Android calendar and contacts synchronisation

In this post I will show you how to set up your Android device to sync with NextCloud.

The idea is to be able to see the NextCloud calendar appointments on the Android device and to add new ones from it.

Since adding CalDAV (calendar) and CardDAV (contacts) to Android is not supported natively, you will have to install a third-party tool. I choose to use the open source tool DAVdroid for that.

If you have a few bucks to spare, are lazy, or both, please buy the app in the app store and support the developers.

(If you do, you can skip the first 6 steps)

Since DAVdroid is open source you can get the app for free. This is how you get the apk.

1) Visit the DAVdroid site and click on Open Source > download the App on F-Droid

2) Download the APK

3) Your device will warn you about installing software from unknown sources.
Go to settings.

4) Here you can allow the installation from unknown sources "once".

5) Disable the android battery life optimizer as it can interrupt the DAVdroid sync.

6) Click the plus in DAVdroid

8) Here you can insert the connection details of your NextCloud

https://<URL>/nextcloud/remote.php/dav/principals/users/USER/

If you are unsure, just copy them.
Go to the calendar and click on Settings & Import in the lower left corner.

In the URL, replace USER with the login name!

9) Now define whether you want to sync calendar and/or contacts and click on the two arrows at the top to trigger a manual synchronisation.

That's it.
The connection is established and contacts should get uploaded.

Also calendar objects should start appearing and you should be able to create them.

 

Cheers,
Ori


Using aliases

Aliases are awesome.
You do want to have them.
Period.

Aliases in WatchGuard can stand for an IP address or a range of IP addresses.
Those aliases can then be used in firewall rules.

If you change one of those aliases at a later point, all the rules using that alias change with it.
Especially if you work on a lot of machines with thousands of rules, you definitely do want this.

Go to Setup > Aliases... to manage the aliases on the WatchGuard.

I create a new alias named Gravityzone and use DNS lookup to fill that alias with a bunch of IPs related to the BitDefender GravityZone Cloud.

Confirm the creation of the new alias by clicking on ok.

This new alias can now be used in firewall rules. This rule, for example, enables clients that are not supposed to be able to surf the web to talk to the GravityZone.

Just place the following before the deny rule and it works.

Cheers,
Ori


Setup iOS filesync

In this article I want to show you how you can set up a filesync on an iOS device.
The idea is that family members can use NextCloud to access photos taken with an iPad or drop files on the device.

Preparing the accounts

Login to your NextCloud using an administrative account and go to Users.

Create a new user for the iPad.
This user will later be used to sync the iPad with the NextCloud.

 

Setting up the synchronisation

Download the NextCloud app from the app store.

Log in to the app using the newly created NextCloud user.

Delete the default folders and create a folder that you want to share with others.
I called this folder iPadFN.

Go to '...', select share and then select the users or groups that you want to share the device's content with.

Then enter the folder you just shared.
Create some folders for the type of files you want to share.
In my case this would be books and photos.

Select the three dots on the folder you want to upload your pictures to.
Click on folder for automatic upload.
You need to do this BEFORE you change the settings of what gets uploaded.

Then go to More > Settings > Automatic Uploads and tweak the settings the way you want them.
In the end select upload entire camera storage.
This will apply the changes and is probably going to take a while.

That's it, the setup is complete.
When the device is connected to a Wi-Fi network, pictures should get uploaded automatically.

Now you just have to drop some files in the shared folder...

 

 

... and they get synched to the device.

 

Cheers,
Ori


KVM: Manage virtual networks using libvirt

Just a short reference.

List virtual networks
virsh net-list

Change the configuration of the network
virsh net-edit <network>

Cheers,
Ori


Connect OpenVPN with WatchGuard SSL-VPN

To connect a Linux client with WatchGuard SSL-VPN you can use OpenVPN.
I am going to demonstrate this using Ubuntu 18.04 Desktop.

First log in to https://WatchGuard-IP:Port/ssl-vpn.html and download the Mobile VPN with SSL client profile.

Then install OpenVPN, the OpenVPN network manager and the Gnome desktop integration.

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome

After the installation has completed move the downloaded file client.ovpn to /etc/openvpn/

sudo mv ~/Downloads/client.ovpn /etc/openvpn/

Now go to Network > VPN and add a new VPN.

Select Import from file ...

... and select the .ovpn config that you moved to /etc/openvpn.

This will open the Add VPN window.
Add the IP:Port of the WatchGuard as well as the user credentials and then click Add.

You can now go to Network > VPN or more comfortably select the Network in the upper right screen corner to enable the VPN.

If you have successfully connected, you will find a new tun interface.

ip address show

IPs from the internal target network should now be reachable.

You can disable the VPN the same way you enabled it.
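
A check to run on the downloaded client.ovpn before the import step, as an added example (not from the original post or from WatchGuard): it reports which server the profile connects to and whether it carries a CA and a server-certificate check. The sample profile is constructed, and audit_ovpn and profile_verifies_server are names chosen here.

```shell
# Added example: summarise an OpenVPN client profile before importing it.
# Constructed sample profile; host and port are placeholders.
sample_profile() {
cat <<'EOF'
client
proto tcp
remote vpn.example.test 443
remote-cert-tls server
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
EOF
}

# Read a profile on stdin and print one key=value line per finding.
audit_ovpn() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^<\//        { inblock = 0; next }         # end of inline block
        /^</          { inblock = 1; if ($1 == "<ca>") ca = 1; next }
        inblock       { next }                      # skip embedded PEM data
        $1 == "remote" { remote = (remote == "" ? "" : remote " ") $2 ":" $3 }
        $1 == "proto"  { proto = $2 }
        $1 == "cipher" { cipher = $2 }
        $1 == "ca"     { ca = 1 }                   # CA given as a file path
        $1 == "remote-cert-tls" || $1 == "remote-cert-eku" ||
        $1 == "verify-x509-name" { verify = 1 }
        END {
            print "remote=" remote
            print "proto=" proto
            print "cipher=" cipher
            print "ca_present=" (ca ? "yes" : "no")
            print "server_cert_check=" (verify ? "yes" : "no")
        }'
}

# Succeed only when the profile carries a CA and checks the server certificate.
profile_verifies_server() {
    out="$(audit_ovpn)"
    echo "$out" | grep -qx 'ca_present=yes' &&
        echo "$out" | grep -qx 'server_cert_check=yes'
}

# On a real system: audit_ovpn < /etc/openvpn/client.ovpn
sample_profile | audit_ovpn
```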

Cheers,
Ori


Monitoring 03: Check_MK adding a windows host

In this article I want to show you how to add a Windows host to your check_mk monitoring.
Download the Windows client check_mk_agent.msi, found at WATO - CONFIGURATION > Monitoring Agents.

Get this file onto the target system somehow.
When starting the MSI on some Windows versions, you have to confirm the installation because this package is not signed.

The installation of the client itself boils down to next, next and finish.
You can also silently deploy the MSI.

Now we have to set up a Windows firewall exception for the monitoring agent.
Start a CMD with elevated rights and paste the following command.

netsh advfirewall firewall add rule name="Check_MK" description="Monitoring" dir=in localport=6556 protocol=tcp action=allow program="%ProgramFiles(x86)%\check_mk\check_mk_agent.exe" profile=private,domain enable=yes

Now we add the windows host.
Go to WATO - CONFIGURATION select Hosts and click on New Host.

Now give the Host a Name, add it to a Site and confirm with Save&Test.
When the tests are successful confirm with Save&Exit.

Switch to Services, confirm the preselected services with Monitor and click on the pending Changes.

Here you activate the changes made to the site.

Finally check that the host is visible at Views > Hosts > All Hosts and is showing some Data.

Cheers,
Ori


Monitoring 02: Check_MK adding a linux host

In this article I want to show you how you can connect a linux host to check_mk.
Let's add the Linux server hosting check_mk.

First you will always have to install a so-called monitoring agent.
In the left-hand navigation bar, scroll down to WATO - CONFIGURATION
and select Monitoring Agents.

In this case the server is Ubuntu, so we choose check-mk-agent_VERSION_all with the ending .deb for Debian-based Linux distributions.

The fastest way to get this package onto the target system is to simply copy the link and download the package using wget.

wget http://IP/Site/check_mk/agents/check-mk-agent_1.5.0p2-1_all.deb

Now install the package using dpkg.

dpkg -i check-mk-agent_1.5.0p2-1_all.deb

After installing the package, the command check_mk_agent should be available and generate a bunch of output when run.
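
What that output looks like and a quick way to check it, as an added example (not part of the original post or of Check_MK itself): the agent prints plain-text sections introduced by <<<name>>> headers, and this is the same text the monitoring server later fetches from the host, so it is worth knowing what it reveals. The sample output is constructed, and agent_sections and agent_output_ok are names chosen here.

```shell
# Added example: summarise Check_MK agent output by section.
# Section headers look like <<<name>>> or <<<name:option>>>.

# Constructed sample of agent output (not captured from a real host).
sample_agent_output() {
cat <<'EOF'
<<<check_mk>>>
Version: 1.5.0p2
AgentOS: linux
<<<df>>>
/dev/sda1 ext4 41152736 8123456 30915472 21% /
<<<mem>>>
MemTotal: 4039172 kB
MemFree: 1203340 kB
<<<uptime>>>
86400.12 170000.50
EOF
}

# Print "section line_count" for every section read from stdin.
agent_sections() {
    awk '
        /^<<<.*>>>$/ {
            name = substr($0, 4, length($0) - 6)   # strip <<< and >>>
            sub(/:.*/, "", name)                   # drop options such as :sep(58)
            if (!(name in count)) order[++n] = name
            count[name] += 0
            current = name
            next
        }
        current != "" { count[current]++ }
        END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    '
}

# Succeed only if the output on stdin starts with the <<<check_mk>>> header.
agent_output_ok() {
    [ "$(head -n 1)" = "<<<check_mk>>>" ]
}

# On a monitored host: check_mk_agent | agent_sections
sample_agent_output | agent_sections
```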

Back to the check_mk web interface go to WATO - CONFIGURATION and select Hosts to add a new Host.

Here we give the new host a name, add it to a Monitoring Site and type localhost as the IPv4 address.
Then click on Save & Test.

In the next window check_mk is testing the connection to the host using Ping, SNMP and Traceroute.
When the tests are complete confirm by clicking on Save & Exit.

Now change to the tab Services.

Here you can check what services have been discovered on the client and can be monitored.
Confirm the preselection by clicking on Monitor.

The view will change and you will notice a message informing you about uncommitted changes.
Click on that message.

Select the site that you made changes to and click on Activate Selected.
Now the client will be added to the active monitoring.

If you now change to the Views section and click on All Hosts you will find the newly added host.

Clicking on the hosts name you can see details on the monitored services.

The State PEND (pending) and the matching clock symbol with the warning sign are an indicator that the service has just recently been added to monitoring.
After a while these checks will come online and you will see data.

Cheers,
Ori


Monitoring 01: Check_MK installation

In this article I want to show you the Nagios-based monitoring solution check_mk.
MK stands for Mathias Kettner, which is also the company that is developing and selling check_mk.

Monitoring, meaning the supervising of devices, allows you to permanently check certain values on devices.
Values like the used up disk space, CPU Temperature or CPU Load.

For every check on every device you can define at what point a critical state has been reached and what action should then be taken.
A common use case is to generate an e-mail informing the admin about an issue.

Check_MK is available in the versions CRE, CEE and CME.

My articles will be based on the raw edition since it is open source and published under GNU GPL v2 license.

Installation

I want to show you the installation process on a freshly installed ubuntu server 16.04.
1) Select the package for your Linux distribution and download it using wget.

wget https://mathias-kettner.de/support/1.5.0p2/check-mk-raw-1.5.0p2_0.xenial_amd64.deb

Then install that package using dpkg.

dpkg -i check-mk-raw-1.5.0p2_0.xenial_amd64.deb

If you should run into issues check your /etc/apt/sources.list.

deb http://de.archive.ubuntu.com/ubuntu/ xenial main restricted universe
deb http://de.archive.ubuntu.com/ubuntu/ xenial-security main restricted
deb http://de.archive.ubuntu.com/ubuntu/ xenial-updates main restricted universe

Choose a sources list generator, edit your sources.list, update your sources and upgrade your system, and you should not have any issues with missing dependencies anymore.

OMD

The tool called Open Monitoring Distribution is installed alongside check_mk.
It is used to make managing Nagios and its plugins a lot easier.
Using the command omd create we now create a new site.
I will call this site hackzenwerk.

omd create hackzenwerk

After you have created this site, check_mk generates an admin account called cmkadmin for you and displays the password.
Write it down.

Now we need to start this site.

omd start hackzenwerk

Connecting to IP/site (port 80), you will see a check_mk login screen that you can log in to using cmkadmin.
In my case this means http://<IP>/hackzenwerk

The connection is still insecure, so you should generate an SSL certificate.

If your check_mk is reachable over the internet, you can generate a Let's Encrypt certificate.
Since my testing system is not available from the internet I use a self-signed certificate.

Log in there with the previously generated credentials and you will land in a bare Check_MK administration interface.

Cheers,
Ori


Creating a network diagram

In this article I want to show you how you can visualize an existing environment in a network plan.

Network plans help colleagues who are not familiar with a network understand it faster.
They are also very useful to explain certain issues to someone or visualize why a certain investment is important.

Information gathering

At first you will have to collect a lot of information about the network you want to visualize.
A resource that we often tend to forget about is the documentation that might already exist.
It might be incomplete or out of date but can contain valuable information.

Check the (hardware) firewall
-> What networks do exist
-> How many Uplinks are there
-> Upstream device(s)

Find a way into the network
-> VPN
-> Remote Access to a server or client
-> Scan the network

Check the networking devices
-> What devices are there (Vendor, Model, IP)
-> Do you have login credentials and do they work?
-> How are the devices interconnected (cdp, lldp)

Check the servers
-> Physical or virtual?
-> In which networks are the servers located?
-> What do they do?

Check other devices
-> Access Points
-> Phone Systems / IP-Phones
-> Conferencing Systems
-> Printers

Once you have all this information available, you can begin creating the network plan.

 

What type of network diagram

It is important that you are aware of what style to choose for what purpose.
Is it for example enough to provide an abstract view of the network?

Should the networks be visualized?

Should buildings be part of the plan?

We can scale this up until we visualize infrastructures that span across continents, you get the point.

Do you maybe want a floorplan that is showing the devices?
(Good for planning Wi-Fi)

As you can see the type of network plan depends on what it is going to be used for.
Do you want to provide an overview over a virtualisation structure with lots of hypervisors, lots of networks and a ton of servers?
Then you probably want to have an abstract plan showing the structure of the logical Network.

Is the plan supposed to be used by a technician to be able to find physical devices at a location?
Then you probably want a plan that is as close to the physical reality as possible.

These concepts nearly always get mixed to some point.
However when you have really complex plans, it might be better to have two or more separate plans suited for the right purpose.
When you try to force every available piece of information into one network plan, you can end up making it unreadable and therefore useless.

As you can see, creating a network diagram is a form of art in itself.

Creating the network diagram

I am currently using the non-free software Visio from Microsoft to create network diagrams.


Draw by LibreOffice would be a good free alternative.

You could also just use GIMP if you want to create a network diagram, it's up to you.
At this point I assume you already made up your mind what type of diagram you want to create and what software you are going to use.

If you are going to use floorplans or want to visualize buildings / floors, start by doing that.
Once that is complete feed all the information you gathered in the information gathering process into the network plan.
Start at the Internet Uplink and then go down the Line.

Uplink > Router > Firewall > Switch(es) > Devices attached to the Switches (Servers, Clients etc.)

It is a good idea to write important IP addresses and hostnames into the network diagrams.
Also it is a good idea to not only write down physical servers but also virtualized ones.

End-user devices can usually be combined into a group.
(20 Workstations, 15 mobile devices, etc.)

Cheers,
Ori


Documentation is everything

When a project or environment is reaching a certain size a good documentation is incredibly important.
I personally think that even for small projects a clean documentation is important, but I won't go into that now.

If there is no well organized documentation you will run into several issues:
- Working hours will get "burned" searching for information
- Passwords go missing, resulting in issues
- Key knowledge held by single people ("Well, working in that network you just have to know XYZ, you know now!")
- New colleagues cannot get up to pace without help, again burning time
- etc...

I could continue but I guess you get the point.
The obvious reason for writing things down is the human tendency to forget things.
However, the most important reason is that there is more than one person tasked with planning, enhancing, maintenance and fixing urgent issues.
When changes are not immediately and completely documented, the other people working in the environment cannot rely on the information they have.
This WILL backfire, trust me.

A good documentation should be designed to enable a person unfamiliar with the documented matter to:
- Get a quick overview over the complete situation
- Get access to the available data in a structured and searchable manner
- Have to look in just one place

What you should avoid:
- Different files that have to be searched like Version_pre_2016, Networkplan_old, see documentation XY
- Outdated data, like an undocumented change of the contact person
- Incorrect data like the wrong device models. If you are not sure don't write it down!

A documentation should at least consist of the following parts:
- Text documentation
- Network Diagram
- Complete documentation

The following components would also be good to have:
- Hardware Inventory
- Software (license) Inventory
- Clearly defined on- and offboarding processes

Cheers,
Ori