Archive for the ‘Windows’ Category



Hello everyone! One thing I wanted to post about today was MAC address filtering using DHCP on Windows Server 2003. The Microsoft DHCP team has a utility just for this called the Mac Filter Callout. It is essentially a DLL file, a .txt file and some registry settings that allow you to administer the DHCP filtering on your server. While MAC addresses can be spoofed, I think this is a good first step or even a good step depending on your environment (personally I am a fan of RADIUS authentication).

The tool is downloadable here: http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-02-09-83-36/MacFilterCalloutInstaller.zip. It installs MacFilterCallout.dll and SetupDHCPMacFilter.rtf to %SystemRoot%\system32 on a 32-bit system and %SystemRoot%\SysWOW64 on a 64-bit system.

Make the following registry changes:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

| Key Name | Key Type | Description |
|---|---|---|
| CalloutDlls | REG_MULTI_SZ | The location of the MacFilterCallout.dll |
| CalloutEnabled | DWORD | 0 = Disable MacFilterCallout; 1 = Enable MacFilterCallout |
| CalloutErrorLogFile | REG_MULTI_SZ | Log path. If this registry key is not specified, the callout DLL will output errors to %WINDIR%\System32\Log.txt |
| CalloutInfoLogFile | REG_MULTI_SZ | Info log path. If this key is not present, no information messages will be logged. |
| CalloutMACAddressListFile | REG_MULTI_SZ | This is the name and location of the MAC filtering list you’re going to be creating next. |

 

Mac Address List format:

#MACList.txt

MAC_ACTION = {ALLOW / DENY}

#List of MAC Addresses:

000a0c0d1254     #lab-server1

000d0c4a6723     #lab-server2

  • The file supports comments. A comment starts with a ‘#’ sign; any text from the ‘#’ to the end of the line is treated as a comment.
  • The first line in the file (excluding comments) should specify the action. The action can be either ALLOW or DENY.
    • When the action is ALLOW, all requests from MAC addresses present in this list will be served by the DHCP server. All requests originating from MAC addresses not present in this list will be ignored.
    • When the action is DENY, all requests from MAC addresses present in the list will be ignored by the DHCP server. All requests from MAC addresses not present in this list will be served by the DHCP server.
    • Only one action, ALLOW or DENY, can be specified in the MAC Address List File.
  • Each MAC address should be specified in the format XXXXXXXXXXXX (where X can be a hex digit 0 – F). There should not be any delimiter such as - or : in the MAC address. Each MAC address should be on a separate line.
  • If there is any error in the MAC Address List File, it will be logged to CalloutErrorLogFile or the default error log file. The expected behavior of the DLL in case of errors is as follows:
    • If the action is not specified correctly, the DHCP server will function as if there is no callout DLL, i.e. none of the requests will be ignored.
    • If one or more MAC addresses are not specified correctly, those MAC address entries will be ignored. An error for each will be logged in the error log file.

Once you are ready to start using the Mac Address filtering and you have your registry changes and Mac Address List filled out the way you like go ahead and perform the following:

Stop the DHCP service.

Start the DHCP service. When DHCP server is started, event 1033 will be logged if Callout DLL is loaded correctly by the DHCP server.



Here’s a quick htaccess edit that will redirect your domain to a subfolder;

RewriteEngine On

Options +FollowSymlinks

RewriteBase /

RewriteCond %{HTTP_HOST} www.domainname [OR]

RewriteCond %{HTTP_HOST} domainname

RewriteCond %{REQUEST_URI} !subfolder/

RewriteRule ^(.*)$ subfolder/$1 [L]


Keep your clocks in sync

posted by Thor Erik

An issue I’ve come across a lot is that clocks don’t stay correct for a long time…

Now some smart heads thought up a way to fix that, it’s called NTP, Network Time Protocol.

Setting it up is easy:

on RHEL/Fedora/CentOS:

centos ~ # yum install ntp

on Debian and debian based distributions:

debian ~ # apt-get install ntp

(everything is root of course)

on debian you are done now, NTPD should be started, of course if you want to specify your own NTP server or NTP pool, you just edit /etc/ntp.conf

on RHEL it’s just a few more steps:

chkconfig ntpd on

ntpdate pool.ntp.org

/etc/init.d/ntpd start

and that should be it. Please note that if it’s a VPS, forget about NTP: the system time is inherited from the host, unless you run it on a Windows host (e.g. Windows 2008 or, in my Debian server’s case, Windows 2008 R2 using Hyper-V)

The error you get will be something like this:

ntpdate[18411]: step-systime: Operation not permitted

after trying to run ntpdate pool.ntp.org

On Windows it’s all a hell of a lot easier (in the GUI, that is)

Right click on the clock and choose Adjust time and date

go to the Internet time tab.

then click the button saying Change settings.

make sure the checkbox is checked, and if you prefer a different NTP server, change it from time.microsoft.com (but it’s good as well, NTP takes latency into account when setting the clock)

Windows does not support ntp pools, so please define a proper NTP server.


.htaccess Generator

posted by Mark Muyskens

Simple script I made the other day that will generate the exact code you need to password protect a directory. Path is set for a plesk user’s httpdocs folder but can be modified as needed.

http://server-monkey.com/htaccessgenerator



./ch_admin_passwd is Plesk’s utility to set the admin password.

“Gets password from the environment variable PSA_PASSWORD
Password should be from 5 to 16 symbols and should not contain login name, whitespace, quotes or national characters”

[root@ServerMonkey bin]# export PSA_PASSWORD='newpass'

[root@ServerMonkey bin]# echo $PSA_PASSWORD

newpass

[root@ServerMonkey bin]# ./ch_admin_passwd

[root@ServerMonkey bin]# export PSA_PASSWORD=

[root@ServerMonkey bin]# cat /etc/psa/.psa.shadow

newpass

[root@ServerMonkey bin]#