On October 15, 2017, security researcher Mathy Vanhoef announced the discovery of KrackAttacks, a serious flaw in the WPA2 encryption protocol that encrypts most WiFi connections. Using this method, an attacker can decrypt traffic from almost any wireless access point (WAP) and its clients. Every WiFi access point will need to be upgraded with a patch that prevents this attack.
Ubiquiti has already released a patch for UniFi access points that addresses this vulnerability. However, the upgrade process may not be straightforward, depending on the age of your access points. The following process will ensure that you are running a safe version of the firmware (18.104.22.16837 or later). Note that any upgrade will result in downtime for each access point as it is upgraded, so you will want to perform a rolling upgrade if you have multiple devices that will be upgraded while people are using them.
Continue reading Upgrade Ubiquiti UniFi Access Points (WAP) now to avoid KrackAttack
When you run yum upgrade on a CentOS/RedHat 7 instance, you will be upgraded to 7.4. If you have a FreeRADIUS server, you will be upgraded from version 2 to 3, and your server will likely stop authenticating! Good times! Fortunately, the solution was not complicated for us, because we had good documentation.
Your radius server suddenly starts denying logins.
Continue reading Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes
It can be confusing when you have multiple persistent disks on an instance running on Google Compute Engine. For example, a server may have separate disks for the filesystem root, MySQL data, logs, and /tmp. Once you’ve created the Compute Engine disks and attached each one to the instance, how do you know which Compute Engine disk maps to each volume on the instance?
Continue reading Managing persistent disks on Google Compute Engine
The Historical Answer
With Windows NT, prior to the advent of Active Directory, there was one Primary Domain Controller (DC) per domain, and every other DC was a Backup.
The Modern Answer
When Active Directory was introduced with Windows 2000, domain controllers became fully multi-master. There is no primary domain controller. However, there are two caveats that may confuse you.
Continue reading Is there a “Primary Domain Controller” in Active Directory?
If you are a Linux or OS X power user, then you’re used to having all the necessary tools built into your OS. When you log into a Windows system (What! No command line?) you may feel lost. These tools and shortcuts will help you be productive on Windows systems.
- Alt-x is a magic shortcut key on Windows 8 and Server 2012. It pops up a little menu in the lower right corner of the screen which contains just the items that an admin needs. Try it!
Continue reading Making Windows work for Linux and OS X admins
In Part 1, I summarized the basic concepts of SNMP and defined the terms and acronyms used in this post. Now, I will show how to use SNMP to monitor actual devices. As an example, I will monitor an enterprise-grade uninterruptible power supply (UPS) and power distribution units (PDUs) from Tripp-Lite. These devices have an SNMPWEBCARD installed to support communication over Ethernet.
Command-line tools for SNMP communication should be available for any Linux distribution (or any other UNIX-derived OS). Documentation for the basic SNMP tools is available online. The challenge with SNMP is figuring out what parameters are supported by a particular device. Most devices support a set of standard OIDs that return basic information such as device name, uptime, etc.
Continue reading Monitoring with SNMP, Part 2: Command-line tools for active SNMP
SNMP is a protocol for conveying information and controlling devices over a network. SNMP can be used in two ways:
- Active: a device sends a command to another device to set a parameter or request information
- Passive: a device sends an alert (called a trap) to another device, which is configured to receive traps and do something with the information.
The “payload” of an SNMP message is called an Object Identifier, or OID. An OID is an ordered list of non-negative numbers, such as:
1.3.6.1.2.1.1.3.0
The sequence is hierarchical, starting with the highest-level object and progressing to lower-level objects. The above sequence corresponds to:
iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) sysUpTime(3) 0
When this command is sent to a device, it will return the uptime of the device.
The translation between the numerical sequence and the human-readable form is stored in a text file called a Management Information Base, or MIB. The format of the MIB is defined in RFC 2578. Some MIB files are standard and contain object IDs that are recognized by almost all devices. Device manufacturers also provide custom MIB files in which they define specialized object IDs for a particular device. Unfortunately, some devices don’t have MIB files, and you will have to query the device to see what objects it supports and decipher what they mean.
In Part 2 of this series, I will use active SNMP to monitor infrastructure.