October 30, 2015

Use adcli to join Linux computer to a Windows Domain Controller

Setup:

Domain: domain1.ncst.com
The computer that runs Windows Server 2008 R2 and is the domain controller: WIN-HPTI079TSF6, or WIN-HPTI079TSF6.domain1.ncst.com
IP address of the domain controller: 192.168.5.206

Linux computer name: git, full name with domain: git.domain1.ncst.com
Linux computer IP address: 192.168.5.204


1. Set up Linux /etc/resolv.conf to point to the Domain Controller, which should also be a DNS server:

  nameserver 192.168.5.206
  nameserver 4.2.2.1

2. (Not needed anymore, since the name server from step 1 resolves this)
Set up the Linux /etc/hosts file so that the domain controller name resolves:

  192.168.5.206 win-hpti079tsf6.domain1.ncst.com

3. Set up your krb5.conf:

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN1.NCST.COM
        kdc_timesync = 1
        ccache_type = 4
[realms]
        DOMAIN1.NCST.COM = {
                kdc = 192.168.5.206
                admin_server = 192.168.5.206
        }

4. (Not needed)
On the domain controller's DNS server, add a DNS A record for "git.domain1.ncst.com"

5. Finally, use the adcli command to join:
./adcli join -v --login-user=Administrator -H git.domain1.ncst.com -N GIT -D domain1.ncst.com -R DOMAIN1.NCST.COM

The result:
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Discovering domain controllers: _ldap._tcp.domain1.ncst.com
 * Sending netlogon pings to domain controller: cldap://192.168.5.206
 * Received NetLogon info from: WIN-HPTI079TSF6.domain1.ncst.com
 * Wrote out krb5.conf snippet to /tmp/adcli-krb5-zKaph4/krb5.d/adcli-krb5-conf-FxUjvg                                                                             
 Password for Administrator@DOMAIN1.NCST.COM:
 * Authenticated as user: Administrator@DOMAIN1.NCST.COM
 * Looked up short domain name: DOMAIN1
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Enrolling computer name: GIT
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab                                             
 * Using fully qualified name: git.domain1.ncst.com
 * Using domain name: domain1.ncst.com
 * Using computer account name: GIT
 * Using domain realm: domain1.ncst.com
 * Looked up short domain name: DOMAIN1
 * Computer account for GIT$ does not exist
 * Found well known computer container at: CN=Computers,DC=domain1,DC=ncst,DC=com
 * Calculated computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Created computer account: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Set computer password                                                           
 * Retrieved kvno '2' for computer account in directory: CN=GIT,CN=Computers,DC=domain1,DC=ncst,DC=com
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: GIT$@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/git.domain1.ncst.com@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/GIT@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/git.domain1.ncst.com@DOMAIN1.NCST.COM: FILE:/etc/krb5.keytab


** You can also add --show-details --show-password to the command to show the machine password.
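A post-join check I would run on the enrolled host, added here as an example (it is not part of the original post or of adcli): it parses MIT `klist -k` output (a constructed sample matching the join log above is embedded so it runs offline) and confirms that every principal adcli reported is present in the keytab with the kvno it retrieved from the directory (2 here).

```python
import re
from collections import defaultdict

# Constructed sample of MIT `klist -k /etc/krb5.keytab` output matching the adcli join log above.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 GIT$@DOMAIN1.NCST.COM
   2 host/GIT@DOMAIN1.NCST.COM
   2 host/git.domain1.ncst.com@DOMAIN1.NCST.COM
   2 RestrictedKrbHost/GIT@DOMAIN1.NCST.COM
   2 RestrictedKrbHost/git.domain1.ncst.com@DOMAIN1.NCST.COM
"""
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")   # matches only the "<kvno> <principal>" rows

def parse_klist(text):
    """Map each principal to the set of kvnos found for it; header lines are skipped."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "@" in m.group(2):
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)

def expected_principals(short_name, fqdn, realm):
    """The five principals adcli wrote for the computer account (see the join log)."""
    return {f"{short_name}$@{realm}",
            f"host/{short_name}@{realm}", f"host/{fqdn}@{realm}",
            f"RestrictedKrbHost/{short_name}@{realm}", f"RestrictedKrbHost/{fqdn}@{realm}"}

def check_keytab(text, short_name, fqdn, realm, kvno):
    """List principals that are missing or whose kvno differs from the directory's kvno."""
    found = parse_klist(text)
    problems = []
    for p in sorted(expected_principals(short_name, fqdn, realm)):
        if p not in found:
            problems.append(f"missing: {p}")
        elif kvno not in found[p]:
            problems.append(f"kvno mismatch for {p}: have {sorted(found[p])}, want {kvno}")
    return problems

if __name__ == "__main__":
    # On the joined host replace SAMPLE_KLIST with subprocess.check_output(["klist", "-k"], text=True).
    problems = check_keytab(SAMPLE_KLIST, "GIT", "git.domain1.ncst.com", "DOMAIN1.NCST.COM", 2)
    print("\n".join(problems) if problems else "keytab OK: all 5 principals present with kvno 2")
```

On the real host feed it the output of `klist -k /etc/krb5.keytab`; that file holds the machine credential, so it should stay root-owned with mode 0600.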

October 26, 2015

The 3 Records you must know for good email delivery

The 3 Records you must know for good email delivery are:
  • Reverse DNS (PTR)
  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
These are the 3 core records you must have correct for sending email. Of course, you need an MX record if you want to receive email, but that's another topic.


https://www.rackaid.com/blog/email-dns-records/

SPF wizards

October 20, 2015

gvim on Windows: how to set font to GB2312

The Windows version of VIM that I am using is the Win-32 console and OLE GVIM flavor. Assuming you took the defaults during installation, you will find the VIM init file, called _vimrc, in %DRIVE%\Program Files\Vim. Edit this file and add a line that looks like the following:
set guifont=Lucida_Console:h10
This will use the Lucida Console font in size 10 regular.  You can use other fonts, sizes and settings. The syntax is basically:
set guifont=font-family:size:style
Here is a snippet from the VIM help guide:
 For the Win32 GUI     *E244* *E245*
 - takes these options in the font name:
  hXX - height is XX (points, can be floating-point)
  wXX - width is XX (points, can be floating-point)
  b   - bold
  i   - italic
  u   - underline
  s   - strikeout
  cXX - character set XX. valid charsets are: ANSI, ARABIC,
        BALTIC, CHINESEBIG5, DEFAULT, EASTEUROPE, GB2312, GREEK,
        HANGEUL, HEBREW, JOHAB, MAC, OEM, RUSSIAN, SHIFTJIS,
        SYMBOL, THAI, TURKISH, VIETNAMESE ANSI and BALTIC.

   Use a ':' to separate the options.
 - A '_' can be used in the place of a space, so you don't need to use
   backslashes to escape the spaces.
 - Examples:
     :set guifont=courier_new:h12:w5:b:cRUSSIAN
     :set guifont=Andale_Mono:h7.5:w4.5

October 17, 2015

Ubuntu 14.04 install strongSwan IKEv2 for Windows 7

1. sudo apt-get install strongswan strongswan-plugin-eap-mschapv2
2. Generate certificates using the following commands (change vpn.example.com to your actual domain name or IP address) (Source: http://serverfault.com/questions/536092/strongswan-ikev2-windows-7-agile-vpn-what-is-causing-error-13801)
ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=US, O=Example Company, CN=Example VPN CA" --ca > vpnca.crt.der
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=US, O=Example Company, CN=vpn.example.com" \
    --san "vpn.example.com" --flag serverAuth --outform pem \
    < vpn.example.com.csr > vpn.example.com.crt.pem 
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER

sudo cp vpnca.crt.der /etc/ipsec.d/cacerts
sudo cp vpn.example.com.crt.pem /etc/ipsec.d/certs
sudo cp vpn.example.com.key.der /etc/ipsec.d/private

3. Import the vpnca.crt.der file generated above into your Windows certificate store (as a CER file). To install the trusted CA certificate locally, open the Microsoft Management Console (mmc) and add the Certificates snap-in. It is of the utmost importance that you select "Computer account". Go into the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder and select the Import action, which starts the Certificate Import Wizard (https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapCert)

4. Edit /etc/ipsec.conf to be as follows: (source: https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig)

# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=no

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no

conn win7
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    # the server certificate copied to /etc/ipsec.d/certs in step 2
    leftcert=vpn.example.com.crt.pem
    # must match the CN / subjectAltName of that certificate
    leftid=@vpn.example.com
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
    eap_identity=%any
    auto=add

5. Edit /etc/strongswan.conf to be as follows:
charon {
        dns1 = 8.8.8.8
        dns2 = 4.2.2.1
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

6. Edit /etc/ipsec.secrets to be as follows (make sure there is a space between the name and the ":", otherwise strongswan won't recognize the name):

: RSA vpn.example.com.key.der

carol : EAP "abcd1234"
dave  : EAP "fghj5678"

7. Run ipsec start, then use ipsec status or ipsec statusall to check the status.
8. Set ip_forward to 1 on the server and add the NAT rule:
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
9. Server configuration is complete. Follow this guide to configure your Windows 7 client: http://support.purevpn.com/how-to-setup-purevpn-manually-on-windows-7-ikev2 or this guide: https://supportforums.cisco.com/document/98366/flexvpn-ikev2-windows-7-builtin-client-ios-headend-part-i-certificate-authentication
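A configuration cross-check I would run before step 7, added here as an example (it is not part of the post or of strongSwan): it parses ipsec.conf and ipsec.secrets (constructed excerpts of the files from steps 4 and 6 are embedded, with the "dave" line deliberately missing the space that step 6 warns about) and reports a pubkey conn without a leftcert or RSA secret, an EAP conn without EAP users, and secrets lines that do not follow the "<id> : <TYPE> <secret>" form.

```python
import re
# Constructed excerpts of the files from steps 4 and 6; the "dave" line has the spacing mistake step 6 warns about.
IPSEC_CONF = """\
conn win7
    leftauth=pubkey
    leftcert=vpn.example.com.crt.pem
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
"""
IPSEC_SECRETS = """\
: RSA vpn.example.com.key.der
carol : EAP "abcd1234"
dave: EAP "fghj5678"
"""
# "<ids> : <TYPE> <secret>": the colon must start the line or be preceded by whitespace
SECRET_RE = re.compile(r'^(?P<ids>.*?)(?<!\S):\s+(?P<kind>RSA|EAP|PSK|XAUTH)\s+(?P<value>.+)$')

def parse_ipsec_conf(text):
    """Return {conn: settings} with the 'conn %default' values merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()            # strip comments
        if line and not line[0].isspace():              # section header: "conn win7", "config setup"
            kind, _, name = line.partition(' ')
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and '=' in line:
            key, _, val = line.strip().partition('=')
            current[key.strip()] = val.strip()
    default = sections.get(('conn', '%default'), {})
    return {n: {**default, **o} for (k, n), o in sections.items() if k == 'conn' and n != '%default'}

def parse_ipsec_secrets(text):
    """Return (secrets, problems); a non-comment line that does not match the form is reported."""
    secrets, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if m:
            secrets.append((m['ids'].strip(), m['kind'], m['value'].strip()))
        elif line.strip() and not line.lstrip().startswith('#'):
            problems.append(f"ipsec.secrets:{n}: expected '<id> : <TYPE> <secret>' (space before the colon)")
    return secrets, problems

def check(conf_text, secrets_text):
    """Cross-check ipsec.conf against ipsec.secrets and return the list of findings."""
    conns, (secrets, problems) = parse_ipsec_conf(conf_text), parse_ipsec_secrets(secrets_text)
    kinds = {k for _, k, _ in secrets}
    for name, c in conns.items():
        if c.get('leftauth') == 'pubkey' and ('leftcert' not in c or 'RSA' not in kinds):
            problems.append(f"conn {name}: leftauth=pubkey needs a leftcert and a ': RSA <keyfile>' secret")
        if c.get('rightauth', '').startswith('eap') and 'EAP' not in kinds:
            problems.append(f"conn {name}: rightauth={c['rightauth']} but no EAP user secrets")
    return problems
```

On a real server read /etc/ipsec.conf and /etc/ipsec.secrets into the two arguments of check(); the secrets file holds the private key reference and user passwords, so keep it readable by root only.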




October 9, 2015

strongswan load test on ubuntu 14.04

Getting strongswan load test to run on 14.04.

Mostly from this post on the mailing list: https://lists.strongswan.org/pipermail/users/2011-August/001966.html

1. You will first need to open the following link

http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c

and then 

- copy the RSA private-key into 2 files and name them "initiator_key.pem" 
and "responder_key.pem"

- copy the self-signed cert into 3 files and name 
them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
--------------------------------
- Please note that the load-tester plugin can only act as a road-warrior client simulator. So you should enable the load-tester plugin only on the initiator Linux machine running the strongswan package.

- The ipsec.conf file on this initiator is NEVER used and NOT required; just comment out all config statements.

- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the 
respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement 
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

------------------------------------------
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # 100ms delay between each initiator's connections; the run takes about iterations * delay = 200ms
            delay = 100
            # address of the gateway (the responder)
            responder = 45.79.64.19
            load = yes
            # IKE proposal to use
            proposal = aes128-sha1-modp2048
            # authenticate both sides with the certificates and keys copied above
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon once all IKE_SAs are established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------

On the Responder GW/PC/Machine
******************************
- Do not enable the load-tester plugin here. Just configure this machine as a Road-Warrior VPN server.

- the ipsec.conf file should be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn rw-server
        left=%defaultroute
        leftcert=responder_cert.pem
        right=%any
        rightsourceip=10.3.0.0/16
        authby=pubkey
        keyexchange=ikev2
        type=tunnel
        auto=add

#

- copy the cacert.pem, responder_cert.pem and responder_key.pem to the 
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem


2. That's it. Now start strongswan ipsec on both initiator and responder
(the responder first) using "ipsec start" or "ipsec start --nofork".

Use the following commands to examine the results:

ipsec status
ipsec statusall
ip route show table 220
ip -s xfrm state
ip -s xfrm policy

If your strongswan is not logging at all, this post explains why:

http://tiebing.blogspot.com/2015/10/ubuntu-1404-strongswan-not-logging.html 

ubuntu 14.04 strongswan not logging

It turns out that ubuntu uses "AppArmor" to limit where strongswan can write files. You can install apparmor-utils and use the command "aa-complain" to turn strongswan binaries from "enforce" mode to "complain" mode:

# apt-get install apparmor-utils
# aa-status
# aa-complain /usr/lib/ipsec/charon
Setting /usr/lib/ipsec/charon to complain mode.

Just for reference, a strongswan.conf file for logging:

charon {
    reuse_ikesa = no
    threads = 32

    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }

    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = yes
            default = 1
        }
    }
}

This link is where I got the inspiration:
https://lists.strongswan.org/pipermail/users/2014-July/006351.html

October 6, 2015

openssl performance test

openssl speed -elapsed -multi 8 -evp aes-128-cbc

or aes-128-gcm in place of aes-128-cbc

Forward traffic from one IP address to another

The first thing to do is to enable IP forwarding. This is done either with:
 echo "1" > /proc/sys/net/ipv4/ip_forward
or
 sysctl net.ipv4.ip_forward=1

Then we add a rule that forwards traffic arriving on TCP port 1111 to 2.2.2.2 on port 1111:
 iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

and finally we ask iptables to masquerade:

iptables -t nat -A POSTROUTING -j MASQUERADE

Disable “Waiting for network configuration” messages on Ubuntu boot

sudo vim /etc/init/failsafe.conf
I changed the first sleep command to
sleep 5
and then commented out the following lines:
$PLYMOUTH message --text="Waiting for network configuration..." || :
sleep 40
 
$PLYMOUTH message --text="Waiting up to 60 more seconds for network configuration..." || :
sleep 59
Just place a ‘#’ character at the beginning of each of those lines. Now it will just wait 5 seconds and then continue on.
To my surprise, the network was actually working just fine even though the script thinks it is not.

Just a note, do NOT remove the failsafe.conf file, otherwise it will hang the boot process indefinitely waiting for the network to be “configured.”

Windows netsh wlan command lines

To export a profile with password in clear, so that you can import it later:

netsh wlan export profile name="default2" key=clear

List existing profiles: netsh wlan show profiles

  • To delete an existing WLAN profile: netsh wlan delete profile name="profilename"
  • To export a WLAN profile to an XML file: netsh wlan export profile name="SSID"  This will export the WLAN configuration to the .\ folder in XML format as Connection-SSID.XML
  • To import a WLAN profile on the target computer: netsh wlan add profile filename="c:\temp\filename.xml"

netsh wlan show interfaces
netsh wlan show drivers
netsh wlan show networks
netsh wlan connect name="ProfileName"
netsh wlan disconnect
netsh wlan dump > myconfig.txt
netsh exec myconfig.txt

To make your wifi an access point:
netsh wlan set hostednetwork mode=allow ssid=SomeSSID key=passphrase
netsh wlan start hostednetwork

October 5, 2015

mysql logging

Running the following was the simplest way to dump queries to a log file without restarting:
SET global log_output = 'FILE';
SET global general_log_file='/Applications/MAMP/logs/mysql_general.log';
SET global general_log = 1;
It can be turned off with:
SET global general_log = 0;