Regenerating SIDs using PowerShell

I’ve devised a handy way to regenerate SIDs on Microsoft operating systems using a third party tool and a little PowerShell magic.

The Breakdown

The first part of the script sets three variables that hold the random numbers used to build the new SID.
The next part sets the source location to download newsid.exe from and defines a destination path for it.
The “Set-ItemProperty” line adds a value to the registry so that NewSID thinks the EULA has already been accepted.
“Start-BitsTransfer” downloads newsid.exe.
The real magic is in the last part: newsid is executed with “/a” to run with no prompts and “/n” to not reboot after execution. “S-1-5-21-” is the first part of any SID; the script appends the three random numbers held in $random1, $random2 and $random3 to it.

The Script

# Three random sub-authority values; SID sub-authorities are unsigned 32-bit integers, so cap at 2^32-1
$random1 = Get-Random -Maximum 4294967295
$random2 = Get-Random -Maximum 4294967295
$random3 = Get-Random -Maximum 4294967295

$sidsource = "https://source.domain.com/newsid.exe"
$siddest   = "C:\Scripts\newsid.exe"

# Create the key first (Set-ItemProperty fails if it does not exist), then mark the EULA as accepted
New-Item -Path "HKCU:\Software\Sysinternals\NewSID" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Sysinternals\NewSID" -Name "EulaAccepted" -Value 1

# Download newsid.exe to the destination path
Start-BitsTransfer -Source $sidsource -Destination $siddest

# /a = run without prompts, /n = do not reboot afterwards; the new SID is built from the three random values
& $siddest /a /n "S-1-5-21-$random1-$random2-$random3"

Obviously change the source and destination to suit your needs. This is also written for PowerShell v5+.

Nagios XI – Adding Microsoft Server Services via API

When automating server provisioning you might be considering implementing Nagios for monitoring servers and services as part of the build process. Apart from the help section of the Nagios console giving some hints on how to interact with the API, there isn’t much else to go on, so I’m sharing what I learned about how to do this.

I’m not going to go through the whole implementation of automating Nagios into server builds; this is specifically about connecting to the API.

The Nagios reference is at http://host.example.com/nagiosxi/help/ under “Config Reference”.

The first step is to add the host. This is in the Nagios help section, so hopefully it is nothing new:

curl -XPOST "http://nagios.example.com/nagiosxi/api/v1/config/host?apikey=aw33E58m17bH6d3m4z6Y5V9FNVwJTvDU5tjEAGw7C35iLarr&pretty=1" -d "host_name=testapihost&address=127.0.0.1&check_command=check_ping\!3000,80%\!5000,100%&max_check_attempts=2&check_period=24x7&contacts=nagiosadmin&notification_interval=5&notification_period=24x7&applyconfig=1"

You will need to change the FQDN, API Key, Hostname and address to your requirements to make this work for you.

One thing to note: every setting is separated by “&”, and the arguments passed to the check command are separated by “!”. This is the key to understanding how this works.

Add Processor

curl -XPOST "http://nagios.example.com/nagiosxi/api/v1/config/service?apikey=aw33E58m17bH6d3m4z6Y5V9FNVwJTvDU5tjEAGw7C35iLarr&pretty=1" -d "host_name=testapihost&service_description=CPU&check_command=check_xi_service_nsclient\!password\!CPULOAD\!80,90&check_interval=5&retry_interval=5&max_check_attempts=2&check_period=24x7&contacts=nagiosadmin&notification_interval=5&notification_period=24x7&applyconfig=1"

Add Disk

curl -XPOST "http://nagios.example.com/nagiosxi/api/v1/config/service?apikey=aw33E58m17bH6d3m4z6Y5V9FNVwJTvDU5tjEAGw7C35iLarr&pretty=1" -d "host_name=testapihost&service_description=CDisk&check_command=check_xi_service_nsclient\!password\!USEDDISKSPACE\!-l C -w 80 -c 95&check_interval=5&retry_interval=5&max_check_attempts=2&check_period=24x7&contacts=nagiosadmin&notification_interval=5&notification_period=24x7&applyconfig=1"

Add Memory

curl -XPOST "http://nagios.example.com/nagiosxi/api/v1/config/service?apikey=aw33E58m17bH6d3m4z6Y5V9FNVwJTvDU5tjEAGw7C35iLarr&pretty=1" -d "host_name=testapihost&service_description=Mem&check_command=check_xi_service_nsclient\!password\!MEMUSE\!-w 80 -c 90&check_interval=5&retry_interval=4&max_check_attempts=2&check_period=24x7&contacts=nagiosadmin&notification_interval=5&notification_period=24x7&applyconfig=1"

Add Uptime

curl -XPOST "http://nagios.example.com/nagiosxi/api/v1/config/service?apikey=aw33E58m17bH6d3m4z6Y5V9FNVwJTvDU5tjEAGw7C35iLarr&pretty=1" -d "host_name=testapihost&service_description=Uptime&check_command=check_xi_service_nsclient\!password\!UPTIME&check_interval=5&retry_interval=7&max_check_attempts=2&check_period=24x7&contacts=nagiosadmin&notification_interval=5&notification_period=24x7&applyconfig=1"

Make sure you change the FQDN, API Key, Hostname and password variables for this to work.

I found the configuration wizard very helpful: I added the service I wanted to check through the wizard, looked at the resulting “check command” and the arguments it set, and then crafted my own curl command to add the service via the API.
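The same host and service definitions built as form-encoded request bodies, as an added Python example that is not part of the post or of Nagios XI itself. The base URL and the API key are placeholders to replace; urlencode escapes the “!” and “%” characters that the raw curl -d strings above pass through unencoded.

```python
import urllib.request
from urllib.parse import urlencode

# Assumed values for this example; the API key is a placeholder, not a real key.
NAGIOS_BASE = "http://nagios.example.com/nagiosxi/api/v1"
API_KEY = "REPLACE_WITH_YOUR_API_KEY"

# Settings shared by every service definition in this post; callers may override any of them.
SERVICE_DEFAULTS = {
    "check_interval": 5, "retry_interval": 5, "max_check_attempts": 2,
    "check_period": "24x7", "contacts": "nagiosadmin",
    "notification_interval": 5, "notification_period": "24x7", "applyconfig": 1,
}

def check_command(name, *args):
    """Join a command and its arguments with '!' as Nagios expects. The curl lines above
    write '\\!' only to stop bash history expansion; the character sent is a plain '!'."""
    return "!".join([name, *map(str, args)])

def endpoint(kind):
    """config/host or config/service URL with the API key attached."""
    return f"{NAGIOS_BASE}/config/{kind}?{urlencode({'apikey': API_KEY, 'pretty': 1})}"

def host_body(host_name, address, **overrides):
    """Form-encoded body for the host definition (what curl -d sends)."""
    fields = {"host_name": host_name, "address": address,
              "check_command": check_command("check_ping", "3000,80%", "5000,100%"),
              "max_check_attempts": 2, "check_period": "24x7", "contacts": "nagiosadmin",
              "notification_interval": 5, "notification_period": "24x7", "applyconfig": 1}
    return urlencode({**fields, **overrides})

def service_body(host_name, description, command, **overrides):
    """Form-encoded body for one service definition."""
    fields = {"host_name": host_name, "service_description": description,
              "check_command": command, **SERVICE_DEFAULTS, **overrides}
    return urlencode(fields)

def nsclient_services(host_name, nsclient_password):
    """The four NSClient++ checks from this post as (description, body) pairs."""
    def cmd(*args):
        return check_command("check_xi_service_nsclient", nsclient_password, *args)
    return [
        ("CPU", service_body(host_name, "CPU", cmd("CPULOAD", "80,90"))),
        ("CDisk", service_body(host_name, "CDisk", cmd("USEDDISKSPACE", "-l C -w 80 -c 95"))),
        ("Mem", service_body(host_name, "Mem", cmd("MEMUSE", "-w 80 -c 90"), retry_interval=4)),
        ("Uptime", service_body(host_name, "Uptime", cmd("UPTIME"), retry_interval=7)),
    ]

def submit(kind, body):
    """POST one definition to Nagios XI and return the response text (needs network access)."""
    req = urllib.request.Request(endpoint(kind), data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()
```

Call submit("host", host_body("testapihost", "127.0.0.1")) first and then submit("service", body) for each pair returned by nsclient_services, since a service cannot be attached to a host that does not exist yet.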

Powershell – The size limit for this request was exceeded

“So this sounds easy”, he said: run me a report that gets all objects from a group based on certain attributes and export it to Microsoft Excel.

No worries; I had that scripted for three groups, exporting to three different Excel files, in under 10 minutes. Then I ran it and came across “Get-ADGroupMember : The size limit for this request was exceeded”.

Okay, so I started doing some research, thinking “this is just a speed bump, I’ll sort it out in five minutes!” I came across hundreds of people with the same issue and plenty of “workarounds”, none of which worked.

I thought it might be best to publish this in case someone else comes across it.

Just so everyone knows, in case they already know the answer or have other solutions: I cannot go changing the maximum value and time limit on all the Domain Controllers.

The code:

$group = "GroupName"
# Enumerate the users directly instead of calling Get-ADGroupMember, then filter on each user's memberOf attribute.
# Only the attributes the report needs are requested; the match is anchored on "CN=<group>," so a group whose
# name merely contains $group is not picked up.
Get-ADUser -Filter * -SearchBase "DC=domain,DC=local" -Properties memberOf,department,mail,pager,division |
    Where-Object { $_.memberOf -match "CN=$([regex]::Escape($group))," } |
    Select-Object Name,SurName,GivenName,department,mail,pager,division |
    Export-Csv C:\Output\report.csv -NoTypeInformation

I’m getting the attributes “Name,SurName,GivenName,department,mail,pager,division” for this particular report, but you can modify them to your requirements.

Obviously you don’t need to do this for groups with under 1,500 members.

Blocking Postfix traffic using Fail2ban

So if you are reading this then you have probably seen what appears to be every bot in China connecting to your Postfix server to attempt anything from relaying to auth attacking.

Well, have I got the solution for you!

Now before you implement this, I will warn you: this is very restrictive, it doesn’t really give any room for client error, but believe me, your iptables will be full of blocked hosts in no time!

At a minimum I would suggest you have iptables configured to ignore some CIDRs (like your cell network, your home external IPv4 address, your work address etc.) so that you don’t block yourself from the server.

Not all of these have to be implemented; if you don’t see the need for one, don’t add it.

Assumptions

I will assume you have a working environment. I’m specifically using Ubuntu 16.04.3 LTS; because Postfix may log differently depending on the version, I can only say that these regex filters work for this flavour. I use Postfix 3.1.0; to check the version you use:

postconf -d | grep mail_version

You will need:

  1. Ubuntu 16.04 LTS
  2. iptables installed
  3. postfix installed and configured to receive mail
  4. fail2ban installed and basic jail configuration setup

Jails

Like I said before, these are quite brutal; you can change the bantime and maxretry values as you see fit.

[postfix-auth]
enabled  = true
filter   = postfix-auth
port     = smtp
logpath  = /var/log/mail.log
maxretry = 3
bantime  = 604800

[postfix-rbl504]
enabled  = true
port     = smtp
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

[postfix-rbl450]
enabled  = true
port     = smtp
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

[postfix-rbl550]
enabled  = true
port     = smtp
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

[postfix-rbl454]
enabled  = true
port     = smtp
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

[postfix-rbl554]
enabled  = true
port     = smtp
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

Filters

Filters will need to be placed in “/etc/fail2ban/filter.d” folder. The file name will need to be what the jail is called eg: postfix-rbl554 = /etc/fail2ban/filter.d/postfix-rbl554.conf

I know some of these regex queries might look like duplicates but I want to make sure that all conditions are met regardless of string.

postfix-auth

[Definition]
# Continuation lines of failregex are indented and carry no "=" of their own.
# Postfix logs the last command it recognised, so "EHLO" is the spelling that appears in the log.
failregex = lost connection after AUTH from (.*)\[<HOST>\]
            lost connection after EHLO from (.*)\[<HOST>\]
            lost connection after EHLO from(.*)\[<HOST>\]
            lost connection after EHLO from unknown (.*)\[<HOST>\]
            lost connection after EHLO from unknown(.*)\[<HOST>\]
ignoreregex =

postfix-rbl504

[Definition]
failregex = reject: RCPT from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname; .*$
            NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname; .*$
            NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 504 5\.5\.2
ignoreregex =

postfix-rbl450

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1
            NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.8
            NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.8
ignoreregex =

postfix-rbl550

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1
            NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1
            reject: RCPT from (.*)\[<HOST>\]: 550 5\.7\.1
            NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 550 5\.7\.1
ignoreregex =

postfix-rbl454

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1
            reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1
ignoreregex =

postfix-rbl554

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1
ignoreregex =
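To see what a filter will actually catch before enabling its jail, here is an added Python harness (not part of this post or of fail2ban) that expands the <HOST> tag the way fail2ban does, runs two of the filters above over constructed Postfix log lines, and reports which client addresses would reach a jail’s maxretry. The sample lines are constructed in the Ubuntu 16.04 mail.log format, not real traffic.

```python
import re

# fail2ban substitutes this group for <HOST> (simplified from fail2ban's own definition,
# which also covers more IPv6 and hostname forms).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the postfix-auth and postfix-rbl550 filters above.
FILTERS = {
    "postfix-auth": [
        r"lost connection after AUTH from (.*)\[<HOST>\]",
        r"lost connection after EHLO from (.*)\[<HOST>\]",
    ],
    "postfix-rbl550": [
        r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1",
        r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.7\.1",
    ],
}

def compile_filter(patterns):
    """Turn fail2ban-style failregex lines into compiled Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def scan(lines, patterns):
    """Count matching log lines per client address, like fail2ban's failure counter."""
    compiled = compile_filter(patterns)
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # one failure per line, even if several regexes match
    return hits

def would_ban(hits, maxretry):
    """Addresses whose failure count reached the jail's maxretry (findtime is ignored here)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)

# Constructed sample lines in the Postfix 3.1 / Ubuntu 16.04 mail.log format (not real traffic).
SAMPLE_LOG = [
    "Aug 25 10:01:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<x>",
    "Aug 25 10:01:09 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 <b@example.com>: Relay access denied; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<x>",
    "Aug 25 10:02:30 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.net; from=<a@example.net> to=<c@example.com> proto=ESMTP helo=<x>",
    "Aug 25 10:03:11 mail postfix/smtpd[1251]: lost connection after AUTH from unknown[198.51.100.7]",
    "Aug 25 10:03:15 mail postfix/smtpd[1251]: lost connection after EHLO from unknown[198.51.100.7]",
    "Aug 25 10:03:20 mail postfix/smtpd[1252]: lost connection after AUTH from unknown[198.51.100.7]",
    "Aug 25 10:04:00 mail postfix/smtpd[1260]: connect from mail.example.org[203.0.113.5]",
]

if __name__ == "__main__":
    for name, patterns in FILTERS.items():
        hits = scan(SAMPLE_LOG, patterns)
        print(name, hits, "would ban:", would_ban(hits, 2))
```

Against the real log, fail2ban’s own tester does the same job with the full <HOST> definition: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-rbl550.conf.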

Conclusion

Obviously, this is not a silver bullet; you should use it alongside Postfix RBL blocking and something like SpamAssassin for optimal results.

If you really want to clean up your logs and stop wasting resources processing bot attacks then this will really come in handy, but beware that you might block a source you didn’t mean to.

Automatically Upload Desktop, Documents and Downloads to Dropbox from your Mac

If you would like your Desktop, Documents and Downloads folders uploaded automatically to your Dropbox from your Mac, follow this nice little trick:

I will be using the “Documents” folder as an example:

Open Terminal (Spotlight/Terminal)

Change directory to your Dropbox folder (by default it is in the user’s home directory)

cd ~/Dropbox

Create the symbolic link from your user’s Documents folder inside Dropbox (with no link name given, ln creates a link called “Documents” in the current directory)

ln -s ~/Documents

Repeat for any other folders you want to back up automatically to Dropbox.

Fix resolution for VMware Fusion Unity


This is for VMware Fusion version 7.1; it might work with other versions, but it has not been tested with them.

I’m just doing a quick write up about how to fix the annoying resolution problem when running applications in Unity on VMware Fusion. This issue just keeps coming back (after installing VMware Fusion) and I can never remember how to fix it. It’s obvious when you see it but it isn’t when you are in a panic trying to fix it!

Under the virtual machine, click Settings

Click on Display

Tick “Use full resolution for Retina display”

VMware Tools will prompt you to log off so that the user interface size settings can change

Now go into Unity view and you will see things without a microscope!

Should you have any questions, comments or suggestions, please don’t hesitate to comment below. If you like what you have read, please share it on your favourite social media medium.

Creating a software RAID on Ubuntu/Debian

Creating a software RAID from several disks is quite easy in Ubuntu. I will assume the disks are already attached (physically or virtually) to the guest operating system.

Currently Ubuntu supports the following raid levels:

  • RAID level 0
  • RAID level 1
  • RAID level 2
  • RAID level 3
  • RAID level 4
  • RAID level 5
  • RAID level 6
  • RAID level 10
  • RAID level 50
  • RAID level 0+1

In this example I am using the sdb1 and sdc1 partitions and setting the RAID up as a mirror (RAID 1) with a total mirrored size of 4TB (3906885440K).

  • Install mdadm (if not already installed)
apt-get update && apt-get install -y mdadm
  • Run mdadm to create the mirror
mdadm --create --verbose /dev/md0 --raid-devices=2 --level=1 /dev/sdb1 /dev/sdc1
  • Run mkfs.ext3 to create an ext3 filesystem on the mirror volume
mkfs.ext3 /dev/md0
  • Mount the mirror by creating a mount point and mounting the md0 volume on it
mkdir /mnt/raid1
mount /dev/md0 /mnt/raid1
  • Check that you can see the mirror
df -h
  • Check the status of the build (the initial sync runs in the background and the array is usable while it completes)
cat /proc/mdstat
  • Add to fstab to auto mount on startup
vi /etc/fstab
/dev/md0 /mnt/raid1 ext3 defaults 0 0

Note that the array definition also needs to be saved in /etc/mdadm/mdadm.conf (the output of mdadm --detail --scan) and the initramfs updated afterwards; otherwise the array may be assembled under a different name, such as /dev/md127, at the next boot and the fstab entry will not match it.


VMware Creating RDMs from Locally Attached SATA Disks

I recently had to connect two 4TB SATA disks to a server to provide some raw storage to the network. Going on past experience I didn’t want to virtualise the disks but rather present them to the virtual machine guest as raw device mappings (RDMs).

You will need a datastore separate from the disks you are attaching to hold the mapping files. It will have to be VMFS5 to get around the 2TB limit of VMFS3.

Note: this is not supported by VMware to the best of my knowledge.

Procedure

  1. Start an SSH session to the VMware ESX host (or, if you are at the physical server, drop to the console)
  2. Run fdisk to see the disk layout.
fdisk -l
  3. Find the vml identifier of each disk; you need to match it to the drive.
ls -l /dev/disks/

In my example, the two I am interested in are:

vml.01000000002020202020202020202020205a33303346325742535434303030

vml.01000000002020202020202020202020205a33303351523246535434303030

  4. Now browse to the VMFS5 datastore where you will be creating the RDMs
cd /vmfs/volumes/datastorename
  5. Best practice is to create a folder for the RDMs to sit in
mkdir RDMs
  6. Create the RDMs by running vmkfstools (use the vml. identifiers you found in the previous steps)
vmkfstools -r /vmfs/devices/disks/vml.01000000002020202020202020202020205a33303346325742535434303030 4TB_Disk1_RDM.vmdk -a lsilogic
vmkfstools -r /vmfs/devices/disks/vml.01000000002020202020202020202020205a33303351523246535434303030 4TB_Disk2_RDM.vmdk -a lsilogic
  7. Verify that the files were created
ls -lash
  8. Attach to the virtual machine: in the VM’s settings add an existing virtual disk, select the RDM .vmdk you created, and it will show up attached as a physical LUN.


Limit SSH connections geographically

There is a real security risk in leaving your shell ports exposed to the internet, especially if you never intend to connect from Zimbabwe or other random countries.

This can limit your brute force attack exposure and also save valuable resources and bandwidth by rejecting packets before a TCP handshake.

Install GeoIP

You will need to implement a database that can be queried locally that stores IP ranges to countries.

apt-get install geoip-database geoip-bin

Query GeoIP database

geoiplookup 8.8.8.8

The script

mkdir /scripts
vi /scripts/sshfilter.sh

Paste the following in:

#!/bin/bash
# Comma-separated ISO country codes that are allowed to connect, e.g. "AU,NZ"
ALLOW_COUNTRIES="AU"

if [ $# -ne 1 ]
then
    echo "Usage: $(basename "$0") <ip>" 1>&2
    exit 0
fi

# geoiplookup prints "GeoIP Country Edition: US, United States"; keep only the two-letter code
COUNTRY=$(/usr/bin/geoiplookup "$1" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1)

# Allow addresses the database does not know (for example private ranges) and the listed countries.
# The comma-wrapped comparison is an exact code match, so an empty COUNTRY is not let through.
if [[ "$COUNTRY" = "IP Address not found" || ",$ALLOW_COUNTRIES," == *",$COUNTRY,"* ]]
then
    RESPONSE="ALLOW"
else
    RESPONSE="DENY"
fi

if [ "$RESPONSE" = "ALLOW" ]
then
    exit 0
else
    logger "$RESPONSE sshd connection from $1 ($COUNTRY)"
    exit 1
fi

Enable script

chmod +x /scripts/sshfilter.sh

Lock down SSH

Setup a deny all for the ssh daemon

vi /etc/hosts.deny

Add the following into the deny file

sshd: ALL

Enable the script in the allow ssh file

vi /etc/hosts.allow

Add the following into the allow file

sshd: ALL: aclexec /scripts/sshfilter.sh %a

Testing

Test the script by inputting the script name and then an IP afterwards

/scripts/sshfilter.sh 8.8.8.8

The script prints nothing itself; the logger call should write something like the following to the syslog:

Aug 25 15:23:21 server root: DENY sshd connection from 8.8.8.8 (US)

Update GeoIP

There is only one constant with the world and that is change, IP addresses are no exception.

Create a new file called update_geo.sh in /scripts

vi /scripts/update_geo.sh

Add the following into the file. Note that MaxMind discontinued the free GeoLite Legacy downloads in January 2019, so this URL no longer serves the database.

#!/bin/bash

cd /tmp || exit 1
# Remove any stale copy first so a failed download is not masked by an old file
rm -f GeoIP.dat.gz
wget -q https://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
if [ -f GeoIP.dat.gz ]
then
    gzip -d GeoIP.dat.gz
    rm -f /usr/share/GeoIP/GeoIP.dat
    mv -f GeoIP.dat /usr/share/GeoIP/GeoIP.dat
else
    echo "Cannot download the GeoIP database"
fi

Change the script to execute

chmod +x /scripts/update_geo.sh

Edit the crontab

crontab -e

Paste the following at the bottom of the crontab to run the update once a month, at midnight on the 20th

0 0 20 * * /scripts/update_geo.sh

Adding Colour to Linux Bash Shell

If the standard black and grey makes you feel uninspired, you can change this by adding two lines to the .bashrc file in the user’s profile.

1. Edit the .bashrc file

vi ~/.bashrc

2. Add the following lines

force_color_prompt=yes
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
