Techblog

When I am working with an organization to improve overall network security I start off by looking through logs and in nearly every situation the majority of attacks come from outside of North America.  My next question is “What legitimate reason would someone outside of North America have to reach your network?”, and in many situations the answer is “none”.

For those of you who find yourself in this situation here is some helpful information.

Q1: What does RIR stand for?

A1: Regional Internet Registry

Q2: What does a RIR do?

A2: IANA distrubutes /8 IPv4 address blocks to the 5 RIRs and the RIRs distribute those address’ to organizations, like ISPs, within their region.

Q3: How does this information help me improve my security?

A3:  Using the IANA Ipv4 Address Space Registry we know which RIRs have which IP Blocks.  Since ARIN managed the US, Canada, and some of the Caribbean we can block entire regions that have no legitimate reason to access your network.

Q4: What do you mean “no legitimate reason to access your network”

A4: Well if your organization only deals with customers, clients, etc within North America and Europe then anyone outside of of North America and Europe who tries to access your web servers, email servers, etc is likely doing so for a nefarious reason.

Q5:  Wouldn’t blocking entire regions be dangerous or harmful?

A5:  This depends on your organizational needs, but in most cases the network connections made from regions outside of your organizational influence are done so to harm you.  Blocking these regions is the next logical step and you are already probably blocking large quantities of IPs from these regions anyway, after you responded to a threat.  Simply put the only risk is that you would prohibit legitimate traffic, and this is why you need to ask yourself “Why would someone in X region need to legitimately connect with my network?”

Q6: What’s the benefit from doing this?

A6: If your able to block all traffic outside of ARIN coverage then you should expect to see upwards of 99% reduction in attacks and information gathering.  Very few attacks come from North America and those that do are usually coming in the form of spam, and I credit much of this to the responsiveness from the FBI.  Most countries do not chase after cyber criminals with the same tenacity the US and Canada does and as a result more criminals choose to operate from outside of the ARIN coverage area.  Even in environments that have been actively improving security there is still a sizable reduction in threats detected.

Q7:  What about people who travel outside the country?

A7:  There are several solutions available to work around this problem, but the easiest, and usually most cost effective solution, is to buy a single server who’s sole purpose is for remote access.  This will not open up access for everyday users, but if your Senior Engineer is exploring Africa when a major network outage occurs and they have access to the internet then they can simply remote into the remote system and go from there.   I also should point out that a single cloud server capable of simple remote access via a CLI can be as cheep as 10USD/month.  If you only use the server for emergency international access you could reduce this cost even more.  Just imagine any solution in the same way you currently imagine how you work VPN access or any other security zone access.  You want to block as much as you can as a general rule and then restricted access from a single access point that is heavily managed and monitored.
NOTE:  For email access anyone currently using a mobile device that connects to email via a proxy will still work.  For example if your using a blackberry service or Iphone service then users will still have access to email on their mobile device regardless of where they connect from.  If your using an internal service then you will need to place a mobile mail server that has access.  This is basically a proxy server that allows email to be served from outside the normal RIR restrictions.

By default 2008 R2 has enabled EDNS, but EDNS is not compliant with all domains as of right now.  This causes DNS failures.

Fix

To disable EDns, you can do it from the command prompt, or by editing the registry.

From the command prompt, no restart of DNS is required.  If from the registry, make sure to restart the DNS Server service.

Command prompt: 

dnscmd /config /EnableEDNSProbes 0

No restart is needed.  It takes effect immediately.

or Registry: </>

Create a DWORD called EnableEDNSProbes and set to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters

Restart the DNS Server service for it to take effect.

Here is a link to the source of the fix:

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

Here is the windows kb article on the issue: http://support.microsoft.com/kb/832223

If you are currently using milter-greylist for sendmail then you may have errors in your maillog indicating errors. 

The first error you may see is a {daemon_port} error. 

The next error you may see is a socket unsafe error

The final error you may see is a error indicating that milter-greylist has stopped working.

All 3 of these can be occuring without any noticable issues for users.  In my mind if you can remove an error by updating the config then you should and all 3 of these errors are because the milter-greylist documentation has a weak/broken example for the M4 file.

THE FIX:

Update your M4 milter-greylist entry to:

INPUT_MAIL_FILTER(`milter-graylist’,`S=local:/var/run/milter-greylist/milter-greylist.sock, F=T,T=S:1m;R:2m;E:3m’)dnl
define(`confMILTER_MACROS_CONNECT’,confMILTER_MACROS_CONNECT`,{daemon_port}’)dnl
define(`confMILTER_MACROS_HELO’,confMILTER_MACROS_HELO`,{verify},{client_resolve}’)dnl                                 
define(`confMILTER_MACROS_ENVRCPT’,confMILTER_MACROS_ENVRCPT`,{client_resolve}’)dnl

Please note that this entry is for the default install location for Yum/Fedora.  If you are using another unix flavor, or installed milter-greylist to run from a different location, just update the file path.

ClamAV installation on fedora is not at all simple or straight forward.  ClamAV support and wiki do not properly document the process so here are the steps you need to complete.

packages to install:

clamav-server

clamav-update

clamav-milter

clamav-milter-sysvinit

Then you need to run the bash script found here:

http://github.com/csmart/naa/blob/master/configure-clamd.sh

In the event that link dies:

#!/bin/bash

# Copyright 2009 "Christopher Smart" <m...@christophersmart.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

#This script is for installing and configuring clam-server (clamd) on Fedora

#Variables
VERSION=0.1
COUNTDOWN_TIMEOUT=5
FEDORA_RELEASE="`cat /etc/fedora-release 2>/dev/null`"
FRESHCLAM_CONF="/etc/freshclam.conf"

#These variables are set later, once we know the user
CLAMD_USER=""
CLAMD_CONFIG=""
CLAMD_SYSCONFIG=""
CLAMD_INIT=""
CLAMD_LOGROTATE=""
CLAMD_PID=""
CLAMD_LOG=""

#These variables are set later, once we know clamav-server version
CLAMD_VERSION=""
CLAMD_CONFIG_TEMPLATE=""
CLAMD_SYSCONFIG_TEMPLATE=""
CLAMD_INIT_TEMPLATE=""
CLAMD_LOGROTATE_TEMPLATE=""

#Functions
countdown() {
	i=$1
	echo "If you do NOT want to proceed, hit CTRL+C within $i seconds..."
	while [ $i -gt 0 ]
	do
		sleep 1
		echo -ne "$i.. "
		let i=i-1
	done
}

#Make this more pretty by adding an extra blank line at the beginning
echo ""

#Print help, if requested
if [ "$1" == "help" -o "$1" == "-help" -o "$1" == "--help" -o "$1" == "-h" -o "$1" == "--h" ]
then
	echo "This script configures clamav-server (clamd) on Fedora."
	echo "Version $VERSION"
	echo ""
	echo "Usage:"
	echo " $0 [option] [username] [port]"
	echo ""
	echo "Options:"
	echo " -c creates an instance, overwriting if already exists."
	echo " -r removes an instance."
	echo ""
	echo "Parameters (optional):"
	echo " [username] pass in the username you want clamd to run as, defaults to 'clamav'."
	echo " [port] pass in the port you want clamd to run on, defaults to '3310'."
	echo ""
	echo "Create example:"
	echo " $0 -c me 3311"
	echo ""
	echo "Remove example:"
	echo " $0 -r me 3311"
	echo ""
	echo "Report bugs to m...@christophersmart.com"
	echo ""
	exit 0
fi

#Check that we're running Fedora
if [ -z "$FEDORA_RELEASE" ]
then
	echo "You don't appear to be running Fedora, sorry!"
	echo "Exiting."
	echo ""
	exit 1
fi

#We're running Fedora, so make sure we're root
if [ $EUID -ne 0 ]
then
	echo "You must run this as root. Prepend sudo, or run:"
	echo "su -c '$0 [option] [username] [port]'"
	echo ""
	echo "Exiting."
	echo ""
	exit 1
else
	echo "You appear to be running `echo $FEDORA_RELEASE`, excellent."
	echo ""
fi

#Set clamd user and port
if [ "$1" != "-c" -a "$1" != "-r" ]
then
	CLAMD_USER="clamav"
	CLAMD_PORT="3310"
else
	if [ -z "$2" ]
	then
		CLAMD_USER="clamav"
	else
		CLAMD_USER="$2"
	fi

	if [ -z "$3" ]
	then
		CLAMD_PORT="3310"
	else
		CLAMD_PORT="$3"
	fi
fi

#Variables for config files, now that we know the user
CLAMD_CONFIG="/etc/clamd.d/$CLAMD_USER.conf"
CLAMD_INIT="/etc/init.d/clamd.$CLAMD_USER"
CLAMD_LOGROTATE="/etc/logrotate.d/clamd-$CLAMD_USER"
CLAMD_PID="/var/run/clamd.$CLAMD_USER"
CLAMD_LOG="/var/log/clamd.$CLAMD_USER"
CLAMD_SYSCONFIG="/etc/sysconfig/clamd.$CLAMD_USER"
CLAMD_CHKCONFIG="/sbin/chkconfig clamd.$CLAMD_USER"

#Removing existing instance of clamd for specified user, if told to do so
if [ "$1" == "-r" ]
then
	echo "**WARNING** Removing clamd instance for user '$CLAMD_USER'."
	countdown $COUNTDOWN_TIMEOUT
	echo ""
	echo "OK then, proceeding.."
	echo ""

	#Check to see if there's a configuration for that user already
	if [ ! -e $CLAMD_CONFIG ]
	then
		echo "No clamd instance found for user '$CLAMD_USER'."
		echo "Exiting."
		echo ""
		exit 1
	fi	

	#Stop and disable daemon
	$CLAMD_INIT stop &>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Could not stop service, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT removed."
		echo "Exiting."
		echo ""
		exit 1
	fi

	#Turn off daemon
	$CLAMD_CHKCONFIG off &>/dev/null

	#Remove configs and logs, etc
	rm -f $CLAMD_CONFIG 2>/dev/null
	rm -f $CLAMD_INIT 2>/dev/null
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	rm -rf $CLAMD_PID 2>/dev/null
	rm -f $CLAMD_LOG 2>/dev/null
	rm -f $CLAMD_SYSCONFIG 2>/dev/null
	unlink /usr/sbin/clamd.$CLAMD_USER 2>/dev/null

	#Remove user?
	if [ -n "`id $CLAMD_USER 2>/dev/null`" ]
	then
		#User exists, so ask if it should be removed
		echo -e "**WARNING** DO YOU WANT TO REMOVE THE USER FROM THE SYSTEM? (y/N): \c "
		read answer
		echo ""
		if [ "$answer" == "y" -o "$answer" == "Y" ]
		then
			#Remove user and confirm success
			echo "OK, removing user '$CLAMD_USER' from the system."
			userdel -r $CLAMD_USER 2>/dev/null
			if [ $? -eq 0 -o $? -eq 12 ]
			then
				echo "User removed successfully."
				echo ""
			else
				echo "**WARNING** Could not remove clamd user from the system. Perform manually."
				echo ""
			fi
		else
			echo "OK, user will NOT be removed."
			echo ""
		fi
	else
		echo "User does not exist in the system, not removing."
		echo ""
	fi
	echo "Instance of clamd for user '$CLAMD_USER' has been successfully removed."
	echo ""
	exit 0
fi

#Creating
echo "Configuring clamd to run as user '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
countdown $COUNTDOWN_TIMEOUT
echo ""
echo "OK then, proceeding.."
echo ""

#Checking to see if required packages are installed or not
echo "Checking for required packages.."
if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
then
	echo "Required packages already installed."
	echo ""
else

	#Install required packages
	echo "Installing required clamav packages.."
	echo ""
	yum -yq install clamav clamav-server clamav-update
	echo ""

	#Check that the install was successful (or already installed)
	if [ -n "`rpm -qa |grep clamav`" -a "`rpm -qa |grep clamav-update`" -a "`rpm -qa |grep clamav-server`" ]
	then
		echo "Packages successfully installed."
		echo ""
	else
		echo "Problem installing required packages, sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	fi
fi

#Get version of clamd, now that it's installed
CLAMD_VERSION="`rpm -qa |grep clamav-server |awk -F "-" {'print $3'} 2>/dev/null`"

#Variables for template files now that we know the version of clamav-server installed
CLAMD_CONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.conf"
CLAMD_SYSCONFIG_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.sysconfig"
CLAMD_INIT_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.init"
CLAMD_LOGROTATE_TEMPLATE="/usr/share/doc/clamav-server-$CLAMD_VERSION/clamd.logrotate"

#Create clamav user if doesn't exist
#This should be the user who wants to talk to clamd, else user clamav must have read (and possibly write) access on the files.
echo "Checking for clamav user, '$CLAMD_USER'.."

if [ -z "`id $CLAMD_USER 2>/dev/null`" ]
then
	useradd $CLAMD_USER -r -c "User for clamd" -d /dev/null -M -s /sbin/nologin 2>/dev/null
	if [ $? -ne 0 ]
	then
		echo "Unable to create new clamd user, '$CLAMD_USER', sorry."
		echo ""
		echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
		echo "Exiting."
		echo ""
		exit 1
	else
		echo "Created new user."
		echo ""
	fi
else
	echo "User already exists, not creating."
	echo ""
fi

#Copy and configure clamd configuration file
echo "Configuring clamd to do all the right things.."

#Check that ALL required template files exist before continuing
if [ ! -e "$CLAMD_CONFIG_TEMPLATE" -o  ! -e "$CLAMD_SYSCONFIG_TEMPLATE" -o ! -e "$CLAMD_INIT_TEMPLATE" -o ! -e "$CLAMD_LOGROTATE_TEMPLATE" ]
then
	echo "Could not find required template files under /usr/share/doc/clamav-server-$CLAMD_VERSION/, sorry."
	echo ""
	echo "Instance of clamd for user '$CLAMD_USER' NOT created successfully."
	echo "Exiting."
	echo ""
	exit 1
fi

#Check to see if an instance of clamd for user already exists
if [ -e $CLAMD_CONFIG ]
then
	echo "Instance of clamd already exists, clobbering.."
	#Stop existing daemon to enable new one
	/etc/init.d/clamd.$CLAMD_USER stop &>/dev/null
	#Remove existing config because 'cp' is aliased with -i and we don't want a prompt
	rm -f $CLAMD_CONFIG 2>/dev/null
fi

#Check to see if the port is already in use, if so, increment by one until we find something that's free
PORT_INUSE=0
while [ -n "`netstat -ltn |grep ":$CLAMD_PORT"`" ]
do
	CLAMD_PORT=$(($CLAMD_PORT+1))

	PORT_INUSE=1
done
if [ $PORT_INUSE == 1 ]
then
	echo "Port was already in use, using '$CLAMD_PORT' instead."
fi

#Make sure directory exists, which it should if clamav-server is installed (but you never know)
mkdir -p /etc/clamd.d 2>/dev/null

#Copy over the template file
cp -f $CLAMD_CONFIG_TEMPLATE $CLAMD_CONFIG 2>/dev/null
sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_CONFIG
sed -i 's/^Example/#Example/' $CLAMD_CONFIG
sed -i 's/^#LogFile/LogFile/' $CLAMD_CONFIG
sed -i 's/^#PidFile/PidFile/' $CLAMD_CONFIG
sed -i 's/^LocalSocket/#LocalSocket/' $CLAMD_CONFIG
sed -i 's/^#TCPSocket\ 3310/TCPSocket\ '$CLAMD_PORT'/' $CLAMD_CONFIG
sed -i 's/^#TCPAddr/TCPAddr/' $CLAMD_CONFIG
sed -i 's/<USER>/'$CLAMD_USER'/' $CLAMD_CONFIG
echo "Done."
echo ""

#Copy and configure clamd for log rotation
if [ -d /etc/logrotate.d ]
then
	echo "Configuring log rotation for clamd.."

	#Try to remove existing log rotate config, whether it exists or not because 'cp' is aliased with -i
	rm -f $CLAMD_LOGROTATE 2>/dev/null
	cp -f $CLAMD_LOGROTATE_TEMPLATE $CLAMD_LOGROTATE
	sed -i 's/clamd.<SERVICE>/clamd.'$CLAMD_USER'/' $CLAMD_LOGROTATE
fi
echo "Done."
echo ""

#Configuring clamd under sysconfig
echo "Configuring clamd under syconfig.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_SYSCONFIG 2>/dev/null

#Copy over the template file
cp -f $CLAMD_SYSCONFIG_TEMPLATE $CLAMD_SYSCONFIG 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_SYSCONFIG
sed -i 's/^#CLAMD/'CLAMD'/' $CLAMD_SYSCONFIG
echo "Done."
echo ""

#Configuring clamd init script
echo "Configuring clamd init script.."

#Try to remove existing config, whether it exists or not because 'cp' is aliased with -i
rm -f $CLAMD_INIT 2>/dev/null

#Copy over the init script
cp -f $CLAMD_INIT_TEMPLATE $CLAMD_INIT 2>/dev/null
sed -i 's/<SERVICE>/'$CLAMD_USER'/' $CLAMD_INIT
ln -s /usr/sbin/clamd /usr/sbin/clamd.$CLAMD_USER 2>/dev/null
$CLAMD_CHKCONFIG on
#Check that was successful
if [ $? -ne 0 ]
then
	echo "Could not turn service on, sorry."
	echo "Exiting."
	echo ""
	exit 1
fi
echo "Done."
echo ""

#Configure freshclam
echo "Enabling freshclam, the clamav updater.."
sed -i 's/^Example/#Example/' $FRESHCLAM_CONF

#Should we set the proxy too, if in env?
echo "Done."
echo ""

echo "Creating required directories and starting service.."
#Setup logs
touch $CLAMD_LOG
chown $CLAMD_USER:$CLAMD_USER $CLAMD_LOG
chmod 0620 $CLAMD_LOG

#Setup run socket
mkdir $CLAMD_PID 2>/dev/null
chown $CLAMD_USER:$CLAMD_USER $CLAMD_PID/

#Start services
/etc/init.d/clamd.$CLAMD_USER start &>/dev/null
if [ $? -ne 0 ]
then
	echo "Could not start service, sorry."
	echo "Continuing."
	echo ""
fi
echo "Done."
echo ""

#Print summary
echo "The clamd service has been successfully installed and configured with:"
echo "User '$CLAMD_USER' on port '$CLAMD_PORT'."
echo ""
echo 'Have fun!'
echo ""

Now open clamav-milter.conf (/etc/mail/clamav-milter.conf)

comment out:

#Example

Add/Change:

MilterSocket /var/run/clamav-milter/clamav-milter.socket

ClamdSocket unix:/var/run/clamd.clamav/clamd.sock
ClamdSocket tcp:localhost

Now open clamd.conf (/etc/clamd.conf)

comment out:

#User <USER>

Add/Change:

LocalSocket /var/run/clamd.clamav/clamd.sock

Your services are named

THIS INSTALL = OTHER DISTROS

clamd.clamav = clamd

clamav-milter = clamav-milter

In Sendmail you need to edit the m4 file:

add/change:

INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T, T=S:4m;R:4m')dnl
define(`ConfINPUT_MAIL_FILTERS', `clamav-milter')dnl

At this point you will need to restart all 3 services (clamd.clamav, clamav-milter, sendmail)

Keep in mind that this process will enable clamav, but by default clamav doesn't do anything.  You will still need to configure clamav, but this process is just like any other distro.

If you have a Cisco ASA and are having problems recieving a DHCP address there are a couple things you should know.

1) Prior to ASA version 7.2.2 (22) there is no way to assign a “client-id”.

2) client-id is a requirement for many ISPs to recieve a DHCP address.

Solution:

1) Need ASA IOS 7.2.(2).22 or higher

2) DO NOT USE ‘Cisco<MAC>-interfaxce_name-<host>’ as the client-id

3) perform the command:

Interface vlanX

dhcp client route distance 1

ip address  dhcp setroute

dhcp-client client-id interface outside

with vlanX being the correct vlan for your outside interface.

Normally I do not link to other articles, but today I came accross this article and thought it was a critical piece of information for so many organizations planning for VMWare Clustering.

http://virtualfuture.info/2010/02/vsphere-cluster-max-4-esx-hosts-per-location-because-of-ha-limitations/

Here is a copy of the information incase the link dies.

vSphere cluster: max 4 ESX hosts per “location” because of HA limitations?
posted by Matthijs Haverink February 3, 2010Not a lot of info is found when you Google for manually selecting/fixing the primary HA nodes in a VMware VI or vSphere environment. Of course Duncan Epping has a couple of extremely interesting posts on Yellow-Bricks.com concerning HA even when it comes down to selecting or promoting the HA status of ESX nodes (a must read!), but I want more …

Let’s start with what I assume to know about HA:

- HA works with primary and secondary HA nodes
- The primary nodes are aware of the states and configs of all nodes in an HA cluster
- The secondary nodes depend on the primary nodes
- There is an supported limit of 5 primary HA nodes per cluster
- The first 5 ESX hosts that are added in a HA cluster are initially defined as primary HA nodes
- All the other hosts that are added to the HA cluster are configured as secondary HA nodes
- There’s a way to configure a HA node as primary or secondary, however it’s not possible to configure an ESX host as a “fixed” primary HA node:

/opt/vmware/aam/bin/Cli
AAM> promotenode (Configure host as a primary HA node)

/opt/vmware/aam/bin/Cli
AAM> demotenode (Configure host as a secondary HA node)

- One primary HA node is the Active Primary HA node; this node coordinates the restarts of the VM’s that went down with “crashed” host.
- When the Active Primary HA node goes down, another primary is (s)elected as Active Primary HA node” and takes over the coordinating role.
- A new primary is chosen when another primary is disconnected from the cluster in one of these situations:

(Re)configuring HA on a host
Disconnecting a host from the cluster (manually or by failure)
Removing a host from the cluster
In case of a HA failure
Putting a host into maintenance mode
Especially when you read the last bullet we can establish that HA roles are really dynamic in a VI/vSphere environment. This means that you have no control over the physical location of the primary and secondary roles.

And this is what my post is about:

This situation freaks me out because when you have a larger environment with a couple of possible failure domains as I’d like to call them (represented by any physically separated group of hosts within an HA cluster like different blade chassis or different server rooms) you want to have control over the placement of these HA roles.

And as I stated earlier Duncan Epping has some interesting articles like the HA deep dive and the Primary and Secondary nodes, pick one! which describe how to select a role for a host but this selection is not static; whenever a primary host is disconnected (Maintenance mode, Reconfigure HA and so on) there is a reelection and you lose control over the role placement.

So what if all 5 primaries HA nodes are on the same “possible failure domain” (say blade chassis) and that goes down? Well you just lost all your HA nodes that know what to do in case of a host-failure, so HA won’t work!

We’ll have to nuance the drama a bit: if 5 hosts of a “10 ESX host cluster” go down, you have a major issue anyway, if HA works or not, because you lost half of your capacity.

But you do have to realize that if HA is configured correctly, the 5 remaining hosts have some resources available, you have your primaries separated over the 2 locations and you have defined the start-up rules for the most important VM’s, these important VM’s will be booted up.

If you have the same situation as above but with all 5 primary HA nodes down because they were physically grouped, HA won’t work and none of the crashed VM’s will be booted up automatically!

During VMworld 2009 Marc Sevigny from VMware explained that they were looking into an option which would enable you to pick your primary hosts.This would solve the problem but until then the only solution is to keep your clusters limited to a total of 8 ESX hosts , 4 ESX hosts per “possible failure domain”.

I’m curious if I’m the only one running into this challenge; please let me know!

P.S. Special kudo’s go to Remon Lam from vminfo.nl who discovered this “feature” and reviewed the article .

10 years ago wireless technology was popping up everywhere.  Most of those technologies were found extremely unsecure and were updated or replaced and much of the credit goes to organizations like Wireless Ethernet Compatibility Alliance (WECA).  They gave us the 1st Wired Equivalent Privacy (WEP) solution.  It wasn’t very long before reports came out that WEP wasn’t very secure at all and many new technologies have emerged to prevent the largest problem, Stream Cipher Attacks.

First we need to discuss the 2 primary wireless security methods.  WEP spawned WEP2, WEP+, and Dynamic-WEP.  There other method is Wi-Fi Protected Access (WPA) which spawned WPA2.  All of these are based on the cryptograph RC4.

NOTE: RC4 is also used for SSL

Out of all of these the only two that should be used today is WPA2 and Dynamic-WEP, and here is why.

With the previous versions the “master” key is static and as a result a person could use a wireless packet sniffer to retrieve the information being sent to any user on a pre-dynamic key system.  Everything you sent out or requested from the wireless connection will be viewable as clear as day and all it requires is a wireless NIC card and a packet sniffer.  Much like the way that a brute force attack occurs the ‘hacker’ will scan the air traffic and then the packet sniffer will pattern match the bits.  This eventually yields the ‘master’ key which can then be used to reverse the encryption and will give the hacker everything sent/received.  Anyone can do this and if you’re not using WPA2 or Dynamic-WEP then you’re subjecting your users to tech theft of the highest degree.  Their email, passwords, usernames, and if they are truly being malicious they can use public security programs, like a Cisco VPN client, to access the network as you. 

This is also very important to remember as many people live exclusively on a wireless connection in hotels, remote work locations, and at home.  Everyday people find that their personal information has been stolen and billions are lost every year from cyber threats that often will originate from issues like this.  Sadly most hotels do not use dynamic encryption models and home equipment is rarely equipped or configured to use the more secure methods.  Standard WEP only needs a “password” and most people believe this to be secure.  

NOTE: Most network and IT service providers are unaware of the differences in WEP and WPA versions and technologies.  This is one of the primary ways hackers target SMB and because of SMB business practices this is an area that they are particularly vulnerable.  If you are currently using a “shared-key” I recommend that you change to a dynamic-key solution as quickly as possible.  For most SMB I recommend a WPA2-Radius configuration because users are able to login with their domain credentials and it is infinately more secure than any shared-key solution.  This solution is also easily available from most wireless connection devices.  You will also need to install and configure an additional component for AD/LDAP, but overall the setup is quick and easy.

Websites like bankofamerica and pandora use Flash Application Data to remmeber the system. This is why even after you clear your cookies bankofamerica will no longer ask for a computer to be approved by you as a trusted private system. It is also the same way that Pandora knows that this system has exceeded the 40 hour useage limit in a month.

Most of the time application data is good to keep around and can be used by web developers for a multitude of purposes, but every so often a problem occurs that can easily be fixed by simply removing the application data. A good example was a clientless VPN that used flash instead of java application data. The flash application data was unable to access the resources properly because of the way the application data saved information prior to a updated and was incompatible with the updated version. Clearing the flash app data fixed the issue right away.

Using the following locations you can locate and delete any websites application data for flash. You can also use these folders to recreate user’s history, but that is a totally seperate topic. Simply find the website you are having trouble with and delete the folder that matches the website. You can also just delete the entire folder and it will auto-recreate. Do remember that when you delete this data you often times will delete the personal settings you had for the website.

WINDOWS XP:
C:\Documents and Settings\USERNAME\Application Data\Macromedia\Flash Player\#SharedObjects

AND

C:\Documents and Settings\USERNAME\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

VISTA:
C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\#SharedObjects

AND

C:\Users\USERNAME\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

Mac OS X:
Library > Preferences > Macromedia > Flash Player > #SharedObjects

Strict replication is a registry control introduced by Microsoft to stop ‘lingering objects’.  More specifically this is a way to block replication for older DNS objects. 

HOW:

  KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

  Registry Entry: Strict Replication Consistency

  Value: 1 (enabled), 0 (disabled)

  Type: REG_DWORD

NOTE: This needs to be done to all DNS servers in the forest.

WHAT:

By doing this you will stop replication to anything that that exceeds the TSL, tomb stone life.  By default the TSL is set for 180 days in windows 2003, but can be changed.

WHY:

In older environments it is common to find objects exceeding the TSL to be replicated in DNS.  If a network is properly managed than cleaning up of DNS should be part of the process to add, remove, modify.  This is not always true and old DNS entries can create problems with performance or even be responsible for some types of outages where a resource is unavailable.  Setting strict replication will prevent replication of older objects while you clean up DNS.

NOTE:  laptops that are joined to the network  but never connect to the network, such as remote workers, are at high risk of not being replicated and if you expect a device to be out of the network for more than your TSL you may want to not run strict replication all the time.  Just enable it during maintenances to ensure proper cleanup of DNS.

Nearly everytime I ask someone to run pathping I feel like it is the 1st time they have ever ran the command.

You can find more about the command:
http://technet.microsoft.com/en-us/library/cc958876.aspx

Pathping is a tracert that runs a ping command at every node. This isn’t a command that does anything new, but it does save a process step when troubleshooting problems. Especially problems where partial packet loss is the issue and not total packet loss.

A good thing to note is that windows has not added support for pathping on ipv6.