ipHouse Dot Logo

Local PHP configuration

PHP 5.3 added a useful feature, per-directory .ini files. You can enter PHP configuration directives into a text file named “.user.ini”, upload it to your htdocs directory or any other directory of your website, and that configuration will be used for any PHP scripts in that directory or below.

For example, you may not want to display page errors to visitors of your website, but want to see them for anything in the /development/ sub-directory where you’re working on new things. You might create a .user.ini file in that sub-directory containing

error_reporting = E_ALL
display_errors = On
display_startup_errors = On

Or perhaps you have a sub-directory of remote procedure calls which are invoked from a webpage via AJAX and always return JSON data. You could simplify them by creating a .user.ini file in that subdirectory containing

default_mimetype = "application/json"
display_errors = Off

What can’t you do? You can’t use any configuration directives marked PHP_INI_SYSTEM; these cover fundamental and security-related PHP configuration and are reserved for the root php.ini file.


What’s the deal with DNSChanger Malware?

The FBI will be shutting down the temporary DNS servers that they set up to support Internet users that were compromised with DNSChanger malware. Anyone still using those DNS servers will be unable to resolve host names, which will effectively render them unable to do pretty much anything online until they clean up their infected system.

On November 8th 2011, the FBI, in conjunction with NASA-OIG and Estonian police, arrested several criminals operating under the company name “Rove Digital”. Rove Digital had been distributing DNS-changing viruses (TDSS, Alureon, TidServ and TDL4). They then routed victims through their own DNS servers in order to direct traffic to junk ads. They infected around 4 million users and made a reported $14 million before getting shut down.

With such a large number of compromised users relying on Rove Digital’s DNS servers for their Net access, the FBI decided to temporarily leave the DNS servers up and running to give people time to clean up their infected systems. Because people have been slow about cleaning up their computers, the FBI extended their original March deadline to Monday July 9th.

If you would like to verify that your computer is clean, you can go to http://www.dcwg.org/detect/ for a list of safe sites that you can use to check. Should you find that you have a compromised computer, they have good resources available to help you clean up your system.


Adding Exchange 2010 mailboxes from text file with PowerShell

I wrote before about adding Exchange 2010 mailboxes with PowerShell and AWK. I was having some trouble with the syntax of importing from a .csv or tab-delimited file so I punted and used awk on my workstation and got the work done.

That workflow is not ideal. I’d rather do it all in PowerShell. I got some great help from the fine folks over at /r/powershell and Don Jones’s PowerShell books and videos.

Here is a better way:

  • Use the Import-Csv cmdlet to import the data as an array of objects, with one text property per column.
  • Add and adjust the properties we need and their values.
  • Pass the whole array to New-Mailbox, which will do the right thing as long as all the parameter names match the object properties.

If I exported the data as .csv, with properly named column headers, this would get even easier, but I will give PowerShell the same data I gave awk for the sake of parity. So let’s say I have no control over the format the data arrives in and it comes space-delimited like this:

Alice Adams aadams aadams@corp.domain.com Password1
Bob Baker bbaker bbaker@corp.domain.com Password2
Charlie Carter ccarter ccarter@corp.domain.com Password3
Dan Davis ddavis ddavis@corp.domain.com Password4
Ed Evans eevans eevans@corp.domain.com Password5
Frank Foster ffoster ffoster@corp.domain.com Password6

Here is how to use PowerShell to add these users using the data from this file.

To use a space for the field delimiter, we’ll use -Delimiter ' '. This file does not have a header row. Import-Csv imports as key-value pairs, so each column needs a name. By default, it uses the top row for that, but that would not be the right thing to do here, since the top row is data. So we can either put a header row on the file, or define alternate column names with a -Header argument. Here is the command to import my users.txt file as an array of objects, $users:

PS> $users = Import-Csv -Delimiter ' ' -path .\users.txt -Header FirstName, LastName, SamAccountName, UserPrincipalName, plaintextpass

This loads the data from the file into an array of objects $users.  Each element of $users has properties as defined in the header with values from the corresponding row.  Here’s the first element in $users:

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1

Next, we’ll add the “Name” property, which is a string in the form “FirstName LastName”.

PS> $users = $users | Select-Object -Property *, @{name='Name';expression={$_.FirstName + ' ' + $_.LastName}}

The property is appended to the end of the list, but that’s fine, since New-Mailbox accepts these arguments in any order. Here’s how the first object looks now.

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1
Name              : Alice Adams

New-Mailbox wants the password as a System.SecureString, and won’t accept a plain string at all. Items of type System.SecureString are stored in memory encrypted. We’re defeating the security benefits of that behavior by handling the passwords as plaintext elsewhere in the script and in the data file. For exactly that reason, ConvertTo-SecureString will complain if we use it to accept plain text with -AsPlainText, but it will do it anyway if we use -Force. The whole thing goes like this (note that the property is passed as the bare expression $_.plaintextpass; inside a double-quoted string, "$_.plaintextpass" would expand $_ to the whole object and append the literal text .plaintextpass, so the SecureString would not contain the password):

PS> $users = $users | Select-Object -Property *, @{name='Password';expression={(ConvertTo-SecureString -AsPlainText -Force -String $_.plaintextpass)}}

Now we have the password stored as a SecureString.  Trying to print the password only prints “System.Security.SecureString” and not the actual contents, but it is in there.

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
plaintextpass     : Password1
Name              : Alice Adams
Password          : System.Security.SecureString

Now let’s get rid of that plaintext password. Strictly, this step is not necessary: since “plaintextpass” does not match any of the arguments that New-Mailbox accepts, it will be discarded. But since we need to convert the password to a SecureString to pass it anyway, why pass it as plaintext as well? So we strip the property out like this:

PS> $users = $users | Select-Object -Property * -ExcludeProperty plaintextpass

And finally, our objects look like this:

PS> $users[0]

FirstName         : Alice
LastName          : Adams
SamAccountName    : aadams
UserPrincipalName : aadams@corp.domain.com
Name              : Alice Adams
Password          : System.Security.SecureString

It is not an accident that these are exactly the arguments that New-Mailbox wants. This is the fun part.

PS> $users | New-Mailbox

That’s it. The contents of the properties of each object in $users are passed to the corresponding arguments New-Mailbox accepts. New-Mailbox takes those arguments and creates six new users.

And of course, since this is PowerShell, all of this can be done in one big pipeline if readability is not your thing. That would look like this:

PS> Import-Csv -Delimiter ' ' -Path .\users.txt -Header FirstName, LastName, SamAccountName, UserPrincipalName, plaintextpass | Select-Object -Property *, @{name='Name';expression={$_.FirstName + ' ' + $_.LastName}}, @{name='Password';expression={(ConvertTo-SecureString -AsPlainText -Force -String $_.plaintextpass)}} | Select-Object -Property * -ExcludeProperty plaintextpass | New-Mailbox
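The same import-and-pipe procedure, as an added example that is not code from the original post, but with the plaintext password column removed from the data file altogether: each user gets a randomly generated initial password that is kept only in memory for out-of-band handover, and New-Mailbox is told to force a change at first logon. It assumes a users.txt with the four leading columns of the post's file (no password column), an Exchange Management Shell session where New-Mailbox is available, and the same by-property-name pipeline binding the post relies on; New-InitialPassword and Import-MailboxSpec are names chosen here.

```powershell
# Added example (not from the original post). users.txt layout assumed:
# "FirstName LastName SamAccountName UserPrincipalName", space-delimited, no header.

function New-InitialPassword {
    # 16 characters from a 64-symbol alphabet chosen with a cryptographic RNG.
    # 64 divides 256 evenly, so masking each byte with 63 introduces no modulo bias.
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Import-MailboxSpec {
    # Returns one object per row carrying exactly the properties New-Mailbox binds
    # by name. Generated plaintext passwords go into $InitialPasswords (UPN -> password)
    # and nowhere else: they are never written to disk by this script.
    param([string]$Path, [hashtable]$InitialPasswords)
    Import-Csv -Delimiter ' ' -Path $Path -Header FirstName, LastName, SamAccountName, UserPrincipalName |
        ForEach-Object {
            # Refuse rows that would create a broken mailbox instead of letting them through.
            if (-not $_.UserPrincipalName -or $_.UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+$') {
                Write-Warning "Skipping '$($_.SamAccountName)': bad UPN '$($_.UserPrincipalName)'"
                return   # inside ForEach-Object this ends only the current row
            }
            $plain = New-InitialPassword
            $InitialPasswords[$_.UserPrincipalName] = $plain
            # $($_.FirstName) is required inside a double-quoted string; "$_.FirstName"
            # would stringify the whole object and append the literal text ".FirstName".
            $_ | Add-Member NoteProperty Name "$($_.FirstName) $($_.LastName)" -PassThru |
                 Add-Member NoteProperty Password (ConvertTo-SecureString -String $plain -AsPlainText -Force) -PassThru |
                 Add-Member NoteProperty ResetPasswordOnNextLogon $true -PassThru
        }
}

$initial = @{}
$users = Import-MailboxSpec -Path .\users.txt -InitialPasswords $initial

# Dry run first: -WhatIf reports what New-Mailbox would create without creating it.
$users | New-Mailbox -WhatIf
# When the dry run looks right, drop -WhatIf:
# $users | New-Mailbox
# $initial now holds each UPN's initial password for handover; clear it when done:
# $initial.Clear()
```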

World IPv6 Launch

Today is the day many companies and organizations permanently enable IPv6 for their products and services. This is a big deal.

We’ve had all of our major public servers accessible by both IPv4 and IPv6 for some time, and continuously since World IPv6 Day last year. We’ve also been assigning IPv6 networks by request to customers with routers and network gear capable of supporting it. We’d love to assign more, but although enterprise-grade equipment and every major computer operating system supports IPv6, support in consumer-grade equipment such as DSL routers has been in a chicken-and-egg limbo for years.

So what’s the big deal?

The Internet has run on the IPv4 protocol since September 1981. An IPv4 address is a 32-bit value, which provides around 4 billion unique IP addresses. Even though changes have been made to the allocation and usage of this space, from replacing the original classed network system with CIDR to routing schemes like NAT, it was never really designed or intended for a rapidly growing public Internet, and it’s clearly at the end of its road.

IPv6, which has actually been around for longer than you might think, is the next generation of Internet addressing. Will it ever fully replace IPv4? That’s unknown but the days of freely allocating more IPv4 addresses are at an end.

IPv6 uses a 128-bit address and provides a vastly larger number of unique IP addresses: large enough to handle 4 billion unique organizations, each with 4 billion unique clients, each with its own 64-bit address space, itself 4 billion times larger than the entire IPv4 address space. IPv6 provides the room to create and implement advanced networking features like auto-configuration, efficient routing, and simplified renumbering.

What can you do to help move us further away from IPv4?

Talk to your Internet and/or hosting provider about IPv6 and ask about their deployment plans.  Ask them to publicly comment or announce their plans. Talk to your IT department and ask the same questions.

Welcome to the production Internet!

Top 10 Signs You Have a Terrible Hosting Provider

  1. They boast of their “multi-homed SLIP” connectivity
  2. They’re proud to provide both types of power, volts and amps
  3. Each rack is supplied with its own extension cord and ground plug adapter
  4. Their climate control system is an open window and a $10 box fan
  5. They try to sell you a “virtual rail kit”
  6. Private cages can be used for fights on the weekends
  7. Their tech support email address ends in @hotmail.com
  8. Their fire suppression system is a “No Smoking” sign
  9. Their security system reads “Beware of Shih-Tzu”
  10. Their backup system involves WinZip and BitTorrent