Thursday, April 24, 2008

TNEF Conversion

Have you ever received a winmail.dat file in Entourage, Mail.app or even Thunderbird, not to mention any other mail client?
So you are wondering how to open winmail.dat on an Apple OS X machine;
well, here it is.

Not that I get them often, but ....
On the odd occasion I will get an email that has a winmail.dat attachment. This comes from Microsoft Outlook, which can wrap a message and its real attachments in TNEF (Transport Neutral Encapsulation Format), its own rich-text container. Although there are ways of disabling the option to send TNEF on the sender's side, it is generally easier to just convert the file yourself and leave the sender out of it.


There are a few ways of dealing with these pesky files.

1. You can download and use TNEF Enough.

2. You can use my script. There is more work involved up front, but it is probably a little easier once set up. (OS X Tiger needed.)

The Requirements.
1. OSX Tiger or above with Apple Developer Tools Installed.
2. Automator
3. Darwin Ports installed
4. Install TNEF
5. Download my winmail script.

The How To:
1. Installing Xcode Tools.
If you already have the Apple Developer Tools installed, skip to the next section.

If not, you can install them from your Tiger or Leopard install DVD; if you don't have it handy, you can download them from the Apple Developer site.

2. Installing DarwinPorts.
Download the DMG from the DarwinPorts site or from the MacPorts site (the same project under its newer name).
Install the ports system, then in Terminal.app (in the Utilities folder) type the following:

sudo port -d selfupdate

You might not need the update, but it is recommended: it refreshes both the ports tree and the port tool itself.

Then, in the same Terminal.app window, type:
% sudo port install tnef

you will be prompted for your password.

Then you will see something like this:
---> Fetching tnef
---> Verifying checksum for tnef
---> Extracting tnef
---> Configuring tnef
---> Building tnef with target all
---> Staging tnef into destroot
---> Installing tnef

The "Verifying checksum" step compares the downloaded tarball against the hashes recorded in the port, so a tampered mirror is caught before anything is built. Once that is done you have tnef installed.

Download the winmail.zip file and extract it.

The winmail app should be pretty generic and should not need to be changed at all, but you are more than welcome to open it in Automator and edit it as you need.

Basically what it does is find the winmail.dat file on your Desktop,
extract the contents and move them to a TNEF folder in your Documents folder (the script creates the TNEF folder if it is missing).
After that it opens the folder so you can see the contents and deletes the original winmail.dat from your Desktop. Bear in mind that the unpacked files are the sender's attachments, so treat them with the same caution as any other attachment.

What I have done is add the winmail app to my Dock, so when a mail arrives with a winmail.dat attachment all I do is save it to my Desktop and click the Winmail icon in my Dock.
If all works well you are presented with a Finder window showing the contents of the winmail.dat file.
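As an added example (this is not the Automator app from the post, which is not reproduced here), the same find-extract-open-delete workflow as a plain shell script. It assumes MacPorts' tnef is on PATH and uses its -C (--directory) option; the ~/Documents/TNEF location is the one the post describes.

```shell
#!/bin/sh
# winmail.sh: shell version of the one-click winmail app described above.
# Added example, not the post's Automator script. Assumes MacPorts' tnef is
# on PATH and accepts -C <dir> (--directory) as the extraction target.
#
# Two deliberate differences from "extract, open, delete":
#   * every winmail.dat gets its own fresh, timestamped directory under
#     ~/Documents/TNEF, so two messages whose inner files share a name can
#     never overwrite each other;
#   * the original winmail.dat is removed only after tnef exits 0, so a
#     truncated or corrupt attachment is never silently lost.
# The unpacked files are still whatever the sender put there: treat them
# with the same suspicion as any other attachment.

# convert_winmail SRC [DESTROOT]
#   SRC       the winmail.dat attachment
#   DESTROOT  parent directory for extractions (default ~/Documents/TNEF)
# Prints the directory the contents landed in; returns non-zero on failure.
convert_winmail() {
    src=$1
    destroot=${2:-"$HOME/Documents/TNEF"}

    if [ ! -f "$src" ]; then
        echo "convert_winmail: no such file: $src" >&2
        return 2
    fi
    if ! command -v tnef >/dev/null 2>&1; then
        echo "convert_winmail: tnef not found; try 'sudo port install tnef'" >&2
        return 3
    fi

    # One directory per message, e.g. TNEF/2008-04-24_101530; a numeric
    # suffix is added if two messages arrive within the same second.
    stamp=$(date +%Y-%m-%d_%H%M%S)
    dest="$destroot/$stamp"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$destroot/${stamp}_$n"
    done
    mkdir -p "$dest" || return 1

    # Extract; on any failure keep the original and remove the empty directory.
    if ! tnef -C "$dest" "$src"; then
        echo "convert_winmail: tnef failed on $src; original kept" >&2
        rmdir "$dest" 2>/dev/null || true
        return 1
    fi

    rm -f "$src"
    # Reveal the result in Finder when running on OS X.
    if [ "$(uname -s)" = Darwin ]; then
        open "$dest"
    fi
    printf '%s\n' "$dest"
}

# Usage: winmail.sh --run [path/to/winmail.dat]   (default: ~/Desktop/winmail.dat)
case "${1:-}" in
    --run) convert_winmail "${2:-$HOME/Desktop/winmail.dat}" ;;
esac
```

Save it as winmail.sh, chmod +x it, and run ./winmail.sh --run after saving the attachment to the Desktop (or ./winmail.sh --run /path/to/winmail.dat). Unlike the one-click app it refuses to delete the attachment when tnef fails and never overwrites an earlier extraction.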

Monday, April 21, 2008

How to enable SSH login access to a Cisco 800 Series

So you want to secure your router so that it is necessary to ssh into it rather than just telnet in (telnet sends your password and every command in the clear).

This applies equally if the router is used as an ADSL or DSL router, as in the article “Setting up a Cisco 800 series for ADSL”.

NOTE: This should work with any Cisco 800 Series router, including the Cisco 801, 827, 837, 877 and 877W, provided the Cisco IOS image on the router supports ssh (it needs a crypto-capable feature set).
Firstly is ssh enabled?


router#sh ip ssh
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH.
Authentication timeout: 60 secs; Authentication retries: 5

In this case it is not. If instead you got an error saying that sh ip ssh is not recognized, the IOS image on the router does not support SSH (or possibly the command is different for your platform).

How to enable SSH on a Cisco 800 series

SSH needs an RSA key pair, and the key generator needs a hostname and ip domain-name to already be set (unless you give the key a label, as below, it is named after them).

router# config term
router(config)#crypto key generate rsa usage-keys label router-key
The name for the keys will be: router-key
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

router (config)#
000047: *Mar 1 20:40:50.843 UTC: %SSH-5-ENABLED: SSH 1.99 has been enabled
router (config)#exit

According to the line above SSH has been enabled; we can confirm this by running the sh ip ssh command again.

router#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
router#

Note the version: 1.99 means the router accepts both SSH version 1 and version 2. Version 1 has known protocol weaknesses, so if your IOS supports it, add ip ssh version 2 in config mode; sh ip ssh will then report version 2.0. On the key size, 1024 bits was adequate in 2008; choose 2048 where the image and hardware allow it.

Now setting the router up to accept ssh logins only.

Usually it will accept ssh already, because by default the vty transport is set to all, i.e. telnet and ssh:

transport preferred all
transport input all

But we want to change that so that telnet is no longer accepted:

Router#conf t
!
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
login local
transport preferred ssh
transport input ssh
!
This also needs two things the listing does not show: the standard access-list 1 that access-class 1 in refers to (a missing ACL gives you no filtering at all), and at least one username ... secret account for login local (without one you cannot log in). Write your config and test it from a second session before closing the one you are in, because a mistake in the access-class or transport lines will lock you out.
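As an added check (not from the original post), a small audit script to run against a saved show running-config. The two configurations embedded in it are constructed for the example: one is the post's finished vty block plus the pieces the post assumes but does not show (the local username that login local needs, the access-list 1 that access-class 1 in refers to, and ip ssh version 2, since version 1.99 means the router still offers SSHv1); the other is the default state the post starts from. Hostname, domain, username, password and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: audit the vty/SSH settings in an IOS
# running-config. Both configs below are constructed; "router",
# "example.net", "admin", the password and 10.0.0.0/24 are placeholders.

# The post's finished state plus what it assumes but does not show.
HARDENED_CFG='hostname router
ip domain-name example.net
username admin privilege 15 secret ChangeMe-Now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 deny any log
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 login local
 transport preferred ssh
 transport input ssh
'

# The default the post starts from: telnet still allowed, SSHv1 still offered,
# no ACL and no per-user accounts on the vty lines.
DEFAULT_CFG='hostname router
line vty 0 4
 login
 transport preferred all
 transport input all
'

# ssh_audit CONFIG_TEXT
# Prints one line per finding and returns the number of findings (0 = clean).
ssh_audit() {
    cfg=$1
    findings=0
    # IOS indents sub-commands by one space: take everything after "line vty"
    # up to the next unindented line.
    vty=$(printf '%s\n' "$cfg" | awk '/^line vty/ { f = 1; next } /^[^ ]/ { f = 0 } f')

    printf '%s\n' "$vty" | grep -q '^ transport input ssh$' \
        || { echo "vty: transport input is not ssh-only (telnet still reachable)"; findings=$((findings + 1)); }
    printf '%s\n' "$vty" | grep -q '^ access-class [0-9]* in$' \
        || { echo "vty: no inbound access-class (any source may try to log in)"; findings=$((findings + 1)); }
    printf '%s\n' "$vty" | grep -q '^ login local$' \
        || { echo "vty: not using login local (no per-user credentials)"; findings=$((findings + 1)); }
    printf '%s\n' "$vty" | grep -q '^ exec-timeout ' \
        || { echo "vty: no exec-timeout (idle sessions never expire)"; findings=$((findings + 1)); }

    # The ACL named by access-class must exist; otherwise the line filters nothing.
    acl=$(printf '%s\n' "$vty" | sed -n 's/^ access-class \([0-9]*\) in$/\1/p')
    if [ -n "$acl" ] && ! printf '%s\n' "$cfg" | grep -q "^access-list $acl "; then
        echo "acl: access-list $acl is referenced but not defined"; findings=$((findings + 1))
    fi
    printf '%s\n' "$cfg" | grep -q '^ip ssh version 2$' \
        || { echo "ssh: SSHv1 still offered; add 'ip ssh version 2'"; findings=$((findings + 1)); }
    # login local without a local account locks everyone out, including you.
    if printf '%s\n' "$vty" | grep -q '^ login local$' \
        && ! printf '%s\n' "$cfg" | grep -q '^username .* secret '; then
        echo "auth: login local but no 'username ... secret' defined"; findings=$((findings + 1))
    fi
    return $findings
}
```

Run it as ssh_audit "$(cat running-config.txt)"; an exit status of 0 means every check passed, and anything else is the number of findings printed.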

Sunday, April 20, 2008

NFS Drive Shares and FreeBSD Ports

One of the things I love about FreeBSD is the ports tree.

You can install or upgrade any port simply by going to /usr/ports/category/portname, e.g. /usr/ports/www/apache13, and typing make and make install (or in many cases make install clean) and you are on your way. The system connects to one of the mirror sites and downloads the source distribution needed to build the port.

Of course it can become a little painful if you are installing the same port on 3 different servers or upgrading a port that is on 5 or 6 or more. I don’t mind running portupgrade pkg-name 5 or 6 times, but each server downloads the source tarball again, once for every server the port is installed or upgraded on.

So how to save time and bandwidth on port upgrades? That’s simple, but as always you have to take some possible security issues into account.

The way we have used here is NFS, which is by no means a secure protocol (NFSv3 trusts the uid the client claims, and the server's only control is the export list), but the risk can be minimized. I would not suggest using NFS on a bunch of servers that are completely open to the Internet. However, if you have your gaggle of 5 or 10 servers in a firewalled environment where the only access from the outside world is limited to a few ports, for instance

TCP 80  / www
TCP 443 / https
TCP 21  / ftp
TCP 25  / smtp

and a few others, then you have already done a fair amount to minimize your risk, and you can do some more in the actual NFS setup.

This is what we are going to do:
We set up one server to be the “master” and the other servers to be the “slaves”.
Ultimately the slaves mount the master’s /usr/ports/distfiles directory as their own (the slaves will not keep a local /usr/ports/distfiles directory).
First decide on a “master” machine: it should have a fair amount of spare drive space and should probably not be too overworked.

Once you have selected the NFS master,
add these lines to its /etc/rc.conf file:

rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags=""

Add this line to /etc/exports (you will probably have to create this file; note the trailing s, exports(5) is the file mountd reads):

/usr/ports/distfiles -maproot=root 10.0.0.2 10.0.0.5 10.0.0.6 10.0.0.9 10.0.0.10 10.0.0.11 etc

The -maproot=root is risky business: root on any listed client is root on this export, so a compromised slave can write, replace or delete anything in distfiles. Two things limit the damage. Only distfiles is exported, not the whole ports tree, and the ports system checks every distfile against the hashes in the port's distinfo before building, so a tampered tarball fails at make checksum instead of being built. If you can, map root to an unprivileged user that owns the directory (-maproot=someuser) rather than to root. Since our servers are pretty hard to get into unless you are inside the firewall, it’s a calculated risk.

Obviously the 10.0.0.x list should be replaced by the IPs of your servers (the "etc" is not part of the syntax: list hostnames or addresses only, or use -network and -mask for a whole subnet).

Ok, now the “slave” setup.
In each slave's /etc/rc.conf file add the following 2 lines:

nfs_client_enable="YES"
amd_enable="YES"

The amd_enable="YES" directive starts amd, the automount daemon. It is not actually required for the static /etc/fstab mount used below (nfs_client_enable and the fstab entry are enough), but it does no harm.

Then in each slave's /etc/fstab add this:
10.0.0.15:/usr/ports/distfiles /usr/ports/distfiles nfs rw 0 0

For this example 10.0.0.15 is the “master” server.

Ok, time to start it all up.

First, on the master server run the following as root:
# rpcbind
# nfsd -u -t -n 4
# mountd

Then on the slave servers run the following as root:
# nfsiod -n 4

That should get the servers all listening for the mounts that you want. (After a reboot the rc.conf settings above start them automatically.)

Now try to mount the master’s distfiles directory on a slave:

mount master-server:/usr/ports/distfiles /usr/ports/distfiles

That should do it; if you run df -h you should see something like this:

df -h
Filesystem                          Size  Used  Avail  Capacity  Mounted on
/dev/ad4s1a                          68G  2.1G    60G        3%  /
devfs                               1.0K  1.0K     0B      100%  /dev
master-server:/usr/ports/distfiles  340G   42G   271G       14%  /usr/ports/distfiles


Now any file that a slave downloads while doing a portupgrade lands on the master server and is automatically available to every other server, master or slave, without having to re-download it.

You might also want to check out the FreeBSD Handbook for more on NFS.
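As an added example (not from the post), a small sanity check for the /etc/exports file, covering the two things that make a distfiles export dangerous: mapping remote root to local root, and a client list that is empty or reaches outside the private address space. The two export lines in it are constructed for the example; the "ports" user in the safer line is assumed to exist and to own /usr/ports/distfiles.

```shell
#!/bin/sh
# Added example, not from the post: audit /etc/exports lines for a
# distfiles share. The two lines below are constructed; the "ports" user is
# an assumed unprivileged account that owns /usr/ports/distfiles.

# What the post uses: remote root becomes local root on the export.
WEAK_EXPORTS='/usr/ports/distfiles -maproot=root 10.0.0.2 10.0.0.5 10.0.0.6'

# Safer: remote root becomes the unprivileged owner of the directory, and
# the client list is one trusted subnet (-network/-mask are exports(5) options).
SAFER_EXPORTS='/usr/ports/distfiles -maproot=ports -network 10.0.0.0 -mask 255.255.255.0'

# is_private_ip ADDR -> 0 if ADDR is in an RFC 1918 range
is_private_ip() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# exports_audit EXPORTS_TEXT
# Prints one line per finding; returns the number of findings (0 = clean).
exports_audit() {
    findings=0
    while read -r path rest; do
        case $path in ''|'#'*) continue ;; esac   # blank lines and comments
        hosts=''
        expect=''
        for tok in $rest; do
            if [ -n "$expect" ]; then              # value for -network / -mask
                if [ "$expect" = network ]; then hosts="$hosts $tok"; fi
                expect=''
                continue
            fi
            case $tok in
                -maproot=root|-maproot=0)
                    echo "$path: -maproot=root, root on every listed client is root here"
                    findings=$((findings + 1)) ;;
                -network|-mask) expect=${tok#-} ;;
                -network=*)     hosts="$hosts ${tok#-network=}" ;;
                -*)             ;;                 # other options: -ro, -alldirs, -mapall=...
                *)              hosts="$hosts $tok" ;;
            esac
        done
        if [ -z "$hosts" ]; then
            echo "$path: no client list, so every host that can reach mountd may mount it"
            findings=$((findings + 1))
        fi
        for h in $hosts; do
            is_private_ip "${h%%/*}" || {
                echo "$path: client $h is not an RFC 1918 address (public IP or hostname)"
                findings=$((findings + 1))
            }
        done
    done <<EOF
$1
EOF
    return $findings
}
```

Run it as exports_audit "$(cat /etc/exports)" on the master; a non-zero exit status is the number of findings printed. Hostnames are flagged because they cannot be checked against a range; that is intentional for a share that should only ever be reachable from a known subnet.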

Friday, April 18, 2008

Squid Proxy Status Codes

TCP_code = requests on the proxy HTTP port (3128 by default).

UDP_code = requests on the proxy ICP port (3130 by default).

If ICP logging was disabled in the config file with the log_icp_queries directive, then, surprise surprise, ICP requests will not be logged.

The following result codes are from Squid version 2.x.

TCP_HIT
A valid copy of the requested object was in the cache.

TCP_MISS
The requested object was not in the cache.

TCP_REFRESH_HIT
The requested object was cached but STALE. The IMS query for the object resulted in "304 not modified".

TCP_REF_FAIL_HIT
The requested object was cached but STALE. The IMS query failed and the stale object was delivered.

TCP_REFRESH_MISS
The requested object was cached but STALE. The IMS query returned the new content.

TCP_CLIENT_REFRESH_MISS
The client issued a "no-cache" pragma, or some analogous cache control command along with the request. Thus, the cache has to refetch the object.

TCP_IMS_HIT
The client issued an IMS request for an object, which was in the cache and fresh.

TCP_SWAPFAIL_MISS
The object was believed to be in the cache, but could not be accessed.

TCP_NEGATIVE_HIT
Request for a negatively cached object, e.g. "404 not found", for which the cache believes to know that it is inaccessible. Also refer to the explanations for negative_ttl in your squid.conf file.

TCP_MEM_HIT
A valid copy of the requested object was in the cache and it was in memory, thus avoiding disk accesses.

TCP_DENIED
Access was denied for this request.

TCP_OFFLINE_HIT
The requested object was retrieved from the cache during offline mode. The offline mode never validates any object, see offline_mode in squid.conf file.

UDP_HIT
A valid copy of the requested object was in the cache.

UDP_MISS
The requested object is not in this cache.

UDP_DENIED
Access was denied for this request.

UDP_INVALID
An invalid request was received.

UDP_MISS_NOFETCH
An ICP-specific code: while the cache is in hit-only mode (during -Y startup or after frequent failures) a miss is reported as UDP_MISS_NOFETCH rather than UDP_MISS, so neighbours only fetch hits from it.

SQUID HTTP status codes

000 Used mostly with UDP traffic. [Only used in SQUID?]
100 Continue
101 Switching Protocols
102 Processing (WebDAV)
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
207 Multi-Status (WebDAV)
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy
307 Temporary Redirect [NOT USED in SQUID]
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request URI Too Large
415 Unsupported Media Type
416 Request Range Not Satisfiable [NOT USED in SQUID]
417 Expectation Failed [NOT USED in SQUID]
422 Unprocessable Entity (WebDAV)
423 Locked (WebDAV)
424 Failed Dependency (WebDAV)
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
507 Insufficient Storage (WebDAV)
600 Squid header parsing error

More Squid info can be found at Squid's FAQ

Apache Status Codes

Often when debugging a problem or looking through your logs you will see the Apache status codes.

For example (combined log format: client, identd, user, timestamp, request line, status, bytes, referrer, user agent):
xxx.xxx.xxx.xxx - - [28/Jul/2006:13:49:28 +0200] "GET /news.php HTTP/1.1" 200 807 "http://www.joe-ma.co.za/news.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060703 FreeBSD/amd64 Minefield/3.0a1"

Successful Client Requests
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content

Client Request Redirected
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy

Client Request Errors
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflict
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request URI Too Long
415 Unsupported Media Type

Server Errors
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
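As an added example serving both the Squid result codes above and the Apache status codes in this post (it is not code from either post), a small shell/awk script that tallies codes from Squid's native access.log and Apache's combined log and surfaces the two patterns these lists are most useful for spotting: one client collecting TCP_DENIED/403 on CONNECT requests to many ports (a port scan bounced through the proxy), and one client collecting 401/403/404 responses from the web server (password guessing or path brute-forcing). All log lines are constructed for the example; the addresses are private or documentation ranges.

```shell
#!/bin/sh
# Added example, not code from either post. Tallies Squid result codes and
# Apache status codes and reports per-client error bursts. The log lines are
# constructed; 10.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are private or documentation ranges, not real hosts.

# Squid native access.log: time elapsed client code/status bytes method url ...
# 10.0.0.9 is a client probing SSH, telnet and RDP through the proxy; each
# CONNECT to a non-SSL port is refused by the default Safe_ports/SSL_ports ACLs.
SQUID_LOG='1209000001.101    45 10.0.0.5 TCP_MEM_HIT/200 2048 GET http://www.example.com/ - NONE/- text/html
1209000002.202   310 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/news.php - DIRECT/192.0.2.80 text/html
1209000003.303     2 10.0.0.9 TCP_DENIED/403 1700 CONNECT 192.0.2.10:22 - NONE/- text/html
1209000004.404     1 10.0.0.9 TCP_DENIED/403 1700 CONNECT 192.0.2.10:23 - NONE/- text/html
1209000005.505     2 10.0.0.9 TCP_DENIED/403 1700 CONNECT 192.0.2.10:3389 - NONE/- text/html
1209000006.606    90 10.0.0.7 TCP_REFRESH_HIT/304 300 GET http://www.example.com/logo.png - DIRECT/192.0.2.80 image/png
1209000007.707   500 10.0.0.7 TCP_CLIENT_REFRESH_MISS/200 9000 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1209000008.808     0 10.0.0.9 TCP_DENIED/407 1200 GET http://www.example.com/ - NONE/- text/html'

# Apache combined log: client ident user [date tz] "request" status bytes "referer" "ua"
# 203.0.113.4 is walking a list of well-known paths looking for something exposed.
APACHE_LOG='198.51.100.7 - - [28/Jul/2006:13:49:28 +0200] "GET /news.php HTTP/1.1" 200 807 "http://www.joe-ma.co.za/news.php" "Mozilla/5.0"
203.0.113.4 - - [28/Jul/2006:13:49:30 +0200] "GET /admin/ HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.4 - - [28/Jul/2006:13:49:31 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.4 - - [28/Jul/2006:13:49:32 +0200] "GET /backup.tar.gz HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.4 - - [28/Jul/2006:13:49:33 +0200] "GET /.htpasswd HTTP/1.1" 403 199 "-" "scanner/1.0"
198.51.100.7 - - [28/Jul/2006:13:50:02 +0200] "GET /missing.gif HTTP/1.1" 404 210 "http://www.joe-ma.co.za/news.php" "Mozilla/5.0"'

# squid_code_counts LOG -> one "RESULT_CODE count" line per code, sorted
squid_code_counts() {
    printf '%s\n' "$1" | awk 'NF { split($4, a, "/"); n[a[1]]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# squid_hit_ratio LOG -> whole-number percentage of requests served from cache
# (any result code containing "HIT": TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...)
squid_hit_ratio() {
    printf '%s\n' "$1" | awk '
        NF { total++; if (index($4, "HIT/")) hits++ }
        END { print (total ? int(100 * hits / total) : 0) }'
}

# squid_denied_clients LOG MIN -> clients with at least MIN TCP_DENIED/403 lines.
# TCP_DENIED/407 is deliberately excluded: that is the proxy-auth challenge
# every legitimate client sees once, not a policy denial.
squid_denied_clients() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $4 == "TCP_DENIED/403" { d[$3]++ }
        END { for (c in d) if (d[c] >= min) print c, d[c] }' | sort
}

# apache_client_errors LOG MIN -> clients with at least MIN 401/403/404 responses
# ($9 is the status field of the combined format when the URL has no spaces)
apache_client_errors() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $9 == 401 || $9 == 403 || $9 == 404 { e[$1]++ }
        END { for (c in e) if (e[c] >= min) print c, e[c] }' | sort
}
```

On real logs, replace the embedded strings with "$(cat /var/log/squid/access.log)" or "$(cat /var/log/httpd-access.log)"; the thresholds are per log file, so pick them against a rotated file of known size rather than the live one.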

Thursday, April 17, 2008

How to Jail ftp users via ProFTPd

Installing and configuring ProFTPD

Installing and configuring ProFTPD so that a web user can log in and be jailed to their home directory is very simple.

First install proftpd from your FreeBSD ports tree (ftp/proftpd).

Once installed, copy the proftpd.conf sample file to proftpd.conf.
Edit the file and uncomment #DefaultRoot ~ as below:

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

The startup script in /usr/local/etc/rc.d/ sets a default of proftpd_enable="NO"; there is no need to edit the script itself, because the value in /etc/rc.conf overrides it and survives the next port upgrade.

So edit your /etc/rc.conf file and add
proftpd_enable="YES"

Then start proftpd via the startup script.

You should now be able to log in as a user you created and see only your own directory; you should not be able to go back from /home/myuser to /home, for instance. Check it rather than assume it: log in, run cd .. and then pwd, and you should still be at /.

This is great for keeping clients in their vhost directory so that they cannot traverse other directories. It does not change the fact that plain FTP sends the username and password in the clear; if clients connect over an untrusted network, look at ProFTPD's mod_tls.

Monday, April 7, 2008

Setting up Apple OS X 10.4 Server Software Update Service

A suggestion: the first time you start it up, make sure that the updates are not mirrored or enabled.

In the Apple Server Admin tool select Software Update, then Settings; on the General tab make sure that "Automatically mirror updates from Apple" and "Automatically enable updates" are not selected, click Save and then start the service.

Once the service has started, everything seems fine and you have no errors in the software update log file, select the Updates tab and select the updates that you need or want to enable. If you want to enable all of them that’s fine, but only do a few at a time, 15 to 20, unless you have ample bandwidth available, as the server will go and download every update that is selected; at last glance that was about 4 GB.

Once you have set up and configured your Apple OS X Tiger server for Software Updates you can check out the information below.

If you have Apple Remote Desktop you can send a Unix command to change the software update URL on the clients. Some people have to change it in two locations, as below:

defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://update.server.com:8088/

defaults write /private/var/root/Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://update.server.com:8088/

From what I have heard, Apple's Workgroup Manager should push this information down to managed clients. You can also use this great application if you are Terminal shy: Software Update Enabler.
I would assume that this also works with 10.5 server.

Apple OS X 10.4 Server Monitor "waiting for response"

So you have installed or reinstalled Apple OS X 10.4 Server, and you have noticed that no matter what you do you can’t get the server to talk to your Server Monitor application; all that you see is “Waiting for response” where you should be seeing drive temperatures, fan speeds, etc.

I have only noticed this on a 10.4 Server where I installed the system in Target Disk Mode over FireWire. The Xserve is a dual G5 with no graphics card (a headless server); the server was installed from a G4 PowerBook.


When the system installs it seems to probe the hardware, and because you have mounted the OS X Server hard drive on your other Mac (a non-Xserve) my guess is that it does not, or cannot, probe the correct hardware: since the PowerBook is not a G5 Xserve it cannot configure the hardware monitor properly.

To get around this, first make sure that you are in fact connected to the IP address of the Xserve and you don’t have any username/password issues. Make sure that servermgrd is running: open Apple’s Server Monitor and check that you can log in and see the correct information listed there. You can also check that the server is listening on port 311 with a simple lsof -i | grep server
and you should see something like this in your Terminal:

servermgr 656 root 16u IPv4 0x05776f98 0t0 TCP *:asip-webadmin (LISTEN)
servermgr 656 root 17u IPv4 0x0577677c 0t0 TCP *:asipregistry (LISTEN)
servermgr 664 root 16u IPv4 0x05776f98 0t0 TCP *:asip-webadmin (LISTEN)
servermgr 664 root 17u IPv4 0x0577677c 0t0 TCP *:asipregistry (LISTEN)

Now if all this is in place and you still get “Waiting for response” in Apple's Server Monitor, you can simply run, with sudo (or su to root, but that’s not suggested):
/System/Library/ServerSetup/SetupExtras/hwmondSetup
and then check your Server Monitor again.

You should now see all the data you would expect to.
As far as I know hwmondSetup is only available in 10.4, and I would guess 10.5, not that I have a 10.5 Server to play with; from what I can tell hwmondSetup is not part of 10.3 or below.

Sunday, April 6, 2008

Active on mouse over Terminal.app Mac OS X

This is something that I find pretty handy:

I am often ssh'd into different servers or connected to routers, and I usually have 4 Terminal windows open.
By default a window is not active just because the mouse is over it; you have to actually click on the Terminal window you are using at that point in time.

So if you are copying text between 2 Terminal windows you have to copy from the source window, then click the destination window, then paste.

Or you can enable focus-follows-mouse.


You can do this by opening a Terminal window and typing
defaults write com.apple.Terminal FocusFollowsMouse -string YES
to enable, or
defaults write com.apple.Terminal FocusFollowsMouse -string NO
to disable. Terminal reads the setting when it starts, so quit and relaunch it for the change to take effect.

This hint could possibly be used for other applications too, but I am not 100% sure about that.
In theory you could do the same with multiple Safari windows if you don't use tabbed browsing, or if you wanted it for some reason.
I'm not sure of the exact command but I would guess that you could use something like
defaults write com.apple.Safari FocusFollowsMouse -string YES
