2016-11-09

Basic Group Policy Configuration

Group Policy is typically applied to Organizational Units.
Organizational Units have a book icon under "Active Directory Users and Computers"

It is a good idea to separate your Organizational Units into:
  • Computer Policy
  • User Policy
Place user accounts under the Users OU and computers under the Computer OU

OUs are created in the same place you create and manage users.

Go to "Active Directory Users and Computers", right click the domain and click "Create OU"

To manage group policy you go:
Start > Administrative Tools > Group Policy Management
You then drill down the forest to the specific domain you're looking for.

Once you find the OU you're looking for you just right click it and press "Create a GPO in this domain, and Link it here"

You then just give it a name and you'll find it under the OU

To configure the group policy you just created:
  1. Expand the OU you created the Policy for
  2. Find the policy you created, right click it, press "Edit"

Computer Configuration - Is applied to the machine when the computer starts up
User Configuration - Is applied when the user logs in
Policies - Are strictly enforced and the users cannot change the preferences specified
Preferences - Are not strictly enforced and the user can change what is specified

All you do then is expand the policies until you find a policy you would like to modify. Once you find it you will have to enable the policy.


References:
https://www.youtube.com/watch?v=b253bUxZ270
https://www.youtube.com/watch?v=J_bQ4IIp3l8

2016-05-13

Setting IP Address with Network Manager

Most network configuration is now handled through NetworkManager.

It is therefore useful to know how to set up connections using the NetworkManager CLI, "nmcli"

Delete a Connection

First find the connection you want to delete:
nmcli con show

[root@beta-spc ~]# nmcli con show
NAME UUID TYPE DEVICE
eno2 b92a64bd-d6d4-4df4-bb76-bb3d79906ca6 802-3-ethernet --
eno4 de8b37ac-dfbd-4bae-8b16-10ec27f3f8f2 802-3-ethernet --
eno3 d25d0375-742f-4ad0-9510-7f86c3d5c619 802-3-ethernet --
net-eno1 b2eab8d8-c13b-4822-a202-9892c8676a3b 802-3-ethernet eno1

Then delete "net-eno1" so we can re-add it with new settings

nmcli con del b2eab8d8-c13b-4822-a202-9892c8676a3b

Add a new connection

nmcli con add ifname eno1 type ethernet ip4 192.168.249.7/24 gw4 192.168.249.1


Resources:
https://www.certdepot.net/rhel7-configure-ipv4-addresses/

2016-05-10

Collaborative Playlists

This tutorial describes how to create a playlist that can be shared and collaborated on among youtube users.

  1. Login to youtube.com
  2. Search a video you would like to add to your playlist
  3. Click the video you would like to add to the playlist
  4. Click the "Add to" button below the video
  5. Click "Create new playlist" button that comes up
  6. Type a name for the playlist you would like to create and then select "Create"
  7. In the top left of the screen locate the drop-down menu and click it
  8. Find the playlist you just created and click it
  9. Go to "Playlist Settings"
  10. Click on the "Collaborate" tab
  11. Flip the switch that says "Collaborators can add videos to this playlist"
  12. Click the "Get link" button
  13. Copy the link and save it somewhere as you will need it to share with all members who you would like to be able to add videos to your playlist
  14. Select the "Save" button
When users open the link you have shared with them it will display the playlist.

They will be able to add videos using the "Add videos" button located on the top right of the playlist


Resources and other playlist sharing options:
http://techpp.com/2013/01/23/create-share-music-playlists/
http://lifehacker.com/five-best-ways-to-share-playlists-1720065800
https://support.google.com/youtube/answer/6109639?hl=en
http://www.youtubeplaylist.org/
https://m.youtube.com/watch?v=EgjDdhAWBrg
http://www.makeuseof.com/tag/b00mbox-create-youtube-playlists-friends/

2016-01-01

Add and Replace Lines Using Sed

Insert a line after the matched string

sed "/$match/ a $new_line" "$filename"


Insert a line before the matched string

sed "/$match/ i $new_line" "$filename"


Replace the matching line

sed "/$match/ c $replacement_line" "$filename"

The commands are wrapped in double quotes so that the shell expands $match, $new_line, $replacement_line and $filename; inside single quotes sed would receive the literal strings "$match" and "$new_line" and nothing would match. The one-line a/i/c forms are GNU sed syntax. Each command prints the edited text to stdout; add -i to change the file in place.


References:
http://arkit.co.in/linux/sed-command-20-practical-examples/
http://www.grymoire.com/Unix/Sed.html

2015-12-31

Apache Log Analysis

The steps below install and configure GoAccess.
GoAccess is an httpd access-log parser that gives you page-hit statistics and other useful analytics.

Equipment

GoAccess OS: RHEL 7.0
Server OS: FreeBSD 5.4 STABLE
Server Application: Apache/1.3.34 (Unix)

Prerequisites

Install GoAccess

yum -y install goaccess

Ensure you have access to httpd-access.log

Either the live files under /var/log/httpd-access.log
OR
copy the files from a live server: scp /var/log/httpd-access.log $servername:/path/

Configure GoAccess

Open /etc/goaccess.conf and change the three parameters time-format, date-format and log-format to match what I have here (the grep shows the active lines):
grep -E "log-format|time-format|date-format" /etc/goaccess.conf | grep -v "^#"
time-format %H:%M:%S
date-format %d/%b/%Y
log-format %h %l %u %^[%d:%t %^] "%r" %s %b "%R" "%u"

The combined LogFormat in the original httpd.conf looks like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

The important part of this config is that some of the fields Apache adds are ignored.
The brackets before and after the timestamp are skipped with:

%^[
%^]

Note that we also:
  • remove the escapes around \"%r\"
  • change \"%{Referer}i\" to "%R"
  • change \"%{User-Agent}i\" to "%u"
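The field mapping above is easy to get wrong silently, so here is an added Python example (not part of the original post and not GoAccess code) that parses lines written in exactly that combined LogFormat, field by field, and counts hits, status codes and 404s per client. The log lines in SAMPLE_LOG are constructed for the example. A per-client 404 count like this is a cheap way to notice a scanner probing for paths such as /wp-login.php while you are still setting up a full analyzer.

```python
import re
from collections import Counter

# Regex for the Apache "combined" LogFormat shown above:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The [date:time tz] bracket is split the same way the GoAccess format does it.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<date>[^:\]]+):(?P<time>[^ \]]+) (?P<tz>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body
    parts = rec["request"].split(" ")                               # "GET /path HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


# Constructed sample log (documentation-range client addresses), including one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Dec/2015:10:15:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2015:10:15:02 -0500] "GET /admin/login.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
198.51.100.9 - - [23/Dec/2015:10:16:40 -0500] "GET /wp-login.php HTTP/1.1" 404 221 "-" "curl/7.40"
198.51.100.9 - - [23/Dec/2015:10:16:41 -0500] "POST /wp-login.php HTTP/1.1" 404 221 "-" "curl/7.40"
this line is garbage and should be skipped
"""


def summarize(text):
    """Aggregate parsed records: hits per host, status distribution, top paths, 404s per host."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return {
        "parsed": len(records),
        "hits_by_host": Counter(r["host"] for r in records),
        "status_counts": Counter(r["status"] for r in records),
        "top_paths": Counter(r["path"] for r in records).most_common(3),
        "not_found_by_host": Counter(r["host"] for r in records if r["status"] == 404),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Unmatched lines are dropped rather than guessed at, so a count that comes out lower than `wc -l` is the signal that the LogFormat and the parser disagree, which is exactly the mismatch the goaccess.conf edits above are meant to avoid.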

Analyzing Some Logs

Either ensure you are in /var/log/ or copy the files to a directory on your server.

GoAccess supports piping log files in, so we can just run it like this:
bzcat httpd-access.log.* | goaccess
Alternatively, generate an HTML report by redirecting the output to an HTML file:
bzcat httpd-access.log.* | goaccess > report.html

References:
http://webmasters.stackexchange.com/questions/4852/what-is-the-best-apache-logs-analyzer
https://en.wikipedia.org/wiki/List_of_web_analytics_software
http://www.debianhelp.co.uk/analog.htm
http://stackoverflow.com/questions/9234699/understanding-apache-access-log
http://xmodulo.com/interactive-apache-web-server-log-analyzer-linux.html
http://i-heart-geek.blogspot.ca/2011/10/top-command-line-tips-apache-access-log.html

2015-12-23

Finding Friend Safari

For when I can't find all of the pokemon "in game". There is a reddit community specifically for this that is super active.

https://www.reddit.com/r/friendsafari

Differences Between /dev and /sys Directories

I've always been a bit unclear about the differences between the purposes of the directories /dev and /sys.

But this post explains it the most clearly I've ever seen:
http://unix.stackexchange.com/questions/119680/difference-between-dev-and-sys-class

The general idea being that:
  • /dev contains the hardware devices attached to the system; udev is the tool that detects and adds these devices.
  • /sys represents the path by which these physical devices are attached to the system, such as how a device maps to a PCI device path. It is basically a representation of how things are "plugged in".

/proc and /sys have somewhat merged functions, according to this post - http://serverfault.com/questions/65261/linux-proc-sys-kernel-vs-sys-kernel

References:
libudev and Sysfs Tutorial - http://www.signal11.us/oss/udev/

2015-12-12

Kickstart Firewall Configuration

There are a couple of ways to configure the firewall during a CentOS or Red Hat kickstart installation.

Method 1 - Use the firewall command in Kickstart syntax

The firewall command is a supported kickstart command and is basically a wrapper for firewall-offline-cmd, as it uses the same parameters

The following example opens ports 80 and 443 to allow HTTP and HTTPS traffic

firewall --enabled --port 80:tcp,443:tcp


Method 2 - Use the firewall-offline-cmd in the %post section

You can also configure the firewall with firewall-offline-cmd in the %post section of the kickstart file. However, be aware that its syntax differs from the firewall-cmd you may be used to using with firewalld

I do not have an example right now but as far as I am aware the syntax is very similar to the firewall command in method 1

2015-12-07

Clean Console Log Output

The following Perl filter removes colour codes and redraw sequences from captured console output to make console logs more readable.


#!/usr/bin/env perl
# Strip ANSI/VT100 escape sequences and C1 control bytes from each line of input.
while (<>) {
    s/ \e[ #%()*+\-.\/]. |                               # ESC + intermediate + final byte
       (?:\e\[|\x9b) [ -?]* [@-~] |                      # CSI ... Cmd
       (?:\e\]|\x9d) .*? (?:\e\\|[\a\x9c]) |             # OSC ... (ST|BEL)
       (?:\e[P^_]|[\x90\x9e\x9f]) .*? (?:\e\\|\x9c) |    # (DCS|PM|APC) ... ST
       \e.|[\x80-\x9f] //xg;
    print;
}


Usage (with the script saved as an executable named cleanLog):

less /path/to/console.log | cleanLog | less

2015-11-22

Introduction to IPv6

IPv6 Fundamentals

There are only three address types, and IPv6 does not have broadcast addresses:
  • Unicast
  • Multicast
  • Anycast

Broadcast was removed because it is considered a subset of multicast: if every host listens on a specific multicast address, that is essentially the same as a broadcast address.

IPv6 address format

Eight colon-separated 16-bit groups, called hexadectets, hextets or quibbles (quad nibbles)
Each hexadectet holds 16 bits (2^16 values), written as four hex digits

IPv6 Address Space

2^128 addresses
3.4x10^38 addresses (undecillion)

An IPv6 Address

  • represented in hex
  • broken into eight equal parts
  • uses colons as the delimiter
  • text representation defined by RFC 5952
  • each character is 4 bits - a hex digit (nibble)
  • each colon-separated value is 16 bits - a hextet (4 nibbles)

Different textual forms can represent the exact same address; the shorter forms simply compress out runs of zeros.

Special IPv6 Addresses

Unspecified Address
::/128
Counterpart in IPv4 0.0.0.0/32
Function is exactly the same in IPv4 and IPv6

Default Route
::/0
Counterpart in IPv4 0.0.0.0/0

Loopback Address
::1/128
Counterpart in IPv4 127.0.0.1/8

Documentation & Misc.
2001:db8::/32 - reserved for documentation and example addresses (should not be used on real networks)
0100::/64 - discard-only prefix (for null-routing packets)

Transition addresses (IPv4 to IPv6 or IPv6 to IPv4)

::ffff:0:0:0/96
2001::/32
2002::/16
fc00::/7
2001:20::/28
2001:2::/48
64:ff9b::/96


Deprecated address space:

::/96
fec0::/10
3ffe::/16
0200::/7


IPv6 Address Types

Unicast - a single packet is sent to one specific destination
Multicast - a single packet is sent to a multicast address, and the router then replicates it into multiple packets for the group's listeners
Anycast - see below

Unicast Addresses
Global - 2000::/3
Link-Local - fe80::/64
Unique Local - fc00::/7

Multicast Addresses
An address beginning with "ff" is a multicast address
All multicast - ff00::/8
Solicited-node - ff02::1:ff00:0/104
Link-local all-nodes - ff02::1
Every unicast address assigned to an interface has an associated solicited-node multicast address

Anycast Addresses
Anycast addresses are really unicast
You can't tell an Anycast address by looking at it
Think of Anycast as a function of unicast

IPv6 Address Formatting Rules

Hex digits must all be lowercase
Because a colon separates the port number in a URL, an IPv6 address in a URL has to be enclosed in square brackets
Example:
http://[2001:db8:cafe:5150::1]:8080
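As an added example, not from the original post, the Python below (standard-library ipaddress only) normalizes an address to its RFC 5952 text form (lowercase, longest zero run compressed, zone id preserved), wraps it for a URL, and classifies it against the special, transition, deprecated, unicast and multicast prefixes listed above. The prefix table and the standard names in its labels are my own construction for the example; the first matching entry wins, so the table is ordered most specific first.

```python
import ipaddress

# Constructed for the example from the ranges this post lists, most specific first.
# Labels after the colon are the usual RFC names for those ranges.
PREFIX_TABLE = [
    ("::/128",             "unspecified address"),
    ("::1/128",            "loopback address"),
    ("ff02::1/128",        "multicast: link-local all-nodes"),
    ("ff02::1:ff00:0/104", "multicast: solicited-node"),
    ("::ffff:0:0/96",      "transition: IPv4-mapped"),
    ("64:ff9b::/96",       "transition: NAT64 well-known prefix"),
    ("::/96",              "deprecated: IPv4-compatible"),
    ("100::/64",           "discard-only (null route)"),
    ("2001:2::/48",        "benchmarking"),
    ("2001:db8::/32",      "documentation only"),
    ("2001::/32",          "transition: Teredo"),
    ("2001:20::/28",       "ORCHIDv2"),
    ("2002::/16",          "transition: 6to4"),
    ("3ffe::/16",          "deprecated: 6bone"),
    ("fe80::/10",          "link-local unicast"),
    ("fec0::/10",          "deprecated: site-local"),
    ("ff00::/8",           "multicast"),
    ("fc00::/7",           "unique local unicast"),
    ("200::/7",            "deprecated: OSI NSAP-mapped"),
    ("2000::/3",           "global unicast"),
]
NETWORKS = [(ipaddress.IPv6Network(p), name) for p, name in PREFIX_TABLE]


def _split_zone(text):
    """Separate an optional zone id ("%eth0", "%8") from the address part."""
    addr, _, zone = text.partition("%")
    return addr, zone


def canonical(text):
    """RFC 5952 form: lowercase hex, leading zeros dropped, longest zero run as '::'."""
    addr, zone = _split_zone(text)
    out = str(ipaddress.IPv6Address(addr))   # ipaddress already emits the RFC 5952 form
    return f"{out}%{zone}" if zone else out


def is_canonical(text):
    """True only if the text is already written exactly in RFC 5952 form."""
    return text == canonical(text)


def url_literal(text, port):
    """IPv6 literal in a URL must be bracketed so the port's colon is unambiguous."""
    return f"http://[{canonical(text)}]:{port}"


def classify(text):
    """Name the most specific listed prefix containing the address."""
    addr = ipaddress.IPv6Address(_split_zone(text)[0])
    for net, name in NETWORKS:
        if addr in net:
            return name
    return "unassigned / reserved"


if __name__ == "__main__":
    for sample in ["2001:0DB8:0000:0000:0000:0000:0000:0001", "fe80::1%eth0",
                   "ff02::1:ff00:1", "::ffff:192.0.2.1", "3ffe::1", "2600::1"]:
        print(f"{sample:42} -> {canonical(sample):28} {classify(sample)}")
```

Checking `is_canonical` on addresses that arrive in configuration or logs is a useful hygiene step: two strings for the same address that differ only in case or zero compression will defeat naive string comparison in allow-lists and log searches.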

IPv6 Zone ID

Zone IDs make it easier to identify which interface an IPv6 address is tied to
Example:
An IPv6 address is assigned to a host interface
Interface "8" has 2001:db8:cafe:5150::1

To represent a zone ID, use a %

2001:db8:cafe:5150::1%8


Typically the Zone ID will match the interface ID,
so on Linux systems you can have something that looks like:

2001:db8:cafe:5150::1%eth0
2001:db8:cafe:5150::1%eno0

IPv6 Address Usage

Global Unicast Addresses

The total global unicast address space is 2^128 and we're only starting with 1/8 of the total available space when using 2000::/3

The first hextet is in the range 2000-3fff

All of the main IP providers have been given /12 or more to allocate out
2xxx global unicast addresses are being assigned
3xxx had not been assigned as of 2015-11-22

The standard IPv6 prefix for a LAN is a /64

Each such LAN holds the entire IPv4 address space squared: a /64 has 2^64 = (2^32)^2 addresses, i.e. (total IPv4 address space)^2

IANA holds all of the addresses and hands them out to the registries (APNIC, ARIN and RIPE).

So it goes:
1 IANA
2 Registries
3 Organizations, ISPs, etc.

IANA is holding 3000::/4 in reserve as global unicast until we're ready to give out more.

Link-local addresses

Exist on every interface
fe80::/64
Taken from the fe80::/10 range, but only the /64 is used for now
You can't subnet with the /10 since nothing has been coded to do so yet

Link-local addresses are designed to be unique on a single link, much like private subnets that are routed between each other.

Bogon addresses are addresses you would not expect to see on your local segment arriving from the internet.

IPv6 Neighbor Discovery Protocol

Allows hosts to discover other hosts on the same layer 2 Ethernet segment. It uses multicast.
Replaces the function of ARP in IPv4

The IPv6 packet is sent to the destination's solicited-node address

A solicited-node address exists for each IPv6 address on a host.

The solicited-node address is created by appending the last 24 bits of an IPv6 address to another prefix called the "solicited-node prefix"

The solicited-node prefix is: ff02::1:ff00:0/104

Once this solicited-node address is built, the host installs the multicast address on the NIC so that it listens for traffic from other devices and they can discover each other.

Interfaces typically have both a link-local and a global unicast address. If the last 24 bits are the same on both the link-local and the global unicast address, a single solicited-node address is shared by the two.

The Neighbor Discovery Protocol (NDP) uses solicited-node addresses, multicast and ICMPv6 to do its discovery

Building a solicited Node Address
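As an added example, not from the original post, the Python below builds the solicited-node address exactly as described: the low 24 bits of the unicast address appended to ff02::1:ff00:0/104. It also groups a set of addresses by their solicited-node group, showing the case where a link-local and a global address share one group, and goes one step beyond the post by deriving the Ethernet multicast MAC (33:33 plus the group's low 32 bits, per RFC 2464) that the NIC actually listens on. The addresses in the sample are constructed.

```python
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr_text):
    """Solicited-node multicast group for a unicast address: the /104 prefix with the
    low 24 bits of the unicast address appended. A zone id ("%eth0") is ignored."""
    addr = ipaddress.IPv6Address(addr_text.partition("%")[0])
    low24 = int(addr) & 0xFFFFFF
    group = int(SOLICITED_NODE_PREFIX.network_address) | low24
    return str(ipaddress.IPv6Address(group))


def solicited_node_groups(addr_texts):
    """Map each solicited-node group to the unicast addresses that share it."""
    groups = {}
    for text in addr_texts:
        groups.setdefault(solicited_node(text), []).append(text)
    return groups


def is_solicited_node(group_text):
    """True if the address falls inside the solicited-node prefix."""
    return ipaddress.IPv6Address(group_text) in SOLICITED_NODE_PREFIX


def ethernet_multicast_mac(group_text):
    """RFC 2464 mapping: IPv6 multicast group -> MAC 33:33 followed by the group's low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group_text)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    # Constructed: one interface with a link-local and a global address that share their
    # low 24 bits (same EUI-64 suffix), plus a second global address that does not.
    interface = ["fe80::211:22ff:fe33:4455", "2001:db8::211:22ff:fe33:4455", "2001:db8::1"]
    for group, members in solicited_node_groups(interface).items():
        print(f"{group:22} {ethernet_multicast_mac(group)}  {members}")
```

The grouping is what a host's NIC filter looks like: two addresses with the same low 24 bits cost one multicast group and one 33:33 MAC, not two, which is why SLAAC-derived link-local and global addresses on the same interface usually share a single solicited-node subscription.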



Because IPv6 addresses are so hard to remember, there are two protocols that provide link-local name resolution over multicast:
mDNS - mainly used by Apple - ff02::fb
LLMNR (Link Local Multicast Name Resolution) - mainly used by Microsoft - ff02::1:3

The multicast equivalent of an IPv4 broadcast is ff02::1: sending packets to this address is pretty much the equivalent of sending a broadcast to the entire local network segment at layer 2.

IPv6 Anycast Addresses Use Cases

Typically requires a routing protocol to inject routes

A source wants to talk to the anycast address 2001:db8::1
Routers control the propagation of the anycast address throughout the network.
The servers themselves inject information into the router to let it know their status/availability. The routers then communicate this availability to the rest of the routers in the network.
The routers also know which machine has the lowest cost or will be quickest to reach, through the magic of routing.


ICMPv6


What is ICMPv6

Similar function as ICMP
Foundational level protocol - just as fundamental as IPv6
Provides info about the health of the network

ICMPv6 Protocol Details

Used to report errors and messages - It is not possible for IPv6 to operate without ICMPv6

Main Message Types:
Error
Informational

The Type and Code fields are different from those in ICMP

The message body only provides additional verbose output for the error and informational codes.

Why ICMPv6

If there is a problem delivering or forwarding a payload, ICMPv6 is used to send the error message

The combination of type and code tells you what is happening.

Ping and traceroute work the same way.

ICMPv6 Path MTU Discovery

When a router finds that the MTU of its outbound interface is smaller than the packet it is about to forward, it sends back an "ICMPv6 Packet Too Big" message and does not attempt to fragment.


A useful tool called "mtupath" will tell you the MTU along a path

Windows:

mtupath -6 $ipAddress


Neighbor discovery
Linux

ndisc6

Allows you to discover devices on the same link using ICMPv6 neighbor discovery.

IPv6 Prefix Notation


Counting in hex gives us our subnet mask bits, since each character of the address is one hex digit: a nibble, 0000 through 1111 in binary or 0-9 and a-f in hex.


Typically /64s are used for local segments.

However, providers will typically allocate a /48, giving you 16 bits to "subnet" with (2^16 = 65,536 /64 networks).


Subnetting Best Practices

Use natural nibble boundaries (count in increments of 4 bits when selecting subnet sizes, e.g. /60, /56, /52)

Prefix Policy Table

Defines how IPv6 packets are routed out of an interface

Gives precedence to some local prefixes over global ones

IPv6 and DNS

New record type
AAAA - resolves to an IPv6 address

A = 32-bit record
AAAA = (A*4) = 32*4 = 128 bits

Reverse DNS record
PTR - points into ip6.arpa

Whereas in IPv4:
PTR - points into in-addr.arpa
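Tying the subnetting advice above to the DNS section, as an added Python example (not from the original post): it builds ip6.arpa and in-addr.arpa PTR names by hand (32 nibbles reversed, versus 4 octets reversed), derives the reverse zone for a delegated prefix, and carves a /48 into nibble-aligned subnets. Because every ip6.arpa label is one nibble, a prefix whose length is not a multiple of 4 has no clean reverse zone, which is the practical reason to stay on nibble boundaries; the prefix 2001:db8:1::/48 is a constructed documentation-range example.

```python
import ipaddress


def ip6_arpa_name(addr_text):
    """PTR owner name for one address: 32 hex nibbles, reversed, dot-separated, under ip6.arpa."""
    addr = ipaddress.IPv6Address(addr_text)
    nibbles = addr.exploded.replace(":", "")      # 32 lowercase hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def in_addr_arpa_name(addr_text):
    """The IPv4 counterpart for comparison: 4 octets reversed under in-addr.arpa."""
    addr = ipaddress.IPv4Address(addr_text)
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def ip6_arpa_zone(prefix_text):
    """Reverse zone for a delegated prefix. Each ip6.arpa label is one nibble, so only
    nibble-aligned prefixes (/48, /52, /56, /60, /64, ...) map onto a whole zone."""
    net = ipaddress.IPv6Network(prefix_text)
    if net.prefixlen % 4:
        raise ValueError(f"{net} is not on a nibble boundary; no clean reverse zone")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def subnet_plan(prefix_text, new_prefixlen):
    """Carve a delegation into nibble-aligned subnets and report the resulting plan."""
    net = ipaddress.IPv6Network(prefix_text)
    if new_prefixlen % 4 or new_prefixlen <= net.prefixlen:
        raise ValueError("new prefix length must be a multiple of 4 longer than the parent")
    subnets = list(net.subnets(new_prefix=new_prefixlen))
    return {
        "count": len(subnets),
        "first": str(subnets[0]),
        "last": str(subnets[-1]),
        "zone_of_first": ip6_arpa_zone(str(subnets[0])),
        # 1-based position of the hex digit (in the expanded address) that differs between subnets
        "hex_digit_that_changes": new_prefixlen // 4,
    }


if __name__ == "__main__":
    print(ip6_arpa_name("2001:db8::1"))
    print(in_addr_arpa_name("192.0.2.10"))
    print(ip6_arpa_zone("2001:db8:1::/48"))
    print(subnet_plan("2001:db8:1::/48", 52))
```

Splitting a /48 into /52s changes exactly one hex digit (the 13th), so each subnet is one label deeper in the reverse tree and can be delegated to a different nameserver without any of the overlapping-zone tricks that a /50 or /51 would need.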



Router Advertisements

A method of dynamically discovering local neighbors and adding routes/default gateways


Essentially an automatic way to get a default gateway

Once you set up an IPv6 address on Cisco IOS it will send out RAs by default unless you specify otherwise.

DHCPv6 does not provide default gateway information, so RAs are required to distribute it.

Preference values are defined to break ties if there are multiple routers on a local LAN segment.

Failover can take some time because RAs are transmitted at regular defined intervals, so it is recommended to use VRRP or another HA technology to make multiple default gateways highly available.

What are the use cases of RAs?

Obtain the default gateway
Learn DNS info
Determine whether SLAAC, DHCPv6 or both are used
Learn which global unicast or ULA prefix to use on that interface

IPv6 Neighbor Discovery



Neighbor Solicitations and Advertisements perform the same function as IPv4 ARP

The Inverse Neighbor Discovery (IND) protocol functions like IPv4 Reverse ARP

IPv6 and ethernet

New EtherType
IPv4 0x0800
IPv6 0x86DD

Jumbograms are an IPv6 feature that allows the payload length to exceed the normal IP MTU limit; they are purely a Layer 3 function.