Archive for the ‘Admin Notes’ Category

17 Mar 2015

Installing MongoDB on OSX (Yosemite)

Installing MongoDB on OS X is an easy task. However, if you want the service to start each time your computer is restarted, some additional effort is required.

The easiest way to get MongoDB installers is to use Homebrew.

[korey@localhost ~]$ brew install mongodb

At this point MongoDB is installed. To start it manually, first create the directory where the database will be stored (the default is /data/db) and make it writable by your user. /data does not exist on a fresh install, so the directory has to be created with sudo:

[korey@localhost ~]$ sudo mkdir -p /data/db
[korey@localhost ~]$ sudo chown "$(whoami)" /data/db
[korey@localhost ~]$ mongod

Note that the user running mongod needs write access to the DB folder. The downside here is that the DB needs to be started manually each time, and it will run under your own user ID.

To start the service automatically, create a LaunchDaemon; launchd will then start the service as soon as the computer boots.

    1. The first step is to create a service account so the service does not run as root.
    2. Next, create proper locations for the log and the database:

    [korey@localhost ~]$ sudo mkdir -p /var/lib/mongodb
    [korey@localhost ~]$ sudo mkdir -p /var/log/mongo
    [korey@localhost ~]$ sudo chown -R _mongo:_mongo /var/lib/mongodb
    [korey@localhost ~]$ sudo chown -R _mongo:_mongo /var/log/mongo

    3. Now that we have an account and location, it is time to create the daemon plist file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.mongo.mongod</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/mongod</string>
            <string>--dbpath</string>
            <string>/var/lib/mongodb/</string>
            <string>--logpath</string>
            <string>/var/log/mongo/mongodb.log</string>
        </array>
        <key>KeepAlive</key>
        <true/>
        <key>UserName</key>
        <string>_mongo</string>
        <key>GroupName</key>
        <string>_mongo</string>
    </dict>
    </plist>

    Store this file at /Library/LaunchDaemons and name it org.mongo.mongod.plist. It must be owned by root:wheel and must not be group- or world-writable (sudo chown root:wheel and chmod 644), otherwise launchd refuses to load it. Note also that mongod started this way, with no --bind_ip argument and no config file, listens on all network interfaces without authentication; add --bind_ip and 127.0.0.1 to ProgramArguments unless remote access is actually intended.

Now you can start and stop the service without having to restart your computer by using the following commands:

[korey@localhost ~]$ sudo launchctl load /Library/LaunchDaemons/org.mongo.mongod.plist
[korey@localhost ~]$ sudo launchctl unload /Library/LaunchDaemons/org.mongo.mongod.plist
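
As an added example (not code from the original post), here is the same daemon definition as a script: it writes the plist with --bind_ip 127.0.0.1 added, installs it with the ownership launchd insists on, and then checks that the running mongod is the unprivileged _mongo user and is listening only on loopback. The paths, label and account are the post's; lsof, pgrep and plutil are assumed to be present (they ship with OS X).

```shell
#!/bin/sh
# Added example, not from the original post. Writes a launchd plist for mongod
# that is bound to loopback, installs it with the ownership launchd requires,
# and verifies the running daemon. Paths, label and the _mongo account are the
# post's; lsof, pgrep and plutil are assumed to be available (they are on OS X).
PLIST=/Library/LaunchDaemons/org.mongo.mongod.plist

mongod_plist() {
    # Emit the plist text. --bind_ip 127.0.0.1 is the one addition to the
    # post's version: without it mongod accepts connections from any host.
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.mongo.mongod</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/mongod</string>
        <string>--dbpath</string>
        <string>/var/lib/mongodb/</string>
        <string>--logpath</string>
        <string>/var/log/mongo/mongodb.log</string>
        <string>--bind_ip</string>
        <string>127.0.0.1</string>
    </array>
    <key>KeepAlive</key>
    <true/>
    <key>UserName</key>
    <string>_mongo</string>
    <key>GroupName</key>
    <string>_mongo</string>
</dict>
</plist>
EOF
}

install_mongod_plist() {
    mongod_plist | sudo tee "$PLIST" >/dev/null
    # launchd silently ignores LaunchDaemons that are not owned by root or are
    # writable by group/others, so set ownership and mode explicitly.
    sudo chown root:wheel "$PLIST"
    sudo chmod 644 "$PLIST"
    plutil -lint "$PLIST" || return 1      # catch XML typos before loading
    sudo launchctl load -w "$PLIST"
}

check_mongod() {
    pid=$(pgrep -x mongod | head -n 1)
    [ -n "$pid" ] || { echo "mongod is not running"; return 1; }
    user=$(ps -o user= -p "$pid" | tr -d ' ')
    [ "$user" = _mongo ] || { echo "mongod runs as '$user', expected _mongo"; return 1; }
    # Every TCP listener of the process must be on 127.0.0.1.
    lsof -nP -a -p "$pid" -iTCP -sTCP:LISTEN | awk '
        NR > 1 && $9 !~ /^127\.0\.0\.1:/ { bad = 1; print "exposed listener: " $9 }
        END { exit bad }'
}

case "${1:-}" in
    install) install_mongod_plist ;;
    check)   check_mongod ;;
esac
```

Run it as sh mongod-daemon.sh install, then sh mongod-daemon.sh check; the check exits non-zero and names the offending socket if anything other than 127.0.0.1:27017 is listening.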

17 Mar 2015

Creating a service account on OS X (Yosemite)

Creating service users on OS X is not as straightforward as doing so on a Linux system. For starters, the useradd command is not available.

So in order to perform the same action on OS X, open a terminal window and run the following commands. For this example, I will create a group and user in order to run MongoDB.

[korey@localhost ~]$ sudo dscl . -list /Users UniqueID
_amavisd                83
_appleevents            55
_appowner               87
_appserver              79
_ard                    67
_assetcache             235
_astris                 245
_atsserver              97
_avbdeviced             229
_calendar               93
_ces                    32
_clamav                 82
_coreaudiod             202
_coremediaiod           236
_cvmsroot               212
....

The above command lists all the current users along with their UIDs. This is necessary so that we can pick an unused ID below 500 (IDs of 500 and above are for normal user accounts; accounts below 500 are hidden from the login window). You can run the same command with /Groups instead of /Users to get a list of groups.

First, let's create a group with the same name as the user:

[korey@localhost ~]$ sudo dscl . -create /Groups/_mongo gid 300
[korey@localhost ~]$ sudo dscl . -create /Groups/_mongo RealName "Mongo DB Server Group"
[korey@localhost ~]$ sudo dscl . -create /Groups/_mongo passwd "*"

As you can see, the group ID is set to 300 and the password is set to “*”, a placeholder value that prevents anyone from logging in as that group or user. I am not certain if this is necessary, but looking at other similar groups on OS X, it seems to be the right way to do this.

Now, let's create the user and make sure that it will not show up as a user on the login screen:

[korey@localhost ~]$ sudo dscl . -create /Users/_mongo
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo uid 300
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo gid 300
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo NFSHomeDirectory /var/empty
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo UserShell /usr/bin/false
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo RealName "Mongo DB Server"
[korey@localhost ~]$ sudo dscl . -create /Users/_mongo passwd "*"

At this point the service account is created and its primary group is set to the one we just created. The UID below 500 is what keeps the account off the login screen; setting the shell to /usr/bin/false and the home folder to /var/empty ensures that the account cannot be used for an interactive login and that, even if someone does get a session as that user, it owns nothing on disk. Once again, the account password is set to “*” so that no password login is possible.

If you look at /etc/passwd on your OS X machine, you’ll notice that most service accounts are listed in there, but the above account is not. I am not sure if this will be problematic over the long term, but for all intents and purposes, the service account works as expected.
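
As an added example (not part of the post), here are the same commands wrapped in a script that picks the first ID that is unused as both a UID and a GID, creates the group and the account, and verifies the result. Setting RUN=echo prints the dscl commands instead of running them. UniqueID, PrimaryGroupID and Password are the full attribute names behind the uid, gid and passwd shorthands used above; the 300..499 range, /var/empty, /usr/bin/false and the “*” password are the post's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a hidden OS X service
# account plus a matching group, choosing an ID that is free as both a UID and
# a GID. Set RUN=echo to print the dscl commands instead of executing them.
RUN="${RUN:-}"

next_free_id() {
    # stdin: "name<whitespace>id" lines as printed by `dscl . -list /Users UniqueID`
    # (and /Groups PrimaryGroupID); prints the lowest unused id in [$1, $2],
    # exit status 1 if the range is exhausted.
    awk -v lo="$1" -v hi="$2" '
        { used[$2] = 1 }
        END {
            for (i = lo; i <= hi; i++) if (!(i in used)) { print i; exit 0 }
            exit 1
        }'
}

create_service_account() {
    name=$1; newid=$2; desc=$3
    if [ -z "$RUN" ] && dscl . -read "/Users/$name" >/dev/null 2>&1; then
        echo "$name already exists" >&2; return 1
    fi
    # Group first, so the user's primary group exists when the user is created.
    $RUN sudo dscl . -create "/Groups/$name" PrimaryGroupID "$newid"
    $RUN sudo dscl . -create "/Groups/$name" RealName "$desc group"
    $RUN sudo dscl . -create "/Groups/$name" Password '*'
    $RUN sudo dscl . -create "/Users/$name"
    $RUN sudo dscl . -create "/Users/$name" UniqueID "$newid"
    $RUN sudo dscl . -create "/Users/$name" PrimaryGroupID "$newid"
    $RUN sudo dscl . -create "/Users/$name" NFSHomeDirectory /var/empty   # owns nothing
    $RUN sudo dscl . -create "/Users/$name" UserShell /usr/bin/false      # no interactive login
    $RUN sudo dscl . -create "/Users/$name" RealName "$desc"
    $RUN sudo dscl . -create "/Users/$name" Password '*'                  # no password login
}

verify_service_account() {
    # A service account must resolve, have no usable shell and own no home.
    id "$1" || return 1
    dscl . -read "/Users/$1" UniqueID PrimaryGroupID UserShell NFSHomeDirectory
    [ "$(dscl . -read "/Users/$1" UserShell | awk '{print $2}')" = /usr/bin/false ]
}

if [ $# -eq 2 ]; then                      # usage: sh mkservice.sh _mongo "Mongo DB Server"
    newid=$( { dscl . -list /Users UniqueID; dscl . -list /Groups PrimaryGroupID; } \
             | next_free_id 300 499 ) || { echo "no free id in 300..499" >&2; exit 1; }
    create_service_account "$1" "$newid" "$2" && verify_service_account "$1"
fi
```

Run it as sh mkservice.sh _mongo "Mongo DB Server"; with RUN=echo in front, the dscl commands are only printed, so the verification step will then report the account as missing, which is expected.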

Naturally, I searched a good while before I came up with the above command set and here are some links that helped me:


18 Oct 2012

Cleanup Your Open With Context Menu in OSX

Recently I noticed that I had many duplicate entries in the Open With context menu on my Mac (Mountain Lion). Then, after a clean re-install, I noticed the same behaviour repeating. For example, I had three entries for Evernote.

Well, a little Googling led me to this link with this magic command to reset the menu and clean it up.

/System/Library/Frameworks/CoreServices.framework/Frameworks/\
LaunchServices.framework/Support/lsregister -kill -r -domain local \
-domain system -domain user

Note:

  • This is all one line; I had to break it up with backslashes to fit here. The trailing backslashes are valid shell line continuations, so the command can be pasted as shown or joined onto one line without them.
  • The location of lsregister may be different if you are on an older version of OS X, per the link above.


16 Aug 2012

Securing your Mail Server

I recently noticed some bounced emails from a domain I managed and upon further inspection found out that someone is sending spam emails using random spoofed email addresses from that domain.  At first I thought one of the email accounts was  jeopardized but when I saw the bogus from address, I knew it was just spam abuse that would not end well for the true users of the domain.  So I set out to find out how to secure the email server to minimize if not eradicate this abuse.

Before going further, I should say that this particular domain is using Site5 for hosting and Google Apps (the free version) for mail and other things.  A great combination by the way.

Google already supports some of these features and it has great help on how to set this up, so the toughest thing is to setup your DNS just right.  During this investigation and discovery I ran across Unlock The Inbox, which proved to be an absolute gem in teaching me what to do and then helping me verify the settings.

Here is what you need to do:

  1. Read the Google help on how to setup DKIM (DomainKeys Identified Mail) Signatures.  Stop short of the last step to Start authentication, until you have finished all the DNS changes.
  2. Go to Unlock the Inbox  and read about DKIM, DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy Framework) and ADSP (Author Domain Signing Policy).  The combination of these will give you a pretty good level of security, although DKIM is the most important, followed by SPF.
  3. Create your DNS entries.  For the sake of argument, assume the domain name is acme.com  and remember that this was done on Site5, but Google has instructions for many popular providers.
    1. Login to you site’s cpanel
    2. Go to the advanced DNS editor.
    3. Enter the following four entries:

               Record Type: TXT
               Record Name: google._domainkey
                       TTL: 3600
                IP Address: v=DKIM1; k=rsa; p=MIGfMA0GCS...
      

      This is the DKIM record. The IP Address field above is really the record value, and you should get it from Google when you generate your domain key. The record name should be the same regardless of your domain name; just make sure not to end it in a dot, so that your domain is appended to it. The end result for the name should be google._domainkey.acme.com.

              Record Type: TXT
              Record Name: acme.com.
                      TTL: 3600
               IP Address: v=spf1 include:_spf.google.com ~all
      

      This is the SPF record; note how we put in our domain name and ended it with a dot. The Site5 DNS editor does not allow @, per Google's instructions, so this is the only way to get around this.

              Record Type: TXT
              Record Name: _adsp._domainkey
                      TTL: 14400
               IP Address: dkim=all;
      

      This is the ADSP record, and again the name does not end with a dot so the domain gets appended to it, just like our DKIM record. (ADSP has since been declared historic by the IETF and few receivers consult it; the DMARC record below is what modern receivers act on.)

              Record Type: TXT
              Record Name: _dmarc
                      TTL: 14400
               IP Address: v=DMARC1; p=quarantine; adkim=s; aspf=s; \
                           rua=mailto:spam@acme.com; ruf=mailto:spam@acme.com; \
                           pct=100
      

      This was the trickiest one, only because the Site5 DNS editor replaces the @ in the email address with your domain name. What I found out is that if I pasted the value just like above, it saved fine, but it would not display right when I tried to edit it. The email addresses are not necessary unless you want to receive reports when emails are spoofed from your domain (rua is the address for aggregate reports, ruf for per-message failure reports). Once again, the name here does not end in a dot so that the domain will get appended to it, and most importantly, the backslashes are just line breaks and are not part of the actual string you need to input. p=quarantine is the policy used here; p=reject is the stricter choice once the reports show that no legitimate mail is failing.

  4. Wait for a few hours so DNS propagates
  5. Go to KLOTH.NET and verify the settings with the Site5 DNS server.
  6. Fill in the query form as follows:

            Domain: google._domainkey.acme.com
            Server: dns.site5.com
             Query: TXT (text)
    

    This should return the value you entered above once DNS has been updated. You can repeat the same process for the other entries to make sure as well.

  7. Start authentication.
  8. As a final step, send an email from your domain to mailtest at unlocktheinbox dot com and you will receive a report on whether things are working or not.

I did this over a period of a few days, first enabling DKIM, then SPF, and once those were verified, I then enabled DMARC and ADSP. In any case, once all of this is in place, you should have very little to no email spoofing on your domain, and even if it does occur, you should get an email report so you can follow up.
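
The following is an added example and not part of the original post: a small checker for the SPF, DKIM and DMARC values, usable before they go into DNS and again after propagation. It looks for the mistakes that leave a record present but useless: a +all or missing all mechanism in SPF, too many lookup mechanisms, an empty or mangled p= key in DKIM, p=none or a pct below 100 in DMARC, and report addresses that are not mailto: URIs. The record values in the usage below are constructed for illustration; acme.com and the google selector are the post's own, and dig is assumed to be installed for the live lookup.

```shell
#!/bin/sh
# Added example, not from the original post: checks SPF, DKIM and DMARC TXT
# values for the mistakes that silently weaken them. Values are passed as
# strings so the checks run offline; check_domain pulls live values with dig.
# acme.com and the "google" selector are the post's; everything else is assumed.

lookup_txt() {
    # dig prints long TXT records as several quoted strings ("abc" "def");
    # join them without the inter-string space, as resolvers do.
    dig +short TXT "$1" | sed 's/" "//g; s/"//g'
}

dns_tag() {
    # dns_tag NAME "k=v; k=v; ..." -> value of NAME (empty if absent)
    printf '%s\n' "$2" | tr ';' '\n' | sed -n "s/^[[:space:]]*$1=[[:space:]]*//p" | head -n 1
}

check_spf() {
    case "$1" in "v=spf1 "*|"v=spf1") ;; *) echo "SPF: value must start with v=spf1"; return 1 ;; esac
    case "$1" in
        *" +all"|*" all") echo "SPF: '+all' authorises every host on the Internet"; return 1 ;;
        *" -all"|*" ~all") ;;
        *) echo "SPF: no terminal ~all/-all, so unlisted senders get a neutral result"; return 1 ;;
    esac
    # Mechanisms that need DNS lookups are capped at 10 by evaluators (RFC 7208 4.6.4);
    # exceeding it is a permerror and the whole record is ignored.
    n=$(printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -c -E '^[-+~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)' || true)
    [ "$n" -le 10 ] || { echo "SPF: $n lookup mechanisms, limit is 10"; return 1; }
}

check_dkim() {
    v=$(dns_tag v "$1")
    [ -z "$v" ] || [ "$v" = DKIM1 ] || { echo "DKIM: v=$v is not DKIM1"; return 1; }
    k=$(dns_tag k "$1")
    [ -z "$k" ] || [ "$k" = rsa ] || { echo "DKIM: unsupported key type k=$k"; return 1; }
    p=$(dns_tag p "$1")
    [ -n "$p" ] || { echo "DKIM: empty p= means the key is revoked"; return 1; }
    # The key must be one unbroken base64 string; stray quotes or spaces from a DNS editor break it.
    case "$p" in *[!A-Za-z0-9+/=]*) echo "DKIM: p= contains non-base64 characters"; return 1 ;; esac
}

check_dmarc() {
    [ "$(dns_tag v "$1")" = DMARC1 ] || { echo "DMARC: value must start with v=DMARC1"; return 1; }
    case "$(dns_tag p "$1")" in
        reject|quarantine) ;;
        none) echo "DMARC: p=none only reports; spoofed mail is still delivered"; return 1 ;;
        *)    echo "DMARC: p= must be none, quarantine or reject"; return 1 ;;
    esac
    pct=$(dns_tag pct "$1")
    [ -z "$pct" ] || [ "$pct" = 100 ] || { echo "DMARC: pct=$pct leaves some failing mail unpoliced"; return 1; }
    for uri in $(dns_tag rua "$1" | tr ',' ' ') $(dns_tag ruf "$1" | tr ',' ' '); do
        case "$uri" in mailto:*@*) ;; *) echo "DMARC: report address '$uri' must be a mailto: URI"; return 1 ;; esac
    done
}

check_domain() {
    # check_domain acme.com google
    d=$1; sel=${2:-google}; rc=0
    check_spf   "$(lookup_txt "$d" | grep '^v=spf1' | head -n 1)" || rc=1
    check_dkim  "$(lookup_txt "$sel._domainkey.$d")"                || rc=1
    check_dmarc "$(lookup_txt "_dmarc.$d")"                         || rc=1
    return $rc
}

if [ $# -ge 1 ]; then check_domain "$@"; fi
```

Run sh dnscheck.sh acme.com google after the records have propagated; each failing check prints one line saying what is wrong, and the script exits non-zero if any of the three records fails. Individual values can be checked before publishing, for example check_spf "v=spf1 include:_spf.google.com ~all".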

Make sure to read the links provided here so you know exactly what each of the records are doing.

Good luck.


19 Jul 2012

Configure Witopia VPN on DD-WRT

I like using a VPN service for a more secure browsing experience and I have used Witopia for the past little while with great success. The only issue was that I had to install it on all the PCs that I wanted to use it with and then remember to turn it on, etc which I did not like very much. So after a decent amount of googling, I decided to get a second router that supports DD-WRT and set that up to always be connected via VPN. This way, it is just a matter of switching my wireless connection from any device.

After some research I settled on Buffalo AirStation WHR-HP-G300N (bought from Newegg) which is a tiny little router that comes with DD-WRT installed. The only downside, I later found, is that since it’s got smaller memory on-board it does not support OpenVPN.

Witopia itself does provide a Cloakbox Pro device itself which is a higher end Buffalo router pre-configured to VPN, but I wanted to do it my way. So keep in mind as you read the instructions below that my setup is using a VPN router that is behind my main router.

Setup Instructions

  1. Add Google's public DNS servers as static DNS servers for the DHCP server. Note that since my main router is using 192.168.1.x, I put this router on 192.168.11.x to make sure there are no complications.
  2. Configure the wireless access point on the router so that it does not conflict with your main wireless connection (i.e. give it a different name and use a different channel to be extra safe).
  3. Enable and configure the PPTP client on the router to connect to your favorite VPN location. You can get a list of the VPN locations for Witopia here. For the Server IP or DNS Name I put in the IP address of the VPN server I wanted to connect to (e.g. pptp.chicago.witopia.net).
  4. Add a startup script to the router to configure it to use the VPN connection properly.

    The script below will wait until VPN is connected and then update the router’s routing appropriately. Note that 192.168.1.1 is the internal IP of my main router, not the VPN router which is 192.168.11.1.

    # Generate /tmp/startupConfig.sh. It pins the route to the PPTP server through the
    # main router, adds a low-priority (metric 100) default route through the main
    # router, makes ppp0 the default route and NATs the LAN onto the tunnel.
    echo "echo \"Startup Config started\" >> /tmp/mylog.txt" > /tmp/startupConfig.sh
    echo PPTPSERVER=$(/usr/sbin/nvram get pptpd_client_srvip) >> /tmp/startupConfig.sh
    echo PPTPGWY=192.168.1.1 >> /tmp/startupConfig.sh
    echo "/sbin/route add -host \$PPTPSERVER gw \$PPTPGWY" >> /tmp/startupConfig.sh
    echo "#/sbin/route del default" >> /tmp/startupConfig.sh
    echo "/sbin/route add default gw \$PPTPGWY metric 100" >> /tmp/startupConfig.sh
    echo "/sbin/route add default dev ppp0" >> /tmp/startupConfig.sh
    echo "/sbin/route del default" >> /tmp/startupConfig.sh
    echo "/sbin/route del default" >> /tmp/startupConfig.sh
    echo "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE" >> /tmp/startupConfig.sh

    # Generate /tmp/whileLoop.sh. It polls every 5 seconds until the ppp0 interface
    # exists, logging each check to /tmp/mylog.txt, and then runs startupConfig.sh.
    echo "ifconfig ppp0 > /dev/null" > /tmp/whileLoop.sh
    echo "RC=\$?" >> /tmp/whileLoop.sh
    echo "echo \"Checking ppp0: \$RC\" >> /tmp/mylog.txt" >> /tmp/whileLoop.sh
    echo "while [ \$RC -ne 0 ]; do" >> /tmp/whileLoop.sh
    echo "  sleep 5" >> /tmp/whileLoop.sh
    echo "  ifconfig ppp0 > /dev/null" >> /tmp/whileLoop.sh
    echo "  RC=\$?" >> /tmp/whileLoop.sh
    echo "  echo \"Checking ppp0: \$RC\" >> /tmp/mylog.txt" >> /tmp/whileLoop.sh
    echo "done" >> /tmp/whileLoop.sh
    echo "echo \"Running startupConfig.sh\" >> /tmp/mylog.txt" >> /tmp/whileLoop.sh
    echo "ifconfig ppp0 >> /tmp/mylog.txt" >> /tmp/whileLoop.sh
    echo "sh /tmp/startupConfig.sh" >> /tmp/whileLoop.sh

    # Run the poller in the background so the startup script itself returns immediately.
    sh /tmp/whileLoop.sh &

Once all this is setup, connect to the wireless for the VPN router, and go to IP Location Finder and make sure that it reports your location correctly. If it is still reporting your current location, then VPN is not working and you have to get your hands dirty and login to the router itself and poke around. That is beyond what I wanted to get into here, but I am sure you can find your solution on the internets.
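
An added example that is not part of the original post. The startup script above keeps a fallback default route through the main router (metric 100), so if the PPTP tunnel drops, LAN clients keep browsing, only now in the clear. This kill switch restricts forwarding so that LAN traffic can only leave through ppp0; with the tunnel down, it is dropped rather than leaked. Assumed names, not taken from the post: LAN bridge br0 and tunnel ppp0 (DD-WRT's usual ones). Setting IPT=echo prints the rules instead of applying them. Note also that PPTP's MS-CHAPv2 authentication has been publicly broken since 2012; the kill switch limits where traffic goes, not how well the tunnel protects it.

```shell
#!/bin/sh
# Added example, not part of the original post. A "kill switch" for the VPN
# router: LAN clients may only be forwarded into the PPTP tunnel, so if ppp0
# drops, nothing falls back to the main router in the clear. Assumptions (not
# from the post): LAN bridge br0, tunnel ppp0. Set IPT=echo to print the
# rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-ppp0}"

apply_killswitch() {
    # Each rule is inserted at position 1, so they are written in reverse order of
    # the chain we want: established/related, LAN->tunnel accept, LAN->anything else drop.
    "$IPT" -I FORWARD 1 -i "$LAN_IF" ! -o "$VPN_IF" -j DROP
    "$IPT" -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    "$IPT" -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT the LAN onto the tunnel, as the post's startup script does.
    "$IPT" -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

remove_killswitch() {
    # -D takes the same rule specification as -I/-A.
    "$IPT" -D FORWARD -i "$LAN_IF" ! -o "$VPN_IF" -j DROP
    "$IPT" -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    "$IPT" -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply)  apply_killswitch ;;
    remove) remove_killswitch ;;
esac
```

Call apply_killswitch (or sh killswitch.sh apply) at the end of startupConfig.sh, after the routes are in place. The rules match on interface names only, so they stay correct when the tunnel reconnects; the router itself can still reach the PPTP server because its own traffic goes through OUTPUT, not FORWARD.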


12 Jul 2012

Calculate the Broadcast IP for your network

There is a good article on how to calculate the broadcast IP based on your IP address and net mask on eHow. What I have here is a quick utility to facilitate things.

Interactive calculator (on the original page): inputs IP and Netmask, output Broadcast IP.
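
The calculator itself is not reproduced here. As an added example that is not the page's own widget, here is the same computation as a shell script: it validates the IP address and the netmask (rejecting masks that are not a contiguous run of ones), accepts a prefix length in place of a dotted mask, and prints both the network and the broadcast address.

```shell
#!/bin/sh
# Added example, not part of the original post: the broadcast calculator as a
# shell function. Takes an IP plus either a dotted netmask or a prefix length,
# validates both, and prints the broadcast (and network) address.

ip_to_int() {
    # 192.168.1.37 -> 3232235813; fails unless exactly four octets in 0..255
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_to_int() {
    # Accepts 255.255.248.0, 21 or /21. Rejects masks that are not a run of
    # ones followed by a run of zeros (e.g. 255.0.255.0).
    case "$1" in
        *.*) m=$(ip_to_int "$1") || return 1 ;;
        *)   p=${1#/}
             case "$p" in ""|*[!0-9]*) return 1 ;; esac
             [ "$p" -le 32 ] || return 1
             m=$(( (4294967295 << (32 - p)) & 4294967295 )) ;;
    esac
    inv=$(( ~m & 4294967295 ))          # host bits; valid iff inv is 2^n - 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    echo "$m"
}

network_ip() {
    ip=$(ip_to_int "$1") || { echo "bad IP address: $1" >&2; return 1; }
    m=$(mask_to_int "$2") || { echo "bad netmask: $2" >&2; return 1; }
    int_to_ip $(( ip & m ))
}

broadcast_ip() {
    # The broadcast address is the IP with every host bit set to one.
    ip=$(ip_to_int "$1") || { echo "bad IP address: $1" >&2; return 1; }
    m=$(mask_to_int "$2") || { echo "bad netmask: $2" >&2; return 1; }
    int_to_ip $(( ip | (~m & 4294967295) ))
}

if [ $# -eq 2 ]; then                  # usage: sh bcast.sh 192.168.1.37 255.255.255.0
    echo "network:   $(network_ip "$1" "$2")"
    echo "broadcast: $(broadcast_ip "$1" "$2")"
fi
```

For example, sh bcast.sh 10.0.5.9 255.255.248.0 prints network 10.0.0.0 and broadcast 10.0.7.255, and sh bcast.sh 172.16.4.33 /27 prints 172.16.4.32 and 172.16.4.63.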

12 Jul 2012

Installing MySQL on CentOS

First, make sure the binaries are installed using yum. Note that this only installs MySQL, and that you may need to run the command as root (or via sudo) depending on your system's permissions.

[korey@localhost ~]$ yum install mysql-server mysql

The next thing is start MySQL:

[korey@localhost ~]$ service mysqld start

Once you start the service, it prints instructions for having it start automatically on reboot and for securing it.
Finally, secure MySQL by setting a password for the root user and removing the anonymous users. Use the same password in the first two statements below, otherwise you will end up scratching your head as to why you cannot log in sometimes. Two caveats: the mysql-server package also ships mysql_secure_installation, which performs these steps interactively and additionally drops the test database and disallows remote root logins; and a password typed into a SET PASSWORD statement is recorded in ~/.mysql_history by older mysql clients, so clear that file afterwards.

[korey@localhost ~]$ mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('****');
mysql> SET PASSWORD FOR 'root'@'localhost.localdomain' = PASSWORD('****');
mysql> DROP USER ''@'localhost.localdomain';
mysql> DROP USER ''@'localhost';

10 May 2012

Default path on OSX

Started working with Homebrew recently instead of MacPorts to install third party packages on OSX. Homebrew comes with a doctor command that lets you know about any conflicts that may cause it to not function properly. The short of it is that Homebrew told me I needed to modify my path to make sure /usr/local/bin is before /usr/bin. But where is the path defined on OSX?

It is in /etc/paths (at least on OSX Mountain Lion). This file is a list of paths, one per line, and the order of the lines is the order in which they appear in PATH. To update it run:

sudo vi /etc/paths

Here is what mine looks like:

/usr/local/bin
/usr/bin
/bin
/usr/sbin
/sbin

20 Apr 2011

Force SSH to use password authentication

This is a simple but useful tip. I have a server where I do SSH public key authentication for SVN+SSH, but sometimes would like to just log in to the site and get a command line. For those times, I use the following command to force password authentication even though I have the correct identity file in my .ssh folder.

ssh -o PreferredAuthentications="password" myUsername@myServerAddress

If the server only offers passwords through keyboard-interactive (the common sshd setup with PasswordAuthentication no and ChallengeResponseAuthentication yes), use PreferredAuthentications="keyboard-interactive,password" instead.

26 Nov 2010

Extending the system disk on a Windows VM

I have had to do this on a few different occasions, and while it's simple, I do not always remember the procedure, so here it is for others to reference when needed.

The issue is you setup your windows VM and after a while you start running out of disk space.  What do you do?

The easiest thing is to add a new disk to the VM image and put most of the installed programs there, but that requires having planned ahead of time. If you resize the system disk of a Windows VM, you will see the unallocated space when you restart the VM, but Windows does not let you extend the system drive from within the running system. Here is the easiest way to proceed. Keep in mind that you will most likely lose all your snapshots using this procedure.

Requirements

  • Windows VM whose disk will be extended
  • Second Windows VM that will be used to extend the disk size of the first.
  • Windows XP or higher on both VMs

Procedure

  1. Shut down the VM image you want to extend.
  2. Open the settings of a second Windows VM (it must be shutdown as well).
  3. Add a new disk to the second Windows VM, but instead of creating a new disk file, choose the system disk from the VM you want to extend.
  4. Start the second Windows VM.
  5. Check to make sure the new drive and all its contents show up now in the VM.
  6. Start a terminal session (cmd.exe)
  7. Type diskpart
  8. At the new prompt, type list volume
  9. Choose the right value by typing select volume <#>, where <#> is the number of the volume you want to extend.
  10. Once the volume has been selected, just type extend.  This will extend the drive to use all the available unallocated space.
  11. type exit.
  12. Shut down the second VM.
  13. Remove the drive you added in step 3 from the second VM.
  14. Start the Windows VM you wanted to extend and now the disk space should be available for use.

Hope you found this useful and good luck.

