Wednesday, January 12, 2011

Cisco PIX - What does this line do?

I found this line among many other ACL lines in my PIX. It looks different than the rest of them. It's at the end of the rest of the ACL lines, including being after access-list acl-out deny ip any any.

access-list 110 permit ip 165.138.236.0 255.255.255.0 165.139.2.0 255.255.255.0

What does it do, and what are each of the parts? The rest of my ACL lines end with something like any eq 1234.

Thanks in advance!

  • It's allowing all IP traffic from the 165.138.236.0/24 subnet to the 165.139.2.0/24 subnet. It's probably being used as a match list on a VPN tunnel or to prevent NAT on tunneled traffic.

    The number, 110, is just an arbitrary number to identify the access list. "Permit" indicates that it will permit the traffic (as opposed to deny). "IP" indicates to match the IP protocol (as opposed to a protocol number, or TCP, UDP, ICMP, etc). The 165.138.236.0 and 255.255.255.0 identify the source network. The 165.139.2.0 and 255.255.255.0 identify the destination network.

    For more in-depth info, have a look at: http://www.networkclue.com/routing/Cisco/access-lists/index.aspx

    eleven81 : A stellar answer. Thank you!
  • It allows IP traffic in general from 165.138.236.0/24 to 165.139.2.0/24.

    The eq 1234 in the other rules specifies ports, but there are no ports in IP. To match a port, you have to specify TCP or UDP in the rule.

    From MikeyB
  • That ACL is to allow all the traffic from one subnet to the other one on the same line.

  • You should look at the rest of the config to see if there is a rule such as VPN or NAT referencing ACL 110

    doing a:

    sh run | i 110
    

    will give you all the lines that have 110 - I realize there is the possibility of fluff from IP addresses etc., but it shouldn't be too much.

    From Zypher
  • http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/about.html

    From XTZ
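As an added worked example (not code from any of the answers above), the following Python script parses PIX-style access-list lines into the parts the first answer names (list id, action, protocol, source network and mask, destination network and mask, optional port) and then evaluates a flow against a list the way the firewall does: top-down, first match wins, implicit deny at the end. It also enforces the second answer's point that an `eq` port match is only valid for tcp or udp. The ACL lines it parses are constructed around the line from the question; it only handles the numeric `eq` port form seen here (not PIX port names or ranges) plus the `any` and `host` keywords.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: parser and first-match evaluator for PIX-style ACL lines.
# It covers the forms seen in this question and is not a full PIX ACL parser.


@dataclass
class AclEntry:
    acl_id: str                     # list name or number, e.g. "110" or "acl-out"
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp", "icmp" or a protocol number
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


def _endpoint(tokens: List[str], pos: int):
    """Parse one address spec at tokens[pos]; return (network, next_pos).
    PIX uses a real subnet mask (255.255.255.0), not an IOS wildcard mask."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    if pos + 1 >= len(tokens):
        raise ValueError(f"address spec {tok!r} is missing its mask or host")
    if tok == "host":
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[pos + 1]}", strict=False), pos + 2


def parse_pix_acl(line: str) -> AclEntry:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    acl_id, action, protocol = tokens[1], tokens[2].lower(), tokens[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, pos = _endpoint(tokens, 4)
    dst, pos = _endpoint(tokens, pos)
    port = None
    if pos < len(tokens):
        if tokens[pos] != "eq" or pos + 1 >= len(tokens):
            raise ValueError(f"unsupported trailer {' '.join(tokens[pos:])!r}")
        if protocol not in ("tcp", "udp"):
            # "there are no ports in IP": a port match needs tcp or udp
            raise ValueError(f"'eq' port match is not valid for protocol {protocol!r}")
        port = int(tokens[pos + 1])
    return AclEntry(acl_id, action, protocol, src, dst, port)


def load_acls(lines: List[str]) -> Dict[str, List[AclEntry]]:
    """Group entries by ACL id, preserving order (order matters: first match wins)."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        entry = parse_pix_acl(line)
        acls.setdefault(entry.acl_id, []).append(entry)
    return acls


def evaluate(entries: List[AclEntry], protocol: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Return "permit" or "deny" for a flow as the PIX would: the first matching
    line decides, and an unmatched flow hits the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


# Constructed sample config built around the line from the question.
SAMPLE_CONFIG = [
    "access-list acl-out permit tcp any host 165.139.2.10 eq 1234",
    "access-list acl-out deny ip any any",
    "access-list 110 permit ip 165.138.236.0 255.255.255.0 165.139.2.0 255.255.255.0",
]

if __name__ == "__main__":
    acls = load_acls(SAMPLE_CONFIG)
    for acl_id, entries in acls.items():
        for e in entries:
            print(acl_id, e.action, e.protocol, e.src, "->", e.dst, e.dst_port or "")
    print(evaluate(acls["110"], "udp", "165.138.236.7", "165.139.2.3"))     # permit
    print(evaluate(acls["acl-out"], "tcp", "8.8.8.8", "165.139.2.10", 80))  # deny
```

Feeding it the output of `sh run | i access-list` shows at a glance which list a line belongs to and what a given flow would hit; the separate `110` list in the question only ever matters where something else (a crypto map or a nat statement) references it.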

List of GPO's

How do I get a list of GPO's applied against a machine in a Win2k8 environment remotely?

I would prefer a PowerShell solution, but anything will help.

  • GPRESULT

    http://technet.microsoft.com/en-us/library/cc733160(WS.10).aspx

    Works against remote computers.

    In Windows 2003 we had to type GPRESULT only on the command line in order to view the applied Group Policies; however, in Windows Server 2008 we need to type the /R switch after gpresult.

    From Rob Bergin
  • GPResult as Rob mentioned is an excellent way of doing this. You can however also get at this information via the WMI RSP classes. Check out http://msdn.microsoft.com/en-us/library/aa375082(VS.85).aspx for further information, as this may allow you to do this in PowerShell against all of your machines in the environment.

  • There are 3rd party tools that supposedly do it in PowerShell here: http://www.sdmsoftware.com/freeware

    Particularly: Out-SDMRSOPLoggingReport: Creates an XML or HTML Group Policy Results report

    From TheCleaner
  • The Group Policy Management Console can also do this in a GUI manner, and has nice features such as letting you see exactly which policy each setting is coming from.

    From mh

How to retrieve the IP Address Assigned to the machine by ISP

Hello Friends

My question is regarding the IP address assigned to a machine. Whenever we go to any site which reveals our IP address, they display a number which is assigned to the machine through which we are accessing the Internet. I want to know how it is possible to retrieve the IP address from the local machine, using which commands, if any, rather than going to the sites to know the IP address assigned to the machine by the ISP. The local machine has an IP address of 192.168.1.2 and has a DSL router provided by the ISP which connects to the Internet, with Win XP SP2.

Looking for favorable replies.

Thanks

  • Log in to your DSL router and look at the status page. If you want to log this information, build a script that simply downloads the status page.

    You could also write a script with curl/wget that simply gets the page (http://checkip.dyndns.com/) on occasion.

    David Pashley : This obviously depends on the DSL router being configured to allow customers to gain access to them. Many consumer grade ISPs tend to ship routers with no user-visible interface.
    From Zoredache
  • You're just looking for the IP assigned to your NIC? Execute:

    IPCONFIG
    

    from a command prompt.

    Edit: Re-re-re-reading your question again, it looks like you're asking for the IP address assigned to the Internet-side interface of your router. That's not stored on the local machine. You're going to have to write something to get it from the router itself, or rely on a third-party site to get you that.

    Sam Cogan : This will only work if they are directly connected to the internet, I believe he is looking to get the external IP when connected to a NAT router
    grawity : Also, what if user has many NICs? What if a NIC has more than one IP?
    Evan Anderson : You're downvoting me for at least trying to parse his poor English? Yeesh! I guess I should ask for clarification in a comment rather than in an answer first, eh? Yeah-- if he has multiple NICs he's going to see multiple IP addresses. Far be it from me to assume that the poster has some degree of competence and would be able to figure that out.
    Sam Cogan : I agree that the question is poorly phrased, and your answer could be a valid response, I don't feel it deserves a downvote.
  • You could download WGet, then run the following command:

    wget -q -O - http://whatismyip.com/automation/n09230945.asp
    

    You will need to run this either from the WGet directory, or add it to your system's Path.

    Kevin Kuphal : I think this is the best option to do it programmatically. It is unclear from the question whether the information can come from an online source or must only come from information stored on the local machine.
    From Sam Cogan
  • I like http://www.ipchicken.com/ .

    It doesn't provide the additional information that Kevin's site does, but I find the name sticks in people's heads and is easy to remember.

    From Peter
  • If your DSL router has SNMP, you can usually fetch via snmpget the IP address that is assigned to the external interface of your DSL router. Most (but not all) DSL router manufacturers have SNMP, and they support MIB-II.

    example:

    [root@myhost ~]# snmpwalk -v1 -c ***** 10.1.10.1 ipAdEntAddr
    IP-MIB::ipAdEntAddr.75.146.91.10 = IpAddress: 75.146.91.10
    

    In this case, I am querying the "inside" IP with SNMP and I get the following IP as my external IP, where ***** is my SNMP community string or password. ipAdEntAddr is the SNMP OID string I queried to get the answer.

    From netlinxman
  • You can download this: http://curl.haxx.se/latest.cgi?curl=win32-nossl

    Extract it, then go to a command prompt and type "curl http://whatismyip.com/automation/n09230945.asp"

    (same idea roughly as above by Sam)

    From TheCleaner
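As an added example (not from netlinxman's answer, whose snmpwalk output it builds on), the Python below takes the text of an `ipAdEntAddr` walk of the router and picks out the ISP-facing address: it keeps only the addresses that are globally routable, so loopback, RFC 1918 ranges and the 100.64.0.0/10 carrier-grade NAT range are skipped. The walk text is constructed; on a real router you would pipe in `snmpwalk -v1 -c <community> <router> ipAdEntAddr`, and where the router supports it, SNMPv3 with authentication and privacy is preferable to a v1 community string, which crosses the LAN in clear text.

```python
import ipaddress
import re
import sys
from typing import List, Optional

# Added example: find the WAN address in an IP-MIB ipAdEntAddr walk.
# snmpwalk prints one "IP-MIB::ipAdEntAddr.<addr> = IpAddress: <addr>" line
# per interface address on the router.
ENTRY_RE = re.compile(
    r"^IP-MIB::ipAdEntAddr\.(\d{1,3}(?:\.\d{1,3}){3})\s*=\s*"
    r"IpAddress:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample output of:
#   snmpwalk -v1 -c <community> 10.1.10.1 ipAdEntAddr
SAMPLE_WALK = """\
IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
IP-MIB::ipAdEntAddr.10.1.10.1 = IpAddress: 10.1.10.1
IP-MIB::ipAdEntAddr.75.146.91.10 = IpAddress: 75.146.91.10
"""


def parse_walk(text: str) -> List[ipaddress.IPv4Address]:
    """Extract every address the router reports; lines that don't match are ignored."""
    addrs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            addrs.append(ipaddress.IPv4Address(m.group(2)))
    return addrs


def external_ip(text: str) -> Optional[str]:
    """Return the first globally routable address in the walk, or None.

    is_global is False for loopback, RFC 1918 space and 100.64.0.0/10. If the
    router only holds a carrier-grade NAT address, the Internet sees a different
    address than the router does, and None is the honest answer: a web service
    such as checkip.dyndns.com is then the only way to learn it."""
    for addr in parse_walk(text):
        if addr.is_global:
            return str(addr)
    return None


if __name__ == "__main__":
    # Read a real walk from stdin when piped, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WALK
    print("addresses:", [str(a) for a in parse_walk(text)])
    print("external:", external_ip(text))
```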

Securing SSH tunnels

We have an application that uses SSH to connect to a server: the application's network traffic (database, some custom TCP protocols, etc.) is tunneled through an SSH connection.

We use a key pair and an unprivileged account on the server, but the users still can use their key to login to the server, or do whatever port redirection they want.

Is there a way to configure the SSH server to allow only some tunnels (restricted on the tunnels' end address and port), and disable shell access? (We use OpenSSH.)

[edit]

I came across this article, it seems like removing shell access is not enough. Changed title and description accordingly.

  • Setting the user's shell to /bin/false may do what you're looking for.

  • I believe you could set the ForceCommand directive to /bin/false to prevent shell access.

    From mhud
  • In your authorized_keys file you can specify which command will be run when they login. You could simply set that command to run something that will just wait around for a long time. The sshd man page has a list of all the options you can use in your authorized_keys file.

    permitopen="tsserver.example.org:3389",no-pty,no-agent-forwarding,no-X11-forwarding,command="/usr/local/stm_shell.sh" ssh-rsa AAAAB3....
    

    My stm_shell.sh is this (it also enforces a 12 hour timeout). I am not 100% sure if this is completely secure.

    #!/bin/bash
    
    # send a hang-up after this process exits
    # (huponexit only takes effect for interactive login shells, so it is a no-op in a forced command)
    shopt -s huponexit
    # maximum session length in hours
    CONNECT_TIME=12
    # sleep takes seconds, so convert the hours to seconds
    sleep $((CONNECT_TIME*3600))
    # terminate the parent sshd session process, which closes the connection and its forwarded ports
    kill $PPID
    
    Dan Carley : Not so keen on the additional shell script, but the first part is the right answer.
    Zoredache : I should probably post as a separate question, but are there other ways to limit the total connect time?
    Dan Carley : Not that I'm aware of, using OpenSSH alone. The only timeouts relate to automatic keepalives. Bash has such a variable, but that's no use, because the shell should of course be /bin/false or equivalent.
    Luper Rouch : permitopen is what I was looking for, thanks. What exactly is the advantage of your script over /bin/false when used in combination with permitopen? (besides limiting session duration)
    From Zoredache
  • Maybe the "ChrootDirectory" keyword in the sshd_config (man sshd_config) might give a little more extra security.
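
As an added example (not OpenSSH code, nor from Zoredache's answer, though it is built around the authorized_keys entry shown there), the Python below parses the options prefix of an authorized_keys line, including quoted values that contain commas or spaces, and reports what a key that is meant to carry only specific tunnels still permits: no `command=` means the account's login shell is reachable, no `permitopen` means `-L` forwarding to any host and port is allowed, and missing `no-pty`, `no-agent-forwarding` or `no-X11-forwarding` leave those features open. The `restrict` option it recognises is newer than this thread (OpenSSH 7.2 and later) and switches all of those off at once. The sample entries are constructed, with key material elided.

```python
from typing import Dict, List, Tuple, Union

# Added example: audit authorized_keys entries for a tunnel-only account.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Flags a forwarding-only key should carry unless "restrict" (OpenSSH >= 7.2) is used.
HARDENING_FLAGS = ("no-pty", "no-agent-forwarding", "no-x11-forwarding")

OptionMap = Dict[str, Union[bool, str, List[str]]]


def split_options(line: str) -> Tuple[str, str]:
    """Return (options_text, key_text). The options end at the first whitespace
    that is not inside double quotes, so command="a b" stays intact."""
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2                      # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()


def parse_options(text: str) -> OptionMap:
    """Split comma-separated options; flags map to True, name=value to the value
    (quotes removed). permitopen may repeat, so it is collected as a list."""
    items, cur, in_quote, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and i + 1 < len(text):
            cur += text[i + 1]
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            items.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if cur:
        items.append(cur)
    opts: OptionMap = {}
    for item in items:
        name, sep, value = item.partition("=")
        name = name.strip().lower()     # compared case-insensitively here
        if name == "permitopen":
            opts.setdefault("permitopen", []).append(value)
        else:
            opts[name] = value if sep else True
    return opts


def audit_entry(line: str) -> Tuple[OptionMap, List[str]]:
    """Return the parsed options and the findings for a key that is supposed to
    carry only specific port forwards and no shell."""
    line = line.strip()
    first = line.split(None, 1)[0] if line else ""
    # An entry that starts with the key type has no options prefix at all.
    opts = {} if first.startswith(KEY_TYPE_PREFIXES) else parse_options(split_options(line)[0])
    findings = []
    if "command" not in opts:
        findings.append("no command=: the key still grants the account's login shell")
    if "permitopen" not in opts and "no-port-forwarding" not in opts:
        findings.append("no permitopen: -L forwarding to any host:port is allowed")
    if "restrict" not in opts:
        for flag in HARDENING_FLAGS:
            if flag not in opts:
                findings.append(f"{flag} missing")
    return opts, findings


# Constructed entries; the first mirrors the entry in the answer above.
TUNNEL_ONLY = ('permitopen="tsserver.example.org:3389",no-pty,no-agent-forwarding,'
               'no-X11-forwarding,command="/usr/local/stm_shell.sh" ssh-rsa AAAAB3... app-user')
BARE_KEY = "ssh-rsa AAAAB3... app-user"
PARTIAL = ('command="/bin/false",permitopen="db.example.org:5432",'
           'no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3... app-user')

if __name__ == "__main__":
    for label, entry in (("tunnel-only", TUNNEL_ONLY), ("bare", BARE_KEY), ("partial", PARTIAL)):
        opts, findings = audit_entry(entry)
        print(label, "->", findings or ["ok"])
```

Pointing `audit_entry` at every line of a real authorized_keys file gives a quick inventory of which keys still carry shell or unrestricted forwarding rights; pairing the per-key options with `ForceCommand` and `PermitOpen` in a `Match User` block of sshd_config means the restriction no longer depends on each key line being written correctly.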

How do you do production IIS website deploys?

So, not sure if this is a Stack Overflow or a Server Fault question. If I have a .NET website that I want to deploy to the production environment, what's the best way to do so? Should I package it as an MSI and install? Use NAnt to push the needed files up? Just FTP the files up using Beyond Compare?

How do you deploy production code? This is a Windows specific case that I'm looking at here.

  • IIS supports xcopy deployment so just copying the files should be all you need unless you have special requirements.

    One way to do it is a simple script that uses ROBOCOPY to copy the new files to the server.

    If the site is large and this takes too long, use a version control system. I like Mercurial for this purpose, although you have to be careful that the version control system's configuration files don't end up being served to the public. Deploying is then simply a matter of committing the changes and then checking out the latest version on the server. In addition to being efficient, this allows quick rollbacks (if you tagged the last good version) in case your latest-and-greatest has a showstopper bug.

    To minimize downtime, you could have the script copy the files to a new directory and then quickly rename the directories, or change where IIS points to the new directory.

    Jonathon Watney : The version control system is appealing but for web sites that require compilation it might not work out too well. Unless a compiled version is kept under version control of course.
    Josh : I never thought of putting a source control system out in production. Interesting; sure beats having to keep tons of extra zip files around.
    Luke : I do this all the time with Subversion. On Apache you'd use mod_rewrite to make sure users can't access the .svn directories. Using version control for deployment is definitely the way to go.
  • I'd further Joel's answer by suggesting a Continuous Integration server pick up your changes from your source control system. It will then build the project. Then have it xcopy the output of the build to a new folder. You can then do some quick config changes (web.config and app.config). Voila, ready for Xcopy!

    Check out CruiseControl.NET

    From pcampbell
  • oh jeeez, at work we have a whole team for this. They have an in-house tool that takes a server out of the cluster/farm, publishes the files, runs the NUnits, and adds it back into the cluster/farm. They do this for each of 16 servers. It takes hours. The rest of us don't even have "look around access".

    For my personal projects, I publish from VS2005 directly to my webserver. Kinda has less strict security.

    From tsilb
  • Consider using the Web Deployment Tool from Microsoft. It was specifically designed to help deploy web applications and updates to those web applications to production IIS 6 and 7 web servers and it does a better job of the task than MSI (Windows Installer), IMHO.

    Normally you use it by setting up a "gold master" site somewhere and then telling the tool to pack up the changes from there. It will then look at a target server for deployment and make any changes necessary to make it look like the gold master (which is useful for subsequent updates). It is particularly useful if you are deploying to more than one web server (i.e. a farm), and it has support for deploying more than just files (it can also handle making registry changes, deploying certs, SQL databases, etc).

    Portman : +infinity. This tool is a lifesaver and frees entire departments (a la tsilb) to work on more interesting problems.
    From Erv Walter
  • What I did at my previous employer, which was basically an auction/e-commerce site where we could not permit much downtime:

    • Take a zipped build version of the release/version to deploy on the build server
    • Test it on a staging server which has a copy of the production database and has the same version of software as the production software. Test that everything went smoothly. If not, restart the deployment of the staging server (but first restore a backup).
    • If everything went well: copy the build and database upgrade scripts to a local folder on the production server. Take a specific backup of the database and the ASP.NET files (in case something still goes wrong). Then prepare everything so that I only have to click Enter to launch the upgrade script and the copying of the database files (note that I could create a script for this). Then launch everything. This is normally a matter of seconds and the users won't notice much that there has been downtime.

    There are a lot of funnier things to do as a web developer. But this was the most crucial part of my work.

    From Michael

get progress database version on Unix

Is there a simple Unix console command to determine which version of a Progress database is running? I have root access to the Unix console.

Thanks in advance on any guidance!

  • If you look in your installation path's bin directory (usually $DLC/bin) you will find an executable called

    pro
    

    If you execute that with no parameters it should echo back some information like this; you'll notice that it's letting us know the version near the end:

            @@@@@@   @@@@@@   @@@@@@@   @@@@@   @@@@@@   @@@@@@@   @@@@@    @@@@@
           @     @  @     @  @     @  @     @  @     @  @        @     @  @     @
          @     @  @     @  @     @  @        @     @  @        @        @
         @@@@@@   @@@@@@   @     @  @  @@@@  @@@@@@   @@@@@     @@@@@    @@@@@
        @        @   @    @     @  @     @  @   @    @              @        @
       @        @    @   @     @  @     @  @    @   @        @     @  @     @
      @        @     @  @@@@@@@   @@@@@   @     @  @@@@@@@   @@@@@    @@@@@
    
                               Progress Software Corporation
                                        14 Oak Park
                                Bedford, Massachusetts 01730
                                        781-280-4000
    
           PROGRESS is a registered trademark of Progress Software Corporation
                                  Copyright 1984-2004
                            by Progress Software Corporation
                                  All Rights Reserved
    
    OpenEdge Release 10.0B05 as of Sat Apr 15 00:44:33 EDT 2006
    

    P.S. I'm sorry you have to deal with progress.

    Jorrit Reedijk : Thanks for your reaction. On running the command I get a message "This version of PROGRESS requires a startup procedure. (495)". I know the version has to go back at least 8 years, because that's how long the server is already running. P.S. Me too :)
  • In the BIN directory I have found some files using "ls pro*", including "proutil". This doesn't start up without a supplied database name, but shows its own version nevertheless.

    PROGRESS Version 8.3E as of Wed .... EST 2001 in my case.

    Mark Turner : Yeah, that would do it. Sorry I didn't have any older Progress installs up anymore. I had a few Solaris 8 machines with Progress running on them that had Progress 8. Now everything is on RHEL 4 or 5.
  • 1) There is a file called "version" in the installation directory ($DLC). The "pro" command cats this file on startup. You can too: cat $DLC/version

    2) There is also a command called "showcfg" which will provide all of your licensing data. "$DLC/bin/showcfg".

    From Tom Bascom
  • BTW -- Progress version 8 dates from the mid 90s. 8.3E was one of the last patch releases to v8.

    From Tom Bascom

How do I use Dvorak on OpenSolaris's console?

For more than 10 years, I've been meaning to try out Solaris, to broaden my system administration experience (most of which is currently with Debian, Ubuntu, and OpenBSD), not least because of the features that Solaris pioneered, such as ZFS and DTrace.

On top of that, OpenSolaris now has a user experience that was "inspired"[1] by Ubuntu, and looks like a fairly credible desktop system too (with my favourite theme, Nimbus :-P).

There is only one real hurdle, for me: the console has no Dvorak support:

It's true that in X, I can simply use setxkbmap dvorak (and it works when I tested it on OpenSolaris 2008.11), but there are some maintenance tasks that can only be done in single-user mode. It would be most ideal to remove the "cognitive dissonance" of using the system, by not having to switch back and forth between the two layouts.

[1] In the same way that CNProg was "inspired" by Stack Overflow. :-)

  • I found a wiki, albeit in French, that seems to have what you want.

    Chris Jester-Young : Awesome---obviously I can tweak the keymap from that site and use it. It's neat that the author of that site has keymaps and instructions for multiple OSs (although, at least for US Dvorak, most OSs already have the keymaps built-in). I'll wait a couple of days to see if others have good answers; after that, I'll pick a best answer. Many thanks!