Create a temporary folder in powershell

I needed to create a temporary folder. I modified the code found here https://stackoverflow.com/questions/34559553/create-a-temporary-directory-in-powershell. One issue in the original code was the chance (albeit extremely slight) of having a name collision with an existing folder. The script below checks and tries 5 times before failing. It isn’t neat, and is somewhat of a brute force method of getting around the issue, but it gets the job done. You can see the modified code here https://pastebin.com/DPfj3iT7

Install Unifi Controller on Raspberry Pi

Install pi
enable ssh
connect to wifi
change password
sudo apt-get install rpi-update && echo Y | sudo rpi-update
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get -y install oracle-java8-jdk
https://help.ubnt.com/hc/en-us/articles/115015026968-UniFi-Supported-Java-JRE-Version

Add unifi to sources list
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee -a /etc/apt/sources.list.d/100-ubnt.list > /dev/null

sudo apt-get -y install dirmngr
Add key to our raspberry pi
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50
sudo apt-get update
sudo apt-get install unifi -y
sudo systemctl stop mongodb
sudo systemctl disable mongodb
sudo reboot
logon to website: https://%controllerIP%:8443

References: https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Controller-5-5-on-Raspberry-Pi/td-p/2045751

Delete declined updates in WSUS

We have all seen poorly maintained WSUS servers.  This script can assist by deleting declined updates.  Combine this with a number of other methods of housekeeping on WSUS servers.

Additionally, using the script, we can list all the members (methods and properties) of the objects returned, with the command $wsus.getupdates() | get-member | select name

Name
----
AcceptLicenseAgreement
Approve
ApproveForOptionalInstall
CancelDownload
CreateObjRef
Decline
Equals
ExpirePackage
ExportPackageMetadata
GetChangesFromPreviousRevision
GetHashCode
GetInstallableItems
GetLicenseAgreement
GetLifetimeService
GetRelatedUpdates
GetSummary
GetSummaryForComputerTargetGroup
GetSummaryPerComputerTargetGroup
GetSupportedUpdateLanguages
GetType
GetUpdateApprovals
GetUpdateCategories
GetUpdateClassification
GetUpdateEventHistory
GetUpdateInstallationInfoPerComputerTarget
InitializeLifetimeService
PurgeAssociatedReportingEvents
Refresh
RefreshUpdateApprovals
ResumeDownload
ToString
AdditionalInformationUrls
ArrivalDate
CompanyTitles
CreationDate
DefaultPropertiesLanguage
Description
HasEarlierRevision
HasLicenseAgreement
HasStaleUpdateApprovals
HasSupersededUpdates
Id
InstallationBehavior
IsApproved
IsBeta
IsDeclined
IsEditable
IsLatestRevision
IsSuperseded
IsWsusInfrastructureUpdate
KnowledgebaseArticles
LegacyName
MsrcSeverity
ProductFamilyTitles
ProductTitles
PublicationState
ReleaseNotes
RequiresLicenseAgreementAcceptance
SecurityBulletins
Size
State
Title
UninstallationBehavior
UpdateClassificationTitle
UpdateServer
UpdateSource
UpdateType

Quick start guide for cloning and committing a repo using Github for Windows and TFS

 

Create the project in TFS

Create a directory:  md d:\githubrepo\sitename

Navigate into directory:  cd /d d:\githubrepo\sitename

Clone the repo:  git clone http://TFSSite:8443/tfs/DefaultCollection/_git/sitename

Create files as required

Add the files into the repo:  git add .

Commit changes:  git commit

use nano (or vi / vim / notepad / vscode as required) to add comments

Push changes to master:  git push

Create a DHCP Superscope

A transient (we were brought in to assist migration to new MSP) customer wanted to increase DHCP addresses without creating a VLAN.  They were looking at increasing their available IP addresses by about 200, and their current network was a /24 (192.168.17.0).

Firstly, add the new gateway IP address to the router.  In this case (on a Server 2008 Windows router), 192.168.17.1 was the original router IP, we add 192.168.18.1.

On the DHCP server, right click IPv4 and select New Scope…

Follow the wizard…

Assign the IP range to exclude and a delay if necessary

Change the default duration if necessary (default 8 days)

More than likely you will need to configure DHCP options

Add the router address as used above

Add DNS Servers in

Add WINS if necessary

Activate the scope

And click Finish

Your DHCP console should look something similar to this:

Right click on IPv4 and select New Superscope…

Click Next

Name the Superscope and click Next

Add the available scopes you wish to include in the Superscope and click Next

Click Finish

You should then see devices picking up an address from the 2nd scope as appropriate.

You can see more details on the Console icons here:

http://anonit.net/server-2008-r2-dhcp-console-icons-reference/

http://anonit.net/server-2003-2008-dhcp-console-icons-reference/

 

Now off to fix the next few issues at this site:

References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc757614(v=ws.10)

https://msdn.microsoft.com/en-us/library/dd891486.aspx

Setting up a pop3s mail server at Server Mule

 

I had a VPS at Server Mule (www.servermule.com.au) and wanted to set up a pop3 mail server.  I will configure a catchall account to get all email, and include DNSBL to prevent spam.

Begin by provisioning the server at Server Mule.

Set up the firewall at Server Mule:

Allow inbound 22 tcp from your IP address

Allow inbound 80, 443, 995, 587 and 25 tcp from all

Set the default rule to block

Save the firewall

Apply the firewall

Logon to the server via SSH

apt-get -y remove apt-listchanges

To generate the SSL certificate using certbot, we need to edit /etc/apt/sources.list and add

deb http://ftp.debian.org/debian jessie-backports main

Run the command apt-get update && apt-get -y upgrade

Change the timezone by the command dpkg-reconfigure tzdata

install the required packages:

apt-get -y install certbot -t jessie-backports

apt-get -y install postfix dovecot-core dovecot-pop3d dovecot-lmtpd mailutils

During the postfix install, select Internet site and enter your domain name (not FQDN)

Stop postfix while being configured: postfix stop

Backup /etc/postfix/master.cf

cp /etc/postfix/master.cf /etc/postfix/master.cf.old

edit /etc/postfix/master.cf

Uncomment "submission inet n - - - - smtpd"

Under submission, uncomment "-o smtpd_sasl_auth_enable=yes"

Under submission, add "-o smtpd_sasl_auth_only=yes", "-o smtpd_sasl_type=dovecot", and "-o smtpd_sasl_path=private/auth"

Generate the SSL certificate using the command certbot certonly

Choose the options standalone, enter a valid email address, and agree to the terms and conditions.  Enter your fully qualified domain name (not just domain name).

Take note of the location of the certificate

Backup /etc/postfix/main.cf

cp /etc/postfix/main.cf /etc/postfix/main.cf.old

edit /etc/postfix/main.cf

Add the following to enable SSL, ensuring you modify the directory location to the one indicated from the steps above

smtpd_tls_cert_file = /etc/letsencrypt/live/mail5.anonit.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail5.anonit.net/privkey.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may

 

Edit the mydestination line so it is blank

mydestination=

Ensure the “myhostname” section is the FQDN

Comment out the following lines if they exist by putting a hash as the first character:

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

 

Backup /etc/dovecot/dovecot.conf

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.old

Add the following to enable pop3s, again modifying the directory to the certificate location noted above.

service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
}
}

ssl = required
ssl_cert = </etc/letsencrypt/live/mail5.anonit.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail5.anonit.net/privkey.pem

 

Restart postfix and dovecot

service postfix restart && service dovecot restart

Test SSL connections locally

openssl s_client -starttls smtp -connect mail5.anonit.net:587
openssl s_client -connect mail5.anonit.net:995

Both tests should return “Verify return code: 0 (ok)”

You may need to CTRL-C from the pop3s test (2nd command)

Test external access to port 25.

Run an open relay test http://www.mailradar.com/openrelay/

 

Create a user vmail that will own all virtual mailboxes:

groupadd -g 2000 vmail
useradd -g vmail -u 2000 vmail -d /var/vmail -m

Edit /etc/dovecot/dovecot.conf

Add the following

auth_mechanisms = plain login
disable_plaintext_auth = yes

service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
user = postfix
mode = 0666
}
}
mail_location = maildir:/var/vmail/%d/%n
passdb {
driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/userdb-file
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

 

Create the user account for pop3

doveadm pw -s SHA512-CRYPT

Enter a password and take note of the hash provided

Create a new file /etc/dovecot/userdb-file and enter the hash provided by the previous command, in the format:

EmailAddress:HASH

EG:

anonit@anonit.net:{SHA512-CRYPT}$6$dFyP5PncotyXGmMU$IVZ3moV3YduogGXURiaCDWy5GeESfnxC453aMz4yzdBBXA6lvjmnKZFBNLTkcI8LNVHScODAh9K4ch.cun2UZ1

 

Add to  /etc/postfix/main.cf

virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = $mydomain
virtual_alias_maps = hash:/etc/postfix/virtual_aliases

Create a file /etc/postfix/virtual_aliases and add

@anonit.net         anonit
postmaster          root
webmaster           root
info                root
abuse               root
# redirect to the user that should get root’s mails
root                anonit

The first line should be the catch all domain, and the account to deliver to.

Update postfix config and restart postfix

postmap /etc/postfix/virtual_aliases
service postfix restart

 

Modify /etc/dovecot/dovecot.conf to enable local mail delivery and add

service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0666
user = postfix
group = postfix
}
}
protocol lmtp {
postmaster_address = anonit@anonit.net
}
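
The auth socket configured earlier and the LMTP socket above are both created with mode = 0666, which lets any local account that can reach the socket path connect to it; with user and group already set to postfix, 0660 is enough. The following is an added example, not part of the original post, that lists unix_listener sockets whose mode grants access to other users. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Dovecot unix_listener sockets whose mode gives
# permissions to "other" (last octal digit non-zero), such as mode = 0666.

# sample_conf -> prints a constructed dovecot.conf fragment: the auth socket
# as configured in this post (0666) and an LMTP socket tightened to 0660.
sample_conf() {
    cat <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0666
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF
}

# audit_listeners FILE -> prints "<socket path> <mode>" for each flagged socket.
audit_listeners() {
    awk '
        $1 == "unix_listener" { sock = $2; next }      # entering a listener block
        sock != "" && $1 == "mode" && $2 == "=" {
            if (substr($3, length($3), 1) != "0")      # "other" bits are set
                print sock, $3
        }
        $1 == "}" { sock = "" }                        # leaving the block
    ' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_conf > "$tmp"
audit_listeners "$tmp"
rm -f "$tmp"
```

Point audit_listeners at /etc/dovecot/dovecot.conf on the server to check the live configuration.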

Create a new SSH session to the server, and view mail.log by the following command

tail -f /var/log/mail.log

In the original session, run the commands and check the logs for errors:

service postfix restart

service dovecot restart

echo test | mail anonit@anonit.net

Perform another open relay test http://www.mailradar.com/openrelay/

Test that local delivery and remote delivery works.

You should be able to view the emails in /var/vmail/domainname/user/new

Add the DNSBL, edit /etc/postfix/main.cf

smtpd_recipient_restrictions =
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit
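
How the reject_rbl_client lookups configured above work, as an added example that is not part of the original post: the client's IPv4 octets are reversed and prepended to the list's zone, and an A record in 127.0.0.0/8 means the address is listed. The function names are illustrative; treating 127.255.255.x as an error rather than a listing follows Spamhaus's documented return codes, and 127.0.0.2 is the conventional DNSBL test entry.

```shell
#!/bin/sh
# Added example: what a reject_rbl_client lookup does for an IPv4 client.

# dnsbl_qname IP ZONE -> reversed octets + zone; status 1 on malformed input.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# classify_answer A_RECORD -> listed | error | clear
classify_answer() {
    case $1 in
        127.255.255.*) echo error ;;   # list operator's error code, not a listing
        127.*)         echo listed ;;
        *)             echo clear ;;   # no A record (NXDOMAIN): not listed
    esac
}

# dnsbl_lookup IP ZONE -> live check; needs dig and network, so it is not run here.
dnsbl_lookup() {
    q=$(dnsbl_qname "$1" "$2") || return 1
    classify_answer "$(dig +short "$q" A | head -n 1)"
}

# 127.0.0.2 is the conventional always-listed test entry.
dnsbl_qname 127.0.0.2 zen.spamhaus.org
```

Postfix also accepts a reply filter on the restriction itself, in the form reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], which keeps error answers from being treated as listings.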

References

https://www.servermule.com.au/help/servermule-articles/how-do-configure-my-servermule-firewall/
http://www.almost-working.com/how-to-setup-a-mail-server-on-debian-8-jessie-using-postfix-dovecot-and-lmtp/
http://www.almost-working.com/foundational-setup-on-a-debian-8-7-jessie-virtual-server/
https://www.faqforge.com/linux/how-to-enable-port-587-submission-in-postfix/
https://certbot.eff.org/#debianjessie-nginx
https://stackoverflow.com/questions/18377813/postfix-status-bounced-unknown-user-myuser
https://tecadmin.net/setup-catch-all-email-account-in-postfix/#
http://www.iredmail.org/docs/enable.dnsbl.html
https://serverfault.com/questions/474133/configure-postfix-with-a-threshold-for-reject-rbl-client

Prevent apt-get upgrade from showing the change log

I was scheduling an apt-get update && apt-get -y upgrade on a Debian 8 box and the process stopped waiting for keyboard input showing the change logs for CA-Certificates.

It had actually started vi and was displaying a text file.  This would stop the automatic update process.

To prevent this I ran apt-get -y remove apt-listchanges

References:

https://serverfault.com/questions/835303/is-there-a-way-to-make-apt-get-upgrade-not-show-changelogs

Install JDK10 on raspberry pi

install pi – http://anonit.net/headless-install-of-raspbian-jessie/

enable ssh
connect to wifi
change password

sudo apt-get install rpi-update && echo Y | sudo rpi-update
sudo apt-get update && sudo apt-get upgrade -y

(using nano instead of vi)

sudo apt-get install pv
sudo dd if=/dev/zero bs=1M count=1024 | pv | sudo dd of=/var/SWAPFILE
sudo mkswap /var/SWAPFILE
sudo nano /etc/dphys-swapfile

Modify the following lines:

CONF_SWAPFILE=/var/SWAPFILE

CONF_SWAPSIZE=1024

reboot

check the swap file size with

swapon -s
The swap size should be 1048572 (ish)
sudo apt-get install openjdk-9-jdk
sudo apt-get install build-essential libx11-dev libxext-dev libxrender-dev libxtst-dev libxt-dev libcups2-dev libasound2-dev libfontconfig1-dev zip mercurial

hg clone http://hg.openjdk.java.net/jdk/jdk10
(clones the repo – may take some time (30 mins, internet dependent))
cd jdk10
bash configure --disable-warnings-as-errors --with-native-debug-symbols=none --with-version-pre="armhf" --with-version-build=46 --with-version-opt=""
make LOG=cmdlines images
(builds java from source – may take some time (210 mins))
test:
cd jdk10/build/linux-arm-normal-server-release/jdk/
bin/java -version
openjdk version "10-armhf" 2018-03-20
OpenJDK Runtime Environment (build 10-armhf+46)
OpenJDK Server VM (build 10-armhf+46, mixed mode)

 

References: https://blogs.oracle.com/jtc/build-jdk-10-for-your-raspberry-pi-right-on-your-device

 

Connect to Exchange powershell remotely

Connect to Exchange powershell remotely using the following commands

$exchCred=Get-Credential
$exchUri="http://servername/powershell"

$exchSession=New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exchUri -Authentication Kerberos -Credential $exchCred
Import-PSSession $exchSession

$exchCred is the credentials used to connect

$exchUri is the Uri of the Exchange server powershell virtual directory.  EG: http://exchange.anonit.net/powershell

 

To remove the session at the end, use Remove-PSSession $exchSession

 

See the powershell script here

 

Reference:

https://community.spiceworks.com/scripts/show/3956-connect-to-exchange-powershell-remotely