My friend Jason recently posted an update on his blog over at Peaks and Protocols about redoing his home network's DNS setup. This reminded me that I really needed to write up my own recent DNS rebuild, which is built around HashiCorp's Consul, dnsmasq and Ansible running on a few Raspberry Pi 3s. Overkill? Probably. But if you can't have fun with your home network, what's the point? On to the setup…
Despite coming from the networking side of IT, I tend to use regular consumer grade equipment at home. It typically just works, and I’m not looking for extreme reliability or features. I’ve been using hardware from Linksys, Netgear, and the other consumer network vendors for at least the last 10 years. Sometimes, though, things happen that make you reevaluate your previous life choices…
For me, that thing was an email that I received from Verizon saying my router was infected with malware.
Every now and then you have to export a certificate in Windows, and whoever requested or imported it left the "Mark this key as exportable" box unchecked… What is an enterprising SysAdmin to do? Enter Mimikatz (source), a tool that, among several other cool (and frightening) things, patches the Windows crypto API in-process so that private keys flagged as non-exportable can be exported anyway. The process is very simple.
To export an unexportable private key:

1. Create a temp directory.
2. Download the latest version of Mimikatz.
3. Extract the appropriate version (32 or 64 bit) to the temp directory.
4. Open an admin command prompt.
5. Change to the temp directory.
6. Run mimikatz.
7. Type crypto::capi
8. And finally type crypto::certificates /export

You'll see all of the certificates in the MY store exported into the temp directory in pfx format. Two things worth knowing before you rely on this: the exported PFX files are protected with the password "mimikatz", and crypto::capi only covers keys held by the legacy CryptoAPI (CSP) providers. Keys stored in CNG need crypto::cng instead, and the machine store rather than the current user's needs /systemstore:local_machine on the export command.
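As an added check before reaching for mimikatz (this is my own example, not code from the original post), the following PowerShell lists every certificate in the machine MY store that has a private key and reports whether the key is flagged exportable and whether it lives in legacy CryptoAPI (CSP) or CNG storage, which tells you whether crypto::capi or crypto::cng is the right patch. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, run from an elevated prompt; the store path is a parameter and defaults to the LocalMachine MY store.

```powershell
# Added example: inventory private keys in a certificate store and report
# exportability and key storage provider. Not part of the original post.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ and an elevated prompt.

function Get-PrivateKeyExportInfo {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert       = $_
        $provider   = 'Unknown'
        $exportable = $null

        try {
            # GetRSAPrivateKey returns an RSACng for CNG-stored keys and an
            # RSACryptoServiceProvider for legacy CSP-stored keys; $null for
            # non-RSA (e.g. ECDSA) keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

            if ($null -eq $rsa) {
                $provider = 'Non-RSA'
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = 'CNG'      # mimikatz needs crypto::cng for these
                $exportable = [bool]($rsa.Key.ExportPolicy -band `
                                     [System.Security.Cryptography.CngExportPolicies]::AllowExport)
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider   = 'CAPI'     # crypto::capi covers these
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Keys this principal cannot open land here; the message says why.
            $provider = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

Get-PrivateKeyExportInfo | Format-Table -AutoSize
```

Anything that comes back with Provider = CAPI and Exportable = False is what the crypto::capi step above is for; a CNG row needs crypto::cng, which patches the key isolation service rather than the current process, so it is noisier and needs the same elevated rights.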
Now that we are implementing more Linux systems, I’m noticing some of the pain points of keeping certain things in sync. A big annoyance, for example, is keeping our infrastructure and users’ SSH keys in sync across all of our machines. There are several methods currently available, but I had issues with each. I’ve listed the two main methods below.
Via Configuration Management
A very DevOps-y way of tackling the problem would be to use a configuration management system like Chef to keep the files updated.
My company currently does a lot of its debug logging via email… This means that every time an unhandled exception occurs in production, QA, UAT, or integration, we get an email. Thank goodness for custom email rules and single instance storage in Exchange. Oh wait.
I have been a proponent of Logstash and the ELK stack for quite a while now. It is a wonderfully flexible framework for centralizing, enriching, and viewing log data.
Lenovo shipped a piece of software that could arguably be called malware or spyware. Superfish, as this article indicates, installs its own self-signed root CA certificate into the Windows trusted root store so that it can intercept HTTPS traffic, which makes that certificate authoritative for every site. Because the same private key shipped with every copy of the software, anyone who extracts it can impersonate any HTTPS site to an affected machine. I wanted to be sure that this issue wasn't present on any of our Lenovo systems, so I turned to PowerShell to help.
I found a copy of the certificate on Robert David Graham’s github here. I pulled the thumbprint from the cert which appears to be: c864484869d41d2b0d32319c5a62f9315aaf2cbd
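Here is the kind of check I would run for this, as an added example rather than the original post's script. It looks for the thumbprint quoted above in the trusted root stores of the local machine, optionally removes it, and the last two lines fan the same function out to every non-server computer object in AD over PowerShell remoting. The thumbprint is the one from the post; the domain and the assumption that WinRM is enabled on the clients are mine.

```powershell
# Added example: find (and optionally remove) the Superfish root certificate
# by thumbprint. Not part of the original post. Thumbprint comparison with
# -eq is case-insensitive, so upper/lower case does not matter.

function Find-SuperfishCert {
    param(
        [string]$Thumbprint = 'c864484869d41d2b0d32319c5a62f9315aaf2cbd',
        [switch]$Remove
    )
    # Superfish planted its CA in the machine Root store; the per-user Root
    # store is checked too in case a user re-imported it.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                $hit = [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Removed    = $false
                }
                if ($Remove) {
                    # Cert: provider supports Remove-Item since PowerShell 3.0
                    Remove-Item -Path $_.PSPath
                    $hit.Removed = $true
                }
                $hit
            }
    }
}

# Local check first:
Find-SuperfishCert | Format-Table -AutoSize

# Fleet-wide check (assumes WinRM is enabled on the workstations):
$computers = Get-ADComputer -Filter { operatingsystem -notlike "*server*" }
Invoke-Command -ComputerName $computers.Name -ScriptBlock ${function:Find-SuperfishCert} |
    Select-Object Computer, Store, Subject, NotAfter, Removed |
    Format-Table -AutoSize
```

Removing the certificate is only half the fix: the Superfish application itself has to be uninstalled as well, otherwise it simply puts the certificate back. An empty result set from the fleet-wide run is the state you want, so keep the output of the first run as your "before" evidence.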
I will be giving a presentation on Chocolatey, a Windows package manager, tonight at the New Jersey League of Professional Systems Administrators meetup. It is being held at the Lawrence Headquarters Branch of the Mercer County Library, 2751 Brunswick Pike, Lawrenceville, NJ. Come by and get some cake, meet some folks, and learn about a great tool! For more details and to register, head over to the meetup: http://www.meetup.com/LOPSA-NJ/events/218257852/
Apparently I've been living under a rock for a while, because I didn't know that SHA-1 was being phased out in the immediate future. Thank you, GoDaddy, for notifying me with a month and change to spare. As it turns out, Google will start flagging certain SHA-1 signed SSL certificates with the release of Chrome 39, which is set for November: certificates that expire in 2017 or later will be shown with a warning, and later Chrome releases tighten this further. For details, see the following links.

- Gradually Sunsetting SHA-1 (Google)
- SHA1 Deprecation Policy (Microsoft)
- Phasing out Certificates with 1024-bit RSA Keys (Mozilla)

Because our clients often purchase their own SSL certificates, we have no internal records to check what algorithm was used to sign the certificates in use.
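When there are no records, ask the servers. The following is my own added example (not the original post's code): it opens a TLS connection to each host, grabs the certificate the server presents, and reports the signature algorithm and expiry, flagging the combination Chrome 39 objects to (SHA-1 signature and NotAfter in 2017 or later). The host names are placeholders; it needs Windows PowerShell 3.0 or later and outbound access to port 443.

```powershell
# Added example: pull the leaf certificate from HTTPS endpoints and report the
# signature algorithm so SHA-1 signed certificates can be found without any
# internal records. Host names below are placeholders, not real clients.

function Get-RemoteCertSignatureInfo {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [int]$Port = 443
    )
    foreach ($h in $HostName) {
        $tcp = $null
        $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($h, $Port)

            # Accept any chain: the goal is to inspect the certificate, not to
            # validate it, so an expired or untrusted cert is still reported.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($h)   # $h also goes out as the SNI name

            $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA

            [pscustomobject]@{
                Host      = $h
                Subject   = $cert.Subject
                Issuer    = $cert.Issuer
                SigAlg    = $sigAlg
                NotAfter  = $cert.NotAfter
                # Chrome 39's first step only flags SHA-1 certs valid into 2017.
                Sha1Issue = ($sigAlg -like 'sha1*') -and ($cert.NotAfter -ge [datetime]'2017-01-01')
            }
        }
        catch {
            # Unreachable host, handshake failure, etc.: report, don't abort the run.
            [pscustomobject]@{
                Host      = $h
                Subject   = $null
                Issuer    = $null
                SigAlg    = "Error: $($_.Exception.Message)"
                NotAfter  = $null
                Sha1Issue = $null
            }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
    }
}

Get-RemoteCertSignatureInfo -HostName 'www.example.com', 'client-site.example.net' |
    Format-Table -AutoSize
```

This only looks at the end-entity certificate. Google's policy applies to a SHA-1 signature anywhere in the chain except the root, so a site with a SHA-256 leaf behind a SHA-1 intermediate still gets the warning; check the Issuer column against the intermediates your CA vendor publishes before declaring a site clean.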
Our account decommission process involves disabling a user and moving them to a “Disabled Domain Accounts” OU. Well, it turns out that our previous admin never actually hid these mailboxes from the Global Address List (GAL), so many of our offshore partners have still been sending emails to them. I decided to start cleaning this up a bit today with the following:
```powershell
# Hide every disabled user under the Disabled Domain Accounts OU from the GAL
Search-ADAccount -SearchBase "ou=Disabled Domain Accounts,dc=example,dc=local" -AccountDisabled -UsersOnly |
    Set-ADUser -Replace @{msExchHideFromAddressLists=$true}
```

Another simple bit of PowerShell.
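The one-liner assumes the decommission process always moved the account into that OU. As an added example (not from the original post), here is an audit that finds disabled mail-enabled users that are still visible in the GAL anywhere in the domain, and hides them only when -Apply is passed, so a dry run shows what would change first. The domain DN is a placeholder; it needs the ActiveDirectory module.

```powershell
# Added example: domain-wide audit of disabled users still visible in the GAL,
# independent of which OU they ended up in. Not part of the original post.
# 'dc=example,dc=local' is a placeholder domain.

function Get-DisabledVisibleMailUser {
    param([string]$SearchBase = 'dc=example,dc=local')

    # Only accounts with a mail attribute matter; accounts with no mailbox never
    # show in the GAL. msExchHideFromAddressLists is usually absent rather than
    # $false, so the test is "-ne $true", not "-eq $false".
    Get-ADUser -SearchBase $SearchBase `
               -Filter { Enabled -eq $false -and mail -like "*" } `
               -Properties mail, msExchHideFromAddressLists, whenChanged |
        Where-Object { $_.msExchHideFromAddressLists -ne $true }
}

function Hide-DisabledMailUser {
    param(
        [string]$SearchBase = 'dc=example,dc=local',
        [switch]$Apply
    )
    $users = @(Get-DisabledVisibleMailUser -SearchBase $SearchBase)

    foreach ($u in $users) {
        if ($Apply) {
            Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $true }
        }
        else {
            # Dry run: Set-ADUser honours -WhatIf and prints what it would do.
            Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $true } -WhatIf
        }
    }

    # Return what was (or would be) touched so it can be logged or reviewed.
    $users | Select-Object SamAccountName, mail, whenChanged, DistinguishedName
}

# Dry run first, then the real thing:
Hide-DisabledMailUser | Format-Table -AutoSize
# Hide-DisabledMailUser -Apply
```

Setting the attribute directly does the same thing as Exchange's Set-Mailbox -HiddenFromAddressListsEnabled $true, which just writes this attribute; the offline address book still has to regenerate and Outlook clients download it before the entries disappear for cached-mode users.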
I recently found myself in need of the ability to clear the DNS cache of all the laptops in my company. I found a very powerful and simple way to do so and thought I would share.
```powershell
# Every computer object whose OS is not a Server edition: all workstations, not just laptops
$c = Get-ADComputer -Filter {operatingsystem -notlike "*server*" }
# Run the normal Windows command on all of them at once over PowerShell remoting
Invoke-Command -cn $c.name -SCRIPT { ipconfig /flushdns }
```

The first line queries Active Directory for every computer that isn't a server, which in practice means every workstation, desktops included. The second line invokes the normal Windows command "ipconfig /flushdns" on all of those computers over PowerShell remoting, so WinRM has to be enabled on them; a machine that is off or unreachable just produces an error for that host while the rest carry on.
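The failure mode of the two-liner is that on any real fleet a good share of the workstations are switched off, and the errors for those hosts scroll past mixed in with the successes. As an added example (my code, not the original post's), here is the same job with the unreachable machines collected and reported alongside the ones that were flushed, disabled computer objects skipped, and the newer Clear-DnsClientCache cmdlet used where it exists. It assumes the ActiveDirectory module and WinRM on the clients.

```powershell
# Added example: flush the DNS resolver cache on every enabled workstation in
# AD, tolerating machines that are off or unreachable and reporting per-host
# results. Not part of the original post; no real domain is assumed.

function Clear-WorkstationDnsCache {
    param(
        [int]$ThrottleLimit = 32   # Invoke-Command's default parallelism
    )

    # Skip disabled computer objects: they are stale and never answer.
    $targets = Get-ADComputer -Filter { OperatingSystem -notlike "*server*" -and Enabled -eq $true } |
               Select-Object -ExpandProperty Name

    # -ErrorAction SilentlyContinue keeps the run going past unreachable hosts;
    # -ErrorVariable collects one error record per failed host for reporting.
    $results = Invoke-Command -ComputerName $targets -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
            if (Get-Command Clear-DnsClientCache -ErrorAction SilentlyContinue) {
                Clear-DnsClientCache                 # Windows 8 / Server 2012 and later
            }
            else {
                ipconfig /flushdns | Out-Null        # older clients
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Flushed = $true }
        }

    # Remoting transport errors carry the target computer name as TargetObject.
    $unreachable = foreach ($e in $failed) {
        [pscustomobject]@{ Computer = $e.TargetObject; Flushed = $false }
    }

    $results | Select-Object Computer, Flushed
    $unreachable
}

Clear-WorkstationDnsCache | Sort-Object Flushed, Computer | Format-Table -AutoSize
```

The list of hosts with Flushed = $false is the list to re-run against later, which is the part the original two-liner makes you reconstruct from the error stream by hand.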