
ukstokes.com

tech stuff from a tech bloke

  • Managing multiple PuTTys

    Sep 9th 2009

    By: ben

    No comments

    I don't have any Linux cluster servers to look after but do manage 2 Linux server farms. They are similar to clusters in that they are both groups of RHEL servers that all have to have an identical config. The larger of these farms is 12 RHEL 5.3 servers, and to roll out changes to them all, I wanted to be able to make the change once, and after it was verified, make the same change on the other 11 servers. I started off by writing this script on server1:

    #!/bin/bash
    
    echo -n "Enter command to run (on one line): "
    read -r STRING
    
    # List the remaining farm members here
    for SERVER in server2 server3 server4 server5 server6 etc; do
        echo -e "\033[1;31m$SERVER says:\033[m"
        # -n stops ssh swallowing the script's stdin
        ssh -n "$SERVER" "$STRING"
    done
    
    echo -n "Do you want to run the command locally? (y/n) :"
    read -r ANSWER
    
    case "$ANSWER" in
        # sh -c parses the line the same way the remote shells did (pipes, redirects)
        y|Y) echo -e "\033[1;31mlocalhost says:\033[m"; sh -c "$STRING" ;;
        *)   exit 1 ;;
    esac

    For this to work I had to create ssh keys on each server using:

    ssh-keygen -t dsa

    And then install the newly generated key (~/.ssh/id_dsa.pub) into the authorized_keys file on server1. This works for running simple commands one at a time.
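    The post describes the pattern of making a change on one server, verifying it, and then repeating it on the other eleven. The script below is an added example of that rollout pattern, written for this page and not the post's own script: it runs the command on a canary host first, stops without touching anything else if the canary fails, and otherwise reports how many of the remaining hosts failed. The SSH_CMD variable is an assumption of this example so the transport can be swapped out (for instance when testing offline); the default uses ssh options that exist in OpenSSH.

```shell
#!/bin/sh
# Added example (not the post's script): canary-first fan-out of a command.
# SSH_CMD is an assumption of this example; override it to use a different transport.
: "${SSH_CMD:=ssh -n -o BatchMode=yes -o ConnectTimeout=10}"

# run_remote HOST CMD  -- run CMD on HOST using the configured transport
run_remote() {
  $SSH_CMD "$1" "$2"
}

# rollout CMD CANARY HOST...
# Returns 100 if the canary fails (no other host is touched); otherwise returns
# the number of remaining hosts on which CMD exited non-zero (0 = all succeeded).
rollout() {
  cmd=$1; canary=$2; shift 2
  failed=0
  printf '=== %s (canary) ===\n' "$canary"
  if ! run_remote "$canary" "$cmd"; then
    echo "canary $canary failed; remaining hosts left untouched" >&2
    return 100
  fi
  for host in "$@"; do
    printf '=== %s ===\n' "$host"
    run_remote "$host" "$cmd" || { echo "FAILED on $host" >&2; failed=$((failed + 1)); }
  done
  return "$failed"
}

# Usage (hypothetical host names):
#   rollout "uptime" server1 server2 server3 server4
#   echo "exit status: $?"
```

    Because the exit status distinguishes "canary failed" from "N hosts failed", the wrapper can be chained into a larger change procedure, and a failing canary leaves the other eleven servers exactly as they were.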

    For other tasks it's sometimes necessary to manage multiple ssh sessions at once, for example to monitor resources using htop or to tail log files. On Linux you can use ClusterSSH (cssh) but this turned out to be a royal pain in the butt to get working on CentOS or RHEL. It worked OK in an Ubuntu VM but was a bit clunky and I felt there would be a better way of managing multiple PuTTy windows, since I am using a Windows 7 laptop for my day-to-day stuff.

    There are quite a few goodies for this on the Links page on the Putty website and this is where I found Putty Command Sender. Quite simply you type your command into the command sender, and much like clusterssh, it sends it to all the putty windows you have open.

    [Image: Putty Command Sender]

    It's not so great for editing files in Vi on 12 servers at once but it is possible - you can send cursor movements as well as lines of code or single commands. The only thing you have to watch out for in PuttyCS is that all Putty windows have updated before you start typing your next command, otherwise the last window to update may miss the first few characters of the next command.

    Finally, to launch my sessions in groups I'm using Putty Session Manager. Other alternatives are available but I found this one to be the best. Its lightweight nature fits in with Putty nicely.

    Enterprise Linux

    Enterprise Linux, Linux, Putty, SSH

  • I’ve had it with Vista.

    Aug 12th 2009

    By: ben

    4 comments

    My Vista computer is configured to automatically update every Tuesday at 5:00pm. Today it downloaded and installed the following patches:

    - Windows Malicious Software Removal Tool - August 2009 (KB890830)
    - Update for Windows Mail Junk E-mail Filter [August 2009] (KB905866)
    - Security Update for Windows Vista (KB973540)
    - Update for Microsoft Office Outlook 2007 Junk Email Filter (KB972691)
    - Security Update for Windows Vista (KB971557)
    - Security Update for Microsoft .NET Framework 2.0 Service Pack 2 (KB972594)
    - Security Update for Windows Vista (KB956744)
    - Security Update for Windows Vista (KB971657)
    - Security Update for Windows Vista (KB973507)

    One of these updates broke my network connectivity. The NIC was still available but DHCP was broken, and assigning a static address would not help. The device itself was functioning normally and nothing in the event log gave any clues. Looking in the update history in the Windows Update application, all of these security updates have the same description:

    A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it.

    Microsoft, how about telling me what the hell is being patched, since I can't use the links to the technet articles as my network stack was broken. Not very helpful when I am trying to figure out which patch has wrecked the system.

    Cold light of day edit: I realise this is a Microsoft problem, not necessarily a Vista problem.

    Luckily System Restore actually works, and returned me to where I started at 5:00 this afternoon, with everything working.

    One final thing. Why is Vista such a resource pig? This computer is a dual core AMD64 2.30GHz but it runs like it's been eating pastry all day. As I am typing this, I have 4 apps open, my CPU is boiling over and my memory usage is over 1GB. Why?! This PC is only used for web surfing, email and music.

    [Image: Vista ... why oh why]

    OK - so ending the apps in my tray (Skype, Gladinet, MSN and Avast) has recovered a few hundred MB, but I don't see why Vista is so bad at memory management compared to Windows XP, Windows 7 ... or for that matter any Linux distro ...

    Well, that's it, I can't be arsed troubleshooting it. I'm through with Vista. Time to backup, wipe and move on.

    Rants, Windows Vista

    Performance, Rant, Windows Vista

  • Install RHEL with Kickstart and no DHCP

    Jun 25th 2009

    By: ben

    No comments

    I've been installing 16 RHEL 5.3 servers on a DR site, owned by our sister company. There is no DHCP server on the subnet which has stopped us using HP Rapid Deployment Pack to roll out the servers, but it was still possible to use Kickstart, by specifying the IP information as a parameter when booting from the RHEL CD (disk 1). The syntax goes like this:

    boot: linux ks=http://server/kickstart.cfg ksdevice=eth0 ip=xx.xx.xx.xx netmask=xx.xx.xx.xx gateway=xx.xx.xx.xx dns=xx.xx.xx.xx

    DNS servers can be comma separated if you want to specify more than one.

    Enterprise Linux

    Enterprise Linux, kickstart, RHEL

  • Scripts to make en mass changes to profile paths

    Jun 11th 2009

    By: ben

    No comments

    We've been migrating shares on our main file server to a DFS share to give us some flexibility with our storage. Part of these changes involves migrating Profile Paths and Terminal Server Profile Paths to the new DFS share location. Once the data was being synchronised by DFS we needed a way to change the Profile Path and TS Profile Path attribute on all accounts in part of our Active Directory. This cannot be done using AD Users and Computers - if you bulk select users in ADUC and bring up the collective properties, you will notice the TS Profile Path is not available for editing. There are a few free tools that can do this, notably ADModify.NET, but we needed a way to script it so it could be run overnight, and also only make changes to the paths if one existed already.

    ChangeProfilePaths.vbs.txt
    ChangeTerminalServerPaths.vbs.txt

    The scripts are pretty much identical, the only bits you need to change are these lines at the top:

    SMTPServer = "mail.ukstokes.ad"
    Set domain = GetObject("LDAP://OU=Company Users,DC=ukstokes,DC=ad")
    NewTSPath = "\\ukstokes.ad\data\profiles$\users\"

    The LDAP string needs to be changed to the starting point in your AD tree. Every OU underneath will be affected.

    Also these 2 lines at the bottom:

    objEmail.From = "ben@------.ad"
    objEmail.To = "ben@------.ad"

    The script will send an email at the end with a summary of the changes so you will need to change the From and To addresses accordingly.

    Before making any mass changes like this, remember the golden rule: test it in an isolated environment first.

    Scripting

    Active Directory, Scripting, Windows

  • Set up a ‘honeypot’ router using Netfilter (iptables)

    Jun 4th 2009

    By: ben

    No comments

    We're in the process of moving all servers from a legacy flat network to a new server VLAN. Each time a server is moved and is assigned a new IP address, there is a risk that some applications in the building might still try and connect to the server's old IP address rather than the DNS name. To log any attempts to reach the old IP address I've set up a 'honeypot' router using iptables and CentOS (as a small VMware machine). Each time a server is moved, the old server IP is added to the CentOS machine and 2 rules are added in the iptables firewall to drop and log the incoming IP connections. The failed connections would usually be logged to the console and the 'messages' log file, but alternatively these could be sent to a remote syslog server by specifying:

    kern.*        @xx.xx.xx.xx

    in the syslog.conf. In our case we're logging to our Cacti server and using the Cacti syslog plugin (from here) to view our Linux server and network switch syslogs in a central location.

    iptables configuration
    In a default installation of CentOS, iptables is already installed and running by default. There are only 2 changes to make. The first is to bind your additional IP address to your network card (usually eth0). This is done by creating a virtual device called eth0:1, by inserting this text into the new file /etc/sysconfig/network-scripts/ifcfg-eth0:1 (10.10.2.17 is the destination address of the incoming traffic that I want to log):

    IPADDR=10.10.2.17
    NETMASK=255.255.0.0

    And then bringing up the virtual device using:

    ifup eth0:1

    In the iptables config file (/etc/sysconfig/iptables) I added these lines in the RH-Firewall-1-INPUT chain:

    -A RH-Firewall-1-INPUT -d 10.10.2.17 -j LOG --log-level 4 --log-prefix "OLD SRV1"
    -A RH-Firewall-1-INPUT -d 10.10.2.17 -j DROP

    Any traffic to 10.10.2.17 will now be logged in messages and the lines will be prefixed with "OLD SRV1".
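    To turn those log lines into something useful during the migration you want to know which source hosts are still talking to the old address, on which ports. The script below is an added example written for this page, not code from the post: it parses the kernel LOG entries as they appear in /var/log/messages and prints a per-source summary. The log lines it runs over are constructed samples in the format iptables' LOG target produces, using the "OLD SRV1" prefix from the post. One caveat worth knowing: iptables appends the packet fields directly after --log-prefix, so a prefix without a trailing space shows up as "OLD SRV1IN=eth0"; the parser below copes with that, but a prefix ending in a space reads better.

```shell
#!/bin/sh
# Added example (not from the post): summarise iptables LOG lines for a retired address.
# SAMPLE_LOG is a constructed set of syslog lines in the format the LOG target writes;
# the last line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='Jun  4 10:12:33 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=10.10.1.55 DST=10.10.2.17 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4321 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  4 10:12:36 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=10.10.1.55 DST=10.10.2.17 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4322 DF PROTO=TCP SPT=51235 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun  4 10:15:01 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:66:08:00 SRC=10.10.1.60 DST=10.10.2.17 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=1433 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 10:16:10 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:77:08:00 SRC=10.10.1.70 DST=10.10.2.17 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun  4 10:17:00 honeypot kernel: eth0: link up'

# summarise_hits: read syslog lines on stdin and print "COUNT SRC PROTO DPT" for
# every line carrying the honeypot prefix, busiest source first. DPT is "-" for
# protocols without ports (ICMP).
summarise_hits() {
  grep 'OLD SRV1' | awk '
    {
      src = ""; proto = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# summarise_sample: run the report over the constructed sample so it works offline.
summarise_sample() {
  printf '%s\n' "$SAMPLE_LOG" | summarise_hits
}

# Real use on the honeypot box:  summarise_hits < /var/log/messages
```

    Over the sample this prints 10.10.1.55 hitting TCP/445 twice, 10.10.1.60 on TCP/1433 once and one ICMP echo from 10.10.1.70, which is exactly the list of clients (and the services they expect) that still need their configuration pointed at the DNS name.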

    Note about file paths: I'm getting an odd error when posting Linux file paths in WordPress - putting a leading / in the path gives a 404 error. The paths I mentioned above should have a leading forwardslash "/".

    Enterprise Linux

    CentOS, iptables, netfilter, routing

  • Test post

    May 25th 2009

    By: ben

    No comments

    Just a quick test to see if posting and collection via RSS is working since I have migrated to a new webhost.

    [Image: A cat selected at random]

    Blogging, Random stuff

  • Configure alerting for a Symantec Brightmail appliance

    May 20th 2009

    By: ben

    No comments

    I wanted to configure email alerts from our Brightmail gateway (formerly Symantec 8300 series appliance) so that we would be notified when message queues were over certain thresholds. This is a missing feature on the appliance, so as a workaround I've done it using Cacti instead. We already monitor CPU and memory usage of the appliance using Cacti by configuring it as a 'ucd/net SNMP device', and this week I discovered Symantec also publish templates for Cacti for graphing MTA queues (inbound, outbound and delivery). There are 2 graphs, one showing the number of messages, and the other showing the MTA sizes in megabytes.

    I added the templates to our Cacti and configured them against our Brightmail gateway and they work very nicely. 

    [Image: Queue sizes as graphed by Cacti]

    Just to explain the queue above - we always have a fair amount of transient garbage stuck in the delivery queue due to malformed domain names, typos in email addresses and other random stuff stuck in a retry queue for a few days.

    For alerting we already have the threshold plugin 'thold' installed on Cacti so I set up 2 new threshold templates for the inbound and outbound delivery queues. If a queue now goes over 150 messages we will receive an alert - it will also send an email when the value goes back under the 150 value. 

    [Image: My thresholds]

    The email alerts also contain a copy of the graph as an attachment which is a very nice feature. It pretty much tells you what time your queues started building up, and this is a valuable clue in helping you find out what has caused the problem.

    Messaging

    Cacti, Messaging

  • Update DMZ servers using WSUS

    Apr 20th 2009

    By: ben

    No comments

    If you have a server in the DMZ that requires Windows Updates but does not have Internet connectivity, it's actually quite easy to configure it to receive automatic updates from a WSUS server on your network.

    1. Firewall config: Open tcp/80 (or tcp/443 if you have configured SSL) on the firewall between your DMZ server and your WSUS server.

    2. On your DMZ server open gpedit.msc. Go into Computer Configuration - Administrative Templates - Windows Components - Windows Update.

    [Image: Configure Windows Update using gpedit.msc]

    3. Enable "Configure automatic updates" and configure the schedule of your choice.

    4. Enable "Intranet Microsoft Update Service Location". Specify your WSUS server in both fields using the http://server format.

    5. Enable "Client side targeting" and enter the name of your Target Group into the box.

    That's it - the updates will now flow in.

    Windows Servers

  • Configure automatic login on OCS 2007

    Apr 11th 2009

    By: ben

    6 comments


    Here's the scenario: You have a single OCS 2007 standard edition server on your network. Your Active Directory uses a DNS suffix that is not available externally, for example ocs.internal.ad. You are using a certificate issued by your domain CA on your OCS server (this is recommended) and automatic logon works fine while your clients are on the internal network.

    You have also deployed an OCS 2007 Edge Access Server. The server's name in external DNS is sip.yourdomain.com.

    The goal is to enable clients to log in automatically. This is a nice to have - and I think even nicer when they can log in automatically from both within the corporate LAN and the outside of your network.

    The problem
    If you change your users' OCS sign-in names to their email addresses (i.e. user@yourdomain.com), the automatic logon works fine on the outside but not from the inside (providing your Edge Access server and supporting DNS records are set up correctly). Meanwhile, from outside of your network, if your users have sign-in names using your internal AD namespace (i.e. user@internal.ad), automatic logon fails - this is because the internal.ad DNS suffix does not exist on the outside and your OCS client cannot find an SRV record in DNS to locate the OCS server.

    The solution!
    There are several components that need to be in place for this to work.

    1. DNS Configuration
    For this to work you are required to set up a copy of your external DNS as a primary zone in your Active Directory DNS. Then in your internal DNS configure an A Record for sip.yourdomain.com pointing to the IP address of your internal OCS server. In addition, set up some SRV records:

    _sipinternal._tcp.yourdomain.com      -> sip.yourdomain.com (priority 0, weight 0, port 5061)
    _sipinternaltls._tcp.yourdomain.com   -> sip.yourdomain.com (priority 0, weight 0, port 5061)

    2. Certificate configuration
    For authenticating external clients, you will need an SSL certificate on your Edge Access server. Choosing the right sort of certificate is vital for the Edge Access role. You have to select one from this list for federation and public IM connectivity to work properly.  Other certificates may work, but have not been approved for use with OCS 2007 by Microsoft.

    For authenticating internal clients, Microsoft recommend you use a certificate from the CA on your domain. From your standard edition server, run setup on the OCS CD and go through the certificate wizard. When configuring the certificate, specify ocs.internal.ad (insert your internal server name here) as the primary name of your server and sip.yourdomain.com (your external namespace) as the alternative name on the certificate.

    3. Sign-In names
    The last thing is to configure sign-in names; these will need to be changed to use your external DNS suffix, i.e. user@yourdomain.com. One word of warning on this - if you change sign-in names while the users are logged on, they will be kicked off the system and receive an error about invalid credentials. Instead, make the changes while the users are logged off and they will then be picked up automatically the next time the computers are booted up on the network.

    After making this change users should then be able to log in automatically from both the corporate network and the Internet.

    This is one area IMHO where the OCS 2007 documentation does not go into enough detail.

    Windows Servers

  • Get system stats automatically on SSH login

    Apr 10th 2009

    By: ben

    No comments

    I noticed in recent versions of Ubuntu you get some system stats in a banner message when you connect using SSH. I thought this was pretty useful so have implemented my own version on our Red Hat servers at work.

    This runs every 5 minutes as a cron job and updates the file /etc/motd (Message Of The Day) which is shown when a user logs in. Our servers already have a 5 line banner message with information including the server name and purpose of the server, hence the first 5 lines being saved and re-added into a new /etc/motd each time.

    #!/bin/bash
    # Keep the first 5 lines of the existing banner and rebuild the rest below it.
    # A private temp file replaces the predictable /tmp/file (a fixed, world-writable path
    # a local user could pre-create or symlink).
    TMP=$(mktemp) || exit 1
    trap 'rm -f "$TMP"' EXIT
    head -n 5 /etc/motd > "$TMP" && cat "$TMP" > /etc/motd
    
    # Sum the %CPU of every process and divide by the number of cores
    CPUTIME=$(ps -eo pcpu | awk 'NR>1 {tot+=$1} END {print tot+0}')
    CPUCORES=$(grep -c ^processor /proc/cpuinfo)
    
    # free -m: line 2 is "Mem:" (column 4 = free); the "-/+ buffers/cache:" line of the
    # older procps gives free memory once cache is counted as reclaimable (column 4)
    MEMFREE=$(free -m | awk 'NR==2 {print $4}')
    MEMFREECACHE=$(free -m | awk '/buffers\/cache/ {print $4}')
    SWAPUSED=$(free -m | awk '/^Swap:/ {print $3}')
    
    echo "System summary (collected $(date))
    
     - CPU Usage (total average) = $(echo "$CPUTIME / $CPUCORES" | bc)%
     - Memory free (real)        = $MEMFREE MB
     - Memory free (+ cache)     = $MEMFREECACHE MB
     - Swap in use               = $SWAPUSED MB
    " >> /etc/motd

    Now when we log in we get a summary like this:

    [Image: SSH Server Stats]

    Enterprise Linux, Scripting

    Bash scripting, Enterprise Linux, Linux
