Wednesday, September 1, 2010

Apache rewrites

In the virtualhost

<VirtualHost *:80>
ServerName domain1.com
ServerAlias *.domain1.com
DocumentRoot /path_to_documentroot
ErrorDocument 404 /path_to_documentroot
ErrorDocument 403 /path_to_documentroot
RewriteEngine on
# This one only redirects the page itself, not subdirectories:
RedirectMatch 301 ^/$ http://www.domain2.com
# This one redirects the main page and all subpages:
##RedirectMatch 301 ^(.*)$ http://www.domain2.com
ErrorLog logs/domain1.com_error_log
CustomLog logs/domain1.com_log common
AddType application/x-httpd-php .php .php4 .php3 .phtml .htm .html .cmh
</VirtualHost>

In .htaccess

Options +FollowSymLinks
RewriteEngine On

RewriteCond %{REQUEST_URI} ^/subdirectory1/(.*)$
RewriteRule ^(.*)  http://www.domain2.com/subdirectorynew [R=301,L]

RewriteCond %{REQUEST_URI} ^/subdirectory2/(.*)$
RewriteRule ^(.*)  http://www.domain2.com/subdirectorynew [R=301,L]
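A quick way to confirm the rules above behave as intended once deployed. This is an added example, not part of the original post; it assumes curl is installed and that domain1.com resolves to the server being tested.

```shell
#!/bin/sh
# Verify the redirects from the vhost and .htaccess above. check_redirect
# reads raw HTTP response headers on stdin and returns 0 only for a 301
# whose Location header is exactly the expected target.
check_redirect() {
    expected=$1
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1) == "location:" {print $2; exit}')
    [ "$status" = "301" ] && [ "$location" = "$expected" ]
}

# Fetch only the headers for a URL and hand them to check_redirect.
probe() {
    url=$1
    expected=$2
    if curl -sI "$url" | check_redirect "$expected"; then
        echo "OK   $url -> $expected"
    else
        echo "FAIL $url (expected 301 to $expected)"
        return 1
    fi
}

# The ^/$ rule covers only the front page; the two .htaccess rules cover
# their subdirectories. Hostnames here are the placeholders from the post.
run_checks() {
    probe http://domain1.com/ http://www.domain2.com
    probe http://domain1.com/subdirectory1/page http://www.domain2.com/subdirectorynew
    probe http://domain1.com/subdirectory2/ http://www.domain2.com/subdirectorynew
}

[ "${1:-}" = "--run" ] && run_checks
```

Run it as `sh check_redirects.sh --run`; each line reports OK or FAIL for one rule.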

Friday, February 12, 2010

Fixing Exchange 2003 Permissions/Activesync

Part 1:

Method 2: Use Adsutil.vbs

  1. Back up your IIS Metabase. To do this, follow these steps:
     a. Start IIS Manager.
     b. Right-click Default Web Site, point to All Tasks, and then click Save Configuration to a File.

  2. Delete the virtual directories for Outlook Web Access. To do this, right-click Exadmin in the left pane of IIS Manager, and then click Delete. Click Yes when you are prompted with the question of whether you want to delete this item.

     Repeat this step for the following virtual directories:
     a. Exchange
     b. ExchWeb
     c. Microsoft-Server-ActiveSync
     d. OMA
     e. Public

  3. Quit IIS Manager.

  4. Click Start, click Run, type cmd, and then press ENTER.

  5. Change to the following folder. In this example, Drive is the hard disk drive where Windows is installed:

     Drive:\inetpub\adminscripts

  6. Type adsutil, and then press ENTER.

     Important: By default, CScript is not the default scripting host for Windows Server 2003. To run the adsutil command, CScript must be configured as the default scripting host. To do this, click Yes if you are prompted to register CScript as your default host for VBScript, and then click OK.

     Note: If you receive a list of adsutil command options, CScript is already configured as the default scripting host for VBScript.

  7. Type adsutil delete ds2mb, and then press ENTER.

     Note: To set the default scripting host to WScript, type WScript //H:WScript at the command prompt, press ENTER, and then click OK.

  8. Click Start, point to All Programs, point to Administrative Tools, and then click Services.

  9. To restart the Microsoft Exchange System Attendant service, follow these steps:
     a. Click Start, click Run, type services.msc, and then click OK.
     b. Right-click Microsoft Exchange System Attendant, and then click Restart.
     c. When you are prompted to restart the dependent Exchange Server services, click Yes.

     Note: When you restart the Microsoft Exchange System Attendant service, the Microsoft Exchange Information Store service is also restarted. In this scenario, your Exchange Server users lose connectivity to their Exchange Server mailboxes.

     The virtual directories are re-created. To verify that the virtual directories are re-created, start IIS Manager, and then view the Default Web Site folder.

     Important: If the virtual directories are not re-created after 15 minutes, restart the computer.

  10. Reset the access permissions to Anonymous. To do this, follow these steps:
     a. Start IIS Manager, right-click ExchWeb, click Properties, and then click the Directory Security tab.
     b. Under Authentication and access control, click Edit, and then verify that the Enable anonymous access check box is selected.
     c. Click to select the Integrated Windows authentication check box, click OK, and then click Apply.
     d. If an Inheritance Overrides dialog box appears, click Select All, and then click OK.
     e. Under Authentication and access control, click Edit, and then click to clear the Integrated Windows authentication check box.
     f. Click OK two times, and then quit IIS Manager.


Use a Web browser to verify that you can connect to your Outlook Web Access server. If you are also running other mobility services, verify that you can connect to these services by using an appropriate client.

Part 2:

Add/modify a registry value to point to the exchange-oma virtual directory
1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

3. In the right pane, make sure ExchangeVDir points to /exchange-oma. If the value of ExchangeVDir is ExchDAV, you should change it to /exchange-oma.

Note: ExchangeVDir and exchange-oma are case sensitive. In the Value data box, you must enter a forward slash (/) followed by exchange-oma. Click OK.

4. If ExchangeVDir does not exist, you need to create it. Right-click Parameters, point to New, and then click String Value. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.

5. Quit Registry Editor.
6. Restart the IIS Admin service. To do this, follow these steps:
a. Click Start, click Run, type services.msc, and then click OK.
b. In the list of services, right-click IIS Admin service, and then click Restart.


Part 3:

Creating a secondary virtual directory for ActiveSync and OMA access
1. Start Internet Information Services (IIS) Manager from Administrative Tools.
2. Locate the Exchange virtual directory, for example, Web Sites\Default Web Site\Exchange.
3. Right-click the Exchange folder, point to All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Point to New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import, click Exchange, and then click OK.

A dialog box appears stating that the virtual directory already exists.

8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. In our case, it is exchange-oma. Click OK.
9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.
12. Make sure that only the following authentication methods are enabled, and then click OK:
a. Integrated Windows authentication
b. Basic authentication
13. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
14. Click OK, and then close IIS Manager.

Tuesday, November 10, 2009

Backup/Restore MySQL Databases

BACKUP ALL DATABASES:

#!/bin/sh
#
# SCRIPT TO DUMP ALL THE DATABASES
#
PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/lib:/etc
export PATH

# Note: the root password embedded below is readable by anyone who can read
# this script and can show up (briefly) in the process list while the dump
# runs, so keep the script owned by root with mode 700.
/usr/bin/mysqldump -u root --password=<your mysql root password> --all-databases | gzip > /root/mysqlbackup/databasebackup.sql.gz

RESTORE ALL DATABASES:

gunzip < databasebackup.sql.gz | /usr/bin/mysql -u root -p

enter your root password when prompted
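The same backup and restore, reworked so the password is not on the command line and a truncated dump is not silently kept. This is an added example, not the post's script; the paths /root/mysqlbackup and /root/.my.cnf.backup are assumptions and can be overridden through BACKUP_DIR and CNF.

```shell
#!/bin/sh
# Full MySQL dump with three changes from the script above: the root
# password is read from an option file (--defaults-extra-file) instead of
# being passed as an argument, the dump file is dated so the previous one
# survives, and the restore decompresses the .gz before feeding it to mysql.
BACKUP_DIR=${BACKUP_DIR:-/root/mysqlbackup}
CNF=${CNF:-/root/.my.cnf.backup}

# Write a mysql option file holding the root password, readable only by its owner.
write_cnf() {
    ( umask 077; printf '[client]\nuser=root\npassword=%s\n' "$1" > "$CNF" ) \
        && chmod 600 "$CNF"
}

# Path of today's dump, e.g. /root/mysqlbackup/databasebackup-2010-09-01.sql.gz
backup_name() {
    echo "$BACKUP_DIR/databasebackup-$(date +%Y-%m-%d).sql.gz"
}

# Return 0 only if the compressed dump ends with mysqldump's completion
# marker; a dump cut short by an error or a full disk will not have it.
dump_ok() {
    gunzip -c "$1" | tail -n 1 | grep -q '^-- Dump completed'
}

# Dump every database to a temporary file, keep it only if it is complete.
# (The exit status of "mysqldump | gzip" is gzip's, so it cannot be trusted.)
backup_all() {
    out=$(backup_name)
    mkdir -p "$BACKUP_DIR" || return 1
    mysqldump --defaults-extra-file="$CNF" --all-databases | gzip > "$out.tmp"
    if dump_ok "$out.tmp"; then
        mv "$out.tmp" "$out"
    else
        rm -f "$out.tmp"
        return 1
    fi
}

# Restore from a compressed dump; mysql cannot read the gzipped file directly.
restore_all() {
    gunzip -c "$1" | mysql --defaults-extra-file="$CNF"
}
```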

Monday, August 24, 2009

US Debt Clock

WHY ARE WE STILL SPENDING MONEY WE DON'T HAVE????????


This is a view of the website US Debt Clock.org

Saturday, April 18, 2009

Rsync, scp, and ssh without passwords

A great writeup about this is here.
Whenever you need to use scp to copy files, it asks for passwords. Same with rsync as it (by default) uses ssh as well. Usually scp and rsync commands are used to transfer or backup files between known hosts or by the same user on both the hosts. It can get really annoying that the password is asked every time. I even had the idea of writing an expect script to provide the password. Of course, I didn’t. Instead I browsed for a solution and found it after quite some time. There are already a couple of links out there which talk about it. I am adding to it…

Let's say you want to copy between two hosts host_src and host_dest. host_src is the host where you would run the scp, ssh or rsync command, irrespective of the direction of the file copy!

1. On host_src, run this command as the user that runs scp/ssh/rsync

$ ssh-keygen -t rsa

This will prompt for a passphrase. Just press the enter key. It’ll then generate an identification (private key) and a public key. Do not ever share the private key with anyone! ssh-keygen shows where it saved the public key. This is by default ~/.ssh/id_rsa.pub:

Your public key has been saved in <your_home_dir>/.ssh/id_rsa.pub

2. Transfer the id_rsa.pub file to host_dest by either ftp, scp, rsync or any other method.

3. On host_dest, login as the remote user which you plan to use when you run scp, ssh or rsync on host_src.

4. Copy the contents of id_rsa.pub to ~/.ssh/authorized_keys

$ cat id_rsa.pub >>~/.ssh/authorized_keys
$ chmod 700 ~/.ssh/authorized_keys

5. If this file does not exist, the above command will create it. Make sure you remove permission for others to read this file. If it's a public key, why prevent others from reading this file? Probably, the owner of the key has distributed it to a few trusted users and has not placed any additional security measures to check if it's really a trusted user. Note that ssh by default does not allow root to log in. This has to be explicitly enabled on host_dest. This can be done by editing /etc/ssh/sshd_config and changing the option of PermitRootLogin from no to yes. Don’t forget to restart sshd so that it reads the modified config file. Do this only if you want to use the root login. Please note, there seems to be an exception to this addition if your system uses PAM for authentication, so test.

Well, that's it. Now you can run scp, ssh and rsync on host_src connecting to host_dest and it won’t prompt for the password. Note that this will still prompt for the password if you are running the commands on host_dest connecting to host_src. You can reverse the steps above (generate the public key on host_dest and copy it to host_src) and you have a two way setup ready!
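Steps 4 and 5 as a script for host_dest. This is an added example, not from the original post: it appends the key only if it is not already in authorized_keys (running the `cat >>` above twice leaves a duplicate line) and sets the permissions sshd expects, 700 on ~/.ssh and 600 on authorized_keys. The key file path is taken as the first argument; HOME can be pointed at a scratch directory for testing.

```shell
#!/bin/sh
# Install one public key into $HOME/.ssh/authorized_keys, idempotently.
# Returns 0 if the key was added, 2 if it was already present, 1 on error.
install_pubkey() {
    keyfile=$1
    sshdir="$HOME/.ssh"
    auth="$sshdir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; refuse anything else
    # so a private key or random file is never appended by mistake.
    key=$(head -n 1 "$keyfile") || return 1
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key: $keyfile" >&2; return 1 ;;
    esac
    # Compare only type and key material, so a changed comment is not a new key.
    keytype=$(echo "$key" | awk '{print $1}')
    keydata=$(echo "$key" | awk '{print $2}')

    # sshd refuses keys in a directory or file that others can write or read.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1

    if awk -v t="$keytype" -v d="$keydata" \
          '$1 == t && $2 == d {found=1} END {exit !found}' "$auth"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
}

# How many lines of authorized_keys carry the given key material.
count_key() {
    awk -v d="$1" '$2 == d' "$HOME/.ssh/authorized_keys" | wc -l | tr -d ' '
}
```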

Friday, April 10, 2009

Removing SSL Vulnerabilities on Webservers

A great website for reference is here.

IIS CONFIG

Create a sslvulnerabilityremoval.reg file with the following, merge it into the registry of the Windows Server (2003 in my case), and reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

APACHE CONFIG

Here's a basic setup in the httpd.conf file for Apache:

<VirtualHost *:443>
ServerName whatever.yourdomain.com
DocumentRoot "/export/web/html"
ErrorLog logs/whatever.yourdomain.com_error_log
CustomLog logs/whatever.yourdomain.com_access_log common

<Directory "/export/web/html">
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

SSLEngine on

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/httpd/conf/ssl/whatever.yourdomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/whatever.yourdomain.com.key
SSLCertificateChainFile /etc/httpd/conf/ssl/intermediate.crt

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

</VirtualHost>

TESTING

You should receive an error on each of these tests. If instead you receive a lot of information (certificate and session details), the server completed the handshake and you're vulnerable.

Testing for SSLv2 vulnerabilities

# openssl s_client -ssl2 -connect SERVERNAME:443

Testing for weak ciphers

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
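The two tests above, scripted so the result is decided from the handshake outcome rather than by eyeballing the output: a refused handshake prints "Cipher is (NONE)", a completed one names the negotiated cipher. This is an added example, not part of the original post; it assumes openssl is installed and that the build still understands the -ssl2 option (newer builds reject it, which the script reports separately).

```shell
#!/bin/sh
# Return 0 if the s_client output on stdin shows a completed handshake.
handshake_succeeded() {
    awk '/^New, / { if ($0 ~ /Cipher is \(NONE\)/) fail=1; else ok=1 }
         END { exit !(ok && !fail) }'
}

# Run s_client against host:443 with extra options (e.g. -ssl2 or
# -cipher LOW:EXP). Returns 0 if the handshake completed, 1 if it was
# refused, 3 if this openssl build does not support the option.
probe() {
    host=$1; shift
    out=$(openssl s_client -connect "$host:443" "$@" </dev/null 2>&1)
    case "$out" in
        *"unknown option"*|*"Unknown option"*) return 3 ;;
    esac
    printf '%s\n' "$out" | handshake_succeeded
}

# Describe one probe result in the terms the post uses.
verdict() {
    case "$1" in
        0) echo "accepted (vulnerable)" ;;
        1) echo "refused" ;;
        *) echo "not testable with this openssl build" ;;
    esac
}

# Run both tests from the post against a server name.
report() {
    host=$1
    probe "$host" -ssl2; echo "$host SSLv2: $(verdict $?)"
    probe "$host" -cipher LOW:EXP; echo "$host weak ciphers: $(verdict $?)"
}

[ -n "${1:-}" ] && report "$1"
```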

Tuesday, March 17, 2009

Apache 2.2 SSL Setup including redirect

Usually done in /etc/httpd/conf.d/ssl.conf

I comment out the virtual host in the above file and add the relevant data to my file.

NameVirtualHost 192.168.1.1:80
NameVirtualHost 192.168.1.1:443

<VirtualHost 192.168.1.1:80>
ServerName whatever.yoursite.com
DocumentRoot "/export/web/html"
ErrorLog logs/whatever.yoursite.com_error_log
CustomLog logs/whatever.yoursite.com_access_log common

Redirect / https://whatever.yoursite.com/

</VirtualHost>

<VirtualHost 192.168.1.1:443>
ServerName whatever.yoursite.com
DocumentRoot "/export/web/html"
ErrorLog logs/whatever.yoursite.com_error_log
CustomLog logs/whatever.yoursite.com_access_log common
##LogLevel debug
<Directory "/export/web/html">
Options FollowSymlinks
AllowOverride None
Order allow,deny
Allow from all
AuthName "LDAP Authorization"
AuthType Basic

### The next 2 lines are required in Apache 2.2
AuthBasicProvider ldap
AuthzLDAPAuthoritative off

AuthLDAPBindDN "ldapuser@ad_domain"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://AD_Domain_Controller/ou=Users,dc=yoursite,dc=com?sAMAccountName?sub"

### Either use valid-user or ldap-user
#require valid-user
require ldap-user user1 user2 user3 user4
require ldap-user user5 user6 user7 user8

satisfy all
</Directory>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/httpd/conf/ssl/yoursite.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/yoursite.com.key
SSLCertificateChainFile /etc/httpd/conf/ssl/bundle.crt

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

</VirtualHost>