clear mac address-table dynamic interface gi1/0/5
Need to monitor some traffic with Wireshark?
First, set the port you are sending the traffic to so that it has no config.
Then set up the configuration:
monitor session 1 source vlan 25 rx
monitor session 1 destination interface Gi1/0/10
monitor session 1 mode
NOTE: The last line enables the monitor session. You can disable it by putting ‘no’ in front of the command.
First check to see if you need to add a new Virtual Disk, or if you can just increase the current Virtual disk
Log in to the VM and look at this command
If you already have 4 separate partitions, you will need to add a new Virtual Disk. Otherwise you can increase the current size, and we’ll add a new LVM partition to the new space that’s added.
Make Linux Find the new space
You NEED to do this as the root user, so run ‘sudo su -’
If you expanded the existing disk
echo 1 > /sys/block/sda/device/rescan
If you added a new disk
Depending on what your host is, adjust the next command as needed
echo "- - -" > /sys/class/scsi_host/host0/scan
Create the new Partition
Once the rescan is completed, verify you see the new disk, or the new size
Now we will go into fdisk for the disk that needs the changes, either the free space on the original disk, or the new blank disk
enter ‘n’ to create a new partition
enter ‘p’ for a primary partition
enter the partition number that is one higher than the current highest one
First cylinder should default to the first available one in free space
Last Cylinder should default to the last available one in the free space
Now you need to tell it what type of partition it is
enter the partition number you just created (eg 4)
the hex code for LVM is ‘8e’; you can verify that by entering ‘L’
enter ‘w’ to write the configuration to the disk
Rescan the partition table so Linux finds the updates
Sometimes that doesn’t work and you need to do
partx -v -a /dev/sda
Check your work
You should now see an additional partition you just made (eg /dev/sda4)
Create the LVM Physical Volume
Note: I’ll be using /dev/sda4, be sure to use the correct one you made
You should see it was created. Now find out your Volume Group name
Now add the Physical volume to the Volume Group
vgextend cl /dev/sda4
Check your work
Now you can extend your Logical Volume (eg var) to use the space that’s available on the new Physical Volume you added. Use lvdisplay to see what the name is.
lvextend /dev/cl/var /dev/sda4
Extend the File system
Assuming you’re using XFS:
If you’re using EXT:
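The steps from creating the physical volume through growing the file system, gathered into one script as an added example (not from the original post). The `pvcreate`, `xfs_growfs` and `resize2fs` calls, the `run` and `grow_lv` helper names, the `DRY_RUN` switch and the `/var` mount point are assumptions added here; `/dev/sda4`, `cl` and `var` are the values used above.

```shell
#!/bin/sh
# Added example, not from the original post. Defaults to a dry run that
# only prints each command; set DRY_RUN=0 and run as root to apply them.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# grow_lv PARTITION VG LV FSTYPE MOUNTPOINT
# Stops at the first failing step so a later step never runs on a
# half-finished change.
grow_lv() {
    part=$1 vg=$2 lv=$3 fstype=$4 mnt=$5
    case $fstype in
        xfs|ext2|ext3|ext4) ;;
        *) echo "unsupported file system: $fstype" >&2; return 2 ;;
    esac
    run pvcreate "$part"                || return   # make the partition a PV
    run vgextend "$vg" "$part"          || return   # add the PV to the VG
    run lvextend "/dev/$vg/$lv" "$part" || return   # grow the LV onto that PV
    if [ "$fstype" = xfs ]; then
        run xfs_growfs "$mnt"                       # XFS grows by mount point
    else
        run resize2fs "/dev/$vg/$lv"                # ext2/3/4 grow by device
    fi
}

# Values used in the walkthrough above; /var as the mount point is assumed.
# grow_lv /dev/sda4 cl var xfs /var
```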
You have a requirement for Full Disk Encryption, but have no budget (like with all other IT related items).
It’s free and easy.
This is assuming your system is standalone and you have full control of the vCenter Server, cluster, and storage. It also assumes you know what you’re doing and take responsibility for your own actions.
Some changes would need to be made if integrating with AD.
- Set Encryption settings and policies
- Run gpedit.msc
- Click on Computer Configuration –> click Administrative Templates –> click Windows Components –> click on Bitlocker Drive Encryption.
- Modify “Choose drive encryption method and cipher strength” and set it to Enabled, AES 256-bit (Do the same for the Vista, 2008, 7 & 2008R2 entry if using older version)
- Click OK to save
- Click on Operating System Drives
- Modify “Require Additional Authentication at Startup”
- Set to Enable:
- Allow BitLocker without compatible TPM (requires…….)
- Leave the rest at defaults
- Click OK
- Modify “Choose How BitLocker-protected operating system drives can be recovered”
- Allow data recovery agent
- Omit recovery options from BitLocker setup wizard (everything should be done command line anyway)
- Save BitLocker recovery information to AD DS for Operating system drives
- Do not enable BitLocker until recovery information is stored in AD DS for Operating system drives
- Navigate Back to BitLocker Drive Encryption –> Fixed Data Drives
- Modify “Allow access to BitLocker-protected fixed data drives from earlier versions of Windows”
- Leave checkbox unchecked for “Do not install BitLocker…”
- Click OK
- Modify “Configure use of passwords for fixed data drives”
- Click OK
- Modify “Choose how BitLocker-protected fixed drives can be recovered”
- Check “Allow data recovery agent”
- Check “Omit recovery options from the BitLocker setup wizard”
- Check “Do not install BitLocker…”
- Click OK
- Close gpedit.msc
- Create Virtual Floppy drive in VMware
- Connect to vSphere web server (using the old Flash one as of 6.5 works, the HTML5 doesn’t have the floppy options)
- Shutdown the VM
- Add a Floppy drive to the VM, Creating a New Image and saving it on your data-store (somewhere you feel safe storing the keys) MAKE SURE YOU HAVE IT SET TO CONNECT AT POWER ON.
- Set the VM to go into the BIOS at next power on
- Power on the VM, it should go into the BIOS config automatically
- Change the Boot Order to Hard Disk First (move the Removable media below the hard drive)
- Save and exit the BIOS and let Windows boot normally.
- Once in Windows you will need to “Format” the A: Drive, you can just right click on it, select Format, and accept the default values.
- Enable the Encryption
- Login to Windows with admin account
- Open Command prompt with Elevated Administrative rights
- The Following command will Create the keys and instruct Windows to save the Key to the A: drive, and Display the Recovery password to you.
manage-bde.exe -on C: -rp -sk A:
- If your hard disk is Thin Provisioned and not Thick Provisioned, you will need to use this command
manage-bde.exe -on C: -used -rp -sk A:
- TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your Floppy image ever gets lost/corrupted/etc.
- You will need to reboot Windows to get the initial test completed so it can start encrypting your disks.
- Windows should boot up normally. Log into Windows
- Windows will automatically start the encryption process after a minute or so. Run this command to monitor its progress.
- You should see the Percentage increase as it goes. Also Verify you see External Key & Numerical Password under the “Key Protectors”
- That’s it. Just keep that Recovery key handy, you will need it one day. Two different locked drawers at two different buildings is best.
- Enable Encryption for Secondary hard drives.
- If your C drive is already encrypted, this process is fairly smooth. In this example the second drive is letter “E”
- Login to Windows, Verify the C drive is 100% encrypted
- The Following command will Create the keys and instruct Windows to save the Key, and Display the Recovery password to you, as well as start the Encryption Process.
manage-bde.exe -on E: -rp
- If you have Thin provisioned hard drive
manage-bde.exe -on E: -used -rp
- TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your key ever gets lost/corrupted/etc.
- Then you need to set it to Auto unlock so you don’t have to manually enter that password
manage-bde.exe -autounlock E: -enable
- This will create an ‘External Key’ that is stored on your C drive (which is encrypted) that is used to decrypt the drive when the server boots.
- Monitor the progress
- It should go to 100% Encrypted.
- Verify you see External Key & Numerical Password under the “Key Protectors”
- Also Verify Automatic Unlock shows Enabled.
- Keep those Floppy Images safe. One way would be to put them on a ‘NAS’ that has an NFS share, only accessible from the IP(s) of the ESXi servers. The NAS is located in a different area of your building, and then is backed up/snapshotted & replicated to another building.
sudo nano /etc/systemd/timesyncd.conf
sudo systemctl restart systemd-timesyncd
systemctl status systemd-timesyncd
Enable SSH on ESXi host
SSH into Host
#Set Multipathing to Round Robin default
esxcli storage nmp satp set -P VMW_PSP_RR -s VMW_SATP_ALUA
#change Default IOPS to 3
esxcli storage nmp satp rule add -s "VMW_SATP_ALUA" -V "COMPELNT" -P "VMW_PSP_RR" -O "iops=3"
The issue is the iDRAC system’s unsupported algorithms. iDRAC6 has yet to fix this (as of 9/3/2018), but it is resolved on 7+ AFAIK.
There is only a single item to remove from your java.security file to retain the iDRAC6 functionality.
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
needs to be changed to
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40
Effectively, only the `3DES_EDE_CBC` entry should be removed from this directive and nothing more.
Additionally, I would recommend you make the following change in the iDRAC:
iDRAC Settings –> Network/Security –> Services: Change the SSL Encryption to 256-bit or higher.
This doesn’t negate the above change that’s needed in your java.security file until Dell makes a fix.
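Editing java.security changes the TLS policy of every Java program on the machine. As an added example (not from the original post), the script below instead writes a separate override file holding the same directive with only the exact `3DES_EDE_CBC` entry removed, which a single JVM can load with the standard `-Djava.security.properties=<file>` option. The function names and paths are assumptions.

```shell
#!/bin/sh
# Added example: per-launch override instead of editing the JVM-wide file.

# Print the effective jdk.tls.disabledAlgorithms value from file $1,
# joining backslash-continued lines into a single line.
disabled_algorithms() {
    awk '
        !grab && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, ""); grab = 1
        }
        grab {
            more = sub(/\\[ \t]*$/, "")      # trailing "\" = value continues
            gsub(/^[ \t]+|[ \t]+$/, "")
            value = (value == "" ? $0 : value " " $0)
            if (!more) { print value; exit }
        }
    ' "$1"
}

# Print comma-separated list $1 without the entry that equals $2 exactly,
# so removing 3DES_EDE_CBC cannot touch DES40_CBC or any other entry.
without_algorithm() {
    printf '%s\n' "$1" | awk -v drop="$2" -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            item = $i
            gsub(/^[ \t]+|[ \t]+$/, "", item)
            if (item == "" || item == drop) continue
            out = (out == "" ? item : out ", " item)
        }
        print out
    }'
}

# Write override file $2 from master file $1; fails if the directive is absent.
write_override() {
    current=$(disabled_algorithms "$1")
    [ -n "$current" ] || { echo "directive not found in $1" >&2; return 1; }
    printf 'jdk.tls.disabledAlgorithms=%s\n' \
        "$(without_algorithm "$current" 3DES_EDE_CBC)" > "$2"
}

# Usage (both paths are placeholders):
#   write_override /path/to/java.security "$HOME/idrac6.security"
#   java -Djava.security.properties="$HOME/idrac6.security" ...
```

The override only takes effect for JVMs started with that option, so other Java programs keep 3DES disabled.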
Get members’ names from an Active Directory group (you need the ActiveDirectory module added to your PowerShell if not doing it from a DC).
Get-AdGroupMember -identity "Group Name" | select name
If you want to dump it to a CSV, you can add this to the end of the above command
| Export-csv -path C:\Output\Groupmembers.csv -NoTypeInformation
Before SSL will work, you need to load the module
sudo a2enmod ssl
To prevent accounts that have only the public role from seeing other databases they have no need to see, run this query.
USE master;
GO
REVOKE VIEW ANY DATABASE TO PUBLIC;