Signing certificates for Apache or NGINX and Trusting them in your browser.

I know there are a ton of postings on how to sign your own SSL certificates. I just think there’s too much out there (including in my own blog) and none that are very simple. Recently, I figured that I would do it myself (again).

Are you sick of seeing something like this in your browser bar? [Screenshot]

Rather see something like this? [Screenshot]

I’ll show you how to do it for free.

First off, we create a Certificate Authority (CA). This is the guy that will vouch for your server to say that he is who he is.

You create the new CA by running:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newca
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newca

Here’s the output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
...............................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShocKNetworK
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:alton-mbp.shocknetwork.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 9449349124978877974 (0x8322d4f6e103a616)
 Validity
 Not Before: May 17 23:00:51 2016 GMT
 Not After : May 17 23:00:51 2019 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 organizationName = ShocKNetworK
 organizationalUnitName = Security
 commonName = alton-mbp.shocknetwork.com
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
 X509v3 Authority Key Identifier:
 keyid:C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF

X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until May 17 23:00:51 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Next, you go and get the certificate request. With typical Linux applications, you would request a certificate with the following command:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newreq
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newreq

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
.........................+++
........+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Riverbed
Organizational Unit Name (eg, section) []:Tech Marketing Lab
Common Name (e.g. server FQDN or YOUR name) []:alton-web-server.pod3.techmktg.lab
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Now, let’s sign the certificate you just requested.

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -sign
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -sign

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -sign
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 localityName = San Francisco
 organizationName = Riverbed
 organizationalUnitName = Tech Marketing Lab
 commonName = alton-web-server.pod3.techmktg.lab
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Certificate is to be certified until May 23 00:34:03 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=US, ST=California, O=Riverbed, OU=Security, [email protected]
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject: C=US, ST=California, L=San Francisco, O=Riverbed, OU=Tech Marketing Lab, [email protected]bed.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Signature Algorithm: sha256WithRSAEncryption
Signed certificate is in newcert.pem

Now, you probably want to remove the passphrase from the private key so that Apache or Nginx doesn’t ask you to input it each time you start the service. You can do this by first backing up newkey.pem and then running:

openssl rsa -in newkey.pem -out key.pem

alyu1-mbpr:~ alyu$ cp newkey.pem newkey.pem.orig
alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem:
writing RSA key

Make sure you get the “writing RSA key” message. If you don’t, you’ll get a message like this:

alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pemd
Enter pass phrase for newkey.pem:
unable to load Private Key
140735125303376:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140735125303376:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140735125303376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140735125303376:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

You now have the necessary files. You’ll want to keep them in a protected directory on the system and make them readable only by the web server.

cacert.pem – in the demoCA folder. You can rename it to cacert.crt and just double click on it in Windows or open it with the keychain in Mac and add it to your trusted certificates list.

newcert.pem – this is your certificate. In Apache, it will go with the “SSLCertificateFile” line in the /etc/apache2/sites-enabled/<site> file. In NGINX, it goes in the “ssl_certificate” line in the /etc/nginx/sites-enabled/<site> file.

key.pem – this is your private key file. In Apache, it will go with the “SSLCertificateKeyFile” line in the same file. In NGINX, it goes in the “ssl_certificate_key” line.

Enable SSL on the web server and you should be all set!
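
Before pointing Apache or NGINX at the files, it is worth checking that they actually fit together. The script below is an added example, not part of the original post; the function name check_tls_files is hypothetical, and the file names in the usage line are the ones produced by the steps above.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: sh thisfile demoCA/cacert.pem newcert.pem key.pem

check_tls_files() {
    ca=$1 cert=$2 key=$3

    # 1. The server certificate must chain to the CA you import into the browser.
    #    Matching on ": OK" works even with OpenSSL builds that exit 0 on failure.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not verify against $ca"; return 1; }

    # 2. The key must load without a passphrase, otherwise the web server will
    #    prompt at every start. An empty -passin makes openssl fail, not prompt.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: $key is unreadable or still passphrase-protected"; return 2; }

    # 3. The key must be the one the certificate was issued for: both commands
    #    print the public key in the same PEM form, so compare the text.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "FAIL: $key does not belong to $cert"; return 3; }

    # 4. An unencrypted key must not be accessible to group or others.
    #    Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other ($perms)"; return 4; }

    echo "OK: chain verifies, key matches, key permissions are tight"
}

# Run the check only when the three file names are given on the command line.
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```

A non-zero exit code identifies which of the four checks failed.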


Using 2 ISPs at home at the same time! Tomato MultiWAN – works great! (Video)

Why do you really need this? When Shibby first put out the firmware with MultiWAN support, I questioned why someone would pay for 2 service providers. Too much bandwidth utilization? If you need more bandwidth, just upgrade your line with your current ISP. It would be cheaper than getting a new line!

Do you need reliability? When you work from home and need to be connected to the Internet for your work and it’s not available, that’s when you might look into a solution like this one! I have Comcast Business. Does that help? No, not really when the problem is with the infrastructure and not a misconfiguration or something internal. It just means that when you call, you talk to someone a little more competent and you can get a person quicker than going through the phone system. You can have someone come on-site a little faster too. That said, the service is the same as that of all other consumers. After a few rains and a couple of Comcast outages (not exactly outages, but huge degradations in service), I started to think about getting a second provider. Luckily, in San Francisco, we have a few options for service providers here. I happen to be lucky enough to have access to 2 different cable providers, Comcast and Wave Broadband (formerly Astound). I used Astound before. It was not bad. My experience was not nearly as bad as what the Yelp reviews say. I’ve now had them for a couple of weeks and still have the same opinion. They seem to be just fine.

So, moving on to the implementation. As you can see from the screenshot, Shibby makes it easy! First, configure the VLAN. It points to a link for where to do it – in advanced settings. You can look at the next screenshot to see an example of the VLAN being set up. I’m using LAN port 1 for the 2nd WAN port.

In this screen, however, you might notice my “Load Balance Weight”. The problem with my service providers is that Comcast gives me unlimited bandwidth. Wave Broadband does not. Because of this, I want more connections to go out of the first WAN link and Shibby gives us a couple of ways to do it. First is with “Load Balance Weight”. I’m just setting the 1st link to 2 and 2nd WAN link to 1. You can play with the numbers to try finding your desired balance.

[Screenshot]

[Screenshot]

Another place to do load balancing is by pinning a particular host to a particular WAN link. For example, I have some traffic I want out of 1 WAN link and some out of another. This way, I can tell my highest traffic hosts to go through WAN1 while some others through WAN2.

[Screenshot]

Here’s a status window to show that I have both WANs connected.

[Screenshot]

Lastly, you can see from different searches of what’s my IP, that both WAN links are being utilized.

[Screenshot] [Screenshot]

Please post your comments and share!

How to set the NTP server on all ESX hosts in vCenter at the same time with PowerCLI

I was frustrated with a number of my lab hosts having the wrong times/timezones. Rather than going to each ESXi host to update the time servers, I ran a simple script to do it with PowerCLI.

As with any script, you must first authenticate with the vCenter or the host by running:

Connect-VIServer <hostname>

Then, we’ll cycle through each of the ESXi hosts and add an ntp server. Obviously, use the time server you want i.e. time.apple.com or clock.redhat.com 🙂

Get-VMHost | Add-VMHostNtpServer -ntpserver "0.ubuntu.pool.ntp.org"

With that set, you can then move on to punching the hole through the firewall to request the time from the servers.

get-vmhost | Get-VMHostFirewallException | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true

#Start NTP client service and set to automatic
get-vmhost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService
get-vmhost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -policy "automatic"

How to use PowerCLI to register or unregister a bunch of templates at a time …

I recently resignatured a datastore that housed all of my templates and ran into an issue with a bunch of datastores that wouldn’t unmount and a slew of orphaned templates. To get rid of them, I had to unregister them all and then register them, but had a ton, so I didn’t want to do them one at a time.

Unregistering the VM templates is easy. Just select them all, right click and click “remove from inventory”. The registering part is harder – need to browse the datastore and then right click and add to inventory and give it a name. So, I did it with PowerCLI.

The first thing we want to do is get a list of all of the vmtx files in the datastore that the templates reside in. I do it like this:

$vmtxs = gci vmstore:\$((Get-Datacenter -name "DCpod"))\templates -Recurse -Include *.vmtx | select -exp datastorefullpath

You can list it and you should see something like this:

PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> $vmtxs
[templates] Win8.1_Template/Win8.1_Template.vmtx
[templates] Windows 10 template/Windows 10 template.vmtx
[templates] Win2K8R2_Template_1/Win2K8R2_Template.vmtx
[templates] Ubuntu_Server_Template/Ubuntu_Server_Template.vmtx
[templates] Win2K12R2_Template/Win2K12R2_Template.vmtx
[templates] webservertemplate2/webservertemplate2.vmtx

With the list of files, you can loop through and register them all on a particular host like this:

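PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> foreach ($vmtx in $vmtxs)
{
    # Name each template after its .vmtx file. Splitting the path on "." would
    # cut names that contain a dot (Win8.1_Template would become 1_Template).
    $currentname = [System.IO.Path]::GetFileNameWithoutExtension($vmtx)
    $vm = New-Template -Name $currentname -TemplateFilePath $vmtx -VMHost esxhostname.domain.com
}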


ESX 6.0 – The operation is not allowed in the current connection state of the host.

UPDATE:

The things in the posting did NOT work. According to IBM’s website, the fix is to remove a package:

esxcli software vib remove -n intel-cdmv2-provider

I got this message when trying to power on a vm, trying to deploy a template, and something else.

So I read this
https://communities.vmware.com/thread/331857?start=0&tstart=0
and then I go to the host and try restarting hostd (/etc/init.d/hostd restart) and it will no longer restart.

Looking into /var/log/hostd.log, it appears that /tmp is full:

2016-02-09T06:01:01.648Z info hostd[79EC2B70] [[email protected] sub=Vimsvc.ha-eventmgr] Event 620 : The ramdisk ‘tmp’ is full.
As a result, the file /tmp/auto-backup.6942719/local.tgz could not be written.

So I look into the /tmp directory and find a file that’s 256MB – cimple_log_err_messages

cat cimple_log_err_messages
2016/02/09 23:28:57:LOG FILE ERROR: log.cpp(610) : No CIMPLE_HOME env var defined. Looking for CIMPLE_HOME
2016/02/09 23:28:57:LOG FILE ERROR: log.cpp(610) : No CIMPLE_HOME env var defined. Looking for CIMPLE_HOME

The first thing I do is to clear up the file – just run:
> cimple_log_err_messages

Then I’m able to start hostd, but how do I stop the file from filling up again?

I find this kb: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2094441

Not that it helps! It’s for 5.x. I go to the IBM url and it just leaves me more confused.

I look into disabling CIM. I find instructions here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1025757

ummm it’s for 5.x again. 🙁
Run the instructions and the sfcb watchdog just restarts by itself!

Finally, I poke around in the vSphere client and notice in the profile that there is some CIM stuff there. For the heck of it, I try disallowing communication with IBMIMM.

[Screenshot]

I believe the log messages continued after disabling it, so I continued to disable CIM as well. After disabling CIM, the log messages stopped.

[Screenshot]


Linux self-service firewall with Apache, Perl, IPtables, and UFW

I was recently in a situation where I was offering DNS service to some people. There just happened to be some records that were different from their ISPs’ DNS servers so I set up the server on my public IP address. I did not want to offer DNS to the world because last time I tried that, I got queries from all kinds of places for all kinds of records. I was initially opening up iptables when people asked for the service and gave me their IP address. After getting about 10 texts, I quickly got tired of collecting the IP addresses, so I made a webpage with a Perl script to write them to a list. With that, I would have a cron job go through the list and use UFW to update iptables to allow them access.

Here are the files inside of the directory where I’m creating the list.
dnsauth.tar

There’s a simple index.html file in the directory. It’s basically a form that asks for:
Name – who the person is. duh!
IP address – I want them to enter the IP address they want to authorize just in case they’re submitting someone else’s IP address.
Password – I don’t want just anyone to come in and get access to my DNS server.

The addip.cgi basically just writes all of those inputs and the IP address they’re coming in from into /tmp/iplist.txt in CSV format. I record the IP address they’re coming in from ($ENV{'REMOTE_ADDR'}) just in case I get abuse or something.

The root user then has a cron job that runs through the iplist.txt file every 10 minutes. Here’s my file:

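#!/bin/sh
# Run from root's crontab: process pending requests, then archive them.
if [ -f /tmp/iplist.txt ]; then
DATE=$(date +%Y%m%d)
# Keep a dated copy of the raw submissions
cp /tmp/iplist.txt /home/alton/dnsservice/iplist.txt.$DATE
# Allow DNS (UDP 53) from field 1 of every line that contains the password
for i in $(grep rice /tmp/iplist.txt | cut -f1 -d','); do /usr/sbin/ufw insert 1 allow proto udp from "$i" to any port 53; done
grep rice /tmp/iplist.txt >> /home/alton/dnsservice/authorized_dns_ips.txt
# Lines without the password are logged separately
grep -v rice /tmp/iplist.txt >> /home/alton/dnsservice/cheaters.txt
rm -rf /tmp/iplist.txt
sync
fi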

Obviously, rice was my password. I just looped through the file and authorized anyone that used the right password. I also logged anyone that used the wrong password in /home/alton/dnsservice/cheaters.txt.

Hope this was useful! I welcome any comments. Obviously, this was quick and dirty. I’m sure there is a more secure way of doing this, but this is what came easy to me. Would love to hear your thoughts!
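
One way to tighten the cron job, shown as an added example rather than the author's script: compare the password field exactly instead of grepping the whole line, and accept only well-formed IPv4 addresses before anything reaches ufw, which runs as root. The CSV layout ip,name,password,remote_addr, the function names and the sample lines are assumptions; the page only shows that field 1 is the IP.

```shell
#!/bin/sh
# Added example (not the author's script). Assumed request format, one per
# line: ip,name,password,remote_addr

# Print each requested IP whose password field matches exactly and whose
# first field is a dotted-quad IPv4 address; duplicates are printed once.
valid_requests() {
    # $1 = request file, $2 = expected password (passed via the environment
    # so awk does not interpret backslashes in it)
    EXPECTED_PW=$2 awk -F',' '
        function is_ipv4(s,    n, o, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            n = split(s, o, ".")
            for (i = 1; i <= n; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
            return 1
        }
        # Appending "" forces a string comparison, so "007" never equals "7".
        NF == 4 && ($3 "") == (ENVIRON["EXPECTED_PW"] "") && is_ipv4($1) && !seen[$1]++ { print $1 }
    ' "$1"
}

# Dry run: print the ufw commands that would be issued for accepted requests.
ufw_commands() {
    valid_requests "$1" "$2" | while IFS= read -r ip; do
        printf 'ufw insert 1 allow proto udp from %s to any port 53\n' "$ip"
    done
}

# Constructed sample input (documentation address ranges), not real submissions.
sample_requests() {
    cat <<'EOF'
198.51.100.7,alice,rice,198.51.100.7
203.0.113.9,Price,wrongpw,203.0.113.9
home-laptop,bob,rice,192.0.2.44
192.0.2.300,carol,rice,192.0.2.44
198.51.100.7,alice,rice,198.51.100.7
192.0.2.15,dave,rice,192.0.2.15
EOF
}

# Usage: sh thisfile /tmp/iplist.txt 'password'   (prints commands, runs none)
if [ "$#" -eq 2 ]; then
    ufw_commands "$1" "$2"
fi
```

In the sample, the second line would pass a plain `grep rice` because the name contains the password string; the exact field comparison rejects it.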

Getting VMware PowerCLI 6 to work on Windows 10

UPDATE: PowerCLI 6.3R1 has been released and fully supports Windows 10, so there’s no need to do the hack anymore!


PowerCLI 6 is not supported on Windows 10 yet, but I just thought I would give it a try anyway. Upon installation of PowerCLI 6 on Windows 10, I was greeted with this unwelcome screen:

[Screenshot]

Luckily and very quickly, I found this link: https://communities.vmware.com/thread/504866?start=0&tstart=0

Just an environment variable. Need to add PSModulePath with “C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\Modules” as the value and reboot.

[Screenshot]