Cincinnerdi Tech Stuff (was Redboot’s Tech Projects)

April 28, 2008

Setting incoming SMTP port on SBS / Exchange

Filed under: SMTP, Security, Win SBS 2003 — Tags: — scottledyard @ 3:58 pm

Having set up my SBS server some time ago, I couldn’t remember where I had set the incoming port number (falsely called 65535 here.) I find the button that pops open the dialog box for this quite forgettable, so I’ll document this here hoping to help someone — me included — in the future.

Running TCPView from SysInternals shows that inetinfo.exe is listening on port 65535.

TCPView from SysInternals shows the listening port for SMTP

This was set in Exchange System Manager, drilling down seven levels to the SMTP-Default, right-clicking Properties, Advanced and editing the incoming port number. By default, this is port 25 for SMTP.
Drill WAY down to change properties, advanced...

August 15, 2007

Dial-a-fix allows Windows Update to succeed

Filed under: WSUS, Win Srv 2003 — scottledyard @ 7:19 pm

Some fellow Nerds were discussing the problem of Windows Update having patches that refused to install; Nerds Todd Myles and Barry Ball suggested Dial-a-fix http://wiki.djlizard.net/Dial-a-fix.

I had been having the same issue with an install of Small Business Server 2003, so I decided to try this out. It worked quite well and took very little time. A great utility.

Below are the screen shots showing the blow-by-blow. (more…)

July 22, 2007

99% isn’t good enough for a burned CD-ROM from an ISO – Using CRC305.EXE

Filed under: Win SBS 2003 — scottledyard @ 10:38 am

In this post, I tell how to detect whether a Windows installation CD is bad using CRC305.EXE.

Recently I again downloaded Microsoft’s Small Business Server 2003 CD ISO images and began burning them to CD on my laptop. To be sure they’re good, the MS download manager checks the CRC values. I have the Sonic software verify the CD after the burn to make sure it’s burned properly. Should be okay, right?

Nope.

Ran through two complete installations of SBS only to find during and after CD #4 there are setup errors. The first indicates that a file for what appears to be a Korean help file just doesn’t exist. It’s one of two files, so I tried just copying and renaming the one file to be the name it wanted for the second file. I knew this was cheating, but what are the chances I’ll ever want help in Korean. It continues on until a final error indicates it cannot proceed. The errorlog.txt file showed numerous errors besides this one.

After re-burning CD 1 at a slower speed, I found I had the same error. I downloaded and ran CRC305.EXE from Microsoft’s web site and ran it against the CD on my laptop. It indicated that it was good. However, running it on the server on which I was trying to load the CDs indicated that ALL of the CDs had an error after the 99% point!

So I burned the CDs on THAT machine (yes, there was a lot of time involved with this!), ran CRC305.EXE on that machine and it showed that the disks passed. I was able to install the complete system with the new CDs without errors.

July 16, 2007

Windows 2003 Small Business Server – Client Setup

Filed under: Active Directory, VirtualBox, Vista, Win SBS 2003, Win Srv 2003, XP — scottledyard @ 1:54 pm


For posterity’s sake, here are the screen shots for setting up client computers from an SBS server. I decided to include the initial user setup, which provides for an automatic “next step” of setting up the computer. So there are two “push” parts: user setup and client computer setup, and two “pull” parts: assigning the user to the computer / migrating their profiles, and installing software via the Client Setup Wizard.

Part I

(more…)

July 1, 2007

OpenSource VirtualBox better than its proprietary competition

Filed under: Parallels, Ubuntu, VMWare, VirtualBox, Vista, XP — scottledyard @ 9:38 pm

I remember my first experience with Firefox when I noticed that it was free AND better. Wait, something free should have some tradeoffs, right? Well I’ve had that experience again, this time with VirtualBox. Read on or just go get it now! Yes, it runs in Vista, XP, Linux and Apple (beta.)

How I got to VirtualBox

It was early ‘06 when my friend Mark Wash said I’d better get up to speed on virtualization technology. I yawned. I didn’t get it; who needs to run a machine inside a machine? Suffice it to say, I soon “got it.” So, I set out to find which would be best for my needs (multi-OS, need for sandboxing, etc.) and my budget (oh so low). Microsoft’s was out since I wanted multi-OS. I liked VMware’s functionality and experience. The trial version showed its stuff. The availability of the VMPlayer was great. The beta versions were ridiculously slow.

Then, there was Parallels. Can you say “carbon copy?” It seemed to be identical. But little by little, the gaps in what it could do became more apparent. Many VMware features were listed in Parallels’ support forums as “maybe someday” features. But the price! How could I go wrong? Without making this a Parallels-bashing post, it was clear that using an Ubuntu guest within an XP host was somewhat frustrating since the guest tools didn’t really work, nor did USB support. And an XP guest within an Ubuntu host? Don’t even go there! I suppose the version for Macintosh is more reliable.

It was as I was lamenting these issues in an Ubuntu forum that someone asked if I’d tried VirtualBox. No, never heard of it. Turns out it only came out in January 2007, as you can see in their progress log. Having worked with various open source projects, one tries not to set high expectations, but off I went.

Eureka! A “just works” experience

I can’t even guess how complex it must be to program a VM, but VirtualBox makes it look easy. It just works! The availability of a version for the most recently released version of Ubuntu was a nice touch. Installing this was amazingly easy for a Linux application. The interface is clean, new VM setup is a cinch and maintenance of VMs is easy to monitor. Oh, and want to move a virtual drive from one OS to another? Just put it in an accessible spot, go to the virtual disk image manager and add it, then create a virtual machine linking to this disk. I set up a FAT32 partition so these can be accessed from either OS without being moved.

The feature set of VirtualBox is impressive, providing a much more ambitious goal than Parallels. Taking snapshots (not an option in Parallels) works slick. Click to close the guest window and it can save the state of the machine very quickly. Just try stuff like the host + A to automatically resize your guest screen. So slick.

Figure 1: Note that Shared Clipboard can have copy / pasting going in either direction, both, or disabled.

You can have a remote display, allowing you to set up a virtual machine on a remote server and send only the KVM info across to your client machine. There’s complete CLI functionality that provides for an amazing range of control. (These last two I’ve not explored yet.)

Issues

  • VirtualBox now supports using VMDK files so that you can take a disk image created under VMWare and just start using it in VirtualBox (a wish list item in Parallels I might add.) Though I didn’t need this ability, I tried grabbing an old VMDK image I had backed up to try it. I received a nasty error message, perhaps because there were snapshots on that VM?
  • Initially upon installing v. 1.4.0 into a Vista host, I found that after my Ubuntu guest auto-activated my mouse in the window, my keyboard was gone and the mouse was confined inside the edges of my Ubuntu guest! This required a hard reset of the machine. I uninstalled VirtualBox, reinstalled and have not had the same disconcerting issue.
  • The default “host key”, the right Ctrl key, is not my first choice and so I change this to my Scroll Lock key. Now don’t laugh: it’s probably obvious to most, but when they say host + F they mean “hold down the host key while pressing F.” Somehow, it just seemed wrong to hold down the Scroll Lock key and this led me into wondering why no hot keystrokes worked.
  • Note that when Ubuntu auto-updates the Linux kernel, VirtualBox will abend upon running after the next reboot. I panicked and changed the grub menu default to use the prior kernel at boot time until a nice forum poster named onero gave easy instructions for an update.

April 14, 2007

Port-Security: Devil in the “sticky” details?

Filed under: CCNP, Cisco, Cisco Switches — scottledyard @ 9:53 pm

Cisco’s port-security feature in its switches can restrict a switchport to a single, learned MAC address, potentially preventing such security issues as:

  • A user bringing in their own router, switch or hub to create a rogue network.
  • A user unplugging their corporate PC and plugging in an unauthorized laptop.
  • Unauthorized use of a virtual machine (VM) on a PC, which creates a new MAC address.

It’s easy to see that the VM – Parallels in this case – uses a separate MAC address for its separate IP in the following screen shot:

We can mitigate problems from normal, non-hacker users; presumably hackers could spoof a laptop’s MAC address. Shoot, I can even plug in my old Linksys NAT router, have it “clone” my PC’s MAC address and it will be able to circumvent all of the above listed exploits. But it does afford some level of protection, so off we go…

Last time the Sticky wasn’t working quite right (thanks to errors in Cisco book!):

“During this practice setup, I found that the 3550 switch DID restrict use of multiple MACs, but it didn’t learn a “Sticky MAC” address and permitted me to swap out one PC for another. Though I followed Cisco’s instructions (ISBN-10: 1-58720-171-2), where it indicates that Sticky Learning is the default, later research on the Cisco web site indicates it’s not (see Note 1 below). I’ll try the switchport port-security mac-address sticky command next time.”

So this time I used the right IOS, so we get to see some security in action.

Note: The running-config is actually changed to add new “sticky” lines with the learned MAC addresses filled in: “…sticky ####.####.####”

Also, I’ll note here that I attempted to proceed with DAI (Dynamic ARP Inspection), but the switch’s CLI simply returned an error that the ip arp… command is invalid. The ip source binding command was also unavailable. Hmmm. Our switches are running IOS Release 12.1; Cisco’s web site shows this command supported on a 3550 using Cisco IOS Release 12.2(35)SE (see web page). Administration so far refuses to upgrade the IOS release (sigh!)

Now on to the blow-by-blow account of Port-security: (more…)
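The sticky port-security setup this post arrives at, written out as an added configuration example (not the post’s own running-config); the interface name, access VLAN and the errdisable recovery timer are assumptions.

```cisco
! Added example, not the blog's running-config. Interface, VLAN and the
! recovery interval are assumptions; adjust to the switch in use.
!
! A violation err-disables the port. Let it recover by itself after 5 minutes
! instead of waiting for an admin to do "shutdown / no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/1
 description User access port
 ! Port-security is refused on a dynamic (DTP) port; pin it to access mode.
 switchport mode access
 switchport access vlan 10
 ! The feature is OFF by default; this line turns it on.
 switchport port-security
 ! One learned MAC per port: a hub, a second switch or a VM's extra NIC
 ! shows up as a second address and trips the violation.
 switchport port-security maximum 1
 ! Sticky learning is NOT the default. Without it the MAC is learned
 ! dynamically and forgotten on link-down or reload, so swapping PCs is
 ! silently allowed. With it the learned address is written into the
 ! running-config as:  switchport port-security mac-address sticky xxxx.xxxx.xxxx
 switchport port-security mac-address sticky
 ! shutdown (default) err-disables the port; "restrict" drops and logs,
 ! "protect" drops silently. Choose the one that matches who watches logs.
 switchport port-security violation shutdown
end
!
! The sticky line only survives a reload if the config is saved.
copy running-config startup-config
!
! Verification (exec mode):
show port-security interface FastEthernet0/1
show port-security address
show interfaces status err-disabled
```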

Slick, Yet Useless?

Filed under: Word 2007 — scottledyard @ 11:38 am

Plugging away at using Word 2007 (Office 2007) and finding some cool stuff (like the BLOG posting facility), yet about every 3rd posting I find that Word crashes. Uninteresting, even annoying in and of itself, it IS interesting for a couple of reasons:

Today, after umpteen crashes, a dialog pops up and says something like, “It appears that Office is repeatedly crashing. We’re sorry about that. Would you like to run Microsoft Office Diagnostics in an attempt to resolve the problem?” Ah! They care! How kind! Sure, please figure out the problem!

So, it ran a very attractive diagnostic process for about 10 minutes and came up with nothing:

Hmmm. Looks good, but the proof is in the pudding and it didn’t solve any problem. At a referring web site, it provided no additional insight, but it did suggest I turn on an ability to routinely download a file that gives MS info about my system, and maybe this would help. (See Word Options, Trust Center, Privacy Options, Download a file periodically that helps determine system problems.)

I did. Best I can hope for is a bug fix in the future I guess.

On the positive side, the crash recovery mechanism now takes place immediately, not just when you restart Word. This is a surprisingly smart, yet simple idea. Since the editing is freshly in your mind, better take care of damage control ASAP.

Where are those characters I just typed?

Filed under: XP — scottledyard @ 11:12 am

Cranky Nerd with a Pet-Peeve:

Is it just me, my laptop*, or is the flushing of the type-ahead buffer being relegated to a lower priority nowadays? That is, why am I typing text and sometimes finding that it waits a while to show up?

It was WAY long ago when I saw a word processing app demonstrated using a Wyse dumb terminal on a Xenix box. We witnessed the UNACCEPTABLE: characters would NOT appear on our screen until AFTER we pressed the keys. You would begin typing and when the processor (dare I confess it was an 80286?) got busy the characters might display a half a second to a few seconds later. We all immediately judged this word processor unworthy. The standard was a typewriter, then a PC running WordStar, Word, WordPerfect or MultiMate. They ALL could keep up using processors that were mental midgets compared with those we use today.

What’s going on? I’m seeing this more often recently, and it’s not just on my laptop.

* My HP dv5000 with numerous personality flaws: (more…)

April 11, 2007

Pretty severe penalty for excessive DHCP-ing

Filed under: CCNP, Cisco, Cisco Switches, DHCP, Security — scottledyard @ 9:28 am

Cisco allows you to monitor any switchport to limit the rate of DHCP client activity. Presumably, someone flooding a network with spurious DISCOVER packets could give a DHCP server headaches.

I figured extra packets would just be dropped, but was in for somewhat of a shock when the port was placed into a permanent ERR-DISABLE status. That means a SysAdmin would need to reset the port manually, unless other provisions were made.

So what’s a reasonable number of packets per minute? Maybe 3? I set it to 2 to see what the result would be. Pretty drastic!

The IOS: (more…)

April 7, 2007

Firing up a Fresh 3550 Switch using Auto-configuration

Filed under: CCNP, Cisco, Cisco Switches, DHCP, Security — scottledyard @ 10:27 am


Don’t look here if you’re hoping to actually see a “how-to.” Here’s a link to Cisco’s page on Switch Auto-Configuration. (I haven’t gone through it, but from what I read I wouldn’t assume it’s going to be easy. Looks like it’s easy on the switch, but you have to configure a ton of stuff!)

So the point of this posting is just to show what displays on your console if you reload or start the switch after erasing the startup-config and a DHCP server happens to be attached. What’s not apparent from the listing is that there will be endless console messages showing attempts to reach a config server.

— System Configuration Dialog — (more…)

March 31, 2007

Mitigating IP DHCP Snooping

Filed under: CCNP, Cisco, DHCP, MST, SPAN, Security, Wireshark — scottledyard @ 8:44 pm

OVERVIEW – Where Cisco’s DHCP Snooping is used to prevent a rogue DHCP server from offering up bad IPs or, worse, a bad gateway

Lab 03312007

My daughter’s school gives every student two different ID numbers to use. It’s so confusing for her as to which one to use when. In the same manner, allowing a second DHCP server on a subnet segment is apt to confuse many host PCs, and the users too. Any home router, a Windows Shared Internet connection or a distro of Linux can easily be set up as a DHCP server, plugged into your network, and begin the confusion.

Worse, if a malicious hacker wants to intercept all packets on a network, browse them and send them on their way, setting up a rogue DHCP server, which can define the gateway IP as itself, is one way to do it (i.e., a man in the middle attack.)

Fortunately, Cisco switches allow you to mitigate either the accidental or the intentional danger by defining one or more ports on a switch that can be trusted to dole out IPs using DHCP. All ports in a VLAN are initially flagged as untrusted for any DHCP offers; then you may indicate which are to be trusted. We will use the global config command ip dhcp snooping to turn it on. Then we’ll use interface commands to set it up for various ports.

I learned a bit more about the somewhat mysterious background workings of DHCP. And frankly, some mysteries continue. Watching Wireshark sniff packets provides a clearer idea as to what’s going on. When a client attempts to renew an IP lease (halfway through its duration) I believe it uses a direct unicast with the original server. If never answered, it will resort to a DISCOVER broadcast, trying to locate any DHCP server to offer it an IP. What seems strange, though, is that after a host interface is forced to close down (in Linux with an ifdown command) then brought back with an ifup, the host seems to request the same IP address it had before, even if it’s requesting the IP from a different DHCP server. What’s more, if there should be two DHCP servers present (an abnormal and incorrect setup) the host seems to accept (i.e., request) the IP from the original server. This would seem to indicate the need for a hacker to disable the original DHCP server or intercept any of its offers.

Now I overcame this by temporarily disconnecting the Good DHCP server and resetting the host NIC (using ifdown + ifup). The host PC then became responsive to the Rogue server. Note in the Wireshark sniff display below that both 1.1.1.7 (Rogue) and 1.1.1.11 (Good) DHCP servers offered IPs, but the window below, showing the details of the REQUEST packet, reveals that it’s accepting the Rogue offer.

Wireshark DHCP

Eric Capal says it’s because the first one doesn’t have to do an ARP request since the original server is still in the host’s ARP cache.

SETUP – Where two DHCP servers are established and the fun begins

  • Setup PC 11 (HD # 07) as DHCP server to dispense IPs 1.1.1.13-250/24
  • Setup PC07 (HD # 01) as DHCP server (rogue) to dispense IPs 1.1.1.201-210/24
  • (Oops, forgot to activate the server in Windows!)
  • Activated MST instead of PVST (see previous post) in an effort to lower the BPDUs. That didn’t work as there’s only 1 VLAN in use.
  • I messed around with Wireshark trying to get some capture filters to work. Need some training here. Want only source (not transmitted or destination) on one PC’s MAC.
  • Put both DHCP servers on one net and did some ifdown/ifup commands. Seems a host will go back to its original DHCP server and use it to get its IP. Then if that one is unavailable, it goes to the other and then becomes “loyal” to that one. Capal says that’s because the first one doesn’t have to do an ARP request since that’s still in its ARP cache.
  • I was surprised to see that PC10 was leasing the 1.1.1.252 address after it was not supposed to be able to access DHCP advertisements from the rogue DHCP server. In fact it was NOT in contact with that server; it was merely re-obtaining the 252 IP from the “good” DHCP server. It was its previous IP and it was a valid IP in the “good” server’s scope of IPs. Apparently it requested the “good” server to lease that same IP even though it was originally dealt from the rogue server.

Now for the Show Run and Show IP DHCP Snooping commands: (more…)
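The trusted/untrusted port setup this post describes, combined with the per-port DHCP rate limit from the April 11 post (“Pretty severe penalty for excessive DHCP-ing”), as an added configuration example that is not the lab’s own running-config; interface names, the VLAN number and the limit value are assumptions. One fact worth knowing from the IOS command reference: the rate argument is DHCP packets per second, not per minute.

```cisco
! Added example, not the lab's running-config. Interface names, VLAN number
! and the rate value are assumptions.
!
! Global: turn snooping on, then name the VLAN(s) it applies to. Nothing is
! filtered until BOTH lines are present.
ip dhcp snooping
ip dhcp snooping vlan 1
! By default the switch inserts option 82 into forwarded client packets,
! which a non-Cisco DHCP server (a Windows PC here) may reject; turn it off.
no ip dhcp snooping information option
!
! A port that exceeds its rate limit is err-disabled. Let it recover by
! itself after 5 minutes rather than staying down until an admin resets it.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! The ONLY port allowed to carry OFFER/ACK: the one the good server (PC 11,
! 1.1.1.11 in the post) hangs off. Server replies arriving on any untrusted
! port are dropped, so the rogue on 1.1.1.7 never reaches a client.
interface FastEthernet0/24
 description Port to legitimate DHCP server
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default) and get a DISCOVER/REQUEST cap.
! Unit is packets per SECOND; a value of 2 can be tripped by a single host
! doing ifdown/ifup renewals, so 10 or so is a more realistic ceiling.
interface range FastEthernet0/1 - 23
 switchport mode access
 ip dhcp snooping limit rate 10
end
!
! Verification (exec mode): trusted ports, rate limits, and the
! MAC/IP/lease table the switch builds from snooped ACKs.
show ip dhcp snooping
show ip dhcp snooping binding
show interfaces status err-disabled
```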

March 25, 2007

Add VTP and a 1760 router

Filed under: CCNP, Cisco, Cisco Switches, MST, RSTP, STP — scottledyard @ 10:00 am

Net layout 032407

Maintaining a VLAN database is much easier using VTP, but it requires some care when adding a new switch, else it might wipe out your carefully configured VLANs.

I presumed the best way was to set up ONE switch, zap the other switches’ revision numbers to zero, and then hook them up. But I could have hooked them all up first and then configured. Switches added after THAT would have needed to have their revision # set back.

I planned to incorporate the router right into the load balanced, fault tolerant MST (Multiple Spanning Tree) switch network, but ran into a glitch when it came to the router switch ports. The switch banks added into a 1760 router are NOT full function switches, lacking any VTP mode but transparent and having NO facility for any STP other than standard. Odd, since the IEEE has deprecated STP in favor of Rapid STP.

I was able to configure the router switch port and a VLAN (10) to serve as an IP addressable gateway, and finally ping out to another network (4.4.4.0/24). No small feat, since this required the config of the PIX 501 firewall appliances with a static route back to my net. I did get into the config of the PIX enough to see that the OSPF routing protocol could be configured to make this simpler and more flexible.

Questions I still have:

An IP is listed for “who” updates VTP on the switch (see note marked ** below). Since the switches update themselves (presumably with layer 2 multicasts) I’m not sure why a layer 3 IP would be important.

VTP Setup.

Let’s take a look at the initial state of VTP on the 3550 switch that I chose to be the “leader” (more…)
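The “set up one switch, zero the others’ revision numbers, then cable them in” procedure from this post, as an added configuration example (not the post’s own config); the domain name, password, VLAN ids and the two sample VLAN names are assumptions.

```cisco
! Added example, not the post's config. Domain name, password and VLAN ids
! are assumptions.
!
! --- On the switch chosen as the "leader" (VTP server) ---
! Domain + password: a switch with a different domain or a wrong password
! ignores advertisements, which is the main guard against a stray switch
! (or anyone plugging one in) rewriting the VLAN database.
vtp domain LABNET
vtp password S3cretLab
vtp mode server
vlan 10
 name Users
vlan 20
 name Servers
!
! --- On every OTHER switch, BEFORE its trunk is cabled in ---
! VTP trusts the highest configuration revision number: a client that was
! used in another lab with a higher revision overwrites the server's VLANs.
! Going to transparent mode resets the revision to 0 (so does changing the
! domain name); only then join the domain as a client.
vtp mode transparent
vtp mode client
vtp domain LABNET
vtp password S3cretLab
end
!
! Check BEFORE connecting: "Configuration Revision" must read 0. The IP after
! "Configuration last modified by" is merely the management address of the
! switch that last changed the database; the advertisements themselves are
! layer 2 multicasts carried over trunk links, no IP needed.
show vtp status
```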
