I've been looking for an open CMS system, as an alternative to Sharepoint. Only thing I've found so far is:
http://typo3.com/
Wednesday, 30 September 2009
Tuesday, 29 September 2009
Exchange 2007 - spam from your own domain
Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else in your domain. Unfortunately SMTP, the protocol that mail clients and servers use to exchange email, allows headers to be spoofed easily.
In Exchange 2007, Accepted Domains tell Exchange which domains to accept email for. If a domain (e12labs.com in this example) exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL FROM (envelope) or From: (message) header.
You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.
Thanks to the extensive Transport Permissions model in Exchange 2007, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission which dictates whether an Accepted Domain can be used in the MAIL or FROM headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission assigned to them.
Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:
220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Wed, 3 Sep 2008 06:22:43 -0700
helo
250 E12Postcard.e12labs.com Hello [172.31.0.170]
mail from:jadams@e12labs.com
550 5.7.1 Client does not have permissions to send as this sender
Exchange stopped spoofing of P1/envelope headers. Let’s continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) – maybe that’ll work!
mail from:someone@someotherdomain.com
250 2.1.0 Sender OK
rcpt to:jadams@e12labs.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
from:jadams@e12labs.com
subject: Header spoofing
This is how we spoof headers, spoof headers.
.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel
Setup SSH without a password
Using the steps below, you can ssh from the client to the server without entering any password.
The machine which runs the ssh command is the client.
The machine that the client accesses using ssh is the server.
Method 1, copying the key by hand:
- Run the following command on the client
- -> ssh-keygen -t dsa
- The files id_dsa and id_dsa.pub will be created inside $HOME/.ssh
- Copy id_dsa.pub to the server's .ssh directory
- -> scp $HOME/.ssh/id_dsa.pub user@server:/home/user/.ssh
- On the server, change to /home/user/.ssh and append the content of id_dsa.pub (the public key, never the private id_dsa) to the file authorized_keys
- -> cd /home/user/.ssh
- -> cat id_dsa.pub >> authorized_keys
- Try to ssh to the server from the client; no password will be needed
- -> ssh user@server
Method 2, using ssh-copy-id:
- Run the following command on the client
- -> ssh-keygen -t dsa
- The files id_dsa and id_dsa.pub will be created inside $HOME/.ssh
- Copy id_dsa.pub to the server's .ssh directory
- -> ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
- Try to ssh to the server from the client; no password will be needed
- -> ssh user@server
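As an added example (not from the original post), here is the server-side half of method 1 as a small POSIX shell script. It does what ssh-copy-id does for you in method 2, plus two checks worth having when you do it by hand: it refuses to append anything that is not a public key (so the private key cannot end up in authorized_keys), and it sets the 700/600 permissions that sshd requires before it will trust the file. The key line and paths used in the comments are constructed; the key type is ed25519 rather than the post's dsa because current OpenSSH releases disable ssh-dss keys by default.

```shell
#!/bin/sh
# Added example, not part of the original post.
# install_pubkey PUBKEY_FILE SSH_DIR
#   e.g. install_pubkey /home/user/.ssh/id_ed25519.pub /home/user/.ssh
set -u

# Return 0 if the file looks like a single-line OpenSSH public key, 1 otherwise.
# A private key starts with "-----BEGIN", so it is rejected here.
is_public_key() {
    key_file=$1
    [ -f "$key_file" ] || return 1
    case "$(head -n 1 "$key_file")" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"ssh-dss "*|"sk-"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the key to SSH_DIR/authorized_keys once (running it twice does not
# duplicate the line) and set the permissions sshd checks under StrictModes:
# 700 on .ssh and 600 on authorized_keys. Looser modes make sshd ignore the
# file and fall back to asking for a password.
install_pubkey() {
    key_file=$1
    ssh_dir=$2
    is_public_key "$key_file" || { echo "refusing: $key_file is not a public key" >&2; return 1; }
    key_line=$(head -n 1 "$key_file")
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # Exact, fixed-string line match so an already installed key is skipped.
    if ! grep -qxF "$key_line" "$auth"; then
        printf '%s\n' "$key_line" >> "$auth"
    fi
    return 0
}

# Number of keys currently in SSH_DIR/authorized_keys (0 if the file is missing).
count_keys() {
    if [ -f "$1/authorized_keys" ]; then
        grep -c '^[a-z]' "$1/authorized_keys" || true
    else
        echo 0
    fi
}
```

After running it, `ssh -v user@server` shows "Authentications that can continue: publickey" and then "Offering public key" if the client picked up the matching private key.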
Install LAMP stack on openSUSE 11
Install & Configure Apache2 Webserver
Install Apache webserver
opensuse11:~ # yast2 --install apache2
This should install the Apache webserver. To check, try the following command:
opensuse11:~ # rcapache2 status
Checking for httpd2: unused
That tells you the Apache webserver is installed but just not started yet.
To test if the webserver serves pages, add a file index.html into the /srv/www/htdocs/ directory. This is the default web root directory for Apache on your system.
Add some text to the html file to say "Hello World!"
Start Apache2 Webserver
Now start the Apache 2 webserver so we can check if it works OK.
opensuse11:~ # rcapache2 start
Starting httpd2 (prefork) done
Now open a web browser like Firefox and go to http://localhost and you should see the text you entered (here "Hello World!").
Let's proceed to install PHP5.
Install PHP5
opensuse11:~ # yast2 --install php5 php5-mysql apache2-mod_php5
This should install PHP5, the PHP5-MySQL module and the Apache2 PHP5 module.
For Apache2 to enable the PHP5 module, restart it for the changes to take effect.
opensuse11:~ # rcapache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork) done
Install & configure MySQL
opensuse11:~ # yast2 --install mysql mysql-tools
This should install the MySQL database server and, optionally, mysql-tools (for administration) on your openSUSE. To check the installation, run the following command:
opensuse11:~ # rcmysql status
Checking for service MySQL: unused
The above indicates that the MySQL server is installed but not started yet.
Start MySQL Server
opensuse11:~ # rcmysql start
Starting service MySQL done
By default there is no root password set for MySQL and it is important to set the password for the root account.
Set Root Password
opensuse11:~ # mysqladmin -h localhost -u root password rootpassword
This sets the root password to "rootpassword". Set the password to something more appropriate.
To check that the root password is set and the MySQL client can log on to the MySQL server, try the following:
opensuse11:~ # mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.51a SUSE MySQL RPM
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.04 sec)
mysql>
In the above, I used the mysql client to log on as root, entered the password and listed the databases. That completes the installation of LAMP on openSUSE 11.0.
To administer the MySQL database, the easiest and most popular tool is phpMyAdmin. Given that we have covered the PHP5 and Apache2 setup here, which phpMyAdmin requires, it makes sense to look at quickly setting up and configuring phpMyAdmin.
Install phpMyAdmin
opensuse11:~ # yast2 --install phpMyAdmin
This installs phpMyAdmin and sets up a website in the /srv/www/htdocs/phpMyAdmin directory. Change directory and use the sample config file to quickly set up phpMyAdmin.
opensuse11:~ # cd /srv/www/htdocs/phpMyAdmin
opensuse11:~ # cp config.sample.inc.php config.inc.php
Edit the file and look for the blowfish secret line. Enter a value for the blowfish secret (I've set it to mysqladmin here):
$cfg['blowfish_secret'] = 'mysqladmin';
That's done and has the default configs on it. Log on to phpMyAdmin at http://localhost/phpMyAdmin with the MySQL root username and password.
How to recover from linux disk errors
Run the following command on the offending disk (this needs to be done from a boot CD):
fsck
i.e. fsck /dev/hda2
If fsck reports superblock errors then dump out the superblock info:
dumpe2fs /dev/hda2 | grep superblock
Once you get the output from this, pass a backup superblock back to the device:
fsck -b XXXXX /dev/hda2 (where XXXXX is the backup superblock number and /dev/hda2 is the device)
If none of these work, create a bit-for-bit copy of the drive with dd:
dd if=/dev/hda of=/mnt/recovery/hdimage.dd
Then run fsck on the image:
fsck /mnt/recovery/hdimage.dd
Then mount the image as a loopback device:
mount -o loop /mnt/recovery/hdimage.dd /mnt/hdimage
Then look at the mounted hdimage mount to see if data is there.
You can also use the Foremost data carving app available from:
http://foremost.sourceforge.net
Example – foremost hdimage.dd
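As an added example (not part of the original post), the superblock step above scripted: it pulls the backup superblock numbers out of `dumpe2fs` output and tries each one with `fsck -b` until one is accepted, instead of copying a number by hand. The `dumpe2fs` sample below is constructed to look like the real output for an ext3 filesystem; the `FSCK` variable exists so the loop can be dry-run without e2fsprogs. Two points the one-liner on the page glosses over: `grep superblock` also matches the "Primary superblock at 0" line, and block 0 is exactly the one that is already damaged, so only "Backup superblock" lines are used; and if you imaged the whole disk (/dev/hda) rather than the partition (/dev/hda2), fsck has to be pointed at the partition offset inside the image, not at the image start.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes an ext2/3/4
# filesystem and e2fsprogs for real use; FSCK is overridable for dry runs.
set -u
FSCK=${FSCK:-fsck}

# Read dumpe2fs output on stdin and print backup superblock block numbers,
# one per line. Only "Backup superblock" lines count (see note above).
backup_superblocks() {
    sed -n 's/^ *Backup superblock at \([0-9][0-9]*\),.*/\1/p'
}

# Try fsck -b with each candidate in turn and stop at the first one fsck
# accepts. Prints the superblock that worked; returns 1 if none did.
# $1 = device or image file, stdin = dumpe2fs output.
fsck_with_backup_superblock() {
    dev=$1
    for sb in $(backup_superblocks); do
        if "$FSCK" -b "$sb" -y "$dev" >/dev/null 2>&1; then
            echo "$sb"
            return 0
        fi
    done
    return 1
}

# Constructed sample of what "dumpe2fs /dev/hda2 | grep superblock" prints
# for a filesystem with sparse superblocks (groups 0, 1, 3, 5, ...).
SAMPLE_DUMPE2FS='  Primary superblock at 0, Group descriptors at 1-1
  Backup superblock at 32768, Group descriptors at 32769-32769
  Backup superblock at 98304, Group descriptors at 98305-98305
  Backup superblock at 163840, Group descriptors at 163841-163841'

# Real use (needs e2fsprogs; the device or image is read, never guessed):
#   dumpe2fs /mnt/recovery/hdimage.dd | fsck_with_backup_superblock /mnt/recovery/hdimage.dd
# Demo on the constructed sample: list the candidates.
printf '%s\n' "$SAMPLE_DUMPE2FS" | backup_superblocks
```

Run it against a copy of the image, not the original disk: `fsck -y` writes repairs, and the dd image is the only thing that lets you start over if the repair makes matters worse.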
HP Mini 5101
Got myself an HP 5101. Out of the box it comes pre-loaded with Win XP. This lasted approximately 3 weeks before it got infected! So out goes Windows and in comes something else, so far I've tried:
- Moblin 2.0 - great interface but couldn't get wireless working, will have to revisit
- Linux Mint 7 - installed OK but failed to boot, couldn't see SDA!
Next on the list to try is:
- Ubuntu 9.04 remix - might be OK
- OpenSuse 11.1 - seeing as HP can ship the 5101 with SLED then this might just work OK!
It is a great device but shows fingerprints horribly, also the battery isn't as good as I expected.
Monday, 28 September 2009
AD - DC command line tools
Find number of login attempts
nltest /server:servername /logon_query
Find global catalogue servers
dsquery server -forest -isgc
Find FSMO role owners
netdom query fsmo
Check Microsoft Active Directory for duplicate SIDs
From the command prompt of a Windows DC:
ntdsutil "sec acc man" "co to se rwsmhdc" "check dup sid" q q
The log will be created in the folder you ran the command from.
Exchange 2007 autodiscovery
In order to use Outlook Anywhere (2007) and keep Out of Office functionality working, you will need to set up the Autodiscover service on your Exchange 2007 box.
To be able to use Out of Office in Outlook Anywhere:
Add an external DNS entry called autodiscover.yourdomain.com pointing at the external IP of your Exchange server (x.x.x.x)
Add an internal DNS A record for autodiscover.yourdomain.com
Check to make sure that there is an Autodiscover entry in IIS on the Exchange server
Upgrade your SSL certificate to a UC type that allows multiple names. Add autodiscover.yourdomain.com as one of the new names.
Linux DD command
The 'dd' command is one of the original Unix utilities and should be in everyone's tool box. It can strip headers, extract parts of binary files and write into the middle of floppy disks; it is used by the Linux kernel Makefiles to make boot images. It can be used to copy and convert magnetic tape formats, convert between ASCII and EBCDIC, swap bytes, and force to upper and lower case.
For blocked I/O, the dd command has no competition in the standard tool set. One could write a custom utility to do specific I/O or formatting but, as dd is already available almost everywhere, it makes sense to use it.
Like most well-behaved commands, dd reads from its standard input and writes to its standard output, unless a command line specification has been given. This allows dd to be used in pipes, and remotely with the rsh remote shell command.
Unlike most commands, dd uses a keyword=value format for its parameters. This was reputedly modeled after IBM System/360 JCL, which had an elaborate DD 'Dataset Definition' specification for I/O devices. A complete listing of all keywords is available from GNU dd with:
# dd --help
For more options check the dd man page.
Using dd you can create backups of an entire hard disk or just parts of it. This is also useful to quickly copy installations to similar machines. It will only work on disks that are exactly the same in disk geometry, meaning they have to be the same model from the same brand.
Full hard disk copy
dd if=/dev/hdx of=/dev/hdy
dd if=/dev/hdx of=/path/to/image
dd if=/dev/hdx | gzip > /path/to/image.gz
hdx could be hda, hdb etc. In the last example gzip is used to compress the image if it is really just a backup.
Restore backup of hard disk copy
dd if=/path/to/image of=/dev/hdx
gzip -dc /path/to/image.gz | dd of=/dev/hdx
MBR backup
In order to back up only the first few bytes containing the MBR and the partition table you can use dd as well:
dd if=/dev/hdx of=/path/to/image count=1 bs=512
MBR restore
dd if=/path/to/image of=/dev/hdx
Add "count=1 bs=446" to exclude the partition table from being written to disk. You can manually restore the table.
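As an added example (not from the original post), the MBR backup and restore above exercised against a constructed image file instead of a real disk, so the 446/64/2 byte boundaries can be checked rather than taken on trust. The layout assumed is the classic MBR: 446 bytes of boot code, 64 bytes of partition table (four 16-byte entries), then the 0x55 0xAA signature. The one thing the page's restore line needs when the target is a file rather than a block device is `conv=notrunc`; without it dd truncates the image to the 446 bytes it wrote. On a real disk it changes nothing, so it is safe to always include.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes dd, od, head and tr.
set -u

# Build a throwaway "disk": 446 'B' bytes (boot code), 64 'P' bytes
# (partition table), the 0x55AA signature, then 512 'D' bytes of data.
make_fake_disk() {
    disk=$1
    {
        head -c 446 /dev/zero | tr '\0' 'B'
        head -c 64 /dev/zero | tr '\0' 'P'
        printf '\125\252'
        head -c 512 /dev/zero | tr '\0' 'D'
    } > "$disk"
}

# Full MBR backup, exactly as in the post: the first 512 bytes.
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Restore only the boot code (bs=446 count=1), leaving the partition
# table and signature on the disk untouched.
restore_bootcode() {
    dd if="$1" of="$2" bs=446 count=1 conv=notrunc 2>/dev/null
}

# Hex dump of a byte range, to compare regions before and after a restore.
region_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
bootcode_hex()  { region_hex "$1" 0   446; }
parttable_hex() { region_hex "$1" 446 64;  }
signature_hex() { region_hex "$1" 510 2;   }

# Overwrite $3 bytes at offset $2 with the byte $4, simulating boot sector
# damage or a repartition done after the backup was taken.
fill_region() {
    head -c "$3" /dev/zero | tr '\0' "$4" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}
```

The check that matters is the last one in the usage: after `restore_bootcode`, the boot code is back to what was backed up while the partition table still holds whatever was written after the backup, which is the behaviour the page describes for `count=1 bs=446`.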
Linux Mint 7
I've recently switched my desktop OS to Mint 7 (gnome) from Ubuntu. When used with the EXT4 partition boot times are very quick indeed. Also not having to load all the CODECS is a godsend.
Backing up a linux folder to a Windows share
On your distro make sure you have the mount.cifs package installed, then create a cron job to mount the remote Windows share on your linux box and rsync the data to it, before finally unmounting the Windows share:
# mount the remote Windows share first, using a windows user with full read/write rights
/sbin/mount.cifs //windows_server/windows_volume /windows_share -o user=somewindowsuser,password=cheese,dom=awindowsdomain
# rsync a local linux folder to the windows share - this is ubuntu so I had to use sudo
sudo rsync -a -v -z /mylocallinuxfoldertobackup/ /windows_share/LinuxBackup/
# unmount the windows share (pass the mount point, not the server name)
/sbin/umount.cifs /windows_share
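As an added example (not the post's own script), the same mount, rsync, unmount job written the way I would hand it to cron. Two changes from the lines above: the share password goes into a root-only credentials file that mount.cifs reads via `credentials=FILE` (the `password=` option on the command line is visible to every user in `ps` output and ends up in shell history), and rsync only runs if the mount succeeded, so a failed mount cannot leave rsync quietly filling the empty local mount point directory. Server, share and path names are assumptions; `MOUNT` and `UMOUNT` are overridable so the flow can be dry-run.

```shell
#!/bin/sh
# Added example, not part of the original post.
# cron entry (assumed): 0 2 * * * /usr/local/sbin/cifs-backup.sh
set -u
MOUNT=${MOUNT:-/sbin/mount.cifs}
UMOUNT=${UMOUNT:-/sbin/umount.cifs}   # plain umount works as well

# Write a mount.cifs credentials file (username=/password=/domain= lines)
# that only root can read. Done in a subshell so the umask change does not
# leak into the rest of the script.
write_cifs_credentials() {
    cred=$1; user=$2; pass=$3; dom=$4
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pass" "$dom" > "$cred" )
    chmod 600 "$cred"
}

# Mount the share, rsync the source into it, then unmount. Nothing is
# copied unless the mount command itself reported success.
# $1 = //server/share  $2 = local mount point  $3 = source dir  $4 = credentials file
backup_to_share() {
    share=$1; mnt=$2; src=$3; cred=$4
    mkdir -p "$mnt"
    if ! "$MOUNT" "$share" "$mnt" -o "credentials=$cred"; then
        echo "mount of $share on $mnt failed; nothing copied" >&2
        return 1
    fi
    # Trailing slash on the source copies its contents, not the directory itself.
    rsync -a -v -z "${src%/}/" "$mnt/LinuxBackup/"
    rc=$?
    "$UMOUNT" "$mnt"
    return $rc
}

# Real use (run as root once to create the file, then from cron):
#   write_cifs_credentials /etc/cifs-backup.cred somewindowsuser 'cheese' awindowsdomain
#   backup_to_share //windows_server/windows_volume /windows_share /mylocallinuxfoldertobackup /etc/cifs-backup.cred
```

The Windows account in the credentials file only needs change rights on the target folder of the share; it should not be a domain admin, since the file sits in clear text on the Linux box.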
Windows Login script code
Connect a printer from a login script
rundll32 printui.dll,PrintUIEntry /in /n \\printserver\hp5500
Create section labels in your script
With these you can make your script easier to read and control the flow of actions.
Labels have the following syntax:
:label1
When you want to move to that section in a script, use the goto command with the label, i.e.:
goto label1
Applying Registry Changes
If you have a number of registry changes that you want to make on all machines, perhaps to implement a certain setting, then the login script can do this for you.
Simply export the relevant settings into a .reg file as normal. Then place this .reg file in the usual login script location and enter the following command into your login script:
%systemroot%\regedit /s .reg
This will import the registry file silently each time the user logs in.