September 16th, 2011 by The Oracle -

If you have a Windows 7 32-bit disc (the OEM disc that came with a new computer should work fine), do the following:

1. Make a folder on your C Drive called Win7Mount
2. Obtain a copy of ImageX. This can be downloaded from Microsoft. It is their new imaging software.
3. Insert your Windows 7 DVD or mount your ISO. Note the drive letter.
4. Open a command prompt and change directories to wherever ImageX is installed. I have the Windows AIK installed so mine was at C:\Program Files\AIK\Tools\x86.
5. Type the following command: imagex /mount H:\Sources\install.wim 1 C:\Win7Mount and press ENTER.
6. Wait for imagex to complete. It will take 2-3 minutes to fully mount the DVD image.
7. Now browse to C:\Win7Mount\Windows\winsxs\
8. Copy the contents of x86_ntprint.inf_31bfxxxxxxxxxxxxxxxxxxxxxxx to wherever you save your Print Drivers. I called it “Windows 7 32-bit NTPRINT”. That way when I need it in the future I will remember what it was for. (Note: there is another folder called x86_ntprint.inf.resources_xxxxxxxxxxxxxxxxxx. I copied the contents of that one as well, but didn’t need it. I figured I might in the future so I went ahead and grabbed it now.)
9. Now type: imagex /unmount C:\Win7Mount and press ENTER. This process will take 60 seconds or so.
10. Now when the print server asks for the Windows media, just browse to that new folder you created and it will find the files needed.

Thanks to KESWADMIN and BRYANT FONG for the winsxs help. I just thought I would put all the steps together for people who might not have it installed, but do have the media available.

August 11th, 2011 by The Oracle -

A private key contains a series of numbers. Two of these numbers form the “public key”, the others are part of the “private key”. The “public key” bits are included when you generate a CSR, and subsequently form part of the associated Certificate.

To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The 'modulus' and the 'public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it is difficult to visually check that the long modulus numbers are the same, you can hash the modulus instead:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

If the output (the MD5 hash) from these two computations matches exactly, then you can be sure that the private key and certificate are matched properly.

Should you wish to check to which key or certificate a particular CSR belongs you can perform the same calculation on the CSR as follows:

$ openssl req -noout -modulus -in server.csr | openssl md5
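The same checks, wrapped in a small POSIX shell script so they can be run against any key, certificate and CSR. This is an added example, not part of the original post; the file names server.key, server.crt and server.csr and the throwaway fixtures it generates are assumptions for the demonstration. It goes one step beyond the post: pubkey_match compares the whole public key rather than only the RSA modulus, so it also works for ECDSA or Ed25519 keys, and modulus_hash refuses to hash an unreadable file, because the MD5 of two empty outputs would otherwise "match".

```shell
#!/bin/sh
# Compare the public half of a private key with a certificate or CSR, the way
# the post does it (hash of the RSA modulus), plus a key-type-agnostic variant.

# modulus_hash {rsa|x509|req} FILE -> MD5 of the modulus.
# Fails when FILE cannot be read, so two unreadable inputs never "match".
modulus_hash() {
  out=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$out" ] || return 1
  printf '%s\n' "$out" | openssl md5
}

# cert_key_match KEY CERT -> 0 if the certificate was issued for this key
cert_key_match() {
  k=$(modulus_hash rsa "$1") || return 1
  c=$(modulus_hash x509 "$2") || return 1
  [ "$k" = "$c" ]
}

# csr_key_match KEY CSR -> 0 if the CSR was generated from this key
csr_key_match() {
  k=$(modulus_hash rsa "$1") || return 1
  r=$(modulus_hash req "$2") || return 1
  [ "$k" = "$r" ]
}

# pubkey_match KEY CERT -> compares the full SubjectPublicKeyInfo, so it
# works for RSA, ECDSA and Ed25519 keys alike (added beyond the post).
pubkey_match() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixtures for the demonstration: a key, its CSR and a self-signed
# certificate, plus an unrelated key that must NOT match. Prints the directory.
make_fixtures() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=example.test" \
    -out "$dir/server.csr" 2>/dev/null
  openssl req -x509 -new -key "$dir/server.key" -subj "/CN=example.test" \
    -days 1 -out "$dir/server.crt" 2>/dev/null
  openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
  echo "$dir"
}
```

Usage: `cert_key_match server.key server.crt && echo OK`. The functions print nothing on success; they only return an exit status, so they drop straight into a deployment script or a pre-commit hook that refuses a mismatched pair.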

July 22nd, 2011 by The Oracle -

I bought a godaddy hosting plan a few months ago. I cancelled my plan because the support sucked and was ignorant. Godaddy also failed to deliver what they promised. They stated on their website that the ultimate hosting plan would get 1000 email accounts with 1GB storage, but in the end I only got 10. That's why I cancelled my plan.

Yesterday, 21/7/2011, I bought the plan (the same plan) again from them, expecting that they had gotten better in terms of support and the product itself. Today, 22/7, I really regret that I gave them another chance. I was confused by their support, which never really answered my question about the email quota. Another thing is that email creation took a very long time to complete (I waited more than 5 hours but it was never done); the same thing happened when I created an email account (the status was stuck at updating the MX record).

Why did that process take such a long time to complete? I can't think of any good reason except that they create it manually per customer request. It is supposed to be done automatically by the system, right? What if the customer has a project that is really urgent and needs to be done fast?

One day after I bought the hosting I decided to let it go. This is the second time godaddy has let me down, and for sure I won't let them let me down a third time, because that chance will never come.

It's time to say goodbye and put a big red bold stroke through Godaddy on my web hosting list.

July 19th, 2011 by The Oracle -

Authenticating a LINUX User ID with a locked Password?

It is often desirable to lock the password of an account, but still allow the user to login via SSH using another authentication method, such as SSH public key authentication.

However, even when only public key authentication is enabled in the SSH Tectia Server config, Tectia will check the user’s account and password to ensure the account is not locked. If it finds the account or password locked, Tectia will not allow the user to login.

Below is a method to configure SSH Tectia to use PAM for account validation without verifying the user's password, thereby giving server administrators the ability to let users whose accounts are locked log in using another authentication method.

Configuring SSH Tectia Server

In the /etc/ssh2/ssh-server-config.xml file, please make sure the following settings are enabled.

Configure Tectia Server to Call PAM for Account Checking Only

<params>
  <!-- Possible other params can be inserted here -->
  <settings pam-account-checking-only="yes" />
  <pluggable-authentication-modules pam-calls-with-commands="yes" />
</params>

Set Tectia Server to Allow the Chosen Authentication Method

Also in the /etc/ssh2/ssh-server-config.xml file.

  <authentication-methods login-grace-time="600">
   <!--Possible other authentication attributes or elements can be inserted here -->
    <authentication name="authentication">
     <!--Possible selectors can be inserted here-->
      <auth-publickey />      
    </authentication>
   <!--Possible other authentication elements can be inserted here -->
  </authentication-methods>

Configure PAM to See the User's Password as Optional

In the /etc/pam.d/ssh-server-g3 file (create one as below if necessary), set the following:

auth       required    /lib/security/$ISA/pam_env.so
auth       required    /lib/security/$ISA/pam_unix.so likeauth nullok
account    required    /lib/security/$ISA/pam_unix.so likeauth nullok
session    required    /lib/security/$ISA/pam_unix.so likeauth nullok

NOTE: The above PAM config file is from Red Hat Linux 3 – your config file may vary.

This configuration is provided as an example only; SSH does not provide technical support for how to configure PAM.

July 11th, 2011 by The Oracle -

Received this error message in the Exchange Event Viewer:

Log Name:      Application
Source:        MSExchangeTransport
Date:          7/12/2011 9:44:38 AM
Event ID:      1021
Task Category: SmtpReceive
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      mail.xxx.xxx
Description:
Receive connector Default Email rejected an incoming connection from IP address 10.0.0.1. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchangeTransport" />
<EventID Qualifiers="32772">1021</EventID>
<Level>3</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-07-12T01:44:38.000Z" />
<EventRecordID>199286</EventRecordID>
<Channel>Application</Channel>
<Computer>mail.axs.sg</Computer>
<Security />
</System>
<EventData>
<Data>Default Email</Data>
<Data>20</Data>
<Data>10.0.0.1</Data>
</EventData>
</Event>

To make sure this problem does not come back, I raised the maximum number of connections per source. To do so, follow these steps.

  1. Open an Exchange Management Shell (PowerShell with the Exchange snap-in).
  2. Type get-receiveconnector. This lists all connectors in your Exchange environment.
  3. Type get-receiveconnector -id "unique receive connector name" | fl to get an overview of all the settings of that receive connector. To find out which receive connector you need to query, refer to the email you received from SCOM.
  4. Look for MaxInboundConnectionPerSource in the overview. Here you will find the current setting.
  5. To adjust the MaxInboundConnectionPerSource, type set-receiveconnector -id "unique receive connector name" -MaxInboundConnectionPerSource 50
     In this case, the MaxInboundConnectionPerSource will be set to 50.

June 8th, 2011 by The Oracle -

This setup was done on Ubuntu Server Lucid. There are a lot of manuals on how to install modsecurity out there, so I am not going to write about how to install it in this post.

1. Enable modsecurity for apache. Check in /etc/apache2/mods-enabled/

Link available mod-security module to mods-enabled folder
# ln -s ../mods-available/mod-security.load mod-security.load

2. Edit file /etc/apache2/mod-security/modsecurity_crs_10_config.conf

Look for this directive and set it to the signature you want Apache to report instead of the real one:
SecServerSignature "It's none of your business"

3. Edit /etc/apache2/conf.d/security

Set ServerTokens to Full (mod_security needs the full original banner to overwrite it in place):
ServerTokens Full

Otherwise you will get this error message when you try to restart the apache service:

[Sun Jun 05 07:58:44 2011] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Sun Jun 05 07:58:44 2011] [notice] Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k Internet Information Services (IIS) configured — resuming normal operations

4. Restart apache service

June 8th, 2011 by The Oracle -

To secure the server you should hide the Apache banner information from being displayed, so that attackers will not find out which version of Apache you are running on your server, which makes it more difficult for them to exploit it.


You can hide the Apache banner by modifying the apache configuration file /etc/httpd/conf/httpd.conf

Change the ServerSignature line to: ServerSignature Off
Change the ServerTokens line to: ServerTokens Prod
Restart Apache: /sbin/service httpd restart

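Both of the Apache posts above come down to the same three directives, and the failure mode from the mod_security post (SecServerSignature set while ServerTokens is not Full) is easy to reintroduce when someone later "hardens" ServerTokens back to Prod. The script below is an added example, not from the original posts: it reads an Apache config file, takes the last uncommented occurrence of each directive (later directives override earlier ones), and reports whether the banner is either minimised (ServerTokens Prod, ServerSignature Off) or overridden by mod_security (SecServerSignature plus ServerTokens Full). The sample config files it writes to a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Audit the effective ServerTokens / ServerSignature / SecServerSignature
# values in an Apache config file. Later directives override earlier ones and
# commented-out lines are ignored, which is what usually trips people up.

# effective_directive NAME FILE -> value of the last uncommented NAME line
effective_directive() {
  sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\)\$/\1/p" "$2" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# apache_banner_audit FILE -> 0 if the banner is minimised or overridden,
# 1 otherwise; prints one line per finding.
apache_banner_audit() {
  cfg="$1"
  tokens=$(effective_directive ServerTokens "$cfg")
  sig=$(effective_directive ServerSignature "$cfg")
  secsig=$(effective_directive SecServerSignature "$cfg")
  ok=0
  if [ "$sig" != "Off" ]; then
    echo "ServerSignature is '${sig:-unset}', should be Off"; ok=1
  fi
  if [ -n "$secsig" ]; then
    # mod_security needs the full original banner to overwrite it in place;
    # anything shorter produces the "original signature too short" error.
    if [ "$tokens" != "Full" ]; then
      echo "SecServerSignature is set but ServerTokens is '${tokens:-unset}', must be Full"; ok=1
    fi
  elif [ "$tokens" != "Prod" ]; then
    echo "ServerTokens is '${tokens:-unset}', should be Prod"; ok=1
  fi
  [ "$ok" -eq 0 ] && echo "banner hardening OK"
  return "$ok"
}

# Constructed sample configs for the demonstration; prints the directory.
make_sample_configs() {
  dir=$(mktemp -d)
  # Distribution default: reveals OS and version.
  printf 'ServerTokens OS\nServerSignature On\n' > "$dir/default.conf"
  # Hardened as in the banner post; the commented line must be ignored.
  printf '# ServerTokens OS\nServerTokens Prod\nServerSignature Off\n' > "$dir/hardened.conf"
  # Fake banner but ServerTokens left at Prod: Apache refuses to start cleanly.
  printf 'ServerTokens Prod\nServerSignature Off\nSecServerSignature "It'"'"'s none of your business"\n' \
    > "$dir/modsec_wrong.conf"
  # Fake banner done right.
  printf 'ServerTokens Full\nServerSignature Off\nSecServerSignature "Private"\n' \
    > "$dir/modsec_ok.conf"
  echo "$dir"
}
```

The audit only reads the one file you hand it; on Debian-style layouts run it against the file that actually carries the directives (for example /etc/apache2/conf.d/security) rather than the top-level httpd.conf, and confirm the result after a restart with `curl -sI http://localhost/ | grep -i '^Server:'`.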

June 8th, 2011 by The Oracle -

Another way to protect your folder from outsiders is to set up authentication with .htaccess and .htpasswd.

This is the standard .htaccess config to require a username and password:

AuthGroupFile /dev/null
AuthName "Closed User Group"
AuthType Basic
AuthUserFile /path_to_htpasswd_file/.htpasswd
require valid-user

Shell command to generate the .htpasswd password file:

htpasswd -bcm .htpasswd user password
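htpasswd -b takes the password on the command line, so it ends up in the shell history and is briefly visible in the process list. The script below is an added example, not from the original post: it produces the same $apr1$ (Apache MD5) entries that `htpasswd -m` writes, using `openssl passwd -apr1` with the password read from stdin, and verifies a candidate password against a stored entry by re-hashing it with the stored salt. The user name alice and the sample password are constructed for the demonstration.

```shell
#!/bin/sh
# Create and verify Apache apr1 (MD5-crypt) .htpasswd entries with openssl,
# reading the password from stdin so it never appears on a command line.

# htpasswd_entry USER  (password on stdin)  -> prints "USER:$apr1$salt$hash"
htpasswd_entry() {
  hash=$(openssl passwd -apr1 -stdin) || return 1
  [ -n "$hash" ] || return 1
  printf '%s:%s\n' "$1" "$hash"
}

# htpasswd_verify FILE USER  (password on stdin)
# -> 0 if USER exists in FILE and the password matches the stored hash
htpasswd_verify() {
  stored=$(grep "^$2:" "$1" | head -n 1 | cut -d: -f2-)
  [ -n "$stored" ] || return 1
  # Stored form is $apr1$<salt>$<hash>; re-hash the candidate with that salt.
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  candidate=$(openssl passwd -apr1 -salt "$salt" -stdin) || return 1
  [ "$candidate" = "$stored" ]
}

# Constructed demo: build a one-user file and print its path.
make_sample_htpasswd() {
  f=$(mktemp)
  printf '%s\n' 'correct horse' | htpasswd_entry alice > "$f"
  echo "$f"
}
```

Usage: `htpasswd_entry alice >> /path_to_htpasswd_file/.htpasswd` and type the password on the next line. Appending with `>>` is the equivalent of running htpasswd without -c; using `>` (or -c) would wipe the existing users, which is the other classic way to lock everyone out.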

April 7th, 2011 by The Oracle -

I was facing this problem when I tried to add a launchpad repository to my Ubuntu source list.

W: GPG error: http://ppa.launchpad.net lucid Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 8F63FC3CB64F0AFA

How to solve this? What I did was:

root# gpg --keyserver keyserver.ubuntu.com --recv 8F63FC3CB64F0AFA
root# gpg --export --armor 8F63FC3CB64F0AFA | sudo apt-key add -

If you are facing this error message when trying to receive the gpg key:

gpg: requesting key B64F0AFA from hkp server keyserver.ubuntu.com
gpgkeys: HTTP fetch error 7: couldn’t connect to host
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Try adding this parameter to the command: --keyserver-options debug

root# gpg --keyserver-options debug --keyserver keyserver.ubuntu.com --recv 8F63FC3CB64F0AFA
gpg: sending key 81611305 to hkp server keyserver.ubuntu.com
gpgkeys: curl version = libcurl/7.19.7 GnuTLS/2.8.5 zlib/1.2.3.3 libidn/1.15
* About to connect() to keyserver.ubuntu.com port 11371 (#0)
*   Trying 91.189.89.49… * Connection timed out
* couldn’t connect to host
* Closing connection #0
gpgkeys: HTTP post error 7: couldn’t connect to host
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

Now you know this process communicates via port 11371. Open this port (outbound TCP 11371 to the keyserver) to get the gpg key.
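An added example, not from the original post: a small shell helper that pulls every key ID out of the NO_PUBKEY warnings in apt output (the sample apt output below is constructed), then fetches each one, falling back to the keyserver's port 80 listener when port 11371 is blocked, and refuses to add the key when its full fingerprint does not match the one you expected from the PPA's Launchpad page. The optional fingerprint argument and the port 80 fallback are assumptions of this example; `apt-key add` is kept because that is what the post uses, but on current Ubuntu releases apt-key is deprecated in favour of keyrings in /etc/apt/trusted.gpg.d or the Signed-By source option.

```shell
#!/bin/sh
# Collect missing apt signing keys from apt output and fetch them safely.

# missing_apt_keys  (apt output on stdin) -> one key ID per line, de-duplicated
missing_apt_keys() {
  sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]\{8,40\}\).*/\1/p' | sort -u
}

# fetch_apt_key KEYID [EXPECTED_FINGERPRINT]
# Tries the HKP port first, then port 80 for networks that block 11371.
# Network access required; not exercised by the offline test.
fetch_apt_key() {
  id="$1"; expected="$2"
  gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys "$id" 2>/dev/null \
    || gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$id" 2>/dev/null \
    || { echo "could not fetch $id" >&2; return 1; }
  if [ -n "$expected" ]; then
    # Only trust the key if its full fingerprint is the one you expected;
    # a short key ID alone is not enough to identify a key.
    fp=$(gpg --with-colons --fingerprint "$id" | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$fp" = "$expected" ] || { echo "fingerprint mismatch for $id" >&2; return 1; }
  fi
  gpg --export --armor "$id" | sudo apt-key add -
}

# Constructed sample of an "apt-get update" run with two missing keys,
# one of them reported twice.
SAMPLE_APT_OUTPUT='Hit http://archive.ubuntu.com lucid Release
W: GPG error: http://ppa.launchpad.net lucid Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 8F63FC3CB64F0AFA
W: GPG error: http://ppa.launchpad.net lucid Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 8F63FC3CB64F0AFA
W: GPG error: http://example.invalid lucid Release: The following signatures could not be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF'

# sample_missing_keys -> the key IDs found in the constructed sample, space separated
sample_missing_keys() {
  printf '%s\n' "$SAMPLE_APT_OUTPUT" | missing_apt_keys | tr '\n' ' '
}
```

Typical use is `apt-get update 2>&1 | missing_apt_keys | while read -r id; do fetch_apt_key "$id"; done`, adding the expected fingerprint as the second argument whenever the repository publishes one.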