Aug 01

Windows 10: Remove OneDrive From Explorer

I’ve had Windows 10 installed for all of 10 minutes now, and I’ve already had to look up a tweak to get rid of an annoyance, OneDrive. I personally don’t believe in using the cloud to store my personal information. It’s just too easy to get hacked and stolen, and let’s not even talk about the NSA. I trust nobody.

Anyway, there are a couple of things you can do to keep OneDrive from ever showing up. First is to stop it from auto-starting. As with Windows 8.1, you can go to Task Manager, choose the Startup tab, and disable it there. It will still show up in Windows Explorer though. Happily there is a very simple fix, although it involves editing that nasty registry.

Open regedit in the usual fashion, and navigate to these two keys:

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}

HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}

In each of these keys there is the same DWORD value, System.IsPinnedToNameSpaceTree. Change it from the default 1 to 0.

That’s it!

Big thanks to this thread for the information: Remove OneDrive from the Explorer Side Panel in Windows 10

Jun 04

PowerShell: Scripted RoboCopy

Sometimes you might have a server on a weak network link, or even a remote server with a slow connection. CommVault and other backup suites often have difficulty dealing with these slow links and end up timing out. This is where the good ol’ robocopy program from Microsoft themselves comes in handy. Of course you can just run RoboCopy straight as a scheduled task, but you might want to keep better tabs on what’s going on. One way to do this is through PowerShell. It’s also a great script to get started with the powerful PowerShell and learn some basics. This script in particular backs up an entire partition (ignoring some system folders) that just hosted data to a centralized server, and then e-mails someone about the outcome and why. It also makes a log of everything it did, then keeps the logs in check so they don’t get out of control. Take a look, copy, paste, and enjoy!


May 17

Ubuntu 14.04+: Creating a VERY jailed user with jailkit

I have many hobbies I dabble in; one of them is vintage computers, and another is vintage phones. I have an Asterisk server with a special card that connects to some of my vintage phone gear. I also have vintage computers that I could use to play with modems and act as a phone company of sorts. Of course Asterisk is digital and that introduces some problems, but that’s another story for another article far far away. I have a server set up as a dial-in server (as in I can dial the server’s modem extension, as it is connected to one of the ports of that special card mentioned earlier). I wanted to make a dial-in server that can serve DOS and CP/M files, but not in BBS form, as I didn’t want or need the complexity of a full BBS system. Sure, there are a few downsides, like someone could hang on the line forever if they wanted to. Being that this sort of thing is becoming more and more obscure, I’m not too worried about that. I am however worried about making it public and having someone come in and mess with and break the system. After some research I found some interesting software called jailkit. This does exactly what I needed. This is also useful for creating very restricted users on servers for other projects.

For example, my dial-in user only has access to the XMODEM and ZMODEM commands that you can install in Linux, and cd to change directories. The jailed user can’t do anything else except change directories around in the jail itself and transfer files the old-fashioned way. Now, my use case is pretty extreme (and probably a bit weird), but it’s a good example of how locked down you can get.

Before I begin, a huge thanks goes out to “gs69azza” and his forum post here. Most instructions I found on Google don’t work for the newer versions of Ubuntu. There was always something weird that would stop me in my tracks.

First, download and unpack the latest version of jailkit (at the time of this post, it is 2.17; change the link as necessary to get the latest, see the jailkit link above):

Now, compile and install:

Next, make a jail. You can really put it anywhere you would like, but do not put it in /home; that will confuse both you and jailkit.

Next create the new home directory environment for users:

Create a group in the jail so the users that will be made can be linked to a “users” group. Create /jail/etc/group and add this line:

After that, we need to create a jail user in /etc/passwd so we can define the shell to log in to. This example uses “jailuser”, but of course you can name it whatever you would like. This is the first place you must edit when creating a new user for the jail. Edit /etc/passwd and add the user as below:

Now, create the same user you created above in the jail itself. Create /jail/etc/passwd and add the following:

Now that that is done, we need to edit the shadow to include the new user. Edit /etc/shadow and add:

Of course, change jailuser to whatever user name you would like.

Next is to change the password of the new user:

Now that the shadow file has been updated, copy the shadow files so that the jail is synced with the system:

Next create the new user’s home directory:

Now we will need to copy over commands that you will want your users to use in this jail. The post linked above has a much bigger list, but here are some examples for some basics:

Note: bash is required, but don’t worry, they can’t use the chroot trick to break out of the jail with the bash command. ls is optional.

Keep issuing similar commands to copy over the software you want the jailed user to run. For example, if you want them to edit files, you have to copy over an editor. The jk_cp script also copies over the libraries needed to run the programs. There are a couple of special cases:

(optional) Create /proc in jail for ps to work:

(optional) Set permissions for sudo to work:

That’s it! Now log in as that user and make sure everything works. Check out /var/log/auth.log if you are having any issues. For example, I had an extra space character after the shell path in /etc/passwd which was preventing log in.
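As an added example (not from the original post), here is a POSIX shell checker for the things the steps above must keep in agreement, including the trailing-space mistake just mentioned; the jail path, user name and the HOST_ETC override are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a jailkit user
# before trying to log in. It verifies what the steps above require: the user
# exists in the host /etc/passwd and in the jail's own etc/passwd with the same
# UID, the shell field has no stray whitespace (the exact typo that blocked the
# author's login), the shadow entry was copied into the jail, the home
# directory exists inside the jail, and the jail itself is not under /home.
# Usage: jail_check JAILDIR USER [HOST_ETC]   (HOST_ETC defaults to /etc)

# First passwd/shadow line for USER ($2) in FILE ($1); empty if absent.
entry_for() {
    grep "^$2:" "$1" 2>/dev/null | head -n 1
}

# Field N ($2) of a colon-separated line ($1).
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Succeed only if the shell field (7) is non-empty and free of whitespace.
shell_field_clean() {
    case $(field "$1" 7) in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Run every check, print one line per problem, return 0 only if all pass.
jail_check() {
    jail=$1 user=$2 etc=${3:-/etc} rc=0
    case $jail in
        /home|/home/*) echo "jail is under /home, which confuses jailkit"; rc=1 ;;
    esac
    host=$(entry_for "$etc/passwd" "$user")
    inner=$(entry_for "$jail/etc/passwd" "$user")
    [ -n "$host" ]  || { echo "$user missing from $etc/passwd"; rc=1; }
    [ -n "$inner" ] || { echo "$user missing from $jail/etc/passwd"; rc=1; }
    if [ -n "$host" ] && ! shell_field_clean "$host"; then
        echo "shell field for $user in $etc/passwd is empty or has whitespace"
        rc=1
    fi
    if [ -n "$host" ] && [ -n "$inner" ] &&
       [ "$(field "$host" 3)" != "$(field "$inner" 3)" ]; then
        echo "UID differs between $etc/passwd and $jail/etc/passwd"; rc=1
    fi
    [ -n "$(entry_for "$jail/etc/shadow" "$user")" ] ||
        { echo "$user missing from $jail/etc/shadow (copy the shadow file)"; rc=1; }
    if [ -n "$inner" ] && [ ! -d "$jail$(field "$inner" 6)" ]; then
        echo "home $(field "$inner" 6) does not exist inside $jail"; rc=1
    fi
    return $rc
}
```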

There are many things you can do with this setup. For example, I created a .bashrc for my user (as root so that the user couldn’t edit it), and added the following lines to hide more of the system, and enable a “help” command which is a very simple script I created that just tells the user what they actually can do. It also customizes the command prompt they get.

Note: The “help” script is actually in /jail/bin/help. For things that are sitting inside the jail, the paths are as if /jail was the root. The help script also overrides the standard “help” command.

Also, to remove more system identification (and for other reasons), I completely disabled the standard MOTD system wide. See this post: Ubuntu 14.04+: Disabling Login Messages (MOTD).

If you don’t want to do it system wide however, and want to disable the messages for the user, create .hushlogin in their home directory:

Finally, my last requirement was to be able to serve DOS and CP/M files so that it is possible to xmodem them over (great for recovering an old system). Of course, it would be silly to duplicate the files just for the jailed user. However, you can’t directly mount an NFS share into the user jail either, but you CAN do a bind mount! I use autofs to automatically mount my NFS file server to a directory in /mnt on the dial-in server. Then I use a bind mount in fstab to make the directories I want available to the jailed user. Here is an example of an entry in fstab that makes this possible:

Note: _netdev is super important in this line, don’t forget it! If you don’t have fstab wait for the network to become available, and you reboot the machine, it will hang trying to mount those directories (ask me how I know!).

Note 2: Don’t forget to make the directories to mount to (e.g. /jail/home/jailuser/cpm).

You can go pretty far down the jailed user rabbit hole. The jailkit homepage has lots of great documentation for doing more with it.

May 17

Ubuntu 14.04+: Disabling Login Messages (MOTD)

In an earlier post (Ubuntu 14.04+: Changing Login Messages), I showed you how to modify, change, or even disable parts of the big long MOTD (Message of The Day) that you get with default Ubuntu. Admittedly, some of the information is useful at a glance. I have a pretty good pulse on my own Linux servers (since there are only a couple), so I don’t really need or want the messages. So, after a quick Google search I found this post that describes disabling the message for SSH through PAM. It’s pretty simple.

Just edit /etc/pam.d/sshd and comment (using the # sign) the following two lines:

Save your changes, and you’re done! Now all you see when you SSH in is the last login time. Much faster.

May 08

PowerShell: Finding Those Pesky Service Accounts

In most Windows environments I’ve worked in, there is rarely any good documentation, especially documentation that tells you where service accounts are being used. This always presents a problem when you have to change the account’s password, or have to change the account altogether. Getting tired of things breaking when this happens, I finally wrote a PowerShell script to go out and find these accounts.

This script connects to each machine listed in a text file or in a specific Active Directory OU, and goes through each account you want to find. This is also useful for finding old accounts to get rid of, or accounts that are in places they shouldn’t be. It then dumps the results in a CSV in the specified directory. It checks the local Administrators group, MS SQL Server if installed, Scheduled Tasks, and Services. The user account it is run under needs to have administrator rights on the machines being tested.

This requires PowerShell 4.0 or higher. Enjoy!


Apr 17

MediaWiki on Linux: Domain Authentication

Enabling LDAP authentication on MediaWiki is fairly straightforward, but there are a couple tricks and gotchas to watch out for.

First, a couple of packages are needed: php-ldap (through your package manager) and Extension:LDAP Authentication (download and install as instructed).

This assumes that you already have your Linux server working with your LDAP environment.

First, edit /etc/openldap/ldap.conf and add this line to the bottom:

After all, we trust our own domain, right?

In your LocalSettings.php, add the following:

Just change my.domain.com to your FQDN.

After updating both files, on command line run:

You should now be able to log in with your domain user. I also disabled anonymous editing in my configuration.

Mar 21

Asterisk 13: C*NET IAX Connection (ckts.info)

All of the instructions you see online are for much older versions of Asterisk. It makes sense, as a phone system is always highly customized and can get very complicated, very quickly. It’s hard to upgrade an in-place system to a newer version, especially in Asterisk’s case where the newer stuff broke a lot of the old stuff. However, for a new setup, why not use the latest and greatest? More security fixes, more features, and hopefully fewer bugs. The downside? There isn’t much documentation out there for things on the newer systems yet. This means learning from scratch and adapting!

Thankfully, once I learned a little more about how to use extensions.conf and iax.conf, it appears trivial to get a C*Net connection going (although this is after 10+ hours of head abuse by scratching and banging, and elevated blood pressure).

So let’s get started!

C*NET Side:

You have to register and activate your office code first. When all is said and done, you will receive your e-mail from one of the great people over on that side with your activation information. If you haven’t received this e-mail yet, receiving calls won’t work. It’s part of a manual entry process on their Asterisk server to allow connection to yours (it maps your office code to your IP). The most important information from this e-mail is your username. Of course your country code, office code, and thousands block are also good things to know.

Networking Side:

You MUST have port 4569 UDP opened/forwarded to your Asterisk box. You can call out to C*Net without this port opened, but you cannot receive calls. It’s a fairly obscure port number, so security-wise it probably won’t be subjected to much abuse, but make sure you have something like fail2ban in place to help with security.

Asterisk Side:

First, make sure the IAX2 module is loaded:

If it’s not loaded, make sure you don’t have it as a noload line in modules.conf. If you are like me, you might have disabled it along with a host of others.

IAX.CONF:

Next, edit iax.conf to give IAX a route into your extensions.conf. The [username] context must be changed to the username you received in your e-mail.

Note: context can also be changed to whatever context you want in extensions.conf, however I would recommend using one specifically for C*Net, for reasons you will see next. Double check to make sure the names match.


EXTENSIONS.CONF:

On to the potatoes of the meat and potatoes.

In the [globals] context, add the following:

Change CNETANI to whatever yours is: country code + office code + thousands block. Also change MYNAME to your name.

Now, add a new context for the macro that will actually do the dialing out to C*Net. This macro is a heavily modified version of one from Los Angeles Telephone to work with the newer versions of Asterisk. It will not work in versions like 1.8.

Basically, it uses something called ENUM lookup to get all the IAX (or SIP) information that Asterisk needs to complete the call to C*NET using the DNS name of std.ckts.info so you don’t have to keep track of IP addresses. This particular macro tries an IAX connection first, tries a SIP connection as a fallback, and then finally fails with a failed lookup message.

Now that we have the macro set up, receiving in and dialing out capabilities can be added. Dialing out uses this macro.

Receiving calls:

Earlier in iax.conf the context “from-cnet” was defined, so that is next to be added:

A couple important notes with this section:

The first line is just for my debugging and flow-following process. NoOp simply prints whatever you tell it to the console/log. You can completely remove the first line if you would like; just change the n to 1 on the second line if you do so.

The second line forwards the call to another context, which in my case is “from-internal”. Change this to whichever context you use for your extensions. This is useful so you don’t have to define them again. The -3 part of ${EXTEN:-3} tells it to forward the last 3 numbers of the call, since I use 3 number extensions. Change it to 2 to only forward the last 2, etc. For example, if you dial 1-636-1112, it goes to the from-internal context with the digits 112.

Sending calls:

Here we just need to add a few quick lines. These are in my “from-internal” context, but can be placed in whichever context you have set up for dialing out definitions.

A couple important notes:

The first line again is just for debugging/logging. The same modification can be made if desired.

Because I have a few different ways to make calls outbound of my Asterisk, I am now on “dial 7 to get an outside line” for C*Net. I can also dial 8 to dial out on my cell phone (via x-link Bluetooth), and dial 9 to dial out on my VOIP line (I know, getting out of control!).

Finally, save your extensions.conf, reload the IAX module and the dialplan:
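What the macro’s ENUM lookup actually does, as an added example in POSIX shell (not part of the original post or of the Los Angeles Telephone macro): build the ENUM name under std.ckts.info for a dialled number, and pick a target from NAPTR records in the order the macro tries them (IAX2, then SIP, then fail). It assumes the full number (country code + office code + line, as in the 1-636-1112 example above) is what gets looked up, that the zone uses the standard whole-number `!^.*$!uri!` rewrite, and that the scheme is stripped to form a Dial() technology string.

```shell
#!/bin/sh
# Added example, not from the original post: the two halves of an ENUM lookup
# as the C*NET macro uses it. Assumptions: the whole dialled number (country
# code + office code + line) is looked up, and the zone's NAPTR records use the
# whole-number rewrite form !^.*$!uri! (back-references are not handled).

# ENUM name for a number (RFC 6116): digits reversed, dot-separated, plus zone.
# enum_name 1-636-1112 -> 2.1.1.1.6.3.6.1.std.ckts.info
enum_name() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    [ -n "$digits" ] || return 1
    rev=""
    while [ -n "$digits" ]; do
        rev="${digits%"${digits#?}"}.$rev"   # prepend the first remaining digit
        digits=${digits#?}
    done
    printf '%s%s\n' "$rev" "${2:-std.ckts.info}"
}

# Read NAPTR records in `dig +short` form on stdin and print the target the
# macro would dial: an E2U+IAX2 record first, else E2U+SIP, else fail, which is
# the macro's IAX -> SIP -> "failed lookup" order. Records are sorted by order
# and preference first, so the best record of each service wins.
enum_pick_target() {
    num=$1 iax="" sip=""
    sorted=$(sort -n -k1,1 -k2,2)
    while read -r order pref flags svc re _; do
        svc=$(printf '%s' "$svc" | tr -d '"' | tr 'A-Z' 'a-z')
        re=${re#\"}; re=${re%\"}
        d=${re%"${re#?}"}                 # regexp delimiter, normally '!'
        body=${re#?}                      # pattern<d>replacement<d>
        pat=${body%%"$d"*}
        repl=${body#*"$d"}; repl=${repl%%"$d"*}
        [ "$pat" = '^.*$' ] || continue   # only the whole-number rewrite
        case $svc in
            e2u+iax2) [ -n "$iax" ] || iax=$repl ;;
            e2u+sip)  [ -n "$sip" ] || sip=$repl ;;
        esac
    done <<EOF
$sorted
EOF
    if [ -n "$iax" ]; then printf 'IAX2/%s\n' "${iax#iax2:}"
    elif [ -n "$sip" ]; then printf 'SIP/%s\n' "${sip#sip:}"
    else echo "ENUM lookup for $num failed" >&2; return 1
    fi
}

# Live query (needs dig and network): what Asterisk resolves for the number.
enum_lookup() {
    dig +short NAPTR "$(enum_name "$1" "${2:-std.ckts.info}")" | enum_pick_target "$1"
}
```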


Troubleshooting:

“CAUSE: No such context/extension”

This is most likely an error in your extensions.conf. Even if you have a NoOp command as the very first line, it won’t spit anything out unless there is something correctly configured to do after. In my case, I had assumed I would at least see output from the NoOp command, and that was incorrect and caused hours of high blood pressure.

“CAUSE: No authority found.”

This is an error in the iax.conf configuration. In C*Net’s case, there must be a context with the correct username, and type must be equal to user (type=user).

Done!

That’s it! Enjoy C*Net and the great people that are part of it. Don’t forget to sign up for the mailing list. There are a lot of very smart people on it, and most with 20+ years of industry experience.

https://www.ckts.info/

Feb 22

Asterisk 13/DAHDI: Setting up an FXO Channel

With DAHDI, this turns out not to be so bad. Once you add the physical hardware, there are just a few DAHDI-related commands to run, and a small section of extensions.conf to change.

Note: Throughout I use the parameter -vvvvv to get as much verbosity as possible. I use all 5 v’s out of habit from Asterisk’s console command (adding more v’s just makes sure it’s as verbose as possible).

First (after installing the hardware), run dahdi_scan as root to make sure it’s detected. Your output should look similar to mine:

Then, run dahdi_cfg as root to configure DAHDI to accept the current hardware setup:

Now, run dahdi_genconf as root to re-generate the other configuration files to set up signalling:

If you have a Digium TDM400P/800P/2400P card, also see: fxotune

If this is the first time configuring DAHDI, make sure “#include /etc/asterisk/dahdi-channels.conf” is under the “channels” context in chan_dahdi.conf:


Now we get to play in extensions.conf. If you check out /etc/asterisk/dahdi-channels.conf, you should see an entry similar to this:

By default, we now have a context “from-pstn” that we need to either add, or modify in extensions.conf. Here is a part of mine as an example.

Note: Don’t assume that only having NoOp in a context will at least spit out a message if it’s called. It actually doesn’t do anything unless there is something else below it that works correctly.

Jan 31

Ubuntu 14.04/Asterisk 13: Rotating Logs

After a while, Asterisk can spit out a lot of logging, which eventually will take up a large amount of room. Thankfully Ubuntu already has a program installed by default to help get a handle on logs called “logrotate.” This makes it really simple to add more logs to be rotated. Simply create the file below and add in the logs you want to rotate:

/etc/logrotate.d/asterisk

Done! By default, logrotate is scripted to run daily (as seen under /etc/cron.daily).

To take a quick look, this is what the script does:

1st line consists of one or more log paths. The options will apply to all of the logs specified.
missingok – If the log file is missing, go on to the next one without issuing an error message.
rotate 7 – Log files are rotated 7 times before being removed.
notifempty – Do not rotate the log if it is empty.
daily – Logs are rotated daily.
The lines between postrotate and endscript (both of which must appear on lines by themselves) are executed after the log file is rotated. The command in the middle tells Asterisk to reload the logger module which re-creates the files.
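The stanza the list above describes, written out as an added example (not the post’s own file): one shell function emits /etc/logrotate.d/asterisk, and a second checks a logrotate file for the gotchas just mentioned (postrotate and endscript on their own lines, balanced braces, the expected options present). The log file names are assumptions, since the post does not list them.

```shell
#!/bin/sh
# Added example, not from the original post. asterisk_logrotate_conf prints
# the /etc/logrotate.d/asterisk stanza described above; the default log paths
# are assumptions (the post does not name them). logrotate_conf_check
# validates a logrotate file before the daily cron job trips over it.

# Print the stanza for one or more log paths (defaults assumed).
asterisk_logrotate_conf() {
    paths=${*:-"/var/log/asterisk/messages /var/log/asterisk/full"}
    cat <<EOF
$paths {
    missingok
    rotate 7
    notifempty
    daily
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2>&1 || true
    endscript
}
EOF
}

# Count lines of text $2 matching ERE $1; never fails, prints 0 if none.
count_lines() {
    printf '%s\n' "$2" | grep -Ec "$1" || true
}

# Check a logrotate file: braces balanced, every postrotate closed by an
# endscript on its own line, and the options the post relies on present.
# Prints one line per problem; returns non-zero if any.
logrotate_conf_check() {
    f=$1 rc=0
    body=$(sed 's/#.*//' "$f")           # drop comments before counting
    [ "$(count_lines '[{]' "$body")" -eq "$(count_lines '[}]' "$body")" ] ||
        { echo "$f: unbalanced braces"; rc=1; }
    [ "$(count_lines '^[[:space:]]*postrotate[[:space:]]*$' "$body")" -eq \
      "$(count_lines '^[[:space:]]*endscript[[:space:]]*$' "$body")" ] ||
        { echo "$f: every postrotate needs a matching endscript line"; rc=1; }
    for opt in missingok notifempty daily 'rotate [0-9]+'; do
        printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$opt"'([[:space:]]|$)' ||
            { echo "$f: missing option $opt"; rc=1; }
    done
    return $rc
}
```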

Jan 19

Ubuntu 14.04/Asterisk 13: CDR Reporting to MySQL

On Linux, I am familiar with MySQL, and for me it’s the easiest to get going. Asterisk used to include support for MySQL directly (and the config is still there, but it is not compiled into Asterisk by default anymore), but has since moved to an ODBC structure which offloads the database handling, making it database server agnostic. This is good in that it makes writing reports a lot more flexible, but also bad because you have to learn how to configure ODBC too. It’s not as simple as configuring the single ini anymore.

For a few reasons, it is suggested to install/use a MySQL server on another machine. It is safer and more space could be available if there isn’t enough on your Asterisk box. I don’t have that luxury, so I will have the SQL server sit on the server itself for now.

First, install MySQL:

During the install it will ask you for a root user password. Please enter a strong password, but one you will remember, as you will need it later.

Now we will need to use MySQL’s CLI client to set up our databases and tables. We will be calling the database “asterisk”, and the standard for CDR reports is a table called “cdr”. Of course, you can create the table in a separate database if you want.

Make a new file to copy all of the lines we need to make the table that CDR will use.

Now, copy and paste the following into a new file, I called it cdr.sql:

Putting it in /tmp will make the file disappear automatically on reboot. It can really be put anywhere, but this guide assumes that location, so change the path to suit your needs.

Copy and paste the following into the new file:

Now, save and exit. Don’t forget the semicolon on the last line.

Log in to MySQL:

Create a new database:

If you are new to MySQL, every command that completes correctly responds with something similar to:

If not, it will tell you the error. 99% of the time it’s a syntax error, so check for spelling, etc. Also, every command must end with a semicolon.

Now, let’s go into the database and create the table:

It should now say “Database changed.” We can now create the CDR table. This can be done a few ways. You might be able to copy everything below in directly, or you can copy and paste it into a file on your Asterisk box in your home directory (or wherever else is convenient).

Next, import the table structure we saved to a file earlier:

If there are no errors, then it might say “0 rows affected” even though it actually imported.

Double check and make sure it’s all there:

It should show you 16 rows (it will say how many on the bottom).

Now, let’s create a user for CDR (and CEL):

I used a random password generator site to generate a very long random password. I highly recommend using the longest, hardest, and strongest password you can bear to use to keep your system secure. These passwords will be stored in plain text in the configuration file, so DO NOT use your “normal” passwords. I immediately wrote the password down in a secure password file I have. Don’t lose this password! It will be needed in a few steps.

Now that all that is done, give this user permissions. For security the user will only be able to add or remove data, not tables or the entire database.

Add permissions:

To double check, you can execute the following command and you should see the permissions listed:

Now we are done with the MySQL side. Type “exit” to leave the console.

Next we will need to configure unixODBC to connect to MySQL. This will vary slightly based on your installation. The file we are looking for is “libmyodbc.so”. Once we know where the file is, we can edit the odbc.ini file to set up a MySQL connection.

First, find and make a note of where libmyodbc.so file is located:

This usually should return one line. If there is more, look for a path that’s similar to mine:

Do the same for libodbcmyS.so, but without the updatedb command as it’s not needed. Make sure to note both paths.

Edit the /etc/odbcinst.ini to reflect the MySQL setup correctly:

Note: Make sure the [Default] section exists and specifies a driver, otherwise the res_odbc module in Asterisk will bark.

Now, edit the /etc/odbc.ini file (which might be blank) and add the following:

Edit /etc/asterisk/res_odbc.conf to say the following:

Edit /etc/asterisk/cdr_odbc.conf to say the following:

Note: The dsn in cdr_odbc.conf is the dsn specified in res_odbc.conf, not the dsn specified in odbc.ini.

Edit cdr_manager.conf to say the following:

Finally, edit /etc/asterisk/cdr_adaptive_odbc.conf to say the following:

NOTE: If you use the sample configs that come with Asterisk, there are already a couple of sections similar to this one. I personally backed up the default one and then emptied it out to only say the above lines. This way there are no problems. However, if you already have database connection definitions here, make sure not to delete those, of course.

Save and exit, and then reload Asterisk:

Now you can make a test call where the other end answers, and then hang up. There should be no CDR errors.

You can do a quick check to make sure the data made it after the call:

If there are no records, double check for configuration errors. “dsn” names are case sensitive, and must match exactly.

Whew! That’s it!

Troubleshooting:

There are some commands that can be used to troubleshoot any issues you might have:

In the asterisk console, using “cdr show status” should get you something similar:

If not, there are some configuration errors somewhere. Your registered backends section might be different, as I have pared mine down to the minimum, but there should be at least those 3 listed.

In the asterisk console, the command “odbc show all” should look almost exactly like this:

If not, then there is a database connection issue. Check your odbc.ini and odbcinst.ini files to make sure they are correct, that the user/password is correct, and that the user has proper access to the correct database.
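As an added example (not the post’s own), a POSIX shell check that follows the dsn chain the troubleshooting above walks by hand: cdr_odbc.conf [global] dsn, to the matching res_odbc.conf section, to its odbc.ini DSN, to the odbcinst.ini driver and its library file, all matched exactly and case-sensitively as the note on dsn names requires. It assumes the standard key names (dsn=, enabled => yes, Driver=) and the default file locations, which the two arguments override.

```shell
#!/bin/sh
# Added example, not from the original post: follow the ODBC name chain that
# the troubleshooting steps above check by hand. Section and key names are
# matched exactly (case-sensitive), which is how Asterisk and unixODBC treat
# them. Key names assumed: dsn= in cdr_odbc.conf [global]; dsn => and
# enabled => in res_odbc.conf; Driver= in odbc.ini and odbcinst.ini.
# Usage: odbc_chain_check [ASTERISK_ETC] [ETC]   (defaults /etc/asterisk, /etc)

# Value of KEY ($2) in [SECTION] ($1) of FILE ($3); accepts "k=v" and "k => v".
# Prints nothing (and succeeds) when the file, section or key is absent.
ini_get() {
    [ -r "$3" ] || return 0
    awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*/, "", s)
                            insec = (s == sec); next }
        insec && match($0, /[[:space:]]*=>?[[:space:]]*/) {
            k = substr($0, 1, RSTART - 1); v = substr($0, RSTART + RLENGTH)
            sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$3"
}

# Walk the chain, print one line per problem, return 0 only if it all links up.
odbc_chain_check() {
    astetc=${1:-/etc/asterisk} etc=${2:-/etc} rc=0
    cdr_dsn=$(ini_get global dsn "$astetc/cdr_odbc.conf")
    [ -n "$cdr_dsn" ] || { echo "cdr_odbc.conf: no dsn in [global]"; return 1; }
    res_dsn=$(ini_get "$cdr_dsn" dsn "$astetc/res_odbc.conf")
    [ -n "$res_dsn" ] ||
        { echo "res_odbc.conf: no section [$cdr_dsn] with a dsn (names are case-sensitive)"; return 1; }
    [ "$(ini_get "$cdr_dsn" enabled "$astetc/res_odbc.conf")" = yes ] ||
        { echo "res_odbc.conf: [$cdr_dsn] lacks enabled => yes"; rc=1; }
    driver=$(ini_get "$res_dsn" Driver "$etc/odbc.ini")
    [ -n "$driver" ] || { echo "odbc.ini: no section [$res_dsn] with a Driver"; return 1; }
    lib=$(ini_get "$driver" Driver "$etc/odbcinst.ini")
    [ -n "$lib" ] || { echo "odbcinst.ini: no driver section [$driver]"; return 1; }
    [ -f "$lib" ] || { echo "odbcinst.ini: driver library $lib not found"; rc=1; }
    [ -n "$(ini_get Default Driver "$etc/odbcinst.ini")" ] ||
        { echo "odbcinst.ini: no [Default] section with a Driver (res_odbc complains)"; rc=1; }
    echo "cdr_odbc[global] dsn=$cdr_dsn -> res_odbc[$cdr_dsn] dsn=$res_dsn -> odbc.ini[$res_dsn] Driver=$driver -> odbcinst.ini[$driver] -> $lib"
    return $rc
}
```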
