Office Communications Server (OCS) 2007 (R2) and Linux Client

2009-07-30 by Administrator, tagged as linux, software

It is always amazing what the community out there is creating while I am asleep. I just wondered if there is a way to natively connect a Linux machine to an OCS 2007 (R2) Installation. And well yes, there is.

SIPE is a protocol extension for the Pidgin Instant Messenger and on my standard Ubuntu 9.04 system I just followed the instructions on the SIPE website (installing the required packages and a simple configure, make, make install process) and off I was. A new protocol Microsoft LCS/OCS is available.

So far I tested this connecting through a NATed network to the OCS R2 Edge Servers (not internally). OK, there is no Audio or Video (A/V) support and there are still problems with ACLs and presence information but in general instant messaging and presence works.
And it’s nice to be able to change the user agent manually. So if your client version gets banned you simply change it to the latest Microsoft Office Communicator (MOC) string and you should be fine again.

Ah yes, there is a Windows Version, too.

Great work! Keep it up.

(Advanced) Using Nmap Results With Nessus Batch Scanning

2009-07-22 by Administrator, tagged as software

I’m referring to an article I read on the Nessus blog: Using Nmap Results With Nessus Batch Scanning. Since they don’t seem to offer comments I decided to write this short article.

First of all it is important to have read this info: Nmap from within Nessus

Combining the information of these two articles I’d like to add that you should also use the -v option when running nmap. This is because otherwise the file containing the grepable results will not contain a comment line starting with “Ports scanned: ” following the information about all scanned ports. The nmap.nasl script contains a part where it says:

if (egrep(string: res, pattern: '^# +Ports scanned:+TCP\\(65535;')) 
     full_scan = 1;
else
     full_scan = 0;

So as you can see, “nmap.nasl” uses this for some extra info.

The next point is that you usually use such a construct in batch mode (yeah, I not only read the title but wrote it). I for one care this for them… uh, never mind, wanted to say that you usually start such a scan with the command line nessus client. It got slightly updated and lots of stuff is now found in “.nessus” files. They are “XML” and may contain the targets.

But I for one do not wanna have this information inside a “.nessus” file but inside a plain text file I can also feed to Nmap (-iL option). Since the “nmap.nasl” script checks if the current target is found in the grepable results file you have to supply the target info to Nessus. This is done with the command line option --target-file.

This is somewhat redundant info and it would be nice if you could also feed the grepable results file as an input file to Nessus but on the other hand, what is this option “Do not scan targets not found in the file” for?

To make a long story short I suggest at least these command line options for Nmap and Nessus:

nmap -v -sV -O -P0
nessus --dot-nessus <file.nessus> --target-file <file>
          --policy-name <name>
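To see what the two options above buy you, here is an added example (mine, not from the Nessus blog or nmap.nasl) that reads a grepable Nmap results file and a plain-text target list: it reproduces the full_scan test quoted above (the “# Ports scanned:” comment only exists when nmap ran with -v) and reports which --target-file entries nmap.nasl would actually find in the results. The sample output and target list are constructed.

```python
import re

# Constructed sample of nmap grepable (-oG) output, as produced with -v.
# Without -v the "# Ports scanned:" comment line is absent.
SAMPLE_GNMAP = """\
# Nmap 4.76 scan initiated Wed Jul 22 10:00:00 2009 as: nmap -v -sV -O -P0 -p- -oG scan.gnmap -iL targets.txt
# Ports scanned: TCP(65535;1-65535) UDP(0;) PROTOCOLS(0;)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1/, 80/open/tcp//http//Apache httpd 2.2.9/\tIgnored State: closed (65533)
Host: 192.168.1.11 ()\tStatus: Down
# Nmap done at Wed Jul 22 10:05:00 2009 -- 2 IP addresses (1 host up) scanned in 300.12 seconds
"""

# Constructed target list in the plain-text form that both nmap -iL and
# nessus --target-file accept (one address per line).
SAMPLE_TARGETS = "192.168.1.10\n192.168.1.11\n192.168.1.12\n"

PORTS_SCANNED_RE = re.compile(r"^# +Ports scanned: +TCP\((\d+);")
HOST_RE = re.compile(r"^Host: +(\S+) ")


def full_scan_flag(gnmap_text):
    """1 if the grepable file declares a full 65535-port TCP scan, else 0.
    Mirrors the full_scan test in nmap.nasl: a file written without -v has
    no comment line, so the scan is never treated as complete."""
    for line in gnmap_text.splitlines():
        m = PORTS_SCANNED_RE.match(line)
        if m:
            return 1 if int(m.group(1)) == 65535 else 0
    return 0


def hosts_in_results(gnmap_text):
    """Addresses present in the grepable output, i.e. the ones nmap.nasl
    can match a Nessus target against."""
    return {m.group(1) for line in gnmap_text.splitlines()
            if (m := HOST_RE.match(line))}


def check_targets(target_text, gnmap_text):
    """Split a --target-file list into targets found in the results and
    targets missing from them (the ones skipped when 'Do not scan targets
    not found in the file' is enabled)."""
    found = hosts_in_results(gnmap_text)
    targets = [t.strip() for t in target_text.splitlines() if t.strip()]
    present = [t for t in targets if t in found]
    missing = [t for t in targets if t not in found]
    return present, missing
```

Run it against your own scan.gnmap and target file before starting the Nessus batch to spot targets that never made it into the Nmap results.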

Remote KVM VMs, bridged Networking, and RH Virtual Machine Manager

2009-07-10 by Administrator, tagged as linux, software

Remember the good ole times when there was only one single virtualization solution to choose from? Well, today there is VMWare ESX, Microsoft Hyper-V, Citrix XenServer, Sun xVM/VirtualBox, and lots of others with different approaches. And the craziest part is they’re giving it all away for free (or parts of it). It’s almost impossible to check all of them out.
I decided to follow the Red Hat way and check out KVM because to me it seems to be the only really free solution (maybe Xen) that takes the hypervisor approach and allows virtualization w/o the need to make changes to the guest OS.

One thing first: Using KVM still requires a lot of commandline tasks, especially when used in a client/server scenario. Not everything can be configured inside the available GUIs. But hey, there is SSH and you may connect to the remote machine this way anytime. Still, the client GUI is used to do the standard tasks: create, start, stop, monitor virtual machines, networks, and storage locations.
In fact, this article is about the commandline part.

So here is my setup:

I use SSH as a protocol between the Virtual Machine Manager and the remote host mainly because it’s the easiest way to get a quick solution running.

Besides the current limitations of the Virtual Machine Manager (crashes every once in a while) and libvirt (currently not able to pass -std-vga or -vga option to KVM although a patch is available) one main problem I had was to configure bridged networking so that guests could use the host interface w/o NAT. The workaround I use is as follows:

  1. Create a VM with a supported network type inside Virtual Machine Manager
  2. Connect to the host via SSH and navigate to /etc/libvirt/qemu/machinename.xml
  3. Look for the <interface> section. I change it to look as this:
    <interface type='bridge'>
    <source bridge='br0'/>
    </interface>

This requires you to have a bridge interface up and running on the host. Mine is called “br0” as you can see. Setting up bridge interfaces differs between the distributions. A good place to start is libvirt’s Wiki: Networking, the Qemu Wiki, and the KVM FAQ about guest networking.

Last thing is to restart libvirtd (Debian system):

/etc/init.d/libvirt-bin reload

Ah right, there is this directory /etc/libvirt/qemu/networks. I tried to create a network here that then would probably be usable inside Virtual Machine Manager but I couldn’t get this to work w/o too much code manipulation. Problem is that the interface type in the machine.xml file would be “network” and not “bridge”. Furthermore, a manipulated network.xml file does not show up inside VM Manager. Whenever you manipulate libvirt’s XML files by hand you may end up with your devices, VMs, or networks not showing up inside VMM anymore.

And if you’re having problems getting a host only network to run I suggest you check out the mcast option. Instead of an interface like the one above you use this:

<interface type='mcast'>
  <source address='230.0.0.1' port='12345'/>
</interface>

If you need separated “host-only” networks simply change the multicast IP or the port. But you probably only made a mistake with the IP address anyway (Darn! But it might be helpful one day).
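Since editing the <interface> section by hand is what breaks things, here is an added example (my own, not part of libvirt or VMM) that does the edit from step 3 and the mcast variant above with a real XML parser, keeps the existing <mac> and <model> elements, and refuses a non-multicast address for the mcast case, the mistake the paragraph above mentions. The domain XML below is a constructed minimal stand-in for /etc/libvirt/qemu/machinename.xml.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal libvirt domain definition of the kind Virtual Machine
# Manager writes after creating a VM with the default NATed 'network' type.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>testvm</name>
  <devices>
    <interface type='network'>
      <mac address='52:54:00:12:34:56'/>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def mcast_address_ok(address):
    """True only for a real multicast address (224.0.0.0/4); a unicast
    address here is the usual reason a host-only mcast network stays down."""
    return ipaddress.ip_address(address).is_multicast


def rewrite_interfaces(domain_xml, iface_type, **source_attrs):
    """Return the domain XML with every <interface> switched to iface_type:
    'bridge' with bridge='br0', or 'mcast' with address=... and port=....
    Only the type attribute and the <source> element change."""
    if iface_type == 'mcast' and not mcast_address_ok(source_attrs['address']):
        raise ValueError('mcast source must be a multicast address')
    root = ET.fromstring(domain_xml)
    for iface in root.iter('interface'):
        iface.set('type', iface_type)
        src = iface.find('source')
        if src is None:
            src = ET.SubElement(iface, 'source')
        src.attrib.clear()
        for key, value in source_attrs.items():
            src.set(key, str(value))
    return ET.tostring(root, encoding='unicode')


def interface_summary(domain_xml):
    """[(type, source attributes)] per interface, a quick check of the
    result before reloading libvirtd."""
    root = ET.fromstring(domain_xml)
    return [(i.get('type'), dict(i.find('source').attrib))
            for i in root.iter('interface')]
```

Write the returned string back over the machine XML and reload libvirtd as described above; a typo in the type attribute or a missing closing tag is caught by the parser instead of by VMM silently dropping the VM.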

So here is a list of tasks I currently still do on the commandline:

  • Create bridge interfaces (obviously)
  • Create differential / immutable disks
  • Copy/clone VM settings
  • hmmm…. I’ll think of some more

Create Certificates in a Windows Environment

2009-07-09 by Administrator, tagged as microsoft

A quick reminder for a certreq.inf file

[NewRequest]
Subject = "CN=name"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE

[RequestAttributes]
CertificateTemplate = "Template Name"

Type

certreq.exe -new

and supply the above file in the open file dialog. Then, specify a file to save the request in. Take the request (base-64 – cut’n'paste will do) to a CA and submit it. Take the response certificate back to the machine (base-64 again) and type

certreq.exe -accept "response.cer"

You will then find a certificate in the machine store (MachineKeySet = TRUE). Of course, template and usage must match.

UPDATE: Just found an article that relates to this one.

Password Security

2009-02-17 by Administrator, tagged as fun

This is just too crazy. Right now I am sitting in a hotel room of a hotel chain which offers WLAN services itself (a software called “HotSpotCenter” from Dr. Eckhardt + Partner GmbH) and through Swisscom.

Both solutions are far too expensive and I usually do not depend on such things since I have a UMTS flatrate. But for some reason I do not get a connection in my hotel room and so I looked for unsecured wireless networks and of course I found one right away with the hotel name as SSID. Connecting to it and opening a web browser I was presented with a welcome page asking me to present my credentials.

Hotel WLAN Login

I then figured they have some kind of MAC authentication and wanted to sniff wireless traffic a little bit and see if I could capture a MAC address of an allowed client. So I started MS Netmon and shortly after I had a MAC address to try out. But then my wireless network driver would not let me change my MAC address and with no Internet access I was chasing my own tail.

Wireless Driver Settings

“What the heck let’s try some passwords” I thought and my first try was the hotel name as user and password. Doing so I found myself confronted with the administrative interface of the HotSpot Software.

Hotel WLAN Admin

Playing around a little bit, I finally printed myself a nice little voucher and now I am writing this post.

Hotel WLAN Voucher

Now this is password security the way I like it.

Tweaking the Nokia N800

2009-02-16 by Administrator, tagged as hardware

I’ve been using the Nokia N800 for quite some time now and never found the time to enable Dual-Boot. The reason one might want to dual boot the device is that you can copy the OS to another SD(HC) card that may be faster in terms of I/O than the internal flash memory.

So I looked for a fast SDHC card and finally chose a SanDisk Extreme III with 8GB. According to Alternate read and write speed is 20 MB/s so it’s far more than the Class 6 standard (6 MB/s) requires.

I then used this How-To from Schmot’s blog to configure dual-boot. Nice walk-through and I had no problems at all. Afterwards the N800 greets you with a new welcome menu:

n800

Now, the big question is if this is really worth the work? Subjectively spoken I’d say yes, it is faster than before. Objectively I can’t tell. I use mYtube to watch YouTube videos and I hope it at least profits from the fast SD disk it now uses as buffer storage.

Ah yes, the reason for this post is a personal shortcut:

fsck -fy /dev/mmcblk0p2

This command is needed whenever there is a problem with the MMC booted OS and has to be launched from the internal flash OS, of course. Hopefully my super trouper SD card will manage any filesystem problems itself.

Cool commandline moves

2009-02-06 by Administrator, tagged as microsoft, programming

FOR /L %f IN (1,1,254) DO ping -w 500 -n 1 192.168.1.%f | findstr /I reply >> %TEMP%\ping_results.txt

SMB/CIFS Download Manager

2009-01-28 by Administrator, tagged as microsoft, software

With this article we’re going back to the origins of the “Perimeterless Network”. If you (like us) are living the idea of the “Perimeterless Network” you sure can access your SMB / CIFS shares from anywhere in the world. For security reasons connections are protected with IPSec, right?

Now, for testing purposes I had to download a large DVD image from a remote file server and since I am accessing the Internet by WLAN and IPSec slows down the connection, too, I thought of using a download manager. The best choice would be a handy command line tool like wget. I did remember a tool called smbget I had used before which actually is part of the Samba Suite. But the only Windows binary I could find was at http://paully.com/smbget/ and on that page it says:

“For me it was very useful to transfer big files with size about 1 gigabyte over the our intranet through Samba from Germany to Belarus and from Belarus to Germany. If remote file is not available the application will try to download it until the job is done ”

OK, Belarus is not really what I’d call a democratic country so I was a little anxious about downloading a pre-compiled binary from such a source. Furthermore, I don’t know if Windows binaries are always larger than BeOS, BSD, and Linux ones but in this case the difference was huge. Anyway, if the source is not available anymore I am hosting the Windows Zip here.

Internet Explorer 8 (IE8) RC1 Inline Search

2009-01-28 by Administrator, tagged as microsoft, software

Some might remember my post quite some time ago about what is still missing in Internet Explorer. Major criticism was the antiquated search box. What can I say, finally someone chastened the IE developers and they integrated an inline search that will fit most needs. Good job!

It took me a while to remember this new feature since I still had the IE Inline Search plug-in activated. But once I deactivated it I got enlightened.

IE8 Inline Search

So, who still needs Firefox and for what reason? Only speaking for Windows systems, of course. And leave me alone with Google Chrome, Apple Safari, and Opera.

Ubuntu 8.10 Intrepid Ibex on IBM Thinkpad R30: Screen Resolution Problem (1024x768)

2008-12-21 by Administrator, tagged as linux

I just got my old IBM Thinkpad R30 back and I thought installing Ubuntu on it could be useful. So I downloaded the Desktop Edition Live-Install-CD thing and booted into the live system.
Disappointedly I discovered that the latest Ubuntu seems to have problems configuring the right resolution. The system would only let me choose 800×600 as a maximum but the display is capable of 1024×768. So I started searching the web and found descriptions of a bug. Still, all this seemed a little overdosed to me and searching around a little more I found another thread where a guy describes the problem of Xorg detecting the right display refresh rates.
So I figured out that I wouldn’t need all this xorg.conf stuff except the refresh rates and changed my original xorg.conf to look like this:

Section "Device"
	Identifier	"Configured Video Device"
EndSection

Section "Monitor"
	Identifier	"Configured Monitor"
	Option		"DPMS"
	HorizSync	28-49
	VertRefresh	43-72
EndSection

Section "Screen"
	Identifier	"Default Screen"
	Monitor		"Configured Monitor"
	Device		"Configured Video Device"
EndSection

The only lines I added are the HorizSync and VertRefresh lines in the Monitor section (bold in the original post). And after I restarted X with [CTRL][ALT][DEL] I got the wanted resolution. Btw it is a Trident graphics chip but /var/log/Xorg.0.log showed that it is detected just fine.