Setup High Availability with Sophos 9.x

Today I wanted to set up a passive instance of Sophos UTM 9.x (we use version 9.307006 at the moment).

Our installation is entirely virtual: we only have virtual hosts (ESXi 5.5 build 2456374), Force10 switches and SAN gear.

First thing to do is get your UTM set up and configured the way you want it. Put a couple of extra NICs in there for the future, get basic firewall functionality set up and “everything” working. Or, if you’ve already got a UTM set up, start by logging into your UTM shell as root and entering the following command:

cc set ha advanced virtual_mac 0

The above MUST be done for the HA system to work in the VMware environment.

Next, clone your existing system. I have an even/odd numbered vhost scheme going on so I changed the name of the existing UTM to UTM01 and cloned it from vHost01 to vHost02 as UTM02.

Once the clone snapshot completed, I logged into the UTM01 and went to:

Management, High Availability, and clicked the Configuration tab.

Here, select Hot Standby (active-passive)

Below in Configuration, select your NIC, I used the last one added to the system. (eth7)

Then enter the device name (csutm01), select 1 as the device node, and set an encryption key.

Go ahead and apply all your settings, (click both apply buttons)

By now your clone should be done, DO NOT POWER IT ON.

Right click the VM, and disconnect all network cards except the one connected to the HA network.

Now, power up the UTM02 and open the console. Wait for the system to come to the login screen and use your root credentials to login.

Now we will reset the configuration of the UTM02 to factory. MAKE SURE you are on the CORRECT SYSTEM!!

So, login as root,

cc (enter)

RAW (enter)

system_factory_reset (enter)

The system will power off when complete. Once it has powered off, reconnect your internal interface. Power back up again and go through the basic setup settings. The only thing required is an internal network. Don’t configure anything else. (may have to add a license file)

Once the system allows you to log in, go to Management, High Availability, and click the Configuration tab.

Here, select Hot Standby (active-passive)

Below in Configuration, select your NIC, I used the last one added to the system. (eth7)

Then enter the device name (csutm02), select 2 as the device node, and set the same encryption key.

Go ahead and apply all your settings, (click both apply buttons)

The web interface will lock up, indicating that you have lost connection to the secondary, UTM02.

You should already be logged in to UTM01 and if you go to the High Availability menu, you should see the system UTM01 Active, or Master and the UTM02 status Syncing. It takes about 15 minutes for the system to stabilize so be patient.

There you have it. The above steps are exactly how I set up my three data centers and a development environment. If you have any troubles, please feel free to send me a message.

Non-Root User Permissions Oracle Linux

I’m working on a system recently migrated to Oracle Linux 6.6 from a very old Solaris system. There is a CIFS mount from a Windows 2012r2 server that existed on the old system. The raw mount point has 777 directory permissions.

[root@localhost ~]# ls -ld /datastore/
drwxrwxrwx 2 root root 4096 Jan 6 09:50 /datastore/

When the mount is active the permissions are:

[root@localhost ~]# ls -ld /datastore/
drwxr-xr-x 1 root root 634564 Jan 6 09:50 /datastore/
Users other than root cannot write to the share or create files. Looking at the old server, the permissions on files and subdirectories within the same share have the setuid bit. This is not present on the new system. The /etc/fstab looks like:

//cifshost/datastore /datastore cifs username=user,password=password,domain=mydomain.local 0 0

You’ll need to change /etc/fstab and add the file_mode=0666,dir_mode=0777 mount options:

//cifshost/datastore /datastore cifs username=user,password=password,domain=mydomain.local,file_mode=0666,dir_mode=0777 0 0

And you should be good to go!
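As an added example (not from the original post), here is a small POSIX sh check that runs over the fstab entries above and reports what a practitioner would want to catch: the missing mode options, and the password sitting in a world-readable file. Hostnames and paths are the post's placeholders; the credentials file path is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a cifs entry from
# /etc/fstab for the file_mode/dir_mode options the post adds, and flag a
# password kept inline, since /etc/fstab is readable by every local user.

# audit_cifs_fstab_line LINE
# Prints one finding per line. Returns 0 when the entry is clean, 1 when it
# has findings, 2 when the line is not a cifs entry at all.
audit_cifs_fstab_line() {
    # Split the fstab line on whitespace: spec, mount point, type, options.
    set -- $1
    [ "$3" = "cifs" ] || { echo "not a cifs entry: $1"; return 2; }
    _opts=",$4,"      # comma-wrap so ",name=" matches whole option names only
    _rc=0
    case "$_opts" in
        *,file_mode=*) ;;
        *) echo "missing file_mode=: non-root users cannot write files on $2"; _rc=1 ;;
    esac
    case "$_opts" in
        *,dir_mode=*) ;;
        *) echo "missing dir_mode=: non-root users cannot create directories on $2"; _rc=1 ;;
    esac
    case "$_opts" in
        *,password=*|*,pass=*)
            echo "inline password for $1: keep it in a root-only (0600) file and use credentials=FILE"
            _rc=1 ;;
    esac
    return $_rc
}

# The post's entry before the fix, and a hardened version that adds the mode
# options and moves the password out of fstab. Hostnames and paths are the
# post's placeholders; the credentials file path is this example's assumption.
BEFORE='//cifshost/datastore /datastore cifs username=user,password=password,domain=mydomain.local 0 0'
AFTER='//cifshost/datastore /datastore cifs credentials=/root/.cifs-datastore,domain=mydomain.local,file_mode=0666,dir_mode=0777 0 0'

for entry in "$BEFORE" "$AFTER"; do
    echo "== $entry"
    audit_cifs_fstab_line "$entry" || true
done
```

The credentials file referenced by `credentials=` holds `username=`, `password=` and optionally `domain=` lines and should be owned by root with mode 0600.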

Update EqualLogic Disk Firmware

Ok, we all know that updating controller firmware on EqualLogic systems is an easy task: open the GUI, upload a file, click a few buttons and bang, updated.

http://www.matavesi.com/wp-content/uploads/2020/06/kit_V9.0.3-R427117_1120407684.tgz

http://www.matavesi.com/wp-content/uploads/2020/06/kit_V8.1.3-R422462_334193118.tgz

So now you’re getting emails from SANHQ complaining about disk firmware. What then?

http://www.matavesi.com/wp-content/uploads/2020/06/kit_V10.0_DriveFw_2480353603.tgz

http://www.matavesi.com/wp-content/uploads/2020/06/kit_V8.0_DriveFw_2285700222.tgz

http://www.matavesi.com/wp-content/uploads/2021/02/kit_V11.0_DriveFw_2875173717.tgz

First, open your favorite FTP software; mine’s WinScrape, aka WinSCP.

FTP over to your EQL box’s group IP or management IP.

Upload the .tgz package. I used kit_V8.0_DriveFw_2285700222.tgz.

I did not unzip the file; repeat, it does not need any further work.

Then I PuTTY (ssh) over to the EQL box’s group IP or management IP and run the following command: update. Yes, that’s it, just type “update”. And the best part is you can do it hot, no outage necessary!

I’ll just paste in the entire output from my instance.

Welcome to Group Manager

Copyright 2001-2014 Dell Inc.

EQLSAN> update
13:24:23 Updating from kit file "kit_V8.0_DriveFw_2285700222.tgz"

This command will install the update kit file that was
copied to the array.

If you choose to proceed, you will be shown the current firmware version
and the version to which you will update. You will then be given the
choice to proceed again.

Do you want to proceed (y/n) [y]: y

13:24:39 Verifying kit integrity.
Starting Disk Firmware update… V8.0
…Initializing support libraries…

Identifying drives that qualify for firmware upgrades… Please wait.

22 drive(s) in this array qualify for a firmware upgrade.

The process will now update the 22 drives that qualify for a firmware upgrade.

If you proceed, please do not power off or restart the array, or remove

any drives until the update process completes.

Do you want to continue at this time (Y/N)? y
SKIPPING DriveID 0 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 1 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 2 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 3 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 3

SKIPPING DriveID 4 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 5 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 6 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 7 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 7

SKIPPING DriveID 8 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 9 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 10 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 10

SKIPPING DriveID 11 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 12 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 13 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 14 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 14

SKIPPING DriveID 15 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 16 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 17 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 18 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 18

SKIPPING DriveID 19 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 20 No firmware is available for Model: HUS723030ALS640

SKIPPING DriveID 21 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 22 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 22

SKIPPING DriveID 23 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 24 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 24

SKIPPING DriveID 25 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 26 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 26

Checking health status of Array
UPGRADING DriveID 27 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 27

Checking health status of Array
UPGRADING DriveID 28 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 28

SKIPPING DriveID 29 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 30 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 30

Checking health status of Array
UPGRADING DriveID 31 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 31

Checking health status of Array
UPGRADING DriveID 32 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 32

SKIPPING DriveID 33 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 34 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 34

Checking health status of Array
UPGRADING DriveID 35 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 35

Checking health status of Array
UPGRADING DriveID 36 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 36

SKIPPING DriveID 37 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 38 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 38

Checking health status of Array
UPGRADING DriveID 39 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 39

Checking health status of Array
UPGRADING DriveID 40 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 40

SKIPPING DriveID 41 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 42 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 42

SKIPPING DriveID 43 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 44 firmware from RE0C to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 44

SKIPPING DriveID 45 No firmware is available for Model: HUS723030ALS640

Checking health status of Array
UPGRADING DriveID 46 firmware from RN08 to RE12 using ./fwbin/RE12.lod
Drive firmware successfully updated : on drive 46

SKIPPING DriveID 47 No firmware is available for Model: HUS723030ALS640

Logging post run disk information

Entering cleanup phase… Please Wait…
The update was successful.
Would you like to email the results to Dell (Y/N)? n
Done cleanup … quitting with an exit status of 0

EQLSAN>


VMware Tools on CentOS 6.x or 7 x64

Problem:

Running vSphere 5.x and installed the VMware Tools on a CentOS 6.x x64 system. After an OS update that requires a reboot, vmware-tools does not automatically start up.

As of version 8.6.11.20852 (build-1015158) the VMware Tools install script vmware-install.pl does not create a start script in /etc/init.d, since it now uses upstart.

Additional information: when you installed vmware-tools you did not enable automatic building and installation of kernel modules at boot.

Resolution:

1.) You can re-run /usr/bin/vmware-config-tools.pl after each OS update that modifies the kernel.

2.) You can run /usr/bin/vmware-config-tools.pl and ENABLE the automatic building and installation of kernel modules at boot (Note: you will need to remember to enable this option with subsequent vmware-tools upgrades).

3.) You can create your own init script from the services.sh script located in the /etc/vmware-tools directory.

From command line:
[root@host]# cp /etc/vmware-tools/services.sh /etc/init.d/vmware-tools
[root@host]# vim /etc/init.d/vmware-tools

Paste the following just below the line ##VMWARE_INIT_INFO## and save:

# chkconfig: 235 03 99

[root@host]# chkconfig --add vmware-tools
[root@host]# chkconfig vmware-tools on

Verify that it works:
[root@host]# service vmware-tools restart

Manage Windows 8 Wireless Network Profiles

I was having a heck of a time with my little tablet connecting to some wireless connections using the same SSID. Here’s how I fixed it…

If you need to change a wireless connection profile, you can usually do it by following these steps:

  1. Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings. (If you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, click Settings, and then click Change PC settings.)
  2. Tap or click Network, tap or click Connections, and then tap or click the connection you want to change.
  3. On the page that appears, make the changes you want.

Some tasks, such as deleting a profile, must be done at the command prompt. To do these tasks, open Command Prompt, and then type the appropriate command from the following table.

  • Open Command Prompt by swiping in from the right edge of the screen, tapping Search (or if you’re using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering Command Prompt in the search box, and then tapping or clicking Command Prompt.

Delete a profile

At the command prompt, type:

netsh wlan delete profile name="ProfileName"

Show all wireless profiles on the PC

At the command prompt, type:

netsh wlan show profiles

Show a security key

At the command prompt, type:

netsh wlan show profile name="ProfileName" key=clear

Move a network up in the priority list

Connecting to a new network and choosing Connect automatically will place it at the top of the list.

Stop automatically connecting to a network within range

Tap or click the network in the network list, and then click Disconnect.

Stop automatically connecting to a network that’s out of range

At the command prompt, type:

netsh wlan set profileparameter name="ProfileName" connectionmode=manual

How Windows determines connection priority

Windows usually connects to networks in this order:

1. Ethernet

2. Wi‑Fi

3. Mobile broadband

When you connect to a new Wi‑Fi network, it’s added to the list, and Windows will connect to that network while it’s in range. If you connect to another Wi‑Fi network while in range of the first network, Windows will prefer the second network over the first one.

Mobile broadband networks are treated differently. If you manually connect to a mobile broadband network when there is a Wi‑Fi network in range, the mobile broadband network is preferred just for that session. The next time you’re in range of both networks, the Wi‑Fi network is preferred. This is because mobile broadband networks typically are metered.

If you want to force your PC to prefer a mobile broadband network over Wi‑Fi, tap or click the Wi‑Fi network in the list of networks, and then click Disconnect. Windows won’t automatically connect to that Wi‑Fi network.

Re-register Windows client/server in WSUS

To re-register a Windows client/server in WSUS, review the following instructions:

1. Run the “gpupdate /force” command on the Windows client/server that has a registration issue in WSUS.

2. Run the “wuauclt /detectnow” command on the Windows client/server that has a registration issue in WSUS.

Tip: You can use the Event Viewer to review the re-registration.

3. In rare cases, you may need to run the “wuauclt.exe /resetauthorization /detectnow” command on the Windows client/server that has a registration issue in WSUS.

Force10, Equallogic, and VMware

I was having a retransmit issue with the above equipment; here’s how I got around it. On the Force10s I ran this config, as the EqualLogic and the vHost iSCSI ports have to be configured this way:

config
protocol spanning-tree rstp
no disable
interface GigabitEthernet x/x
description EQL or vHost iSCSI Port
no ip address
mtu 9252
switchport
flowcontrol rx on tx on
spanning-tree rstp edge-port
no shutdown
!
That’ll take the TCP retransmits down to below .05.

Unix and Active Directory Integration

Step by step,

yum install nscd samba samba-common samba-client samba-winbind

yum upgrade

vi /etc/hosts
192.168.1.30 dc.domain.com pdc01

Run authconfig-tui
Authentication Configuration – check Cache Information, Use Winbind, Use MD5 Passwords, Use Shadow Passwords, Use Winbind Authentication
Winbind Settings – check ads, type the short name of the domain, example.com needs to be just example in this field, enter FQDN of domain controllers, ADS realm is FQDN of primary DC, check /bin/bash
Click on Join Domain
Enter credentials for a domain administrator and make sure the server successfully joined the domain

vi /usr/local/bin/bash-wrapper

#!/bin/sh

# This script restricts shell access to privileged users. The "template shell"
# option in the '/etc/samba/smb.conf' file should be set to call this wrapper.

# Get group memberships for this user.
BFN_ID=$(/usr/bin/id)

# Grant shell access to users that are in the local wheel group.
# The parentheses are escaped so the pattern matches the literal "(wheel)"
# that id(1) prints after the numeric group id.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(wheel\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Grant shell access to users that are in the domain administrators group.
if /bin/echo "$BFN_ID" | /bin/grep -P '[=,][0-9]{1,8}\(domain admins\)' > /dev/null
then
    exec /bin/bash --login "$@"
fi

# Else print a notice and just exit with a failure status.
echo "Shell access to this computer is disabled."
exit 1

# eof
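As an added example (not part of the original post), here is a stricter version of the membership test the wrapper performs: group names are compared exactly rather than matched by a regex over the raw id output, and the check generalises to any list of allowed groups. The sample id output and group names used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a group check for a wrapper
# like bash-wrapper that compares group names exactly instead of pattern
# matching the raw id(1) output, so "wheelhouse" can never pass as "wheel".

# id_groups ID_OUTPUT
# Prints one group name per line from the groups= field of id(1) output,
# e.g. "groups=1000(bob),10(wheel)". A trailing SELinux context= field is
# dropped first; group names may contain spaces ("domain admins").
id_groups() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=//p' |
        sed 's/ context=.*//' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# shell_allowed ID_OUTPUT GROUP...
# Returns 0 when any of the listed groups appears in the id(1) output.
shell_allowed() {
    _id_out="$1"; shift
    for _want in "$@"; do
        if id_groups "$_id_out" | grep -qxF -- "$_want"; then
            return 0
        fi
    done
    return 1
}

# Wrapper-style use against the real id(1) output of the caller. With
# "winbind use default domain = true" the AD group shows up as
# "domain admins", the same name the post's wrapper looks for.
if shell_allowed "$(id)" wheel "domain admins"; then
    echo "shell access permitted"
else
    echo "Shell access to this computer is disabled."
fi
```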

vi /usr/local/bin/ad-phase2.sh

#!/bin/sh
# ad-phase2.sh – Phase 2
# Description: This script automates the process of joining a linux box
# to an AD domain. The process is divided in two parts.
#
# Please edit the relevant parts of the script below prior to running it.

# This block doesn't need to be edited
#sed -i 's%protocols: files%protocols: files winbind%g' /etc/nsswitch.conf
#sed -i 's%rpc: files%rpc: files winbind%g' /etc/nsswitch.conf
#sed -i 's%netgroup: files%netgroup: files winbind%g' /etc/nsswitch.conf
#sed -i 's%automount: files%automount: files winbind%g' /etc/nsswitch.conf

# The following line allows users to log on without the ugly EXAMPLE\user syntax
sed -i 's%winbind use default domain = false%winbind use default domain = true%g' /etc/samba/smb.conf

# More parameters to make life easier with UID and GID correspondences
sed -i 's% template shell = /bin/bash% template shell = /usr/local/bin/bash-wrapper%g' /etc/samba/smb.conf
sed -i '/ winbind offline logon = false/a winbind enum users = true' /etc/samba/smb.conf
sed -i '/winbind enum users = true/a winbind enum groups = true' /etc/samba/smb.conf
sed -i '/winbind enum groups = true/a winbind cache time = 5' /etc/samba/smb.conf
sed -i '/winbind cache time = 5/a winbind nested groups = true' /etc/samba/smb.conf

# This line will allow for home folders to be created in /home/DOMAIN/username upon first login
echo "session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

# The following line will allow all the users within the Domain Admins group to sudo on the server
# (the space in the group name must be escaped in sudoers)
echo "%domain\ admins ALL=(ALL) ALL" >> /etc/sudoers

# Replace "base OU=Users,DC=example,DC=com" with the container of the users you want to allow on the box
sed -i 's%base dc=*******,dc=com%base OU=Users,DC=*******************,DC=com%g' /etc/openldap/ldap.conf

Then make both scripts executable and restart the services:

chmod +x /usr/local/bin/ad-phase2.sh
chmod +x /usr/local/bin/bash-wrapper
service winbind restart
service nscd restart

Reboot for good measure.

To Enable or Disable Hibernate in an Elevated Command Prompt

1. To Enable Hibernate
NOTE: This step will restore the hiberfil.sys file, and the Allow hybrid sleep and Hibernate after Power Options under Sleep.

A) Open an Elevated Command Prompt.

B) In the elevated command prompt, type powercfg -h on and press Enter.

C) Close the elevated command prompt.

2. To Disable Hibernate
NOTE: This step will disable hibernation, delete the hiberfil.sys file, and remove the Allow hybrid sleep and Hibernate after Power Options under Sleep. This will also disable fast startup in Windows 8.

A) Open an Elevated Command Prompt.

B) In the elevated command prompt, type powercfg -h off and press Enter.

C) Close the elevated command prompt.