Using an access list on a Cisco Device which has an interface configured for dhcp April 29, 2008

Came across this one today at work while securing one of my routers.

If you intend to secure your Cisco device with an access-list on the WAN interface but still need that interface to receive a DHCP address, your access-list should look something like this:

permit udp any eq bootps any eq bootpc
permit udp any eq bootps any eq bootps
deny ip any any

Always end your WAN port access-list by locking everything else off.
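To show why the two bootps/bootpc permits have to sit above the final deny, here is a small Python evaluator for the list above. It is an added example, not the router's own processing and not code from the original post: it parses a subset of the Cisco extended-ACL syntax (permit/deny, protocol, `any` or `host A.B.C.D`, optional `eq PORT`), applies first-match semantics with the implicit deny at the end, and runs constructed sample packets through it. The addresses are documentation placeholders, not real hosts.

```python
"""Simplified evaluator for a Cisco-style extended ACL (added example, not the
original post's code). Grammar handled: permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any' or 'host A.B.C.D'. First matching entry wins; a list that
matches nothing falls through to the implicit deny."""
from dataclasses import dataclass
from typing import List, Optional

# Well-known UDP port names that IOS accepts in an ACL entry
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a single host address
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def _port(name: str) -> int:
    return PORT_NAMES.get(name) or int(name)


def parse_entry(line: str) -> Entry:
    """Parse one ACL line such as 'permit udp any eq bootps any eq bootpc'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    i = 2

    def addr():
        nonlocal i
        if tok[i] == "host":
            a = tok[i + 1]
            i += 2
        else:
            a = tok[i]
            i += 1
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = _port(tok[i + 1])
            i += 2
        return a, port

    src, sport = addr()
    dst, dport = addr()
    return Entry(action, proto, src, sport, dst, dport)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the trailing 'deny' is the implicit one."""
    for line in acl:
        entry = parse_entry(line)
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The list from the post, applied inbound on the WAN interface
WAN_IN = [
    "permit udp any eq bootps any eq bootpc",
    "permit udp any eq bootps any eq bootps",
    "deny ip any any",
]

# Constructed sample packets (RFC 5737 documentation addresses, not real hosts)
DHCP_OFFER = Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68)   # server -> client
RELAYED_OFFER = Packet("udp", "203.0.113.1", "203.0.113.77", 67, 67)    # server -> relay
SSH_PROBE = Packet("tcp", "198.51.100.9", "203.0.113.77", 51000, 22)
DNS_REPLY = Packet("udp", "203.0.113.53", "203.0.113.77", 53, 33000)

if __name__ == "__main__":
    for name, pkt in [("DHCP offer", DHCP_OFFER), ("relayed offer", RELAYED_OFFER),
                      ("inbound SSH", SSH_PROBE), ("DNS reply", DNS_REPLY)]:
        print("%-14s -> %s" % (name, evaluate(WAN_IN, pkt)))
```

Note that the DNS reply is dropped as well: a closing `deny ip any any` on an inbound WAN list also drops replies to traffic the router or the LAN originates, so a real list needs further permits (or stateful inspection) above the final deny. The list also has to be bound to the interface with `ip access-group`, which the post leaves implicit.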

Cisco Password Recovery April 19, 2008

Here’s a list I came across for recovery procedures on Cisco devices:


GT&T Woes: Losing connectivity after a couple of seconds with a public DHCP reservation from GT&T April 9, 2008

here we go again……..sigh……..why why why why, but why……lol.
A company I work for has been trying to set up a VPN connection over DSL for quite some time now (close to 2 years). Apparently, the way GT&T assigns a static public IP address to the DSL line is by DHCP reservation, matched to your MAC address. Putting all that aside: when you get the lease, IP connectivity works for a few seconds and then drops. Keep in mind we are using a Cisco 1811 router.

When performing a debug dhcp, the lease time shows as:

*Mar 31 17:58:54.307: DHCP: SRequest placed lease len option: 0

This looked strange, so I called them up and they said that leases last for 30 minutes.

So I manually configured the interface as follows:

interface FastEthernet0
 ip dhcp client lease 0 0 30
 ip address dhcp
 duplex auto
 speed auto

Released and renewed the lease.

The debug dhcp output showed:
*Mar 31 18:02:33.859: DHCP: SRequest placed lease len option: 1800

So far connectivity has stayed up, and it hasn’t dropped off (as yet).

Hope this has been helpful.

Spam from gmail April 7, 2008

Have you had problems receiving e-mail from Gmail users recently? If so, you’re one of thousands. Over the past month, major anti-spam vendors have had to apply scrutiny to Gmail in a way they haven’t had to before, and the result is reduced delivery performance and sometimes outright blocking of Gmail. Some messaging hosts are being instructed to reject SMTP connections from Google. Ars Technica has independently confirmed this.


Spamassassin on RHEL 4 (disable per user settings) April 6, 2008

Recently I have been working with a group to move their email system from a shared solution to a dedicated server.

Setting up SpamAssassin has yielded some ups and downs.
By default, SpamAssassin has per-user settings enabled, so any configuration I made in /etc/mail/spamassassin/local.cf wasn’t being applied properly, as it was overridden by the user_prefs located in /home/(user)/.spamassassin/

To stop SpamAssassin from using per-user prefs, you need to set a parameter when starting it.

The file you need to edit is /etc/sysconfig/spamassassin:
# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H"

The option you need to add is -x.

So the line looks like this:
# Options to spamd
SPAMDOPTIONS="-x -d -c -m5 -H"
Save and restart SpamAssassin:

service spamassassin restart

and you will be working only with the config located at /etc/mail/spamassassin/local.cf.
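If this has to be done on more than one box, or re-checked after an update puts the stock file back, it is worth making the edit idempotent. The following Python is an added example, not part of the post: it finds the SPAMDOPTIONS line in /etc/sysconfig/spamassassin, adds -x only if it is not already there, and leaves the file alone otherwise. The sample text is a constructed copy of the stock line quoted above; the file path and the spamassassin service restart are as given in the post.

```python
"""Add -x to spamd's start-up options idempotently (added example, not the
original post's code). Works on the file text first, so the result can be
checked before anything is written back to /etc/sysconfig/spamassassin."""
import re
import shlex
from typing import Tuple

# Matches: optional indent, SPAMDOPTIONS=, optional quote, the options, the same quote
SPAMDOPTIONS_RE = re.compile(r'^([ \t]*SPAMDOPTIONS=)(["\']?)(.*?)\2[ \t]*$', re.MULTILINE)


def ensure_spamd_option(text: str, option: str = "-x") -> Tuple[str, bool]:
    """Return (new_text, changed). Puts `option` in front of the existing spamd
    options when it is missing; returns the text unchanged when it is present."""
    m = SPAMDOPTIONS_RE.search(text)
    if m is None:
        raise ValueError("no SPAMDOPTIONS= line in file")
    opts = shlex.split(m.group(3))
    if option in opts:
        return text, False
    new_line = '%s"%s"' % (m.group(1), " ".join([option] + opts))
    return text[:m.start()] + new_line + text[m.end():], True


def apply_to_file(path: str = "/etc/sysconfig/spamassassin", option: str = "-x") -> bool:
    """Rewrite the file in place; returns True when it had to be changed.
    Run 'service spamassassin restart' afterwards for spamd to pick it up."""
    with open(path) as fh:
        text = fh.read()
    new_text, changed = ensure_spamd_option(text, option)
    if changed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


# Constructed copy of the stock file contents quoted in the post
SAMPLE = """# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H"
"""

if __name__ == "__main__":
    new_text, changed = ensure_spamd_option(SAMPLE)
    print("changed:", changed)
    print(new_text, end="")
```

After the restart, the running spamd's arguments (ps output) are the quickest confirmation that -x actually took effect.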

Windows Time Service reasons and problems April 4, 2008

The Windows Time service plays an important role in the Kerberos authentication protocol. Its purpose is to make sure that all computers running Microsoft Windows 2000 or later in an organization use a common time.

That said, the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops.

The PDC operations master at the root of the forest becomes authoritative for the organization. Microsoft recommends that you configure your authoritative time server to sync with a hardware source, since syncing with external Internet sources does not perform any form of authentication when gathering time information.
To configure the PDC master without using an external time source, change the announce flag on the PDC master. The PDC master is the server that holds the forest root PDC master role for the domain. This configuration forces the PDC master to announce itself as a reliable time

To set it as an NTP server, make the following modification in the registry (please back up the registry before doing this):

In the right pane, right-click AnnounceFlags, and then click Modify.
In Edit DWORD Value, type A in the Value data box, and then click OK.

Then restart the w32tm service.

If the application log on the PDC shows the following event, you will need to disable the NTP client:

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 12
Date: 4/4/2008
Time: 8:38:13 AM
User: N/A
Computer: XXXXX

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
To disable the NTP client:

Open your registry
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient
Create or modify a DWORD called "Enable"
Set the value to 0 to disable the NtpClient and 1 to enable it

Then reboot the system for it to take effect.

VMware ESX Server slow writes when using NFS as a datastore. April 4, 2008

I’ve been playing around with virtualization for quite some time now; at the beginning I wasn’t too interested. In fact a friend of mine, Q, got hooked on this thing like a junkie on crack…heh…. Needless to say, I’ve been testing the HA, DRS and VMotion stuff out.

To have all your VMs accessible to your ESX servers at any time, you need storage common to all of them: the datastore, in this case.

Anyone who has tested with NFS will have noticed that the sync done when writing a file to the NFS store causes a dramatic decrease in data throughput, which can result in VMs crashing; sometimes in Windows, disk errors show up in the event log.

I currently run CentOS 5 (latest update), with the NFS export configured as:

/VMWARE-HOSTS x.x.x.x(rw,async,no_subtree_check,nohide,no_root_squash) x.x.x.x(rw,async,no_subtree_check,nohide,no_root_squash)
I was reaching throughput of 9–16 Mbit with sync; using async, throughput has increased.

Now I get more than 80 Mbit.
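The export line above is worth reading through before copying it, because two of its options change more than throughput. The following Python is an added example, not the post's or CentOS's own tooling: it parses /etc/exports lines in the format shown and reports the options that trade safety for speed or widen who gets root. async lets the server acknowledge a write before it reaches disk, so a server crash can lose data the VM believes committed; no_root_squash makes root on the client root on the export; a "*" or missing client spec exports to every host. The sample replaces the post's x.x.x.x with constructed RFC 5737 documentation addresses.

```python
"""Parse /etc/exports and flag risky options (added example, not the
original post's code). Handles 'host(opt,opt)', '(opt)' with no host, and
bare 'host' with no options, and skips comments and blank lines."""
import re
from typing import Dict, List, Tuple

# host(opt,opt)  |  (opt) with no host  |  bare host with no options
CLIENT_RE = re.compile(r'(\S*?)\(([^)]*)\)|(\S+)')

Client = Tuple[str, List[str]]


def parse_exports(text: str) -> List[Tuple[str, List[Client]]]:
    """Return [(path, [(client, [options...]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(3) is not None:
                clients.append((m.group(3), []))
            else:
                # exports(5): options with no host in front apply to every host
                client = m.group(1) or "*"
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append((client, opts))
        exports.append((path, clients))
    return exports


def review_exports(text: str) -> Dict[str, List[str]]:
    """Map 'path -> client' to a list of findings; an empty list means nothing noted."""
    findings = {}
    for path, clients in parse_exports(text):
        for client, opts in clients:
            notes = []
            if "async" in opts:
                notes.append("async: writes are acknowledged before they reach disk, "
                             "a server crash can lose data the VM believes committed")
            if "no_root_squash" in opts:
                notes.append("no_root_squash: root on the client is root on this export")
            if client == "*":
                notes.append("wildcard client: any host that can reach the server may mount this")
            findings["%s -> %s" % (path, client)] = notes
    return findings


# Constructed copy of the post's export line, with RFC 5737 documentation addresses
SAMPLE_EXPORTS = """# ESX datastore, both hosts
/VMWARE-HOSTS 192.0.2.11(rw,async,no_subtree_check,nohide,no_root_squash) 192.0.2.12(rw,async,no_subtree_check,nohide,no_root_squash)
/iso *(ro,sync)
"""

if __name__ == "__main__":
    for target, notes in review_exports(SAMPLE_EXPORTS).items():
        print(target)
        for note in notes or ["no findings"]:
            print("   ", note)
```

If async stays in for the throughput, the trade-off is that the NFS server's own power protection and the backups of the VMs become part of the datastore's durability story; the checker only makes the trade-off visible, it does not decide it.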

Where did my domain SRV records go? April 2, 2008

Came to work this morning to find users were having GPO and user authentication problems with ISA and logon.

Checked if my primary DC was up; it was, but when I checked the logged events I was greeted with this:



Argh……. I then double-checked my other DC, and it had no problems. This particular DC hosts my primary DNS as well.

AD replication also failed.

So DNS was the thing breaking AD: I noticed the SRV records were missing from DNS.

So instead of rebuilding the DC or restoring a backup, I re-registered the SRV records for my primary DC.

You can find the nltest.exe tool in the Windows 2003 Support Tools:

C:\>nltest.exe /DSREGDNS
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully

Double-checked that they were created, and everything seems to be okay.

Microsoft 2003 DHCP and DNS (Active Directory Integrated) LEASE ISSUE April 1, 2008

Currently I am running DNS integrated zones with secure updates, and DHCP. The problem is that DHCP has been giving out IP addresses before the TTL for the A (host) record expired, which caused workstations to fail DNS registration, since the workstation that previously used the IP had its computer account tied to the A (host) and PTR records.

Now, matching the lease time and DNS expiration would fix this problem, but I have clients outside of the enterprise coming and going.

So instead of the clients registering their own records, I configured the DHCP server to register the client records and remove them when the lease expires. This helps non-domain computers to register and prevents DNS pollution.

You need to enable option 81, which requests that the client send its FQDN (fully qualified domain name).

You do this by opening the properties for the server or scope in the DHCP MMC, then enabling the following; it’s self-explanatory.

DHCP, Applying DNS settings

Now, when doing that, all DNS records created by the DHCP server will by default have the DHCP server’s computer account tied to them, so in the event of a DHCP failure the backup DHCP server would not be able to modify the DNS records the primary DHCP server had created. So create a user for DHCP in Active Directory and set those credentials on the DHCP server; this way you can have multiple DHCP servers sharing the same account.