Archive for the ‘Technical Information’ Category

DHCP Server Logs

Feb 18, 2013

There have been several instances where I was troubleshooting DHCP issues live, or needed to know which computer had a specific IP address at some point in the past. A useful way to find this information is to review the DHCP server audit logs. The server keeps only the past 7 days of logs (one file per day of the week, overwritten the following week), but if the log directory is included in your backups you can go back to any point in time.

The logs are located at C:\Windows\System32\dhcp by default (the path is configurable in the DHCP console under the server's properties, Advanced tab).

The logs are named DhcpSrvLog-Mon.log, DhcpSrvLog-Tue.log, and so on; you get the idea. There is also a separate set of logs, DhcpV6SrvLog-*.log, for DHCPv6 (IPv6) addresses.

Along the same lines, don't blindly trust the lease active/inactive status shown in the DHCP console. Sometimes a reservation exists for a device that is actually configured statically, so DHCP shows the lease as inactive while the address is very much in use. Conversely, a lease can show as active even though the device isn't properly receiving an IP address.
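To make the "who had this IP on that date" question answerable from the audit log rather than from the console, here is an added example (not part of the original post) that parses a DhcpSrvLog-*.log file and replays the lease, renew, release, delete and expire events for one address. The column layout is the one the Windows DHCP Server service writes (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...); the log lines themselves are constructed sample data, and the event-ID sets are assumptions drawn from the legend at the top of the log file.

```python
import csv
from datetime import datetime

# Constructed, abbreviated DhcpSrvLog-*.log sample. The real file opens with an
# explanatory block and an event-ID legend, then a CSV header and rows
# (Date is MM/DD/YY). Event IDs: 10 = new lease, 11 = renewal, 12 = release.
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log

Event ID  Meaning
00      The log was started.
10      A new IP address was leased to a client.
11      A lease was renewed by a client.
12      A lease was released by a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
00,02/18/13,00:00:03,Started,,,,,0,6,,,,,,,,,0
10,02/18/13,08:15:32,Assign,192.168.1.50,WS01.corp.example,001122334455,,2345671,0,,,,,,,,,0
11,02/18/13,12:15:40,Renew,192.168.1.50,WS01.corp.example,001122334455,,2345688,0,,,,,,,,,0
12,02/18/13,17:02:11,Release,192.168.1.50,WS01.corp.example,001122334455,,2345701,0,,,,,,,,,0
10,02/18/13,17:30:05,Assign,192.168.1.50,LAPTOP7.corp.example,AABBCCDDEEFF,,2345733,0,,,,,,,,,0
"""

LOG_TS = "%m/%d/%y %H:%M:%S"
# Assumed event-ID groups (from the legend in the log header):
LEASE_EVENTS = {"10", "11"}            # new lease, renewal
RELEASE_EVENTS = {"12", "16", "17", "18"}  # released, deleted, expired

def parse_dhcp_log(text):
    """Yield one dict per CSV event row, skipping the prose header block."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,Date,Time"))
    for row in csv.DictReader(lines[start:]):
        if not (row.get("ID") or "").isdigit():
            continue
        row["timestamp"] = datetime.strptime(f'{row["Date"]} {row["Time"]}', LOG_TS)
        yield row

def who_had_ip(text, ip, when):
    """Return (host name, MAC) of the client holding `ip` at `when`
    ("MM/DD/YY HH:MM:SS" in the server's local time), or None if the log
    shows no lease active at that moment."""
    cutoff = datetime.strptime(when, LOG_TS)
    holder = None
    for row in parse_dhcp_log(text):          # rows are in time order
        if row["IP Address"] != ip or row["timestamp"] > cutoff:
            continue
        if row["ID"] in LEASE_EVENTS:
            holder = (row["Host Name"], row["MAC Address"])
        elif row["ID"] in RELEASE_EVENTS:
            holder = None
    return holder

def history_for_ip(text, ip):
    """Every logged event for `ip`, oldest first: (date, time, what, host, mac)."""
    return [(r["Date"], r["Time"], r["Description"], r["Host Name"], r["MAC Address"])
            for r in parse_dhcp_log(text) if r["IP Address"] == ip]

if __name__ == "__main__":
    for event in history_for_ip(SAMPLE_LOG, "192.168.1.50"):
        print(*event)
    print(who_had_ip(SAMPLE_LOG, "192.168.1.50", "02/18/13 14:00:00"))
```

Point it at a real file with `who_had_ip(open(r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log").read(), ...)`. Two caveats: a lease that quietly expired is only logged when the server's cleanup pass records it, so compare the last renewal against the scope's lease duration before trusting a "holder" answer, and each daily file only covers that day, so a question spanning midnight needs the previous day's file as well.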

Enjoy!

Cisco terminal length 0 and --More--

From time to time I need to dump the configuration from a Cisco IOS device, such as a router or switch, for backup or review. For switch stacks or complex configurations the file can be long, and when using something like PuTTY to log the terminal/SSH session to a file there is no reason to keep pressing a key at every --More-- prompt. To avoid this, enter:
terminal length 0
at the privileged EXEC (#) prompt. From then on the output scrolls without page breaks and the entire configuration is written to the log in one pass. This also avoids having to go back and find/replace the --More-- artifacts in the dump. Note that the setting applies to the current session only; to make it permanent for the console or vty lines, use the length 0 command under the line configuration.
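For captures taken before anyone remembered terminal length 0, here is an added example (not from the original post) that removes the --More-- paging artifacts from a saved session log and checks that the dump actually reached the closing "end" line before you file it as a backup. The sample capture is constructed; the exact backspace/space sequence IOS uses to erase the prompt varies by version and terminal, so the pattern tolerates any run (an assumption made for this example).

```python
import re

# " --More-- " plus the run of backspaces/spaces IOS sends to erase the prompt
# after a keypress. Counts vary by IOS version and terminal, so any run is
# accepted (assumption for this example).
MORE_PROMPT = re.compile(r"[ \t]*--More--[ \t]*[\x08 ]*")

def clean_capture(captured: str) -> str:
    """Normalise line endings and strip --More-- paging artifacts from a
    session log captured without 'terminal length 0'."""
    text = captured.replace("\r\n", "\n").replace("\r", "\n")
    return MORE_PROMPT.sub("", text)

def looks_complete(config_text: str) -> bool:
    """A full 'show running-config' / 'show startup-config' dump ends with the
    line 'end'; a trailing prompt line (Switch#) is tolerated. Check this
    before trusting a captured file as a backup."""
    lines = [line.rstrip() for line in config_text.splitlines() if line.strip()]
    while lines and lines[-1].endswith(("#", ">")):
        lines.pop()                      # drop the prompt echoed after output
    return bool(lines) and lines[-1] == "end"

# Constructed sample of a PuTTY log where space was pressed once at --More--.
SAMPLE_CAPTURE = (
    "Switch#show running-config\r\n"
    "Building configuration...\r\n"
    "!\r\n"
    "interface GigabitEthernet1/0/1\r\n"
    " description Uplink\r\n"
    " --More-- " + "\x08" * 9 + " " * 9 + "\x08" * 9 + "interface GigabitEthernet1/0/2\r\n"
    " shutdown\r\n"
    "end\r\n"
    "Switch#"
)

if __name__ == "__main__":
    cleaned = clean_capture(SAMPLE_CAPTURE)
    print(cleaned)
    print("complete:", looks_complete(cleaned))
```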

Enjoy!

REU Power Outage – South East Redding

Redding Electric Utility (REU) is reporting a power outage in South East Redding today. No ETA for restoration. This was caused by a sub-station outage.

ca.gov email servers under spam attack

For the past couple of days many ca.gov domains have been under attack with a huge volume of spam. The result is effectively a denial of service against the mail servers, which are saturated with connection attempts. This has caused many emails to sporadically bounce because the sending SMTP servers are unable to connect to the ca.gov mail servers.

Using a hosted inbound mail filtering service such as Postini or MxLogic can help your organization avoid this problem: these services front your domain with multiple inbound SMTP servers, absorb the connection load before it reaches you, and are focused on the stability and reliability of that service so you don't have to be.

W32/autorun.worm.aaeb-h Outbreak

Nov 28, 2012

I don't typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequent. For the most part, if you run your network and systems with defense in depth and the principle of least privilege, you should be fine, and as long as you are not running as a local administrator on your workstation you should also be fine. But every once in a while a piece of malware becomes noteworthy.

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it sets the file attributes so the executable is hidden from a default Explorer view. On removable media (think USB flash drives, or even MP3 players) it writes an autorun.inf that launches the executable when the media is inserted. It also targets files with common extensions such as audio/video (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of any of the following file names indicates you may have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable the autorun feature
  • Prevent the use of USB media on mission-critical servers
  • Ensure on-access scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb
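The indicator list above is easy to turn into a quick sweep of a share or a suspect USB stick. Here is an added example (not from the post or from McAfee) that walks a mounted volume and reports three things the post describes: the known file names, an autorun.inf whose open= / shellexecute= / shell\...\command= key launches an executable, and executables carrying the hidden attribute (that last check only works on Windows, where os.stat exposes st_file_attributes; elsewhere it is skipped). The sample volume is constructed in a temporary directory for demonstration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Indicator file names from the post (McAfee PD24169).
INDICATOR_NAMES = {"secret.exe", "sexy.exe", "pron.exe", "password.exe", "x.mpeg"}
LAUNCHABLE = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs")

# autorun.inf keys that cause a program to run on insertion or double-click.
AUTORUN_LAUNCH = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=\r\n]+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def is_hidden(path: Path) -> bool:
    """Hidden-attribute check. st_file_attributes exists only on Windows, so
    on other platforms this returns False and the check is effectively skipped."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return attrs is not None and bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan_volume(root):
    """Return [(path relative to root, reason)] for a mounted share or
    removable volume. A hit is a lead to investigate, not proof of infection."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        name = path.name.lower()
        if name in INDICATOR_NAMES:
            findings.append((rel, "known worm file name"))
        if name == "autorun.inf":
            for key, target in AUTORUN_LAUNCH.findall(path.read_text(errors="replace")):
                if target.lower().endswith(LAUNCHABLE):
                    findings.append((rel, f"autorun.inf {key}= launches {target}"))
        if name.endswith(LAUNCHABLE) and is_hidden(path):
            findings.append((rel, "hidden executable"))
    return findings

def build_sample_volume():
    """Constructed fake USB volume laid out like an infected drive (demo data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_bytes(
        b"[autorun]\r\nopen=Secret.exe\r\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
    (root / "Secret.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "Music").mkdir()
    (root / "Music" / "song.mp3").write_bytes(b"ID3")
    (root / "Music" / "x.mpeg").write_bytes(b"MZ")
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_volume(build_sample_volume()):
        print(f"{reason:45} {rel}")
```

Run it as `scan_volume(r"\\fileserver\share")` or `scan_volume("E:\\")` from an account that can read the whole tree; on a large share the sorted rglob is the slow part, so scope it to the top few levels where this worm drops its copies.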

How to Remove a XenServer Slave when it No Longer Exists in the Pool

Citrix article CTX126382 describes how to remove a XenServer slave from a pool, but it does not completely clean up afterward. The host itself is removed, but the storage repositories that belonged to it, such as its DVD drive and local storage, are left behind in the pool database as disconnected.

To clean these up perform the following:

1) In XenCenter, click on the disconnected storage repository.

2) On the General tab, right-click on the UUID and select Copy.

3) In the pool master's console, type: xe sr-forget uuid= and then right-click to paste, which inserts the UUID of the disconnected storage repository.

Repeat this process for all disconnected storage repositories, which typically means the departed host's local storage, DVD, and removable storage. Note that sr-forget only removes the SR record from the pool database; make sure the UUID you paste belongs to the departed host's own storage and not to a shared SR that the remaining hosts still use.
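When several hosts have been ejected, clicking through every disconnected SR gets tedious, so here is an added example (not from the Citrix article or the post) that generalises the three steps above: it asks the xe CLI for every SR, skips shared ones, and reports any SR that has no PBD at all or whose PBDs only reference host UUIDs that are no longer in the pool, then prints the sr-forget commands for review. The xe commands used (sr-list, sr-param-get, pbd-list, pbd-param-get, host-list, all with --minimal output) are real; the pool contents are constructed through a fake command runner so the logic can be exercised off-box.

```python
import subprocess

def xe(args):
    """Run an xe CLI command on the pool master and return stripped stdout."""
    return subprocess.run(["xe", *args], check=True, capture_output=True, text=True).stdout.strip()

def minimal_list(out):
    """xe --minimal prints comma-separated UUIDs (empty string for none)."""
    return [item for item in out.split(",") if item]

def orphaned_srs(run=xe):
    """Return [(sr_uuid, name_label, reason)] for SRs no live host can attach:
    either no PBD remains, or every PBD points at a host UUID that has left
    the pool. Shared SRs (NFS, iSCSI, shared ISO libraries) are never reported."""
    hosts = set(minimal_list(run(["host-list", "--minimal"])))
    orphans = []
    for sr in minimal_list(run(["sr-list", "--minimal"])):
        if run(["sr-param-get", f"uuid={sr}", "param-name=shared"]).lower() == "true":
            continue
        name = run(["sr-param-get", f"uuid={sr}", "param-name=name-label"])
        pbds = minimal_list(run(["pbd-list", f"sr-uuid={sr}", "--minimal"]))
        if not pbds:
            orphans.append((sr, name, "no PBD left"))
            continue
        pbd_hosts = {run(["pbd-param-get", f"uuid={p}", "param-name=host-uuid"]) for p in pbds}
        if not pbd_hosts & hosts:
            orphans.append((sr, name, "PBDs reference departed host(s) " + ",".join(sorted(pbd_hosts))))
    return orphans

def forget_commands(orphans):
    """The manual step 3 from the post, one line per orphaned SR."""
    return [f"xe sr-forget uuid={sr}" for sr, _, _ in orphans]

def fake_pool():
    """Constructed pool state standing in for a real xe: one live host
    (h-master) and the leftovers of an ejected host (h-gone)."""
    srs = {  # uuid: (name-label, shared, [(pbd uuid, host uuid)])
        "sr-nfs": ("NFS ISO library", "true", [("pbd-1", "h-master"), ("pbd-2", "h-gone")]),
        "sr-local-master": ("Local storage", "false", [("pbd-3", "h-master")]),
        "sr-local-gone": ("Local storage", "false", [("pbd-4", "h-gone")]),
        "sr-dvd-gone": ("DVD drives", "false", []),
    }
    table = {("host-list", "--minimal"): "h-master",
             ("sr-list", "--minimal"): ",".join(srs)}
    for uuid, (name, shared, pbds) in srs.items():
        table[("sr-param-get", f"uuid={uuid}", "param-name=shared")] = shared
        table[("sr-param-get", f"uuid={uuid}", "param-name=name-label")] = name
        table[("pbd-list", f"sr-uuid={uuid}", "--minimal")] = ",".join(p for p, _ in pbds)
        for p, h in pbds:
            table[("pbd-param-get", f"uuid={p}", "param-name=host-uuid")] = h
    return lambda args: table[tuple(args)]

if __name__ == "__main__":
    found = orphaned_srs(fake_pool())      # use orphaned_srs() on a real master
    for sr, name, reason in found:
        print(f"{sr}  {name!r}: {reason}")
    print("\n".join(forget_commands(found)))
```

On a real pool master call `orphaned_srs()` with the default runner and read the list before pasting any of the generated commands; the script deliberately prints rather than executes sr-forget.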

DHCP Best Practices

Here are several DHCP best practices collected from various resources including CompTIA and Microsoft:

  • Always define the scope over the entire subnet (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges that use static IP addresses, and for future growth, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP is critical, or for larger networks, consider two DHCP servers configured in an 80/20 split (however, Windows Server 2012 adds DHCP failover, which replaces the 80/20 split with two servers that share lease state)
  • Configure Active Directory credentials (a dedicated account, not a domain admin) so the DHCP server can register client records in DNS using secure dynamic updates
  • Use "server side conflict detection" only when needed. This feature delays DHCP from handing out an address until it has first sent an ICMP ping to check whether the address is already in use by something DHCP doesn't know about (i.e. statically assigned within the lease range without an exclusion or active lease). Each attempt adds latency to every offer, so keep the attempt count low
  • The default DHCP lease time is 8 days; if you have a separate scope for guest or wireless clients, consider a shorter lease such as 8 hours, and conversely for fixed devices (printers, etc.) consider 16-24 days
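The 80/20 split is easy to describe and easy to get wrong in the console, because both servers must define the same full-subnet scope with the same static exclusions, and then each must additionally exclude the other server's share. Here is an added example (not from the post or from Microsoft) that works the arithmetic with the standard library ipaddress module: given the subnet and the common exclusions, it reports how many leases each server owns and exactly which extra exclusion range to enter on each one. The subnet and exclusion ranges are constructed sample input.

```python
from ipaddress import ip_address, ip_network

def expand_range(first, last):
    """All addresses from `first` to `last` inclusive (an exclusion range)."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [ip_address(i) for i in range(lo, hi + 1)]

def collapse(addrs):
    """Turn an ascending list of addresses into (first, last) contiguous ranges,
    which is the form the DHCP console wants for an exclusion."""
    ranges = []
    for a in addrs:
        if ranges and int(a) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = a
        else:
            ranges.append([a, a])
    return [(str(f), str(l)) for f, l in ranges]

def split_scope(network, exclusions, primary_share=0.8):
    """Plan an 80/20 split. Both servers define the whole subnet as the scope and
    carry the common exclusions; each then also excludes the other's share so
    no address can be offered twice."""
    net = ip_network(network)
    hosts = list(net.hosts())
    excluded = set()
    for first, last in exclusions:
        excluded.update(expand_range(first, last))
    usable = [h for h in hosts if h not in excluded]
    cut = round(len(usable) * primary_share)
    primary, secondary = usable[:cut], usable[cut:]
    return {
        "scope": (str(hosts[0]), str(hosts[-1])),
        "common_exclusions": list(exclusions),
        "primary": {"leases": len(primary), "exclude_also": collapse(secondary)},
        "secondary": {"leases": len(secondary), "exclude_also": collapse(primary)},
    }

# Constructed sample: /24 with the first 20 addresses static and 10 reserved for printers.
SAMPLE_PLAN = split_scope(
    "192.168.1.0/24",
    [("192.168.1.1", "192.168.1.20"), ("192.168.1.200", "192.168.1.209")],
)

if __name__ == "__main__":
    for key, value in SAMPLE_PLAN.items():
        print(f"{key}: {value}")
```

Because the split is done on the usable list after exclusions, the 20 percent server is not accidentally handed the printer block, and the per-server "exclude_also" ranges are what you type into each server's scope in addition to the common exclusions. Remember that this scheme only splits the address pool; it does not replicate lease state, which is what the Server 2012 failover feature adds.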