Firewall your Exchange 2007 server

Software that is not reachable can't be hacked. Easy as that. So if you have a cloud-based anti-spam/anti-virus filter, you can make your SMTP server unreachable for the bad guys by only accepting connections from that filter.

In my situation, I'm using a Windows 2008 SBS server with Exchange 2007.

  1. Start wf.msc
  2. Go to inbound rules
  3. Find MSExchangeTransportWorker and double-click it to open the properties
  4. On the tab "scope", select "These IP addresses" and add the following IPs: 'Local subnet', 127.0.0.0/8, 192.168.0.0/16, fe80::/16
  5. Add the IPs of your anti-spam servers as well
  6. Then click OK
  7. Don't forget to verify that the change actually works: test from both an IP that should be able to connect and one that should not

© GeekLabInfo Firewall your Exchange 2007 server is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info


Run a batch file invisibly

Save this one line of text as c:\windows\quiet.vbs
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
To run a batch file invisibly, start it using the following command:
wscript.exe "C:\windows\quiet.vbs" "C:\path\file.bat"


Error 1913: Setup cannot update file C:\windows\win.ini

Installing Microsoft Office 2010 using the preinstalled "out of the box" function, I got this error:
Error 1913: Setup cannot update file C:\windows\win.ini

Permissions were right. I could rename the file, so that means it was not in use by some other program... but apparently it was Trend Micro blocking the installation.

Using services.msc I disabled all Trend Micro stuff, finished the install and rebooted to get all services running as normal.


Squid Active Directory authentication on CentOS 5.6

Step 1. Install ntp and synchronize clocks

We'll be using winbind, kerberos and ntlm to authenticate the user. This requires the clocks of the AD server and the proxy server to be synchronized.
rpm -q ntp || yum -y install ntp #rpm -q fails when the package is missing; rpm -qa always succeeds
sed -i "s/^server /#server /g" /etc/ntp.conf
echo "server YOURSERVERNAME" >> /etc/ntp.conf
ntpdate YOURSERVERNAME #synchronize right now
service ntpd start #and keep in sync
chkconfig ntpd on #after reboot as well

Step 2. Install required software

yum install krb5-workstation samba-common authconfig squid
chkconfig squid on

Step 3. Connect to active directory

Please note that the Kerberos realm is case-sensitive: MYCOMPANY.local and mycompany.local may be treated as different domains.
ADSERVER=sbs.MYCOMPANY.local
DOMAIN=MYCOMPANY.local
WORKGROUP=MYCOMPANY
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
--krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

I found some information saying that /var/cache/samba/winbindd_privileged should be chowned 750 to root:squid or that you should add user squid to group wbpriv. Also, squid.conf should not have cache_effective_group defined. However, this part was not relevant on my CentOS 5.6. The reason could be that I installed 5.4, then upgraded; I'm not sure. Just leaving it as a note.

Now check your winbind connection using the following commands:
wbinfo -u
wbinfo -g

Step 4. Configure squid

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl ntlm proxy_auth REQUIRED
http_access allow our_networks ntlm
authenticate_ip_ttl 900 seconds

This will allow all valid, logged-in users to surf the web. You could also limit which users can surf by adding --require-membership-of=ADGROUPNAME to the ntlm_auth command.

Start Squid using /sbin/service squid restart and you're good to go.
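A pre-flight check for the steps above, as an added example that is not part of the original post: it compares the offset reported by `ntpdate -q` with the 300-second Kerberos default tolerance (ignoring servers that never answered) and checks whether the squid user can enter the winbindd_privileged directory from the note under step 3. The function names, the RUN_CHECKS switch, GNU stat and the 300-second limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
ADSERVER=${ADSERVER:-sbs.MYCOMPANY.local}   # value used in step 3
PRIV_DIR=${PRIV_DIR:-/var/cache/samba/winbindd_privileged}
MAX_SKEW=${MAX_SKEW:-300}   # seconds; Kerberos default tolerance (assumed unchanged)

# Reads `ntpdate -q SERVER` output on stdin.
# Returns 0 if the worst offset is within MAX_SKEW, 1 if not, 2 if no server answered.
skew_ok() {
    awk -v max="$MAX_SKEW" '
        BEGIN { worst = 0 }
        /^server / {
            strat = off = ""
            for (i = 1; i < NF; i++) {
                if ($i == "stratum") strat = $(i + 1) + 0   # "3," -> 3
                if ($i == "offset")  off   = $(i + 1) + 0   # "0.0123," -> 0.0123
            }
            # stratum 0 means the server never replied; its offset of 0 is meaningless
            if (strat == "" || strat == 0 || off == "") next
            if (off < 0) off = -off
            if (off > worst) worst = off
            found = 1
        }
        END {
            if (!found) exit 2
            exit (worst <= max ? 0 : 1)
        }'
}

# Returns 0 if USER is in the group owning DIR and that group may enter it,
# 1 if not, 2 if DIR is missing or cannot be inspected.
priv_pipe_ok() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 2
    grp=$(stat -c %G "$dir") || return 2
    mode=$(stat -c %a "$dir") || return 2
    [ $(( (0$mode >> 3) & 1 )) -eq 1 ] || return 1   # group execute bit
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$grp"
}

# Nothing runs unless asked to; set RUN_CHECKS=1 on the proxy server.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    ntpdate -q "$ADSERVER" | skew_ok || echo "clock offset too large or $ADSERVER unreachable" >&2
    wbinfo -t || echo "winbind trust secret check failed" >&2
    priv_pipe_ok "$PRIV_DIR" squid || echo "squid cannot reach $PRIV_DIR" >&2
fi
```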

You may want to check what else I'm writing on Squid. I'm planning to document a lot more in the next few weeks.


Arrrrgh! Kill it! Kill wp_attempt_focus with fire!

Somewhere around version 2.8.4 or something, WordPress introduced a "feature" to focus the username form and wipe the username. I don't want to type my username every time again and again and again. So what can we do to kill wp_attempt_focus? There is no hook available to disable that part of the code, but we can use some dirty tricks:

I created the following 'plugin' to get rid of it:
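// Output-buffer callback: rewrites the login page before it is sent to the browser.
function kill_wp_attempt_focus($in){
    // Define an empty wp_attempt_focus() and rename the original so it is never called.
    return preg_replace('/function wp_attempt_focus/','function wp_attempt_focus(){} function wp_attempt_focus_killed',$in);
}
// Only buffer the login page.
if($_SERVER["PHP_SELF"]=='/wp-login.php'){
    ob_start('kill_wp_attempt_focus');
}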

It grabs the output of /wp-login.php, renames the original wp_attempt_focus() to wp_attempt_focus_killed() and creates a new empty function to prevent errors.


USB Video DVD Maker for Linux

Today I borrowed a USB video device, just to see if I can get it working on Linux. And I did! The device's package shows that it supports PAL (720x576@25fps) and NTSC (720x480 @ 30fps), but not much more.

According to lsusb, the device is built by eMPIA Technology, Inc and it has id eb1a:2861. Because I have another webcam attached, the device is connected as /dev/video1, which is a character device with major 81 and minor 1. In the /sys filesystem, there's information on the device. I can find the right node using the next command:

cd /sys/dev/char/81:1

This is a symlink to (in my case) /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-5/2-5:1.0/video4linux/video1. In this directory, I find some more useful information. The file "name" tells me the device is actually an em28xx-based device.

The device has 2 inputs: a set of RCA connectors with a composite signal and an SVideo connector. This is represented by showing two "sub-devices". The composite signal is /dev/video1, while the SVideo connector is /dev/vbi0.

To display the screen of my Sony* HDR-SR11 camera, I use the command:

mplayer -cache 128 -tv driver=v4l2:device=/dev/video1:input=1:width=720:height=576:outfmt=i420 tv://

* Yes, a Sony. And I'm really sorry. I bought it several years ago. I'm boycotting Sony nowadays.


Use your laptop as a wifi router

Last week, I was snowboarding with my family in Scheffau, Austria. In the apartment, there was one single cat-5 cable, while 5 of us wanted to use the internet. So I figured out how to build an ad-hoc wifi network with my laptop in order to share the network connection.

My configuration

On my laptop, I'm running Fedora 13 with dnsmasq installed. All other software is pretty standard. My wifi driver creates a wlan0, but other laptops may create wmaster0 interfaces etcetera.

Step 1: Enable routing

We set up IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For a permanent situation, you may want to be a little more picky in what to forward and what not.

Step 2: Set up the wifi

First, we switch from managed mode to ad-hoc mode:
/sbin/iwconfig wlan0 mode Ad-Hoc
Then we choose a name for the new network. I chose my own name:
/sbin/iwconfig wlan0 essid "David"
I use WEP, which is pretty insecure, but is just good enough to keep neighbours from connecting by accident. (I would not use this for a network that stays up for more than an hour.):
iwconfig wlan0 key 1351351350
And we set the wifi channel to "automatically select a channel":
iwconfig wlan0 channel auto

Step 3: Configure the network

Then we must configure an IP. Since 192.168.0.0/16 and 10.0.0.0/8 are mostly used in ADSL environments, I use the third IANA assigned block: 172.16.0.0/12 (172.16.0.0-172.31.255.255):
ifconfig wlan0 172.31.1.254 up

And allow incoming DHCP/DNS requests:
iptables -I INPUT -m udp -p udp --dport 67 -j ACCEPT
iptables -I INPUT -m udp -p udp --dport 53 -j ACCEPT

Then, finally, we start dnsmasq as a DHCP/DNS server:
dnsmasq --no-daemon --domain-needed --bogus-priv --interface=wlan0 --bind-interfaces --dhcp-range=172.31.1.50,172.31.1.100,12h --dhcp-option=option:router,172.31.1.254 --dhcp-authoritative --log-queries --log-dhcp

Step 4: Have fun!

We're done. Other laptops can now connect to your network and you're forwarding their packets.
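Step 1 forwards everything, and the post notes that a permanent setup should be pickier. One way to do that, as an added example that is not part of the original post: forwarding is limited to traffic from the wifi side out through eth0 plus its replies, and DHCP/DNS are only answered on wlan0. The function name router_rules, the APPLY switch and the 172.31.0.0/16 network are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a narrower rule set for the laptop router.
# Assumptions: wlan0 is the shared side, eth0 the uplink, and the LAN is
# 172.31.0.0/16 (ifconfig without a netmask gives 172.31.1.254 the classful /16).

# Prints the iptables commands; returns 1 on an unsafe interface or network argument.
router_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    for v in "$lan_if" "$wan_if"; do
        case $v in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $v" >&2; return 1 ;;
        esac
    done
    case $lan_net in
        ''|*[!0-9./]*) echo "bad network: $lan_net" >&2; return 1 ;;
    esac
    # -I is used (as in the post) so the rules land above a distribution's default REJECT.
    # The DHCP rule has no -s match: a client asking for a lease still sends from 0.0.0.0.
    cat <<EOF
iptables -P FORWARD DROP
iptables -I FORWARD -i $wan_if -o $lan_if -d $lan_net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
iptables -I INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $lan_if -s $lan_net -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $lan_if -s $lan_net -p tcp --dport 53 -j ACCEPT
EOF
}

# Dry run by default; set APPLY=1 (as root) to load the rules.
if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    router_rules wlan0 eth0 172.31.0.0/16 | sh
fi
```

Calling `router_rules wlan0 eth0 172.31.0.0/16` on its own prints the commands for review without changing the firewall.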
