Toaster Gremlin

I received this error when trying to complete a certificate request in IIS:
Access is denied. (Exception from HRESULT: 0×80070005 (E_ACCESSDENIED))

This turned out to be a permissions issue with the following folder
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Ensure that the “Administrators” group has full control and the “Everyone” group has the following permissions on this folder only:
List folder / read data
Read attributes
Read extended attributes
Create files /write data
Create folders / append data
Write attributes
Write extended attributes
Read permissions

When attempting to untar an archive you may see the following error:
tar -zxvf archive.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors

This tar may have been created without compression. In that case just remove the -z option. If this still does not work the tar file may be corrupt. Try confirming the file type using the “file” command:
file archive.tar
html.tar: POSIX tar archive

It may be necessary to adjust the arp cache timeout in your Juniper firewall, otherwise know as the arp age. Login through SSH and search the config to see if an arp age is already set:

get config | inc arp


If nothing is returned then the arp age is set to the default of 20 minutes. To set this timeout value use the “set arp age” command followed by the number of seconds. For example the following command will set the arp cache timeout to 60 seconds:

set arp age 60


Make sure to save this change by using the “save” command or else it will be reverted next time the firewall is rebooted:

save


Wireshark offers command line options which allows users to capture traffic information through a batch file. This also means the built in Windows scheduled task feature can be used to schedule a capture.

Example batch file:

"C:\Program Files\Wireshark\tshark.exe" -a duration:14400 -a filesize:20480 -a files:512 -w "C:\Program Files\Wireshark\captures\Packet_Capture.pcap"


-w: Specifies the output file:
In this example it will create the following file and increment the names if multiple files are being created:
C:\Program Files\Wireshark\captures\Packet_Capture.pcap

-a: Capture autostop conditions in the example above:
duration: Stop after 14400 seconds (4 hours)
filesize: Create a new file after it reaches 20480KB (20MB)
files: Stop creating new files after it reaches 512 (512 x 20MB = 10GB total)

For a full list of command line options use “wireshark -h” in a command prompt or take a look at the Wireshark command line help page.

If you need to bulk add IPs to a Windows server (2003 or 2008) one of the following batch scripts will make that much easier.

Example one:
This example will add a range of IPs as specified between the parentheses. Here are the values used in the example below:
2 = Starting octet
1 = Value to increment
5 = Ending octet

FOR /L %%i IN (2,1,5) DO netsh in ip add address "EXT" 192.168.1.%%i 255.255.255.192

This will add 192.168.1.2 through 192.168.1.5 to the connection labeled “EXT”.

Example two:
If you have a list of IPs that need to be added in a text file, the following batch script can be used. Ensure that each IP is on a new line:

FOR /F %%i IN (IPs.txt) DO (
netsh in ip add address "EXT" %%i 255.255.255.240
)

Make sure “IPs.txt” is the name of your file, “EXT” is the name of your connection, and the netmask (255.255.255.240) is correct for your range.

Unfortunately there is no way to update a server name in a Coyote Point Equalizer through the GUI without deleting and recreating the server. However these changes can be made manually in the eq.conf file.

1. Login to your CP Equalizer device via SSH

2. Switch to the root user:
su root

3. Make a backup of the live configuration file in a temporary location:
cp /var/eq/eq.conf /var/tmp/eq.conf.bak

4. Create a second copy of this backup so we can edit it:
cp /var/tmp/eq.conf.bak /var/tmp/eq.conf

5. Edit the copy with vi:
vi /var/tmp/eq.conf

6. Either manually update each occurance or do a mass search and replace using the following command in vi:
:%s/OldServerName/NewServerName/g

7. Save the file and exit vi. Then confirm there are no syntax errors in the updated configuration file:
parse_config -i /var/tmp/eq.conf

8. Enter the following commands to update the configuration file and force an update:
cp /var/tmp/eq.conf /var/eq/eq.conf
shadow /var/eq/eq.conf

9. Log into the web interface and confirm your changes were successful.

First you will need to create a .pem file which contains your key, certificate, and any intermediate/root certificates.

1. Open your preferred text editor and copy/paste your certificates in the following order:
Private key
SSL for your domain
Intermediate
Root

The format of your .pem file should look like this:

—–BEGIN RSA PRIVATE KEY—–
Private Key
—–END RSA PRIVATE KEY—–
—–BEGIN CERTIFICATE—–
SSL for your domain
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
Intermediate Certificate
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
Root Certificate
—–END CERTIFICATE—–

Note: If your certificate is in PFX format you will need to split this into the separate certificate and key files. Search for a PFX splitter if needed as there are many tools out there for this.

2. Save your file with a .pem extension.

3. Login to the Coyote Point web interface and select the specific HTTPS cluster on the left.

4. Click the Security tab.

5. Browse to the .pem file created earlier and then click the upload button.

6. Here you should see the details for all certificates in the .pem file. Make sure you see the actual SSL for your domain along with any intermediate/root certificates.

7. Scroll down to the bottom of this window and hit continue.

8. Make sure to test the HTTPS connection to confirm the certificate is working properly.

This is a quick example of how to automate a FTP task with a batch file. WinSCP allows you to utilize a script file with your connection details and commands, which makes things very easy.

Save the following details into “myscript.txt”:

# Answer all prompts negatively so the script
#does not stall on error
option batch on
# Disable overwrite confirmations which conflict with the previous option
option confirm off
# Connect using a password
open ftp://myftpusername:mypassword@127.0.0.1:21
# Upload files
put C:\mydirectory


Make sure to update these values appropriately:
myftpusername = FTP username
mypassword = FTP user’s password
127.0.0.1 = IP or hostname of machine you are connecting to
C:\mydirectory = directory you wish to copy to the home directory of your FTP user

Then the following can be placed in a .bat file to execute the upload above:

C:\Program Files\WinSCP\winscp.exe /console /script=myscript.txt


Note you may need to update the path to the WinSCP executable or the myscript.txt file depending on your installation.

After installing Cyberghost VPN on a Windows 7 machine I was unable to launch the application. The following error was returned each time:
There is a problem with your Cyberghost VPN Installation. Should Cyberghost try to solve the problem automatically?

After choosing yes the application still failed to launch. I was able to resolve the issue by following these steps:

1. Open up Device Manager:
Start -> Control Panel -> System -> Device Manager

2. Scroll down to Network adapters and expand it.

3. Here I had three different “TAP-Win32 Adapter” instances each with a different V#. Right click each one and choose Uninstall.

4. Install OpenVPN which will install the appropriate TAP-Win32 driver. This can be downloaded here.

5. Now there will only be one instance of “TAP-Win32 Adapter” under Network Adapters and you should be able to launch Cyberghost without error.

First create a new Windows user which will have access to the directory. If this user already exists, skip to step #5.

1. Open Server Manager by clicking Start -> Administrative Tools -> Server Manager

2. Expand Configuration -> Local Users and Groups

3. Right click Users and select New User.

4. Enter the desired user name and password. Make sure to uncheck “User must change password at next logon” and check both options for “User cannot change password” and “Password never expires”.

5. Open IIS Manager by clicking Start -> Administrative Tools -> Internet Information Services (IIS) Manager

6. Expand the server name in IIS then Sites. Expand the site in question and select the directory you are looking to secure.

7. Double click “Authenticaton” under the IIS heading on the right. If you do not see this, make sure you “Features view” is selected at the bottom of IIS.

8. Right click “Anonymous Authentication” and choose Disable.

9. Right click on “Windows Authentication” and choose Enable.

By default the new user we created will be a member of the “Users” group and this group has access to the directory we are securing. However if you want to limit this access to a select user(s) instead of all users on your server, follow the extra steps below.

1. Right click the directory again on the left side of IIS and choose Edit Permissions.

2. Click the Security tab and then click Advanced.

3. Click Change Permissions

4. Select the Users group and choose Remove

5. Click Add -> Advanced -> Find Now to browse for the new user

6. Click OK until all dialogue boxes are closed