Posted on | July 5, 2012 | No Comments
You can find directions for doing this in several places, and I debated whether I wanted to post this anywhere at all. But while walking through this install with some interns and poking through a number of different log files, I noticed that the regular expressions in common use were a little out of date for some of the current "attack" formatting we were seeing.
I made some changes to the regex portion that I think will help find and block more instances of intrusion attempts (as of May 2012).
This is on a CentOS box running 5.8 with the tools needed to compile and run asterisk already installed.
First, install the Extra Packages for Enterprise Linux 5 (i386), "epel".
(Of course you can also download a source tarball from fail2ban.org and go from there, but that is a different post.)
[root]# rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.U0EYpN: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing...                ########################################### [100%]
   1:epel-release           ########################################### [100%]
Now check to make sure it has added itself to your repositories:
[root]# yum repolist
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base: mirrors.cat.pdx.edu
* epel: linux.mirrors.es.net
* extras: centos.mirror.freedomvoice.com
* updates: mirrors.ecvps.com
epel                                                     | 3.4 kB     00:00
epel/primary_db                                          | 3.1 MB     00:00
repo id             repo name                                     status
addons              CentOS-5 - Addons                             enabled:     0
asterisk-current    CentOS-5 - Asterisk - Current                 enabled:   562
base                CentOS-5 - Base                               enabled: 2,725
digium-current      CentOS-5 - Digium - Current                   enabled:   461
epel                Extra Packages for Enterprise Linux 5 - i386  enabled: 5,728
extras              CentOS-5 - Extras                             enabled:   282
updates             CentOS-5 - Updates                            enabled:   510
Now that we have added the repository we should be able to yum install fail2ban. Let's see.
(OK, we needed python, which happens to already be installed on this machine; note that it is updated with this installation.)
[root]# yum install fail2ban
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
* base: centos.mirrors.hoobly.com
* epel: mirror.pnl.gov
* extras: centos.mirror.freedomvoice.com
* updates: mirrors.ecvps.com
Setting up Install Process
--> Running transaction check
---> Package fail2ban.noarch 0:0.8.4-29.el5 set to be updated
--> Processing Dependency: shorewall for package: fail2ban
--> Processing Dependency: python-inotify for package: fail2ban
--> Running transaction check
---> Package python-inotify.noarch 0:0.9.1-1.el5 set to be updated
--> Processing Dependency: python-ctypes for package: python-inotify
---> Package shorewall.noarch 0:4.0.15-1.el5 set to be updated
--> Processing Dependency: shorewall-perl = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-shell = 4.0.15-1.el5 for package: shorewall
--> Processing Dependency: shorewall-common = 4.0.15-1.el5 for package: shorewall
--> Running transaction check
---> Package python-ctypes.i386 0:1.0.2-3.el5 set to be updated
---> Package shorewall-common.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-perl.noarch 0:4.0.15-1.el5 set to be updated
---> Package shorewall-shell.noarch 0:4.0.15-1.el5 set to be updated
--> Finished Dependency Resolution
Package Arch Version Repository Size
fail2ban noarch 0.8.4-29.el5 epel 136 k
Installing for dependencies:
python-ctypes i386 1.0.2-3.el5 base 207 k
python-inotify noarch 0.9.1-1.el5 epel 86 k
shorewall noarch 4.0.15-1.el5 epel 9.2 k
shorewall-common noarch 4.0.15-1.el5 epel 232 k
shorewall-perl noarch 4.0.15-1.el5 epel 137 k
shorewall-shell noarch 4.0.15-1.el5 epel 76 k
Install 7 Package(s)
Upgrade 0 Package(s)
Total download size: 883 k
Is this ok [y/N]: y
(1/7): shorewall-4.0.15-1.el5.noarch.rpm | 9.2 kB 00:00
(2/7): shorewall-shell-4.0.15-1.el5.noarch.rpm | 76 kB 00:00
(3/7): python-inotify-0.9.1-1.el5.noarch.rpm | 86 kB 00:00
(4/7): fail2ban-0.8.4-29.el5.noarch.rpm | 136 kB 00:00
(5/7): shorewall-perl-4.0.15-1.el5.noarch.rpm | 137 kB 00:00
(6/7): python-ctypes-1.0.2-3.el5.i386.rpm | 207 kB 00:00
(7/7): shorewall-common-4.0.15-1.el5.noarch.rpm | 232 kB 00:00
Total 656 kB/s | 883 kB 00:01
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6
epel/gpgkey | 1.7 kB 00:00
Importing GPG key 0x217521F6 "Fedora EPEL <firstname.lastname@example.org>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
Is this ok [y/N]: y
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Installing : shorewall-common 1/7
Installing : python-ctypes 2/7
Installing : python-inotify 3/7
Installing : shorewall-shell 4/7
Installing : shorewall-perl 5/7
Installing : shorewall 6/7
Installing : fail2ban 7/7
python-ctypes.i386 0:1.0.2-3.el5 python-inotify.noarch 0:0.9.1-1.el5 shorewall.noarch 0:4.0.15-1.el5 shorewall-common.noarch 0:4.0.15-1.el5
shorewall-perl.noarch 0:4.0.15-1.el5 shorewall-shell.noarch 0:4.0.15-1.el5
Take a look at these urls for slightly different approaches:
I edited the /etc/fail2ban/filter.d/asterisk.conf file to reflect some localizations, as well as some additions to the regular expressions fail2ban uses when it scans the log files for indications of an 'attack'.
[root]# vi /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
# $Revision: 250 $
#
# Read common prefixes. If any customizations available -- read them from
#before = common.conf
#_daemon = asterisk

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>\:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
Then edit /etc/fail2ban/jail.conf to enter the appropriate email addresses, ban times, etc.
[root]# vi /etc/fail2ban/jail.conf
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=ASTERISK, dest=email@example.com, sender=firstname.lastname@example.org]
logpath  = /var/log/asterisk/full
maxretry = 5
bantime  = 259200
Don’t forget to check the email address for reporting ssh notices as well…
Now when I start fail2ban I get :
[root]# service fail2ban start
Starting fail2ban: [ OK ]
Then I want to take a quick look at iptables to see if fail2ban is showing up there.
[root@localhost filter.d]# iptables -L -v
Chain INPUT (policy ACCEPT 438 packets, 33411 bytes)
 pkts bytes target            prot opt in     out     source       destination
  438 33411 fail2ban-ASTERISK all  --  any    any     anywhere     anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target            prot opt in     out     source       destination

Chain OUTPUT (policy ACCEPT 217 packets, 24088 bytes)
 pkts bytes target            prot opt in     out     source       destination

Chain fail2ban-ASTERISK (1 references)
 pkts bytes target            prot opt in     out     source       destination
  438 33411 RETURN            all  --  any    any     anywhere     anywhere

Chain fail2ban-SSH (0 references)
 pkts bytes target            prot opt in     out     source       destination
    0     0 RETURN            all  --  any    any     anywhere     anywhere
Now you can test the setup by running the log file through the filter we defined:
[root]# fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf
If you have a huge log file this could take quite a while and max out the CPU, so be careful. You might want to find some 'failed to authenticate' entries in a log file and copy them into a new, much smaller file to test against.
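As an added example (not part of the original post, and not fail2ban's own code), the following Python applies the failregex lines from the filter above to a few constructed /var/log/asterisk/full lines and then applies the jail's maxretry the way fail2ban would. The <HOST> stand-in and the findtime of 600 seconds are assumptions; the sample lines and addresses are constructed.

```python
"""Run the post's Asterisk failregex lines over constructed log lines and
decide which hosts reach the jail's maxretry. Added example; not fail2ban."""
import re
from collections import defaultdict
from datetime import datetime

# Stand-in for fail2ban's <HOST> expansion (assumption: the real one is a
# little broader, e.g. it also tolerates an IPv6-mapped "::ffff:" prefix).
HOST = r"(?P<host>[\w\-.]+)"

# The failregex lines from the post's /etc/fail2ban/filter.d/asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>\:.*' - No matching peer found",
    r"NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>\:.*' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Asterisk's full log prefixes every line with "[Mon DD HH:MM:SS]".
TIMESTAMP = re.compile(r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\]")


def match_line(line):
    """(index of the first failregex that matches, offending host) or None."""
    line = line.rstrip("\n")
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def parse_time(line, year=2011):
    """Asterisk omits the year, so the caller supplies it (assumed 2011 here)."""
    m = TIMESTAMP.match(line)
    return datetime.strptime("%s %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S") if m else None


def failures_by_host(lines):
    """What fail2ban-regex would report: matched lines per offending host."""
    counts = defaultdict(int)
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts reaching maxretry failures inside a sliding findtime window.
    maxretry=5 is the post's jail setting; findtime=600 s is fail2ban 0.8's
    default (assumption: the post's jail does not override it)."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit, ts = match_line(line), parse_time(line)
        if hit is None or ts is None:
            continue
        host = hit[1]
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample lines in the format of /var/log/asterisk/full; the
# addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = """\
[Jun 26 15:02:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '192.0.2.10' - Wrong password
[Jun 26 15:02:03] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '192.0.2.10:5060' - No matching peer found
[Jun 26 15:02:05] NOTICE[2231] chan_sip.c: Host 192.0.2.10 failed MD5 authentication for 'admin' (0badcafe != deadbeef)
[Jun 26 15:02:07] NOTICE[2231] chan_sip.c: Host 192.0.2.10 failed to authenticate as 'admin'
[Jun 26 15:02:09] NOTICE[2240] chan_iax2.c: No registration for peer 'alice' (from 192.0.2.10)
[Jun 26 15:02:11] NOTICE[2231] chan_sip.c: Registration from '<sip:200@10.0.0.1>' failed for '198.51.100.7' - Username/auth name mismatch
[Jun 26 15:02:13] VERBOSE[2231] logger.c:     -- Registered SIP '200' at 10.0.0.20 port 5060
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per host:", failures_by_host(lines))
    print("would be banned:", sorted(hosts_to_ban(lines)))
```

The second line only matches the '<HOST>\:.*' variant, which is the point of the added port-suffixed patterns; the VERBOSE line is there to show that ordinary registrations are left alone.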
Also, to take a better look at the configuration files without comments, try this command (replace jail.conf with the file you want to look at).
The "#" can be changed to whatever comment character you see in the file; this will also remove blank lines from the file.
[root]# grep -v '^$' jail.conf | grep -v "#" | more
Hope this helps someone.
Posted on | July 5, 2012 | No Comments
The PCI-E card vs. the DREMEL.
It all started simply enough.
I had a box over in the corner that had been running as a server for a couple of years but now I didn’t need it to do that any more. It was a nice enough computer (xeon) and would make a solid functional workstation where things could be created that would make the world a better place to live.
Problem was that it needed two monitors for this good work I had in mind and sadly the built-in adapter was not up to the task.
You will notice in the accompanying pictures that there are some interesting slots on the board, including an x8/x4 slot that is integrated with the riser slot closest to the CPU.
I looked around for an x8 pci-e card but no one I knew had actually ever seen one and searching for one seemed like a pretty thankless endeavor. Plus I had a couple of working pci-e x16 pulls that were just collecting dust.
I knew in my heart that it was ok to plug a smaller/shorter/slower card (x1, x4, x8) into a larger (x16) slot but was not sure about the other direction. Normally x4 and x8 slots include an end stop that prevents plugging in an x16 card, though over the course of time I have seen a couple of boards that had open-ended slots. I assumed this meant that you could put a longer card into the slot designed for a shorter card, for example an x16 card into an x8 slot.
We all know what happens when you assume things, so I did a little digging. I am always amazed at how quickly you can lose track of what you are looking for when you go searching on the interwebs.
After controlling my urge to wander down the many paths calling to me I noted that there were many stories; I saw a guy that did this, I remember a friend of mine told me a buddy of his did one thing or another, we cut out the end of the slot…you know. And then there were the pci-x manufacturers that said, no way, don’t try this kind of thing at home.
I began to doubt myself but I continued tirelessly searching (to the sound of Muse playing on Pandora).
During these travels I stumbled across the very simple idea of converting an x8 card slot to an x16 slot. Hmmm. They called these magical things lane reduction extenders. I know that confuses me a little bit too, reduction extenders... I love English.
Anyway, these devices raised the height of the card by a bit and seemed to me that they cost too much money and would end up causing more trouble than they were worth. Then I found the adaptors that used some cable to overcome the height issue. The “Riser Card Adapter Flexible Extender Extension Cable”. Dammit they only cost about 10 bucks. Obviously these were designed and sold by agents of the devil to seduce simple minded people to the dark side.
I began to doubt myself again…where would I tape/glue/screw/attach the card on the end of the flapping cable? Damn the devil and his/her easy fix…
I took a walk and pondered the meaning of life. It didn’t really help much with that but when I returned I had a revelation.
If somebody was willing to sell these converters it must be *OK*, or at least work some of the time. That was enough to convince me that an x16 card would work in an x8 slot, if there was just a way to put it in there. So the urban legend of cutting out the end of the slot may be real after all. The search continues. News at eleven.
However, there was no 'end' cap to remove from my slot so this simple solution would **NOT** work for me. Why does life have to be so complicated? The x8 slot coexists with the riser card slot... if I removed the separator I knew deep down that the extra fingers would mate with contacts in the slot that would generate electrical kinds of magic stuff, releasing the smoke trapped in the card and maybe the motherboard. This would be bad. (now listening to Lindsey Stirling, Crystallize)
The *REAL* solution
The strength of my earlier revelation carried me over the bumps and troughs of this path, helping me accept that my life goal was to somehow make this wedding of card and motherboard a reality.
But cutting the slot was off the table so, what is a lazy (though now enlightened) person to do? Spend money on a simple but inelegant solution of purchasing a lane converter? No…No…No… that would be too easy. I would not be bettered by a simple disjunctive syllogism.
Yes such a simple blinding vision – Cut the card to fit!
So I followed my vision even though my workmates thought I had finally slipped over the edge. Dremel and saw and knife and sander…(and tape)
I know – you think you can call BS but I am including some pictures in no particular order so that you can see for yourself.
Enjoy.
P.S. I am currently installing update 753.5 of Windows 7 64-bit on this box...
Posted on | July 19, 2011 | No Comments
I am on a roll with failed mirrored drives lately. I am currently fixing a friend's failed mirror set on a Windows 2003 server after last week's in-house Ubuntu software RAID 1 failure.
The phone call
The system volume on the primary drive failed due to read errors. When rebooted they could not get it to load the OS, even after restarting the system again. Selecting the default 'windows 2003' boot option just put them into a boot loop. This is when they involved me by way of a phone call.
The system is several years old running server 2003 standard with a single 3ghz p4 and 2gb of ram and an asus motherboard in an antec case. The mirrored drives are 80gb sata drives. Good drives in the day. Software RAID 1 mirroring.
Talking with them on the phone, I asked them to choose the 'mirror - secondary plex' boot option but this just locked up the system part way into the boot. I was afraid that whatever had messed up the primary system dynamic volume had been copied to the mirror drive, so I made arrangements to stop by after finishing the job I was currently at.
Looking at the server ‘in situ’ I noticed that the box was infested with dust bunnies – but didn’t notice any unusual noises – though it is located adjacent to several other pieces of equipment that are fairly loud.
So I shut it down and took it out to give it a quick cleaning. Just enough to remove the bunnies and visually inspect the interior of the box for stuck fans, loose cables, etc.
Reassembled and attempted a ‘default’, don’t touch anything, boot. No luck – bios failure on recognizing the primary boot drive.
Shut down again and checked all the drive cables – removed and reinstalled.
Took a minute to check with my friend to see if he still had the disk image that we had made of his system volume for insurance – and he did. We also took the time to check the backups from the night before of all the data. Looked good as well. It always feels good at a time like this to know that if all else fails we can restore the system volume from the image file and then restore all of the data from the backups.
Boot the system
Bios recognized the drive but would not boot to default. Rebooted and chose ‘secondary plex’ option.
Booted into Windows server, logged in and ran compmgmt.msc /s from the run command.
In disk management I took a look at the drives. The data volume was re-syncing and the system volume was online with errors – failed redundancy status. Hmm.
I waited for the re-syncing volume to finish (because I am paranoid) and took the opportunity to take a look at the event viewer: run -> eventvwr.msc
Check Event Viewer
I read through the errors and decided that the drive probably should be replaced just to be on the safe side even if we could bring it back on line and repair it.
Don’t remove the Mirror! or even break it – yet.
Do not remove the mirror. That will wipe out the shadow drive. This is bad.
Do not break the mirror either. If you break the mirror now (while both drives are in the computer) the second (shadow) drive dynamic volumes will be assigned new drive letters – this will mess with the ability to boot off of that drive at a later date or possibly even rebuilding the raid. I suspect this has something to do with the LDM (Logical Disk Manager) database used by dynamic disks to track volume types, drive letters, etc. If anyone knows the answer to this, let me know.
It is also related to the fact that the paging file, as far as this particular registry is concerned, is located on a drive that no longer exists... ouch. This can cause a vicious cycle of 'enter your login name and password' because there is no virtual memory.
For some more info on this check out http://support.microsoft.com/kb/249321
Another support doc you might want to look at if you inadvertently break your mirror before you remove the bad drive – http://support.microsoft.com/kb/223188
Why is it so complicated? I know, stop whining and get back to work.
For more information on Dynamic disks you can check out http://support.microsoft.com/kb/816307
There is an interesting paragraph there (well more than one, but this is relevant to our conversation)
Missing dynamic disks
If Disk Management shows a missing dynamic disk, this means that a dynamic disk that was attached to the system cannot be located. Because every dynamic disk in the system knows about every other dynamic disk, this “missing” disk is shown in Disk Management. Do not delete the missing disk’s volumes or select the Remove Disk option in Disk Management unless you intentionally removed the physical disk from the system and you do not intend to ever reattach it. This is important because after you delete the disk and volume records from the remaining dynamic disk’s LDM database, you may not be able to import the missing disk and bring it back online on the same system after you reattach it.
Remove problem drive
After the data volume finished its job syncing I shut down the server and removed the problem hard drive. I then installed the replacement hard drive and rebooted.
After logging in I returned to disk management and deleted the failed drive followed by converting the newly installed drive to dynamic by right clicking on the Disk and selecting Dynamic.
Re-enable the mirror
Once the new drive is dynamic as opposed to basic, a fast process, right click on the old drive volumes and create a mirror for each volume.
Now the syncing will take a while. Be patient. Go have lunch, dinner, a cup of coffee or if you prefer, a beer. You deserve it.
Posted on | June 29, 2011 | No Comments
The other day I got an email from mdadm, a process running on some of our servers that keeps an eye on the RAID array.
-----
This is an automatically generated mail message from mdadm running on woo

A DegradedArray event had been detected on md device /dev/md0.

Faithfully yours, etc.

P.S. The /proc/mdstat file currently contains the following:

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda2
      303805120 blocks [2/1] [U_]

md0 : active raid1 sda1
      7815488 blocks [2/1] [U_]

unused devices: <none>
-----
This was not a happy event – looks like one of the two drives in the array was no longer working.
- This is a system that’s a couple of years old running software RAID 1 (mirrored) 320gb SATA drives.
- OS is Ubuntu 9.04 running web services.
- The failed drive is no longer readable by the system.
- There are only two partitions on the drive : System and Swap.
Easiest thing to do here is to replace the drive (first making a new backup).
I just ran a quick check on the raid status to confirm the email I had received.
cat /proc/mdstat (maybe you will need to sudo this command)
This is my output
-----
Sun Jun 26:02:27 PM:~$ cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda2
      303805120 blocks [2/1] [U_]

md0 : active raid1 sda1
      7815488 blocks [2/1] [U_]

unused devices: <none>
Sun Jun 26:02:28 PM:~$
-----
Now I had to pull the bad drive and replace it.
1- Sometimes you can find out which is the bad drive by looking in dmesg for the read failure on the device.
dmesg | grep ata (or whatever is appropriate for you)
2- Shutdown and unplug the suspect drive – reboot to confirm you have the correct device unplugged.
3- Plug in the new drive (best if it is unpartitioned/unformatted)
Reboot and watch the boot-up to see if the drive shows up; if you don't see it go by on the screen (I always get attracted to something else and forget to watch carefully):
Once the box is booted up – grep the output of dmesg to find the new device.
4- You can also check (and get important info for the next steps) by running
sudo fdisk -l
-----
Sun Jun 26:02:30 PM:~$ sudo fdisk -l
[sudo] password for ken:

Disk /dev/sda: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x59b728b7

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1         973     7815591   fd  Linux raid autodetect
/dev/sda2   *         974       38795   303805215   fd  Linux raid autodetect

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Disk /dev/sdb doesn't contain a valid partition table

Disk /dev/md0: 8003 MB, 8003059712 bytes
2 heads, 4 sectors/track, 1953872 cylinders
Units = cylinders of 8 * 512 = 4096 bytes
Disk identifier: 0x00000000

Disk /dev/md0 doesn't contain a valid partition table

Disk /dev/md1: 311.0 GB, 311096442880 bytes
2 heads, 4 sectors/track, 75951280 cylinders
Units = cylinders of 8 * 512 = 4096 bytes
Disk identifier: 0x00000000

Disk /dev/md1 doesn't contain a valid partition table
Sun Jun 26:02:35 PM:~$
-----
Note that my working drive is sda with a couple of partitions.
The device sdb doesn't have a valid partition table. Your mileage (and drive designations) will vary.
5- Now to get the raid back on track we need to copy the existing partition table from the functioning raid drive to the newly installed drive.
(Dangerous stuff here – I have never tried it but would almost bet money that getting the drives backwards would not be ‘good’)
So here is my output for sudo sfdisk -l:
-----
Sun Jun 26:02:49 PM:~$ sudo sfdisk -l

Disk /dev/sda: 38913 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sda1          0+    972     973-    7815591   fd  Linux raid autodetect
/dev/sda2   *    973   38794   37822  303805215   fd  Linux raid autodetect
/dev/sda3          0       -       0          0    0  Empty
/dev/sda4          0       -       0          0    0  Empty

Disk /dev/sdb: 60801 cylinders, 255 heads, 63 sectors/track
sfdisk: ERROR: sector 0 does not have an msdos signature
 /dev/sdb: unrecognized partition table type
No partitions found

Disk /dev/md0: 1953872 cylinders, 2 heads, 4 sectors/track
sfdisk: ERROR: sector 0 does not have an msdos signature
 /dev/md0: unrecognized partition table type
No partitions found

Disk /dev/md1: 75951280 cylinders, 2 heads, 4 sectors/track
sfdisk: ERROR: sector 0 does not have an msdos signature
 /dev/md1: unrecognized partition table type
No partitions found
Sun Jun 26:02:49 PM:~$
-----
6- Check out the man page for sfdisk and read through some of the stuff there.
We are going to use the -d option which should give us the partition information
about one device and pipe that through to the other device – hopefully using the partition information gleaned from the good drive to recreate the same partitions on the new drive…(fingers crossed here)
sudo sfdisk -d /dev/sda | sudo sfdisk /dev/sdb
So again we are just piping the output of the first sfdisk command into the input of the second.
If you want see the output of the first part of the command before you commit to destroying whatever is on the target of the second sfdisk command you can enter just that portion and see what you get.
sudo sfdisk -d /dev/sda (again use the appropriate drive designation here for your system – not mine)
You should get some output that sort of makes sense to you…
-----
Sun Jun 26:02:49 PM:~$ sudo sfdisk -d /dev/sda
# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=       63, size= 15631182, Id=fd
/dev/sda2 : start= 15631245, size=607610430, Id=fd, bootable
/dev/sda3 : start=        0, size=        0, Id= 0
/dev/sda4 : start=        0, size=        0, Id= 0
Sun Jun 26:02:57 PM:~$
-----
If you point this command at the newly installed drive you should get an error (unless it has an existing partition table that sfdisk recognizes).
Here is mine again
-----
Sun Jun 26:02:57 PM:~$ sudo sfdisk -d /dev/sdb
sfdisk: ERROR: sector 0 does not have an msdos signature
 /dev/sdb: unrecognized partition table type
No partitions found
Sun Jun 26:02:59 PM:~$
-----
All of this double checking makes me feel a little better about continuing…
-----
Sun Jun 26:02:59 PM:~$ sudo sfdisk -d /dev/sda | sudo sfdisk /dev/sdb
Checking that no-one is using this disk right now ...
OK

Disk /dev/sdb: 60801 cylinders, 255 heads, 63 sectors/track
Old situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdb1          0+    972     973-    7815591   fd  Linux raid autodetect
/dev/sdb2   *    973   38794   37822  303805215   fd  Linux raid autodetect
/dev/sdb3          0       -       0          0    0  Empty
/dev/sdb4          0       -       0          0    0  Empty
New situation:
Units = sectors of 512 bytes, counting from 0

   Device Boot    Start       End   #sectors  Id  System
/dev/sdb1            63  15631244   15631182  fd  Linux raid autodetect
/dev/sdb2   *  15631245 623241674  607610430  fd  Linux raid autodetect
/dev/sdb3             0         -          0   0  Empty
/dev/sdb4             0         -          0   0  Empty
Successfully wrote the new partition table

Re-reading the partition table ...

If you created or changed a DOS partition, /dev/foo7, say, then use dd(1)
to zero the first 512 bytes:  dd if=/dev/zero of=/dev/foo7 bs=512 count=1
(See fdisk(8).)
Sun Jun 26:03:01 PM:~$
-----
Whew... I always get a little butterfly thing no matter how many drives I break...
(P.S. right at the moment I am listening to a shredder from the early 90s Gary Hoey. No Joe Satriani but still fun sometimes)
7- So now I want to take another quick look at all of the partitions with
sudo fdisk -l
-----
Sun Jun 26:03:02 PM:~$ sudo fdisk -l

Disk /dev/sda: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x59b728b7

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1         973     7815591   fd  Linux raid autodetect
/dev/sda2   *         974       38795   303805215   fd  Linux raid autodetect

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         973     7815591   fd  Linux raid autodetect
/dev/sdb2   *         974       38795   303805215   fd  Linux raid autodetect

Disk /dev/md0: 8003 MB, 8003059712 bytes
2 heads, 4 sectors/track, 1953872 cylinders
Units = cylinders of 8 * 512 = 4096 bytes
Disk identifier: 0x00000000

Disk /dev/md0 doesn't contain a valid partition table

Disk /dev/md1: 311.0 GB, 311096442880 bytes
2 heads, 4 sectors/track, 75951280 cylinders
Units = cylinders of 8 * 512 = 4096 bytes
Disk identifier: 0x00000000

Disk /dev/md1 doesn't contain a valid partition table
-----
8- Nice, there is the second drive with appropriate partitions, but still not a happy RAID camper.
Again and again – use the correct nomenclature for your particular system configuration
In the case of our example system we will use these commands
This is for the swap partition
sudo mdadm --add /dev/md0 /dev/sdb1
-----
Sun Jun 26:03:13 PM:~$ sudo mdadm --add /dev/md0 /dev/sdb1
mdadm: added /dev/sdb1
-----
and this is for the system partition
sudo mdadm --add /dev/md1 /dev/sdb2
-----
Sun Jun 26:03:13 PM:~$ sudo mdadm --add /dev/md1 /dev/sdb2
mdadm: added /dev/sdb2
-----
So now that we have done that, let's see what is going on by looking at mdstat again.
-----
Sun Jun 26:03:16 PM:~$ cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sdb2 sda2
      303805120 blocks [2/1] [U_]
      [>....................]  recovery =  0.9% (2881792/303805120) finish=80.2min speed=62493K/sec

md0 : active raid1 sdb1 sda1
      7815488 blocks [2/2] [UU]

unused devices: <none>
Sun Jun 26:03:16 PM:~$
-----
Awesome stuff. Look, the computer machine is working to bring the newly added device up to snuff. Love it.
You can also get additional information using
sudo mdadm --detail /dev/md1
sudo mdadm --detail /dev/md0
-----
Sun Jun 26:04:02 PM:~$ sudo mdadm --detail /dev/md0
/dev/md0:
        Version : 00.90
  Creation Time : Sat Sep 19 19:59:31 2009
     Raid Level : raid1
     Array Size : 7815488 (7.45 GiB 8.00 GB)
  Used Dev Size : 7815488 (7.45 GiB 8.00 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 0
    Persistence : Superblock is persistent

    Update Time : Sun Jun 26 15:15:35 2011
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           UUID : c6fe5bf1:47145c2e:8f53a666:581a3da1
         Events : 0.604

    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1
Sun Jun 26:04:04 PM:~$
-----
-----
Sun Jun 26:03:30 PM:~$ sudo mdadm --detail /dev/md1
/dev/md1:
        Version : 00.90
  Creation Time : Sat Sep 19 19:59:48 2009
     Raid Level : raid1
     Array Size : 303805120 (289.73 GiB 311.10 GB)
  Used Dev Size : 303805120 (289.73 GiB 311.10 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 1
    Persistence : Superblock is persistent

    Update Time : Sun Jun 26 16:02:40 2011
          State : active, degraded, recovering
 Active Devices : 1
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 1

 Rebuild Status : 55% complete

           UUID : a004ba5a:4a61bca9:f20d5c50:35d36b51
         Events : 0.4423477

    Number   Major   Minor   RaidDevice State
       0       8        2        0      active sync   /dev/sda2
       2       8       18        1      spare rebuilding   /dev/sdb2
-----
9- Now go get a cup of coffee, tea, water... whatever you enjoy. This recovery will take a bit of time to complete. I am going to have some left over pasta from dinner last night.
10- Finally we want to install GRUB onto the new drive:
sudo grub-install /dev/md1
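An added example, not part of the original post and not mdadm's own code: a small Python parser for the /proc/mdstat format shown throughout these steps, reporting which arrays are degraded (the condition behind the DegradedArray mail that started this) and how far a rebuild has gone. The inputs are constructed from the two listings above; the slot indexes such as sda2[0], which a real mdstat prints and the pasted output lost, are assumed.

```python
"""Parse /proc/mdstat and report degraded and rebuilding arrays.
Added example; not mdadm's own code."""
import re

# "md1 : active raid1 sdb2[2] sda2[0]"; the post's pasted output lacks the
# [slot] suffixes, so members are accepted with or without them.
MD_LINE = re.compile(r"^(?P<name>md\d+) : (?P<state>\w+) (?P<level>\S+) (?P<members>.*)$")
# "303805120 blocks [2/1] [U_]" -> configured/active device counts and slot map.
STATUS_LINE = re.compile(r"\[(?P<total>\d+)/(?P<active>\d+)\] \[(?P<slots>[U_]+)\]")
# "[>....................]  recovery =  0.9% (2881792/303805120) finish=80.2min ..."
RECOVERY_LINE = re.compile(r"recovery = *(?P<pct>[\d.]+)%")


def parse_mdstat(text):
    """Return {md name: {level, members, total, active, slots, recovery}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = MD_LINE.match(line)
        if m:
            current = m.group("name")
            members = [dev.split("[")[0] for dev in m.group("members").split()]
            arrays[current] = {"level": m.group("level"), "members": members,
                               "total": None, "active": None, "slots": "",
                               "recovery": None}
            continue
        if current is None:
            continue
        s = STATUS_LINE.search(line)
        if s:
            arrays[current].update(total=int(s.group("total")),
                                   active=int(s.group("active")),
                                   slots=s.group("slots"))
        r = RECOVERY_LINE.search(line)
        if r:
            arrays[current]["recovery"] = float(r.group("pct"))
    return arrays


def degraded_arrays(arrays):
    """Names of arrays with fewer active members than configured (the [2/1] case)."""
    return sorted(n for n, a in arrays.items()
                  if a["total"] is not None and a["active"] < a["total"])


def report(text):
    """One human-readable line per array, the kind of summary mdadm --monitor mails."""
    lines = []
    for name, a in sorted(parse_mdstat(text).items()):
        if a["total"] is None:
            status = "unknown"
        elif a["active"] == a["total"]:
            status = "clean"
        elif a["recovery"] is not None:
            status = "degraded, recovering %.1f%%" % a["recovery"]
        else:
            status = "degraded, %d of %d devices (slots %s)" % (a["active"], a["total"], a["slots"])
        lines.append("%s %s %s: %s" % (name, a["level"], "+".join(a["members"]), status))
    return lines


# Constructed from the post's two listings: before the new drive was added,
# and after "mdadm --add" with md1 still resyncing. Slot indexes are assumed.
BEFORE = """\
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda2[0]
      303805120 blocks [2/1] [U_]

md0 : active raid1 sda1[0]
      7815488 blocks [2/1] [U_]

unused devices: <none>
"""
AFTER = """\
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sdb2[2] sda2[0]
      303805120 blocks [2/1] [U_]
      [>....................]  recovery =  0.9% (2881792/303805120) finish=80.2min speed=62493K/sec

md0 : active raid1 sdb1[1] sda1[0]
      7815488 blocks [2/2] [UU]

unused devices: <none>
"""

if __name__ == "__main__":
    for text in (BEFORE, AFTER):
        print("\n".join(report(text)))
        print("degraded:", degraded_arrays(parse_mdstat(text)))
```

Pointing parse_mdstat at the real file (open("/proc/mdstat").read()) from cron gives a check that does not depend on the mdadm monitor mail getting through.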
Good luck, ken.
Posted on | May 24, 2011 | 2 Comments
Recently I was troubleshooting what I initially felt was a SonicWall VPN problem.
The client/user tunnels to the VPN endpoint through a wireless connection with a Verizon MIFI 2200. The tunnel comes up just fine but after a few minutes his Remote Desktop Connection to a box on the other end of the VPN drops.
The time between drops varies a bit but hovers around the 5-8 minute mark. He is still able to browse the internet, check email, etc. using local tools without any undue trouble. The VPN client tool shows that it is connected but sadly no traffic moves across the tunnel after the MIFI becomes 'dormant'. Cannot ping the other side of the tunnel or run a tracert. The computer is a relatively new laptop running Windows 7 that otherwise seems happy and well adjusted.
Using the laptop’s ethernet adaptor to attach to a LAN at a different location connecting to the internet through a dedicated line has no issues with the VPN dropping connection.
Using wireless through a d-link router connecting to the internet through a cable modem showed no tendency to drop the VPN connection.
I tested the MIFI using a different notebook with a fresh windows 7 professional installation. Loaded SonicWall’s 32bit Global VPN Client and configured the connection.
- Attaching the computer through its ethernet adaptor to the DSL modem/internet connection, the VPN was solid with no drops.
- Tethered to the MIFI 2200 with a USB cable, the VPN also was solid with no drops.
- Connecting to the MIFI 2200 wirelessly, the VPN would build a tunnel and work fine for a while – the time varied but within 5 minutes or less the VPN connection would drop. Could not print to the remote printer or use any other network devices across the VPN – connection to the internet (browsing, email, twitter) was still OK.
I checked the firmware and it was pretty old, early 2009, v125.008, so I upgraded to the latest from Verizon, v167.029 dated October 2010, and thought that certainly the problem would be fixed.
Sadly this did not resolve the issue and still after a few minutes (or less) the connection would remain dormant long enough that the VPN would fail – though it still shows connected in the VPN client tool. Browsing and other TCP services worked fine. I ran a ping process to see if that would prevent the dropping of the VPN connection but the tunnel collapsed all around me anyway.
The tunnel can be disconnected and reconnected using the VPN client but terminal services, etc. must be reinitiated. Bad.
Poked around in the interwebs and discovered that many people were having the same type of problem – inability to hold a reliable connection when attaching to the MIFI 2200 over wireless.
At this point in time it seems there is no real fix outside of using the MIFI in tethered mode. (May 2011)
Posted on | May 15, 2011 | No Comments
Changing Server 2008 Password Policy
I have been having some fun working on a couple of Windows Server 2008 R2 installations. Learning a lot of new things every day and this is something that I thought might be of interest.
In one installation the folks that were paying the bill did not like the default password policies that are now standard in Windows Server. They felt that in their small and close environment there was no real need for the stricter requirements being enforced by the new default policies. They were actually pretty lax in their password demands.
I did not and still do not agree with them but upon their insistence I had to figure out how to bypass this need for stronger passwords.
As a quick reminder, Microsoft Server 2008 R2 now insists that your password meet certain ‘complexity’ requirements. This is a good thing – as long as you can remember your password and don’t write it somewhere obvious. Briefly:
Account Policies/Password Policy
Policy :: Settings
- Enforce Password history :: 24 passwords remembered
- Maximum password age :: 42 days
- Minimum password age :: 1 day
- Minimum password length :: 7 characters
- Password must meet complexity requirements :: Enabled
- Store passwords using reversible encryption :: Disabled
Some of these settings can be adjusted at the user level in Active Directory Users and Computers. Modifying or shutting off the Complexity policy requirement is not accessible there.
Here is an explanation of the password complexity requirement option.
Password must meet complexity requirements
This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Enabled on domain controllers.
Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.
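To see what the setting actually buys you, here is an added Python checker that implements the complexity rules quoted above, together with the separate minimum-length setting from the policy table (7 characters). It is illustrative code written for this page, not Microsoft's implementation; the set of characters used to split the full name into parts is an assumption, and only the four ASCII categories named in the text are counted.

```python
import re
import string

# Assumed delimiters for splitting the full name into parts (not from the page).
NAME_DELIMITERS = re.compile(r"[,.\-_ \t#]+")


def contains_name_part(password, account_name="", full_name=""):
    """True if the password contains the account name, or any part of the
    full name longer than two characters (case-insensitive)."""
    pw = password.lower()
    if len(account_name) > 2 and account_name.lower() in pw:
        return True
    return any(len(part) > 2 and part.lower() in pw
               for part in NAME_DELIMITERS.split(full_name))


def complexity_failures(password, account_name="", full_name=""):
    """Return the complexity rules the password breaks (empty list means it passes)."""
    failures = []
    if len(password) < 6:
        failures.append("fewer than six characters")
    if contains_name_part(password, account_name, full_name):
        failures.append("contains the account name or part of the full name")
    categories = (
        any(c in string.ascii_uppercase for c in password),   # A through Z
        any(c in string.ascii_lowercase for c in password),   # a through z
        any(c in string.digits for c in password),            # 0 through 9
        any(c in string.punctuation for c in password),       # non-alphabetic, e.g. !, $, #, %
    )
    if sum(categories) < 3:
        failures.append("characters from fewer than three of the four categories")
    return failures


def password_acceptable(password, account_name="", full_name="",
                        min_length=7, complexity_enabled=True):
    """Apply the policy table: the minimum length (7 by default) is always
    enforced; the complexity rules only when the setting is Enabled."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than the minimum length of %d" % min_length)
    if complexity_enabled:
        failures.extend(complexity_failures(password, account_name, full_name))
    return (not failures, failures)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Password", "Kenneth1!", "aaaaaaa"):
        ok, why = password_acceptable(pw, account_name="ken", full_name="Kenneth Smith")
        print(pw, "OK" if ok else "rejected: " + "; ".join(why))
    print(password_acceptable("aaaaaaa", complexity_enabled=False))
```

Note what disabling the setting means in practice: with `complexity_enabled=False` a seven-letter lowercase word such as "aaaaaaa" is accepted, since the only remaining rule is the length of 7. That is the gap the client asked for, and the reason for the disagreement above.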
There are probably several ways of working around this – but I chose the simple (not always the best no matter what anyone says) way. Please don’t laugh. I thought this was simple…
- Open Group Policy Management Editor
- New Window – Browse for a Group Policy Object
- Under the Domains/OUs tab select Default Domain Policy -> OK
- New Window – Group Policy Management Editor
- Default Domain Policy [servername.domain.extension]
- Expand Computer Configuration
- Expand Policies
- Expand Windows Settings
- Expand Security Settings
- Expand Account Policies
- Select Password Policy
- Now in the right pane:
- Right Click “Password must meet complexity requirements Enabled”
- Select Properties
- New Window – Select Security Policy Setting tab
- Select Disabled->OK
There is probably an easier, faster, or better way to do this. Let me know.
Posted on | February 21, 2011 | No Comments
HP Media Smart Server – troubleshooting Remote Access to media services.
Recently I had the opportunity to spend some time troubleshooting a problem with remotely accessing an HP Media Smart Server. A friend of mine had been beating his head against the wall for a while trying to get access to his box from locations outside of his home network. He had things working well at home but could not seem to crack the code of opening up his router to gain access to appropriate ports from other locations.
The UPnP option was not doing the trick for him.
I did a little research before I went to visit and found there is a fair amount of support available for these boxes. Sadly some of the recommendations were not very helpful so I thought I would take a little time and jot down the steps that we took to resolve his problems – maybe you will get a laugh out of it or maybe you will cry. Hard to say.
The first thing that I did was run some port scanning software from my office pointed at his personal “homeserver.com” hostname to check and see what ports might be open. None. Well, I thought that was interesting because my friend had explained to me that he had set up his router to port forward everything that was necessary.
In hindsight I should have known then and there what the problem was (I think this is why they say hindsight is 20/20). But, I am not always that bright and thought that maybe there was a problem with my software or maybe his dynamic DNS wasn’t working or, you know, something else was wrong.
The next thing was to check with the ISP supplying him internet connectivity at his home to find out their policies on running services with a residential account. As expected they did have some policies in place that prevented remote access to ports used for web services, outgoing mail services, NetBT ports, things like that. But not port 443, or 3389, or 4125. These are the ports that will need to be open for us to get set up and going.
At this point I asked him if he had more than one router at home; this is not uncommon anymore with VOIP specific routers, etc., being placed into service. If you happen to have two routers, one connected to the other, that configuration can create a special set of routing problems. One solution for avoiding dual router (double NAT) problems is to set up the DMZ on your non VOIP router and then hook the VOIP router into your primary router all by itself as the DMZ device. If your ISP allows for multiple devices to be hooked to your DSL/Cable modem then another simple solution is to use a switch as the first device after the Cable/DSL modem and hook your two routers separately to two different ports on the switch. If you are using two routers one behind the other for a special reason make sure that they are on different LAN IP ranges.
So, back to the one router approach since that was all he had. I showed up at his home and passed on the wine – which was tough because it was pretty good wine. Sadly, I need all my available brain cells working when I am troubleshooting and a glass of wine will definitely slow me down.
We began by checking that the Media Server Web interface was available locally. In our browser we used the IP address of the server instead of its name, for instance https://192.168.123.15. We also made sure that we had remote desktop access to the server. Both of these worked locally. Good.
Next step was to take a look at DNS resolution for his server host name – that was all as it should be – so we moved on to https://www.grc.com and used ShieldsUP! to check for open ports. Not a one. Hmm.
Popped up the router in a browser, logged in, and took a look there. Double checked the IP address and ports that were being forwarded onto the media server. It all looked good. But still no ports were open from outside the network. I had brought a laptop and hooked it up to my Verizon phone for internet access so we could test access from outside his local network. Still no go.
Then we decided to change the server IP address from its current ‘reserved DHCP’ to a manually assigned IP address outside of the DHCP range being handed out by the router (a D-Link DIR 825). Some routers just don’t like to forward ports to DHCP assigned IP addresses – even when the directions say they will.
Magically ShieldsUP! now showed the appropriate ports as open and I was able to access his Media Services from my remote laptop. Everyone was happy.
The saddest part was that I had run out of time and had to leave, so I still missed out on the glass of wine.
Posted on | September 19, 2010 | No Comments
7 ½ step path to a successful project
There aren’t really seven and one half steps to magically manage successful projects, or ten for that matter, but there are a number of items that will always require careful and diligent attention.
I was working on a project writing a database query interface for a law firm a number of years ago (more years than I would like to specify – when dBase III was king) and during a discussion of the project with a seasoned programmer friend of mine I said, “When I finish coding this I am going to compile it and never touch it again.” My friend laughed.
For a long time.
At that particular moment I didn’t see the joke but after the stakeholders redefined the functionality of the project time after time without any seeming willingness to alter either the timeline or cost allowances I came to see the very deep dark humor in my statement. On so many levels.
Field Marshal Helmuth Carl Bernard von Moltke said once upon a time in the late 19th century, “No battle plan ever survives contact with the enemy.” Dwight Eisenhower followed up a few years later with, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” I am now convinced they were both seasoned project managers who believed deeply in the need to plan but they also had the benefit of vast experience allowing them to embrace the fact that a plan is just a way to get started doing something.
The sad truth is I like plans, especially when they help guide me through complex tasks. The caveat is simply that the plans I make are completely ignored by life, requiring that they be constantly updated (read changed) during any meaningful project. In creative, new projects, this process of change has to be an iterative process. I always try to remember that, like a marriage, flexibility within the agreed upon framework is primary. Evolution is life, life is change, impermanence just is. The plan will change, be open to that. Hell, plan for it.
P.S. The scope of this article does not include arguing about PMP vs. Prince2
The 7.5 fold path to enlightenment.
1. What is the goal? Notice I didn’t say ‘your’ goal because a project’s goal belongs to the stakeholders, you are the catalyst in a complex chemistry project. A big part of your job as the project manager is to help the folks the product is being built for clearly define what the product is. Some people go so far as to say that if you can’t define the goal in a single sentence you’re not likely to ever reach it…
2. Spend some time planning. Self evident, yes, but we have a tendency to want to ‘get going’ on projects. Take the time to deconstruct. Reductionism is good when applied properly. Break down the big picture into smaller absorbable, manageable parts. Include an iterative process of requirements capturing. Gather data; sometimes it will not even seem related to anything meaningful until you have that epiphany next month. Don’t ever assume you know what the end-users need.
3. Hold onto the big picture. Don’t forget that the smaller parts are interconnected pieces of a complex system of parts that must have a common goal. Sometimes the evolving subsystems don’t evolve in the direction you need. Gently guide everyone back on track when they have wandered off into the woods.
4. Communicate. With everyone. All the time.
5. Know your team. Have them all read #4. Support them, lead them, help them communicate with each other and you. Trust them and make sure they can trust you. Maybe they really do like pizza?
6. Know your Stakeholders. Who are they and what is their relationship to you and the project. They will run the gamut from the people that pay the bills through to the people that are using the end result of the project. And since we don’t know everything we may have to reach outside the team to find ‘experts’ to help in specialized areas like the law or cell phone app design. Listen to all of them carefully. They are the people that are going to decide if you have really completed the project.
7. Test. Test again. Test early, test often. (See #3) Make sure the pieces are fitting together. Evolve the project parts concurrently whenever possible – hopefully avoiding that day when the two halves of the bridge are coming together and you missed the fact there is no place to put the off-ramp.
7.5 Own your project but don’t let it own you. Embrace change and be flexible but remain focused on the goal.
“No battle was ever won according to plan, but no battle was ever won without one.” – Dwight D. Eisenhower.
Posted on | August 21, 2010 | No Comments
A Foundation for Ethics in AI and Human Relations
The relationship between humans and ‘intelligent’ machines is becoming increasingly complex as we move forward together into the new age of synthetic organisms, intelligent systems, and personal use of enhanced bio-synthetic replacement parts for our bodies. We will more regularly come face to face with intelligent systems that will make decisions impacting our everyday life without input from us. From the already widely accepted collection of data assembled by thousands of cameras photographing you as you walk and drive in your town to the seeming science fiction of armed robotic border guards.
There are many ethical issues that need to be addressed now as we rapidly put into place human guided and unguided intelligent equipment. ‘AI’ systems are now being used to complement human decisions in a wide variety of situations, from searching for data online to medical equipment used in the operating room to data management tools used by Generals in war rooms. More autonomous devices such as vehicles able to find their own way through the world are also becoming more widespread. One label for an important part of this field is called “Cognitive Computing”.
There is some discussion taking place in philosophical and technological circles about Cognitive Computing but very little awareness in the general public outside opinions created by movies like “Terminator” and “AI” – and just as importantly there is little discussion of ethical considerations on a governmental level.
One of the first questions that has to be examined is “Should devices with advanced artificial intelligence be thought of (treated) like any other tool that we have built?” Should they be treated more like farm animals, or dogs or will we need to treat them as intelligent beings? “At what point do we need to consider artificially intelligent machines or synthetic organisms our legal equals?”
That is just one of many questions that will require careful exploration. The interaction between intelligent equipment and humanity will give rise to situations we have never been confronted with before. Many of these events will fall well outside the boundaries of our current legal and ethical environments and it is wise for us to begin laying the ground work that will enable the people of the world and their leaders to make well reasoned and careful decisions. Not decisions that are based on irrational fear, bigotry or just lack of knowledge, but rather decisions based on long running rational discussions not just among scientists but philosophers, spiritual leaders, psychologists and people from all walks of life.
It is important to include a wide range of people rather than focusing on one narrower field of study largely because it is the convergence of technologies from many divergent fields, such as biology, nano-tech, structural engineering, computer science, neurobiology, etc., that is enabling the rapid advances in ‘Cognitive Computing’.
To address these many difficult questions rapidly coming our direction we need to gather together knowledgeable individuals from diverse fields of work and study to help develop a balanced perspective from outside the tech culture. These knowledgeable individuals must include Defense Department personnel, guiding members of corporations that currently build robots, ethicists, philosophers, biologists, roboticists, religious leaders, psychologists, and the doctors utilizing bio-synthetic parts for starters. The collected information must be presented to ‘the rest of us’ in a way that will attempt to actively involve everyone in the process of reaching these history changing ethical decisions and guide the future of humanity.
This goal of information dissemination can be accomplished on several fronts.
- Writing articles in newspapers, magazines, wikipedia. Electronic Newsletters.
- Speaking engagements at schools, business organizations, government bodies, etc.
- Web site with information, new content, blog, links.
- New Social Networking tools (twitter, facebook, etc.)
- Video – youtube, Television.
- Photography books.
- Art exhibits
- Lobbying efforts
- Software apps that would help raise awareness for mobile devices and desktop systems.
- Toys that help define the relationships between humans and intelligent machines as well as ‘enhanced’ humans.
- Children’s books.
http://www.komonews.com/news/tech/44713162.html – “New surveillance cameras don’t even need anyone watching” – Mathematical algorithms embedded in the stores’ new security system pick out sweethearting on their own. There’s no need for a security guard watching banks of video monitors or reviewing hours of grainy footage.
http://abcnews.go.com/Technology/story?id=2504508&page=1 – “Robo-Soldier to Patrol South Korean Border” – “Until now, technology allowed these robots to conduct monitoring function[s] only. But [now] our robots can detect suspicious moving objects, literally go after them, and can even fire at them,” said Sang-Il Han, principal research engineer at Samsung Techwin.
http://www.isd.mel.nist.gov/whatsnew.htm – National Institute of Standards and Technology Intelligent Systems Division – (James Albus – Senior Fellow at NIST) Albus, who predicts that autonomous vehicles could equal human levels of performance in most areas within 20 years, is the co-inventor of the Real-time Control Systems (RCS) architecture and methodology.
http://www.darpa.mil/darpatech2002/presentations/dso_pdf/speeches/EISENSTADT.pdf – Dr. Eric Eisenstadt – Defense Sciences Office (DSO) – Brain Machine Interface : “Picture a time when humans see in the UV and IR portions of the electromagnetic spectrum, or hear speech on the noisy flight deck of an aircraft carrier; or when soldiers communicate by thought alone. Imagine a time when the human brain has its own wireless modem so that instead of acting on thoughts, warfighters have thoughts that act. Later during DARPATech, you will hear from IPTO about efforts to create intelligent machines.”
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/science/nature/7740484.stm?ad=1 – IBM has announced it will lead a US government-funded collaboration to make electronic circuits that mimic brains. – Part of a field called “cognitive computing”, the research will bring together neurobiologists, computer and materials scientists and psychologists. – As a first step in its research the project has been granted $4.9m (£3.27m) from US defence agency Darpa.
http://www.physorg.com/news161598692.html – Artificial Tissue – A team of Australian and Korean researchers led by Geoffrey M. Spinks and Seon Jeong Kim has now developed a novel, highly porous, sponge-like material whose mechanical properties closely resemble those of biological soft tissues. As reported in the journal Angewandte Chemie, it consists of a robust network of DNA strands and carbon nanotubes.
http://news.bbc.co.uk/2/hi/technology/6200005.stm – From BBC News a headline in 2006. “Robots could one day demand the same citizen’s rights as humans, according to a study by the British government.”
Posted on | March 18, 2010 | 3 Comments
Understanding the terms used in registering a domain name will help ensure that you maintain control of your own domain.
ICANN – this is the non-profit organization that currently manages the assignment of names and numbers on the internet in order to ensure that every node (spot) on the network is unique.
To quote from the ICANN web site :
ICANN was formed in 1998. It is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.
To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet.
ICANN has created the system of Registrars, organizations that register/issue unique domain names. All Registrars must be accredited by ICANN, which maintains a list of these Registrars at http://www.icann.org/registrars/accredited-list.html
The gTLDs (Generic Top Level Domains) include .aero, .biz, .com, .coop, .info, .museum, .name, .net, .org, and .pro. These are the domains that we obtain a name in, for instance, mycoolname.com or mycoolname.biz, etc. Each of these domain names must be unique.
When you are issued the registration to a domain name people/entities will be assigned to different domain management ‘roles’. The initial Registrant (the person/entity obtaining the domain name) and the administrative, technical and billing contacts are the people or entities listed on the original Domain Name Registration Agreement that is filed with the Registrar when you actually obtain the domain name.
Who is assigned to perform the duties of these management ‘roles’ is important in terms of who ultimately controls and can change your domain information. When you register your domain name using a third party such as an ISP or Web development company (as opposed to you going directly to a Registrar’s website and filling out the application yourself) you need to be sure that when that organization assigns people/groups to the different management roles, they are being filled by people that you want. Incorrect handling of these roles can be a very painful and/or costly error that you won’t notice until later when you want to move your website to a new hosting company, move your email services, change your domain DNS information, etc. You want to be sure that your interests are protected by the people assigned to each role.
You are the Registrant – even if you use some other business to fill out the registration form for you. You or your company/organization needs to be listed as the Registrant. The Registrant is the party that ultimately controls the domain name (at least as long as the renewal fees are paid to the Registrar…)
The administrative, technical and billing contacts are people, groups or a ‘role contact’ that represent the Registrant (you) when issues/questions about your domain name arise either with the Registrar or other entity that might need to gather information about your domain name.
A ‘role contact’ is really just a job title by another name. The person or group holding that title can change but the contact information for that ‘role contact’ will not. An example of a ‘role contact’ would be ‘hostmaster’, ‘webmaster’, ‘domainmaster’ or whatever title you like. You can assign this role contact to the admin, tech or billing fields when filling out your domain name application. It is an excellent method of ensuring that contact continuity is maintained when people move on to a new position in your company.
Administrative Contact
This is the person, group, or ‘role contact’ that will act on behalf of the Registrant in communications with the Registrar. This again should be ‘you’ or someone who can be trusted to represent your interests at all times. They do not need to be technically proficient but must be able to deal with the basic questions that might arise in dealing with the Registrant, stuff like “What is the mailing address, phone number, fax, etc…”
Ensure that this is exactly who you want it to be in the application for registration. You can create a special position in your organization and use that as the Admin contact or you can assign it to an individual – just be sure that if the individual leaves your employ the domain information gets updated to reflect the new person with this duty.
Technical Contact
Pretty much what it says. The technical contact manages the name servers of a domain name. In many cases, the technical contact will be a representative of the internet service provider, hosting company, or web development firm that helps you manage your website, email services, etc.
Billing Contact
I think we all know what this is about. The Registrar needs to know who is going to pay for your domain name when renewal time comes up. It is also important that this contact information remains current so that billing information gets to someone that will actually pay for the renewal in a timely manner.
Name Servers (from wikipedia)
Name servers. Most registrars provide two or more name servers as part of the registration service. However, a registrant may specify its own authoritative name servers to host a domain’s resource records. The registrar’s policies govern the number of servers and the type of server information required.
The most important thing to take from this is that you want to be sure that these domain management roles are filled appropriately to ensure that you can continue to control and use your domain name.
If the data stored in these positions are not accurate, you should immediately contact the people you used to register this domain name and begin the process of setting things right. This can sometimes take quite a bit of time and might involve faxes, letters, etc. to the domain registrar. Plan ahead. Use the Whois command/service to check out what information is currently in place for your domain.
ICANN requires accredited Registrars to provide free public access to the name of the registered domain name and its nameservers and registrar, the date the domain was created and when its registration expires, and the contact information for the Registered Name Holder, the technical contact, and the administrative contact. You will generally find a whois service link on your Registrar’s website, or you can use services like whois.net.
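To make the Whois check above concrete, here is an added Python example (not part of the original post, and not any registrar's tool) that parses a "Field: value" WHOIS record and flags the role problems this post describes: a Registrant that is not you, a Registrant or administrative contact reachable only through a third party's email domain, and a registration that is about to expire. The record, organization names and domains in it are constructed placeholders, and the field names are an assumption, since real WHOIS output varies by registrar.

```python
from datetime import datetime

ROLES = ("registrant", "admin", "tech", "billing")
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample WHOIS record (not a real domain, registrar or company)
# in the common "Field: value" layout; the field names are an assumption.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2005-03-18T00:00:00Z
Registry Expiry Date: 2011-04-02T00:00:00Z
Name Server: NS1.HOSTINGCO.EXAMPLE
Name Server: NS2.HOSTINGCO.EXAMPLE
Registrant Name: Web Dev Shop LLC
Registrant Organization: Web Dev Shop LLC
Registrant Email: domains@webdevshop.example
Admin Name: Hostmaster
Admin Organization: Example Corp
Admin Email: hostmaster@example.com
Tech Name: Support Desk
Tech Organization: Hosting Co
Tech Email: support@hostingco.example
Billing Name: Accounts Payable
Billing Organization: Example Corp
Billing Email: ap@example.com
"""


def parse_whois(text):
    """Turn 'Field: value' lines into a dict: plain fields keyed in lower case,
    a name_servers list, and one contact dict per role."""
    record = {"name_servers": [], "contacts": {role: {} for role in ROLES}}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        first, _, rest = key.lower().partition(" ")
        if key.lower() == "name server":
            record["name_servers"].append(value)
        elif first in ROLES and rest:
            record["contacts"][first][rest] = value
        else:
            record[key.lower()] = value
    return record


def email_domain(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def days_until_expiry(record, today):
    """Days from today (YYYY-MM-DD) to the registry expiry date, or None if absent."""
    expiry = record.get("registry expiry date")
    if not expiry:
        return None
    return (datetime.strptime(expiry, DATE_FMT) - datetime.strptime(today, "%Y-%m-%d")).days


def audit_roles(record, expected_org, own_domains, today, warn_days=30):
    """List the ways this record would leave control of the domain with someone else."""
    findings = []
    contacts = record["contacts"]
    own = {d.lower() for d in own_domains}
    reg_org = contacts["registrant"].get("organization", "")
    if reg_org.lower() != expected_org.lower():
        findings.append("Registrant organization is %r, not %r: a third party holds the domain"
                        % (reg_org, expected_org))
    # The Registrant and admin contacts speak for the owner to the Registrar; the
    # tech contact is often the hosting company (see above), so it is not flagged.
    for role in ("registrant", "admin"):
        domain = email_domain(contacts[role].get("email", ""))
        if domain not in own:
            findings.append("%s contact email is at third-party domain %r" % (role.capitalize(), domain))
    days = days_until_expiry(record, today)
    if days is not None and days < warn_days:
        findings.append("Registration expires in %d days" % days)
    return findings


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for finding in audit_roles(rec, "Example Corp", {"example.com"}, "2011-03-18"):
        print("WARNING:", finding)
```

Run it over the text of a real `whois yourdomain` query with your own organization name and email domains. On the constructed record it reports three problems: the web shop, not the owner, is the Registrant; the Registrant contact's email belongs to that shop; and the registration expires in 15 days. That is exactly the situation the paragraph above says you should start correcting well ahead of time.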
I am happy to help with these services if you are not comfortable with doing this in house.
ken