

Welcome to the BrainDumps Wiki

Configurations/Tweaks worth knowing


Everything worth remembering in sysadmin

BrainDumps

EVERYTHING WLAN

A. Troubleshooting pfSense for Guest WLAN

1. Check the routing table for a valid route from the guest VLAN/subnet (192.168.32.0/24) to the controller.

#netstat -rn

If there is no valid route, add one for the guest VLAN (a route added from the shell does not survive a reboot; the persistent equivalent is System > Routing > Static Routes in the GUI):

#route add -net <network> <gateway>

#route add -net 192.168.32.0/24 192.168.1.121

- 192.168.32.0/24 - network to be routed

- 192.168.1.121 - next hop or Gateway

2. Check for valid NAT translations for the VLAN 32 subnet

#pfctl -t tonatsubnets -T show

If the table has no entry for the network (VLAN 32), add it. This edits the live pf table only; it is regenerated when the ruleset reloads, so the persistent fix is an Outbound NAT mapping under Firewall > NAT > Outbound:

#pfctl -t tonatsubnets -T add <network>

#pfctl -t tonatsubnets -T add 192.168.32.0/24

3. Blocking an attacker IP/subnet with null routes

On pfSense/router add null routes:

 route add -net 2.20.188.0/24 127.0.0.1 -blackhole

 route add -net 2.20.189.0/24 127.0.0.1 -blackhole

 route add -net 80.150.193.0/24 127.0.0.1 -blackhole

-blackhole discards matching packets silently (no ICMP is sent). If you want the sender to receive an ICMP "Destination Host Unreachable" instead, use -reject in place of -blackhole.

To make them permanent, add them to /etc/rc.local (FreeBSD runs it at boot). Note that a null route only stops traffic sent towards the prefix, so replies to the attacker are dropped but their inbound packets still reach the firewall; on pfSense the supported, persistent way to block a source is a WAN firewall rule with an alias holding the prefixes.

4. Blocking websites with pfSense

- pfBlocker (package, now pfBlockerNG)

- Using DNS - If the built-in DNS Forwarder or DNS Resolver is in use, a host override can resolve the site to an unusable address such as 0.0.0.0 or 127.0.0.1. This only works for clients that use the firewall for DNS, so block outbound DNS (port 53) from the LAN to anything but the firewall or clients will bypass it with another resolver.

- Firewall Rules - If a website rarely changes IP addresses, access to it can be blocked with firewall rules (put its addresses in an alias).

- SquidGuard (with the Squid proxy package)
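Both the null routes in section 3 and the DNS override in section 4 are easy to fat-finger into route(8) or the Resolver's custom options box. The script below is an added example (not from this wiki, pfSense or FreeBSD) that validates each prefix or domain first and only then emits the route command or the Unbound override lines. The sample input uses the three prefixes listed above plus one deliberately malformed line; the file format, the 0.0.0.0 sink address and the APPLY switch are my own assumptions.

```shell
#!/bin/sh
# Added example for the "null routes" and "blocking websites" notes; not
# pfSense code. Validates every entry before it reaches route(8) or Unbound.
# Set APPLY=1 to execute the route commands on the firewall (needs root);
# by default they are only printed, so the script is safe to run anywhere.

# cidr_ok NETWORK/PREFIX: succeeds only for four octets 0-255 and prefix 0-32
cidr_ok() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net=${1%%/*}
    pfx=${1#*/}
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$net" in
        *.*.*.*.*) return 1 ;;          # more than four fields
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$net
    for i in 1 2 3 4; do
        oct=${rest%%.*}
        rest=${rest#*.}
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# null_route_cmd NETWORK/PREFIX [blackhole|reject]: prints the route(8) line.
# -blackhole drops silently; -reject answers with ICMP unreachable.
null_route_cmd() {
    cidr_ok "$1" || { printf 'invalid CIDR: %s\n' "$1" >&2; return 1; }
    mode=${2:-blackhole}
    case "$mode" in
        blackhole|reject) ;;
        *) printf 'mode must be blackhole or reject, not %s\n' "$mode" >&2; return 1 ;;
    esac
    printf 'route add -net %s 127.0.0.1 -%s\n' "$1" "$mode"
}

# unbound_block_zone DOMAIN: prints DNS Resolver custom options that answer
# DOMAIN and every name below it with 0.0.0.0 (sink address is my choice).
unbound_block_zone() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*)
            printf 'invalid domain: %s\n' "$1" >&2; return 1 ;;
    esac
    printf 'local-zone: "%s" redirect\nlocal-data: "%s A 0.0.0.0"\n' "$1" "$1"
}

# apply_null_routes FILE [blackhole|reject]: one prefix per line; blank lines
# and # comments are ignored. Bad lines are counted, never executed.
# Returns the number of rejected lines.
apply_null_routes() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if cmd=$(null_route_cmd "$line" "${2:-blackhole}"); then
            if [ "${APPLY:-0}" = 1 ]; then $cmd; else printf '%s\n' "$cmd"; fi
        else
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

demo() {
    # Constructed sample input: the three prefixes from the notes above plus
    # a malformed line that must be rejected.
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2.20.188.0/24
2.20.189.0/24
80.150.193.0/24
999.1.1.0/24     # invalid octet, must not reach route(8)
EOF
    apply_null_routes "$tmp" reject || printf 'rejected lines: %d\n' "$?"
    rm -f "$tmp"
    unbound_block_zone example.com
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh blocklist.sh demo` to see the generated commands, or source it and call `APPLY=1 apply_null_routes /path/to/list` on the firewall. Keeping APPLY off by default means a typo in the list shows up as a printed error rather than a half-applied set of routes.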

5. Tool to design WiFi infrastructure before deploying

Xirrus WIFI design tool

http://www.xirrus.com/resources/free-tools/#WFD

B. Mac OS X Yosemite problem

Looks to be the authentication chain delays again, just like in early Mavericks. Head into Keychain Access, go to Certificates, then open each certificate in the chain and set Extensible Authentication (EAP) to "Always Trust".

1. Double-click your hard drive, go to Applications, expand Utilities and double-click Keychain Access.

2. Select the System Roots keychain from the list on the upper left side of the Keychain Access window.

3. Scroll down to UTN-USERFirst-Hardware and double-click it.

4. Scroll down to Trust Settings, expand it and change the Extensible Authentication (EAP) field to Always Trust.

5. Authenticate with your machine's user name and password and click OK to save the change to the certificate. Grant this only to the root that actually issues your RADIUS server's certificate: "Always Trust" for EAP on a root lets any server with a certificate from that CA pass, so for more than a handful of machines a configuration profile that lists the trusted server certificate and server names is the cleaner fix.

C. BASIC AND TRANSMIT RATES - DISABLE 802.11B ON WIRELESS SERVICES

1. To stop 802.11b service on your network you need to disable the lower data rates so that clients cannot associate at 802.11b rates:

a. Transmit rates to disable: 1, 2, 5.5, 6, 9, 11 Mbps

b. Transmit rates to leave enabled: 12, 18, 24, 36, 48, 54 Mbps

c. Basic rates to disable: 1, 2, 5.5, 6, 9, 11 Mbps

d. Basic rates to leave enabled: 12, 18 Mbps

Some legacy clients may fail to connect with this setting, so test the configuration with a range of client devices before applying it widely.

OpenVPN Configurations

OpenVPN Server Settings

General information

1. Server Mode: Remote Access (SSL/TLS) or Peer-to-Peer (SSL/TLS)

2. Protocol: UDP

3. Local Port: 1194

4. Device Mode: Tunnel Mode

5. Interface: WAN Interface (Virtual WAN Interface)

Cryptographic Settings

6. TLS Authentication: enable TLS authentication and generate the TLS key. The same key must be configured on every client, otherwise the handshake never completes.

7. Peer Certificate Authority: Choose the applicable certificate authority

8. Server Certificate: Choose the applicable Server Certificate

9. Diffie-Hellman (DH) parameter length: 2048 bits

10. Encryption algorithm: AES-128-CBC (128-bit). Current OpenVPN and pfSense releases default to AES-256-GCM, which also authenticates the data channel; prefer it unless a peer is too old to support it.

11. No Hardware Crypto Acceleration

12. Certificate Depth - One (Client + Server)

Tunnel Settings

13. IPv4 Tunnel Network: This is the IPv4 virtual network used for private communications between this server and client hosts

Choose any private network in CIDR notation

ex. 10.50.50.0/24

14. IPv4 Local Network/s: the IPv4 networks that will be accessible from the remote endpoint.

Ex. 192.168.50.1/22 (pfSense expects the network address here; this host address lies in 192.168.48.0/22)

15. Compression: compress tunnel packets using the LZO algorithm. Better left off: compressing plaintext together with attacker-influenced data leaks content through packet length (VORACLE), and OpenVPN 2.4 and later warn against enabling it.

16. Inter-client communication: Allow communication between clients connected to this server.

Client Settings

17. Dynamic IP: Allow connected clients to retain their connections if their IP address changes.

18. Address Pool: Provide a virtual adapter IP address to clients (see Tunnel Network)

Advanced configuration

19. Add Routes (custom options), for example:

verb 3;
route 192.168.0.0 255.255.224.0;    (route to the internal Munich network)
route 172.16.11.0 255.255.255.0;    (route to the internal telephone network)

Options in this box are separated by semicolons; the text in parentheses is a comment and not part of the configuration. A route line here adds the network to the server's own routing table via the tunnel; to hand a route to connecting clients use push "route ..." instead.

OpenVPN Client Settings

General information

1. Server Mode: Peer to Peer (SSL/TLS)

2. Protocol: UDP

3. Device Mode: Tunnel Mode

4. Interface: WAN Interface (Virtual WAN Interface)

5. Local Port: No Local Port

5b. Server Port: 1195

6. Server Host or Address: 91.240.217.254

7. No Proxy authentication settings

Cryptographic Settings

8. TLS Authentication: no TLS authentication. This must match the server it connects to: if that server has TLS authentication enabled, the client needs the same TLS key or the handshake never completes.

9. Peer Certificate Authority: Choose the applicable certificate authority

10. Client Certificate: choose the applicable client certificate (issued by the CA selected above)

11. Encryption algorithm: BF-CBC (128-bit). Blowfish has a 64-bit block and is deprecated in OpenVPN (SWEET32); use the same modern cipher as the server, e.g. AES-256-GCM. The cipher must match the server's unless both ends negotiate one (OpenVPN 2.4 and later).

12. No Hardware Crypto Acceleration

Tunnel Settings

13. IPv4 Tunnel Network: None

14. IPv4 Remote Network/s: None

15. Compression: Compress tunnel packets using the LZO algorithm.

16. Type-of-Service: none

Advanced configuration

None
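Comparing the two configurations above: the client has no TLS authentication and uses BF-CBC, the server enables TLS authentication and AES-128-CBC, and both enable LZO compression. The script below is an added example, not pfSense or OpenVPN code. It lints an exported OpenVPN config file for exactly those weaknesses (64-bit-block ciphers, compression, a missing tls-auth/tls-crypt, a client without remote-cert-tls, a server that does not require client certificates, weak HMAC or TLS minimum) and checks that a server/client pair agrees on the settings that must match. The two sample configs in the demo are constructed from the settings listed above; the file names and the exact set of directives checked are my own assumptions.

```shell
#!/bin/sh
# Added example, not OpenVPN or pfSense code: lint an OpenVPN config for the
# weak settings discussed above and check that a server/client pair agrees
# on what must match. Usage: ./ovpn-lint.sh FILE... or ./ovpn-lint.sh demo.
# Exit status is non-zero when anything was flagged.

findings=0
report() { findings=$((findings + 1)); printf '%s: %s\n' "$1" "$2"; }

# opt FILE NAME: prints the value of the first NAME directive (comments stripped)
opt() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v n="$2" '$1 == n { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }'
}

# has FILE NAME: succeeds if directive NAME appears at all
has() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v n="$2" '$1 == n { f = 1; exit } END { exit !f }'
}

# lint FILE: report weak settings; returns the number of findings in FILE
lint() {
    f=$1
    before=$findings
    cipher=$(opt "$f" cipher)
    case "$cipher" in
        ''|BF-CBC|DES*|RC2*|CAST5*)
            report "$f" "cipher '${cipher:-<unset>}' is a 64-bit-block cipher or the old BF-CBC default (SWEET32); use AES-256-GCM" ;;
    esac
    if has "$f" comp-lzo && [ "$(opt "$f" comp-lzo)" != no ]; then
        report "$f" "comp-lzo enabled: compression leaks plaintext through length (VORACLE)"
    fi
    if [ -n "$(opt "$f" compress)" ]; then
        report "$f" "compress $(opt "$f" compress) enabled: same VORACLE exposure"
    fi
    if ! has "$f" tls-auth && ! has "$f" tls-crypt && ! has "$f" tls-crypt-v2; then
        report "$f" "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    fi
    case "$(opt "$f" tls-version-min)" in
        1.0|1.1) report "$f" "tls-version-min below 1.2" ;;
    esac
    case "$(opt "$f" auth)" in
        none|MD5|md5) report "$f" "HMAC auth '$(opt "$f" auth)' is disabled or weak" ;;
    esac
    # role-specific checks: a client must pin the server role, a server must
    # insist on client certificates
    is_client=0
    if has "$f" client || has "$f" remote; then is_client=1; fi
    if has "$f" server || [ "$(opt "$f" mode)" = server ]; then is_client=0; fi
    if [ "$is_client" = 1 ]; then
        [ "$(opt "$f" remote-cert-tls)" = server ] ||
            report "$f" "client lacks 'remote-cert-tls server': any certificate from the CA could impersonate the server"
    elif has "$f" client-cert-not-required || [ "$(opt "$f" verify-client-cert)" = none ]; then
        report "$f" "server does not require client certificates"
    fi
    return $((findings - before))
}

# pair_check SERVER CLIENT: settings that must agree on both ends
pair_check() {
    s=$1; c=$2
    s_tls=0; c_tls=0
    if has "$s" tls-auth || has "$s" tls-crypt; then s_tls=1; fi
    if has "$c" tls-auth || has "$c" tls-crypt; then c_tls=1; fi
    [ "$s_tls" = "$c_tls" ] ||
        report "$c" "tls-auth/tls-crypt configured on one side only; the handshake will never complete"
    sc=$(opt "$s" cipher); cc=$(opt "$c" cipher)
    if [ "$sc" != "$cc" ] && ! has "$s" data-ciphers && ! has "$s" ncp-ciphers; then
        report "$c" "cipher '$cc' differs from server '$sc' and the server sets no data-ciphers list; only works if both ends negotiate (OpenVPN 2.4+)"
    fi
}

demo() {
    d=$(mktemp -d)
    # Constructed from the server and client settings listed above.
    cat > "$d/server.conf" <<'EOF'
mode server
tls-server
proto udp
port 1194
dev tun
server 10.50.50.0 255.255.255.0
tls-auth ta.key 0
cipher AES-128-CBC
auth SHA1
comp-lzo yes
EOF
    cat > "$d/client.conf" <<'EOF'
client
proto udp
dev tun
remote 91.240.217.254 1195
cipher BF-CBC
comp-lzo yes
EOF
    lint "$d/server.conf" || true
    lint "$d/client.conf" || true
    pair_check "$d/server.conf" "$d/client.conf"
    rm -rf "$d"
    printf 'total findings: %d\n' "$findings"
    [ "$findings" -eq 0 ]
}

case "${1:-}" in
    demo) demo ;;
    '') ;;                       # sourced: define functions only
    *) for cfg in "$@"; do lint "$cfg" || true; done; [ "$findings" -eq 0 ] ;;
esac
```

Run `sh ovpn-lint.sh demo` to see every finding for the pair above, or point it at the files exported from pfSense's client export package before handing them out. The check is intentionally text-based: it reads the same directives OpenVPN reads, so a finding maps directly to the line to change.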

Monitoring Tools

1. New Relic

2. Pingdom

3. Gomez

4. Kamino

Dashboards

1. Klipfolio

2. Insights

Networking Best Practices

1. Put all servers in a separate VLAN (subnet) so that access to them can be controlled by firewall rules and they are kept apart from the client network.

Technologies

1. Google Chromebox - for video conferencing

2. OpenVPN - VPN client

3. TrueCrypt - file/share/folder encryption (development ended in 2014 and the project itself advised migrating; VeraCrypt is its maintained successor)

4. MIISCLIENT - Synchronization Service Manager (miisclient.exe) - for AD sync (DirSync)

5. XAMPP - for Apache, PHP and MySQL

Everything Servers

1. File Server

a. To set quota limits on shares use File Server Resource Manager (FSRM)

b. To manage sessions and provision storage and shares use Share and Storage Management

Everything Scripting

1. Scripts to load network drives or shares at logon

2. PowerShell commands to manage Exchange and AD

Connect to the MSOL service:

$LiveCred = Get-Credential -Credential admin@westwing.onmicrosoft.com
Connect-MsolService -Credential $LiveCred

Connect to Exchange Online PowerShell:

$LiveCred = Get-Credential -Credential admin@westwing.onmicrosoft.com
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

Both are the legacy methods: Basic authentication against ps.outlook.com has been retired and the MSOnline module is deprecated. The current equivalents are Connect-ExchangeOnline (ExchangeOnlineManagement module) and Connect-MgGraph (Microsoft Graph PowerShell), both of which use modern authentication.

--------------

Grant full access to another mailbox:

Add-MailboxPermission -Identity admin@westwing.de -User fabian.ernst@westwing.de -AccessRights FullAccess

Remove-MailboxPermission -Identity customer.support@westwing.de -User grazia.coccaro@westwing.de -AccessRights FullAccess   # -AccessRights is required

Send-as permission:

Add-RecipientPermission -Identity admin@westwing.de -AccessRights SendAs -Trustee tobias.griesbauer@westwing.de

Remove-RecipientPermission -Identity customer.support@westwing.de -AccessRights SendAs -Trustee grazia.coccaro@westwing.de

------------------

--->>> In AD, set the e-mail address and display name on the universal security group if they are not set yet!

Room mailbox:

New-Mailbox -Name "Test Raum" -Alias "TestRaum" -Room
Add-MailboxPermission "testraum" -User "username" -AccessRights FullAccess
Set-CalendarProcessing "elcmeet1" -AutomateProcessing AutoAccept -AllowConflicts $false   # enables auto-accept for a single resource
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox | Set-CalendarProcessing -AutomateProcessing AutoAccept -AllowConflicts $false -ProcessExternalMeetingMessages $false   # sets the attributes on ALL room mailboxes!

Room mailboxes are selected with -RecipientTypeDetails RoomMailbox; -RecipientType is not a Get-Mailbox parameter.

Room list:

New-DistributionGroup -Name "HQ MUC" -RoomList

-> add members to the room list:

Add-DistributionGroupMember -Identity "MUC" -Member MUCMeet1

Shared mailbox:

New-Mailbox -Name "Test Raum" -Alias "TestRaum" -Shared
Add-MailboxPermission "testraum" -User "test raum" -AccessRights FullAccess
Add-RecipientPermission "testraum" -AccessRights SendAs -Trustee "test raum"   # SendAs is not an Add-MailboxPermission right; it is granted with Add-RecipientPermission

Calendar resource: create a shared mailbox and then grant calendar permissions (the folder name is localized: Kalender on a German mailbox, Calendar on an English one):

Add-MailboxFolderPermission -Identity LNOTeamVacation@westwing.onmicrosoft.com:\Kalender -User tobias.griesbauer@westwing.de -AccessRights Owner

To change existing permissions use Set-MailboxFolderPermission instead of Add-.

------------------------- Set the size to 5 GB (if requested by MS):

Set-Mailbox "Test Raum" -ProhibitSendReceiveQuota 5GB -ProhibitSendQuota 4.75GB -IssueWarningQuota 4.5GB

-------------------------

User rights to see appointment details:

Set-MailboxFolderPermission -Identity "TestRaum:\Calendar" -User Default -AccessRights Reviewer

Author permission for the Default user on meeting rooms:

Set-MailboxFolderPermission MUCMeet14@westwing.onmicrosoft.com:\calendar -User Default -AccessRights Author

__________________________

B O O K I N P O L I C Y __________________________

-BookInPolicy only takes effect when -AllBookInPolicy is $false (it defaults to $true, which lets everyone book the room):

Set-CalendarProcessing -Identity mucmeet15@westwing.onmicrosoft.com -AutomateProcessing AutoAccept -AllBookInPolicy $false -BookInPolicy "financeteam@westwing.de","room96bookin@westwing.de"

__________________________ A R C H I V E __________________________

1. Buy and assign the add-on license.
2. Enable-Mailbox -Identity user@domain.com -Archive
3. Assign a retention policy in Office 365 -> assign the policy to folders if needed.

(4. Start-ManagedFolderAssistant -Identity Service   || in case the archive has not appeared in Outlook Web Access after 30 minutes)

Only needed where there is a legal obligation to preserve evidence:

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration 3650

Manually start the Office 365 sync:

-> open miisclient

-> open DirSyncConfigShell and type

Start-OnlineCoexistenceSync

and confirm.

The result of the sync can then be followed in miisclient.
