Lecture Your Sudoers

/etc/Sudoers is a file that controls what happens when you use sudo. /etc/sudo_lecture is a file that Apple includes in macOS that tells your users that what they’re about to do is dangerous. You can enable a lecture, which will be displayed each time sudo is invoked. To turn on the lecture option in sudo, open /etc/sudoers and add the following two lines (if they’re not already there):

Defaults lecture=always
Defaults lecture_file = “/etc/sudo_lecture”

Then save the file and edit /etc/sudo_lecture. Apple has kindly included the following
Warning: Improper use of the sudo command could lead to data loss or the deletion of important system files. Please double-check your typing when using sudo. Type “man sudo” for more information. To proceed, enter your password, or type Ctrl-C to abort.
Let’s change this to:
Hack the planet.

Now save and open a new Terminal screen. Run sudo bash and viola, you will get your new message. Enjoy.

Show The Software Update Service In Server 5.2 for macOS Sierra

By default, the Software Update Service, long a part of OS X Server, is hidden. This indicates the service is not likely to be long for this world. However, many an organization still likes to leverage cooling off periods for their Mac fleet. To see the service, once you’ve installed the Server app, open the Server app and then from the View menu, select Software Update. screen-shot-2016-09-25-at-2-56-57-pm You’ll then see the Software Update service. If you click off of the service and close the app, it will be hidden again. If you enable the service, you will then see it each time you open the Server app. We’ll get into enabling the Software Update service in a bit. screen-shot-2016-09-25-at-2-57-14-pm Enjoy.

Setup FTP in OS X Server 5 for El Capitan and Yosemite

OS X Server 5 (for El Capitan and Yosemite) sees little change with the FTP Service. Instead of sharing out each directory the new incantation of the FTP service allows administrators to share a single directory out. This directory can be any share that has previously been configured in the File Sharing service or a website configured in the Websites service. Screen Shot 2015-09-22 at 11.12.11 PM To setup FTP, first open the Server app and then click on the FTP service. Screen Shot 2015-09-22 at 11.12.37 PM Once open, use the Share: drop-down list to select a share that already exists (output of sharing -l basically) and click on one of the shares or Custom to create a new share for FTP. Then, set the permissions as appropriate on the share and hit the ON button for the FTP service. Now, let’s test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (and I like to put the username followed by @ before the hostname, as follows: ftp robin@elcapserver.krypted.lan When prompted, provide a password. Then, assuming your get the following, you’re in: 230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files. Here, type ls to see a list of the directories contents. Or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally: get myfile.txt Open a terminal window on the server and let’s look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let’s look at the status of the service, first: sudo serveradmin fullstatus ftp Now let’s look at status: sudo serveradmin status ftp Same thing, right? Let’s look at all the settings: sudo serveradmin settings ftp If you have spaces in the name of a share that you configure from the Server app the thing will fail. Good stuff, so use serveradmin to manually set shares with spaces or other special characters in the names: sudo serveradmin settings ftp:DocumentRoot = “/Shared Items/Krypted” Overall, this ftp implementation is meant for users who just need to access their web server where all the files live in a web root of some sort. Otherwise, I’d still recommend most people use a third party tool. But if you just need to log into one share and you don’t need a lot of fancy features on top of your protocols that haven’t changed much since 1985 then this implementation will still work for ya’ without any extra work. Since we mentioned 1985, let’s look at some other things that are as old, although perhaps not as dated, as the FTP Protocol. Things from the year 1985:
  • Back To the Future is Released
  • Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
  • Rambo Part II and Rocky Part IV come out, Sly doesn’t come out
  • Mad Max Beyond Thunderdome teaches us that Tina Turner’s still got it – Bill Schroeder doesn’t have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
  • A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
  • Since Police Academy was a hit, the producers figured they’d screw it up by making a second movie: Police Academy 2 comes out
  • After watching Cocoon I now know I’ll never have to grow old, so I can treat my body however I want…
  • The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan’s bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England’s national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan’s autobiography rights in order to pay for his colon surgery since there’s not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
  • British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
  • In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn’t show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA.Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
  • Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
  • The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
  • The Commodore Amiga is launched.
  • The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
  • And most importantly, Steve Jobs starts NeXT

Configure sFlows on a Brocade 8470

sFlow is an industry standard that allows network equipment with the appropriate agents to send data to sFlow collectors, which then analyze network traffic. You can install sFlow on routers, switches, and even put agents on servers to monitor traffic. Brocade (along with most other switch manufacturers) supports sFlow. Before you do anything log into the switch and check the current flow configuration: show sFlow To configure, log into the switch and use the the int command to access an interface. From within the interface, use the following command: sflow forwarding Then exit the interface using the very difficult to remember exit command: exit Repeat the enablement of forwarding for any other necessary interfaces. Next, we’ll configure a few globals that would be true across all interfaces. The first is the destination address, done using the destination verb followed by the IP and then the port (I’m using the default 6343 port for sFlow): sflow destination 6343 Set the sample rate: sflow sample 512 Set the polling interval: sflow polling-interval 30 Finally, enable sFlow: sflow enable

Scripting PGP Whole Disk Encryption On A Mac (or Windows, really)

The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We’ll focus on two for the purposes of this little article. The first is –list-user and the second is –change-passphrase, although there are a number of other options. A general breakdown of the options include the following:
  • –enum – show the disks available
  • –disk-status – show the encryption status disk indicated with the –disk option
  • –stop – stop the encryption or decryption process of a –disk using –passphrase
  • –instrument – Install BootGuard using the –disk option followed by the number of the disk
  • –uninstrument – Remove BootGuard using the –disk option followed by the number of the disk
  • –add-user – Add a PGP user (include a user name followed by –passphrase and the passphrase, as well as –disk and the number of the disk)
  • –change-passphrase – Change the password on –disk for user specified with -u on –domain with the -i to make it interactive (with an option to include a –recovery-token if you don’t have the password)
  • –list-user – List the PGP users with access to a –disk
  • –encrypt – Manually enable encryption on a –disk using a –passphrase
  • –decrypt – Disable encryption by decrypting the disk at –disk using a –passphrase
  • –recover – allow a user to recover a –disk when BootGuard is unavailable using the –passphrase
symc_pgp_wholedisk_0So let’s put these in motion. First, let’s just look at all the disks available using the –enum option: pgpwde --enum OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. So let’s confirm by looking at –disk-status: pgpwde --disk-status --disk 0 Now, let’s see who’s got access to that disk: pgpwde --list-user --disk 0 Then, let’s enable BootGuard on our volume: pgpwde --instrument --disk 0 And then add user cedge to be able to unlock that volume, with a passphrase of krypted: pgpwde --add-user cedge --passphrase krypted --disk 0 And then let’s encrypt it: pgpwde --encrypt --passphrase krypted --disk 0 And finally, to change the password of that cedge account to something more secure: pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase "!Ab@nK$Ru13z" To make scripting this a bit easier, you can also choose to skip the whole –passphrase option (since you might not know the current passphrase since they’re not typically reversible) you can use the –recovery-token option (assuming you have a token). Note: No passwords were hurt in the writing of this article.

Allow Diskless NetBoot From the Command Line

Client systems don’t have to have drives. Nor should they, in certain circumstances. Therefore, diskless NetBoot has been a part of OS X since the early beginnings. And it’s great provided you have the Server Admin application handy. But if you want to enable/control diskless NetBoot without Server Admin then you’re going to need to use the command line. Each of your NetBoot images will be stored in an array, which can be seen by running the serveradmin command, along with the settings option and then the net boot service, as follows: serveradmin settings netboot Locate the netBootImagesRecordsArray, which shows the images that are served up on the server. Find the appropriate one (most people tend to only have one) and then make sure that the SupportsDiskless option is set to yes. serveradmin settings netboot:netBootImagesRecordsArray:_array_index:0:SupportsDiskless = yes You can also set DisabledSystemIdentifiers, EnabledSystemIdentifiers, Type (type of file share), pathToImage, Architecture and use IsEnabled to enable and disable images programatically. This allows administrators to programmatically control NetBoot and therefore build custom imaging workflows that, for example, update the NetBoot set for NetRestore at the time of generating the NetRestore NetBoot set. It would also come in handy if any of these features were ever removed from the GUI…

Ubuntu and Firewalling

Using the firewall in Ubuntu can be as easy or as hard as you want to make it. BSD variants all basically use the ipfw command whereas most of the rest of the *nix world will use netfilter. Netfilter has a number of front ends; the one that comes pre-installed in Ubuntu is ufw, short for ‘uncomplicated firewall’. Ufw is good for basic port management: allow and deny type of stuff. It’s not going to have the divert or throttling options. So let’s look at some basic incantations of ufw (you need to have elevated privileges to do all of this btw).

Initial Configuration

First you need to enable ufw, which is done using the ufw command (no need to apt-get this to install it or build it from source) followed by the enable option:
ufw enable
You can also use the disable option to turn the firewall back off:
ufw disable
And to see rules and the status of the firewall, use the status option:
ufw status

The ufw Configuration File

The ufw configuration file is /etc/default/ufw. Here, you can manage some basic options of ufw. These include:
  • IPV6 – Set to YES to enable
  • DEFAULT_INPUT_POLICY – Policy for how to handle incoming traffic not otherwise defined by a rule. Defaults at DROP but can be changed to ACCEPT or REJECT
  • DEFAULT_OUTPUT_POLICY – Same as above but for handling outgoing traffic not otherwise defined by a rule.
  • DEFAULT_FORWARD_POLICY – Same as above but for forwarding packets (routing).
  • DEFAULT_APPLICATION_POLICY – I’d just leave this as the default, SKIP.
  • MANAGE_BUILTINS – when set to yes, allows ufw to manage default iptables chains as well.
  • IPT_MODULES – An array of iptables modules that can be added
To restart ufw after you make changes to the configuration file, use the services command:
service ufw reload
service ufw restart

Creating Rules

The first thing most people will want to do is enable a port. And of the ports, 22 is going to be pretty common, since without it you can’t ssh back into the box. For this, you’ll use the allow option followed by the name of the service (application profile):
ufw allow ssh
You can use numbers instead (since ufw isn’t going to know every possible combination and you might be running some on custom ports):
ufw allow 22
You can also deny traffic using the same structure, just swapping allow with deny:
ufw deny http
Beyond a basic allow and deny, you can also specify what IP addresses are able to access each port. This is done using ufw followed by the proto option, which is the followed by the actual protocol (tcp vs udp, etc) which is then followed by the from option and then the source then the to option then the IP to accept traffic (or the any option for all IPs on your box) and finally the port option followed by the actual port. Sounds like a lot until you see it in action. Let’s say you actually want to allow traffic for port 10000 but only from In that case, your rule would be:
ufw allow proto tcp from to any port 10000
Or if you only wanted 10000 to be accessible on one IP of your system (theoretically you have two in this scenario) that has an address of
ufw allow proto tcp from to port 10000

Using ufw

Once you have your rules configured, you are invariably going to have to troubleshoot issues with the service. Obviously, start with log review to perform a hypothesis of what the problem is. To enable logging use the logging option and specify the on parameter for it:
ufw logging on
Once enabled I usually like to view both /var/log/messages and /var/log/syslog for entries:
cat /var/log/syslog | grep UFW ; cat /var/log/messages | grep UFW
One of the best troubleshooting tools to prove any hypothesis that has to do with a rule is to simply delete the rule. To delete the deny http rule that we made earlier, just use the ufw command along with the delete option specifying the deny 22 rule as the rule to remove:
ufw delete deny http
Additionally, just disabling ufw will usually tell you definitively whether you are looking at a problem with a rule, allowing you to later look into disabling each rule until you find the offending rule.


Ubuntu also comes with iptables by default. iptables is the ipchains replacement introduced a number of years ago and is much more complicated and therefore flexible than ufw, although using one does not mean you cannot use the other. To get started, let’s look at the rules:
iptables -L
You will then see all of the rules on your host. If you have been enabling rules with ufw these will be listed here. You can then configure practically anything for how each chain (a chain is a series of rules for handling packets) functions. You can still do basic tasks, such as enabling ssh, but iptables will need much more information about what specifically you are trying to do. For example, to accept incoming traffic you would need to define that the chain will add an input (by appending it to the chain using -A INPUT) for tcp packets (-p tcp) on port 22 (–dport ssh) and accepting those packets (-j ACCEPT):
iptables -A INPUT -p tcp –dport ssh -j ACCEPT
That is about as simple as iptables get. I’ll try and write up more on dealing with it later but for now you should have enough information to get a little wacky with some basic firewall functionality on Linux. Enjoy.