Block active ssh login attempts from unknown IP’s on linux using hosts.deny

Some hosts on the net are severely compromised or shown to be controlled by malicious users.

imho: Never allow a root login using ssh to any machine you are setting up. Yes ~they~ are always probing. It is a storm.

The following mechanism makes hosts that try to log in with various user and password combinations get a time-out on your machine, using hosts.deny. You should use it to throw arsholes off balance, using up their automated scanners'/probes' precious time.

First you need to know what hosts are attempting to use your secure shell service.
You can show that as an authoritative user, such as root, on your device by running the command:

lastb -F -i

This shows you a list of tries, with no dns lookups, just IP’s.

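The following command extracts the IP column, keeps only IPv4 addresses (which also drops the blank line and the "btmp begins" trailer that lastb prints at the end), removes duplicates, and places the result in a file (~/catlastlog):

lastb -F -i | awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' | sort -u > ~/catlastlog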

Next, the following command formats it to be used in hosts.deny.

sed -i -e 's/^/ALL:/' ~/catlastlog

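hosts.deny is the file in /etc that tells your machine to deny connections from the listed hosts; in essence, your machine drops any connection from such a host immediately. It is only consulted by services built with TCP wrappers (libwrap) support. Upstream OpenSSH removed that support in version 6.7, so check that your distribution's sshd still has it.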

The final two commands fill your /etc/hosts.deny file so you are one step closer to being safe from hosts that attempt to use your precious secure shell service (or any service that you publish and want to keep safe).

echo "# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system." > /etc/hosts.deny
cat ~/catlastlog >> /etc/hosts.deny

The first command creates a new and clear hosts.deny file.
The second command fills it with the recent hosts that failed login attempts.

The effect is immediate. New connections are dropped instantly.
Be sure not to lock yourself out [remotely], as this mechanism directly locks out any host with a failed attempt. If you do, you can always edit the hosts.deny file from your console.

I now usually do this manually once in a while, as the compromised hosts vary from day to day. This is a crude form of protection, but I can imagine you could run this as a cron job if you are really fed up with wasted connections on your external interface. If you do, make sure all filenames are named with full path names [such as /secure/directory/catlastlog].
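The steps above combined into one script, as an added example that is not part of the original post: it keeps only valid IPv4 addresses from column 3, skips an allowlist of your own addresses so a typo cannot lock you out, and replaces hosts.deny via a temporary file. ALLOWLIST, the function names and the sample lastb lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the original post's commands). ALLOWLIST, lastb_to_deny,
# write_deny_file and SAMPLE_LASTB are names made up for this sketch.
# Addresses that must never be blocked (your own admin IPs), space-separated.
ALLOWLIST="${ALLOWLIST:-192.0.2.10}"

# Constructed sample of `lastb -F -i` output, including the blank line and
# the "btmp begins" trailer that the real command prints at the end.
SAMPLE_LASTB='root     ssh:notty    203.0.113.7      Mon Jan  2 03:04:05 2017 - Mon Jan  2 03:04:05 2017  (00:00)
admin    ssh:notty    198.51.100.23    Mon Jan  2 03:05:10 2017 - Mon Jan  2 03:05:10 2017  (00:00)
root     ssh:notty    203.0.113.7      Mon Jan  2 03:06:00 2017 - Mon Jan  2 03:06:00 2017  (00:00)
me       ssh:notty    192.0.2.10       Mon Jan  2 09:00:00 2017 - Mon Jan  2 09:00:00 2017  (00:00)
test     tty1         0.0.0.0          Mon Jan  2 09:30:00 2017 - Mon Jan  2 09:30:00 2017  (00:00)

btmp begins Sun Jan  1 00:00:12 2017'

# stdin: lastb -F -i output; stdout: one "ALL: <ip>" rule per unique IPv4 host.
lastb_to_deny() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Only dotted-quad values in column 3 pass; this drops the trailer,
        # blank lines and IPv6 (which needs [..] syntax in hosts.deny).
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($3, o, ".")
            if (o[1] > 255 || o[2] > 255 || o[3] > 255 || o[4] > 255) next
            if ($3 == "0.0.0.0" || ($3 in skip)) next
            print "ALL: " $3
        }' | sort -u
}

# stdin: rules; $1: target file. Written to a temp file first and renamed, so
# a failed run never leaves a half-written hosts.deny behind.
write_deny_file() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    { echo "# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system."
      cat; } > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$1"
}

# Real run (as root, e.g. from cron): sh /full/path/to/this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    out=$(lastb -F -i) || exit 1   # do not wipe the file if lastb fails
    printf '%s\n' "$out" | lastb_to_deny | write_deny_file /etc/hosts.deny
fi
```

Set ALLOWLIST to the addresses you administer the machine from before using --apply.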

In fact, I encourage any admin to block internet crap. One day you’ll regret you didn’t.
That, and, it’s best to deny evil malicious pests everything [period], even milliseconds of probing time.

Can’t be zealous enough about it.

Hope this helps you!



Shutting down windows domain clients remotely

I was not in the office, but I did have to shut down all domain computers after a move to have them install windows updates over the long new-year weekend.

So I ended up with a script I picked up on the web, and adjusted it to my needs.

The computers in the network were all named dt[number] (dt for desktop).
When looking at the Active Directory and in the DHCP server I found the desktop number range was from 41 to 99 in my case, so I just made sure a remote shutdown command (run as domain admin) was executed with the correct computer name. I saved this as a .bat file and ran it.

@echo off
rem Loop over dt041 .. dt099 and schedule a shutdown on each machine
set /a x=41
:while
if %x% lss 100 (
  echo shutting down dt0%x%
  shutdown /m \\dt0%x% /s /t 30
  set /a x+=1
  goto :while
)

Hope this helps you!
Have a great new year,


Exchange 2016, receive connector, enable relaying, powershell

To allow a particular receive connector to relay (not just deliver locally, but actually route the mail to the outside), run the following powershell commands:

Set-ReceiveConnector "SERVER\Receive Connector" -PermissionGroups AnonymousUsers

The above command enables “Anonymous user” delivery.

Get-ReceiveConnector "SERVER\Receive Connector" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

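The above command allows this receive connector to relay to the next configured step in your Exchange server (probably out). Together, the two commands let unauthenticated senders relay to any recipient through this connector, so limit the connector's remote IP ranges to the hosts that actually need to relay.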

Hope this helps you!


Checking HP disk status on VMware, command line

Today, I had to check the disk status of an HP array on VMware.

Using VMware 6, installed with HP iso, meaning it has HP drivers and tools already installed on VMware, I found it is rather easy to use the cli command.
So I enabled SSH (Host / Configuration / Security Profile / Services / Properties / SSH / Options / Start / Ok) and logged in to VMware with an ssh client (e.g. putty).

A quick search revealed the info about the hp cli (hpssacli):

HP Smart Array CLI commands on ESXi

I wound up with the disk status with:

/opt/hp/hpssacli/bin/hpssacli ctrl slot=0 pd all show status

Then turned off SSH on the host again. (Host / Configuration / Security Profile / Services / Properties / SSH / Options / Stop / Ok)

Thanks Mike and Kalle!

Hope this helps you!


Powershell, get full names of a group of users in AD and export to text file.

Just a quick blurb that I encountered this morning.
In powershell, to get a list of the full names of users and export them to a text file:

Get-ADGroupMember -identity GROUP -Recursive | Get-ADUser -Property DisplayName | Select Name > c:\temp\fullnamesofgroup.txt

The point is that Get-ADGroupMember doesn’t “have” the properties of the object you are looking at. You have to look into the user object with Get-ADUser to get the specific property of the user object.
So, with the above command, you send all the user objects in the group with Get-ADGroupMember to Get-ADUser, and then pipe the values of the property “Name” to a text file on disk.

(The command is shorter than the text to explain it 🙂 )

Hope this helps you. Have fun!


Place chrome link on desktop, and open with chrome browser

Everyone on windows has a ‘default browser’ set. Windows knows this.

In case you want to run Google Chrome and open an url, (and not your other default browser), well, then just create a good old shortcut (windows .lnk file) with e.g. the name “url-link.lnk”.

With settings like:


"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://open.this.url.tld

and Start in:

"C:\Program Files (x86)\Google\Chrome\Application"

To publish something like that on a user’s desktop, just put this in a login script:

COPY \\SERVER\NETLOGON\url-link.lnk C:\Users\%USERNAME%\Desktop\url-link.lnk /Y

Now users can double click that and use the Google Chrome browser for the url https://open.this.url.tld (or any other you might like)

Hope this helps you!


Change Google Chrome homepage setting, but then scripted

To change the homepage of the Google Chrome browser installed on a win7 pc, you can script the change, e.g. via a login script. (see e.g. for chrome info)

Of course you can load adm files in your domain controller, but it can be done scripted.

powershell -command "(Get-Content 'C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences') | ForEach-Object { $_ -replace 'some.url.tld', 'someother.url.tld' } | Set-Content 'C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences'"

Hope this helps you.

Edit: For your info, the above command changes all occurrences of ‘some.url.tld’. Beware that any other setting with this value will also be adjusted. Cheers.


Internet Explorer Trusted Sites and Automatic User Logon Registry (ADFS/SSO)

You can’t use GPO if you want your users themselves to be able to add sites to Trusted Sites in Internet Explorer. You can use good old registry though.
These are user settings, so the user can edit their own registry settings; if you run the script with elevated rights, you would change the elevated user’s settings instead.
So I used HKEY_CURRENT_USER to add some domains (and subdomains) and change a setting in IE using a VBS script.

The customer I used this for wanted SSO using ADFS to a site, so this option had to be enabled: “Internet Explorer Settings / Security / Trusted Sites / Custom Level / User Authentication / Logon / Automatic Logon with current user name and password”

After searching around and 2 hours of time I borrowed some code, and adapted a script into the following (thank you and thank you for info):

'This script adds 2 domains with subdomains as trusted sites, and turns on autologon with current username and password
'Basic script was found at 
'Setting Autologon with username and password was found at 
' Thanks and
'I needed this setting to use with for ADFS SSO, and didn't want managed Trusted Sites (Users can now still add their own trusted sites if they want)
' Registry settings for autologon:
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\subdomain]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
'[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\subdomain]

Option Explicit
Dim DomainArray(1), SubDomainArray(1), strComputer, strHTTPS, strAutoLogon
Dim dwordZone, dwordAutoLogon, regPath, objReg, counter, subkeyPath
Dim subkeyValue

Const HKEY_CLASSES_ROOT = &H80000000
Const HKEY_CURRENT_USER = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_USERS = &H80000003
Const HKEY_CURRENT_CONFIG = &H80000005

strComputer = "."
strHTTPS = "https"
strAutoLogon = "1A00"
dwordAutoLogon = "0"
dwordZone = "2"

DomainArray(0) = "\"
SubDomainArray(0) = "subdomain\"

DomainArray(1) = "\"
SubDomainArray(1) = "subdomain\"

Set objReg = GetObject("winmgmts:{impersonationLevel = impersonate}!\\" & strComputer & "\root\default:StdRegProv")

regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"
objReg.CreateKey HKEY_CURRENT_USER,regPath

regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
objReg.CreateKey HKEY_CURRENT_USER,regPath

'Add domains and subdomains to Trusted Sites
For counter = 0 to 1
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        subkeyPath = regPath & DomainArray(counter) & SubDomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        objReg.SetDWORDValue HKEY_CURRENT_USER,subkeyPath,strHTTPS,dwordZone
Next

'set Autologon with current username and password
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"
objReg.SetDWORDValue HKEY_CURRENT_USER,regPath,strAutoLogon,dwordAutoLogon

Edit: Some explanation of the script:

An array in vbs defined above as DomainArray(1) is an array of 2 items: 0 and 1.
So if you want to adjust the script to your needs, and you need to add more domains and subdomains, for each added site, increase the array definition by one.

E.g. DomainArray(2) holds 3 items 0,1 and 2 etcetera. Set their values accordingly:

DomainArray(2) = "\"
SubDomainArray(2) = "subdomain\"

The loop in the code should be adjusted too: For counter = 0 to 1 becomes For counter = 0 to 2 to have it run 3 times. The counter variable is used to address each item in the 2 defined arrays.

In the registry, the trusted sites values are stored as an entry for the site with any subdomains that are used branched under it; that’s why we have 2 arrays. Note that the autologon value is set on the zone itself (Zones\2), so it applies to every site in Trusted Sites, including any that users add themselves.

You can then execute it for the user as follows:

cscript //B script.vbs

Hope this helps you!


HP Device Manager installation

Here’s a quick blurb from this afternoon, quickly testing HP Device Manager in my lan here. (Edit: the software that you can use to manage HP Thin/Zero Clients)

(On Win2008 R2, will try server 2012 soon)

Install .NET 4.5
Install SQL Express 2014
Turn on SQL Server browser service (set to automatic) and start the service (using e.g. start run: services.msc)

For FTP access I installed FileZilla.
It expects the name of the share that you use as a directory, so in FileZilla configure a username and password and set the home directory of that user to the inetpub ftproot after installation of the HP Device Manager.

Download and install HP Device Manager 4.7
You need the .exe, you can upgrade afterwards, by running the latest Service Pack (SP5 — see hp ftp site)
Install on a disk location where you want the application.
After installation, configure MS SQL.
In the server field, with default SQL installation, enter:
With windows username authentication or sql username authentication
The rest should be default.

Note: you may want to place the inetpub (the repository) on a large disk, as you can capture images from that location. Captured images can be large.
Share that location, using advanced sharing.

Since I am in a domain the username domain must be set using “DOMAIN\Username” type.

You may want to reboot this after config in order to see if everything starts correctly.

Now you should be able to start HP Device Manager and discover devices in your lan.

Hope this helps you.


Remove .NET Framework because of Mamut software

On a completely updated Windows7 workstation you may have .Net Framework 4.6.
This sometimes doesn’t work with particular (older) versions of Mamut Business Software.
In order to fix this, remove all updates for .NET framework from Windows Updates.

Then go to Control Panel, Programs and features, and remove all mentions of .Net Framework 4.6 (including language packs).

Reboot. Now you can install your Mamut software.

(just not tested if it breaks when you update afterwards, but we will see soon I guess)

Hope this helps you,
