Wednesday, October 26, 2016

Windows 2012 R2 - File Backup

I need to back up the files on my Windows 2012 R2 server to an external drive. I also need this done on a regular basis, with an email report sent to me after the job finishes.

First, I create a batch file, called backup.bat, with the content:

@echo off
REM Mirror each source folder to the external drive. /MIR also deletes files
REM on V: that no longer exist at the source, so the copy is exact.
robocopy H:\Home V:\Home /MIR /R:1 /W:1 /LOG:V:\Home.txt
robocopy K:\Documents V:\Documents /MIR /R:1 /W:1 /LOG:V:\Documents.txt
REM Join the two robocopy logs into one file for the email report
copy /b V:\Documents.txt +V:\Home.txt V:\Backup.txt

The last line joins the two log files into a single file, Backup.txt.

Schedule this daily with the Windows Task Scheduler, with the following action:

Start a Program: cmd.exe
Add arguments: /c D:\scripts\backup.bat

That takes care of the backup job.

Now, the email bit. I create a PowerShell script, called email.ps1, with the content:

function sendMail {

    Write-Host "Sending Email"

    # SMTP server name
    $smtpServer = "smtprelay.domain.local"

    # Create the mail message object
    $msg = New-Object Net.Mail.MailMessage

    # Create the SMTP client object
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    # Email structure
    $msg.From = "backup@mydomain.id.au"
    $msg.ReplyTo = "backup@mydomain.id.au"
    $msg.To.Add("me@mydomain.id.au")
    $msg.Subject = "Backup Email - Daily"
    $msg.Body = "Backup Email - Daily"
    $attachment = New-Object System.Net.Mail.Attachment("V:\Backup.txt", 'text/plain')
    $msg.Attachments.Add($attachment)

    # Send the email
    $smtp.Send($msg)
}

# Call the function
sendMail

The PowerShell script attaches Backup.txt and sends it.
On the same scheduled job created earlier, add a second action:

Start a Program: powershell
Add arguments: D:\scripts\email.ps1

Done. The second action runs once the first action has finished, so it picks up the fresh log and attaches it to the email.

Friday, September 30, 2016

Westpac CISO Award

I got the CISO Award!! It was a surprise for me, having been with the Westpac Security team for only 8 months.

Tuesday, September 06, 2016

Monday, August 01, 2016

OwnCloud Manual Upgrade

I adapted the steps below from the manual WordPress upgrade procedure and tweaked them for manually upgrading OwnCloud:

Backup
Navigate to your OwnCloud location and run the following to back up your OwnCloud installation.

rsync -a owncloud/ owncloud.backup/

Download Latest OwnCloud

wget https://download.owncloud.org/community/owncloud-9.1.1.tar.bz2

Replace the link with the latest .tar.bz2 release.

Extract the Package

bzip2 -d owncloud-9.1.1.tar.bz2
tar xvf owncloud-9.1.1.tar

This creates an "owncloud" directory.

Copy the Updated Files

rsync -rtv new_path_version/owncloud/ old_path_version/owncloud/

This syncs every file that has changed in the new version's location into the old location.

Navigate to The Site

Load the site and it will ask you to upgrade the database. Don't do it through the UI; do it manually.

Database Upgrade Manually

Run the following commands from the "owncloud" directory.

To test the database upgrade:

sudo -u www-data php occ upgrade --dry-run -v

To execute the database upgrade:

sudo -u www-data php occ upgrade -v
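The steps above as one script, added here as an example and not taken from the post or from ownCloud's own tooling. It keeps the post's order (back up, overlay the new release, run occ) but adds the safeguards a practitioner wants: the backup gets a date suffix and refuses to overwrite an earlier one, the overlay skips config/ and data/ so config.php and user files cannot be clobbered, and occ runs with --dry-run before the real upgrade. The overlay uses cp -Rp rather than the post's rsync -rtv, the 9.0.0/9.1.1 sample trees are constructed, and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the original post: the manual ownCloud upgrade
# with safety steps. Assumptions of this script, not the page's: dated backup
# that refuses to overwrite, cp -Rp overlay instead of rsync -rtv that skips
# config/ and data/, and an occ dry run before the real upgrade. The sample
# directory trees built by make_samples are constructed.
set -eu

# Copy INSTALL to INSTALL.backup-YYYYMMDD and print that path.
backup_install() {  # install_dir
    dest="$1.backup-$(date +%Y%m%d)"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing backup $dest" >&2
        return 1
    fi
    cp -Rp "$1" "$dest"
    echo "$dest"
}

# Overlay every top-level entry of RELEASE onto INSTALL except config/ and
# data/. cp -Rp merges directories that already exist and overwrites files.
overlay_release() {  # release_dir install_dir
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue           # unmatched glob (e.g. no dotfiles)
        case "${entry##*/}" in config|data) continue ;; esac
        cp -Rp "$entry" "$2/"
    done
}

# Run the occ upgrade as the web server user, dry run first; the real
# upgrade only runs if the dry run exits 0.
upgrade_database() {  # install_dir [web_user]
    (cd "$1" &&
        sudo -u "${2:-www-data}" php occ upgrade --dry-run -v &&
        sudo -u "${2:-www-data}" php occ upgrade -v)
}

# Constructed sample: a live 9.0.0 install with a config.php and user data,
# and an extracted 9.1.1 release beside it.
make_samples() {  # base_dir
    mkdir -p "$1/owncloud/config" "$1/owncloud/data/alice" \
             "$1/new/owncloud/config" "$1/new/owncloud/core"
    echo "9.0.0" > "$1/owncloud/version.php"
    echo "live config" > "$1/owncloud/config/config.php"
    echo "user file" > "$1/owncloud/data/alice/notes.txt"
    echo "9.1.1" > "$1/new/owncloud/version.php"
    echo "sample config" > "$1/new/owncloud/config/config.sample.php"
    echo "new code" > "$1/new/owncloud/core/app.js"
}

# Stand-alone demo on the constructed trees (no occ, no sudo needed).
demo=$(mktemp -d)
make_samples "$demo"
backup=$(backup_install "$demo/owncloud")
overlay_release "$demo/new/owncloud" "$demo/owncloud"
echo "backup at $backup; live install is now $(cat "$demo/owncloud/version.php")"
rm -rf "$demo"
# On a real server, finish with: upgrade_database /path/to/owncloud
```

Download and extract the release as in the post, then run backup_install and overlay_release against the live directory and finish with upgrade_database pointed at the install (the demo path is a placeholder). Because config/ is skipped, anything new in config.sample.php has to be merged into config.php by hand.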

Wednesday, July 13, 2016

Dynamic DNS for Ubuntu

I am using opendns.com to protect my network at home. My IP isn't static, so I need a way to update opendns.com with my IP whenever it changes.

I am running Ubuntu, so let's start by installing ddclient:

sudo apt-get install ddclient

Then edit ddclient.conf:

sudo vi /etc/ddclient.conf

I use the following config:

use=web, web=myip.dnsomatic.com
ssl=yes
server=updates.opendns.com
protocol=dyndns2
login=<open-dns-username>
password=<open-dns-password>
<open-dns-label>

Wednesday, June 22, 2016

Ubuntu Apt-Get Proxy

To route Ubuntu's apt-get connections through your proxy, do the following:

sudo vi /etc/apt/apt.conf

Add the following line:

Acquire::http::Proxy "http://yourproxy.tld:port";

Save and fire away.

Monday, May 16, 2016

PowerShell - Mount BitLocker Encrypted VHD

If you have a BitLocker-encrypted .VHD file and would like to mount it using PowerShell:

$ss = Read-Host "Enter BitLocker Password:" -AsSecureString

Mount-VHD <path-to-VHD>\Example.VHD

# Check Disk Management for the drive letter assigned to the VHD's volume

Unlock-BitLocker -MountPoint <drive letter> -Password $ss


Monday, April 11, 2016

Windows 2012 R2 ISO to USB

Need to rebuild my drop-dead Windows 2012 R2 server.
There is no way to burn the 5.4GB ISO to my single-layer 4.7GB DVD media.

So the only way is to boot from USB; here is how.

Format your USB drive - FAT32 ONLY. Make sure it is formatted with the Master Boot Record partition scheme.
Plug it into your machine.

Download your Windows 2012 R2 ISO file.

Download the Windows 7 USB/DVD Download Tool.

Install the Windows 7 USB/DVD Download Tool.

Run it, select your ISO and target your USB drive.

Done.

Wednesday, March 16, 2016

.NET Executing Assembly Location

During coding, if you want to reference another file, such as a configuration, text or XML file, that sits in the same directory as your binary/library, you can use the following:

using System.IO;
using System.Reflection;

string location = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);

Have fun coding :)

Sunday, February 07, 2016

UNIX Screen - Split Screen

You can do it in screen, the terminal multiplexer.
  • To split vertically: Ctrl-a then |.
  • To split horizontally: Ctrl-a then S (uppercase).
  • To un-split: Ctrl-a then Q (uppercase).
  • To switch from one region to the other: Ctrl-a then Tab.
Note: After splitting, you need to move into the new region and start a new window there (Ctrl-a then c) before you can use that area.
EDIT, basic screen usage:
  • New terminal: Ctrl-a then c.
  • Next terminal: Ctrl-a then Space.
  • Previous terminal: Ctrl-a then Backspace.
  • Nth terminal: Ctrl-a then n (works for n ∈ {0, 1, …, 9}).
  • Switch between terminals using a list: Ctrl-a then " (useful with more than 10 terminals).
  • Send Ctrl-a to the underlying terminal: Ctrl-a then a.

Friday, January 29, 2016

Passed Cisco 300-320 Exam Today!

Had to sit the Cisco 300-320 exam today to extend my Cisco certifications for another 3 years.
Officially still CCNP and CCDP.

Friday, December 25, 2015

Fail2ban BAN-Forever!

OK, enough is enough. As per my previous blog post about setting up fail2ban, there was this one persistent idiot who kept trying to break into my network. Because of fail2ban's default setting, which un-bans a previously banned IP once the ban time expires, he could keep trying and trying and trying...

So, I came across this blog post and set my systems up as follows:

Modify fail2ban config:

vi /etc/fail2ban/fail2ban.conf

Make sure it contains:

loglevel = 3
logtarget = /var/log/fail2ban.log
Modify Logrotate config:

vi /etc/logrotate.d/fail2ban
Make sure it contains:

notifempty
monthly
rotate 13
missingok
postrotate
fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
Add Repeat Offender rule:

vi /etc/fail2ban/jail.local
Add the following at the bottom of the file. This jail watches fail2ban's own log: any IP that has been banned 10 times within 365 days is banned forever.

#
# Repeat offender to be banned forever
# if it has been banned 10 times within 1 year
#
#
[repeatoffender]

enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, dest=me@domain.me, sender=fail2ban@domain.me]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1
Create fail2ban Filter:

vi /etc/fail2ban/filter.d/repeatoffender.conf
Add the following to the file. <HOST> is fail2ban's placeholder for the address to extract from the line; the ignoreregex stops the jail from counting its own bans:

# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
#
# only works with iptables

[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+
Create fail2ban Action:

vi /etc/fail2ban/action.d/repeatoffender.conf
Add the following to the file:

# Fail2Ban configuration File
#
# Permanent-ban action for repeat offenders. <name>, <chain>, <protocol> and
# <ip> are fail2ban action tags: the first three come from [Init] below (or
# from the jail), <ip> is the address being banned.

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of fail2ban
# Values: CMD

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              # Make sure the blocklist file exists on first start, then
              # re-block every saved IP (comment lines are skipped)
              touch /etc/fail2ban/ip.blocklist.<name>
              grep -v '^\s*#' /etc/fail2ban/ip.blocklist.<name> | awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# VERIFY is anchored to the start of the line and followed by whitespace,
# so an entry for 203.0.113.10 does not count as a match for 203.0.113.1.
actionban = VERIFY="^<ip>[[:space:]]"
            ADD="<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            FILE=/etc/fail2ban/ip.blocklist.<name>
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing because their IP is in the blocklist file

# To manually unban from the IP blocklist file run this command, replacing
# <ip> with the address. The DROP rule already loaded in iptables is not
# touched by this, so remove it separately.
# Be warned that if the IP is in log rotated files it must be whitelisted
#
# sed -i '/^<ip>/d' /etc/fail2ban/ip.blocklist.repeatoffender
#

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes.:  specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

That's it. To list the iptables rules and see which IPs are blocked, run:

iptables -L -n
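Before trusting the jail on a live box, it helps to see what the filter will actually count. The script below is an added example, not part of the original post or of the blog it adapts: it feeds constructed fail2ban 0.8-style log lines (all addresses are documentation IPs) through the failregex and ignoreregex rewritten as grep -E patterns, which is an assumption of the script since fail2ban uses Python regexes, tallies bans per IP and applies the jail's maxretry = 10 the same way. It shows why the ignoreregex matters: without it, the repeatoffender jail's own Ban lines would count towards the next threshold.

```shell
#!/bin/sh
# Added example, not from the original post: run the repeatoffender filter's
# logic over constructed fail2ban 0.8-style log lines. The page's failregex
# and ignoreregex are Python patterns; here they are rewritten for grep -E
# (\s -> [[:space:]], (?:.*) -> [^]]*), an assumption of this script rather
# than fail2ban's own matching. All IPs and log lines below are made up.

FAILREGEX='fail2ban\.actions:[[:space:]]+WARNING[[:space:]]+\[[^]]*\][[:space:]]+Ban[[:space:]]+'
IGNOREREGEX='fail2ban\.actions:[[:space:]]+WARNING[[:space:]]+\[repeatoffender\][[:space:]]+Ban[[:space:]]+'
MAXRETRY=10   # same threshold as the jail.local fragment above

# Constructed sample of /var/log/fail2ban.log: one host banned by the ssh
# jail on ten different days (and unbanned each time), one host banned once
# by postfix and then by repeatoffender itself, and an INFO line that is
# not a ban at all.
sample_log() {
    day=1
    while [ "$day" -le 10 ]; do
        printf '2015-12-%02d 02:00:00,000 fail2ban.actions: WARNING [ssh] Ban 203.0.113.10\n' "$day"
        printf '2015-12-%02d 02:10:00,000 fail2ban.actions: WARNING [ssh] Unban 203.0.113.10\n' "$day"
        day=$((day + 1))
    done
    printf '2015-12-12 03:00:00,000 fail2ban.actions: WARNING [postfix] Ban 198.51.100.7\n'
    printf '2015-12-12 03:00:05,000 fail2ban.actions: WARNING [repeatoffender] Ban 198.51.100.7\n'
    printf '2015-12-12 04:00:00,000 fail2ban.actions: INFO    [ssh] Found 192.0.2.9\n'
}

# Lines the jail counts: failregex hits minus ignoreregex hits. The ignore
# rule is what stops the jail from counting its own permanent bans.
matching_bans() {
    sample_log | grep -E "$FAILREGEX" | grep -Ev "$IGNOREREGEX" || true
}

# Number of counted bans for one IP (0 if none); the IP is the last field.
count_bans() {
    matching_bans | awk -v ip="$1" '$NF == ip { n++ } END { print n + 0 }'
}

# Exit 0 if the IP has reached maxretry and would be banned permanently.
would_perma_ban() {  # ip [maxretry]
    [ "$(count_bans "$1")" -ge "${2:-$MAXRETRY}" ]
}

# "count ip" for every IP seen, most banned first.
ban_counts() {
    matching_bans | awk '{ n[$NF]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

ban_counts
```

Run it with sh; it prints the per-IP tally (10 for the ssh repeat offender, 1 for the postfix host, nothing for the INFO-only host). The one thing it does not reproduce is fail2ban's findtime window, so it counts every ban in the sample regardless of date.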

Sunday, November 22, 2015

Bigpond SMTP Fails

That's right! My Bigpond Internet service fails to deliver!

Fail 1
It does not allow outbound SMTP from my network to anywhere except their own SMTP server.

Fail 2
It limits the number of emails that can be relayed per day or month.

I understand this is meant to stop their customers from becoming spammers. However, their solution stereotypes every single one of their customers as a spammer.

To get around this I use Gmail to relay my email, bypassing Bigpond altogether.
So this is what I did:

Create a new Gmail account, used specifically for relaying only, with a very strong password

then

Install the required software:

sudo apt-get install mailutils libsasl2-2 ca-certificates libsasl2-modules

Create the Gmail credential file:

vi /etc/postfix/sasl_passwd

and add the following content:

[smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD

Restrict the credential file's permissions and build the lookup table:

sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

Copy the CA certificate:

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Edit /etc/postfix/main.cf and add the following lines:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

Reload Postfix:

sudo /etc/init.d/postfix reload

Now my outbound mail is relayed through Gmail's SMTP server, authenticated.


Sunday, October 25, 2015

OpenVPN + VPN Gate + Squid

OK, so I need a VPN tunnel for my Internet connection at home. I don't want a client-to-site VPN, as it would push all my Internet traffic (not only HTTP/S) through the tunnel. I want only my HTTP/S traffic to go through the VPN tunnel.

So I set up an Ubuntu server with the OpenVPN client and Squid proxy. This server has 2 vNICs: one faces the Internet and the other faces the internal network. The goal is to have this server establish the OpenVPN connection to VPN Gate from its primary interface and listen for proxy connections on the secondary interface.

This way, I can point my browser at the Squid proxy and my Internet traffic goes through the VPN tunnel.

Install OpenVPN client
Install OpenVPN with the following command:

#> sudo apt-get install openvpn curl unzip dnsmasq-base wget

Download VPN Gate .ovpn file
Go to http://www.vpngate.net and download an OpenVPN config file. This can be TCP or UDP. Save this file to /etc/openvpn/ and change its extension from .ovpn to .conf.

Install Squid
Install Squid3 with the following command:

#> sudo apt-get install squid3

Modify squid.conf
This change makes Squid use Google's DNS servers for name resolution instead of the resolvers pushed by the OpenVPN client's auto-configuration.

#> sudo vi /etc/squid3/squid.conf

Find dns_nameservers and change it to:
dns_nameservers 8.8.8.8 8.8.4.4

Restart Squid
Restart the Squid daemon to apply the change:

#> sudo service squid3 restart

Launch OpenVPN Client
Start the VPN client connection to VPN Gate using the file downloaded earlier:

#> sudo openvpn /etc/openvpn/vpngate.conf

The reason for changing .ovpn to .conf is that, by default, any file in /etc/openvpn/ with a .conf extension is treated as a configuration file by the OpenVPN service and launched automatically every time the server restarts.

Browser Proxy
Now you can set your browser proxy to the internal IP address of this server with port 3128, and the traffic will be tunnelled through the VPN.

Enjoy!

Saturday, September 26, 2015

XenDesktop 7.6 Multiple Screen with Desktop Viewer

By default, when Desktop Viewer is enabled it does not span multiple screens. When maximized, it only fills one screen. To have it use multiple screens, do:

Enable Desktop Viewer
Login to your StoreFront server
Navigate to C:\inetpub\wwwroot\Citrix\<your store or receiver web>\
Edit web.config
Find showDesktopViewer="true" and make sure the value is true, not false

Enable Force Full Screen
Login to your StoreFront server
Navigate to C:\inetpub\wwwroot\Citrix\<your store>\App_Data\
Edit default.ica
Find [Application]
Add DesktopViewer-ForceFullScreenStartup=true under that section header

Propagate your change across your Server Group

Tuesday, September 15, 2015

NetScaler 10.1 Custom Theme

A custom theme for NetScaler is a quick win for improving the appearance of the Access Gateway login page. With a custom theme, the changes you make persist across NetScaler reboots.

To edit or create a theme, connect to the NetScaler with WinSCP or FileZilla and take a backup of:

/netscaler/ns_gui

On your local backup copy, start making changes:

put your pictures in /media
put your CSS changes in /css
put your HTML adjustments in index.html
put localised strings in /resource/en.xml

Once the adjustments are done, upload the files back to /netscaler/ns_gui

To record the changes as a custom theme, do the following:

mkdir /var/ns_gui_custom
cd /netscaler
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

This creates customtheme.tar.gz in the /var/ns_gui_custom folder.

Now you can log in to NetScaler, navigate to Global Settings and change the theme to Custom.
All done!

To adjust this custom theme later, do:

edit /var/ns_gui_custom/ns_gui
rm /var/ns_gui_custom/customtheme.tar.gz
cd /var/ns_gui_custom
tar -zcvf /var/ns_gui_custom/customtheme.tar.gz ns_gui/*

That's it.

Wednesday, August 26, 2015

Google Authenticator for Ubuntu

I am running SSH on Ubuntu and publish this service through my firewall so that I can log in remotely. I use fail2ban to block any IP address that tries to brute-force its way into my SSH server. I also set up notifications so that I get an email whenever someone logs in, successfully or not.

I think I need more than that, so today I decided to add a second factor to my SSH login :)

Running Ubuntu, I just need to run:

sudo apt-get install libpam-google-authenticator

This installs the PAM module for Google Authenticator.
Then, logged in to the system as the user I want two-factor authentication for, I run:

google-authenticator

This prompts a series of questions, which I answered accordingly.
It also shows a QR code that I can add to the Google Authenticator app.

Next is to edit /etc/pam.d/sshd and add the following line:

auth required pam_google_authenticator.so

Next is to edit /etc/ssh/sshd_config, find the following line and change it to:

ChallengeResponseAuthentication yes

Next is to restart the SSH service:

sudo service ssh restart

Then test it!!
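The Postfix relay post above (November 2015) and this post both end with a handful of lines that have to survive in the right files, and both leave a credential or authentication path that is easy to get subtly wrong. The script below is an added example, not from either post: it checks that the required directives exist uncommented (so a leftover #ChallengeResponseAuthentication yes above a live no does not pass), that sasl_passwd and the .db postmap generates from it are readable by their owner only, and that the .db is not older than its source. Everything it reads is a constructed sample in a temp directory; has_directive, is_private_file, check_postfix_relay and check_ssh_2fa are the script's own names.

```shell
#!/bin/sh
# Added example, not from either post: audit the settings the Gmail relay and
# the SSH two-factor setup depend on. All files read here are constructed
# samples written by make_samples; the real paths (/etc/postfix/main.cf,
# /etc/ssh/sshd_config, /etc/pam.d/sshd) are what you would pass on a live box.

# Succeed if FILE has an uncommented line "KEY VALUE" or "KEY = VALUE".
# Runs of whitespace are squeezed so tabs and double spaces still match.
has_directive() {  # file key value
    awk -v key="$2" -v val="$3" '
        /^[[:space:]]*#/ { next }                 # commented out: does not count
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", rest)
            gsub(/[[:space:]]+/, " ", rest)
            sub(/ $/, "", rest)
            if (rest == val) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Succeed if FILE has no group/other permission bits (mode 400 or 600) and,
# when an owner is given, belongs to that user. Uses ls -l for portability.
is_private_file() {  # file [owner]
    perm=$(ls -ld "$1" | cut -c5-10)
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$perm" = "------" ] && { [ -z "${2:-}" ] || [ "$owner" = "$2" ]; }
}

# The main.cf lines from the relay post, plus: credentials and the postmap
# output private, and the .db present and not older than its source.
check_postfix_relay() {  # main_cf sasl_passwd [owner]
    has_directive "$1" relayhost '[smtp.gmail.com]:587' &&
    has_directive "$1" smtp_sasl_auth_enable yes &&
    has_directive "$1" smtp_sasl_password_maps "hash:$2" &&
    has_directive "$1" smtp_sasl_security_options noanonymous &&
    has_directive "$1" smtp_use_tls yes &&
    is_private_file "$2" "${3:-}" &&
    [ -f "$2.db" ] && is_private_file "$2.db" "${3:-}" &&
    [ ! "$2" -nt "$2.db" ]
}

# sshd must offer keyboard-interactive and PAM must require the TOTP module.
check_ssh_2fa() {  # sshd_config pam_sshd
    has_directive "$1" ChallengeResponseAuthentication yes &&
    has_directive "$2" auth 'required pam_google_authenticator.so'
}

# Constructed samples: a correct set, plus an sshd_config whose only live
# line says "no" (the "yes" is commented out) to show the check failing.
make_samples() {  # dir
    cat > "$1/main.cf" <<EOF
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$1/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = $1/cacert.pem
smtp_use_tls = yes
EOF
    printf '[smtp.gmail.com]:587    USERNAME@gmail.com:PASSWORD\n' > "$1/sasl_passwd"
    chmod 400 "$1/sasl_passwd"
    : > "$1/sasl_passwd.db"            # stands in for what postmap would generate
    chmod 400 "$1/sasl_passwd.db"
    printf '#ChallengeResponseAuthentication no\nChallengeResponseAuthentication\tyes\n' > "$1/sshd_config"
    printf '#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$1/sshd_config.bad"
    printf '@include common-auth\nauth  required  pam_google_authenticator.so\n' > "$1/pam_sshd"
}

demo=$(mktemp -d)
make_samples "$demo"
check_postfix_relay "$demo/main.cf" "$demo/sasl_passwd" && echo "postfix relay: ok"
check_ssh_2fa "$demo/sshd_config" "$demo/pam_sshd" && echo "ssh 2fa: ok"
check_ssh_2fa "$demo/sshd_config.bad" "$demo/pam_sshd" || echo "ssh 2fa (bad sample): not enforced"
rm -rf "$demo"
```

On a live box call check_postfix_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd root and check_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd. Two things the checks point at but cannot fix: postmap inherits the source file's permissions by default, so the chmod has to run before postmap as the post does, otherwise the .db keeps a readable copy of the password; and with the settings above the second factor is only asked for on keyboard-interactive logins, because sshd does not run the PAM auth stack for a login that already succeeded with a public key.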

Thursday, July 30, 2015

Hello Windows 10!

Today, I installed Windows 10 Enterprise x64 Edition, and it looks great!!

Look at that, how slick does it look? I like it!
More to come on this blog about Windows 10.. stay tuned.

Saturday, June 27, 2015

SCCM 2007 R2 Software Updates Diagram

My SCCM 2007 R2 Software Update relationship diagram.

Search Folder
This contains all the update metadata that meets the criteria, e.g. superseded: no, expired: no, etc.

Update List
This is the list of updates selected from the search folder. I use one update list per month, e.g. Jan 2015, Feb 2015. This way, a compliance report can be run against a specific update list.

Deployment Packages
This is the deployment package that gets deployed to the Distribution Point. I use the same deployment package for a specific product; for example, I have a "Windows Server 2012 R2" deployment package for all updates of Windows Server 2012 R2, regardless of their month.

Deployment Management
This is the deployment task that is created for a specific collection.

Collections
A collection of computers that is targeted for software updates.

What to do every month to patch machines?
  • Go to the search folder and select all the updates for this month for a specific product.
  • Right-click and select Download Software Updates, targeting the deployment package for that product. Don't forget to update the Distribution Point.
  • Right-click and select Update List, then create a new update list for this month.
  • From the newly created update list, select all the updates and drag them onto the deployment task for the specific collection you want to install the updates on.
  • Check the software-available and installation-deadline times for that deployment task.

Tuesday, May 12, 2015

PowerShell List Volumes

Just a quick PowerShell one-liner to list the volumes on your server:

Get-wmiobject Win32_volume | Select Name, @{n="Capacity (GB)";e={$_.Capacity/1GB}},@{n="Freespace (GB)";e={$_.Freespace/1GB}}