Monday, April 14, 2014

Sensatronics EM1 Environmental Sensor with PRTG

Monitoring the EM1 Sensor from PRTG
How we got here...

In the past we have had issues with the A/C in our computer room. The A/C unit was spec'd out with a consumer grade unit (Carrier) rather than a more traditional unit. Unfortunately the unit was not optioned to run in cold weather, and there were issues with charging the unit that required extra maintenance.

And so our locked room would occasionally have a propped-open door with a fan exhausting heat into the office. Of course we care about physical security, and about the prospect of increased downtime when these failures occur on a weekend or during a vacation. So we looked around for a simple environmental monitor and came up with the Sensatronics EM1 (around $500) and Overseer software.

Overseer is designed to run on your workstation, which means leaving the machine running all weekend. Loading it up in a VM produces inconsistent notifications. And we also need to collect syslogs.

So, we are evaluating PRTG. PRTG loads up on top of Windows 2012 in a VM, does an auto discovery (here I blocked it from discovering desktops lest I get notified every time someone shuts down). And there is a Beta version syslog repository. Good start...

There is a monitor in our APC UPS which was discovered properly. But since we bought the EM1 monitor I figure let's give it a try. The EM1 has additional sensor capacity, and I could use it in a new location.

Key Tricks

Getting started - PRTG doesn't ship with the device information for the sensor built in, so auto discovery will not work. But, PRTG does have a concept of templates for the devices. And Sensatronics has a zip file of basic device configurations here. Update 7/2017: The zip file is no longer on Sensatronics' website, best option is to call support.

Load the extracted files into the program directory for PRTG on the server, in our case:
\\prtg\c$\Program Files (x86)\PRTG Network Monitor\devicetemplates

With the templates loaded we need to create the new device as follows:

In PRTG we need to do two things:
  1. Create a new group, (I called it SNMP V1) because the SNMP version is inherited from the group.
  2. For SNMP set the inheritance of settings OFF, and set the version to v1
Now we create a new device in PRTG, and specify as follows:

Start the discovery and you should get:

Which is at least data. The temperature is the main point, it's not 8 degrees in there. The web page on the sensor shows this:

And so here is where I call Sensatronics for Tech Support :-)
And.. the answer is, the template for the device has an error. In the column 'division' the entry should be changed from '10' to '1'. Do this in all the sensors. In my case I only have three sensors active.

And the result:

(Yes we do run hot. Saves energy.)

So there you have it. Thanks to Keith from Sensatronics for the final tip!

Saturday, April 12, 2014

A Password Odyssey - Two Well Liked Password Managers

About the Contendahs

The open source program KeePass is great for generating and securely storing all sorts of information (passwords, web addresses, SSH keys, FTP logins, even combo lock codes).

LastPass is a web service that securely stores your password information. It runs in the browser and there is no desktop app. There is also a mobile app if you pay the 'freemium'.

Both systems can use a master password for the repository. But KeePass has other options, and one is to use the Windows logon credentials to open the database. Both systems are generally secure options.

LastPass seems to be best for storing website credentials. KeePass is more general purpose and gives greater flexibility (maybe too much?), such as choosing your encryption algorithm. And I have used it as a place to store all sorts of access information, including combo lock codes, FTP logins, and encryption keys.

A great feature of LastPass is to let it choose passwords for sites, and store them, so that you don't need to remember those passwords. It helpfully reminds you when a password is duplicated between sites, to make each site's password unique. This way you are not relying on your browser or operating system to store your web site passwords. For a little more money, you can get an app on your iPad or smartphone.

KeePass is more the free Swiss Army knife of password encryption. You need to move that encrypted password file around with you. Or save it in Dropbox and open it from wherever you are. (That feature is front and center in KeePassDroid.)

In the Heartbleed story, Mashable referenced LastPass. And so I looked into using it as a place to save and update passwords. Looking for browser integration, I decided to give it a try. Converting from KeePass2 KDBX format was not straightforward.

Converting from KeePass2 to LastPass

LastPass suggests using a KeePass XML format export with the LastPass import routine.
The XML import resulted in a series of notes with credentials stored in them,
instead of a list of sites with the username and password stored in the correct fields.

The obvious thing to try is a CSV export.
Save the database as a CSV.
Edit the CSV to match the column format in Excel. (Yes you still need that!)


Unfortunately, my favorite Mac KeePass port, KyPass Companion, did not allow CSV export, so I had to fire up a PC to convert the data.

The next thing to note is that the import process un-checks entries without a URL. I always used KeePass as a reference, so I did not have a URL for each site. Without the URL, the browser integration piece is broken.

So, you really want to track down the URLs and enter them in your CSV file before importing the CSV. In any case you will want to decide whether to check the entries for sites that would otherwise not be imported during the process.
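The CSV edit and the missing-URL check described above can be scripted rather than done by hand in Excel. This is an added example, not from the original post: both column layouts (the KeePass export header and the LastPass generic import header) are assumptions to verify against your own files, and the sample data is constructed.

```python
import csv
import io

# Assumed column layouts (not given in the post); check them against your own
# export and the importer's documentation before relying on this.
KEEPASS_COLS = ["Account", "Login Name", "Password", "Web Site", "Comments"]
LASTPASS_COLS = ["url", "username", "password", "extra", "name", "grouping", "fav"]


def keepass_to_lastpass(csv_text, grouping="Imported"):
    """Return (lastpass_csv_text, names_missing_url) for a KeePass CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in KEEPASS_COLS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"unexpected export layout, missing columns: {missing}")

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=LASTPASS_COLS, lineterminator="\n")
    writer.writeheader()
    no_url = []
    for row in reader:
        url = (row["Web Site"] or "").strip()
        if url and "://" not in url:
            url = "https://" + url  # bare host name: assume HTTPS
        if not url:
            no_url.append(row["Account"])  # the import would un-check this entry
        writer.writerow({
            "url": url,
            "username": row["Login Name"],
            "password": row["Password"],
            "extra": row["Comments"],
            "name": row["Account"],
            "grouping": grouping,
            "fav": "0",
        })
    return out.getvalue(), no_url


# Constructed sample export; none of these are real credentials.
SAMPLE = (
    '"Account","Login Name","Password","Web Site","Comments"\n'
    '"Example Mail","alice","s3cret,with comma","mail.example.com",""\n'
    '"Server room lock","","12-34-56","","combo lock, no URL"\n'
)

if __name__ == "__main__":
    converted, no_url = keepass_to_lastpass(SAMPLE)
    print(converted)
    print("Entries without a URL:", no_url)
```

The conversion works on strings in memory, so the only plaintext copy on disk is the export itself; delete that file once the import is done.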

Running the import with an edited CSV

With a complete CSV, LastPass complains about using Chrome during the import - so I had to open up Safari. Or install Firefox. Safari worked just fine.

Final Impressions

Both programs seem to be secure. LastPass is only free in two ways: free in the browser, and free as in beer. KeePass is open source, and so the source code is available for review (free as in freedom); and there is no cost unless you wish to pay for a specialized version such as KyPass Companion.

Given that the Heartbleed OpenSSL bug was available for review for two years before it was discovered - the freedom argument is even more of a philosophical one this week.

KeePass is definitely the winner when it comes to a convenient file-based manager.
If you're OK with Dropbox, that is also a really handy way to sync KeePass files.
And I think it is better as a Swiss Army knife, to store items other than website login information.

Having used LastPass for a few minutes - it really is easy to jump onto a website with browser integration. Having looked at how they claim encryption is done in LastPass, seeing that the passwords are encrypted before they reach the server, that is another great feature. If the server is compromised, your passwords are still encrypted.

When changing passwords, however, the browser integration is annoying. Unfortunately the app does not overwrite (clear out) anything that was previously entered in these 'new password' fields when it inserts the new replacement password. But you can work around this by generating a new password. Then copy and paste your generated new password into the two 'new password' fields directly before updating.

Make sure the 'old' password is good. It's easy to get out of sync when generating a new password. You might want to copy down the old one before you make any updates. Particularly in a case where there is no easy password recovery option.

Parting Thought

I am not sure if I will be comfortable with a process where I never see the password itself. Generally I remember many dozens of passwords, so until now KeePass has really been a backup. What if LastPass goes down?

Thursday, April 10, 2014

Moving a Mac iTunes library to a NAS device - the most overlooked step...

Moving iTunes library to a NAS device

So, I bit the bullet and picked up a NAS device to offload AV files from my Mac.
Now I want iTunes to run from the network disk drive instead of needing to keep the Mac on all the time. It takes less juice :-)

I followed a couple of different walk-throughs:

Most overlooked setup detail

The key point from the ARS article is this: If the drive is not mounted at boot time, iTunes will not play. It also won't sync to an iPad or other device.

Key was to go into the "Users and Groups" control panel and select "Login Items".
Here you can navigate to shared network resources, and set them to mount at login.

The drives need to be mounted before iTunes is launched. iTunes did move my music library to the external device, and correctly updated the file location, but it just chokes when it tries to play.

I had to reboot the Mac to ensure that the drives were mounted before it would work.

So, now we can share iTunes to PCs wirelessly. But for other devices the story is not straightforward: the NAS device does not have iTunes' Home Sharing. So accessing these media resources will happen through a non-Apple app from the iPad unless it has been synced through the Mac.

Tuesday, April 1, 2014

Changing the root password in VMware

OK, so it's not supported. Don't do this at home, folks. Or at least test it first.
Some days you just need to hack things into shape...