2009/11/21

PowerShell examples

ping an ip address range and report which hosts are down:
PS H:\> for ( $i=200; $i -lt 255; $i++ ) { ping -n 1 -a -w 1000 192.168.0.$i > $null; if (!$?) { echo "192.168.0.$i is down" }; }

Send an email with attachments (like logs), quick and dirty:
send-mailmessage -to me@foo.com -Subject "see attachment" -from myhost@foo.com -attachments "C:\bar.log" -smtpserver mail.foo.com

2009/11/17

Cisco Router notes

! If telnet is configured and enabled, telnet to the router; otherwise connect to the serial port
(I use putty for both)

myrouter> enable

myrouter# config terminal

myrouter(config)# password encryption aes
myrouter(config)# service password-encryption


! assign a domain name; this is a prerequisite for ssh key generation
myrouter(config)# ip domain-name mydomain.com

! initialize the authentication, authorization and accounting policy
myrouter(config)# aaa new-model

! configure the authentication source; in this case we'll use a local db
myrouter(config)# aaa authentication login default local

! configure the authorization source; the aaa policy is called "default"
myrouter(config)# aaa authorization exec default local

! create a user with a password; no privilege level is given, so the default low level (1) applies and the enable password is still needed
myrouter(config)# username my-username password my-password

! apply the policy to the vty
myrouter(config)# line vty 0 4
myrouter(config-line)# login authentication default
myrouter(config)#


! Enable SSHv2 only (disables SSHv1)

myrouter(config)# ip ssh version 2
myrouter(config)# crypto key generate rsa general-keys modulus 1024

! After verifying that ssh works, do this:
! Enable SSH only on virtual terminals (disables telnet)

myrouter(config)# line vty 0 4
myrouter(config-line)# transport input ssh

! add this to the ACL for your wan interface
permit tcp any host (router-external-ip) eq (some-high-range-port)
! Add this nat to open external access to ssh at the high-range port
ip nat inside source static tcp (router-internal-ip) 22 interface FastEthernet0 (the same-high-range-port)



How to copy the router config to an ssh server with scp:
enable
copy run scp://my-username:my-password@backuphostname//path/to/folder/$h-$t

archive
path scp://my-username:my-password@backuphostname//path/to/folder/$h-config
! the write-memory option causes the archive scheduler to create a copy of the config each time it's saved to nvram (it appends an incrementing -# to the end)
write-memory
end
(note that you may need the 'file prompt quiet' command to stop it from prompting whether you want to do it.)

# now compare two configs:
show archive config diff system:running-config scp://my-username:my-password@backuphostname//path/to/folder/router-config-1

# now replace the running config with an archived one:
config replace scp://my-username:my-password@backuphostname//path/to/folder/router-config-1 list



# now log all config changes to syslog:
config t
archive
log config
logging enable
! suppress display of passwords in configuration logs
hidekeys
! enable sending of notifications of configuration changes to syslog
notify syslog
exit


# The 'do' command allows you to run exec level commands from config mode.

Examples:
Router(config)#do show run

# Enable syslog logging
my-router(config)# logging (my-syslog-server-ip)
! The level "notifications" will include emergencies(0), alerts(1), critical(2), errors(3), warnings(4), and notifications(5); but it will exclude informational(6) and debugging(7)
my-router(config)# logging trap notifications
# optionally specify on what interface the logging should originate
my-router(config)# logging source-interface f0/0

2009/11/13

LDAP search to get active accounts with no password expiration

To get user account names of all *active* Active Directory *user* accounts with passwords that do not expire, run this command on Linux (substitute your domain, your admin account, and your domain controller):

ldapsearch -b "dc=mydomain,dc=com" -D "cn=myAdminAccount,ou=Users,dc=mydomain,dc=com" -H ldap://mydomaincontroller/ -W -x '(&(objectclass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectclass=Computer)))' sAMAccountName | egrep "^#"

The "1.2.840.113556.1.4.803" is the LDAP matching rule OID for a bitwise AND compare, and 65536 (decimal) is 0x10000 (hex), the bit that identifies whether a password will expire (if set, the password will not expire). "2" is the bit that identifies whether an account is disabled (set) or enabled (clear).
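The same bit test, done on the client side: an added Python example (not part of the original notes) that reads the LDIF that ldapsearch prints, decodes each account's userAccountControl into flag names, and lists the enabled accounts whose password never expires. It assumes the search also requested the userAccountControl attribute; the LDIF below is constructed sample output, not real directory data.

```python
# Well-known userAccountControl bits; 0x2 and 0x10000 are the ones the LDAP filter above tests.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

# Constructed sample of what "ldapsearch ... sAMAccountName userAccountControl" prints (LDIF).
SAMPLE_LDIF = """# extended LDIF
#
# jdoe, Users, mydomain.com
dn: CN=jdoe,OU=Users,DC=mydomain,DC=com
sAMAccountName: jdoe
userAccountControl: 66048

# svc-backup, Users, mydomain.com
dn: CN=svc-backup,OU=Users,DC=mydomain,DC=com
sAMAccountName: svc-backup
userAccountControl: 66050

# asmith, Users, mydomain.com
dn: CN=asmith,OU=Users,DC=mydomain,DC=com
sAMAccountName: asmith
userAccountControl: 512

# svc-scan, Users, mydomain.com
dn: CN=svc-scan,OU=Users,DC=mydomain,DC=com
sAMAccountName: svc-scan
userAccountControl: 66080
"""

def decode_uac(value):
    """Names of the bits set in a userAccountControl value (bitwise AND, as the 1.4.803 rule does)."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def parse_ldif(text):
    """Minimal LDIF reader: entries are blank-line separated, '#' lines are comments, last value wins."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            current[attr.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries

def enabled_non_expiring(entries):
    """(sAMAccountName, sorted flag names) for enabled accounts with DONT_EXPIRE_PASSWORD set."""
    found = []
    for e in entries:
        flags = decode_uac(int(e.get("userAccountControl", "0")))
        if "DONT_EXPIRE_PASSWORD" in flags and "ACCOUNTDISABLE" not in flags:
            found.append((e["sAMAccountName"], sorted(flags)))
    return found

if __name__ == "__main__":
    for name, flags in enabled_non_expiring(parse_ldif(SAMPLE_LDIF)):
        print(name, ",".join(flags))
```

Pipe real ldapsearch output into parse_ldif to see every flag (e.g. PASSWD_NOTREQD or DONT_REQ_PREAUTH) on the accounts the filter returns, not just the two bits the query checks.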