Acronis Image Backup
TCP/UDP ports: 9876, 9877
Windows Shared Folders
TCP ports: 139, 445
UDP ports: 137, 138
Wednesday, July 30, 2014
Monday, July 28, 2014
Find files based on modified time
On Linux, ‘find’ offers many options for selecting files, including by modification, access or creation time. Windows has no built-in command of the same scope, but it does have forfiles, which can select files by their last-modified time (it cannot filter on creation or access time) and run a command on each match. Something is better than nothing; below is how to use it.
1. Find files not modified in the last 30 days
forfiles /P directory /S /D -30
The /D switch compares each file's last-modified date with a date. Given a number, -N means "on or before today minus N days", so /D -30 selects files that have not been modified in the last 30 days. /P gives the folder to search; /S makes the search recurse into all subfolders.
Get the list of files in the current folder tree that have not been modified in the last 3 days:
forfiles /S /D -3
Note that /P is omitted because we want to search from the current working directory.
Be careful with the opposite sign: /D +N means "on or after today plus N days", so forfiles /S /D +3 does not select files modified in the last 3 days; it only matches files whose timestamp lies at least 3 days in the future. On a normal file system it therefore prints the same message forfiles prints for any selection that matches nothing:
D:\>forfiles /S /D +3
ERROR: No files found with the specified search criteria.
2. Find files modified in the last month
forfiles has no relative "newer than N days" form, so pass the explicit date 30 days ago in MM/DD/YYYY form (the + sign means "on or after" that date):
forfiles /P directory /S /D +06/28/2014
(that is the command for a run on 28 July 2014; substitute the date for the day you run it).
3. Find files based on modification date
To find files modified on or after 1st August 2013, we can run the below command:
forfiles /P directory /S /D +08/01/2013
To find files modified on or before 20th August 2013:
forfiles /P directory /S /D -08/20/2013
Execute commands on the files selected
forfiles also has a counterpart to the -exec option of the Linux find command: the /C switch runs a command on each file in the set the selection returns.
The syntax of the command is
forfiles /D date /C "cmd /c command @file"
@file expands to the quoted file name and @path to the quoted full path; @path is the safer choice when the selection uses /S. It is worth running a selection with /C "cmd /c echo @path" first to confirm it matches exactly the files you expect before putting move or del in its place.
4: Move files to another folder based on modification time
Let's say we want to move the files that have not been modified in the last 3 days to another folder (D:\archiveDir). The command for this would be as below:
forfiles /S /D -3 /C "cmd /c move @path D:\archiveDir"
This command also processes files in subfolders; remove /S to restrict it to the files in the current folder. Note that files from every subfolder land in the one destination folder, so two files with the same name will collide.
5: Delete files in the current folder which have not been modified in the last 7 days
forfiles /D -7 /C "cmd /c del @path"
The /C switch is required before the command string. Do not write /D +7 for this: as explained above it matches only files dated 7 or more days in the future, so it would delete nothing. To delete files modified since a given date instead, use the explicit form /D +MM/DD/YYYY.
Be cautious while running these commands: verify that you are deleting the right set of files, for example by running the same selection with /C "cmd /c echo @path" first, otherwise the data lost may not be recoverable. Use these commands at your own risk.
To remove files from subfolders also:
forfiles /S /D -7 /C "cmd /c del @path"
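The same selections in PowerShell, as an added example that is not part of the original post: Get-ChildItem exposes LastWriteTime and CreationTime directly, so "within the last N days" needs no date arithmetic by hand, and Move-Item and Remove-Item accept -WhatIf for the dry run the warning above asks for. The search root, archive folder and 7-day cutoff are assumed values for illustration.

```powershell
# Added example (not from the original post): the same selections in PowerShell,
# which compares LastWriteTime directly, can also use CreationTime, and supports
# -WhatIf for a dry run. The search root, archive folder and 7-day cutoff are
# assumed values for illustration.
param(
    [string]$Path       = 'D:\data',
    [string]$ArchiveDir = 'D:\archiveDir',
    [int]   $Days       = 7
)

$cutoff = (Get-Date).AddDays(-$Days)

# Files modified within the last $Days days (the case forfiles cannot express
# relative to "now"; it needs an explicit /D +MM/DD/YYYY).
$recent = Get-ChildItem -Path $Path -File -Recurse |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# Files not modified in the last $Days days (the forfiles /D -N case).
$stale = Get-ChildItem -Path $Path -File -Recurse |
    Where-Object { $_.LastWriteTime -lt $cutoff }

"Modified in the last $Days days: $($recent.Count)"
$recent | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Dry run: -WhatIf lists what would be moved without touching anything.
$stale | Move-Item -Destination $ArchiveDir -WhatIf

# After checking that list, run the same pipeline without -WhatIf:
# $stale | Move-Item -Destination $ArchiveDir

# Deleting old files follows the same pattern; remove -WhatIf to execute.
$stale | Remove-Item -WhatIf

# Creation time, which forfiles cannot filter on, works the same way.
# (LastAccessTime is also available, but NTFS often does not update it.)
Get-ChildItem -Path $Path -File -Recurse |
    Where-Object { $_.CreationTime -ge $cutoff } |
    Select-Object FullName, CreationTime, LastAccessTime
```

The destination folder must already exist, and as with the forfiles version, files from different subfolders are moved into the one folder, so identical names collide; Move-Item reports those as errors rather than overwriting.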
http://www.windows-commandline.com/find-files-based-on-modified-time/
Sunday, July 27, 2014
How to change network type from public to private on Windows Server 2012
In Server Manager -> Local Servers -> Tools -> Local Security Policy -> Network List Manager Policies --- right click on Network 1 (the name found in "View your active networks"). Click on the "Network Location" tab and select a "Location type".
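The same change from PowerShell, as an added example that is not part of the original post; the NetConnection cmdlets exist on Server 2012 and later, and the interface alias "Ethernet" is an assumed value:

```powershell
# Added example (not from the original post). Assumes the interface alias
# 'Ethernet'; list the profiles first to find the right one.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Switch the network on that interface to Private. Only Public or Private can be
# set this way; DomainAuthenticated is chosen automatically when a DC is reachable.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# Verify: the firewall now applies its Private profile to this network.
Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Select-Object Name, NetworkCategory
```

Private selects the less restrictive firewall profile, so check which inbound rules are scoped to it before making the change on a server exposed to untrusted segments.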
Saturday, July 26, 2014
Install IPsec VPN for iPhone Android on pfSense 2.0
You can connect a number of devices to pfSense 2.0 using IPsec, most notably Android (Phones and Tablets) and iOS (iPhone, iPad, iPod Touch, etc) devices but anything that is capable of IPsec will typically work.
This document covers the most common setup for mobile devices, which is IPsec using Xauth and a mutual Pre-Shared Key.
This setup has been tested and working on Android 2.3.3 and iOS 4.3.5. Others may work as well, including the actual software Cisco client.
Mobile Clients
Go to VPN > IPsec > Mobile Clients
IKE Extensions: check "Enable IPsec Mobile Client Support".
User Authentication: select "Local Database".
Group Authentication: select "system".
Virtual Address Pool: check "Provide a virtual IP address to clients".
Virtual Address Pool: Network: "10.0.0.0" / 24
DNS Servers: check "Provide a DNS server list to clients".
DNS Servers: Server #1: 8.8.8.8.
DNS Servers: Server #2: 8.8.4.4.
Click on "Save" button.
Click on "Apply changes" button.
Next, Create phase1 if it doesn't exist.
Phase 1 settings
Interface: WAN.
Description: IPsecVPN.
Authentication method: Mutual PSK + Xauth.
Negotiation mode: aggressive.
My identifier: My IP address.
Peer identifier: Distinguished name: MY_VPN_GROUP_NAME.
Pre-Shared Key: MY_VPN_PRE_SHARED_KEY.
Policy Generation: default.
Proposal Checking: Obey.
Encryption algorithm: AES 128 bits.
Hash algorithm: SHA1.
DH key group: 2.
Lifetime: 28800.
NAT Traversal: Force.
Note: Some have had more success with the following settings:
Policy Generation: Unique.
Proposal Checking: Strict.
NAT Traversal: Force.
Security note: the built-in iOS and Android clients need aggressive mode with one group pre-shared key shared by every user. In aggressive mode the identity and the PSK-derived authentication hash are sent before the exchange is encrypted, so anyone who captures a single connection attempt can brute-force the PSK offline. Use a long, random pre-shared key, change it when a user leaves, and prefer a DH group above 2 and a hash stronger than SHA1 where the clients support them.
Phase 2 settings
Mode: Tunnel.
Local Network: Network
Local Network: 10.0.0.0 / 24
Protocol: ESP
Encryption algorithms: check "AES 128 bits" only.
Hash algorithms: check "SHA1" only.
PFS key group: off.
Lifetime: 28800 seconds.
Click on "Save" button.
Click on "Apply changes" button.
Enable IPsec
VPN > Tunnels tab:
Check "Enable IPsec".
Create a IPsecVPN group with a privilege
Go to System > User Manager > Groups tab > Add a new group:
Group Name: IPsecVPN.
Description: IPsecVPN.
Click on "Save" Button. Then, edit the "IPsecVPN " group we just created again:
At the Assigned Privileges section, click on the "Add" button: select "User - VPN - IPsec xauth Dialin".
Click on "Save" Button.
User Settings - create a new user
Go to System > User Manager > Users tab > Add a new user:
Username: MyName_iphone
Password: ********
Group Memberships: IPsecVPN.
Click on "Save" Button.
Make sure the "Effective Privileges" field: Inherited from "IPSecVPN" has been set after saved.
Firewall Rule - allow VPN clients to connect to WAN interface:
Go to Firewall > Rules > WAN tab > Add new rule:
Interface: WAN.
Protocol: ESP.
Source Address: any
Destination: type "WAN net" (or "WAN address" depends on your situation)
Description: IPsecVPN
Click on "Save" button.
Click on "Apply changes" button.
Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address" depends on your situation)
Destination port range: ISAKMP (500)
Description: IPsecVPN
Click on "Save" button.
Click on "Apply changes" button.
Interface: WAN.
Protocol: TCP/UDP.
Source Address: any
Destination: type "WAN net" (or "WAN address" depends on your situation)
Destination port range: IPsec NAT-T (4500)
Description: IPsecVPN
Click on "Save" button.
Click on "Apply changes" button.
Firewall Rule - disable VPN clients access to LAN network:
Go to Firewall > Rules > IPsec tab > Add new rule:
(pfSense evaluates rules top-down and the first match wins, so a pass rule whose destination is "not WAN net" also matches LAN destinations. To actually keep VPN clients off the LAN, place the rule that excludes 192.168.0.0/16 first, or make it the only pass rule on the IPsec tab.)
Interface: IPsec.
Protocol: any.
Source Address: 10.0.0.0 / 24
Destination: check "not".
Destination: type "WAN net" (or "WAN address" depends on your situation)
Click on "Save" button.
Click on "Apply changes" button.
Interface: IPsec.
Protocol: any.
Source Address: 10.0.0.0 / 24
Destination: check "not".
Destination: type "Network"
Destination: Address "192.168.0.0 / 16" (we don't want VPN clients to access LAN subnet).
Click on "Save" button.
Click on "Apply changes" button.
Firewall Rule - NAT Outbound:
Go to Firewall > NAT > Outbound tab:
Click on "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" > click on "Save" button. Some rules will be set automatically.
Add a new mapping rule:
Interface: WAN.
Protocol: any.
Source: type "network".
Source: address "10.0.0.0 / 24".
Destination: check "not".
Destination: type "Network"
Destination: Address "192.168.0.0 / 16" (we don't want VPN clients to access LAN subnet).
Click on "Save" button.
Click on "Apply changes" button.
Device Setup (iOS)
Go to iPhone > Settings > General > Network > VPN
Add VPN Configuration
Click IPsec
Description: whatever you want
Server: IP of the server
Account: your xauth username
Password: your xauth password (or leave blank to be prompted every time)
Group Name: MY_VPN_GROUP_NAME
Secret: MY_VPN_PRE_SHARED_KEY
Device Setup (Android)
NOTE: These settings are not present on all Android devices. See Android VPN Connectivity for more info.
Settings, Networks & Wireless, VPN Settings, Advanced IPsec VPNs
From there, press the menu button, then add.
Connection Template: PSK v1 (AES, xauth, aggressive)
VPN Name: whatever you want
VPN Server: IP of the server
The phone forces the keyboard to numbers, not sure if a hostname is supported.
Pre-Shared Key Type: text
Pre-Shared Key: PSK from the Phase 1 above
Identity Type: User FQDN
Identity: vpnusers@example.com (the identity type and value must match the Peer identifier configured in Phase 1 above; a User FQDN corresponds to pfSense's "User distinguished name")
Username: your xauth username
Password: your xauth password
Internal Subnet IP: Whatever subnet(s) you specified in p2 above.
Finish
Troubleshooting
By default iOS will tunnel all traffic over the VPN, including traffic going to the Internet. If you are unable to access Internet sites once connected, you may need to push a DNS server to the client for it to use, such as the LAN IP address of your firewall if you have the DNS forwarder enabled, or a public DNS server such as 8.8.8.8/8.8.4.4.
The reason for the above is that your 3G provider is likely giving your mobile devices DNS servers that are only accessible from their network. Once you connect to the VPN the DNS servers are now being accessed via the VPN instead of the 3G network, and the queries are likely to be dropped. Supplying a local/public DNS server will work around that.
Reference:
http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
Friday, July 25, 2014
iSCSI storage
iSCSI
In computing, iSCSI (/aɪˈskʌzi/ eye-skuz-ee) is an acronym for Internet Small Computer System Interface, an Internet Protocol (IP)-based storage networking standard for linking data storage facilities. It carries SCSI commands over TCP (port 3260 by default), so a target is reachable by anything that can route to that port; keep it on a dedicated storage network or VLAN.
http://en.wikipedia.org/wiki/ISCSI
Internet Fibre Channel Protocol
Internet Fibre Channel Protocol (iFCP) is a gateway-to-gateway network protocol standard, officially ratified by the Internet Engineering Task Force, which provides Fibre Channel fabric functionality to Fibre Channel devices over an IP network. Fibre Channel links currently come in 1, 2, 4, 8 and 10 Gbit/s variants.
http://en.wikipedia.org/wiki/Internet_Fibre_Channel_Protocol
Fibre Channel over IP
Fibre Channel over IP (FCIP or FC/IP, also known as Fibre Channel tunneling or storage tunneling) is an Internet Protocol (IP) created by the Internet Engineering Task Force (IETF) for storage technology.
http://en.wikipedia.org/wiki/FCIP
Fibre Channel over Ethernet
Fibre Channel over Ethernet (FCoE) is a computer network technology that encapsulates Fibre Channel frames over Ethernet networks. This allows Fibre Channel to use 10 Gigabit Ethernet networks (or higher speeds) while preserving the Fibre Channel protocol.
http://en.wikipedia.org/wiki/FCoE
Thursday, July 24, 2014
execute mysql query statement through command line
mysql -u root -p -e "show databases;"
or, reading the credentials from an options file instead of typing them:
mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_test -N -B -e "show databases;"
-e runs the statement and exits. --defaults-file makes mysql read only that options file, and --defaults-group-suffix=_test makes it also read the groups with that suffix (for example [client_test] and [mysql_test] in addition to [client] and [mysql]), which is a convenient way to keep separate credentials for several servers in one file. Keep the file mode 0600: a password given as -pPASSWORD on the command line shows up in the process list and in shell history, an options file does not. -N suppresses the column headers and -B (batch mode) prints tab-separated rows without table borders, so the output is easy to consume from a script.
WMIC: the best command line tool you've never used
Some people say command line tools are obsolete, out of date, no longer necessary when you can “point and click”, instead.
But the reality is very different. Every version of Windows sees the command line given new powers and abilities, and if you don’t explore these then you really are missing out.
WMIC
Take the WMIC command, for instance. It has astonishing scope and a huge set of features: the program can return useful information about your system, control running programs, and generally manage just about every aspect of your PC, all from the command line or a convenient shortcut.
How might this work? Let’s suppose you need to know the model of motherboard used in your PC. You could poke around in a system information program, but it’s easier to open a command window (elevated, on Windows Vista or 7 – click Start, type CMD, right-click the link to cmd.exe and select Run As Administrator) and enter the command
wmic baseboard get product,manufacturer
WMIC will then give you the answer right away.
Or maybe you’re wondering if your BIOS needs an update. How old is it, anyway? Restart your PC and one of the boot-time messages might give you a date, but again it’s easier to enter something like
wmic bios get name
and let WMIC tell you more.
System Information
The program can also provide details on many other aspects of your system. Commands like
wmic product list brief
wmic service list brief
wmic process list brief
wmic startup list brief
will list your installed software, services, running processes and Windows startup programs, for instance.
Obviously these details can be found elsewhere, but one advantage of WMIC is that it can save its output for reference later. Use the command
wmic service get /format:hform > c:\folder\services.html
and WMIC will create a formatted HTML page detailing your running services (replace “C:\folder” with an appropriate path for your system). If you have PC problems a few months later you can then look back at this record and see what’s changed.
Uninstall automatically
WMIC isn’t just about reporting on system information, though. Use the appropriate CALL command and it can also carry out a variety of useful maintenance tasks.
Do you regularly have to uninstall and reinstall particular programs, for instance? Doing this manually via Control Panel is tedious, but WMIC can automatically uninstall many applications with a single command. To see how, enter
wmic product get name
and look for the name of the program you’d like to remove. Then enter the name as it appears in that list, in a second command, like this
wmic product where name="windows live writer" call uninstall
And your specified program will be uninstalled automatically, without you even seeing the uninstall program. (Which is convenient, but also risky as there probably will be no chance to cancel your action – so use this with extreme care.)
Process management
WMIC can, say, also close all the instances of a particular program. So if you want to shut down all Internet Explorer windows, for instance, then the command
wmic process where name="iexplore.exe" call terminate
would do the trick, closing every instance immediately. (Though again, beware, programs closed in this way probably won’t prompt you to save files you’re working on, so use the command carelessly and data may be lost.)
Or maybe you’d prefer to optimise your system by setting your process CPU priorities? WMIC can handle that, too. Entering
wmic process where name="notepad.exe" call setpriority 64
will set every running Notepad process to the Idle priority, for instance (see MSDN for the numbers to use to set other priorities).
And this is still barely scratching the surface. WMIC can also give you useful information about your PCs user accounts, change the Start mode of particular services, retrieve useful information from your event logs, change a static IP address, reboot or shut down a PC, and a whole lot more.
And best of all, you can even apply the commands to a remote system by applying the NODE switch and a network name, like
wmic /node:steve-pc service list brief
There’s a huge amount of power on offer here, then. See the Tech-Wreck InfoSec Blog for more great WMIC examples, then open a command window and try a few for yourself.
===
Spot Odd Executables - wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
Look at services that are set to start automatically - wmic SERVICE WHERE StartMode="Auto" GET Name, State
Find user-created shares (usually not hidden) - wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
Find stuff that starts on boot - wmic STARTUP GET Caption, Command, User
Identify any local system accounts that are enabled (guest, etc.) - wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
Change Start Mode of Service - wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
Number of Logons Per USERID - wmic netlogin where (name like "%skodo") get numberoflogons
Obtain a Certain Kind of Event from Eventlog - wmic ntevent where (message like "%logon%") list brief
Clear the Eventlog (Security example) - wmic nteventlog where (description like "%secevent%") call cleareventlog (note that clearing the Security log is itself recorded as event ID 1102, "The audit log was cleared", so it is an anti-forensic action defenders specifically look for)
Get Mac Address - wmic nic get macaddress
Reboot or Shutdown - wmic os where buildnumber="2600" call reboot
Update static IP address - wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")
Change network gateway - wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)
Enable DHCP - wmic nicconfig where index=9 call enabledhcp
Service Management - wmic service where caption="DHCP Client" call changestartmode "Disabled"
Start an Application - wmic process call create "calc.exe"
Terminate an Application - wmic process where name="calc.exe" call terminate
Change Process Priority - wmic process where name="explorer.exe" call setpriority 64
Get List of Process Identifiers - wmic process where (Name='svchost.exe') get name,processid
Information About Harddrives - wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Information about os - wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm
Information about files - wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt
Process list - wmic process get /format:htable > c:\process.htm
Retrieve list of warning and error events not from system or security logs - WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":"datatype=number":"sortby=EventType" > c:\appevent.htm
Total Hard Drive Space Check - wmic LOGICALDISK LIST BRIEF
Get Running Services Information - wmic service where (state="running") get caption, name, startmode, state
Get Startmode of Services - Wmic service get caption, name, startmode, state
Get Domain Names And When Account PWD set to Expire - WMIC UserAccount GET name,PasswordExpires /Value
Get Hotfix and Security Patch Information - WMIC QFE GET /format:CSV >QFE.CSV
Get Startup List - wmic startup list full
Find a specific Process - wmic process list brief | find "cmd.exe"
Get List of IP Interfaces - wmic nicconfig where IPEnabled='true'
Change IP Address - wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
OS/System Report HTML Formatted - wmic /output:c:\os.html os get /format:hform
Products/Programs Installed Report HTML Formatted - wmic /output:c:\product.html product get /format:hform
Services Report on a Remote Machine HTML Formatted - wmic /output:c:\services.htm /node:server1 service list full /format:htable
Turn on Remote Desktop Remotely! - wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
Get Server Drive Space Usage Remotely (body of a batch "for" loop, hence %%A) - WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
Get PC Serial Number - wmic /node:"HOST" bios get serialnumber
Get PC Product Number - wmic /node:"HOST" baseboard get product
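The triage checks from the list above (odd executables, auto-start services, user-created shares, startup entries, enabled local accounts, hotfixes) rewritten with the CIM cmdlets, as an added example that is not from the original article or the Tech-Wreck list. The CIM cmdlets query the same WMI classes wmic does and are the supported replacement for wmic.exe; the script is read-only, and the remote-host option assumes the target has WinRM enabled.

```powershell
# Added example (not from the original article or the Tech-Wreck list): the same
# host-triage checks written with the CIM cmdlets, which are the supported
# replacement for wmic.exe. Read-only: nothing here changes the system.
# Assumed: a remote name is only used if you pass one, and that host has WinRM
# enabled (Enable-PSRemoting); with no name the queries run locally.
param(
    [string]$ComputerName = ''
)

$cim   = if ($ComputerName) { New-CimSession -ComputerName $ComputerName } else { New-CimSession }
$label = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

# Odd executables: running processes whose image is not under \Windows\.
# (wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath)
$oddProcs = Get-CimInstance -CimSession $cim -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notlike '*\Windows\*' } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# Auto-start services with the account they run as and the binary path,
# a common persistence location. (wmic SERVICE WHERE StartMode="Auto" ...)
$autoSvcs = Get-CimInstance -CimSession $cim -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Select-Object Name, State, StartName, PathName

# User-created shares: administrative shares end in '$', so drop those.
$shares = Get-CimInstance -CimSession $cim -ClassName Win32_Share |
    Where-Object { $_.Name -notlike '*$' } |
    Select-Object Name, Path, Description

# Startup entries (Run keys and Startup folders) and who they run as.
$startup = Get-CimInstance -CimSession $cim -ClassName Win32_StartupCommand |
    Select-Object Caption, Command, Location, User

# Enabled local accounts; Guest and other built-ins should normally be disabled.
# The LocalAccount filter keeps WMI from enumerating the whole domain.
$localAccts = Get-CimInstance -CimSession $cim -ClassName Win32_UserAccount `
        -Filter 'LocalAccount=TRUE AND Disabled=FALSE' |
    Select-Object Name, SID, PasswordRequired, PasswordExpires

# Installed hotfixes, for comparison against a patch baseline (wmic QFE).
$hotfixes = Get-CimInstance -CimSession $cim -ClassName Win32_QuickFixEngineering |
    Select-Object HotFixID, InstalledOn

Remove-CimSession $cim

# One HTML report per host, the wmic /format:hform idea, kept for later comparison.
$report = foreach ($section in 'oddProcs', 'autoSvcs', 'shares', 'startup', 'localAccts', 'hotfixes') {
    "<h2>$section</h2>"
    Get-Variable -Name $section -ValueOnly | ConvertTo-Html -Fragment
}
ConvertTo-Html -Title "Triage: $label" -Body ($report -join "`n") |
    Out-File -FilePath "$env:TEMP\triage-$label.html"

# Show the two tables most worth a first look.
$oddProcs   | Format-Table -AutoSize
$localAccts | Format-Table -AutoSize
```

Run it once on a known-good build and keep the HTML; a later run diffed against it is a quick way to spot a new auto-start service, share or enabled account, which is the same "what changed since" use the article describes for wmic's saved output.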
http://www.softwarecrew.com/2011/01/wmic-the-best-command-line-tool-youve-never-used/
http://tech-wreckblog.blogspot.ca/2009/11/wmic-command-line-kung-fu.html
Wednesday, July 23, 2014
Brother MFC 7460DN Printer
I have a Brother MFC-665W. It is on a LAN using DHCP. I want to scan, and when I push the Scan button the LCD on the printer says "Check Connection". I can print to the printer, copy, and fax from it, but it doesn't want to scan. I've tried to scan from a PC using the Control Center 3, but when I try a prescan it gives me a "Failed to Connect to device" message. I've also tried setting a static IP and clearing memory by unplugging the power, pressing and holding the red Stop button while plugging the power back in, but I still have the same issue.
===
I think I solved the issue for scanning so far. Here's what you do: go to Control Panel -> Scanners and Cameras. Then right-click into Properties, then check "Specify your machine by address". It should already have the printer IP address listed in the box below. If not, you can go to your router and see the IP in the DHCP Client List.
After this I'm able to use the Control Center 3 scanning.
I think the problem was the NODE name list in the setting in my winxp pro does not match the actual NODE name the printer is using.
===
http://www.brother-usa.com/FAQs/Solution.aspx?FAQID=200000032111&Model=1930&ProductID=MFC7240&Keyword=#.U9AMQ_ldUVe
http://www.fixya.com/support/t1251894-mfc_665cw_scanner_keeps_saying
Monday, July 21, 2014
NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host
Domain sid inconsistent
Solution:
c:\windows\system32\sysprep\sysprep.exe
- Select "Enter System Out-of-Box Experience (OOBE)"
- Check "Generalize"
Generalize regenerates the machine SID, which is what fixes the duplicate SID left by cloning. It also removes the server from the domain, so re-join it after the reboot, and Windows may need to be re-activated.
Saturday, July 19, 2014
The server was unable to allocate from the system nonpaged pool because the server has reached the configured limit for nonpaged pool allocations
Problem:
After several days of backing up clients to a windows 7 machine acting as a BDR, the clients are no longer able to connect. Rebooting the BDR resolves the issue for a few days.
Looking in the System Event viewer the following entry will be shown.
Error 2017
"The server was unable to allocate from the system nonpaged pool because the server has reached the configured limit for nonpaged pool allocations."
Cause:
Windows 7 is not designed to handle the large traffic generated by backing up multiple clients.
Resolution:
The following registry values can be adjusted to help Windows 7 manage the high traffic.
Set the following value to 1 (default value is 0):
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
Set the following value to 3 (default value is 1):
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size
A restart is required after making the changes.
Windows 7 should not be used as a backup destination. Windows 7 is a workstation OS and not intended by Microsoft to be used as a file server.
http://www.storagecraft.com/support/kb/article/131
Acronis Advanced Backup TIB, XML and Catalog files
Catalog contains catalog (that you can see on the 'data view' tab). Without it you can use 'archive view' instead. It will be regenerated on the next backup or manually by 'catalog now' function.
Without xml files archives are restorable, too, however xml files will be regenerated automatically during restore and will not contain some information from the original files. For example, if an archive contains several full backups, a new xml file will be generated for each chain of full and dependent backups. The archive name will be changed to something like Archive_2013_01_20_ ... (i.e. original name + date). If you need to continue backing up to the archive, xml files must not be deleted.
https://forum.acronis.com/forum/40532
Thursday, July 17, 2014
Static NFS mounts vs autofs direct map mounts
Do you use static nfs mounts or automount? If you use automount, the mount needs to get re-established if not accessed for a while, thus delaying the first page load.
===
It's actually hard to argue one way or the other. The only item I can point out (happened to me) is that if you are using static mounts as in fstab and someone/thing makes an error the system may not boot and you'll have to go into rescue mode to get the system back online. That won't happen when using autofs.
http://drupal.stackexchange.com/questions/97705/drupal-files-on-nfs-performance-degredation
http://serverfault.com/questions/596621/static-nfs-mounts-vs-autofs-direct-map-mounts
How to mount SMB CIFS Windows shared folder under FreeBSD
This document provides help on mounting SMB/CIFS shares under FreeBSD Operating System.
The mount_smbfs command mounts a share from a remote server using the SMB/CIFS protocol. You can mount the mySharedFolder share using the following syntax:
mount_smbfs -I 192.168.1.1 //myUser@serverName/mySharedFolder /mnt/mySharedFolder
Where,
192.168.1.1 is the IP address of the remote computer.
myUser is your user name.
serverName is NETBIOS Server Name.
mySharedFolder is CIFS share name.
/mnt/mySharedFolder is the local mount point directory.
You will be prompted for your password. Once the share is mounted you can change to the directory and view its contents with the cd and ls commands:
cd /mnt/mySharedFolder
ls -la
To avoid the password prompt, create a .nsmbrc file in your home directory:
vi ~/.nsmbrc
Set username and password as follows:
[SERVERNAME:MYUSER]
password=myPassword
Note: Both the hostname and the username need to be in uppercase.
Now mount mySharedFolder as follows:
mount_smbfs -N -I 192.168.1.1 //myUser@serverName/mySharedFolder /mnt/mySharedFolder
The -N option makes mount_smbfs take the password from the ~/.nsmbrc file instead of prompting. At run time, mount_smbfs reads ~/.nsmbrc for additional configuration parameters and a password; if no password is found, it prompts for one. You need the -N option when calling mount_smbfs from a shell script.
mount_smbfs does not make the mount permanent. If the FreeBSD system is rebooted, you will have to mount the share again. To have the mount occur each time the FreeBSD system starts, put an entry in your /etc/fstab file. An example entry looks like this:
//myUser@serverName/mySharedFolder /mnt/mySharedFolder smbfs rw,-N,-I192.168.1.1 0 0
Next, you have to add the username and password to /etc/nsmb.conf:
[SERVERNAME:MYUSER]
password=myPassword
http://blog.up-link.ro/freebsd-how-to-mount-smb-cifs-shares-under-freebsd/
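The non-interactive mount described above depends on ~/.nsmbrc, which stores the share password in clear text and must use an uppercase [SERVER:USER] section. The following is an added example (not from the linked article) that builds that file with owner-only permissions, generates the matching /etc/fstab entry, and refuses to mount if the credential file is readable by others; the server, user and password values are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example: manage the ~/.nsmbrc credential file that mount_smbfs -N reads.
# Assumed: server, user and password are supplied by the caller; the target
# file defaults to ~/.nsmbrc but can be overridden (used by the test below).

# nsmbrc_section SERVER USER -> "[SERVER:USER]" in uppercase, as mount_smbfs expects
nsmbrc_section() {
    printf '[%s:%s]\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" \
                       "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# write_nsmbrc SERVER USER PASSWORD [FILE]
# Creates FILE (default ~/.nsmbrc) with mode 0600 and one credential section.
write_nsmbrc() {
    server=$1; user=$2; pass=$3; file=${4:-"$HOME/.nsmbrc"}
    (
        umask 077                              # subshell: the file is created owner-only
        : > "$file" && chmod 600 "$file" || exit 1
        {
            nsmbrc_section "$server" "$user"
            printf 'password=%s\n' "$pass"
        } > "$file"
    )
}

# nsmbrc_private FILE -> 0 if FILE exists and group/others have no access bits
nsmbrc_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# fstab_line SERVER USER SHARE MOUNTPOINT IP -> the /etc/fstab entry from the article
fstab_line() {
    printf '//%s@%s/%s %s smbfs rw,-N,-I%s 0 0\n' "$2" "$1" "$3" "$4" "$5"
}

# mount_share SERVER USER SHARE MOUNTPOINT IP: non-interactive mount that refuses
# to run while the password file is readable by other local users.
mount_share() {
    nsmbrc_private "$HOME/.nsmbrc" || { echo "refusing: ~/.nsmbrc is too open" >&2; return 1; }
    mount_smbfs -N -I "$5" "//$2@$1/$3" "$4"
}
```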
Wednesday, July 16, 2014
The most important thing in life: when you are rolling around in bed every morning, ask yourself these 3 questions!
Compiled and translated by 王紫炘
From the moment you open your eyes in the morning until you get up to brush your teeth and wash your face, what goes through your mind? "Why is it light already? I haven't had enough sleep," or "I have so much to do today... when will it ever end?" In fact, what you think about in the morning determines the attitude with which you greet the brand-new day.
You probably don't want your day to be shaped by the negative thoughts you wake up with. For example: "I haven't slept enough, just let me sleep ten more minutes." As you can imagine, that day is likely to be spent procrastinating and running late.
Matthew Toren, a columnist for Entrepreneur, suggests a practice for daily life: during the most powerful hours of the morning, ask yourself some bold, optimistic questions so that you approach the day's work with an entrepreneur's mindset and perspective. He suggests starting with these three questions:
1. Who can I help today?
The ancient Greek philosopher Plato has a famous saying: "Be kind, for everyone you meet is fighting a hard battle."
If you open the day with the thought "I can give; I have the capacity to contribute," then our existence and the things we are doing immediately take on meaning and provide value. So take a moment to think about whom you will help today, and what opportunities the day offers to help others. This will undoubtedly make your day richer and better.
2. How can I become better today?
Rakuten founder Hiroshi Mikitani once said: "Improve 1% every day and you will be 37 times stronger in a year." As for what to improve, and whether to think of the change as big and far-reaching or small and specific, that is entirely up to you. As long as you can turn the idea into concrete positive action and make today a little better than yesterday, that is enough.
For example, you know you need to exercise to stay healthy, but you often find excuses to skip the gym? Then make up your mind to go to the gym today. Or you lost your temper at someone in front of colleagues and think you should have handled it better? Then, with some understanding for that person, get a little closer to them and apologize for your bad temper.
Why do this? Because success usually doesn't happen overnight; you can't quickly become an outstanding leader or entrepreneur. So what you can do is keep improving and getting better, keep accumulating wisdom, so that in the future you are able to make bigger commitments.
3. How will I create value today?
This may seem similar to the first question, "Who can I help today?", but here we can think about how to create value in our work. How can your work make other people happier and better off?
For example, if you work in a service industry, perhaps one more smile or a greeting can put the person you serve in a good mood for the whole day; if you are a programmer, fixing one more bug makes things smoother for your customers. The same goes for us editors: in order to share articles that help everyone, we think a little harder about what problems today's managers most urgently need to solve, and how to present them so that everyone can understand more easily.
Whether it is a service, a product, or the good content we share, the "form" it takes doesn't matter; what matters is the "value" in it. The value you actively create will ultimately be tightly linked to your goals and vision, making it easier to achieve the results you want.
http://www.managertoday.com.tw/?p=43187
mysql mysqldump read password login information from file for crontab
# vim ~/.my.cnf
[client]
host = hostname
port = 3306
user = root
password = mypassword
database = dbname
[mysqldump]
host = hostname
port = 3306
user = root
password = mypassword
database = dbname
Note:
The [client] option group is read by all client programs (including mysqldump, but not by mysqld).
The [mysqldump] option group is for "mysqldump" command only.
Make sure no other people can read .my.cnf file:
# chmod 400 ~/.my.cnf
Following two commands work:
# mysql --defaults-file=/root/.my.cnf
# mysqldump --defaults-file=/root/.my.cnf db_name > db_name.sql
or simply:
# mysql
# mysqldump db_name > db_name.sql
Multiple selection
# vim ~/.my.cnf
[client_conn1]
host = hostname1
port = 3306
user = root
password = mypassword
database = dbname1
[client_conn2]
host = hostname2
port = 3306
user = root
password = mypassword
database = dbname2
# mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_conn1
Note: group has to be preceded by 'client' to be read by mysql.
Note: it has to go after any [client] groups, otherwise it will be overridden.
Or set it as an alias command:
# vim ~/.cshrc
alias d1 'mysql --defaults-file=/root/.my.cnf --defaults-group-suffix=_conn1'
Unable to use key file "id_rsa" (OpenSSH SSH-2 private key)
You cannot use an "OpenSSH SSH2 private key" directly with pscp. Convert the private key file to PuTTY format (.ppk) using the PuTTYgen tool first.
cmd> pscp -i test.ppk MyName@192.168.1.3:/home/test/tmp/files.tar.xz .
SFTP server (SSH FTP server) on Windows
Bitvise SSH Server WinSSHD
http://www.bitvise.com/
Core FTP
http://www.coreftp.com/
VanDyke VShell
http://www.vandyke.com/products/vshell/index.html
Passwordless SSH login - ssh-keygen
Environment (Windows clients using PuTTY or PieTTY work too; explained later)
Computer A 192.168.1.1 - the host to be connected to
Computer B 192.168.1.2 - the host that connects to computer A over SSH
Xiaoming has a user account A_min on host A
and a user account B_min on host B
Environment setup - host A
# vi /etc/ssh/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no (set this only if you want to prevent users from logging in with a password)
# service sshd restart
Step 1 - generate a key pair on computer B with ssh-keygen
Computer B
[B_min@B電腦 ~]$ ssh-keygen -t rsa
(press Enter three times; do not set a passphrase)
Two files are generated in /home/B_min/.ssh/: id_rsa and id_rsa.pub
Step 2 - upload the id_rsa.pub generated on computer B to the ".ssh" directory under A_min's home directory on computer A (any method will do, as long as you get it there)
[B_min@B電腦 ~]$ cd ~/.ssh
[B_min@B電腦 .ssh]$ pwd
/home/B_min/.ssh
[B_min@B電腦 .ssh]$ scp id_rsa.pub A_min@192.168.1.1:~/
The key step 3: now work on host A, either over SSH or directly on host A, as you like!
Host A
[A_min@A電腦 ~]$ cd ~/.ssh
[A_min@A電腦 .ssh]$ cat ../id_rsa.pub >> authorized_keys2
[A_min@A電腦 .ssh]$ chmod 644 ~/.ssh/authorized_keys2
WARNING: There has been an SSH1 exploit and you should be using ssh2/DSA or ssh2/rsa keys. Such keys go into ~/.ssh/authorized_keys2 but are generated in a similar way. See about the exploit to learn more. (The old location was ~/.ssh/authorized_keys.)
Verification
[B_min@B電腦 ~]$ ssh A_min@192.168.1.1
Last login: Fri Feb 27 21:40:00 2009 from 192.168.1.2
Congratulations, you have logged in without a password
Windows client - if computer B is a Windows client...
Required tools: PuTTY, PuTTYgen (download)
How to generate the keys
Generate the keys with PuTTYgen
Generate > move the mouse around while the progress bar runs (quite fun XD) > key generation finished
Save Public Key > save → the id_rsa.pub from step 1
Save Private Key > save → the id_rsa from step 1
After that it is the same as step 2 onward: put id_rsa.pub into the A_min account on computer A... figure it out yourself
Connecting with PuTTY using the key
Very simple, only one setting is needed
Configuration screen > Connection > SSH > Auth
Put the path to the key in Private key file for authentication
Fill in the host IP and click Open
login as:A_min
Authenticating with public key "imported-openssh-key"
Which user you log in as depends on whose home directory you put id_rsa.pub in
Since in our example we put it in A_min's home, naturally we connect with the A_min account
=====================================================================
Reference:
http://www.freebsddiary.org/secure-file-copy.php
http://www.freebsddiary.org/rsync.php
http://www.freebsddiary.org/ssh-authorized-keys.php
http://slv922.pixnet.net/blog/post/26419814
=====================================================================
In a previous article, I showed you how to backup your mySQL database from one box to another. In this example I used ftp. I now know of a more secure method which is suitable for use across untrusted networks, particularly the internet. See also ssh - much more secure than telnet for a few more ways of copying files around.
How's it all done then?
It's all done with ssh (or more correctly, with OpenSSH). When I first tried this solution with ssh, I couldn't find a way to connect to the other box from within a script. I could see no way to securely supply the password. So I gave up. Then I posted a message to the freebsd questions mailing list and I found my answer. If you read man ssh, you'll find a section which talks about RSA based authentication. This allows one box to authenticate itself without having to supply a password, which is exactly what is needed in this situation.
What you'll need first
First, you'll need a login on both machines. And both machines will need to be running ssh (my preference is the OpenSSH implementation of ssh). I suggest you connect to both machines now, via ssh of course, and then continue with the rest of the article. I'll refer to one machine as the source machine. That's the box from which you wish to transfer files. I'll refer to the other machine as the destination machine, the box to which you wish to transfer files.
It's all about keys
WARNING: This section recommends using an empty passphrase, which is risky. If anyone obtains your private key, they will be able to login to any machine on which your public key is an authorized_key. The non-password authentication is done with keys. And it's done like this.
WARNING: There has been an SSH1 exploit and you should be using ssh2/DSA or ssh2/rsa keys. Such keys go into ~/.ssh/authorized_keys2 but are generated in a similar way. See about the exploit to learn more.
If you are doing a copy/paste with the public key, remember that authorized_keys contains only one key per line, although this line may be very long. You should now be able to connect from the source box to the destination box without a password. Like this:
ssh user@destination.box
If that doesn't work, then something is wrong. Check the above steps and try again. You should also read ssh - authorized keys and chmod to see how I later broke this solution by changing directory permissions.
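Step 3 of the guide above appends the public key with a bare cat >> and a chmod, and the section just above warns that authorized_keys holds exactly one key per line and that wrong directory permissions break the login. The following is an added example (not from either article) that installs a key with those checks: it accepts only a single well-formed OpenSSH public key line, refuses duplicates, and sets the permissions sshd insists on. It assumes the target file is the one named by AuthorizedKeysFile in sshd_config (authorized_keys in the configuration shown above); the key in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys with sanity checks.
# Assumed: AUTHORIZED_KEYS is the path sshd actually reads (AuthorizedKeysFile).

# valid_pubkey_line LINE -> 0 if LINE looks like one OpenSSH public key
# (key type, base64 blob, optional comment), 1 otherwise.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|ssh-dss) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the single key in PUBKEY_FILE to AUTHORIZED_KEYS. Fails if the key
# file is not exactly one valid line, or if the key is already authorized.
install_pubkey() {
    pub=$1; auth=$2
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected exactly one key line" >&2; return 2; }
    line=$(cat "$pub")
    valid_pubkey_line "$line" || { echo "not an OpenSSH public key line" >&2; return 3; }
    # compare only type+blob, so a different comment does not slip in a duplicate
    keyblob=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if [ -f "$auth" ] && cut -d' ' -f1,2 "$auth" | grep -Fxq "$keyblob"; then
        echo "key already authorized" >&2; return 4
    fi
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1   # sshd ignores keys in a group/world-writable ~/.ssh
    printf '%s\n' "$line" >> "$auth" && chmod 600 "$auth"
}

# count_keys AUTHORIZED_KEYS -> number of non-empty lines, i.e. number of keys
count_keys() {
    if [ -f "$1" ]; then grep -c . "$1" || true; else echo 0; fi
}
```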
How does this magic work?
ssh-keygen creates two keys, one public, one private. When you connect to the remote box, the ssh server on that box sends your ssh program a challenge in the form of a random number. This random number challenge is encrypted with the public key you placed on the destination box. The challenge can only be decrypted by the private key, which is on the source box. The ssh program decrypts this number and tells the server the answer. In this method, the client tells the server that it knows the private key. It is by this method that one box proves to another box it is who it says it is.
The backup script
I took the original backup script I created for mySQL and modified it to use ssh. Here is the amended script. You can also obtain this script from xxx.
#!/bin/sh
#
# mysql database backup
# Copyright 1999, 2000 DVL Software Limited
#
# Available from
# http://www.freebsddiary.org/samples/dns_fetch.sh
#
#
# the name of the backup file. file name format is
# backup.2000.01.12.at.22.59.48.tgz
#
BackupFile="forum.backup.`date +%Y.%m.%d.at.%H.%M.%S`.tgz"
#
# dump the database.
# make the following replacements:
#
# userid   - the user id to use when connecting to the database
# password - the password for the above user
# database - the name of database to dump
# /pathto/ - the path to the backup file
#
/usr/local/bin/mysqldump -uuserid -ppassword -c --add-drop-table database > /pathto/forum_backup.txt
#
# compress it
#
tar cfz $BackupFile /pathto/forum_backup.txt
#
# copy it offsite, change user and othersite.org accordingly.
#
scp $BackupFile user@othersite.org:$BackupFile
#
# remove the files we created (the dump was written to /pathto/)
#
rm $BackupFile /pathto/forum_backup.txt
Additions to the above
There are a few nice additions to the above script which work rather nicely. I also use this script to backup various directories, but exclude others. The additions to do that look like this:
tar cfz $BackupFile \
    -X exclude.txt \
    /home/freebsddiary/forum_backup.txt \
    /home/freebsddiary/www/*.php3 \
    /home/freebsddiary/www/phorum \
    /home/freebsddiary/www/phpPolls
As you can see, I backup all the php3 files, and everything in the phorum and phpPolls directory. But I also exclude everything specified in the exclude.txt file. Here's what that file contains:
$ more exclude.txt
*/_vti_cnf/*
You can put whatever you want. In this case, no directories named _vti_cnf will be included in the backup.
Doing it all from a cron job
This should work flawlessly. The only thing needed now is a cron job to start off the above. Here is what I use:
$ more ~/crontab
#/home/freebsddiary/crontab - dan's crontab for FreeBSDDiary
#
# SHELL=/bin/sh
#PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#HOME=/var/log
# mail any output to `dan', no matter whose crontab this is
MAILTO=dan@example.org
#
#minute hour mday month wday command
#
#
0 5 * * * $HOME/dump_database.sh
This will run the patch job at 5am every day. Adjust the values as appropriate to your need. See man 5 crontab for some very good examples. The above can be added to the cron jobs by doing this:
crontab ~/crontab
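The script above puts the MySQL password on the mysqldump command line (-ppassword), where any local user can read it from the process list, while the .my.cnf post earlier on this page shows the alternative of a defaults file readable only by its owner. The following is an added example (not the article's script, nor Acronis or MySQL project code) that reworks the dump, compress, copy and clean-up cycle around --defaults-file, refuses a defaults file that other users can read, and removes the cleartext dump even when the copy fails. It assumes mysqldump, tar and scp are on PATH, that the remote host already holds this box's public key as in the sections above, and that the defaults file carries host, user and password in a [client] group; host, database and user names are placeholders.

```shell
#!/bin/sh
# Added example: cron-safe MySQL dump + scp without a password on the command line.
# Assumed: DEFAULTS_FILE is a ~/.my.cnf-style file with a [client] group.

# secret_file_ok FILE -> 0 only if FILE exists and group/others have no access bits
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# backup_name PREFIX [STAMP] -> PREFIX.backup.YYYY.MM.DD.at.HH.MM.SS.tgz, the
# article's naming scheme; STAMP may be supplied to make the name reproducible.
backup_name() {
    printf '%s.backup.%s.tgz\n' "$1" "${2:-$(date +%Y.%m.%d.at.%H.%M.%S)}"
}

# dump_database DEFAULTS_FILE DB OUT: mysqldump takes host/user/password from
# DEFAULTS_FILE (--defaults-file), so no credential appears in `ps` output.
dump_database() {
    secret_file_ok "$1" || { echo "refusing: $1 must be mode 0600 or 0400" >&2; return 1; }
    mysqldump --defaults-file="$1" -c --add-drop-table "$2" > "$3"
}

# run_backup DEFAULTS_FILE DB WORKDIR REMOTE: the full cycle. The dump and the
# archive are removed whether or not the copy succeeded, so a failed run never
# leaves a cleartext database dump behind in WORKDIR.
run_backup() {
    defaults=$1; db=$2; work=$3; remote=$4
    dump="$work/${db}_backup.txt"
    archive="$work/$(backup_name "$db")"
    rc=1
    if dump_database "$defaults" "$db" "$dump" \
       && tar cfz "$archive" -C "$work" "$(basename "$dump")" \
       && scp -q "$archive" "$remote:$(basename "$archive")"; then
        rc=0
    fi
    rm -f "$dump" "$archive"
    return $rc
}
```

A cron line such as the one shown above can call run_backup with the four arguments, e.g. `run_backup /root/.my.cnf forum /var/backups user@othersite.org`.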
That's everything!
Michael O Shea wrote in to mention that using rsync over SSH would be faster as it transfers only changed files. That's a very good idea if transferring the same group of files on a regular basis. See rsync - synchronizing two file trees for more information. That should be everything. Please, if you do follow these instructions, and they work for you, please tell your friends. If it doesn't work, and you can figure out what I've left out, please add your comments using the link at the top or bottom of this article.