Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…


Dealing with credentials in PowerShell

Whenever you write PowerShell scripts that are going to be used for automation you need to secure your credentials. The best practice is to use a service account to execute the PowerShell script and delegate whatever privileges it needs to execute. When dealing with internal systems and resources that are usually pretty easy if they all authenticate from the same ecosystem or are integrated properly. But there is instances where you need to store credentials like when working with external APIs or deattached internal system.

Continue reading...

Unattended use of mysql_secure_installation

After installing MySQL on any Linux distribution you run the mysql_secure_installation script, or at least you should! It will prompt you to set a new root password, remove anon access and a few other things. But if you want this configuration to be done in a deployment or cloud-init script? The mysql_secure_installation command/script doesn't accept any parameters, so it can't be used for unattended install. How ever you can execute the same commands via the mysql command line tool as long as the service is started.

mysql -e "UPDATE mysql.user SET Password=PASSWORD('{input_password_here}') WHERE User='root';"
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '', '::1');"
mysql -e "DELETE FROM mysql.user WHERE User='';"
mysql -e "DROP DATABASE test;"

I use this to provision new MySQL servers in the Amazon EC2 environment and it works like a charm. If this is used in a cloud-init script make sure to execute the sudo service mysqld start first!


Open Source: A false sense of security

The heartbleed vulnerability dropped like a bombshell, a large majority of web servers on the internet was sharing there memory with the world. The even bigger bombshell was that the vulnerability had existed for over two years. Most people consider open source more secure then proprietary code since anyone can verify that it's safe. The problem is that most people think that someone else already done that!

Continue reading...


Script: NTFS rights on user home directories

Have a normal Windows setup where the user have a home folder on the file server. All the users is connected to there \\fileserver\home$\%username% via GPO on logon. How ever we found that some of the folders had rights that where messed up. So i wrote a quick script that loopes through all folders and checks if there is a user account in the domain if not it will move the directory to __unconnected__ folder. For all know users it uses cacls command to set rights for the user and admins only. If you need something else you can just edit the cacls command before you run it! Script is provided as is and feel free to modify it...

Download script here:

Option Explicit
Dim path, objRoot, domainname, fso, rootFolder, folder, objShell, intRunError
path = inputbox("Enter path of homedirs:")

' Get current domain
IF domainname = "" THEN
	SET objRoot = GETOBJECT("LDAP://RootDSE")
	domainname = objRoot.GET("defaultNamingContext")

' Setup FSO connection
Set fso = CreateObject("Scripting.FileSystemObject")
Set rootFolder = fso.GetFolder(path)
Set objShell = WScript.CreateObject( "WScript.Shell" )

' Go through all homedir folders
For Each folder in rootFolder.SubFolders
	if(FindUser(folder.Name, domainname) = 1) Then
		' Folder found reset the permissions
		wscript.echo folder.Name + " - has a user connected! Reseting the permissions..."
		intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & folder.Path & " /t /c /g Administrators:F ""Domain Admins"":F " & folder.Name & ":F", 1, True)
		If intRunError <> 0 Then
			wscript.echo folder.Name + " - ERROR assigning rights!"
			wscript.echo intRunError
			wscript.echo folder.Name + " - Rights asigned!"
		End If
	elseif(FindUser(folder.Name, domainname) = 0) then
		' This folder isn't connected move it
		If(folder.Name <> "__unconnected__") then
			wscript.echo folder.Name + " - doesn't have a user connected! Moving to .\__unconnected__"
			fso.MoveFolder folder.Path, rootFolder.Path + "\__unconnected__\"
		End If
		wscript.echo "ERROR: Connection to AD failed!"
	End If

Set objRoot = Nothing
Set fso = Nothing
Set rootFolder = Nothing
Set objShell = Nothing

' Function to check if user exists
FUNCTION FindUser(BYVAL UserName, BYVAL Domain) 
	Dim cn,cmd,rs
	SET cn = CREATEOBJECT("ADODB.Connection")

	cn.open "Provider=ADsDSOObject;"
	cmd.commandtext="SELECT ADsPath FROM 'LDAP://" & Domain & _
			 "' WHERE sAMAccountName = '" & UserName & "'"
	SET rs = cmd.EXECUTE

	IF err<>0 THEN
		FindUser = 2
		wscript.echo "Error connecting to Active Directory Database:" & err.description
     			FindUser = 1
			FindUser = 0

Watchguard SSLVPN unavalible

One organization I work for have Watchguard firewalls and are using SSLVPN. Yesterday it just stopped working. You couldn't connect with the client and if you tried to access the {firewall address}/sslvpn.html you got "Connection refused". First I tried to reboot the firewall and ended up with the same result. Checked the debug log and found these entries:

2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=8dea8c0) not found.	Debug
2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=adea8c0) not found.	Debug
2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=9dea8c0) not found.	Debug
2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=4dea8c0) not found.	Debug
2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=7dea8c0) not found.	Debug
2011-11-17 20:28:36 sslvpn sslvpn_userlist, entry(virtual_ip=2dea8c0) not found.	Debug

Googled it, of course, and didn't really find anything useful. So i started checking all of the config, the access to the AD and stuff like that. Thought that if the firewall didn't get access to the AD it might just close all AD dependent connections but all looked OK there two.

Finally I found out how to solve it, or really get ride of the problem. It's hardly a sexy solution but here's what I did:

  1. I saved my config to an XML file.
  2. I disabled the SSLVPN and saved that config to the firewall.
  3. Opened the saved XML config with SSLVPN enabled and uploaded it to the firewall.

Then it all worked again!


IIS 7 FTP access denied while uploading files

I got this strange problem yesterday at work. One of our developers was trying to upload files to e new server and he got 500 access denied each time he tried. After he spent hours double checking all the NTFS rights and IIS settings he asked me for help. At the first look I thought the IIS server had been messed up some how. After verifying everything that he told me was OK, after all he is a coder and they usually don't understand servers, I really didn't know what to do next. So I thought about it for a moment and then I started from scratch, checked the entire solution from the bigger picture.

So with the system blueprint in front of me it all started to clear up. The server was situated in our server center across town and all his traffic was passing through a VPN tunnel between our two ISA 2006 servers. The ISA server sets all the FTP rules to "Read-Only" by default but I didn't realise that this was a problem for the VPN site to site tunnel also. After checking the routing rule and then the access rule for the communication between the two networks I found the settings for FTP traffic between the two ISA servers. After I unchecked the "Read-Only" check box for the FTP traffic on the VPN site to site access rule it all worked as designed.