Friday, 9 March 2012

Netscreen SSG140 dual factor VPN with Yubikey

For a while I have been meaning to type up a guide to setting up dual factor VPNs on Netscreen SSG firewalls. It took me a while to figure it all out, referring to lots of online sources, so hopefully this will be useful to someone. I have a Juniper Netscreen SSG 140 firewall which various users log into, getting access to different systems based on their permissions. I used the excellent and cheap Yubikey from Yubico to get the second factor working. Feel free to post any queries or suggestions; I'll try to answer any I can but I'm far from an expert.

Thursday, 19 January 2012

IPv6 - Time to get the ball rolling?

About a year ago I started seriously looking into IPv6 and managed to get all the way to "Guru" status on the Hurricane Electric certification program. However, I lost momentum because then I was stuck. Our main providers did not support IPv6 (BTNet, 123-reg and Rackspace being the main ones), so I could not get direct IPv6 connectivity for any of our systems. Using a tunnel would have worked but did not seem right for production systems.

However, after hearing about World IPv6 Launch day being planned for 6th June this year, I've had another look and things are looking a lot more workable. Good news, since RIPE is due to run out of IPv4 address blocks for Europe in about 164 days.

Rackspace are supporting IPv6 on most of their services if you put in a request.

BT plan to launch full standardised IPv6 support in early 2012. I have fired off an email to my account manager to see if there are any firmer dates.

123-Reg now support IPv6 AAAA records via their web-based DNS management, and even IPv6 glue for domains; however, you need to raise a support request for DNS glue.

Given that service providers seem to actually support IPv6 now, and with at least Google, Facebook, Yahoo and Bing planning to turn IPv6 on permanently from 6th June, we seem to be approaching the point where having IPv6 connectivity is both possible and usable. How long before IPv4 starts to have noticeable problems for end users is another question, but since it will happen eventually I'm happy to get started as soon as possible. It's going to be a fun challenge to get my teeth into as soon as BT start assigning subnets.

Thursday, 17 November 2011

vSphere hosts disconnecting

I recently reinstalled my entire vSphere & Veeam infrastructure (the old install was not playing nicely with a large SQL database: too many big jobs running overnight at the same time). Overall it all went really smoothly: point the new vSphere at the ESXi hosts and it warns that the old vSphere will be disconnected; Veeam installed and connected with no problems (or so I thought). Unfortunately I tested a Veeam backup before I enabled the Windows Firewall, which led to everything failing on the first night. Windows Firewall needs a few ports opened for vSphere to remain connected to the ESXi hosts; otherwise, after a few minutes, all the hosts show as (not responding) in the vSphere client.



A full list of the ports for VMWare products can be found here http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382

However, if you just want to connect your vSphere server to your ESXi hosts, then these are the ports that need to be open on the vSphere server (assuming you installed on Windows and did not use the new vSphere appliance):

For vSphere/ESXi 4.x you need the following:
TCP port 111 - NFS client, RPC portmapper (NFS is needed for Veeam's Instant Recovery feature)
TCP port 2049 - NFS client
TCP and UDP port 902 - heartbeat (this is the important one!)

vSphere/ESXi 5.x also needs these (untested, as I am still on 4.x until Veeam adds full support):
TCP port 5989 - CIM XML transactions
UDP port 111 - NFS client, RPC portmapper (NFS is needed for Veeam's Instant Recovery feature)
UDP port 2049 - NFS client

As soon as you open port 902 for both TCP and UDP (the two heartbeat protocols), your hosts should automatically reconnect and everything should work. Lesson learned: wait for the timeouts after enabling the firewall before assuming it's all working!

Friday, 28 October 2011

Setting the window title in Putty

There are two ways to set the window title for a Putty SSH client: statically, or on the fly. Both have their uses depending on what you want to achieve.

Static window title
The static method is easy and is best for naming a connection, e.g. "Web server", so you know where the connection goes. There are two settings you need to change in the Putty configuration screens.

1. Under Terminal -> Features, tick the option to disable remote window title changing (to stop the remote server changing what you set).
2. Under Window -> Behaviour, enter the new title you would like to see for that connection.
3. Your Putty window will now have a fixed title (assuming you remember to save the session; if not, it will only last for this session).

Dynamic window title

Sometimes, though, you want to change the window title on the fly, or set it from the server rather than manually on each client's computer. In this case the following command lets you change the window title from within the Linux shell:

export PROMPT_COMMAND="echo -ne '\033]0;Dev Server - Compiling \007'"
The most obvious way to use this is to type it straight into the shell (or write a script to do it for you), which is what I did in the screenshot below. The other option is to add it to .bashrc, which lets you preset the window title for any users you wish, or to include it in any scripts that take a long time to run so you can glance at the window title on your taskbar to see how far along they are.
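The same ESC ] 0 ; title BEL sequence from a long-running job written in Python, as an added example that is not from the original post. The static setup above blocks remote title changes; when you do set the title from the server side, the one thing worth guarding is that a title built from a hostname, job name or argument contains no control characters, so it cannot terminate the sequence early or start a second one. The `title_sequence`, `progress_title` and `set_title` names are my own.

```python
import os
import sys


def title_sequence(title):
    """Build the sequence the post uses, ESC ] 0 ; <title> BEL, after removing
    control characters (ESC, BEL, newline, DEL) so that a title assembled from a
    hostname, job name or argument cannot end the sequence early or start another."""
    clean = "".join(ch for ch in title if ch >= " " and ch != "\x7f")
    return "\033]0;" + clean + "\007"


def progress_title(label, done, total):
    """Title for a long job, e.g. 'Dev Server - Compiling 3/10', as the post suggests."""
    return title_sequence("%s %d/%d" % (label, done, total))


def set_title(title, stream=sys.stdout):
    """Emit the sequence only to a real xterm-style terminal (Putty announces
    itself as TERM=xterm by default); return False when output is a log file or
    a pipe so that no escape bytes land in it."""
    if not stream.isatty() or not os.environ.get("TERM", "").startswith("xterm"):
        return False
    stream.write(title_sequence(title))
    stream.flush()
    return True


if __name__ == "__main__":
    # Typical use inside a slow script: update the title as each step finishes.
    for step in range(1, 4):
        set_title(progress_title("Dev Server - Compiling", step, 3))
```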




Wednesday, 27 July 2011

Quickly query a registry key

Sometimes you want to know quickly what a registry key is set to on a Windows machine. Maybe you want to see what the Windows Update settings are because you are trying to deploy WSUS. Maybe you have just applied a security setting with GPO on a domain.

From the command line you can quickly query the registry like this:
c:\>Reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    ElevateNonAdmins    REG_DWORD    0x1
    DoNotAllowSP    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x5
    ScheduledInstallTime    REG_DWORD    0xb
    NoAutoRebootWithLoggedOnUsers    REG_DWORD    0x1
    RescheduleWaitTimeEnabled    REG_DWORD    0x1
    RescheduleWaitTime    REG_DWORD    0x5
    RebootRelaunchTimeoutEnabled    REG_DWORD    0x1
    RebootRelaunchTimeout    REG_DWORD    0x1e
c:\>
The /s switch shows all sub keys. Note that the values are displayed in hexadecimal, so a ScheduledInstallDay of 0x5 is day 5; counting from Sunday as 1, that is Thursday. A ScheduledInstallTime of 0xb is 11 in decimal, so 11am.


The quickest way I know to convert hexadecimal to decimal, if you are not sure, is to use Google: a search for "0xb as decimal" shows the answer of 11 above the other search results.
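If you check this on many machines, a few lines of Python can do the hex conversion and the day/hour decoding for you. This is an added example, not from the original post: it parses the `reg query ... /s` text output shown above (embedded here as a constructed sample) and translates the AU schedule the way the post does, with 1 = Sunday. The `parse_reg_query` and `describe_au_schedule` names are my own.

```python
import re

# Constructed sample: the `reg query ... /s` output shown in the post, pasted as text.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    ElevateNonAdmins    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x3
    ScheduledInstallDay    REG_DWORD    0x5
    ScheduledInstallTime    REG_DWORD    0xb
"""

AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# ScheduledInstallDay: 0 = every day, then 1 = Sunday ... 7 = Saturday.
DAY_NAMES = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday"]


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query output;
    REG_DWORD/REG_QWORD data (printed as 0x... hex) becomes an int."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue                     # blank separator between keys
        if not line[0].isspace():        # unindented line is a key path
            current = line.strip()
            keys[current] = {}
            continue
        fields = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        name, reg_type = fields[0], fields[1]
        data = fields[2] if len(fields) > 2 else ""
        if reg_type in ("REG_DWORD", "REG_QWORD"):
            data = int(data, 16)
        keys[current][name] = (reg_type, data)
    return keys


def describe_au_schedule(keys):
    """Human-readable install day and hour from the AU key, or None if absent."""
    au = keys.get(AU_KEY)
    if au is None:
        return None
    day = au.get("ScheduledInstallDay")
    hour = au.get("ScheduledInstallTime")
    return {
        "install_day": DAY_NAMES[day[1]] if day and 0 <= day[1] <= 7 else None,
        "install_hour": hour[1] if hour else None,
    }
```

On a real machine, feed it the output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s` captured with `subprocess.run(..., capture_output=True, text=True).stdout`.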

Tuesday, 26 July 2011

Recycle bins - why so many and how to clear them

Each user has a separate recycle bin for each partition on a computer. This is great as it means that if Bob empties his recycle bin, Alice still has her files in hers. However, it can be a pain if you are trying to clear space on a hard drive: you can empty the recycle bin on a multi-user machine and there are still files taking up space in the other users' recycle bins...

You can control the space available to the recycle bin by right clicking on it and choosing Properties. Sometimes you want to keep a big recycle bin (working with large files) but also try to reduce the space used by the bin where possible (virtual servers with backups of whole VMs, obsessive compulsive sysadmin...). Each user has their own recycle bin, which is great for accountability, but the name of each bin is not easy to decipher.

For NTFS partitions the recycle bin is stored in c:\recycler (note: you have a recycler folder on every partition; for simplicity I'm just going to use c:\recycler in my examples, but if you have a D drive you will also have d:\recycler etc.). This is a system folder, so to view it you need to make system files visible (Tools -> System folders -> view -> untick "Hide protected operating system files"). In this folder there will be several folders with long complex names (e.g. "S-1-8-13-2457591-767657898-480356960-2981"). This long string of characters is the SID (Security Identifier), which uniquely identifies each user on a computer or domain. You can right click and choose Properties on these folders to see the size, but if you try to go into a folder that is not yours it appears empty even if it is full of files.


To determine the user name associated with a SID, type the following at a command prompt (replace this sample SID with the one you have, of course):
wmic path win32_useraccount where sid="S-1-8-13-2457591-767657898-480356960-2981" get name
Or, if you know the name of a user, you can find their SID with this command:
wmic path win32_useraccount where name="bsmith" get sid
Now we can track down who has the big recycle bin, so if you have ongoing problems at least you know who to chase.

If you are sure you want to delete a user's recycle bin then, as long as they are logged out, you can just delete their folder under c:\recycler. If they are logged in, the folder is in use, in which case you will have to ask them to do it.

Sunday, 24 July 2011

Bitcoin - How and when to backup wallet.dat

Bitcoin is a fascinating subject from both the technical and social viewpoints. While there are a lot of people online talking about how to use it and whether you should use it, there seem to be far fewer talking about how the wallet works from a backup perspective. This seems strange, as your wallet contains your money, and if you do not understand how it works you might lose your money.

If you don't care about the WHY and just want the answer jump to the bottom of this post.


The first thing to understand is that your wallet does not contain the actual money. Your wallet contains a lot of public/private key pairs (I'm assuming you understand the basics of public/private key cryptography; if not, I'll be writing something up on that soon, inspired by the latest portforwardpodcast). The blockchain contains the list of who has which bitcoins.

Every time you are sent money it is sent to one of your public keys, and only the matching private key is able to send that money on again. As your bitcoin client downloads each new block it compares it with the keys in your wallet and adds or subtracts the amounts sent to or from your keys.

This is part of the security of Bitcoin: if someone tries to send you bitcoins, your client can check that they actually have those bitcoins to send by looking back through the blockchain. If everything is correct, the transaction will be included in the next block generated, which is the first confirmation. By the time you have 6 confirmations you can be pretty sure the money is yours.

Key pairs get used up in two ways (receiving and sending, covered below), so your wallet.dat file contains 100 spare keys for future use (you can change this default to anything you want). A new public/private key pair is automatically generated each time you send or receive bitcoins, to help improve the anonymity of Bitcoin. Each new key pair is added to the end of the list, and every time a new key pair is needed the oldest spare one is used.

You can see this happening when you receive bitcoins: the client shows your current bitcoin address on its main window. When you receive some bitcoins, the next address from the list of spares becomes active and a new address is generated and added to the end of the spare list. Since your wallet still contains the old address, you can still receive funds sent to it without any problems.


Sending bitcoins can also use up a key pair. This is because if you have received 10 bitcoins to a single address and you want to send 2 bitcoins, the transaction sends all 10: 2 bitcoins go to the person you are paying and the remaining 8 bitcoins are sent back to a new address of your own. This is all hidden by the client, so you do not see these keys.

You can see this happening at http://bitcoincharts.com/bitcoin/ which shows the latest unconfirmed transactions; almost every transaction has 2 outputs. One will be the money going to its new owner and the other will be the remainder going back to its existing owner on a new address.

You can back up your wallet.dat file, complete several transactions and keep using the new addresses to receive money with no problems. At some point, probably after about 100 transactions (sending and receiving), you will start using key pairs that are not in your backed-up wallet.dat file. If you then lose your wallet you could lose a lot of your bitcoins, as the backup will not have valid key pairs to access the money.
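To make the "about 100 transactions" figure concrete, here is a small model of the keypool behaviour described above (an added example, not from the original post or the bitcoin client): plain integers stand in for key pairs, the oldest spare key is used on each receive or for change on each send, and a fresh one is appended each time. `backup()` is the set of keys a copy of wallet.dat taken at that moment would hold, and `unrecoverable()` counts coins sitting on keys that copy never had; the class and method names are my own.

```python
from collections import deque


class KeypoolWallet:
    """Toy model of the keypool the post describes: the oldest spare key is used
    per receive (or for change on a send) and a fresh one is appended each time."""

    def __init__(self, pool_size=100):   # 100 spare key pairs by default, per the post
        self.all_keys = set()    # every key this wallet file has ever held
        self.spare = deque()     # unused keys, oldest first
        self.funded = {}         # key -> coins currently sitting on it
        for _ in range(pool_size):
            self._generate()

    def _generate(self):
        key = len(self.all_keys)
        self.all_keys.add(key)
        self.spare.append(key)

    def _use_key(self):
        key = self.spare.popleft()  # oldest spare goes into service...
        self._generate()            # ...and one new key joins the end of the pool
        return key

    def receive(self, amount):
        key = self._use_key()
        self.funded[key] = self.funded.get(key, 0) + amount
        return key

    def send(self, amount):
        """Spend one whole funded output, as in the post: pay 2 of the 10 on an
        address and all 10 leave it, with the 8 of change going to a fresh key."""
        key = next((k for k, b in self.funded.items() if b >= amount), None)
        if key is None:
            raise ValueError("no single output covers %r" % amount)
        change = self.funded.pop(key) - amount
        if change == 0:
            return None
        change_key = self._use_key()
        self.funded[change_key] = change
        return change_key

    def backup(self):
        """The keys a copy of wallet.dat taken right now would contain."""
        return frozenset(self.all_keys)

    def unrecoverable(self, backup):
        """Coins on keys the backup lacks: lost if the live wallet.dat is destroyed."""
        return sum(b for k, b in self.funded.items() if k not in backup)
```

Run 100 receives after a backup and `unrecoverable()` is still 0; the 101st lands on a key the backup never contained, which is exactly the window the post is warning about.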

What this means for your backup of wallet.dat:

So, taking all this into account, you should back up your wallet.dat file regularly, but it is not necessary to back up after every single transaction: your wallet already knows the key pairs it will use for the next 100 transactions. Speaking of keeping keys safe, please encrypt your wallet! A future bitcoin client is expected to include encryption, which should improve things, but until then it's your money: look after it!

On Linux your wallet.dat file is stored in ~/.bitcoin/

On Windows the location of your wallet depends on your Windows version. For Windows 7 (and Vista, if you are still suffering that OS) it is in C:\Users\<your user name>\Appdata\Roaming\BitCoin. For older versions of Windows (e.g. XP, 2003) it is in C:\Documents and Settings\<your user name>\Application data\BitCoin.

Just close the bitcoin client and copy this file somewhere safe (both "safe if my computer dies" and "safe from anyone who wants to steal my money"!). The only file you need to back up is wallet.dat; all the other files will be re-created or downloaded if you start the bitcoin client with wallet.dat in the bitcoin data directory.

Disclaimer: Everything here is based on my understanding of how things work - I am in no way connected with bitcoin apart from being a user.  The main bitcoin client is still at version 0.3.24 - it is a relatively new program that is likely to change as new issues with the growing bitcoin network emerge and new features are added.