Duo ByPass

To let a script or other login from a trusted network bypass Duo 2FA over SSH on Linux, add the following line to the SSHD PAM config (/etc/pam.d/sshd), ahead of the Duo module. When pam_access grants access, success=2 skips the next two modules in the stack; otherwise (default=ignore) the result is ignored and authentication continues as normal.

auth    [success=2 default=ignore]      pam_access.so accessfile=/etc/security/access-local.conf

Then create the access file and put your rules in it, for example:

+ : ALL : 192.168.1.0/24
- : ALL : ALL

For more information on the access file format, see the access.conf(5) manual page.
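An added example (not part of the original post) that evaluates an access file in the format above against a login's source address, so you can audit exactly which SSH logins will take the success=2 jump past the Duo module. The second, per-user rule in the embedded file is a hypothetical addition to show that the user field is honoured too.

```python
"""Audit a pam_access file like the one above: which (user, origin) pairs does
it grant, i.e. which SSH logins take the success=2 jump past the Duo module?
Added example, not from the original post. Handles '+'/'-' rules, user fields of
ALL or plain names, origins of ALL / IP address / CIDR; first match wins as in
pam_access. Groups, EXCEPT lists, hostnames and tty names are out of scope."""
import ipaddress

# Constructed copy of /etc/security/access-local.conf as shown above, plus a
# hypothetical per-user rule to show that the user field is honoured too.
ACCESS_LOCAL_CONF = """\
+ : ALL : 192.168.1.0/24
+ : backup : 10.20.0.0/16
- : ALL : ALL
"""

def parse_access_file(text):
    """Return (allow, users, origins) tuples in file order; reject malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed access rule {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _origin_matches(pattern, addr):
    if pattern == "ALL":
        return True
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # LOCAL, hostnames, ttys: not evaluated by this checker

def access_decision(rules, user, origin):
    """True/False from the first matching rule, None if nothing matches.
    The file above ends in '- : ALL : ALL', so every origin gets a decision."""
    addr = ipaddress.ip_address(origin)
    for allow, users, origins in rules:
        if "ALL" in users or user in users:
            if any(_origin_matches(o, addr) for o in origins):
                return allow
    return None

def bypass_origins(rules, user, origins):
    """Origins from which `user` is granted, i.e. logins that skip the two
    modules following the pam_access line in /etc/pam.d/sshd."""
    return [o for o in origins if access_decision(rules, user, o) is True]

RULES = parse_access_file(ACCESS_LOCAL_CONF)
```

Run `bypass_origins(RULES, "root", [...])` over your expected client addresses before deploying the file; anything in the result list authenticates without the second factor.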

Nagios Core Upgrade

Ubuntu

Stop Service / Daemon

This command stops Nagios Core.

===== Ubuntu 14.x =====

sudo service nagios stop


===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl stop nagios.service


Downloading the Source

cd /tmp
sudo rm -rf nagioscore*
wget -O nagioscore.tar.gz https://github.com/NagiosEnterprises/nagioscore/archive/nagios-4.4.1.tar.gz
tar xzf nagioscore.tar.gz


Compile

cd /tmp/nagioscore-nagios-4.4.1/
sudo ./configure --with-httpd-conf=/etc/apache2/sites-enabled
sudo make all


Install Binaries

This step installs the binary files, CGIs, and HTML files.

sudo make install


Install Service / Daemon

This installs the service or daemon files. They will already exist, but they are updated occasionally and so need replacing.

sudo make install-daemoninit


Update nagios.cfg

If you are upgrading from Nagios Core 4.3.2 or earlier, you will need to update the nagios.cfg file to point to /var/run/nagios.lock, using the following command:

sudo sh -c "sed -i 's/^lock_file=.*/lock_file=\/var\/run\/nagios.lock/g' /usr/local/nagios/etc/nagios.cfg"

More information about this is detailed in the following KB article:

Nagios Core – nagios.lock Changes In 4.3.3 Onwards


Start Service / Daemon

This command starts Nagios Core.

===== Ubuntu 14.x =====

sudo service nagios start


===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl start nagios.service


Confirm Nagios Is Running

You can confirm that the nagios service is now running with the following command:

===== Ubuntu 14.x =====

sudo service nagios status


===== Ubuntu 15.x / 16.x / 17.x / 18.x =====

sudo systemctl status nagios.service


Confirm Nagios Version

You can confirm the nagios version being used with the following command:

sudo /usr/local/nagios/bin/nagios -V


This will output something like:

Nagios Core 4.4.1

Local Gov Strategy Forum

Like many of these events I felt a certain amount of resignation as the date approached. These events seem like a good idea when you book yourself on them. Then as they get close you realise you are still in local government and you are still considered a force for change and modernisation over 10 years since you started in the industry.

Well… I was really surprised when for the first time the people I met and spoke to were all excited by change in the sector, in part this has been forced upon a number of authorities due to budget cuts, but once they start looking they see the real benefit of cultural and technology transformation for their residents and staff. 

Of course this event was sponsored, and there were a few of the usual suspects peddling their frankly b/s wares to an already jaded public sector, but for the first time ever I took two business cards and didn’t file them in the round file! I even have two post-event meetings booked in.

Here’s to local government and them finally getting it… guess I better start looking at a career change. 

RDP Cert (Windows 7)

Commercial Certificate Authority TLS Remote Desktop Service (RDS) certificate RDP Windows 7

There are two good guides on how to install a commercial certificate, to replace the self-signed one generated by Remote Desktop Services and avoid warning messages, but they both leave steps out. Here are all the steps.

1. Generate a private key and certificate request

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

2. Get it signed by a commercial certificate authority

3. Convert your key, certificate, and Certificate Authority chain to a pfx file for Windows

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Don’t double-click the resulting “certificate.pfx” file: that always imports it into your personal certificate store, whereas you want it in the computer certificate store.

4. Install certificate – Open command-line, mmc, Add/Remove snap-in, Certificates, Computer Account, Local Computer

Expand Certificates (Local Computer), Personal, Certificates. Right click in right pane, All Tasks, Import…

Import your pfx file. Make sure the private key is included.

5. You need the thumbprint of the certificate. Double-click the certificate to view it in the mmc, and choose the Details tab. At the bottom is the Thumbprint. Copy it to Notepad, then remove the question mark at the beginning (an invisible character that pastes as “?”) and all the spaces. It should be a string like “6adbb56632cc476ad790d899f2c34c42c1881590”

6. This link explains the registry command that makes RDP use the CA-signed certificate instead of the self-signed one: http://www.weaklink.org/2015/05/tls-certificate-for-windows-88-1-remote-desktop-service/

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d 6adbb56632cc476ad790d899f2c34c42c1881590

7. You must also grant the RDP service the right to read the private key. Microsoft explains the ACL necessary: https://support.microsoft.com/en-us/kb/2001849

Click Start, click Run, type mmc, and click OK.

On the File menu, click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

In the Certificates snap-in dialog box, click Computer account, and click Next.

In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

In the Add or Remove Snap-ins dialog box, click OK.

In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

Restart Remote Desktop Services, or restart the computer, and the next time you use RDP it will not complain about the certificate.

Extend a partition and LVM with Ubuntu 16.04

There is a risk of data loss doing this!!!

First add the additional disk space using your virtualisation admin software (ESXi, Proxmox, etc.).

Rescan the bus

echo 1 > /sys/class/block/sda/device/rescan

Next start fdisk

sudo fdisk /dev/sda

Press p to print the current partition list. Copy the start block for both sda2 and sda5. Now we need to delete the partitions.

Press d to delete the partition and accept the default of ‘2’.
Press d again and accept the default of ‘5’.

Now press n for a new partition

Create an extended partition, make sure the start block is that of your “old” sda2 partition.

Accept the other defaults to use all available space.

Now press n again

This time accept the defaults. The start block will be wrong, but this is ok and a slight anomaly with this method.

This bit is super, world ending, important.

Once you are back to the fdisk prompt press x (to enter expert mode)

Press b and make sure sda5 is selected.

Enter the start value that you copied earlier for sda5.

Once you are back at the expert command prompt, press r (to return to the main menu) and then w (to write the changes and exit).

We’ve now finished with fdisk.

Now sync the changes with the running OS.

partprobe

Extending LVM

Run

pvresize /dev/sda5
lvextend -l +100%FREE /dev/VGNAME/LVNAME
resize2fs /dev/VGNAME/LVNAME

If you don’t know your VGNAME or LVNAME run

lvdisplay

That’s all there is to it!

Expand a hard disk with LVM

The “hardware” part, “physically” adding diskspace to your VM

Increasing the disk size can be done via the vSphere Client, by editing the settings of the VM (right click > Settings).

If the “Provisioned Size” area (top right corner) is greyed out, consider turning off the VM first (it may not allow “hot adding” of disks/sizes), and check whether you have any snapshots of that VM. You cannot increase the disk size while snapshots exist.

Partitioning the unallocated space: if you’ve increased the disk size

Once you’ve changed the disk’s size in VMware, boot up your VM again if you had to shut it down to increase the disk size in vSphere. If you rebooted the server, you won’t have to rescan your SCSI devices, as that happens on boot. If you did not reboot the server, rescan the bus as root (the command must be run in a root shell, as the redirect writes to /sys):

~$ echo 1 > /sys/class/block/sda/device/rescan

Create the new partition

Once the rescan is done (should only take a few seconds), you can check if the extra space can be seen on the disk.

~$  fdisk -l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         391     3036285   8e  Linux LVM

So the server can now see the 10GB hard disk. Let’s create a partition by starting fdisk for the /dev/sda device.

~$  fdisk /dev/sda

The number of cylinders for this disk is set to 1305.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): n

Now enter ‘n’, to create a new partition.

Command action
e   extended
p   primary partition (1-4)
 p

Now choose “p” to create a new primary partition. Please note, your system can only have 4 primary partitions on this disk! If you’ve already reached this limit, create an extended partition.

Partition number (1-4): 3

Choose your partition number. Since I already had /dev/sda1 and /dev/sda2, the logical number would be 3.

First cylinder (392-1305, default 392): 
Using default value 392
Last cylinder or +size or +sizeM or +sizeK (392-1305, default 1305): 
Using default value 1305

Note: the cylinder values will vary on your system. It should be safe to just hit enter, as fdisk will give you a default value for the first and last cylinder (and for this it will use the newly added disk space).

Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): 8e
Changed system type of partition 3 to 8e (Linux LVM)

Now type t to change the partition type. When prompted, enter the number of the partition you’ve just created in the previous steps. When you’re asked to enter the “Hex code”, enter 8e, and confirm by hitting enter.

Command (m for help): w

Once you get back to the main command within fdisk, type w to write your partitions to the disk. You’ll get a message about the kernel still using the old partition table, and to reboot to use the new table. The reboot is not needed as you can also rescan for those partitions using partprobe. Run the following to scan for the newly created partition.

~$ partprobe -s

If that does not work for you, you can try to use “partx” to rescan the device and add the new partitions. In the command below, change /dev/sda to the disk on which you’ve just added a new partition.

~$ partx -v -a /dev/sda

If that still does not show you the newly created partition for you to use, you have to reboot the server. Afterwards, you can see the newly created partition with fdisk.

~$  fdisk -l

Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         391     3036285   8e  Linux LVM
/dev/sda3             392        1305     7341705   8e  Linux LVM

Extend your Logical Volume with the new partition

Now, create the physical volume as a basis for your LVM. Please replace /dev/sda3 with the newly created partition.

~$  pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created

Now find out what your Volume Group is called.

~$  vgdisplay
--- Volume group ---
VG Name               VolGroup00
...

Let’s extend that Volume Group by adding the newly created physical volume to it.

~$  vgextend VolGroup00 /dev/sda3
Volume group "VolGroup00" successfully extended

With pvscan, we can see our newly added physical volume, and the usable space (7GB in this case).

~$  pvscan
PV /dev/sda2   VG VolGroup00   lvm2 [2.88 GB / 0    free]
PV /dev/sda3   VG VolGroup00   lvm2 [7.00 GB / 7.00 GB free]
Total: 2 [9.88 GB] / in use: 2 [9.88 GB] / in no VG: 0 [0   ]

Now we can extend the Logical Volume (as opposed to the Physical Volume we added to the group earlier). The command is “lvextend /dev/VolGroupxx/LogVolxx /dev/sdXX”.

~$  lvextend /dev/VolGroup00/LogVol00 /dev/sda3
Extending logical volume LogVol00 to 9.38 GB
Logical volume LogVol00 successfully resized

If you’re running this on Ubuntu, the logical volume is addressed under /dev/mapper; use the following, replacing VGNAME and LVNAME with your own names.

~$  lvextend /dev/mapper/VGNAME-LVNAME /dev/sda3

All that remains now is to resize the file system to fill the logical volume, so we can use the space. Replace the path with the correct /dev device if you’re on Ubuntu/Debian-like systems.

~$  resize2fs /dev/VolGroup00/LogVol00
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/VolGroup00/LogVol00 is mounted on /; on-line resizing required
Performing an on-line resize of /dev/VolGroup00/LogVol00 to 2457600 (4k) blocks.
The filesystem on /dev/VolGroup00/LogVol00 is now 2457600 blocks long.

And we’re good to go!

~$  df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 9.1G 1.8G  6.9G  21% /
/dev/sda1              99M   18M   77M  19% /boot
tmpfs                 125M     0  125M   0% /dev/shm
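An added example (not part of either LVM post above) that does the two checks a careful operator wants around these fdisk steps: how much of the disk is still unallocated before creating the new partition, and, for the delete/recreate method in the Ubuntu 16.04 post, whether every partition still starts where it did once the table is rewritten. The listings embedded in it are constructed from the fdisk -l output shown above.

```python
"""Sanity checks on fdisk -l output for the two LVM grow procedures above.
Added example, not part of the original posts: it parses the partition table
fdisk -l prints, reports how much of the disk is still unallocated (the thing to
confirm before creating /dev/sda3) and checks that every surviving partition
still starts where it did after a delete/recreate (the 'world ending' step in
the Ubuntu 16.04 procedure: a partition whose start moved means data loss)."""
import re

# Constructed from the listing shown in the post (10 GB disk, two partitions).
BEFORE = """\
Disk /dev/sda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14         391     3036285   8e  Linux LVM
"""
# The same disk after the new LVM partition was added.
AFTER = BEFORE + "/dev/sda3             392        1305     7341705   8e  Linux LVM\n"
# Constructed failure case: sda2 recreated one unit later than it used to start.
MOVED = re.sub(r"(/dev/sda2\s+)14\b", r"\g<1>15", AFTER)

def parse_partitions(listing):
    """{device: (start, end)} for each /dev/ row; the optional '*' boot flag is
    dropped so Start and End sit in fixed columns (old cylinder or new sector style)."""
    parts = {}
    for line in listing.splitlines():
        tok = line.split()
        if not tok or not tok[0].startswith("/dev/"):
            continue
        if tok[1] == "*":
            tok.pop(1)
        parts[tok[0]] = (int(tok[1]), int(tok[2]))
    return parts

def unit_count(listing):
    """Disk size in the table's unit: 'N cylinders' (old fdisk) or 'N sectors'
    at the end of the Disk line (fdisk on Ubuntu 16.04)."""
    m = re.search(r"(\d+) cylinders\b", listing) or re.search(r"(\d+) sectors\s*$", listing, re.M)
    if not m:
        raise ValueError("no cylinder/sector count found in listing")
    return int(m.group(1))

def unallocated_units(listing):
    """Units beyond the last partition; > 0 means there is room for a new one."""
    parts = parse_partitions(listing)
    last_end = max((end for _, end in parts.values()), default=0)
    return unit_count(listing) - last_end

def moved_partitions(before, after):
    """Partitions present in both listings whose start changed: must be empty."""
    b, a = parse_partitions(before), parse_partitions(after)
    return sorted(dev for dev in b if dev in a and a[dev][0] != b[dev][0])

def starts_preserved(before, after, devices):
    """True if every named partition starts where it did before the edit."""
    b, a = parse_partitions(before), parse_partitions(after)
    return all(dev in a and a[dev][0] == b.get(dev, (None,))[0] for dev in devices)
```

In practice, save `fdisk -l /dev/sda` output to a file before entering fdisk and compare it against a fresh listing before pressing w; if `moved_partitions` is not empty, quit with q instead.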

Unifi Video Mongodb remove

Occasionally you hit an issue with a UniFi camera that won’t connect or can’t be removed from the controller. The easiest / only way to fix this is to manually remove it from the database.

SSH into the NVR and find all the cameras:

mongo localhost:7441/av
db.camera.find()
db.camera.find({}, {_id: 0, name: 1, uuid: 2})

Look for the camera in question; we want its UUID:

"Driveway", "uuid" : "1fbfb420-a091-3c8f-b184-e43ec862b14a"

Then remove it, exit the tool, and restart UFV:

db.camera.remove({uuid:"1fbfb420-a091-3c8f-b184-e43ec862b14a"})
exit
service unifi-video stop; service unifi-video start

I admire….

People I follow..

As most of you will be aware, I find management and leadership courses to be a bit futile. Yes, you do pick up good ideas and practices, it is a great way to network with your peers, but has anyone come out a reformed leader / manager… not that I’ve seen. Worse than that, when under stress people revert back to the manager they are. Having said that, in my time in leadership roles I have come across a couple of real gems of people, who I admire and respect, they talk sense (to me). I will update this page if any new ones pop up!

I first came across Simon Sinek a few years ago on a random management course I had been sent on. For some reason he stuck, the way he talks, the way that some of his talk is science (some of it is pseudo science and junk, so be careful). The way he talks and the passion behind it. He is one of my all time favourite TED talkers.

My personal favourite video is this one. His books are a good read and he is constantly tweaking and refining his work.

Dave Coplin is an absolute tech legend. Having worked at Microsoft for approximately a billion years, he was their Chief Envisioning Officer, he totally embraces the fact that we need to change the way we work. We need to accept technical change and more than that we need to embrace it. 

His book Business Reimagined is short, but totally worth a read. The video Re-imagining work shifts in the digital revolution is really worth a watch.

Many of you know my absolute IT hero is Grace Hopper.

She was a truly talented computer scientist, in a time before computer science. She coined the term “bug” when she found a moth in one of her computers that wasn’t working. Her lectures were easy to follow, even on the most complex of subjects, including how far data travels in a second, which she illustrated with chunks of physical cable. 

She was a decorated Navy veteran and in 1986 she was the oldest active-duty commissioned officer in the US Navy.

A true pioneer. She also gave the world one of my favourite quotes of all time:

“It’s easier to ask forgiveness than it is to get permission.”

My IT Titans

OK, this one is a cheat, but I wanted to reflect the people who I respect in my industry… All of them for different reasons, but mostly because they are amazing technologists, leaders, business owners and actual people.

  • Bill Gates – Microsoft
  • Michael Dell – Dell
  • Steve Wozniak – Apple
  • The other Steve – Apple
  • Bill Hewlett – HP
  • David Packard – HP

Chelmsford – The Digital Journey So Far

The Digital Journey So Far was published in Public Sector Executive in the Apr/May 2018 edition.

Back in 2016 we decided we had had enough of being tied into expensive contracts with the big suppliers and, with this, our inability to move agilely as an organisation. We took matters into our own hands in a programme of digital transformation that would leave the council as a master of its own destiny.

When this programme is complete, we intend to only be using our own internal staff to run, maintain and develop this new platform. We think this programme will take us five years to deliver completely, and we predict it will deliver us significant savings, both financially and in resource. 

This is underpinned by an entirely new technology platform using the building blocks in two core products, Office 365 and Dynamics 365.

In May 2017, we started a realignment of our IT function to ensure we had a team that was able to deliver this new programme. We are proud that during this realignment we were able to attract some amazing talent into the organisation and continued to grow our existing talent with internal promotions. We wanted to run this project as our own and not be stuck with a partner who didn’t “get us,” and to this end the project itself has attracted a number of industry-leading contractors who wanted to come and work with us. This has, in turn, inspired the team and led to better buy-in.

With the wider council, we have massively increased the amount of information we give them, including a fortnightly newsletter and monthly “buzz days” which deep-dive some of the core components in an interactive way.

Office 365 is the first major strand of the project: it becomes the core IT offering and affects all the workforce and councillors. In the past year we have rolled out some of its core components and have started enabling the business to work where and whenever they want. This has allowed teams within the council to start trialling their own ideas, and a number of services have made their own mini solutions. 

With the migration to Exchange online and OneDrive for Business complete, we have started the project to migrate our telephone system to Skype for Business and our shared file infrastructure to SharePoint. We are aiming to have the council fully migrated to the new platform by the end of the calendar year.

CRM is the most complex part of the programme: it aims to take the council’s current back-office systems and migrate them to a single platform, giving a single view of the customer. The beginning of the year saw us build our own platform in Azure, but by the summer it was clear that we would be better on the hosted Dynamics 365 platform. This work was completed in the summer and the team started building our foundational capabilities. Microsoft upgraded the platform and we migrated to the new build with minimal effort, the permanent team really understanding how rapid the development and deployment is. 

In the first year we only experienced one hiccup: one of our systems reached end of life during the year, and this became a distraction. We attempted to accelerate elements of the programme, but in the end this led us into a situation where we had wasted resource on focusing on an issue that we couldn’t resolve in the time we had. Once we successfully used our contingency plans, we took time to reflect and stabilise the foundation work we had already completed – ready for year two.
