We has tubez!

ESXi & iSCSI

by Matt on Jun.16, 2009, under Hak5

So the series I’ve been doing on ESXi has been getting nothing but great feedback, and I’m glad that I can share what I’ve learned over the course of the last couple years with everyone.
On episode 518 of Hak5, we show how truly easy it is to add iSCSI storage to a free deployment of ESXi.

So what is iSCSI?

In computing, iSCSI (pronounced /aɪˈskʌzi/), is an abbreviation of Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. iSCSI can be used to transmit data over local area networks (LANs), wide area networks (WANs), or the Internet and can enable location-independent data storage and retrieval. The protocol allows clients (called initiators) to send SCSI commands (CDBs) to SCSI storage devices (targets) on remote servers. It is a popular storage area network (SAN) protocol, allowing organizations to consolidate storage into data center storage arrays while providing hosts (such as database and web servers) with the illusion of locally-attached disks. Unlike traditional Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

In simpler terms, using some free software, it’s stupid easy to create a large amount of storage which is not tied to the physical adapter of the host server (in this case, the server ESXi is running on).

So what do we need?

  • Functioning ESXi Installation
  • Server capable of running FreeNAS
  • Gigabit connectivity between ESXi server and FreeNAS

Now let’s get started. While it’s recommended to separate your iSCSI traffic from the rest of your network traffic, for the purpose of this walkthrough we’re just going to use the same IP subnet for all of our LAN and iSCSI traffic.
Our ESXi server sits at 10.10.1.55 and our newly installed FreeNAS server is located at 10.10.1.66.

  1. Connect to your FreeNAS server through the WebGUI using your favorite browser. In the top menu select Disks, then click Management.
  2. Click on the plus sign in the lower right corner to add drives.
  3. Next to Disk, choose the drive you want to add from the drop-down, and if you want, enter a description for it next to Description.
  4. When you go back to the Disk Management screen you will be asked to confirm the addition by clicking on Apply changes; go ahead and do that now.
  5. From the top menu choose Services, then iSCSI Target.
  6. Click on the plus sign in the Extent area.
  7. The bolded fields are required, so place a name in the Extent name field, leave the Type as Device, and then choose the Device you want in the drop-down.
  8. When you get back to the iSCSI Target page click on Apply changes.
  9. Click on the plus sign in the Target area.
  10. As before, the bolded fields are required. Here is a breakdown of the fields:

    Target name: Add your own or leave the default
    Flags: RW for Read/Write or RO for Read Only
    Storage: Lists the extents that were set up; choose the one you want to use
    Authorized Network: Enter the IP network that can access this drive. For us we’re going to enter 10.10.1.0 and we’ll leave the /24, as our subnet is 255.255.255.0

    Once you fill in all the info click on Add.

  11. Back at the iSCSI Target page you need to click on Apply changes once again.
  12. Now place a check in the box next to Enable in the top right corner and then click Save and Restart in the bottom left.
  13. The iSCSI Target drive is now set up and ready for use.

Now we need to set up ESXi to connect to our newly created iSCSI target.
Start by logging into your host using the Virtual Infrastructure Client.
Click on your host, and then click the Configuration tab.
Click Storage Adapters, and then select your vmhba32 iSCSI storage adapter.
Click Properties and Configure, then check the Enabled box.
Go to the Dynamic Discovery tab, and add your FreeNAS IP address (in this case, 10.10.1.66).
Click OK, then Close, and then rescan the HBA.

At this point you should see your storage; now we need to format the new storage.
So click back to the Storage option on the left.
Then click Add Storage.
Select Disk/LUN, and click Next.
Select your new disk on the FreeNAS iSCSI target, then Next, Next, Finish.
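To see what the Flags and Authorized Network fields above actually decide, here is a small model of the target’s access check with the hardening checks a reviewer would run over it. This is an added example, not FreeNAS or VMware code; the target and extent names are constructed, and the addresses are the ones used in the walkthrough.

```python
"""Access decision of the FreeNAS iSCSI target configured above (added example,
not FreeNAS or VMware code). It models the Flags and Authorized Network fields
and adds the hardening checks a reviewer would run before exposing an extent."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Target:
    name: str                # Target name field (value below is constructed)
    flags: str               # "RW" (read/write) or "RO" (read only)
    extent: str              # Storage field: the extent backing the target
    authorized_network: str  # Authorized Network field, e.g. "10.10.1.0/24"


# Constructed to match the walkthrough: RW access for the whole 10.10.1.0/24 LAN.
WALKTHROUGH_TARGET = Target("target0", "RW", "extent0", "10.10.1.0/24")
ESXI_HOST = "10.10.1.55"
MANAGEMENT_LAN = "10.10.1.0/24"


def access_for(target: Target, initiator_ip: str) -> Optional[str]:
    """Return "RW", "RO", or None (refused) for a connecting initiator.

    No CHAP is configured in the walkthrough, so the initiator's source
    address is the only thing standing between the LAN and the VMFS volume.
    """
    allowed = ipaddress.ip_network(target.authorized_network, strict=False)
    if ipaddress.ip_address(initiator_ip) not in allowed:
        return None
    return target.flags.upper()


def review(target: Target, management_lan: str) -> List[str]:
    """Flag the separation the post recommends but skips, plus an over-broad RW grant."""
    findings = []
    allowed = ipaddress.ip_network(target.authorized_network, strict=False)
    lan = ipaddress.ip_network(management_lan, strict=False)
    if allowed.overlaps(lan):
        findings.append("target reachable from the general LAN; "
                        "move iSCSI to a dedicated subnet or VLAN")
    if target.flags.upper() == "RW" and allowed.num_addresses > 1:
        findings.append("RW extent offered to every host in %s; "
                        "narrow it to the ESXi host(s) with /32 entries" % allowed)
    return findings


if __name__ == "__main__":
    print("ESXi host gets:", access_for(WALKTHROUGH_TARGET, ESXI_HOST))
    for finding in review(WALKTHROUGH_TARGET, MANAGEMENT_LAN):
        print("finding:", finding)
```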

DONE!

Questions? Post em in the comments!


3CX Phone Wrapup and Q&A

by Matt on Mar.24, 2009, under Hak5

Hey everyone,

Just a little post regarding the most recent episode of Hak5.
I went into showing users how easy it really is to set up a VOIP provider so that you can easily make and receive phone calls to and from external numbers.

I chose to use Teliax, which in my opinion is a great option if you’re looking for a provider, as they have some really attractive pricing, especially the pay-as-you-go plan.
The nice thing about that plan is you can have 10 simultaneous calls going, and so long as your 3CX license allows it, there’s no extra setup. It just bills you based on how many minutes each of the callers is using.

There have also been a couple of questions that have popped up both here on my blog and in email.  Check out those after the break.

(continue reading…)


3CX – An IP-PBX for Windows in under 10 minutes

by Matt on Mar.03, 2009, under Hak5, Work Related

Recently on Hak5 I showed how easy it was to set up a Windows-based IP-PBX using software by 3CX, a company out of the small country of Cyprus.

After having an urgent need to replace our aging PSTN-based telephone system, which costs $100/hr for some monkey to come in and make a simple extension change, my company decided it was time for something we could control.

I had been through this motion about a year prior, and in that time came away with a solution from Mitel which ended up costing around $30,000. Now this was a great platform (IP3300 if I remember correctly): Office Communications Server 2007 integration, remote site support, Exchange 2007 UM integration, all of the key features that I had spent tireless hours implementing in our infrastructure to hopefully take advantage of in a new phone system.

However, the current economic conditions being what they are, we could no longer justify a $30,000 price tag for a new phone system. Enter 3CX.

After searching Google for about a half hour, and looking at all of the Asterisk-based IP-PBX systems, I came across the 3CX IP-PBX platform which ran on top of Windows. Now I know there are those of you out there that may be reading this thinking to yourselves, AHHH MORE WINDOWS. Well you can go to hell, seriously. My company is a Microsoft shop, end of story. I have no need, nor the time, to do something in Linux that would take me personally longer than it would in Windows. You may be quicker, and that’s good for you, but I can’t be bothered. Windows works for my company, and that’s all that you need to know.

Back on track…  After downloading the free version (yes it’s completely free if you don’t need some of the advanced features such as Exchange 2007 UM integration, or call parking, etc.) I literally had a functioning internal phone system up and running in about 10 minutes.  The installation is painless, and the configuration steps a breeze.

So I decided to kick it up a notch. I ordered a single Linksys SPA962 IP Phone from 888voipstore (I highly recommend these guys; sure, you can find stuff for 10-15 bucks cheaper, but at the end of the day I’m speaking to someone I understand, and who is very attentive to their customer). After receiving said phone, I plugged in the MAC address to the 3CX back end, and auto-provisioned the phone. CAKE! Nice and moist, just the way I like it.

Next came the all-important decision of how many people we’re going to roll this out to in Phase 1. Answer? 16.
I can handle 16, and apparently so can 3CX. I had 16 extensions and phones configured in about 2 hours. That includes the time it takes to upgrade the phones to the latest 6.1.5a firmware available from Cisco.

All in all I’m pretty satisfied with the 3CX package. While I can’t get into every nitty-gritty detail of my phone system, I don’t need to. The software works (a few small issues notwithstanding), and I can eventually turn over basic user maintenance to someone who isn’t an IT person because it really is that easy to use.

I really would suggest anyone with a Windows machine lying around the house who has a need for a basic PBX for use with either a VOIP provider, or a PSTN gateway look at 3CX.  I know I’ll be deploying a server here at the hakhouse for some other business purposes, and don’t have to worry about much beyond which machine I’m actually going to throw it on.

For more info on 3CX, or to download the free version OR their enterprise version with a free demo license (which unlocks all of the software’s functionality but limits it to 2 concurrent calls), visit http://www.3cx.com


Napera Indigo Beta overview

by Matt on Mar.03, 2009, under Hak5, Work Related

Recently I had the pleasure of being a part of the Napera Indigo Beta program, in which Napera (a networking company founded by Todd Hooper, formerly of WatchGuard) sent me a 24-port gigabit switch with their new embedded switch platform installed on it.

The Napera beta is basically a test of a network software platform for installation by companies interested in the features that Napera is spearheading. With the recent release of Windows XP SP3 and Vista, and the upcoming release of Windows 7, Microsoft has made the bold move of allowing the monitoring and auditing of machines connected to your internal network, checking them for things like up-to-date OS patches, firewalls and antivirus, to be offloaded to the network itself.

The program focused on a couple key components.
1. Set-up and Activation
2. Enable NAP and Health Reporting
3. Health Enforcement
4. Identity Enforcement
5. Guest Access

You can read a little more on exactly what NAP is here : http://www.microsoft.com/technet/network/nap/napoverview.mspx

All of that aside, in the most recent episodes of Hak5 I dived into the interface and health reporting functionality of the Napera switch and its ability to limit workstation access based on health and authentication with Active Directory.

I’m a steadfast believer that anything that makes my life easier as a Systems Admin, or now in my case a CTO for a small company, is a great advancement and something that I think is sorely lacking in the industry.

I can go on and on about the functions of the Napera software, but I think it’s best experienced from the horse’s mouth.

For more information on Napera, head on over to http://www.napera.com/indigo/Napera%20Indigo%20User%20Guide.pdf for the User’s Guide on Indigo.


How to use a Western Digital MyBook on Windows 2003 Server

by Matt on Feb.17, 2009, under Misc Thoughts

How to use a Western Digital “My Book” drive (Home Edition, but I don’t think that matters) in Windows 2003 Server:

  1. Follow instructions for normal connection using USB, then:
  2. Start -> My Computer -> (right-click) Manage -> Storage -> Disk Management. The external drive will appear in the list of partitions, but it will be inactive and will not have a drive letter assigned.
  3. Right-click on the partition, select Mark Partition as Active.
  4. Right-click on the partition again, select Change Drive Letter and Paths.
  5. Click Add and assign a drive letter.
  6. The drive should now be accessible.

This procedure should only be necessary the first time the drive is plugged in.


OpenSource Enterprise Firewall – pfSense

by Matt on Feb.02, 2009, under Hak5

So while our Smoothwall is and has been working well for us for the past two years, I recently had the need for something a little more robust.

I came across pfSense, a fork of the m0n0wall project. pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Here’s a short summary of some of the eye-catching features.

* Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
* Able to limit simultaneous connections on a per-rule basis
* pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to allow you to filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use.
* Option to log or not log traffic matching each rule.
* Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
* Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
* Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
* Packet normalization – description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
    o Enabled in pfSense by default
    o Can be disabled if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
* Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
* pfSense offers three options for VPN connectivity: IPsec, OpenVPN, and PPTP.

There are a ton of other great features that you can read up on at http://is.gd/iauk

The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip


Terminal Services Alternatives

by Matt on Jan.20, 2009, under Work Related

On the latest episode I showed an alternative to Windows Terminal Services.

The website is located at http://www.xpunlimited.nl and there is a large list of benefits at http://xpunlimited.nl/benefits.html

One of the really nice features is the ability to repurpose an old XP machine to use as a terminal server.

The setup couldn’t be easier, and is pretty much a standard application installer. Customization is a very simple process, from limiting application launches, to customizing the initial desktop, and even advanced functions which replicate the Microsoft Terminal Services security settings.

Questions or alternatives?
Please leave a comment.


Setup an SSH SOCKS proxy!

by Matt on Dec.16, 2008, under Hak5

For episode 416 of Hak5, I showed how easy it really is to tunnel all kinds of traffic, from HTTP, FTP, and more, over a secure SSH SOCKS proxy.

Some of you may be thinking to yourself… “HOLY CRAP WHAT ARE THESE TERMS?!” And I’m here to assure you that it’s going to be OK! Really it is.

What you’ll need

  • An SSH server to act as your proxy.
    Simple enough really! If you’re using Windows I highly recommend freeSSHd. If you’re on a Mac, check out this page for instructions on how to enable remote login. Linux users, you should know how to do this. ;)
  • An SSH client on the computer you’re using.
    Mac and *nix machines have SSH built right in at the command line. Windows users can do like I did in the episode and download plink (available here). There are other people out there that will recommend Cygwin, but for this purpose it’s really overkill.

How proxies work

In a nutshell, what you’re doing with a proxy is setting up a middle-person (no, not a pineapple, but close) between you and the internet. Using the proxy, your browser hands off web page requests to the proxy server, which handles the request and fetches the page for you from the internet. The web site actually thinks the request is coming from the proxy server, not your computer, which is a good way to obscure your originating IP address.

Additionally, the connection between your computer and the proxy happens over SSH, an encrypted protocol. This prevents wifi sniffers from seeing what you’re doing online.

Start your SSH tunnel

So you’ve got your SSH server set up at your house or workplace. Great! To connect to it we’re going to set up a local proxy server on the client that you’ll be browsing the internet from, which will then “tunnel” web traffic from your local machine to the remote server over SSH. The command to run on your Linux / Mac client in a terminal window is: ssh -ND 9999 you@example.com

For Windows it’s as simple as browsing to the directory you saved plink to and running: plink.exe -N -D 9999 you@example.com

Of course, you’re going to replace you with your username on your SSH server and example.com with your server’s domain name or IP address. What that command does is accept requests from your local machine on port 9999 and hand them off to your server at example.com for processing.

When you execute either of those commands, you’ll be prompted for your password. After you authenticate, nothing will happen. The -N tells ssh not to open an interactive prompt, so it will just hang there, waiting. That’s exactly what you want.

Set Firefox to use SOCKS proxy

Once your proxy’s up and running, configure Firefox to use it. From Firefox’s Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to “Configure how Firefox connects to the Internet” hit the “Settings” button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999).

Save those settings and hit up a web page. When it loads, visit http://www.ipchicken.com to see if it’s using your remote SSH server to tunnel traffic. If you are, GOLDEN!

If you feel there’s something I’ve missed, hit me up here (http://www.mattlestock.com)

PS: Remember that you’ll need to open your firewall a bit by cracking open port 9999 on your local machine and port 22 on your server for SSH.
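For those who want to see what Firefox and the local ssh listener actually say to each other on port 9999, here is the client side of that SOCKS5 exchange. This is an added example, not code from the post; the byte layouts follow RFC 1928, and the hostnames and ports used in it are constructed.

```python
"""Client side of the SOCKS5 exchange that Firefox has with the listener that
`ssh -ND 9999` opens on localhost (added example, not code from the post).
The byte layouts follow RFC 1928; the hostnames and ports are constructed."""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
NO_AUTH = 0x00       # ssh -D offers only this: the SSH login already authenticated you
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer a single method, no authentication."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def check_method_choice(reply: bytes) -> bool:
    """Server answers VER, METHOD; 0xFF means it accepts none of ours."""
    ver, method = struct.unpack("!BB", reply[:2])
    return ver == SOCKS_VERSION and method == NO_AUTH


def connect_request(host: str, port: int) -> bytes:
    """VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT with the hostname unresolved
    (ATYP 0x03): the ssh server does the DNS lookup, so the names you visit
    never cross the local wifi. Firefox needs network.proxy.socks_remote_dns
    for this; otherwise it resolves locally and sends ATYP 0x01."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(reply: bytes) -> Tuple[str, int]:
    """Return (BND.ADDR, BND.PORT); raise if the proxy could not connect."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", reply[:4])
    if ver != SOCKS_VERSION:
        raise ConnectionError("not a SOCKS5 reply: %r" % reply[:4])
    if rep != REP_SUCCEEDED:
        raise ConnectionError("proxy could not connect, REP=0x%02x" % rep)
    if atyp == ATYP_IPV4:
        addr, tail = socket.inet_ntoa(reply[4:8]), reply[8:10]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, tail = reply[5:5 + n].decode("idna"), reply[5 + n:7 + n]
    elif atyp == ATYP_IPV6:
        addr, tail = socket.inet_ntop(socket.AF_INET6, reply[4:20]), reply[20:22]
    else:
        raise ConnectionError("unknown address type 0x%02x" % atyp)
    return addr, struct.unpack("!H", tail)[0]


def open_via_tunnel(host: str, port: int, proxy=("127.0.0.1", 9999)) -> socket.socket:
    """Run the whole exchange against the local ssh listener and hand back a
    socket whose bytes now travel inside the SSH session."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    if not check_method_choice(s.recv(2)):
        s.close()
        raise ConnectionError("ssh listener rejected the SOCKS handshake")
    s.sendall(connect_request(host, port))
    parse_connect_reply(s.recv(262))  # longest possible reply: domain form
    return s
```

With the ssh command from the post running, open_via_tunnel("www.ipchicken.com", 80) returns a socket on which a plain HTTP request is carried inside the SSH session.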


Format your computer, and don’t worry about drivers!

by Matt on Dec.08, 2008, under Work Related

Hey guys, just a post here giving a little more info on what I talked about on episode 415 of Hak5.

After installing a fresh copy of your Windows OS of choice, the biggest headache for most of us is the arduous task of trying to locate drivers for all of our different components. So this post is all about making your reinstall a little less troublesome.

Here’s a list of some of the better driver backup utilities!

DriverBackup2 is a lightweight driver-backup tool. The application is portable with a caveat: you’ll need administrative privileges for full use. You can opt to backup one or all of your drivers, the backed up files are dumped into a tree structure based on driver name. DriverBackup2 also allows you to restore and delete unnecessary drivers. If you ever hunted for obscure drivers online, when installing legacy or obscure hardware for instance, DriverBackup2 will save you the hassle of searching them out again.

Double Driver lists all the hardware drivers installed on your system and creates backups of both the actual drivers and lists of the driver names. While handy with any computer, Double Driver really shines if you have a computer that came with pre-installed drivers that are hard if not impossible to come by. With a few clicks you’ll have those archaic laptop drivers backed up and ready to put back to work after a fresh install.

DriverMax allows you to easily reinstall all your Windows drivers. No more searching for rare drivers on discs or on the web or inserting one installation CD after the other. Simply export all your drivers (or just the ones that work ok) to a folder or a compressed file. After reinstalling Windows all drivers can be back in place in less than 5 minutes.

DriverView is a helpful upgrade from looking through devices individually in the Device Manager, but the real value here is in the list generation. Create an HTML-formatted backup list for your future troubleshooting needs, or export to text to show friends or forum members just what’s gone wrong. While it doesn’t actually back up drivers, if you’re still into doing things the old-fashioned way, DriverView is a great choice!

Now that we’ve got all of the corporate slogans and descriptions out of the way, my personal favorite is the first one we’ve talked about here. The interface is the least cluttered, and the process really couldn’t be any easier. For those of you who are looking to deploy driver backups in an automated fashion, there’s a built-in command-line builder! Like I said, I’ve personally used it and it really does make life a lot easier after a reinstall.

So check it out and if you have any questions, remember: matt@hak5.org – http://revision3.com/forum/  or http://forums.hak5.org

Till Next Week!
Trust Your Technolust


Hak5 Shownotes for Episode 414

by Matt on Dec.02, 2008, under Hak5

Hey guys, here’s my notes for the Webmin / Usermin segment I did on episode 414 of Hak5.

Talking about making your life easier if you’re a Linux system admin, I demonstrated the great and free tools Webmin and Usermin, available from http://webmin.com/

Here’s a great screenshot of visual iptables editing:

[Screenshot: IPTable Editor]

Installing the package is as easy as rpm -i webmin-1.441-1.noarch.rpm
Once installed, go to https://yourserver.com:10000 and log in with a user like root.
After you’ve logged in you can just start clicking through the menus and see what you can do with this great piece of software.

During the show I explained how to create custom commands and deploy them to users with the Usermin add-on (http://webmin.com/usermin.html).

If you have any questions, feel free to post a comment or send me an email: matt [at] hak5 [dot] org
