July 17 2016

Sending Email Checklist

Email is one of those pains that every server admin must go through. Between possibly being blacklisted, setting up DNS records, and trying to stay out of the SPAM folder, it’s just a nightmare! Fortunately, it’s pretty simple to fix.

  • Make sure you have a hostname that’s not localhost.localdomain.
    • By default all 1&1 CloudServers are configured this way, though cPanel asks you to set up a hostname during the creation process.
    • Name it something that’s actually going to resolve: cloudserver1.mydomain.com should have an A record that points back to your server. You don’t need anything listening like HTTP, just make sure the hostname resolves.
  • Make sure you’re not blacklisted.
    • It doesn’t matter whether the IP was blacklisted beforehand or not; check the IP and get information about why it’s blacklisted. Chances are it’s because an email went out while you were still “localhost.localdomain”.
    • Blacklist removals are almost too simple: instead of trying to find a “clean” IP, just get it removed and take ownership of your new address.
  • Create a PTR record for the IP and set it to your hostname.
    • cloudserver1.mydomain.com => 123.123.123.123, so 123.123.123.123 => cloudserver1.mydomain.com
  • Set up an SPF record on the domains that are sending mail, or on the domain of the mail server that’s going to be used.
    • Remember to list your IPv4 and/or IPv6 address with the ip4:/ip6: mechanisms: “v=spf1 ip4:123.123.123.123 -all”
    • Use both SPF records and TXT records with the SAME values.
  • Ensure that you can communicate on port 25 from the server that’s sending email.
    • Try telnetting to a remote server on port 25 from your server. If you can’t communicate outbound on 25, it’s likely blocked.
      • 1&1 by default filters port 25 on CloudServers to limit spam. If you’re sure you have security set up (all email clients will come through via 587, you won’t operate an open relay, etc.), then call and ask to have the port unfiltered.

After doing all of this, one of three things should happen:

  • Your email gets sent and hits the inbox without issue.
    • Congrats, you’ve successfully set up your email server!
  • Your email gets sent and hits the spam folder.
    • Check the email headers, look for why it was filtered, and fix it:
      • Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 123.123.123.123 as permitted sender) <== This means that you don't have ip4:123.123.123.123 in your SPF record (and you used ~all)!
      • Received-SPF: neutral (google.com: 123.123.123.123 is neither permitted nor denied by best guess record for domain of [email protected]) <== This means you don't have an SPF record at all!
  • Your email doesn’t get sent out at all.
    • Check your mail log or any bounceback you receive to try and fix it:
      • “Refused to talk to me” – chances are you’re blacklisted. Check for a postmaster link and recheck your domain/IP for blacklists.
      • “550-5.7.1 [123.123.123.123] The IP address sending this message does not have a PTR record setup. As a policy, Gmail does not accept messages from IPs with missing PTR records.” <== This means that you don’t have a PTR record set up!
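To see how a receiving server turns the SPF record from the checklist into the pass/fail/softfail/neutral verdicts shown in the headers above, here is an added example (not from the original post) of a minimal SPF evaluator for the ip4:/ip6:/all mechanisms. It does no DNS lookups, so include:/a:/mx: terms are skipped; the sample records and IPs are constructed.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). A bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate sender_ip against an SPF TXT record string.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4:, ip6: and all are implemented; include:/a:/mx:/redirect=
    would need DNS and are treated as non-matching (assumption of this
    example, not a full SPF implementation).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record: Gmail reports "neutral ... best guess record"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" matches everything, so "-all" -> fail, "~all" -> softfail
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP => /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism/modifier: skipped (no DNS in this example)
    return "neutral"  # nothing matched and no "all" term: default is neutral


# Constructed records mirroring the checklist
GOOD_RECORD = "v=spf1 ip4:123.123.123.123 -all"
MISSING_IP_SOFT = "v=spf1 ip4:198.51.100.7 ~all"   # server IP not listed, ~all used

if __name__ == "__main__":
    print(check_spf(GOOD_RECORD, "123.123.123.123"))     # pass
    print(check_spf(GOOD_RECORD, "203.0.113.9"))         # fail
    print(check_spf(MISSING_IP_SOFT, "123.123.123.123")) # softfail, as in the header above
    print(check_spf("", "123.123.123.123"))              # none (no record at all)
```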


March 28 2016

CentOS 7 | Reset Root Password | Grub Method

Imagine the situation where your administrator is fired or quits, takes the root password of the server with him, and you need access to the server right now. Fortunately, Linux makes the process incredibly easy since you have local access, at least in the eyes of the Linux OS. All this method requires is the ability to manipulate GRUB, so if you have a way of seeing the GRUB menu and working with it, then this method is for you.

Let’s Get Started

  1. Reboot the server and get to the GRUB menu.
  2. Go to the line that says “linux16”.
    1. There are going to be a few more lines compared to CentOS 6’s method; just scroll slowly, it’s there.
  3. Using the Right arrow, go into the “linux16” line and find the word “ro”.
    1. This tells the kernel to mount the root filesystem read-only at boot; normally it gets remounted read/write later in the boot process. We want to bypass that.
  4. Change “ro” to “rw” and follow it up with “init=/sysroot/bin/sh”.
    1. “ro” becomes “rw init=/sysroot/bin/sh”
  5. Press Ctrl-X to boot with this configuration.
    1. Note that this doesn’t save the configuration; it just lets you boot with it for this session.
  6. Now you should have root access; type the “passwd” command to change the password.
  7. Reboot the server and log in with your new password.

This method is great for 1&1’s Dedicated Servers using the Serial Console, 1&1’s Cloud Servers using either the KVM/VNC console, and Digitalocean’s KVM console. As long as you can see GRUB, you can change the root password.

March 28 2016

CentOS 6 | Root Password Reset (GRUB Method)

Imagine the situation where your administrator is fired or quits, takes the root password of the server with him, and you need access to the server right now. Fortunately, Linux makes the process incredibly easy since you have local access, at least in the eyes of the Linux OS. All this method requires is the ability to manipulate GRUB, so if you have a way of seeing the GRUB menu and working with it, then this method is for you.

Let’s get started:

  1. Boot to the GRUB menu.
  2. At the GRUB menu press ‘e’ for edit.
  3. You should see 3 lines; scroll to the kernel line.
  4. Using the Right Arrow, scroll to the end of that line.
  5. Type the number “1” at the end and then hit “Enter”.
  6. Now you’re looking at the 3 lines again; hit ‘b’ to boot with this configuration.
    1. Note: This does not save the configuration; it just boots you into Single User Mode for this session.
  7. You should now be booted into Single User Mode with root access. Change the password with the “passwd” command:
    1. # passwd
  8. Reboot the server with the “reboot” command.

This method is great for 1&1’s Dedicated Servers using the Serial Console, 1&1’s Cloud Servers using either the KVM/VNC console, and Digitalocean’s KVM console. As long as you can see GRUB, you can change the root password.

February 28 2016

[WIP]Configure Active Directory tutorial


This is still a work in progress. However, I’ve included the above slideshow of a successful run-through. I’ll be translating my screenshots into the tutorial below.

Domain: dankedonuts.lan

1 server : AD Controller (10.0.0.2)

1 Server : DNS/DHCP Server (10.0.0.1)

1 Server : AD Client (10.0.0.100)

Private networking (using 10.0.0.0/24)


On AD Controller:

Go to the Control Panel > System > Change name of computer. Call the computer “addc” for AD Domain Controller. For now we won’t mess with the domain yet. Close and reboot the server.

Go to Server Manager > Manage > Add Roles > install the Active Directory.

After installation (it may take some time), the flag in Server Manager should appear for “Post Deployment”. You have to promote this computer to a Domain Controller.

Select Add new Forest

Root domain: “dankedonuts.lan”

Set a Directory Services Restore Mode password.

Our new NetBIOS name is “dankedonuts”
Follow prompts and click install when prompted.

The server will reboot again to confirm all changes.

Now we have an Active Directory, but it’s useless unless we can get others to join. Let’s get the DNS server running.

Set the name of this server to “dns” so we can identify it in AD later. Use a workgroup rather than a domain for now.

For Active Directory domains to work, your main domain needs to have an SRV record like _ldap._tcp.dc._msdcs.mydomain.com. For our case, it’ll be _ldap._tcp.dc._msdcs.dankedonuts.lan.

Let’s get the roles. By default, DNS roles are installed, but if you go to Server Manager > Tools and you do NOT see DNS, then you’re missing some features. Click Manage > Remove Role and uninstall the DNS role. After it’s done, you do NOT have to reboot; just go ahead and re-add the DNS role. Once that completes, reboot.

Now we can configure the DNS Manager. I’m not going to lie, Windows DNS is a PoS compared to Linux, so I have screenshots of my configuration. Basically:

-Server Manager > Tools > DNS
-Expand DNS, Expand Forward Lookup Zones.
-Right click on Forward Lookup Zones > New Zone > Primary > set the domain as "dankedonuts.lan"
-When complete, right-click on dankedonuts.lan > New Domains > "dc._msdcs" as the name.
-Expand "dankedonuts.lan" > expand "_msdcs" > right click "dc"
-Click "Other New Records..." > choose SRV > Protocol = ldap > Click OK.

Go back to dankedonuts.lan's level and add Host(A) records for dns, addc, and (same as parent folder).

Now we should have the records we need, but since we’re the nameserver and this is a “fake” domain, let’s change our preferred DNS server to either 127.0.0.1 or 10.0.0.1. Either way, we want to be able to run “nslookup dankedonuts.lan” and get 10.0.0.2. Also run “ping -a 10.0.0.2” and ensure that addc responds.

If so, then we’re ready to go back to the Control Panel > System and change the domain to “dankedonuts.lan”. If all is successful, it should ask you for an Active Directory username. By default, the Administrator of the Active Directory server should work, but instead, let’s create a user for this server.

Back on AD Server, go to Server Manager > Tools > “Active Directory Users and Computers”.

Expand “dankedonuts.lan” > go to Users > right-click in the blank area to create a new user. Name it “dnsadmin”, give it a password, and click OK.

Go back to the DNS server.
Now we can input the new credentials and successfully join the Domain.

Yay!

Now let’s start taking care of the DHCP side of things. One of the first tasks of a network administrator is to really think about how he’s going to assign IP addresses. For this example, we’re going to use just a small sample of 10.0.0.100 – 10.0.0.254 for clients. Later we can expand to include more and make our private network even larger.

Server Manager > Tools > DHCP
Expand “dns.dankedonuts.lan”
Right-click “IPv4” and click “New Scope”
Name it whatever you want, set the range 10.0.0.100 to 10.0.0.254
Don’t exclude anything
Set all the router/WINS/etc. IPs to 10.0.0.1 (our DHCP server’s IP) and remove any public IPs.

When you’re done, right-click “dns.dankedonuts.lan” and click “Authorize”.

Now we’re ready to assign our first client!


On the Client Server, configure Ethernet1 to use the following:

Click “Advanced…”
Add 10.0.0.1 to “Default Gateway”
Add 10.0.0.1 to “DNS server addresses”
Add 10.0.0.1 to WINS addresses

Open up PowerShell/CMD and run “ipconfig /release Ethernet1”.

Verify that Ethernet1 has been assigned to a 10.0.0.100-254 address.


Now go to the Control Panel, set any name for this computer, and join the domain. Nothing special to do.

By now, everything is set up and good to go.

In the AD Controller, go to Server Manager > Tools > Active Directory Users …

Go to Computers and you should see our Client and DNS server.

December 23 2015

Remote FTP Backups with Plesk

A common control panel that’s being sold at providers such as 1&1 is the Parallels Plesk Panel. It’s fairly simple and straight forward to use, and is provided at a discount compared to the popular cPanel. Like cPanel, Plesk allows an Administrator to configure domains, customer subscriptions, and provide web hosting services to their own customers. An important aspect that any webhost needs to provide for their customers, and for their own infrastructure, is a backup solution.

I’ve previously gone in depth about backup solutions and ideas for the 1&1 Cloud Server, which is a perfect place to start since it has the most backup options self-contained at 1&1, but you may want something a bit different, something where the backups are kept with you and are in your full possession.

Typically, Plesk’s Backup Manager can be set up on a schedule which stores either full or incremental backups in the /var/lib/psa/dumps directory. This is great if we’re on a dedicated server and have hundreds of gigabytes of disk space, but with the Cloud Servers, every GB is valuable to us and space is limited. Most of us have a local computer with almost a TB of space available, even more if we look at adding a USB hard drive. We’ll want to leverage that space by configuring Plesk to send backups to that drive using free software such as FileZilla FTP Server.

Right off the bat, I don’t like FTP, for many security reasons which I won’t delve into, but it’s all that Plesk allows out of the box. Later, I’ll write up alternative setups to try to get rid of FTP from the equation and use something a bit more secure.

Requirements

  • Plesk
  • FileZilla FTP Server
  • Know your local IP address
  • DynDNS (optional)

Plesk Guide

http://download1.parallels.com/Plesk/Doc/en-US/online/plesk-administrator-guide/59256.htm#

Please read up on the Plesk Admin Guide to understand how to set up and use the feature in depth. I’ll only be covering the basic gist of setting it up.

IP Address Concern

Many ISPs choose to assign IP addresses dynamically, which means that they are constantly changing. This is a huge issue when trying to configure FTP schedules, because Plesk doesn’t know the IP to connect to.

If this is the case, I recommend looking into a service like DynDNS or No-IP. These services will create a domain like “mydomain.dyndns.net” which is pointed at your IP. A client program is run on your computer to update this domain whenever your IP changes. We provide this domain to the FTP Storage setting instead of just an IP address, and won’t have to worry about this IP concern.

FileZilla FTP Server

Right off the bat, you’re going to want to get FileZilla set up and running, firewall exceptions added, and, as needed, port forwarding completed. http://portforward.com/ is a great site that explains steps for various routers and configurations to forward ports. Forwarding is needed in this world of multiple devices connected to a single gateway like your cable modem.

Create a user, a password, and the shared folder where you’re going to place the files, and make that storage the user’s “home”. Password authentication is at least one piece of security; another piece is to add IP filtering to block all IPs except your server. This at least means the only way someone accesses these files is by coming from your server. That’s a start, I suppose.

In the “Settings” configuration of FileZilla, set “IPs are not allowed access…” to “*”, which is a wildcard saying all IPs are not allowed access. Then set “Exclude the following IPs…” to your server’s IP.

Backup Settings in Plesk

After you configure Plesk for FTP Storage, you’ll want to start looking at the schedule for an option that fits your business model. Personally, I like the idea of doing a full backup every week, with incremental backups every day. The incrementals make sure that only small changes are recorded and saved, which will help keep file size down. You should check “Suspend Domains” while the backups get processed. This will ensure there are no conflicts from files being in use or changing, but it will also mean that your sites on that domain will be unavailable, so schedule during the late night hours when your business can be safely taken offline.