Wednesday, 26 August 2020

IIS on Windows Server Core

Windows is famous for its GUI, which makes everything easier. But when you have a Windows Server Core machine under your management without any documentation, it makes you wonder why anyone installs Server Core at all. Is it more secure than a full Windows Server?

We will not talk about security now. What we are going to talk about here is installing an SSL certificate to be used by the web service.

It is quite easy with a few commands, but the diligence required to find out which command to run is the aha moment.

Here I document my journey and the process.

1. You will need another Windows Server with a GUI to be able to manage the Server Core machine through the graphical tools.

2. Install the certificate and its root using the Windows MMC; put the root in the Trusted Root Certification Authorities store.

3. You have the certificate in .pfx format to install on IIS, but you cannot do that via the remote IIS console. That is by design.

4. The way to install the .pfx is to copy your certificate to the Core server and run:
    C:\> certutil -importpfx <Path to certificate file>
    If prompted for the password, enter it and the import will succeed.

5. The last part: change the binding using the remote IIS console. Your new SSL certificate will show up in the list of certificates.

One note: the IIS Management Service (WMSVC) is not running on the Core server by default; you can start it with:

C:\> net start WMSVC

In my experience with this, Microsoft Windows really tries to be like Linux in part, but it won't be the same.

In Linux, every config file is accessible with a text editor.

That's all for my experience. Hope it helps someone.

And I did it!!!

Wednesday, 15 July 2020

Compile Erlang using Kerl with crypto module

When working with Erlang, we may need an old version to run an Erlang app that has not yet been upgraded.
Running multiple Erlang versions works like a Python environment, if you come from Python.

So in Erlang we use kerl, which can switch between multiple Erlang versions. So here we go.

We are using Debian 10.x (buster). A prerequisite before you can finish is to install the dev tools:

# apt-get install build-essential autoconf libncurses5-dev openssl libssl-dev fop xsltproc unixodbc-dev libz-dev

Then get the OpenSSL version supported by your Erlang release. Here I use the 17.5.x release, which requires OpenSSL 1.0.x to compile properly with the crypto module.



$ git clone git@github.com:openssl/openssl.git --branch OpenSSL_1_0_2-stable
$ cd openssl
$ mkdir __result
$ ./config --prefix="${HOME}/openssl" shared zlib -fPIC
$ make depend
$ make
$ make install INSTALL_PREFIX="/home/me/openssl/__result"


Then we can start the kerl compilation.

Get kerl:

$ curl -O https://raw.githubusercontent.com/kerl/kerl/master/kerl
$ chmod a+x kerl

Make the SSL build available to the kerl compiler:

# the path is INSTALL_PREFIX plus --prefix from the OpenSSL build above
$ export KERL_CONFIGURE_OPTIONS="--with-ssl=/home/me/openssl/__result/home/me/openssl"
$ mkdir ~/.kerl
$ ./kerl build 17.5.3 17.5.3

The build output should indicate that SSL is included.
Then continue with the installation:

$ ./kerl install 17.5.3 ~/.kerl/17.5.3

To test, run Erlang:

$ . ~/.kerl/17.5.3/activate
$ erl
> crypto:start().

There should be no error if the installation succeeded.

Now go and make that fault-tolerant app with zero downtime.


Thursday, 25 June 2020

Panic: cannot log in to Linux

Panic! That's what happens when you cannot log in to a critical system you manage, even though its services are running properly.

Recently I made some changes to /etc/security/limits.conf and it locked everyone out. No SSH login could be done, but all the services were running properly.

To the rescue: we need to log in to the system and revert the changes, and to do that we need to go into single-user mode.

We do this on a CentOS 7.x system, whose GRUB boot loader is different from the old version.

So here is how to do it step by step, without panic.

  • Reboot your machine and immediately go to the GRUB boot menu.
  • Choose one boot option and press "e" to edit the entry.
  • Look for the following entry:
    linux16 /boot/vmlinuz-3.10.0-123.el7.x86_64 root=UUID=act2884249823928928392 ro  xxxxxx
  • Change the ro to:
    rw init=/sysroot/bin/sh
  • Then continue the boot by pressing Ctrl+x. No worries: the edit is not saved, so after you finish you can reboot and the GRUB entry will still be the old one.
  • Once booted into the single-user shell, enter the root filesystem, which is mounted at /sysroot:
    # chroot /sysroot/
  • After this step you can revert any settings you made to restore a working state.
  • On our side, it's /etc/security/limits.conf
  • When finished, reboot the machine into production mode:
    # reboot -f
No more panic attacks, if you know what you are doing.

Always make sure you have a backup of the OS.
Or, the better way these days, use containers.


Thursday, 11 June 2020

Compiling GoLang application

When using Go, some basic setup needs to be done to be able to compile any Go application from GitHub.
To do that, install Go, then set up a workspace in your home directory.

Let's say /home/geek/go/

Inside that folder create a src folder, and put all the Go apps you want to compile there.

Then remember to set the GOPATH environment variable.

In ~/.bashrc set:

export GOPATH=/home/geek/go

Say you have a killer-app downloaded from GitHub with Go source code.
Put it inside /home/geek/go/src/killer-app/

Then do this:

$ cd /home/geek/go/src/killer-app/
$ go get ./...
$ go build

A binary called killer-app will be created by the compile.

Then profit.


Sunday, 7 June 2020

Stateful and Stateless widgets in Flutter

In Flutter we have two types of widget: stateful and stateless. The difference is that a stateless widget never changes after it is rendered, while a stateful widget can change after it has been rendered.

There is a difference in how to use them. Because Flutter uses widget inheritance, we always override some functions or properties of the widget; there are a lot of inherited methods in Flutter.

Let's go with the stateless widget first. On a stateless widget, the one we override is the build function.
Below is the example code.

import 'package:flutter/material.dart';

void main() => runApp(MyApp());

class MyApp extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Measures Converter',
      home: Scaffold(
        appBar: AppBar(
          title: Text('Measures Converter'),
        ),
        body: Center(
          child: Text('Measures Converter'),
        ),
      ),
    );
  }
}


And for a stateful widget, we override the createState method, which returns the State object whose build method we then override.

import 'package:flutter/material.dart';

void main() => runApp(MyApp());

// The widget itself is immutable; it only creates its State object.
class MyApp extends StatefulWidget {
  @override
  MyAppState createState() => MyAppState();
}

// The mutable state lives here, and build() is overridden on the State.
class MyAppState extends State<MyApp> {
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Measures Converter',
      home: Scaffold(
        appBar: AppBar(
          title: Text('Measures Converter'),
        ),
        body: Center(
          child: Text('Measures Converter'),
        ),
      ),
    );
  }
}


Saturday, 6 June 2020

Basic Flutter Scaffolding

Flutter makes the development enjoyable and fast.

Here is a template for creating a basic layout.

We create an app with an app bar and a body:

import 'package:flutter/cupertino.dart';
import 'package:flutter/material.dart';

void main() => runApp(MyApp());

class MyApp extends StatelessWidget {
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'My Work Timer',
      theme: ThemeData(
        primarySwatch: Colors.blueGrey,
      ),
      home: Scaffold(
        appBar: AppBar(
          title: Text('My Killer App'),
        ),
        body: Center(
          child: Text('My Killer App'),
        ),
      ),
    );
  }
}


Mobile Development with Flutter

Nowadays, mobile development does not need to be tricky and hard.

Old-timers in mobile development used Java for Android and Objective-C for iOS, which means two codebases for the two platforms, Android and iOS.

The other path was hybrid: using web development techniques and just loading a web view in the application, so developers could use web development tools and styles to build mobile apps.

Now Google has developed Flutter on top of Dart, which delivers the old Java slogan "code once, run on any mobile platform" (Android / iOS), but this time with happiness.

In Flutter everything is a widget; the tooling is all free and available, and the generated app also looks beautiful because templates such as Material Design or Cupertino for iOS are provided.

My interest in Flutter has been increasing after watching the progress of Flutter for some time. As of this writing, Flutter version 2.7.0 is used in my development tools.

I will be blogging about Flutter features here, and this will also serve as my Flutter docs on my journey with Flutter.

Hope you enjoy it.

Thursday, 28 May 2020

Securing your Web services using Nginx


If we have an API service and want to publish it to the public, it is better to use a reverse proxy like Nginx to handle all the dirty traffic trying to take down your service.

With Nginx in front, your API server can live and prosper without minding the dirty requests that would otherwise reach it.

So let's do the Nginx configuration for securing your backend API server.



    add_header Cache-Control public;
    add_header X-Frame-Options "DENY";
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Content-Security-Policy-Report-Only "script-src https://skyway.shineapi.net";
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security 'max-age=31536000;includeSubDomains;preload;' always;
    add_header Referrer-Policy no-referrer-when-downgrade;

    if ($http_referer = "") { return 403; }


With the above configuration, any request to your API is handled by Nginx and protected by these headers, which are the web security standard for securing any web app in the wild.

I will put the explanation of each header in another blog post.
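An added example, not from the original post, of checking that a server actually returns the headers configured above: a Python audit that parses a raw HTTP response header block (the sample below is constructed) and reports which of the post's headers are missing or weaker than configured.

```python
import re

# Values from the add_header lines above; names compare case-insensitively
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer-when-downgrade",
}
MIN_HSTS_AGE = 31536000  # one year, the max-age used in the config above


def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response block."""
    headers = {}
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:  # skip status
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return findings for headers missing or weaker than the configured policy."""
    h = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name} is '{got}', expected '{want}'")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("missing strict-transport-security")
    else:
        if int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(f"hsts max-age {m.group(1)} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts lacks includeSubDomains")
    if not any(k.startswith("content-security-policy") for k in h):
        findings.append("missing content-security-policy")
    return findings


# Constructed sample response: one header skipped, CSP absent, short HSTS lifetime
SAMPLE = """HTTP/1.1 200 OK
Content-Type: application/json
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=3600; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
"""
```

Note that the `if ($http_referer = "")` rule in the config rejects every client that sends no Referer at all, which includes most non-browser API clients such as curl, so test it against your real consumers before relying on it.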


Thursday, 7 May 2020

Monitoring tools in the new age with Grafana

We know the old-school monitoring tools: Nagios, Cacti, collectd. Well, that's what I use on my job to monitor infrastructure.

No fancy graphics or display, no filters, only plain time-range values of the monitored data.

Now we see Grafana. I tried Grafana and it looks like Elastic's Kibana. Well, apparently Grafana was a fork of Kibana 3.0. Grafana is free to use, but there is also an enterprise version with support.

With Grafana we can connect to multiple data stores. What I tried was Prometheus, as it can generate the data and also has its own TSDB; no extra DB is needed for storage.

We can also expose our application metrics for Prometheus to scrape and display.

Now at version 6.x, Grafana has many plugins and chart templates to use.

It can also be used as your monitoring dashboard to show alerts.

Alerts can be set using Prometheus Alertmanager; everything is there to be made use of.

Let's continue the journey with Grafana + Prometheus + Prometheus Alertmanager.

Wednesday, 6 May 2020

Create a service on a Linux box

On a Linux box, everything that runs at startup is a service.

Service unit files live in /etc/systemd/system/servicename.service

Steps to create a service:
1. Create a service user account
2. Change ownership of the config file to the service account
3. Create a service file to be loaded at startup

Create the service user account the secure way (no home directory, no login shell):

  • $ sudo useradd --no-create-home --shell /bin/false blackbox_exporter

Here is a template for creating a service that uses the user created above.

[Unit]
Description=Blackbox Exporter
Wants=network-online.target
After=network-online.target

[Service]
User=blackbox_exporter
Group=blackbox_exporter
Type=simple
ExecStart=/usr/local/bin/blackbox_exporter --config.file /etc/blackbox_exporter/blackbox.yml

[Install]
WantedBy=multi-user.target

This goes inside the .service file.

Then we need to reload the daemon:

# systemctl daemon-reload

And the service can be started with:

# systemctl start service_name

To enable it at boot:

# systemctl enable service_name

Hope this helps.

Thursday, 27 February 2020

Exchange server error 452-4-3-1-insufficient-system-resources


When Microsoft Exchange cannot receive any email from other parties, many things could be happening. Make sure you pinpoint the exact issue by looking at the Exchange event logs on the server. Also, if possible, get the NDR report from the sending party, so we know exactly what Exchange returned when the error happened. Usually a mature mail system returns a specific error so the administrator can resolve the problem.


In this case, we got the error message from the sender, which was 452 4.3.1 insufficient system resources. What we learned from this was:
  1. The server is reachable
  2. The SMTP service is up
  3. When the sending completes, it fails with insufficient system resources

According to the Exchange documentation, this error is related to storage, so the situation was: when Exchange went to store the received message to disk, it returned an error because of insufficient resources.

Microsoft Exchange Transport is rejecting message submissions because the available disk space has dropped below the configured threshold. The following resources are under pressure:
Queue database logging path ("C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue\") = 96% [High] [Normal=92% Medium=94% High=96%]

Physical memory load = 90% [limit is 94% to start dehydrating messages.]
The following components are disabled due to back pressure:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from Pickup directory
Mail submission from Replay directory
Mail submission from Mailbox server
Content aggregation
The following resources are in normal state:
Queue database path ("C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue\mail.que") = 95% [Normal] [Normal=95% Medium=97% High=99%]
Version buckets = 0 [Normal] [Normal=80 Medium=120 High=200]
Private bytes = 14% [Normal] [Normal=71% Medium=73% High=75%]
Batch Point = 0 [Normal] [Normal=2000 Medium=4000 High=8000]
Submission Queue = 0 [Normal] [Normal=1000 Medium=2000 High=4000]

Microsoft Exchange has a monitoring component, Back Pressure, which monitors available resources, including free space on the disk where the Exchange Transport service queue is located.
Checking the disk resources on the server, we had plenty of disk: 1.4TB with 100GB free. This was strange.

Some behavior to note when the threshold is exceeded; Exchange can:

- Medium (90%) threshold: stop receiving mail over SMTP from external senders (MAPI client e-mails are still processed)
- High (99%) threshold: mail flow stops being processed completely

Digging deeper into the event log, we found that the Exchange transport drive was flagged because the available disk space had dropped below the configured threshold. Reading the Microsoft documentation, it states that the Exchange Transport service needs to retain a minimum of 10% free disk space on the volume where the transport role folder resides.

So in this case the 1.4TB volume needs a minimum of 10% free, which is 140GB, and that was not met since only 100GB was left. This is by design, to prevent a full disk and an Exchange crash.
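As an added example, not from the original post, here is a small Python parser for the back-pressure event text quoted above: it pulls each resource with its thresholds, recomputes the state from the Medium and High marks, and lists the resources under pressure. The sample event is constructed from the numbers in the post; the Normal mark (the level at which Exchange returns to normal) is not modelled.

```python
import re

# Constructed sample in the format of the transport event quoted above;
# the numbers are the ones from the post
EVENT = """The following resources are under pressure:
Queue database logging path ("C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\data\\Queue\\") = 96% [High] [Normal=92% Medium=94% High=96%]
Physical memory load = 90% [limit is 94% to start dehydrating messages.]
The following resources are in normal state:
Queue database path ("C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\data\\Queue\\mail.que") = 95% [Normal] [Normal=95% Medium=97% High=99%]
Version buckets = 0 [Normal] [Normal=80 Medium=120 High=200]
Private bytes = 14% [Normal] [Normal=71% Medium=73% High=75%]
"""

# name [("path")] = value[%] [State] [Normal=a Medium=b High=c]
RESOURCE_RE = re.compile(
    r'^(?P<name>[^=(]+?)(?: \((?P<path>"[^"]*")\))? = (?P<value>\d+)%? '
    r'\[(?P<state>\w+)\] \[Normal=(?P<normal>\d+)%? Medium=(?P<medium>\d+)%? '
    r'High=(?P<high>\d+)%?\]$'
)


def parse_back_pressure(text):
    """Return one dict per resource line that carries thresholds."""
    resources = []
    for line in text.splitlines():
        m = RESOURCE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("value", "normal", "medium", "high"):
                d[key] = int(d[key])
            resources.append(d)
    return resources


def classify(value, medium, high):
    """State implied by the thresholds: High at or above the high mark,
    Medium at or above the medium mark, otherwise Normal."""
    if value >= high:
        return "High"
    if value >= medium:
        return "Medium"
    return "Normal"


def resources_under_pressure(text):
    """Names of resources whose recomputed state is not Normal."""
    return [r["name"] for r in parse_back_pressure(text)
            if classify(r["value"], r["medium"], r["high"]) != "Normal"]
```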

The solution was easy: just add more disk by expanding the drive, or move the transport role folder to another disk if you cannot expand it. Once the free space is back above the threshold, restart the Microsoft Exchange Transport service and everything will run again.

If you want to move the transport queue to another disk, edit the config in the Exchange install located at
$env:ExchangeInstallPath\bin\EdgeTransport.exe.config with the following changes:

<add key="QueueDatabasePath" value="C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue" />

<add key="QueueDatabaseLoggingPath" value="C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue" />

When changing the transport queue path, leave the content and just restart the transport service; Exchange will recreate the folder automatically.

Note: the old directory can safely be removed.

In my case, we just extended the disk without restarting the servers.

Sunday, 12 January 2020

Squid delay pools setup

Squid can do bandwidth management and separate access speed by group.

Below is an example setup:


########################################### define networks
acl all src 0.0.0.0/0.0.0.0
acl unlimited src "/etc/squid/unlimited.txt"
acl our_1mbps src "/etc/squid/our_1mbps.txt"
acl our_512kbps src "/etc/squid/our_512kbps.txt"
acl our_256kbps src "/etc/squid/our_256kbps.txt"

######### give access
http_access allow unlimited
http_access allow our_1mbps
http_access allow our_512kbps
http_access allow our_256kbps
http_access deny all

##### define delay pools
# delay_parameters values are bytes per second: 131072 = 1 Mbit/s,
# 65536 = 512 kbit/s, 32768 = 256 kbit/s; -1 means unlimited
delay_pools 4
delay_class 1 2
delay_access 1 allow unlimited
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1

delay_class 2 2
delay_access 2 allow our_1mbps
delay_access 2 deny all
delay_parameters 2 -1/-1 131072/131072

delay_class 3 2
delay_access 3 allow our_512kbps
delay_access 3 deny all
delay_parameters 3 -1/-1 65536/65536

delay_class 4 2
delay_access 4 allow our_256kbps
delay_access 4 deny all
delay_parameters 4 -1/-1 32768/32768

With the above setup, clients are limited to the listed bandwidth; the delay_parameters values are in bytes per second, so 131072 bytes/s is 1 Mbit/s.
