Something is wrong.
Instagram token error.

MacKeeper Removal Tool for Munki

Posted: May 28th, 2018 | Author: | Filed under: munki | No Comments »

mackeeper-3.2-icon-100757775-large
Can we have an honest talk about MacKeeper, it’s garbage. So bad. So so bad. When I see it in the wild now, infecting it’s stupid face into my user’s computers I just shake my head. To be fair, it’s well made and well deployed across the net. For all intensive purposes the product is a complete success, however so was the shake weight.

I wrote a script with heavy influence from previous writers on the net to kill the current version of MacKeeper. Next I took that script and dropped it into an installer sort of bash file that runs as a postinstall into unixorn’s luggage.

Simply grab the postinstall file from the following URL and after getting The Luggage into your system you could build out a pkg file for munki.
https://github.com/syntaxcollector/mackeeperkiller


Mitigating Issues with Uptime Reminders by way of MunkiReport

Posted: May 9th, 2018 | Author: | Filed under: Uncategorized | No Comments »

A lot of our users have can go weeks or months without a reboot. Then they write in to ask for support on their slow Mac. Well…. reboot man! How would you feel if you didn’t sleep for a couple days? To mitigate this we’ve leveraged munkireport and google sheets to automate this process. We’ve created a google sheet with three four columns; USER NAME SERIAL NUMBER COMPUTER NAME ASSOCIATED EMAIL. Then we wrote a python script to pull this information in and cross reference it against computer records that report an uptime greater than 7 days. At the end of the script we email all of those users and ask them to please reboot.


#!/usr/bin/python

# munkireport integration to alerts users of 7 day uptime.
import re
import gspread
from oauth2client.service_account import ServiceAccountCredentials
import sqlite3
conn = sqlite3.connect('db.sqlite')
import smtplib
from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText

## use creds to create a client to interact with the Google Drive API
scope = ['https://spreadsheets.google.com/feeds']
creds = ServiceAccountCredentials.from_json_keyfile_name('client_secret.json', scope)
client = gspread.authorize(creds)
#
# Find a workbook by name and open the first sheet
# Make sure you use the right name here.
sheet = client.open("copiousUsers").sheet1
humanname = sheet.col_values(2)
humanname = filter(None, humanname)
serialnumber = sheet.col_values(3)
serialnumber = filter(None, serialnumber)
emailaddress = sheet.col_values(5)
emailaddress = filter(None, emailaddress)
hostname = sheet.col_values(4)
hostname = filter(None, hostname)

# Now find hosts on the shitlist
c = conn.cursor()
#c.execute('SELECT hostname FROM machine INNER JOIN reportdata ON machine.id=reportdata.id WHERE reportdata.uptime>604800;')
c.execute('SELECT serial_number FROM reportdata WHERE uptime>604800;')
shitlist = c.fetchall()
conn.close()
# clean up the list and make ascii unicode
newlist = []
for tup in shitlist:
newlist = newlist + [item.encode('ascii','backslashreplace') for item in tup]
# get rid of anything after the first (.)
newlist = [i.split('.', 1)[0] for i in newlist]

# loop the list and search for matches against the googlesheet, get the details of each user and make a list of lists.
userlist = []
for line in serialnumber:
if line in newlist:
indexNumber = (serialnumber.index(line))
user=(humanname[indexNumber])
email=(emailaddress[indexNumber])
host=(hostname[indexNumber])
x = [user, email, host]
userlist.append(x)

for line in userlist:
## user is line[0] and email is line[1] and the host is line[2]
msg = MIMEMultipart('alternative')
msg['From'] = 'yourEmail'
msg['To'] = line[1]
msg['Subject'] = 'Reboot Reminder, Over 7 Days Uptime Detected'

text = """\
Hello %s,

We have noticed that your computer, %s, has been up for 7 days without a reboot. Please reboot your computer when you can. Having a computer left on for too long without a reboot can lead to memory leaks and overall performance issues.

Best Regards,
Automatic Watchdog
""" % (line[0],line[2])
html = """\


Hello %s,

We have noticed that your computer, %s, has been up for 7 days without a reboot. Please reboot your computer when you can. Having a computer left on for too long without a reboot can lead to memory leaks and overal performance issues.


""" % (line[0],line[2])

part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')
msg.attach(part1)
msg.attach(part2)

server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()
server.login("emailaddress", "password")
text = msg.as_string()

server.sendmail("emailaddress", line[1], text)
server.quit()


Cisco SG200-50 Smart Switch Review

Posted: January 2nd, 2018 | Author: | Filed under: Cisco, Networking | No Comments »


How to Compile Monero Miner xmr-stak for Ubuntu 16.04 LTS

Posted: December 12th, 2017 | Author: | Filed under: CryptoCurrenty, Monero | Tags: , , , , | No Comments »

Monero-MiningI have a couple ethereum mining rigs using AMD GPUs but my partner and I would like to diversify our operation. We wanted a Monero CPU and GPU Miner for AMD cards but couldn’t find a pre-compiled binary.

Get AMDAPPSDK http://developer.amd.com/amd-accelerated-parallel-processing-app-sdk/ You’ll need to get this into your linux rig somehow and install it.

Next we need to prep the system for the build so run the follow lines of bash.

sudo apt install libmicrohttpd-dev libssl-dev cmake build-essential libhwloc-dev cmake-curses-gui
git clone https://github.com/fireice-uk/xmr-stak.git
cd xmr-stak; mkdir build; cd build

Now we’re ready to configure the compilation. ccmake .. -DCUDA_ENABLE=OFF Change the install path to /usr/local/xmr-stak Press “C” a couple times until you see a “G” option for generate config file.

After this I tried to run make but it errored out saying that libOpenCL.so was missing so make sure the OpenCL library in /opt is pointing to the right place.

tjadmin@rig05:~/xmr-stak/build$ ls -l /opt/AMDAPPSDK-3.0/lib/x86_64/libOpenCL.so
/opt/AMDAPPSDK-3.0/lib/x86_64/libOpenCL.so -> /usr/lib/libOpenCL.so.1
tjadmin@rig05:~/xmr-stak/build$ ls -l /usr/lib/libOpenCL.so.1
ls: cannot access '/usr/lib/libOpenCL.so.1': No such file or directory

:(

rm /opt/AMDAPPSDK-3.0/lib/x86_64/libOpenCL.so
ln -s /usr/lib/x86_64-linux-gnu/libOpenCL.so.1 /opt/AMDAPPSDK-3.0/lib/x86_64/libOpenCL.so

After this is done you should be able to make and then make install

Once installed navigate to /usr/local/xmr-stak/bin and run sudo ./xmr-stak

You’ll be navigated through some first-run questions to ask for your pool and wallet address and whether you want to run nicehash.


Migrate DNS Service from old host to new host – Server 5.x & 6.x

Posted: September 10th, 2017 | Author: | Filed under: DNS, Mac OS X, macOS Sierra | No Comments »

1F2F983500000578-3499652-image-a-8_1458344126936It’s so easy.

On your source host simply copy the contents of /Library/Server/named to same directory on the new host. Refresh server.app and don’t forget to change the NS records to point to the new host.

Bam


Why you should *never* leave your Mac unattended

Posted: July 13th, 2017 | Author: | Filed under: Mac OS X | No Comments »

insecureRecently I was contracted by a local backpack company to automate changing some settings on a bunch of Mac clients. The three main parts to the script had to; clean the connect to servers window and inject a new server record in to favorites, delete all login items referencing an old file server, and find a specific keychain item, retrieve the password, and inject a new keychain item using the same password. The first two were easy enough but the keychain was interesting. Through a little bit of research I soon found that the security command could do most of what I wanted. If you issued a command like

security find-internet-password -a jordan -s file.server.local -w

It would prompt you to either allow or deny access to the item and then spit the password out on the command line. But wait a minute here, in Keychain Access.app if I want to show a password I would need the password to the computer to gain access. Not on the command line though. This was pretty interesting I thought. That means as long as I have access to the console and the machine is logged in I can extract *any* password from the login.keychain that I want.

To take this a step further I made a little bash script that dumps the login.keychain to file using security dump-keychain login.keychain then I parse the data finding all the entries that I can retrieve the password for. The script will prompt the user once for each item that it finds in the keychain and then write all the data out to a csv file in /tmp

Is this a security flaw? Well, the jury’s out on that one. Some people say YES! and some people say no. To me, it’s all just rather interesting. Try it out for yourself and you’ll see why you should never leave your machine unattended again.

Download script here

Oh btw, I am *not* a developer. Amateur scripter at best, this code takes a long time to run. Upwards 10 mins for larger keychains.


Low Power File Server for a Sailboat

Posted: April 6th, 2017 | Author: | Filed under: Linux, Work | No Comments »

mason_43_photoRecently I was lucky enough to be a crew member on a sailboat that was making passage through the Caribbean. The Captain of the vessel, who lived aboard, was speaking to me about data storage and how difficult of an equation it was. Sailboats have very little power available to them when they’re underway as most don’t run their engine which is the only source to power the limited batteries kept onboard. He was thinking about picking up a Drobo-Mini and using SSDs to reduce the amount of draw on his system, however this solution is DAS based and doesn’t allow him access to the data unless he plugs directly into the box which means, you need a computer as well. Which is even more draw on the electrical system.

After a quick think and a look around the Internet I decided that the best way to address this issue would be to use a Raspberry Pi 3, a four port USB hub,  multi-SD card reader, and mdadm, with smb, nfs, and upnp. I’m not going to go into the nitty gritty of how to setup a raspberry pi as there are many tutorials available online already. However I will touch on some performance metrics that I was able to pull.

It’ll be small physically, have very little power draw, each microSD card draws between 66–330 mW during data transfer, at idle 0.2mA. Each bank will be less than 1mA at idle and 1.2W during transfer. Each bank should yield close to 800GB, all together I’ve calculated 3.2TB of data storage at 6-8W. Pretty dope hey?
The issue is cost. Prices in CAD
Computation
Raspberry Pi is $60
case and parts $20
USB Hub $26
total: $106 plus tax / shipping
Data Storage
Four card reader $20
200GB microSD card $91
800GB bank total $384 plus tax / shipping
Performance
Performance will max out at around 40MB/sec which isn’t great however we’re not looking for performance we’re looking for efficiency.
I welcome comments to this plan below :) My next step to this plan would be to get the Pi to be a wireless access point as well.


Restrict RADIUS usage in Server 5.x

Posted: February 29th, 2016 | Author: | Filed under: Uncategorized | No Comments »

2000px-Circle-withsegments.svgThis is a follow up post to my previous article about how to setup RADIUS on Server 5.x

In my Open Directory user list I have a user called scanner with a password of, you guessed it, scanner. Now I know this isn’t the most secure thing ever but the user only has very limited access. Recently I wanted to implement RADIUS so that the VPN concentrator could authenticate against Open Directory but I certainly don’t want the scanner user to be able to authenticate. Previously I would fire up WorkGroup Manager and build a service access control list, SACL. However with WGM now gone I have to do it on the command line. After some hacking I figured it out.

First, you’ll need to make a group in OD called VPN and put the users you would like to have VPN access in it. Then whip open a terminal and get the GUID of that group.

dscl localhost read /LDAPv3/127.0.0.1/Groups/VPN

You’re looking for the “GeneratedUID” record this somewhere. Next edit the following script and put your GeneratedUID into the line where it says NestedGroups


dscl localhost create /Local/Default/Groups/com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius RealName com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius passwd "*"
dscl localhost create /Local/Default/Groups/com.apple.access_radius gid 260
dscl localhost create /Local/Default/Groups/com.apple.access_radius NestedGroups PASTE_GUID_HERE

Then reboot radius with a serveradmin stop/start radius and you should be good to go!


Make certificates quickly

Posted: February 15th, 2016 | Author: | Filed under: SSL | No Comments »

Now that you have your own Certificate Authority setup from my previous article you’ll want a fast way of whipping up new certs. Never fear for making certs is here. Drop the following code into an executable file and place it into the myCA folder. You’ll be able to make certificates at whim by issuing a command like

make-cert.sh hostname.lan.domain.com 3650 01


#!/bin/bash

HOSTNAME=$1
DAYS=$2
SERIAL=$3

if [[ $# -lt 3 ]]; then
echo $0: requires FQDN for certificate, valid for X days, two digit serial, please document this
echo example: $0 hostname.lan.domain.com 3650 01
echo place this script into the myCA root folder
exit 1
fi

mkdir $HOSTNAME
openssl genrsa -des3 -out $HOSTNAME/$HOSTNAME.key 4096
openssl req -new -key $HOSTNAME/$HOSTNAME.key -out $HOSTNAME/$HOSTNAME.csr
openssl x509 -req -days $DAYS -in $HOSTNAME/$HOSTNAME.csr -CA cert/cert.pem -CAkey key/ca.key.pem -set_serial $SERIAL -out $HOSTNAME/$HOSTNAME.crt
openssl rsa -in $HOSTNAME/$HOSTNAME.key -out $HOSTNAME/$HOSTNAME.key.insecure
mv $HOSTNAME/$HOSTNAME.key $HOSTNAME/$HOSTNAME.key.secure
mv $HOSTNAME/$HOSTNAME.key.insecure $HOSTNAME/$HOSTNAME.key
exit 0


RADIUS Setup for OS X El Capitan – Server 5.x

Posted: February 15th, 2016 | Author: | Filed under: Open Directory, RADIUS, SSL | 2 Comments »

Quite simple to setup. First paste in the following commands.

radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes

Now install an SSL cert/key pair for your host, the built in ones are found in /etc/certificates or you followed my previous article about becoming a certificate authority and you have the certs on hand.

radiusconfig -installcerts /path/to/key /path/to/cert

Now… if you didn’t make your own CA and you’re using the built in Apple Server certs then you’ll have to do some extra magicary. First use pull an ls /etc/certificates and not the key, cert, and chain files for your host.


radiusconfig -installcerts /path/to/key.pem /path/to/cert.pem /path/to/chain.pem
radiusconfig -setcertpassword
Apple:UseCertAdmin

The last line is the ‘magic’ that I spoke of earlier.

Finally add some clients

radiusconfig -addclient other

Then start the radius server

serveradmin start radius

When I did this recently I didn’t have a way to test the server so I installed the FreeRadius server via brew.

brew install freeradius-server

And then tested the server by using radtest The binary can be found in the following directory /usr/local/Cellar/freeradius-server/3.0.9/bin

The syntax of the command is as follows:

radtest username password radius-server[:port] nas-port-number secret

Here’s an example:

radtest username password 192.168.1.1 10 secret

An Access-Accept is a passing grade!