server Manager, you will see two tasks: CleanupOldPerfLogs and ServerManager.

Right mouse click ServerManager and select Disable. This will turn this behavior off for all users that login to the server.

I have verified that can be modified the same way in Server 2012 R2 as well.

Using puttygen to generate OpenSSH public key

I was given the private key for an SFTP server on a remote network. The key was generate using puttygen.exe or similar program on a Windows system. I needed to using public key authentication to access the server. This is what I did to generate a public key to authenticate.

On a Windows system, I ran puttygen.exe and imported the private key. You can either do this as a parameter to the puttygen.exe program or import the key once you have started puttygen.exe:

puttygen somebodys.ppk

Once the key is imported, you can change the key comment from imported-openssh-key to something more meaningful. And enter and confirm your choice of passphrase.

Then save the public key by clicking the button.

Copy the newly generated public key to the openssh sftp client machine.

Put the file in file in the ~/.ssh directory and secure it (chmod 400 ~.ssh/somebodys.pub).

Then you just have to pass it to your sftp command.

$ sftp -i ~/.ssh/somebody.pub myusername@their.host.name

Write protect a USB drive in Windows

You can write protect a USB (or any drive for that matter) using DISKPART.

With the drive plugged in open up a command prompt and enter DISKPART.

Then list the disks in your system to determine which one is the USB drive using LIST DISKS

Once identified, enter SELECT DISK #, where # is the number corresponding to your USB disk.

To list disk attributes enter ATTRIBUTES DISK.

To set disk to read only enter ATTRIBUTES DISK SET READONLY.

To remove read only restriction enter ATTRIBUTES DISK CLEAR READONLY.

CentOS 7 – smarthost authentication

Using the default MTA (Postfix), the following needs to be configured. I have tested authenticating to an Exchange 2010 server.

I am not really sure about the minimum software needed in CentOS 7 for this, but I did install the following in a minimum installation (postfix installed by default):

cyrus-sasl-plain
cyrus-sasl-lib

Create a credential file:

# cd /etc/postfix
# vi cr_info
my.server.domain theusername:andtheirpassword
# chmod 600 cr_info
# postmap hash:/etc/postfix/cr_info

Configure postfix for smarthost authentication:

# vi /etc/postfix/main.cf

# JGZ 4/27/2018
relayhost = my.server.domain
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/cr_info
smtp_sasl_security_options = noanonymous

Restart postfix:

# postfix reload

Import a Trusted Root Certificate Authority in Windows 2012 R2 GPO

Export the certificate when you go to the site. I did this in Chrome through the “Developers Tools”. The result was a pem file.

I brought up the group policy management console and edited the GPO where I wanted the certificate. Then, I imported it.

Import the certificate to:
Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

CentOS 7 – Certificate For Apache Notes.

Generate a key and CSR:

# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Valencia
Organization Name (eg, company) [Default Company Ltd]:GreatTechHelp
Organizational Unit Name (eg, section) []:Information Systems
Common Name (eg, your name or your server’s hostname) []:myhostname
Email Address []:some@email.address

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Files created:

# ls
ca.csr ca.key

Sign the key:

# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=California/L=Valencia/O=GreatTechHelp/OU=Information Systems/CN=myhostname/emailAddress=some@email.address
Getting Private key

Copy the certificate, key and csr files and set the permisions:

# cp ca.crt /etc/pki/tls/certs/
# cp ca.key /etc/pki/tls/private/ca.key
# cp ca.csr /etc/pki/tls/private/ca.csr
# chmod 600 /etc/pki/tls/certs/
# chmod 600 /etc/pki/tls/private/ca.key
# chmod 600 /etc/pki/tls/private/ca.csr

Edit the apache configuration for the VirtualHost or site (Virtual host in this example.):

# cd /etc/httpd/conf.d/
# ls
autoindex.conf myhostname.conf php.conf README ssl.conf userdir.conf welcome.conf
# vi myhostname.conf

ServerName server.domain.tld
ServerAlias someothername
DocumentRoot /var/www/html

NameVirtualHost *:443


ServerName myhostname.greattechhelp.com
ServerAlias myhostname
DocumentRoot /var/www/html/myhostname
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}


SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

AllowOverride All

DocumentRoot /var/www/html/myhostname
ServerName myhostname.greattechhelp.com
ServerAlias myhostname

Restart apache:

# systemctl restart httpd

To renew the cert:

# cp -p /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.crt.bak
# cp -p /etc/pki/tls/private/ca.key /etc/pki/tls/private/ca.key.bak
# openssl req -new -days 365 -x509 -nodes -newkey rsa:2048 -out /etc/pki/tls/certs/ca.crt -keyout /etc/pki/tls/private/ca.key
# systemctl restart httpd

MySQL DB access via shell.

Here is a decent secure way to get yourself access to your MySQL/MariaDB databases from a shell script in linux:

# umask 277
# vi /somedirectory/.supersecretfile
# ls -l /somedirectory/.supersecretfile
-r——–. 1 root root 36 Feb 2 11:58 /somedirectory/.supersecretfile
# umask 022

# mysql –defaults-file=/somedirectory/.supersecretfile -e “SOME SQL COMMAND”

VMware ESXi and iSCSI storage issue.

I was having some trouble with a couple iSCSI volumes in a two member ESXi cluster. Two of the volumes were display in the client adapater details as mounted, but the volumes were not showing as mounted in the Storage pane or with a df command in the CLI.

Logs to check in for a possible hint:

# grep -i volumename vobd.log
# grep -i volumename vmkernel.log

When I listed the filesystems from the CLI using the following, the volumes were not listed or obviously mounted:

# esxcli storage filesystem list

List iSCSI adapters configured:

# esxcli iscsi adapter list

A rescan of all the adapters did not work either:
Rescan adapter:

# esxcli storage core adapter rescan -a

To list all the devices and their world IDs:

# esxcli storage core device world list

To only list the world IDs tied to one device:
# esxcli storage core device world list -d mydeviceid

List all guests and their World ID:

# esxcli vm process list

Restart management services:

# services.sh restart

The vmkernel.log had a clue. A message stating that “Device mydeviceid detected to be a snapshot:”

# grep -i mydeviceid vmkernel.log

Listing the snapshots revealed the issue:
List snapshot:

# esxcli storage vmfs snapshot list

Both of my troubled volumes were listed as snapshots. I was told by VMware that this can happen if something changes in the META data of the iSCSI SAN/NAS. This was possible in my case, because I just updated my FreeNAS to the latest version. All that needed to be done was remove the snapshots. Once removed the volumes were mounted immediately.
Remove snapshot:

# esxcli storage vmfs snapshot mount -u “59b153b3-86f464ec-999d-a0d3c1f0cdf0”
# esxcli storage vmfs snapshot mount -u “59b1a680-bc18c507-831a-2c768a56eb24”

User Specific ssh/sftp/scp Customizations in CentOS.

I ran into a situation where I was trying to place files for support, and they only supported 3des ciphers (3des-cbc,blowfish-cbc,3des-cbc). The global ssh client configuration on my system only supported aes ciphers. Instead of adding the 3des to the global configuration (/etc/ssh/ssh_config), I wanted to add it to just one account.

$ vi ~/.ssh/config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc

$ chmod 400 ~/.ssh/config

Then, I could run ssh/sftp/scp with -vvv to verify. You should see the following output:


debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,3des-cbc

Of course, you can add any customization you want to the ~/.ssh/config file you want. This is just an example. What got me was the global config file is call ssh_config, while the user config file is called config. man ssh_config help me discover the correct name. If you do not have the correct name, you need to pass a -F myspecialcustomconfigfile to the ssh/sftp/scp command.

Modify Exchange Message Size Limits

There are a number ways to control message size in Exchange. Many actually. Even down to the header size.

Reference: https://technet.microsoft.com/en-us/library/bb124345(v=exchg.141).aspx

Here are the options I have been most likely to use:
This is where you set your server parameters. This setting applies to all users on the server:
To view your current settings:

Get-TransportConfig | Select MaxSendSize,MaxReceiveSize

To modify your settings:

Set-TransportConfig -MaxSendSize 15MB -MaxReceiveSize 15MB

Here is where you can set the parameter based on a receive connector only:

Get-RecieveConnector | Select MaxMessageSize

To modify:

Set-ReceiveConnector -Identity “receiveconnectorname” -MaxMessageSize 15MB

And this for a send connector:

Get-SendConnector | Select MaxMessageSize

To modify:

Set-SendConnector -Identity “sendconnectorname” -MaxMessageSize 15MB

This is where you would set it for the individual mailbox. So, you might want have your other settings high, and restrict by mailbox if the need is there.
To view a mailbox’s limits:

Get-Mailbox | Select Name,MaxSendSize,MaxReceiveSize
Get-Mailbox mailboxname | Select Name,MaxSendSize,MaxReceiveSize

To modify:

Set-Mailbox jgz -MaxSendSize 100MB -MaxReceiveSize 100MB

Return top

INFORMATION