It can be a pain to add new monitors in Nagios — so I made a script!

Check it: https://gist.github.com/zyphlar/2051455

I’ve got this simple digital signage script floating around that I repurpose a lot. Recently added Asterisk logs to it, so I can see minor fluctuations and trends like lagged peers in addition to other stuff I’ve written like my Nagios monitor. Here’s the script! https://gist.github.com/zyphlar/1943729

Hot on the heels of my Arduino Nagios Display, I’ve made a kit version of the LED matrix that is much easier to assemble! It’s daisy-chainable, so you only need however many rows you want. Perfect for workshops where you want to introduce someone to shift registers and LED matrixes but don’t want to buy 80 LEDs per student, while letting them take home something useful yet expandable.
Continue reading →

Reviewing my system, I realized one script I take advantage of the most is a logging script I made years ago to track logins.

I mainly use it to see who is using which computer, saving on guesswork and coming in very handy when troubleshooting weird problems. It also comes in handy when tracking down an asset or debugging login issues (i.e. if there’s no connection during login, it won’t write to the logfile.)

So here you go, in all its VBScript glory: https://gist.github.com/zyphlar/1793697

You may realize that giving out admin rights (i.e. adding someone to the Administrators group) is a bad thing. But your boss and/or favorite employee might be demanding that they need them in order to do their job. You feel stuck. What do you do?

First, you need to learn something: the Administrators group isn’t magic. The only reason it can do all the things it can do is because when Windows gets installed, it creates a group called Administrators and grants it a lot of permissions on files, folders, registry, and Local Security Policy entries.
Continue reading →

I recently waded into a debate about whether people in an organization should be given local administrator access to their machines.

Now firstly, this violates the principle of least privilege, which is what all of security is based on. You don’t get it unless you need it; you get the minimal privilege necessary to do your job. Imagine if cashiers could withdraw from the company account, if untrained boot camp grads were given missile launch keys, and if spies told their families everything. Security doesn’t work that way.

Still, it got debated, and someone finally asked what specific dangers they were putting their network in by giving certain people local admin rights.

It’s not a simple question, but I’ve come up with some examples.
Continue reading →

This is a comment I posted on Paul Gregory’s Forbes post about Mr. Buffet’s Secretary’s salary– saying that for her to be paying less than him (assuming a 15% rate) then she’d have to be making over $200k, meaning she’s not such a poster child for injustice after all. (I guess God only has pity for those making more or less than $200-500k?)
Continue reading →

Getting notified by SMS is better than via email, I think, because then you can tell the difference between midnight spam and a server fire. Here’s my command for sending a shortened message (to #yournumber#@YourCarrierSMSGateway.com)

Add these to your commands.cfg and then change your contact settings (usually contacts_nagios2.cfg) to use the appropriate command.
Continue reading →

I like the Whiteline icon set for Nagios’ statusmap cgi, but it’s too big; here it is resized to 40px wide and I added an Ubuntu icon as well.

Download: whiteline.zip

See my earlier Nagios post

Sometimes padlocks, zip ties, sternly-worded signs and keyed ignitions just don’t cut it. Maybe what you’re looking for is something more like…

…a web-enabled RFID interlock loosely based on 23b’s Open Access Control system?
Continue reading →

The Minecraft release party, MineCon, was this year in Las Vegas. In a flash of inspiration, I knew I’d found my first cosplay opportunity. Most people would wear cardboard boxes, which isn’t very Vegas. What Minecraft-themed costume would fit Vegas, aside from old people in sweatpants gambling their retirement checks away? A suit, of course! With a Notch-inspired Fedora, and Creeper-print fabric to tie it back to Minecraft. Hours of sewing later, I’m the proud owner of a Creeper shirt (and fedora.)
Continue reading →

The movie ‘Hackers’ came out in 1995, when I was still in elementary school. So by the time I grew up and watched it (along with the Matrix and Tron) I knew that the kinds of computer visualization depicted in those movies was something I wanted. I’m a very visual person (and I think computers are generally way more cerebral than visual) so I’ve always wanted a more visual, physical representation of computer systems. Imagine if we had a tricorder or sick bay analyzer that could show you every little invisible detail of complex systems like the environment, human bodies, or networks? This is one small step towards that.
Continue reading →

People want lots of money these days for digital signage, but lots of it is mediocre at best and especially lacking in third-party data sources. How much money is it worth to edit HTML by hand? About the cost of decent digital signage software! So I made my own with pure Javascript and JQuery goodness:
Continue reading →

So you’ve got Ubuntu 11.04 and think you’ll use Nagios and its fun plugin, NRPE, to monitor your cloud servers, right? Sure! There are some gotchas though. Read on. Note: You may want to check out check_mk instead of NRPE as it is reportedly sexier.
Continue reading →

Why buy an expensive disk or flash drive duplicator when you can make one yourself with Linux for free or cheap?

Here are the cloning scripts you can use to copy a disk and then write it back to a large number of target disks. Modify the IMAGE.img and /dev/DEVICE as desired (each “of=” is another output file, make sure you don’t get confused and accidentally set an “of=” to a device that you might not want to destructively overwrite!) It even beeps when it’s done! Make sure to mark the scripts as executable (chmod +x) so you can double click them, or run them by typing ./SCRIPT.sh in terminal. Continue reading →

This is the line I put in a Scheduled Task to download a remote directory and save it locally. You should be able to use it in reverse to upload something.

"C:Program FilesWinSCPWinSCP.exe" /console /log=winscp.log /command "option batch on" "option confirm off" "open USERNAME:PASSWORD@EXAMPLE.com -hostkey=""ssh-rsa 2048 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"" " "get /home/backups/* c:backups*" "exit"

Separated for readability:
Continue reading →

Ever needed to access, or maintain access, to a computer that’s behind a firewall? Just run one of these commands on that computer (in Linux or maybe Mac) and you’ll get a tunnel to that computer’s port 22 (SSH) over whatever port you type for the PORTNUM in the examples below.

First example: ssh -R PORTNUM:localhost:22 USERNAME@SERVERNAME

So if you ran the command ssh -R 5001:localhost:22 user@example.com you’d be able to login to example.com and then run ssh user@localhost.com -p 5001 to connect back to that computer.
Continue reading →

Long pretentious blog titles are apparently my new thing.

One big problem I have had in trying to use cloud infrastructure for Real World Applications is that a huge percentage of those apps (or their protocols) don’t communicate securely. For example, I just set up an SMB share (Windows fileshare) on the internet the other day. WHA?? Yeah it’s possible, and guess what? SMB is about as encrypted as FTP, which is to say “basically not at all.” So if you really need SMB between servers, and you’re in the cloud (or anywhere else where you give a rat’s ass about security, really, come on people) you’re gonna need to wrap some encryption around that protocol. Ideally you won’t have to deal with PPTP or buy a bunch of Cisco gear either. Enter IPsec.

Continue reading →

So I’m teaching a friend how to set up Linux, Apache, MySQL, and PHP. Here’s my version of teaching you how to do it.

Linux:

• Download and install Ubuntu (Server or Desktop.) See instructions here. Install with the default options, or just run the Desktop version from USB.

LINUX PRIMER:

• Remember that if you have trouble running a command, you might need to type sudo before it to run it as root (the administrator account on Linux machines. Most installing/repairing/uninstalling/configuring work requires root privileges.)

• To edit files, use nano (easiest), vim (hardcore), or gedit (if you’re running desktop not server). In Ubuntu Desktop, you access programs using the “Dash Home” (aka Ubuntu Menu at the top left) and typing a command or search keyword. For this guide we’ll be working out of the terminal, so type “terminal” and open the terminal program.

• From terminal, to edit a file like /etc/apache2/httpd.conf you’ll type vim /etc/apache2/httpd.conf. Other useful commands include cd for changing directories, ls for listing files in a directory, and find * -name "*a*" for finding everything under the current directory with “a” in the name.

• Also remember that the text to the left of your cursor (user@computer:folder$) shows you the current folder you’re in (such as ~ which is a shortcut for your home folder, /home/yourusername). Everything under Linux is stored as a file under the root directory (/) and so there are no C: or D: prefixes like in Windows. If you see a preceding slash (/home/user) that means “the user folder, under the home folder, under the root folder.” This is an important distinction because “home/user” could mean any home folder anywhere, depending on context. If your current folder is /var/www then you’d be talking about /var/www/home/user which might not even exist. So pay attention to slashes and context.

• Use of the arrow keys, and home/end/pgup/pgdn, will help a lot. You can press the up arrow to re-type previously entered commands, press Ctrl+R to do a reverse-search of previous commands, and open the ~/.bash_history file to see logs of your previous sessions.

• Use the Tab key to auto-complete things on the command line. To type “vim /etc/apache2/httpd.conf you can actually type “vim /etc/apahtt” (if there is no auto-completion, then you need to type more to be more specific.)

• Rule #1 of Linux is RTFM — this means either read the manual (by typing man in the terminal, for example “man vim” or “man find” or “man life”, OR just Google it. Copy the error or key words from the error into Google and hunt away! Finally, don’t be afraid to ask– but not before reading the man page and Google (or if you’re in a class, ask your neighbor or the instructor.) Open source software like Linux is all-volunteer, so help volunteers by asking intelligent questions — questions that you still have after attempting to find the answer yourself. For further reading, check out “How to Ask Questions the Smart Way” by ESR: http://is.gd/smartquestions

• To copy-paste from the Ubuntu Desktop terminal, highlight something with your mouse and press Ctrl+Shift+C (copy) or Ctrl+Shift+V (paste). You can also right-click and choose the copy or paste options.

(END LINUX PRIMER)

• Make sure you’re connected to the internet. Use the Wifi icon in the top right to connect to networks, or in terminal type ifconfig and ping 8.8.8.8 to check what might be wrong.

• Let’s start by typing sudo -i so that we become root and don’t have to type sudo after half this stuff. If you’ve got a password, it’ll ask you to type it.

• A brand-new Ubuntu install might not have its software repositories updated. Type apt-get update to fetch info about the latest software available.

• Run this command to install Vim, Apache, Git, MySQL, and PHP with my favorite plugins.
apt-get install vim apache2 git-core mysql-server php5 libapache2-mod-php5 php5-gd php5-curl php5-mysql php5-xsl php5-cli

• Pay attention to any errors during this process; problems here can result in a piece of software not working later on in this guide and retracing your steps sucks.

• MySQL should ask you for a root password. Make up something extremely long and random, and store it in a safe place for future reference. (In this case, a sticky note is actually more secure than a text file.) You’ll need to type this in when we get to the MySQL section and any other time you need to administer the MySQL server.

• This is my backup script (crontab) — to make a crontab, type crontab -e

# Below is for regular backups.
10 19 * * * /usr/bin/mysqldump --opt -uUSER DBNAME > /backups/DBNAME.sql
14 19 * * * /usr/bin/mysqldump --opt -uUSER mysql > /backups/mysql.sql
16 19 * * * tar -zcf /backups/etc-backup.tgz /etc
18 19 * * * tar -zcf /backups/www-backup.tgz /var/www

For the root user, create a /root/.my.cnf file (as root) with the following content:
[client]
password=PASSWORD

Note that USER, PASSWORD, and DBNAME should be replaced appropriately. Formerly the crontab script included a -pPASSWORD option (without a space) but this is less secure and reliable than the .my.cnf method.

If your backups aren’t created properly (0 filesize) it may be because the backup user’s password isn’t getting found. You can add --defaults-extra-file=/root/.my.cnf to the mysqldump command in your crontab.

Make sure you create /backups and that it is writeable by root (or whoever the cron job runs as.) Test the command before putting it in your crontab.

You’ll see that I’m doing a mysqldump of the database named ‘mysql’ — this is intentional as it is the database that holds configuration information including database users which you’ll probably want during a restoration.

Also, I’m doing a backup of /etc which is where most configuration files are stored. Half of a website is how it’s configured, so you’ll definitely want that during a restoration.

This should take care of most Apache/MySQL websites as long as all websites are stored in /var/www — if not, modify the script as needed.

• Finally, it would be a good idea to encrypt these files or at least make sure they’re chmod 700 — readable only by the folder owner and nobody else — because they will invariably contain passwords in the config files and mysql tables. Your mileage may vary and it’s your responsibility to make sure you’re adequately secured.

Don’t forget to copy your backups offsite. I typically add this line to a remote crontab -e:


15 21 * * 1 scp -r root@example.com:/backup /backups/latest/example


You’ll need to copy ~/.ssh/id_rsa.pub from the remote machine to the /root/.ssh/authorized_keys file on example.com though, to let scp run without a password. (Test scp manually so you can accept example.com’s key first.)

• Save, exit, and check back tomorrow to make sure the contents of /backups looks good (in nano, save is Ctrl+O and exit is Ctrl+X. In vim, you insert text by typing i, exit from insert mode with Escape, save is :w and exit is :q)

Apache:
Continue reading →

This was a comment I posted to this topic on DreamInCode forums.

The most frustrating part of R’ing T F’ing M is usually “ok but how do I do this thing I want to do?” I see MSDN now has a Remarks section with Common Tasks, so as long as what you want to do is there I could see that being an improvement over most documentation.

Continue reading →

Continue reading →

Hacker in the original sense.

These “caveats” are derived and repurposed from the Zen Caveats. Funny how well Zen and technology fit together. Many are presented without modification. If you like this, try reading the Rootless Root. Continue reading →

Linux webservers like Ubuntu (and CentOS, etc) can sometimes be confusing for new admins who aren’t sure how to do proper backups or migrate websites and databases between servers. It takes awhile, but you eventually get a toolkit of scripts, commands, or techniques that work for you. If you’re lucky, you actually write them down!

Here are mine. Continue reading →

While trying to install AFS ImageDepot Express for a user, I ran into some issues, namely the following error:

unable to configure local datasource

as well as a problem with “exclusive access to file” when trying to change the datasource in the program. Turns out that by giving the user Modify permissions on the Program FilesAFS folder and giving them Modify privileges to the registry key HKLMSoftwareODBC (and sub-keys, especially ODBC.iniAFS) the problem is solved.

I just moved a Concrete5 website from one Ubuntu server to another, yet for some reason submitting an email form (a Form block) results in some major errors– looking in the Concrete5 log under /dashboard/reports/logs shows an “Unable to send mail” error.

Here’s how I fixed it. Continue reading →

You’ve probably heard of test-driven programming, where the first thing a developer writes is an automated test, not the actual program code. This way when the code is written, it can instantly and repeatedly be tested to see if it works.

Why not do the same in an IT department, or any other endeavor for that matter? If automated testing is available, it should be used as early as possible in the endeavor so that as soon as a working state is achieved effort can be diverted to polishing or new tasks instead of wasting more time “making it work” when it already does.

How many times have you as a technician been troubleshooting a connection issue, and realized the problem had been fixed for awhile but you didn’t notice? If your first step had been to set up automated pings or http connection tests, you might have saved a lot of time and frustration. Tools like Nagios and IPmonitor are well equipped for this task. If you know of any other good tools, leave a comment!

Just some food for thought. Get some visualization or results of what you’re working on if at all possible.

How can an inexperienced “tech guy” help his organization IT-wise, if outsourcing isn’t on the table?

As an unwittingly frequent mentor to technical hopefuls, it’s hard to draw the line between “sure just follow these steps” and “it’s over your head, outsource if at all possible.” How do you distill half a decade of experience into an email? Here’s a case study: Continue reading →

Here’s the slides from my Technical Brownbag today at Gangplank.

Thanks for having me, guys! Please comment on your thoughts or anything you have to add.

Edit: One of the biggest security holes is the HTTPS issue. Please please PLEASE install and use an SSL cert on every webserver you run. WordPress, webmail, and anything else you run on your server is woefully insecure without HTTPS.

Also: Make separate database users for each app, and make their passwords at least 10 random characters. No sharing of users or passwords!

Security for Developers presentation slides (PDF)

Here’s the raw text of the slides: Continue reading →

Most people are blissfully unaware of what security means in the 21st century, despite using 21st-century technology daily. Many nerds are aware of attacks like viruses, trojans, and phishing, and many computer users are familiar with the idea that passwords are important and that their hard drives’ data can always be recovered, but there are whole areas of security people are totally ignorant about.

This is a quick-n-dirty primer on security issues you probably don’t know about (or aren’t protecting yourself from.)

Continue reading →

In order to login via Remote Desktop on Windows XP, you must be a member of the local machine’s Remote Desktop Users group. This is slightly different than on Windows Server, where you can modify the permissions of Terminal Services and define custom groups to be allowed access.

Additionally, you’ve probably tried to change the GPO setting under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment for ‘Allow log on through Terminal Services’ and discovered that it still doesn’t work fully for non-Administrators.

The solution is to add the group, or the user, that you want to be able to login remotely, to the RDP computer’s local Remote Desktop Users group. You cannot add people to the Active Directory domain Remote Desktop Users group, because this group is “local” to the Domain Controller only. So how does an administrator add a user or group to all client workstations’ Remote Desktop Users groups without going to each computer manually? Use a GPO: Continue reading →

I recently had my car serviced for an intermittent, weird noise– it’s 3 years old and just started making a weird clutch noise over the past few months. My experience was pretty average (read: mildly frustrating) and my response to a Honda phone survey resulted in a disappointed voicemail from David, the service advisor I worked with, and an email from Honda asking for a lengthier fill-in-the-blanks survey. Here’s what I wrote in response to that survey email, word-for-word, typos and all: Continue reading →

This is a comment I posted on WebProWorld after a quick Google search to see what the consensus was on right nav in webdesign. It represents my current analysis of the issue.

I think, when designing your site, you should know which direction visitors’ eyes will go. In L-to-R reading countries, this is top-left to bottom-right with few exceptions. In R-to-L reading countries, this is probably different.

There’s a new trend in websites (especially blogs) where the content is the message (and, to some extent, the navigation.) In this case, the designer is saying “those links on the right are useful, but you probably want to read this content first.” Continue reading →

Better code for doing a date-based countdown in Javascript. The top results on Google appear to have been written in 1990 and are unnecessarily cumbersome– here’s a version I wrote for a quick Christmas “countdown” webpage.

One major advantage to my version is that it compensates for the date in a given timezone, so that it counts down to the same exact second regardless of time zone (assuming that everyone’s computer time is accurate) instead of “rolling” across time zones. This is done by taking advantage of the way numerical timestamps are stored (always in GMT) and the .toUTCString commands. For an even more accurate rollout, I used inline php code to populate the timestamp number and also perform some logic when the server thinks the time has been reached, so that users can’t simply change their computer’s clock to see the result (which in this case is just reloading, since my PHP should have replaced the server-side HTML by that point.)

If you’d like to see the inline PHP that handles the official rollout, leave a comment!

This is a reply to a post here: http://gangplankhq.com/2009/11/gangplank-looking-to-move-downtown/

Whether Tempe is a poser or Phoenix is sucky or Chandler is a thriving tech incubator is somewhat diluted by their public perception. I think perception is reality– if the public thinks something, it becomes a self-fulfilling prophecy.

Moving Gangplank to Buckeye would be a harder sell than moving it to Downtown Phoenix– people would whine either way, but Buckeye isn’t perceived as a technological place whereas Downtown Phoenix seems like an objectively logical choice. I’ve only lived in Phoenix since ’04, but Chandler/Mesa/Gilbert doesn’t seem like an objectively logical choice for technology incubators. It might be in practicality, but I think that would shock most Valley residents, and so unfortunately you’re working against public perception which is an uphill battle.

It’s hard to be “the best collab space in Phoenix” if you’re actually 10 miles outside of Phoenix and a 30 minute drive from the city center. If Gangplank doesn’t want to be, that’s fine, but it’d be helpful to explicitly state this so guys like myself don’t write short blog-essays in vain.

This site is the personal blog counterpart to my professional site, zyphon.com