Securing Splunk web interface with Let’s Encrypt

   Posted by: Dante   in General

The availability of Let’s Encrypt across most modern browsers’ trusted stores is pretty awesome. Combine that with an easy to use interface for generating/renewing certificates and you’ve got a winning platform.

Today we’ll look into generating a certificate with Let’s Encrypt to secure a Splunk Enterprise installation. This howto assumes a couple of things:

  1. Splunk is installed under /opt/splunk
  2. Let’s Encrypt binaries are under /opt/letsencrypt

Let’s get started! First make a backup of the current certs under /opt/splunk/etc/auth/splunkweb (privkey.pem and cert.pem). To generate the new certificate, we’ll use the standalone temporary webserver feature from Let’s Encrypt, which listens on port 80 for incoming connections to validate the domain/host, so make sure that port is open. Run ‘letsencrypt-auto certonly’ from the Let’s Encrypt folder, then select the temporary webserver option. Your new certs should be generated under the /etc/letsencrypt/live folder.

Next up we’ll simply link the generated certs to the Splunk folders. With default folders in consideration, do this:

  • cd /opt/splunk/etc/auth/splunkweb
  • ln -s /etc/letsencrypt/live/(YOUR HOST)/privkey.pem ./privkey.pem
  • ln -s /etc/letsencrypt/live/(YOUR HOST)/fullchain.pem ./cert.pem

After that, log into the Splunk interface on port 8000 (default) and go to the Administration section, then enable SSL for the Splunk Web component. After a server restart, it should start serving SSL content over port 8000.
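
The backup and link steps above as one function, as an added example that is not part of the original post. The function name, the backup-TIMESTAMP directory and the scratch files in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   link_splunk_certs LIVE_DIR SPLUNKWEB_DIR
# Prints the backup directory on success; returns 1 without changing
# anything if the new key or chain is missing.
link_splunk_certs() {
    live_dir=$1    # e.g. /etc/letsencrypt/live/(YOUR HOST)
    web_dir=$2     # e.g. /opt/splunk/etc/auth/splunkweb
    backup_dir="$web_dir/backup-$(date +%Y%m%d%H%M%S)"

    # -r is evaluated for the invoking user: run this as the account Splunk
    # runs under to catch a key that Splunk itself cannot read.
    for f in privkey.pem fullchain.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing or unreadable: $live_dir/$f" >&2; return 1; }
    done

    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    for f in privkey.pem cert.pem; do
        # Move the old file (or an old symlink) aside; skip if there is none.
        if [ -e "$web_dir/$f" ] || [ -L "$web_dir/$f" ]; then
            mv "$web_dir/$f" "$backup_dir/$f" || return 1
        fi
    done

    ln -s "$live_dir/privkey.pem"   "$web_dir/privkey.pem" || return 1
    ln -s "$live_dir/fullchain.pem" "$web_dir/cert.pem"    || return 1
    echo "$backup_dir"
}

# Demo on scratch directories with constructed placeholder files.
demo=$(mktemp -d) && mkdir "$demo/live" "$demo/splunkweb"
echo new-key > "$demo/live/privkey.pem"; echo new-chain > "$demo/live/fullchain.pem"
echo old-key > "$demo/splunkweb/privkey.pem"; echo old-cert > "$demo/splunkweb/cert.pem"
echo "backup written to: $(link_splunk_certs "$demo/live" "$demo/splunkweb")"
```

Because the links point into the live folder, a renewal changes what they resolve to, but Splunk Web keeps serving the old certificate until it is restarted.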

Leave a comment if you had any issues or suggestions!



Installing ZoneMinder on Ubuntu 14.04 Trusty Tahr

   Posted by: Dante   in General

ZoneMinder is a free open-source PVR for security cameras with plenty of features such as zone-based motion detection, support for network cameras with various protocols, etc. The install instructions on the program’s website are a bit misleading for a new install, so we’re going to do a step-by-step install walk-through here. This is based on the 1.27 release of ZoneMinder and the Server release of Ubuntu 14.04 LTS. On my first install, I used a low power machine with an Atom D525 processor, and that was nowhere near the capability needed for a single network camera, so I had to change the hardware to something beefier. Take that into consideration before starting the process. In the end, I used a small DELL desktop with an Intel C2D E6300 and it worked out great for 3 ACTi network cameras.

Let’s start with deploying Ubuntu on the machine you’ll use to record video. I did a base install with the basic Ubuntu server, OpenSSH and Samba packages, no X and no LAMP stack (this will be installed later). Configure disk as needed during the install.

Once the system is up and running, we’ll add the repository for ffmpeg. With Ubuntu 14.04, they’ve switched to libav and there’s no package for ffmpeg, so we’ll add it from the official PPA. Issue these commands:

user@host:~$ sudo apt-add-repository ppa:jon-severinsson/ffmpeg
user@host:~$ sudo apt-get update

Now we’ll add a whole slew of packages, required by ZoneMinder. Issue this command:

user@host:~$ sudo apt-get install apache2 mysql-server php5 php5-mysql build-essential libmysqlclient-dev libssl-dev libbz2-dev libpcre3-dev libdbi-perl libarchive-zip-perl libdate-manip-perl libdevice-serialport-perl libmime-perl libpcre3 libwww-perl libdbd-mysql-perl libsys-mmap-perl yasm automake autoconf libjpeg8-dev libjpeg8 apache2-mpm-prefork libapache2-mod-php5 php5-cli libphp-serialization-perl libgnutls-dev libjpeg8-dev libavcodec-dev libavformat-dev libswscale-dev libavutil-dev libv4l-dev libtool libnetpbm10-dev libavdevice-dev libmime-lite-perl dh-autoreconf dpatch git ffmpeg libvlccore-dev libvlc-dev libcurl4-gnutls-dev libjson-any-perl netpbm zip libnet-sftp-foreign-perl libio-pty-perl libexpect-perl libtiff5

Define a secure password for your MySQL install. After it completes, we’ll continue by retrieving the ZoneMinder source and building the package. Let’s clone the repository under /opt and build the .deb package for installation (note that the ubuntu1204 link is not misspelled):

user@host:/opt$ sudo git clone https://github.com/ZoneMinder/ZoneMinder.git zoneminder
user@host:/opt$ cd zoneminder
user@host:/opt/zoneminder$ sudo ln -s distros/ubuntu1204 debian
user@host:/opt/zoneminder$ sudo dpkg-checkbuilddeps
(the above command should return no results)
user@host:/opt/zoneminder$ sudo dpkg-buildpackage

This should result in a few packages being available under /opt. We’ll install the .deb package using:

user@host:/opt$ sudo dpkg -i ./zoneminder_1.27.1-1_amd64.deb

After installing the package, if it complains about dependencies, do ‘sudo apt-get -f install’ followed by ‘sudo dpkg-reconfigure zoneminder’ to correct the situation. At the time of writing, this came out clean. Now we’re going to make the web interface available via Apache:

user@host:/opt$ sudo cp /etc/zm/apache.conf /etc/apache2/sites-available/zm.conf
user@host:/opt$ sudo a2ensite zm
user@host:/opt$ sudo a2enmod cgi
user@host:/opt$ sudo service apache2 restart

This should make the web interface available through http://host/zm. Beware that this is a standard install with all defaults, so it’s recommended to follow standard procedures to tighten down Apache’s config as well as MySQL and the system itself.

From here, standard ZoneMinder configuration applies, so just add your cameras as desired. There’s a good starter tutorial for motion detection here.


Today, we at Your Nearest Bar are proud to announce our first software release, called JetScanner. It is a little utility coded in Python (tested only on 2.7) that allows scanning pages from an HP JetDirect device that has an AiO or MFP device attached to it. Currently it is only tested with the HP JetDirect 175x, or J6035B. If you’d like us to add support for other JetDirect devices, please shoot an email to somedude at yournearestbar dot com.

The code is licensed under the GPLv2 and it’s available for download at http://code.google.com/p/jetscanner/. The program has descriptive help built-in with the switch -h or --help. Current plans include changing the PDF postprocessing and adding e-mailing capabilities, so check back in the future for an updated version.



Monitoring dd with a progress bar

   Posted by: Dante   in General

When using the Linux utility dd, there is no visual output of the progress, how long it is going to take, or anything else. Easy to solve with the use of pv:

% pv /dev/sda | dd of=/dev/sdb bs=100M

That’ll display the amount of data transferred, the elapsed time, the throughput speed, a nice progress bar, and the ETA. For devices that do not have a fixed size, let’s say, /dev/zero, there’ll be only a throughput display.



Printing across different subnets

   Posted by: Dante   in General

When printing across different subnets, or configuring a personal firewall, certain ports need to be opened. For RAW and LPD/LPR printing, use the following:

  • TCP 9100
  • TCP 515

If printing from Microsoft Windows, the operating system will need SNMP access open as well, otherwise the printer detection procedure won’t work. Open the following port:

  • UDP 161

Make sure that the SNMP access is read-only, or that it has a strong password if read-write is really needed.



Enabling SSH access on a Cisco router

   Posted by: Dante   in General

Let’s go through a quick and easy way to enable SSHv2 access on a Cisco router. Should be similar on a switch.

  • Make sure the IOS has the crypto modules, usually identified by a “k9” or “k5” in the IOS file name. Check with show version
  • Configure a hostname with the command hostname and a domain name with the command ip domain-name
  • Generate a new keypair with crypto key generate rsa and use 2048 bits
  • Create a new username for SSH access: username sshuser password 0 mysshpassword. Replace sshuser and mysshpassword accordingly.
  • Configure SSH parameters:
    • ip ssh timeout 60
    • ip ssh authentication-retries 3
    • ip ssh rsa keypair-name NAME (replace NAME with the keypair name obtained from show crypto key mypubkey rsa)
  • Prevent non-SSH sessions with line vty 0 4 and transport input ssh
  • Additionally, prevent SSH access from outside a certain subnet:
    • access-list 15 permit
    • line vty 0 4
    • access-class 15 in

Now SSHv2 should be enabled and accessible. All commands should be entered in global configuration mode, except for the show commands.
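
A check for the result of the steps above, as an added example that is not part of the original post: it reads a saved running-config and reports vty lines that still accept non-SSH sessions or have no access-class, missing ip ssh settings, and cleartext user passwords. The sample config is constructed; its hostname edge1, domain example.test and second vty range (line vty 5 15) are assumptions.

```shell
#!/bin/sh
# Added example: audit a saved IOS running-config (file argument or stdin)
# against the steps listed above. Returns 1 if any FAIL line is printed.
audit_ios_ssh() {
    awk '
    function close_vty() {
        if (vty == "") return
        if (transport != "ssh") { print "FAIL: " vty ": transport input " transport; bad++ }
        if (!acl) { print "FAIL: " vty ": no inbound access-class"; bad++ }
        vty = ""
    }
    { sub(/\r$/, "") }                          # tolerate CRLF captures
    /^line vty /  { close_vty(); vty = $0; transport = "unset"; acl = 0; next }
    /^[^ ]/       { close_vty() }               # any unindented line ends the block
    vty != "" && /^ transport input /      { transport = substr($0, 18) }
    vty != "" && /^ access-class [^ ]+ in/ { acl = 1 }
    /^ip ssh timeout /                { timeout = 1 }
    /^ip ssh authentication-retries / { retries = 1 }
    /^username [^ ]+ password 0 /     { print "WARN: cleartext password stored for " $2 }
    END {
        close_vty()
        if (!timeout) { print "FAIL: ip ssh timeout not set"; bad++ }
        if (!retries) { print "FAIL: ip ssh authentication-retries not set"; bad++ }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: vty 0-4 follows the steps, vty 5-15 was never touched.
sample_config() {
    cat <<'EOF'
hostname edge1
ip domain-name example.test
username sshuser password 0 mysshpassword
ip ssh timeout 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 15 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
EOF
}

sample_config | audit_ios_ssh || echo "findings above need fixing"
```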



Fixing Windows Media Center TV Setup

   Posted by: Dante   in General

Given certain circumstances, Windows Media Center will get stuck at “Downloading TV Setup Data” and do nothing else. This generally occurs after some sort of hardware change, as it happened to me on a motherboard change and on a hard drive change. YMMV.

For the sake of clarity, this entire post refers to Windows 7, but it could apply to Vista as well, given that the paths are relatively the same.

Anyway, there are a few posts around the Web that tell you to run a command line for mcupdate.exe with some switches. That’s like getting a tire patch, it’ll work for now but won’t last. Here’s the new tire solution:

1) Go to the Control Panel, Programs and Features, and click “Turn Windows Features on/off”. Uninstall Windows Media Center.

2) Reboot.

3) Empty out the folder C:\ProgramData\Microsoft\eHome\

4) Go to the features and enable Windows Media Center again.

5) Run Windows Media Center and do the TV setup.

This solution is the only one that worked across reboots and allowed me to go and reset the TV signal without hassle. Please leave a comment if something else worked for you.


Today I’ve decided to give OpenSolaris a spin, and to my surprise, it doesn’t have the SmartArray drivers available by default. Took some considerable amount of research to come up with a procedure to do the install. Here are the steps:

  1. Download the SmartArray drivers for Solaris on the HP website (at the time of writing, I installed OpenSolaris 2009.06 and used drivers for Solaris 10)
  2. Uncompress the package with gunzip.
  3. Inside the newly uncompressed folder, there will be a file called CPQary3.pkg. First run pfexec touch /ADD_DRV_IGNORE_ROOT_BASEDIR then run pfexec pkgadd -d ./CPQary3.pkg in the folder with the uncompressed files. There will be some errors installing the man page, but those should be ignored. The driver will be successfully installed.
  4. Run the Device Driver Utility. Right click the Smart Array controller, go to Show Details. Make note of the node name of the controller, which was pcie11,409a in my case.
  5. Run pfexec add_drv -c scsi -i '"pcie11,409a"' cpqary3, substituting the correct node name for your case. It shouldn’t give any errors. Please note that the node name is wrapped in a single quote followed by a double quote.
  6. Run the OpenSolaris Installer, and it should detect your arrays.

Overall it’s an easy process, and it amazes me that the default image does not include this driver. Good luck with the install. Questions are welcome in the comment area.



Windows System Image Restore and Intel RAID volumes

   Posted by: Dante   in General


Computer has 4 hard drives, two in RAID-0 and 2 independent disks. RAID-0 contains two partitions, C: and D:. One of the drives started failing, needing replacement, and then a backup was done using Windows System Image Backup, included with Windows 7. Recovery DVD was generated to boot the computer.

All fine and dandy, the failing HDD was replaced. Another RAID-0 volume was created, and proceeded to boot the recovery DVD. After following the steps and making sure to exclude the independent disks from the restore process, the backup says that there are no valid volumes present. Tried downloading the latest Intel drivers, no go. Tried going with all independent disks, the DVD wouldn’t even boot. After some time playing around and fearing for the data, here’s a few tips to have a successful experience:

  1. Make sure to label the new RAID-0 volume *exactly* as it was before. The default is Volume0, and it *has* to be the same for the restore to work;
  2. Disconnect any and all hard drives that you don’t need. In this procedure, there were two independent disks, one had the image backups, the other was for regular data storage. Had to disconnect the second independent disk for the restore to work.

In a nutshell, the procedure works fine, despite the majority of people going to Acronis (I agree it’s a much more reliable solution) for this image backup. Following the 2 simple tips mentioned before, the backup will restore and the drives will be the same as before. As always, make sure to have regular data backups in place!


With Microsoft Exchange 2007, there is a default policy that enforces the use of a 4 digit passcode (PIN) to unlock the phone. Here’s how to make the passcode optional to the user:

  1. Login to a machine with the Exchange Management Tools installed
  2. Open the Exchange Management Console
  3. Expand the Organization Configuration
  4. Click on Client Access and then choose the password tab
  5. Remove the check from the box that says Require Password

Afterwards, do a manual sync with the phone, then disable the passcode under Settings / General / Passcode Lock.
